The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
Alex Murray and Ubuntu Security Team에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 Alex Murray and Ubuntu Security Team 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.
Ubuntu Security Podcast와 비슷한 콘텐츠
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Hanselminutes is Fresh Air for Developers. A weekly commute-time podcast that promotes fresh technology and fresh voices. Talk and Tech for Developers, Life-long Learners, and Technologists.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Learn about getting the most from your Apple technology with focused topics and workflow guests. Creating Mac Power Users since 2009, one conversation at a time. Hosted by David Sparks and Stephen Hackett.
…
continue reading
1
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Jerry Bell and Andrew Kalat
1k
200
Defensive Security is a weekly information security podcast which reviews recent high profile cyber security breaches, data breaches, malware infections and intrusions to identify lessons that we can learn and apply to the organizations we protect.
…
continue reading
Thanks for visiting The Cell Phone Junkie! I will be taking the time each week to discuss my favorite topic, cell phones. Any feedback is appreciated and welcome. You can email me at: questions (AT) thecellphonejunkie (DOT) com or call: 206-203-3734 Thanks and welcome!
…
continue reading
A weekly talk show taking a pragmatic look at the art and business of Software Development and the world of technology.
…
continue reading
It takes more than great code to be a great engineer. Soft Skills Engineering is a weekly advice podcast for software developers about the non-technical stuff that goes into being a great software developer.
…
continue reading
Player FM -팟 캐스트 앱
Player FM 앱으로 오프라인으로 전환하세요!
Player FM 앱으로 오프라인으로 전환하세요!
))
Episode 127
Manage episode 300334995 series 2423058
Alex Murray and Ubuntu Security Team에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 Alex Murray and Ubuntu Security Team 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.
Overview
This week we look at security updates for Firefox, PostgreSQL, MariaDB, HAProxy, the Linux kernel and more, plus we cover some current openings on the team - come join us ☺
This week in Ubuntu Security Updates
35 unique CVEs addressed
[USN-5037-1] Firefox vulnerabilities [00:39]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 91.0
- Better support for clearing cookies to stop possible hidden data leaks as part of the Total Cookie Protection
- Private browsing to use attempt HTTPS by default than fallback to HTTP
- Various security fixes:
- race condition on DNS resolution specific to Linux -> memory corruption -> crash / RCE
- also specific to Linux - subsequent permissions dialogs would accept input in the location of the original one - so could possibly trick a user into accepting a permission without their direct knowledge
- various other memory corruption issues in JIT etc
[USN-3809-2] OpenSSH regression [02:54]
- 2 CVEs addressed in Bionic (18.04 LTS)
- Episode 11 - possible user enumeration since as a result of patching CVE-2018-15473 the behaviour when trying to log in changed depending on whether the specific user account existed or not - due to a mistake made when backporting the upstream patch
[USN-5038-1] PostgreSQL vulnerabilities [03:38]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 2 possible remote crasher bugs - one through just sending a crafted TLS ClientHello message -> NULL ptr deref -> crash, the other via the planner which is used to try and optimise SQL queries - possible OOB read
[USN-5022-2] MariaDB vulnerabilities [04:19]
- 2 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Episode 124 in MySQL - only 2 of these also were relevant to MariaDB
- Like MySQL, update to latest point release in each series - 10.5.12 for hirsute, 10.3.31 for focal - includes both bug and security fixes
[USN-5042-1] HAProxy vulnerabilities [05:07]
- Affecting Focal (20.04 LTS), Hirsute (21.04)
- HTTP/2 handling issues in HAProxy
- Researchers investigated HTTP/2 handling in various gateway / proxies and found multiple issues - HTTP/2 desync attacks - allow to possibly hijack clients, poison caches, and steal credentials
- Initially HAProxy upstream thought they were safe but then found after more analysis they were vulnerable to a few of the possible issues
- Can be mitigated by disabling HTTP/2 or just install these updates :)
[USN-5043-1] Exiv2 vulnerabilities [06:04]
- 11 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Slew of issues discovered by Kevin Backhouse from Github security team
- C++ - so usual mix of issues - OOB read, NULL ptr deref, floating point exception (div/0), infinte loop, assertion failure - all DoS
[USN-5039-1] Linux kernel vulnerability [06:49]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- netfilter setsockopt()
[LSN-0080-1] Linux kernel vulnerability [07:08]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5044-1] Linux kernel vulnerabilities [07:39]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 bionic + ESM HWE
- 2 bluetooth UAF and 1 NFC NULL ptr deref
[USN-5045-1] Linux kernel vulnerabilities [08:06]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 focal + bionic hwe
- same as above plus CAN BCM uninitialised memory - info leak to local attacker
[USN-5046-1] Linux kernel vulnerabilities [08:31]
- 6 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- 5.11 hirsute + focal hwe
- bluetooth UAF, NFC NULL ptr deref, access control issue in bluetooth - could allow a local attacker in range to expose info, xen PV issue - attacker in guest could DoS/RCE on host
Goings on in Ubuntu Security Community
Hiring [09:10]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact
248 에피소드
공유
Manage episode 300334995 series 2423058
Alex Murray and Ubuntu Security Team에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 Alex Murray and Ubuntu Security Team 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.
Overview
This week we look at security updates for Firefox, PostgreSQL, MariaDB, HAProxy, the Linux kernel and more, plus we cover some current openings on the team - come join us ☺
This week in Ubuntu Security Updates
35 unique CVEs addressed
[USN-5037-1] Firefox vulnerabilities [00:39]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 91.0
- Better support for clearing cookies to stop possible hidden data leaks as part of the Total Cookie Protection
- Private browsing to use attempt HTTPS by default than fallback to HTTP
- Various security fixes:
- race condition on DNS resolution specific to Linux -> memory corruption -> crash / RCE
- also specific to Linux - subsequent permissions dialogs would accept input in the location of the original one - so could possibly trick a user into accepting a permission without their direct knowledge
- various other memory corruption issues in JIT etc
[USN-3809-2] OpenSSH regression [02:54]
- 2 CVEs addressed in Bionic (18.04 LTS)
- Episode 11 - possible user enumeration since as a result of patching CVE-2018-15473 the behaviour when trying to log in changed depending on whether the specific user account existed or not - due to a mistake made when backporting the upstream patch
[USN-5038-1] PostgreSQL vulnerabilities [03:38]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 2 possible remote crasher bugs - one through just sending a crafted TLS ClientHello message -> NULL ptr deref -> crash, the other via the planner which is used to try and optimise SQL queries - possible OOB read
[USN-5022-2] MariaDB vulnerabilities [04:19]
- 2 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Episode 124 in MySQL - only 2 of these also were relevant to MariaDB
- Like MySQL, update to latest point release in each series - 10.5.12 for hirsute, 10.3.31 for focal - includes both bug and security fixes
[USN-5042-1] HAProxy vulnerabilities [05:07]
- Affecting Focal (20.04 LTS), Hirsute (21.04)
- HTTP/2 handling issues in HAProxy
- Researchers investigated HTTP/2 handling in various gateway / proxies and found multiple issues - HTTP/2 desync attacks - allow to possibly hijack clients, poison caches, and steal credentials
- Initially HAProxy upstream thought they were safe but then found after more analysis they were vulnerable to a few of the possible issues
- Can be mitigated by disabling HTTP/2 or just install these updates :)
[USN-5043-1] Exiv2 vulnerabilities [06:04]
- 11 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Slew of issues discovered by Kevin Backhouse from Github security team
- C++ - so usual mix of issues - OOB read, NULL ptr deref, floating point exception (div/0), infinte loop, assertion failure - all DoS
[USN-5039-1] Linux kernel vulnerability [06:49]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- netfilter setsockopt()
[LSN-0080-1] Linux kernel vulnerability [07:08]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5044-1] Linux kernel vulnerabilities [07:39]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 bionic + ESM HWE
- 2 bluetooth UAF and 1 NFC NULL ptr deref
[USN-5045-1] Linux kernel vulnerabilities [08:06]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 focal + bionic hwe
- same as above plus CAN BCM uninitialised memory - info leak to local attacker
[USN-5046-1] Linux kernel vulnerabilities [08:31]
- 6 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- 5.11 hirsute + focal hwe
- bluetooth UAF, NFC NULL ptr deref, access control issue in bluetooth - could allow a local attacker in range to expose info, xen PV issue - attacker in guest could DoS/RCE on host
Goings on in Ubuntu Security Community
Hiring [09:10]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact
248 에피소드
모든 에피소드
×
플레이어 FM에 오신것을 환영합니다!
플레이어 FM은 웹에서 고품질 팟캐스트를 검색하여 지금 바로 즐길 수 있도록 합니다. 최고의 팟캐스트 앱이며 Android, iPhone 및 웹에서도 작동합니다. 장치 간 구독 동기화를 위해 가입하세요.
Ubuntu Security Podcast와 비슷한 콘텐츠
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Hanselminutes is Fresh Air for Developers. A weekly commute-time podcast that promotes fresh technology and fresh voices. Talk and Tech for Developers, Life-long Learners, and Technologists.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Learn about getting the most from your Apple technology with focused topics and workflow guests. Creating Mac Power Users since 2009, one conversation at a time. Hosted by David Sparks and Stephen Hackett.
…
continue reading
1
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Jerry Bell and Andrew Kalat
1k200
Defensive Security is a weekly information security podcast which reviews recent high profile cyber security breaches, data breaches, malware infections and intrusions to identify lessons that we can learn and apply to the organizations we protect.
…
continue reading
Thanks for visiting The Cell Phone Junkie! I will be taking the time each week to discuss my favorite topic, cell phones. Any feedback is appreciated and welcome. You can email me at: questions (AT) thecellphonejunkie (DOT) com or call: 206-203-3734 Thanks and welcome!
…
continue reading
A weekly talk show taking a pragmatic look at the art and business of Software Development and the world of technology.
…
continue reading
It takes more than great code to be a great engineer. Soft Skills Engineering is a weekly advice podcast for software developers about the non-technical stuff that goes into being a great software developer.
…
continue reading
Player FM -팟 캐스트 앱
Player FM 앱으로 오프라인으로 전환하세요!
Player FM 앱으로 오프라인으로 전환하세요!
