Overview
With 60 CVEs fixed across MySQL, Django, Please and the Linux kernel this
week we take a look at some of these details, plus look at the recent
announcement of 1Password for Linux and some open positions on the team
too.
This week in Ubuntu Security Updates
60 unique CVEs addressed
[USN-4952-1] MySQL vulnerabilities [00:58]
- 33 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Latest upstream point releases - include both security and bug fixes and
possibly incompatible changes etc
- MySQL has been updated to 8.0.25 in Ubuntu 20.04 LTS, Ubuntu 20.10, and
Ubuntu 21.04. Ubuntu 18.04 LTS has been updated to MySQL 5.7.34.
[USN-4932-2] Django vulnerability [01:37]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
- Episode 114 - directory traversal via file upload
[USN-4953-1] AWStats vulnerabilities [01:56]
- 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- A-W-Stats - Advanced Web Statistics - log analyzer etc
- The original fix for the old CVE-2017-1000501 was incomplete, and the
follow-up fix was incomplete too - hence CVE-2020-35176
- The config parameter could be used to read an arbitrary file on the
webserver, and since it was not sanitised properly this could also allow
code execution
[USN-4954-1] GNU C Library vulnerabilities [03:00]
- 2 CVEs addressed in Xenial (16.04 LTS)
- ARMv7 specific issue - memcpy() undefined behaviour if a negative length
were specified
- DoS (assertion failure + abort) via crafted regex - so untrusted regular
expressions should not be passed to the POSIX regex implementation
[USN-4628-3] Intel Microcode vulnerabilities [04:08]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Episode 96 - RAPL side-channel etc - corresponding update for some Xeon
processors
[USN-4955-1] Please vulnerabilities [04:44]
- 3 CVEs addressed in Hirsute (21.04)
- sudo replacement written in rust
- Code analysis by Matthias Gerstner @ SuSE -
- arbitrary file existence test and open (eg could open /dev/zero and
consume memory -> OOM)
- unsafe permissions for token directory - create world-writable - can
allow an unprivileged user to get root privileges quite easily by
creating their own token as though they had authenticated
- pleaseedit uses predictable paths in /tmp - without symlink protections
could allow a user to change ownership of arbitrary files as it would
follow symlinks
- rust is not a panacea - not all vulnerabilities are memory corruption and
writing setuid root binaries is always going to be challenging
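As an added example (my own code, not the Please project's), the hardening the analysis above points at, in Rust: the token directory is created and then re-validated as a real, owner-only directory rather than trusted, and scratch files are created with O_EXCL and an unguessable name so a planted symlink is refused instead of followed. The function names and the `owner_uid` parameter are assumptions of this example.

```rust
use std::collections::hash_map::RandomState;
use std::fs::{self, DirBuilder, File, OpenOptions};
use std::hash::{BuildHasher, Hasher};
use std::io::{Error, ErrorKind, Result};
use std::os::unix::fs::{DirBuilderExt, MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Create the token directory with mode 0700, or validate an existing one.
/// A world-writable directory (the Please bug) lets any local user forge a token.
pub fn ensure_token_dir(dir: &Path, owner_uid: u32) -> Result<()> {
    if let Err(e) = DirBuilder::new().mode(0o700).create(dir) {
        if e.kind() != ErrorKind::AlreadyExists {
            return Err(e);
        }
    }
    // lstat rather than stat: a symlink planted at this path must not be followed.
    let meta = fs::symlink_metadata(dir)?;
    if !meta.is_dir() {
        return Err(Error::new(ErrorKind::Other, "token path is not a real directory"));
    }
    if meta.uid() != owner_uid {
        return Err(Error::new(ErrorKind::Other, "token directory owned by another user"));
    }
    if meta.permissions().mode() & 0o077 != 0 {
        return Err(Error::new(ErrorKind::Other, "token directory accessible to other users"));
    }
    Ok(())
}

/// Create a new owner-only file at exactly `path`. create_new maps to
/// O_CREAT|O_EXCL, which fails if anything, a symlink included, already sits
/// there, so a planted symlink can never redirect the write to another file.
pub fn create_private_file_at(path: &Path) -> Result<File> {
    OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)
}

/// Create a scratch file under `dir` with an unguessable name instead of a
/// predictable path. The nonce comes from std's per-process random hash keys
/// (illustrative; a real tool would draw it from a CSPRNG).
pub fn create_private_file(dir: &Path) -> Result<(PathBuf, File)> {
    let nonce = RandomState::new().build_hasher().finish();
    let path = dir.join(format!("edit-{:016x}", nonce));
    let file = create_private_file_at(&path)?;
    Ok((path, file))
}
```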
[LSN-0077-1] Linux kernel vulnerability [07:04]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- shiftfs specific vuln reported via ZDI (found by Vincent Dehors) - Ubuntu
carries this as an out-of-tree patch so it doesn't affect the upstream kernel
(used by LXD etc for UID mapping in containers)
- Failed to handle faults in copy_from_user() -> double-free or possible
memory leak -> code execution/DoS
[USN-4956-1] Eventlet vulnerability [08:05]
- 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Python eventlet (concurrent networking library)
- Used by a lot of other packages including openstack etc
- websocket peer could DoS via memory exhaustion by sending very large
websocket frames
- 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- document format alternative to pdf - for storing scanned documents etc
- c++ - memory corruption vulns
- heap buffer overflow
- oob write
- stack buffer overflow
- oob read
- integer overflow
- DoS/RCE
[USN-4958-1] Caribou vulnerability [09:27]
- Affecting Focal (20.04 LTS), Groovy (20.10)
- Caribou on-screen keyboard could crash if given crafted input - in some
cases, this would then cause the screensaver to crash -> unauthenticated
access to a desktop session
- Thanks to Fabio Fantoni and Joshua Peisach (itzswirlz) from the Ubuntu
community for preparing these updates
[USN-4959-1] GStreamer Base Plugins vulnerability [10:11]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- OOB read on crafted input since the size was not properly checked -> DoS
[USN-4945-2] Linux kernel (Raspberry Pi) vulnerabilities [10:18]
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Episode 115 - regular kernels for Ubuntu 20.04 / 18.04 LTS
- Update also for the raspi specific kernel build
Goings on in Ubuntu Security Community
1Password for Linux officially released [10:43]
- Episode 86 (August 2020) - beta was announced
- Now officially released, includes integration with browser extension to
stay unlocked across both, use of regular desktop authentication to
unlock as well - e.g. fingerprint / yubikey etc - both opt-in features.
- Great desktop integration, theme, clipboard, GNOME Keyring / KDE Wallet,
kernel keyring, DBUS API, integration with system lock / idle etc
- Feature parity with Windows and MacOS clients PLUS extra features like
Secure file attachment, Watchtower, item archiving / deletion, quick find
and more
- Uses kernel keyring to store the key used to establish the connection
between the browser and the desktop client
- Backend and lots of underlying libs written in Rust - UI is React
- Native packages for Ubuntu (Debian, CentOS, Fedora, RHEL)
- Snap
Hiring [13:56]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact