To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. Got it!
Artwork

Alex Murray Ubuntu Security Team Linux Tech Operating Systems Alex and Joe Security Software Development
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Similar to Ubuntu Security Podcast

Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Ubuntu Security Podcast « »
Episode 98

13:54
 
Play
Playing
Share
 

MP3Episode home
Manage episode 278670460 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Overview

This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more, plus we cover security news from the Ubuntu community including planning for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS and a proposal for making home directories more secure for upcoming Ubuntu releases as well.

This week in Ubuntu Security Updates

48 unique CVEs addressed

[USN-4638-1] c-ares vulnerability [01:00]

  • 1 CVEs addressed in Groovy (20.10)
  • C library for performing async DNS requests and name resolution - a fork of the ares library with additional support for IPv6, and 64-bit/cross platform support
  • In particular is used by Node.js for DNS support - reported as a DoS via a remote attacker who could cause a Node.js application to perform a DNS request to a chosen host where a large number of DNS records - internally is a buffer-over-read - c-ares would return data of length N but with a purported length of >N - only in more recent releases so only affected groovy

[USN-4639-1] phpMyAdmin vulnerabilities [02:37]

[USN-4637-2] Firefox vulnerabilities [03:08]

[USN-4634-2] OpenLDAP vulnerabilities [03:57]

[USN-4640-1] PulseAudio vulnerability [04:13]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
  • Race condition in snap policy module could allow a confined snap to bypass snap pulseaudio restrictions - ie. could record audio when only authorised to playback audio
  • https://twitter.com/JamesHenstridge/status/1331161130740248580

[USN-4641-1] libextractor vulnerabilities [06:20]

[USN-4642-1] PDFResurrect vulnerability [07:28]

  • 1 CVEs addressed in Xenial (16.04 LTS)
  • Extract / manipulate revision info in PDFs
  • OOB write

[USN-4643-1] atftp vulnerabilities [07:56]

  • 2 CVEs addressed in Xenial (16.04 LTS)
  • TFTP server / client
  • NULL ptr deref due to race condition from missing mutex lock - different threads can race on the same data -> DoS
  • stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE

[USN-4644-1] igraph vulnerability [08:35]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • NULL ptr deref

Goings on in Ubuntu Security Community

Ubuntu 16.04 LTS moving to ESM webinar [08:52]

Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]

Private home directories for Ubuntu 21.04 onwards? [10:45]

Get in contact

  continue reading

242 episodes

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development
Artwork

Episode 98

Ubuntu Security Podcast

147 subscribers

published

Play Playing
iconShare
 
MP3Episode home
Manage episode 278670460 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Overview

This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more, plus we cover security news from the Ubuntu community including planning for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS and a proposal for making home directories more secure for upcoming Ubuntu releases as well.

This week in Ubuntu Security Updates

48 unique CVEs addressed

[USN-4638-1] c-ares vulnerability [01:00]

  • 1 CVEs addressed in Groovy (20.10)
  • C library for performing async DNS requests and name resolution - a fork of the ares library with additional support for IPv6, and 64-bit/cross platform support
  • In particular is used by Node.js for DNS support - reported as a DoS via a remote attacker who could cause a Node.js application to perform a DNS request to a chosen host where a large number of DNS records - internally is a buffer-over-read - c-ares would return data of length N but with a purported length of >N - only in more recent releases so only affected groovy

[USN-4639-1] phpMyAdmin vulnerabilities [02:37]

[USN-4637-2] Firefox vulnerabilities [03:08]

[USN-4634-2] OpenLDAP vulnerabilities [03:57]

[USN-4640-1] PulseAudio vulnerability [04:13]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
  • Race condition in snap policy module could allow a confined snap to bypass snap pulseaudio restrictions - ie. could record audio when only authorised to playback audio
  • https://twitter.com/JamesHenstridge/status/1331161130740248580

[USN-4641-1] libextractor vulnerabilities [06:20]

[USN-4642-1] PDFResurrect vulnerability [07:28]

  • 1 CVEs addressed in Xenial (16.04 LTS)
  • Extract / manipulate revision info in PDFs
  • OOB write

[USN-4643-1] atftp vulnerabilities [07:56]

  • 2 CVEs addressed in Xenial (16.04 LTS)
  • TFTP server / client
  • NULL ptr deref due to race condition from missing mutex lock - different threads can race on the same data -> DoS
  • stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE

[USN-4644-1] igraph vulnerability [08:35]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • NULL ptr deref

Goings on in Ubuntu Security Community

Ubuntu 16.04 LTS moving to ESM webinar [08:52]

Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]

Private home directories for Ubuntu 21.04 onwards? [10:45]

Get in contact

  continue reading

242 episodes

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Similar to Ubuntu Security Podcast

Listen to 500+ topics
Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Quick Reference Guide

Top Podcasts
The Bill Simmons Podcast
PTI
First Take
Marketplace
Comedy of the Week
The Bugle
How Did This Get Made?
Doug Loves Movies
Planet Money
TED Talks Daily
NBC Nightly News with Lester Holt
The World This Hour
Daily Boost Motivation and Coaching
Radiolab
Science Friday
This American Life
Criminal
Sword and Scale
In The Dark
Player FM logo
Help/FAQ | Upgrade | Advertise
Arts|Business|Comedy|Economics|Entertainment|News|Politics|Religion
Science|Soccer|Sports|Storytelling|Technology|True Crime
Copyright 2024 | Sitemap | Privacy Policy | Terms of Service | | Copyright
Episode being played series thumbnail
icon icon
Speed
Series settings
1x
1x
Volume
100%
icon
icon icon
/

View Player FM in...
Player FM
Browser
Chrome
Safari
Firefox