Overview
Is npm audit more harm than good? Plus this week we look at security
updates for DjVuLibre, libuv, PHP and more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4905-2] X.Org X Server vulnerability [00:42]
- 1 CVE addressed in Trusty ESM (14.04 ESM)
- Episode 112 - Local user (X client) could crash the server via Xinput
extension and ChangeFeedbackControl request - integer underflow -> heap
buffer overflow
[USN-5005-1] DjVuLibre vulnerability [01:26]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- OOB write via crafted djvu file -> crash -> DoS, RCE
[USN-5007-1] libuv vulnerability [01:53]
- 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Async event handling library - used by nodejs and others - supports async
handling of TCP/UDP sockets, DNS resolution, file system operations etc
- OOB read when converting strings to ASCII -> can be triggered via calls
to uv_getaddrinfo(), which are made by clients that handle TCP/UDP sockets
asynchronously (i.e. nodejs, Julia, BIND etc)
[USN-5006-1] PHP vulnerabilities [03:04]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- UAF in PHAR archive handling - generally these are trusted, so low impact
- mishandling of URLs with embedded passwords - unspecified impact but
could misparse the URL and cause unwanted behaviour
- Mishandling of XML when processing SOAP server responses -> NULL ptr
deref (so malicious server could trigger a crash) -> DoS
- Ability to bypass Server Side Request Forgery (SSRF) protections in
FILTER_VALIDATE_URL
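The SSRF and embedded-password items above both come down to the same point: FILTER_VALIDATE_URL is a syntax check, not an SSRF defence. The helper below is an added example (not from the podcast or from PHP itself; the function name is a hypothetical one) showing the layered checks an application should do around it: scheme allowlist, rejection of URLs carrying credentials, and a check on the resolved address rather than on the URL string.

```php
<?php
// Added example: defence-in-depth check for a user-supplied outbound URL.
// filter_var(..., FILTER_VALIDATE_URL) stays as the first gate, but the
// decision rests on the scheme, the absence of credentials, and the IP the
// host actually resolves to. Function name is hypothetical.

function is_safe_outbound_url(string $url): bool
{
    // 1. Syntax only: a pass here says nothing about where the URL points.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // 2. Scheme allowlist: file://, gopher://, php:// etc. are never fetched.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // 3. No embedded credentials: user:pass@host forms are the ones that
    //    confuse URL parsers, so refuse them rather than try to parse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // 4. Resolve the host and reject loopback, private and reserved ranges
    //    (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, ::1, fc00::/7, ...).
    //    gethostbynamel() returns IPv4 records only; literal IPv6 hosts
    //    arrive bracketed from parse_url(), hence the trim.
    $host = trim($parts['host'], '[]');
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return false;   // unresolvable host: fail closed
    }
    foreach ($addresses as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs for a quick manual run.
foreach (['https://example.com/path', 'http://127.0.0.1/admin',
          'http://user:pw@example.com/', 'file:///etc/passwd'] as $candidate) {
    printf("%-32s %s\n", $candidate, is_safe_outbound_url($candidate) ? 'allowed' : 'rejected');
}
```

The check and the fetch still race against DNS rebinding; the HTTP client should connect to the address that was validated here rather than re-resolving the hostname.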
Goings on in Ubuntu Security Community
npm audit broken by design? [04:13]
Ubuntu Security Podcast on break for next 2 weeks [07:56]
Get in contact