Overview
This week Ubuntu 20.04 LTS was FIPS 140-2 certified plus the AppArmor
project made some point releases, and we released security updates for
Docker, Perl, c-ares, GPSd and more.
This week in Ubuntu Security Updates
2 unique CVEs addressed
[USN-5031-1] openCryptoki vulnerability [00:54]
- Affecting Hirsute (21.04)
- PKCS#11 daemon
- Bug fix that was deemed to have security implications - so was going to
be done via SRU for 21.04 but instead we published via -security to
ensure all users received it
- Thanks to Simon Chopin from Foundations team for preparing this update
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Backport of the 20.10.7 version from 21.10 to older releases - this
includes a bunch of security fixes as well
- Unfortunately, as this is a version upgrade, there are some changes that
may break existing containers - in particular, it drops support for the aufs
storage driver, so if you were using this you should upgrade your
configuration to use the overlay2 storage driver instead -
https://docs.docker.com/storage/storagedriver/overlayfs-driver/ - this is
a bit involved since you need to export your images, switch the storage
driver, then load the images back one after another
- Thanks to Lucas Kanashiro from Server team for preparing this update
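The export / switch driver / re-import sequence mentioned above, written out as a POSIX shell script. This is an added example, not code from the podcast notes or from the Docker project; it assumes the docker CLI is on PATH, that the daemon reads its settings from /etc/docker/daemon.json, that docker is managed by systemd, and that the script runs as root. BACKUP_DIR is an assumed location for the exported tarballs.

```shell
#!/bin/sh
# Added example: move a Docker host from the aufs storage driver to overlay2.
# Assumptions (not from the page): docker CLI on PATH, daemon configured via
# /etc/docker/daemon.json, docker unit managed by systemd, run as root.
set -eu

BACKUP_DIR=${BACKUP_DIR:-/var/backups/docker-images}   # assumed path

# Map an image reference such as "registry.example/app:1.2" to a safe tar
# file name by replacing "/" and ":" with "_".
image_to_filename() {
    printf '%s.tar\n' "$1" | tr '/:' '__'
}

# True when the driver string (as printed by `docker info --format
# '{{.Driver}}'`) is the aufs driver that newer docker.io no longer supports.
storage_driver_is_aufs() {
    [ "$1" = "aufs" ]
}

# daemon.json content that pins the storage driver to overlay2.
# Note: this replaces the file wholesale; merge by hand if daemon.json
# already carries other settings.
overlay2_daemon_json() {
    printf '{\n  "storage-driver": "overlay2"\n}\n'
}

# Save every tagged local image into one tar per image under BACKUP_DIR.
# Dangling <none>:<none> layers are skipped; they cannot be re-tagged anyway.
export_images() {
    mkdir -p "$BACKUP_DIR"
    docker image ls --format '{{.Repository}}:{{.Tag}}' \
      | grep -v '<none>' \
      | while IFS= read -r ref; do
            docker save -o "$BACKUP_DIR/$(image_to_filename "$ref")" "$ref"
        done
}

# Load every exported tar back into the (now overlay2-backed) daemon.
import_images() {
    for tar in "$BACKUP_DIR"/*.tar; do
        [ -e "$tar" ] || continue
        docker load -i "$tar"
    done
}

migrate() {
    driver=$(docker info --format '{{.Driver}}')
    if ! storage_driver_is_aufs "$driver"; then
        echo "storage driver is $driver, nothing to do" >&2
        return 0
    fi
    export_images
    systemctl stop docker
    overlay2_daemon_json > /etc/docker/daemon.json
    systemctl start docker
    import_images
    # /var/lib/docker/aufs is deliberately left in place so it can be removed
    # by hand once the re-imported images and containers have been verified.
}

# Only perform the migration when invoked as:  sh migrate.sh migrate
if [ "${1:-}" = "migrate" ]; then
    migrate
fi
```

Containers themselves are not exported by this script: any running container has to be recreated from its image after the switch, which is why the notes call the change potentially breaking.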
[USN-5033-1] Perl vulnerability [03:32]
- 1 CVE addressed in Hirsute (21.04)
- Perl Encode library could end up running arbitrary Perl code from the
current working directory - was introduced by a change in Encode 3.05 in
perl 5.32/5.34 so only affected >= 21.04
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Library for asynchronous name resolution
- Failed to properly validate certain hostnames returned from DNS servers -
could allow a remote attacker to possibly perform domain hijacking
attacks
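The missing validation described above, shown as an application-side check. This is an added example and is not c-ares code: it applies the usual hostname rules (labels of 1-63 letters, digits and hyphens that do not start or end with a hyphen, at most 253 characters in total, one trailing dot allowed) to names an application gets back from its resolver, and rejects anything that does not fit before the name is used further. Records that legitimately carry underscores (for example SRV or TXT owner names) are outside what a hostname check accepts, so this is for host lookups only.

```shell
#!/bin/sh
# Added example (not from c-ares or the podcast notes): validate a hostname
# received from a resolver before it is used anywhere else.
set -eu

# Return 0 when $1 is a syntactically valid hostname, 1 otherwise.
hostname_is_valid() {
    name=${1%.}                        # accept one trailing dot (FQDN form)
    [ -n "$name" ] || return 1         # empty after trimming is not a host
    [ ${#name} -le 253 ] || return 1   # total length limit
    # Each label: alnum, optionally up to 61 alnum/hyphen, then alnum (max 63).
    printf '%s\n' "$name" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Run the check over a list of names and print the number rejected.
count_invalid() {
    n=0
    for name in "$@"; do
        hostname_is_valid "$name" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample answers, as an application might log them after lookup.
# Two are well formed; the other three carry characters or shapes that a
# careless consumer might pass straight into a shell, a URL or a config file.
demo() {
    for name in example.com 'www.example.org.' 'a b.example' \
                'evil<script>.example' '-bad.example'; do
        if hostname_is_valid "$name"; then
            echo "ok       $name"
        else
            echo "rejected $name"
        fi
    done
}
```

A resolver library that enforced the same rules would have refused the malformed answers at the source; until every library does, the application is the last place the check can live.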
[USN-5035-1] GPSd vulnerability [04:28]
- Affecting Focal (20.04 LTS), Hirsute (21.04)
- incorrectly handled certain leap second events which would result in the
time jumping back 1024 weeks on 2021-10-31
- Upstream don't consider this a security issue per se, but given how
pervasively gpsd is used for handling GPS receivers, which are often used
for high precision timing or positioning systems (self-driving cars?),
this could have real-world security implications
- Backported the fix from upstream - note this only affected gpsd >= 3.20
so older versions in 18.04 LTS etc were not affected
- https://lwn.net/Articles/865044/
Goings on in Ubuntu Security Community
AppArmor 3.0.2 / 3.0.3 released [06:39]
FIPS 140-2 certification for Ubuntu 20.04 LTS! [07:44]
- Enables organisations to run and develop applications and solutions for
the US public sector and Federal government including regulated
industries such as healthcare and finance
- FIPS 140-2, Level 1 certification crypto modules in Ubuntu 20.04 LTS,
including OpenSSL 1.1.1
- Linux kernel (crypto subsystem)
- OpenSSL
- Libgcrypt (used by LUKS for full-disk encryption, so this provides a fully
certified FDE implementation)
- StrongSwan (IPsec based VPN) *under validation
- Available through Ubuntu Advantage and Ubuntu Pro - On public clouds,
Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to
Canonical’s FIPS 140-2 repositories, alongside expanded security and
hardening.
- Future is FIPS 140-3 - aligns with ISO/IEC 19790 (Security requirements
for cryptographic modules)
- Existing certifications under FIPS 140-2 have a sunset date of five
years from the validation date
- Canonical is preparing Ubuntu for the new certification, and intends
to provide FIPS 140-3 certified cryptographic packages on a future
release of Ubuntu.
- https://ubuntu.com/blog/fips-certification-ubuntu-20-04-lts
- Full list of certifications at https://ubuntu.com/security/certifications
Ubuntu 20.04.3 LTS release delayed until August 26th [10:11]
- Next point release for the 20.04 LTS series - a respin of the install media
with the latest security updates etc. - includes the newest shim, which is
now unified across the various Ubuntu releases - installation media with this
new version fails to boot on certain Dell and Sony Vaio machines - a fix for
this is in progress; plus the current RISC-V HWE kernel build panics under
certain scenarios
- Release team decided to delay the release by 1 week to ensure these bugs
can be fixed and new media spun up and tested adequately before the
release
- https://discourse.ubuntu.com/t/focal-fossa-20-04-3-lts-point-release-status-tracking/22948
Hiring [11:27]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact