Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

April 30, 2021Episode 113
Overview
With 21 CVEs fixed this week we look at updates for Dnsmasq, Firefox,
OpenJDK and more, plus we discuss the recent release of Ubuntu 21.04 and
malicious commits in the upstream Linux kernel.
This week in Ubuntu Security Updates
21 unique CVEs addressed
[USN-4916-2] Linux kernel regression [00:48]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-29154
CVE-2021-3493
Possible memory leak introduced via fix for overlayfs priv esc vuln - so
the fix effectively introduced a new vuln but only a DoS not priv esc
[USN-4924-1] Dnsmasq vulnerabilities [01:17]
2 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-14513
CVE-2017-15107
2 DoS issues, one possible OOB read -> crash, the other a trust issue
where for DNSSEC configurations could end up having dnsmasq prove the
non-existence of hostnames that actually exist - so again a DoS but not
in the traditional sense
[USN-4925-1] Shibboleth vulnerability [01:57]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2021-28963
SSO solution for InCommon Federation system
Possible content injection bug in error or other pages since template
generation would use attacker controlled inputs
[USN-4926-1] Firefox vulnerabilities [02:19]
12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Groovy (20.10), Focal (20.04 LTS)
CVE-2021-24002
CVE-2021-23995
CVE-2021-29947
CVE-2021-29946
CVE-2021-29945
CVE-2021-24001
CVE-2021-24000
CVE-2021-23999
CVE-2021-23998
CVE-2021-23997
CVE-2021-23996
CVE-2021-23994
88.0
Usual web issues plus a possible UAF in responsive design mode as well as
an issue in FTP client where specially crafted FTP URL (ie one containing
newlines) could embed FTP commands and cause the client to execute
arbitrary FTP commands to the server
FTP client in Firefox is deprecated and disabled by default now -
expected to be removed in a future release
[USN-4927-1] File Roller vulnerability [03:46]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-36314
Incomplete fix for previous CVE-2020-11736 (Episode 72) - directory
traversal via symlink issue on extraction of archives
[USN-4892-1] OpenJDK vulnerability [04:15]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-2163
Latest upstream point release to fix an issue where would fail to
properly verify signatures on crafted JARs - could bypass security
restrictions if a JAR is signed with an algorithm that is disabled
[USN-4922-2] Ruby vulnerability [04:35]
1 CVEs addressed in Hirsute (21.04)
CVE-2021-28965
First USN for Hirsute \o/
XML deserialisation issue
[USN-4913-2] Underscore vulnerability [04:49]
1 CVEs addressed in 21.04
CVE-2021-23358
Code injection via template function due to failure to properly handle
untrusted input
Goings on in Ubuntu Security Community
Ubuntu 21.04 Hirsute Hippo Released [05:05]
Standard support release, supported for 9 months
Private home dirs
Kernel 5.11
Stack protector for RISC-V
Improved performance for Spectre mitigations via static calls
Initial support for memory tagging for ARM64
Will require support in glibc etc but this is an initial start to
providing improved protection against memory corruption vulns
OpenSSH 8.4
Improved support for FIDO/U2F keys for 2FA
Hypocrite commits and the upstream Linux kernel [07:38]
First came to light in November 2020 when one of the authors of a paper
from University of Minnesota tweeted about the acceptance of their paper
to IEEE S&P 2021 - this showed the first page of the paper and seemed to
indicate that for the purposes of academic research a number of malicious
commits (ie commits that when added to the kernel would create a
vulnerability) had been introduced into the upstream kernel.
Lots of blowback at the time amongst both kernel devs, other researchers
etc regarding both the ethics of effectively experimenting on subjects
without their consent and the concept of purposely introducing vulns just
for the sake of research purposes
The researchers claimed they followed these up with subsequent commits to
fix the vulns and so none actually would have made it to end users so
they thought it was effectively done
At this stage as a team we thought this was interesting but effectively
just demonstrating something that most folks in OSS always knew was a
potential reality - that once a contributor to a project builds a certain
level of trust it would be relatively easy to introduce vulns like this
in a stealthy manner and that the best defence would be better automated
review tooling (static/dynamic analysis via CI etc) rather than trying to
rely on human reviewers to detect
Issue again came to light recently when the paper was made available in
full and it was revealed that 3 malicious commits were potentially
integrated into the upstream kernel - actually only 1 was ACKed and then
this was rejected and the other 2 were rejected outright. Recently,
GregKH weighed in and effectively blacklisted all contributions from UMN
and proposed to revert all commits that had come from umn.edu authors
Not surprisingly, most of these were NOT malicious and so took careful
review by various developers to decide which should NOT be reverted as
lots of them did actually fix legitimate issues
Researchers then apologised and so only a few commits actually got
reverted as a result
In the end it highlights how OSS development is built on trust and how
this can be abused in either direction - tempting to jump to technical
solutions (ie better static analysis/CI etc) but this will never be
foolproof - also need the ability to move fast so can get say reverts
done and delivered to users, and also to build good relationships BUT in
the end need to still be wary - “trust but verify” - both on a technical
basis and also on a personal basis so we can better understand the
provenance of code etc
Hiring [14:36]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
17min
April 16, 2021Episode 112
Overview
This week we look at a reboot of the DWF project, Rust in the Linux kernel,
an Ubuntu security webinar plus some details of the 45 CVEs addressed
across the Ubuntu releases this last week and more.
This week in Ubuntu Security Updates
45 unique CVEs addressed
[LSN-0075-1] Linux kernel vulnerability [01:01]
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-27365
CVE-2021-27364
CVE-2021-27363
CVE-2021-3444
CVE-2020-29374
CVE-2020-29372
CVE-2020-27171
CVE-2020-27170
madvise issue reported by Jann Horn -
BPF spectre mitigations fixes (Episode 109)
[USN-4903-1] curl vulnerability [02:02]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-22876
Episode 110 - leaking credentials via HTTP Referer header
[USN-4896-2] lxml vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-28957
Episode 110
[USN-4899-2] SpamAssassin vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-1946
Episode 110
[USN-4905-1] X.Org X Server vulnerability [02:26]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3472
Local user (X client) could crash the server via Xinput extension and
ChangeFeedbackControl request - integer underflow -> heap buffer overflow
[USN-4906-1] Nettle vulnerability [03:31]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20305
Low level crypto library used by lots of packages - chrony, dnsmasq,
lighttpd, qemu, squid, supertuxkart
Could en up calling EC multiply with out-of-range scalers - as a result
would get incorrect results during EC signature verification and so could
allow an attacker to trigger an assertion failure -> DoS OR force an
invalid signature - bypass verification
[USN-4904-1] Linux kernel vulnerabilities [04:27]
11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2021-28038
CVE-2021-26931
CVE-2021-26930
CVE-2021-20261
CVE-2019-19061
CVE-2019-16232
CVE-2019-16231
CVE-2018-13095
CVE-2017-5967
CVE-2017-16644
CVE-2015-1350
[USN-4907-1] Linux kernel vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2021-3348
CVE-2021-3347
CVE-2018-13095
[USN-4909-1] Linux kernel vulnerabilities
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3348
CVE-2021-26931
CVE-2021-26930
CVE-2021-20194
[USN-4910-1] Linux kernel vulnerabilities
5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3178
CVE-2021-3348
CVE-2021-3347
CVE-2021-20268
CVE-2021-20239
[USN-4911-1] Linux kernel (OEM) vulnerabilities
4 CVEs addressed in Focal (20.04 LTS)
CVE-2021-28950
CVE-2021-28375
CVE-2021-28038
CVE-2020-25639
[USN-4912-1] Linux kernel (OEM) vulnerabilities
14 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3178
CVE-2021-3411
CVE-2021-20194
CVE-2020-36158
CVE-2020-27830
CVE-2020-25669
CVE-2020-25645
CVE-2020-25285
CVE-2020-14390
CVE-2020-14351
CVE-2020-0466
CVE-2020-0465
CVE-2020-0423
CVE-2021-29154
Piotr Krysiuk - BPF JIT - invalid branch displacement - could allow OOB
memory read/write -> code exec or at least crash - unpriv in Ubuntu so
could then allow an unprivileged user to get kernel code exec
Thanks to kernel team for handling these issues - lots of kernel security
issues at the moment so thanks for their hard work
Goings on in Ubuntu Security Community
DWF v2 [07:25]
https://lwn.net/Articles/851849/
https://iwantacve.org/
https://twitter.com/CVEannounce/status/1368992488464203777
Rust support for Linux kernel [10:12]
https://lore.kernel.org/lkml/[email protected]/
https://security.googleblog.com/2021/04/rust-in-linux-kernel.html
Securing open source from cloud to edge webinar [12:19]
https://www.brighttalk.com/webcast/6793/440517
Ubuntu is built with security in mind from the ground up, and how we keep
you protected against major vulnerabilities
How you can ensure performant open source in production environments
Specific security services that can help you achieve maximum availability
by reducing downtime and providing access to high and critical CVE fixes
Ubuntu helps organisations remain compliant with government and industry
standards and regulations, including Common Criteria EAL2 with FIPS 140-2
Level 1 certified crypto modules
Hiring [13:13]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
15min
April 08, 2021Episode 111
Overview
This week we look at how Ubuntu is faring at Pwn2Own 2021 (which still has
1 day and 2 more attempts at pwning Ubuntu 20.10 to go) plus we look at
security updates for SpamAssassin, the Linux kernel, Rack and Django, and
we cover some open positions on the Ubuntu Security team too.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-4899-1] SpamAssassin vulnerability [00:46]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-1946
Damian Lukowski - remote code execution in configuration file parser for
SpamAssassin - failed to properly sanitise certain elements of config
files so could allow an attacker to specify commands to be executed by
SpamAssassin - if not using configs from untrusted sources should be fine
[USN-4900-1] OpenEXR vulnerabilities [01:40]
6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3479
CVE-2021-3478
CVE-2021-3477
CVE-2021-3476
CVE-2021-3475
CVE-2021-3474
Usual mix of memory corruption vulns in this image processing library -
DoS via memory consumption, integer overflow -> buffer overflow -> RCE
etc from crafted image files
[USN-4901-1] Linux kernel (Trusty HWE) vulnerabilities [02:24]
4 CVEs addressed in Precise ESM (12.04 ESM)
CVE-2021-27364
CVE-2021-27363
CVE-2020-28374
CVE-2021-27365
3.13 kernel used as the HWE kernel from 14.04 backported to 12.04 ESM
iSCSI issues from Episode 109 plus LIO SCSI XCOPY issue from Episode 102
[USN-4561-2] Rack vulnerabilities [03:27]
2 CVEs addressed in Xenial (16.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-8184
CVE-2020-8161
Modular Ruby webserver interface
Episode 93 - 18.04 LTS - now provided for remaining releases
[USN-4902-1] Django vulnerability [03:53]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-28658
Potential directory traversal via uploaded files - if using a custom
upload handler with the MultiPartParser from the django parsers
framework, could have been vulnerable - didn’t affect any of the built-in
upload parsers within django hence the low priority rating for this CVE
Goings on in Ubuntu Security Community
Ubuntu at Pwn2Own 2021 [04:47]
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
6th, 7th & 8th April - 23 separate entries targeting 10 different
products in the categories of Web Browsers, Virtualization, Servers,
Local Escalation of Privilege, and Enterprise
Communications (aka Zoom, MS Teams etc)
14 years - grows each year to include new targets / platforms - this year
included categories for both automotive (Tesla Model 3) and Enterprise
applications (MS Office, Adobe Reader) - but neither had any entrants
4 different teams targeted Ubuntu Desktop in local privilege escalation
category - go from a standard user to root - and pwn2own rules say this
must be via a kernel vulnerability - in this case it is an up-to-date
Ubuntu 20.10 install running inside a virtual machine
Attempts on day 1 and 2 were both successful - Ryota Shiga of Flatt
Security and Manfred Paul both used separate OOB access bugs to escalate
from a standard user to root
each earned $30,000 and 3 points in the competitions Master of Pwn
award
Tomorrow (8th) will see two more attempts by Billy from STAR Labs and
Vincent Dehors of Synacktiv - this will be live-streamed too on YouTube,
Twitch, and the conference site.
Also not just Ubuntu was exploited - so far all teams who have attempted
to exploit have been successful - Safari, MS Exchange, MS Teams, Windows
10, Parallels Desktop, Chrome, Microsoft Edge, Zoom
only exception so far is for STAR Labs who have not managed to get
their exploits working in the allotted time
More details to follow once the vulns and their fixes become public -
competition has a 90 day policy for fixes to be public but I suspect we
will see these sooner than that - regardless will look at remaining results of
other 2 teams next week as well
Hiring [10:03]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
April 01, 2021Episode 110
Overview
This week we look at 2 years of 14.04 ESM, a kernel Livepatch issue,
DNS-over-HTTPS for Google Chrome plus security updates for ldb, OpenSSL,
Squid, curl and more.
This week in Ubuntu Security Updates
38 unique CVEs addressed
[USN-4888-1, USN-4888-2] ldb vulnerabilities [01:06]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27840
CVE-2021-20277
In the ldb package but was reported by Samba - libldb provides an
LDAP-like database - is used internally by Samba etc - and whilst the
Samba package contains a copy of ldb internally we don’t compile this in
Ubuntu, instead we link it against the ldb package in the repo so we only
have to patch a CVE in one place
Heap buffer overflow when parsing a DN string with lots of trailing
whitespace - allows to place a single NUL byte at a chosen offset before
an allocated buffer
Heap buffer overflow when parsing an LDAP attribute string with multiple
consecutive leading spaces - memmove() to a location beyond the end of
the buffer
Crash -> DoS, can’t rule out RCE due to nature of heap buffer overflows
[USN-4889-1] Linux kernel vulnerabilities [02:49]
3 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-27364
CVE-2021-27363
CVE-2021-27365
iSCSI issues discussed in Episode 109 (most interesting was various heap
buffer overflows that could possibly be used for codeexec)
[USN-4890-1] Linux kernel vulnerabilities [03:09]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-27170
CVE-2020-27171
BPF speculative execution issues also discussed in Episode 109
[USN-4891-1] OpenSSL vulnerability [03:26]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3449
NULL ptr deref when processing signature algorithms - could allow a
remote client to crash a server during renegotiation
[USN-3685-2] Ruby regression
9 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2018-8777
CVE-2018-1000074
CVE-2017-17742
CVE-2017-10784
CVE-2017-14064
CVE-2017-0902
CVE-2017-0901
CVE-2017-0898
CVE-2017-0903
[USN-4893-1] Firefox vulnerabilities [03:47]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23986
CVE-2021-23985
CVE-2021-23984
CVE-2021-23988
CVE-2021-23987
CVE-2021-23983
CVE-2021-23982
CVE-2021-23981
87.0 - various web issues (malicious website -> XSS, DoS, RCE etc) plus
some specific fixes for issues which could allow extensions to either
spoof website pop-ups or to read the response of various cross-origin
requests, plus a silent enabling of the DevTools remote debugging feature
(so a local attacker could modify the browser config to turn this on
without any hint to the user, and then a remote attacker could use this
to snoop on the browser session)
[USN-4894-1] WebKitGTK vulnerabilities [04:49]
7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-1870
CVE-2021-1801
CVE-2021-1799
CVE-2021-1789
CVE-2021-1765
CVE-2020-29623
CVE-2020-27918
Usual web issues - malicious website -> XSS, DoS, RCE etc
[USN-4895-1] Squid vulnerabilities [05:19]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25097
CVE-2020-15049
2 different HTTP request smuggling attack issues - one could result in
possible cache poisoning and the other in the ability to bypass security
controls and access forbidden services
[USN-4896-1] lxml vulnerability [05:39]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-28957
Mishandled HTML attributes which could allow a remote attacker to perform
XSS - depends on how lxml is used in application context
[USN-4897-1] Pygments vulnerability [06:03]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27291
Another pygments vuln (Episode 109) - this one due to the use of regex in
various lexers, these have exponential or cubic complexity so could allow
an attacker to DoS via CPU
[USN-4898-1] curl vulnerabilities [06:38]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-22890
CVE-2021-22876
Failed to strip credentials from referrer headers - could then be leaked
Incorrect handling of session tickets when using an HTTPS proxy -
attacker who controlled the proxy could cause curl to bypass cert checks
and intercept comms as a result - only affected later Ubuntu releases
(20.04 LTS, 20.10)
Goings on in Ubuntu Security Community
Livepatch incident for CVE-2020-29372 [07:26]
https://ubuntu.com/blog/livepatch-2021-03-24-incident-investigation-report
Summary of 14.04 ESM so far [09:39]
https://ubuntu.com/blog/what-lies-after-lts-two-years-of-ubuntu-14-04-in-esm
DoH coming for Google Chrome on Linux [11:01]
https://www.bleepingcomputer.com/news/security/google-chrome-for-linux-is-getting-dns-over-https-but-theres-a-catch
Targeting chrome 91 but perhaps more likely 92 (89 is current stable
release, new release every 6 weeks)
Needs to parse /etc/nsswitch.conf - uses the hosts: entry and expects
‘files dns’ - should hopefully also support mdns4_minimal so that then
this would work with Ubuntu OOTB (since on 20.04 we use these 3 resolvers
by default)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min
March 26, 2021Episode 109
Overview
This week we look at security updates for containerd, Ruby, the Linux
kernel, Pygments and more, plus we cover some open positions within the
team as well.
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-4881-1] containerd vulnerability [00:38]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-21334
When using the containerd CRI implementation (kubernetes container
runtime interface) - would share environment variables etc between
containers that shared the same image - so could allow an inadvertent
info leak from one container to another - race condition so would be less
likely to occur if not launching containers in rapid succession which
share the same image
[USN-4882-1] Ruby vulnerabilities [01:27]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25613
CVE-2020-10933
CVE-2020-10663
Crafted JSON could result in RCE - could create a malicious object within
the interpreter
Possible info leak via unintialised memory across socket operations -
heap info leak so could expose sensitive data from the interpreter
Failure to validate xfer encoding header - could bypass reverse proxy and
so be vulnerable to HTTP request smuggling attacks
[USN-4883-1] Linux kernel vulnerabilities [02:32]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2021-27364
CVE-2021-27363
CVE-2021-27365
4.15 kernel for bionic + 4.4 kernel for xenial
3 iSCSI issues, most important was heap overflow that could be exploited
by a local attacker -> code-exec as root
Other 2 are info leak via kernel pointers being disclosed to userspace
and a OOB read -> crash or possible infoleak
[USN-4884-1] Linux kernel (OEM) vulnerabilities [03:13]
3 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3348
CVE-2021-3347
CVE-2021-20194
OEM kernel - 5.10
UAF in network block device driver - local attacker could exploit for
crash/codexec
[USN-4885-1] Pygments vulnerability [03:36]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20270
infinite loop -> CPU based DoS when parsing crafted Standard ML files -
input file containing just ’exception’ would be enough to trigger this
[USN-4886-1] Privoxy vulnerabilities [04:18]
14 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20214
CVE-2021-20211
CVE-2021-20276
CVE-2021-20212
CVE-2021-20275
CVE-2021-20273
CVE-2021-20272
CVE-2021-20217
CVE-2021-20216
CVE-2021-20215
CVE-2021-20213
CVE-2021-20210
CVE-2021-20209
CVE-2020-35502
Privacy enhancing HTTP proxy
Incorrect handling of:
CGI requests -> DoS/info-leak
regexes -> DoS (crash + mem-leak)
client tags -> DoS (memory leaks)
[USN-4887-1] Linux kernel vulnerabilities [05:03]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27364
CVE-2021-27363
CVE-2020-27170
CVE-2020-27171
CVE-2021-27365
CVE-2021-3444
BPF verifier failed to properly handle mod32 destination register
truncation when source register was known to be 0 -> could be turned into
an arbitrary memory read -> info-leak - and can’t rule out arbitrary
memory write -> RCE
Spectre mitigations for BPF were found to be insufficient - could allow
an attacker to read entirety of kernel memory via speculative execution
attack through BPF
iSCSI issues discussed earlier too
Goings on in Ubuntu Security Community
Hiring [07:04]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Ubuntu Security Engineer
https://canonical.com/careers/2612092/ubuntu-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
9min
March 19, 2021Episode 108
Overview
This week we start preparing for 16.04 LTS to transition to Extended
Security Maintenance, plus we look at security updates for OpenSSH, Python,
the Linux kernel and more, as well as some currently open positions on our
team.
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-4762-1] OpenSSH vulnerability [00:54]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-28041
Double free in ssh-agent - so only affects openssh-client and where the
ssh-agent socket is able to be accessed by other users etc - on moderns
systems the socket is only accessible by the owner so would need to have
forwarded the ssh-agent to an attacker controlled host perhaps to be
vulnerable..
[USN-4763-1] Pillow vulnerabilities [01:50]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27923
CVE-2021-27922
CVE-2021-27921
CVE-2021-25293
CVE-2021-25292
CVE-2021-25290
CVE-2021-25291
CVE-2021-25289
Python imaging library - uses C libraries like libjpeg for actual image
handling so ends up with usual mix of C memory corruption issues - OOB
read/write etc - crash, code exec
[USN-4754-3] Python vulnerabilities [02:50]
7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3177
CVE-2020-27619
CVE-2020-26116
CVE-2020-8492
CVE-2019-20907
CVE-2019-17514
CVE-2019-9674
Good illustration of main vs universe split - multiple python
versions in different releases - 2.7 in main X+B, but universe in F+G,
3.5 in X, 3.6 in B, 3.8 in F+G - but we still have 2.7 in universe on
those releases as well - so this update addresses the same vulns in
universe
[USN-4764-1] GLib vulnerability [04:57]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-28153
g_file_replace() on a dangling symlink would also create the target of
the symlink as an empty file (but only if did not already exist)
[USN-4876-1] Linux kernel vulnerabilities [05:49]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2021-3178
CVE-2020-36158
CVE-2020-29569
4.4 (xenial + trusty esm)
[USN-4877-1] Linux kernel vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2021-3178
CVE-2020-36158
4.15
[USN-4878-1] Linux kernel vulnerabilities
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3178
CVE-2021-3347
CVE-2021-20239
CVE-2020-36158
5.4
[USN-4879-1] Linux kernel vulnerabilities
2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20194
CVE-2020-36158
5.8
Marvell wifi driver buffer overflow - could be triggered by a malicious
remote device sending a overly long ad-hoc SSID value - DoS, RCE
[USN-4880-1] OpenJPEG vulnerabilities [07:00]
5 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-27845
CVE-2020-27841
CVE-2020-27824
CVE-2020-27823
CVE-2020-27814
Various memory corruption issues fixed in openjpeg - DoS, RCE etc
Goings on in Ubuntu Security Community
Preparing for 16.04 ESM transition [07:35]
https://wiki.ubuntu.com/SecurityTeam/ESM/16.04
https://ubuntu.com/blog/ubuntu-16-04-lts-upgrade-vs-esm
https://ubuntu.com/engage/16-04-ESM-webinar
Lech Sandecki and Rick Harding discuss key concerns for preparing for
16.04 to move to ESM
Hiring [10:17]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Ubuntu Security Engineer
https://canonical.com/careers/2612092/ubuntu-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
12min
March 12, 2021Episode 107
Overview
This week we check on the status of the pending GRUB2 Secure Boot updates
and detail some open positions within the team, plus we look at security
updates for GLib, zstd, Go, Git and more.
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4757-2] wpa_supplicant and hostapd vulnerability [00:45]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-27803
P2P/wifi direct UAF -> crash, RCE from Episode 106
[USN-4733-2] GNOME Autoar regression [01:23]
Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Episode 104 - upstream patch caused a regression such that folders within
the archive may fail to be extracted - once noticed and fixed by upstream
we have now included this too
[USN-4759-1] GLib vulnerabilities [02:06]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27219
CVE-2021-27218
Possible integer overflow when allocation memory due to implicit cast
from a 64-bit long to a 32-bit int when allocating memory - g_memdup()
function takes an 32-bit int argument but is called by g_bytes_new()
which takes a gsize 64-bit argument. Ends up allocating much less memory
than expected, then later when this is copied into a buffer overflow can
occur.
Since g_memdup() is a public API, can’t just change it to take a gsize as
argument since this would break the ABI - so instead added g_memdup2()
and converted internal callers to use this - but other applications
should think about porting to this new API to avoid this sort of issue
(and audit their own code to check they don’t have similar implicit
integer overflow issues)
[USN-4760-1] libzstd vulnerabilities [04:44]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-24032
CVE-2021-24031
Files created with default permissions - so was patched to chmod() so
only owner could read/write them
But this introduced a race condition where the file initially still has
the default permissions so a different user could potentially access it
during that time until the chmod() call is made - so was deemed an
incomplete fix for the first CVE - second CVE allocated for this
incomplete fix - instead changed to set umask() before creating the file
in the first place so permissions get set properly at creation
[USN-4758-1] Go vulnerability [05:41]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-24553
Possible XSS issue in CGI and FastCGI impl since go would treat non-HTML
data as HTML and so would return a text/html content-type which would
then be served as such by the webserver even if it had been uploaded with
a different content type
Thanks to Dariusz Gadomski from SEG team for preparing these fixes (since
these versions of golang are in universe on these Ubuntu releases)
[USN-4761-1] Git vulnerability [06:59]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-21300
Possible code execution by local git client when cloning a malicious
remote repository - local client would need a git filter to be
installed - like git LFS - and would have to be on a case-insensitive
file-system - so would be a more common scenario for Windows users but
unlikely to affect Linux users - patched anyway
Goings on in Ubuntu Security Community
GRUB2 updates still in progress [08:54]
Still being tested internally by our hardware certification lab and
others and some minor tweaks being made, plus shim devel work is still
ongoing, thanks to Dimitri John Ledkov from Foundations team for handling
that work, as well as all the one-grub work too
Hiring [09:53]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Ubuntu Security Engineer
https://canonical.com/careers/2612092/ubuntu-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
March 04, 2021Episode 106
Overview
This week we talk about more BootHole-like vulnerabilities in GRUB2, a
Spectre exploit found in-the-wild, security updates for xterm, screen,
Python, wpa_supplicant and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-4698-2] Dnsmasq regression [00:44]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2019-14834
CVE-2020-25686
CVE-2020-25685
CVE-2020-25684
CVE-2020-25683
CVE-2020-25682
CVE-2020-25687
CVE-2020-25681
Relates to a dnsmasq update done back in January - upstream fixes results
in regressions in some network environments - backported the resulting
additional fixes from upstream to resolve these
[USN-4746-1] xterm vulnerability [01:14]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021 -27135
taviso - crafted UTF-8 could cause a crash - related to very similar bug
in screen
[USN-4747-1, USN-4747-2] GNU Screen vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-26937
Crash in screen from crafted UTF-8 - found by users crashing a minecraft
server with this crafted content - ? - server was running under screen so
would log this crafted content - screen dies, minecraft server dies -
lots of tutorials for running a minecraft server mention to run it under
screen so this is a common thing apparently
[USN-4748-1] Linux kernel vulnerabilities [02:54]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-29661
CVE-2020-29660
CVE-2020-29568
CVE-2020-29374
CVE-2020-27815
[USN-4749-1] Linux kernel vulnerabilities
9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-29661
CVE-2020-29660
CVE-2020-29569
CVE-2020-29568
CVE-2020-29374
CVE-2020-28941
CVE-2020-27830
CVE-2020-27815
CVE-2020-25669
[USN-4750-1] Linux kernel vulnerabilities
10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-20177
CVE-2020-29661
CVE-2020-29660
CVE-2020-29569
CVE-2020-29568
CVE-2020-28588
CVE-2020-28941
CVE-2020-27830
CVE-2020-27815
CVE-2020-25669
[USN-4751-1] Linux kernel vulnerabilities
18 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-35508
CVE-2020-29661
CVE-2020-29660
CVE-2020-29569
CVE-2020-29568
CVE-2020-28974
CVE-2020-28588
CVE-2020-27835
CVE-2020-28941
CVE-2020-27830
CVE-2020-27815
CVE-2020-27777
CVE-2020-27675
CVE-2020-27673
CVE-2020-25704
CVE-2020-25669
CVE-2020-25668
CVE-2020-25656
[USN-4752-1] Linux kernel (OEM) vulnerabilities
20 CVEs addressed in Focal (20.04 LTS)
CVE-2020-35508
CVE-2020-29661
CVE-2020-29660
CVE-2020-29371
CVE-2020-29369
CVE-2020-29368
CVE-2020-28915
CVE-2020-28588
CVE-2020-27815
CVE-2020-27152
CVE-2020-25704
CVE-2020-25643
CVE-2020-25641
CVE-2020-25284
CVE-2020-25212
CVE-2020-24490
CVE-2020-15437
CVE-2020-15436
CVE-2020-14314
CVE-2020-10135
[USN-4753-1] Linux kernel (OEM) vulnerability
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3178
CVE-2020-28374
[USN-4754-1] Python vulnerabilities [03:07]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3177
CVE-2020-27619
unsafe sprintf() call to format doubles - heap buffer overflow - BUT on
Ubuntu Python (like the vast majority of the archive) is compiled with
FORTIFY_SOURCE - just one of various hardening features - so can detect
some buffer overflows at runtime - turns this into a DoS
test code calls eval on content received via HTTP - so if ran the tests
and someone could interpose on connection, could get RCE
[USN-4754-2] Python regression
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-27619
CVE-2021-3177
[USN-4754-4] Python 2.7 vulnerability
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-27619
CVE-2021-3177
[USN-4755-1] LibTIFF vulnerabilities [04:21]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-35524
CVE-2020-35523
Heap buffer overflow in tiff2pdf tool and integer overflow -> buffer
overflow from crafted tiff file input
[USN-4737-2] Bind vulnerability [04:39]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-8625
Episode 105
[USN-4757-1] wpa_supplicant and hostapd vulnerability [04:53]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27803
When using P2P could result in a UAF -> crash or possible RCE from a
remote user within local radio range
Goings on in Ubuntu Security Community
GRUB2 Secure Boot Bypass 2021 [05:31]
https://ubuntu.com/blog/grub2-secure-boot-bypass-2021
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
https://discourse.ubuntu.com/t/grub2-secureboot-bypass-2021-and-one-grub/21200
First Spectre Exploit discovered in the wild [09:47]
https://dustri.org/b/spectre-exploits-in-the-wild.html
Uploaded to VT last month - not the first artefacts the use Spectre to be
uploaded - back in 2018 the original PoCs and various variants thereof
were uploaded to VT but these were all benign.
This one is a real exploit with versions targeting Windows and Linux -
the Linux variant reads /etc/shadow by default - it does this by spawning
a call to su to get the file paged into memory, then by walking in-kernel
file-system structures through their spec exec read gadget to eventually
read and dump out the file
Was developed by Immunity as part of their CANVAS tool
(https://vimeo.com/271127615)
Linux Mint to more forcefully encourage security updates be installed [12:02]
https://blog.linuxmint.com/?p=4037
Update manager will track metrics, can then detect cases where updates
are overlooked, remind or even insist to apply updates
Focus on not getting in the way, here to help, employ smart patters and
usages, will be configurable etc
Still forming strategies but space to watch
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min
February 25, 2021Episode 105
Overview
This week we discuss security updates in Linux Mint, Google funding Linux
kernel security development and details for security updates in BIND,
OpenSSL, Jackson, OpenLDAP and more.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-4737-1] Bind vulnerability [00:45]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-8625
If using GSS-TSIG could be vulnerable to a DoS or possible RCE - this
option is not enabled by default BUT is often used when bind is
integrated with Samba or with a AD-DC. In Ubuntu we confine BIND with an
AppArmor profile by default isolates BIND quite tightly so helps to
mitigate any affect a possible RCE attack could have.
Was interesting to see upstream released 2 advisories that some of
their upstream version updates (e.g. 9.16.12) for this caused some
regressions as this included some new as well features - and they
specifically ended up recommended downstreams ship the prior version
(9.16.11) with just the fix for this backported - this is what we do in
Ubuntu precisely for this reason, to minimise the chance of introducing
regressions in our security updates by only backporting the patch for
the particularly vulnerability
[USN-4738-1] OpenSSL vulnerabilities [02:13]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23841
CVE-2021-23840
NULL ptr deref when parsing malicious issuer fields in X509
certificates - crash, DoS
Possible buffer overflow if some library functions were used in an
unlikely manner - had to specify an input length that was close to the
bounds of an integer size of the platform - so only if calling with a
buffer of INT_MAX or similar could this be an issue
[USN-4745-1] OpenSSL vulnerabilities [02:56]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2021-23841
CVE-2020-1971
NULL ptr deref above plus separate NULL pointer deref in handling of
EDIPartyNames as discussed in Episode 100
[USN-4739-1] WebKitGTK vulnerability [03:25]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-13558
UAF in audio handling - specially crafted webpage could cause an RCE on
local machine
[USN-4741-1] Jackson vulnerabilities [03:40]
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-10172
CVE-2017-7525
CVE-2017-15095
JSON processor for Java - allows to map JSON to Java objects
Flaws in (de)serialization could expose various classes to being mapped
to the resulting input and hence allow a remote code execution attack -
fix is to deny various classes being mapped as a result
Also fixed an XML external entity issue that could also result in RCE
[USN-4740-1] Apache Shiro vulnerabilities [04:20]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-1957
CVE-2020-11989
2 different possible authentication bypass issues when using with Spring
dynamic controllers
[USN-4742-1] Django vulnerability [04:33]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23336
Possible web-cache poisoning attack - due to difference in handling of
requests between the proxy and the server - malicious requests can be
cached as they look like safe ones due to difference in interpretation
[USN-4743-1] GDK-PixBuf vulnerability [05:06]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20240
Integer underflow in GIF loader - code execution?
[USN-4744-1] OpenLDAP vulnerability [05:27]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-27212
Assertion failure could be triggered by crafted timestamp content -> crash, DoS
[USN-4467-3] QEMU regression [05:46]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-13754
In patching previous vulnerabilities in QEMU, we backported various
patches but missed some related to riscv emulation so would cause a
possible crash in this case - fixed to add missing patches to resolve
this crash issue
Goings on in Ubuntu Security Community
Linux Mint users being slow with security updates, running old versions [06:33]
https://www.zdnet.com/article/top-linux-distro-tells-users-stop-using-out-of-date-versions-update-your-software-now/
https://www.theregister.com/2021/02/23/linux_mint_team_berates_users/
https://blog.linuxmint.com/?p=4030
Blog post from lead developer Clem (Clement Lefebvre) discussing how
Linux Mint users seem to not be installing updates
Linux Mint is a Ubuntu derivative - uses the Ubuntu archives plus some of
their own repos - so in general all security updates for Ubuntu get
propagated to Linux Mint - cf. relationship between Ubuntu and Debian.
Interesting history in regards to security
In Febrary 2016, website was hacked and the link to the installer ISO
was modified to point to a malicious one with a backdoor -
https://blog.linuxmint.com/?p=2994
Recommend to turn of UEFI Secure Boot since their shim is not signed by
Microsoft
Update Manager would offer security updates but would rate them in
supposed terms of safety - so would in essence deter users from
installing some security updates - and also would not select to install
some updates which they deemed as more risky - but how did they assign
this safety level? Based more on if a component was critical to boot
(kernel/firmware would get rated as more risky) than anything to do
with the actual update itself. So was intended to help guide users BUT
created a system where users believed they were “safer” in terms of
stability, but in fact were less safe in terms of security.
This created an impression that Linux Mint either blocked security
updates or actively discouraged users from installing them -
https://distrowatch.com/weekly.php?issue=20170320#myth
These levels were removed in the 19.2 release but it seems users are
still wary
30% of users apply updates in less than a week (based on recent Firefox update)
30% of users are still running 17.x - EOLd in April 2019 - (based on
Ubuntu 14.04)
So it is not really surprising given their past history that their
userbase is wary of security updates and are perhaps putting themselves
at risk as a result by delaying installing security updates
But good to see they are now actively encouraging users to install
security updates
Use of timeshift is interesting as a mitigation against possible issues
with security updates
Also was interesting to see they published an emergency update just for
Firefox for the 17.x release to upgrade this from 66.0 to 78 ESR - so
this gives some protection but perhaps again lessens the incentive for
these users to upgrade to a newer supported release of Linux Mint
Google funds Linux kernel developers to work exclusively on security [14:20]
https://www.linuxfoundation.org/en/press-release/google-funds-linux-kernel-developers-to-focus-exclusively-on-security/
Gustavo Silva and Nathan Chancellor
Chancellor - Triaging and fixing bugs found via Clang/LLVM, CI systems
Already leading a lot of the upstream ClangBuiltLinux work
Silva - KSPP related work on eliminating bug classes - VLAs etc
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
February 19, 2021Episode 104
Overview
This week we take a look at a long-awaited update of Thunderbird in Ubuntu
20.04LTS, plus security updates for Open vSwitch, JUnit 4, PostSRSd, GNOME
Autoar and more.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-4729-1] Open vSwitch vulnerability [00:55]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-35498
Most convoluted CVE description: A vulnerability was found in
openvswitch. A limitation in the implementation of userspace packet
parsing can allow a malicious user to send a specially crafted packet
causing the resulting megaflow in the kernel to be too wide, potentially
causing a denial of service. The highest threat from this vulnerability
is to system availability.
[USN-4731-1] JUnit 4 vulnerability [02:05]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-15250
Tests that used rule TemporaryFolder would use /tmp which is world
accessible - so contents could be read by other users - so if tests were
writing API keys or passwords these would be able to be read by others
users -> info disclosure. Fixed to create temp directory with permissions
so it is only readable by the owner.
[USN-4730-1] PostSRSd vulnerability [02:57]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-35573
Postfix Sender Rewriter Scheme Daemon - Used for rewriting sender email
addresses when forwarding emails from hosts that use SPF - rewrites the
address to appear to come from your hosts address and allows you to do
the inverse and appropriately handle and bounces etc by reverse-rewriting
the sender address to recover the original address
Could cause a CPU based DoS by excessive processing if an email contained
an exceedingly long SRS timestamp - fixed to just reject those which are
past the expected regular size
[USN-4732-1] SQLite vulnerability [04:20]
1 CVEs addressed in Groovy (20.10)
CVE-2021-20227
Only affected more recent releases of sqlite - could cause a crash on
particular query constructs
[USN-4733-1] GNOME Autoar vulnerability [04:42]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-36241
Another archive extraction symlink traversal issue - gnome-autoar is a
library used by nautilus and other gnome components when handling
archives - ie right click an archive in nautilus and select “extract
here”
If an archive contained a file whose parent was a symlink that pointed
outside the destination directory, would blindly follow the symlink and
overwrite arbitrary files - instead fixed to check if is a symlink with
an absolute target OR one that points outside the destination folder via
relative path and reject in that case
[USN-4734-1, USN-4734-2] wpa_supplicant and hostapd vulnerabilities [06:01]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-12695
CVE-2021-0326
Possible OOB write when doing a wifi-direct / p2p search - so an attacker
just has to be in radio range when the victim performs a P2P discovery
aka wifi direct search - discovered by Google’s OSS-Fuzz project
CallStranger (Episode 91) - UPnP callback reflection
[USN-4735-1] PostgreSQL vulnerability [07:23]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3393
Latest upstream 12.6 release to fix a possible info leak which could
occur when handling particular errors - if a user had the permission to
UPDATE on a partitioned table but not the SELECT privilege on some column
and tried to UPDATE on that column, the resulting error message
concerning this constraint violation could leak values on the columns
which the user did not have permission. Rare setup so unlikely to be
affected in practice.
[USN-4736-1] Thunderbird vulnerabilities [08:18]
6 CVEs addressed in Groovy (20.10)
CVE-2020-15685
CVE-2021-23964
CVE-2021-23960
CVE-2021-23954
CVE-2021-23953
CVE-2020-26976
Update to latest upstream release 78.7, usual spread of issues for TB
(derived from firefox) - DoS, info leak, RCE. Also possible response
injection attack from a person-in-the-middle during STARTTLS connection
setup - ie could inject unencrypted response which would then be
evaluated after the encrypted connection was setup so would get treated
as coming from the trusted host.
Goings on in Ubuntu Security Community
Thunderbird to be upgraded to 78.x in Ubuntu 20.04 LTS [09:32]
Lead by oSoMoN (Olivier Tilloy) from Desktop Team
68.x no longer supported upstream and not really practical to backport
security fixes for this old codebase
78.x as a new major version introduces a bunch of breaking changes, in
particular with handling of PGP - previously TB had no native support for
PGP but Enigmail addon provided this
Now does support PGP itself and enigmail is not supported anymore - new
internal PGP is a bit different and requires migration - this should be
handled automatically by the new version to migrate existing enigmail
users across
A couple other packages tinyjsd and junit are also not supported by TB 78
tinyjsd - JS debugger with a particular focus on being able to debug TB
extensions etc
jsunit - unit testing tool for TB to allow add-on developers to setup
unit tests for their extensions and to run these in TB/FF etc
these will be replaced by empty packages in the Ubuntu archive for
20.04
Once this is done will then look to do Bionic (18.04 LTS) as well
https://discourse.ubuntu.com/t/thunderbird-lts-update/20819
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
15min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.