Episode 10

Show Notes

Overview

This week we look at some details of the 17 unique CVEs addressed across the supported Ubuntu releases, have a brief look at some Canonical presentations from LSS-EU and more.

This week in Ubuntu Security Updates

17 unique CVEs addressed

[USN-3799-2] MySQL vulnerabilities

• 3 CVEs addressed in Precise ESM
  • CVE-2018-3282
  • CVE-2018-3174
  • CVE-2018-3133
• Ubuntu 12.04 Precise ESM update for 3 CVEs fixed in usual supported releases (covered in Episode 9)

[USN-3803-1] Ghostscript vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-18284
  • CVE-2018-18073
  • CVE-2018-17961
• More ghostscript vulnerabilities! (others recent ones covered in Episodes 5 and 7)
• 2 brand new sandbox (-dSAFER) bypasses by Tavis Ormandy
• Third one is due to an incomplete fix for CVE-2018-17183

[USN-3804-1] OpenJDK vulnerabilities

• 8 CVEs addressed in Xenial, Bionic, Cosmic
  • CVE-2018-3214
  • CVE-2018-3183
  • CVE-2018-3180
  • CVE-2018-3169
  • CVE-2018-3150
  • CVE-2018-3149
  • CVE-2018-3139
  • CVE-2018-3136
• New OpenJDK release covering multiple vulnerabilities including:
  • Insufficient checking of signatures in manifest elements could allow untrusted Java application to escape sandbox
  • Insufficient checking of all JAR attributes could allow untrusted Java application to escape sandbox
  • Failure to clear HTTP header elements could result in exposure of sensitive info when follow redirect to another host
  • Possible arbitrary code execution due to failure to enforce system security properties

[USN-3805-1, USN-3805-2] curl vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-16842
  • CVE-2018-16840
  • CVE-2018-16839
• 1 CVE addressed in Precise ESM
  • CVE-2018-16839
• Buffer overflow in SASL authentication (very similar to CVE-2018-14618 from Episode 5)
• UAF when closing handle (DoS / crash)
• Out-of-bounds read when using curl to print show error messages via command-line
  • This is fixed for Precise ESM too

Goings on in Ubuntu Security Community

Linux Security Summit Europe (LSS-EU)

• 2 presentations by Canonical engineers
• https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/

Overview and Recent Developments: Namespaces and Capabilities

• Christian Brauner (Kernel engineer focussing on lxd at Canonical)
• Namespaces and Capabilities are building blocks for containers
• Summarises recent enhancements to various namespaces etc
• Future highlights: seccomp trap to userspace, LSM stacking, CAP_SYS_ADMIN split?
• Slides: https://events.linuxfoundation.org/wp-content/uploads/2017/12/2018-LSS-Europe-Edinburgh-Namespaces-and-Capabilities_Christian-Brauner.pdf
• Video: https://www.youtube.com/watch?v=-PZNF8XDNn8&list=PLbzoR-pLrL6oa4x78bHssxmGAw_ns1Tm2&index=8

Overview and Recent Developments: AppArmor

• John Johansen (Ubuntu Security team, AppArmor (kernel) maintainer)
• Summarises some of the history, use of and the latest developments in AppArmor
• Future highlights: Allow user / apps to load policy, delegation, pam_apparmor
• Slides: https://events.linuxfoundation.org/wp-content/uploads/2017/12/lss-eu-apparmor-overview-2018.pdf
• Video: https://www.youtube.com/watch?v=3MkU_Z-fClE&list=PLbzoR-pLrL6oa4x78bHssxmGAw_ns1Tm2&index=15

Blog posts

A guide to snap permissions and interfaces

• https://blog.ubuntu.com/2018/11/01/a-guide-to-snap-permissions-and-interfaces

Hiring

Ubuntu Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1158266

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter