Overview
This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow up on the xz-utils backdoor from last week, and it’s the beta release of Ubuntu 24.04 LTS. Plus we talk about security vulnerabilities in the X Server, Django, util-linux and more.
This week in Ubuntu Security Updates
76 unique CVEs addressed
[LSN-0102-1] Linux kernel vulnerability (00:53)
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2024-1086
- CVE-2024-0646
- CVE-2023-51781
- CVE-2023-6176
- CVE-2023-4569
- CVE-2023-1872
- All covered in previous episodes
  - netfilter UAF ([USN-6700-1] Linux kernel vulnerabilities from Episode 223)
  - OOB write in KTLS ([USN-6648-1] Linux kernel vulnerabilities from Episode 220)
  - UAF in AppleTalk network driver ([USN-6648-1] Linux kernel vulnerabilities from Episode 220)
  - NULL ptr deref in TLS impl ([LSN-0100-1] Linux kernel vulnerability from Episode 219)
  - Memory leak in netfilter ([USN-6383-1] Linux kernel vulnerabilities from Episode 210)
[USN-6710-2] Firefox regressions (01:54)
- 2 CVEs addressed in Focal (20.04 LTS)
- CVE-2024-29944
- CVE-2024-29943
- 124.0.2
- In particular, includes fixes that allow Firefox, when installed directly from Mozilla, to work under 24.04 LTS with the new AppArmor userns restrictions
- As discussed in previous episodes, the default profile allows the use of userns but then blocks getting additional capabilities. Firefox would previously try to create both a new userns and a new PID NS in one call, which would be blocked. This is now split into two separate calls so the userns can succeed but the pidns will be denied (since it requires CAP_SYS_ADMIN)
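The difference between the combined and the split calls can be observed on a given machine with a small probe. This is an added example, not Firefox's or Ubuntu's code: it assumes unshare(2) is the call in question and that a denial shows up as EPERM, and `probe` and `classify` are names made up here.

```python
import ctypes
import errno
import os
import struct

CLONE_NEWUSER = 0x10000000  # values from <linux/sched.h>
CLONE_NEWPID = 0x20000000

def _unshare(flags):
    """Return 0 on success, else the errno set by unshare(2)."""
    libc = ctypes.CDLL(None, use_errno=True)
    return 0 if libc.unshare(flags) == 0 else ctypes.get_errno()

def _in_child(fn):
    """Run fn() in a forked child so the caller's namespaces stay untouched."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.write(w, struct.pack("ii", *fn()))
        finally:
            os._exit(0)
    os.close(w)
    data = os.read(r, 8)
    os.close(r)
    os.waitpid(pid, 0)
    # -1 marks "child reported nothing" (assumption: treated as inconclusive)
    return struct.unpack("ii", data) if len(data) == 8 else (-1, -1)

def probe():
    """Return (combined, userns, pidns) errno values; 0 means success."""
    combined, _ = _in_child(lambda: (_unshare(CLONE_NEWUSER | CLONE_NEWPID), 0))
    userns, pidns = _in_child(
        lambda: (_unshare(CLONE_NEWUSER), _unshare(CLONE_NEWPID)))
    return combined, userns, pidns

def classify(combined, userns, pidns):
    """Map probe() results onto the behaviour described in the notes above."""
    if -1 in (combined, userns, pidns):
        return "inconclusive"
    if userns != 0:
        return "userns creation denied"
    if combined == 0 and pidns == 0:
        return "unrestricted: userns grants capabilities"
    if combined == errno.EPERM and pidns == errno.EPERM:
        return "restricted: userns allowed, capabilities denied"
    return "inconclusive"

if __name__ == "__main__":
    print(classify(*probe()))
```

A sandbox that needs only the user namespace keeps working in the "restricted" case as long as it treats the failed PID namespace call as non-fatal.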
Information
- Frequency: Updated weekly
- Published: 12 April 2024 at 07:51 UTC
- Length: 20 min
- Rating: Clean