This week we detail the recently announced and long-awaited feature of TPM-backed full-disk encryption for the upcoming Ubuntu 23.10 release, plus we cover security updates for elfutils, GitPython, atftp, BusyBox, Docker Registry and more.
93 unique CVEs addressed
git clone and doesn’t completely validate the options and so leads to shell-command injection - thanks to Sylvain Beucler from the Debian LTS team for noticing this and pointing it out to the upstream project
/etc/group on the server but likely this is not deterministic and would be whatever else was on the heap
free() on malformed gzip data - on error, sets bit 1 of a pointer to indicate that an error occurred - would then go and pass this pointer to free() but now the pointer is 1-byte past where it should be - so need to unset this bit first
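The error-flag-in-a-pointer pattern and its fix described above, as an added example (not BusyBox's code; every name here is hypothetical). It assumes the flag value is 1, so a flagged pointer sits one byte past the real allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for illustration; this is not BusyBox's code. */
#define ERR_FLAG ((uintptr_t)1) /* flag value 1: tagged address is 1 byte off */

struct table { int entries; };

/* A handle is the malloc() address, with ERR_FLAG OR-ed in on failure. */
static int has_error(const void *h) { return ((uintptr_t)h & ERR_FLAG) != 0; }
static void *strip_error(void *h) { return (void *)((uintptr_t)h & ~ERR_FLAG); }

/* Build a table; on malformed input return the allocation with the error
 * flag set, so the caller can detect the failure and still release it. */
void *build_table(int input_ok)
{
    struct table *t = calloc(1, sizeof(*t));
    if (t == NULL)
        return NULL;
    if (!input_ok)
        return (void *)((uintptr_t)t | ERR_FLAG);
    t->entries = 1;
    return t;
}

/* Cleanup with the fix applied: clear the flag before free(). Passing the
 * tagged handle straight to free() would hand the allocator an address it
 * never returned. Returns the address that was actually freed. */
uintptr_t release_table(void *h)
{
    void *real = strip_error(h);
    uintptr_t addr = (uintptr_t)real;
    free(real);
    return addr;
}

int main(void)
{
    void *h = build_table(0); /* constructed failure case */
    if (h == NULL)
        return 1;
    printf("tagged=%#lx error=%d\n", (unsigned long)(uintptr_t)h, has_error(h));
    printf("freed=%#lx\n", (unsigned long)release_table(h));
    return 0;
}
```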
snap recovery --show-keys
emergency.service unit is still enabled which allows the usual boot checks to be bypassed