Overview
We catch up on details of the past few weeks of security updates, including
Python, curl, Linux kernel, Exim and more, plus Alex and Joe discuss the
recent Ubuntu Engineering Sprint in Paris and building a HoneyBot for Admin
Magazine.
This week in Ubuntu Security Updates
93 unique CVEs addressed
[USN-4125-1] Memcached vulnerability [00:42]
- 1 CVE addressed in Xenial, Bionic, Disco
- Possible stack buffer over-read when using UNIX sockets (the address of the
  UNIX socket is copied with strncpy(), which could read past the end of the
  src buffer) - possible crash -> DoS - fixed to explicitly limit the copy
  length to the smaller of the src/dst buffers rather than just the size of
  the dest buffer
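An added illustration of the fix pattern described above (this is example code written for these notes, not memcached's own code): a copy routine that bounds the length by both the number of valid source bytes and the destination size. The source buffer here is a constructed, deliberately unterminated path such as the `sun_path` of a peer address returned by getpeername(), whose valid length is known only from the address length; the function name `copy_path_bounded` is an assumption for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (for comparison, not called here):
 *     strncpy(dst, src, sizeof(dst));
 * strncpy() stops at a NUL in src or after sizeof(dst) bytes, so when src
 * is shorter than dst and is NOT NUL-terminated it keeps reading past the
 * end of src: a stack/heap over-read that can crash the process.
 *
 * Hardened form: limit the copy to the smaller of the valid source length
 * and the destination size (minus one for the terminator), and also stop at
 * an embedded NUL if the source happens to be terminated early.
 *
 * Returns the number of bytes copied (excluding the terminator), or
 * (size_t)-1 if dst is unusable.
 */
size_t copy_path_bounded(char *dst, size_t dstsize,
                         const char *src, size_t srclen)
{
    if (dst == NULL || dstsize == 0)
        return (size_t)-1;
    if (src == NULL)
        srclen = 0;

    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;

    /* memchr() is bounded by n, so it never reads beyond the valid bytes. */
    const char *nul = (n > 0) ? memchr(src, '\0', n) : NULL;
    if (nul != NULL)
        n = (size_t)(nul - src);

    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Runs the three cases a reviewer would check; returns the number of
 * failures (0 means every case behaved as expected). */
int run_checks(void)
{
    int failures = 0;
    char dst[16];

    /* Constructed unterminated source: 8 valid bytes, no NUL anywhere. */
    char unterminated[8] = {'/', 't', 'm', 'p', '/', 's', 'o', 'c'};
    if (copy_path_bounded(dst, sizeof dst, unterminated,
                          sizeof unterminated) != 8 ||
        strcmp(dst, "/tmp/soc") != 0)
        failures++;

    /* Source longer than the destination: truncated, still terminated. */
    char small[4];
    const char *longpath = "/tmp/socket";
    if (copy_path_bounded(small, sizeof small, longpath,
                          strlen(longpath)) != 3 ||
        strcmp(small, "/tm") != 0)
        failures++;

    /* Early NUL inside the valid range: copy stops there. */
    char early[5] = {'a', 'b', '\0', 'c', 'd'};
    if (copy_path_bounded(dst, sizeof dst, early, sizeof early) != 2 ||
        strcmp(dst, "ab") != 0)
        failures++;

    return failures;
}

int main(void)
{
    int failures = run_checks();
    printf("bounded copy checks: %d failure(s)\n", failures);
    return failures == 0 ? 0 : 1;
}
```

The important detail is that the bound comes from the caller's knowledge of how many source bytes are valid (for a socket address, the returned address length minus the offset of the path field), not from the destination size alone.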
[USN-4126-1] FreeType vulnerability [01:49]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial
- 2 CVEs addressed in Precise ESM, Trusty ESM only
- All various heap-based buffer over-reads - crash -> DoS
- 8 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  - 4 issues in urllib:
    - would allow files on the local file-system to be opened easily
    - 2 different CRLF injection issues
    - specially crafted URL could cause urllib to send cookies / auth data
      for the wrong host
      - Fixed incorrectly upstream, so two CVEs were assigned
  - http cookiejar wouldn’t validate the URL correctly so could also send
    cookies for another domain
  - Possible NULL ptr deref when parsing X509 certs if a cert had an empty CRL
    distribution point / URI
  - Possible integer overflow when serializing tens of hundreds of gigabytes
    of data via the pickle format - could cause memory exhaustion
- 3 CVEs addressed in Xenial, Bionic (tomcat-8) and Bionic, Disco (tomcat-9)
- HTTP/2 server would accept streams with an excessive number of SETTINGS
  frames and would permit clients to keep streams open without reading /
  writing anything - could lead to DoS by causing server-side threads to
  block
  - Original fix was incomplete, so a second CVE was assigned
- Possible XSS injection if using the SSI printenv command, as it would echo
  user-provided data without escaping - intended only for debugging so
  shouldn’t be used on a production website anyway
[USN-4120-2] systemd regression [04:45]
- Affecting Bionic, Disco
- Episode 46 - systemd-resolved dbus access control - the update was
prepared using a pending SRU update - but this contained a regression in
networking - re-released the security fix but without this SRU update
included.
[USN-4115-2] Linux kernel regression [05:18]
- Affecting Xenial (HWE), Bionic
- Recent kernel update (Episode 46) could possibly crash on handling
fragmented packets
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- 1 extra CVE addressed in Xenial, Bionic, Disco
[USN-4130-1] WebKitGTK+ vulnerabilities [06:15]
- 16 CVEs addressed in Bionic, Disco
- Update to latest WebKitGTK upstream release (2.24.4)
[USN-4131-1] VLC vulnerabilities [06:38]
- 11 CVEs addressed in Bionic, Disco
- Update to latest VLC upstream release (3.0.8)
[USN-4133-1] Wireshark vulnerabilities [06:48]
- 2 CVEs addressed in Xenial, Bionic, Disco
- Update to latest upstream release (2.6.10-1)
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Crafted XML could fool the parser into switching to document parsing too
  early (whilst still in the DTD) - could then result in a heap-based buffer
  over-read when looking up the current line / column number - possible crash
  -> DoS
[USN-4134-1] IBus vulnerability [07:30]
- 1 CVE addressed in Xenial, Bionic, Disco
- Failed to apply access controls to D-Bus server socket - could allow
another local user to connect to logged in local user’s IBus daemon and
snoop on keystrokes etc
- Attacker needs to know IBus socket address which is randomised and not
easily discoverable
[USN-4134-2] IBus regression [08:00]
- Affecting Xenial, Bionic, Disco
- Regressed for Qt users - Qt seems unable to connect to IBus socket - so
reverted
[USN-4124-2] Exim vulnerability [08:25]
- 1 CVE addressed in Trusty ESM
- Episode 46 - high profile possible remote root exploit
[USN-4113-2] Apache HTTP Server regression [08:38]
- Affecting Xenial, Bionic, Disco
- Episode 45 - HTTP/2 DoS issues - update caused a regression when proxying
balance manager connections - fixed by incorporating missing upstream
patches
[USN-4135-1, USN-4135-2] Linux kernel vulnerabilities [09:01]
- 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Possible host privilege escalation from a libvirt guest (guest user needs
to be privileged)
- 2 related info disclosures on PowerPC - local user could possibly read
vector registers of other users’ processes either during an interrupt or
via a facility unavailable exception
[LSN-0056-1] Linux kernel vulnerability [09:51]
- 1 CVE addressed in Xenial, Bionic
- Livepatch notification of above libvirt host privesc
[USN-4136-1, USN-4136-2] wpa_supplicant and hostapd vulnerability [10:06]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Attacker in radio range could cause a station to disconnect by sending a
specially crafted management frame (since would not properly validate the
source address of the frame)
[USN-4137-1] Mosquitto vulnerability [10:44]
- 1 CVE addressed in Disco
- Stack overflow if a malicious client sends a SUBSCRIBE with a topic of
~65k ‘/’ characters
[USN-4138-1] LibreOffice vulnerability [10:56]
- 1 CVE addressed in Xenial, Bionic, Disco
- Episode 44 - able to bypass the protections added to try and stop inclusion
  of code from the local file-system in macros etc. via URL encoding
[USN-4139-1] File Roller vulnerability [11:18]
- 1 CVE addressed in Xenial, Bionic
- Path traversal outside of CWD to parent
[USN-4140-1] Firefox vulnerability [11:33]
- 1 CVE addressed in Xenial, Bionic, Disco
- Latest upstream release (69.0.1) - pointer lock able to be enabled
without any notification to user - could allow a malicious website to
hijack mouse cursor and confuse user
[USN-4141-1] Exim vulnerability [11:54]
- 1 CVE addressed in Disco
- Heap-based buffer overflow - could possibly allow remote code execution -
was announced on Saturday 28th - thanks Marc for the quick update :)
Goings on in Ubuntu Security Community
Joe and Alex talk about the Paris Engineering Sprint and Joe’s recent article in Admin Magazine [12:42]
New security category on discourse.ubuntu.com [25:52]
Get in contact