Overview
This week we cover news of the CITL drop of 7000 “vulnerabilities” and the
Ubuntu Security disclosure and embargo policy, plus we look at security
updates for pip, blueman, the Linux kernel and more.
This week in Ubuntu Security Updates
117 unique CVEs addressed
[USN-4596-1] Tomcat vulnerabilities [01:01]
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-4587-1] iTALC vulnerabilities
- 19 CVEs addressed in Xenial (16.04 LTS)
[USN-4588-1] FlightGear vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4552-2] Pam-python vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4597-1] mod_auth_mellon vulnerabilities
- 3 CVEs addressed in Xenial (16.04 LTS)
[USN-4598-1] LibEtPan vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
- 5 CVEs addressed in Bionic (18.04 LTS), 4 CVEs addressed in Xenial (16.04 LTS)
[USN-4601-1] pip vulnerability [01:34]
- 1 CVE addressed in Bionic (18.04 LTS)
- pip failed to sanitise the filename it derived from the server's
Content-Disposition header when `pip install` was given a URL on the
command line - a remote attacker controlling that server could supply a
header that instructs pip to overwrite arbitrary files
- 7 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
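To make the pip issue concrete, here is an added example (not pip's own code) that contrasts the flawed pattern of joining a server-supplied Content-Disposition filename straight onto the download directory with a hardened version that keeps only the basename and confirms the result stays inside that directory; the header values are constructed.

```python
import os
import re
from pathlib import Path

# Constructed header values, as a downloader might receive them from a server
# while fetching a package from a URL given on the command line.
BENIGN_HEADER = 'attachment; filename="example-1.0.tar.gz"'
TRAVERSAL_HEADER = 'attachment; filename="../../../home/user/.bashrc"'

_FILENAME_RE = re.compile(r'filename="?([^";]+)"?')


def filename_from_content_disposition(header):
    """Return the raw filename token from a Content-Disposition header, or None."""
    m = _FILENAME_RE.search(header or "")
    return m.group(1).strip() if m else None


def unsafe_target_path(download_dir, header):
    """Flawed pattern: join the server-supplied name directly.

    os.path.join follows '..' segments, so the result can land anywhere the
    downloading user may write. Shown for contrast only."""
    name = filename_from_content_disposition(header) or "download"
    return os.path.normpath(os.path.join(download_dir, name))


def safe_target_path(download_dir, header):
    """Hardened pattern: keep only the basename, reject empty or dot-only
    names, then verify the resolved path is still inside download_dir."""
    name = filename_from_content_disposition(header) or "download"
    # Strip directory components written with either separator style.
    name = os.path.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        name = "download"
    base = Path(download_dir).resolve()
    target = (base / name).resolve()
    # Defence in depth: basename should already guarantee this, but check anyway.
    if base not in target.parents:
        raise ValueError("refusing to write outside %s: %s" % (base, target))
    return str(target)
```

The flawed helper maps the traversal header to `/home/user/.bashrc`, while the hardened one confines the same header to `.bashrc` inside the download directory.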
[LSN-0073-1] Linux kernel vulnerability [03:02]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- BleedingTooth (Episode 93)
[USN-4593-2] FreeType vulnerability [03:23]
- 1 CVE addressed in Trusty ESM (14.04 ESM)
- Episode 93
[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]
- 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4562-2] kramdown vulnerability
- 1 CVE addressed in Groovy (20.10)
[USN-4605-1] Blueman vulnerability [04:10]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Reported to Ubuntu by Vaisha Bernard - worked with the upstream blueman devs
& Debian maintainers to get this resolved - thanks :)
- Blueman provides a D-Bus API to spawn a DHCP client when doing
Bluetooth-based networking
- It did not sanitise the provided argument and passed it directly to
dhcpcd, which supports specifying a script file to run - this script gets
executed as root, so this is a simple local root privilege escalation
- Fixed by changing the way the argument is provided to dhcpcd so that it
cannot pass arbitrary flags
- Should also note that by default Ubuntu uses isc-dhcp-client, not dhcpcd,
so unless you have manually installed dhcpcd this cannot be exploited
[USN-4583-2] PHP vulnerabilities
- 2 CVEs addressed in Groovy (20.10)
[USN-3081-2] Tomcat vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4603-1] MariaDB vulnerabilities
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4604-1] MySQL vulnerabilities
- 49 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
[USN-4607-1] OpenJDK vulnerabilities
- 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
[USN-4608-1] ca-certificates update [06:41]
- Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Updates to the latest from Mozilla - removes some root CAs (expired etc)
and adds some new ones too
Goings on in Ubuntu Security Community
Ubuntu Security disclosure and embargo policy [07:17]
- https://ubuntu.com/security/disclosure-policy
- How to report an issue to us (LP / [email protected])
- Scope (Ubuntu archive + Canonical software / infrastructure -
coordination etc)
- What to expect from us
- Disclosure timelines (within 1 week after updates provided, prefer
exploits etc kept private for at least 1 week after fixes available)
- Safe harbour (welcome research into the software we provide but no active
probing of Canonical infra/services)
CITL releases high level details of 7000 defects [09:06]
- https://cyber-itl.org/2020/10/28/citl-7000-defects.html
- 7000 defects/vulns across 3243 packages from Ubuntu 18.04
- Automated static / dynamic analysis system (fuzzing?)
- Provide a list of binaries / packages and the type of ‘vuln’ (SIGSEGV
etc) - without reproducers etc
- Expect package maintainers to contact them to request full details
- Some package maintainers / upstreams will likely contact but we expect
this to be in the minority
- Not really possible for @ubuntu_sec to triage and handle all of these, but
it will likely be a collective effort between distros to try and analyse
them all if CITL are willing to provide details
- Without a collective effort unlikely that CVEs will get assigned and so
fixes could be missed if various upstreams just contact and fix these
themselves
- Lots of open questions as to how this will play out…
Get in contact