Ubuntu Security Podcast

regreSSHion

cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
mokutil --list-sbat-revocations

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

objdump -j .sbat -s /boot/efi/EFI/ubuntu/grubx64.efi | xxd -r

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.ubuntu,2,Ubuntu,grub2,2.12-5ubuntu4,https://www.ubuntu.com/
grub.peimage,2,Canonical,grub2,2.12-5ubuntu4,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch

rm -rf grub2-signed
mkdir grub2-signed
pushd grub2-signed >/dev/null || exit
for rel in focal jammy noble; do
  mkdir $rel
  pushd $rel >/dev/null || exit
  pull-lp-debs grub2-signed $rel-security 1>/dev/null 2>/dev/null || pull-lp-debs grub2-signed $rel-release 1>/dev/null 2>/dev/null
  dpkg-deb -x grub-efi-amd64-signed*.deb grub2-signed
  echo $rel
  echo -----
  find . -name grubx64.efi.signed -exec objdump -j .sbat -s {} \; | tail -n +5 | xxd -r
  popd >/dev/null || exit
done
popd >/dev/null

focal
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14.4,https://www.ubuntu.com/
jammy
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14.4,https://www.ubuntu.com/
noble
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.ubuntu,2,Ubuntu,grub2,2.12-1ubuntu7,https://www.ubuntu.com/
grub.peimage,2,Canonical,grub2,2.12-1ubuntu7,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch

rm -rf shim-signed
mkdir shim-signed
pushd shim-signed >/dev/null || exit
for rel in focal jammy noble; do
  mkdir $rel
  pushd $rel >/dev/null || exit
  pull-lp-debs shim-signed $rel-security 1>/dev/null 2>/dev/null || pull-lp-debs shim-signed $rel-release 1>/dev/null 2>/dev/null
  dpkg-deb -x shim-signed*.deb shim-signed
  echo $rel
  echo -----
  find . -name shimx64.efi.signed.latest -exec objdump -j .sbat -s {} \; | tail -n +5 | xxd -r
  popd >/dev/null || exit
done
popd >/dev/null

focal
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
jammy
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
noble
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.8-0ubuntu1,https://www.ubuntu.com/

canonical-livepatch status

canonical-livepatch status

diff -w <(curl https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)

canonical-livepatch status

# appletalk
alias net-pf-5 off

canonical-livepatch status

$ hardening-check $(which tar)
/usr/bin/tar:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: yes
 Control flow integrity: yes

canonical-livepatch status

kernel.apparmor_restrict_unprivileged_userns = 1

abi <abi/4.0>,

include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.google.chrome.chrome>
}

snap recovery --show-keys

ubuntu@ubuntu:~$ groups
ubuntu sudo

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

canonical-livepatch status

wget -q https://old-releases.ubuntu.com/releases/xenial/SHA256SUMS{,.gpg}
gpg --verify --no-default-keyring --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --verbose SHA256SUMS.gpg SHA256SUMS

gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg:                using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg:                using RSA key D94AA3F0EFE21092
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

gpg: Signature made Fri 09 Jun 2023 00:38:30 ACST
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: using pgp trust model
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

canonical-livepatch status

cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23

sbat,1,2022052400
grub,2

objdump -j .sbat -s grubx64.efi

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro

pro config set apt_news False

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro

canonical-livepatch status

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1

sudo sysctl kernel.unprivileged_userns_clone=0

#!/bin/bash
for d in $(curl -s "https://ubuntu.com/security/cves.json?order=newest&package=curl&limit=100" | jq -r ".cves[].published"); do
  date +%s -d "$d";
done > curlhist

#!/usr/bin/gnuplot
binwidth = 60*60*24*365 # ~30days in seconds
bin(x,width)=width*floor(x/width) + width/2.0
set xdata time
set datafile missing NaN
set boxwidth binwidth
set xtics format "%Y" time rotate
set style fill solid 0.5 # fill style
set title 'Frequency of curl CVEs in the Ubuntu CVE Tracker by year'
plot 'curlhist' using (bin($1,binwidth)):(1.0) \
    smooth freq with boxes notitle

          fwupdmgr security

          The HSI specification is not yet complete. To ignore this warning, use --force

sudo sysctl kernel.unprivileged_userns_clone=0

sudo do-release-upgrade

canonical-livepatch status

cat /sys/devices/system/cpu/vulnerabilities/mmio_stale_data

mmio_stale_data=full # or 'full,nosmt'  or 'off'

canonical-livepatch status

sudo apt install jq
xdg-open "https://www.virustotal.com/gui/file/$(sha256sum /usr/bin/jq | cut -f1 -d' ')"

Kernel type	22.04	20.04	18.04
aws	103.3	103.3	—
aws-5.15	—	103.3	—
aws-5.4	—	—	103.3
aws-6.5	103.1	—	—
azure	103.3	103.3	—
azure-5.4	—	—	103.3
azure-6.5	103.1	—	—
gcp	103.3	103.3	—
gcp-5.15	—	103.3	—
gcp-5.4	—	—	103.3
gcp-6.5	103.1	—	—
generic-5.15	—	103.3	—
generic-5.4	—	103.3	103.3
gke	103.3	103.3	—
hwe-6.5	103.1	—	—
ibm	103.3	—	—
ibm-5.15	—	103.3	—
linux	103.3	—	—
lowlatency-5.15	—	103.3	—
lowlatency-5.4	—	103.3	103.3

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	102.1	102.1	102.1	102.1	—
aws-5.15	—	102.1	—	—	—
aws-5.4	—	—	102.1	—	—
aws-6.5	102.1	—	—	—	—
aws-hwe	—	—	—	102.1	—
azure	102.1	102.1	—	102.1	—
azure-4.15	—	—	102.1	—	—
azure-5.4	—	—	102.1	—	—
azure-6.5	102.1	—	—	—	—
gcp	102.1	102.1	—	102.1	—
gcp-4.15	—	—	102.1	—	—
gcp-5.15	—	102.1	—	—	—
gcp-5.4	—	—	102.1	—	—
gcp-6.5	102.1	—	—	—	—
generic-4.15	—	—	102.1	102.1	—
generic-4.4	—	—	—	102.1	102.1
generic-5.15	—	102.1	—	—	—
generic-5.4	—	102.1	102.1	—	—
gke	102.1	102.1	—	—	—
gke-5.15	—	102.1	—	—	—
gkeop	—	102.1	—	—	—
hwe-6.5	102.1	—	—	—	—
ibm	102.1	102.1	—	—	—
ibm-5.15	—	102.1	—	—	—
linux	102.1	—	—	—	—
lowlatency	102.1	—	—	—	—
lowlatency-4.15	—	—	102.1	102.1	—
lowlatency-4.4	—	—	—	102.1	102.1
lowlatency-5.15	—	102.1	—	—	—
lowlatency-5.4	—	102.1	102.1	—	—

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	101.1	101.1	101.1	101.1	—
aws-5.15	—	101.1	—	—	—
aws-5.4	—	—	101.1	—	—
aws-6.5	101.1	—	—	—	—
aws-hwe	—	—	—	101.1	—
azure	101.1	101.1	—	101.1	—
azure-4.15	—	—	101.1	—	—
azure-5.4	—	—	101.1	—	—
azure-6.5	101.1	—	—	—	—
gcp	101.1	101.1	—	101.1	—
gcp-4.15	—	—	101.1	—	—
gcp-5.15	—	101.1	—	—	—
gcp-5.4	—	—	101.1	—	—
gcp-6.5	101.1	—	—	—	—
generic-4.15	—	—	101.1	101.1	—
generic-4.4	—	—	—	101.1	101.1
generic-5.15	—	101.2	—	—	—
generic-5.4	—	101.1	101.1	—	—
gke	101.1	—	—	—	—
gke-5.15	—	101.1	—	—	—
gkeop	—	101.1	—	—	—
hwe-6.5	101.1	—	—	—	—
ibm	101.1	101.1	—	—	—
ibm-5.15	—	101.1	—	—	—
linux	101.2	—	—	—	—
lowlatency-4.15	—	—	101.1	101.1	—
lowlatency-4.4	—	—	—	101.1	101.1
lowlatency-5.15	—	101.2	—	—	—
lowlatency-5.4	—	101.1	101.1	—	—

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	100.1	100.1	100.1	100.1	—
aws-5.15	—	100.1	—	—	—
aws-5.4	—	—	100.1	—	—
aws-6.2	100.1	—	—	—	—
aws-hwe	—	—	—	100.1	—
azure	100.1	100.1	—	100.1	—
azure-4.15	—	—	100.1	—	—
azure-5.4	—	—	100.1	—	—
azure-6.2	100.1	—	—	—	—
gcp	100.1	100.1	—	100.1	—
gcp-4.15	—	—	100.1	—	—
gcp-5.15	—	100.1	—	—	—
gcp-5.4	—	—	100.1	—	—
gcp-6.2	100.1	—	—	—	—
generic-4.15	—	—	100.1	100.1	—
generic-4.4	—	—	—	100.1	100.1
generic-5.15	—	100.1	—	—	—
generic-5.4	—	100.1	100.1	—	—
gke	100.1	100.1	—	—	—
gke-5.15	—	100.1	—	—	—
gkeop	—	100.1	—	—	—
hwe-6.2	100.1	—	—	—	—
ibm	100.1	100.1	—	—	—
ibm-5.15	—	100.1	—	—	—
linux	100.1	—	—	—	—
lowlatency-4.15	—	—	100.1	100.1	—
lowlatency-4.4	—	—	—	100.1	100.1
lowlatency-5.15	—	100.1	—	—	—
lowlatency-5.4	—	100.1	100.1	—	—

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	99.2	99.1	99.1	99.1	—
aws-5.15	—	99.2	—	—	—
aws-5.4	—	—	99.1	—	—
aws-6.2	99.2	—	—	—	—
aws-hwe	—	—	—	99.1	—
azure	99.2	99.1	—	99.1	—
azure-4.15	—	—	99.1	—	—
azure-5.4	—	—	99.1	—	—
azure-6.2	99.2	—	—	—	—
gcp	99.2	99.1	—	99.1	—
gcp-4.15	—	—	99.1	—	—
gcp-5.15	—	99.2	—	—	—
gcp-5.4	—	—	99.1	—	—
gcp-6.2	99.2	—	—	—	—
generic-4.15	—	—	99.1	99.1	—
generic-4.4	—	—	—	99.1	99.1
generic-5.15	—	99.2	—	—	—
generic-5.4	—	99.1	99.1	—	—
gke	99.2	99.1	—	—	—
gke-5.15	—	99.2	—	—	—
gkeop	—	99.1	—	—	—
hwe-6.2	99.2	—	—	—	—
ibm	99.2	99.1	—	—	—
ibm-5.15	—	99.2	—	—	—
ibm-5.4	—	—	99.1	—	—
linux	99.2	—	—	—	—
lowlatency-4.15	—	—	99.1	99.1	—
lowlatency-4.4	—	—	—	99.1	99.1
lowlatency-5.15	—	99.2	—	—	—
lowlatency-5.4	—	99.1	99.1	—	—

CWE-ID	Description	2023 Rank
CWE-787	Out-of-bounds Write	1
CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	2
CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	3
CWE-416	Use After Free	4
CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	5
CWE-20	Improper Input Validation	6
CWE-125	Out-of-bounds Read	7
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	8
CWE-352	Cross-Site Request Forgery (CSRF)	9
CWE-476	NULL Pointer Dereference	12
CWE-287	Improper Authentication	13
CWE-190	Integer Overflow or Wraparound	14
CWE-502	Deserialization of Untrusted Data	15
CWE-119	Improper Restriction of Operations within Bounds of a Memory Buffer	17
CWE-798	Use of Hard-coded Credentials	18

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	—	96.2	—	96.2	—
aws-hwe	—	—	—	96.2	—
azure	96.3	96.2	—	96.2	—
azure-5.4	—	—	96.2	—	—
gcp	96.3	96.2	—	96.2	—
gcp-4.15	—	—	96.2	—	—
gcp-5.15	—	96.3	—	—	—
gcp-5.4	—	—	96.2	—	—
generic-4.15	—	—	96.2	96.2	—
generic-4.4	—	—	—	96.2	96.2
generic-5.15	—	96.3	—	—	—
generic-5.4	—	96.2	96.2	—	—
gke	96.3	96.2	—	—	—
gke-5.15	—	96.3	—	—	—
gke-5.4	—	—	96.2	—	—
gkeop	—	96.2	—	—	—
gkeop-5.4	—	—	96.2	—	—
ibm	96.3	96.2	—	—	—
ibm-5.4	—	—	96.2	—	—
linux	96.3	—	—	—	—
lowlatency-4.15	—	—	96.2	96.2	—
lowlatency-4.4	—	—	—	96.2	96.2
lowlatency-5.15	—	96.3	—	—	—
lowlatency-5.4	—	96.2	96.2	—	—

Rank	ID	Name	Score	CVEs in KEV
1	CWE-787	Out-of-bounds Write	63.72	70
2	CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	45.54	4
3	CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	34.27	6
4	CWE-416	Use After Free	16.71	44
5	CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	15.65	23
6	CWE-20	Improper Input Validation	15.50	35
7	CWE-125	Out-of-bounds Read	14.60	2
8	CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	14.11	16
9	CWE-352	Cross-Site Request Forgery (CSRF)	11.73	0
10	CWE-434	Unrestricted Upload of File with Dangerous Type	10.41	5
11	CWE-862	Missing Authorization	6.90	0
12	CWE-476	NULL Pointer Dereference	6.59	0
13	CWE-287	Improper Authentication	6.39	10
14	CWE-190	Integer Overflow or Wraparound	5.89	4
15	CWE-502	Deserialization of Untrusted Data	5.56	14
16	CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	4.95	4
17	CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	4.75	7
18	CWE-798	Use of Hard-coded Credentials	4.57	2
19	CWE-918	Server-Side Request Forgery (SSRF)	4.56	16
20	CWE-306	Missing Authentication for Critical Function	3.78	8
21	CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	3.53	8
22	CWE-269	Improper Privilege Management	3.31	5
23	CWE-94	Improper Control of Generation of Code (‘Code Injection’)	3.30	6
24	CWE-863	Incorrect Authorization	3.16	0
25	CWE-276	Incorrect Default Permissions	3.16	0

Kernel type	22.04	20.04	18.04
aws	95.4	95.4	—
aws-5.15	—	95.4	—
aws-5.4	—	—	95.4
azure	95.4	95.4	—
azure-5.4	—	—	95.4
gcp	95.4	95.4	—
gcp-5.15	—	95.4	—
gcp-5.4	—	—	95.4
generic-5.4	—	95.4	95.4
gke	95.4	95.4	—
gke-5.15	—	95.4	—
gke-5.4	—	—	95.4
gkeop	—	95.4	—
gkeop-5.4	—	—	95.4
ibm	95.4	95.4	—
ibm-5.4	—	—	95.4
linux	95.4	—	—
lowlatency	95.1	—	—
lowlatency-5.4	—	95.4	95.4

Kernel type	22.04	20.04	18.04	16.04
aws	93.1	93.1	93.1	—
aws-5.15	—	93.1	—	—
aws-5.4	—	—	93.1	—
aws-hwe	—	—	—	93.1
azure	93.1	93.1	—	93.1
azure-4.15	—	—	93.1	—
azure-5.4	—	—	93.1	—
gcp	93.2	93.1	—	93.1
gcp-4.15	—	—	93.1	—
gcp-5.15	—	93.2	—	—
gcp-5.4	—	—	93.1	—
generic-4.15	—	—	93.1	93.1
generic-5.4	—	93.1	93.1	—
gke	93.2	93.1	—	—
gke-4.15	—	—	93.1	—
gke-5.15	—	93.2	—	—
gke-5.4	—	—	93.1	—
gkeop	—	93.1	—	—
gkeop-5.4	—	—	93.1	—
ibm	93.1	93.1	—	—
linux	93.1	—	—	—
lowlatency-4.15	—	—	93.1	93.1
lowlatency-5.4	—	93.1	93.1	—
oem	—	—	93.1	—

Kernel type	22.04	20.04	18.04
aws	90.3	90.2	—
aws-5.15	—	90.3	—
aws-5.4	—	—	90.2
azure	90.2	90.2	—
azure-5.4	—	—	90.2
gcp	90.3	90.2	—
gcp-5.15	—	90.3	—
gcp-5.4	—	—	90.2
generic-5.4	—	90.2	90.2
gke	90.3	90.2	—
gke-5.15	—	90.3	—
gke-5.4	—	—	90.2
gkeop	—	90.2	—
gkeop-5.4	—	—	90.2
ibm	90.2	90.2	—
ibm-5.4	—	—	90.2
linux	90.2	—	—
lowlatency	90.2	—	—
lowlatency-5.4	—	90.2	90.2

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	—	87.1	87.2	87.1	—
aws-5.4	—	—	87.1	—	—
aws-hwe	—	—	—	87.2	—
azure	—	87.1	—	87.1	—
azure-4.15	—	—	87.1	—	—
azure-5.4	—	—	87.1	—	—
gcp	87.1	87.1	—	87.1	—
gcp-4.15	—	—	87.1	—	—
gcp-5.4	—	—	87.1	—	—
generic-4.15	—	—	87.1	87.1	—
generic-4.4	—	—	—	87.1	87.1
generic-5.4	—	87.1	87.1	—	—
gke	87.1	87.1	—	—	—
gke-4.15	—	—	87.1	—	—
gke-5.4	—	—	87.1	—	—
gkeop	—	87.1	—	—	—
gkeop-5.4	—	—	87.1	—	—
ibm	87.1	87.1	—	—	—
linux	87.1	—	—	—	—
lowlatency	87.1	—	—	—	—
lowlatency-4.15	—	—	87.1	87.1	—
lowlatency-4.4	—	—	—	87.1	87.1
lowlatency-5.4	—	87.1	87.1	—	—
oem	—	—	87.1	—	—

Kernel type	22.04	20.04	18.04	16.04	14.04
aws	—	86.3	86.3	86.3	—
aws-5.4	—	—	86.3	—	—
aws-hwe	—	—	—	86.3	—
azure	—	86.3	—	86.3	—
azure-4.15	—	—	86.3	—	—
azure-5.4	—	—	86.3	—	—
gcp	86.4	86.3	—	86.3	—
gcp-4.15	—	—	86.3	—	—
gcp-5.4	—	—	86.3	—	—
generic-4.15	—	—	86.3	86.3	—
generic-4.4	—	—	—	86.3	86.3
generic-5.4	—	86.3	86.3	—	—
gke	86.4	86.3	—	—	—
gke-4.15	—	—	86.3	—	—
gke-5.4	—	—	86.3	—	—
gkeop	—	86.3	—	—	—
gkeop-5.4	—	—	86.3	—	—
ibm	86.4	86.3	—	—	—
ibm-5.4	—	—	86.3	—	—
linux	86.4	—	—	—	—
lowlatency	86.4	—	—	—	—
lowlatency-4.15	—	—	86.3	86.3	—
lowlatency-4.4	—	—	—	86.3	86.3
lowlatency-5.4	—	86.3	86.3	—	—
oem	—	—	86.3	—	—

KERNEL TYPE	20.04	18.04	16.04	14.04
aws	85.1	85.1	85.1	—
azure	85.1	—	85.1	—
azure-4.15	—	85.1	—	—
gcp	85.1	—	—	—
generic-4.15	—	85.1	85.1	—
generic-4.4	—	—	85.1	85.1
generic-5.4	85.2	85.2	—	—
gke	85.1	—	—	—
gke-4.15	—	85.1	—	—
gke-5.4	—	85.1	—	—
gkeop	85.1	—	—	—
gkeop-5.4	—	85.1	—	—
ibm	85.1	—	—	—
ibm-5.4	—	85.1	—	—
lowlatency-4.15	—	85.1	85.1	—
lowlatency-4.4	—	—	85.1	85.1
lowlatency-5.4	85.2	85.2	—	—
oem	—	85.1	—	—

RELEASE	RELEASE DATE	END OF LIFE*
Ubuntu 14.04 (Trusty Tahr)	April 2014	April 2024(from April 2022)
Ubuntu 16.04 (Xenial Xerus)	April 2016	April 2026(from April 2024)
Ubuntu 18.04 (Bionic Beaver)	April 2018	April 2028(unchanged)
Ubuntu 20.04 (Focal Fossa)	April 2020	April 2030(unchanged)

Ubuntu Security Podcast

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ...

Om podden

Avsnitt

Episode 237

Overview

This week in Ubuntu Security Updates (01:11)

[USN-6989-1] OpenStack vulnerability

[USN-6990-1] znc vulnerability

[USN-6992-1] Firefox vulnerabilities

[USN-6993-1] Vim vulnerabilities

[USN-6991-1] AIOHTTP vulnerability

[USN-6995-1] Thunderbird vulnerabilities

[USN-6996-1] WebKitGTK vulnerabilities

[USN-6841-2] PHP vulnerability

[USN-6997-1, USN-6997-2] LibTIFF vulnerability

[USN-6994-1] Netty vulnerabilities

[USN-6998-1] Unbound vulnerabilities

[USN-6999-1] Linux kernel vulnerabilities

[USN-7003-1, USN-7003-2, USN-7003-3] Linux kernel vulnerabilities

[USN-7004-1] Linux kernel vulnerabilities

[USN-7005-1, USN-7005-2] Linux kernel vulnerabilities

[USN-7006-1] Linux kernel vulnerabilities

[USN-7007-1] Linux kernel vulnerabilities

[USN-7008-1] Linux kernel vulnerabilities

[USN-7009-1] Linux kernel vulnerabilities

[USN-7019-1] Linux kernel vulnerabilities

[USN-7002-1] Setuptools vulnerability

[USN-7000-1, USN-7000-2] Expat vulnerabilities

[USN-7001-1, USN-7001-2] xmltok library vulnerabilities

[USN-6560-3] OpenSSH vulnerability

[USN-7011-1, USN-7011-2] ClamAV vulnerabilities

[USN-7012-1] curl vulnerability

[USN-7013-1] Dovecot vulnerabilities

[USN-7014-1] nginx vulnerability

[USN-7015-1] Python vulnerabilities

[USN-7010-1] DCMTK vulnerabilities

[USN-7016-1] FRR vulnerability

[USN-7017-1] Quagga vulnerability

[USN-7018-1] OpenSSL vulnerabilities

Goings on in Ubuntu Security Community

Linux Security Summit Europe 2024 (03:44)

Official announcement of Permissions Prompting in Ubuntu 24.10 (09:00)

Version 2.1 of IntelⓇ TDX on Ubuntu 24.04 LTS Released (11:46)

Ubuntu 22.04.5 LTS released (13:45)

AppArmor security update for CVE-2016-1585 published (14:23)

Get in contact

Episode 236

Overview

This week in Ubuntu Security Updates

[USN-6972-4] Linux kernel (Oracle) vulnerabilities

[USN-6982-1] Dovecot vulnerabilities

[USN-6983-1] FFmpeg vulnerability

[USN-6984-1] WebOb vulnerability

[USN-6973-4] Linux kernel (Raspberry Pi) vulnerabilities

[USN-6981-2] Drupal vulnerabilities

[USN-6986-1] OpenSSL vulnerability

[USN-6987-1] Django vulnerabilities

[USN-6988-1] Twisted vulnerabilities

[USN-6985-1] ImageMagick vulnerabilities

Goings on in Ubuntu Security Community

Ubuntu 24.04.1 LTS released (02:55)

Ubuntu Security Center with snapd-based AppArmor home file access prompting preview (05:45)

Get in contact

Episode 235

Overview

This week in Ubuntu Security Updates

[USN-6960-1] RMagick vulnerability

[USN-6951-2] Linux kernel (Azure) vulnerabilities

[USN-6961-1] BusyBox vulnerabilities

[USN-6962-1] LibreOffice vulnerability

[USN-6963-1] GNOME Shell vulnerability (01:03)

[USN-6909-3] Bind vulnerabilities

[USN-6964-1] ORC vulnerability

[USN-6837-2] Rack vulnerabilitie

[USN-6966-1] Firefox vulnerabilities

[USN-6966-2] Firefox regressions

[USN-6951-3] Linux kernel (Azure) vulnerabilities

[USN-6968-1] PostgreSQL vulnerability

[USN-6967-1] Intel Microcode vulnerabilities

Discussion of CVE-2024-5290 in `wpa_supplicant` (16:10)