Start / Ubuntu Security Podcast / Episode 47

Episode 47

28 min • 3 oktober 2019

Overview

We catch up on details of the past few weeks of security updates, including Python, curl, Linux kernel, Exim and more, plus Alex and Joe discuss the recent Ubuntu Engineering Sprint in Paris and building a HoneyBot for Admin Magazine.

This week in Ubuntu Security Updates

93 unique CVEs addressed

[USN-4125-1] Memcached vulnerability [00:42]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-15026
Possible stack buffer over-read when using UNIX sockets (copies address of UNIX socket using strncpy() which could possibly read past the end of the src buffer) - possible crash -> DoS - fixed to explicitly limit length to smallest of src/dst buffers rather than just size of dest buffer

[USN-4126-1] FreeType vulnerability [01:49]

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial
- CVE-2015-9383
2 CVEs addressed in Precise ESM, Trusty ESM only
- CVE-2015-9382
- CVE-2015-9381
All various heap based buffer over-reads - crash -> DoS

[USN-4127-1, USN-4127-2] Python vulnerabilities [02:13]

8 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
4 issues in urllib:
- would allow to easily open files from local file-system
- 2 different CRLF injection issues
- specially crafted URL could cause urllib to send cookies / auth data for wrong host
  - Fixed incorrectly upstream so had a two CVEs assigned
http cookiejar wouldn’t validate URL correctly so could also send cookies for another domain
Possible NULL ptr deref when parsing X509 certs if had an empty CRL distpoint / URI
Possible integer overflow when serializing a tens of hundreds of gigabytes of data via the pickle format - could cause memory exhaustion

[USN-4128-1, USN-4128-2] Tomcat vulnerabilities [03:35]

3 CVEs addressed in Xenial, Bionic (tomcat-8) and Bionic, Disco (tomcat-9)
HTTP/2 server would accept streams with an excessive number of SETTINGS frames and would permit clients to keep streams open without reading / writing anything - could lead to DoS by causing server-side threads to block
- Original fix was incomplete - so got a second CVE
Possible XSS injection if using SSI printenv command as would echo user provided data without escaping - intended only for debugging so shouldn’t be used in a production website anyway

[USN-4120-2] systemd regression [04:45]

Affecting Bionic, Disco
Episode 46 - systemd-resolved dbus access control - the update was prepared using a pending SRU update - but this contained a regression in networking - re-released the security fix but without this SRU update included.

[USN-4115-2] Linux kernel regression [05:18]

Affecting Xenial (HWE), Bionic
Recent kernel update (Episode 46) could possibly crash on handling fragmented packets

[USN-4129-1, USN-4129-2] curl vulnerabilities [05:42]

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- CVE-2019-5482
  - Heap buffer overflow in TFTP protocol handler
1 extra CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-5481
  - Double free in FTP-kerberos code

[USN-4130-1] WebKitGTK+ vulnerabilities [06:15]

16 CVEs addressed in Bionic, Disco
Update to latest WebKitGTK upstream release (2.24.4)

[USN-4131-1] VLC vulnerabilities [06:38]

11 CVEs addressed in Bionic, Disco
Update to latest VLC upstream release (3.0.8)

[USN-4133-1] Wireshark vulnerabilities [06:48]

2 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-13619
- CVE-2019-12295
Update to latest upstream release (2.6.10-1)

[USN-4132-1, USN-4132-2] Expat vulnerability [06:55]

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- CVE-2019-15903
Crafted XML could fool the parser to switch to document parsing too early (whilst still in DTD) - could then result in a heap-based buffer over-read when looking up current line / column number - possible crash -> DoS

[USN-4134-1] IBus vulnerability [07:30]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-14822
Failed to apply access controls to D-Bus server socket - could allow another local user to connect to logged in local user’s IBus daemon and snoop on keystrokes etc
- Attacker needs to know IBus socket address which is randomised and not easily discoverable

[USN-4134-2] IBus regression [08:00]

Affecting Xenial, Bionic, Disco
Regressed for Qt users - Qt seems unable to connect to IBus socket - so reverted

[USN-4124-2] Exim vulnerability [08:25]

1 CVEs addressed in Trusty ESM
- CVE-2019-15846
Episode 46 - high profile possible remote root exploit

[USN-4113-2] Apache HTTP Server regression [08:38]

Affecting Xenial, Bionic, Disco
Episode 45 - HTTP/2 DoS issues - update caused a regression when proxying balance manager connections - fixed by incorporating missing upstream patches

[USN-4135-1, USN-4135-2] Linux kernel vulnerabilities [09:01]

3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
Possible host privilege escalation from a libvirt guest (guest user needs to be privileged)
2 related info disclosures on PowerPC - local user could possibly read vector registers of other users’ processes either during an interrupt or via a facility unavailable exception

[LSN-0056-1] Linux kernel vulnerability [09:51]

1 CVEs addressed in Xenial, Bionic
- CVE-2019-14835
Livepatch notification of above libvirt host privesc

[USN-4136-1, USN-4136-2] wpa_supplicant and hostapd vulnerability [10:06]

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- CVE-2019-16275
Attacker in radio range could cause a station to disconnect by sending a specially crafted management frame (since would not properly validate the source address of the frame)

[USN-4137-1] Mosquitto vulnerability [10:44]

1 CVEs addressed in Disco
- CVE-2019-11779
Stack overflow if a malicious client sends a SUBSCRIBE with a topic of ~65k ‘/’ characters

[USN-4138-1] LibreOffice vulnerability [10:56]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-9854
Episode 44 - able to bypass protections added to try and stop inclusion of code on local file-system in macros etc via URL encoding

[USN-4139-1] File Roller vulnerability [11:18]

1 CVEs addressed in Xenial, Bionic
- CVE-2019-16680
Path traversal outside of CWD to parent

[USN-4140-1] Firefox vulnerability [11:33]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-11754
Latest upstream release (69.0.1) - pointer lock able to be enabled without any notification to user - could allow a malicious website to hijack mouse cursor and confuse user

[USN-4141-1] Exim vulnerability [11:54]

1 CVEs addressed in Disco
- CVE-2019-16928
Heap-based buffer overflow - could possibly allow remote code execution - was announced on Saturday 28th - thanks Marc for the quick update :)

Goings on in Ubuntu Security Community

Joe and Alex talk about the Paris Engineering Sprint and Joe’s recent article in Admin Magazine [12:42]

New security category on discourse.ubuntu.com [25:52]

https://discourse.ubuntu.com/c/security
Created to allow discussion of security relevant Ubuntu topics and issues in a more user-friendly and centralised location
- Will be used in addition to the existing ubuntu-hardened mailing list and #ubuntu-hardened IRC channel

Get in contact

Kategorier

Poddar Teknologi

Förekommer på

Teknik

00:00 -00:00