Overview
This week we look at security updates for Dovecot, Ghostscript, a livepatch update for the Linux kernel, Ceph and Apache, plus Alex and Joe discuss recent Wordpress plugin vulnerabilities and the Hostinger breach, and more.
This week in Ubuntu Security Updates
22 unique CVEs addressed
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- IMAP and ManageSieve protocol parsers did not check for embedded NUL bytes in strings
- When parsing these strings, the parser would return an index outside the normal string bounds as the first character which needed unescaping
- It would then try to unescape the string from this index, which rewrites the string in place, and so would write outside the bounds of the string
- Fixed to disallow embedded NUL bytes AND to not try to skip to the first unescaped character but instead loop over the whole string when unescaping
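To make the fix concrete, here is an added example (not Dovecot's code) of a length-aware unescape routine in the shape the notes describe: it rejects embedded NUL bytes up front and walks the whole declared length instead of jumping to an index computed by a NUL-terminated search. The escape syntax (backslash escapes the next byte) and the `unescape_quoted` name are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unescape the contents of a quoted string in place.
 * buf: the bytes between the quotes, with room for len + 1 bytes
 *      so a terminating NUL can be written after the result.
 * len: the declared length of the string (NOT strlen(buf)).
 * Returns the unescaped length, or -1 if the input is rejected.
 * Hypothetical routine modelled on the fix described above, not Dovecot's. */
static int unescape_quoted(char *buf, size_t len)
{
    size_t in = 0, out = 0;

    /* Check 1: refuse embedded NUL bytes. Any NUL-terminated string
     * function would see a shorter string than the declared length,
     * so an index derived from it could lie outside the real buffer. */
    if (memchr(buf, '\0', len) != NULL)
        return -1;

    /* Check 2: loop over the whole declared length; every write goes
     * to out <= in < len, so nothing is written past the buffer. */
    while (in < len) {
        if (buf[in] == '\\') {
            if (in + 1 >= len)
                return -1;          /* trailing backslash: malformed */
            in++;                   /* copy the escaped byte literally */
        }
        buf[out++] = buf[in++];
    }
    buf[out] = '\0';
    return (int)out;
}

int main(void)
{
    /* Constructed samples: one valid, one with an embedded NUL. */
    char ok[] = "say \\\"hi\\\"";     /* say \"hi\" */
    char bad[] = "ab\0cd";            /* declared length 5, NUL at index 2 */
    int n = unescape_quoted(ok, strlen(ok));
    printf("valid   -> %d bytes: %s\n", n, ok);
    printf("nul     -> %d (rejected)\n", unescape_quoted(bad, 5));
    return 0;
}
```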
[USN-4110-3, USN-4110-4] Dovecot regression [02:08]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Original patch used a pre-release version of the fix from upstream which contained an error such that the checking of NUL bytes was skipped - re-released with the correct final upstream fix
[LSN-0054-1] Linux kernel vulnerability [02:38]
- 9 CVEs addressed in Xenial, Bionic
- Livepatch for CVEs addressed in regular kernel updates (Episode 43)
- ptrace credentials race, Marvell Wifi heap-buffer overflows, NULL
pointer dereferences
[USN-4111-1] Ghostscript vulnerabilities [03:20]
- 4 CVEs addressed in Xenial, Bionic, Disco
- Four more -dSAFER sandbox bypasses (see Episode 43 for the last one)
- All variations on the theme of using the .forceput operator to escape the
sandbox
[USN-4112-1] Ceph vulnerability [04:01]
- 1 CVE addressed in Bionic, Disco
- DoS - unauthenticated clients can crash the rados gateway by disconnecting at a certain time (triggering a NULL pointer dereference when looking up the remote address for a connected client)
- Older versions are not affected since this is in the beast RGW frontend - which is not in the versions in trusty / xenial - and only in the bionic version as an experimental feature
[USN-4113-1] Apache HTTP Server vulnerabilities [04:41]
- 7 CVEs addressed in Xenial, Bionic, Disco
- HTTP/2 DoS issue (Internal Data Buffering) - see Episode 43 for nginx
- Open redirect in mod_rewrite if configured with self-referential redirects
- Stack buffer overflow + NULL pointer dereference in mod_remoteip
- Possible XSS in mod_proxy where the link shown on error pages could be controlled by an attacker - but only possible where configured with proxying enabled but misconfigured so that the Proxy Error page is shown.
- UAF (read) during HTTP/2 connection shutdown
- HTTP/2 push - allows the server to send resources to a client before it requests them - could overwrite memory of the server's request pool - this is preconfigured and not under control of the client but could cause a crash etc.
- HTTP/2 upgrade - can be configured to automatically upgrade HTTP/1.1 requests to HTTP/2 - but if this was not the first request on the connection it could lead to a crash
Goings on in Ubuntu Security Community
Alex and Joe talk Wordpress plugin vulnerabilities and Hostinger password breach [07:03]
OpenSSL 1.1.1 with TLS 1.3 support complete for Ubuntu 18.04 LTS (Bionic) [17:29]
- OpenSSL upgraded to version 1.1.1 in Ubuntu 18.04 LTS - supports TLS
1.3 - now published via -updates and -security