#title #ubuntu-meeting Meeting

Meeting started by jdstrand at 18:03:27 UTC. The full logs are available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-03-18-18.03.log.html .

== Meeting summary ==

''LINK:'' https://wiki.ubuntu.com/SecurityTeam/Meeting (jdstrand, 18:03:53)
 *Announcements
 *Review of any previous action items
 *Weekly stand-up report
 *Highlighted packages
  ''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/extplorer.html (jdstrand, 18:32:58)
  ''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/rt-authen-externalauth.html (jdstrand, 18:33:01)
  ''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/tinymce.html (jdstrand, 18:33:05)
  ''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html (jdstrand, 18:33:09)
  ''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/festival.html (jdstrand, 18:33:12)
 *Miscellaneous and Questions
  ''ACTION:'' jdstrand to follow-up on potentially changing time of team meeting (jdstrand, 18:35:06)

Meeting ended at 18:38:16 UTC.

== Votes ==

== Action items ==
 * jdstrand to follow-up on potentially changing time of team meeting

== Action items, by person ==
 * jdstrand
 ** jdstrand to follow-up on potentially changing time of team meeting

== People present (lines said) ==
 * jdstrand (57)
 * chrisccoulson (19)
 * mdeslaur (12)
 * jjohansen (12)
 * sarnold (7)
 * sbeattie (6)
 * meetingology (4)
 * ubottu (3)

== Full Log ==

18:03:27 #startmeeting
18:03:27 Meeting started Mon Mar 18 18:03:27 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:27
18:03:27 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:52 The meeting agenda can be found at:
18:03:53 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:04:01 [TOPIC] Announcements
18:04:36 ChrisCoulson moved over to the security team as our browser security engineer. Chris has been a long-time friend to the security team as the Mozilla maintainer on the desktop team. Welcome Chris! :)
18:04:56 chrisccoulson
18:05:03 :)
18:05:11 Woot! Welcome, chrisccoulson!
18:05:16 welcome!
18:05:19 hunh, I never noticed that extra 'c' :)
18:05:30 hah, that confuses people ;)
18:05:40 tab-complete for the brain missed it entirely :) welcome :)
18:05:42 me either-- that will make my irssi commands interesting :)
18:05:57 all of my names begin with C. I'll let you try to guess what my other name is ;)
18:06:07 Custard?
18:06:12 lol
18:06:12 maybe in another channel :P
18:06:57 Thanks to Christian Kuersteiner (ckuerste) who provided a debdiff for precise for tinyproxy (LP: #1154502) and a debdiff for oneiric for tomcat7 (LP: #1115053). Your work is very much appreciated and will keep Ubuntu users secure. Great job!
18:07:00 Launchpad bug 1154502 in tinyproxy (Ubuntu Precise) "Multiple open vulnerabilities in tinyproxy" [High,Fix released] https://launchpad.net/bugs/1154502
18:07:01 Launchpad bug 1115053 in tomcat7 (Ubuntu Precise) "Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10" [Undecided,Triaged] https://launchpad.net/bugs/1115053
18:07:13 [TOPIC] Review of any previous action items
18:07:28 n/a
18:07:31 [TOPIC] Weekly stand-up report
18:07:35 I'll go first
18:08:06 I'm on triage this week
18:08:13 I'm working on a nova update
18:08:23 I've also got another embargoed update
18:08:53 the CVE list is pretty high atm. I hope to work on something else there
18:09:15 I've also got a work item for apparmor dbus policy I need to do before next week
18:09:36 I may pick up an audit as well
18:09:42 mdeslaur: you're up
18:09:53 I just published a couple of USNs
18:09:58 and I'm on community this week
18:10:06 I'm currently working on perl updates
18:10:11 and will continue going down the list, as usual
18:10:28 jdstrand: we need to send out the EoL notices
18:10:37 \o/
18:10:38 a bunch of stuff is dying in a month
18:10:44 and that's it from me
18:10:45 ooh, i like EoL notices ;)
18:10:46 sbeattie: you're up
18:11:02 mdeslaur: ack
18:11:17 I'm on apparmor again this week, working on the display manager blueprint workitems
18:11:52 I'm still working on the apparmor dm prototype, still tracking down some memory allocation errors on my part
18:12:22 and digging into the mir codebase
18:12:36 that's pretty much it for me. tyhicks: tag
18:13:05 tyhicks: is out today
18:13:10 jjohansen: you're up
18:13:15 I need to finish up with a regression bug 1145234, and then fixing the loading profiles from cache issue.
18:13:17 bug 1145234 in QA Regression Testing "FAIL: parent ptrace(PTRACE_SINGLESTEP) failed - : No such process" [Undecided,Confirmed] https://launchpad.net/bugs/1145234
18:13:19 s/://
18:13:47 And then it will be back to the apparmor labeling wi
18:13:53 jjohansen: can you elaborate on 1145234?
18:14:02 jjohansen: did this come about because of a security update?
18:14:24 jdstrand: yes our ptrace backport causes failures on lucid
18:15:00 jjohansen: ok, and only lucid? is it just with the backport kernels on lucid?
18:15:08 yes only on lucid
18:15:11 or even those kernels at all
18:15:36 jdstrand: only the lucid kernel with the ptrace backport
18:16:02 jdstrand: I know which patch even, however it's not that simple as the patch is correct
18:16:27 hrm
18:16:29 ok
18:16:38 it's the logic in between the backported patch that is missing that is causing problems
18:17:07 in other words we need to backport more than the 4 patches we are already doing for the bug
18:17:07 so it needs either some more commits or some glue
18:17:12 yeah
18:17:15 * jdstrand nods
18:17:33 * mdeslaur gets out the Elmer's
18:17:48 did you guys ever get the exploit to work on lucid?
18:18:16 sarnold: yes, it was hardy we failed on
18:18:24 ah :/
18:18:36 but hardy should theoretically be vulnerable as well
18:19:18 sarnold: you're up
18:20:13 I'm finishing up the systemd-related MIR audits this week; I've also got the lxc MIR audit outstanding that I'll work on unless jjohansen hands me a new patch set first :)
18:20:52 I also upgraded my laptop to raring over the weekend, initial impressions are quite good :) a handful of small bugs to file, but ... yay :)
18:21:30 nice
18:21:32 I think that's it for me, chrisccoulson's turn
18:23:00 so, for anyone who's not aware, one of the things i've been working on recently is improving our browser automated tests. i've done quite a lot of work for firefox already, but this week i plan to start improving the situation for chromium too
18:23:22 starting with hooking the upstream tests in to jenkins, like we have already for firefox
18:23:36 and then replacing our existing manual tests with more automated ones :)
18:23:52 and i've got some wiki stuff to read ;)
18:24:17 chrisccoulson: how would you characterize the status of the firefox tests?
18:25:03 jdstrand, in mostly good shape. there's some failures i don't yet understand, and some random failures too (eg, https://jenkins.qa.ubuntu.com/job/raring-ppa-adt-ubuntu_mozilla_daily_ppa-firefox-trunk/ARCH=i386,label=adt/lastCompletedBuild/testReport/dom.media.tests/mochitest/test_peerConnection_bug840344_html/ - although we've just established this one is an OOM)
18:25:43 but otherwise, the failure rate is very low. it would be nice to get it to zero though :)
18:25:51 chrisccoulson: not saying you should do this for this case, but is it possible to disable individual problematic tests?
18:26:33 we've been looking at doing that with openjdk for example, where some tests are non-deterministic
18:26:52 jdstrand, yeah, there's the ability to skip problematic tests. and for some of the testsuites, you can also mark them as failing or random so that they still run (and an expected-fail test that passes will cause a test failure)
18:27:17 heh, 'random'
18:27:22 chrisccoulson: cool :)
18:27:34 chrisccoulson: what releases are currently tested?
18:27:56 jdstrand, only raring for now. i'd like to get them running on all releases really though
18:28:03 i need to ask jibel about that though :)
18:28:35 chrisccoulson: well, since desktop lucid and oneiric are almost EOL, just precise and later would be enough
18:28:45 yeah, that makes sense
18:29:06 chrisccoulson: you mentioned to me that these are run within an Ubuntu environment, is that right?
18:29:48 mozilla are transitioning their test machines to ubuntu, so the upstream tests will be run on ubuntu 12.04 by mozilla as well
18:29:52 which helps us a bit
18:30:04 chrisccoulson: what I am eventually leading to asking is how much we'll be able to trust that these tests are valid for our security builds (it looks like this is against daily too)
18:30:40 chrisccoulson: re upstream> that is nice that they are aligned with our (soon to be) oldest supported LTS
18:30:48 jdstrand, i suspect there will still be additional high-level testing (eg, making sure flash works). but i hope i can automate that too
18:31:50 chrisccoulson: cool-- thanks for the deeper update. we can talk more about this another time. these automated tests will fill an important void for our team
18:32:33 chrisccoulson: I may have cut you off. do you have anything else to report?
18:32:43 jdstrand, no, i think i'm done now
18:32:52 [TOPIC] Highlighted packages
18:32:58 http://people.canonical.com/~ubuntu-security/cve/pkg/extplorer.html
18:33:01 http://people.canonical.com/~ubuntu-security/cve/pkg/rt-authen-externalauth.html
18:33:05 http://people.canonical.com/~ubuntu-security/cve/pkg/tinymce.html
18:33:09 http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:33:12 http://people.canonical.com/~ubuntu-security/cve/pkg/festival.html
18:33:32 The above are some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security on Freenode.
18:33:42 [TOPIC] Miscellaneous and Questions
18:34:40 I think we may want to consider moving our team meeting. I'll take an action to explore that and discuss next week
18:35:06 [ACTION] jdstrand to follow-up on potentially changing time of team meeting
18:35:06 * meetingology jdstrand to follow-up on potentially changing time of team meeting
18:35:17 Does anyone have any other questions or items to discuss?
18:38:12 mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson: thanks!
18:38:16 #endmeeting

Generated by MeetBot 0.1.5 (http://wiki.ubuntu.com/meetingology)