Linux Kernel 6.2
The Linux kernel included in Ubuntu 23.04 has been upgraded from 5.19 to 6.2. Despite the major version bump, this upgrade consists mostly of the usual device support and performance improvements. There are, however, a few interesting security features such as KCFI support, Intel SGX2 support, and improved in-kernel encryption support.
One of the more interesting new security-focused features in this release is Kernel Control Flow Integrity (KCFI) support. This new CFI implementation is easier to enable and hardens the kernel against attacks that modify kernel control flow. See this excellent LWN.net article for a detailed look at how CFI protects the kernel.
This updated kernel release also includes support for Intel’s Software Guard Extensions 2 (SGX2) hardware secure memory feature which was introduced in the Gemini Lake/Ice Lake processors. SGX2 features an improved secure memory enclave that allows processes to encrypt memory space in order to prevent snooping. One particularly interesting use of this technology is encrypting VM memory space to prevent other system processes or VMs from being able to read the contents.
The last security-focused change in this kernel update is improved in-kernel encryption support. Kernel 6.2 includes support for HCTR2, a length-preserving (plaintext size == ciphertext size) encryption mode that works well with hardware acceleration on x86 and ARM processors. This release also adds support for ARIA-GCM as well as 256-bit TLS hardware offload.
systemd 252
systemd has been updated from 251 to 252 with a number of minor but interesting security improvements:
- Communication between systemd and TPM2 devices is now conducted using a bind key for improved security.
- systemd-resolved will now continue to use DNS over TLS even after it has been restarted, and will no longer hard-fail if the nameserver is using an unrecognized protocol.
- Networkd now supports passing values to the Kernel netlabel modules via a new `NetLabel=` config option.
- VM bootstrap configuration data can now be passed to systemd without the need for cloud-init by passing data using the DMI type 11 field.
- The /etc/os-release spec now includes an optional SUPPORT_END field to expose distro EOL dates to tools like Mondoo. Thank you systemd team!
Bundled Servers
MariaDB 10.11.2
MariaDB has been updated from 10.6.12 all the way to 10.11.2, with a huge number of improvements to the database server including a large number of security improvements.
MariaDB now includes new data types and functions for storing and comparing advanced data formats. By moving potentially unaudited logic out of your application and into the database server, you may be able to avoid data handling vulnerabilities.
- New UUID and INET4 datatypes
- RANDOM_BYTES function for generating random data
- JSON_TABLE function to convert JSON data into relational rows
- JSON_EQUALS function to make JSON data comparisons
A large number of improvements have been made to enhance data security throughout MariaDB. SSL support is now enabled by default on the CLI, and the server will now fail to start if SSL has not been properly configured in the my.cnf file. A new `password_reuse_check` plugin prevents users from reusing passwords during password updates. A new `Hashicorp Key Management` plugin allows encrypting data in tables using HashiCorp Vault.
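The following is an added example, not code from the original post or from the MariaDB project, showing how the new types and functions listed above push input validation into the server. The `api_sessions` table and its column names are invented for illustration; the `UUID` and `INET4` types, `RANDOM_BYTES()`, `JSON_TABLE` and `JSON_EQUALS()` are the MariaDB features the post describes.

```sql
-- Added example (not from the original post): a table whose column types do
-- the validation that application code would otherwise have to get right.
-- Table and column names are illustrative.
CREATE TABLE api_sessions (
    session_id UUID          NOT NULL DEFAULT UUID() PRIMARY KEY,
    client_ip  INET4         NOT NULL,
    csrf_token VARBINARY(32) NOT NULL,
    claims     JSON          NOT NULL CHECK (JSON_VALID(claims))
);

-- INET4 only accepts a dotted-quad IPv4 address, UUID only accepts a
-- well-formed UUID, and RANDOM_BYTES() draws the token from the server's
-- CSPRNG instead of whatever the application happened to use.
INSERT INTO api_sessions (client_ip, csrf_token, claims)
VALUES ('192.0.2.10', RANDOM_BYTES(32),
        '{"sub": "alice", "roles": ["reader", "editor"]}');

-- A malformed address is rejected by the column type with an error,
-- so garbage never reaches the table (the statement below fails on purpose).
INSERT INTO api_sessions (client_ip, csrf_token, claims)
VALUES ('192.0.2.10 extra', RANDOM_BYTES(32), '{"sub": "mallory"}');

-- JSON_TABLE turns the roles array into rows that can be joined and filtered
-- with ordinary SQL rather than parsed by hand in the application.
SELECT s.session_id, r.role
FROM api_sessions AS s,
     JSON_TABLE(s.claims, '$.roles[*]'
                COLUMNS (role VARCHAR(32) PATH '$')) AS r
WHERE r.role = 'editor';

-- JSON_EQUALS compares documents semantically (key order and whitespace are
-- ignored), which avoids brittle string comparison of serialized JSON.
SELECT JSON_EQUALS('{"sub":"alice","roles":["reader","editor"]}',
                   '{ "roles": ["reader", "editor"], "sub": "alice" }')
       AS same_claims;
```

The `JSON` column type in MariaDB already carries an implicit `JSON_VALID` check; the explicit `CHECK` is kept so the constraint is visible in the schema. The final `SELECT` returns 1 because the two documents are semantically identical even though their key order differs.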
PostgreSQL 15.2
PostgreSQL has been upgraded from 14.7 to 15.2 with minor security improvements, mostly related to reducing the out-of-the-box DB privileges:
- Improved randomness in the random() function
- CREATE permissions removed for all users except the database owner
- UPDATE/DELETE logical replication is no longer allowed when the user lacks SELECT permission, since both UPDATE and DELETE also require reading data
- Allow GRANT on the pg_log_backend_memory_contexts() function so it can be run by non-superusers
- Add a new pg_checkpoint role so members can run CHECKPOINT, which previously required superuser privileges
- Allow GRANT on individual server variables so non-superusers can change their values
- Add new pg_write_server_files role to allow members to perform server-side base backups which previously required superuser privileges
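An added example, not from the original post or the PostgreSQL project, of how an administrator uses the PostgreSQL 15 changes listed above to hand out formerly superuser-only abilities one at a time and then audit what was granted. The role names `backup_operator`, `db_support` and `app_owner` are invented; the predefined roles, the `GRANT ... ON PARAMETER` syntax and the `pg_parameter_acl` catalog are PostgreSQL 15 features.

```sql
-- Added example (not from the original post): least-privilege grants that
-- PostgreSQL 15 makes possible without handing out SUPERUSER.
-- The three application roles below are illustrative.
CREATE ROLE backup_operator LOGIN;
CREATE ROLE db_support      LOGIN;
CREATE ROLE app_owner       LOGIN;

-- Server-side base backups (pg_basebackup --target=server:/path) are
-- allowed for members of pg_write_server_files in 15.
GRANT pg_write_server_files TO backup_operator;

-- Forcing a CHECKPOINT before a backup window no longer needs superuser.
GRANT pg_checkpoint TO backup_operator;

-- Support staff can dump a backend's memory contexts to the server log
-- for troubleshooting; the function is now grantable to non-superusers.
GRANT EXECUTE ON FUNCTION pg_log_backend_memory_contexts(integer) TO db_support;

-- Per-parameter grants: these two settings normally require superuser to
-- change within a session (SUSET); now they can be delegated individually
-- without opening up every other server variable.
GRANT SET ON PARAMETER log_min_duration_statement TO db_support;
GRANT SET ON PARAMETER log_statement               TO db_support;

-- The public schema no longer grants CREATE to every role, so give it
-- explicitly to the one role that owns the application's objects.
GRANT CREATE ON SCHEMA public TO app_owner;

-- Audit: which roles hold predefined pg_* roles?
SELECT r.rolname AS member, g.rolname AS granted_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname LIKE 'pg\_%'
ORDER BY member, granted_role;

-- Audit: which server variables have been delegated, and to whom?
SELECT parname, paracl FROM pg_parameter_acl ORDER BY parname;
```

Both audit queries are the ones to run after an upgrade to 15: the first shows who has quietly inherited checkpoint or file-writing rights through a predefined role, and the second lists every parameter that is now settable by a non-superuser.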
Samba 4.17.7
One of the biggest updates in Samba 4.17 is support for Kerberos 1.20, which has enabled several important features:
- Support for Resource Based Constrained Delegation (RBCD) to allow controlled delegation for increased security and to match the functionality that was originally delivered in Windows 2003.
- Mitigation against the Bronze Bit attack.
- Support for the S4U2Self and S4U2Proxy Kerberos extensions for obtaining tickets on behalf of other users.
This release also includes the ability to entirely disable storing unsalted password hashes, adds support for the Protected Users security group which was introduced in Windows 2012R2, and removes support for the LanMan authentication and password storage mechanisms.
Time to Upgrade
Overall we think this release is well worth the effort to upgrade for desktop users and perhaps even some server users that are willing to brave the shorter support cycle of non-LTS Ubuntu releases.
Experience the simplicity of security: Try Mondoo!