Overview
A huge number of CVEs fixed in the various Ubuntu releases, including for
PHP, Git, Thunderbird, GNU binutils and more, plus Joe McManus discusses
ROS with Sid Faber.
This week in Ubuntu Security Updates
93 unique CVEs addressed
[USN-4330-1] PHP vulnerabilities [01:03]
- 5 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- php5, php7.0, php7.2, php7.3
- get_headers() would silently truncate a URL at an embedded NUL byte (\0) -
so software calling it with a user-supplied URL could end up talking to a
different server than the one it had validated, and get that server's details
- stack buffer overflow in mb_strtolower() when handling UTF-32LE encoded
input
- 1-byte buffer over-read when handling EXIF data - info leak / crash
- PHAR archives created with world-readable permissions
- NULL pointer dereference on file upload in certain situations -> crash
[USN-4331-1] WebKitGTK+ vulnerability [02:32]
- 1 CVE addressed in Bionic, Eoan
- use-after-free (UAF) when processing maliciously crafted web content
[USN-4332-1] File Roller vulnerability [02:51]
- 1 CVE addressed in Xenial, Bionic, Eoan
- Possible directory traversal when extracting an archive in which the parent
directory entry of a file is a symlink pointing outside the extraction
directory, so the file gets written outside it
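To make the File Roller item concrete, here is an added example (not File Roller's code): it builds a constructed tar archive in memory with exactly that pattern, a parent entry that is really a symlink to a directory outside the extraction root followed by an ordinary file underneath it, runs a naive extractor that follows the link, and then a member-by-member check that resolves each destination's real path against the root before writing. The directory names are temporary and made up for the example.

```python
"""Added example, not File Roller's code: constructed archive with a symlinked
parent directory, a naive extractor, and a checked extractor that resolves
real paths against the root before writing each member."""
import io
import os
import tarfile
import tempfile


def _filter_kw(name: str) -> dict:
    # tarfile gained extraction filters in 3.12 (backported to patch releases);
    # pass one explicitly where available so behaviour does not depend on version.
    return {"filter": name} if hasattr(tarfile, "data_filter") else {}


def _add_file(tar: tarfile.TarFile, name: str, payload: bytes) -> None:
    member = tarfile.TarInfo(name)
    member.size = len(payload)
    tar.addfile(member, io.BytesIO(payload))


def _add_symlink(tar: tarfile.TarFile, name: str, target: str) -> None:
    link = tarfile.TarInfo(name)
    link.type = tarfile.SYMTYPE
    link.linkname = target
    tar.addfile(link)


def build_malicious_tar(outside_dir: str) -> bytes:
    """Constructed archive: 'docs' is a symlink to outside_dir (made up for the
    demo), and 'docs/evil.txt' is a plain file whose parent is that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_symlink(tar, "docs", outside_dir)
        _add_file(tar, "docs/evil.txt", b"written outside the extraction root\n")
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed archive with a file and a relative symlink that stays inside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "docs/readme.txt", b"hello\n")
        _add_symlink(tar, "docs/latest", "readme.txt")
    return buf.getvalue()


def naive_extract(blob: bytes, dest: str) -> None:
    """Extracts members in order with no link checks (the old behaviour)."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for member in tar:
            tar.extract(member, dest, **_filter_kw("fully_trusted"))


def safe_extract(blob: bytes, dest: str) -> list:
    """Refuses a member whose parent, as it exists on disk right now (including
    links this same archive just created), resolves outside the root, and
    refuses links whose target resolves outside the root.  realpath() also
    normalises '..' and absolute names, so classic traversal is caught too."""
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for member in tar:
            target = os.path.join(root, member.name)
            parent = os.path.dirname(target)
            if os.path.commonpath([root, os.path.realpath(parent)]) != root:
                raise ValueError(f"{member.name}: parent resolves outside {root}")
            if member.issym() or member.islnk():
                link_target = os.path.realpath(os.path.join(parent, member.linkname))
                if os.path.commonpath([root, link_target]) != root:
                    raise ValueError(f"{member.name}: link target resolves outside {root}")
            tar.extract(member, root, **_filter_kw("data"))
            written.append(member.name)
    return written


def demo() -> dict:
    """Runs both extractors in temporary directories and reports the outcome."""
    with tempfile.TemporaryDirectory() as outside, \
         tempfile.TemporaryDirectory() as naive_root, \
         tempfile.TemporaryDirectory() as safe_root:
        blob = build_malicious_tar(outside)
        naive_extract(blob, naive_root)
        escaped = os.path.isfile(os.path.join(outside, "evil.txt"))
        try:
            safe_extract(blob, safe_root)
            refused = None
        except ValueError as exc:
            refused = str(exc)
        benign_written = safe_extract(build_benign_tar(), safe_root)
        return {"naive_wrote_outside": escaped, "safe_refused": refused,
                "safe_written": benign_written}


if __name__ == "__main__":
    print(demo())
```

The point of resolving the parent on every member, rather than only inspecting each entry's own name, is that the dangerous entry ("docs/evil.txt") looks perfectly ordinary; what makes it escape is a link that an earlier member created. Where Python 3.12's `tarfile` filters are available, `filter="data"` performs this class of check itself, and the block models what has to be done by hand elsewhere.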
[USN-4334-1] Git vulnerability [03:08]
- 1 CVE addressed in Xenial, Bionic, Eoan
[USN-4333-1] Python vulnerabilities [03:47]
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- CRLF injection via an attacker-controlled URL passed to the urlopen()
function in urllib - carriage return / line feed characters in the URL end up
in the HTTP request, so extra headers can be injected
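The PHP get_headers() item above and this urllib item are the same class of bug seen from two sides: a control character in a user-supplied URL that the validating code and the fetching code interpret differently. The following is an added example (not code from the advisories, from PHP or from CPython) that models both, a NUL truncating what a C-backed fetcher sees and a CRLF pair in the host landing in the request header block, and then shows the check an application should make on the raw input before parsing it. The host names and the allowlist are made up for the example.

```python
"""Added example, not code from the advisories, PHP or CPython: models the NUL
truncation and CRLF injection of user-supplied URLs, and the raw-input check
that prevents both.  Hosts and allowlist are made up."""
from urllib.parse import urlsplit, SplitResult

ALLOWED_HOSTS = {"api.example.com"}      # assumed application allowlist
CONTROL_CHARS = frozenset("\x00\r\n")


def c_string_view(url: str) -> str:
    """What a C-backed API sees when handed a string with an embedded NUL:
    everything after the first NUL is gone.  Models the get_headers() bug,
    where the part the application validated is exactly the part that is lost."""
    return url.split("\x00", 1)[0]


def naive_allowed(url: str) -> bool:
    """Typical flawed check: a suffix match on the raw string."""
    return url.startswith("http://") and url.endswith(".example.com")


def naive_request_line(host: str, path: str = "/") -> bytes:
    """A client that writes the host straight into the request.  A CR/LF pair
    inside host ends the Host: line early, so whatever follows becomes an
    attacker-chosen header: the urllib CRLF injection."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def checked_url(url: str) -> SplitResult:
    """Hardened entry point.  Reject control characters on the raw string
    first: current Python versions strip \\r and \\n inside urlsplit(), so a
    check made after parsing would never see them.  Then allowlist the parsed
    host, not the raw string."""
    if any(ch in CONTROL_CHARS for ch in url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} not allowlisted")
    return parts


def rejected(url: str) -> bool:
    """True if checked_url() refuses the URL."""
    try:
        checked_url(url)
    except ValueError:
        return True
    return False


# Constructed attacker inputs.
NUL_URL = "http://attacker.test\x00.example.com"
CRLF_HOST = "api.example.com\r\nX-Injected: 1"

if __name__ == "__main__":
    # The naive suffix check passes, but the truncated URL points elsewhere.
    print(naive_allowed(NUL_URL), "->", c_string_view(NUL_URL))
    # The injected header is visible in the raw request.
    print(naive_request_line(CRLF_HOST))
    for bad in (NUL_URL, "http://" + CRLF_HOST + "/"):
        print(repr(bad), "rejected:", rejected(bad))
    print(checked_url("https://api.example.com/v1").hostname)
```

Two design choices matter here: the control-character check runs on the raw string because parsers may normalise such characters away, and the allowlist compares the parsed host against exact names rather than suffix-matching the raw URL, which is what let the NUL-truncated input through.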
[USN-4335-1] Thunderbird vulnerabilities [04:09]
- 39 CVEs addressed in Xenial
- Updated to latest upstream version 68.7.0
[USN-4336-1] GNU binutils vulnerabilities [04:46]
- 44 CVEs addressed in Bionic
- Huge update covering many issues - thanks Marc Deslauriers - mostly low
severity issues such as memory leaks in functions or utilities that run once
and exit, or that are assumed to process only trusted input
- Often requested by customers who run vulnerability scanners - the scanners
flag many open issues but don't weigh severity - only 3 of the 44 were rated
medium severity
Goings on in Ubuntu Security Community
Joe McManus talks ROS & ROS2 with Sid Faber from the Ubuntu Security Team [06:26]
Get in contact