Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 10

9 min • 5 november 2018

Overview

This week we look at some details of the 17 unique CVEs addressed across the supported Ubuntu releases, have a brief look at some Canonical presentations from LSS-EU and more.

This week in Ubuntu Security Updates

17 unique CVEs addressed

[USN-3799-2] MySQL vulnerabilities

[USN-3803-1] Ghostscript vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • More ghostscript vulnerabilities! (others recent ones covered in Episodes 5 and 7)
  • 2 brand new sandbox (-dSAFER) bypasses by Tavis Ormandy
  • Third one is due to an incomplete fix for CVE-2018-17183

[USN-3804-1] OpenJDK vulnerabilities

  • 8 CVEs addressed in Xenial, Bionic, Cosmic
  • New OpenJDK release covering multiple vulnerabilities including:
    • Insufficient checking of signatures in manifest elements could allow untrusted Java application to escape sandbox
    • Insufficient checking of all JAR attributes could allow untrusted Java application to escape sandbox
    • Failure to clear HTTP header elements could result in exposure of sensitive info when follow redirect to another host
    • Possible arbitrary code execution due to failure to enforce system security properties

[USN-3805-1, USN-3805-2] curl vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • 1 CVE addressed in Precise ESM
  • Buffer overflow in SASL authentication (very similar to CVE-2018-14618 from Episode 5)
  • UAF when closing handle (DoS / crash)
  • Out-of-bounds read when using curl to print show error messages via command-line
    • This is fixed for Precise ESM too

Goings on in Ubuntu Security Community

Linux Security Summit Europe (LSS-EU)

Overview and Recent Developments: Namespaces and Capabilities

Overview and Recent Developments: AppArmor

Blog posts

A guide to snap permissions and interfaces

Hiring

Ubuntu Security Engineer

Get in contact

Kategorier
Förekommer på
00:00 -00:00