Episode 237

Show Notes

Overview

John and Maximé have been talking about Ubuntu’s AppArmor user namespace restrictions at the the Linux Security Summit in Europe this past week, plus we cover some more details from the official announcement of permission prompting in Ubuntu 24.10, a new release of Intel TDX for Ubuntu 24.04 LTS and more.

This week in Ubuntu Security Updates (01:11)

613 unique CVEs addressed in the past fortnight

[USN-6989-1] OpenStack vulnerability

• 1 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-44082

[USN-6990-1] znc vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-39844

[USN-6992-1] Firefox vulnerabilities

• 8 CVEs addressed in Focal (20.04 LTS)
  • CVE-2024-8385
  • CVE-2024-8384
  • CVE-2024-8381
  • CVE-2024-8389
  • CVE-2024-8387
  • CVE-2024-8386
  • CVE-2024-8383
  • CVE-2024-8382

[USN-6993-1] Vim vulnerabilities

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-43374
  • CVE-2024-41957

[USN-6991-1] AIOHTTP vulnerability

• 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-23334

[USN-6995-1] Thunderbird vulnerabilities

• 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2024-8384
  • CVE-2024-8381
  • CVE-2024-7525
  • CVE-2024-7522
  • CVE-2024-7519
  • CVE-2024-8382
  • CVE-2024-7529
  • CVE-2024-7527
  • CVE-2024-7526
  • CVE-2024-7521

[USN-6996-1] WebKitGTK vulnerabilities

• 6 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-4558
  • CVE-2024-40789
  • CVE-2024-40782
  • CVE-2024-40780
  • CVE-2024-40779
  • CVE-2024-40776

[USN-6841-2] PHP vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2024-5458

[USN-6997-1, USN-6997-2] LibTIFF vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-7006

[USN-6994-1] Netty vulnerabilities

• 2 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-44487
  • CVE-2023-34462
• HTTP/2 DoS, seen exploited in the wild and listen on the CISA KEV

[USN-6998-1] Unbound vulnerabilities

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-43168
  • CVE-2024-43167

[USN-6999-1] Linux kernel vulnerabilities

• 220 CVEs addressed in Noble (24.04 LTS)
• Full CVE list elided - see USN for details

[USN-7003-1, USN-7003-2, USN-7003-3] Linux kernel vulnerabilities

• 85 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
• Full CVE list elided - see USN for details

[USN-7004-1] Linux kernel vulnerabilities

• 221 CVEs addressed in Noble (24.04 LTS)
• Full CVE list elided - see USN for details

[USN-7005-1, USN-7005-2] Linux kernel vulnerabilities

• 219 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
• Full CVE list elided - see USN for details

[USN-7006-1] Linux kernel vulnerabilities

• 94 CVEs addressed in Focal (20.04 LTS)
• Full CVE list elided - see USN for details

[USN-7007-1] Linux kernel vulnerabilities

• 219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
• Full CVE list elided - see USN for details

[USN-7008-1] Linux kernel vulnerabilities

• 222 CVEs addressed in Jammy (22.04 LTS)
• Full CVE list elided - see USN for details

[USN-7009-1] Linux kernel vulnerabilities

• 219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
• Full CVE list elided - see USN for details

[USN-7019-1] Linux kernel vulnerabilities

• 429 CVEs addressed in Jammy (22.04 LTS)
• Full CVE list elided - see USN for details

[USN-7002-1] Setuptools vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-6345

[USN-7000-1, USN-7000-2] Expat vulnerabilities

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-45492
  • CVE-2024-45491
  • CVE-2024-45490

[USN-7001-1, USN-7001-2] xmltok library vulnerabilities

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-45491
  • CVE-2024-45490

[USN-6560-3] OpenSSH vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-51385

[USN-7011-1, USN-7011-2] ClamAV vulnerabilities

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-20506
  • CVE-2024-20505

[USN-7012-1] curl vulnerability

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-8096

[USN-7013-1] Dovecot vulnerabilities

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2024-23185
  • CVE-2024-23184

[USN-7014-1] nginx vulnerability

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-7347

[USN-7015-1] Python vulnerabilities

• 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-8088
  • CVE-2024-7592
  • CVE-2024-6923
  • CVE-2024-6232
  • CVE-2023-27043

[USN-7010-1] DCMTK vulnerabilities

• 9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-34509
  • CVE-2024-34508
  • CVE-2024-28130
  • CVE-2022-43272
  • CVE-2022-2121
  • CVE-2021-41690
  • CVE-2021-41689
  • CVE-2021-41688
  • CVE-2021-41687

[USN-7016-1] FRR vulnerability

• 1 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-44070

[USN-7017-1] Quagga vulnerability

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2024-44070

[USN-7018-1] OpenSSL vulnerabilities

• 6 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2024-0727
  • CVE-2023-3446
  • CVE-2022-2068
  • CVE-2022-1292
  • CVE-2021-23840
  • CVE-2020-1968

Goings on in Ubuntu Security Community

Linux Security Summit Europe 2024 (03:44)

• https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/
• Sep 16-17 - Vienna, Austria
• John Johansen and Maxime Bélair from AppArmor team presented “Restricting Unprivileged User Namespaces in Ubuntu”
  • https://youtu.be/yCHGmdXpylA?t=1053
  • https://static.sched.com/hosted_files/lsseu2024/ed/Restricting%20Unprivileged%20User%20Namespaces%20In%20Ubuntu.pdf
• Other talks
  • Deep-dive into xz-utils supply chain attack
  • Internals of the SLUB memory allocator for exploit developers
  • Landlock update - including details of new IOCTL restrictions etc
  • systemd and TPM2 update

Official announcement of Permissions Prompting in Ubuntu 24.10 (09:00)

• https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963
• Ubuntu Security Center with snapd-based AppArmor home file access prompting preview in episode 236
• Even works for command-line applications etc - not just graphical
• Covers future developments as well:
  • Better default response suggestions based on user feedback.
  • Shell integration of the prompting pop-ups (eg full screen takeovers)
  • Improved rule management summaries and better messaging of overlapping or redundant prompts.
  • Expansion of the prompting system to cover additional snap interfaces such as camera and microphone access.
  • Smarter client side analysis of prompts, recommending additional options if multiple similar prompts are detected.

Version 2.1 of IntelⓇ TDX on Ubuntu 24.04 LTS Released (11:46)

• https://discourse.ubuntu.com/t/version-2-1-of-intel-tdx-on-ubuntu-24-04-lts-released/47918/1
• Confidential computing - using TDX to run VMs in confidential mode - runs workloads (VMs) in hardware-backed isolated execution environments (Trust Domains). VM memory isolation via encryption in hardware so can’t be accessed by the hypervisor, remote attestation etc (Confidential Computing with Ijlal Loutfi and Karen Horovitz from Episode 230)
• https://discourse.ubuntu.com/t/intel-tdx-1-0-technology-preview-available-on-ubuntu-23-10/40698
• Scripting to setup the required elements to use TDX on Ubuntu 24.04 host and then setup guest VMs to run in confidential mode
  • Install server image, run scripts, enable TDX in BIOS, create VM images etc
  • Can also configure remote attestation of VM too
• See full changes at https://github.com/canonical/tdx/releases/tag/2.1

Ubuntu 22.04.5 LTS released (13:45)

• https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835/8
  • Only covers changes in main and restricted, doesn’t list security updates either
• https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

AppArmor security update for CVE-2016-1585 published (14:23)

• Upcoming AppArmor Security update for CVE-2016-1585 from Episode 226
• https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268/3
• Now published to -updates pocket for 20.04 LTS and 22.04 LTS
• Will be published to -security pocket next week

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter