Episode 84

Posted on Thursday, Jul 30, 2020
In a week when too many security updates are never enough, we cover the biggest one of them all for a while, BootHole, with an interview between Joe McManus and Alex Murray for some behind-the-scenes and in-depth coverage, plus we also look briefly at the other 100-odd CVEs for the week in FFmpeg, OpenJDK, LibVNCServer, ClamAV and more.

Show Notes


This week in Ubuntu Security Updates

109 unique CVEs addressed

[USN-4428-1] Python vulnerabilities [01:03]

[USN-4431-1] FFmpeg vulnerabilities [01:31]

[USN-4430-2] Pillow vulnerabilities [02:15]

[USN-4433-1] OpenJDK vulnerabilities [02:33]

[USN-4434-1] LibVNCServer vulnerabilities [03:11]

[USN-4435-1, USN-4435-2] ClamAV vulnerabilities [04:03]

  • 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • 0.102.4 release
  • NULL pointer dereference on a crafted EGG archive; a race condition where an attacker could replace the target directory with a symlink and get clamscan to remove that target; OOB read in the ARJ decoder (the previous fix, covered in Episode 76, was incomplete)

[USN-4436-1, USN-4436-2] librsvg vulnerabilities / regression [04:55]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • The update caused a regression since it removed a symbol - backed out, waiting for a more complete fix from upstream

[USN-4437-1] libslirp vulnerability [05:26]

  • 1 CVE addressed in Focal (20.04 LTS)
  • OOB read in ICMPv6 echo reply handling - a guest can leak the contents of host memory -> info disclosure

[USN-4438-1] SQLite vulnerability [05:45]

  • 1 CVE addressed in Focal (20.04 LTS)
  • Heap buffer overflow

[USN-4439-1] Linux kernel vulnerabilities [05:51]

[USN-4440-1] Linux kernel vulnerabilities [06:05]

[USN-4441-1] MySQL vulnerabilities [06:17]

[USN-4442-1] Sympa vulnerabilities [06:54]

[USN-4443-1] Firefox vulnerabilities [07:27]

[USN-4432-1] GRUB 2 vulnerabilities [07:39]

Goings on in Ubuntu Security Community

Alex and Joe take an in-depth and behind-the-scenes look at BootHole / GRUB 2 [08:14]

Alex hints at a pending future secureboot-db update [23:55]