Overview
It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details
on what’s new and improved, with a particular focus on the security features,
plus we cover a high priority vulnerability in libksba as well.
This week in Ubuntu Security Updates
39 unique CVEs addressed
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5673-1] unzip vulnerabilities
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5674-1] XML Security Library vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5675-1] Heimdal vulnerabilities
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5677-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5678-1] Linux kernel vulnerabilities
- 9 CVEs addressed in Bionic (18.04 LTS)
[USN-5679-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5676-1] PostgreSQL vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5680-1] gThumb vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS)
[USN-5682-1] Linux kernel (AWS) vulnerabilities
- 11 CVEs addressed in Bionic (18.04 LTS)
[USN-5683-1] Linux kernel (IBM) vulnerabilities
- 16 CVEs addressed in Jammy (22.04 LTS)
[USN-5684-1] Linux kernel (Azure) vulnerabilities
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-5570-2] zlib vulnerability
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5685-1] FRR vulnerabilities
- 2 CVEs addressed in Jammy (22.04 LTS)
[USN-5686-1] Git vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5687-1] Linux kernel (Azure) vulnerabilities
- 9 CVEs addressed in Bionic (18.04 LTS)
[USN-5688-1] Libksba vulnerability [01:24]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- libksba is the library used to parse and build the ASN.1 objects contained
  within S/MIME messages, X.509 certificates etc
- ASN.1 supports various encoding formats - BER and DER (basic and distinguished
  encoding rules respectively)
- Both use a tag-length-value scheme to encode objects
- When copying these objects around, libksba would copy both the header and the
  object itself - if an object was really large, the sum of the header size plus
  the object length would overflow (wrapping around to a small integer), allowing
  a size check to be bypassed
- Integer overflow leading to a buffer overflow
- Considered a severe bug by upstream
- in Ubuntu it is used by gpgsm (used to handle S/MIME signed data) and dirmngr -
  responsible for parsing and loading CRLs and verifying certs used by TLS
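To make the bug class concrete, here is an added example (not libksba's own code): a minimal BER tag-length-value header reader together with the two forms of the "does header plus object fit in the buffer?" check, the wrapping one and an overflow-aware one. The struct and function names (tlv_info, read_tl, object_fits_unsafe, object_fits_safe, build_huge_header) are this example's own, and the sample header that encodes a length of SIZE_MAX - 1 is constructed here to trigger the wrap without touching any real buffer.

```c
/* Added example (not libksba's code): a minimal BER tag-length-value header
 * reader plus the vulnerable and the overflow-aware size check. Names and
 * layout are this example's own assumptions; sample encodings are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned char tag;   /* identifier octet (e.g. 0x30 = SEQUENCE) */
    size_t nhdr;         /* bytes used by the tag and length octets */
    size_t length;       /* declared length of the content octets */
} tlv_info;

/* Decode a one-byte tag and a short- or long-form BER length.
 * Returns 0 on success, -1 if the header is truncated, uses the indefinite
 * form, or declares more length octets than a size_t can hold. */
int read_tl(const unsigned char *buf, size_t buflen, tlv_info *ti)
{
    size_t pos = 0;
    if (buflen < 2)
        return -1;
    ti->tag = buf[pos++];
    unsigned char c = buf[pos++];
    if (c < 0x80) {                      /* short form: length is the low 7 bits */
        ti->length = c;
    } else if (c == 0x80) {              /* indefinite form: out of scope here */
        return -1;
    } else {                             /* long form: next n octets hold the length */
        unsigned n = c & 0x7f;
        if (n > sizeof(size_t) || n > buflen - pos)
            return -1;
        size_t len = 0;
        for (unsigned i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        ti->length = len;
    }
    ti->nhdr = pos;
    return 0;
}

/* Vulnerable pattern: total = header + content, compared against the
 * destination buffer. With a content length near SIZE_MAX the addition
 * wraps to a small number and the check passes. */
bool object_fits_unsafe(const tlv_info *ti, size_t bufsize)
{
    size_t total = ti->nhdr + ti->length;   /* may wrap around */
    return total <= bufsize;
}

/* Hardened pattern: refuse any length that would make the sum wrap, then
 * do the same comparison on a sum that is known to be exact. */
bool object_fits_safe(const tlv_info *ti, size_t bufsize)
{
    if (ti->length > SIZE_MAX - ti->nhdr)   /* nhdr + length would exceed SIZE_MAX */
        return false;
    return ti->nhdr + ti->length <= bufsize;
}

/* Constructed sample: a SEQUENCE header whose long-form length encodes
 * SIZE_MAX - 1, so nhdr + length wraps. Returns the header size written. */
size_t build_huge_header(unsigned char *out, size_t outlen)
{
    size_t n = sizeof(size_t);            /* one length octet per byte of size_t */
    if (outlen < 2 + n)
        return 0;
    out[0] = 0x30;                        /* SEQUENCE */
    out[1] = (unsigned char)(0x80 | n);   /* long form with n length octets */
    for (size_t i = 0; i < n; i++)
        out[2 + i] = 0xFF;
    out[2 + n - 1] = 0xFE;                /* 0xFF..FE = SIZE_MAX - 1 */
    return 2 + n;
}

int main(void)
{
    unsigned char hdr[2 + sizeof(size_t)];
    tlv_info ti;
    size_t n = build_huge_header(hdr, sizeof hdr);
    if (read_tl(hdr, n, &ti) != 0)
        return 1;
    printf("nhdr=%zu length=%zu wrapped sum=%zu\n",
           ti.nhdr, ti.length, ti.nhdr + ti.length);
    printf("unsafe check says fits in 4096: %s\n",
           object_fits_unsafe(&ti, 4096) ? "yes (bug)" : "no");
    printf("safe check says fits in 4096:   %s\n",
           object_fits_safe(&ti, 4096) ? "yes" : "no (rejected)");
    return 0;
}
```

The point of the safe variant is that the overflow test is made before the sum is trusted; a later memcpy driven by the original (huge) length would otherwise run past the buffer even though the wrapped total passed the bounds check.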
Goings on in Ubuntu Security Community
Ubuntu 22.10 Kinetic Kudu release [04:02]
- https://ubuntu.com/blog/canonical-releases-ubuntu-22-10-kinetic-kudu
- kernel 5.19
- security wise
- Faster RNG (entropy extraction switched from SHA-1 to BLAKE2s)
- Support for Intel Trust Domain Extensions (TDX)
- successor to SGX, builds on lessons learned from it
- virtualisation-based confidential computing environment: a whole VM (a trust
  domain) is isolated from the hypervisor, the VM-level equivalent of an SGX enclave
- uses a new processor mode called SEAM (Secure Arbitration Mode) to host the TDX module
- allows legacy applications to be deployed without adapting them to a different
  programming model, as was required for SGX
- AppArmor support for posix-mq and unprivileged user namespace mediation
- idea is that only applications running under an AppArmor profile with
  permission to use userns will be able to create them - unconfined ones will not
- this restriction is disabled by default in the kernel but can be enabled via a
  sysctl:
  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
- once enabled, unconfined applications will not be able to create unprivileged
  user namespaces
- helps limit the attack surface for exploits - 4 out of 5 pwn2own exploits
  against Ubuntu this year used unprivileged userns as part of their attack
  chain
- Desktop
- pipewire is now default instead of pulseaudio - improved bluetooth handling
- GNOME 43 - gedit replaced by gnome-text-editor, gnome-terminal still there
but likely will be new gnome-console in 23.04
- LibreOffice 7.4
- Firefox 106 / Thunderbird 102
- Updated bluez, CUPS, network-manager, Mesa 22 etc
- Server
- socket-activated SSH daemon to reduce memory footprint inside containers etc
- improved support for integration with Windows Server w/ LDAP channel binding and LDAP signing in cyrus-sasl2
- bind9 support for remote TLS verification in both named and dig, to allow
  strict and mutual TLS authentication to be implemented
- updated containerd, runc, docker.io
- updated qemu - improved emulation of RISC-V, s390x
- updated libvirt - ppc64 Power10 processor support
- For developers:
- debuginfod
- updated gcc, Go, Ruby and Rust toolchains
Canonical Product Roadmap + Engineering Sprints + Ubuntu Summit [12:32]
- No podcast for the next 3 weeks
Thanks and farewell to Shaun Murphy [13:45]
Get in contact