Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 60

14 min • 30 januari 2020

Overview

Security updates for python-apt, GnuTLS, tcpdump, the Linux kernel and more, plus we look at plans to integrate Ubuntu Security Notices within the main ubuntu.com website.

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-4247-1, USN-4247-2, USN-4247-3] python-apt vulnerabilities [00:42]

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • Could still use md5 to validate downloads - md5 has been broken for a while now so if md5 hashes were available for a repo then these would be trusted - instead, verify all hashes
  • Ensure repository is trusted before downloading from it - in some cases, could configure repositories that were not trusted and python-apt based clients would not check trust - so would use it - now always check and verify unless the repository is specifically configured as trusted

[USN-4248-1] GraphicsMagick vulnerabilities [02:31]

[USN-4246-1] zlib vulnerabilities [02:55]

  • 4 CVEs addressed in Xenial
  • Trail of Bits security audit of zlib found various instances of undefined behaviour in the implementation - pointer increment operations on undefined memory ranges, shifts by negative indices etc. Unlikely to have any real world impact.

[USN-4249-1] e2fsprogs vulnerability [03:55]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • Stack buffer overflow when e2fsck’ing a specially crafted ext4 file-system image

[USN-4233-2] GnuTLS update [04:34]

  • Affecting Xenial, Bionic
  • Episode 59 - disabled SHA1 for digital signatures in GnuTLS - this update adds VERIFY_ALLOW_BROKEN and VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings so can still use sha1 if really needed

[USN-4230-2] ClamAV vulnerability [05:16]

[USN-4250-1] MySQL vulnerabilities [05:34]

[USN-4251-1] Tomcat vulnerabilities [06:02]

[USN-4252-1, USN-4252-2] tcpdump vulnerabilities [06:05]

[USN-4253-1, USN-4253-2] Linux kernel vulnerability [07:30]

  • 1 CVEs addressed in Bionic (HWE), Eoan (5.3 kernel)
  • Intel GPU would fail to clear state during context switch - could allow an info leak between local users - so update driver to forcibly clear state

[USN-4255-1, USN-4255-2] Linux kernel vulnerabilities [08:07]

  • 2 CVEs addressed in Xenial (HWE), Bionic (4.15 kernel)
  • Intel GPU state info leak
  • Intel GPU driver (i915) UAF - crash / code execution

[USN-4258-1] Linux kernel vulnerabilities [08:40]

[USN-4254-1, USN-4254-2] Linux kernel vulnerabilities [09:54]

[USN-4256-1] Cyrus SASL vulnerability [10:24]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • OOB write due to off-by-one error - originally reported against OpenLDAP which uses cyrus-sasl and was able to be crashed by an unauthenticated remote user due to this

[USN-4236-3] Libgcrypt vulnerability [10:57]

[USN-4257-1] OpenJDK vulnerabilities [11:15]

Goings on in Ubuntu Security Community

Moving Ubuntu Security Notices to ubuntu.com/security [11:34]

Get in contact

Kategorier
Förekommer på
00:00 -00:00