Diff for "SecurityTeam/KnowledgeBase"

KnowledgeBase

Differences between revisions 3 and 59 (spanning 56 versions)

Ubuntu Security Team • Roadmap • Getting Involved • Knowledge Base • FAQ • Contacts

Contents

Security updates
Policies
Features
Process
Problems

Security updates

Announcements

Official Ubuntu Security Notices (USNs)
Ubuntu security update notifications additional information

Media coverage

In order to stay secure, Ubuntu users should simply apply all Ubuntu security updates to their systems when they become available.

For some vulnerabilities that are highlighted by the media, we've provided additional information as part of our KnowledgeBase:

2021

GRUB2 Secure Boot Bypass (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2021-3418)

2020

2019

2018

2017

2016

2015

Vulnerability Resources

Update processes

Update techniques

How to prepare an updated package
How to handle backporting security updates
- schroot/sbuild setup
- virtual machine setup
How to test the update
- QA Regression Testing
- Proof of Concept (PoC)
- Build test suites (eg, 'make check')
ABI compatibility (eg, check-symbols, nm)
Checklists
Media coverage

Policies

Features

Feature Matrix (for all releases since Dapper, see the Historical Feature Matrix.)
Security Hardening Compiler Flags
AppArmor Profiles
Applications Built with PIE
AppArmor docs
SELinux docs

Process

Problems

DebuggingSecurity for bug reports
DebuggingApparmor for bug reports dealing with AppArmor profiles

CategorySecurityTeam

SecurityTeam/KnowledgeBase (last edited 2023-08-25 14:36:54 by rodrigo-zaiden)

-  ⇤ ← Revision 3 as of 2008-03-27 19:21:47 → 
  Size: 968
  Editor: c-76-105-157-155
  Comment:
+   ← Revision 59 as of 2021-03-02 18:41:11 → ⇥
  Size: 6655
  Editor: sbeattie
  Comment: reorg KB article listings....
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-[[Include(SecurityTeam/Header)]]
+<<Include(SecurityTeam/Header)>>
 Line 3:
-||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position:  98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;">'''Contents'''[[BR]][[TableOfContents]]||
+||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position:  98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>||

== Security updates ==

=== Announcements ===
 * Official [[http://www.ubuntu.com/usn/|Ubuntu Security Notices]] (USNs)
 * Ubuntu security update notifications [[SecurityTeam/UpdateNotifications|additional information]]

=== Media coverage ===
In order to stay secure, Ubuntu users should simply apply all Ubuntu security updates to their systems when they become available.

For some vulnerabilities that are highlighted by the media, we've provided additional information as part of our !KnowledgeBase:

==== 2021 ====
 * [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021 | GRUB2 Secure Boot Bypass (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2021-3418)]]

==== 2020 ====
 * [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Platypus | Intel power side-channels (CVE-2020-8694 and CVE-2020-8695, aka Platypus)]]
 * [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass | GRUB2 Secure Boot Bypass (CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, aka BootHole)]]
 * [[ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS | Special Register Buffer Data Sampling (SRBDS) Hardware Vulnerability in Intel CPUs (CVE-2020-0543, aka Crosstalk)]]

==== 2019 ====
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/runC | runC / docker.io Privileged Container Escape (CVE-2019-5736)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing | Snap Socket Parsing (CVE-2019-7304)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS | Microarchitectural Data Sampling (MDS) (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic | SACK Panic and Other TCP Denial of Service Issues (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/k8s-CVE-2019-11247 | Kubernetes API Server Vulnerability (CVE-2019-11247) ]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/http2 | HTTP/2 Denial of Service Vulnerabilities ]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915 | TSX Asynchronous Abort (TAA, CVE-2019-11135), Intel® Processor Machine Check Error (MCEPSC, CVE-2018-12207), and i915 graphics (CVE-2019-0155, CVE-2019-0154) vulnerabilities]]

==== 2018 ====
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Pop_SS | Mov/Pop SS vulnerabilities (CVE-2018-8897 and CVE-2018-1087) ]] 
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 | Variant 4 of Side Channel issues (CVE-2018-3639)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LazyFP | Lazy FP Save/Restore (CVE-2018-3665)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BCBS | Bounds Check Bypass Store (BCBS) (CVE-2018-3693) ]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/NetSpectre | NetSpectre ]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF | L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646)]]

==== 2017 ====
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BlueBorne | BlueBorne bluetooth vulnerabilities (CVE-2017-1000250, CVE-2017-1000251)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715) ]]

==== 2016 ====
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/OpenSSHClientRoaming|OpenSSH Client Roaming (CVE-2016-0777, CVE-2016-0778)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/httpoxy|httpoxy CGI application vulnerability]]

==== 2015 ====
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GHOST|GHOST (CVE-2015-0235)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/VENOM|VENOM (CVE-2015-3456)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LogJam|LogJam (CVE-2015-4000)]]
 * [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright|Stagefright (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829)]]
-Line 6:
+Line 56:
+=== Vulnerability Resources ===
 * [[https://launchpad.net/ubuntu-cve-tracker|Ubuntu CVE tracker]]
 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]] (web view)
 * [[http://cve.mitre.org|Common Vulnerabilities and Exposures]] (CVEs)
 * [[http://nvd.nist.gov/nvd.cfm|National Vulnerabilities Database]]
 * [[http://oss-security.openwall.org|Open Source Software Security]]
-Line 7:
+Line 63:
-{{{
 This page is still very much place-holder.  If you have time, please update it with more information.
}}}
+=== Update processes ===
 * [[SecurityTeam/UpdateProcedures|Security update procedures]]
 * [[StableReleaseUpdates/MicroReleaseExceptions]]
 * [[StableReleaseUpdates]] (SRU)
 * [[https://help.ubuntu.com/community/UbuntuBackports|Backport Requests]]
-Line 11:
+Line 69:
+=== Update techniques ===
 * [[https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update|How to prepare an updated package]]
 * How to handle backporting security updates
  * [[SecurityTeam/BuildEnvironment|schroot/sbuild setup]]
  * [[SecurityTeam/TestingEnvironment|virtual machine setup]]
 * How to test the update
  * [[https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master|QA Regression Testing]]
  * Proof of Concept (PoC)
  * Build test suites (eg, 'make check')
 * ABI compatibility (eg, check-symbols, nm)
 * Checklists
 * [[https://wiki.ubuntu.com/SecurityTeam/UpdatePublication#Media_coverage|Media coverage]]
-Line 12:
+Line 82:
- * security updates
  * [:SecurityUpdateProcedures: Security Update Procedures]
  * Ubuntu CVE tracker link
  * mitre
  * NVD
  * oss-security link
 * Policies (FAQ could link to Knowledge{{{}}}Base)
  * policy on local DoS
  * policy on root passwords/sudo
  * policy on open network ports
  * policy on sudo
  * policy on home directory permissions
 * AppArmor docs
 * SELinux docs
 * How to handle backporting security updates
  * good upstream patches
  * micro release
  * SRU
  * -backports
 * [:DebuggingSecurity] for bug reports
+== Policies ==
 * [[SecurityTeam/Policies|Ubuntu Security Policies]]
 * [[ApparmorProfileMigration|Creating enforcing AppArmor profiles policy]]

== Features ==
 * [[Security/Features|Feature Matrix]] (for all releases since Dapper, see the [[Security/Features/Historical|Historical Feature Matrix]].)
 * [[CompilerFlags|Security Hardening Compiler Flags]]
 * [[SecurityTeam/KnowledgeBase/AppArmorProfiles|AppArmor Profiles]]
 * [[SecurityTeam/KnowledgeBase/BuiltPIE|Applications Built with PIE]]
 * [[AppArmor]] docs
 * [[SELinux]] docs

== Process ==
 * [[SecurityTeam/BugTriage|Bug Triage]]
 * [[SecurityTeam/ReleaseCycle|Release Cycle Actions]]

== Problems ==
 * [[DebuggingSecurity]] for bug reports
 * [[DebuggingApparmor]] for bug reports dealing with [[AppArmor]] profiles

Ubuntu Wiki