Episode 98

Episode 98

Update: 2020-11-27
Share

Description

Overview


This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more,
plus we cover security news from the Ubuntu community including planning
for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS
and a proposal for making home directories more secure for upcoming Ubuntu
releases as well.


This week in Ubuntu Security Updates


48 unique CVEs addressed


[USN-4638-1] c-ares vulnerability [01:00 ]



  • 1 CVEs addressed in Groovy (20.10)


  • C library for performing async DNS requests and name resolution - a fork
    of the ares library with additional support for IPv6, and 64-bit/cross
    platform support

  • In particular is used by Node.js for DNS support - reported as a DoS via
    a remote attacker who could cause a Node.js application to perform a DNS
    request to a chosen host where a large number of DNS records - internally
    is a buffer-over-read - c-ares would return data of length N but with a
    purported length of >N - only in more recent releases so only affected
    groovy


[USN-4639-1] phpMyAdmin vulnerabilities [02:37 ]



[USN-4637-2] Firefox vulnerabilities [03:08 ]



[USN-4634-2] OpenLDAP vulnerabilities [03:57 ]



[USN-4640-1] PulseAudio vulnerability [04:13 ]



  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Discovered and resolved by James Henstridge from the Ubuntu Desktop Team

  • Race condition in snap policy module could allow a confined snap to
    bypass snap pulseaudio restrictions - ie. could record audio when only
    authorised to playback audio

  • https://twitter.com/JamesHenstridge/status/1331161130740248580


[USN-4641-1] libextractor vulnerabilities [06:20 ]



[USN-4642-1] PDFResurrect vulnerability [07:28 ]



  • 1 CVEs addressed in Xenial (16.04 LTS)


  • Extract / manipulate revision info in PDFs

  • OOB write


[USN-4643-1] atftp vulnerabilities [07:56 ]



  • 2 CVEs addressed in Xenial (16.04 LTS)


  • TFTP server / client

  • NULL ptr deref due to race condition from missing mutex lock - different
    threads can race on the same data -> DoS

  • stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE


[USN-4644-1] igraph vulnerability [08:35 ]



  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)


  • NULL ptr deref


Goings on in Ubuntu Security Community


Ubuntu 16.04 LTS moving to ESM webinar [08:52 ]



Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13 ]



Private home directories for Ubuntu 21.04 onwards? [10:45 ]



Get in contact


Comments 
loading
In Channel
Episode 115

Episode 115

2021-05-1412:44

Episode 114

Episode 114

2021-05-0612:44

Episode 113

Episode 113

2021-04-3016:28

Episode 112

Episode 112

2021-04-1614:37

Episode 111

Episode 111

2021-04-0812:10

Episode 110

Episode 110

2021-04-0113:57

Episode 109

Episode 109

2021-03-2608:16

Episode 108

Episode 108

2021-03-1911:48

Episode 107

Episode 107

2021-03-1212:04

Episode 106

Episode 106

2021-03-0414:00

Episode 105

Episode 105

2021-02-2517:03

Episode 104

Episode 104

2021-02-1914:18

Episode 103

Episode 103

2021-02-1213:14

Episode 102

Episode 102

2021-02-0512:26

Episode 101

Episode 101

2021-01-2827:25

Episode 100

Episode 100

2020-12-1117:46

Episode 99

Episode 99

2020-12-0418:35

Episode 98

Episode 98

2020-11-2713:54

Episode 97

Episode 97

2020-11-2115:11

Episode 96

Episode 96

2020-11-1307:41

loading
Download from Google Play
Download from App Store
00:00
00:00
x

0.5x

0.8x

1.0x

1.25x

1.5x

2.0x

3.0x

Sleep Timer

Off

End of Episode

5 Minutes

10 Minutes

15 Minutes

30 Minutes

45 Minutes

60 Minutes

120 Minutes

Episode 98

Episode 98

Ubuntu Security Team