Episode 57
Posted on Thursday, Dec 19, 2019
In the final episode of 2019, we look at security updates for RabbitMQ,
GraphicsMagick, OpenJDK and more, plus Joe and Alex discuss a typical
day-in-the-life of a Ubuntu Security Team member.
Show Notes
Overview
In the final episode of 2019, we look at security updates for RabbitMQ, GraphicsMagick, OpenJDK and more, plus Joe and Alex discuss a typical day-in-the-life of a Ubuntu Security Team member.
This week in Ubuntu Security Updates
34 unique CVEs addressed
[USN-4217-2] Samba vulnerabilities [01:00]
- 2 CVEs addressed in Trusty ESM
- See Episode 56
[USN-4214-2] RabbitMQ vulnerability [01:23]
- 1 CVEs addressed in Xenial, Bionic
- AMQP implementation
- Possible integer overflow when handling the CONNECTION_STATE_HEADER frame - rogue server could return a malicious frame header which is then processed by the client and leads to a smaller target_size value due to integer overflow - then when the frame data is copied in via memcpy() this would overwrite past the bounds of the heap allocation, and with attacker controlled data
- Not an issue if connecting to trusted servers
[USN-4222-1] GraphicsMagick vulnerabilities [02:28]
- 15 CVEs addressed in Xenial
- Episode 55 covered previous update for GraphicsMagick - more of the same here
[USN-4223-1] OpenJDK vulnerabilities [03:00]
- 16 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Latest upstream micro-release for openjdk 8 and openjdk 11
- Various mix of issues (buffer overflows, NULL pointer dereferences and various denial of service issues on application crashes in different scenarios) - see the full USN for details