16:33 #startmeeting
16:33 Meeting started Mon Apr 27 16:33:24 2015 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:33 Available commands: action commands idea info link nick
16:33 The meeting agenda can be found at:
16:33 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:33 [TOPIC] Announcements
16:34 Thanks to Rhonda D'Vine (rhonda) for help on security updates for the community supported wesnoth-1.10 last week. Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:34 (LP: #1445688)
16:34 Launchpad bug 1445688 in wesnoth-1.10 (Ubuntu Utopic) "private file disclosure issue (CVE-2015-0844)" [Undecided,Fix released] https://launchpad.net/bugs/1445688
16:34 [TOPIC] Weekly stand-up report
16:35 jdstrand is busy atm so we'll skip him for now
16:35 he can jump in if he frees up
16:35 mdeslaur: go ahead
16:35 I'm on community this week
16:35 I'm currently sponsoring ffmpeg
16:35 tomorrow I have patch piloting duties
16:35 I just published a few updates, and I have a couple more to test
16:36 and I completely forgot about the openssl precise update that I started, which I'll look into again
16:36 that's about it from me, sbeattie?
16:36 I'm on bug triage this week
16:36 essembe: INTRUDER!
16:36 who's this guy
16:36 oh bah
16:36 he looks shifty
16:36 I'm on bug triage this week
16:37 I'm finishing up preparing the trusty apparmor SRU, I just have a couple of snags I hit to smooth out.
16:38 And then I'll switch to focusing on the gcc-pie work
16:38 I need to look at tyhicks' patchset to support systemd, so we can land that work when W opens
16:38 that's pretty much it for me. tyhicks?
16:39 mdeslaur: back to your openssl precise update - is that to enable tlsv1.2 by default for clients?
16:41 I'm on CVE triage this week
16:41 I have a short week and will be off Thursday and Friday
16:41 I need to circle back to a number of things that were ignored during the ramp up to the Vivid release
16:42 and I want to finish the kernel patches for AppArmor kernel keyring mediation
16:42 it would be nice if I could get those patches out for review before Thursday but I'm not sure
16:42 jjohansen: you're up
16:42 tyhicks: yes, that's it
16:42 thanks
16:42 I have a short week this week, I will be off Friday
16:43 I have a couple backported CVE kernel fixes to look at and discuss with the kernel team
16:44 I also have a couple more apparmor patches to get out to the kernel team, so we can get the fixes into the next round of kernels
16:44 bug #1430546
16:44 bug 1430546 in linux (Ubuntu) "apparmor kernel BUG kills firefox" [Medium,Triaged] https://launchpad.net/bugs/1430546
16:45 being one of them (sorry I seem to have lost my browser tabs)
16:46 no problem
16:46 and then it's back to the apparmor upstream cleanup. I plan to finish up with the domain transition cleanup/fixes this week (not that I didn't plan on finishing that bit last week :/)
16:47 I think that is it from me sarnold you're up
16:47 jjohansen: I noticed that a new AA kernel bug came in (LP: #1448912)
16:47 Launchpad bug 1448912 in AppArmor "BUG: unable to handle kernel NULL pointer dereference" [Undecided,New] https://launchpad.net/bugs/1448912
16:48 tyhicks: oh I hadn't noticed that one, yet. I'll poke at that one too, this week
16:48 thanks
16:49 sarnold: go ahead :)
16:49 I'm in the happy place this week; I will be working more on openstack updates, and getting the hang of how the different openstack services work, etc.
16:50 sarnold: FYI, I think the updates in the ppa are now out of date, more CVEs came out in the meantime
16:50 I think I'll poke at the horizon service this week, and try to reproduce one of the issues on serverstack and try to find out if the issue affects precise or not, and I'd love love love to get an update out the door, but .. thursdays always come so quickly
16:51 mdeslaur: yes, I think most of those updates are now stale :(
16:51 getting an update out this week would be great since you're in the happy place
16:51 it is always a little more difficult on cve triage weeks
16:51 yes
16:51 so very much yes :)
16:51 sarnold: do you plan on updating the packages with the new fixes?
16:52 tyhicks: I can give it a shot, I haven't actually looked into the details of any of the fixed packages in the ppa, excepting the one horizon issue
16:52 .. nor the details of the subsequently discovered CVEs
16:52 sarnold: ok, we'll discuss it more in a little bit
16:53 I may also do some apparmor patch reviews for distraction along the way
16:53 that's me, chrisccoulson?
16:53 This week, I need to get chromium out
16:53 I'll also be working through code reviews (my queue is quite large now)
16:54 And I'm currently looking at a browser crash on the phone
16:54 Other than that, it's business as usual (hopefully)
16:55 thanks
16:55 [TOPIC] Highlighted packages
16:56 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
16:56 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:56 http://people.canonical.com/~ubuntu-security/cve/pkg/mednafen.html
16:56 http://people.canonical.com/~ubuntu-security/cve/pkg/prewikka.html
16:56 http://people.canonical.com/~ubuntu-security/cve/pkg/rt-authen-externalauth.html
16:56 http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html
16:56 http://people.canonical.com/~ubuntu-security/cve/pkg/mc.html
16:56 [TOPIC] Miscellaneous and Questions
16:56 Does anyone have any other questions or items to discuss?
16:58 mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
16:58 #endmeeting