Episode 226

Ubuntu Security Podcast

Overview

John and Georgia are at the Linux Security Summit presenting on some long-awaited developments in AppArmor and we give you all the details in a sneak peek preview, as well as some of the other talks to look out for, plus we cover security updates for NSS, Squid, Apache, libvirt and more, and we put out a call for testing of a pending AppArmor security fix too.

This week in Ubuntu Security Updates

86 unique CVEs addressed

[USN-6727-1, USN-6727-2] NSS vulnerabilities + regression (01:02)

  • 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
    • CVE-2023-6135
    • CVE-2023-5388
    • CVE-2023-4421
  • All three are timing side channels - two (CVE-2023-4421 and CVE-2023-5388) are effectively the same issue, since the original fix was incomplete: mishandling of PKCS#1 v1.5 (RSA) padding checks during decryption made it possible to infer the length of the encrypted message and other properties, and eventually the secret key, by sending a large number of attacker-chosen ciphertexts; the third (CVE-2023-6135) is a timing side channel when using various NIST curves (elliptic curve cryptography)
  • The original fix caused issues with loading NSS security modules, so a second update (USN-6727-2) was published to fix that on Focal and Jammy
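The padding-check side channel above is easiest to see in code. The following is an added illustration, not NSS code and not the patched NSS logic: a PKCS#1 v1.5 unpadding routine written the leaky way (stop at the first bad byte) next to a fixed-work version that visits every byte and folds all failures into one mask. Rather than measuring time, each function returns how many padding bytes it examined, which is the quantity a timing oracle observes. The sample encoded messages are constructed with a 16-byte modulus for readability, and Python itself is not constant-time; the point is the structure, not the interpreter.

```python
# Added illustration (not NSS code): PKCS#1 v1.5 unpadding with an early-exit
# scan versus a fixed-work scan. Each function returns how many padding bytes
# it examined, which is what a timing attacker would observe. Python is not a
# constant-time language; the structure is what matters here.
from typing import Optional, Tuple

K = 16  # constructed modulus size in bytes; real keys are 256 bytes or more

# EM = 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M   (constructed inputs)
VALID_EM = b"\x00\x02" + b"\x01" * 8 + b"\x00" + b"hello"       # M = b"hello"
BAD_HEADER_EM = b"\x00\x01" + b"\x01" * 8 + b"\x00" + b"hello"  # block type byte wrong
EARLY_ZERO_EM = b"\x00\x02" + b"\x00" + b"\x01" * 13            # PS shorter than 8 bytes
NO_SEPARATOR_EM = b"\x00\x02" + b"\x01" * 14                    # no 0x00 after PS


def leaky_unpad(em: bytes) -> Tuple[Optional[bytes], int]:
    """Early-exit check. Returns (message or None, padding bytes examined).

    The examined-byte count depends on where the padding first goes wrong, so
    an attacker submitting chosen ciphertexts learns about the plaintext, and
    over many queries about the private key, from timing alone."""
    if len(em) != K:
        return None, 0
    examined = 1
    if em[0] != 0x00:
        return None, examined
    examined += 1
    if em[1] != 0x02:
        return None, examined
    sep = None
    for i in range(2, K):
        examined += 1
        if em[i] == 0x00:
            sep = i
            break                           # data-dependent early exit
    if sep is None or sep < 10:             # PS must be at least 8 bytes
        return None, examined
    return em[sep + 1:], examined


def ct_unpad(em: bytes) -> Tuple[Optional[bytes], int]:
    """Fixed-work check: every byte is visited and all errors are folded into
    one mask, so the examined count is always K - 2 whatever the content."""
    if len(em) != K:                        # the length is public, so this branch is fine
        return None, 0
    bad = (em[0] ^ 0x00) | (em[1] ^ 0x02)   # non-zero if the header is wrong
    sep = 0         # index of the first 0x00 after the header (0 if none)
    found = 0       # becomes 1 once the separator has been seen
    examined = 0
    for i in range(2, K):
        examined += 1
        is_zero = 1 - (((em[i] | -em[i]) >> 31) & 1)   # 1 iff em[i] == 0, no branch
        sep |= i * (is_zero & (1 - found))              # record only the first zero
        found |= is_zero
    short_ps = ((sep - 10) >> 31) & 1                   # 1 iff sep < 10
    bad |= (1 - found) | short_ps
    if bad:                                             # decided only after the full scan
        return None, examined
    return em[sep + 1:], examined
```

Both functions return the same message for a valid block; the difference is that `leaky_unpad` touches 2, 3, 11 or 16 bytes depending on the input while `ct_unpad` always touches 14. Note that the final accept/reject branch still leaks one bit per query, so a real mitigation also has to hide that decision (for example by returning a deterministic pseudorandom message on failure rather than an error); the point of this block is only the padding scan itself.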

[USN-6728-1, USN-6728-2] Squid vulnerabilities + regression (02:05)

  • 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
    • CVE-2024-25617
    • CVE-2024-25111
    • CVE-2024-23638
    • CVE-2023-5824
    • CVE-2023-49288
  • All found by the same researcher (Joshua Rogers) who performed a security audit of Squid back in 2021 - https://megamansec.github.io/Squid-Security-Audit/ - first mentioned by us in [USN-6500-1] Squid vulnerabilities in Episode 214 back in December 2023
  • At the time we mentioned how Squid was under-resourced and so hadn't been able to fix all the identified issues - since then upstream has published fixes for more of them and we are now incorporating those into squid in Ubuntu
  • All of these are various DoS issues that could either cause squid to crash or to stop responding
  • One of these fixes was itself problematic and caused squid to crash, so it was reverted in USN-6728-2

[USN-6729-1] Apache HTTP Server vulnerabilities (03:01)

  • 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
    • CVE-2024-27316
    • CVE-2024-24795
    • CVE-2023-38709
  • 2 different issues that could result in HTTP response splitting attacks - closely related to HTTP request smuggling, which relies on an intermediate (load balancer/proxy/WAF etc.) and the backend parsing/interpreting the same HTTP message differently, so that what one side sees as a single HTTP message is handled as multiple messages by the other, allowing restrictions along the way to be bypassed - usually involves the use of injected CR/LF/TAB/SPC e
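The mechanism behind the two splitting issues is worth seeing concretely. The block below is an added illustration, not Apache code: a redirect builder that interpolates a header value unchecked, the same builder with a control-character check, and a minimal response reader that plays the role of a downstream client or cache consuming the byte stream one message at a time. The attacker-supplied `ATTACK_LOCATION` value is constructed for the example.

```python
# Added illustration (not Apache code): an unvalidated header value lets an
# attacker terminate the real response early and append a second response
# whose status, headers and body they fully control.
from typing import Dict, List, Tuple

CRLF = b"\r\n"

# Constructed attacker input for a redirect target: it closes the real
# response (Content-Length: 0 plus a blank line) and starts a new one.
ATTACK_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\ninjected"
)


def is_safe_header_value(value: str) -> bool:
    """Allow printable ASCII and HTAB only; CR, LF, NUL and every other control
    character are rejected. Stricter than the RFC grammar, on purpose."""
    return all(c == "\t" or 0x20 <= ord(c) <= 0x7E for c in value)


def build_redirect(location: str, validate: bool, body: bytes = b"") -> bytes:
    """validate=False is the vulnerable pattern: the value is interpolated as-is."""
    if validate and not is_safe_header_value(location):
        raise ValueError("CR/LF or control character in header value")
    head = [
        b"HTTP/1.1 302 Found",
        b"Location: " + location.encode("latin-1"),
        b"Content-Length: " + str(len(body)).encode("ascii"),
    ]
    return CRLF.join(head) + CRLF + CRLF + body


def parse_responses(raw: bytes) -> List[Tuple[str, Dict[str, str], bytes]]:
    """Minimal HTTP/1.1 response reader: one (status line, headers, body) per
    message, delimited by Content-Length. Stops at anything that is not a
    status line, which is how the attacker's trailing junk is discarded."""
    messages: List[Tuple[str, Dict[str, str], bytes]] = []
    pos = 0
    while pos < len(raw):
        while raw.startswith(CRLF, pos):        # tolerate blank lines between messages
            pos += 2
        end = raw.find(CRLF + CRLF, pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break                               # leftover bytes, not a message
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


if __name__ == "__main__":
    for status, headers, body in parse_responses(build_redirect(ATTACK_LOCATION, validate=False)):
        print(status, headers, body)
    try:
        build_redirect(ATTACK_LOCATION, validate=True)
    except ValueError as exc:
        print("rejected:", exc)
```

Fed through the unvalidated builder, the single redirect the server meant to send is read back as two messages, the second a `200 OK` carrying the attacker's body; the same bytes are what a shared cache would store for that URL, which is why a splitting bug in a header-emitting module matters beyond the one client. The validated builder refuses the value instead. Rejecting is the right response for a header like `Location`; percent-encoding the value is only appropriate where the header's grammar allows it.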
