Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 228

16 min • 24 maj 2024

Overview

The team is back from Madrid and this week we bring you some of our plans for the upcoming Ubuntu 24.10 release, plus we talk about Google’s kernelCTF project and Mozilla’s PDF.js sandbox when covering security updates for the Linux kernel, Firefox, Spreadsheet::ParseExcel, idna and more.

This week in Ubuntu Security Updates

121 unique CVEs addressed

[USN-6766-2] Linux kernel vulnerabilities (01:07)

[USN-6766-3] Linux kernel (AWS) vulnerabilities (04:48)

[USN-6774-1] Linux kernel vulnerabilities (05:01)

[USN-6775-1] Linux kernel vulnerabilities

[USN-6775-2] Linux kernel vulnerabilities

[USN-6776-1] Linux kernel vulnerabilities

[USN-6777-1] Linux kernel vulnerabilities

[USN-6777-2] Linux kernel (Azure) vulnerabilities

[USN-6777-3] Linux kernel (GCP) vulnerabilities

[USN-6778-1] Linux kernel vulnerabilities

[USN-6773-1] .NET vulnerabilities (05:34)

[USN-6779-1] Firefox vulnerabilities (05:54)

[USN-6782-1] Thunderbird vulnerabilities (07:29)

[USN-6781-1] Spreadsheet::ParseExcel vulnerability (07:51)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • RCE vuln via the use of eval() on untrusted user input - high profile, disclosed by Mandiant - high profile since it affected Barracuda email gateway devices and was publicly reported as being exploited against these by a Chinese APT group

[USN-6780-1] idna vulnerability (08:59)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Python module for handling internationalised domain names (RFC 5895)
  • CPU-based DoS due to inefficient algorithm when encoding a domain name

Goings on in Ubuntu Security Community

Ubuntu Security Plans for 24.10 Development Cycle (09:33)

  • Progressing the FIPS certification for 24.04 though NIST
  • Implementation of OpenVEX and OSV data formats for machine readable vulnerability information
    • Historically have generated OVAL data for this purpose
    • XML-based format, existed for over 20 years
    • more recently, OpenVEX and OSV have appeared which also serve the same purpose and have a more vibrant community around them
    • Similarly, next version of the SPDX format will also support vulnerability descriptions too
    • Finally, given the recent announcement that CIS has relinquished the role in sponsoring OVAL project and there doesn’t appear to be any other sponsor on the horizon, thought it was prudent to develop a “second-supplier” approach given this uncertain future for OVAL upstream
    • likely will have more to say on this in the future
  • Improvements to the process the team uses for working with the snap store and doing reviews etc
  • AppArmor profile development across the 24.10 release

Get in contact

Kategorier
Förekommer på
00:00 -00:00