March 26, 2020

Episode 68

17 minutes

Overview

This week we cover security updates for Apache, Twisted, Vim a kernel

livepatch and more, plus Alex and Joe discuss OVAL data feeds and the

cvescan snap for vulnerability awareness.

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-4307-1] Apache HTTP Server update [00:24]

TLSv1.3 enabled in Ubuntu 18.04 LTS (bionic)

Enabled by default, could cause compatibility issues in some

environments - can be disabled using the SSLProtocol directive

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263

[LSN-0064-1] Linux kernel vulnerability [01:03]

1 CVEs addressed in Xenial, Bionic

CVE-2020-2732

KVM nested virtualisation issue (L2 guest could access resources of L1

parent) - Episode 67

[USN-4308-1] Twisted vulnerabilities [02:07]

7 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-10109

CVE-2020-10108

CVE-2019-9515

CVE-2019-9514

CVE-2019-9512

CVE-2019-12855

CVE-2019-12387

2 variations of a HTTP request splitting / smuggling vuln (Episode 52)

3 HTTP/2 DoS issues (Episode 43)

MITM of XMPP TLS connections due to failure to verify certs

Failure to sanitize URIs or HTTP methods in twisted.web

[USN-4309-1] Vim vulnerabilities [03:53]

7 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2017-11109

CVE-2017-6350

CVE-2017-6349

CVE-2019-20079

CVE-2018-20786

CVE-2017-5953

All low / negligible since requires a user to use vim to source a crafted

file (ie a list of commands / settings for vim) or crafted undo /

spelling dictionary etc

Integer overflows -> heap overflows -> DoS / RCE etc

[USN-4134-3] IBus vulnerability [04:49]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2019-14822

Episode 47 - implements it’s own private DBus server which clients

connect to - original vuln allowed any user who knew address of this bus

to connect to it - update fixed this by checking the connecting user was

the same as the owning user - but caused a regression in Qt clients -

would fail to be able to properly connect to ibus - was reverted - this

has seen been fixed by fixing the GDBusServer implementation in libglib2

since it was actually incorrect - and so now we have re-fixed in ibus

Goings on in Ubuntu Security Community

Alex and Joe discuss Ubuntu Security OVAL feeds and cvescan [06:47]

https://people.canonical.com/~ubuntu-security/oval/

https://snapcraft.io/cvescan

Securing open source through CVE prioritisation [15:56]

https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

March 26, 2020

Episode 68

17 minutes

Overview

This week we cover security updates for Apache, Twisted, Vim a kernel

livepatch and more, plus Alex and Joe discuss OVAL data feeds and the

cvescan snap for vulnerability awareness.

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-4307-1] Apache HTTP Server update [00:24]

TLSv1.3 enabled in Ubuntu 18.04 LTS (bionic)

Enabled by default, could cause compatibility issues in some

environments - can be disabled using the SSLProtocol directive

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263

[LSN-0064-1] Linux kernel vulnerability [01:03]

1 CVEs addressed in Xenial, Bionic

CVE-2020-2732

KVM nested virtualisation issue (L2 guest could access resources of L1

parent) - Episode 67

[USN-4308-1] Twisted vulnerabilities [02:07]

7 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-10109

CVE-2020-10108

CVE-2019-9515

CVE-2019-9514

CVE-2019-9512

CVE-2019-12855

CVE-2019-12387

2 variations of a HTTP request splitting / smuggling vuln (Episode 52)

3 HTTP/2 DoS issues (Episode 43)

MITM of XMPP TLS connections due to failure to verify certs

Failure to sanitize URIs or HTTP methods in twisted.web

[USN-4309-1] Vim vulnerabilities [03:53]

7 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2017-11109

CVE-2017-6350

CVE-2017-6349

CVE-2019-20079

CVE-2018-20786

CVE-2017-5953

All low / negligible since requires a user to use vim to source a crafted

file (ie a list of commands / settings for vim) or crafted undo /

spelling dictionary etc

Integer overflows -> heap overflows -> DoS / RCE etc

[USN-4134-3] IBus vulnerability [04:49]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2019-14822

Episode 47 - implements it’s own private DBus server which clients

connect to - original vuln allowed any user who knew address of this bus

to connect to it - update fixed this by checking the connecting user was

the same as the owning user - but caused a regression in Qt clients -

would fail to be able to properly connect to ibus - was reverted - this

has seen been fixed by fixing the GDBusServer implementation in libglib2

since it was actually incorrect - and so now we have re-fixed in ibus

Goings on in Ubuntu Security Community

Alex and Joe discuss Ubuntu Security OVAL feeds and cvescan [06:47]

https://people.canonical.com/~ubuntu-security/oval/

https://snapcraft.io/cvescan

Securing open source through CVE prioritisation [15:56]

https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 68

Sign up to save your podcasts

Episode 68

Episode 68