Episode 229

Update: 2024-05-31

Description

Overview


As the podcast winds down for a break over the next month, this week we talk
about RSA timing side-channel attacks and the recently announced DNSBomb
vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK,
amavisd-new, Unbound, Intel Microcode and more.


This week in Ubuntu Security Updates


152 unique CVEs addressed


[USN-6783-1] VLC vulnerabilities (00:54)



  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)


  • integer underflow and a heap buffer overflow -> RCE


[USN-6663-3] OpenSSL update (01:40)



  • Affecting Noble (24.04 LTS)

  • [USN-6663-1] OpenSSL update from Episode 220 - hardening improvement to return
    deterministic random bytes instead of an error when an incorrect padding
    length is detected during PKCS#1 v1.5 RSA decryption, so that the error
    cannot be used as an oracle for possible Bleichenbacher timing attacks
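An added illustration of the behaviour that USN describes (known as implicit rejection); this is example code, not OpenSSL's implementation. It uses textbook RSA with a constructed toy key, PKCS#1 v1.5 padding, and a decrypt routine that substitutes deterministic pseudorandom bytes for a padding error. The key, the rejection secret and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key for demonstration only: two Mersenne primes give a
# 150-bit modulus, far too small for real use but enough for the 11-byte PKCS#1 v1.5 overhead.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (19 here)

# Secret known only to the decryptor, used to derive the fallback plaintext (constructed value).
REJECTION_SECRET = b"constructed-example-secret"


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 encryption: EM = 00 || 02 || PS (nonzero bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(b or 1 for b in os.urandom(ps_len))  # PS must contain no zero bytes
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _unpad(em: bytes):
    """Return the message if EM is well-formed PKCS#1 v1.5 type 2, otherwise None."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # need at least 8 bytes of PS
        return None
    return em[sep + 1:]


def strict_decrypt(ct: bytes) -> bytes:
    """Pre-hardening behaviour: a padding failure raises, which is the signal an oracle needs."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    msg = _unpad(em)
    if msg is None:
        raise ValueError("bad padding")
    return msg


def implicit_rejection_decrypt(ct: bytes) -> bytes:
    """Hardened behaviour: never fail. On bad padding return bytes derived from a secret
    and the ciphertext, so the same ciphertext always yields the same fallback."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    fallback = hmac.new(REJECTION_SECRET, ct, hashlib.sha256).digest()[: K - 11]
    msg = _unpad(em)
    return fallback if msg is None else msg
```

Python's `find` and branching are not constant-time, so this shows the interface contract (no error, identical fallback for a repeated ciphertext) rather than the timing discipline a real implementation needs; production code also derives the fallback length from the same PRF output instead of fixing it.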


[USN-6673-3] python-cryptography vulnerability (02:32)



[USN-6736-2] klibc vulnerabilities (02:43)



[USN-6784-1] cJSON vulnerabilities (02:58)



  • 3 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • 2 different researchers fuzzing cJSON APIs

    • all different NULL pointer dereferences - each requires a particular
      “incorrect” or possibly misusing use of the APIs (like passing in
      purposefully corrupted values), so unlikely to be an issue in practice




[USN-6785-1] GNOME Remote Desktop vulnerability (03:52)



  • 1 CVE addressed in Noble (24.04 LTS)


  • Discovered by a member of the SUSE security team when reviewing g-r-d

  • Exposed various D-Bus services that could be called by any unprivileged
    user and would then return the SSL private key used to encrypt the
    connection - so could allow a local user to possibly spy on the sessions of
    other users remotely connected to the system


[USN-6786-1] Netatalk vulnerabilities (04:45)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)


  • Apple file sharing implementation for Linux

  • If the same path was shared via both AFP and SMB then a remote attacker could
    combine various operations through both file-systems (like creating a crafted
    symlink, which would then be followed during a second operation where a file
    is renamed) to overwrite arbitrary files and hence achieve arbitrary code
    execution on the host


[USN-6788-1] WebKitGTK vulnerabilities (05:48)



  • 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • Possible pointer authentication bypass - used on arm64 in particular -
    demonstrated at Pwn2Own earlier this year by Manfred Paul - $60k


[USN-6789-1] LibreOffice vulnerability (06:28)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • Unchecked script execution triggered when clicking on a graphic - allows
    arbitrary scripts to run without the usual prompt


[USN-6790-1] amavisd-new vulnerability (07:09)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • MTA / AV interface - often used in conjunction with Postfix, not just for AV
    but also can be used to do DKIM verification and integration with spamassassin
    etc.

  • Misinterpreted MIME message boundaries in emails, allowing email parts to
    possibly bypass usual checks


[USN-6791-1] Unbound vulnerability (07:46)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • DNSBomb attack announced recently at IEEE S&P - affecting multiple different
    DNS implementations including BIND, Unbound, PowerDNS, Knot, DNSMasq and others

  • Unbound itself was not necessarily vulnerable to such an attack specifically,
    but could be used to generate such an attack against others - in particular
    Unbound had the highest amplification factor of ~22k times - next highest was
    DNSMasq at ~3k times

  • Fix involves introducing a number of timeout parameters for various operations
    and discarding operations if they take longer than this to avoid the ability
    to “store up” responses to be released at a later time
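A toy model of the timeout-based mitigation described above, added here as an illustration; it is not Unbound's code, and the class, method and parameter names are invented. Queries arrive at a steady rate while the upstream answer is withheld; without a discard timeout every waiting query is released in one burst when the answer finally arrives, with one the burst is bounded by rate times timeout.

```python
from collections import deque


class PendingQueries:
    """Toy model of a resolver's table of client queries waiting on an upstream
    answer. Constructed for illustration; not Unbound's implementation."""

    def __init__(self, discard_timeout=None):
        # Seconds a query may wait for upstream before being dropped.
        # None models the pre-fix behaviour: wait indefinitely.
        self.discard_timeout = discard_timeout
        self.pending = deque()  # (client_id, time_received), oldest first
        self.discarded = 0

    def _expire(self, now):
        """Drop queries that have waited longer than the timeout."""
        if self.discard_timeout is None:
            return
        while self.pending and now - self.pending[0][1] > self.discard_timeout:
            self.pending.popleft()
            self.discarded += 1

    def client_query(self, client_id, now):
        self._expire(now)
        self.pending.append((client_id, now))

    def upstream_answer(self, now):
        """The delayed upstream answer arrives: every query still pending is
        answered in the same instant. The returned list is the burst the
        resolver emits at once, which is what the timeout exists to bound."""
        self._expire(now)
        burst = [client for client, _ in self.pending]
        self.pending.clear()
        return burst


def burst_size(discard_timeout, queries_per_second, hold_seconds):
    """Queries arrive steadily while upstream stalls for hold_seconds, then answers."""
    table = PendingQueries(discard_timeout)
    for i in range(queries_per_second * hold_seconds):
        table.client_query(f"client-{i}", i / queries_per_second)
    return len(table.upstream_answer(hold_seconds)), table.discarded
```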


[USN-6793-1] Git vulnerabilities (09:31)



[USN-6792-1] Flask-Security vulnerability



  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)



[USN-6794-1] FRR vulnerabilities



[USN-6777-4] Linux kernel (HWE)

Ubuntu Security Team