Overview
This week we look at a reboot of the DWF project, Rust in the Linux kernel,
an Ubuntu security webinar plus some details of the 45 CVEs addressed
across the Ubuntu releases this last week and more.
This week in Ubuntu Security Updates
45 unique CVEs addressed
[LSN-0075-1] Linux kernel vulnerability [01:01]
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- madvise issue reported by Jann Horn -
- BPF spectre mitigations fixes (Episode 109)
[USN-4903-1] curl vulnerability [02:02]
- 1 CVE addressed in Trusty ESM (14.04 ESM)
- Episode 110 - leaking credentials via HTTP Referer header
[USN-4896-2] lxml vulnerability
[USN-4899-2] SpamAssassin vulnerability
[USN-4905-1] X.Org X Server vulnerability [02:26]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Local user (X client) could crash the server via the XInput extension and a
ChangeFeedbackControl request - integer underflow -> heap buffer overflow
[USN-4906-1] Nettle vulnerability [03:31]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Low level crypto library used by lots of packages - chrony, dnsmasq,
lighttpd, qemu, squid, supertuxkart
- Could end up calling EC multiply with out-of-range scalars - as a result
would get incorrect results during EC signature verification and so could
allow an attacker to trigger an assertion failure -> DoS OR force an
invalid signature to be accepted - bypass verification
[USN-4904-1] Linux kernel vulnerabilities [04:27]
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
[USN-4907-1] Linux kernel vulnerabilities
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4909-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4910-1] Linux kernel vulnerabilities
- 5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
[USN-4911-1] Linux kernel (OEM) vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-4912-1] Linux kernel (OEM) vulnerabilities
- 14 CVEs addressed in Focal (20.04 LTS)
- Piotr Krysiuk - BPF JIT - invalid branch displacement - could allow OOB
memory read/write -> code exec or at least crash - unprivileged BPF is enabled
in Ubuntu so could then allow an unprivileged user to get kernel code exec
- Thanks to the kernel team for handling these issues - lots of kernel security
issues at the moment so thanks for their hard work
Goings on in Ubuntu Security Community
DWF v2 [07:25]
Rust support for Linux kernel [10:12]
Securing open source from cloud to edge webinar [12:19]
- https://www.brighttalk.com/webcast/6793/440517
- Ubuntu is built with security in mind from the ground up, and how we keep
you protected against major vulnerabilities
- How you can ensure performant open source in production environments
- Specific security services that can help you achieve maximum availability
by reducing downtime and providing access to high and critical CVE fixes
- Ubuntu helps organisations remain compliant with government and industry
standards and regulations, including Common Criteria EAL2 with FIPS 140-2
Level 1 certified crypto modules
Hiring [13:13]
AppArmor Security Engineer
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact