16:45 <jdstrand> #startmeeting
16:45 <meetingology> Meeting started Mon Nov 25 16:45:24 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:45 <meetingology>
16:45 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
16:45 <jdstrand> The meeting agenda can be found at:
16:45 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:45 <jdstrand> [TOPIC] Announcements
16:45 <jdstrand> Thanks to Thomas Ward (teward), who provided debdiffs for precise-saucy for nginx (LP: #1253691)
16:45 <ubottu> Launchpad bug 1253691 in nginx (Ubuntu Trusty) "Specially crafted request URI permits security restriction bypass [CVE-2013-4547]" [High,Fix released] https://launchpad.net/bugs/1253691
16:45 <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:46 <jdstrand> [TOPIC] Weekly stand-up report
16:46 <jdstrand> I'll go first
16:46 <jdstrand> I have a very short week this week. I am working today and tomorrow
16:46 <jdstrand> I'm on triage
16:46 <jdstrand> I'm working on an update for keystone which should go out today
16:46 <mdeslaur> jdstrand: I'll take over triage for the rest of the week
16:46 <jdstrand> mdeslaur: thanks :)
16:47 <jdstrand> and I need to get the work items in shape for this cycle. I figure I'll work with you guys on that when I have something to review
16:47 <jdstrand> mdeslaur: you're up
16:47 <mdeslaur> I'm on community this week
16:47 <mdeslaur> I have some jpeg updates to write some test scripts for
16:48 <mdeslaur> and am working on merging ruby and uploading some packages in an attempt to get ruby1.8 demoted from main
16:48 <mdeslaur> since we now have three rubys in main, and I don't want that for a 5-year supported lts
16:48 <jdstrand> what's the story with puppet there?
16:48 <jdstrand> (and yes, great idea)
16:49 <mdeslaur> hrm, good question
16:49 <jdstrand> well, worth looking at. I don't mean to derail the meeting
16:49 <mdeslaur> looks like it's using whatever ruby is default instead of 1.8
16:49 <mdeslaur> so 1.9.1 presumably
16:50 <mdeslaur> it didn't show up on my list of reverse depends
16:50 <jdstrand> cool
16:50 <jdstrand> ah, perfect
16:50 <mdeslaur> pending that, I'll be going down the cve list, as usual
16:50 <mdeslaur> that's it from me
16:50 <mdeslaur> sbeattie: you're up
16:50 <mdeslaur> (if you're here...)
16:50 <jdstrand> that was the only thing I could think of otoh that might be weird. glad it isn't an issue at all :)
16:50 <sbeattie> I'm on apparmor again this week
16:51 <sbeattie> I'll be working on testing improvements as well as some parser fixes/improvements
16:51 <sbeattie> Which is pretty much it for me.
16:51 <jdstrand> is that for IPC?
16:51 <sbeattie> the testing stuff, yes. The parser bits, no.
16:52 <sbeattie> tyhicks: I think you're up.
16:52 <tyhicks> I have a very short week this week
16:52 <tyhicks> I'm only working today
16:52 <tyhicks> Right now, I'm looking into some apparmor_parser oddness
16:52 <tyhicks> It segfaults if I change AA_DBUS_EAVESDROP from (1 << 5) to (1 << 7)
16:52 <tyhicks> That shouldn't happen and makes me think there's a bigger bug lurking somewhere
16:52 <tyhicks> I'll spend a little more time on that
16:52 <tyhicks> Then I'm going to switch to the yama on touch work items
16:52 <tyhicks> (I haven't been able to start on them yet)
16:53 <jdstrand> tyhicks: I didn't think having a week shorter than mine was possible :)
16:53 <tyhicks> jdstrand: beat ya :)
16:53 <tyhicks> that's it for me
16:53 <mdeslaur> bunch of slackers :)
16:53 <tyhicks> jjohansen: you're up
16:53 <sbeattie> tyhicks: oh hrm, is that with the patch set you submitted?
16:53 <tyhicks> sbeattie: yep
16:53 * jjohansen is working on apparmor ipc again this week.
16:54 <jjohansen> I need to coordinate with sbeattie on some testing and see if I can't get him a new kernel
16:55 <sbeattie> +1
16:55 <jdstrand> jjohansen(, sbeattie): can you give a brief update on IPC (eg, are we still on track for ppa this month, archive, next, etc)?
16:56 <jjohansen> jdstrand: we are running behind, since this week is the last week of the month. PPA this month might not happen, if not this week though hopefully next
16:57 <jdstrand> jjohansen: ok, well, please don't feel like you have to work through the holiday
16:58 <jjohansen> who me?
16:58 <jjohansen> never
16:58 <jjohansen> :)
16:58 <jdstrand> jjohansen: was there anything on goldfish?
16:58 <jdstrand> s/thing/ update/
16:59 <jjohansen> oh, I suppose I need to send the patch to the kernel team today, and make sure, the apparmor=0 work around is reverted once the kernel rolls out
16:59 <jdstrand> ah, so you found the problem? what was it?
16:59 <jjohansen> it was that patch from last week, the #ifdef SMP
16:59 <jjohansen> one
17:00 <jdstrand> oh, interesting. I thought that was something else
17:00 <jdstrand> cool
17:00 <jdstrand> (that bug number was old iirc)
17:00 <jdstrand> anyhoo, nice! :)
17:01 <jjohansen> jdstrand: well there was a bug against the saucy kernel from some guy doing self compiled kernels
17:01 <jjohansen> that was the old bug number, same bug really
17:01 <jjohansen> sarnold: you're up
17:03 <sarnold> I'm in the happy place this week, also a short week, off thursday and friday; I have a merge of libgcrypt11 to work on, a new MIR audit, and -maybe- ask for a CVE for an already-known issue I discovered while working on a MIR audit last week
17:04 <sarnold> it'd be wonderful to make some further dents in the apparmor patches that are still unreviewed, I know there's several of them left..
17:04 <sarnold> I think that's it for me, chrisccoulson you're up :)
17:04 <chrisccoulson> yoyo
17:05 <chrisccoulson> the oxide packaging is almost done now. just waiting on https://code.launchpad.net/~osomon/oxide/initial-build-fixes/+merge/195076, which is basically the last blocker
17:05 <chrisccoulson> i should have it in a PPA after that :)
17:05 <chrisccoulson> this week, i'm focusing on getting bug 1214049 finished
17:05 <ubottu> bug 1214049 in Oxide "Support accelerated compositing" [High,In progress] https://launchpad.net/bugs/1214049
17:06 <mdeslaur> \o/
17:06 <chrisccoulson> oSoMoN has been contributing some fixes as well now
17:06 <sarnold> wow :)
17:06 <sarnold> \o/ :D
17:07 <chrisccoulson> so we got http://bazaar.launchpad.net/~oxide-developers/oxide/oxide.trunk/revision/257 and http://bazaar.launchpad.net/~oxide-developers/oxide/oxide.trunk/revision/256 last week
17:07 <chrisccoulson> i think that's me done
17:08 <jdstrand> chrisccoulson: nice! :)
17:08 <chrisccoulson> oh, i had the joy of learning how to use bzrlib last week too
17:08 <chrisccoulson> that wasn't fun ;)
17:09 <jdstrand> :)
17:09 <jdstrand> [TOPIC] Highlighted packages
17:09 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:09 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/network-manager-openvpn.html
17:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/turba2.html
17:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/smsclient.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/djbdns.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/feh.html
17:10 <jdstrand> [TOPIC] Miscellaneous and Questions
17:10 <jdstrand> Does anyone have any other questions or items to discuss?
17:10 <sarnold> djbdns? o_O I'm shocked :)
17:11 <jdstrand> the CVEs are old. possibly needs more triage
17:12 <sbeattie> well, the package version we ship hasn't changed since precise, either.
17:15 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
17:15 <sarnold> thanks jdstrand :)
17:15 <jdstrand> #endmeeting