Episode 94

Posted on Friday, Oct 30, 2020
This week we cover news of the CITL drop of 7000 “vulnerabilities”, the Ubuntu Security disclosure and embargo policy plus we look at security updates for pip, blueman, the Linux kernel and more.

Show Notes

This week in Ubuntu Security Updates

117 unique CVEs addressed

[USN-4596-1] Tomcat vulnerabilities [01:01]

[USN-4587-1] iTALC vulnerabilities

[USN-4588-1] FlightGear vulnerability

[USN-4552-2] Pam-python vulnerability

[USN-4597-1] mod_auth_mellon vulnerabilities

[USN-4598-1] LibEtPan vulnerability

[USN-4600-1, USN-4600-2] Netty vulnerabilities

[USN-4601-1] pip vulnerability [01:34]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • Failed to sanitize filenames during pip install when the install command was given a URL - a remote attacker controlling that server could supply a Content-Disposition header that instructs pip to overwrite arbitrary files
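The class of bug described above is a download path derived from a server-controlled header. The following is an added example (not pip's own code) of parsing the filename parameter of a Content-Disposition header and reducing it to a single path component before joining it to the download directory; the header strings are constructed for the example, and the simplified regex deliberately ignores the RFC 6266 filename*= encoded form, which falls through to the fallback name taken from the URL.

```python
import os
import re
from typing import Optional

# Constructed sample headers (not from the advisory): one benign, three that
# try to steer the saved file outside the download directory.
SAMPLE_HEADERS = {
    "benign": 'attachment; filename="package-1.0.tar.gz"',
    "traversal": 'attachment; filename="../../../home/user/.bashrc"',
    "absolute": 'attachment; filename="/etc/passwd"',
    "empty": 'attachment; filename=""',
}

# Simplified: matches filename=foo and filename="foo"; filename*= (RFC 6266
# encoded form) is intentionally not matched and therefore ignored.
_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]*)"?', re.IGNORECASE)


def parse_content_disposition_filename(header: Optional[str]) -> Optional[str]:
    """Return the raw filename parameter from a Content-Disposition header, or None."""
    m = _FILENAME_RE.search(header or "")
    if not m:
        return None
    return m.group(1).strip()


def sanitize_filename(name: Optional[str], fallback: str) -> str:
    """Accept a server-supplied name only if it is a single, plain path component.

    Anything containing a directory separator (either flavour), a NUL byte, or
    that is empty / '.' / '..' is replaced by `fallback` (e.g. the last URL
    segment), so the server cannot choose where the file lands.
    """
    if not name:
        return fallback
    normalised = name.replace("\\", "/")
    if "/" in normalised or "\x00" in normalised or normalised in (".", ".."):
        return fallback
    return normalised


def download_target(download_dir: str, header: Optional[str], url_basename: str) -> str:
    """Compute the final on-disk path and double-check it stays inside download_dir."""
    name = sanitize_filename(parse_content_disposition_filename(header), url_basename)
    target = os.path.join(download_dir, name)
    # Defence in depth: even after sanitising, refuse anything that escapes the directory.
    if os.path.commonpath([os.path.abspath(download_dir), os.path.abspath(target)]) != os.path.abspath(download_dir):
        raise ValueError(f"refusing to write outside {download_dir}: {target}")
    return target


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:10s} -> {download_target('/tmp/downloads', header, 'fallback.tar.gz')}")
```

The important property is that the header can at most pick a name inside the download directory; it can never supply a directory component, so the overwrite-arbitrary-files outcome described in the advisory is not reachable regardless of what the server sends.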

[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]

[LSN-0073-1] Linux kernel vulnerability [03:02]

[USN-4593-2] FreeType vulnerability [03:23]

[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]

[USN-4562-2] kramdown vulnerability

[USN-4605-1] Blueman vulnerability [04:10]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs & Debian maintainers to get this resolved - thanks :)
  • Blueman provides a dbus API to spawn a DHCP client when doing bluetooth-based networking
  • Would not sanitise the provided argument and would pass it directly to dhcpcd, which supports specifying a script file to run - that script gets executed as root, so this is a simple local root privesc
  • Fixed by changing the way the argument is provided to dhcpcd so that it cannot pass arbitrary flags
  • Should also note that by default Ubuntu uses isc-dhcp-client, not dhcpcd, so unless you have manually installed dhcpcd this cannot be exploited
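The blueman issue is argument injection: a caller-supplied string reaches a privileged subprocess's argv where the program's own option parser sees it. The example below is added here and is not blueman's or dhcpcd's code; the function names are hypothetical. It shows the pre-fix shape (the string is passed through unchecked) next to a hardened builder that only accepts a string that can be a Linux network interface name, which is enough to rule out anything dhcpcd would parse as an option. It only builds the argv list and never executes anything.

```python
import re
from typing import List

# Linux interface names are at most 15 characters and cannot contain '/',
# whitespace or NUL (the kernel's dev_valid_name() rule). The character set
# below is an assumption chosen for the example; it is stricter than the
# kernel's, which is the safe direction.
_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def is_valid_interface_name(name: str) -> bool:
    """True only for strings that can be a network interface name."""
    if name in (".", ".."):
        return False
    if name.startswith("-"):
        # A leading '-' would be consumed by dhcpcd's option parser rather than
        # treated as an interface; this is the case the advisory describes.
        return False
    return bool(_IFNAME_RE.match(name))


def build_dhcpcd_argv_unchecked(iface: str) -> List[str]:
    """Pre-fix shape (reconstructed for illustration, not blueman's code):
    the D-Bus argument goes straight into argv, so whatever dhcpcd makes of it
    runs with the privileges of the spawning service."""
    return ["dhcpcd", iface]


def build_dhcpcd_argv(iface: str) -> List[str]:
    """Hardened builder: refuse anything that is not a plausible interface name."""
    if not is_valid_interface_name(iface):
        raise ValueError(f"refusing to spawn dhcpcd for invalid interface name {iface!r}")
    return ["dhcpcd", iface]


if __name__ == "__main__":
    # Constructed inputs: a normal bluetooth PAN interface and an option-shaped string.
    for candidate in ("bnep0", "--not-an-interface"):
        print("unchecked:", build_dhcpcd_argv_unchecked(candidate))
        try:
            print("checked:  ", build_dhcpcd_argv(candidate))
        except ValueError as exc:
            print("checked:  ", exc)
```

Validating against the shape of an interface name, rather than blacklisting known option strings, is what makes this robust: dhcpcd can grow new flags without the check needing to change. Where the target program's parser honours the conventional `--` end-of-options marker, inserting it before the argument is a cheap second layer, but the allowlist is the control that matters.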

[USN-4583-2] PHP vulnerabilities

[USN-3081-2] Tomcat vulnerability

[USN-4603-1] MariaDB vulnerabilities

[USN-4604-1] MySQL vulnerabilities

[USN-4607-1] OpenJDK vulnerabilities

[USN-4608-1] ca-certificates update [06:41]

  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Updates to the latest from Mozilla - removes some root CAs (expired etc) and adds some new ones too

Goings on in Ubuntu Security Community

Ubuntu Security disclosure and embargo policy [07:17]

  • https://ubuntu.com/security/disclosure-policy
  • How to report an issue to us (LP / security@ubuntu.com)
  • Scope (Ubuntu archive + Canonical software / infrastructure - coordination etc)
  • What to expect from us
  • Disclosure timelines (within 1 week after updates provided, prefer exploits etc kept private for at least 1 week after fixes available)
  • Safe harbour (welcome research into the software we provide but no active probing of Canonical infra/services)

CITL releases high level details of 7000 defects [09:06]

  • https://cyber-itl.org/2020/10/28/citl-7000-defects.html
  • 7000 defects/vulns across 3243 packages from Ubuntu 18.04
  • Automated static / dynamic analysis system (fuzzing?)
  • Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV etc) - without reproducers etc
  • Expect package maintainers to contact them to request full details
  • Some package maintainers / upstreams will likely contact but we expect this to be in the minority
  • Not really possible for @ubuntu_sec to triage and handle all of these but will likely be a collective effort between distros to try and analyse these all if CITL are willing to provide details
  • Without a collective effort unlikely that CVEs will get assigned and so fixes could be missed if various upstreams just contact and fix these themselves
  • Lots of open questions as to how this will play out…

Get in contact