Episode 233

Update: 2024-08-02

Overview


This week we take a look at the recent CrowdStrike outage and what we can learn
from it compared to the testing and release process for security updates in
Ubuntu, plus we cover details of vulnerabilities in poppler, phpCAS, EDK II,
Python, OpenJDK and one package with over 300 CVE fixes in a single update.


This week in Ubuntu Security Updates


462 unique CVEs addressed


[USN-6915-1] poppler vulnerability (01:35)



  • 1 CVE addressed in Jammy (22.04 LTS), Noble (24.04 LTS)


  • Installed by default in Ubuntu since it is used by CUPS

  • The PDF document format describes a Catalog which holds a tree of
    destinations - essentially hyperlinks within the document. A destination can
    be an explicit target (a page number etc.) or a named location within the
    document. Opening a crafted document in which a destination is missing its
    name property leaves name as NULL, which triggers a NULL pointer dereference
    -> crash -> DoS


[USN-6913-1] phpCAS vulnerability (02:26)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)


  • Authentication library for PHP that allows PHP applications to authenticate
    users against a Central Authentication Service (CAS) server (i.e. SSO).

  • When used for SSO, the client (the web application) redirects the user's
    browser to the CAS server. CAS authenticates the user and sends the browser
    back to the application with a service ticket. The application must then
    validate this ticket with the CAS server, since anything arriving via the
    browser could have been injected: it sends the ticket along with its own
    service URL to CAS, and if validation succeeds it is given the details of
    which user was authenticated etc.

  • Previously phpCAS used HTTP headers from the incoming request (such as Host)
    to work out the application's own service URL for that validation request.
    Since these headers are attacker-controlled, an attacker could make phpCAS
    validate a ticket against a service URL other than the application's real
    one, so a ticket obtained for a different service in the same SSO realm
    (including one the attacker controls, depending on how strictly the CAS
    server's service registry is configured) would be accepted, letting the
    attacker log in to the application as the victim user.

  • Fix requires an API change: the client constructor now takes an additional
    parameter giving either a fixed service base URL or a callable that discovers
    it securely - either way, applications using phpCAS need to be updated.
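To make the ticket-validation flow and the header problem concrete, the following is an added example and not phpCAS's own code or API: a minimal in-memory model of a CAS server and of two client variants, one that rebuilds its service URL from the request's Host header (the pre-fix behaviour) and one that takes the service base URL from configuration (the post-fix behaviour). The class and function names, the hostnames, the request dict layout and the ticket format are all assumptions for illustration, and every ticket and request is constructed inline.

```python
"""Added example (not phpCAS's own code or API): a minimal in-memory model of the
CAS service-ticket flow, showing why building the service URL from request
headers lets a ticket issued for another service be accepted. All names,
hostnames and the request dict layout are assumptions; tickets and requests are
constructed, not real."""
import secrets


class CasServer:
    """Stand-in for a CAS server: issues single-use service tickets (ST) bound to
    the service URL that requested them, and validates ticket + service pairs."""

    def __init__(self, service_allowed):
        # service_allowed models the CAS service registry: callable(url) -> bool
        self._service_allowed = service_allowed
        self._tickets = {}  # ticket -> (user, service)

    def login(self, user, service):
        """Browser is redirected to CAS with ?service=...; on successful auth CAS
        sends the browser back to that service with a fresh ST."""
        if not self._service_allowed(service):
            raise PermissionError(f"service not registered with CAS: {service}")
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = (user, service)
        return ticket

    def service_validate(self, ticket, service):
        """/serviceValidate: the application presents the ticket plus its own
        service URL. Returns the authenticated user, or None on failure."""
        entry = self._tickets.pop(ticket, None)  # tickets are single use
        if entry is None or entry[1] != service:
            return None
        return entry[0]


def vulnerable_client(cas, request):
    """Models the pre-fix behaviour: the service URL is reconstructed from the
    attacker-controllable Host header of the incoming request."""
    service = f"https://{request['headers']['Host']}{request['path']}"
    return cas.service_validate(request["query"]["ticket"], service)


def fixed_client(cas, request, service_base_url):
    """Models the post-fix behaviour: the service base URL is configuration, so
    the request can only influence the path, never the host."""
    service = service_base_url + request["path"]
    return cas.service_validate(request["query"]["ticket"], service)


def make_request(host, ticket, path="/login"):
    """Constructed inbound HTTP request as the application would see it."""
    return {"headers": {"Host": host}, "path": path, "query": {"ticket": ticket}}


def run_demo():
    # CAS with a permissive registry: any https service may request tickets.
    cas = CasServer(lambda url: url.startswith("https://"))
    app_base = "https://app.example"

    # 1. Legitimate login: the victim authenticates for the real application.
    ticket = cas.login("victim", app_base + "/login")
    legit_user = fixed_client(cas, make_request("app.example", ticket), app_base)

    # 2. Attack: the victim is lured into logging in to a service the attacker
    #    controls, so the attacker now holds an ST bound to attacker.example.
    ticket = cas.login("victim", "https://attacker.example/login")
    # Presented to the vulnerable app with Host: attacker.example, the app
    # validates against the attacker's service URL and CAS says the ST is good.
    vulnerable_accepts = vulnerable_client(cas, make_request("attacker.example", ticket))

    # 3. Same attack against the fixed client: validation uses the configured
    #    base URL, so CAS sees a service mismatch and rejects the ticket.
    ticket = cas.login("victim", "https://attacker.example/login")
    fixed_accepts = fixed_client(cas, make_request("attacker.example", ticket), app_base)

    # 4. Defence in depth on the CAS side: a strict service registry refuses to
    #    issue the attacker's ticket in the first place.
    strict_cas = CasServer(lambda url: url.startswith(app_base + "/"))
    try:
        strict_cas.login("victim", "https://attacker.example/login")
        strict_registry_blocks = False
    except PermissionError:
        strict_registry_blocks = True

    return {
        "legit_user": legit_user,
        "vulnerable_accepts": vulnerable_accepts,
        "fixed_accepts": fixed_accepts,
        "strict_registry_blocks": strict_registry_blocks,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The fourth scenario is the operator-side caveat: tightening the CAS server's service registry limits which services can obtain tickets at all, which narrows the attack even before the client library is updated, but it does not replace the phpCAS fix, since any other registered service in the same realm still yields a usable ticket against the vulnerable client.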


[USN-6914-1] OCS Inventory vulnerability



  • 1 CVE addressed in Jammy (22.04 LTS)


  • Same as above, since OCS Inventory ships an embedded copy of phpCAS


[USN-6916-1] Lua vulnerabilities (04:44)



  • 2 CVEs addressed in Jammy (22.04 LTS)


  • Heap buffer over-read and a possible heap buffer overflow via recursive error
    handling - looks like both require interpreting malicious Lua code


[USN-6920-1] EDK II vulnerabilities (05:04)



[USN-6928-1] Python vulnerabilities (05:49)



  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)


  • Memory race in the ssl module: functions that return certificate information
    (such as the certificate store statistics or the list of loaded CA certs) can
    be called from one thread while another thread is loading certificates, which
    happens during a TLS handshake when a certificate directory is configured.
    Python could then return inconsistent results, leading to various issues

  • Occurs since the ssl module is implemented in C to interface with OpenSSL and
    did not properly lock access to the certificate store
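The following is an added example, not CPython's own code, showing one way to avoid the overlap on a shared SSLContext while an interpreter is still unpatched: wrap the context so that certificate loading and certificate-store reads are serialised by a lock, then stress it from several threads and check that every snapshot is self-consistent. The wrapper class, its method names and the stress loop are assumptions for illustration; the ssl calls themselves are the standard-library ones, and the example tolerates a host with no CA bundle at all.

```python
"""Added example (not CPython's own code): serialising certificate loading and
certificate-store reads on a shared SSLContext so that the two never overlap.
The wrapper class and stress helper are assumptions for illustration."""
import ssl
import threading


class GuardedContext:
    """Wraps an SSLContext so that mutating calls (loading certificates) and
    inspecting calls (cert_store_stats / get_ca_certs) never run concurrently.
    The race exists because the C implementation did not lock the store, so
    taking our own lock around both kinds of call removes the overlap."""

    def __init__(self):
        self._ctx = ssl.create_default_context()
        self._lock = threading.Lock()

    def reload_ca_certs(self):
        # Assumption: the host may have no CA bundle; load_default_certs then
        # simply adds nothing, which is fine for the demo.
        with self._lock:
            self._ctx.load_default_certs()

    def snapshot(self):
        """Both reads happen in one critical section, so the pair is taken
        from the same state of the store."""
        with self._lock:
            stats = self._ctx.cert_store_stats()
            stats["ca_count"] = len(self._ctx.get_ca_certs(binary_form=True))
            return stats


def stress(readers=4, loaders=2, rounds=100):
    """Run store reads and certificate reloads concurrently. Returns every
    snapshot taken plus any exceptions, so the caller can check consistency."""
    guarded = GuardedContext()
    snapshots, errors = [], []

    def read():
        for _ in range(rounds):
            try:
                snapshots.append(guarded.snapshot())
            except Exception as exc:  # record rather than die in the thread
                errors.append(exc)

    def load():
        for _ in range(max(1, rounds // 10)):
            guarded.reload_ca_certs()

    threads = [threading.Thread(target=read) for _ in range(readers)]
    threads += [threading.Thread(target=load) for _ in range(loaders)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return snapshots, errors


def consistent(snapshots):
    """Every snapshot carries the expected keys and the CA certificate count
    never exceeds the total number of certificates in the store."""
    return all(
        {"x509", "x509_ca", "crl"} <= set(s) and 0 <= s["ca_count"] <= s["x509"]
        for s in snapshots
    )


if __name__ == "__main__":
    snaps, errs = stress()
    print(f"{len(snaps)} snapshots, {len(errs)} errors, consistent={consistent(snaps)}")
```

The simpler alternative, where it fits the application, is to finish loading every certificate before the context is handed to worker threads and never mutate it afterwards; the lock is for the case where reloads at runtime are genuinely needed.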


[USN-6929-1, USN-6930-1] OpenJDK 8 and OpenJDK 11 vulnerabilities (06:52)



[USN-6931-1, USN-6932-1] OpenJDK 17 and OpenJDK 21 vulnerabilities (07:11)



[USN-6934-1] MySQL vulnerabilities (07:29)



Ubuntu Security Team