16:32 <ratliff> #startmeeting
16:32 <meetingology> Meeting started Mon Jul 30 16:32:11 2018 UTC. The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:32 <meetingology>
16:32 <meetingology> Available commands: action commands idea info link nick
16:32 <ratliff> The meeting agenda can be found at:
16:32 <ratliff> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:32 <ratliff> [TOPIC] Announcements
16:32 <ratliff> Thanks to Thinh Hoang Quoc (g4mm4) for reporting a subdomain takeover issue with the discourse.ubuntu.com domain.
16:32 <ratliff> Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
16:33 <ratliff> The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
16:33 <ratliff> [TOPIC] Weekly stand-up report
16:33 <ratliff> jdstrand: you're up
16:35 <mdeslaur> zzzzz
16:35 <mdeslaur> ok, I'll go
16:35 <mdeslaur> I'm on community this week, and since one of my co-workers is slacking off on some beach somewhere, I'll be doing triage too
16:35 <jdstrand> sorry
16:35 <mdeslaur> I have some mysql updates to publish
16:35 <mdeslaur> and an embargoed issue to test and publish too
16:36 <mdeslaur> after that, I'll be going down the list as usual
16:36 <mdeslaur> that's about it
16:36 <mdeslaur> jdstrand: you're up
16:36 <jdstrand> This week I plan on working on:
16:36 <jdstrand> - miscellaneous snapd reviews (notably, anbox, but also a few others)
16:36 <jdstrand> - brand store snap declarations
16:36 <jdstrand> - various followups for Debian AppArmor MR reviews
16:36 <jdstrand> - an embargoed item
16:36 <jdstrand> - kubernetes interface as have time
16:36 <jdstrand> that's it from me. who is after me, jjohansen?
16:37 <jjohansen> I need to finish up with bug 1780227
16:37 <jjohansen> need to look into 1783922 and report regression around bind mounts on 4.18
16:37 <jjohansen> review sarnold's debconf presentation
16:37 <ubottu> bug 1780227 in linux (Ubuntu Bionic) "locking sockets broken due to missing AppArmor socket mediation patches" [Critical,Triaged] https://launchpad.net/bugs/1780227
16:38 <jjohansen> I have david's mount patches to review, and mjg's packet labeling patches to review also
16:38 <jjohansen> and I am off Wednesday and Thursday so I doubt I will get all of that done
16:38 <jjohansen> sarnold: you're up
16:38 <sarnold> I'm in the happy place this week; I'm going to debconf, so much travel, then conference, presentation, and then returning next week. I'm unlikely to have much traction on the xdg portal gtk backend mir, but I'll try to fit some in
16:39 <sarnold> that's it for me, chrisccoulson?
16:39 <chrisccoulson> I've got a chromium update to do
16:39 <chrisccoulson> I'm also working on an embargoed issue
16:40 <chrisccoulson> it's a short week for me this week, but I hope to have thunderbird 60 prepared before I finish too
16:40 <chrisccoulson> that's me done
16:40 <ratliff> I'm in the happy place this week.
16:40 <ratliff> I have internal and embargoed work to do.
16:40 <ratliff> leosilva: your turn
16:40 <leosilva> I'm in the happy place this week.
16:41 <leosilva> I'm working on the mysql-5.5 update for precise
16:41 <leosilva> Other than that I'm on free season hunting new pkgs.
16:41 <leosilva> msalvatore: I think is your turn
16:41 <msalvatore> Last week I published fixes for CVE-2018-10866 and CVE-2016-10727.
16:41 <ubottu> ** <A HREF="https://cve.mitre.org/about/faqs.html#reserved_signify_in_cve_entry">RESERVED</A> ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10866)
16:41 <ubottu> camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an e... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10727)
16:41 <msalvatore> I'm in the happy place this week.
16:42 <msalvatore> This morning I published a fix for CVE-2018-10900.
16:42 <ubottu> Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10900)
16:42 <msalvatore> This week I plan to work on firming up our policies and tooling for CVE prioritization with respect to universe packages in support of Expanded ESM.
16:42 <msalvatore> That's it for me. ebarretto, you're up.
16:42 <ebarretto> - I'm in the happy place this week
16:42 <ebarretto> - started working on package updates. The first package that I've updated went public today: libonig (trusty and xenial). Any feedback or complaints, please let us know. :)
16:42 <ebarretto> - I am continuing on package updates, next package: capnproto.
16:42 <ebarretto> - still catching up/learning the team tasks, processes and information
16:43 <ebarretto> that's it from me!
16:43 <ratliff> thanks!
16:43 <ratliff> [TOPIC] Highlighted packages
16:43 <ratliff> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
16:43 <ratliff> See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:43 <ratliff> [TOPIC] Miscellaneous and Questions
16:43 <ratliff> Does anyone have any other questions or items to discuss?
16:45 <ratliff> jdstrand, mdeslaur, jjohansen, sarnold, chrisccoulson, leosilva, msalvatore, ebarretto: Thanks!
16:45 <mdeslaur> thanks ratliff!
16:45 <ratliff> #endmeeting