Overview
Security updates for python-apt, GnuTLS, tcpdump, the Linux kernel and
more, plus we look at plans to integrate Ubuntu Security Notices within the
main ubuntu.com website.
This week in Ubuntu Security Updates
91 unique CVEs addressed
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- python-apt could still use MD5 to validate downloads - MD5 has been broken
for a long time now, so if a repository only made MD5 hashes available those
alone would be trusted - the fix is to verify all of the hashes the repository
provides
- Ensure a repository is trusted before downloading from it - in some cases a
repository could be configured without being trusted and python-apt based
clients would not check its trust status, so would use it anyway - now trust
is always checked and verified unless the repository is explicitly configured
as trusted
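The two checks above, as an added example that is not python-apt's own code (python-apt delegates this to the apt libraries): a verifier that checks a downloaded index against every hash listed in a constructed Release file and, as this example's own stricter policy, refuses a download for which only MD5 or SHA-1 are listed, plus a sources.list parser that waives signature verification only for an explicit `[trusted=yes]` option. The Release and sources.list layouts are apt's; the index content, paths and `signature_valid` flag (standing in for a real InRelease/Release.gpg check) are constructed for the example.

```python
import hashlib

# Hash sections apt lists in a Release file, mapped to hashlib names.
ALGORITHMS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Policy of this example (stricter than just "verify all hashes"): a download is
# only accepted if at least one collision-resistant hash is listed for it.
STRONG = {"SHA256", "SHA512"}


def parse_release_hashes(release_text):
    """Return {path: {section: (hexdigest, size)}} from a Release file body.

    A hash section is a line such as 'SHA256:' followed by indented
    '<hexdigest> <size> <path>' entries; any other field ends the section.
    """
    hashes = {}
    current = None
    for line in release_text.splitlines():
        stripped = line.strip()
        if not line.startswith(" ") and stripped.endswith(":") and stripped[:-1] in ALGORITHMS:
            current = stripped[:-1]
            continue
        if line.startswith(" ") and current is not None:
            parts = stripped.split()
            if len(parts) == 3:
                digest, size, path = parts
                hashes.setdefault(path, {})[current] = (digest.lower(), int(size))
            continue
        current = None
    return hashes


def verify_index(release_text, path, data):
    """Check a downloaded index file against every hash listed for it.

    Returns (ok, reason). A matching weak hash is not enough on its own, and
    every listed hash (weak ones included) must match.
    """
    entries = parse_release_hashes(release_text).get(path)
    if not entries:
        return False, "path not listed in Release file"
    if not STRONG.intersection(entries):
        return False, "only weak hashes (MD5/SHA1) listed; refusing to trust"
    for section, (expected, size) in entries.items():
        if len(data) != size:
            return False, "size mismatch"
        if hashlib.new(ALGORITHMS[section], data).hexdigest() != expected:
            return False, f"{section} mismatch"
    return True, "all listed hashes match"


def source_needs_verification(source_line):
    """For a one-line sources.list entry, only '[trusted=yes]' waives
    signature verification of the repository's Release file."""
    start, end = source_line.find("["), source_line.find("]")
    if start != -1 and end > start:
        opts = dict(opt.split("=", 1) for opt in source_line[start + 1:end].split() if "=" in opt)
        return opts.get("trusted", "no").lower() != "yes"
    return True


def accept_release(source_line, signature_valid):
    """Use a repository only if its Release signature verified, or the source
    was explicitly configured as trusted."""
    if source_needs_verification(source_line):
        return signature_valid
    return True


# Constructed sample data, not a real Ubuntu archive.
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_DATA = b"Package: demo\nVersion: 1.0-1\nArchitecture: all\n"


def make_release(sections):
    """Build a minimal Release body listing INDEX_DATA under the given sections."""
    lines = ["Origin: Example", "Suite: stable"]
    for section in sections:
        digest = hashlib.new(ALGORITHMS[section], INDEX_DATA).hexdigest()
        lines.append(f"{section}:")
        lines.append(f" {digest} {len(INDEX_DATA)} {INDEX_PATH}")
    return "\n".join(lines) + "\n"


GOOD_RELEASE = make_release(["MD5Sum", "SHA256"])
MD5_ONLY_RELEASE = make_release(["MD5Sum"])

if __name__ == "__main__":
    tampered = INDEX_DATA.replace(b"1.0-1", b"1.0-2")  # same length, different bytes
    print(verify_index(GOOD_RELEASE, INDEX_PATH, INDEX_DATA))      # accepted
    print(verify_index(GOOD_RELEASE, INDEX_PATH, tampered))        # MD5Sum mismatch
    print(verify_index(MD5_ONLY_RELEASE, INDEX_PATH, INDEX_DATA))  # weak hash only
    print(accept_release("deb http://repo.example/debian stable main", False))
    print(accept_release("deb [arch=amd64 trusted=yes] http://repo.example/debian stable main", False))
```

Checking the size before hashing is cheap and catches truncated downloads early; the weak-hash refusal is the example's policy, not something the page states python-apt does.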
[USN-4248-1] GraphicsMagick vulnerabilities [02:31]
[USN-4246-1] zlib vulnerabilities [02:55]
- 4 CVEs addressed in Xenial
- A Trail of Bits security audit of zlib found various instances of undefined
behaviour in the implementation - pointer arithmetic on undefined memory
ranges, shifts by negative amounts etc. - unlikely to have any real-world
impact
[USN-4249-1] e2fsprogs vulnerability [03:55]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- Stack buffer overflow when running e2fsck on a specially crafted ext4
file-system image - so treat fsck of an untrusted image (e.g. a removable
device) as processing untrusted input
[USN-4233-2] GnuTLS update [04:34]
- Affecting Xenial, Bionic
- The update covered in Episode 59 disabled SHA1 for digital signatures in
GnuTLS - this follow-up adds the VERIFY_ALLOW_BROKEN and
VERIFY_ALLOW_SIGN_WITH_SHA1 priority-string keywords so SHA1 can still be
enabled explicitly, per application, if it is really needed
[USN-4230-2] ClamAV vulnerability [05:16]
- 1 CVE addressed in Precise ESM, Trusty ESM
- See Episode 59 - this update brings the same fix to the ESM releases
[USN-4250-1] MySQL vulnerabilities [05:34]
- 14 CVEs addressed in Xenial, Bionic, Eoan
- New upstream releases: 5.7.29 for Xenial and Bionic, 8.0.19 for Eoan
[USN-4251-1] Tomcat vulnerabilities [06:02]
- 2 CVEs addressed in Xenial
- 28 CVEs addressed in tcpdump in Precise ESM, Trusty ESM, Xenial, Bionic
- The usual mix of buffer overflows and the like in various tcpdump protocol
dissectors - in general you should not run tcpdump on untrusted data - when
started as root, tcpdump on Ubuntu by default drops privileges to the tcpdump
user after opening the capture device (see -Z / --relinquish-privileges),
which makes this somewhat safer, although the dissectors still parse
attacker-controlled packets, so a crash or code execution as the tcpdump user
remains possible
- 1 CVE addressed in Bionic (HWE), Eoan (5.3 kernel)
- The Intel GPU driver failed to clear hardware state on a context switch -
could allow an information leak between local users - the update makes the
driver forcibly clear state
[USN-4255-1, USN-4255-2] Linux kernel vulnerabilities [08:07]
- 2 CVEs addressed in Xenial (HWE), Bionic (4.15 kernel)
- Intel GPU state information leak (as above)
- Use-after-free in the Intel GPU driver (i915) - crash or code execution
[USN-4258-1] Linux kernel vulnerabilities [08:40]
- 15 CVEs addressed in Bionic (AWS, GCP, GKE) (5.0 kernel)
- Out-of-bounds write in the KVM hypervisor, reachable via /dev/kvm
- The virtual console allowed writes to unimplemented parts of the unicode
console devices - out-of-bounds memory access - crash etc.
- 2 separate memory leaks in the crypto subsystem on certain failure paths -
reachable by a local user - DoS via memory exhaustion
- NULL pointer dereference in the Atheros wireless USB driver
[USN-4254-1, USN-4254-2] Linux kernel vulnerabilities [09:54]
- 9 CVEs addressed in Trusty ESM (HWE), Xenial (4.4 kernel)
- Out-of-bounds write in the KVM hypervisor via /dev/kvm (as above)
- Crypto subsystem memory leak (as above)
- Intel GPU information leak (as above)
[USN-4256-1] Cyrus SASL vulnerability [10:24]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- Out-of-bounds write due to an off-by-one error - originally reported against
OpenLDAP, which uses cyrus-sasl and could be crashed by an unauthenticated
remote user because of this
[USN-4236-3] Libgcrypt vulnerability [10:57]
- 1 CVE addressed in Precise ESM, Trusty ESM
- See Episode 59 - ECDSA side-channel timing attack
[USN-4257-1] OpenJDK vulnerabilities [11:15]
- 8 CVEs addressed in Xenial, Bionic, Eoan
- Latest upstream release (11.0.6)
Goings on in Ubuntu Security Community
Moving Ubuntu Security Notices to ubuntu.com/security [11:34]
Get in contact