Episode 48

Posted on Thursday, Oct 10, 2019
This week we look at security updates for the Linux kernel, SDL 2, ClamAV and more, plus Alex and Joe talk security and performance trade-offs, snaps and OWASP Top 10 Cloud Security recommendations, and finally Alex covers some recent concerns about the security of the Snap Store.

Show Notes

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-4142-1, USN-4142-2] e2fsprogs vulnerability [00:37]

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Reported by Cisco TALOS - possible code execution via an OOB write to the heap in the code which handles quota support in ext4 - can be triggered via a specially crafted ext4 partition, e.g. during an fsck of that partition

[USN-4143-1] SDL 2.0 vulnerabilities [01:37]

  • 5 CVEs addressed in Xenial, Bionic, Disco
  • 3 different heap-based buffer over-reads -> crash, DoS
  • Heap-based buffer over-write -> possible code execution or at least crash -> DoS
  • Integer overflow -> small alloc -> heap-based buffer overflow -> possible code execution

[USN-4147-1] Linux kernel vulnerabilities [02:23]

[USN-4144-1] Linux kernel vulnerabilities [05:02]

  • 2 CVEs addressed in Xenial (HWE), Bionic
  • 2 different XFS issues
    • UAF triggered from a malicious XFS image -> code execution? -> crash, DoS
    • CPU-based DoS if an attacker can trigger a chgrp() error due to being out of quota

[USN-4145-1] Linux kernel vulnerabilities [05:46]

[USN-4146-1, USN-4146-2] ClamAV vulnerabilities [06:00]

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Update to latest upstream version (0.101.4)
  • OOB read when handling crafted BZIP2 and ZIP files - the bzip2 issue was covered for the bzip2 package itself in Ubuntu in Episode 38; clamav vendors its own copy of bzip2, hence this update

Goings on in Ubuntu Security Community

Alex and Joe talk security and performance trade-offs, snaps and OWASP Top 10 Cloud Security recommendations [07:01]

Alex addresses some concerns with the perceived security of the Snap Store [20:44]
