Overview
This week we discuss the recent announcement of a long-awaited native Linux
client for 1Password, plus Google Chrome's experiment with an anti-phishing
change to the URL bar, and we take a look at security updates for OpenJDK 8,
Samba, NSS and more.
This week in Ubuntu Security Updates
13 unique CVEs addressed
[USN-4453-1] OpenJDK 8 vulnerabilities [01:03]
- 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Usual mix of issues for a Java update - sandbox escape, DoS, information
disclosure etc
[USN-4451-2] ppp vulnerability [01:29]
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
- See Episode 85
Samba vulnerability
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM),
Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- A remote attacker could send a zero-length UDP packet to Samba when it is
acting as an AD DC with NetBIOS over TCP (NBT) enabled - Samba would
effectively enter an infinite loop -> CPU-based DoS
[USN-4455-1] NSS vulnerabilities [02:41]
- 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Fixes for various side-channel attacks against elliptic curve crypto
implementations - could allow an attacker to infer the private key
Goings on in Ubuntu Security Community
Google Chrome 86 to only show domain in URL bar for phishing experiment [03:20]
- Only the domain will be shown in the URL bar for a subset of users, to see
whether this helps them spot phishing sites
- One way to help avoid phishing, particularly credential phishing, is to use a
password manager that associates credentials with the site they were saved
on - it should only offer to fill in your PayPal credentials on a paypal.com
site, and if it does not offer them that is a hint the site is not legitimate
- Has other benefits too, like being able to autogenerate unique passwords
per site, sync across devices etc
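The site-binding check described above, as an added example that is not code from the podcast or from any real password manager: each saved login is keyed to the site it was saved on, and is only offered when the page's hostname is that site or a subdomain of it. The vault entries, the sample URLs and the helper names (`hostMatchesSite`, `offerCredentials`, `naiveOffer`, `lookalikeWarning`) are all constructed for illustration. Real managers use the Public Suffix List to decide what counts as "the site"; this example simplifies that to a stored registrable domain. The deliberately weak `naiveOffer` is included only to show why a substring match on the URL is not enough.

```javascript
// Added example: how a password manager binds saved credentials to a site
// and refuses to offer them on lookalike hosts. Not code from the podcast
// or from any real password manager; vault entries and URLs are constructed.

// Constructed vault. "site" is assumed to be the registrable domain the
// login was saved on (a real manager derives it via the Public Suffix List).
const VAULT = [
  { site: "paypal.com", username: "alice", password: "correct horse battery" },
  { site: "example.org", username: "alice@example.org", password: "hunter2" },
];

// True if host is exactly the site or a subdomain of it. The leading dot in
// the suffix test is what stops "paypal.com.evil.example" and
// "notpaypal.com" from matching "paypal.com".
function hostMatchesSite(host, site) {
  host = host.toLowerCase();
  site = site.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Site-bound matching: returns the usernames a manager should offer for url.
// Only https pages get credentials, and only when the hostname belongs to
// the site the entry was saved on.
function offerCredentials(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return []; // unparsable URL: offer nothing
  }
  if (u.protocol !== "https:") return [];
  return VAULT.filter((e) => hostMatchesSite(u.hostname, e.site)).map((e) => e.username);
}

// Deliberately weak matching for contrast: a substring test over the whole
// URL, which a phisher satisfies by putting the brand anywhere in the URL
// (a subdomain of their own host, or even a query parameter).
function naiveOffer(url) {
  const lower = url.toLowerCase();
  return VAULT.filter((e) => lower.includes(e.site)).map((e) => e.username);
}

// The "hint" from the discussion above: a page that looks like a saved site
// (the naive match fires) but does not get an offer from the bound match
// is either a lookalike host or an insecure transport, and deserves a
// warning rather than an autofill.
function lookalikeWarning(url) {
  return naiveOffer(url).length > 0 && offerCredentials(url).length === 0;
}

// Constructed URLs: the real site, two lookalikes and a downgrade to http.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "https://www.paypal.com.account-verify.example/signin",
  "https://evil.example/login?next=https://paypal.com/",
  "http://www.paypal.com/signin",
];

for (const url of SAMPLES) {
  console.log(url, "bound:", offerCredentials(url), "naive:", naiveOffer(url),
    "warn:", lookalikeWarning(url));
}
```

Run with `node` to see that only the first sample gets an offer from the bound match, while the naive match would happily fill the saved PayPal login on all four. The subdomain rule is a simplification: with a stored site of `co.uk` it would match every UK domain, which is exactly why real managers consult the Public Suffix List before treating something as a site boundary.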
1Password just launched a beta of their Linux client [06:46]
Get in contact