Overview
This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU,
containerd, Linux kernel & more, plus we discuss the 2020 State of the
Octoverse Security Report from Github, Launchpad GPG keyserver migration, a
new AppArmor release & some open positions on the team.
This week in Ubuntu Security Updates
68 unique CVEs addressed
[USN-4645-1] Mutt vulnerability [00:59]
- 1 CVE addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- When connecting to an IMAP server, if the first response from the server
was invalid, Mutt would fail to properly terminate the connection and could
continue trying to authenticate, and hence send credentials in the clear.
[USN-4646-1] poppler vulnerabilities [01:44]
- 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- Various memory corruption issues; all can be used for DoS, some possibly for RCE
[USN-4646-2] poppler regression
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- CVE-2019-10871
- Some applications linked against poppler would fail, so this fix was backed
out for now
[USN-4647-1] Thunderbird vulnerabilities [02:25]
- 13 CVEs addressed in Groovy (20.10)
- 78.5.0
- Usual web rendering type vulns - denial of service, obtain sensitive
information across origins, bypass security restrictions, conduct
phishing attacks, conduct cross-site scripting (XSS) attacks, bypass
Content Security Policy (CSP) restrictions, conduct DNS rebinding
attacks, or execute arbitrary code.
[USN-4648-1] WebKitGTK vulnerabilities [03:21]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Déjà vu with Thunderbird above: update to the latest upstream version (2.30.3), fixing the same sorts of
vulns, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
[USN-4649-1] xdg-utils vulnerability [03:54]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Could cause files to be attached by not sanitizing mailto:?attach= -
particularly relevant to Thunderbird - so if a user is not paying attention, they could
attach, say, a sensitive local file to the outgoing email
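The sanitization that was missing: an added example (not xdg-utils' own code) that keeps only the standard mailto: header fields and drops anything else, so a Thunderbird-specific attach= parameter never reaches the mail client. The allowed-header set and the sample URIs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

# Header fields a mailto: URI may legitimately carry (RFC 6068 defines to,
# cc, bcc, subject, body and in-reply-to). Using an allowlist means the
# non-standard attach= / attachment= keys, and any future variant, are
# dropped without having to enumerate them.
ALLOWED_HEADERS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}


def sanitize_mailto(uri: str):
    """Return (clean_uri, dropped_keys) for a mailto: URI.

    Only allowlisted header fields survive; the recipient part before '?'
    is passed through unchanged. Raises ValueError for other schemes.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI")
    recipients = parts.path  # "user@example.com" portion before '?'
    kept, dropped = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # Case-insensitive match: mail clients treat Attach= like attach=
        if key.lower() in ALLOWED_HEADERS:
            kept.append((key, value))
        else:
            dropped.append(key)
    # quote (not quote_plus): mailto bodies use %20 for spaces, never '+'
    query = urlencode(kept, quote_via=quote)
    clean = f"mailto:{recipients}" + (f"?{query}" if query else "")
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample: a link that would silently attach a local file
    sample = "mailto:alice@example.com?subject=Report&attach=/etc/passwd&body=See%20attached"
    clean, dropped = sanitize_mailto(sample)
    print(clean)           # the attach= parameter is gone
    print("dropped:", dropped)
```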
[USN-4382-2] FreeRDP vulnerabilities [05:09]
- 13 CVEs addressed in Bionic (18.04 LTS)
- Covered in Episode 78 for Xenial, now fixed for Bionic
[USN-4650-1] QEMU vulnerabilities [05:29]
- 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Possible host RCE from guest via incorrect handling of SDHCI device
emulation but mitigated when using libvirt by AppArmor profile
- Various issues with USB and other device emulation, crash -> DoS
[USN-4651-1] MySQL vulnerabilities [06:14]
- Affecting Focal (20.04 LTS)
- Tom Reynolds (tomreyn in #ubuntu-hardened) reported an issue with MySQL on
20.04: it had the new MySQL X plugin enabled and listening on all network
interfaces by default -> violates the no open ports principle - this update
instead changes the configuration to bind it to localhost only - if you
were using it remotely you may now need to change your local configuration to
purposefully make it remotely accessible again
[USN-4653-1] containerd vulnerability [07:27]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- The containerd-shim API was exposed via an abstract unix socket to host-network
containers (in the same network namespace) - it would validate that the effective UID
of a connecting process was 0 but did not apply any other access controls - so
a malicious container in the same network namespace with effective UID 0 but
otherwise reduced privileges could spawn new processes via
containerd-shim with full root privileges
- upstream advises against running containers in the host's network namespace
- docker.io stops on upgrade of containerd
[USN-4652-1] SniffIt vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4654-1] PEAR vulnerabilities
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
[USN-4655-1] Werkzeug vulnerabilities
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4656-1] X.Org X Server vulnerabilities
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
[USN-4657-1] Linux kernel vulnerabilities [09:11]
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
- Most interesting is that Power 9 processors could end up exposing information
via the L1 cache -> a Spectre-like attack could allow this to be read - the fix is
similar to the Spectre mitigations: flush the L1 cache when transitioning between
privilege boundaries
- Thanks to Daniel Axtens from IBM for doing a lot of the heavy lifting,
working with the kernel team to provide backports etc
[USN-4658-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4659-1] Linux kernel vulnerabilities
- 7 CVEs addressed in Groovy (20.10)
Goings on in Ubuntu Security Community
GitHub state of open source security report 2020 [10:43]
- https://octoverse.github.com/static/2020-security-report.pdf
- Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET),
PyPI and RubyGems
- Found 94% of projects on GitHub relied on open source components - JS
packages have a median of nearly 700 transitive dependencies - cf Python
with 19
- 17% of advisories sampled related to explicitly malicious behaviour
(almost all in npm packages) - but most are just mistakes
- Vulns go undetected for just over 4 years (218 weeks) before disclosure,
fixes though then come quick in ~4.4 weeks and then 10 weeks to alert
users of the fix
- A line of code written today is just as likely to contain a vulnerability
today as 4 years ago - so we are not getting more secure over time
Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]
AppArmor 3.0.1 Released [16:27]
Hiring [16:52]
AppArmor Security Engineer
Engineering Director - Ubuntu Security
Engineering Manager - Ubuntu Security
Get in contact