Episode 86

Overview

This week we discuss the recent announcement of a long-awaited native client for 1password, plus Google Chrome experiments with anti-phishing techniques, and we take a look at security updates for OpenJDK 8, Samba, NSS and more.

This week in Ubuntu Security Updates

13 unique CVEs addressed

[USN-4453-1] OpenJDK 8 vulnerabilities [01:03]

• 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14621
  • CVE-2020-14593
  • CVE-2020-14583
  • CVE-2020-14581
  • CVE-2020-14579
  • CVE-2020-14578
  • CVE-2020-14577
  • CVE-2020-14556
• Usual mix of issues for a Java update - sandbox escape, DoS, information disclosure etc

[USN-4451-2] ppp vulnerability [01:29]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • CVE-2020-15704
• Episode 85

[USN-4454-1, USN-4454-2] Samba vulnerability [01:50]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14303
• A remote attacker could send a zero length UDP packet to Samba when acting as a AD DC with NetBIOS over TCP (NBT) enabled - would effectively enter an infinite loop -> CPU-based DoS

[USN-4455-1] NSS vulnerabilities [02:41]

• 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-6829
  • CVE-2020-12401
  • CVE-2020-12400
• Fixes for various side-channel attacks against elliptic curve crypto implementations - could allow an attacker to infer the private key

Goings on in Ubuntu Security Community

Google Chrome 86 to only show domain in URL bar for phishing experiment [03:20]

• Will only show just the domain in the URL bar to select users to see if this helps avoid phishing
  • Presumably users will be less likely to mistake a URL like http://h.paypal.de-checking.net/de/ID.php?u=LhsdoOKJfsjdsdvg for a real paypay.com URL
• One way to help avoid phishing, particularly for credentials, is to use a password manager that associates credentials with the site in question - so it should only offer to say fill-in your paypal credentials on a paypal.com site - and if it does not this is a hint it is not legitimate
  • Has other benefits too like being able to autogenerate unique passwords per site, sync across devices etc

1password just launched a beta of their Linux client [06:46]

• https://discussions.agilebits.com/discussion/114964/1password-for-linux-development-preview
• https://snapcraft.io/1password

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter