Episode 71

Posted on Thursday, Apr 16, 2020
This week Joe discusses Ubuntu’s involvement in ZDI’s Pwn2Own with special guests Steve Beattie and Marc Deslauriers from the Ubuntu Security team, plus we do the usual roundup of fixed vulnerabilities including libssh, Thunderbird, Git and a kernel Livepatch.

Show Notes

This week in Ubuntu Security Updates

38 unique CVEs addressed

[USN-4325-1] Linux kernel vulnerabilities [00:59]

[USN-4326-1] libiberty vulnerabilities [01:46]

[USN-4327-1] libssh vulnerability [02:57]

  • 1 CVE addressed in Bionic, Eoan
  • A malicious client or server could crash the other end when using AES-CTR ciphers, due to an error in memory handling on cleanup of the cipher context when closing the connection -> DoS

[LSN-0065-1] Linux kernel vulnerability [03:41]

[USN-4328-1] Thunderbird vulnerabilities [04:31]

[USN-4329-1] Git vulnerability [05:11]

  • 1 CVE addressed in Xenial, Bionic, Eoan
  • Git would not properly handle URLs that include newlines and, as a result, would possibly send credentials to the wrong host - fixed by forbidding a newline in any part of credential handling

Goings on in Ubuntu Security Community

Joe discusses Ubuntu’s participation in ZDI’s Pwn2Own with Steve Beattie and Marc Deslauriers [06:25]
