18:04:30 #startmeeting
18:04:30 Meeting started Mon Dec 17 18:04:30 2012 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:04:30 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:04:34 The meeting agenda can be found at:
18:04:35 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:04:39 [TOPIC] Announcements
18:04:59 thanks to Christian Kuersteiner (ckuerste), who provided a debdiff for lucid for pgbouncer (LP: #1083414)
18:05:01 Launchpad bug 1083414 in pgbouncer (Ubuntu Raring) "DoS-Vulnerability in pgbouncer" [Undecided,Fix released] https://launchpad.net/bugs/1083414
18:05:08 Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:05:13 [TOPIC] Weekly stand-up report
18:05:17 I'll go first
18:05:32 I've got a short week this week-- off Thu and Fri
18:05:39 I'm on community
18:06:23 I plan to look at an old apport/apparmor hardening update
18:06:47 I also hope to look at some audits and tick off various things off my todo list
18:06:58 mdeslaur: you're up
18:07:08 I'm in the happy place this week
18:07:14 I just published a few updates
18:07:25 and I plan on doing some merges
18:07:39 I have a short week as I'm off starting on thursday at noon
18:07:52 and I'll look at some other CVEs, time permitting
18:07:54 that's it from me
18:07:56 sbeattie: you're up
18:08:16 I have a very short week this week, as I am on holiday starting tomorrow
18:08:47 (I'll be available and sporadically checking irc/email)
18:09:08 Otherwise, I'm continuing to work on apparmor display manager stuff
18:09:20 that's it for me. micahg?
18:09:43 sbeattie: hehe, you must not have felt like getting up this morning :)
18:10:20 I've got more webkit, patch piloting, and hopefully Chromium if qengho tracks down the issues he's working on
18:10:44 that's it
18:11:22 tyhicks: ping
18:11:31 I'm working on an embargoed item
18:11:41 I'll be working on the apparmor kernel policy interface work item, as well
18:12:15 I should also take a look at the outstanding eCryptfs kernel patches sent to me recently since the kernel merge window will close this week
18:12:28 I'm working all week
18:12:33 that's it for me
18:12:35 jjohansen: you're up
18:13:24 sarnold, fyi, the one issue that the gcc trunk build was broken with ssp is now fixed
18:13:40 doko: excellent, thank you :)
18:14:04 jj isn't here
18:14:05 now reenabling again format security
18:14:10 sarnold: you're up
18:14:15 doko: \o/
18:14:18 oh yeah, sorry
18:14:39 I'm on triage this week
18:14:42 I think he is working on getting 2.8 alpha together and the base labeling patches done before the break
18:15:19 (he should be here most of the week as well)
18:15:45 * jdstrand is done
18:15:51 sarnold: sorry
18:16:30 I've been reading and re-reading the bugzilla report from dwmw2 and trying to re-create the problem on my laptop
18:16:44 I'd like to recreate the problem in a way that leads to reproducers that could be added to QRT
18:17:06 sarnold: is that a gcc thing?
18:17:20 (dwmw2's configuration is _highly_ specific to his use, and isn't easy to recreate... I've found that the dnsmasq spawned by juju seems ideal at showing the problem...)
18:17:28 ah, dnsmasq
18:17:33 jdstrand: ah, no, sorry, dnsmasq
18:18:47 I'm currently poking at using the 'dummy' interfaces because the ethernet aliases don't have the correct 'bind to interface' properties that a 'real' interface would have, and I want them separate from my physical interfaces...
18:19:47 I think I'm going to be using tcpdump, tcprewrite, and tcpreplay to fiddle with the packets, though I'm not 100% confident that tcpreplay will let me send to a 'wrong' ip for a given interface.
18:20:36 the patch itself is surprisingly small for the effort though; I feel like dnsmasq is important enough to get right to put in this time, but wouldn't mind being persuaded to just do the update.
18:20:57 sarnold: hmm, you might check out scapy
18:21:04 sarnold: hrm, is this something where testing in a multi-interfaced vm would make more sense?
18:21:24 sbeattie: ah, it could.
18:21:35 sarnold: you can look at the instructions for quagga for examples on multi-vm testing instructions
18:22:13 I was hoping to stick with dummy just so that it would be easier to put into qrt tests -- something that could be configured and run entirely on one host, you know?
18:22:19 sarnold: or isc-dhcp
18:22:29 mdeslaur: cool, thanks. :)
18:23:58 sarnold: one host is definitely nice. there are some test scripts (libvirt, krb5, openldap (iirc)) that can be given an extra argument to connect to another server
18:24:12 which is a totally acceptable fallback
18:25:02 sarnold: do you have more to report?
18:25:25 jdstrand: no, that's it. thanks.
18:25:30 [TOPIC] Highlighted packages
18:25:37 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:25:41 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:25:47 http://people.canonical.com/~ubuntu-security/cve/pkg/ircd-ratbox.html
18:25:50 http://people.canonical.com/~ubuntu-security/cve/pkg/dracut.html
18:25:53 http://people.canonical.com/~ubuntu-security/cve/pkg/xymon.html
18:25:56 http://people.canonical.com/~ubuntu-security/cve/pkg/libapache2-mod-auth-openid.html
18:26:01 http://people.canonical.com/~ubuntu-security/cve/pkg/pnp4nagios.html
18:26:11 [TOPIC] Miscellaneous and Questions
18:26:16 Does anyone have any other questions or items to discuss?
18:28:13 mdeslaur, sbeattie, micahg, tyhicks, sarnold: thanks!
18:28:14 #endmeeting