September 20, 2024

Episode 237

16 minutes

Overview

John and Maximé have been talking about Ubuntu’s AppArmor user namespace

restrictions at the the Linux Security Summit in Europe this past week, plus we

cover some more details from the official announcement of permission prompting

in Ubuntu 24.10, a new release of Intel TDX for Ubuntu 24.04 LTS and more.

This week in Ubuntu Security Updates (01:11)

613 unique CVEs addressed in the past fortnight

[USN-6989-1] OpenStack vulnerability

1 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-44082

[USN-6990-1] znc vulnerability

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-39844

[USN-6992-1] Firefox vulnerabilities

8 CVEs addressed in Focal (20.04 LTS)

CVE-2024-8385

CVE-2024-8384

CVE-2024-8381

CVE-2024-8389

CVE-2024-8387

CVE-2024-8386

CVE-2024-8383

CVE-2024-8382

[USN-6993-1] Vim vulnerabilities

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-43374

CVE-2024-41957

[USN-6991-1] AIOHTTP vulnerability

1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-23334

[USN-6995-1] Thunderbird vulnerabilities

10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2024-8384

CVE-2024-8381

CVE-2024-7525

CVE-2024-7522

CVE-2024-7519

CVE-2024-8382

CVE-2024-7529

CVE-2024-7527

CVE-2024-7526

CVE-2024-7521

[USN-6996-1] WebKitGTK vulnerabilities

6 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-4558

CVE-2024-40789

CVE-2024-40782

CVE-2024-40780

CVE-2024-40779

CVE-2024-40776

[USN-6841-2] PHP vulnerability

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

CVE-2024-5458

[USN-6997-1, USN-6997-2] LibTIFF vulnerability

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-7006

[USN-6994-1] Netty vulnerabilities

2 CVEs addressed in Jammy (22.04 LTS)

CVE-2023-44487

CVE-2023-34462

HTTP/2 DoS, seen exploited in the wild and listen on the CISA KEV

[USN-6998-1] Unbound vulnerabilities

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-43168

CVE-2024-43167

[USN-6999-1] Linux kernel vulnerabilities

220 CVEs addressed in Noble (24.04 LTS)

Full CVE list elided - see USN for details

[USN-7003-1, USN-7003-2, USN-7003-3] Linux kernel vulnerabilities

85 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

Full CVE list elided - see USN for details

[USN-7004-1] Linux kernel vulnerabilities

221 CVEs addressed in Noble (24.04 LTS)

Full CVE list elided - see USN for details

[USN-7005-1, USN-7005-2] Linux kernel vulnerabilities

219 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)

Full CVE list elided - see USN for details

[USN-7006-1] Linux kernel vulnerabilities

94 CVEs addressed in Focal (20.04 LTS)

Full CVE list elided - see USN for details

[USN-7007-1] Linux kernel vulnerabilities

219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

Full CVE list elided - see USN for details

[USN-7008-1] Linux kernel vulnerabilities

222 CVEs addressed in Jammy (22.04 LTS)

Full CVE list elided - see USN for details

[USN-7009-1] Linux kernel vulnerabilities

219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

Full CVE list elided - see USN for details

[USN-7019-1] Linux kernel vulnerabilities

429 CVEs addressed in Jammy (22.04 LTS)

Full CVE list elided - see USN for details

[USN-7002-1] Setuptools vulnerability

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-6345

[USN-7000-1, USN-7000-2] Expat vulnerabilities

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-45492

CVE-2024-45491

CVE-2024-45490

[USN-7001-1, USN-7001-2] xmltok library vulnerabilities

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-45491

CVE-2024-45490

[USN-6560-3] OpenSSH vulnerability

1 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2023-51385

[USN-7011-1, USN-7011-2] ClamAV vulnerabilities

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-20506

CVE-2024-20505

[USN-7012-1] curl vulnerability

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-8096

[USN-7013-1] Dovecot vulnerabilities

2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2024-23185

CVE-2024-23184

[USN-7014-1] nginx vulnerability

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-7347

[USN-7015-1] Python vulnerabilities

5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-8088

CVE-2024-7592

CVE-2024-6923

CVE-2024-6232

CVE-2023-27043

[USN-7010-1] DCMTK vulnerabilities

9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-34509

CVE-2024-34508

CVE-2024-28130

CVE-2022-43272

CVE-2022-2121

CVE-2021-41690

CVE-2021-41689

CVE-2021-41688

CVE-2021-41687

[USN-7016-1] FRR vulnerability

1 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)

CVE-2024-44070

[USN-7017-1] Quagga vulnerability

1 CVEs addressed in Focal (20.04 LTS)

CVE-2024-44070

[USN-7018-1] OpenSSL vulnerabilities

6 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2024-0727

CVE-2023-3446

CVE-2022-2068

CVE-2022-1292

CVE-2021-23840

CVE-2020-1968

Goings on in Ubuntu Security Community

Linux Security Summit Europe 2024 (03:44)

https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/

Sep 16-17 - Vienna, Austria

John Johansen and Maxime Bélair from AppArmor team presented “Restricting

Unprivileged User Namespaces in Ubuntu”

https://youtu.be/yCHGmdXpylA?t=1053

https://static.sched.com/hosted_files/lsseu2024/ed/Restricting%20Unprivileged%20User%20Namespaces%20In%20Ubuntu.pdf

Other talks

Deep-dive into xz-utils supply chain attack

Internals of the SLUB memory allocator for exploit developers

Landlock update - including details of new IOCTL restrictions etc

systemd and TPM2 update

Official announcement of Permissions Prompting in Ubuntu 24.10 (09:00)

https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963

Ubuntu Security Center with snapd-based AppArmor home file access prompting preview in episode 236

Even works for command-line applications etc - not just graphical

Covers future developments as well:

Better default response suggestions based on user feedback.

Shell integration of the prompting pop-ups (eg full screen takeovers)

Improved rule management summaries and better messaging of overlapping or redundant prompts.

Expansion of the prompting system to cover additional snap interfaces such as camera and microphone access.

Smarter client side analysis of prompts, recommending additional options if multiple similar prompts are detected.

Version 2.1 of IntelⓇ TDX on Ubuntu 24.04 LTS Released (11:46)

https://discourse.ubuntu.com/t/version-2-1-of-intel-tdx-on-ubuntu-24-04-lts-released/47918/1

Confidential computing - using TDX to run VMs in confidential mode - runs

workloads (VMs) in hardware-backed isolated execution environments (Trust

Domains). VM memory isolation via encryption in hardware so can’t be accessed

by the hypervisor, remote attestation etc (Confidential Computing with Ijlal

Loutfi and Karen Horovitz from Episode 230)

https://discourse.ubuntu.com/t/intel-tdx-1-0-technology-preview-available-on-ubuntu-23-10/40698

Scripting to setup the required elements to use TDX on Ubuntu 24.04 host and

then setup guest VMs to run in confidential mode

Install server image, run scripts, enable TDX in BIOS, create VM images etc

Can also configure remote attestation of VM too

See full changes at https://github.com/canonical/tdx/releases/tag/2.1

Ubuntu 22.04.5 LTS released (13:45)

https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835/8

Only covers changes in main and restricted, doesn’t list security updates either

https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

AppArmor security update for CVE-2016-1585 published (14:23)

Upcoming AppArmor Security update for CVE-2016-1585 from Episode 226

https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268/3

Now published to -updates pocket for 20.04 LTS and 22.04 LTS

Will be published to -security pocket next week

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@[email protected], @ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings