Overview
This week we look at security updates for ppp, Squid, rsync and more, and Joe
and Alex discuss the wide scope of the Ubuntu Security Team, including some
current open positions.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[LSN-0063-1] Linux kernel vulnerability [00:43]
[USN-4279-2] PHP regression [01:51]
- 3 CVEs addressed in Xenial
- Discussed in Episode 63: the upstream fix for CVE-2015-9253 introduced a
memory leak, so this update backs that fix out
[USN-4288-1] ppp vulnerability [02:16]
- 1 CVE addressed in Xenial, Bionic, Eoan
- Included a check for a possible buffer overflow on rhostname, but the
check compared the wrong quantities :( so the overflow was still possible -
fixed by making the check correct
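To make the "check was incorrect" point concrete, here is an added illustration modelled on the pattern the advisory describes (constructed for these notes, not ppp's own code): a peer name that follows a value field in a packet is copied into a fixed-size stack buffer, and the guard meant to truncate it compares the wrong lengths, so it never fires. The parameter names `vallen`/`len`, the 256-byte buffer and the packet layout are assumptions.

```c
/* Constructed model of a name-copy guard that compares the wrong lengths
 * (added illustration, not ppp's code). The peer name follows a value field
 * inside a packet: inp points at the value, vallen is the value's length,
 * len is the number of bytes left in the packet, so the name occupies
 * len - vallen bytes starting at inp + vallen. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* assumed size of the fixed name buffer */

/* Bytes the copy would move under the wrong guard. Comparing vallen against
 * len + bufsz is never true for a well-formed packet (vallen <= len), so the
 * truncation path is skipped and len - vallen bytes are copied regardless
 * of how big the destination buffer is. */
static size_t copy_len_wrong_check(size_t vallen, size_t len, size_t bufsz)
{
    if (vallen >= len + bufsz)
        return bufsz - 1;          /* "trim" path, effectively unreachable */
    return len - vallen;           /* may exceed bufsz */
}

/* Correct guard: compare the number of bytes about to be copied with the
 * space available, truncating to bufsz - 1 to leave room for the NUL. */
static size_t copy_len_right_check(size_t vallen, size_t len, size_t bufsz)
{
    if (len - vallen >= bufsz)
        return bufsz - 1;
    return len - vallen;
}

/* Does a copy of n bytes plus a terminating NUL fit in a buffer of bufsz? */
static bool fits(size_t n, size_t bufsz)
{
    return n < bufsz;
}

/* Hardened extraction: validates the packet lengths first, then copies with
 * the correct guard. Returns the number of name bytes stored, or (size_t)-1
 * if the packet claims more value bytes than remain. */
static size_t extract_name(const unsigned char *inp, size_t vallen, size_t len,
                           char *out, size_t outsz)
{
    if (vallen > len || outsz == 0)
        return (size_t)-1;
    size_t n = copy_len_right_check(vallen, len, outsz);
    memcpy(out, inp + vallen, n);
    out[n] = '\0';
    return n;
}

/* Build a constructed payload: vallen bytes of value followed by a name of
 * namelen bytes. Returns the total length (the "len" a parser would see). */
static size_t build_packet(unsigned char *pkt, size_t vallen, size_t namelen)
{
    memset(pkt, 'V', vallen);
    memset(pkt + vallen, 'N', namelen);
    return vallen + namelen;
}

int main(void)
{
    unsigned char pkt[2048];
    char name[NAME_BUF];
    size_t vallen = 16;
    size_t len = build_packet(pkt, vallen, 1000); /* 1000-byte peer name */

    size_t bad = copy_len_wrong_check(vallen, len, NAME_BUF);
    printf("wrong check would copy %zu bytes into %d (%s)\n", bad, NAME_BUF,
           fits(bad, NAME_BUF) ? "fits" : "overflow");
    size_t n = extract_name(pkt, vallen, len, name, sizeof name);
    printf("hardened copy stored %zu bytes: %.10s...\n", n, name);
    return 0;
}
```

The lesson generalises beyond this one advisory: a bounds check is only as good as the quantity it compares, so the test should be written directly against the length passed to the copy, not against some other field from which that length is derived.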
[USN-4289-1] Squid vulnerabilities [02:41]
- 4 CVEs addressed in Xenial, Bionic, Eoan
- Buffer overflow in the NTLM credentials parser - the parser runs
out-of-process, so the result is just a DoS
- Buffer overflow when acting as a reverse proxy
- Incorrect input validation leading to access to server resources which
should have been prohibited
- Info disclosure due to heap buffer over-read when acting as an FTP client
from a malicious FTP server
[USN-4290-1] libpam-radius-auth vulnerability [03:26]
- 1 CVE addressed in Xenial, Bionic, Eoan
- Stack-based buffer overflow in password field handling -> crash, DoS
[USN-4291-1] mod-auth-mellon vulnerability [03:49]
- 1 CVE addressed in Bionic, Eoan
- SAML 2.0 authentication module for Apache
- Open redirect - didn't properly validate the ReturnTo parameter of the
login API endpoint, so a crafted login link could redirect users to an
attacker-controlled site, enabling phishing attacks that appear to originate
from the trusted domain
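An added example of the kind of check a ReturnTo parameter needs (constructed for these notes, not mod_auth_mellon's code): accept only a path-relative URL that starts with a single "/", or an absolute http(s) URL whose authority exactly matches the server's own host. The function name `returnto_allowed`, the example hostnames and the sample URLs are assumptions.

```c
/* Constructed ReturnTo validator for a SAML login endpoint (added
 * illustration, not mod_auth_mellon's code). Policy: allow a path-only
 * relative URL that starts with exactly one "/" ("//evil.example" and
 * "/\evil.example" are scheme-relative in browsers and are rejected), or an
 * absolute http(s) URL whose whole authority equals own_host. Anything else
 * is rejected. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test; stops at the first mismatch so it never
 * reads past the end of a shorter s. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Returns true only if url is safe to redirect to for a server whose own
 * authority is own_host ("host" or "host:port", compared case-insensitively). */
static bool returnto_allowed(const char *url, const char *own_host)
{
    if (url == NULL || *url == '\0')
        return false;

    /* Relative URL: must start with "/" but not "//" or "/\". */
    if (url[0] == '/')
        return url[1] != '/' && url[1] != '\\';

    /* Absolute URL: only http:// and https:// are accepted. */
    const char *rest;
    if (has_prefix_ci(url, "https://"))
        rest = url + 8;
    else if (has_prefix_ci(url, "http://"))
        rest = url + 7;
    else
        return false;          /* javascript:, data:, mailto:, ... */

    /* The authority ends at the first "/", "?", "#" or end of string. A
     * backslash also ends it because some browsers treat "\" as "/". */
    size_t alen = strcspn(rest, "/?#\\");
    if (alen == 0)
        return false;

    /* Userinfo lets "https://own.example@evil.example" pass a naive prefix
     * check on the host, so reject any "@" in the authority outright. */
    if (memchr(rest, '@', alen) != NULL)
        return false;

    /* Exact, case-insensitive match of the whole authority: a prefix match
     * would let "own.example.evil.example" or "own.example:8443" through. */
    if (strlen(own_host) != alen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)rest[i]) != tolower((unsigned char)own_host[i]))
            return false;
    return true;
}

int main(void)
{
    const char *host = "sp.example.org";
    const char *cases[] = {               /* constructed sample inputs */
        "/protected/app",
        "//evil.example/phish",
        "/\\evil.example",
        "https://sp.example.org/protected/app",
        "HTTPS://SP.EXAMPLE.ORG/",
        "https://sp.example.org.evil.example/",
        "https://sp.example.org@evil.example/",
        "https://evil.example/?u=https://sp.example.org",
        "javascript:alert(1)",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-50s %s\n", cases[i],
               returnto_allowed(cases[i], host) ? "allowed" : "rejected");
    return 0;
}
```

The point of matching the entire authority, rather than checking that the URL starts with the expected host, is that every one of the rejected cases above is a string that does begin with, or contain, the trusted hostname.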
[USN-4292-1] rsync vulnerabilities [04:33]
- 4 CVEs addressed in Xenial, Bionic
- All issues are in the vendored copy of zlib contained within rsync -
various low-level memory management bugs (discussed back in Episode 60 in
the context of zlib itself; they came out of a security audit of zlib a few
years ago by Trail of Bits)
Goings on in Ubuntu Security Community
Alex and Joe discuss the larger scope of the Ubuntu Security Team and current open positions [05:05]
Kyle Fazzari’s ROS and Ubuntu Video Series
Robotics Security Engineer
Security Engineer - Certifications (FIPS, Common Criteria)
Ubuntu Security Engineer
Get in contact