Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

May 08, 2020Episode 73
Overview
After the recent release of Ubuntu 20.04 LTS, we look at security fixes for
OpenJDK, CUPS, the Linux kernel, Samba and more, plus Joe and Alex discuss
robot kits and the Kaiji botnet.
This week in Ubuntu Security Updates
86 unique CVEs addressed
[USN-4337-1] OpenJDK vulnerabilities [01:21]
13 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-2830
CVE-2020-2816
CVE-2020-2805
CVE-2020-2803
CVE-2020-2800
CVE-2020-2781
CVE-2020-2778
CVE-2020-2773
CVE-2020-2767
CVE-2020-2757
CVE-2020-2756
CVE-2020-2755
CVE-2020-2754
openjdk 11.0.7 and 8u252b09-1
Errors in regex handling and XML handling -> DoS
Various issues in TLS handshake handling -> bypass certification
verification or allow to compromise secure connections
Insecure handling of CRLF in HTTP headers -> info disclosure via
bypassing access controls
Possible sandbox bypass
[USN-4338-1, USN-4338-2] re2c vulnerability [02:26]
1 CVEs addressed in Eoan, Focal
CVE-2020-11958
Used to generate fast C code for parsing regular expressions
Heap buffer overflow if parsing a very long input due to incorrect length
checks
[USN-4339-1] OpenEXR vulnerabilities [02:59]
12 CVEs addressed in Xenial, Bionic, Eoan, Focal
CVE-2020-11765
CVE-2020-11764
CVE-2020-11763
CVE-2020-11762
CVE-2020-11761
CVE-2020-11760
CVE-2020-11759
CVE-2020-11758
CVE-2018-18444
CVE-2017-9115
CVE-2017-9113
CVE-2017-9111
Last mentioned back in Episode 49 - handles image format developed by ILM
with a high definition range for computer imaging applications - used by
opencv, gimp and others
Project Zero fuzzing OpenEXR - usual types of issues in large C++ code
base - OOB reads / writes - usual effects -> crashes, info leaks, RCE
[USN-4340-1] CUPS vulnerabilities [04:09]
2 CVEs addressed in Xenial, Bionic, Eoan, Focal
CVE-2020-3898
CVE-2019-2228
Heap buffer overflow when parsing ppd files - so if added a printer with
a crafted ppd file could crash / RCE - since cupsd runs as root could be
possible RCE as root
OOB read -> info leak / crash
[USN-4341-1, USN-4341-2, USN-4341-3] Samba vulnerabilities [05:11]
2 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan, Focal
CVE-2020-10704
CVE-2020-10700
Stack overflow able to be triggered by an unauthenticated user when Samba
is acting as an AD DC -> crash, code exec?
UAF in Samba AD DC LDAP server
[USN-4342-1] Linux kernel vulnerabilities [06:02]
7 CVEs addressed in Bionic, Eoan
CVE-2020-9383
CVE-2020-8992
CVE-2020-8648
CVE-2020-10942
CVE-2019-19768
CVE-2019-16234
CVE-2020-11884
5.3 kernel for eoan + bionic hwe
s390 specific race-condition in page table handling -> local attacker arbitrary
code exec
race-condition -> UAF in block io tracing -> OOB read -> info leak / crash
stack buffer overflow in vhost-net driver -> able to be triggered by a
local attacker via ioctl() on /dev/vhost-net
race-condition -> UAF in tty (virtual terminal) subsystem
low priority (DoS etc via crafted file-systems)
[USN-4344-1] Linux kernel vulnerabilities [07:58]
7 CVEs addressed in Bionic
CVE-2020-9383
CVE-2020-8992
CVE-2020-8648
CVE-2020-10942
CVE-2019-19768
CVE-2019-19051
CVE-2019-16234
5.0 gke / oem kernel
Same issues reported earlier
[USN-4343-1] Linux kernel vulnerability [08:13]
1 CVEs addressed in Focal
CVE-2020-11884
5.4 kernel
s390 page-table issue
[USN-4345-1] Linux kernel vulnerabilities [08:25]
9 CVEs addressed in Xenial, Bionic
CVE-2020-9383
CVE-2020-8648
CVE-2020-11668
CVE-2020-11609
CVE-2020-11608
CVE-2020-10942
CVE-2019-19768
CVE-2019-16234
CVE-2020-11884
4.15 kernel - xenial hwe + bionic
Same as above plus a few OOBs read when handing invalid USB camera device
descriptors in various drivers - so a local attacker could cause a crash
etc
[USN-4346-1] Linux kernel vulnerabilities [09:00]
5 CVEs addressed in Trusty ESM, Xenial
CVE-2020-9383
CVE-2020-8648
CVE-2019-19768
CVE-2019-16234
CVE-2019-16233
4.4 kernel - trusty hwe + xenial
tty and blk io subsystem race-conditions -> UAFs
[USN-4347-1] WebKitGTK vulnerability [09:26]
1 CVEs addressed in Bionic, Eoan, Focal
CVE-2020-3899
[USN-4348-1] Mailman vulnerabilities [09:47]
3 CVEs addressed in Xenial, Bionic
CVE-2020-12137
CVE-2018-13796
CVE-2018-0618
Possible XSS when viewing list archives since mailman does not track the
mime-type of attachments -> so HTTP reply may lack a MIME type and so the
receiving browser may assume that content-type is text/html and so
execute contained Javascript code
[USN-4349-1] EDK II vulnerabilities [10:36]
9 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-14587
CVE-2019-14586
CVE-2019-14575
CVE-2019-14563
CVE-2019-14559
CVE-2019-14558
CVE-2018-12181
CVE-2018-12180
CVE-2018-12178
UEFI firmware stack for x86-64 virtual machines - huge amount of code with a
large attack surface -> network stack, disk device and file-system
handling, cryptographic signature parsing etc
Buffer overflow in network stack and block io system
stack overflow, fail to clear memory containing passwords, memory leaks,
failure to properly check EFI signatures, memory corruption via a double
free etc
[USN-4350-1] MySQL vulnerabilities [12:05]
25 CVEs addressed in Xenial, Bionic, Eoan, Focal
CVE-2020-2930
CVE-2020-2928
CVE-2020-2926
CVE-2020-2925
CVE-2020-2924
CVE-2020-2923
CVE-2020-2922
CVE-2020-2921
CVE-2020-2904
CVE-2020-2903
CVE-2020-2901
CVE-2020-2898
CVE-2020-2897
CVE-2020-2896
CVE-2020-2895
CVE-2020-2893
CVE-2020-2892
CVE-2020-2812
CVE-2020-2804
CVE-2020-2780
CVE-2020-2765
CVE-2020-2763
CVE-2020-2762
CVE-2020-2760
CVE-2020-2759
Latest upstream point releases - 8.0.80 for eoan + focal, 5.7.30 for
xenial and bionic
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-30.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-20.html
https://www.oracle.com/security-alerts/cpuapr2020.html
[USN-4330-2] PHP vulnerabilities [12:46]
3 CVEs addressed in Focal
CVE-2020-7066
CVE-2020-7065
CVE-2020-7064
See Episode 72
[USN-4332-2] File Roller vulnerability [13:05]
1 CVEs addressed in Focal
CVE-2020-11736
See Episode 72
[USN-4333-2] Python vulnerabilities [13:06]
2 CVEs addressed in Focal
CVE-2020-8492
CVE-2019-18348
See Episode 72
Goings on in Ubuntu Security Community
Release of Ubuntu 20.04 LTS (Focal Fossa) [13:16]
Supported as LTS for 5 years and as ESM for 5 years -> 10 years of
security support
Kernel changes -> based on upstream 5.4 LTS kernel, includes Lockdown
LSM, Wireguard as built-in to the kernel
SSH client / server supports hardware based 2 factor auth (like Yubikeys) OOTB
More stringent TLS default parameters to blacklist insecure ciphers /
key-lengths etc
Joe and Alex discuss Kaiji Botnet targeting Linux IoT devices [16:00]
https://threatpost.com/kaiji-botnet-iot-linux-devices/155463/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
31min
April 24, 2020Episode 72
Overview
A huge number of CVEs fixed in the various Ubuntu releases, including for
PHP, Git, Thunderbird, GNU binutils and more, plus Joe McManus discusses
ROS with Sid Faber.
This week in Ubuntu Security Updates
93 unique CVEs addressed
[USN-4330-1] PHP vulnerabilities [01:03]
5 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-7066
CVE-2020-7065
CVE-2020-7064
CVE-2020-7063
CVE-2020-7062
php5, php7.0, php7.2, php7.3
get_headers() would silently truncate a URL containing a NUL terminator
(\0) - so if used with user-supplied URL could get wrong details from the
server
stack overflow in mb_strtolower() when handling UTF32-LE encoding
1 byte buffer overread in handling EXIF data - info leak / crash
PHAR archives created with world readable permissions
NULL pointer dereference on file upload in certain situations -> crash
[USN-4331-1] WebKitGTK+ vulnerability [02:32]
1 CVEs addressed in Bionic, Eoan
CVE-2020-11793
UAF when processing maliciously crafted web content
[USN-4332-1] File Roller vulnerability [02:51]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-11736
Possible directory traversal issue when extracting an archive where
parent of file is a symlink pointing outside of the archive
[USN-4334-1] Git vulnerability [03:08]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-11008
Similar to CVE-2020-5260 from Episode 71 - due to an incomplete fix for
that where some credentials may still be leaked but the attacker cannot
control which ones
[USN-4333-1] Python vulnerabilities [03:47]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-8492
CVE-2019-18348
CRLF injection via an attacker controlled url parameter to urlopen()
function in urllib
[USN-4335-1] Thunderbird vulnerabilities [04:09]
39 CVEs addressed in Xenial
CVE-2020-6811
CVE-2020-6794
CVE-2020-6822
CVE-2020-6795
CVE-2020-6793
CVE-2020-6792
CVE-2019-15903
CVE-2019-11755
CVE-2019-11745
CVE-2020-6825
CVE-2020-6821
CVE-2020-6820
CVE-2020-6819
CVE-2020-6814
CVE-2020-6812
CVE-2020-6807
CVE-2020-6806
CVE-2020-6805
CVE-2020-6800
CVE-2020-6798
CVE-2019-20503
CVE-2019-17026
CVE-2019-17024
CVE-2019-17022
CVE-2019-17017
CVE-2019-17016
CVE-2019-17012
CVE-2019-17011
CVE-2019-17010
CVE-2019-17008
CVE-2019-17005
CVE-2019-11764
CVE-2019-11763
CVE-2019-11762
CVE-2019-11761
CVE-2019-11760
CVE-2019-11759
CVE-2019-11758
CVE-2019-11757
Updated to latest upstream version 68.7.0
[USN-4336-1] GNU binutils vulnerabilities [04:46]
44 CVEs addressed in Bionic
CVE-2019-9077
CVE-2019-9075
CVE-2019-9074
CVE-2019-9073
CVE-2019-9071
CVE-2019-9070
CVE-2019-17451
CVE-2019-17450
CVE-2019-14444
CVE-2019-14250
CVE-2019-12972
CVE-2018-9138
CVE-2018-8945
CVE-2018-20671
CVE-2018-20651
CVE-2018-20623
CVE-2018-20002
CVE-2018-19932
CVE-2018-19931
CVE-2018-18701
CVE-2018-18700
CVE-2018-18607
CVE-2018-18606
CVE-2018-18605
CVE-2018-18484
CVE-2018-18483
CVE-2018-18309
CVE-2018-17985
CVE-2018-17794
CVE-2018-17360
CVE-2018-17359
CVE-2018-17358
CVE-2018-13033
CVE-2018-12934
CVE-2018-12700
CVE-2018-12699
CVE-2018-12698
CVE-2018-12697
CVE-2018-12641
CVE-2018-10535
CVE-2018-10534
CVE-2018-10373
CVE-2018-10372
CVE-2018-1000876
Huge update covering many issues - thanks Marc Deslauriers - mostly in
low severity issues like memory leaks in functions / utilities which are
used only once or which are assumed to process trusted input.
Often requested by customers who run vuln scanners - finds many open
issues but doesn’t consider low severity - only 3 out of 44 had medium
severity
Goings on in Ubuntu Security Community
Joe McManus talks ROS & ROS2 with Sid Faber from the Ubuntu Security Team [06:26]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
21min
April 16, 2020Episode 71
Overview
This week Joe discusses Ubuntu’s involvement in ZDI’s Pwn2Own with special
guests Steve Beattie and Marc Deslauriers from the Ubuntu Security team,
plus we do the usual roundup of fixed vulnerabilities including libssh,
Thunderbird, Git and a kernel Livepatch.
This week in Ubuntu Security Updates
38 unique CVEs addressed
[USN-4325-1] Linux kernel vulnerabilities [00:59]
2 CVEs addressed in Bionic
CVE-2020-8428
CVE-2019-19046
5.0 (bionic clouds / oem - oracle, gke, gcp, azure, etc)
VFS UAF and IPMI memory leak - Episode 70
[USN-4326-1] libiberty vulnerabilities [01:46]
14 CVEs addressed in Xenial, Bionic
CVE-2019-9071
CVE-2019-9070
CVE-2019-14250
CVE-2018-9138
CVE-2018-18701
CVE-2018-18700
CVE-2018-18484
CVE-2018-18483
CVE-2018-17985
CVE-2018-17794
CVE-2018-12934
CVE-2018-12698
CVE-2018-12697
CVE-2018-12641
libib - collection of subroutines used by other libraries / applications
primarily binutils for parsing binary formats (ELF executables etc)
Mostly low priority issues (DoS via memory leak / NULL ptr dereference in
say objdump etc)
1 medium - integer overflow -> heap buffer overflow in parsing a crafted
ELF file
[USN-4327-1] libssh vulnerability [02:57]
1 CVEs addressed in Bionic, Eoan
CVE-2020-1730
Malicious client / server could crash other end when using AES-CTR
ciphers - error in memory handling on cleanup of cipher context when
closing the connection -> DoS
[LSN-0065-1] Linux kernel vulnerability [03:41]
3 CVEs addressed in Xenial, Bionic
CVE-2020-8428
CVE-2019-3016
CVE-2013-1798
Livepatch for VFS UAF, fix a possible SpectreV1/L1TF gadget introduced
back in 2013 for a KVM IOAPIC issue, KVM TLB flush (Episode 67)
[USN-4328-1] Thunderbird vulnerabilities [04:31]
18 CVEs addressed in Bionic, Eoan
CVE-2020-6811
CVE-2020-6825
CVE-2020-6821
CVE-2020-6820
CVE-2020-6819
CVE-2020-6814
CVE-2020-6812
CVE-2020-6807
CVE-2020-6806
CVE-2020-6805
CVE-2020-6800
CVE-2020-6798
CVE-2019-20503
CVE-2020-6794
CVE-2020-6822
CVE-2020-6795
CVE-2020-6793
CVE-2020-6792
68.7.0
Includes various fixes for issues previously covered in Firefox updates
[USN-4329-1] Git vulnerability [05:11]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-5260
Would not properly handle URLs that include newlines - and would possibly
send credentials to the wrong host as a result - fixed by forbidding a
newline in any part of credential handling
Goings on in Ubuntu Security Community
Joe discusses Ubuntu’s participation in ZDI’s Pwn2Own with Steve Beattie and Marc Deslauriers [06:25]
https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results
https://www.zdnet.com/article/windows-ubuntu-macos-virtualbox-fall-at-pwn2own-hacking-contest/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
25min
April 10, 2020Episode 70
Overview
This week we have a great interview between Joe McManus and Emilia Torino from the Ubuntu
Security team, plus we cover security updates for Apport, Firefox, GnuTLS,
the Linux kernel and more.
This week in Ubuntu Security Updates
18 unique CVEs addressed
[USN-4315-1] Apport vulnerabilities [00:32]
2 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-8833
CVE-2020-8831
Apport creates it’s lock file as world writable in a world-writable
location - so a local attacker could create a symlink in it’s place to a
non-existant file in a root-owned location and Apport would end up
creating that file but with world-writable permissions - so could be used
to possibly escalate privileges say by dropping a new cron file or
similar.
Apport runs as root but drops privileges when creating crash reports -
and then changes permissions on crash report to be owned by the user -
again using a symlink attack it could be possible to get Apport to change
the permissions on an arbitrary file to be readable by a regular user and
hence disclose sensitive information. Is generally mitigated by
protected_symlinks setting.
[USN-4316-1, USN-4316-2] GD Graphics Library vulnerabilities [02:46]
2 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan
CVE-2019-11038
CVE-2018-14553
Used by php for image handling
Use of an uninitialized variable during
image creation -> info leak or possible memory corruption
NULL ptr deref in certain circumstances
[USN-4317-1] Firefox vulnerabilities [03:10]
2 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-6820
CVE-2020-6819
74.0.1 - reports of two issues being used to exploit Firefox in the
wild - https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
2 use-after-free -> remote code execution
[USN-4321-1] HAProxy vulnerability [03:56]
1 CVEs addressed in Bionic, Eoan
CVE-2020-11100
Arbitrary heap memory write in HPACK decoder (HTTP/2 header
compression) -> crash, DoS or possible RCE
[USN-4322-1] GnuTLS vulnerability [04:35]
1 CVEs addressed in Eoan
CVE-2020-11501
Used all zeros instead of a random 32-byte value for key negotiation as a
DTLS client - so breaks the security guarantees of DTLS
(datagram-TLS). Introduced in a code change which changed a boolean OR to
and AND without inverting the logic (ie De Morgan)
[USN-4323-1] Firefox vulnerabilities [05:28]
6 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-6823
CVE-2020-6826
CVE-2020-6825
CVE-2020-6824
CVE-2020-6822
CVE-2020-6821
75.0
Malicious extension could possibly steal auth codes from OAuth login
sequences
Memory corruption -> DoS, info leak or RCE via malicious website
[USN-4318-1] Linux kernel vulnerabilities [06:18]
3 CVEs addressed in Xenial, Bionic
CVE-2020-8992
CVE-2020-8834
CVE-2020-8428
4.15 bionic kernel (xenial hwe)
3 DoS issues:
Use-after-free in VFS layer -> crash / info-leak
PowerPC KVM guest to host state memory corruption -> crash
Soft-lockup via malicious ext4 image due to failure to properly validate
the journal size
[USN-4319-1, USN-4325-1] Linux kernel vulnerabilities [07:22]
2 CVEs addressed in Bionic, Eoan
CVE-2020-8428
CVE-2019-19046
5.3 eoan kernel (bionic hwe), 5.0 bionic clouds kernel
VFS UAF from above
Memory leak in IPMI handler -> DoS via memory exhaustion
[USN-4320-1] Linux kernel vulnerability [08:08]
1 CVEs addressed in Trusty ESM, Xenial
CVE-2020-8428
4.4 xenial kernel (trusty hwe)
VFS UAF
[USN-4324-1] Linux kernel vulnerabilities [08:33]
2 CVEs addressed in Trusty ESM, Xenial, Bionic
CVE-2020-8992
CVE-2020-8428
4.15 rapsi, snapdragon, gke, aws etc - bionic, xenial hwe, trusty esm hwe
VFS UAF
Ext4 soft-lockup issue
Goings on in Ubuntu Security Community
Joe talks with Ubuntu Security Team member Emilia Torino [09:06]
Uncompressed OVAL data being discontinued on 1st May [24:25]
Will still have bzip2 compressed form just removing uncompressed since is
redundant and too large to be useful in general
https://discourse.ubuntu.com/t/uncompressed-oval-data-going-away/14981
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
27min
April 02, 2020Episode 69
Overview
This week we cover security updates for a Linux kernel vulnerability
disclosed during pwn2own, Timeshift, pam-krb5 and more, plus we have a
special guest, Vineetha Kamath, to discuss security certifications for
Ubuntu.
This week in Ubuntu Security Updates
10 unique CVEs addressed
[USN-4308-2] Twisted vulnerabilities [00:42]
4 CVEs addressed in Trusty ESM
CVE-2020-10109
CVE-2020-10108
CVE-2019-12855
CVE-2019-12387
Episode 68 - 4 of the 7 CVEs described there affect Twisted in 14.04
ESM
[USN-4310-1] WebKitGTK+ vulnerability [01:09]
1 CVEs addressed in Bionic, Eoan
CVE-2020-10018
UAF - discovered by CloudFuzz
[USN-4312-1] Timeshift vulnerability [01:49]
1 CVEs addressed in Eoan
CVE-2020-10174
Reuses predictably named temporary directory to execute scripts - and
runs as root - so a local attacker could replace the script in this
predictably named directory with one containing malicious commands, to
get code execution as root. Fixed by using a randomly named directory
and setting the permissions on it so other users can’t write to it.
[USN-4313-1] Linux kernel vulnerability [02:43]
1 CVEs addressed in Bionic, Eoan
CVE-2020-8835
pwn2own - Manfred Paul discovered the BPF verifier in the Linux kernel
did not properly calculate register bounds for 32-bit operations - so if
allow unprivileged users to load BPF, this could be used to read or write
kernel memory. Can then use this to elevate privileges to root.
https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results
[USN-4311-1] BlueZ vulnerabilities [03:52]
2 CVEs addressed in Xenial, Bionic, Eoan
CVE-2016-7837
CVE-2020-0556
Didn’t handle bonding of HID and HOGP (HID over GATT - Generic Attribute
Profile) devices - local attacker could use this to impersonate
non-bonded devices
Buffer overflow in parse_line function used by some CLI-based userland
utils
[USN-4314-1] pam-krb5 vulnerability [04:50]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-10595
Single-byte buffer overflow could potentially allow RCE - buffer is
provided by underlying kerberos library - attacker can supply input of
special length to overflow this and then cause memory corruption -
possible heap or stack corruption. Only used in code-paths where Kerberos
lib does supplemental prompting, or if running PAM with no_prompt
configured.
Goings on in Ubuntu Security Community
Joe and Vineetha discuss security certifications for Ubuntu [06:14]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
21min
March 26, 2020Episode 68
Overview
This week we cover security updates for Apache, Twisted, Vim a kernel
livepatch and more, plus Alex and Joe discuss OVAL data feeds and the
cvescan snap for vulnerability awareness.
This week in Ubuntu Security Updates
16 unique CVEs addressed
[USN-4307-1] Apache HTTP Server update [00:24]
TLSv1.3 enabled in Ubuntu 18.04 LTS (bionic)
Enabled by default, could cause compatibility issues in some
environments - can be disabled using the SSLProtocol directive
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263
[LSN-0064-1] Linux kernel vulnerability [01:03]
1 CVEs addressed in Xenial, Bionic
CVE-2020-2732
KVM nested virtualisation issue (L2 guest could access resources of L1
parent) - Episode 67
[USN-4308-1] Twisted vulnerabilities [02:07]
7 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-10109
CVE-2020-10108
CVE-2019-9515
CVE-2019-9514
CVE-2019-9512
CVE-2019-12855
CVE-2019-12387
2 variations of a HTTP request splitting / smuggling vuln (Episode 52)
3 HTTP/2 DoS issues (Episode 43)
MITM of XMPP TLS connections due to failure to verify certs
Failure to sanitize URIs or HTTP methods in twisted.web
[USN-4309-1] Vim vulnerabilities [03:53]
7 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2017-11109
CVE-2017-6350
CVE-2017-6349
CVE-2019-20079
CVE-2018-20786
CVE-2017-5953
All low / negligible since requires a user to use vim to source a crafted
file (ie a list of commands / settings for vim) or crafted undo /
spelling dictionary etc
Integer overflows -> heap overflows -> DoS / RCE etc
[USN-4134-3] IBus vulnerability [04:49]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-14822
Episode 47 - implements it’s own private DBus server which clients
connect to - original vuln allowed any user who knew address of this bus
to connect to it - update fixed this by checking the connecting user was
the same as the owning user - but caused a regression in Qt clients -
would fail to be able to properly connect to ibus - was reverted - this
has seen been fixed by fixing the GDBusServer implementation in libglib2
since it was actually incorrect - and so now we have re-fixed in ibus
Goings on in Ubuntu Security Community
Alex and Joe discuss Ubuntu Security OVAL feeds and cvescan [06:47]
https://people.canonical.com/~ubuntu-security/oval/
https://snapcraft.io/cvescan
Securing open source through CVE prioritisation [15:56]
https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
March 19, 2020Episode 67
Overview
A big week in security updates, including the Linux kernel, Ceph, ICU,
Firefox, Dino and more, plus Joe and Alex discuss tips for securely working
from home in light of Coronavirus.
This week in Ubuntu Security Updates
38 unique CVEs addressed
[USN-4299-1] Firefox vulnerabilities [00:41]
12 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-6811
CVE-2020-6809
CVE-2020-6815
CVE-2020-6814
CVE-2020-6813
CVE-2020-6812
CVE-2020-6810
CVE-2020-6808
CVE-2020-6807
CVE-2020-6806
CVE-2020-6805
CVE-2019-20503
74.0 - usual sorts of fixes:
Crafted website -> DoS, URL and other browser chrome spoofing, bypass
content security policy protections, RCE etc
Extensions with all-url permission could access local files
Copy-as-cURL devtools feature failed to escape website-controlled
data - possible command injection -> RCE if user tricked into using
this on a crafted website
[USN-4300-1] Linux kernel vulnerabilities [02:02]
11 CVEs addressed in Bionic, Eoan
CVE-2019-19068
CVE-2019-19066
CVE-2019-19064
CVE-2019-19059
CVE-2019-19058
CVE-2019-19056
CVE-2019-19053
CVE-2019-19043
CVE-2019-18809
CVE-2020-2732
CVE-2019-3016
5.3 eoan, bionic hwe
2 KVM issues
Nested KVM guest could access resources of parent -> sensitive info
disclosure
Guest VM could read memory from another guest VM since would sometimes
miss deferred TLB flushes when switching guests
Rest low priority
Memory leaks in various network and other device drivers under
particular error scenarios - not likely that a local or remote user
could easily trigger these so hence low priority
[USN-4301-1] Linux kernel vulnerabilities [03:53]
8 CVEs addressed in Bionic
CVE-2019-19068
CVE-2019-19066
CVE-2019-19059
CVE-2019-19058
CVE-2019-19056
CVE-2019-19053
CVE-2020-2732
CVE-2019-3016
5.0 “cloud” specific kernel (oracle, aws, gke, gcp etc)
Same issues as above just with a couple less of the driver memory leak
fixes since these were already done in a previous update
[USN-4302-1] Linux kernel vulnerabilities [04:31]
10 CVEs addressed in Xenial, Bionic
CVE-2019-15217
CVE-2019-19068
CVE-2019-19066
CVE-2019-19058
CVE-2019-19056
CVE-2019-19051
CVE-2019-19046
CVE-2020-8832
CVE-2019-14615
CVE-2020-2732
4.15, bionic and xenial hwe
CVE-2020-8832 - Ubuntu Intel i915 specific issue due to previous fix for
CVE-2020-14615 being incomplete - so not completely mitigated in this
kernel as expected
KVM nested virt bug and various driver memory leak fixes (see above) and
a NULL pointer deref if a malicious USB device was inserted to the system
[USN-4303-1, USN-4303-2] Linux kernel vulnerability [05:26]
1 CVEs addressed in Xenial and Trusty ESM (HWE)
CVE-2020-2732
Nested KVM virt issue
[USN-4304-1] Ceph vulnerability [05:48]
1 CVEs addressed in Bionic, Eoan
CVE-2020-1700
DoS able to be triggered by an authenticated user causing an unexpected
disconnect to radosgw - sockets pile up and eventually exhaust resources
-> DoS
[USN-4305-1] ICU vulnerability [06:26]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-10531
C/C++ library for unicode handling - integer overflow -> heap buffer
overflow - DoS/RCE?
[USN-4306-1] Dino vulnerabilities [07:05]
3 CVEs addressed in Bionic
CVE-2019-16237
CVE-2019-16236
CVE-2019-16235
Thanks to Julian Andres Klode from Foundations
Fixes for multiple failures to validate inputs - remote attacker could
use to obtain, inject or remove info
Also includes a change to accept IV of 12 bytes as well as 16 bytes since
this is what a lo t of other OMEMO clients are using
OMEMO (OMEMO Multi-End Message and Object Encryption) - XMPP extension
for multiclient E2E - so allows messages to be synchronised across
multiple clients, even if some are offline
[USN-4171-5] Apport regression [08:14]
5 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-15790
CVE-2019-11485
CVE-2019-11483
CVE-2019-11482
CVE-2019-11481
Thanks to Tiago Daitx and Michael Hudson-Doyle from Foundations Team
Previous security update broke some autopkgtests and broke python2
compatibility for various parts of Apport
Goings on in Ubuntu Security Community
Joe and Alex discuss securely working from home whilst avoiding Coronavirus [09:21]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
25min
March 12, 2020Episode 66
Overview
This week we cover security updates for Django, runC and SQLite, plus Alex
and Joe discuss the AMD speculative execution Take A Way attack and we
look at some recent blog posts by the team too.
This week in Ubuntu Security Updates
16 unique CVEs addressed
[USN-4296-1] Django vulnerability [00:49]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-9402
Possible SQL injection in the GIS functions when using an Oracle DB as
the backend - Oracle provides a tolerance parameter which can be used
when doing GIS queries and this was not properly sanitised before use so
could allow SQL injection
[USN-4297-1] runC vulnerabilities [01:30]
2 CVEs addressed in Bionic, Eoan
CVE-2019-19921
CVE-2019-16884
Race condition on mounting of shared volume mounts between two
containers - can replace /proc on one container with a symlink inside of
the shared mount - when this gets cleaned up other parts of /proc can end
mounted within the shared mount and this could be used for privilege
escalation since if outside of /proc then regular users might be able to
write to sensitive parts of /proc - fixed by having runc validate that
the target for mounting /proc or /sys must either not exist or must be a
directory to avoid symlink attacks etc
Possible bypass of AppArmor restrictions since would not properly check
the target of a mount and so could end up mounting a malicious image over
/proc - instead add more explicit checks on whether the dest of a mount
is /proc and only allow this if the source is also a procfs
[USN-4298-1] SQLite vulnerabilities [03:09]
13 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-13752
CVE-2020-9327
CVE-2019-20218
CVE-2019-19926
CVE-2019-19959
CVE-2019-19925
CVE-2019-19924
CVE-2019-19923
CVE-2019-19880
CVE-2019-13751
CVE-2019-13753
CVE-2019-13750
CVE-2019-13734
Many different memory safety issues resolved in SQLite - across various
parts of SQLite including handling of shadow tables, corrupt records,
parsing, ZIP archives and column optimisations. Most of these were
detected by fuzzing and so are unlikely to be an issue unless handling
untrusted SQLite databases or untrusted query inputs.
Goings on in Ubuntu Security Community
Alex and Joe discuss AMD Take A Way attack [04:10]
https://www.zdnet.com/article/amd-processors-from-2011-to-2019-vulnerable-to-two-new-attacks/
Blog posts [19:08]
https://ubuntu.com/blog/on-boxing-tabletop-exercises-and-threat-models
https://ubuntu.com/blog/ros-development-with-lxd
https://ubuntu.com/blog/ros-2-ci-with-github-actions
Hiring [20:21]
Robotics Security Engineer
https://canonical.com/careers/1550997
Security Engineer - Certifications (FIPS, Common Criteria)
https://canonical.com/careers/2085468
Ubuntu Security Engineer
https://canonical.com/careers/2085023
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
22min
March 05, 2020Episode 65
Overview
Whilst avoiding Coronavirus, this week we look at updates for libarchive,
OpenSMTPD, rake and more, plus Joe and Alex discuss ROS, the Robot
Operating System and how the Ubuntu Security Team is involved in the
ongoing development of secure foundations for robotics.
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4293-1] libarchive vulnerabilities [00:18]
2 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-9308
CVE-2019-19221
OSS-Fuzz: RAR unpacker would try and unpack a file with a corrupted /
malformed header (ie. zero length etc) - OOB read - crash/DoS
OOB read due to use of wrong length parameter to mbtowc()
[USN-4294-1] OpenSMTPD vulnerabilities [02:00]
2 CVEs addressed in Bionic, Eoan
CVE-2020-8793
CVE-2020-8794
Remote code exec on both clients and server (as server reuses client-side code for debouncing)
Possible arbitrary file read due to race-condition in offline
functionality - a user could create a hardlink to a root-owned file which
opensmtpd would then read - mitigated on Ubuntu since we enable
protected_hardlinks sysctl which stops regular users creating hardlinks
to root-owned files
[USN-4288-2] ppp vulnerability [03:12]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2020-8597
Episode 64 (possible buffer overflow)
[USN-4290-2] libpam-radius-auth vulnerability [03:23]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2015-9542
Episode 64 (stack overflow in password field handling)
[USN-4295-1] Rake vulnerability [03:31]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-8130
Command injection vulnerability via Rake::FileList - used the Kernel
open() method rather than File.open() - this supports launching a process
if the file-name starts with a pipe `|` - so instead just use File.open()
Goings on in Ubuntu Security Community
Joe and Alex discuss ROS, the Robot Operating System [04:28]
Kyle Fazzari’s ROS and Ubuntu Video Series
https://ubuntu.com/blog/from-ros-prototype-to-production-on-ubuntu-core
https://ubuntu.com/blog/your-first-robot-a-beginners-guide-to-ros-and-ubuntu-core-1-5
Hiring
Robotics Security Engineer
https://canonical.com/careers/1550997
Security Engineer - Certifications (FIPS, Common Criteria)
https://canonical.com/careers/2085468
Ubuntu Security Engineer
https://canonical.com/careers/2085023
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
23min
February 27, 2020Episode 64
Overview
This week we look at security updates for ppp, Squid, rsync + more, and Joe
and Alex discuss the wide scope of the Ubuntu Security Team including some
current open positions.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[LSN-0063-1] Linux kernel vulnerability [00:43]
5 CVEs addressed in Xenial, Bionic
CVE-2020-7053
CVE-2019-20096
CVE-2019-19050
CVE-2019-14615
CVE-2019-5108
i915 UAF (Episode 60), DCCP memory leak -> DoS (Episode 63), crypto
subsystem memory leaks (Episode 60), i915 info leak (Episode 60, Episode
53), WiFi AP mode DoS (Episode 53)
[USN-4279-2] PHP regression [01:51]
3 CVEs addressed in Xenial
CVE-2020-7060
CVE-2020-7059
CVE-2015-9253
Episode 63 - Upstream fix for CVE-2015-9253 contained a memory leak -
this fix was backed-out in this update
[USN-4288-1] ppp vulnerability [02:16]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-8597
Included a check for possible buffer overflow a an rhostname but the
check was incorrect :( so could still overflow - fixed by making the
correct check
[USN-4289-1] Squid vulnerabilities [02:41]
4 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-8517
CVE-2020-8450
CVE-2020-8449
CVE-2019-12528
Buffer overflow in NTLM credentials parser - out-of-process so would just
result in a DoS
Buffer overflow when acting as a reverse proxy
Incorrect input validation leading to access to server resources which
should have been prohibited
Info disclosure due to heap buffer over-read when acting as an FTP client
from a malicious FTP server
[USN-4290-1] libpam-radius-auth vulnerability [03:26]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2015-9542
Stack overflow in password field handling -> crash, DoS
[USN-4291-1] mod-auth-mellon vulnerability [03:49]
1 CVEs addressed in Bionic, Eoan
CVE-2019-13038
SAML 2.0 authentication module for Apache
Open redirect - didn’t properly validate the ReturnTo substring of the
login API endpoint - could allow to launch possible phishing attacks etc
by masquerading as another domain via the redirect
[USN-4292-1] rsync vulnerabilities [04:33]
4 CVEs addressed in Xenial, Bionic
CVE-2016-9843
CVE-2016-9842
CVE-2016-9841
CVE-2016-9840
All issues with the vendored copy of zlib contained within rsync -
various low-level memory management issues (discussed back in Episode 60
in the context of zlib - as a result of a security audit a few years ago
by Trail of Bits )
Goings on in Ubuntu Security Community
Alex and Joe discuss the larger scope of the Ubuntu Security Team and current open positions [05:05]
Kyle Fazzari’s ROS and Ubuntu Video Series
https://ubuntu.com/blog/from-ros-prototype-to-production-on-ubuntu-core
https://ubuntu.com/blog/your-first-robot-a-beginners-guide-to-ros-and-ubuntu-core-1-5
Robotics Security Engineer
https://canonical.com/careers/1550997
Security Engineer - Certifications (FIPS, Common Criteria)
https://canonical.com/careers/2085468
Ubuntu Security Engineer
https://canonical.com/careers/2085023
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
24min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.