Episode 98
Posted on Friday, Nov 27, 2020
This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more,
plus we cover security news from the Ubuntu community including planning
for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS
and a proposal for making home directories more secure for upcoming Ubuntu
releases as well.
Show Notes
Overview
This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more, plus we cover security news from the Ubuntu community including planning for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS and a proposal for making home directories more secure for upcoming Ubuntu releases as well.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-4638-1] c-ares vulnerability [01:00]
- 1 CVEs addressed in Groovy (20.10)
- C library for performing async DNS requests and name resolution - a fork of the ares library with additional support for IPv6, and 64-bit/cross platform support
- In particular is used by Node.js for DNS support - reported as a DoS via a remote attacker who could cause a Node.js application to perform a DNS request to a chosen host where a large number of DNS records - internally is a buffer-over-read - c-ares would return data of length N but with a purported length of >N - only in more recent releases so only affected groovy
[USN-4639-1] phpMyAdmin vulnerabilities [02:37]
- 13 CVEs addressed in Bionic (18.04 LTS)
- Various issues - multiple different instances of each of the following: XSS, SQL injection, CSRF, sensitive info leaks etc
[USN-4637-2] Firefox vulnerabilities [03:08]
- 15 CVEs addressed in Xenial (16.04 LTS)
- Episode 97
- Xenial takes longer usually due to toolchain issues between old versions in xenial vs newer things used in Firefox (ie rust etc)
[USN-4634-2] OpenLDAP vulnerabilities [03:57]
- 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
- Episode 97 - 2 DoS issues
[USN-4640-1] PulseAudio vulnerability [04:13]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
- Race condition in snap policy module could allow a confined snap to bypass snap pulseaudio restrictions - ie. could record audio when only authorised to playback audio
- https://twitter.com/JamesHenstridge/status/1331161130740248580
[USN-4641-1] libextractor vulnerabilities [06:20]
- 12 CVEs addressed in Xenial (16.04 LTS)
- Used to extract metadata from various file formats (HTML, PS, MS Office, audio, images, video, archives, packages etc)
- NULL ptr deref, divide by zero, OOB read, infinite loop, stack buffer overflows, heap buffer overflows etc
[USN-4642-1] PDFResurrect vulnerability [07:28]
- 1 CVEs addressed in Xenial (16.04 LTS)
- Extract / manipulate revision info in PDFs
- OOB write
[USN-4643-1] atftp vulnerabilities [07:56]
- 2 CVEs addressed in Xenial (16.04 LTS)
- TFTP server / client
- NULL ptr deref due to race condition from missing mutex lock - different threads can race on the same data -> DoS
- stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE
[USN-4644-1] igraph vulnerability [08:35]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- NULL ptr deref
Goings on in Ubuntu Security Community
Ubuntu 16.04 LTS moving to ESM webinar [08:52]
- https://www.brighttalk.com/webcast/6793/453617
- 8th December 2020, 4pm UTC
Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]
- https://discourse.ubuntu.com/t/security-certifications-libgcrypt-on-ubuntu-18-04-is-fips-140-2-certified/19511
- Ubuntu 18.04 LTS can now provide FIPS certified full disk encryption as via libgcrypt which is now FIPS certified
- Certified for 5 years until 2025
Private home directories for Ubuntu 21.04 onwards? [10:45]
- https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2020-November/018842.html
- https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533