Episode 181

Posted on Friday, Oct 21, 2022
It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details on what’s new and improved, with a particular focus on the security features, plus we cover a high priority vulnerability in libksba as well.

Show Notes

This week in Ubuntu Security Updates

39 unique CVEs addressed

[USN-5672-1] GMP vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-5673-1] unzip vulnerabilities

[USN-5674-1] XML Security Library vulnerability

[USN-5675-1] Heimdal vulnerabilities

[USN-5677-1] Linux kernel vulnerabilities

[USN-5678-1] Linux kernel vulnerabilities

[USN-5679-1] Linux kernel (HWE) vulnerabilities

[USN-5676-1] PostgreSQL vulnerability

[USN-5680-1] gThumb vulnerabilities

[USN-5682-1] Linux kernel (AWS) vulnerabilities

[USN-5683-1] Linux kernel (IBM) vulnerabilities

[USN-5684-1] Linux kernel (Azure) vulnerabilities

[USN-5570-2] zlib vulnerability

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-5685-1] FRR vulnerabilities

[USN-5686-1] Git vulnerabilities

[USN-5687-1] Linux kernel (Azure) vulnerabilities

[USN-5688-1] Libksba vulnerability [01:24]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • The libksba library is used to parse and build the ASN.1 objects found in S/MIME messages, X.509 certificates etc.
  • ASN.1 supports various encoding formats - BER and DER (basic and distinguished encoding rules respectively)
  • Both use a tag-length-value scheme to encode objects
  • When copying these objects around, libksba copies both the header and the object itself - if an object was really large, the sum of the header size plus the object size would overflow, allowing a size check to be bypassed (since the overflowed sum wraps around to a small integer)
  • Integer overflow leading to a buffer overflow
  • Considered a severe bug by upstream
  • In Ubuntu it is used by gpgsm (which handles S/MIME signed data) and dirmngr (responsible for parsing and loading CRLs and verifying certificates used by TLS)
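As an added illustration of the overflow pattern described above (this is not libksba's code; the DER length decoder and the two size checks are simplified assumptions), the vulnerable "header + object" check sits beside a form that rejects a wrapped sum:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One TLV object: hdr_len bytes of tag + length encoding, then obj_len bytes of content. */
struct tlv {
    size_t hdr_len;
    size_t obj_len;
};

/* Decode a DER tag + length from buf[0..n). Handles a one-byte tag and the
 * short (< 0x80) and long (0x81..0x8N) length forms; rejects truncated input.
 * Simplified assumption: multi-byte tags are not handled. */
bool parse_tl(const unsigned char *buf, size_t n, struct tlv *t)
{
    if (n < 2)
        return false;
    size_t pos = 1;                          /* one-byte tag */
    unsigned char b = buf[pos++];
    if (b < 0x80) {                          /* short form: the byte is the length */
        t->obj_len = b;
    } else {                                 /* long form: low 7 bits = number of length bytes */
        size_t nbytes = b & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > n - pos)
            return false;
        t->obj_len = 0;
        for (size_t i = 0; i < nbytes; i++)
            t->obj_len = (t->obj_len << 8) | buf[pos++];
    }
    t->hdr_len = pos;
    return true;
}

/* Vulnerable pattern: for a huge obj_len the sum wraps around to a small
 * value, the check passes, and a later copy of hdr_len + obj_len bytes
 * overruns the destination buffer. */
bool fits_unsafe(const struct tlv *t, size_t bufsize)
{
    size_t total = t->hdr_len + t->obj_len;  /* unsigned wrap-around happens here */
    return total <= bufsize;
}

/* Hardened form: detect the wrap-around before adding (portable, no builtins). */
bool fits_safe(const struct tlv *t, size_t bufsize)
{
    if (t->obj_len > SIZE_MAX - t->hdr_len)
        return false;                        /* sum would wrap: reject the object */
    return t->hdr_len + t->obj_len <= bufsize;
}
```

Feed both checks the same object with an object length near SIZE_MAX: the unsafe check accepts it because the sum wraps, the safe one rejects it.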

Goings on in Ubuntu Security Community

Ubuntu 22.10 Kinetic Kudu release [04:02]

  • https://ubuntu.com/blog/canonical-releases-ubuntu-22-10-kinetic-kudu
  • kernel 5.19
    • security wise
    • Faster RNG (entropy extraction switched from SHA1 to BLAKE2)
    • Support for Intel Trust Domain Extensions (TDX)
      • successor to SGX, builds on lessons learned
      • virtualisation based confidential computing environment
        • equivalent to an SGX enclave
        • uses a new processor mode called SEAM
      • allows legacy applications to be deployed without adapting them to a different programming model, as was required for SGX
  • AppArmor support for posix-mq and unprivileged user namespace mediation
    • idea is that only applications running under an AppArmor profile with permission to use userns will be able to create them; unconfined applications will not. This kernel configuration is disabled by default but can be enabled via a sysctl:
      sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
    • once enabled, unconfined applications will not be able to use unprivileged user namespaces
    • helps limit the attack surface for exploits - 4 out of 5 pwn2own exploits against Ubuntu this year used unprivileged userns as part of their attack chain
  • Desktop
    • pipewire is now default instead of pulseaudio - improved bluetooth handling
    • GNOME 43 - gedit replaced by gnome-text-editor, gnome-terminal still there but likely will be new gnome-console in 23.04
    • LibreOffice 7.4
    • Firefox 106 / Thunderbird 102
    • Updated bluez, CUPS, network-manager, Mesa 22 etc
  • Server
    • socket-activated SSH daemon to reduce memory footprint inside containers etc
    • improved support for integration with Windows Server, with LDAP channel binding and LDAP signing in cyrus-sasl2
    • bind9 support for remote TLS verification in both named and dig, allowing strict and mutual TLS authentication to be implemented
    • updated containerd, runc, docker.io
    • updated qemu - improved emulation of RISC-V, s390x
    • updated libvirt - ppc64 Power10 processor support
  • For developers:
    • debuginfod
    • updated gcc, Go, Ruby and Rust toolchains

Canonical Product Roadmap + Engineering Sprints + Ubuntu Summit [12:32]

  • No podcast for the next 3 weeks

Thanks and farewell to Shaun Murphy [13:45]

Get in contact