Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 94

14 min • 30 oktober 2020

Overview

This week we cover news of the CITL drop of 7000 “vulnerabilities”, the Ubuntu Security disclosure and embargo policy plus we look at security updates for pip, blueman, the Linux kernel and more.

This week in Ubuntu Security Updates

117 unique CVEs addressed

[USN-4596-1] Tomcat vulnerabilities [01:01]

[USN-4587-1] iTALC vulnerabilities

[USN-4588-1] FlightGear vulnerability

[USN-4552-2] Pam-python vulnerability

[USN-4597-1] mod_auth_mellon vulnerabilities

[USN-4598-1] LibEtPan vulnerability

[USN-4600-1, USN-4600-2] Netty vulnerabilities

[USN-4601-1] pip vulnerability [01:34]

  • 1 CVEs addressed in Bionic (18.04 LTS)
  • Failed to sanitize filenames during pip install if provided a URL in the install command - could allow a remote attacker to provide a Content-Disposition header that instructs pip to overwrite arbitrary files

[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]

[LSN-0073-1] Linux kernel vulnerability [03:02]

[USN-4593-2] FreeType vulnerability [03:23]

[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]

[USN-4562-2] kramdown vulnerability

[USN-4605-1] Blueman vulnerability [04:10]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs & Debian maintainers to get this resolved - thanks :)
  • Blueman provides a dbus API to spawn DHCP client when doing bluetooth-based networking
  • Would not sanitise the provided argument and would pass this directly to dhcpcd which supports specifying a script file to run - this gets executed as root so is a simple local root-privesc
  • Fixed to change the way the argument is provided to dhcpcd so that it cannot pass arbitrary flags
  • Should also note, by default on Ubuntu we use isc-dhcp-client not dhcpcd so unless you have manually installed it, this cannot be exploited

[USN-4583-2] PHP vulnerabilities

[USN-3081-2] Tomcat vulnerability

[USN-4603-1] MariaDB vulnerabilities

[USN-4604-1] MySQL vulnerabilities

[USN-4607-1] OpenJDK vulnerabilities

[USN-4608-1] ca-certificates update [06:41]

  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Updates to the latest from Mozill a - removes some root CAs (expired etc) and adds some new ones too

Goings on in Ubuntu Security Community

Ubuntu Security disclosure and embargo policy [07:17]

  • https://ubuntu.com/security/disclosure-policy
  • How to report an issue to us (LP / [email protected])
  • Scope (Ubuntu archive + Canonical software / infrastructure - coordination etc)
  • What to expect from us
  • Disclosure timelines (within 1 week after updates provided, prefer exploits etc kept private for at least 1 week after fixes available)
  • Safe harbour (welcome research into the software we provide but no active probing of Canonical infra/services)

CITL releases high level details of 7000 defects [09:06]

  • https://cyber-itl.org/2020/10/28/citl-7000-defects.html
  • 7000 defects/vulns across 3243 packages from Ubuntu 18.04
  • Automated static / dynamic analysis system (fuzzing?)
  • Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV etc) - without reproducers etc
  • Expect package maintainers to contact them to request full details
  • Some package maintainers / upstreams will likely contact but we expect this to be in the minority
  • Not really possible for @ubuntu_sec to triage and handle all of these but will likely be a collective effort between distros to try and analyse these all if CITL are willing to provide details
  • Without a collective effort unlikely that CVEs will get assigned and so fixes could be missed if various upstreams just contact and fix these themselves
  • Lots of open questions as to how this will play out…

Get in contact

Kategorier
Förekommer på
00:00 -00:00