16:33 #startmeeting
16:33 Meeting started Mon Jun 1 16:33:48 2015 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:33 Available commands: action commands idea info link nick
16:34 o/
16:34 The meeting agenda can be found at:
16:34 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:34 hi
16:34 [TOPIC] Announcements
16:34 We had a number of contributions over the last two weeks
16:34 Stefan Bader (smb) provided debdiffs for trusty-vivid for xen
16:34 Otto Kekäläinen (otto) provided debdiffs for trusty-utopic for mariadb-5.5 (LP: #1451677)
16:34 Launchpad bug 1451677 in mariadb-5.5 (Ubuntu) "USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB" [Undecided,Fix released] https://launchpad.net/bugs/1451677
16:34 Gianfranco Costamagna (LocutusOfBorg) provided debdiffs for precise-utopic for virtualbox (LP: #1456553)
16:34 Launchpad bug 1456553 in virtualbox (Ubuntu) "CVE-2015-3456" [Undecided,Fix released] https://launchpad.net/bugs/1456553
16:34 Andreas Cadhalpun (andreas-cadhalpun) provided a debdiff for vivid for ffmpeg (LP: #1458171)
16:34 Launchpad bug 1458171 in ffmpeg (Ubuntu) "FFmpeg security fixes May 2015" [Undecided,Fix released] https://launchpad.net/bugs/1458171
16:34 Felipe Reyes (freyes) provided debdiffs for precise-vivid for openldap (LP: #1446809)
16:34 Launchpad bug 1446809 in openldap (Ubuntu Precise) "[SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)" [High,Fix released] https://launchpad.net/bugs/1446809
16:34 Thanks to you all for your assistance in keeping Ubuntu secure! :)
16:35 [TOPIC] Weekly stand-up report
16:35 jdstrand: you're up
16:36 hopefully today I will finish the big review tools update that will make the store and packages work as well for snappy apps and frameworks as for clicks
16:36 that got delayed a bit last week due to store api changes and LP being down (I wanted to pull down everything from the store and compare existing tools with trunk)
16:36 that's all resolved, just need to go through the output now
16:38 I've been working quite a bit on processes surrounding security support for system-image variants of Ubuntu (eg, touch and core)
16:38 that will continue
16:38 there is work planning with tyhicks
16:39 and I hope to at least start if not finish (for wily) handling seccomp policy upgrades on snappy
16:39 which will then need an SRU, at which point I will also do an SRU for ubuntu-core-security. that SRU work is likely next week
16:39 I have two embargoed items
16:41 that's it from me
16:41 I guess I'm up
16:41 I'm about to publish an ipsec-tools update for precise
16:41 and I have some openssl updates that will be going out today that disable export ciphers
16:42 after that, I'll be working on testing an apache2 update for precise that backports ecc support and better dh handling
16:42 I also have some qt updates to test
16:42 I am also looking into a glibc tzdata regression that is causing mercurial to FTBFS on 32 bit platforms
16:42 that's it from me, sbeattie, you're up
16:42 I'm on community this week
16:43 I'm working through the backlog of outstanding apparmor patch reviews.
16:43 I'm also working on testing for the apparmor trusty SRU
16:44 I still have the gcc pie work on my plate.
16:44 mmm....pie
16:44 (that joke never gets old)
16:44 and I have an nbd update simmering on the back burner.
16:45 * sbeattie takes a note to use cooking analogies for all his future status reports)
16:45 that's it for me. tyhicks?
16:45 sbeattie: is it still possible to land the PIE change for wily?
16:46 I think so, yes.
16:46 ok
16:46 I'm handling bug triage this week
16:46 oh, I have something else I forgot to mention
16:46 go for it
16:47 I plan on uploading bash to wily today with the setuid privilege dropping re-enabled, and I plan on looking at taviso's patch for dash to do the same
16:47 oh cool
16:47 \o/
16:48 yay :)
16:48 I plan on helping out with security updates this week
16:48 I will return to working on adding kernel keyring mediation support to AppArmor parser
16:49 hopefully wrap up work planning tasks
16:49 and I have a few embargoed items
16:50 that's it for me
16:50 jjohansen: you're up
16:50 I need to finish up dealing with 2.10 patch review and replies, so we can get 2.10 out the door.
16:51 Finish up with the kernel security sign-offs
16:51 Figure out what we are doing for LSS (if anything)
16:51 Sync up on dconf mediation
16:52 Continue with the kernel patch cleanup
16:52 and I have an embargoed item or two
16:53 jjohansen: can you send your fix for bug #1430546 to the kteam this week? (I'm assuming it is just a git send-email away)
16:53 bug 1430546 in linux (Ubuntu) "apparmor kernel BUG kills firefox" [Medium,Triaged] https://launchpad.net/bugs/1430546
16:54 tyhicks: yes
16:54 thanks
16:54 sarnold: you're up
16:54 I'm on cve triage this week; I'm also going to continue going through open openstack issues and figuring out which ones are still needing attention; I'll also try to handle a few apparmor patch reviews.
16:54 I think that's it for me
16:54 chrisccoulson?
16:55 I'm hoping for chromium updates this week
16:55 Also, I need to spend some time on Firefox - a recent change upstream has broken the way we handle localized search plugins in our packaging
16:57 I got an email last week (I think it got sent to everyone with an account on addons.mozilla.org) with details of addon signing in Firefox
16:57 It had a link to https://wiki.mozilla.org/Addons/Extension_Signing
16:57 I was about to ask if you have heard anything about that :)
16:57 (the tl;dr version - we need to get our addons reviewed and signed)
16:57 In Firefox 40, unsigned addons will be disabled (but there'll be a pref to override)
16:58 in Firefox 41, there'll be no override
16:59 I tried getting ubufox reviewed, but the automatic part of the process complains that we override the startpage (something which is prohibited in addons, but is the whole point of our customizations)
16:59 So I'm not confident we'll get that through a manual review
16:59 and then, webapps.....
16:59 Anyway
17:00 Other than that, I'll be working on stuff from https://launchpad.net/oxide/+milestone/branch-1.9
17:00 I think that's me done
17:01 chrisccoulson: dbarth's team will handle the webapps reviews?
17:02 chrisccoulson: who should handle the "Ubuntu Online Accounts" review?
17:02 tyhicks, I'm not sure. The experience with that addon is so bad currently, I wonder whether it's worth the effort (but I guess that's up to dbarth's team)
17:02 tyhicks, that would be dbarth too
17:02 ok
17:03 chrisccoulson: let's make sure they're aware of the newly released details in tomorrow's oxide meeting
17:03 [TOPIC] Highlighted packages
17:03 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
17:03 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:03 http://people.canonical.com/~ubuntu-security/cve/pkg/gajim.html
17:03 http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html
17:03 http://people.canonical.com/~ubuntu-security/cve/pkg/pyfribidi.html
17:03 http://people.canonical.com/~ubuntu-security/cve/pkg/gcc-4.4-armel-cross.html
17:03 http://people.canonical.com/~ubuntu-security/cve/pkg/shaarli.html
17:03 [TOPIC] Miscellaneous and Questions
17:04 Does anyone have any other questions or items to discuss?
17:06 jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
17:06 #endmeeting