Overview
This week we look at some details of the 17 unique CVEs addressed across the supported Ubuntu releases, have a brief look at some Canonical presentations from LSS-EU and more.
This week in Ubuntu Security Updates
17 unique CVEs addressed
[USN-3799-2] MySQL vulnerabilities
- 3 CVEs addressed in Precise ESM
- Ubuntu 12.04 Precise ESM update for 3 CVEs fixed in usual supported releases (covered in Episode 9)
[USN-3803-1] Ghostscript vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- More ghostscript vulnerabilities! (others recent ones covered in Episodes 5 and 7)
- 2 brand new sandbox (-dSAFER) bypasses by Tavis Ormandy
- Third one is due to an incomplete fix for CVE-2018-17183
[USN-3804-1] OpenJDK vulnerabilities
- 8 CVEs addressed in Xenial, Bionic, Cosmic
- New OpenJDK release covering multiple vulnerabilities including:
- Insufficient checking of signatures in manifest elements could allow untrusted Java application to escape sandbox
- Insufficient checking of all JAR attributes could allow untrusted Java application to escape sandbox
- Failure to clear HTTP header elements could result in exposure of sensitive info when follow redirect to another host
- Possible arbitrary code execution due to failure to enforce system security properties
[USN-3805-1, USN-3805-2] curl vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- 1 CVE addressed in Precise ESM
- Buffer overflow in SASL authentication (very similar to CVE-2018-14618 from Episode 5)
- UAF when closing handle (DoS / crash)
- Out-of-bounds read when using curl to print show error messages via command-line
- This is fixed for Precise ESM too
Goings on in Ubuntu Security Community
Linux Security Summit Europe (LSS-EU)
Overview and Recent Developments: Namespaces and Capabilities
Overview and Recent Developments: AppArmor
Blog posts
A guide to snap permissions and interfaces
Hiring
Ubuntu Security Engineer
Get in contact