Episode 68

Show Notes

Overview

This week we cover security updates for Apache, Twisted, Vim a kernel livepatch and more, plus Alex and Joe discuss OVAL data feeds and the cvescan snap for vulnerability awareness.

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-4307-1] Apache HTTP Server update [00:24]

• TLSv1.3 enabled in Ubuntu 18.04 LTS (bionic)
  • Enabled by default, could cause compatibility issues in some environments - can be disabled using the SSLProtocol directive
  • https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263

[LSN-0064-1] Linux kernel vulnerability [01:03]

• 1 CVEs addressed in Xenial, Bionic
  • CVE-2020-2732
• KVM nested virtualisation issue (L2 guest could access resources of L1 parent) - Episode 67

[USN-4308-1] Twisted vulnerabilities [02:07]

• 7 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2020-10109
  • CVE-2020-10108
  • CVE-2019-9515
  • CVE-2019-9514
  • CVE-2019-9512
  • CVE-2019-12855
  • CVE-2019-12387
• 2 variations of a HTTP request splitting / smuggling vuln (Episode 52)
• 3 HTTP/2 DoS issues (Episode 43)
• MITM of XMPP TLS connections due to failure to verify certs
• Failure to sanitize URIs or HTTP methods in twisted.web

[USN-4309-1] Vim vulnerabilities [03:53]

• 7 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2017-11109
  • CVE-2017-6350
  • CVE-2017-6349
  • CVE-2019-20079
  • CVE-2018-20786
  • CVE-2017-5953
• All low / negligible since requires a user to use vim to source a crafted file (ie a list of commands / settings for vim) or crafted undo / spelling dictionary etc
• Integer overflows -> heap overflows -> DoS / RCE etc

[USN-4134-3] IBus vulnerability [04:49]

• 1 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2019-14822
• Episode 47 - implements it’s own private DBus server which clients connect to - original vuln allowed any user who knew address of this bus to connect to it - update fixed this by checking the connecting user was the same as the owning user - but caused a regression in Qt clients - would fail to be able to properly connect to ibus - was reverted - this has seen been fixed by fixing the GDBusServer implementation in libglib2 since it was actually incorrect - and so now we have re-fixed in ibus

Goings on in Ubuntu Security Community

Alex and Joe discuss Ubuntu Security OVAL feeds and cvescan [06:47]

• https://people.canonical.com/~ubuntu-security/oval/
• https://snapcraft.io/cvescan

Securing open source through CVE prioritisation [15:56]

• https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter