Sign up to save your podcasts
Or
Share Episode 49
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 49
Overview
This week we look at updates for Sudo, Python, OpenStack Octavia and more,
plus we discuss a recent CVE for Python which resulted in erroneous
scientific research results, and we go over some of your feedback from
Episode 48.
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-4148-1] OpenEXR vulnerabilities [00:45]
imaging applications
assertion failure or memory corruption -> crash / code execution
[USN-4149-1] Unbound vulnerability [02:06]
an ACL) -> crash
[USN-4151-1, USN-4151-2] Python vulnerabilities [02:40]
set_server_title() method as did not escape content
if domain contains multiple @ chars could get confused and return wrong
output - so applications which rely on this for validating email
addresses could accept an email address which is actually invalid
[USN-4152-1] libsoup vulnerability [03:53]
against the actual received message - could then memcpy past the end of
the input message -> crash
[USN-4153-1] Octavia vulnerability [04:33]
certificates for management network clients -> could allow anyone with
management network access to retrieve information / issue config commands
[USN-4154-1] Sudo vulnerability [05:06]
vulnerability - BUT requires an admin to have configured sudo with a
particular configuration (ie specifying a user can run a command as any
other user via the ALL keyword in a Runas rule). In this case if the rule
had also been configured to explicitly deny running the command as root,
this could be bypassed by the user specifying a UID of -1. So would only
affect a very small number of installations.
[USN-4155-1] Aspell vulnerability [07:26]
[USN-4156-1] SDL vulnerabilities [08:03]
now for SDL1.2 as well, plus rolled in a bunch of fixes for lower
priority issues (buffer over-reads in WAV handling etc)
Goings on in Ubuntu Security Community
Alex and Joe talk CVEs for bad documentation and resulting scientific research? [09:20]
Feedback on desired features for 20.04 [18:53]
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we look at updates for Sudo, Python, OpenStack Octavia and more,
plus we discuss a recent CVE for Python which resulted in erroneous
scientific research results, and we go over some of your feedback from
Episode 48.
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-4148-1] OpenEXR vulnerabilities [00:45]
imaging applications
assertion failure or memory corruption -> crash / code execution
[USN-4149-1] Unbound vulnerability [02:06]
an ACL) -> crash
[USN-4151-1, USN-4151-2] Python vulnerabilities [02:40]
set_server_title() method as did not escape content
if domain contains multiple @ chars could get confused and return wrong
output - so applications which rely on this for validating email
addresses could accept an email address which is actually invalid
[USN-4152-1] libsoup vulnerability [03:53]
against the actual received message - could then memcpy past the end of
the input message -> crash
[USN-4153-1] Octavia vulnerability [04:33]
certificates for management network clients -> could allow anyone with
management network access to retrieve information / issue config commands
[USN-4154-1] Sudo vulnerability [05:06]
vulnerability - BUT requires an admin to have configured sudo with a
particular configuration (ie specifying a user can run a command as any
other user via the ALL keyword in a Runas rule). In this case if the rule
had also been configured to explicitly deny running the command as root,
this could be bypassed by the user specifying a UID of -1. So would only
affect a very small number of installations.
[USN-4155-1] Aspell vulnerability [07:26]
[USN-4156-1] SDL vulnerabilities [08:03]
now for SDL1.2 as well, plus rolled in a bunch of fixes for lower
priority issues (buffer over-reads in WAV handling etc)
Goings on in Ubuntu Security Community
Alex and Joe talk CVEs for bad documentation and resulting scientific research? [09:20]
Feedback on desired features for 20.04 [18:53]
Get in contact