Overview
Alex and Camila discuss security update management strategies after a recent
outage at Datadog was attributed to a security update for systemd on Ubuntu,
plus we look at security vulnerabilities in the Linux kernel, OpenStack,
Synapse, OpenJDK and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)
[USN-6070-1] Linux kernel vulnerabilities (01:37)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 raspi in 22.04, Azure FDE in 20.04
- TCINDEX UAF plus UAF in io_uring
[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)
[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)
- 6 CVEs addressed in Jammy (22.04 LTS)
- 6.0
- UAFs in TCINDEX, io_uring, logic issue in OverlayFS
[USN-6079-1] Linux kernel vulnerabilities (02:49)
- 25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- 5.19 22.10 / 22.04 Azure
[USN-6080-1] Linux kernel vulnerabilities (02:55)
- 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 / 20.04 HWE
[USN-6081-1] Linux kernel vulnerabilities (03:02)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 18.04 GA / 16.04 AWS (Ubuntu Pro)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Inconsistency between Cinder (block storage service of OpenStack) and Nova
(compute / virtual server provisioning) could result in storage volumes being
attached to the wrong compute instances - would happen when trying to detach a
volume from an instance
- Lots of interacting components, all of which need a consistent view of the system
- Affecting Focal (20.04 LTS)
- The update above meant that in some circumstances Nova would be unable to detach
volumes from instances
[USN-6074-1] Firefox vulnerabilities (04:15)
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 113.0
[USN-6074-2] Firefox regressions (04:27)
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 113.0.1 from upstream
[USN-6075-1] Thunderbird vulnerabilities (04:36)
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- 102.11.0
[USN-6060-3] MySQL regression (05:02)
- Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- [USN-6060-1, USN-6060-2] MySQL vulnerabilities from Episode 194
- Latest upstream release 8.0.33 introduced a regression on 32-bit ARM (armhf) -
would crash on startup - to fix, reverted an upstream commit which was
introduced to help with performance of atomic operations
[USN-6076-1] Synapse vulnerabilities (05:39)
- 7 CVEs addressed in Bionic (18.04 LTS)
- Matrix homeserver
- Various issues - signature checking on APIs, failure to properly apply event
visibility rules, DoS - exploited in the wild, insufficient randomness when
generating random IDs made them guessable, ability for unauthorised users to
hijack rooms, more predictable randomness which could allow remote attackers
to impersonate users, event spoofing due to improper signature validation -
some of these require the attacker to be the admin of a room or to control a
malicious server etc - but since Matrix is federated, this is not so implausible
[USN-6078-1] libwebp vulnerability (06:38)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Double free when handling crafted content
[USN-6077-1] OpenJDK vulnerabilities (06:45)
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Latest upstream point releases
- Most Ubuntu releases support more than one version of OpenJDK - this update is
for OpenJDK versions 20, 17, 11 and 8 across the various Ubuntu releases
[USN-6082-1] EventSource vulnerability (07:02)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- EventSource client for Node.js - information leak - could leak cookies and
authorisation headers to third-party applications - it should have been
sanitising those headers to avoid this, as the same-origin policy requires
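As an added illustration of the header-sanitising behaviour the EventSource note describes (this is example code written for these notes, not code from the eventsource package or from the USN), the snippet below follows a redirect chain and drops credential-bearing headers whenever the next hop is on a different origin. It assumes the leak path is a cross-origin redirect, which the notes do not state explicitly, and the URLs, header set and redirect table are constructed for the example; nothing touches the network.

```javascript
// Assumed set of credential-bearing headers that must not cross an origin boundary.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Two absolute URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the headers a client may send to `redirectUrl` after being redirected
// from `originalUrl`: everything on the same origin, otherwise the sensitive ones
// are stripped (this is the check the vulnerable client was missing).
function headersForRedirect(originalUrl, redirectUrl, headers) {
  if (sameOrigin(originalUrl, redirectUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed redirect table standing in for real servers (example data only).
const FAKE_SERVERS = {
  'https://api.example.test/old': { status: 301, location: '/events' }, // relative, same origin
  'https://api.example.test/events': { status: 302, location: 'https://cdn.third-party.test/events' },
  'https://cdn.third-party.test/events': { status: 200 },
};

// Stand-in for an HTTP request: records which headers each "server" received.
function fakeRequest(url, headers) {
  const entry = FAKE_SERVERS[url];
  if (!entry) throw new Error('no route for ' + url);
  return { status: entry.status, location: entry.location, receivedHeaders: headers };
}

// Follows redirects from `startUrl`, re-deriving the header set at every hop.
// Returns a log of { url, headers } showing what each origin actually saw.
function follow(startUrl, headers, maxHops = 5) {
  const log = [];
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fakeRequest(url, current);
    log.push({ url, headers: Object.keys(res.receivedHeaders).sort() });
    const isRedirect = [301, 302, 303, 307, 308].includes(res.status) && res.location;
    if (!isRedirect) return log;
    const next = new URL(res.location, url).toString(); // resolves relative Location values
    current = headersForRedirect(url, next, current);
    url = next;
  }
  throw new Error('too many redirects');
}

// Usage: the first two hops stay on api.example.test and keep every header; the
// third hop lands on cdn.third-party.test and only receives Accept.
console.log(follow('https://api.example.test/old', {
  Authorization: 'Bearer example-token',
  Cookie: 'sid=example',
  Accept: 'text/event-stream',
}));
```

The important design point is that the decision is made per hop against the previous URL, not once against the original request: a chain that bounces through a same-origin path before leaving the origin still ends up with the credentials stripped at the boundary.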
Goings on in Ubuntu Security Community
Datadog outage and management of security updates (07:32)
Get in contact