Episode 29
Posted on Tuesday, Apr 30, 2019
This week we look at fixes from the past two weeks including BIND, NTFS-3G,
Dovecot, Pacemaker and more, plus we follow up last episodes IoT security
discussion with Joe McManus talking about Ubuntu Core. Finally we cover the
release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04
Trusty Tahr to Extended Security Maintenance.
Show Notes
Overview
This week we look at fixes from the past two weeks including BIND, NTFS-3G, Dovecot, Pacemaker and more, plus we follow up last episodes IoT security discussion with Joe McManus talking about Ubuntu Core. Finally we cover the release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04 Trusty Tahr to Extended Security Maintenance.
These past two weeks in Ubuntu Security Updates
53 unique CVEs addressed
[USN-3947-1, USN-3947-2] Libxslt vulnerability
- 1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Library to transform XML via XML definitions
- Includes a security framework since XSLT can define operations to fetch/read/write files and resources etc
- Various functions would return 0 if an operation is not allowed by the framework which was checked for and correctly disallowed - BUT they could also return -1 on error (say from a potentially bad URL) which would not be caught and so then would proceed and would fetch from the URL in question thereby violating the security policy
- Fixed to also check for error codes on handle the same as an explicit policy violation
[USN-3948-1] WebKitGTK+ vulnerabilities
- 14 CVEs addressed in Bionic, Cosmic
- Wide mix of issues fixed including XSS and DoS attacks or possible arbitrary code execution if visiting a malicious website
[USN-3949-1] OpenJDK 11 vulnerability
- 1 CVEs addressed in Bionic
- Backport of openjdk-11 from Disco to Bionic, includes a minor security fix to memory disclosure vulnerablity which could enable an attacker to bypass sandbox
[USN-3918-4] Firefox regressions
- 17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Episode 26 covered 66.0.2 regression - this is now 66.0.3 to fix further regressions in keyboard handling as discussed previously
[USN-3914-2] NTFS-3G update
- Affecting Xenial, Bionic, Cosmic
- Episode 25 covered ntfs-3g update for possible heap buffer overflow
- As was setuid root this could possibly be used for root privilege escalation
- This update removes setuid root to additionally harden ntfs-3g so that any future vulnerablilites can’t be used for privilege escalation
[USN-3950-1] ZNC vulnerability
- 1 CVEs addressed in Cosmic
- crash -> DoS due to improper handling of character encoding - if a remote user specified an invalid encoding it could cause znc to crash
- Fixed to fallback to utf-8 if unknown encoding specified
[USN-3951-1] Dovecot vulnerability
- 1 CVEs addressed in Cosmic, Disco
- Only affects Dovecot 2.3 and hence only Cosmic, Disco, Eoan etc
- Improper handling of invalid utf-8 username in JSON encoding could cause the authentication service to crash
[USN-3952-1] Pacemaker vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Cluster resource manager - high availability and load balancing for OpenStack
- All discovered by Jan Pokorný - local attacker could possibly escalate privileges or cause a denial of service or to cause sensitive information to be leaked to system logs
[USN-3953-1] PHP vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- php7.2 and php7.0
- Buffer over-read when processing certain EXIF tags - possible information disclosure or crash -> DoS
[USN-3922-2, USN-3922-3] PHP vulnerabilities
- 7 CVEs addressed in Precise ESM, Trusty
- Most covered back in Episode 26
[USN-3936-2] AdvanceCOMP vulnerability
- 1 CVEs addressed in Disco
- Corresponding update for Disco - covered in Episode 27
[USN-3954-1] FreeRADIUS vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- 2 possible “Dragonblood” authentication bypass issues - mentioned back in Episode 28 in the context of wpa_supplicant and hostapd - similar issue for FreeRADIUS
[USN-3955-1] tcpflow vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic
- Stack based buffer overflow and an integer overflow -> usual effects (crash -> DoS / information disclosure)
[USN-3956-1] Bind vulnerability
- 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- DoS - possible to bypass bind’s limits on simultaneous TCP clients and so cause a DoS via excessive resource usage
IoT Security follow-up with Joe McManus
- Alex and Joe follow up on last episode’s conversation about IoT and in particular talk about Ubuntu Core and how this has been engineered to address many of these common IoT security design and implementation flaws
Goings on in Ubuntu Security Community
Ubuntu 19.04 Disco Dingo Released
- Released on Thursday 18th April
- Officially supported by Canonical for 9 months - with security fixes for packages in main by the security team
Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance
- Standard support period concluded on Thursday 25th April
- Users are encouraged to upgrade to our latest LTS release 18.04 via 16.04
- Extended security maintenance is now available via Ubuntu Advantage
- https://blog.ubuntu.com/2019/02/05/ubuntu-14-04-trusty-tahr
- https://www.ubuntu.com/esm