Overview
This week we cover security updates for Apache, Twisted, Vim, a kernel
livepatch and more, plus Alex and Joe discuss OVAL data feeds and the
cvescan snap for vulnerability awareness.
This week in Ubuntu Security Updates
16 unique CVEs addressed
[USN-4307-1] Apache HTTP Server update [00:24]
- TLSv1.3 enabled in Ubuntu 18.04 LTS (bionic)
[LSN-0064-1] Linux kernel vulnerability [01:03]
- 1 CVE addressed in Xenial, Bionic
- KVM nested virtualisation issue (L2 guest could access resources of L1
parent) - Episode 67
[USN-4308-1] Twisted vulnerabilities [02:07]
- 7 CVEs addressed in Xenial, Bionic, Eoan
- 2 variations of an HTTP request splitting / smuggling vuln (Episode 52)
- 3 HTTP/2 DoS issues (Episode 43)
- MITM of XMPP TLS connections due to failure to verify certs
- Failure to sanitize URIs or HTTP methods in twisted.web
[USN-4309-1] Vim vulnerabilities [03:53]
- 7 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- All low / negligible since each requires a user to use vim to source a
  crafted file (i.e. a list of commands / settings for vim) or open a crafted
  undo file / spelling dictionary etc.
- Integer overflows -> heap overflows -> DoS / RCE etc.
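The "integer overflow -> heap overflow" chain in the Vim bullet is worth seeing concretely. The snippet below is an added illustration, not Vim's code and not tied to any specific CVE in USN-4309-1: a hypothetical file format whose header carries an entry count (as an undo file or spelling dictionary might), where the byte-size computation `count * elem_size` is done in a 32-bit type. The unchecked path wraps to a tiny allocation that the later copy would overrun; the checked path rejects the header before any allocation. The header bytes and the `entry_size` constant are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed example format: 4-byte little-endian entry count, then
 * 'entry_size' bytes per entry. Both names are hypothetical. */
#define ENTRY_SIZE 4u

/* Parse the entry count from an untrusted header (no validation yet). */
uint32_t read_entry_count(const unsigned char *hdr) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8)
         | ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Vulnerable pattern: the multiply is done in uint32_t and silently wraps
 * modulo 2^32, so a huge count yields a tiny byte size. A loop that later
 * copies 'count' entries into this buffer writes past the end of the heap
 * chunk. Returned here so the wrap can be observed instead of acted on. */
uint32_t unchecked_byte_size(uint32_t count) {
    return count * ENTRY_SIZE;
}

/* Hardened pattern: test for overflow before multiplying, using a division
 * that cannot itself overflow. Returns 1 and stores the size on success,
 * 0 if count * ENTRY_SIZE does not fit in size_t. */
int checked_byte_size(size_t count, size_t *out) {
    if (count > SIZE_MAX / ENTRY_SIZE)
        return 0;
    *out = count * ENTRY_SIZE;
    return 1;
}

/* Allocate space for the entries named in an untrusted header, or return
 * NULL if the count is implausible or the size computation would overflow.
 * 'max_entries' is a sanity cap a real parser would also apply. */
void *alloc_entries_from_header(const unsigned char *hdr, size_t max_entries) {
    uint32_t count = read_entry_count(hdr);
    size_t bytes;
    if (count > max_entries || !checked_byte_size(count, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Constructed header: entry count 0x40000001. Multiplied by 4 this is
 * 0x100000004, which wraps to 4 in 32-bit arithmetic. */
const unsigned char CRAFTED_HEADER[4] = { 0x01, 0x00, 0x00, 0x40 };

/* Constructed benign header: entry count 10. */
const unsigned char BENIGN_HEADER[4] = { 0x0a, 0x00, 0x00, 0x00 };

int main(void) {
    /* Unchecked size for the crafted header is 4 bytes, not ~4 GiB. */
    uint32_t wrapped = unchecked_byte_size(read_entry_count(CRAFTED_HEADER));
    void *p = alloc_entries_from_header(CRAFTED_HEADER, 1u << 20);
    void *q = alloc_entries_from_header(BENIGN_HEADER, 1u << 20);
    free(p);
    free(q);
    return (wrapped == 4 && p == NULL && q != NULL) ? 0 : 1;
}
```

On 64-bit builds the same multiply in `size_t` would not wrap for a 32-bit count, which is why these bugs often surface only where the size is held in a narrower type or where the count itself is 64-bit; the division check works regardless of width.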
[USN-4134-3] IBus vulnerability [04:49]
- 1 CVE addressed in Xenial, Bionic, Eoan
- Episode 47 - implements its own private DBus server which clients
  connect to - original vuln allowed any user who knew the address of this bus
  to connect to it - the update fixed this by checking that the connecting user
  was the same as the owning user - but this caused a regression in Qt clients -
  they would fail to properly connect to ibus - so the fix was reverted - this
  has since been fixed by correcting the GDBusServer implementation in libglib2,
  which was actually incorrect - and so now the fix has been re-applied in ibus
Goings on in Ubuntu Security Community
Alex and Joe discuss Ubuntu Security OVAL feeds and cvescan [06:47]
Securing open source through CVE prioritisation [15:56]
Get in contact