Overview
This week we look at fixes from the past two weeks including BIND, NTFS-3G,
Dovecot, Pacemaker and more, plus we follow up last episode's IoT security
discussion with Joe McManus talking about Ubuntu Core. Finally we cover the
release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04
Trusty Tahr to Extended Security Maintenance.
These past two weeks in Ubuntu Security Updates
53 unique CVEs addressed
[USN-3947-1, USN-3947-2] Libxslt vulnerability
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Library to transform XML via XSLT definitions
- Includes a security framework since XSLT can define operations to
fetch/read/write files and resources etc.
- Various functions would return 0 if an operation is not allowed by the
framework, which was checked for and correctly disallowed - BUT they could
also return -1 on error (say from a potentially bad URL), which was not
caught, so execution would proceed and fetch from the URL in question,
thereby violating the security policy
- Fixed to treat an error return from the check the same as an explicit
policy violation
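The caller-side mistake behind this fix, shown as an added illustration rather than libxslt's own code: the check function returns 0 for "denied by policy" and -1 for "error", while 1 for "allowed" and the toy prefix policy are assumptions. The vulnerable caller only stops on an explicit 0, so an unparseable URL slips through; the fixed caller refuses on any non-positive result.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed return convention for the policy check:
 * 1 = allowed, 0 = denied by policy, -1 = error (e.g. unparseable URL). */
#define CHECK_ALLOWED  1
#define CHECK_DENIED   0
#define CHECK_ERROR   -1

/* Constructed policy: only resources under file:///tmp/ may be read.
 * Anything that does not even look like a URL is an error, not a verdict. */
int check_read(const char *url) {
    if (url == NULL || strstr(url, "://") == NULL)
        return CHECK_ERROR;
    if (strncmp(url, "file:///tmp/", 12) == 0)
        return CHECK_ALLOWED;
    return CHECK_DENIED;
}

/* Vulnerable caller: only an explicit denial (0) blocks the fetch, so an
 * error (-1) falls through and the fetch proceeds. Returns 1 if it would
 * fetch, 0 if it refuses. */
int fetch_vulnerable(const char *url) {
    if (check_read(url) == CHECK_DENIED)
        return 0;
    return 1;
}

/* Fixed caller: denial and error are both non-positive, so both refuse. */
int fetch_fixed(const char *url) {
    if (check_read(url) <= CHECK_DENIED)
        return 0;
    return 1;
}
```

A quick way to spot this class of bug in review is to look for tri-state check functions whose callers compare against only one of the failure values.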
[USN-3948-1] WebKitGTK+ vulnerabilities
- 14 CVEs addressed in Bionic, Cosmic
- Wide mix of issues fixed including XSS and DoS attacks or possible
arbitrary code execution if visiting a malicious website
[USN-3949-1] OpenJDK 11 vulnerability
- 1 CVE addressed in Bionic
- Backport of openjdk-11 from Disco to Bionic; includes a minor security
fix for a memory disclosure vulnerability which could enable an attacker to
bypass the sandbox
[USN-3918-4] Firefox regressions
- 17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Episode 26 covered 66.0.2 regression - this is now 66.0.3 to fix further
regressions in keyboard handling as discussed previously
- Affecting Xenial, Bionic, Cosmic
- Episode 25 covered ntfs-3g update for possible heap buffer overflow
- As it was setuid root this could possibly be used for root privilege
escalation
- This update removes setuid root to additionally harden ntfs-3g so that
any future vulnerabilities can't be used for privilege escalation
- 1 CVE addressed in Cosmic
- crash -> DoS due to improper handling of character encoding - if a remote
user specified an invalid encoding it could cause znc to crash
- Fixed to fall back to UTF-8 if an unknown encoding is specified
[USN-3951-1] Dovecot vulnerability
- 1 CVE addressed in Cosmic, Disco
- Only affects Dovecot 2.3 and hence only Cosmic, Disco, Eoan etc.
- Improper handling of an invalid UTF-8 username during JSON encoding could
cause the authentication service to crash
[USN-3952-1] Pacemaker vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Cluster resource manager - high availability and load balancing for OpenStack
- All discovered by Jan Pokorný - a local attacker could possibly escalate
privileges, cause a denial of service, or cause sensitive information
to be leaked to system logs
[USN-3953-1] PHP vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- php7.2 and php7.0
- Buffer over-read when processing certain EXIF tags - possible information
disclosure or crash -> DoS
[USN-3922-2, USN-3922-3] PHP vulnerabilities
- 7 CVEs addressed in Precise ESM, Trusty
- Most covered back in Episode 26
[USN-3936-2] AdvanceCOMP vulnerability
- 1 CVE addressed in Disco
- Corresponding update for Disco - covered in Episode 27
[USN-3954-1] FreeRADIUS vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- 2 possible “Dragonblood” authentication bypass issues - mentioned back in
Episode 28 in the context of wpa_supplicant and hostapd - similar issue
for FreeRADIUS
[USN-3955-1] tcpflow vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic
- Stack-based buffer overflow and an integer overflow -> usual effects
(crash -> DoS / information disclosure)
[USN-3956-1] Bind vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
- DoS - possible to bypass BIND's limits on simultaneous TCP clients and so
cause a DoS via excessive resource usage
IoT Security follow-up with Joe McManus
- Alex and Joe follow up on last episode's conversation about IoT and in
particular talk about Ubuntu Core and how it has been engineered to
address many of these common IoT security design and implementation flaws
Goings on in Ubuntu Security Community
Ubuntu 19.04 Disco Dingo Released
- Released on Thursday 18th April
- Officially supported by Canonical for 9 months - with security fixes for
packages in main by the security team
Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact