Ubuntu Security Podcast

Episode 64

23 min • 27 February 2020

Overview

This week we look at security updates for ppp, Squid, rsync + more, and Joe and Alex discuss the wide scope of the Ubuntu Security Team including some current open positions.

This week in Ubuntu Security Updates

19 unique CVEs addressed

[LSN-0063-1] Linux kernel vulnerability [00:43]

[USN-4279-2] PHP regression [01:51]

[USN-4288-1] ppp vulnerability [02:16]

  • 1 CVE addressed in Xenial, Bionic, Eoan
  • Included a check for a possible buffer overflow of an rhostname, but the check was incorrect :( so the buffer could still overflow - fixed by correcting the check

[USN-4289-1] Squid vulnerabilities [02:41]

  • 4 CVEs addressed in Xenial, Bionic, Eoan
  • Buffer overflow in NTLM credentials parser - out-of-process so would just result in a DoS
  • Buffer overflow when acting as a reverse proxy
  • Incorrect input validation leading to access to server resources which should have been prohibited
  • Info disclosure due to heap buffer over-read when acting as an FTP client from a malicious FTP server

[USN-4290-1] libpam-radius-auth vulnerability [03:26]

  • 1 CVE addressed in Xenial, Bionic, Eoan
  • Stack overflow in password field handling -> crash, DoS

[USN-4291-1] mod-auth-mellon vulnerability [03:49]

  • 1 CVE addressed in Bionic, Eoan
  • SAML 2.0 authentication module for Apache
  • Open redirect - didn't properly validate the ReturnTo substring of the login API endpoint - could allow an attacker to mount phishing attacks etc. by masquerading as another domain via the redirect
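
The usual fix for this class of bug is to treat ReturnTo as untrusted input and only ever redirect to a target on the site's own origin. The following is an added example of such a check (not mod_auth_mellon's own code, and the host name `sp.example.com`, the allow-list and the helper name `safe_return_to` are constructed for illustration). It handles the edge cases that commonly slip past a naive "starts with /" test: protocol-relative URLs, runs of leading slashes, backslashes, userinfo tricks and non-http schemes.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of this service provider's own host(s); constructed
# for this example. A real deployment would take it from configuration.
ALLOWED_HOSTS = {"sp.example.com"}
DEFAULT_LANDING = "/"


def safe_return_to(return_to, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a post-login redirect target that stays on our own site.

    Accepts: absolute paths ("/app/page?x=1") and absolute http(s) URLs whose
    authority is exactly one of allowed_hosts.
    Rejects (returns default): other hosts, protocol-relative URLs
    ("//evil.example", "///evil.example"), non-http(s) schemes ("javascript:"),
    scheme-without-authority forms ("https:evil.example"), backslashes
    (browsers treat "/\\evil.example" as an authority), userinfo tricks
    ("https://sp.example.com@evil.example/"), and control/whitespace chars.
    """
    if not return_to:
        return default
    # Reject control characters, whitespace and backslashes up front; urlsplit
    # would silently strip some of them and browsers treat "\" like "/".
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in return_to):
        return default
    # Browsers collapse any run of leading slashes into an authority
    # ("///x" becomes //x), so judge the raw string, not the parsed path.
    if return_to.startswith("//"):
        return default
    parts = urlsplit(return_to)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return default
        # Compare the whole authority, so userinfo or an unexpected port
        # cannot smuggle in a different host.
        if parts.netloc.lower() not in allowed_hosts:
            return default
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path or "/", parts.query, ""))
    if parts.netloc:  # unreachable after the "//" check, kept for clarity
        return default
    if not parts.path.startswith("/"):
        return default
    # Drop any fragment; it never reaches the server and is not needed here.
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

Anything that fails validation falls back to a fixed landing page rather than to a "cleaned up" version of the attacker's value; that keeps the decision binary and easy to log and alert on.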

[USN-4292-1] rsync vulnerabilities [04:33]

  • 4 CVEs addressed in Xenial, Bionic
  • All issues are in the vendored copy of zlib contained within rsync - various low-level memory management issues (discussed back in Episode 60 in the context of zlib, found as a result of a security audit a few years ago by Trail of Bits)

Goings on in Ubuntu Security Community

Alex and Joe discuss the larger scope of the Ubuntu Security Team and current open positions [05:05]

Kyle Fazzari’s ROS and Ubuntu Video Series

Robotics Security Engineer

Security Engineer - Certifications (FIPS, Common Criteria)

Ubuntu Security Engineer

Get in contact
