18:03:36 <jdstrand> #startmeeting
18:03:36 <meetingology> Meeting started Mon Aug 27 18:03:36 2012 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:36 <meetingology>
18:03:36 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:41 <jdstrand> The meeting agenda can be found at:
18:03:42 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:03:50 <jdstrand> [TOPIC] Weekly stand-up report
18:03:55 <jdstrand> I'll go first
18:04:10 <jdstrand> I'm in the happy place this week
18:04:36 <jdstrand> I've got more MIR auditing and pending updates
18:05:13 <jdstrand> I should also be finished with the second iteration of aa-sandbox and send that to the list
18:05:21 <jdstrand> mdeslaur is not here today
18:05:26 <jdstrand> sbeattie: you're up
18:05:35 <sbeattie> I'm on community this week.
18:05:54 <sbeattie> I also have a couple of updates to finish testing and push out.
18:06:22 <sbeattie> I also need to get the apparmor-dbus ppa going and review aa-sandbox.
18:06:32 <sbeattie> that's it for me.
18:06:43 <sbeattie> did micahg make it back in time?
18:06:47 <jdstrand> sbeattie: I recommend holding off on that review til I submit again
18:06:55 <sbeattie> yeah
18:08:04 <jdstrand> I think he is not. he can jump in later if he comes back
18:08:06 <tyhicks> I'll go
18:08:16 <tyhicks> I'm handling triage this week
18:08:38 <tyhicks> I just returned from a long vacation and I'm still catching up
18:08:57 <tyhicks> Another couple hours and I should be back on top of everything
18:09:28 <tyhicks> While I was out, I finished xmlrpc-c patches for CVE-2012-0876 and CVE-2012-1148
18:09:29 <ubottu> The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876)
18:09:30 <ubottu> Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148)
18:09:48 <tyhicks> I'll need to test those patches and try to get the updates out
18:10:03 <tyhicks> I say 'try' because I'll be at the Linux Security Summit Thursday and Friday of this week
18:10:18 <tyhicks> before I leave, I'm going to help jdstrand with a security audit
18:10:22 <tyhicks> I think that's it for me
18:11:00 <jjohansen> I guess I am up
18:11:04 <tyhicks> jjohansen: yep, you're up
18:12:32 <jjohansen> I need to finish up the 2.8 port of the aa-dbus patches, and finish debugging the current set of kernel patches (rcu, fs update, ..), then I will be heading to Linux Security Summit for Thursday and Friday this week
18:13:47 <jjohansen> that is it for me. jdstrand, back to you
18:13:52 <jdstrand> thanks
18:14:02 <jdstrand> [TOPIC] Highlighted packages
18:14:05 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:14:09 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:14:16 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/smokeping.html
18:14:19 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/chasen.html
18:14:22 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:14:26 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/mhonarc.html
18:14:29 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ruby-actionpack-2.3.html
18:14:35 <jdstrand> [TOPIC] Miscellaneous and Questions
18:14:41 <jdstrand> There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:14:48 <jdstrand> Does anyone have any other questions or items to discuss?
18:20:02 <jdstrand> sbeattie, jjohansen, tyhicks: thanks!
18:20:03 <jdstrand> #endmeeting