December 04, 2020

Episode 99

18 minutes

Overview

This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU,

containerd, Linux kernel & more, plus we discuss the 2020 State of the

Octoverse Security Report from Github, Launchpad GPG keyserver migration, a

new AppArmor release & some open positions on the team.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-4645-1] Mutt vulnerability [00:59]

1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-28896

When connecting to an IMAP server, if the first reponse from the server

was invalid, would fail to properly terminate the connection and could

continue trying to authenticate and hence send credentials in the clear.

[USN-4646-1] poppler vulnerabilities [01:44]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2020-27778

CVE-2019-9959

CVE-2019-13283

CVE-2019-10871

CVE-2018-21009

Various memory corruption issues, all DoS-able, some RCE?

[USN-4646-2] poppler regression

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-10871

Some applications linked against poppler would fail - backed out this

fix for future

[USN-4647-1] Thunderbird vulnerabilities [02:25]

13 CVEs addressed in Groovy (20.10)

CVE-2020-26968

CVE-2020-26965

CVE-2020-26961

CVE-2020-26960

CVE-2020-26959

CVE-2020-26958

CVE-2020-26956

CVE-2020-26953

CVE-2020-26951

CVE-2020-26950

CVE-2020-16012

CVE-2020-15969

CVE-2020-15683

78.5.0

Usual web rendering type vulns - denial of service, obtain sensitive

information across origins, bypass security restrictions, conduct

phishing attacks, conduct cross-site scripting (XSS) attacks, bypass

Content Security Policy (CSP) restrictions, conduct DNS rebinding

attacks, or execute arbitrary code.

[USN-4648-1] WebKitGTK vulnerabilities [03:21]

5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-9983

CVE-2020-9952

CVE-2020-9951

CVE-2020-9948

CVE-2020-13753

dejavu with thunderbird above - latest upstream version (2.30.3) and same sorts of

vulns - including cross-site scripting attacks, denial of service

attacks, and arbitrary code execution.

[USN-4649-1] xdg-utils vulnerability [03:54]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-27748

Could cause files to be attached by not sanitizing mailto:?attach= -

particularly relevant to TB - so if a user is not paying attention, could

attach say a sensitive local file to the outgoing email

[USN-4382-2] FreeRDP vulnerabilities [05:09]

13 CVEs addressed in Bionic (18.04 LTS)

CVE-2020-13398

CVE-2020-13397

CVE-2020-13396

CVE-2020-11526

CVE-2020-11525

CVE-2020-11523

CVE-2020-11522

CVE-2020-11521

CVE-2020-11058

CVE-2020-11048

CVE-2020-11046

CVE-2020-11045

CVE-2020-11042

Episode 78 - covered this for xenial, now for bionic

[USN-4650-1] QEMU vulnerabilities [05:29]

8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-27617

CVE-2020-27616

CVE-2020-25723

CVE-2020-25625

CVE-2020-25624

CVE-2020-25085

CVE-2020-25084

CVE-2020-17380

Possible host RCE from guest via incorrect handling of SDHCI device

emulation but mitigated when using libvirt by AppArmor profile

Various issues with USB and other device emulation, crash -> DoS

[USN-4651-1] MySQL vulnerabilities [06:14]

Affecting Focal (20.04 LTS)

Tom Reynolds (tomreyn in #ubuntu-hardened) reported issue with MySQL on

20.04 had the new MySQLX plugin enabled and listenting on all network

interfaces by default -> violates no open ports principle - this update

insteads changes the configuration to bind it to localhost only - if you

were using it you may now need to change your local configuration to

purposefully change this so it is remotely accessible

[USN-4653-1] containerd vulnerability [07:27]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15257

containerd-shim API exposed from abstract unix socket to host network

containers (in same network namespace) - would validate the effective UID

of a connecting process as 0 but did not apply other access controls - so

a malicious container in same network namespace with effective UID 0 but

otherwise reduced privileges could spawn new processes via

containerd-shim with full root privileges

upstream advise against running containers in the hosts network namespace

docker.io stops on upgrade of containerd

https://discourse.ubuntu.com/t/usn-4653-1-containerd-vulnerability/19607

manual restart

server team working on a fix for this

[USN-4652-1] SniffIt vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2014-5439

[USN-4654-1] PEAR vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-28949

CVE-2020-28948

[USN-4655-1] Werkzeug vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2020-28724

CVE-2019-14806

[USN-4656-1] X.Org X Server vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-25712

CVE-2020-14360

[USN-4657-1] Linux kernel vulnerabilities [09:11]

12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2020-4788

CVE-2020-28915

CVE-2020-25705

CVE-2020-25645

CVE-2020-25643

CVE-2020-25284

CVE-2020-25211

CVE-2020-14390

CVE-2020-14351

CVE-2020-12352

CVE-2020-10135

CVE-2020-0427

Most interesting is Power 9 processers could end up exposing information

via L1 cache -> spectre-like attack could allow this to be read - fix is

similar to spectre etc - flush L1 cache when transitioning between

privilege boundaries

Thanks to Daniel Axtens from IBM for doing a lot of the heavy lifting,

working with the kernel team to provide backports etc

[USN-4658-1] Linux kernel vulnerabilities

11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-4788

CVE-2020-28915

CVE-2020-25705

CVE-2020-25645

CVE-2020-25643

CVE-2020-25284

CVE-2020-25211

CVE-2020-14390

CVE-2020-14351

CVE-2020-10135

CVE-2020-0423

[USN-4659-1] Linux kernel vulnerabilities

7 CVEs addressed in Groovy (20.10)

CVE-2020-4788

CVE-2020-28915

CVE-2020-27152

CVE-2020-25705

CVE-2020-14351

CVE-2020-10135

CVE-2020-0423

Goings on in Ubuntu Security Community

GitHub state of open source security report 2020 [10:43]

https://octoverse.github.com/static/2020-security-report.pdf

Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET),

PyPI and RubyGems

Found 94% of projects on GitHub relied on open source components - JS

packages have a median of nearly 700 transitive dependencies - cf Python

with 19

17% of advisories sampled related to explicitly malicious behaviour

(almost all in npm packages) - but most are just mistakes

Vulns go undetected for just over 4 years (218 weeks) before disclosure,

fixes though then come quick in ~4.4 weeks and then 10 weeks to alert

users of the fix

A line of code written today is just as likely to contain a vulnerability

today as 4 years ago - so we are not getting more secure over time

Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]

https://ubuntu.com/blog/migrating-the-launchpad-keyservers-from-sks-to-hockeypuck

AppArmor 3.0.1 Released [16:27]

https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1

cap checkpoint_restore for 5.9 kernels onwards plus bug fixes etc

Hiring [16:52]

AppArmor Security Engineer

https://canonical.com/careers/2114847

Engineering Director - Ubuntu Security

https://canonical.com/careers/2439068

Engineering Manager - Ubuntu Security

https://canonical.com/careers/2439058

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

December 04, 2020

Episode 99

18 minutes

Overview

This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU,

containerd, Linux kernel & more, plus we discuss the 2020 State of the

Octoverse Security Report from Github, Launchpad GPG keyserver migration, a

new AppArmor release & some open positions on the team.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-4645-1] Mutt vulnerability [00:59]

1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-28896

When connecting to an IMAP server, if the first reponse from the server

was invalid, would fail to properly terminate the connection and could

continue trying to authenticate and hence send credentials in the clear.

[USN-4646-1] poppler vulnerabilities [01:44]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2020-27778

CVE-2019-9959

CVE-2019-13283

CVE-2019-10871

CVE-2018-21009

Various memory corruption issues, all DoS-able, some RCE?

[USN-4646-2] poppler regression

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-10871

Some applications linked against poppler would fail - backed out this

fix for future

[USN-4647-1] Thunderbird vulnerabilities [02:25]

13 CVEs addressed in Groovy (20.10)

CVE-2020-26968

CVE-2020-26965

CVE-2020-26961

CVE-2020-26960

CVE-2020-26959

CVE-2020-26958

CVE-2020-26956

CVE-2020-26953

CVE-2020-26951

CVE-2020-26950

CVE-2020-16012

CVE-2020-15969

CVE-2020-15683

78.5.0

Usual web rendering type vulns - denial of service, obtain sensitive

information across origins, bypass security restrictions, conduct

phishing attacks, conduct cross-site scripting (XSS) attacks, bypass

Content Security Policy (CSP) restrictions, conduct DNS rebinding

attacks, or execute arbitrary code.

[USN-4648-1] WebKitGTK vulnerabilities [03:21]

5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-9983

CVE-2020-9952

CVE-2020-9951

CVE-2020-9948

CVE-2020-13753

dejavu with thunderbird above - latest upstream version (2.30.3) and same sorts of

vulns - including cross-site scripting attacks, denial of service

attacks, and arbitrary code execution.

[USN-4649-1] xdg-utils vulnerability [03:54]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-27748

Could cause files to be attached by not sanitizing mailto:?attach= -

particularly relevant to TB - so if a user is not paying attention, could

attach say a sensitive local file to the outgoing email

[USN-4382-2] FreeRDP vulnerabilities [05:09]

13 CVEs addressed in Bionic (18.04 LTS)

CVE-2020-13398

CVE-2020-13397

CVE-2020-13396

CVE-2020-11526

CVE-2020-11525

CVE-2020-11523

CVE-2020-11522

CVE-2020-11521

CVE-2020-11058

CVE-2020-11048

CVE-2020-11046

CVE-2020-11045

CVE-2020-11042

Episode 78 - covered this for xenial, now for bionic

[USN-4650-1] QEMU vulnerabilities [05:29]

8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-27617

CVE-2020-27616

CVE-2020-25723

CVE-2020-25625

CVE-2020-25624

CVE-2020-25085

CVE-2020-25084

CVE-2020-17380

Possible host RCE from guest via incorrect handling of SDHCI device

emulation but mitigated when using libvirt by AppArmor profile

Various issues with USB and other device emulation, crash -> DoS

[USN-4651-1] MySQL vulnerabilities [06:14]

Affecting Focal (20.04 LTS)

Tom Reynolds (tomreyn in #ubuntu-hardened) reported issue with MySQL on

20.04 had the new MySQLX plugin enabled and listenting on all network

interfaces by default -> violates no open ports principle - this update

insteads changes the configuration to bind it to localhost only - if you

were using it you may now need to change your local configuration to

purposefully change this so it is remotely accessible

[USN-4653-1] containerd vulnerability [07:27]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15257

containerd-shim API exposed from abstract unix socket to host network

containers (in same network namespace) - would validate the effective UID

of a connecting process as 0 but did not apply other access controls - so

a malicious container in same network namespace with effective UID 0 but

otherwise reduced privileges could spawn new processes via

containerd-shim with full root privileges

upstream advise against running containers in the hosts network namespace

docker.io stops on upgrade of containerd

https://discourse.ubuntu.com/t/usn-4653-1-containerd-vulnerability/19607

manual restart

server team working on a fix for this

[USN-4652-1] SniffIt vulnerability

1 CVEs addressed in Xenial (16.04 LTS)

CVE-2014-5439

[USN-4654-1] PEAR vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-28949

CVE-2020-28948

[USN-4655-1] Werkzeug vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2020-28724

CVE-2019-14806

[USN-4656-1] X.Org X Server vulnerabilities

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-25712

CVE-2020-14360

[USN-4657-1] Linux kernel vulnerabilities [09:11]

12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2020-4788

CVE-2020-28915

CVE-2020-25705

CVE-2020-25645

CVE-2020-25643

CVE-2020-25284

CVE-2020-25211

CVE-2020-14390

CVE-2020-14351

CVE-2020-12352

CVE-2020-10135

CVE-2020-0427

Most interesting is Power 9 processers could end up exposing information

via L1 cache -> spectre-like attack could allow this to be read - fix is

similar to spectre etc - flush L1 cache when transitioning between

privilege boundaries

Thanks to Daniel Axtens from IBM for doing a lot of the heavy lifting,

working with the kernel team to provide backports etc

[USN-4658-1] Linux kernel vulnerabilities

11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-4788

CVE-2020-28915

CVE-2020-25705

CVE-2020-25645

CVE-2020-25643

CVE-2020-25284

CVE-2020-25211

CVE-2020-14390

CVE-2020-14351

CVE-2020-10135

CVE-2020-0423

[USN-4659-1] Linux kernel vulnerabilities

7 CVEs addressed in Groovy (20.10)

CVE-2020-4788

CVE-2020-28915

CVE-2020-27152

CVE-2020-25705

CVE-2020-14351

CVE-2020-10135

CVE-2020-0423

Goings on in Ubuntu Security Community

GitHub state of open source security report 2020 [10:43]

https://octoverse.github.com/static/2020-security-report.pdf

Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET),

PyPI and RubyGems

Found 94% of projects on GitHub relied on open source components - JS

packages have a median of nearly 700 transitive dependencies - cf Python

with 19

17% of advisories sampled related to explicitly malicious behaviour

(almost all in npm packages) - but most are just mistakes

Vulns go undetected for just over 4 years (218 weeks) before disclosure,

fixes though then come quick in ~4.4 weeks and then 10 weeks to alert

users of the fix

A line of code written today is just as likely to contain a vulnerability

today as 4 years ago - so we are not getting more secure over time

Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]

https://ubuntu.com/blog/migrating-the-launchpad-keyservers-from-sks-to-hockeypuck

AppArmor 3.0.1 Released [16:27]

https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1

cap checkpoint_restore for 5.9 kernels onwards plus bug fixes etc

Hiring [16:52]

AppArmor Security Engineer

https://canonical.com/careers/2114847

Engineering Director - Ubuntu Security

https://canonical.com/careers/2439068

Engineering Manager - Ubuntu Security

https://canonical.com/careers/2439058

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 99

Sign up to save your podcasts

Episode 99

Episode 99