Episode 60

Show Notes

Overview

Security updates for python-apt, GnuTLS, tcpdump, the Linux kernel and more, plus we look at plans to integrate Ubuntu Security Notices within the main ubuntu.com website.

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-4247-1, USN-4247-2, USN-4247-3] python-apt vulnerabilities [00:42]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-15796
  • CVE-2019-15795
• Could still use md5 to validate downloads - md5 has been broken for a while now so if md5 hashes were available for a repo then these would be trusted - instead, verify all hashes
• Ensure repository is trusted before downloading from it - in some cases, could configure repositories that were not trusted and python-apt based clients would not check trust - so would use it - now always check and verify unless the repository is specifically configured as trusted

[USN-4248-1] GraphicsMagick vulnerabilities [02:31]

• 10 CVEs addressed in Xenial
  • CVE-2017-17783
  • CVE-2017-17782
  • CVE-2017-17503
  • CVE-2017-17502
  • CVE-2017-17501
  • CVE-2017-17500
  • CVE-2017-17498
  • CVE-2017-16669
  • CVE-2017-16547
  • CVE-2017-16545
• Episode 59, Episode 57, Episode 55 etc

[USN-4246-1] zlib vulnerabilities [02:55]

• 4 CVEs addressed in Xenial
  • CVE-2016-9843
  • CVE-2016-9842
  • CVE-2016-9841
  • CVE-2016-9840
• Trail of Bits security audit of zlib found various instances of undefined behaviour in the implementation - pointer increment operations on undefined memory ranges, shifts by negative indices etc. Unlikely to have any real world impact.

[USN-4249-1] e2fsprogs vulnerability [03:55]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-5188
• Stack buffer overflow when e2fsck’ing a specially crafted ext4 file-system image

[USN-4233-2] GnuTLS update [04:34]

• Affecting Xenial, Bionic
• Episode 59 - disabled SHA1 for digital signatures in GnuTLS - this update adds VERIFY_ALLOW_BROKEN and VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings so can still use sha1 if really needed

[USN-4230-2] ClamAV vulnerability [05:16]

• 1 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-15961
• Episode 59

[USN-4250-1] MySQL vulnerabilities [05:34]

• 14 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2020-2694
  • CVE-2020-2686
  • CVE-2020-2679
  • CVE-2020-2660
  • CVE-2020-2627
  • CVE-2020-2589
  • CVE-2020-2588
  • CVE-2020-2584
  • CVE-2020-2579
  • CVE-2020-2577
  • CVE-2020-2574
  • CVE-2020-2573
  • CVE-2020-2572
  • CVE-2020-2570
• New upstream release (5.7.29 - xenial, bionic) (8.0.19 - eoan)

[USN-4251-1] Tomcat vulnerabilities [06:02]

• 2 CVEs addressed in Xenial
  • CVE-2019-17563
  • CVE-2019-12418

[USN-4252-1, USN-4252-2] tcpdump vulnerabilities [06:05]

• 28 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic
  • CVE-2019-15167
  • CVE-2019-15166
  • CVE-2019-1010220
  • CVE-2018-19519
  • CVE-2018-16452
  • CVE-2018-16451
  • CVE-2018-16300
  • CVE-2018-16230
  • CVE-2018-16229
  • CVE-2018-16228
  • CVE-2018-16227
  • CVE-2018-14882
  • CVE-2018-14881
  • CVE-2018-14880
  • CVE-2018-14879
  • CVE-2018-14470
  • CVE-2018-14469
  • CVE-2018-14468
  • CVE-2018-14467
  • CVE-2018-14466
  • CVE-2018-14465
  • CVE-2018-14464
  • CVE-2018-14463
  • CVE-2018-14462
  • CVE-2018-14461
  • CVE-2018-10105
  • CVE-2018-10103
  • CVE-2017-16808
• Usual mix of buffer overflows and the like in various tcpdump dissectors - in general you should not run tcpdump on untrusted data - when run as root, by default tcpdump will drop permissions to the tcpdump user after opening the capture device so this makes it somewhat safer

[USN-4253-1, USN-4253-2] Linux kernel vulnerability [07:30]

• 1 CVEs addressed in Bionic (HWE), Eoan (5.3 kernel)
  • CVE-2019-14615
• Intel GPU would fail to clear state during context switch - could allow an info leak between local users - so update driver to forcibly clear state

[USN-4255-1, USN-4255-2] Linux kernel vulnerabilities [08:07]

• 2 CVEs addressed in Xenial (HWE), Bionic (4.15 kernel)
  • CVE-2020-7053
  • CVE-2019-14615
• Intel GPU state info leak
• Intel GPU driver (i915) UAF - crash / code execution

[USN-4258-1] Linux kernel vulnerabilities [08:40]

• 15 CVEs addressed in Bionic (AWS, GCP, GKE) (5.0 kernel)
  • CVE-2019-15291
  • CVE-2019-19767
  • CVE-2019-19332
  • CVE-2019-19252
  • CVE-2019-19227
  • CVE-2019-19082
  • CVE-2019-19079
  • CVE-2019-19078
  • CVE-2019-19077
  • CVE-2019-19071
  • CVE-2019-19062
  • CVE-2019-19050
  • CVE-2019-18885
  • CVE-2019-18683
  • CVE-2019-15099
• OOB write in KVM hypervisor via /dev/kvm
• Virtual console could allow writes via unimplemented unicode devices - out of bounds memory access - crash etc
• 2 separate memory leaks in crypto subsystem on certain failure paths - local user accessible - DoS via memory exhaustion
• NULL ptr deref in Atheros wireless USB driver

[USN-4254-1, USN-4254-2] Linux kernel vulnerabilities [09:54]

• 9 CVEs addressed in Trusty ESM (HWE), Xenial (4.4 kernel)
  • CVE-2019-15291
  • CVE-2019-19332
  • CVE-2019-19227
  • CVE-2019-19063
  • CVE-2019-19062
  • CVE-2019-19057
  • CVE-2019-18885
  • CVE-2019-18683
  • CVE-2019-14615
• OOB write in KVM hypervisor via /dev/kvm
• Crypto memory leak
• Intel GPU info leak

[USN-4256-1] Cyrus SASL vulnerability [10:24]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2019-19906
• OOB write due to off-by-one error - originally reported against OpenLDAP which uses cyrus-sasl and was able to be crashed by an unauthenticated remote user due to this

[USN-4236-3] Libgcrypt vulnerability [10:57]

• 1 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-13627
• Episode 59 - ECDSA side-channel timing attack

[USN-4257-1] OpenJDK vulnerabilities [11:15]

• 8 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2020-2659
  • CVE-2020-2655
  • CVE-2020-2654
  • CVE-2020-2604
  • CVE-2020-2601
  • CVE-2020-2593
  • CVE-2020-2590
  • CVE-2020-2583
• Latest upstream release (11.0.6)

Goings on in Ubuntu Security Community

Moving Ubuntu Security Notices to ubuntu.com/security [11:34]

• mpt put out a call for feedback on plans to move USNs from usn.ubuntu.com to ubuntu.com/security/
• originally announced as a plan back in October on the ubuntu-hardened mailing list
• posted a mock-up of the resulting page and called for feedback
• this is expected to land in the next few weeks
• https://discourse.ubuntu.com/t/security-notices-on-ubuntu-com/14159

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter