Sign up to save your podcasts
Or
Share Episode 80
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 80
Overview
This week, Sid Faber and Kyle Fazzari of the Ubuntu Robotics team interview
Vijay Sarvepalli from CERT about the recent Ripple20 vulnerabilities
announcement, plus we look at security updates for Bind, Mutt, curl and
more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4397-2] NSS vulnerability [00:40]
[USN-4399-1] Bind vulnerabilities [01:00]
authoritative nameserver which provides entries containing asterisks
could change entries and cause BIND to crash, also an attacker who can
send crafted zone data to cause a zone transfer could trigger an
assertion failure -> crash
[USN-4400-1] nfs-utils vulnerability [01:44]
could change then contents of this directory. This dir also contains
files owned and managed by root (rmtab etc) - mountd uses rmtab and so
since statd user can change this files contents, they could make mountd
create or overwrite other files on the system as root -> and so escalate
privileges. Fixed to just make the few specific subdirectories owned by
statd.
[USN-4401-1] Mutt vulnerabilities [03:16]
middleperson attack since wouldn’t properly do authentication of the
network connection, and would proceed to connect even if a user chooses
to reject the connection due to an expired certificate. So only relevant
if using mutt to connect to IMAP directly.
[USN-4402-1] curl vulnerabilities [04:06]
specified by a malicious server when using the CLI arguments -i in
combination with -J - -J is used to specify that the local filename
should come from a HTTP header specified by the server. Normally this
refuses to overwrite any existing local file but when using in
conjunction with -i this check was skipped.
of the password to the hostname before this is resolved via DNS during a
redirect - but only if the password contains an @ character….
Goings on in Ubuntu Security Community
Sid Faber and Kyle Fazzari interview Vijay Sarvepalli from CERT about Ripple20 [05:44]
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week, Sid Faber and Kyle Fazzari of the Ubuntu Robotics team interview
Vijay Sarvepalli from CERT about the recent Ripple20 vulnerabilities
announcement, plus we look at security updates for Bind, Mutt, curl and
more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4397-2] NSS vulnerability [00:40]
[USN-4399-1] Bind vulnerabilities [01:00]
authoritative nameserver which provides entries containing asterisks
could change entries and cause BIND to crash, also an attacker who can
send crafted zone data to cause a zone transfer could trigger an
assertion failure -> crash
[USN-4400-1] nfs-utils vulnerability [01:44]
could change then contents of this directory. This dir also contains
files owned and managed by root (rmtab etc) - mountd uses rmtab and so
since statd user can change this files contents, they could make mountd
create or overwrite other files on the system as root -> and so escalate
privileges. Fixed to just make the few specific subdirectories owned by
statd.
[USN-4401-1] Mutt vulnerabilities [03:16]
middleperson attack since wouldn’t properly do authentication of the
network connection, and would proceed to connect even if a user chooses
to reject the connection due to an expired certificate. So only relevant
if using mutt to connect to IMAP directly.
[USN-4402-1] curl vulnerabilities [04:06]
specified by a malicious server when using the CLI arguments -i in
combination with -J - -J is used to specify that the local filename
should come from a HTTP header specified by the server. Normally this
refuses to overwrite any existing local file but when using in
conjunction with -i this check was skipped.
of the password to the hostname before this is resolved via DNS during a
redirect - but only if the password contains an @ character….
Goings on in Ubuntu Security Community
Sid Faber and Kyle Fazzari interview Vijay Sarvepalli from CERT about Ripple20 [05:44]
Get in contact