Start / Ubuntu Security Podcast / Episode 29

Episode 29

21 min • 30 april 2019

Overview

This week we look at fixes from the past two weeks including BIND, NTFS-3G, Dovecot, Pacemaker and more, plus we follow up last episodes IoT security discussion with Joe McManus talking about Ubuntu Core. Finally we cover the release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04 Trusty Tahr to Extended Security Maintenance.

These past two weeks in Ubuntu Security Updates

53 unique CVEs addressed

[USN-3947-1, USN-3947-2] Libxslt vulnerability

1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- CVE-2019-11068
Library to transform XML via XML definitions
Includes a security framework since XSLT can define operations to fetch/read/write files and resources etc
Various functions would return 0 if an operation is not allowed by the framework which was checked for and correctly disallowed - BUT they could also return -1 on error (say from a potentially bad URL) which would not be caught and so then would proceed and would fetch from the URL in question thereby violating the security policy
Fixed to also check for error codes on handle the same as an explicit policy violation

[USN-3948-1] WebKitGTK+ vulnerabilities

14 CVEs addressed in Bionic, Cosmic
Wide mix of issues fixed including XSS and DoS attacks or possible arbitrary code execution if visiting a malicious website

[USN-3949-1] OpenJDK 11 vulnerability

1 CVEs addressed in Bionic
- CVE-2019-2422
Backport of openjdk-11 from Disco to Bionic, includes a minor security fix to memory disclosure vulnerablity which could enable an attacker to bypass sandbox

[USN-3918-4] Firefox regressions

17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
Episode 26 covered 66.0.2 regression - this is now 66.0.3 to fix further regressions in keyboard handling as discussed previously

[USN-3914-2] NTFS-3G update

Affecting Xenial, Bionic, Cosmic
Episode 25 covered ntfs-3g update for possible heap buffer overflow
- As was setuid root this could possibly be used for root privilege escalation
This update removes setuid root to additionally harden ntfs-3g so that any future vulnerablilites can’t be used for privilege escalation

[USN-3950-1] ZNC vulnerability

1 CVEs addressed in Cosmic
- CVE-2019-9917
crash -> DoS due to improper handling of character encoding - if a remote user specified an invalid encoding it could cause znc to crash
Fixed to fallback to utf-8 if unknown encoding specified

[USN-3951-1] Dovecot vulnerability

1 CVEs addressed in Cosmic, Disco
- CVE-2019-10691
Only affects Dovecot 2.3 and hence only Cosmic, Disco, Eoan etc
Improper handling of invalid utf-8 username in JSON encoding could cause the authentication service to crash

[USN-3952-1] Pacemaker vulnerabilities

3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
Cluster resource manager - high availability and load balancing for OpenStack
All discovered by Jan Pokorný - local attacker could possibly escalate privileges or cause a denial of service or to cause sensitive information to be leaked to system logs

[USN-3953-1] PHP vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- CVE-2019-11035
- CVE-2019-11034
php7.2 and php7.0
Buffer over-read when processing certain EXIF tags - possible information disclosure or crash -> DoS

[USN-3922-2, USN-3922-3] PHP vulnerabilities

7 CVEs addressed in Precise ESM, Trusty
Most covered back in Episode 26

[USN-3936-2] AdvanceCOMP vulnerability

1 CVEs addressed in Disco
- CVE-2019-9210
Corresponding update for Disco - covered in Episode 27

[USN-3954-1] FreeRADIUS vulnerabilities

2 CVEs addressed in Bionic, Cosmic, Disco
- CVE-2019-11235
- CVE-2019-11234
2 possible “Dragonblood” authentication bypass issues - mentioned back in Episode 28 in the context of wpa_supplicant and hostapd - similar issue for FreeRADIUS

[USN-3955-1] tcpflow vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic
- CVE-2018-18409
- CVE-2018-14938
Stack based buffer overflow and an integer overflow -> usual effects (crash -> DoS / information disclosure)

[USN-3956-1] Bind vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- CVE-2018-5743
DoS - possible to bypass bind’s limits on simultaneous TCP clients and so cause a DoS via excessive resource usage

IoT Security follow-up with Joe McManus

Alex and Joe follow up on last episode’s conversation about IoT and in particular talk about Ubuntu Core and how this has been engineered to address many of these common IoT security design and implementation flaws

Goings on in Ubuntu Security Community

Ubuntu 19.04 Disco Dingo Released

Released on Thursday 18th April
Officially supported by Canonical for 9 months - with security fixes for packages in main by the security team

Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance

Standard support period concluded on Thursday 25th April
Users are encouraged to upgrade to our latest LTS release 18.04 via 16.04
Extended security maintenance is now available via Ubuntu Advantage
https://blog.ubuntu.com/2019/02/05/ubuntu-14-04-trusty-tahr
https://www.ubuntu.com/esm

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

Kategorier

Poddar Teknologi

Förekommer på

Teknik

00:00 -00:00