16:30 <tyhicks> #startmeeting
16:30 <meetingology`> Meeting started Mon Aug 7 16:30:50 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:30 <meetingology`>
16:30 <meetingology`> Available commands: action commands idea info link nick
16:30 <meetingology> Meeting started Mon Aug 7 16:30:50 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:30 <meetingology> Available commands: action commands idea info link nick
16:30 * sbeattie waves
16:30 <chrisccoulson> o/
16:30 <leosilva> o/
16:31 <tyhicks> The meeting agenda can be found at:
16:31 <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:31 <tyhicks> [TOPIC] Announcements
16:31 <tyhicks> heh, zero meeting bots last week and two meeting bots this week
16:31 <mdeslaur> oooh! bot fight!
16:31 <tyhicks> James Lu (tacocat) provided debdiffs for xenial-zesty for gnome-exe-thumbnailer (LP: #651610)
16:31 <ubottu> Launchpad bug 651610 in gnome-exe-thumbnailer (Ubuntu) "[CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source" [Critical,Fix released] https://launchpad.net/bugs/651610
16:31 <tyhicks> Simon Quigley (tsimonq2) provided debdiffs for trusty-xenial for lxterminal (LP: #1690416)
16:31 <ubottu> Launchpad bug 1690416 in lxterminal (Ubuntu Artful) "[CVE] socket can be blocked by another user" [Undecided,Fix released] https://launchpad.net/bugs/1690416
16:31 <tyhicks> Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for pcmanfm (LP: #1708542)
16:31 <ubottu> Launchpad bug 1708542 in pcmanfm (Ubuntu Zesty) "Fix potential access violation, use runtime user dir instead of tmp dir" [Undecided,Fix released] https://launchpad.net/bugs/1708542
16:31 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for trusty for mariadb-5.5 (LP: #1705944)
16:31 <ubottu> Launchpad bug 1705944 in mariadb-5.5 (Ubuntu) "USN-3357-1: partially applies to MariaDB too" [Medium,Fix released] https://launchpad.net/bugs/1705944
16:32 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for xenial for mariadb-10.0 (LP: #1698689)
16:32 <ubottu> Launchpad bug 1698689 in mariadb-10.1 (Ubuntu Artful) "USN-3269-1: partially applies to MariaDB too" [Undecided,New] https://launchpad.net/bugs/1698689
16:32 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for zesty for mariadb-10.1 (LP: #1698689)
16:32 <tyhicks> Roger Light (ral) provided debdiffs for trusty-zesty for mosquitto (LP: #1700490)
16:32 <ubottu> Launchpad bug 1700490 in mosquitto (Ubuntu) "Persistence file is world readable" [Undecided,Fix released] https://launchpad.net/bugs/1700490
16:32 <tyhicks> Thank you for your assistance in keeping Ubuntu users secure! :)
16:32 <tyhicks> [TOPIC] Weekly stand-up report
16:32 <tyhicks> jdstrand: you're up
16:33 <jdstrand> hey
16:33 <jdstrand> Last week I focused a lot on interface reviews (broadcom-asic-control, udev tagging, kvm, spi, avahi reimplementation). I also coordinated with the Desktop team wrt snaps on 17.10 desktop. I triaged the snapd-interface bugs and picked up the wayland work a bit.
16:33 <jdstrand> This week I plan to:
16:33 <jdstrand> - finish going through the wayland interface (this has required quite a bit of investigation wrt interactions with snapd's setting of XDG_RUNTIME_DIR)
16:33 <jdstrand> - be responsive to various snappy PRs and feature discussions (eg, udev tagging, avahi, snapd user/groups, portals, etc)
16:34 <jdstrand> - perform several PRs against snapd 2.27 for recent PRs that need to be in the next release
16:34 <jdstrand> - pick up new 'desktop' interface for gnome-shell, plasma and sway as have time
16:34 <jdstrand> that's it from me
16:34 <jdstrand> mdeslaur: you're up
16:34 <mdeslaur> I'm on triage this week
16:34 <mdeslaur> and I have a couple of updates to publish
16:34 <mdeslaur> and after down, down the list, as usual
16:34 <mdeslaur> sbeattie: you're up
16:34 <sbeattie> I'm in the happy place this week
16:35 <sbeattie> I have a couple of kernel USNs to publish this morning
16:35 <sbeattie> I have an embargoed issue on my plate
16:36 <sbeattie> I'm still waiting on openjdk-7 from td aitx, but might have that to publish this week
16:36 <sbeattie> I'll look at picking up other updates as well
16:36 <tsimonq2> tyhicks: :D
16:36 <sbeattie> I also have some apparmor bits and qrt bits to poke at.
16:37 <sbeattie> that's it for me. tyhicks, over to you...
16:37 <tyhicks> I'm in the happy place this week
16:37 <tyhicks> I will finish making changes to seccomp v6 kernel patch set, test, and submit upstream
16:37 <tyhicks> need to do fscrypt pam module review and packaging
16:37 <tyhicks> still need to familiarize myself with the latest LSM stacking patch set
16:37 <tyhicks> I also still need to review jdstrand's snapd users/groups writeup
16:38 <tyhicks> jjohansen: you're up
16:38 <jjohansen> I am still working on upstreaming apparmor, specifically the type splitting needed to fix the stored path issue in our unix domain sockets.
16:38 <jjohansen> I will be doing some more testing of the LSM stacking kernel, and getting my feedback to Casey
16:38 <jjohansen> I have some Rally prep to take care of this week.
16:39 <jjohansen> and if there is time some misc apparmor test suite issues to poke at
16:39 <jdstrand> tyhicks: fyi, niemeyer ack'd that the users/groups write-up is accurate which I think is a precursor to his full review/comment
16:40 <jjohansen> that's it for me, sarnold you're up
16:40 <sarnold> I'm on community this week; also setting up rally travel, and working down the MIRs. Maybe review a patch or two from jjohansen if he thinks it'd be helpful.
16:40 <sarnold> that's it for me, chrisccoulson?
16:40 <chrisccoulson> I've got firefox and chromium updates this week
16:41 <jjohansen> sarnold: oh yes
16:41 <chrisccoulson> I'm also in the process of updating rust to 1.19, but I've got an issue with 1.18 first. I imagine this will take up most of my week
16:41 <chrisccoulson> That's me done
16:41 <ratliff> I'm in the happy place this week
16:42 <ratliff> I will be focusing on KPIs for the foreseeable future
16:42 <ratliff> leosilva: you are up
16:43 <leosilva> I worked on a couple of updates/finished the publishing this morning
16:43 <leosilva> this week I'm bug triage and also finish triage hope to get some updates too
16:43 <leosilva> that's it for me
16:43 <leosilva> tyhicks: it's back to you
16:44 <leosilva> duh, I mean, soon finish triage*
16:44 * tyhicks is catching up
16:45 <tyhicks> [TOPIC] Highlighted packages
16:45 <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
16:45 <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/unrar-nonfree.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/yaml-cpp.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/qpid-proton.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/freeciv.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/inspircd.html
16:45 <tyhicks> [TOPIC] Miscellaneous and Questions
16:45 <tyhicks> Does anyone have any other questions or items to discuss?
16:47 <sarnold> probably it's worth adding http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html to that list, four or so community folks filed bugs but I don't recall seeing any debdiffs http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html
16:47 <tyhicks> good thought
16:48 <tyhicks> I think varnish updates would be more useful than any of the ones I listed
16:50 <tsimonq2> I can provide debdiffs within the next hour if someone can help me test them.
16:50 <tsimonq2> Because it's a Universe package right?
16:50 <tsimonq2> (yes, answered my own question)
16:51 <tyhicks> tsimonq2: you could post debdiffs, sarnold could sponsor them to the ubuntu-security-proposed PPA, and then we could ask for testing in the bug
16:51 <tsimonq2> tyhicks: Works for me.
16:51 <tyhicks> tsimonq2: thanks!
16:51 <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff, leosilva: thank you!
16:51 <tyhicks> #endmeeting