Overview
The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of
the things the security team has been doing along the way, plus it’s our 6000th
USN so we look back at the last 19 years of USNs whilst covering security
updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.
This week in Ubuntu Security Updates
109 unique CVEs addressed
[USN-5998-1] Apache Log4j vulnerabilities (01:00)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- A bunch of older vulnerabilities, some discovered in the wake of log4shell but
not deemed as critical
[USN-6000-1] Linux kernel (BlueField) vulnerabilities (01:37)
- 23 CVEs addressed in Focal (20.04 LTS)
- NVIDIA BlueField specific kernel (5.4)
- Highest priority CVE: UAF in Upper Level Protocol (mentioned in the last few
episodes)
- 6000th USN published by the Ubuntu Security team - this one by Rodrigo Zaiden
- Out of interest:
  - USN-5000-1 - also a kernel USN in June 2021 (Steve Beattie)
  - USN-4000-1 - corosync in May 2019 (Leo Barbosa)
  - USN-3000-1 - kernel (utopic HWE backported to trusty) in June 2016 (John Johansen)
  - USN-2000-1 - nova in October 2013 (Jamie Strandboge)
  - USN-1000-1 - kernel again in October 2010 (Kees Cook)
  - USN-1-1 - libpng again in October 2004 (Matt Zimmerman)
[USN-6001-1] Linux kernel (AWS) vulnerabilities (04:18)
- 51 CVEs addressed in Xenial ESM (16.04 ESM)
- 4.4 kernel - wins the prize for the largest number of CVEs fixed in a single
update this week - thanks as always to the kernel team for all their work on
these
[USN-6004-1] Linux kernel (Intel IoTG) vulnerabilities (04:42)
- 15 CVEs addressed in Jammy (22.04 LTS)
- 5.15 kernel
[USN-6007-1] Linux kernel (GCP) vulnerabilities (04:51)
- 20 CVEs addressed in Xenial ESM (16.04 ESM)
- 4.15 (backported from 18.04 LTS)
[USN-6009-1] Linux kernel (GCP) vulnerabilities
- 11 CVEs addressed in Xenial ESM (16.04 ESM)
- follow-up kernel update including a bunch more fixes
[USN-6003-1] Emacs vulnerability (05:03)
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Similar to [USN-5955-1] Emacs vulnerability [00:50] from Episode 191 - again,
if org-mode was used to export to a LaTeX document which included other
documents that had shell metacharacters in their filenames, an attacker could
get code execution as the user running Emacs
[USN-6002-1] Irssi vulnerability (05:45)
- 1 CVE addressed in Kinetic (22.10)
- IRC client - UAF when outputting a line which was not formatted whilst also
outputting a line that was formatted - only likely to be able to be triggered
by various scripts - was discovered after a recent update to GLib 2.75 which
stopped using its own internal memory allocator and instead switched to
regular malloc() / free() - this would then trigger the memory checking of
libc, which detected this
[USN-6005-1] Sudo vulnerabilities (07:25)
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Failed to escape control characters in both the log output and sudoreplay
(can be used to list or play back the commands executed in a sudo session) -
and so could allow an attacker to get code execution as the user running
sudoreplay by injecting terminal control characters
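An added example (not code from sudo or from these show notes) of the defensive idea behind this class of fix: render control characters in log text as visible escapes before they reach a terminal, and flag the entries that contain them. The function names and the sample log lines are constructed for illustration.

```python
import re

# C0 controls (except tab), DEL, and the C1 range (0x80-0x9f), which some
# terminals interpret as 8-bit equivalents of ESC-prefixed sequences.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def escape_controls(text: str) -> str:
    """Return text with every control character shown as a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def suspicious_lines(lines):
    """Yield (line_number, escaped_text) for log entries carrying control characters."""
    for number, line in enumerate(lines, start=1):
        body = line.rstrip("\n")  # the record terminator itself is expected
        if _CONTROL.search(body):
            yield number, escape_controls(body)


# Constructed sample entries (not real sudo output). The second embeds SGR
# colour sequences, the third a CSI erase-line sequence.
SAMPLE_LOG = [
    "Apr 12 10:01:02 host sudo: alice : COMMAND=/usr/bin/id\n",
    "Apr 12 10:01:09 host sudo: bob : COMMAND=/bin/echo \x1b[31mred\x1b[0m\n",
    "Apr 12 10:01:15 host sudo: carol : COMMAND=/bin/ls \x1b[2K\n",
]

if __name__ == "__main__":
    # Safe to print: the escapes are now literal text, not terminal commands.
    for number, text in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: {text}")
```
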
[USN-6010-1] Firefox vulnerabilities (08:45)
- 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 112.0 - one Linux-specific vuln in particular around the handling of
downloaded .desktop files - could allow an attacker to get code execution as
the user running firefox - interesting to note that as a snap, firefox is
confined by default and cannot execute arbitrary commands from the host
system - can only use binaries from within the firefox snap itself or the
user’s $HOME, which makes exploitation of such an issue harder since there are
fewer LOLBins to make use of
[USN-6011-1] Json-smart vulnerabilities (10:00)
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Small and fast JSON parser for Java - two similar issues, one in handling of
unclosed quotes and the other in unclosed brackets - both could allow an
attacker to DoS the application through crafted input
Goings on in Ubuntu Security Community
Preparing for the release of Ubuntu 23.04 (Lunar Lobster) (10:36)
- Team has been busy finishing various items from the development roadmap for
this cycle:
  - SBOM specification
  - improvements to how we distribute OVAL data
  - evaluation of dbus-broker integration with AppArmor to possibly replace
  dbus-daemon in a future Ubuntu release
  - Testing unprivileged user namespace restrictions via AppArmor
  - io_uring mediation support in AppArmor
  - Working with the snapd team on integrating dm-verity within snapd for
  improved integrity of snaps
- Usual maintenance items as well:
  - all the normal CVE patching
  - a heap of MIR security reviews
  - snap store reviews
  - AppArmor upstream project maintenance
  - and more
Ubuntu Security Podcast on 2 weeks break
- Alex on leave next week and the following week is the 23.10 start-of-cycle
product roadmap sprint in Prague
- Expect the podcast to be back the week ending 5th May