16:32 <ratliff> #startmeeting
16:32 <meetingology> Meeting started Mon Jul 30 16:32:11 2018 UTC.  The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:32 <meetingology> 
16:32 <meetingology> Available commands: action commands idea info link nick
16:32 <ratliff> The meeting agenda can be found at:
16:32 <ratliff> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:32 <ratliff> [TOPIC] Announcements
16:32 <ratliff> Thanks to Thinh Hoang Quoc (g4mm4) for reporting a subdomain takeover issue with the discourse.ubuntu.com domain.
16:32 <ratliff> Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
16:33 <ratliff> The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
16:33 <ratliff> [TOPIC] Weekly stand-up report
16:33 <ratliff> jdstrand: you're up
16:35 <mdeslaur> zzzzz
16:35 <mdeslaur> ok, I'll go
16:35 <mdeslaur> I'm on community this week, and since one of my co-workers is slacking off on some beach somewhere, I'll be doing triage too
16:35 <jdstrand> sorry
16:35 <mdeslaur> I have some mysql updates to publish
16:35 <mdeslaur> and an embargoed issue to test and publish too
16:36 <mdeslaur> after that, I'll be going down the list as usual
16:36 <mdeslaur> that's about it
16:36 <mdeslaur> jdstrand: you're up
16:36 <jdstrand> This week I plan on working on:
16:36 <jdstrand> - miscellaneous snapd reviews (notably, anbox, but also a few others)
16:36 <jdstrand> - brand store snap declarations
16:36 <jdstrand> - various followups for Debian AppArmor MR reviews
16:36 <jdstrand> - an embargoed item
16:36 <jdstrand> - kubernetes interface as I have time
16:36 <jdstrand> that's it from me. who is after me, jjohansen?
16:37 <jjohansen> I need to finish up with bug 1780227
16:37 <jjohansen> need to look into 1783922 and report regression around bind mounts on 4.18
16:37 <jjohansen> review sarnold's debconf presentation
16:37 <ubottu> bug 1780227 in linux (Ubuntu Bionic) "locking sockets broken due to missing AppArmor socket mediation patches" [Critical,Triaged] https://launchpad.net/bugs/1780227
16:38 <jjohansen> I have david's mount patches to review, and mjg's packet labeling patches to review also
16:38 <jjohansen> and I am off Wednesday and Thursday so I doubt I will get all of that done
16:38 <jjohansen> sarnold: you're up
16:38 <sarnold> I'm in the happy place this week; I'm going to debconf, so much travel, then conference, presentation, and then returning next week. I'm unlikely to have much traction on the xdg portal gtk backend mir, but I'll try to fit some in
16:39 <sarnold> that's it for me, chrisccoulson?
16:39 <chrisccoulson> I've got a chromium update to do
16:39 <chrisccoulson> I'm also working on an embargoed issue
16:40 <chrisccoulson> it's a short week for me this week, but I hope to have thunderbird 60 prepared before I finish too
16:40 <chrisccoulson> that's me done
16:40 <ratliff> I'm in the happy place this week.
16:40 <ratliff> I have internal and embargoed work to do.
16:40 <ratliff> leosilva: your turn
16:40 <leosilva> I'm in the happy place this week.
16:41 <leosilva> I'm working on the mysql-5.5 update for precise
16:41 <leosilva> Other than that I'm on free season hunting new pkgs.
16:41 <leosilva> msalvatore: I think it's your turn
16:41 <msalvatore> Last week I published fixes for CVE-2018-10866 and CVE-2016-10727.
16:41 <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10866)
16:41 <ubottu> camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an e... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10727)
16:41 <msalvatore> I'm in the happy place this week.
16:42 <msalvatore> This morning I published a fix for CVE-2018-10900.
16:42 <ubottu> Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10900)
16:42 <msalvatore> This week I plan to work on firming up our policies and tooling for CVE prioritization with respect to universe packages in support of Expanded ESM.
16:42 <msalvatore> That's it for me. ebarretto, you're up.
16:42 <ebarretto> - I'm in the happy place this week
16:42 <ebarretto> - started working on package updates. The first package that I've updated went public today: libonig (trusty and xenial). Any feedback or complaints, please let us know. :)
16:42 <ebarretto> - I am continuing on package updates, next package: capnproto.
16:42 <ebarretto> - still catching up/learning the team tasks, processes and information
16:43 <ebarretto> that's it from me!
16:43 <ratliff> thanks!
16:43 <ratliff> [TOPIC] Highlighted packages
16:43 <ratliff> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
16:43 <ratliff> See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:43 <ratliff> [TOPIC] Miscellaneous and Questions
16:43 <ratliff> Does anyone have any other questions or items to discuss?
16:45 <ratliff> jdstrand, mdeslaur, jjohansen, sarnold, chrisccoulson, leosilva, msalvatore, ebarretto: Thanks!
16:45 <mdeslaur> thanks ratliff!
16:45 <ratliff> #endmeeting