Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ko.player.fm/legal.

Ubuntu Security Podcast - Episode 138 (15:56)
 

Overview

This week we discuss some of the challenges and trade-offs encountered when providing security support for ageing software, plus we discuss security updates for the Linux kernel, Firejail, Samba, PostgreSQL and more.

This week in Ubuntu Security Updates

42 unique CVEs addressed

[USN-5138-1] python-py vulnerability [00:38]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Python library providing path handling, config file parsing and other features which have since moved into the standard library or other packages - has been deprecated
  • ReDoS against the path-handling code (regex with catastrophic backtracking)
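As an added illustration of the ReDoS class mentioned above (example code, not from the podcast or the python-py project), the block below shows the catastrophic-backtracking shape in a constructed dotted-name pattern, the same language rewritten without a nested quantifier, and the length cap a defender puts in front of any regex that sees untrusted input. The two patterns, `MAX_INPUT_LEN` and the function names are all assumptions of this example; the near-miss input used for timing is constructed.

```python
import re
import time

# Constructed patterns for a dotted name such as "pkg.sub.mod" (optionally with a trailing dot).
# VULNERABLE nests "one or more" inside "one or more": an input of word characters followed by
# one character the pattern cannot match makes the engine try every way of splitting those
# characters between iterations of the outer group (2^(n-1) splits for n characters).
VULNERABLE = re.compile(r"^(\w+\.?)+$")
# Same language, but every character belongs to exactly one branch, so a failed match
# backtracks linearly instead of exponentially.
SAFE = re.compile(r"^\w+(\.\w+)*\.?$")

MAX_INPUT_LEN = 256  # assumed cap; Python's re module has no timeout, so this cap is the guard


def match_vulnerable(s: str) -> bool:
    return VULNERABLE.match(s) is not None


def match_safe(s: str) -> bool:
    return SAFE.match(s) is not None


def bounded_match(pattern: re.Pattern, s: str, max_len: int = MAX_INPUT_LEN):
    """Refuse to run the regex at all on over-long input (returns None), otherwise True/False."""
    if len(s) > max_len:
        return None
    return pattern.match(s) is not None


def time_match(fn, s: str) -> float:
    t0 = time.perf_counter()
    fn(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Each extra character roughly doubles the vulnerable pattern's time on a near-miss input;
    # the safe pattern stays flat. n is kept small so the demo finishes in seconds.
    for n in (16, 18, 20, 22):
        near_miss = "a" * n + "!"  # constructed: all word characters, then one that cannot match
        print(f"n={n:2d} vulnerable={time_match(match_vulnerable, near_miss):8.3f}s "
              f"safe={time_match(match_safe, near_miss):.6f}s")
```

The two patterns accept exactly the same strings, which is the point: the fix for a backtracking bug is usually a rewrite of the expression, not a change in what it accepts, and the length cap is the backstop for expressions you cannot audit.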

[USN-5139-1] Linux kernel (OEM 5.10) vulnerabilities [01:25]

[USN-5140-1] Linux kernel (OEM 5.14) vulnerabilities [02:12]

[USN-5137-2] Linux kernel vulnerabilities [02:33]

[LSN-0082-1] Linux kernel vulnerability [03:05]

[USN-5141-1] Firejail vulnerability [03:48]

  • 1 CVE addressed in Focal (20.04 LTS)
  • TOCTOU race condition in the handling of overlayfs - decided to drop support for overlayfs since it was deemed - thanks to Reiner Herrmann for providing this update

[USN-5142-1] Samba vulnerabilities [04:43]

[USN-5144-1] OpenEXR vulnerability [05:55]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • Integer overflow -> buffer overflow -> crash / RCE

[USN-5145-1] PostgreSQL vulnerabilities [06:08]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Incorrect handling of SSL certificate verification - could allow a remote attacker to inject arbitrary SQL queries during initial connection establishment (similar to the various STARTTLS vulnerabilities seen recently) - data sent in the clear before the TLS connection had been established would be processed, when it should simply be thrown away
  • New upstream point releases which include other bug fixes too (13.5 for impish/hirsute, 12.9 for focal, 10.19 for bionic)
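The STARTTLS-style failure mode described above comes down to one decision: what a server does with bytes that were already sitting in its read buffer at the moment it switches the connection to TLS. The block below is an added model of that decision (example code, not the podcast's and not PostgreSQL's own implementation). The SSLRequest framing and its request code follow the PostgreSQL frontend/backend protocol documentation; the bundled simple-query message is constructed, and the three policy names are assumptions of this example.

```python
import struct

# SSLRequest as documented in the PostgreSQL wire protocol: a 4-byte length (8) followed by
# the 4-byte request code 1234.5679, i.e. (1234 << 16) | 5679 = 80877103.
SSL_REQUEST_CODE = (1234 << 16) | 5679
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)

# Constructed sample: a simple-query message ('Q', int32 length including itself,
# NUL-terminated query text) that arrives in the clear alongside the SSLRequest.
SAMPLE_QUERY = b"Q" + struct.pack("!I", 4 + len(b"SELECT 1\x00")) + b"SELECT 1\x00"


def parse_ssl_request(buf: bytes):
    """Return (True, remainder) if buf starts with an SSLRequest, else (False, buf)."""
    if len(buf) < 8:
        return False, buf
    length, code = struct.unpack("!II", buf[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return True, buf[8:]
    return False, buf


def negotiate_tls(buf: bytes, policy: str = "discard") -> bytes:
    """Model the server's handling of bytes already buffered when it switches to TLS.

    policy="carry"   - the flawed behaviour: leftover plaintext is kept and later parsed as
                       though it had arrived inside the encrypted, authenticated session
    policy="discard" - the fix described in the show notes: throw the leftover plaintext away
    policy="reject"  - stricter alternative (assumed): treat any leftover as a protocol error
    Returns the bytes that will be handed to the message parser once TLS is up.
    """
    is_ssl, leftover = parse_ssl_request(buf)
    if not is_ssl:
        raise ValueError("buffer does not start with an SSLRequest")
    # At this point the real server replies b"S" and runs the TLS handshake on the socket;
    # everything that matters here is what happens to `leftover`.
    if policy == "carry":
        return leftover
    if policy == "discard":
        return b""
    if policy == "reject":
        if leftover:
            raise ValueError(f"{len(leftover)} unexpected plaintext bytes after SSLRequest")
        return b""
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    bundled = SSL_REQUEST + SAMPLE_QUERY
    print("carry   ->", negotiate_tls(bundled, "carry"))
    print("discard ->", negotiate_tls(bundled, "discard"))
```

The same shape applies to any protocol with an opportunistic upgrade to TLS (SMTP, IMAP and LDAP STARTTLS included): the only bytes a server may trust after the upgrade are those it read through the TLS layer, so the plaintext read buffer must be empty, or the connection refused, at the moment the handshake starts.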

[USN-5147-1] Vim vulnerabilities [07:13]

[USN-5149-1] AccountsService vulnerability [08:01]

  • 1 CVE addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Double free in the SetLanguage() DBus method - memory corruption in a root daemon which can be triggered by an unprivileged user - caused by an Ubuntu-specific patch which we include so that when the user selects a language / format it is saved in their ~/.pam_environment to keep the settings in sync
  • The patch contained code to reuse an existing pointer but then freed it - and it would then be freed again by the original code
  • Privilege escalation by getting the accountsservice daemon to run arbitrary code

[USN-5148-1] hivex vulnerability [09:24]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Tools for handling Windows Registry hive files
  • OOB read with a specially crafted input file -> crash -> DoS
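Both the hivex out-of-bounds read above and the OpenEXR integer overflow earlier in this episode are failures to check a length or dimension taken from the file against the data actually present. The block below is an added example (not from the podcast, hivex or OpenEXR) of the two checks a file parser needs: a length-prefixed record reader whose every bound is validated before the slice, and a buffer-size computation that proves the product fits before multiplying. The record format, the caps and all sample inputs are constructed for this example.

```python
import struct

MAX_RECORD_LEN = 1 << 20     # assumed cap for one record body (1 MiB)
MAX_BUFFER_BYTES = 1 << 28   # assumed cap on any buffer derived from header dimensions
UINT32_MAX = 0xFFFFFFFF


class MalformedInput(ValueError):
    """Raised for any length or dimension that does not fit the data actually present."""


def read_record(data: bytes, offset: int):
    """Read one record: 4-byte little-endian length, then that many body bytes.

    Returns (body, next_offset). Each bound is checked against len(data) before the slice,
    so a crafted length field can only raise MalformedInput, never read past the buffer
    (in C the unchecked equivalent is exactly the OOB read -> crash described above)."""
    if offset < 0 or offset + 4 > len(data):
        raise MalformedInput(f"header at {offset} runs past end of data ({len(data)} bytes)")
    (length,) = struct.unpack_from("<I", data, offset)
    if length > MAX_RECORD_LEN:
        raise MalformedInput(f"record length {length} exceeds cap {MAX_RECORD_LEN}")
    start = offset + 4
    end = start + length
    if end > len(data):
        raise MalformedInput(f"record body [{start}:{end}) runs past end of data")
    return data[start:end], end


def parse_all(data: bytes):
    """Walk the whole file; any inconsistency surfaces as MalformedInput instead of a bad read."""
    records, offset = [], 0
    while offset < len(data):
        body, offset = read_record(data, offset)
        records.append(body)
    return records


def is_well_formed(data: bytes) -> bool:
    try:
        parse_all(data)
        return True
    except MalformedInput:
        return False


def checked_buffer_size(width: int, height: int, bytes_per_pixel: int,
                        limit: int = MAX_BUFFER_BYTES) -> int:
    """Size of a pixel buffer, validated the way a C implementation must validate it.

    Python integers never wrap, so the check is written in the division form that is safe in
    32-bit arithmetic too. 0x10000 x 0x10000 is the textbook case: in uint32 the product wraps
    to 0, the allocation is 0 bytes, and every pixel written afterwards lands past its end."""
    for name, v in (("width", width), ("height", height), ("bytes_per_pixel", bytes_per_pixel)):
        if not 0 < v <= UINT32_MAX:
            raise MalformedInput(f"{name}={v} out of range")
    if width > limit // height:              # same test as width*height > limit, cannot overflow
        raise MalformedInput(f"{width}x{height} pixels exceeds cap {limit}")
    pixels = width * height
    if bytes_per_pixel > limit // pixels:    # same test as pixels*bpp > limit
        raise MalformedInput(f"{pixels} pixels x {bytes_per_pixel} bytes exceeds cap {limit}")
    return pixels * bytes_per_pixel


# Constructed sample input: three valid records ("hello", an empty body, "ok").
SAMPLE_FILE = (struct.pack("<I", 5) + b"hello" + struct.pack("<I", 0)
               + struct.pack("<I", 2) + b"ok")
# Constructed crafted inputs: a length pointing past the end of the file, and an absurd one.
CRAFTED_PAST_END = struct.pack("<I", 10) + b"abc"
CRAFTED_HUGE = struct.pack("<I", 0xFFFFFFF0) + b"x"

if __name__ == "__main__":
    print(parse_all(SAMPLE_FILE))
    for crafted in (CRAFTED_PAST_END, CRAFTED_HUGE):
        print(crafted.hex(), "well-formed:", is_well_formed(crafted))
    print("640x480x4 ->", checked_buffer_size(640, 480, 4), "bytes")
```

The cap on record length matters even when the bounds check is correct: a file that is internally consistent but asks for a gigabyte-sized buffer is the memory-exhaustion variant of the same DoS.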

Goings on in Ubuntu Security Community

How to handle large security updates in outdated software versions? [09:56]

  • Samba updates in [USN-5142-1] do not include Bionic
  • Upstream released a new 4.13.14 which we could upgrade to in F/H/I/J without a lot of work or risk of regression, since those releases already used a more recent version (4.11 etc.), so the change in behaviour as a result of upgrading was not so large, and other packages in the archive were still compatible with this new version
  • Upstream has released patches for these vulns back to 4.10, but this is 686 individual patches - bionic has Samba 4.7 and so would require a lot of manual work to backport these ~700 patches, and the risk of introducing a regression (i.e. breaking something) when backporting such a large set of changes is higher
    • We are security engineers, not full-time Samba developers, so we are not cognisant of all the possible pitfalls etc.
  • The other option would be to update Samba in bionic to 4.13.14 as in the later releases, but other packages like talloc, tdb, tevent and ldb would all need to be upgraded as well
  • But this new Samba version only supports Python 3, not Python 2.7 which the older Samba currently in bionic does
  • FreeIPA in bionic is Python 2 and so would be broken by this upgrade
  • We could also try to upgrade FreeIPA to a newer version which uses Python 3, but it isn't clear if the required Python 3 dependencies even exist in the 18.04 archive - so they may need to be backported and introduced there as well
  • Either option involves a lot of change and hence complexity, and therefore a high risk of regression
  • Unclear yet which will be the preferred option, but this illustrates the difficulties involved in providing security support for old software versions for which upstream has ceased to provide support
  • Will likely come across more cases like this as we get further into ESM support periods for various packages - Bionic is still in its LTS phase until 2023, so not even in ESM, and already has trouble for Samba
  • Watch this space…

Get in contact

