Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 137

7 min • 12 november 2021

Overview

This week we look at some details of the 29 unique CVEs addressed across the supported Ubuntu releases in the past 7 days and more.

This week in Ubuntu Security Updates

29 unique CVEs addressed

[USN-5131-1] Firefox vulnerabilities [00:42]

  • 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • 94.0
    • Copy image link - copies final image URL after redirects - if a page were to then combine this with a content security policy which blocked a redirect, the image URL may then contain any authentication tokens - and so if a page could trick a user into copying and pasting that image URL into the page an attacker could steal their auth token
    • Various web framework issues

[USN-5132-1] Thunderbird vulnerabilities [01:56]

[USN-5133-1] ICU vulnerability [02:17]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • unicode handling library
  • UAF - could be triggered if was packaging the ICU data with malicious input -> crash / RCU

[USN-5135-1] Linux kernel vulnerability [02:43]

  • 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • impish (5.13), hirsute (5.11), focal hwe (5.11)
  • IPC memory objects not properly accounted for in memcg - could allow to bypass limits and cause DoS

[USN-5130-1] Linux kernel vulnerabilities [03:24]

[USN-5136-1] Linux kernel vulnerabilities [04:06]

[USN-5137-1] Linux kernel vulnerabilities [04:48]

[USN-5134-1] Docker vulnerability [04:50]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • If was using a private registry for docker login but also had configured credsStore and credsHelper in ~/.docker/config.json and these were not able to be executed (ie. execute bit not set or not in $PATH), then creds would get sent to the public docker registry rather than the configured private registry.

Goings on in Ubuntu Security Community

Hiring [06:00]

Security - Product Manager

  • HOME BASED - EMEA (Europe, Middle East, Africa)
  • Role includes:
    • guiding the evolution of security offerings from Canonical and Ubuntu
    • driving compliance and certification of Ubuntu
    • engaging with the open source security community
    • telling the story of Canonical’s work to deliver secure platforms
  • https://canonical.com/careers/2278145/security-product-manager-remote

Get in contact

Kategorier
Förekommer på
00:00 -00:00