This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
类似 Ubuntu Security Podcast 的节目
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Player FM -播客应用
使用Player FM应用程序离线!
使用Player FM应用程序离线!
))
Episode 123
Manage episode 297055570 series 2423058
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
Overview
Is npm audit more harm than good? Plus this week we look at security updates for DjVuLibre, libuv, PHP and more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4905-2] X.Org X Server vulnerability [00:42]
- 1 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 112 - Local user (X client) could crash the server via Xinput extension and ChangeFeedbackControl request - integer underflow -> heap buffer overflow
[USN-5005-1] DjVuLibre vulnerability [01:26]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- OOB write via crafted djvu file -> crash -> DoS, RCE
[USN-5007-1] libuv vulnerability [01:53]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Async event handling library - used by nodejs and others - supports async handling TCP/UDP sockets, DNS resolution, file system operations etc
- OOB read when converting strings to ASCII -> can be triggered via calls to uv_getaddrinfo() which are done by clients who handle TCP/UDP sockets async (ie nodejs, Julia,, BIND etc)
[USN-5006-1] PHP vulnerabilities [03:04]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- UAF in PHAR archive handling - generally these are trusted so low impact
- mishandling of URLs with embedded passwords - unspecified impact but could misparse the URL and cause unwanted behaviour
- Mishandling of XML when processing SOAP server responses -> NULL ptr deref (so malicious server could trigger a crash) -> DoS
- Ability to bypass Sever Side Request Forgery (SSRF) protections in FILTER_VALIDATE_URL
Goings on in Ubuntu Security Community
npm audit broken by design? [04:13]
Ubuntu Security Podcast on break for next 2 weeks [07:56]
Get in contact
231集单集
分享
Manage episode 297055570 series 2423058
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
Overview
Is npm audit more harm than good? Plus this week we look at security updates for DjVuLibre, libuv, PHP and more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4905-2] X.Org X Server vulnerability [00:42]
- 1 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 112 - Local user (X client) could crash the server via Xinput extension and ChangeFeedbackControl request - integer underflow -> heap buffer overflow
[USN-5005-1] DjVuLibre vulnerability [01:26]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- OOB write via crafted djvu file -> crash -> DoS, RCE
[USN-5007-1] libuv vulnerability [01:53]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Async event handling library - used by nodejs and others - supports async handling TCP/UDP sockets, DNS resolution, file system operations etc
- OOB read when converting strings to ASCII -> can be triggered via calls to uv_getaddrinfo() which are done by clients who handle TCP/UDP sockets async (ie nodejs, Julia,, BIND etc)
[USN-5006-1] PHP vulnerabilities [03:04]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- UAF in PHAR archive handling - generally these are trusted so low impact
- mishandling of URLs with embedded passwords - unspecified impact but could misparse the URL and cause unwanted behaviour
- Mishandling of XML when processing SOAP server responses -> NULL ptr deref (so malicious server could trigger a crash) -> DoS
- Ability to bypass Sever Side Request Forgery (SSRF) protections in FILTER_VALIDATE_URL
Goings on in Ubuntu Security Community
npm audit broken by design? [04:13]
Ubuntu Security Podcast on break for next 2 weeks [07:56]
Get in contact
231集单集
Semua episode
×
欢迎使用Player FM
Player FM正在网上搜索高质量的播客,以便您现在享受。它是最好的播客应用程序,适用于安卓、iPhone和网络。注册以跨设备同步订阅。
类似 Ubuntu Security Podcast 的节目
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Player FM -播客应用
使用Player FM应用程序离线!
使用Player FM应用程序离线!
