Episode 98

Posted on Friday, Nov 27, 2020
This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more, plus we cover security news from the Ubuntu community, including planning for 16.04 LTS to transition to ESM, libgcrypt FIPS certified for 18.04 LTS and a proposal for making home directories more secure for upcoming Ubuntu releases.

Show Notes

This week in Ubuntu Security Updates

48 unique CVEs addressed

[USN-4638-1] c-ares vulnerability [01:00]

  • 1 CVE addressed in Groovy (20.10)
  • C library for performing async DNS requests and name resolution - a fork of the ares library with additional support for IPv6, and 64-bit/cross platform support
  • Used in particular by Node.js for DNS support - reported as a DoS where a remote attacker could cause a Node.js application to perform a DNS request to a chosen host with a large number of DNS records - internally this is a buffer over-read - c-ares would return data of length N but with a purported length of >N - only present in more recent releases so only groovy is affected

[USN-4639-1] phpMyAdmin vulnerabilities [02:37]

[USN-4637-2] Firefox vulnerabilities [03:08]

[USN-4634-2] OpenLDAP vulnerabilities [03:57]

[USN-4640-1] PulseAudio vulnerability [04:13]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
  • Race condition in the snap policy module could allow a confined snap to bypass snap PulseAudio restrictions - i.e. it could record audio when only authorised to play back audio
  • https://twitter.com/JamesHenstridge/status/1331161130740248580

[USN-4641-1] libextractor vulnerabilities [06:20]

[USN-4642-1] PDFResurrect vulnerability [07:28]

  • 1 CVE addressed in Xenial (16.04 LTS)
  • Extract / manipulate revision info in PDFs
  • OOB write

[USN-4643-1] atftp vulnerabilities [07:56]

  • 2 CVEs addressed in Xenial (16.04 LTS)
  • TFTP server / client
  • NULL ptr deref due to race condition from missing mutex lock - different threads can race on the same data -> DoS
  • stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE

[USN-4644-1] igraph vulnerability [08:35]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • NULL ptr deref

Goings on in Ubuntu Security Community

Ubuntu 16.04 LTS moving to ESM webinar [08:52]

Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]

Private home directories for Ubuntu 21.04 onwards? [10:45]

Get in contact