Episode 148

Show Notes

Overview

It’s main vs universe as we take a deep dive into the Ubuntu archive and look at these components plus what goes into each and how the security team goes about reviewing software destined for main, plus we cover security updates for Django, BlueZ, NVIDIA Graphics Drivers and more.

This week in Ubuntu Security Updates

53 unique CVEs addressed

[USN-5265-1] Linux kernel vulnerabilities [01:19]

10 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
5.13 impish + focal hwe + 5.11 focal cloud kernel (gcp/aws/oracle/azure)

[USN-5266-1] Linux kernel (GKE) vulnerabilities

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2021-42739
- CVE-2021-22600
5.4 gke

[USN-5267-1] Linux kernel vulnerabilities

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 focal + bionic hwe

[USN-5268-1] Linux kernel vulnerabilities

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 bionic + 16.04 hwe + 14.04 azure

[USN-5260-3] Samba vulnerability [02:29]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- CVE-2021-44142
Episode 147 - vfs_fruit RCE

[USN-5269-1, USN-5269-2] Django vulnerabilities [03:00]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- CVE-2022-23833
- CVE-2022-22818
XSS via incorrect handling of the {% debug %} template tag - failed to properly encode the current context
Possible infinite loop when parsing multipart forms as used when doing file uploads

[USN-5270-1, USN-5270-2] MySQL vulnerabilities [03:38]

26 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
6 CVEs addressed in Xenial ESM (16.04 ESM)
8.0.23 for Ubuntu 20.04 LTS and 21.10
5.7.37 for Ubuntu 18.04 LTS and Ubuntu 16.04 ESM

[USN-5030-2] Perl DBI module vulnerabilities [04:11]

2 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2020-14393
- CVE-2014-10402
Episode 125

[USN-5262-1] GPT fdisk vulnerabilities

2 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2021-0308
- CVE-2020-0256

[USN-5264-1] Graphviz vulnerabilities

3 CVEs addressed in Xenial ESM (16.04 ESM)

[USN-5275-1] BlueZ vulnerability [04:25]

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- CVE-2022-0204
Heap buffer overflow in gatt-server implementation since failed to check lengths of incoming packets - could allow a remote attacker to DoS or RCE

[USN-4754-5] Python vulnerability [04:53]

2 CVEs addressed in Trusty ESM (14.04 ESM)
- CVE-2020-27619
- CVE-2021-3177
Reinstate fix for CVE-2021-3177 which was previously removed due to a regression

[USN-5276-1] NVIDIA graphics drivers vulnerabilities [05:15]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- CVE-2022-21814
- CVE-2022-21813
Various issues around handling of permissions within the kernel - could allow a local user to write to protected memory in the kernel and DoS machine

[USN-5267-2] Linux kernel regression [05:52]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 focal + bionic hwe
Inadvertent DoS when accessing CIFS shares - kernel hang - fixed by reverting various CIFS related patches

Goings on in Ubuntu Security Community

Main vs Universe with Camila

Camila discusses the different software repository components in Ubuntu - what they are, how they compare and what you can expect to find in each, as well as the process for moving packages from universe to main to be supported by Canonical, in particular focusing on the security team’s role in performing security audits of each software package along the way.