Episode 94


Update: 2020-10-30

Overview


This week we cover news of the CITL drop of 7000 “vulnerabilities”, the
Ubuntu Security disclosure and embargo policy plus we look at security
updates for pip, blueman, the Linux kernel and more.


This week in Ubuntu Security Updates


117 unique CVEs addressed


[USN-4596-1] Tomcat vulnerabilities [01:01]



[USN-4587-1] iTALC vulnerabilities



[USN-4588-1] FlightGear vulnerability



[USN-4552-2] Pam-python vulnerability



[USN-4597-1] mod_auth_mellon vulnerabilities



[USN-4598-1] LibEtPan vulnerability



[USN-4600-1, USN-4600-2] Netty vulnerabilities



[USN-4601-1] pip vulnerability [01:34]



  • 1 CVE addressed in Bionic (18.04 LTS)


  • Failed to sanitize filenames during pip install when given a URL in the
    install command - could allow a remote attacker to supply a
    Content-Disposition header that instructs pip to overwrite arbitrary
    files
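To make the pip failure mode above concrete from the defender's side, here is an added example (not pip's code and not from the episode) showing the unsafe pattern of joining a server-supplied Content-Disposition filename straight onto the download directory, next to a hardened version that reduces the name to a single path component and then checks the result still lies inside the directory. The header values, directory paths and fallback names are constructed for illustration; the stdlib email parser is used only to extract the filename parameter.

```python
import os
import posixpath
import re
from email.message import Message

# Illustrative example, not pip's code. The stdlib email parser is used here
# only to pull the filename parameter out of a Content-Disposition header value.


def parse_content_disposition_filename(header_value):
    """Return the filename parameter from a Content-Disposition header, or None."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()  # handles quoting and RFC 2231 encoded names


def sanitize_download_filename(raw, fallback):
    """Reduce a server-supplied filename to a single safe path component."""
    # Treat backslashes as separators too, then keep only the last component,
    # which discards any directory part and any '..' traversal segments.
    name = posixpath.basename(raw.replace("\\", "/"))
    # Conservative allow-list; leading dots are dropped so the result is never
    # a hidden file ('.bashrc') or empty ('.', '..').
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or fallback


def unsafe_download_path(download_dir, header_value):
    """The failure mode the advisory describes: the header value is joined as-is."""
    raw = parse_content_disposition_filename(header_value) or "download.bin"
    return os.path.normpath(os.path.join(download_dir, raw))


def safe_download_path(download_dir, header_value, fallback):
    """Hardened version: sanitize, then verify the result stays in download_dir."""
    base = os.path.abspath(download_dir)
    raw = parse_content_disposition_filename(header_value)
    name = sanitize_download_filename(raw, fallback) if raw else fallback
    target = os.path.abspath(os.path.join(base, name))
    # Belt and braces: refuse anything that resolves outside the download dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("refusing to write outside the download directory")
    return target


if __name__ == "__main__":
    # Constructed header value, not captured traffic.
    hostile = 'attachment; filename="../../.bashrc"'
    print(unsafe_download_path("/srv/downloads", hostile))           # /.bashrc
    print(safe_download_path("/srv/downloads", hostile, "pkg.whl"))  # /srv/downloads/bashrc
```

The final `commonpath` check is deliberately redundant with the sanitizer: if a future change to `sanitize_download_filename` lets a separator through, the write is still refused rather than silently landing outside the directory.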


[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]



[LSN-0073-1] Linux kernel vulnerability [03:02]



[USN-4593-2] FreeType vulnerability [03:23]



[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]



[USN-4562-2] kramdown vulnerability



[USN-4605-1] Blueman vulnerability [04:10]



  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs
    & Debian maintainers to get this resolved - thanks :)

  • Blueman provides a D-Bus API to spawn a DHCP client when doing
    Bluetooth-based networking

  • Would not sanitise the provided argument and would pass this directly to
    dhcpcd which supports specifying a script file to run - this gets
    executed as root so is a simple local root-privesc

  • Fixed to change the way the argument is provided to dhcpcd so that it
    cannot pass arbitrary flags

  • Should also note, by default on Ubuntu we use isc-dhcp-client not dhcpcd
    so unless you have manually installed it, this cannot be exploited
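The Blueman notes above boil down to one property: the interface name handed over D-Bus must never be able to turn into a dhcpcd option. As an added example (not blueman's code and not the upstream fix, which the episode does not detail), here is one way to enforce that in Python: validate the name against a narrow allow-list that fits a Linux interface name (at most 15 characters, never starting with `-`), and build the argv with a `--` separator, which is assumed here to end option parsing under the usual getopt convention. The candidate names are constructed inputs.

```python
import re

# Stand-alone illustration, not blueman's code. IFNAMSIZ on Linux is 16 bytes,
# so a kernel interface name is at most 15 characters; the allow-list is
# deliberately narrow and the first character may not be '-', so a validated
# name can never look like a flag.
_IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}")


class InvalidInterfaceName(ValueError):
    """Raised when a caller-supplied interface name fails validation."""


def validate_interface_name(name):
    """Return name unchanged if it is a plausible kernel interface name, else raise."""
    if not isinstance(name, str) or _IFACE_RE.fullmatch(name) is None:
        raise InvalidInterfaceName(f"rejected interface name: {name!r}")
    return name


def build_dhcpcd_argv(name):
    """Build the argv for spawning dhcpcd on a validated interface.

    The '--' is defence in depth: under the getopt convention (assumed here
    for dhcpcd) it ends option parsing, so the positional argument can only be
    read as an interface name, never as an option.
    """
    return ["dhcpcd", "--", validate_interface_name(name)]


def is_accepted(name):
    """Convenience predicate for callers that just want a yes/no answer."""
    try:
        validate_interface_name(name)
    except InvalidInterfaceName:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal PAN interface name and three malformed ones.
    for candidate in ["bnep0", "-x", "bnep0 -x", "a" * 16]:
        print(candidate, "->", "accepted" if is_accepted(candidate) else "rejected")
    # A privileged helper would then run e.g. subprocess.run(build_dhcpcd_argv("bnep0"))
    # rather than anything derived from the raw D-Bus string.
```

Validation before argv construction is the primary control; the `--` only covers the case where the allow-list is later loosened. Both belong in the privileged side of the D-Bus boundary, since that is where the caller's input stops being trusted.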


[USN-4583-2] PHP vulnerabilities



[USN-3081-2] Tomcat vulnerability



[USN-4603-1] MariaDB vulnerabilities



[USN-4604-1] MySQL vulnerabilities



[USN-4607-1] OpenJDK vulnerabilities



[USN-4608-1] ca-certificates update [06:41]



  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Updates to the latest from Mozilla - removes some root CAs (expired etc)
    and adds some new ones too


Goings on in Ubuntu Security Community


Ubuntu Security disclosure and embargo policy [07:17]



  • https://ubuntu.com/security/disclosure-policy

  • How to report an issue to us (LP / security@ubuntu.com)

  • Scope (Ubuntu archive + Canonical software / infrastructure -
    coordination etc)

  • What to expect from us

  • Disclosure timelines (within 1 week after updates provided, prefer
    exploits etc kept private for at least 1 week after fixes available)

  • Safe harbour (welcome research into the software we provide but no active
    probing of Canonical infra/services)


CITL releases high level details of 7000 defects [09:06]



  • https://cyber-itl.org/2020/10/28/citl-7000-defects.html

  • 7000 defects/vulns across 3243 packages from Ubuntu 18.04

  • Automated static / dynamic analysis system (fuzzing?)

  • Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV
    etc) - without reproducers etc

  • Expect package maintainers to contact them to request full details

  • Some package maintainers / upstreams will likely contact but we expect
    this to be in the minority

  • Not really possible for @ubuntu_sec to triage and handle all of these but
    will likely be a collective effort between distros to try and analyse
    these all if CITL are willing to provide details

  • Without a collective effort unlikely that CVEs will get assigned and so
    fixes could be missed if various upstreams just contact and fix these
    themselves

  • Lots of open questions as to how this will play out…


Get in contact



Ubuntu Security Team