Artwork

Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!

Episode 55

25:29
 
Share
 

Manage episode 247723145 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Overview

This week we cover security updates for NSS, SQLite, the Linux kernel and more, plus Joe and Alex discuss a recent FBI advisory warning about possible dangers of Smart TVs.

This week in Ubuntu Security Updates

49 unique CVEs addressed

[USN-4203-1, USN-4203-2] NSS vulnerability [00:59]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • OOB write if using an output buffer smaller than the block size (since used block size instead of buffer size) when writing output for NSC_EncryptUpdate()

[USN-4204-1] psutil vulnerability [02:05]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Double free due to mishandling of reference counting when handling errors during conversion of system data into Python objects - could be triggered when using a malicious disk partition label with an invalid character that fails to decode - so triggers error than fails to cleanup properly and results in a double free

[USN-4205-1] SQLite vulnerabilities [02:59]

[USN-4208-1] Linux kernel vulnerabilities [03:42]

  • 12 CVEs addressed in Bionic (gcp-edge), Eoan (5.3 kernel)
  • Buffer overflow in wifi driver stack - able to be triggered by a remote user in wifi range
  • Ubuntu specific OverlayFS and ShiftFS memory mapped reference counting issue - can be triggered when combined with that when combined with AUFS by a local attacker.
  • Memory leak based denial of service issues in various drivers (usually during error conditions so unlikely to ever be hit in real use or able to be easily triggered by malicious local users):
    • AMD Display Engine
    • Qualcomm FastRPC
    • Cascoda CA8210 SPI 802.15.4 wireless controller
    • AMD Audio CoProcessor
    • Intel OPA Gen1 Infiniband
    • ADIS16400 IIO IMU
    • VirtualBox guest
    • ARM Komeda display

[USN-4209-1] Linux kernel vulnerabilities [06:07]

  • 3 CVEs addressed in Bionic (HWE), Disco (5.0 kernel)
  • Memory leak in Netronome NFP4000/NFP6k000 driver
  • Buffer overflow via 802.11 wifi config interface - local user onlu
  • OverlayFS/ShiftFS issue above

[USN-4210-1] Linux kernel vulnerabilities [06:47]

[USN-4211-1, USN-4211-2] Linux kernel vulnerabilities [07:22]

  • 3 CVEs addressed in Xenial, Trusty ESM (Xenial HWE)
  • Wifi stack remote user buffer overflow
  • Infinite loop in the CFS scheduler able to be triggered by a local user -> DoS

[USN-4206-1] GraphicsMagick vulnerabilities [07:55]

[USN-4207-1] GraphicsMagick vulnerabilities [09:18]

[USN-4194-2] postgresql-common vulnerability [09:29]

[USN-4182-3, USN-4182-4] Intel Microcode regression [09:44]

Goings on in Ubuntu Security Community

Joe and Alex discuss a recent FBI Advisory concerning SmartTVs [10:50]

Get in contact

  continue reading

228 episodes

Artwork

Episode 55

Ubuntu Security Podcast

136 subscribers

published

iconShare
 
Manage episode 247723145 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Overview

This week we cover security updates for NSS, SQLite, the Linux kernel and more, plus Joe and Alex discuss a recent FBI advisory warning about possible dangers of Smart TVs.

This week in Ubuntu Security Updates

49 unique CVEs addressed

[USN-4203-1, USN-4203-2] NSS vulnerability [00:59]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • OOB write if using an output buffer smaller than the block size (since used block size instead of buffer size) when writing output for NSC_EncryptUpdate()

[USN-4204-1] psutil vulnerability [02:05]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Double free due to mishandling of reference counting when handling errors during conversion of system data into Python objects - could be triggered when using a malicious disk partition label with an invalid character that fails to decode - so triggers error than fails to cleanup properly and results in a double free

[USN-4205-1] SQLite vulnerabilities [02:59]

[USN-4208-1] Linux kernel vulnerabilities [03:42]

  • 12 CVEs addressed in Bionic (gcp-edge), Eoan (5.3 kernel)
  • Buffer overflow in wifi driver stack - able to be triggered by a remote user in wifi range
  • Ubuntu specific OverlayFS and ShiftFS memory mapped reference counting issue - can be triggered when combined with that when combined with AUFS by a local attacker.
  • Memory leak based denial of service issues in various drivers (usually during error conditions so unlikely to ever be hit in real use or able to be easily triggered by malicious local users):
    • AMD Display Engine
    • Qualcomm FastRPC
    • Cascoda CA8210 SPI 802.15.4 wireless controller
    • AMD Audio CoProcessor
    • Intel OPA Gen1 Infiniband
    • ADIS16400 IIO IMU
    • VirtualBox guest
    • ARM Komeda display

[USN-4209-1] Linux kernel vulnerabilities [06:07]

  • 3 CVEs addressed in Bionic (HWE), Disco (5.0 kernel)
  • Memory leak in Netronome NFP4000/NFP6k000 driver
  • Buffer overflow via 802.11 wifi config interface - local user onlu
  • OverlayFS/ShiftFS issue above

[USN-4210-1] Linux kernel vulnerabilities [06:47]

[USN-4211-1, USN-4211-2] Linux kernel vulnerabilities [07:22]

  • 3 CVEs addressed in Xenial, Trusty ESM (Xenial HWE)
  • Wifi stack remote user buffer overflow
  • Infinite loop in the CFS scheduler able to be triggered by a local user -> DoS

[USN-4206-1] GraphicsMagick vulnerabilities [07:55]

[USN-4207-1] GraphicsMagick vulnerabilities [09:18]

[USN-4194-2] postgresql-common vulnerability [09:29]

[USN-4182-3, USN-4182-4] Intel Microcode regression [09:44]

Goings on in Ubuntu Security Community

Joe and Alex discuss a recent FBI Advisory concerning SmartTVs [10:50]

Get in contact

  continue reading

228 episodes

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Quick Reference Guide