Episode 181
Posted on Friday, Oct 21, 2022
It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details
on what’s new and improved, with a particular focus on the security features,
plus we cover a high priority vulnerability in libksba as well.
Show Notes
Overview
It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details on what’s new and improved, with a particular focus on the security features, plus we cover a high priority vulnerability in libksba as well.
This week in Ubuntu Security Updates
39 unique CVEs addressed
[USN-5672-1] GMP vulnerability
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5673-1] unzip vulnerabilities
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5674-1] XML Security Library vulnerability
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5675-1] Heimdal vulnerabilities
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5677-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5678-1] Linux kernel vulnerabilities
- 9 CVEs addressed in Bionic (18.04 LTS)
[USN-5679-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5676-1] PostgreSQL vulnerability
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5680-1] gThumb vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS)
[USN-5682-1] Linux kernel (AWS) vulnerabilities
- 11 CVEs addressed in Bionic (18.04 LTS)
[USN-5683-1] Linux kernel (IBM) vulnerabilities
- 16 CVEs addressed in Jammy (22.04 LTS)
[USN-5684-1] Linux kernel (Azure) vulnerabilities
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-5570-2] zlib vulnerability
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5685-1] FRR vulnerabilities
- 2 CVEs addressed in Jammy (22.04 LTS)
[USN-5686-1] Git vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5687-1] Linux kernel (Azure) vulnerabilities
- 9 CVEs addressed in Bionic (18.04 LTS)
[USN-5688-1] Libksba vulnerability [01:24]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- libksba library used to parse and build ASN.1 objects contained within S/MIME, X.509 certificates etc
- ASN.1 supports various encoding formats - BER, DER (basic and distinguised encoding rules respectively)
- Both use a tag-length-value scheme to encode objects
- When copying these objects around, would copy both a header as well as the object itself - if an object was really large, the sum of the header size plus the object would overflow - allowing a size check to be bypassed (since when overflowing wraps around to be a small sized integer)
- Integer overflow leading to a buffer overflow
- Considered a severe bug by upstream
- in Ubuntu is used by gpgsm (used to handled SMIME signed data) and dirmngr - responsible for parsing and loading CRLS and verifying certs used by TLS
Goings on in Ubuntu Security Community
Ubuntu 22.10 Kinetic Kudu release [04:02]
- https://ubuntu.com/blog/canonical-releases-ubuntu-22-10-kinetic-kudu
- kernel 5.19
- security wise
- Faster RNG (entropy extraction switched from SHA1 to BLAKE2)
- Support for Intel Trust Domain Extensions (TDX)
- successor to SGX, builds on lessons learned
- virtualisation based confidential computing environment
- equivalent to an SGX enclave
- uses a new processor mode called SEAM
- allows to deploy legacy applications without having to adapt them a different programming model as was done for SGX
- AppArmor support for posix-mq and unprivileged user namespace mediation
- idea is that only applications which are running under an AppArmor profile with permission to user userns will be able to - unconfined will not - this kernel configuration is disabled by default but can be enabled via a sysctl:
- then unconfined applications will not be able to use them
- helps limit an attack surface for exploits - 4 out of 5 pwn2own exploits against Ubuntu this year used unprivileged userns as part of their attack chain
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
- Desktop
- pipewire is now default instead of pulseaudio - improved bluetooth handling
- GNOME 43 - gedit replaced by gnome-text-editor, gnome-terminal still there but likely will be new gnome-console in 23.04
- LibreOffice 7.4
- FF 106/ TB 102
- Updated bluez, CUPS, network-manager, Mesa 22 etc
- Server
- socket-activated SSH daemon to reduce memory footprint inside containers etc
- improved support for integration with Windows Server w/ LDAP channel binding and LDAP signing in cyrus-sasl2
- bind9 support for remote TLS verification in both
namedanddigto allow to implement strict and mutual TLS authentication - updated containerd, runc, docker.io
- updated qemu - improved emulation of RISC-V, s390x
- updated libvirt - ppc64 Power10 processor support
- For developers:
- debuginfod
- updated gcc, Go, Ruby and Rust toolchains
Canonical Product Roadmap + Engineering Sprints + Ubuntu Summit [12:32]
- No podcast for the next 3 weeks