Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 72

21 min • 24 april 2020

Overview

A huge number of CVEs fixed in the various Ubuntu releases, including for PHP, Git, Thunderbird, GNU binutils and more, plus Joe McManus discusses ROS with Sid Faber.

This week in Ubuntu Security Updates

93 unique CVEs addressed

[USN-4330-1] PHP vulnerabilities [01:03]

  • 5 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • php5, php7.0, php7.2, php7.3
  • get_headers() would silently truncate a URL containing a NUL terminator (\0) - so if used with user-supplied URL could get wrong details from the server
  • stack overflow in mb_strtolower() when handling UTF32-LE encoding
  • 1 byte buffer overread in handling EXIF data - info leak / crash
  • PHAR archives created with world readable permissions
  • NULL pointer dereference on file upload in certain situations -> crash

[USN-4331-1] WebKitGTK+ vulnerability [02:32]

  • 1 CVEs addressed in Bionic, Eoan
  • UAF when processing maliciously crafted web content

[USN-4332-1] File Roller vulnerability [02:51]

  • 1 CVEs addressed in Xenial, Bionic, Eoan
  • Possible directory traversal issue when extracting an archive where parent of file is a symlink pointing outside of the archive

[USN-4334-1] Git vulnerability [03:08]

  • 1 CVEs addressed in Xenial, Bionic, Eoan

[USN-4333-1] Python vulnerabilities [03:47]

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CRLF injection via an attacker controlled url parameter to urlopen() function in urllib

[USN-4335-1] Thunderbird vulnerabilities [04:09]

[USN-4336-1] GNU binutils vulnerabilities [04:46]

Goings on in Ubuntu Security Community

Joe McManus talks ROS & ROS2 with Sid Faber from the Ubuntu Security Team [06:26]

Get in contact

Kategorier
Förekommer på
00:00 -00:00