Episode 181

Overview

It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details on what’s new and improved, with a particular focus on the security features, plus we cover a high priority vulnerability in libksba as well.

This week in Ubuntu Security Updates

39 unique CVEs addressed

[USN-5672-1] GMP vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-43618

[USN-5673-1] unzip vulnerabilities

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-0530
  • CVE-2022-0529
  • CVE-2021-4217

[USN-5674-1] XML Security Library vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2017-1000061

[USN-5675-1] Heimdal vulnerabilities

• 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-3116
  • CVE-2021-3671
  • CVE-2019-12098
  • CVE-2018-16860

[USN-5677-1] Linux kernel vulnerabilities

• 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-36879
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-3176
  • CVE-2022-26373
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-20369
  • CVE-2021-4159

[USN-5678-1] Linux kernel vulnerabilities

• 9 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-32296
  • CVE-2022-1012
  • CVE-2022-0812

[USN-5679-1] Linux kernel (HWE) vulnerabilities

• 9 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-32296
  • CVE-2022-1012
  • CVE-2022-0812

[USN-5676-1] PostgreSQL vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2022-1552

[USN-5680-1] gThumb vulnerabilities

• 2 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-36427
  • CVE-2019-20326

[USN-5682-1] Linux kernel (AWS) vulnerabilities

• 11 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2022-36879
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-3176
  • CVE-2022-26373
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-20369
  • CVE-2021-4159

[USN-5683-1] Linux kernel (IBM) vulnerabilities

• 16 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-39189
  • CVE-2022-36946
  • CVE-2022-36879
  • CVE-2022-34495
  • CVE-2022-34494
  • CVE-2022-33744
  • CVE-2022-33743
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-3176
  • CVE-2022-26373
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-1882
  • CVE-2021-33655

[USN-5684-1] Linux kernel (Azure) vulnerabilities

• 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-32296
  • CVE-2022-1012
  • CVE-2022-0812

[USN-5570-2] zlib vulnerability

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-37434

[USN-5685-1] FRR vulnerabilities

• 2 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-37035
  • CVE-2022-37032

[USN-5686-1] Git vulnerabilities

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-39260
  • CVE-2022-39253

[USN-5687-1] Linux kernel (Azure) vulnerabilities

• 9 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2022-33744
  • CVE-2022-33742
  • CVE-2022-33741
  • CVE-2022-33740
  • CVE-2022-26365
  • CVE-2022-2318
  • CVE-2022-32296
  • CVE-2022-1012
  • CVE-2022-0812

[USN-5688-1] Libksba vulnerability [01:24]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-3515
• libksba library used to parse and build ASN.1 objects contained within S/MIME, X.509 certificates etc
• ASN.1 supports various encoding formats - BER, DER (basic and distinguised encoding rules respectively)
• Both use a tag-length-value scheme to encode objects
• When copying these objects around, would copy both a header as well as the object itself - if an object was really large, the sum of the header size plus the object would overflow - allowing a size check to be bypassed (since when overflowing wraps around to be a small sized integer)
• Integer overflow leading to a buffer overflow
• Considered a severe bug by upstream
• in Ubuntu is used by gpgsm (used to handled SMIME signed data) and dirmngr - responsible for parsing and loading CRLS and verifying certs used by TLS

Goings on in Ubuntu Security Community

Ubuntu 22.10 Kinetic Kudu release [04:02]

• https://ubuntu.com/blog/canonical-releases-ubuntu-22-10-kinetic-kudu
• kernel 5.19
  • security wise
  • Faster RNG (entropy extraction switched from SHA1 to BLAKE2)
  • Support for Intel Trust Domain Extensions (TDX)
    • successor to SGX, builds on lessons learned
    • virtualisation based confidential computing environment
      • equivalent to an SGX enclave
      • uses a new processor mode called SEAM
    • allows to deploy legacy applications without having to adapt them a different programming model as was done for SGX
• AppArmor support for posix-mq and unprivileged user namespace mediation
  • idea is that only applications which are running under an AppArmor profile with permission to user userns will be able to - unconfined will not - this kernel configuration is disabled by default but can be enabled via a sysctl:
  • then unconfined applications will not be able to use them
  • helps limit an attack surface for exploits - 4 out of 5 pwn2own exploits against Ubuntu this year used unprivileged userns as part of their attack chain

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1

• Desktop
  • pipewire is now default instead of pulseaudio - improved bluetooth handling
  • GNOME 43 - gedit replaced by gnome-text-editor, gnome-terminal still there but likely will be new gnome-console in 23.04
  • LibreOffice 7.4
  • FF 106/ TB 102
  • Updated bluez, CUPS, network-manager, Mesa 22 etc
• Server
  • socket-activated SSH daemon to reduce memory footprint inside containers etc
  • improved support for integration with Windows Server w/ LDAP channel binding and LDAP signing in cyrus-sasl2
  • bind9 support for remote TLS verification in both named and dig to allow to implement strict and mutual TLS authentication
  • updated containerd, runc, docker.io
  • updated qemu - improved emulation of RISC-V, s390x
  • updated libvirt - ppc64 Power10 processor support
• For developers:
  • debuginfod
  • updated gcc, Go, Ruby and Rust toolchains

Canonical Product Roadmap + Engineering Sprints + Ubuntu Summit [12:32]

• No podcast for the next 3 weeks

Thanks and farewell to Shaun Murphy [13:45]

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter