Overview
This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more,
plus we cover security news from the Ubuntu community including planning
for 16.04 LTS to transition to ESM, libgcrypt FIPS certified for 18.04 LTS
and a proposal for making home directories more secure for upcoming Ubuntu
releases as well.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-4638-1] c-ares vulnerability [01:00]
- 1 CVE addressed in Groovy (20.10)
- C library for performing async DNS requests and name resolution - a fork
of the ares library with additional support for IPv6, and 64-bit/cross
platform support
- In particular it is used by Node.js for DNS support - reported as a DoS via
a remote attacker who could cause a Node.js application to perform a DNS
request to a chosen host with a large number of DNS records - internally
this is a buffer over-read - c-ares would return data of length N but with a
purported length of >N - the bug is only in more recent releases so only
Groovy is affected
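The length mismatch described above, as an added example (not c-ares or Node.js code): a parser that writes N entries but reports more than N, its corrected form, and the caller-side check that stops the over-read. All names (`fill_buggy`, `fill_fixed`, `consume`, `CAP`) and the sample reply are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP 4 /* caller's array capacity (constructed value) */
/* Constructed sample: a reply carrying 8 records, more than CAP. */
static const uint32_t SAMPLE_REPLY[8] = {1, 2, 3, 4, 5, 6, 7, 8};

typedef void (*fill_fn)(const uint32_t *, size_t, uint32_t *, size_t *);

/* Hypothetical parser: *count is the capacity on entry, the record count on
 * return. Writes stay in bounds, but the reported count can exceed them. */
static void fill_buggy(const uint32_t *reply, size_t n_reply,
                       uint32_t *out, size_t *count)
{
    size_t cap = *count;
    for (size_t i = 0; i < n_reply && i < cap; i++)
        out[i] = reply[i];
    *count = n_reply; /* BUG: purported length may be > cap */
}

/* Corrected parser: reports only what it actually wrote. */
static void fill_fixed(const uint32_t *reply, size_t n_reply,
                       uint32_t *out, size_t *count)
{
    size_t n = n_reply < *count ? n_reply : *count;
    for (size_t i = 0; i < n; i++)
        out[i] = reply[i];
    *count = n;
}

/* Caller-side check: returns how many entries are safe to read, or -1 when
 * the parser reports more entries than the caller's array can hold. */
static long consume(fill_fn fill, const uint32_t *reply, size_t n_reply)
{
    uint32_t addrs[CAP];
    size_t count = CAP;
    fill(reply, n_reply, addrs, &count);
    if (count > CAP)
        return -1; /* looping to count here would read past addrs */
    return (long)count;
}

int main(void)
{
    printf("buggy: %ld\n", consume(fill_buggy, SAMPLE_REPLY, 8));
    printf("fixed: %ld\n", consume(fill_fixed, SAMPLE_REPLY, 8));
    return 0;
}
```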
[USN-4639-1] phpMyAdmin vulnerabilities [02:37]
- 13 CVEs addressed in Bionic (18.04 LTS)
- Various issues - multiple different instances of each of the following:
XSS, SQL injection, CSRF, sensitive info leaks etc
[USN-4637-2] Firefox vulnerabilities [03:08]
- 15 CVEs addressed in Xenial (16.04 LTS)
- Episode 97
- Xenial usually takes longer due to toolchain issues between the old
versions in Xenial vs the newer things used in Firefox (e.g. Rust etc)
[USN-4634-2] OpenLDAP vulnerabilities [03:57]
- 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
- Episode 97 - 2 DoS issues
[USN-4640-1] PulseAudio vulnerability [04:13]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
- Race condition in the snap policy module could allow a confined snap to
bypass snap PulseAudio restrictions - i.e. could record audio when only
authorised to play back audio
- https://twitter.com/JamesHenstridge/status/1331161130740248580
[USN-4641-1] libextractor vulnerabilities [06:20]
- 12 CVEs addressed in Xenial (16.04 LTS)
- Used to extract metadata from various file formats (HTML, PS, MS Office,
audio, images, video, archives, packages etc)
- NULL ptr deref, divide by zero, OOB read, infinite loop, stack buffer
overflows, heap buffer overflows etc
[USN-4642-1] PDFResurrect vulnerability [07:28]
- 1 CVE addressed in Xenial (16.04 LTS)
- Extract / manipulate revision info in PDFs
- OOB write
[USN-4643-1] atftp vulnerabilities [07:56]
- 2 CVEs addressed in Xenial (16.04 LTS)
- TFTP server / client
- NULL ptr deref due to race condition from missing mutex lock - different
threads can race on the same data -> DoS
- stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE
[USN-4644-1] igraph vulnerability [08:35]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- NULL ptr deref
Goings on in Ubuntu Security Community
Ubuntu 16.04 LTS moving to ESM webinar [08:52]
Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]
Private home directories for Ubuntu 21.04 onwards? [10:45]
Get in contact