To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. הבנתי!
Artwork

Alex Murray Ubuntu Security Team Linux Tech Operating Systems Alex and Joe Security Software Development
תוכן מסופק על ידי Alex Murray and Ubuntu Security Team. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Alex Murray and Ubuntu Security Team או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

דומה לUbuntu Security Podcast

Player FM - אפליקציית פודקאסט
התחל במצב לא מקוון עם האפליקציה Player FM !
Get it on App Store Get it on Google Play

Ubuntu Security Podcast « »
Episode 227

24:41
 
הפעל
מנגן
שתפו
 

MP3בית הפרקים
Manage episode 416201461 series 2423058
תוכן מסופק על ידי Alex Murray and Ubuntu Security Team. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Alex Murray and Ubuntu Security Team או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

Overview

Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6749-1] FreeRDP vulnerabilities (00:45)

[USN-6752-1] FreeRDP vulnerabilities (01:41)

[USN-6657-2] Dnsmasq vulnerabilities (01:54)

[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)

[USN-6750-1] Thunderbird vulnerabilities (02:19)

[USN-6751-1] Zabbix vulnerabilities (02:54)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • First time Zabbix has featured in the podcast!
  • Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess

[USN-6753-1] CryptoJS vulnerability (03:38)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds

[USN-6754-1] nghttp2 vulnerabilities (04:32)

  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
  • HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory

[USN-6755-1] GNU cpio vulnerabilities (05:42)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Path traversal vuln - possible to write outside of the target directory
  • Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the --no-absolute-filenames CLI argument
  • Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
  • Now use more correct fix from upstream (April 2023)

[USN-6756-1] less vulnerability (07:10)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
  • Similar issue - this time in the use of LESSOPEN environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ran less on some untrusted file
  • LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc

[USN-6757-1] PHP vulnerabilities (08:41)

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like __Host- and __Secure-) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…)
  • password_verify() function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)
  • Heap buffer overflow due to a large PHP_CLI_SERVER_WORKERS env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)

[USN-6761-1] Anope vulnerability (11:15)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Failed to deny ability to reset the password of a suspended account and hence gain access again

[USN-6758-1] JSON5 vulnerability (11:37)

  • 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
  • Protoype pollution vuln - when parsing would fail to restrict use of the __proto__ key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE

[LSN-0103-1] Linux kernel vulnerability (12:46)

Kernel type 22.04 20.04 18.04
aws 103.3 103.3
aws-5.15 103.3
aws-5.4 103.3
aws-6.5 103.1
azure 103.3 103.3
azure-5.4 103.3
azure-6.5 103.1
gcp 103.3 103.3
gcp-5.15 103.3
gcp-5.4 103.3
gcp-6.5 103.1
generic-5.15 103.3
generic-5.4 103.3 103.3
gke 103.3 103.3
hwe-6.5 103.1
ibm 103.3
ibm-5.15 103.3
linux 103.3
lowlatency-5.15 103.3
lowlatency-5.4 103.3 103.3 
canonical-livepatch status

[USN-6760-1] Gerbv vulnerability (13:01)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash

[USN-6759-1] FreeRDP vulnerabilities (13:41)

[USN-6737-2] GNU C Library vulnerability

[USN-6729-3] Apache HTTP Server vulnerabilities

[USN-6718-3] curl vulnerabilities

[USN-6733-2] GnuTLS vulnerabilities

[USN-6734-2] libvirt vulnerabilities

[USN-6744-3] Pillow vulnerability

Goings on in Ubuntu Security Community

Ubuntu 24.04 LTS (Noble Numbat) released (14:27)

Get in contact

  continue reading

246 פרקים

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development
Artwork

Episode 227

Ubuntu Security Podcast

148 subscribers

published

הפעל מנגן
iconשתפו
 
MP3בית הפרקים
Manage episode 416201461 series 2423058
תוכן מסופק על ידי Alex Murray and Ubuntu Security Team. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Alex Murray and Ubuntu Security Team או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

Overview

Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6749-1] FreeRDP vulnerabilities (00:45)

[USN-6752-1] FreeRDP vulnerabilities (01:41)

[USN-6657-2] Dnsmasq vulnerabilities (01:54)

[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)

[USN-6750-1] Thunderbird vulnerabilities (02:19)

[USN-6751-1] Zabbix vulnerabilities (02:54)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • First time Zabbix has featured in the podcast!
  • Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess

[USN-6753-1] CryptoJS vulnerability (03:38)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds

[USN-6754-1] nghttp2 vulnerabilities (04:32)

  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
  • HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory

[USN-6755-1] GNU cpio vulnerabilities (05:42)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Path traversal vuln - possible to write outside of the target directory
  • Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the --no-absolute-filenames CLI argument
  • Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
  • Now use more correct fix from upstream (April 2023)

[USN-6756-1] less vulnerability (07:10)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
  • Similar issue - this time in the use of LESSOPEN environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ran less on some untrusted file
  • LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc

[USN-6757-1] PHP vulnerabilities (08:41)

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like __Host- and __Secure-) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…)
  • password_verify() function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)
  • Heap buffer overflow due to a large PHP_CLI_SERVER_WORKERS env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)

[USN-6761-1] Anope vulnerability (11:15)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Failed to deny ability to reset the password of a suspended account and hence gain access again

[USN-6758-1] JSON5 vulnerability (11:37)

  • 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
  • Protoype pollution vuln - when parsing would fail to restrict use of the __proto__ key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE

[LSN-0103-1] Linux kernel vulnerability (12:46)

Kernel type 22.04 20.04 18.04
aws 103.3 103.3
aws-5.15 103.3
aws-5.4 103.3
aws-6.5 103.1
azure 103.3 103.3
azure-5.4 103.3
azure-6.5 103.1
gcp 103.3 103.3
gcp-5.15 103.3
gcp-5.4 103.3
gcp-6.5 103.1
generic-5.15 103.3
generic-5.4 103.3 103.3
gke 103.3 103.3
hwe-6.5 103.1
ibm 103.3
ibm-5.15 103.3
linux 103.3
lowlatency-5.15 103.3
lowlatency-5.4 103.3 103.3 
canonical-livepatch status

[USN-6760-1] Gerbv vulnerability (13:01)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash

[USN-6759-1] FreeRDP vulnerabilities (13:41)

[USN-6737-2] GNU C Library vulnerability

[USN-6729-3] Apache HTTP Server vulnerabilities

[USN-6718-3] curl vulnerabilities

[USN-6733-2] GnuTLS vulnerabilities

[USN-6734-2] libvirt vulnerabilities

[USN-6744-3] Pillow vulnerability

Goings on in Ubuntu Security Community

Ubuntu 24.04 LTS (Noble Numbat) released (14:27)

Get in contact

  continue reading

246 פרקים

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

כל הפרקים

×
 
Loading …

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.

 

דומה לUbuntu Security Podcast

תקשיבו ל-500+ נושאים
Player FM - אפליקציית פודקאסט
התחל במצב לא מקוון עם האפליקציה Player FM !
Get it on App Store Get it on Google Play

מדריך עזר מהיר

פודקאסטים מובילים
מכביבול ברדיו תל אביב
הזווית - פודקאסט
בכל יום נתון - אוריאל דסקל וראם שרמן
עושים חשבון Osim Heshbon
טייכר וזרחוביץ' ברדיו תל אביב
טייכר וזרחוביץ' - מערכונים
גיבור תרבות Culture Hero
סרטים זה אנחנו - מגזין קולנוע
עושים תוכנה Osim Tochna
השבוע - פודקאסט הארץ
המשחק הגדול
חושבים טוב
המעבדה The Lab
מדע בגובה האוזניים
סליחה על השאלה - ההסכת You Can't Ask That Podcast
סיפור ישראלי
עבר פלילי
Lets Talk Murder | בואי נדבר רצח
Lets Talk Murder | בואי נדבר רצח
Player FM logo
עזרה / שאלות נפוצות | שדרגו | לְפַרְסֵם
אומנויות|עסקים|קומדיה|כלכלה|בידור|חדשות|פוליטיקה|דת
מדע|כדורגל|ספורט|מספרי סיפורים|טכנולוגיה|פשע אמיתי
זכויות יוצרים 2024 | מפת אתר | מדיניות פרטיות | תנאי השירות | | זכויות יוצרים
Episode being played series thumbnail
icon icon
מהירות
הגדרות סדרה
1x
1x
Volume
100%
icon
icon icon
/

הצג את Player FM ב- ...
Player FM
Browser
Chrome
Safari
Firefox