Ubuntu Security Podcast

Ubuntu Security Team

A weekly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of the security vulnerabilities and fixes from the last week as well as a discussion on some of the goings on in the wider Ubuntu Security community.
Overview This week we deep-dive into one of the best vulnerabilities we’ve seen in a long time, regreSSHion - an unauthenticated, remote, root code-execution vulnerability in OpenSSH. Plus we cover updates for Plasma Workspace, Ruby, Netplan, FontForge, OpenVPN and a whole lot more. This week in Ubuntu Security Updates 39 unique CVEs addressed [USN-684…
 
Overview A look into CISA’s Known Exploited Vulnerability Catalogue is on our minds this week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif, Roundcube, the Linux kernel and more. This week in Ubuntu Security Updates 175 unique CVEs addressed [USN-6842-1] gdb vulnerabilities (01:10) 6 CVEs addressed in Xenial ESM (16.04 ESM), …
 
Overview This week we bring you a special edition of the podcast, featuring an interview between Ijlal Loutfi and Karen Horovitz who deep-dive into Confidential Computing. Ranging from a high-level discussion of the need for and the features provided by confidential computing, through to the specifics of how this is implemented in Ubuntu and a look at …
 
Overview As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more. This week in Ubuntu Security Updates 152 unique CVEs addressed [U…
 
Overview The team is back from Madrid and this week we bring you some of our plans for the upcoming Ubuntu 24.10 release, plus we talk about Google’s kernelCTF project and Mozilla’s PDF.js sandbox when covering security updates for the Linux kernel, Firefox, Spreadsheet::ParseExcel, idna and more. This week in Ubuntu Security Updates 121 unique CVEs a…
 
Overview Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more. This week in Ubuntu Security Updates 61 unique CVEs addressed [USN-6749-1] FreeRDP vulnerabilities (00:45) 7 CVEs addressed in F…
 
Overview John and Georgia are at the Linux Security Summit presenting on some long-awaited developments in AppArmor and we give you all the details in a sneak peek preview as well as some of the other talks to look out for, plus we cover security updates for NSS, Squid, Apache, libvirt and more and we put out a call for testing of a pending AppArmor se…
 
Overview This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow-up on the xz-utils backdoor from last week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security vulnerabilities in the X Server, Django, util-linux and more. This week in Ubuntu Security Updates 76 unique CVEs ad…
 
Overview It’s been an absolutely manic week in the Linux security community as news of, and reaction to, the backdoor in the xz-utils project announced late last week spread, so we dive deep into this issue and discuss how it impacts Ubuntu and give some insights into what this means for the open source and Linux communities in the …
 
Overview This week we bring you a sneak peek of how Ubuntu 23.10 fared at Pwn2Own Vancouver 2024, plus news of malicious themes in the KDE Store and we cover security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and more. This week in Ubuntu Security Updates 61 unique CVEs addressed [USN-6681-3] Linux kernel vulnerabilities (00:…
 
Overview We cover recent Linux malware from the Magnet Goblin threat actor, plus the news of Ubuntu 23.10 as a target in Pwn2Own Vancouver 2024 and we detail vulnerabilities in Puma, AccountsService, Open vSwitch, OVN, and more. This week in Ubuntu Security Updates 102 unique CVEs addressed [USN-6679-1] FRR vulnerability (01:11) 1 CVEs addressed in J…
 
Overview Andrei is back to discuss recent academic research into malware within the Python/PyPI ecosystem and whether it is possible to effectively combat it with open source tooling, plus we cover security updates for Unbound, libuv, node.js, the Linux kernel, libgit2 and more. This week in Ubuntu Security Updates 56 unique CVEs addressed [USN-6665-1…
 
Overview The Linux kernel.org CNA has assigned their first CVEs so we revisit this topic to assess the initial impact on Ubuntu and the CVE ecosystem, plus we cover security updates for Roundcube Webmail, less, GNU binutils and the Linux kernel itself. This week in Ubuntu Security Updates 64 unique CVEs addressed [USN-6647-1] Linux kernel vulnerabilit…
 
Overview This week the Linux kernel project announced they will be assigning their own CVEs so we discuss the possible implications and fallout from such a shift, plus we cover vulnerabilities in the kernel, Glance_store, WebKitGTK, Bind and more. This week in Ubuntu Security Updates 64 unique CVEs addressed [LSN-0100-1] Linux kernel vulnerability (0…
 
Overview AppArmor unprivileged user namespace restrictions are back on the agenda this week as we survey the latest improvements to this hardening feature in the upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC container escapes and Qualys’ recent disclosure of a privilege escalation exploit for GNU libc and more. This week in…
 
Overview For the first episode of 2024 we take a look at the case of a raft of bogus FOSS CVEs reported on full-disclosure as well as AppSec tools in Ubuntu and the EOL announcement for 23.04, plus we cover vulnerabilities in the Linux kernel, Puma, Paramiko and more. This week in Ubuntu Security Updates 81 unique CVEs addressed [USN-6601-1] Linux ker…
 
Overview For the final episode of 2023 we discuss creating PoCs for vulns in tar and the looming EOL for Ubuntu 23.04, plus we look into security updates for curl, BlueZ, Netatalk, GNOME Settings and a heap more. This week in Ubuntu Security Updates 57 unique CVEs addressed [USN-6535-1] curl vulnerabilities (00:54) 2 CVEs addressed in Focal (20.04 LT…
 
Overview Mark Esler is our special guest on the podcast this week to discuss the OpenSSF’s Compiler Options Hardening Guide for C/C++ plus we cover vulnerabilities and updates for GIMP, FreeRDP, GStreamer, HAProxy and more. This week in Ubuntu Security Updates 65 unique CVEs addressed [USN-6521-1] GIMP vulnerabilities (00:50) 6 CVEs addressed in Foca…
 
Overview This week we take a deep dive into the Reptar vuln in Intel processors plus we look into some relic vulnerabilities in Squid and OpenZFS and finally we detail new hardening measures in tracker-miners to keep your desktop safer. This week in Ubuntu Security Updates 115 unique CVEs addressed [USN-6481-1] FRR vulnerabilities (01:21) 2 CVEs addr…
 
Overview As we ease back into regular programming, we cover the various activities the team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit and Ubuntu Engineering Sprint. Goings on in Ubuntu Security Community Ubuntu Security team at the Ubuntu Summit (00:48) Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and E…
 
Overview With the Ubuntu Summit just around the corner, we preview a couple of talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more. This week in Ubuntu Security Updates 91 unique CVEs addressed [USN-6437-1] VIPS vulnerabilities (00:35) 5 CVEs addressed in Xenial ESM (16.04 E…
 
Overview After a well-deserved break, we’re back looking at the recent Ubuntu 23.10 release and the significant security technologies it introduces along with a call for testing of unprivileged user namespace restrictions, plus the details of security updates for curl, Samba, iperf3, CUE and more. This week in Ubuntu Security Updates 26 unique CVEs…
 
Overview It’s the Linux Security Summit in Bilbao this week and we bring you some highlights from our favourite talks, plus we cover the 25 most stubborn software weaknesses, and we look at security updates for Open VM Tools, libwebp, Django, binutils, Indent, the Linux kernel and more. This week in Ubuntu Security Updates 88 unique CVEs addressed [US…
 
Overview Andrei is back this week with a deep dive into recent research around CVSS scoring inconsistencies, plus we look at a recent Ubuntu blog post on the internals of package updates and the repositories, and we cover security updates in Apache Shiro, GRUB2, CUPS, RedCloth, curl and more. This week in Ubuntu Security Updates 77 unique CVEs address…
 
Overview This week we detail the recently announced and long-awaited feature of TPM-backed full-disk encryption for the upcoming Ubuntu 23.10 release, plus we cover security updates for elfutils, GitPython, atftp, BusyBox, Docker Registry and more. This week in Ubuntu Security Updates 93 unique CVEs addressed [USN-6322-1] elfutils vulnerabilities (00:…
 
Overview This week we cover reports of “fake” CVEs and their impact on the FOSS security ecosystem, plus we look at security updates for PHP, Fast DDS, JOSE for C/C++, the Linux kernel, AMD Microcode and more. This week in Ubuntu Security Updates 83 unique CVEs addressed [USN-6305-1] PHP vulnerabilities (00:53) 2 CVEs addressed in Jammy (22.04 LTS), …
 
Overview This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC. This week in Ubuntu Security Updates 69 unique…
 
Overview We’re back after unexpectedly going AWOL last week to bring you the latest in Ubuntu Security including the recently announced Downfall and GameOver(lay) vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and we detail plans for using AppArmor to restrict the use of unprivileged user namespaces as an attack vector in f…
 
Overview This week we look at the recent Zenbleed vulnerability affecting some AMD processors, plus we cover security updates for the Linux kernel, a high-profile OpenSSH vulnerability and finally Andrei is back with a deep dive into recent academic research around how to safeguard machine learning systems when used across distributed deployments. This…
 
Overview This week we talk about the dual-use purposes of eBPF - both for security and for exploitation, and how you can keep your systems safe, plus we cover security updates for the Linux kernel, Ruby, SciPy, YAJL, ConnMan, curl and more. This week in Ubuntu Security Updates 80 unique CVEs addressed [USN-6220-1] Linux kernel vulnerabilities (00:50)…
 
Overview We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen, containerd and more. This week in Ubuntu Security Updates 50 unique CVEs addressed [USN-6190-1] AccountsService vulnerability (00:47) 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), K…
 
Overview This week we look at the top 25 most dangerous vulnerability types, as well as the announcement of the program for LSS EU, and we cover security updates for Bind, the Linux kernel, CUPS, etcd and more. This week in Ubuntu Security Updates 36 unique CVEs addressed [USN-6183-1] Bind vulnerabilities (00:53) 2 CVEs addressed in Focal (20.04 LTS)…
 
Overview For our 200th episode, we discuss the impact of Red Hat’s decision to stop publicly releasing the RHEL source code, plus we cover security updates for libX11, GNU SASL, QEMU, VLC, pngcheck, the Linux kernel and a whole lot more. This week in Ubuntu Security Updates 73 unique CVEs addressed [USN-6163-1] pano13 vulnerabilities (01:08) 2 CVEs a…
 
Overview For our 199th episode Andrei looks at Fuzzing Configurations of Program Options plus we discuss Google’s findings on the io_uring kernel subsystem and we look at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib and more. This week in Ubuntu Security Updates 53 unique CVEs addressed [USN-6145-1] Sysstat vulnerabili…
 
Overview This week we investigate the mystery of failing GPG signatures for the 16.04 ISO images, plus we look at security updates for CUPS, Avahi, the Linux kernel, FRR, Go and more. This week in Ubuntu Security Updates 58 unique CVEs addressed [USN-6128-1, USN-6128-2] CUPS vulnerability (00:56) 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM…
 
Overview The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look at Till Kamppeter’s excellent guide on how to set up your GitHub projects to receive private vulnerability reports, and we cover the week in security updates including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot more. This week in Ubuntu Se…
 
Overview This week we look at some recent security developments from PyPI, the Linux Security Summit North America and the pending transition of Ubuntu 18.04 to ESM, plus we cover security updates for cups-filter, the Linux kernel, Git, runC, ncurses, cloud-init and more. This week in Ubuntu Security Updates 83 unique CVEs addressed [USN-6083-1] cups-…
 
Overview Alex and Camila discuss security update management strategies after a recent outage at Datadog was attributed to a security update for systemd on Ubuntu, plus we look at security vulnerabilities in the Linux kernel, OpenStack, Synapse, OpenJDK and more. This week in Ubuntu Security Updates 66 unique CVEs addressed [USN-6069-1] Linux kernel (R…
 
Overview The team are back from Prague and bring with them a new segment, drilling into recent academic research in the cybersecurity space - for this inaugural segment new team member Andrei looks at modelling of attacks against network intrusion detection systems, plus we cover the week in security updates looking at vulnerabilities in Django, Ruby,…
 
Overview The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of the things the security team has been doing along the way, plus it’s our 6000th USN so we look back at the last 19 years of USNs whilst covering security updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more. This week in Ubuntu Security Updates 109 un…
 
Overview Ubuntu gets pwned at Pwn2Own 2023, plus we cover security updates for vulns in GitPython, object-path, amanda, url-parse and the Linux kernel - and we mention the recording of Alex’s Everything Open 2023 presentation as well. This week in Ubuntu Security Updates 91 unique CVEs addressed [USN-5968-1] GitPython vulnerability [00:46] 1 CVEs add…
 
Overview This week saw the unexpected release of Ubuntu 20.04.6 so we go into the detail behind that, plus we talk Everything Open and we cover security updates including Emacs, LibreCAD, Python, vim and more. This week in Ubuntu Security Updates 82 unique CVEs addressed [USN-5955-1] Emacs vulnerability [00:50] 1 CVEs addressed in Xenial ESM (16.04 E…
 
Overview The Ubuntu Security Podcast is on a two week break to focus on Everything Open 2023 in Melbourne next week - come hear Alex talk about Securing a distribution and securing your own open source project in person if you can. Get in contact security@ubuntu.com #ubuntu-security on the Libera.Chat IRC network ubuntu-hardened mailing list Security…
 
Overview This week we dive into the BlackLotus UEFI bootkit teardown and find out how this malware has some roots in the FOSS ecosystem, plus we look at security updates for the Linux kernel, DCMTK, ZoneMinder, Python, tar and more. This week in Ubuntu Security Updates 111 unique CVEs addressed [USN-5739-2] MariaDB regression [00:48] Affecting Focal …
 
Overview This week the common theme is vulnerabilities in setuid-root binaries and their use of environment variables, so we take a look at a great blog post from the Trail of Bits team about one such example in the venerable chfn, plus we look at some security vulnerabilities in, and updates for, the Linux kernel, Go Text, the X Server and more, and fin…
 
Overview After the announcement of Ubuntu Pro GA last week, we take the time to dispel some myths around all things Ubuntu Pro, esm-apps and apt etc, plus Camila sits down with Mark and David to discuss the backstory of Editorconfig CVE-2023-0341 and we also have a brief summary of the security updates from the past week. Ubuntu Pro, esm-apps and apt …
 
Overview The Ubuntu Security Podcast is back for 2023! We ease into the year with coverage of the recently announced launch of Ubuntu Pro as GA, plus we look at some recent vulns in git, sudo, OpenSSL and more. This week in Ubuntu Security Updates 212 unique CVEs addressed [USN-5778-1] X.Org X Server vulnerabilities 6 CVEs addressed in Bionic (18.04 …
 
Overview For our final episode of 2022, Camila is back with a special holiday-themed discussion of the security of open source code, plus we hint at what is in store for the podcast for 2023 and we cover some recent security updates including Python, PostgreSQL, Squid and more. This week in Ubuntu Security Updates 54 unique CVEs addressed [USN-5765-1]…
 
Overview This week we cover Mark Esler’s keynote address from UbuCon Asia 2022 on Improving FOSS Security, plus we look at security vulnerabilities and updates for snapd, the Linux kernel, ca-certificates and more. This week in Ubuntu Security Updates 42 unique CVEs addressed [USN-5753-1] snapd vulnerability [01:08] 1 CVEs addressed in Xenial ESM (16…
 
Overview This week we look at a recent report from Elastic Security Labs on the global Linux threat landscape, plus we look at a few of the security vulnerabilities patched by the team in the past 7 days. This week in Ubuntu Security Updates 81 unique CVEs addressed [USN-5638-3] Expat vulnerability 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (…