18:03:36 <jdstrand> #startmeeting
18:03:36 <meetingology> Meeting started Mon Aug 27 18:03:36 2012 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:41 <jdstrand> The meeting agenda can be found at:
18:03:42 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:03:50 <jdstrand> [TOPIC] Weekly stand-up report
18:03:55 <jdstrand> I'll go first
18:04:10 <jdstrand> I'm in the happy place this week
18:04:36 <jdstrand> I've got more MIR auditing and pending updates
18:05:13 <jdstrand> I should also be finished with the second iteration of aa-sandbox and send that to the list
18:05:21 <jdstrand> mdeslaur is not here today
18:05:26 <jdstrand> sbeattie: you're up
18:05:35 <sbeattie> I'm on community this week.
18:05:54 <sbeattie> I also have a couple of updates to finish testing and push out.
18:06:22 <sbeattie> I also need to get the apparmor-dbus ppa going and review aa-sandbox.
18:06:32 <sbeattie> that's it for me.
18:06:43 <sbeattie> did micahg make it back in time?
18:06:47 <jdstrand> sbeattie: I recommend holding off on that review til I submit again
18:06:55 <sbeattie> yeah
18:08:04 <jdstrand> I think he is not. he can jump in later if he comes back
18:08:06 <tyhicks> I'll go
18:08:16 <tyhicks> I'm handling triage this week
18:08:38 <tyhicks> I just returned from a long vacation and I'm still catching up
18:08:57 <tyhicks> Another couple hours and I should be back on top of everything
18:09:28 <tyhicks> While I was out, I finished xmlrpc-c patches for CVE-2012-0876 and CVE-2012-1148
18:09:29 <ubottu> The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876)
18:09:30 <ubottu> Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148)
18:09:48 <tyhicks> I'll need to test those patches and try to get the updates out
18:10:03 <tyhicks> I say 'try' because I'll be at the Linux Security Summit Thursday and Friday of this week
18:10:18 <tyhicks> before I leave, I'm going to help jdstrand with a security audit
18:10:22 <tyhicks> I think that's it for me
18:11:00 <jjohansen> I guess I am up
18:11:04 <tyhicks> jjohansen: yep, you're up
18:12:32 <jjohansen> I need to finish up the 2.8 port of the aa-dbus patches, and finish debugging the current set of kernel patches (rcu, fs update, ...), then I will be heading to Linux Security Summit for Thursday and Friday this week
18:13:47 <jjohansen> that is it for me jdstrand back to you
18:13:52 <jdstrand> thanks
18:14:02 <jdstrand> [TOPIC] Highlighted packages
18:14:05 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:14:09 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:14:16 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/smokeping.html
18:14:19 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/chasen.html
18:14:22 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:14:26 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/mhonarc.html
18:14:29 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ruby-actionpack-2.3.html
18:14:35 <jdstrand> [TOPIC] Miscellaneous and Questions
18:14:41 <jdstrand> There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:14:48 <jdstrand> Does anyone have any other questions or items to discuss?
18:20:02 <jdstrand> sbeattie, jjohansen, tyhicks: thanks!
18:20:03 <jdstrand> #endmeeting