
Episode 47
Ubuntu Security Podcast · Ubuntu Security Team
Show Notes
Overview
We catch up on details of the past few weeks of security updates, including Python, curl, Linux kernel, Exim and more, plus Alex and Joe discuss the recent Ubuntu Engineering Sprint in Paris and building a HoneyBot for Admin Magazine.
This week in Ubuntu Security Updates
93 unique CVEs addressed
[USN-4125-1] Memcached vulnerability [00:42]
- 1 CVE addressed in Xenial, Bionic, Disco
- Possible stack buffer over-read when using UNIX sockets: the address of the UNIX socket was copied with strncpy(), which could read past the end of the source buffer - possible crash -> DoS. Fixed by explicitly limiting the copy length to the smaller of the source and destination buffers rather than just the size of the destination buffer.
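To illustrate the bounded-copy fix described above, here is an added example (not memcached's own code; the function names are hypothetical): the unsafe strncpy() pattern next to a copy that is bounded by the smaller of the source length reported in addrlen and the destination size.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Unsafe pattern: strncpy() is bounded only by the destination size, so it
 * keeps reading sun_path for up to dst_size bytes even when the peer gave a
 * shorter, unterminated address - an over-read of the source buffer. */
void copy_sun_path_unsafe(char *dst, size_t dst_size, const struct sockaddr_un *sa)
{
    strncpy(dst, sa->sun_path, dst_size);
    dst[dst_size - 1] = '\0';
}

/* Hardened copy: take the source length from the address length the kernel
 * reported (addrlen) and bound the copy by the smaller of that and the
 * destination size. Returns the number of path bytes copied. */
size_t copy_sun_path_safe(char *dst, size_t dst_size,
                          const struct sockaddr_un *sa, socklen_t addrlen)
{
    size_t src_len = 0;
    if (dst_size == 0)
        return 0;
    if (addrlen > offsetof(struct sockaddr_un, sun_path))
        src_len = addrlen - offsetof(struct sockaddr_un, sun_path);
    if (src_len > sizeof(sa->sun_path))
        src_len = sizeof(sa->sun_path);
    /* sun_path need not be NUL-terminated; stop at a NUL only if one exists */
    const char *nul = memchr(sa->sun_path, '\0', src_len);
    if (nul != NULL)
        src_len = (size_t)(nul - sa->sun_path);
    if (src_len > dst_size - 1)
        src_len = dst_size - 1;
    memcpy(dst, sa->sun_path, src_len);
    dst[src_len] = '\0';
    return src_len;
}

/* Constructed input: a peer address whose path is shorter than the destination
 * and carries no NUL; only addrlen says how many bytes are valid. */
size_t demo_copy(char *out, size_t out_size)
{
    static const char path[] = "/tmp/mc.sock";
    struct sockaddr_un sa;
    memset(&sa, 0xAA, sizeof sa); /* garbage after the real path bytes */
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, path, sizeof path - 1);
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + sizeof path - 1);
    return copy_sun_path_safe(out, out_size, &sa, addrlen);
}
```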
[USN-4126-1] FreeType vulnerability [01:49]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial
- 2 CVEs addressed in Precise ESM, Trusty ESM only
- All heap-based buffer over-reads - crash -> DoS
[USN-4127-1, USN-4127-2] Python vulnerabilities [02:13]
- 8 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- 4 issues in urllib:
  - Could be used to easily open files from the local file-system
  - 2 different CRLF injection issues
  - A specially crafted URL could cause urllib to send cookies / auth data to the wrong host
    - Fixed incorrectly upstream at first, so two CVEs were assigned
- http.cookiejar wouldn't validate the URL correctly, so could also send cookies for another domain
- Possible NULL pointer dereference when parsing X509 certificates if a cert had an empty CRL distribution point / URI
- Possible integer overflow when serializing very large amounts of data (tens of hundreds of gigabytes) via the pickle format - could cause memory exhaustion
[USN-4128-1, USN-4128-2] Tomcat vulnerabilities [03:35]
- 3 CVEs addressed in Xenial, Bionic (tomcat-8) and Bionic, Disco (tomcat-9)
- The HTTP/2 server would accept streams with an excessive number of SETTINGS frames and would permit clients to keep streams open without reading / writing anything - could lead to DoS by causing server-side threads to block
  - Original fix was incomplete - so got a second CVE
- Possible XSS if using the SSI printenv command, as it would echo user-provided data without escaping - intended only for debugging so shouldn't be used on a production website anyway
[USN-4120-2] systemd regression [04:45]
- Affecting Bionic, Disco
- Episode 46 - systemd-resolved D-Bus access control - the update was prepared on top of a pending SRU update, but this contained a regression in networking - re-released the security fix without this SRU update included
[USN-4115-2] Linux kernel regression [05:18]
- Affecting Xenial (HWE), Bionic
- Recent kernel update (Episode 46) could possibly crash when handling fragmented packets
[USN-4129-1, USN-4129-2] curl vulnerabilities [05:42]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  - CVE-2019-5482 - heap buffer overflow in the TFTP protocol handler
- 1 extra CVE addressed in Xenial, Bionic, Disco
  - CVE-2019-5481 - double free in the FTP Kerberos code
[USN-4130-1] WebKitGTK+ vulnerabilities [06:15]
- 16 CVEs addressed in Bionic, Disco
- Update to latest WebKitGTK upstream release (2.24.4)
[USN-4131-1] VLC vulnerabilities [06:38]
- 11 CVEs addressed in Bionic, Disco
- Update to latest VLC upstream release (3.0.8)
[USN-4133-1] Wireshark vulnerabilities [06:48]
- 2 CVEs addressed in Xenial, Bionic, Disco
- Update to latest upstream release (2.6.10-1)
[USN-4132-1, USN-4132-2] Expat vulnerability [06:55]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Crafted XML could fool the parser into switching to document parsing too early (whilst still in the DTD) - could then result in a heap-based buffer over-read when looking up the current line / column number - possible crash -> DoS
[USN-4134-1] IBus vulnerability [07:30]
- 1 CVE addressed in Xenial, Bionic, Disco
- Failed to apply access controls to the D-Bus server socket - could allow another local user to connect to a logged-in local user's IBus daemon and snoop on keystrokes etc.
- Attacker needs to know the IBus socket address, which is randomised and not easily discoverable
[USN-4134-2] IBus regression [08:00]
- Affecting Xenial, Bionic, Disco
- Regressed for Qt users - Qt seems unable to connect to the IBus socket - so reverted
[USN-4124-2] Exim vulnerability [08:25]
- 1 CVE addressed in Trusty ESM
- Episode 46 - high profile possible remote root exploit
[USN-4113-2] Apache HTTP Server regression [08:38]
- Affecting Xenial, Bionic, Disco
- Episode 45 - HTTP/2 DoS issues - update caused a regression when proxying balance manager connections - fixed by incorporating missing upstream patches
[USN-4135-1, USN-4135-2] Linux kernel vulnerabilities [09:01]
- 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Possible host privilege escalation from a libvirt guest (guest user needs to be privileged)
- 2 related info disclosures on PowerPC - local user could possibly read vector registers of other users’ processes either during an interrupt or via a facility unavailable exception
[LSN-0056-1] Linux kernel vulnerability [09:51]
- 1 CVE addressed in Xenial, Bionic
- Livepatch notification for the libvirt host privilege escalation above
[USN-4136-1, USN-4136-2] wpa_supplicant and hostapd vulnerability [10:06]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- An attacker in radio range could cause a station to disconnect by sending a specially crafted management frame (since the source address of the frame would not be properly validated)
[USN-4137-1] Mosquitto vulnerability [10:44]
- 1 CVE addressed in Disco
- Stack overflow if a malicious client sends a SUBSCRIBE with a topic of ~65k '/' characters
[USN-4138-1] LibreOffice vulnerability [10:56]
- 1 CVE addressed in Xenial, Bionic, Disco
- Episode 44 - able to bypass the protections added to try and stop inclusion of code from the local file-system in macros etc. via URL encoding
[USN-4139-1] File Roller vulnerability [11:18]
- 1 CVE addressed in Xenial, Bionic
- Path traversal outside of the CWD to the parent directory
[USN-4140-1] Firefox vulnerability [11:33]
- 1 CVE addressed in Xenial, Bionic, Disco
- Latest upstream release (69.0.1) - pointer lock could be enabled without any notification to the user - could allow a malicious website to hijack the mouse cursor and confuse the user
[USN-4141-1] Exim vulnerability [11:54]
- 1 CVE addressed in Disco
- Heap-based buffer overflow - could possibly allow remote code execution - was announced on Saturday 28th - thanks Marc for the quick update :)
Goings on in Ubuntu Security Community
Joe and Alex talk about the Paris Engineering Sprint and Joe’s recent article in Admin Magazine [12:42]
- http://www.admin-magazine.com/Articles/Build-a-honeypot-with-real-world-alerts?utm_source=AMTW
- https://github.com/joemcmanus/honeybot
New security category on discourse.ubuntu.com [25:52]
- https://discourse.ubuntu.com/c/security
- Created to allow discussion of security-relevant Ubuntu topics and issues in a more user-friendly and centralised location
- Will be used in addition to the existing ubuntu-hardened mailing list and #ubuntu-hardened IRC channel