16:34 <jdstrand> #startmeeting
16:34 <meetingology> Meeting started Mon Nov 4 16:34:17 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:34 <meetingology>
16:34 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
16:34 <jdstrand> The meeting agenda can be found at:
16:34 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:34 <jdstrand> [TOPIC] Announcements
16:34 <jdstrand> Thanks to the following individuals:
16:34 <jdstrand> Christian Biamont (christianbiamont) provided a debdiff for precise for xml-security-c (LP: #1192874)
16:34 <ubottu> Launchpad bug 1192874 in xml-security-c (Ubuntu Saucy) "heap overflow while processing InclusiveNamespace PrefixList" [Undecided,Fix released] https://launchpad.net/bugs/1192874
16:34 <jdstrand> Felix Geyer (debfx) provided debdiffs for precise-raring for libapache2-mod-fcgid (LP: #1238242)
16:34 <ubottu> Launchpad bug 1238242 in libapache2-mod-fcgid (Ubuntu Lucid) "CVE-2013-4365: possible heap buffer overwrite" [Undecided,New] https://launchpad.net/bugs/1238242
16:34 <jdstrand> Felix Geyer (debfx) provided debdiffs for precise-raring for ejabberd (LP: #1239307)
16:34 <ubottu> Launchpad bug 1239307 in ejabberd (Ubuntu Lucid) "Allows SSLv2 and weak ciphers" [Undecided,New] https://launchpad.net/bugs/1239307
16:34 <jdstrand> christianbiamont, debfx: Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:35 <jdstrand> [TOPIC] Weekly stand-up report
16:35 <chrisccoulson> hi!
16:35 <jdstrand> I'll go first
16:35 <jdstrand> I'm on triage this week
16:36 <jdstrand> I've got quite a few things to catch up on from being at the sprint last week
16:36 <jdstrand> also I need to process/communicate outcomes from sprint next week
16:36 <jdstrand> in general, there shouldn't be any surprises for our team
16:37 <jdstrand> nothing major was added to our plans for 14.04 and 14.10
16:38 <jdstrand> I will be doing a click-apparmor upload to sponsor a fix for cjwatson. I'm getting some CI testing going around click-apparmor which is why I haven't updated it yet
16:38 <jdstrand> I hope to have that today or tomorrow at the latest
16:38 <jdstrand> I know tyhicks wants me to sponsor an apparmor upload
16:38 <jdstrand> I think that's it for me
16:38 <jdstrand> mdeslaur: you're up
16:38 <mdeslaur> hi! I'm on community this week
16:39 <mdeslaur> I'm currently pushing out libav updates
16:39 <mdeslaur> FYI, the libav and ffmpeg codebases have diverged to the point of it being unreasonable to track both using the same set of CVEs
16:39 <mdeslaur> as such, I've updated the CVEs in the tracker
16:39 <jdstrand> oh, interesting
16:39 <jdstrand> mdeslaur: updated as in, updated the boilerplate?
16:40 <mdeslaur> jdstrand: as in added README.libav, killing the boilerplate, and marking existing CVEs as ignored or not-affected for libav
16:40 <jdstrand> cool
16:40 <mdeslaur> we shouldn't track ffmpeg CVEs as affecting libav
16:41 <jdstrand> I noticed libav is now in universe in trusty
16:41 <sarnold> does kurt agree?
16:41 <mdeslaur> tomorrow I'm off, and further down this week, I plan on finishing my merges and picking up some more updates
16:41 <mdeslaur> sarnold: no idea
16:42 <mdeslaur> sarnold: but the CVE descriptions never had "libav" in them
16:42 <mdeslaur> and I can't track vulnerabilities/commits across them
16:42 <mdeslaur> and libav is committing a whole slew of independent security fixes now without asking for CVEs
16:44 <mdeslaur> anyway, that's it from me
16:44 <mdeslaur> sbeattie: you're up
16:45 <mdeslaur> hrm, sbeattie seems to be MIA
16:45 <tyhicks> I'll go
16:45 <tyhicks> I'll wrap up a pending apparmor upload today and hand it off to jdstrand (thanks!)
16:45 <tyhicks> Then I need to look into an ecryptfs/apparmor kernel bug that I hit last week
16:46 <tyhicks> I also have some merges that I need to do
16:46 <tyhicks> oh, and I need to look at enabling yama on the mobile kernels
16:47 <tyhicks> that's it for me
16:47 <tyhicks> jjohansen: you're up
16:48 <tyhicks> sarnold: let's go to you
16:48 <sarnold> hehe
16:49 <sarnold> it appears I'm in my happy place again this week \o/
16:49 <sarnold> I've been getting the hang of both canonistack and smoser's virtual maas deployment scripts with an eye towards being able to do some maas update testing
16:50 <sarnold> I've prepared new versions of the maas updates for release hopefully this week -- it depends if the -proposed updates have moved into the -updates queue yet or not.
16:50 <mdeslaur> sarnold: \o/
16:50 <sarnold> (bigjools had finished the last verification-needed test last week, so I hope the automated framework moved them through by now)
16:51 <sarnold> mdeslaur: yeah, it'll be nice to finally cross these two off the list :)
16:51 <jdstrand> which two?
16:52 <sarnold> unfortunately smoser's older script isn't his preferred testing method, and I had trouble getting the newer script to work, but I think his older script will work well enough for a starting point for documenting how the whole thing works..
16:52 <sarnold> jdstrand: CVE-2013-1057 and CVE-2013-1058
16:52 <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1057)
16:52 <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1058)
16:52 <jdstrand> ah, two CVEs, yes (I thought you were talking about source packages)
16:53 <sarnold> ah :)
16:53 <sarnold> once this is done I may do another MIR or pick up an update, depending upon mdeslaur's preference :)
16:54 * mdeslaur consults magic 8 ball
16:54 <sarnold> chrisccoulson: your turn :)
16:54 <chrisccoulson> chromium is up to date now (had mozilla updates last week as well)
16:54 <sarnold> \o/
16:55 <jdstrand> \o/
16:55 <mdeslaur> chrisccoulson: woot!
16:55 <chrisccoulson> this week i shall be helping get people up and running with oxide
16:56 <mdeslaur> \o/
16:56 <chrisccoulson> i'm currently trying to improve the workflow for maintaining the chromium patches in oxide. there were various issues at the end of last week
16:56 <jdstrand> interesting
16:57 <chrisccoulson> other than that, i'll be back on to the usual again :)
16:57 <jdstrand> chrisccoulson: so, oxide made a big splash last week-- you should be getting the help now
16:57 <chrisccoulson> jdstrand, excellent, thanks
16:57 <chrisccoulson> jdstrand, you did a presentation didn't you?
16:57 <jdstrand> I did
16:58 <chrisccoulson> jdstrand, how did that go?
16:59 <jdstrand> chrisccoulson: well-- most everyone realized it was the plan of record
17:00 <jdstrand> chrisccoulson: phonedations had a number of questions cause we hadn't brought them into the loop before that (though they were in the meeting in april and saw the emails on it stating it was the plan)
17:00 <jdstrand> chrisccoulson: they've done quite a bit of work on qtwebkit to make sure it works well on armhf
17:01 <chrisccoulson> ah, ok. although i can't imagine it working that well, with no jit ;)
17:01 <jdstrand> chrisccoulson: and I imagine they will also start helping out soon (eg rsalveti). but like I said elsewhere-- getting you the armhf hardware and you can do some benchmarks to give to them
17:02 <jdstrand> yeah, I don't have the details. you and rsalveti should definitely talk at some point though
17:02 <chrisccoulson> yeah, that's cool
17:02 <jdstrand> I want to update/form a new bp for oxide for this cycle
17:02 <jdstrand> we can talk more about that this week
17:03 <jdstrand> oh, yes, that is another thing I have to do-- work with mdeslaur and all of you on bps for vUDS
17:03 <jdstrand> I don't know that we'll have an oxide session-- I think the work is known. we'll discuss later
17:04 <jdstrand> chrisccoulson: did you have any other questions or anything else to report?
17:04 <chrisccoulson> jdstrand, no, i think that's me done
17:04 <jdstrand> [TOPIC] Highlighted packages
17:04 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:04 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/openjpa.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/flightgear.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sanlock.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rawstudio.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/lighttpd.html
17:05 <jdstrand> [TOPIC] Miscellaneous and Questions
17:05 <jdstrand> Does anyone have any other questions or items to discuss?
17:06 <jdstrand> mdeslaur, tyhicks, sarnold, chrisccoulson: thanks!
17:06 <jdstrand> #endmeeting