April 24, 2020

Episode 72

20 minutes

Overview

A huge number of CVEs fixed in the various Ubuntu releases, including for

PHP, Git, Thunderbird, GNU binutils and more, plus Joe McManus discusses

ROS with Sid Faber.

This week in Ubuntu Security Updates

93 unique CVEs addressed

[USN-4330-1] PHP vulnerabilities [01:03]

5 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2020-7066

CVE-2020-7065

CVE-2020-7064

CVE-2020-7063

CVE-2020-7062

php5, php7.0, php7.2, php7.3

get_headers() would silently truncate a URL containing a NUL terminator

(\0) - so if used with user-supplied URL could get wrong details from the

server

stack overflow in mb_strtolower() when handling UTF32-LE encoding

1 byte buffer overread in handling EXIF data - info leak / crash

PHAR archives created with world readable permissions

NULL pointer dereference on file upload in certain situations -> crash

[USN-4331-1] WebKitGTK+ vulnerability [02:32]

1 CVEs addressed in Bionic, Eoan

CVE-2020-11793

UAF when processing maliciously crafted web content

[USN-4332-1] File Roller vulnerability [02:51]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-11736

Possible directory traversal issue when extracting an archive where

parent of file is a symlink pointing outside of the archive

[USN-4334-1] Git vulnerability [03:08]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-11008

Similar to CVE-2020-5260 from Episode 71 - due to an incomplete fix for

that where some credentials may still be leaked but the attacker cannot

control which ones

[USN-4333-1] Python vulnerabilities [03:47]

2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2020-8492

CVE-2019-18348

CRLF injection via an attacker controlled url parameter to urlopen()

function in urllib

[USN-4335-1] Thunderbird vulnerabilities [04:09]

39 CVEs addressed in Xenial

CVE-2020-6811

CVE-2020-6794

CVE-2020-6822

CVE-2020-6795

CVE-2020-6793

CVE-2020-6792

CVE-2019-15903

CVE-2019-11755

CVE-2019-11745

CVE-2020-6825

CVE-2020-6821

CVE-2020-6820

CVE-2020-6819

CVE-2020-6814

CVE-2020-6812

CVE-2020-6807

CVE-2020-6806

CVE-2020-6805

CVE-2020-6800

CVE-2020-6798

CVE-2019-20503

CVE-2019-17026

CVE-2019-17024

CVE-2019-17022

CVE-2019-17017

CVE-2019-17016

CVE-2019-17012

CVE-2019-17011

CVE-2019-17010

CVE-2019-17008

CVE-2019-17005

CVE-2019-11764

CVE-2019-11763

CVE-2019-11762

CVE-2019-11761

CVE-2019-11760

CVE-2019-11759

CVE-2019-11758

CVE-2019-11757

Updated to latest upstream version 68.7.0

[USN-4336-1] GNU binutils vulnerabilities [04:46]

44 CVEs addressed in Bionic

CVE-2019-9077

CVE-2019-9075

CVE-2019-9074

CVE-2019-9073

CVE-2019-9071

CVE-2019-9070

CVE-2019-17451

CVE-2019-17450

CVE-2019-14444

CVE-2019-14250

CVE-2019-12972

CVE-2018-9138

CVE-2018-8945

CVE-2018-20671

CVE-2018-20651

CVE-2018-20623

CVE-2018-20002

CVE-2018-19932

CVE-2018-19931

CVE-2018-18701

CVE-2018-18700

CVE-2018-18607

CVE-2018-18606

CVE-2018-18605

CVE-2018-18484

CVE-2018-18483

CVE-2018-18309

CVE-2018-17985

CVE-2018-17794

CVE-2018-17360

CVE-2018-17359

CVE-2018-17358

CVE-2018-13033

CVE-2018-12934

CVE-2018-12700

CVE-2018-12699

CVE-2018-12698

CVE-2018-12697

CVE-2018-12641

CVE-2018-10535

CVE-2018-10534

CVE-2018-10373

CVE-2018-10372

CVE-2018-1000876

Huge update covering many issues - thanks Marc Deslauriers - mostly in

low severity issues like memory leaks in functions / utilities which are

used only once or which are assumed to process trusted input.

Often requested by customers who run vuln scanners - finds many open

issues but doesn’t consider low severity - only 3 out of 44 had medium

severity

Goings on in Ubuntu Security Community

Joe McManus talks ROS & ROS2 with Sid Faber from the Ubuntu Security Team [06:26]

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

April 24, 2020

Episode 72

20 minutes

Overview

A huge number of CVEs fixed in the various Ubuntu releases, including for

PHP, Git, Thunderbird, GNU binutils and more, plus Joe McManus discusses

ROS with Sid Faber.

This week in Ubuntu Security Updates

93 unique CVEs addressed

[USN-4330-1] PHP vulnerabilities [01:03]

5 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2020-7066

CVE-2020-7065

CVE-2020-7064

CVE-2020-7063

CVE-2020-7062

php5, php7.0, php7.2, php7.3

get_headers() would silently truncate a URL containing a NUL terminator

(\0) - so if used with user-supplied URL could get wrong details from the

server

stack overflow in mb_strtolower() when handling UTF32-LE encoding

1 byte buffer overread in handling EXIF data - info leak / crash

PHAR archives created with world readable permissions

NULL pointer dereference on file upload in certain situations -> crash

[USN-4331-1] WebKitGTK+ vulnerability [02:32]

1 CVEs addressed in Bionic, Eoan

CVE-2020-11793

UAF when processing maliciously crafted web content

[USN-4332-1] File Roller vulnerability [02:51]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-11736

Possible directory traversal issue when extracting an archive where

parent of file is a symlink pointing outside of the archive

[USN-4334-1] Git vulnerability [03:08]

1 CVEs addressed in Xenial, Bionic, Eoan

CVE-2020-11008

Similar to CVE-2020-5260 from Episode 71 - due to an incomplete fix for

that where some credentials may still be leaked but the attacker cannot

control which ones

[USN-4333-1] Python vulnerabilities [03:47]

2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan

CVE-2020-8492

CVE-2019-18348

CRLF injection via an attacker controlled url parameter to urlopen()

function in urllib

[USN-4335-1] Thunderbird vulnerabilities [04:09]

39 CVEs addressed in Xenial

CVE-2020-6811

CVE-2020-6794

CVE-2020-6822

CVE-2020-6795

CVE-2020-6793

CVE-2020-6792

CVE-2019-15903

CVE-2019-11755

CVE-2019-11745

CVE-2020-6825

CVE-2020-6821

CVE-2020-6820

CVE-2020-6819

CVE-2020-6814

CVE-2020-6812

CVE-2020-6807

CVE-2020-6806

CVE-2020-6805

CVE-2020-6800

CVE-2020-6798

CVE-2019-20503

CVE-2019-17026

CVE-2019-17024

CVE-2019-17022

CVE-2019-17017

CVE-2019-17016

CVE-2019-17012

CVE-2019-17011

CVE-2019-17010

CVE-2019-17008

CVE-2019-17005

CVE-2019-11764

CVE-2019-11763

CVE-2019-11762

CVE-2019-11761

CVE-2019-11760

CVE-2019-11759

CVE-2019-11758

CVE-2019-11757

Updated to latest upstream version 68.7.0

[USN-4336-1] GNU binutils vulnerabilities [04:46]

44 CVEs addressed in Bionic

CVE-2019-9077

CVE-2019-9075

CVE-2019-9074

CVE-2019-9073

CVE-2019-9071

CVE-2019-9070

CVE-2019-17451

CVE-2019-17450

CVE-2019-14444

CVE-2019-14250

CVE-2019-12972

CVE-2018-9138

CVE-2018-8945

CVE-2018-20671

CVE-2018-20651

CVE-2018-20623

CVE-2018-20002

CVE-2018-19932

CVE-2018-19931

CVE-2018-18701

CVE-2018-18700

CVE-2018-18607

CVE-2018-18606

CVE-2018-18605

CVE-2018-18484

CVE-2018-18483

CVE-2018-18309

CVE-2018-17985

CVE-2018-17794

CVE-2018-17360

CVE-2018-17359

CVE-2018-17358

CVE-2018-13033

CVE-2018-12934

CVE-2018-12700

CVE-2018-12699

CVE-2018-12698

CVE-2018-12697

CVE-2018-12641

CVE-2018-10535

CVE-2018-10534

CVE-2018-10373

CVE-2018-10372

CVE-2018-1000876

Huge update covering many issues - thanks Marc Deslauriers - mostly in

low severity issues like memory leaks in functions / utilities which are

used only once or which are assumed to process trusted input.

Often requested by customers who run vuln scanners - finds many open

issues but doesn’t consider low severity - only 3 out of 44 had medium

severity

Goings on in Ubuntu Security Community

Joe McManus talks ROS & ROS2 with Sid Faber from the Ubuntu Security Team [06:26]

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 72

Sign up to save your podcasts

Episode 72

Episode 72