PLAY PODCASTS
Episode 99

Episode 99

This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU, containerd, Linux kernel & more, plus we discuss the 2020 State of the Octoverse Security Report from Github, Launchpad GPG keyserver migration, a new...

Ubuntu Security Podcast · Ubuntu Security Team

December 4, 202018m 35s

Audio is streamed directly from the publisher (people.canonical.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Overview

This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU, containerd, Linux kernel & more, plus we discuss the 2020 State of the Octoverse Security Report from Github, Launchpad GPG keyserver migration, a new AppArmor release & some open positions on the team.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-4645-1] Mutt vulnerability [00:59]

  • 1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • When connecting to an IMAP server, if the first reponse from the server was invalid, would fail to properly terminate the connection and could continue trying to authenticate and hence send credentials in the clear.

[USN-4646-1] poppler vulnerabilities [01:44]

[USN-4646-2] poppler regression

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
    • CVE-2019-10871
    • Some applications linked against poppler would fail - backed out this fix for future

[USN-4647-1] Thunderbird vulnerabilities [02:25]

[USN-4648-1] WebKitGTK vulnerabilities [03:21]

  • 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • dejavu with thunderbird above - latest upstream version (2.30.3) and same sorts of vulns - including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

[USN-4649-1] xdg-utils vulnerability [03:54]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Could cause files to be attached by not sanitizing mailto:?attach= - particularly relevant to TB - so if a user is not paying attention, could attach say a sensitive local file to the outgoing email

[USN-4382-2] FreeRDP vulnerabilities [05:09]

[USN-4650-1] QEMU vulnerabilities [05:29]

[USN-4651-1] MySQL vulnerabilities [06:14]

  • Affecting Focal (20.04 LTS)
  • Tom Reynolds (tomreyn in #ubuntu-hardened) reported issue with MySQL on 20.04 had the new MySQLX plugin enabled and listenting on all network interfaces by default -> violates no open ports principle - this update insteads changes the configuration to bind it to localhost only - if you were using it you may now need to change your local configuration to purposefully change this so it is remotely accessible

[USN-4653-1] containerd vulnerability [07:27]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • containerd-shim API exposed from abstract unix socket to host network containers (in same network namespace) - would validate the effective UID of a connecting process as 0 but did not apply other access controls - so a malicious container in same network namespace with effective UID 0 but otherwise reduced privileges could spawn new processes via containerd-shim with full root privileges
  • upstream advise against running containers in the hosts network namespace
  • docker.io stops on upgrade of containerd

[USN-4652-1] SniffIt vulnerability

[USN-4654-1] PEAR vulnerabilities

[USN-4655-1] Werkzeug vulnerabilities

[USN-4656-1] X.Org X Server vulnerabilities

[USN-4657-1] Linux kernel vulnerabilities [09:11]

[USN-4658-1] Linux kernel vulnerabilities

[USN-4659-1] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

GitHub state of open source security report 2020 [10:43]

  • https://octoverse.github.com/static/2020-security-report.pdf
  • Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET), PyPI and RubyGems
  • Found 94% of projects on GitHub relied on open source components - JS packages have a median of nearly 700 transitive dependencies - cf Python with 19
  • 17% of advisories sampled related to explicitly malicious behaviour (almost all in npm packages) - but most are just mistakes
  • Vulns go undetected for just over 4 years (218 weeks) before disclosure, fixes though then come quick in ~4.4 weeks and then 10 weeks to alert users of the fix
  • A line of code written today is just as likely to contain a vulnerability today as 4 years ago - so we are not getting more secure over time

Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]

AppArmor 3.0.1 Released [16:27]

Hiring [16:52]

AppArmor Security Engineer

Engineering Director - Ubuntu Security

Engineering Manager - Ubuntu Security

Get in contact

← All episodes of Ubuntu Security Podcast