Episode 99

Update: 2020-12-04

Overview


This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU,
containerd, Linux kernel & more, plus we discuss the 2020 State of the
Octoverse Security Report from Github, Launchpad GPG keyserver migration, a
new AppArmor release & some open positions on the team.


This week in Ubuntu Security Updates


68 unique CVEs addressed


[USN-4645-1] Mutt vulnerability [00:59 ]



  • 1 CVE addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • When connecting to an IMAP server, if the first response from the server
    was invalid, Mutt would fail to properly terminate the connection and
    could continue trying to authenticate, and hence send credentials in the
    clear.


[USN-4646-1] poppler vulnerabilities [01:44 ]



[USN-4646-2] poppler regression



  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

    • CVE-2019-10871

    • Some applications linked against poppler would fail, so this fix was
      backed out pending a future update




[USN-4647-1] Thunderbird vulnerabilities [02:25 ]



[USN-4648-1] WebKitGTK vulnerabilities [03:21 ]



[USN-4649-1] xdg-utils vulnerability [03:54 ]



  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • xdg-utils did not sanitize the attach= parameter of mailto: URIs, so a
    crafted link could cause files to be attached to an outgoing email -
    particularly relevant to Thunderbird (TB) - so if a user is not paying
    attention, a sensitive local file could end up attached to the message
    they send
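The defensive half of the xdg-utils fix is a mailto: URI sanitizer that only passes through header fields a user expects. The following is an added example, not xdg-utils code; the allowlist of fields and the set of attachment-style parameters it rejects are assumptions made for this example.

```python
"""Sanitize a mailto: URI before handing it to a mail client: keep only
header fields a user expects and drop anything that attaches local files.

Added example, not xdg-utils code.  SAFE_FIELDS and ATTACH_FIELDS are
assumptions for this example, not the set xdg-utils itself uses.
"""
from urllib.parse import parse_qsl, quote, urlencode

SAFE_FIELDS = {"to", "cc", "bcc", "subject", "body"}
ATTACH_FIELDS = {"attach", "attachment"}   # what the xdg-utils bug passed through

def sanitize_mailto(uri):
    """Return (clean_uri, dropped): the URI rebuilt from allowlisted
    parameters only, plus the names of the parameters that were removed."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    addr, _, query = uri[len("mailto:"):].partition("?")
    kept, dropped = [], []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SAFE_FIELDS:
            kept.append((key.lower(), value))
        else:
            # attach=, attachment= and any unknown field are discarded;
            # an unknown field is never more useful than it is risky here.
            dropped.append(key)
    clean = "mailto:" + addr
    if kept:
        # quote (not quote_plus): mailto bodies want %20, never '+' for spaces
        clean += "?" + urlencode(kept, safe="@/", quote_via=quote)
    return clean, dropped

# Constructed sample: a crafted link that tries to attach a local file.
SAMPLE_URI = "mailto:alice@example.com?subject=Hello%20there&attach=/etc/passwd&cc=bob@example.com"

if __name__ == "__main__":
    print(sanitize_mailto(SAMPLE_URI))
```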


[USN-4382-2] FreeRDP vulnerabilities [05:09 ]



[USN-4650-1] QEMU vulnerabilities [05:29 ]



[USN-4651-1] MySQL vulnerabilities [06:14 ]



  • Affecting Focal (20.04 LTS)

  • Tom Reynolds (tomreyn in #ubuntu-hardened) reported an issue with MySQL
    on 20.04: it had the new MySQL X plugin enabled and listening on all
    network interfaces by default, which violates the no-open-ports
    principle. This update instead changes the configuration to bind it to
    localhost only, so if you were using it you may now need to change your
    local configuration to purposefully make it remotely accessible again.
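To check a host for the condition described above, the following added example (not from the podcast or from Ubuntu's MySQL packaging) audits both the configured and the actually listening bind address of the X plugin. It assumes the MySQL 8.0 option name mysqlx_bind_address (server default `*`, meaning all interfaces) and the default X plugin port 33060; the config fragments and `ss -ltn` text are constructed samples.

```python
"""Audit whether the MySQL X plugin listens beyond localhost.

Added example, not code from the podcast or from Ubuntu's mysql packaging.
Assumes the MySQL 8.0 option mysqlx_bind_address (default '*') and the
default X plugin port 33060; the config and `ss -ltn` samples are constructed.
"""
import configparser

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1"}
MYSQLX_PORT = 33060

# Weak: the classic port is pinned to loopback, but the X plugin keeps its default.
WEAK_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"
# Hardened: the X plugin is pinned to loopback as well (what the update does).
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\nmysqlx-bind-address = 127.0.0.1\n"

def mysqlx_bind_address(config_text):
    """Effective mysqlx_bind_address from a my.cnf fragment.  MySQL accepts
    '-' or '_' in option names; a missing option means the default '*'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   inline_comment_prefixes=("#",))
    cp.read_string(config_text)
    for key in ("mysqlx_bind_address", "mysqlx-bind-address"):
        if cp.has_option("mysqld", key):
            return cp.get("mysqld", key).strip()
    return "*"

def config_is_exposed(config_text):
    """True when the X plugin would accept connections on every interface."""
    return mysqlx_bind_address(config_text) in WILDCARDS

def exposed_listeners(ss_output, port=MYSQLX_PORT):
    """Non-loopback local addresses from `ss -ltn` text that listen on `port`:
    what the host really exposes, whatever the config file says."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")   # split 'addr:port' on the last ':'
        if lport == str(port) and addr.strip("[]") not in LOOPBACK:
            exposed.append(addr.strip("[]"))
    return exposed

SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       151     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       70      0.0.0.0:33060       0.0.0.0:*
LISTEN  0       70      [::]:33060          [::]:*
"""

if __name__ == "__main__":
    print(config_is_exposed(WEAK_CNF), config_is_exposed(HARDENED_CNF))
    print(exposed_listeners(SAMPLE_SS))
```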


[USN-4653-1] containerd vulnerability [07:27 ]



  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • The containerd-shim API was exposed via an abstract unix socket to
    containers running in the host network namespace (i.e. in the same
    network namespace as the shim). containerd-shim would validate that the
    effective UID of a connecting process was 0 but did not apply any other
    access controls, so a malicious container in the same network namespace
    with effective UID 0 but otherwise reduced privileges could spawn new
    processes via containerd-shim with full root privileges

  • Upstream advise against running containers in the host's network
    namespace

  • docker.io stops on upgrade of containerd
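Two things have to coincide for the containerd-shim issue above to matter: shim abstract sockets visible in a container's network namespace, and containers started with host networking. The following is an added example for checking both, not code from the advisory or from containerd; it parses text in the format of /proc/net/unix and `docker inspect` JSON, the samples are constructed, and the socket name prefix `@/containerd-shim/` is an assumption.

```python
"""Detect the two conditions behind the containerd-shim exposure: shim
abstract sockets reachable from the current network namespace, and
containers that share the host's network namespace.

Added example, not containerd or advisory code.  /proc/net/unix and
`docker inspect` formats are real; the samples below are constructed and
the '@/containerd-shim/' socket name prefix is an assumption.
"""
import json
import re

SHIM_SOCKET = re.compile(r"^@/containerd-shim/")

def abstract_shim_sockets(proc_net_unix):
    """Abstract unix socket names that look like containerd-shim endpoints.
    /proc/net/unix shows abstract sockets with a leading '@' and lists only
    the reader's network namespace, so a non-empty result when run inside a
    container means the shim API is reachable from it."""
    found = []
    for line in proc_net_unix.splitlines()[1:]:     # skip the header row
        fields = line.split(None, 7)                # Path is the optional 8th column
        if len(fields) == 8 and SHIM_SOCKET.match(fields[7]):
            found.append(fields[7])
    return found

def host_network_containers(inspect_json):
    """Names of containers from `docker inspect` output (a JSON list) whose
    HostConfig.NetworkMode is 'host', the setting upstream advises against."""
    return [c["Name"].lstrip("/") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("NetworkMode") == "host"]

# Constructed sample in /proc/net/unix layout: one filesystem socket, one
# abstract shim socket (placeholder container id), one unnamed socket.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21837 /run/containerd/containerd.sock
0000000000000000: 00000002 00000000 00010000 0001 01 22410 @/containerd-shim/moby/0123abcd/shim.sock@
0000000000000000: 00000003 00000000 00000000 0001 03 22655
"""

# Constructed sample of `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge"}},
    {"Name": "/agent", "HostConfig": {"NetworkMode": "host"}},
])

if __name__ == "__main__":
    print(abstract_shim_sockets(SAMPLE_PROC_NET_UNIX))
    print(host_network_containers(SAMPLE_INSPECT))
```

Run on a real host as `python3 check.py` after replacing the samples with `open("/proc/net/unix").read()` and the output of `docker inspect $(docker ps -q)`; any name in the second list is a container the first list's sockets are exposed to.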



[USN-4652-1] SniffIt vulnerability



[USN-4654-1] PEAR vulnerabilities



[USN-4655-1] Werkzeug vulnerabilities



[USN-4656-1] X.Org X Server vulnerabilities



[USN-4657-1] Linux kernel vulnerabilities [09:11 ]



[USN-4658-1] Linux kernel vulnerabilities



[USN-4659-1] Linux kernel vulnerabilities



Goings on in Ubuntu Security Community


GitHub state of open source security report 2020 [10:43 ]



  • https://octoverse.github.com/static/2020-security-report.pdf

  • Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET),
    PyPI and RubyGems

  • Found 94% of projects on GitHub relied on open source components - JS
    packages have a median of nearly 700 transitive dependencies, compared
    with 19 for Python

  • 17% of advisories sampled related to explicitly malicious behaviour
    (almost all in npm packages) - but most vulnerabilities are just mistakes

  • Vulnerabilities go undetected for just over 4 years (218 weeks) before
    disclosure; fixes then come quickly, in ~4.4 weeks, and then it takes 10
    weeks to alert users of the fix

  • A line of code written today is just as likely to contain a vulnerability
    as one written 4 years ago - so we are not getting more secure over time


Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03 ]



AppArmor 3.0.1 Released [16:27 ]



Hiring [16:52 ]


AppArmor Security Engineer



Engineering Director - Ubuntu Security



Engineering Manager - Ubuntu Security



Get in contact


Ubuntu Security Team