Episode 237

Ubuntu Security Podcast
19 September 2024, 16 min

Overview

John and Maxime have been talking about Ubuntu’s AppArmor user namespace restrictions at the Linux Security Summit Europe this past week; we also cover more details from the official announcement of permission prompting in Ubuntu 24.10, a new release of Intel TDX for Ubuntu 24.04 LTS, and more.

This week in Ubuntu Security Updates (01:11)

613 unique CVEs addressed in the past fortnight

[USN-6989-1] OpenStack vulnerability
  1 CVE addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-44082

[USN-6990-1] znc vulnerability
  1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-39844

[USN-6992-1] Firefox vulnerabilities
  8 CVEs addressed in Focal (20.04 LTS)
  CVE-2024-8385 CVE-2024-8384 CVE-2024-8381 CVE-2024-8389 CVE-2024-8387 CVE-2024-8386 CVE-2024-8383 CVE-2024-8382

[USN-6993-1] Vim vulnerabilities
  2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-43374 CVE-2024-41957

[USN-6991-1] AIOHTTP vulnerability
  1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-23334

[USN-6995-1] Thunderbird vulnerabilities
  10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  CVE-2024-8384 CVE-2024-8381 CVE-2024-7525 CVE-2024-7522 CVE-2024-7519 CVE-2024-8382 CVE-2024-7529 CVE-2024-7527 CVE-2024-7526 CVE-2024-7521

[USN-6996-1] WebKitGTK vulnerabilities
  6 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-4558 CVE-2024-40789 CVE-2024-40782 CVE-2024-40780 CVE-2024-40779 CVE-2024-40776

[USN-6841-2] PHP vulnerability
  1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  CVE-2024-5458

[USN-6997-1, USN-6997-2] LibTIFF vulnerability
  1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-7006

[USN-6994-1] Netty vulnerabilities
  2 CVEs addressed in Jammy (22.04 LTS)
  CVE-2023-44487 CVE-2023-34462
  HTTP/2 DoS, seen exploited in the wild and listed on the CISA KEV

[USN-6998-1] Unbound vulnerabilities
  2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-43168 CVE-2024-43167

[USN-6999-1] Linux kernel vulnerabilities
  220 CVEs addressed in Noble (24.04 LTS)
  Full CVE list elided - see USN for details

[USN-7003-1, USN-7003-2, USN-7003-3] Linux kernel vulnerabilities
  85 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  Full CVE list elided - see USN for details

[USN-7004-1] Linux kernel vulnerabilities
  221 CVEs addressed in Noble (24.04 LTS)
  Full CVE list elided - see USN for details

[USN-7005-1, USN-7005-2] Linux kernel vulnerabilities
  219 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  Full CVE list elided - see USN for details

[USN-7006-1] Linux kernel vulnerabilities
  94 CVEs addressed in Focal (20.04 LTS)
  Full CVE list elided - see USN for details

[USN-7007-1] Linux kernel vulnerabilities
  219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  Full CVE list elided - see USN for details

[USN-7008-1] Linux kernel vulnerabilities
  222 CVEs addressed in Jammy (22.04 LTS)
  Full CVE list elided - see USN for details

[USN-7009-1] Linux kernel vulnerabilities
  219 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  Full CVE list elided - see USN for details

[USN-7019-1] Linux kernel vulnerabilities
  429 CVEs addressed in Jammy (22.04 LTS)
  Full CVE list elided - see USN for details

[USN-7002-1] Setuptools vulnerability
  1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-6345

[USN-7000-1, USN-7000-2] Expat vulnerabilities
  3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-45492 CVE-2024-45491 CVE-2024-45490

[USN-7001-1, USN-7001-2] xmltok library vulnerabilities
  2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-45491 CVE-2024-45490

[USN-6560-3] OpenSSH vulnerability
  1 CVE addressed in Xenial ESM (16.04 ESM)
  CVE-2023-51385

[USN-7011-1, USN-7011-2] ClamAV vulnerabilities
  2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-20506 CVE-2024-20505

[USN-7012-1] curl vulnerability
  1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-8096

[USN-7013-1] Dovecot vulnerabilities
  2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  CVE-2024-23185 CVE-2024-23184

[USN-7014-1] nginx vulnerability
  1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-7347

[USN-7015-1] Python vulnerabilities
  5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-8088 CVE-2024-7592 CVE-2024-6923 CVE-2024-6232 CVE-2023-27043

[USN-7010-1] DCMTK vulnerabilities
  9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-34509 CVE-2024-34508 CVE-2024-28130 CVE-2022-43272 CVE-2022-2121 CVE-2021-41690 CVE-2021-41689 CVE-2021-41688 CVE-2021-41687

[USN-7016-1] FRR vulnerability
  1 CVE addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  CVE-2024-44070

[USN-7017-1] Quagga vulnerability
  1 CVE addressed in Focal (20.04 LTS)
  CVE-2024-44070

[USN-7018-1] OpenSSL vulnerabilities
  6 CVEs addressed in Trusty ESM (14.04 ESM)
  CVE-2024-0727 CVE-2023-3446 CVE-2022-2068 CVE-2022-1292 CVE-2021-23840 CVE-2020-1968

Goings on in Ubuntu Security Community

Linux Security Summit Europe 2024 (03:44)

https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/

- Sep 16-17 - Vienna, Austria
- John Johansen and Maxime Bélair from the AppArmor team presented “Restricting Unprivileged User Namespaces in Ubuntu”
  https://youtu.be/yCHGmdXpylA?t=1053
  https://static.sched.com/hosted_files/lsseu2024/ed/Restricting%20Unprivileged%20User%20Namespaces%20In%20Ubuntu.pdf
- Other talks:
  - Deep-dive into xz-utils supply chain attack
  - Internals of the SLUB memory allocator for exploit developers
  - Landlock update - including details of new IOCTL restrictions etc
  - systemd and TPM2 update

Official announcement of Permissions Prompting in Ubuntu 24.10 (09:00)

https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963

- Ubuntu Security Center with snapd-based AppArmor home file access prompting, previewed in Episode 236
- Even works for command-line applications etc - not just graphical
- Covers future developments as well:
  - Better default response suggestions based on user feedback.
  - Shell integration of the prompting pop-ups (eg full screen takeovers)
  - Improved rule management summaries and better messaging of overlapping or redundant prompts.
  - Expansion of the prompting system to cover additional snap interfaces such as camera and microphone access.
  - Smarter client side analysis of prompts, recommending additional options if multiple similar prompts are detected.

Version 2.1 of Intel® TDX on Ubuntu 24.04 LTS Released (11:46)

https://discourse.ubuntu.com/t/version-2-1-of-intel-tdx-on-ubuntu-24-04-lts-released/47918/1

- Confidential computing - using TDX to run VMs in confidential mode - runs workloads (VMs) in hardware-backed isolated execution environments (Trust Domains).
- VM memory isolation via encryption in hardware, so it can’t be accessed by the hypervisor; remote attestation etc (see Confidential Computing with Ijlal Loutfi and Karen Horovitz from Episode 230)
  https://discourse.ubuntu.com/t/intel-tdx-1-0-technology-preview-available-on-ubuntu-23-10/40698
- Scripting to set up the required elements to use TDX on an Ubuntu 24.04 host and then set up guest VMs to run in confidential mode
  - Install server image, run scripts, enable TDX in BIOS, create VM images etc
- Can also configure remote attestation of the VM too
- See full changes at https://github.com/canonical/tdx/releases/tag/2.1

Ubuntu 22.04.5 LTS released (13:45)

https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835/8

- Only covers changes in main and restricted; doesn’t list security updates either
- https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

AppArmor security update for CVE-2016-1585 published (14:23)

- Upcoming AppArmor Security update for CVE-2016-1585 from Episode 226
  https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268/3
- Now published to the -updates pocket for 20.04 LTS and 22.04 LTS
- Will be published to the -security pocket next week

Get in contact

- security@ubuntu.com
- #ubuntu-security on the Libera.Chat IRC network
- ubuntu-hardened mailing list
- Security section on discourse.ubuntu.com
- @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter