Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

February 20, 2020Episode 63
Overview
Security updates for Firefox, QEMU, Linux kernel, ClamAV and more, plus we
discuss our recommended reading list for getting into infosec and farewell
long-time member of the Ubuntu Security Team / community Tyler Hicks.
This week in Ubuntu Security Updates
54 unique CVEs addressed
[USN-4278-1] Firefox vulnerabilities [00:55]
4 CVEs addressed in Bionic, Eoan
CVE-2020-6801
CVE-2020-6800
CVE-2020-6798
CVE-2020-6796
Firefox 73.0
Various memory safety issues
Possible XSS if a site used a
...more
27min
February 13, 2020Episode 62
Overview
This week Alex and Joe take an indepth look at the recent Sudo
vulnerability CVE-2019-18634 plus we look at security updates for
OpenSMTPD, systemd, Mesa, Yubico PIV tool and more. We also look at a
recent job opening for a Robotics Security Engineer to join the Ubuntu
Security team.
This week in Ubuntu Security Updates
33 unique CVEs addressed
[USN-4263-2] Sudo vulnerability [00:41]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-18634
See Episode 61 and discussion later in episode
[USN-4268-1] OpenSMTPD vulnerability [01:02]
1 CVEs addressed in Bionic, Eoan
CVE-2020-7247
Logic bug caused existing sanity checks on MAIL FROM field to be skipped
under certain scenarios - so by failing to perform this validation, could
allow an attacker to input shell metacharacters to obtain command
execution in smtpd (which runs as root) -> remote root command execution.
Fixed to always perform sanity checks on MAIL FROM
[USN-4269-1] systemd vulnerabilities [02:06]
5 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-1712
CVE-2019-3844
CVE-2019-3843
CVE-2019-20386
CVE-2018-16888
Heap UAF when handing asynchronous policykit queries and dbus messages -
could allow possible root privesc
Possible sandbox escape through DynamicUser property on services via
setuid binaries to gain new privileges or created setgid binaries
Also DynamicUser services can create setuid/setgid binaries which could
then be used to escalate privileges after
Both low priority since not many users of DynamicUser services plus
requires cooperation between the service and a helper so can’t be
directly exploited
Memory leak in logind when executing udevadm trigger command
Possible to get systemd to kill the wrong process if can write to it’s
PIDFile since the pid specified here is not validated
[USN-4267-1] ARM mbed TLS vulnerabilities [03:26]
5 CVEs addressed in Xenial
CVE-2018-0498
CVE-2018-0497
CVE-2018-0488
CVE-2018-0487
CVE-2017-18187
lightweight crypto / TLS library
integer overflow -> heap overflow -> RCE / DoS
read buffer overflow in handling of certificate chains -> DOS
2 different cache side-channel attacks which could allow a remote
attacker to recover partial plaintext for CBC modes
[USN-4270-1] Exiv2 vulnerability [04:22]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-20421
Infinite loop in JP2 image metadata parser -> CPU DoS
[USN-4271-1] Mesa vulnerability [04:38]
1 CVEs addressed in Bionic, Eoan
CVE-2019-5068
Created a shared memory segment with world readable and writable
permissions - so any local user could interfere with or access shared
memory buffers which are often used for back buffers to improve
performance - changed to open as only user readable / writable
[USN-4272-1] Pillow vulnerabilities [05:24]
6 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-5313
CVE-2020-5311
CVE-2020-5310
CVE-2020-5312
CVE-2019-19911
CVE-2019-16865
Python Image Library
Various errors in handling image formats -> Crash -> DoS, RCE etc
[USN-4273-1] ReportLab vulnerability [05:48]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-17626
Python library used for creating PDFs
RCE via a crafted XML document - would eval() an argument which comes
from a document and so would execute arbitrary python code from the
document as a result
[USN-4250-2] MariaDB vulnerability [06:21]
1 CVEs addressed in Bionic, Eoan
CVE-2020-2574
Episode 60 for MySQL - similar update for MariaDB - unfortunately no
details from upstream
[USN-4275-1] Qt vulnerabilities [06:45]
4 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-0570
CVE-2020-0569
CVE-2019-18281
CVE-2018-19872
2 possible code execution bugs where Qt would search for plugins and
libraries in incorrect locations, allowing a local attacker to get code
execution
2 different buffer overflow vulnerabilities in handling PPM images and in
text files with many unicode directional characters
[USN-4274-1] libxml2 vulnerabilities [07:20]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-7595
CVE-2019-19956
Infinite loop for crafted XML documents -> CPU DoS
Memory leak
[USN-4276-1] Yubico PIV Tool vulnerabilities [07:41]
2 CVEs addressed in Bionic
CVE-2018-14780
CVE-2018-14779
Yubico PIV (personal identity verificatiion) smart card driver - can be
used with a Yubikey to do authentication
2 different buffer overflows able to be triggered by a malicious USB
device - could lead to possible code execution
[USN-4277-1] libexif vulnerabilities [08:14]
3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2019-9278
CVE-2017-7544
CVE-2016-6328
Buffer overflow (crash or RCE) and 2 buffer over reads (crash / info
disclosure)
Goings on in Ubuntu Security Community
Alex and Joe discuss the recent sudo vulnerability (CVE-2019-18634) [08:46]
https://threatpost.com/docker-registries-malware-data-theft/152734/
Hiring [22:07]
Robotics Security Engineer
https://canonical.com/careers/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
25min
February 07, 2020Episode 61
Overview
Joe is back to discuss a recent breach against Wawa, plus we detail
security updates from the past week including Apache Solr, OpenStack
Keystone, Sudo, Django and more.
This week in Ubuntu Security Updates
23 unique CVEs addressed
[USN-4259-1] Apache Solr vulnerability [00:50]
1 CVEs addressed in Xenial
CVE-2017-12629
Enterprise search server based on Lucene with XML/HTTP and JSON APIs
Was vulnerable to an XML External Entity (XXE) attack - XML can include a
reference to another XML resource which might then be fetched - this
could then be combined with another flaw (use of Config API to obtain
access to the RunExecutableListener class) to allow remote code fetched
from the remote XML
[USN-4261-1] WebKitGTK+ vulnerabilities [01:44]
3 CVEs addressed in Bionic, Eoan
CVE-2019-8846
CVE-2019-8844
CVE-2019-8835
Various memory management issues which could be triggered via a malicious
websites - possible remote code execution as a result
[USN-4262-1] OpenStack Keystone vulnerability [02:13]
1 CVEs addressed in Eoan
CVE-2019-19687
Keystone provides identity services (client authentication etc) for
OpenStack
credentials API allowed any user with a role on a project to list all
credentials when enforce_scope was false - so could view other users
credentials.
Was introduced in keystone 15 so didn’t affect bionic or older releases -
only eoan
[LSN-0062-1] Linux kernel vulnerability [03:01]
7 CVEs addressed in Xenial and Bionic
CVE-2019-18885
CVE-2019-14901
CVE-2019-14897
CVE-2019-14896
CVE-2019-14895
CVE-2019-14615
CVE-2019-2214
Heap and stack buffer overflows in Marvell Wifi drivers, Intel GPU info
leak on context switch, binder IPC heap buffer overflow
[USN-4263-1] Sudo vulnerability [03:50]
1 CVEs addressed in Xenial, Bionic, Eoan
CVE-2019-18634
Lots of press around this but most people would not be vulnerable since
need to run in an non-default configuration
When pwfeedback enabled in /etc/sudoers, stack buffer overflow able to be
triggered in sudo during password authentication
Not enabled by default in Ubuntu
[USN-4264-1] Django vulnerability [05:00]
1 CVEs addressed in Bionic, Eoan
CVE-2020-7471
Possible SQL injection via the PostgreSQL module if was using the
StringAgg instance
Fixed to sanitize the input before processing it
[USN-4265-1, USN-4265-2] SpamAssassin vulnerabilities [05:29]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2020-1931
CVE-2020-1930
Episode 59 - possible RCE via crafted CF file - 2 more similar
vulnerabilities fixed - again upstream advise should only use trusted
update channels or 3rd parted .cf files
[USN-4266-1] GraphicsMagick vulnerabilities [06:37]
7 CVEs addressed in Xenial
CVE-2017-18231
CVE-2017-18230
CVE-2017-18229
CVE-2017-18219
CVE-2017-17915
CVE-2017-17913
CVE-2017-17912
Episode 55, Episode 57, Episode 59, Episode 60
NULL ptr dereferences -> crash, DoS
Large memory allocation -> crash, DoS
Heap + stack based buffer over-read and over-writes too
Goings on in Ubuntu Security Community
Joe and Alex discuss recent Wawa breach [07:26]
https://krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
20min
January 30, 2020Episode 60
Overview
Security updates for python-apt, GnuTLS, tcpdump, the Linux kernel and
more, plus we look at plans to integrate Ubuntu Security Notices within the
main ubuntu.com website.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-4247-1, USN-4247-2, USN-4247-3] python-apt vulnerabilities [00:42]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-15796
CVE-2019-15795
Could still use md5 to validate downloads - md5 has been broken for a
while now so if md5 hashes were available for a repo then these would be
trusted - instead, verify all hashes
Ensure repository is trusted before downloading from it - in some cases,
could configure repositories that were not trusted and python-apt based
clients would not check trust - so would use it - now always check and
verify unless the repository is specifically configured as trusted
[USN-4248-1] GraphicsMagick vulnerabilities [02:31]
10 CVEs addressed in Xenial
CVE-2017-17783
CVE-2017-17782
CVE-2017-17503
CVE-2017-17502
CVE-2017-17501
CVE-2017-17500
CVE-2017-17498
CVE-2017-16669
CVE-2017-16547
CVE-2017-16545
Episode 59, Episode 57, Episode 55 etc
[USN-4246-1] zlib vulnerabilities [02:55]
4 CVEs addressed in Xenial
CVE-2016-9843
CVE-2016-9842
CVE-2016-9841
CVE-2016-9840
Trail of Bits security audit of zlib found various instances of undefined
behaviour in the implementation - pointer increment operations on
undefined memory ranges, shifts by negative indices etc. Unlikely to have
any real world impact.
[USN-4249-1] e2fsprogs vulnerability [03:55]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-5188
Stack buffer overflow when e2fsck’ing a specially crafted ext4
file-system image
[USN-4233-2] GnuTLS update [04:34]
Affecting Xenial, Bionic
Episode 59 - disabled SHA1 for digital signatures in GnuTLS - this update
adds VERIFY_ALLOW_BROKEN and VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings
so can still use sha1 if really needed
[USN-4230-2] ClamAV vulnerability [05:16]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-15961
Episode 59
[USN-4250-1] MySQL vulnerabilities [05:34]
14 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-2694
CVE-2020-2686
CVE-2020-2679
CVE-2020-2660
CVE-2020-2627
CVE-2020-2589
CVE-2020-2588
CVE-2020-2584
CVE-2020-2579
CVE-2020-2577
CVE-2020-2574
CVE-2020-2573
CVE-2020-2572
CVE-2020-2570
New upstream release (5.7.29 - xenial, bionic) (8.0.19 - eoan)
[USN-4251-1] Tomcat vulnerabilities [06:02]
2 CVEs addressed in Xenial
CVE-2019-17563
CVE-2019-12418
[USN-4252-1, USN-4252-2] tcpdump vulnerabilities [06:05]
28 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic
CVE-2019-15167
CVE-2019-15166
CVE-2019-1010220
CVE-2018-19519
CVE-2018-16452
CVE-2018-16451
CVE-2018-16300
CVE-2018-16230
CVE-2018-16229
CVE-2018-16228
CVE-2018-16227
CVE-2018-14882
CVE-2018-14881
CVE-2018-14880
CVE-2018-14879
CVE-2018-14470
CVE-2018-14469
CVE-2018-14468
CVE-2018-14467
CVE-2018-14466
CVE-2018-14465
CVE-2018-14464
CVE-2018-14463
CVE-2018-14462
CVE-2018-14461
CVE-2018-10105
CVE-2018-10103
CVE-2017-16808
Usual mix of buffer overflows and the like in various tcpdump
dissectors - in general you should not run tcpdump on untrusted data -
when run as root, by default tcpdump will drop permissions to the tcpdump
user after opening the capture device so this makes it somewhat safer
[USN-4253-1, USN-4253-2] Linux kernel vulnerability [07:30]
1 CVEs addressed in Bionic (HWE), Eoan (5.3 kernel)
CVE-2019-14615
Intel GPU would fail to clear state during context switch - could allow
an info leak between local users - so update driver to forcibly clear
state
[USN-4255-1, USN-4255-2] Linux kernel vulnerabilities [08:07]
2 CVEs addressed in Xenial (HWE), Bionic (4.15 kernel)
CVE-2020-7053
CVE-2019-14615
Intel GPU state info leak
Intel GPU driver (i915) UAF - crash / code execution
[USN-4258-1] Linux kernel vulnerabilities [08:40]
15 CVEs addressed in Bionic (AWS, GCP, GKE) (5.0 kernel)
CVE-2019-15291
CVE-2019-19767
CVE-2019-19332
CVE-2019-19252
CVE-2019-19227
CVE-2019-19082
CVE-2019-19079
CVE-2019-19078
CVE-2019-19077
CVE-2019-19071
CVE-2019-19062
CVE-2019-19050
CVE-2019-18885
CVE-2019-18683
CVE-2019-15099
OOB write in KVM hypervisor via /dev/kvm
Virtual console could allow writes via unimplemented unicode devices -
out of bounds memory access - crash etc
2 separate memory leaks in crypto subsystem on certain failure paths -
local user accessible - DoS via memory exhaustion
NULL ptr deref in Atheros wireless USB driver
[USN-4254-1, USN-4254-2] Linux kernel vulnerabilities [09:54]
9 CVEs addressed in Trusty ESM (HWE), Xenial (4.4 kernel)
CVE-2019-15291
CVE-2019-19332
CVE-2019-19227
CVE-2019-19063
CVE-2019-19062
CVE-2019-19057
CVE-2019-18885
CVE-2019-18683
CVE-2019-14615
OOB write in KVM hypervisor via /dev/kvm
Crypto memory leak
Intel GPU info leak
[USN-4256-1] Cyrus SASL vulnerability [10:24]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
CVE-2019-19906
OOB write due to off-by-one error - originally reported against OpenLDAP
which uses cyrus-sasl and was able to be crashed by an unauthenticated
remote user due to this
[USN-4236-3] Libgcrypt vulnerability [10:57]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-13627
Episode 59 - ECDSA side-channel timing attack
[USN-4257-1] OpenJDK vulnerabilities [11:15]
8 CVEs addressed in Xenial, Bionic, Eoan
CVE-2020-2659
CVE-2020-2655
CVE-2020-2654
CVE-2020-2604
CVE-2020-2601
CVE-2020-2593
CVE-2020-2590
CVE-2020-2583
Latest upstream release (11.0.6)
Goings on in Ubuntu Security Community
Moving Ubuntu Security Notices to ubuntu.com/security [11:34]
mpt put out a call for feedback on plans to move USNs from usn.ubuntu.com
to ubuntu.com/security/
originally announced as a plan back in October
on the ubuntu-hardened mailing list
posted a mock-up of the resulting page and called for feedback
this is expected to land in the next few weeks
https://discourse.ubuntu.com/t/security-notices-on-ubuntu-com/14159
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min
January 23, 2020Episode 59
Overview
After a weeks break we are back to look at updates for ClamAV, GnuTLS,
nginx, Samba and more, plus we briefly discuss the current 20.04 Mid-Cycle
Roadmap Review sprint for the Ubuntu Security Team
This week in Ubuntu Security Updates
73 unique CVEs addressed
[USN-4230-1] ClamAV vulnerability [01:16]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-15961
Backport latest upstream release (0.102.1) from focal
CPU based DoS when scanning crafted emails - parsing of MIME components
in particular
[USN-4232-1] GraphicsMagick vulnerabilities [01:52]
11 CVEs addressed in Xenial
CVE-2017-16353
CVE-2017-16352
CVE-2017-15930
CVE-2017-15277
CVE-2017-14997
CVE-2017-14994
CVE-2017-14733
CVE-2017-14649
CVE-2017-14504
CVE-2017-14314
CVE-2017-14165
Episode 57, Episode 55
Heap based buffer over-reads - info leak or crash -> DoS
Heap based buffer over-flow - crash -> DoS, RCE
NULL ptr derefs - crash -> DoS
Memory overallocation -> memory based remote DoS
[USN-4231-1] NSS vulnerability [03:04]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-17006
UBSAN found possible buffer overflow due to failure to check lengths of
inputs to various functions - so applications using libnss for crypto
could be vulnerable to buffer overflow
[USN-4233-1] GnuTLS update [03:54]
Affecting Xenial, Bionic
Update marks SHA1 as being untrusted for digital signature operations -
SHA1 has been broken in theory for a while and 2017 Google showed the
first SHA1 collision - recently the first chosen-prefix attack was
demonstrated against SHA1 as well - demonstrated by creating a GPG key
which can impersonate another
As such GnuTLS will not trust SHA1 based digital signatures since these
can relatively easily be forged now (but not for an arbitrary input)
As such libraries / applications which use GnuTLS (libsoup, Epiphany)
will not trust SHA1 based digital signatures
https://sha-mbles.github.io/
[USN-4234-1] Firefox vulnerabilities [06:10]
8 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-17026
CVE-2019-17025
CVE-2019-17024
CVE-2019-17023
CVE-2019-17022
CVE-2019-17020
CVE-2019-17017
CVE-2019-17016
Latest upstream Firefox release (72.0.1)
Usual sorts of issues fixed: DoS, info disclosure, bypass content
security policy restrictions, conduct XSS attacks or execute arbitrary
code
[USN-4047-2] libvirt update vulnerability [06:48]
1 CVEs addressed in Trusty ESM
CVE-2019-10161
Episode 40 libvirt updated for regular releases - various APIs which
could cause effects were accessible to read-only users
Now backported for 14.04 ESM users / customers as well
[USN-4235-1, USN-4235-2] nginx vulnerability [07:18]
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-20372
HTTP request smuggling (Episode 52) - allowed attacker to read
unauthorized web pages where nginx is being fronted by a load balanced
when used with certain error_page configurations
[USN-4236-1, USN-4236-2] Libgcrypt vulnerability [08:03]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-13627
ECDSA timing side-channel attack (Minerva)
observe timing of signature generation on known messages to indicate
the bit-length of the random nonce scalar during scalar multiplication
on an elliptic curve - full private key is able to be recovered using
lattice techniques
https://minerva.crocs.fi.muni.cz/
[USN-4237-1, USN-4237-2] SpamAssassin vulnerabilities [09:04]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-12420
CVE-2018-11805
DoS via excessive resource usage
RCE via crafted conf (CF) files - advised should only use trusted conf
files
[USN-4238-1] SDL_image vulnerabilities [09:55]
12 CVEs addressed in Xenial, Bionic
CVE-2019-7635
CVE-2019-5052
CVE-2019-5051
CVE-2019-13616
CVE-2019-12222
CVE-2019-12221
CVE-2019-12220
CVE-2019-12219
CVE-2019-12218
CVE-2019-12217
CVE-2019-12216
CVE-2018-3977
Image loading library for SDL1.2 (low level library used for various
games etc - provides common access to audio, input devices, graphics etc)
Large C code-base - usual memory safety issues -> usual effects -> crash,
DoS or possible RCE
[USN-4239-1] PHP vulnerabilities [10:32]
4 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-11050
CVE-2019-11047
CVE-2019-11046
CVE-2019-11045
2 heap buffer over-reads in parsing EXIF information, 1 over-read in
bcmath extension, and 1 issue with handling filenames with embedded NUL
bytes
[USN-4221-2] libpcap vulnerability [11:28]
1 CVEs addressed in Precise ESM
CVE-2019-15165
Episode 56
[USN-4240-1] Kamailio vulnerability [11:42]
1 CVEs addressed in Xenial
CVE-2018-8828
SIP server written in C
Heap based buffer overflow when receiving a specially crafted REGISTER
message
[USN-4241-1] Thunderbird vulnerabilities [11:59]
11 CVEs addressed in Bionic, Eoan
CVE-2019-11745
CVE-2019-17026
CVE-2019-17024
CVE-2019-17022
CVE-2019-17017
CVE-2019-17016
CVE-2019-17012
CVE-2019-17011
CVE-2019-17010
CVE-2019-17008
CVE-2019-17005
Latest upstream release (68.4.1)
Derived from Firefox code-base so contains fixes for lots issues which
also affected Firefox above
[USN-4225-2] Linux kernel (HWE) vulnerabilities [12:21]
15 CVEs addressed in Bionic
CVE-2019-18813
CVE-2019-19534
CVE-2019-19529
CVE-2019-19524
CVE-2019-19072
CVE-2019-19055
CVE-2019-19052
CVE-2019-19051
CVE-2019-19045
CVE-2019-18660
CVE-2019-16231
CVE-2019-14897
CVE-2019-14896
CVE-2019-14901
CVE-2019-14895
Episode 58 - eoan (19.10) 5.3 kernel is now used as the HWE kernel for
bionic (18.04 LTS)
[USN-4242-1] Sysstat vulnerabilities [13:07]
2 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19725
CVE-2019-16167
Both issues occur when reading a crafted input file using the sadf
utility - likely the original reported is fuzzing this
Double free - heap corruption but on Ubuntu we enable the glibc
heap-protector so this is just a crash -> DoS
Integer overflow -> heap buffer overflow when reading crafted input file
[USN-4243-1] libbsd vulnerabilities [14:12]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
CVE-2019-20367
CVE-2016-2090
Library providing common BSD C functions which are not available on Linux
(strlcpy() etc)
OOB read (crash -> DoS)
Off-by-one in fgetwln() (get line of wide characters from a stream) ->
heap buffer overflow -> crash / RCE (doesn’t appear to be used by any
software in Ubuntu)
[USN-4244-1] Samba vulnerabilities [15:15]
3 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19344
CVE-2019-14907
CVE-2019-14902
UAF in DNS zone scavenging in AD DC
Crash if fail to convert characters at log level 3
Does not automatically replicate ACLs which are set to inherit down a
subtree (unable to be easily backported to Xenial so only fixed on
Bionic, Disco and Eoan - instead can workaround by manually replication
ACLs from one DC to another for a given naming context)
[USN-4245-1] PySAML2 vulnerability [16:32]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2020-5390
May fail to properly validate signatures in a particularly crafted SAML
document by using the wrong data - so could assert a document has been
fully signed when only a part of it has
Goings on in Ubuntu Security Community
Mid cycle product roadmap sprint [17:18]
Security team presents progress on plans for Ubuntu 20.04 Focal Fossa -
ie. ESM offerings, AppArmor features, snapd security features, Ubuntu
Core security features, MIR security reviews progress etc
Represented by Joe McManus, Mark Morlino, Chris Coulson and John Johansen
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
20min
January 09, 2020Episode 58
Overview
In the first episode for 2020, we look at security updates for Django and
the Linux kernel, plus Alex and Joe discuss security and privacy aspects of
smart assistant connected devices.
This week in Ubuntu Security Updates
34 unique CVEs addressed
[USN-4224-1] Django vulnerability [00:51]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19844
Account takeover via password reset - when comparing email addresses,
would not do a proper unicode comparison - and so could specify an email
address which appears equal to an existing users email address (after
unicode case and character transmformation) and would then get sent a
token to reset their accounts password to your doppleganger email
address. Fix includes doing both a proper unicode case comparison AND
sending the password reset token to the email address to the one
registered against the user account, not the one input to the password
reset field.
[USN-4225-1] Linux kernel vulnerabilities [02:25]
5.3 kernel
18 CVEs addressed in Bionic (Azure and GCP edge), Eoan
CVE-2019-18813
CVE-2019-19807
UAF in ALSA timer implementation - local user - crash (DoS) / ACE
CVE-2019-19534
CVE-2019-19529
CVE-2019-19524
CVE-2019-19072
Memory leak in tracing subsystem -> DoS
CVE-2019-19055
CVE-2019-19052
CVE-2019-19051
CVE-2019-19047
CVE-2019-19045
CVE-2019-19044
CVE-2019-18660
SpectreRSB mitigations not properly enforced on PPC
CVE-2019-16231
CVE-2019-14897
CVE-2019-14896
2 heap overflows in Marvell Libertas Wifi Driver - OTA - crash / ACE
CVE-2019-14901
CVE-2019-14895
2 heap overflows in Marvell Wifi-Ex Driver - OTA - crash / ACE
[USN-4226-1] Linux kernel vulnerabilities [03:58]
5.0 kernel
28 CVEs addressed in Bionic (AWS & Oracle Edge, Azure, GKE), Disco
CVE-2019-18813
CVE-2019-17075
CVE-2019-2214
Binder IPC OOB write - crash, ACE
CVE-2019-19922
CVE-2019-19534
CVE-2019-19532
CVE-2019-19529
CVE-2019-19526
CVE-2019-19524
CVE-2019-19083
CVE-2019-19075
CVE-2019-19072
Memory leak in tracing subsystem -> DoS
CVE-2019-19067
CVE-2019-19065
CVE-2019-19060
CVE-2019-19055
CVE-2019-19052
CVE-2019-19048
Memory leak in virtualbox guest driver -> DoS
CVE-2019-19045
CVE-2019-18660
SpectreRSB mitigations not properly enforced on PPC
CVE-2019-17133
Wifi stack failed to validate SSID IE length - buffer overflow
CVE-2019-16233
CVE-2019-16231
CVE-2019-14897
CVE-2019-14896
2 heap overflows in Marvell Libertas Wifi Driver - OTA - crash / ACE
CVE-2019-14901
CVE-2019-14895
2 heap overflows in Marvell Wifi-Ex Driver - OTA - crash / ACE
CVE-2019-10220
Kernel CIFS impl failed to sanitize paths returned from SMB server -
malicious server could overwrite arbitrary files on the client
[USN-4227-1, USN-4227-2] Linux kernel vulnerabilities [05:36]
14 CVEs addressed in Xenial, Bionic, Trusty ESM (Azure)
CVE-2019-19807
UAF in ALSA timer implementation - local user - crash (DoS) / ACE
CVE-2019-19534
CVE-2019-19529
CVE-2019-19524
CVE-2019-19083
CVE-2019-19052
CVE-2019-19045
CVE-2019-18660
SpectreRSB mitigations not properly enforced on PPC
CVE-2019-16233
CVE-2019-16231
CVE-2019-14897
CVE-2019-14896
2 heap overflows in Marvell Libertas Wifi Driver - OTA - crash / ACE
CVE-2019-14901
CVE-2019-14895
2 heap overflows in Marvell Wifi-Ex Driver - OTA - crash / ACE
[USN-4228-1, USN-4228-2] Linux kernel vulnerabilities [06:17]
8 CVEs addressed in Xenial, Trusty ESM (Xenial HWE)
CVE-2019-19534
CVE-2019-19524
CVE-2019-19052
CVE-2019-18660
SpectreRSB mitigations not properly enforced on PPC
CVE-2019-14897
CVE-2019-14896
2 heap overflows in Marvell Libertas Wifi Driver - OTA - crash / ACE
CVE-2019-14901
CVE-2019-14895
2 heap overflows in Marvell Wifi-Ex Driver - OTA - crash / ACE
[LSN-0061-1] Linux kernel vulnerability [06:38]
5 CVEs addressed in Bionic & Xenial
CVE-2019-15794
OverlayFS & ShiftFS reference counting issue - Episode 55
CVE-2019-14901
CVE-2019-14895
2 heap overflows in Marvell Wifi-Ex Driver - OTA - crash / ACE
CVE-2019-14897
CVE-2019-14896
2 heap overflows in Marvell Libertas Wifi Driver - OTA - crash / ACE
Goings on in Ubuntu Security Community
Alex and Joe discuss connected devices and smart assistants [07:25]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
21min
December 19, 2019Episode 57
Overview
In the final episode of 2019, we look at security updates for RabbitMQ,
GraphicsMagick, OpenJDK and more, plus Joe and Alex discuss a typical
day-in-the-life of a Ubuntu Security Team member.
This week in Ubuntu Security Updates
34 unique CVEs addressed
[USN-4217-2] Samba vulnerabilities [01:00]
2 CVEs addressed in Trusty ESM
CVE-2019-14870
CVE-2019-14861
See Episode 56
[USN-4214-2] RabbitMQ vulnerability [01:23]
1 CVEs addressed in Xenial, Bionic
CVE-2019-18609
AMQP implementation
Possible integer overflow when handling the CONNECTION_STATE_HEADER
frame - rogue server could return a malicious frame header which is then
processed by the client and leads to a smaller target_size value due to
integer overflow - then when the frame data is copied in via memcpy()
this would overwrite past the bounds of the heap allocation, and with
attacker controlled data
Not an issue if connecting to trusted servers
[USN-4222-1] GraphicsMagick vulnerabilities [02:28]
15 CVEs addressed in Xenial
CVE-2017-13777
CVE-2017-13776
CVE-2017-13775
CVE-2017-13737
CVE-2017-13134
CVE-2017-13065
CVE-2017-13064
CVE-2017-13063
CVE-2017-12937
CVE-2017-12936
CVE-2017-12935
CVE-2017-11643
CVE-2017-11642
CVE-2017-11641
CVE-2017-11638
Episode 55 covered previous update for GraphicsMagick - more of the same
here
[USN-4223-1] OpenJDK vulnerabilities [03:00]
16 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-2999
CVE-2019-2992
CVE-2019-2989
CVE-2019-2988
CVE-2019-2987
CVE-2019-2983
CVE-2019-2978
CVE-2019-2977
CVE-2019-2975
CVE-2019-2981
CVE-2019-2973
CVE-2019-2964
CVE-2019-2962
CVE-2019-2949
CVE-2019-2945
CVE-2019-2894
Latest upstream micro-release for openjdk 8 and openjdk 11
Various mix of issues (buffer overflows, NULL pointer dereferences and
various denial of service issues on application crashes in different
scenarios) - see the full USN for details
Goings on in Ubuntu Security Community
Joe and Alex discuss a day-in-the-life of a Ubuntu Security Team member [03:50]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
19min
December 13, 2019Episode 56
Overview
In the second to last episode for 2019, we look at security updates for
Samba, Squid, Git, HAProxy and more, plus Alex and Joe discuss Evil Corp
hacker indictments, unsecured AWS S3 buckets and more.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-4212-1] HAProxy vulnerability [00:50]
1 CVEs addressed in Bionic, Disco, Eoan
CVE-2019-19330
Failed to treat malformed headers as invalid - HTTP/2 allows encoding
headers as binary and these can then contain characters which would be
invalid when converted to HTTP/1.1 - as such these should be treated as
invalid, otherwise allows to send on invalid headers to HTTP/1.1 servers
and could be used to launch attacks against them - so test for and reject
in valid chars (CR, LF and NUL)
[USN-4213-1] Squid vulnerabilities [01:37]
7 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-18679
CVE-2019-18678
CVE-2019-18677
CVE-2019-18676
CVE-2019-12854
CVE-2019-12526
CVE-2019-12523
2 issues in URN handling (uniform resource name, globally unique
identifier within a particular namespace - e.g. urn:ietf:rfc:2648):
When handling URN requests Squid makes a corresponding HTTP request but
the various access control checks that are normally done for HTTP
weren’t done so could end up accessing restricted HTTP resources (such
as servers that listen to localhost etc)
Heap buffer overflow if response received from a server that is
handling a URN request does not fit within the buffer
Failure to NUL terminal strings - buffer overflow on read -> crash in
cachemgr cgi process - DoS to all clients using the cachemgr
Able to redirect traffic to origins that should be disallowed due to use
of append_domain setting
HTTP request smuggling (Episode 52 for HAProxy)
Nonces used for HTTP digest authentication were generated from a raw byte
value of a pointer from a heap memory allocation - this allows attackers
to deduce this pointer value and therefore help to defeat ASLR
[USN-4214-1] RabbitMQ vulnerability [03:54]
1 CVEs addressed in Trusty ESM, Disco, Eoan
CVE-2019-18609
Integer overflow if a client sent a frame of size close to UINT32_MAX - a
resulting size is calculated that could overflow, and then memory
allocated with this overflowed (and hence small) size, resulting in a
heap buffer overflow when the frame is copied to that resulting buffer -
so instead just reject frames greater than INT32_MAX
[USN-4215-1] NSS vulnerability [04:38]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
CVE-2019-17007
NULL pointer dereference -> crash -> DoS when handling Netscape
Certificate Sequences (a type of encoded certificate) handled by NSS
[USN-4216-1] Firefox vulnerabilities [05:07]
9 CVEs addressed in Bionic, Disco, Eoan
CVE-2019-17014
CVE-2019-17013
CVE-2019-17012
CVE-2019-17011
CVE-2019-17010
CVE-2019-17008
CVE-2019-17005
CVE-2019-11756
CVE-2019-11745
Latest upstream firefox release (71.0)
Includes fix for NSS issue discussed last week plus other sorts of issues:
UAFs
Stack memory corruption
Heap buffer overflows etc
[USN-4217-1] Samba vulnerabilities [05:45]
2 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-14870
CVE-2019-14861
Kerberos delegation allows to be configured as non-forwardable - but this
would not be honored properly by the Samba AD DC - so could allow
delegation to be forwarded by clients even when was disabled by config
Able to read invalid memory and so crash AD DC if a DNS record was
created that matched the name of a DNS zone due to type confusion
[USN-4218-1] GNU C vulnerability [06:43]
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2018-6485
eglibc was used as the standard libc in Ubuntu in older releases like
Trusty/Precise etc - posix_memalign integer overflow - allocates memory
of a given size aligned to a certain size - could return a smaller area
than requested -> heap overflow as a result
[USN-4219-1] libssh vulnerability [07:30]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-14889
libssh ssh_scp_new() function takes a 3rd argument - if this could be
attacker influenced then could possible inject arbitrary commands which
will then be run on the server - so requires the API to be used in a
particular way - but could then allow users to execute commands on the
server even if they should only have been able to copy files
[USN-4220-1] Git vulnerabilities [08:16]
9 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19604
CVE-2019-1387
CVE-2019-1354
CVE-2019-1353
CVE-2019-1352
CVE-2019-1351
CVE-2019-1350
CVE-2019-1349
CVE-2019-1348
RCE if clone a malicious repo with a crafted .gitmodules file (used to
specify git submodules for the parent repo)
Mishandling of CLI arguments during cloning of repos via SSH URLs allowed
possible RCE
Arbitrary path overwrite during a fast-import due to incorrect handling
of the export-marks option
WSL relevant issues:
On Windows would write out filenames that contained backslashes even
though these then act as directory separators on Windows
Wouldn’t enforce NTFS protections in the working directory
Didn’t take into account NTFS Alternate Data Streams, allowing files
inside the .git dir to be overwritten during clone (file attribute
specific to NTFS, allowing to store data for a file alongside the
actual file itself)
Second attack via NTFS ADS via name squatting on the git~2 short-name
Didn’t handle Window virtual drives which can be named as not just say
A: but a full name - git would handle these as relative paths, allowing
writing outside the worktree during a clone
[USN-4202-2] Thunderbird regression [10:15]
10 CVEs addressed in Bionic, Eoan
CVE-2019-15903
CVE-2019-11764
CVE-2019-11763
CVE-2019-11762
CVE-2019-11761
CVE-2019-11760
CVE-2019-11759
CVE-2019-11758
CVE-2019-11757
CVE-2019-11755
Upstream regression - previous update 68.2.1 could result in a new
profile being created for some users so would appear to lose settings etc
[USN-4221-1] libpcap vulnerability [10:37]
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco
CVE-2019-15165
Possible buffer overflow when handling PHB headers - confusion upstream
about which commit fixes which part but have included all the various
commits from upstream - thanks Steve for taking the time to dig into this
issue
Goings on in Ubuntu Security Community
Alex and Joe discuss Evil Corp hackers and unsecured S3 buckets [11:06]
https://threatpost.com/birth-certificate-data-multiple-states/150948/
https://threatpost.com/feds-5m-reward-evil-corp-dridex-hacker/150858/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
27min
December 09, 2019Episode 55
Overview
This week we cover security updates for NSS, SQLite, the Linux kernel and
more, plus Joe and Alex discuss a recent FBI advisory warning about
possible dangers of Smart TVs.
This week in Ubuntu Security Updates
49 unique CVEs addressed
[USN-4203-1, USN-4203-2] NSS vulnerability [00:59]
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-11745
OOB write if using an output buffer smaller than the block size (since
used block size instead of buffer size) when writing output for
NSC_EncryptUpdate()
[USN-4204-1] psutil vulnerability [02:05]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-18874
Double free due to mishandling of reference counting when handling errors
during conversion of system data into Python objects - could be triggered
when using a malicious disk partition label with an invalid character
that fails to decode - so triggers error than fails to cleanup properly
and results in a double free
[USN-4205-1] SQLite vulnerabilities [02:59]
6 CVEs addressed in Precise ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-5827
CVE-2019-5018
CVE-2019-19244
CVE-2019-19242
CVE-2019-16168
CVE-2018-8740
Various robustness updates for SQLite related to CVEs from other
applications that misuse SQLite - so this makes SQLite more tolerant if
it is misused in the future - plus a fix of a possible crash (DoS) under
certain usage scenarios.
[USN-4208-1] Linux kernel vulnerabilities [03:42]
12 CVEs addressed in Bionic (gcp-edge), Eoan (5.3 kernel)
CVE-2019-17075
CVE-2019-19083
CVE-2019-19075
CVE-2019-19069
CVE-2019-19067
CVE-2019-19065
CVE-2019-19061
CVE-2019-19060
CVE-2019-19048
CVE-2019-18810
CVE-2019-17133
CVE-2019-15794
Buffer overflow in wifi driver stack - able to be triggered by a remote
user in wifi range
Ubuntu specific OverlayFS and ShiftFS memory mapped reference counting
issue - can be triggered when combined with that when combined with AUFS
by a local attacker.
Memory leak based denial of service issues in various drivers (usually
during error conditions so unlikely to ever be hit in real use or able to
be easily triggered by malicious local users):
AMD Display Engine
Qualcomm FastRPC
Cascoda CA8210 SPI 802.15.4 wireless controller
AMD Audio CoProcessor
Intel OPA Gen1 Infiniband
ADIS16400 IIO IMU
VirtualBox guest
ARM Komeda display
[USN-4209-1] Linux kernel vulnerabilities [06:07]
3 CVEs addressed in Bionic (HWE), Disco (5.0 kernel)
CVE-2019-19076
CVE-2019-16746
CVE-2019-15794
Memory leak in Netronome NFP4000/NFP6k000 driver
Buffer overflow via 802.11 wifi config interface - local user onlu
OverlayFS/ShiftFS issue above
[USN-4210-1] Linux kernel vulnerabilities [06:47]
6 CVEs addressed in Xenial (HWE), Bionic (4.15)
CVE-2019-17075
CVE-2019-19075
CVE-2019-19065
CVE-2019-19060
CVE-2019-17133
CVE-2019-16746
See above:
Wifi stack buffer overflow from remote user
Wifi config buffer overflow from local user
Memory leaks above:
Cascoda CA8210 SPI 802.15.4 wireless controller
Intel OPA Gen1 Infiniband
ADIS16400 IIO IMU
[USN-4211-1, USN-4211-2] Linux kernel vulnerabilities [07:22]
3 CVEs addressed in Xenial, Trusty ESM (Xenial HWE)
CVE-2019-17075
CVE-2019-17133
CVE-2018-20784
Wifi stack remote user buffer overflow
Infinite loop in the CFS scheduler able to be triggered by a local user
-> DoS
[USN-4206-1] GraphicsMagick vulnerabilities [07:55]
10 CVEs addressed in Xenial
CVE-2017-6335
CVE-2017-14042
CVE-2017-13147
CVE-2017-11637
CVE-2017-11636
CVE-2017-11403
CVE-2017-11140
CVE-2017-11102
CVE-2017-10799
CVE-2017-10794
Usual sorts of memory mismanagement issues seen in large C codebases
(most resulting in crash -> DoS)
OOB read
Various memory allocation failure issues - trigger crash -> DoS
NULL pointer dereference
Heap buffer overflow for RGB images with multiple frames with
non-identical widths
UAF via a crafted MNG image
Resource consumption via crafted JPEG which specifies invalid scanlines
Memory leaks -> memory exhaustion -> crash -> DoS
[USN-4207-1] GraphicsMagick vulnerabilities [09:18]
13 CVEs addressed in Bionic
CVE-2019-11506
CVE-2019-11505
CVE-2019-11474
CVE-2019-11473
CVE-2019-11010
CVE-2019-11009
CVE-2019-11008
CVE-2019-11007
CVE-2019-11006
CVE-2019-11005
CVE-2018-20189
CVE-2018-20185
CVE-2018-20184
[USN-4194-2] postgresql-common vulnerability [09:29]
1 CVEs addressed in Trusty ESM
CVE-2019-3466
Episode 54 - Debian specific package - privesc
[USN-4182-3, USN-4182-4] Intel Microcode regression [09:44]
2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-11139
CVE-2019-11135
Previous microcode update resulted in some Skylake processors hanging on
a warm reboot - not Ubuntu specific and is tracked upstream by Intel
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 -
so this update reverts the microcode only for those specific processor
models
Goings on in Ubuntu Security Community
Joe and Alex discuss a recent FBI Advisory concerning SmartTVs [10:50]
https://threatpost.com/smart-tvs-cyberthreat-living-room-feds/150713/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
26min
November 23, 2019Episode 54
Overview
Security updates for DPDK, Linux kernel, QEMU, ImageMagick, Ghostscript and
more, plus Joe and Alex talk about how to get into information security.
This week in Ubuntu Security Updates
89 unique CVEs addressed
[USN-4189-1] DPDK vulnerability [01:00]
1 CVEs addressed in Bionic, Disco, Eoan
CVE-2019-14818
Data Plane Development Kit - Memory and file-descriptor leak, able to be
triggered by a malicious master or a container with access to the
vhost_user socket
[USN-4190-1] libjpeg-turbo vulnerabilities [01:41]
4 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-2201
CVE-2018-20330
CVE-2018-19664
CVE-2018-14498
2 x heap-buffer overflow - crash or possible RCE
2 x heap-buffer overread - crash
[USN-4183-2] Linux kernel vulnerability [02:48]
9 CVEs addressed in Eoan
CVE-2019-17666
CVE-2019-16746
CVE-2019-15793
CVE-2019-15792
CVE-2019-15791
CVE-2019-0154
CVE-2018-12207
CVE-2019-11135
CVE-2019-0155
Episode 53 - Extra update for CVE-2019-0155 (i915 blitter command streamer) - previous
one was based on an in-flight patch that got changed at the last minute
before the CRD - part of this fix is to whitelist certain commands to the
command-streamer, and this is done via a bitmask - this used a memset()
to zero it out but assumed the size of the underlying data was 32-bit -
so on 64-bit platforms this becomes a 64-bit size and so half the bitmask
is not zeroed out - meaning the whitelist may be able to be bypassed -
this fix includes the final upstream fix
[USN-4184-2] Linux kernel vulnerability and regression [04:37]
14 CVEs addressed in Bionic (HWE), Disco
CVE-2019-17666
CVE-2019-17056
CVE-2019-17055
CVE-2019-17054
CVE-2019-17053
CVE-2019-17052
CVE-2019-15793
CVE-2019-15792
CVE-2019-15791
CVE-2019-15098
CVE-2019-0154
CVE-2018-12207
CVE-2019-11135
CVE-2019-0155
See above (i915 vuln) - but also includes a fix for a regression that was
introduced in last week’s kernel - KVM guests would fail to launch if
extended page tables were disabled or not supported.
[USN-4185-3] Linux kernel vulnerability and regression [05:05]
11 CVEs addressed in Xenial (HWE), Bionic
CVE-2019-17666
CVE-2019-17056
CVE-2019-17055
CVE-2019-17054
CVE-2019-17053
CVE-2019-17052
CVE-2019-15098
CVE-2019-0154
CVE-2018-12207
CVE-2019-11135
CVE-2019-0155
See above (both i915 vuln and KVM regression)
[USN-4186-3] Linux kernel vulnerability [05:22]
13 CVEs addressed in Xenial
CVE-2019-2215
CVE-2019-17666
CVE-2019-17056
CVE-2019-17055
CVE-2019-17054
CVE-2019-17053
CVE-2019-17052
CVE-2019-16746
CVE-2019-15098
CVE-2019-0154
CVE-2018-12207
CVE-2019-11135
CVE-2019-0155
i915 vuln
[USN-4191-1, USN-4191-2] QEMU vulnerabilities [05:32]
5 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-15890
CVE-2019-14378
CVE-2019-13164
CVE-2019-12155
CVE-2019-12068
Heap buffer overflow and UAF in SLiRP networking implementation - DoS +
possible code exec
Bridge helper didn’t validate interface names to be within IFNAMSIZ -
could be used to bypass ACL restrictions
NULL pointer dereference in qxl paravirtual graphics driver - DoS
Possible CPU based DoS via an infinite loop able to be triggered in the
LSI SCSI adaptor emulator
[USN-4192-1] ImageMagick vulnerabilities [06:48]
30 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-16713
CVE-2019-16711
CVE-2019-16710
CVE-2019-16709
CVE-2019-16708
CVE-2019-15140
CVE-2019-15139
CVE-2019-14981
CVE-2019-13454
CVE-2019-13391
CVE-2019-13311
CVE-2019-13310
CVE-2019-13309
CVE-2019-13308
CVE-2019-13307
CVE-2019-13306
CVE-2019-13305
CVE-2019-13304
CVE-2019-13301
CVE-2019-13300
CVE-2019-13297
CVE-2019-13295
CVE-2019-13137
CVE-2019-13135
CVE-2019-12979
CVE-2019-12978
CVE-2019-12977
CVE-2019-12976
CVE-2019-12975
CVE-2019-12974
Usual raft of issues - DoS, RCE etc - in various image decoders etc - so
just need to display or process a malicious image via ImageMagick to
trigger - interestingly, seems to be noticed - some applications (Emacs)
chose not to automatically link against and use ImageMagick now as a
result of all the various vulnerablilties which keep being found in it…
[USN-4193-1] Ghostscript vulnerability [08:13]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-14869
Another -dSAFER bypass - newest Ghostscript is not affected since it
rewrote the SAFER sandbox - but older versions are - allows a malicious
postscript file to bypass the sandbox and access files or execute
commands etc.
[USN-4194-1] postgresql-common vulnerability [09:17]
1 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-3466
Privesc via arbitrary directory creation through the pg_ctlcluster
command - allows to create a dir as postgres user - say
/usr/lib/sudo/haswell - then dump a shared lib there which will be loaded
by sudo to gain a root shell - by specifying this as the
stats_temp_directory in the config
Interesting but requires ability to configure and run as postgres
[USN-4195-1] MySQL vulnerabilities [11:07]
29 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-3018
CVE-2019-3011
CVE-2019-3009
CVE-2019-3004
CVE-2019-3003
CVE-2019-2998
CVE-2019-2997
CVE-2019-2993
CVE-2019-2991
CVE-2019-2982
CVE-2019-2974
CVE-2019-2969
CVE-2019-2968
CVE-2019-2967
CVE-2019-2966
CVE-2019-2963
CVE-2019-2960
CVE-2019-2957
CVE-2019-2950
CVE-2019-2948
CVE-2019-2946
CVE-2019-2938
CVE-2019-2924
CVE-2019-2923
CVE-2019-2922
CVE-2019-2920
CVE-2019-2914
CVE-2019-2911
CVE-2019-2910
Multiple issues fixed in MySQL - updated to 8.0.18 in eoan, whilst in
xenial, bionic and disco - 5.7.28 - for more details see upstream notices
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-28.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-18.html
https://www.oracle.com/security-alerts/cpuoct2019.html
[USN-4196-1] python-ecdsa vulnerabilities [11:42]
2 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-14859
CVE-2019-14853
Issues in handling DER encoding of signatures - failed to verify proper
DER encoding but also might raise exceptions unexpectedly on valid input
so would cause a DoS
Goings on in Ubuntu Security Community
Joe and Alex discuss how to get into infosec [12:18]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
27min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.