Episode 29

Posted on Tuesday, Apr 30, 2019
This week we look at fixes from the past two weeks including BIND, NTFS-3G, Dovecot, Pacemaker and more, plus we follow up last episode's IoT security discussion with Joe McManus talking about Ubuntu Core. Finally we cover the release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04 Trusty Tahr to Extended Security Maintenance.

Show Notes

These past two weeks in Ubuntu Security Updates

53 unique CVEs addressed

[USN-3947-1, USN-3947-2] Libxslt vulnerability

  • 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Library to transform XML via XSLT stylesheets (themselves XML documents)
  • Includes a security framework, since XSLT can define operations that fetch, read or write files and other resources
  • Various functions return 0 when an operation is not allowed by the framework, and that case was checked for and correctly disallowed - BUT they could also return -1 on error (say from a potentially bad URL), which was not caught, so processing continued and fetched from the URL in question, violating the security policy
  • Fixed to also check for the error return and handle it the same as an explicit policy violation
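
The check-the-wrong-value pattern described above, as an added illustration rather than libxslt's own code. `check_read` is a constructed stand-in for the framework's policy check that uses the same convention (1 allowed, 0 forbidden, -1 error), and the two `fetch_allowed_*` functions show the original test beside the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the security framework's read check:
 *   1  = allowed by policy
 *   0  = explicitly forbidden by policy
 *  -1  = error (here: a malformed URL the policy cannot evaluate) */
static int check_read(const char *url) {
    if (strchr(url, ' ') != NULL)
        return -1;                          /* malformed URL -> error */
    if (strncmp(url, "file://", 7) == 0)
        return 0;                           /* local file reads forbidden */
    return 1;
}

/* Original pattern: only the explicit "forbidden" result stops the fetch,
 * so an error (-1) falls through and the resource is fetched anyway. */
int fetch_allowed_vulnerable(const char *url) {
    int ret = check_read(url);
    if (ret == 0)
        return 0;                           /* denied */
    return 1;                               /* -1 slips through here */
}

/* Fixed pattern: anything other than an explicit "allowed" stops the fetch,
 * so errors are treated the same as a policy violation. */
int fetch_allowed_fixed(const char *url) {
    int ret = check_read(url);
    if (ret <= 0)
        return 0;                           /* denied or error -> denied */
    return 1;
}

int main(void) {
    /* Constructed sample URLs: allowed, forbidden, and malformed. */
    const char *urls[] = { "http://example.test/doc.xml",
                           "file:///tmp/doc.xml",
                           "bad url with spaces" };
    for (int i = 0; i < 3; i++)
        printf("%-30s vulnerable=%d fixed=%d\n", urls[i],
               fetch_allowed_vulnerable(urls[i]), fetch_allowed_fixed(urls[i]));
    return 0;
}
```

The malformed URL is the interesting row: the original check lets it through, the fixed check denies it.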

[USN-3948-1] WebKitGTK+ vulnerabilities

[USN-3949-1] OpenJDK 11 vulnerability

  • 1 CVE addressed in Bionic
  • Backport of openjdk-11 from Disco to Bionic; includes a minor security fix for a memory disclosure vulnerability which could enable an attacker to bypass the sandbox

[USN-3918-4] Firefox regressions

[USN-3914-2] NTFS-3G update

  • Affecting Xenial, Bionic, Cosmic
  • Episode 25 covered the ntfs-3g update for a possible heap buffer overflow
    • As the binary was setuid root, this could possibly be used for root privilege escalation
  • This update removes setuid root to additionally harden ntfs-3g so that any future vulnerabilities can't be used for privilege escalation

[USN-3950-1] ZNC vulnerability

  • 1 CVE addressed in Cosmic
  • Crash -> DoS due to improper handling of character encoding - if a remote user specified an invalid encoding it could cause znc to crash
  • Fixed to fall back to UTF-8 if an unknown encoding is specified

[USN-3951-1] Dovecot vulnerability

  • 1 CVE addressed in Cosmic, Disco
  • Only affects Dovecot 2.3 and hence only Cosmic, Disco, Eoan etc
  • Improper handling of an invalid UTF-8 username during JSON encoding could cause the authentication service to crash

[USN-3952-1] Pacemaker vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Cluster resource manager - high availability and load balancing for OpenStack
  • All discovered by Jan Pokorný - a local attacker could possibly escalate privileges, cause a denial of service, or cause sensitive information to be leaked to system logs

[USN-3953-1] PHP vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • php7.2 and php7.0
  • Buffer over-read when processing certain EXIF tags - possible information disclosure or crash -> DoS

[USN-3922-2, USN-3922-3] PHP vulnerabilities

[USN-3936-2] AdvanceCOMP vulnerability

[USN-3954-1] FreeRADIUS vulnerabilities

  • 2 CVEs addressed in Bionic, Cosmic, Disco
  • 2 possible “Dragonblood” authentication bypass issues - mentioned back in Episode 28 in the context of wpa_supplicant and hostapd - similar issue for FreeRADIUS

[USN-3955-1] tcpflow vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic
  • Stack based buffer overflow and an integer overflow -> usual effects (crash -> DoS / information disclosure)

[USN-3956-1] Bind vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • DoS - possible to bypass BIND's limits on simultaneous TCP clients and so cause a DoS via excessive resource usage

IoT Security follow-up with Joe McManus

  • Alex and Joe follow up on last episode’s conversation about IoT and in particular talk about Ubuntu Core and how this has been engineered to address many of these common IoT security design and implementation flaws

Goings on in Ubuntu Security Community

Ubuntu 19.04 Disco Dingo Released

  • Released on Thursday 18th April
  • Officially supported by Canonical for 9 months - with security fixes for packages in main by the security team

Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Get in contact