Overview
After a week's break we are back to look at updates for ClamAV, GnuTLS,
nginx, Samba and more, plus we briefly discuss the current 20.04 Mid-Cycle
Roadmap Review sprint for the Ubuntu Security Team
This week in Ubuntu Security Updates
73 unique CVEs addressed
[USN-4230-1] ClamAV vulnerability [01:16]
1 CVE addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-15961
Backport of the latest upstream release (0.102.1) from focal
CPU-based DoS when scanning crafted emails - specifically in the parsing of
MIME components
[USN-4232-1] GraphicsMagick vulnerabilities [01:52]
11 CVEs addressed in Xenial
CVE-2017-16353
CVE-2017-16352
CVE-2017-15930
CVE-2017-15277
CVE-2017-14997
CVE-2017-14994
CVE-2017-14733
CVE-2017-14649
CVE-2017-14504
CVE-2017-14314
CVE-2017-14165
Episode 57, Episode 55
Heap based buffer over-reads - info leak or crash -> DoS
Heap based buffer overflow - crash -> DoS, RCE
NULL ptr derefs - crash -> DoS
Memory overallocation -> memory based remote DoS
[USN-4231-1] NSS vulnerability [03:04]
1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-17006
UBSAN found a possible buffer overflow due to missing length checks on the
inputs to various functions - so applications using libnss for crypto could
be vulnerable to a buffer overflow
[USN-4233-1] GnuTLS update [03:54]
Affecting Xenial, Bionic
Update marks SHA1 as untrusted for digital signature operations -
SHA1 has been broken in theory for a while; in 2017 Google demonstrated the
first practical SHA1 collision, and recently the first chosen-prefix
collision attack against SHA1 was demonstrated as well, by creating two PGP
keys whose certifications collide so that one key can impersonate the other
As such GnuTLS will no longer trust SHA1 based digital signatures, since
these can now be forged relatively easily (for attacker-chosen inputs - this
is still not an attack against an arbitrary existing document)
As such libraries / applications which use GnuTLS (libsoup, Epiphany) will
no longer trust SHA1 based digital signatures either
https://sha-mbles.github.io/
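The practical question this raises for an admin is which certificates in a chain are still signed with SHA1. As an added example (not GnuTLS code or anything from the USN), the following pure standard-library Python walks just enough DER to read a certificate's outer signatureAlgorithm OID and flags the SHA1/MD5 based ones; the OID-to-name table and the "weak" policy are assumptions chosen to match the change described above, and the sample certificates are constructed from dummy fields so it runs offline.

```python
"""Flag X.509 certificates whose signature algorithm is SHA1 (or MD5) based.

Added example for these notes, not GnuTLS code. A minimal DER walker in
pure standard-library Python reads the outer signatureAlgorithm of a
certificate; the sample certificates are constructed below from dummy
fields so the script runs offline.
"""

# Dotted OID -> (name, rejected-as-weak). Assumed policy: anything SHA1/MD5
# based is flagged, matching the GnuTLS change described above.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def der_read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def cert_signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(body, pos)       # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return der_decode_oid(oid)


def classify_signature(cert_der):
    """Return (weak, name) for the certificate's signature algorithm."""
    oid = cert_signature_algorithm(cert_der)
    name, weak = SIG_ALG_OIDS.get(oid, (oid, False))  # unknown OIDs: report, don't flag
    return weak, name


# --- constructed sample data: just enough DER to exercise the parser ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(digits))
    return der_tlv(0x06, bytes(out))


def fake_certificate(sig_alg_oid):
    """Constructed certificate: placeholder TBS and signature, real AlgorithmIdentifier."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                         # stand-in tbsCertificate
    alg_id = der_tlv(0x30, der_encode_oid(sig_alg_oid) + b"\x05\x00")   # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 128)                        # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        weak, name = classify_signature(fake_certificate(oid))
        print(f"{name}: {'would now be rejected' if weak else 'accepted'}")
```

To use it on a real chain, read each DER certificate file and call classify_signature() on its bytes; what matters is the algorithm used to sign each certificate below the trust anchor, since the anchor itself is trusted by inclusion rather than by its signature.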
[USN-4234-1] Firefox vulnerabilities [06:10]
8 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-17026
CVE-2019-17025
CVE-2019-17024
CVE-2019-17023
CVE-2019-17022
CVE-2019-17020
CVE-2019-17017
CVE-2019-17016
Latest upstream Firefox release (72.0.1)
Usual sorts of issues fixed: DoS, info disclosure, bypass content
security policy restrictions, conduct XSS attacks or execute arbitrary
code
[USN-4047-2] libvirt vulnerability [06:48]
1 CVE addressed in Trusty ESM
CVE-2019-10161
Episode 40 - libvirt was updated for the regular releases - various APIs
with side effects were reachable by read-only clients
Now backported for 14.04 ESM users / customers as well
[USN-4235-1, USN-4235-2] nginx vulnerability [07:18]
1 CVE addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-20372
HTTP request smuggling (Episode 52) - with certain error_page
configurations an attacker could read unauthorized web pages where nginx is
fronted by a load balancer
[USN-4236-1, USN-4236-2] Libgcrypt vulnerability [08:03]
1 CVE addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-13627
ECDSA timing side-channel attack (Minerva)
observe the timing of signature generation over known messages to infer the
bit-length of the random nonce scalar used in the scalar multiplication on
the elliptic curve - given enough such signatures the full private key can
be recovered using lattice techniques
https://minerva.crocs.fi.muni.cz/
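Where the leak comes from is easier to see on a toy curve than in libgcrypt's MPI code. The following is an added example (not libgcrypt code): a textbook double-and-add that starts at the scalar's top set bit performs fewer group operations for a nonce with leading zero bits, while a version that always walks a fixed number of bits and always does a double and an add per bit does not. The curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) of order 19 is a standard textbook toy, counting group operations stands in for timing, and the nonce values are constructed.

```python
"""Why Minerva works, on a toy curve: the number of group operations in a
textbook scalar multiplication depends on the bit length of the scalar.

Added example, not libgcrypt code. The curve y^2 = x^3 + 2x + 2 over F_17
with G = (5, 1) of order 19 is a standard textbook toy; counting group
operations stands in for measuring wall-clock time.
"""
P_MOD, A = 17, 2
G, ORDER = (5, 1), 19
INF = None                                   # point at infinity


def ec_add(P, Q):
    """Affine point addition/doubling on y^2 = x^3 + A*x + 2 mod P_MOD."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:  # P == -Q
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul_leaky(k, P):
    """Double-and-add starting at k's top set bit: the Minerva-style flaw.
    Returns (k*P, group operations). Ops = bit_length(k) + popcount(k)."""
    R, ops = INF, 0
    for i in range(k.bit_length() - 1, -1, -1):
        R = ec_add(R, R); ops += 1
        if (k >> i) & 1:
            R = ec_add(R, P); ops += 1
    return R, ops


def mul_fixed(k, P, nbits=ORDER.bit_length()):
    """Always walks nbits bits and always does one double and one add per bit,
    so the operation count is independent of k (leading zero bits included).
    Returns (k*P, group operations) = (k*P, 2*nbits)."""
    R, ops = INF, 0
    for i in range(nbits - 1, -1, -1):
        R = ec_add(R, R); ops += 1
        T = ec_add(R, P); ops += 1               # computed whether or not it is kept
        R = T if (k >> i) & 1 else R             # real code uses a constant-time select, not a branch
    return R, ops


def nonce_op_counts(mul, nonces):
    """Operation count per nonce, i.e. what per-signature timing reveals."""
    return [mul(k, G)[1] for k in nonces]


if __name__ == "__main__":
    nonces = [1, 3, 7, 12, 16, 18]                # constructed "random" nonces in [1, ORDER)
    print("leaky:", nonce_op_counts(mul_leaky, nonces))   # shorter nonces finish sooner
    print("fixed:", nonce_op_counts(mul_fixed, nonces))   # flat profile
```

Both routines compute the same point for every scalar, which is the whole point: the leak is purely in how long it took. In Minerva the attacker keeps the fastest signatures, i.e. those whose nonce has the most leading zero bits, and feeds the resulting bounds on the nonces into a lattice (hidden number problem) to recover the key.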
[USN-4237-1, USN-4237-2] SpamAssassin vulnerabilities [09:04]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-12420
CVE-2018-11805
DoS via excessive resource usage
RCE via crafted configuration (CF) files - upstream advises only using
trusted configuration files
[USN-4238-1] SDL_image vulnerabilities [09:55]
12 CVEs addressed in Xenial, Bionic
CVE-2019-7635
CVE-2019-5052
CVE-2019-5051
CVE-2019-13616
CVE-2019-12222
CVE-2019-12221
CVE-2019-12220
CVE-2019-12219
CVE-2019-12218
CVE-2019-12217
CVE-2019-12216
CVE-2018-3977
Image loading library for SDL1.2 (low level library used for various
games etc - provides common access to audio, input devices, graphics etc)
Large C code-base - usual memory safety issues -> usual effects -> crash,
DoS or possible RCE
[USN-4239-1] PHP vulnerabilities [10:32]
4 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-11050
CVE-2019-11047
CVE-2019-11046
CVE-2019-11045
2 heap buffer over-reads in parsing EXIF information, 1 over-read in
bcmath extension, and 1 issue with handling filenames with embedded NUL
bytes
[USN-4221-2] libpcap vulnerability [11:28]
1 CVE addressed in Precise ESM
CVE-2019-15165
Episode 56
[USN-4240-1] Kamailio vulnerability [11:42]
1 CVE addressed in Xenial
CVE-2018-8828
SIP server written in C
Heap based buffer overflow when receiving a specially crafted REGISTER
message
[USN-4241-1] Thunderbird vulnerabilities [11:59]
11 CVEs addressed in Bionic, Eoan
CVE-2019-11745
CVE-2019-17026
CVE-2019-17024
CVE-2019-17022
CVE-2019-17017
CVE-2019-17016
CVE-2019-17012
CVE-2019-17011
CVE-2019-17010
CVE-2019-17008
CVE-2019-17005
Latest upstream release (68.4.1)
Derived from the Firefox code-base so contains fixes for many of the issues
which also affected Firefox above
[USN-4225-2] Linux kernel (HWE) vulnerabilities [12:21]
15 CVEs addressed in Bionic
CVE-2019-18813
CVE-2019-19534
CVE-2019-19529
CVE-2019-19524
CVE-2019-19072
CVE-2019-19055
CVE-2019-19052
CVE-2019-19051
CVE-2019-19045
CVE-2019-18660
CVE-2019-16231
CVE-2019-14897
CVE-2019-14896
CVE-2019-14901
CVE-2019-14895
Episode 58 - eoan (19.10) 5.3 kernel is now used as the HWE kernel for
bionic (18.04 LTS)
[USN-4242-1] Sysstat vulnerabilities [13:07]
2 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19725
CVE-2019-16167
Both issues occur when reading a crafted input file with the sadf utility -
likely the original reporter found these via fuzzing
Double free - heap corruption, but on Ubuntu the glibc heap protector is
enabled so this is just a crash -> DoS
Integer overflow -> heap buffer overflow when reading crafted input file
[USN-4243-1] libbsd vulnerabilities [14:12]
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
CVE-2019-20367
CVE-2016-2090
Library providing common BSD C functions which are not available on Linux
(strlcpy() etc)
OOB read (crash -> DoS)
Off-by-one in fgetwln() (get line of wide characters from a stream) ->
heap buffer overflow -> crash / RCE (doesn’t appear to be used by any
software in Ubuntu)
[USN-4244-1] Samba vulnerabilities [15:15]
3 CVEs addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-19344
CVE-2019-14907
CVE-2019-14902
UAF in DNS zone scavenging in AD DC
Crash when character conversion fails at log level 3
Does not automatically replicate ACLs which are set to inherit down a
subtree (not easily backportable to Xenial so only fixed on Bionic, Disco
and Eoan - Xenial users can instead work around it by manually replicating
ACLs from one DC to another for a given naming context)
[USN-4245-1] PySAML2 vulnerability [16:32]
1 CVE addressed in Xenial, Bionic, Disco, Eoan
CVE-2020-5390
May fail to properly validate signatures in a specially crafted SAML
document by checking the signature against the wrong data - so could assert
a document has been fully signed when only a part of it has
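The "wrong data" failure is the classic XML Signature Wrapping shape: the signature inside the Assertion the service provider consumes actually refers (via its ds:Reference URI) to a different, genuinely signed Assertion tucked elsewhere in the document, so the signature verifies but over the wrong element. As an added example (not PySAML2 code and not its fix), the following standard-library Python performs the structural pre-check a relying party needs alongside the cryptographic verification: the Reference in the consumed Assertion must resolve, by a unique ID, to that very Assertion. Both sample documents are constructed and their signature values are placeholders.

```python
"""Structural check that a SAML Assertion's signature is enveloped, i.e. the
ds:Reference inside the Assertion points back at that same Assertion.

Added example for these notes, not PySAML2 code. It runs alongside (not
instead of) the cryptographic check: if the Reference resolves to some other
element, a valid signature proves nothing about the Assertion being consumed.
Sample documents are constructed below; signature values are placeholders.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def signature_is_enveloped(root, node):
    """True only if `node` has a ds:Signature child with exactly one Reference whose
    URI="#ID" resolves to `node` itself, and that ID is unique in the document."""
    sig = node.find(f"{DS}Signature")                 # must be a direct child
    if sig is None:
        return False
    refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        return False
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):                       # reject "" (whole doc) and external URIs
        return False
    target = uri[1:]
    matches = [e for e in root.iter() if e.get("ID") == target]
    return len(matches) == 1 and matches[0] is node   # duplicate IDs are a wrapping trick


def consume_first_assertion(xml_text):
    """Return (NameID, enveloped_ok) for the Assertion a naive SP would act on."""
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{SAML}Assertion")         # first Assertion child of the Response
    name_id = assertion.findtext(f"{SAML}Subject/{SAML}NameID")
    return name_id, signature_is_enveloped(root, assertion)


# Constructed sample: the IdP signed Assertion ID="a1" for alice.
LEGIT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed XSW sample: the genuine signed a1 is kept (so the signature still
# verifies) but an unsigned Assertion for admin comes first, carrying a copy of it.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""

if __name__ == "__main__":
    print(consume_first_assertion(LEGIT))     # ('alice', True)
    print(consume_first_assertion(WRAPPED))   # ('admin', False)
```

A verifier that only asks "does some signature in this document validate?" accepts WRAPPED, because the signature over a1 is genuine; the check above refuses it because the element being consumed is not the element that was signed. The check is deliberately strict (a single same-document Reference, unique ID) since SAML assertions are expected to be individually enveloped-signed.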
Goings on in Ubuntu Security Community
Mid cycle product roadmap sprint [17:18]
Security team presents progress on plans for Ubuntu 20.04 Focal Fossa -
ie. ESM offerings, AppArmor features, snapd security features, Ubuntu
Core security features, MIR security reviews progress etc
Represented by Joe McManus, Mark Morlino, Chris Coulson and John Johansen
Get in contact
security@ubuntu.com
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter