Artwork

محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Player FM - برنامه پادکست
با برنامه Player FM !

Episode 195

26:58
 
اشتراک گذاری
 

Manage episode 363721190 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

Alex and Camila discuss security update management strategies after a recent outage at Datadog was attributed to a security update for systemd on Ubuntu, plus we look at security vulnerabilities in the Linux kernel, OpenStack, Synapse, OpenJDK and more.

This week in Ubuntu Security Updates

66 unique CVEs addressed

[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)

[USN-6070-1] Linux kernel vulnerabilities (01:37)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • 5.15 raspi in 22.04, Azure FDE in 20.04
  • TCINDEX UAF plus UAF in io_uring

[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)

[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)

[USN-6079-1] Linux kernel vulnerabilities (02:49)

[USN-6080-1] Linux kernel vulnerabilities (02:55)

[USN-6081-1] Linux kernel vulnerabilities (03:02)

[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Inconsistency between Cinder (block storage service of OpenStack) and Nova (compute / virtual server provisioning) could result in storage volumes being attached to the wrong compute instances - would happen when trying to detach a volume from an instance
  • Lots of interacting components, all need a consistent view of the system etc

[USN-6073-5] Nova regression

  • Affecting Focal (20.04 LTS)
  • Above update meant that in some circumstances Nova would be unable to detach volumes from instances

[USN-6074-1] Firefox vulnerabilities (04:15)

[USN-6074-2] Firefox regressions (04:27)

[USN-6075-1] Thunderbird vulnerabilities (04:36)

[USN-6060-3] MySQL regression (05:02)

  • Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • [USN-6060-1, USN-6060-2] MySQL vulnerabilities from Episode 194
  • Latest upstream release 8.0.33 introduced a regression on 32-bit ARM (armhf) - would crash on startup - to fix, reverted an upstream commit which was introduced to help with performance of atomic operations

[USN-6076-1] Synapse vulnerabilities (05:39)

  • 7 CVEs addressed in Bionic (18.04 LTS)
  • Matrix homeserver
  • Various issues - signature checking on APIs, failure to properly apply event visibility rules, DoS - exploited in the wild, insufficient randomness when generating random IDs made them guessable, ability for unauthorised users to hijack rooms, more predictable randomness which could allow remote attackers to impersonate users, event spoofing due to improper signature validation - some of these require to be the admin of a room or to have a malicious server etc - but since Matrix is federated, this is not so implausible

[USN-6078-1] libwebp vulnerability (06:38)

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Double free when handling crafted content

[USN-6077-1] OpenJDK vulnerabilities (06:45)

[USN-6082-1] EventSource vulnerability (07:02)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • EventSource client for NodeJS - info leak - could leak cookies and authorisation headers to third party applications - but should have been sanitising headers to avoid this as per same-origin-policy

Goings on in Ubuntu Security Community

Datadog outage and management of security updates (07:32)

Get in contact

  continue reading

228 قسمت

Artwork

Episode 195

Ubuntu Security Podcast

136 subscribers

published

iconاشتراک گذاری
 
Manage episode 363721190 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

Alex and Camila discuss security update management strategies after a recent outage at Datadog was attributed to a security update for systemd on Ubuntu, plus we look at security vulnerabilities in the Linux kernel, OpenStack, Synapse, OpenJDK and more.

This week in Ubuntu Security Updates

66 unique CVEs addressed

[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)

[USN-6070-1] Linux kernel vulnerabilities (01:37)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • 5.15 raspi in 22.04, Azure FDE in 20.04
  • TCINDEX UAF plus UAF in io_uring

[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)

[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)

[USN-6079-1] Linux kernel vulnerabilities (02:49)

[USN-6080-1] Linux kernel vulnerabilities (02:55)

[USN-6081-1] Linux kernel vulnerabilities (03:02)

[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Inconsistency between Cinder (block storage service of OpenStack) and Nova (compute / virtual server provisioning) could result in storage volumes being attached to the wrong compute instances - would happen when trying to detach a volume from an instance
  • Lots of interacting components, all need a consistent view of the system etc

[USN-6073-5] Nova regression

  • Affecting Focal (20.04 LTS)
  • Above update meant that in some circumstances Nova would be unable to detach volumes from instances

[USN-6074-1] Firefox vulnerabilities (04:15)

[USN-6074-2] Firefox regressions (04:27)

[USN-6075-1] Thunderbird vulnerabilities (04:36)

[USN-6060-3] MySQL regression (05:02)

  • Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • [USN-6060-1, USN-6060-2] MySQL vulnerabilities from Episode 194
  • Latest upstream release 8.0.33 introduced a regression on 32-bit ARM (armhf) - would crash on startup - to fix, reverted an upstream commit which was introduced to help with performance of atomic operations

[USN-6076-1] Synapse vulnerabilities (05:39)

  • 7 CVEs addressed in Bionic (18.04 LTS)
  • Matrix homeserver
  • Various issues - signature checking on APIs, failure to properly apply event visibility rules, DoS - exploited in the wild, insufficient randomness when generating random IDs made them guessable, ability for unauthorised users to hijack rooms, more predictable randomness which could allow remote attackers to impersonate users, event spoofing due to improper signature validation - some of these require to be the admin of a room or to have a malicious server etc - but since Matrix is federated, this is not so implausible

[USN-6078-1] libwebp vulnerability (06:38)

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Double free when handling crafted content

[USN-6077-1] OpenJDK vulnerabilities (06:45)

[USN-6082-1] EventSource vulnerability (07:02)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • EventSource client for NodeJS - info leak - could leak cookies and authorisation headers to third party applications - but should have been sanitising headers to avoid this as per same-origin-policy

Goings on in Ubuntu Security Community

Datadog outage and management of security updates (07:32)

Get in contact

  continue reading

228 قسمت

همه قسمت ها

×
 
Loading …

به Player FM خوش آمدید!

Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.

 

راهنمای مرجع سریع