Sign up to save your podcasts
Or
Share Episode 29
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 29
Overview
This week we look at fixes from the past two weeks including BIND, NTFS-3G,
Dovecot, Pacemaker and more, plus we follow up last episodes IoT security
discussion with Joe McManus talking about Ubuntu Core. Finally we cover the
release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04
Trusty Tahr to Extended Security Maintenance.
These past two weeks in Ubuntu Security Updates
53 unique CVEs addressed
[USN-3947-1, USN-3947-2] Libxslt vulnerability
fetch/read/write files and resources etc
framework which was checked for and correctly disallowed - BUT they could
also return -1 on error (say from a potentially bad URL) which would not
be caught and so then would proceed and would fetch from the URL in
question thereby violating the security policy
policy violation
[USN-3948-1] WebKitGTK+ vulnerabilities
arbitrary code execution if visiting a malicious website
[USN-3949-1] OpenJDK 11 vulnerability
fix to memory disclosure vulnerablity which could enable an attacker to
bypass sandbox
[USN-3918-4] Firefox regressions
regressions in keyboard handling as discussed previously
[USN-3914-2] NTFS-3G update
escalation
any future vulnerablilites can’t be used for privilege escalation
[USN-3950-1] ZNC vulnerability
user specified an invalid encoding it could cause znc to crash
[USN-3951-1] Dovecot vulnerability
the authentication service to crash
[USN-3952-1] Pacemaker vulnerabilities
privileges or cause a denial of service or to cause sensitive information
to be leaked to system logs
[USN-3953-1] PHP vulnerabilities
disclosure or crash -> DoS
[USN-3922-2, USN-3922-3] PHP vulnerabilities
[USN-3936-2] AdvanceCOMP vulnerability
[USN-3954-1] FreeRADIUS vulnerabilities
Episode 28 in the context of wpa_supplicant and hostapd - similar issue
for FreeRADIUS
[USN-3955-1] tcpflow vulnerabilities
(crash -> DoS / information disclosure)
[USN-3956-1] Bind vulnerability
cause a DoS via excessive resource usage
IoT Security follow-up with Joe McManus
particular talk about Ubuntu Core and how this has been engineered to
address many of these common IoT security design and implementation flaws
Goings on in Ubuntu Security Community
Ubuntu 19.04 Disco Dingo Released
packages in main by the security team
Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we look at fixes from the past two weeks including BIND, NTFS-3G,
Dovecot, Pacemaker and more, plus we follow up last episodes IoT security
discussion with Joe McManus talking about Ubuntu Core. Finally we cover the
release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04
Trusty Tahr to Extended Security Maintenance.
These past two weeks in Ubuntu Security Updates
53 unique CVEs addressed
[USN-3947-1, USN-3947-2] Libxslt vulnerability
fetch/read/write files and resources etc
framework which was checked for and correctly disallowed - BUT they could
also return -1 on error (say from a potentially bad URL) which would not
be caught and so then would proceed and would fetch from the URL in
question thereby violating the security policy
policy violation
[USN-3948-1] WebKitGTK+ vulnerabilities
arbitrary code execution if visiting a malicious website
[USN-3949-1] OpenJDK 11 vulnerability
fix to memory disclosure vulnerablity which could enable an attacker to
bypass sandbox
[USN-3918-4] Firefox regressions
regressions in keyboard handling as discussed previously
[USN-3914-2] NTFS-3G update
escalation
any future vulnerablilites can’t be used for privilege escalation
[USN-3950-1] ZNC vulnerability
user specified an invalid encoding it could cause znc to crash
[USN-3951-1] Dovecot vulnerability
the authentication service to crash
[USN-3952-1] Pacemaker vulnerabilities
privileges or cause a denial of service or to cause sensitive information
to be leaked to system logs
[USN-3953-1] PHP vulnerabilities
disclosure or crash -> DoS
[USN-3922-2, USN-3922-3] PHP vulnerabilities
[USN-3936-2] AdvanceCOMP vulnerability
[USN-3954-1] FreeRADIUS vulnerabilities
Episode 28 in the context of wpa_supplicant and hostapd - similar issue
for FreeRADIUS
[USN-3955-1] tcpflow vulnerabilities
(crash -> DoS / information disclosure)
[USN-3956-1] Bind vulnerability
cause a DoS via excessive resource usage
IoT Security follow-up with Joe McManus
particular talk about Ubuntu Core and how this has been engineered to
address many of these common IoT security design and implementation flaws
Goings on in Ubuntu Security Community
Ubuntu 19.04 Disco Dingo Released
packages in main by the security team
Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact