Ubuntu Security Podcast

Episode 57



Overview

In the final episode of 2019, we look at security updates for RabbitMQ,
GraphicsMagick, OpenJDK and more, plus Joe and Alex discuss a typical
day-in-the-life of an Ubuntu Security Team member.

This week in Ubuntu Security Updates

34 unique CVEs addressed

[USN-4217-2] Samba vulnerabilities [01:00]
  • 2 CVEs addressed in Trusty ESM
    • CVE-2019-14870
    • CVE-2019-14861
  • See Episode 56

[USN-4214-2] RabbitMQ vulnerability [01:23]
  • 1 CVE addressed in Xenial, Bionic
    • CVE-2019-18609
  • AMQP implementation
  • Possible integer overflow when handling the CONNECTION_STATE_HEADER
    frame - a rogue server could return a malicious frame header which is then
    processed by the client and leads to a smaller target_size value due to
    integer overflow - then when the frame data is copied in via memcpy()
    this would overwrite past the bounds of the heap allocation, and with
    attacker controlled data
  • Not an issue if connecting to trusted servers
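To make the bug class in the RabbitMQ item concrete, here is an added example (not code from the podcast, from Ubuntu, or from the rabbitmq-c project) of a simplified client-side frame receiver. It shows the wrapping size computation next to a checked one, and a receive routine that refuses a header whose advertised length would wrap or exceed a negotiated maximum before anything is copied. The frame layout (a 4-byte big-endian length followed by the payload), the constants HDR_OVERHEAD and MAX_FRAME_SIZE, and every function name are assumptions made for this example, not the real AMQP wire format or rabbitmq-c's API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified layout for this example: the client prepends
   HDR_OVERHEAD bytes of its own bookkeeping before the payload, and the
   peers have agreed on MAX_FRAME_SIZE as the largest acceptable frame. */
#define HDR_OVERHEAD   16u
#define MAX_FRAME_SIZE (128u * 1024u)

/* Read a big-endian 32-bit length from the first four header bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked computation, mirroring the bug class described above:
   uint32_t addition wraps modulo 2^32, so a huge server-supplied
   length produces a tiny target_size and a too-small allocation. */
uint32_t target_size_unchecked(uint32_t payload_len) {
    return payload_len + HDR_OVERHEAD;
}

/* Hardened computation: reject lengths above the negotiated cap, and
   reject (explicitly, even though the cap already excludes it) any
   length whose sum with the overhead would wrap. */
bool target_size_checked(uint32_t payload_len, uint32_t *out) {
    if (payload_len > MAX_FRAME_SIZE) return false;
    if (payload_len > UINT32_MAX - HDR_OVERHEAD) return false;
    *out = payload_len + HDR_OVERHEAD;
    return true;
}

/* Copy one frame from the wire buffer into a fresh heap allocation sized
   by the checked computation. Returns NULL, copying nothing, if the header
   is rejected or the server did not actually send payload_len bytes. */
uint8_t *receive_frame(const uint8_t *wire, size_t wire_len, uint32_t *out_size) {
    if (wire_len < 4) return NULL;
    uint32_t payload_len = be32(wire);
    uint32_t target_size;
    if (!target_size_checked(payload_len, &target_size)) return NULL;
    if (wire_len - 4 < payload_len) return NULL;      /* truncated frame */
    uint8_t *buf = calloc((size_t)target_size, 1);
    if (buf == NULL) return NULL;
    /* target_size == payload_len + HDR_OVERHEAD, so this copy exactly fits. */
    memcpy(buf + HDR_OVERHEAD, wire + 4, payload_len);
    *out_size = target_size;
    return buf;
}

/* Self-check over constructed frames; returns 1 when every expectation holds. */
int frame_self_check(void) {
    /* Constructed: length 0xFFFFFFF8 wraps to 8 in the unchecked version. */
    if (target_size_unchecked(0xFFFFFFF8u) != 8u) return 0;
    uint32_t sz = 0;
    if (target_size_checked(0xFFFFFFF8u, &sz)) return 0;
    if (!target_size_checked(100u, &sz) || sz != 116u) return 0;

    /* Constructed well-formed frame: length 4, payload "ABCD". */
    const uint8_t good[] = {0, 0, 0, 4, 'A', 'B', 'C', 'D'};
    uint8_t *buf = receive_frame(good, sizeof good, &sz);
    if (buf == NULL || sz != 20u || memcmp(buf + HDR_OVERHEAD, "ABCD", 4) != 0) return 0;
    free(buf);

    /* Constructed rogue header: wrapping length with a short body. */
    const uint8_t rogue[] = {0xFF, 0xFF, 0xFF, 0xF8, 'X', 'X'};
    if (receive_frame(rogue, sizeof rogue, &sz) != NULL) return 0;

    /* Constructed truncated frame: claims 8 bytes, only 4 present. */
    const uint8_t trunc[] = {0, 0, 0, 8, 'A', 'B', 'C', 'D'};
    if (receive_frame(trunc, sizeof trunc, &sz) != NULL) return 0;
    return 1;
}

int main(void) {
    printf("unchecked target_size for 0xFFFFFFF8: %u\n", target_size_unchecked(0xFFFFFFF8u));
    printf("self-check: %s\n", frame_self_check() ? "ok" : "FAILED");
    return frame_self_check() ? 0 : 1;
}
```

The check is placed before the allocation rather than before the memcpy() because the allocation is where the wrapped value does its damage; bounding the advertised length by a negotiated maximum also removes the dependence on the exact width of the size type, which is the defence the "trusted servers" caveat above relies on the server to provide voluntarily.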
[USN-4222-1] GraphicsMagick vulnerabilities [02:28]
  • 15 CVEs addressed in Xenial
    • CVE-2017-13777
    • CVE-2017-13776
    • CVE-2017-13775
    • CVE-2017-13737
    • CVE-2017-13134
    • CVE-2017-13065
    • CVE-2017-13064
    • CVE-2017-13063
    • CVE-2017-12937
    • CVE-2017-12936
    • CVE-2017-12935
    • CVE-2017-11643
    • CVE-2017-11642
    • CVE-2017-11641
    • CVE-2017-11638
  • Episode 55 covered the previous update for GraphicsMagick - more of the same
    here

[USN-4223-1] OpenJDK vulnerabilities [03:00]
  • 16 CVEs addressed in Xenial, Bionic, Disco, Eoan
    • CVE-2019-2999
    • CVE-2019-2992
    • CVE-2019-2989
    • CVE-2019-2988
    • CVE-2019-2987
    • CVE-2019-2983
    • CVE-2019-2978
    • CVE-2019-2977
    • CVE-2019-2975
    • CVE-2019-2981
    • CVE-2019-2973
    • CVE-2019-2964
    • CVE-2019-2962
    • CVE-2019-2949
    • CVE-2019-2945
    • CVE-2019-2894
  • Latest upstream micro-release for openjdk 8 and openjdk 11
  • Various mix of issues (buffer overflows, NULL pointer dereferences and
    various denial of service issues on application crashes in different
    scenarios) - see the full USN for details

Goings on in Ubuntu Security Community

Joe and Alex discuss a day-in-the-life of an Ubuntu Security Team member [03:50]

Get in contact

  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more
Ubuntu Security Podcast, by Ubuntu Security Team