Overview
This week we take a look at a long-awaited update of Thunderbird in Ubuntu
20.04LTS, plus security updates for Open vSwitch, JUnit 4, PostSRSd, GNOME
Autoar and more.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-4729-1] Open vSwitch vulnerability [00:55]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Most convoluted CVE description: A vulnerability was found in
openvswitch. A limitation in the implementation of userspace packet
parsing can allow a malicious user to send a specially crafted packet
causing the resulting megaflow in the kernel to be too wide, potentially
causing a denial of service. The highest threat from this vulnerability
is to system availability.
[USN-4731-1] JUnit 4 vulnerability [02:05]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Tests that used rule TemporaryFolder would use /tmp which is world
accessible - so contents could be read by other users - so if tests were
writing API keys or passwords these would be able to be read by others
users -> info disclosure. Fixed to create temp directory with permissions
so it is only readable by the owner.
[USN-4730-1] PostSRSd vulnerability [02:57]
- 1 CVEs addressed in Bionic (18.04 LTS)
- Postfix Sender Rewriter Scheme Daemon - Used for rewriting sender email
addresses when forwarding emails from hosts that use SPF - rewrites the
address to appear to come from your hosts address and allows you to do
the inverse and appropriately handle and bounces etc by reverse-rewriting
the sender address to recover the original address
- Could cause a CPU based DoS by excessive processing if an email contained
an exceedingly long SRS timestamp - fixed to just reject those which are
past the expected regular size
[USN-4732-1] SQLite vulnerability [04:20]
- 1 CVEs addressed in Groovy (20.10)
- Only affected more recent releases of sqlite - could cause a crash on
particular query constructs
[USN-4733-1] GNOME Autoar vulnerability [04:42]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Another archive extraction symlink traversal issue - gnome-autoar is a
library used by nautilus and other gnome components when handling
archives - ie right click an archive in nautilus and select “extract
here”
- If an archive contained a file whose parent was a symlink that pointed
outside the destination directory, would blindly follow the symlink and
overwrite arbitrary files - instead fixed to check if is a symlink with
an absolute target OR one that points outside the destination folder via
relative path and reject in that case
[USN-4734-1, USN-4734-2] wpa_supplicant and hostapd vulnerabilities [06:01]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Possible OOB write when doing a wifi-direct / p2p search - so an attacker
just has to be in radio range when the victim performs a P2P discovery
aka wifi direct search - discovered by Google’s OSS-Fuzz project
- CallStranger (Episode 91) - UPnP callback reflection
[USN-4735-1] PostgreSQL vulnerability [07:23]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- Latest upstream 12.6 release to fix a possible info leak which could
occur when handling particular errors - if a user had the permission to
UPDATE on a partitioned table but not the SELECT privilege on some column
and tried to UPDATE on that column, the resulting error message
concerning this constraint violation could leak values on the columns
which the user did not have permission. Rare setup so unlikely to be
affected in practice.
[USN-4736-1] Thunderbird vulnerabilities [08:18]
- 6 CVEs addressed in Groovy (20.10)
- Update to latest upstream release 78.7, usual spread of issues for TB
(derived from firefox) - DoS, info leak, RCE. Also possible response
injection attack from a person-in-the-middle during STARTTLS connection
setup - ie could inject unencrypted response which would then be
evaluated after the encrypted connection was setup so would get treated
as coming from the trusted host.
Goings on in Ubuntu Security Community
Thunderbird to be upgraded to 78.x in Ubuntu 20.04 LTS [09:32]
- Lead by oSoMoN (Olivier Tilloy) from Desktop Team
- 68.x no longer supported upstream and not really practical to backport
security fixes for this old codebase
- 78.x as a new major version introduces a bunch of breaking changes, in
particular with handling of PGP - previously TB had no native support for
PGP but Enigmail addon provided this
- Now does support PGP itself and enigmail is not supported anymore - new
internal PGP is a bit different and requires migration - this should be
handled automatically by the new version to migrate existing enigmail
users across
- A couple other packages tinyjsd and junit are also not supported by TB 78
- tinyjsd - JS debugger with a particular focus on being able to debug TB
extensions etc
- jsunit - unit testing tool for TB to allow add-on developers to setup
unit tests for their extensions and to run these in TB/FF etc
- these will be replaced by empty packages in the Ubuntu archive for
20.04
- Once this is done will then look to do Bionic (18.04 LTS) as well
- https://discourse.ubuntu.com/t/thunderbird-lts-update/20819
Get in contact