Overview
This week we look at security updates for FreeTDS, HAProxy, Nokogiri, plus
some regressions in Whoopsie, Apport and Firefox, and Joe and Alex discuss
the release of 14.04 ESM for personal use under the Ubuntu Advantage
program.
This week in Ubuntu Security Updates
9 unique CVEs addressed
[USN-4171-2] Apport vulnerabilities [00:44]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- OSS-Fuzz using libFuzzer - heap-based buffer overflow of up to 4 bytes in
the CDF parser when handling vector elements - Composite Document File -
used in MS Office prior to the new zipped XML format - i.e. the old .doc /
.xls etc
[USN-4173-1] FreeTDS vulnerability [01:48]
- 1 CVE addressed in Bionic, Disco, Eoan
- Felix Wilhelm of Google Security Team - if a server were to downgrade
the protocol to version 5 and send a UDT type to the client, this would
cause a heap buffer overflow due to a mismatch in size - fixed by forcing
the size to an appropriate value
- Affecting Xenial, Bionic, Disco, Eoan
- Episode 51 - update caused a crash on upload to the server due to a
mismatch in size and a resulting partially uninitialized variable - fixed
to initialize it, but realised this could still potentially crash on
big-endian architectures so fixed properly by changing the size to 32-bit
to match memcpy()
- 5 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
- Episode 51 - regression due to a missing change to the Python code to
handle the new internal API - fixed by updating the API to be backwards
compatible
[USN-4174-1] HAproxy vulnerability [04:55]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- HTTP Request Smuggling attack
- Wouldn’t reject messages that specified transfer-encoding without the
“chunked” value
- Could be combined with HTTP reuse for request smuggling - i.e. the ability
to get an attacker-controlled chunk appended to a legitimate request and
hence the response sent back to the attacker etc - fixed to reject if
transfer-encoding is used without also specifying “chunked”
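As an added example (not HAProxy's own code), here is a C check for the rule the fix enforces: a Transfer-Encoding value is accepted only when "chunked" is its final coding. The framing decision goes one step beyond the page's fix and also rejects a request that carries both Transfer-Encoding and Content-Length, following RFC 7230 section 3.3.3.

```c
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive comparison of the token [s, s+n) against "chunked". */
static int is_chunked(const char *s, size_t n)
{
    if (n != 7)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != "chunked"[i])
            return 0;
    return 1;
}

/* Accept a Transfer-Encoding value only if it is a comma-separated list of
 * non-empty codings whose final coding is "chunked" (RFC 7230 section 3.3.1);
 * "chunked" appearing anywhere else (non-final or repeated) is rejected. */
int te_is_valid(const char *te)
{
    const char *p = te;
    for (;;) {
        while (*p == ' ' || *p == '\t')      /* skip leading whitespace */
            p++;
        const char *start = p;
        while (*p && *p != ',')
            p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                           /* drop trailing whitespace */
        if (end == start)
            return 0;                        /* empty coding, e.g. "gzip,,chunked" */
        if (*p == '\0')
            return is_chunked(start, (size_t)(end - start));  /* final coding */
        if (is_chunked(start, (size_t)(end - start)))
            return 0;                        /* chunked before the end */
        p++;                                 /* step over the comma */
    }
}

/* Body framing decision: -1 reject, 0 no body, 1 chunked, 2 Content-Length.
 * A request carrying both headers is rejected outright, since that pairing
 * is the classic smuggling trigger (RFC 7230 section 3.3.3). */
int decide_framing(const char *te, const char *content_length)
{
    if (te == NULL)
        return content_length ? 2 : 0;
    if (content_length != NULL)
        return -1;
    return te_is_valid(te) ? 1 : -1;
}
```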
[USN-4175-1] Nokogiri vulnerability [06:36]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- Ruby-based parser for HTML/XML/SAX etc. with XPath & CSS selector support
- Command-injection vulnerability due to use of the Rexical gem - would
need code which calls the undocumented load_file method within the CSS
tokenizer with user-supplied input for the filename - due to use of
eval()…
[USN-4165-2] Firefox regressions [07:38]
- Affecting Xenial, Bionic, Disco, Eoan
- Upstream Firefox 70.0.1 release to fix a regression in the 70.0 release
(some pages with dynamic JavaScript would fail to load - v70.0 had
enabled a new next-gen local storage feature which caused issues, so this
is now disabled by default)
Goings on in Ubuntu Security Community
Alex and Joe discuss news that 14.04 ESM is free for personal use via new UA client [08:19]
Get in contact