16:30 #startmeeting
16:30 Meeting started Mon Jan 23 16:30:14 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:30 Available commands: action commands idea info link nick
16:30 The meeting agenda can be found at:
16:30 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:30 [TOPIC] Announcements
16:30 Ahmed Farag provided notifications for false positive virus identification for files in the archive (pnsnap, ettercap-common, dbacl, and libmail-deliverystatus-bounceparser-perl).
16:30 Scott Kitterman (ScottK) provided a debdiff for trusty for pdns-recursor (LP: #1656931)
16:30 Launchpad bug 1656931 in pdns-recursor (Ubuntu Trusty) "Security update for pdns-recursor on trusty" [High,Fix released] https://launchpad.net/bugs/1656931
16:30 Clive Johnston (clivejo) provided a debdiff for xenial for ark (LP: #1655507)
16:30 Launchpad bug 1655507 in ark (Ubuntu Yakkety) "CVE-2017-5330 - Ark: unintended execution of scripts and executable files" [High,Fix released] https://launchpad.net/bugs/1655507
16:30 \o
16:30 Vishnu Vardhan Reddy Naini (visred) provided a debdiff for yakkety for ark (LP: #1655507)
16:30 Thank you for your assistance in keeping Ubuntu users secure! :)
16:30 [TOPIC] Weekly stand-up report
16:31 jdstrand: you're up
16:31 This week I plan to work on:
16:31 - various PR reviews (8 new ones since Friday)
16:31 - miscellaneous apparmor policy updates
16:31 - prepare snap for testing security policy
16:31 - seccomp arg filtering policy
16:31 that's it from me. mdeslaur, you're up
16:31 I'm on community this week, so I'll be sponsoring a bunch of stuff
16:32 I have a short week, I'm off on Friday
16:32 I plan on publishing a couple of USNs this afternoon, and if I have time I'll be picking something from the list
16:32 that's it from me, sbeattie, you're up
16:32 I'm on bug triage this week
16:33 I'll have openjdk-8 packages from tdaitx to test and publish
16:34 I need to push some packages to the security pocket that recent linux-raspi2 kernels depend on.
16:34 after that, I'll be going through the list looking for updates as well
16:34 that's it for me, tyhicks?
16:34 I'm on cve triage this week
16:35 I will finish and submit the second revision of seccomp/libseccomp patches to upstream
16:35 I am also working on uploading AppArmor 2.11.0 to zesty but have hit some test failures that need to be sorted out first
16:35 I have an embargoed issue
16:35 any free time will go towards a security update
16:35 that's it for me
16:35 jjohansen: go ahead
16:36 I will be looking into some outstanding bugs 1658219, and 1656121
16:36 bug 1658219 in AppArmor "flock not mediated by 'k'" [Undecided,New] https://launchpad.net/bugs/1658219
16:36 and probably a couple more
16:37 I have a nice stack of patches for the xenial/yakkety kernels that I need to clean up and send up to the kteam
16:38 I will be doing some work on revising the dconf/gsetting patches and syncing with will on them
16:39 and if I have any time I will be working on the next steps in upstreaming, likely the securityfs modification RFC
16:40 that's it for me, sarnold? you're up
16:41 I'm in the happy place this week; I expect to finish the uvp-monitor sorta-mir today, I'll file some bugs with upstream project for things I've found so far. I'm having trouble seeing the point of the thing compared to e.g. collectd or other popular tools...
16:41 so tyhicks, another suggestion for the next thing to undertake soon, but not immediately :)
16:42 also I'm losing verbs at an astounding rate. good luck.
16:42 sarnold: what's the suggestion?
16:42 tyhicks: hehe, the missing bit, "I need another suggestion" :) if it's another MIR or reactive or whatever
16:43 I would vote for libapache2-mod-auth-mellon
16:43 I think there are some new MIRs that I need to add to the list
16:44 I bet ratliff's suggestion is the right one to take next
16:44 works for me, thanks :)
16:44 that's it for me, chrisccoulson?
16:44 It's firefox update week this week
16:45 In addition to that, I need to fix some issues in the ubufox extension caused by breaking changes in firefox 53 (removal of the non-standard 'for each' syntax)
16:46 I'll also be spending time trying to get rust backported, but I need to talk to foundations first to agree how to split the work
16:46 Other than that, I'll be working on oxide stuff, particularly work around JS dialogs
16:47 that's me done
16:47 I'm in the happy place this week
16:47 I will spend time working on updates for snappy-prev
16:47 back to you tyhicks
16:48 thanks!
16:48 [TOPIC] Highlighted packages
16:48 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
16:48 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:48 http://people.canonical.com/~ubuntu-security/cve/pkg/pxz.html
16:48 http://people.canonical.com/~ubuntu-security/cve/pkg/ckeditor.html
16:48 http://people.canonical.com/~ubuntu-security/cve/pkg/radicale.html
16:48 http://people.canonical.com/~ubuntu-security/cve/pkg/elog.html
16:48 http://people.canonical.com/~ubuntu-security/cve/pkg/gksu.html
16:48 [TOPIC] Miscellaneous and Questions
16:48 Does anyone have any other questions or items to discuss?
16:49 chrisccoulson: I wanted to ask what sort of deadline are we looking at for having rustc available in the archive in old stable releases that don't already include it?
16:52 tyhicks, I'm not entirely sure yet. Mozilla said firefox will depend on it in "early 2017", but that will give us between 12-18 weeks before it reaches stable
16:52 chrisccoulson: ok, thanks
16:52 So we've still got 3 months, at least
16:52 * tyhicks nods
16:53 jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff: Thanks!
16:53 #endmeeting