16:31 <ratliff> #startmeeting
16:31 <meetingology> Meeting started Mon Jul 23 16:31:43 2018 UTC. The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:31 <meetingology>
16:31 <meetingology> Available commands: action commands idea info link nick
16:31 <ratliff> The meeting agenda can be found at:
16:32 <ratliff> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:32 <ratliff> [TOPIC] Announcements
16:32 <ratliff> Thanks to Simon Quigley (tsimonq2) for providing a debdiff for qutebrowser in bionic (LP: #1781295) and debdiffs for kwallet-pam in xenial-bionic (LP: #1768649)!
16:32 <ubottu> Launchpad bug 1781295 in qutebrowser (Ubuntu Bionic) "CVE-2018-10895: Possible remote code execution via CSRF in qute://settings " [Medium,Fix released] https://launchpad.net/bugs/1781295
16:32 <ubottu> Launchpad bug 1768649 in pam-kwallet (Ubuntu Trusty) "[CVE] Access to privileged files" [High,New] https://launchpad.net/bugs/1768649
16:32 <ratliff> Thanks to Dan Streetman (ddstreet) for providing debdiffs for libxstream-java for trusty and xenial (LP: #1780844)!
16:32 <ubottu> Launchpad bug 1780844 in libxstream-java (Ubuntu Xenial) "CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'" [Medium,Fix released] https://launchpad.net/bugs/1780844
16:32 <ratliff> Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
16:32 <ratliff> The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
16:33 <ratliff> We welcome Mike Salvatore and Eduardo Barretto to the Ubuntu Security Team today! Welcome Mike and Eduardo! We are thrilled that you are joining us to help continue improving security for Ubuntu users!
16:33 <ratliff> [TOPIC] Weekly stand-up report
16:33 <ratliff> mdeslaur: you're up
16:34 <mdeslaur> I'm on triage this week
16:34 <mdeslaur> and I'm working on clamav updates
16:34 <mdeslaur> and hopefully we'll get new mysql releases that I can work on
16:34 <mdeslaur> that's about it from me, sbeattie, you're up
16:35 <sbeattie> I'm in the happy place this week
16:35 <sbeattie> I'm working on an internal issue
16:35 <sbeattie> I'm also working on intel-microcode updates
16:35 <sbeattie> I have some other random tasks to pick up, before I go on vacation next week.
16:35 <sbeattie> that's it for me.
16:35 <sbeattie> jjohansen: you're up
16:36 <jjohansen> I have a few LSS-NA duties to take care of this week
16:36 <jjohansen> err, make that -EU
16:37 <jjohansen> I need to finish looking into mjg's network labeling patch
16:37 <jjohansen> and I need to get back to working on prompt mode
16:37 <tsimonq2> pr
16:37 <tsimonq2> whoops
16:37 <ratliff> lol, good to see you tsimonq2! thanks for the updates! :)
16:38 <jjohansen> :)
16:38 <jjohansen> that's it for me
16:38 <jjohansen> sarnold: you are up
16:39 <tsimonq2> hehe ratliff :)
16:39 <tsimonq2> Thanks
16:41 <sarnold> I'm in the happy place this week
16:41 <sarnold> I'm preparing an apparmor presentation and sadly neglecting the desktop portals MIR
16:42 <sarnold> that's it for me, chrisccoulson?
16:42 <chrisccoulson> I need to spend a bit more time this week preparing thunderbird 60 updates
16:42 <chrisccoulson> I've also got an embargoed issue
16:44 <chrisccoulson> I'll be spending time on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726, hopefully uninterrupted
16:44 <ubottu> Debian bug 872726 in src:linux "linux: apparmor doesn't use proper audit event ids" [Normal,Open]
16:44 <chrisccoulson> and then we'll see what else :)
16:44 <chrisccoulson> that's me done
16:44 <chrisccoulson> (no rust!)
16:44 <ratliff> yay!
16:44 <ratliff> I'm in the happy place this week
16:45 <ratliff> I'm just back from a sprint, so I have some catch-up work to do and also some sprint outcome work
16:45 <ratliff> I have a bunch of internal work to do (see announcements)
16:45 <ratliff> msalvatore: you are up next
16:46 <msalvatore> Hi, everyone. I just joined the team last Monday, so most of my time has been spent on general on-boarding tasks and getting up to speed.
16:47 <msalvatore> I'm also working on resolving CVE-2018-10886, which is the ZipSlip vulnerability in ant.
16:47 <ubottu> ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886)
16:47 <msalvatore> I'm hoping to close that out today or tomorrow and move onto the next task.
16:47 <msalvatore> That's it for me. You're up ebarretto.
16:50 <ratliff> we will catch up with ebarretto later
16:51 <ratliff> [TOPIC] Highlighted packages
16:51 <ratliff> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
16:51 <ratliff> See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:51 <ratliff> [TOPIC] Miscellaneous and Questions
16:51 <ratliff> Does anyone have any other questions or items to discuss?
16:51 <leosilva> hehe I had.
16:52 * sbeattie welcomes msalvatore and ebarretto
16:52 <tsimonq2> When did highlighted packages turn into Debian merges only? ;)
16:52 <leosilva> I'm in community, finished mutt updates and will move to python-cryptography and so hunting.
16:52 * tsimonq2 waves to msalvatore and ebarretto as well
16:52 <leosilva> that's it for me.
16:52 <ratliff> I'm so sorry leosilva
16:52 <leosilva> np
16:52 <ratliff> leosilva: thank you
16:53 <sarnold> tsimonq2: that was a few months ago I think, it seemed more likely to get traction than starting-from-scratch ..
16:53 <tsimonq2> sarnold: Ah.
16:53 <sbeattie> tsimonq2: we switched to that believing that it would be easier to get into than "here's five random universe packages that have open cves"
16:53 <sarnold> tsimonq2: .. the old list also didn't take into account that oftentimes there's no upstream patches, so actually fixing those issues might have been harder; with the debian merge possibilities, there's at least some known patches :)
16:54 <sbeattie> that said, if you like rolling the dice to see what to work on, it's a simple script that generates it.
16:54 <tsimonq2> Makes sense. :)
16:54 <sbeattie> (it does make for an okay "I should re-triage 5 old cves today" helper)
16:54 <tsimonq2> hehe
16:55 <tsimonq2> Oh, one thing, while I am here.
16:55 <tsimonq2> QtWebEngine has embedded Chromium, and it would be good to deliver the patch release via bionic-security.
16:55 <tsimonq2> We can discuss more in -hardened but expect that Soon.
16:56 <ratliff> tsimonq2: cool, let's discuss more in ubuntu-hardened
16:56 <tsimonq2> Cool. Nothing else from me :)
16:56 <ratliff> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson, leosilva, amurray, msalvatore, ebarretto: Thanks! Thanks also to tsimonq2!
16:56 <ratliff> #endmeeting