October 30, 2020

Episode 94

13 minutes

Overview

This week we cover news of the CITL drop of 7000 “vulnerabilities”, the

Ubuntu Security disclosure and embargo policy plus we look at security

updates for pip, blueman, the Linux kernel and more.

This week in Ubuntu Security Updates

117 unique CVEs addressed

[USN-4596-1] Tomcat vulnerabilities [01:01]

4 CVEs addressed in Focal (20.04 LTS)

CVE-2020-9484

CVE-2020-13935

CVE-2020-13934

CVE-2020-11996

[USN-4587-1] iTALC vulnerabilities

19 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-15681

CVE-2018-7225

CVE-2018-20750

CVE-2018-20749

CVE-2018-20748

CVE-2018-20024

CVE-2018-20023

CVE-2018-20022

CVE-2018-20021

CVE-2018-20020

CVE-2018-20019

CVE-2018-15127

CVE-2016-9942

CVE-2016-9941

CVE-2014-6055

CVE-2014-6054

CVE-2014-6053

CVE-2014-6052

CVE-2014-6051

[USN-4588-1] FlightGear vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2016-9956

[USN-4552-2] Pam-python vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-16729

[USN-4597-1] mod_auth_mellon vulnerabilities

3 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-3878

CVE-2019-3877

CVE-2017-6807

[USN-4598-1] LibEtPan vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2020-15953

[USN-4600-1, USN-4600-2] Netty vulnerabilities

5 CVEs addressed in Bionic (18.04 LTS), 4 CVEs addressed in Xenial (16.04 LTS)

CVE-2020-11612 (bionic only)

CVE-2020-7238

CVE-2019-16869

CVE-2019-20445

CVE-2019-20444

[USN-4601-1] pip vulnerability [01:34]

1 CVEs addressed in Bionic (18.04 LTS)

CVE-2019-20916

Failed to sanitize filenames during pip install if provided a URL in the

install command - could allow a remote attacker to provide a

Content-Disposition header that instructs pip to overwrite arbitrary

files

[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]

7 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15969

CVE-2020-15684

CVE-2020-15683

CVE-2020-15682

CVE-2020-15681

CVE-2020-15680

CVE-2020-15254

[LSN-0073-1] Linux kernel vulnerability [03:02]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-24490

CVE-2020-12352

CVE-2020-12351

BleedingTooth (Episode 93)

[USN-4593-2] FreeType vulnerability [03:23]

1 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2020-15999

Episode 93

[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-12723

CVE-2020-10878

CVE-2020-10543

[USN-4562-2] kramdown vulnerability

1 CVEs addressed in Groovy (20.10)

CVE-2020-14001

[USN-4605-1] Blueman vulnerability [04:10]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15238

Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs

& Debian maintainers to get this resolved - thanks :)

Blueman provides a dbus API to spawn DHCP client when doing

bluetooth-based networking

Would not sanitise the provided argument and would pass this directly to

dhcpcd which supports specifying a script file to run - this gets

executed as root so is a simple local root-privesc

Fixed to change the way the argument is provided to dhcpcd so that it

cannot pass arbitrary flags

Should also note, by default on Ubuntu we use isc-dhcp-client not dhcpcd

so unless you have manually installed it, this cannot be exploited

[USN-4583-2] PHP vulnerabilities

2 CVEs addressed in Groovy (20.10)

CVE-2020-7070

CVE-2020-7069

[USN-3081-2] Tomcat vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2016-1240

[USN-4603-1] MariaDB vulnerabilities

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-2814

CVE-2020-2812

CVE-2020-2760

CVE-2020-2752

CVE-2020-15180

CVE-2020-13249

[USN-4604-1] MySQL vulnerabilities

49 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14893

CVE-2020-14891

CVE-2020-14888

CVE-2020-14878

CVE-2020-14873

CVE-2020-14870

CVE-2020-14869

CVE-2020-14868

CVE-2020-14867

CVE-2020-14866

CVE-2020-14861

CVE-2020-14860

CVE-2020-14853

CVE-2020-14852

CVE-2020-14848

CVE-2020-14846

CVE-2020-14845

CVE-2020-14844

CVE-2020-14839

CVE-2020-14838

CVE-2020-14837

CVE-2020-14836

CVE-2020-14830

CVE-2020-14829

CVE-2020-14828

CVE-2020-14827

CVE-2020-14821

CVE-2020-14814

CVE-2020-14812

CVE-2020-14809

CVE-2020-14804

CVE-2020-14800

CVE-2020-14794

CVE-2020-14793

CVE-2020-14791

CVE-2020-14790

CVE-2020-14789

CVE-2020-14786

CVE-2020-14785

CVE-2020-14777

CVE-2020-14776

CVE-2020-14775

CVE-2020-14773

CVE-2020-14771

CVE-2020-14769

CVE-2020-14765

CVE-2020-14760

CVE-2020-14672

CVE-2019-14775

[USN-4607-1] OpenJDK vulnerabilities

8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14803

CVE-2020-14798

CVE-2020-14797

CVE-2020-14796

CVE-2020-14792

CVE-2020-14782

CVE-2020-14781

CVE-2020-14779

[USN-4608-1] ca-certificates update [06:41]

Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

Updates to the latest from Mozill a - removes some root CAs (expired etc)

and adds some new ones too

Goings on in Ubuntu Security Community

Ubuntu Security disclosure and embargo policy [07:17]

https://ubuntu.com/security/disclosure-policy

How to report an issue to us (LP / [email protected])

Scope (Ubuntu archive + Canonical software / infrastructure -

coordination etc)

What to expect from us

Disclosure timelines (within 1 week after updates provided, prefer

exploits etc kept private for at least 1 week after fixes available)

Safe harbour (welcome research into the software we provide but no active

probing of Canonical infra/services)

CITL releases high level details of 7000 defects [09:06]

https://cyber-itl.org/2020/10/28/citl-7000-defects.html

7000 defects/vulns across 3243 packages from Ubuntu 18.04

Automated static / dynamic analysis system (fuzzing?)

Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV

etc) - without reproducers etc

Expect package maintainers to contact them to request full details

Some package maintainers / upstreams will likely contact but we expect

this to be in the minority

Not really possible for @ubuntu_sec to triage and handle all of these but

will likely be a collective effort between distros to try and analyse

these all if CITL are willing to provide details

Without a collective effort unlikely that CVEs will get assigned and so

fixes could be missed if various upstreams just contact and fix these

themselves

Lots of open questions as to how this will play out…

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

October 30, 2020

Episode 94

13 minutes

Overview

This week we cover news of the CITL drop of 7000 “vulnerabilities”, the

Ubuntu Security disclosure and embargo policy plus we look at security

updates for pip, blueman, the Linux kernel and more.

This week in Ubuntu Security Updates

117 unique CVEs addressed

[USN-4596-1] Tomcat vulnerabilities [01:01]

4 CVEs addressed in Focal (20.04 LTS)

CVE-2020-9484

CVE-2020-13935

CVE-2020-13934

CVE-2020-11996

[USN-4587-1] iTALC vulnerabilities

19 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-15681

CVE-2018-7225

CVE-2018-20750

CVE-2018-20749

CVE-2018-20748

CVE-2018-20024

CVE-2018-20023

CVE-2018-20022

CVE-2018-20021

CVE-2018-20020

CVE-2018-20019

CVE-2018-15127

CVE-2016-9942

CVE-2016-9941

CVE-2014-6055

CVE-2014-6054

CVE-2014-6053

CVE-2014-6052

CVE-2014-6051

[USN-4588-1] FlightGear vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2016-9956

[USN-4552-2] Pam-python vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-16729

[USN-4597-1] mod_auth_mellon vulnerabilities

3 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-3878

CVE-2019-3877

CVE-2017-6807

[USN-4598-1] LibEtPan vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2020-15953

[USN-4600-1, USN-4600-2] Netty vulnerabilities

5 CVEs addressed in Bionic (18.04 LTS), 4 CVEs addressed in Xenial (16.04 LTS)

CVE-2020-11612 (bionic only)

CVE-2020-7238

CVE-2019-16869

CVE-2019-20445

CVE-2019-20444

[USN-4601-1] pip vulnerability [01:34]

1 CVEs addressed in Bionic (18.04 LTS)

CVE-2019-20916

Failed to sanitize filenames during pip install if provided a URL in the

install command - could allow a remote attacker to provide a

Content-Disposition header that instructs pip to overwrite arbitrary

files

[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]

7 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15969

CVE-2020-15684

CVE-2020-15683

CVE-2020-15682

CVE-2020-15681

CVE-2020-15680

CVE-2020-15254

[LSN-0073-1] Linux kernel vulnerability [03:02]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-24490

CVE-2020-12352

CVE-2020-12351

BleedingTooth (Episode 93)

[USN-4593-2] FreeType vulnerability [03:23]

1 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2020-15999

Episode 93

[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-12723

CVE-2020-10878

CVE-2020-10543

[USN-4562-2] kramdown vulnerability

1 CVEs addressed in Groovy (20.10)

CVE-2020-14001

[USN-4605-1] Blueman vulnerability [04:10]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15238

Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs

& Debian maintainers to get this resolved - thanks :)

Blueman provides a dbus API to spawn DHCP client when doing

bluetooth-based networking

Would not sanitise the provided argument and would pass this directly to

dhcpcd which supports specifying a script file to run - this gets

executed as root so is a simple local root-privesc

Fixed to change the way the argument is provided to dhcpcd so that it

cannot pass arbitrary flags

Should also note, by default on Ubuntu we use isc-dhcp-client not dhcpcd

so unless you have manually installed it, this cannot be exploited

[USN-4583-2] PHP vulnerabilities

2 CVEs addressed in Groovy (20.10)

CVE-2020-7070

CVE-2020-7069

[USN-3081-2] Tomcat vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2016-1240

[USN-4603-1] MariaDB vulnerabilities

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-2814

CVE-2020-2812

CVE-2020-2760

CVE-2020-2752

CVE-2020-15180

CVE-2020-13249

[USN-4604-1] MySQL vulnerabilities

49 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14893

CVE-2020-14891

CVE-2020-14888

CVE-2020-14878

CVE-2020-14873

CVE-2020-14870

CVE-2020-14869

CVE-2020-14868

CVE-2020-14867

CVE-2020-14866

CVE-2020-14861

CVE-2020-14860

CVE-2020-14853

CVE-2020-14852

CVE-2020-14848

CVE-2020-14846

CVE-2020-14845

CVE-2020-14844

CVE-2020-14839

CVE-2020-14838

CVE-2020-14837

CVE-2020-14836

CVE-2020-14830

CVE-2020-14829

CVE-2020-14828

CVE-2020-14827

CVE-2020-14821

CVE-2020-14814

CVE-2020-14812

CVE-2020-14809

CVE-2020-14804

CVE-2020-14800

CVE-2020-14794

CVE-2020-14793

CVE-2020-14791

CVE-2020-14790

CVE-2020-14789

CVE-2020-14786

CVE-2020-14785

CVE-2020-14777

CVE-2020-14776

CVE-2020-14775

CVE-2020-14773

CVE-2020-14771

CVE-2020-14769

CVE-2020-14765

CVE-2020-14760

CVE-2020-14672

CVE-2019-14775

[USN-4607-1] OpenJDK vulnerabilities

8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14803

CVE-2020-14798

CVE-2020-14797

CVE-2020-14796

CVE-2020-14792

CVE-2020-14782

CVE-2020-14781

CVE-2020-14779

[USN-4608-1] ca-certificates update [06:41]

Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

Updates to the latest from Mozill a - removes some root CAs (expired etc)

and adds some new ones too

Goings on in Ubuntu Security Community

Ubuntu Security disclosure and embargo policy [07:17]

https://ubuntu.com/security/disclosure-policy

How to report an issue to us (LP / [email protected])

Scope (Ubuntu archive + Canonical software / infrastructure -

coordination etc)

What to expect from us

Disclosure timelines (within 1 week after updates provided, prefer

exploits etc kept private for at least 1 week after fixes available)

Safe harbour (welcome research into the software we provide but no active

probing of Canonical infra/services)

CITL releases high level details of 7000 defects [09:06]

https://cyber-itl.org/2020/10/28/citl-7000-defects.html

7000 defects/vulns across 3243 packages from Ubuntu 18.04

Automated static / dynamic analysis system (fuzzing?)

Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV

etc) - without reproducers etc

Expect package maintainers to contact them to request full details

Some package maintainers / upstreams will likely contact but we expect

this to be in the minority

Not really possible for @ubuntu_sec to triage and handle all of these but

will likely be a collective effort between distros to try and analyse

these all if CITL are willing to provide details

Without a collective effort unlikely that CVEs will get assigned and so

fixes could be missed if various upstreams just contact and fix these

themselves

Lots of open questions as to how this will play out…

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 94

Sign up to save your podcasts

Episode 94

Episode 94