Overview
Updated Intel microcode for Cherry Trail and Bay Trail CPUs, fixes for
vulnerabilities in curl, Firefox, PHP and MariaDB, plus we talk about
configuring virtualised guests to mitigate speculative execution
vulnerabilities, as well as plans for the Ubuntu 19.10 development cycle.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-3977-2] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Corresponding Intel microcode updates for Cherry Trail and Bay Trail CPU families
[USN-3989-1] LibRaw vulnerabilities
- 7 CVEs addressed in Xenial, Bionic, Cosmic
- Multiple issues fixed:
  - Two NULL pointer dereferences
  - Heap-based buffer overflow
  - Stack-based buffer overflow
  - Three different cases of a possible infinite loop (CPU DoS)
[USN-3990-1] urllib3 vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- When validating certificates for HTTPS, a caller could specify a set of
  certificates to validate against; however, the system CA certificates would
  always be included as well, so validation could succeed even if the server
  certificate did not chain to the explicitly desired set. Fixed to NOT
  include the system certificates in this case.
- Possible CRLF injection
- Could expose HTTP Authorization credentials across different origin hosts:
  after authenticating, if redirected to a different origin host, the
  Authorization header from the old host would still be sent to the new host.
  Fixed by ensuring this defaults to being off.
[USN-3991-1] Firefox vulnerabilities
- 17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Latest upstream Firefox release (67.0)
- Includes fixes for various issues including:
  - DoS, spoofing of browser UI, tricking users into launching local
    executables, XSS and RCE
  - Tricking users into installing a malicious add-on by disabling the UI prompt
  - History exposure via bookmark handling
[USN-3566-2] PHP vulnerabilities
- 5 CVEs addressed in Precise ESM, Trusty ESM
- In February 2018 and March 2018, updates were released for PHP5 in Trusty
  fixing multiple CVEs. This update is the corresponding update which fixes
  some new CVEs in both Precise ESM and Trusty ESM, and some of the same
  older CVEs in Precise ESM.
[USN-3992-1] WebKitGTK+ vulnerabilities
- 3 CVEs addressed in Bionic, Cosmic, Disco
- New upstream release (2.24.2). Like most WebKitGTK+ updates, it contains
  little information on the new vulnerabilities, so assume the worst:
  DoS, XSS, RCE
- Used by GNOME Shell for captive portal handling, etc.
curl vulnerabilities
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic and Disco
  - TFTP receive heap-based buffer overflow
- 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  - Integer overflow on 32-bit architectures when handling a very large URL
    (>2GB) via the libcurl API (curl_url_set())
[USN-3957-2] MariaDB vulnerabilities
- 2 CVEs addressed in Trusty ESM
- Episode 30 mentioned an update for MariaDB for the standard support
  releases fixing 8 CVEs; 2 of those applied to MariaDB in Trusty ESM, and
  both allow a privileged attacker to crash the server.
Goings on in Ubuntu Security Community
Clarifications to documentation regarding latest Intel MDS vulnerabilities
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
- Updated to describe the situation when doing virtualisation:
  - To enable a guest to mitigate the various speculative execution
    vulnerabilities, need to ensure the guest CPU emulates the relevant CPU
    features (such as pcid, ssbd, etc.).
  - Whether this matters depends on the workload, e.g. whether untrusted code
    is run inside the guest or not.
  - Previously QEMU would define various CPU models such as Broadwell-IBRS
    which include support for this emulation. However, most of the newer
    features (ssbd, md_clear, etc.) are not included in these CPU models.
  - So instead they need to be enabled explicitly, which can be done in a
    few ways:
    - Pass the host CPU features through to the guest directly. This is the
      recommended approach if NOT going to migrate guests across hosts, since
      a guest migrated to a host with different features will cease to work.
    - Otherwise, manually enable the features directly as a subset of the
      features supported by all the various hosts in your datacenter. The way
      to specify this differs depending on whether QEMU on the command line
      or libvirt is used to configure the guest, but the idea is the same for
      both.
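As an added example (not from the podcast notes or from Ubuntu's documentation), the following POSIX shell script checks from inside a guest whether the emulated CPU exposes the pcid, ssbd and md_clear flags mentioned above, and prints the QEMU -cpu argument and libvirt <cpu> fragment that would require them on top of a named model. The Broadwell-IBRS base model and the sample cpuinfo content are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the podcast notes: check from inside a guest whether the
# emulated CPU exposes the feature flags the guest kernel needs for its speculative
# execution mitigations, and emit the QEMU / libvirt fragments that would add them.
# Flag names are the Linux /proc/cpuinfo names used in the notes (pcid, ssbd,
# md_clear); QEMU and libvirt spell the same features with hyphens (md-clear).

REQUIRED_FLAGS="pcid ssbd md_clear"

# missing_flags FILE: print the REQUIRED_FLAGS absent from the "flags" line of a
# cpuinfo-style FILE, space separated (empty line when nothing is missing).
missing_flags() {
    flags=$(grep -m1 '^flags' "$1" | cut -d: -f2-)
    missing=""
    for f in $REQUIRED_FLAGS; do
        case " $flags " in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# qemu_cpu_arg MODEL "FLAGS": value for qemu-system-x86_64 -cpu adding FLAGS to MODEL.
qemu_cpu_arg() {
    arg="$1"
    for f in $2; do
        arg="$arg,+$(printf '%s' "$f" | tr '_' '-')"
    done
    printf '%s\n' "$arg"
}

# libvirt_cpu_xml MODEL "FLAGS": <cpu> element for the domain XML requiring FLAGS.
libvirt_cpu_xml() {
    printf "<cpu mode='custom' match='exact'>\n  <model>%s</model>\n" "$1"
    for f in $2; do
        printf "  <feature policy='require' name='%s'/>\n" "$(printf '%s' "$f" | tr '_' '-')"
    done
    printf '</cpu>\n'
}

# Constructed sample: a guest whose CPU model predates the newer mitigation flags.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu pcid ibrs spec_ctrl\n' > "$sample"
need=$(missing_flags "$sample")
echo "missing in sample guest: $need"
qemu_cpu_arg Broadwell-IBRS "$need"
libvirt_cpu_xml Broadwell-IBRS "$need"
rm -f "$sample"
```

On a real guest, run `missing_flags /proc/cpuinfo` instead of the constructed sample; an empty result means the guest kernel can see all three features.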
Security Team plans for 19.10 development cycle
- The 19.10 cycle roadmap meeting was held in Lyon two weeks ago; each Ubuntu
  team presented on their progress from the 19.04 cycle as well as their
  plans for the 19.10 cycle
- Security team highlights for 19.10:
  - Automate more parts of our processes around triage of code reviews,
    reactive package updates, etc.
  - Review and incorporate KSPP recommendations for kernel hardening
  - GCC -fstack-clash-protection and -fcf-protection as default
  - Various snapd enhancements (daemon user, OpenGL support, audio
    migration)
  - AppArmor features: prompting, more groundwork for fine-grained network
    mediation
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact