PLAY PODCASTS
Episode 148

Episode 148

It's main vs universe as we take a deep dive into the Ubuntu archive and look at these components plus what goes into each and how the security team goes about reviewing software destined for main, plus we cover security updates for...

Ubuntu Security Podcast · Ubuntu Security Team

February 11, 20221h 0m

Audio is streamed directly from the publisher (people.canonical.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Overview

It’s main vs universe as we take a deep dive into the Ubuntu archive and look at these components plus what goes into each and how the security team goes about reviewing software destined for main, plus we cover security updates for Django, BlueZ, NVIDIA Graphics Drivers and more.

This week in Ubuntu Security Updates

53 unique CVEs addressed

[USN-5265-1] Linux kernel vulnerabilities [01:19]

[USN-5266-1] Linux kernel (GKE) vulnerabilities

[USN-5267-1] Linux kernel vulnerabilities

[USN-5268-1] Linux kernel vulnerabilities

[USN-5260-3] Samba vulnerability [02:29]

[USN-5269-1, USN-5269-2] Django vulnerabilities [03:00]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • XSS via incorrect handling of the {% debug %} template tag - failed to properly encode the current context
  • Possible infinite loop when parsing multipart forms as used when doing file uploads

[USN-5270-1, USN-5270-2] MySQL vulnerabilities [03:38]

[USN-5030-2] Perl DBI module vulnerabilities [04:11]

[USN-5262-1] GPT fdisk vulnerabilities

[USN-5264-1] Graphviz vulnerabilities

[USN-5275-1] BlueZ vulnerability [04:25]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Heap buffer overflow in gatt-server implementation since failed to check lengths of incoming packets - could allow a remote attacker to DoS or RCE

[USN-4754-5] Python vulnerability [04:53]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM)
  • Reinstate fix for CVE-2021-3177 which was previously removed due to a regression

[USN-5276-1] NVIDIA graphics drivers vulnerabilities [05:15]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Various issues around handling of permissions within the kernel - could allow a local user to write to protected memory in the kernel and DoS machine

[USN-5267-2] Linux kernel regression [05:52]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 focal + bionic hwe
  • Inadvertent DoS when accessing CIFS shares - kernel hang - fixed by reverting various CIFS related patches

Goings on in Ubuntu Security Community

Main vs Universe with Camila

  • Camila discusses the different software repository components in Ubuntu - what they are, how they compare and what you can expect to find in each, as well as the process for moving packages from universe to main to be supported by Canonical, in particular focusing on the security team’s role in performing security audits of each software package along the way.

Get in contact

← All episodes of Ubuntu Security Podcast