Episode 112

Posted on Friday, Apr 16, 2021
This week we look at a reboot of the DWF project, Rust in the Linux kernel, an Ubuntu security webinar plus some details of the 45 CVEs addressed across the Ubuntu releases this last week and more.

Show Notes

This week in Ubuntu Security Updates

45 unique CVEs addressed

[LSN-0075-1] Linux kernel vulnerability [01:01]

[USN-4903-1] curl vulnerability [02:02]

[USN-4896-2] lxml vulnerability

[USN-4899-2] SpamAssassin vulnerability

[USN-4905-1] X.Org X Server vulnerability [02:26]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Local user (an X client) could crash the server via the XInput extension's ChangeFeedbackControl request - an integer underflow leads to a heap buffer overflow

[USN-4906-1] Nettle vulnerability [03:31]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Low-level crypto library used by many packages - chrony, dnsmasq, lighttpd, qemu, squid, supertuxkart
  • Could end up calling EC multiply with out-of-range scalars - as a result EC signature verification computes incorrect results, so an attacker could trigger an assertion failure -> DoS, OR force an invalid signature to be accepted -> verification bypass

[USN-4904-1] Linux kernel vulnerabilities [04:27]

[USN-4907-1] Linux kernel vulnerabilities

[USN-4909-1] Linux kernel vulnerabilities

[USN-4910-1] Linux kernel vulnerabilities

[USN-4911-1] Linux kernel (OEM) vulnerabilities

[USN-4912-1] Linux kernel (OEM) vulnerabilities

Goings on in Ubuntu Security Community

DWF v2 [07:25]

Rust support for Linux kernel [10:12]

Securing open source from cloud to edge webinar [12:19]

  • https://www.brighttalk.com/webcast/6793/440517
  • Ubuntu is built with security in mind from the ground up, and how we keep you protected against major vulnerabilities
  • How you can ensure performant open source in production environments
  • Specific security services that can help you achieve maximum availability by reducing downtime and providing access to high and critical CVE fixes
  • Ubuntu helps organisations remain compliant with government and industry standards and regulations, including Common Criteria EAL2 with FIPS 140-2 Level 1 certified crypto modules

Hiring [13:13]

AppArmor Security Engineer

Linux Cryptography and Security Engineer

Security Engineer - Ubuntu

Get in contact