Overview
This week we look at updates for Sudo, Python, OpenStack Octavia and more,
plus we discuss a recent CVE for Python which resulted in erroneous
scientific research results, and we go over some of your feedback from
Episode 48.
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-4148-1] OpenEXR vulnerabilities [00:45]
- 8 CVEs addressed in Xenial, Bionic, Disco
- Image format developed by ILM with a high dynamic range for computer
imaging applications
- Range of issues (C++ codebase)
- OOB writes (usually only a few bytes past the end of a buffer) ->
assertion failure or memory corruption -> crash / code execution
- OOB reads (same root cause) -> crash
[USN-4149-1] Unbound vulnerability [02:06]
- 1 CVE addressed in Disco
- Validating, recursive DNS resolver
- OOB read due to a remotely crafted NOTIFY query (source IP needs to match
an ACL) -> crash
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- XML-RPC server module could end up serving arbitrary JS: a title set via
the set_server_title() method was not escaped before being rendered
- Python email module tries to parse an email address into a local part +
domain - if the domain contains multiple @ characters it could get confused
and return the wrong output - so applications which rely on this for
validating email addresses could accept an address which is actually invalid
[USN-4152-1] libsoup vulnerability [03:53]
- 1 CVE addressed in Bionic, Disco
- Heap buffer OOB read - fails to check the length specified in a message
against the length actually received - could then memcpy past the end of
the input message -> crash
[USN-4153-1] Octavia vulnerability [04:33]
- 1 CVE addressed in Disco
- Amphora images in OpenStack Octavia fail to properly validate client
certificates for management network clients -> could allow anyone with
management network access to retrieve information / issue config commands
[USN-4154-1] Sudo vulnerability [05:06]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Lots of press around a seemingly high priority privilege escalation
vulnerability - BUT it requires an admin to have configured sudo with a
particular configuration (i.e. specifying that a user can run a command as
any other user via the ALL keyword in a Runas rule). In this case, if the
rule had also been configured to explicitly deny running the command as
root, this could be bypassed by the user specifying a UID of -1. So it would
only affect a very small number of installations.
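As an added example (not from the episode or the sudo project), the check below flags Runas specs of the shape the episode describes, ALL combined with an explicit !root exclusion, in a constructed sudoers snippet; it assumes inline Runas lists only and does not resolve Runas_Alias definitions.

```python
import re

# Constructed sudoers content for demonstration only; not from any real host.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt
carol   ALL=(www-data) /usr/bin/php
%devs   ALL=(ALL, !root, !#0) /usr/bin/id
"""

# user host=(runas_users[:runas_groups]) [tags:] command
RUNAS_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$"
)


def risky_runas_rules(sudoers_text):
    """Return (line_no, line) for rules whose Runas user list grants ALL
    while explicitly excluding root (by name or by UID 0).

    These are the only rules the episode says the bypass applies to:
    the exclusion does not stop a caller asking for UID -1 on an
    unpatched sudo, so such hosts need the USN-4154-1 update."""
    findings = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RUNAS_RE.match(line)
        if not m:
            continue  # Defaults lines, aliases, rules without a Runas spec
        users_part = m.group("runas").split(":")[0]  # drop Runas group list
        entries = [e.strip() for e in users_part.split(",") if e.strip()]
        allows_any_user = "ALL" in entries
        denies_root = any(e in ("!root", "!#0") for e in entries)
        if allows_any_user and denies_root:
            findings.append((n, stripped))
    return findings


if __name__ == "__main__":
    for line_no, rule in risky_runas_rules(SAMPLE_SUDOERS):
        print(f"line {line_no}: {rule}")
```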
[USN-4155-1] Aspell vulnerability [07:26]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Stack buffer over-read - found by Google's OSS-Fuzz
[USN-4156-1] SDL vulnerabilities [08:03]
- 12 CVEs addressed in Xenial, Bionic
- Covered all the higher priority ones in Episode 48 for SDL 2.0 - now
fixed for SDL 1.2 as well, plus rolled in a bunch of fixes for lower
priority issues (buffer over-reads in WAV handling etc.)
Goings on in Ubuntu Security Community
Alex and Joe talk CVEs for bad documentation and resulting scientific research? [09:20]
Feedback on desired features for 20.04 [18:53]
Get in contact