Security Team Weekly Summary, 2009-12-14

Robbie Williamson robbie at ubuntu.com
Fri Dec 18 13:46:30 GMT 2009


= Jamie Strandboge =
Role: community

== Issue Tracking ==
 * bug triage
 * CVE triage

== Updates ==
 * ntp (previously embargoed) update (test, publish): USN-867-1
 * grub2 update (analyze, patch, build, test, publish): USN-868-1
 * pygresql update (test, publish): USN-870-1
 * kdelibs update (merge patch from Riddell, test, publish): USN-871-1
 * kde4libs update (merge patch from Riddell, test, publish): USN-871-2
   - investigate "from 'i'" discrepancy in compare-bin (the 'file'
     program misdetected a portion of ktexteditor_isearch.so such that it
     found a PT_NOTE of type NT_PRPSINFO, then what it prints is supposed
     to be "from '',").
 * kdebase-runtime: (merge patch from Riddell, analyze, build, test,
   publish): USN-872-1
 * asterisk sponsored upload for Daviey
 * squirrelmail sponsored update
 * UST:
   - add lintian to checks in debcompare and other small updates
   - update umt to be able to specify version to build-orig
 * follow up on qemu-kvm USN with redhat
 * QRT:
   - update test-ntp.py
   - wrote test-postgresql.py (this integrates the ~1000 tests from
     postgresql-common as well as several other tests (eg pygresql))
 * fake-syncs:
   - camlimages (jaunty)
   - gforge (jaunty)
   - mysql-ocaml (hardy - jaunty)
   - php-mail (dapper - karmic)
   - postgresql-ocaml (intrepid - jaunty)

== Technology Development ==
 * fix LP: #493582 ([lucid] libvirt-bin fails to install (sed: can't
   read /etc/apparmor.d/usr.bin.virt-aa-helper))

== Community ==
 * participate in weekly security team meeting
 * prepare for/participate in ReleaseStatus meeting
 * send email to ubuntu-release for security team blueprints
 * work on security-lucid-sponsorship-review
   - created ubuntu-security-sponsors
   - SecurityTeam wiki updates
   - create SponsorshipProcess
   - formalize process for handling low-confidence updates
   - create SecurityTeam/SponsorsQueue
   - integrate into SponsorshipProcess

== Audit ==
 * Read up on latest wireless network attacks (wpa cracker)

== Archive ==
 * get Debian autosync working again (i.e., workaround LP: #293106 (does
   not support debian v3 source formats))




= Kees Cook =
Weekly Role: triage

== Issue Tracking ==
 * 100 total CVEs triaged
 * tracked down and fixed bug in per-package CVE status HTML exporter
 * security bug triage

== Updates ==
 * test and publish kernel update (USN-869-1).

== Technology Development ==
 * Pushed fixes for mtime checks on AppArmor profile loading (LP: #468429)
 * fixed regression in workitems parser (r26).
 * created debconf question for wine's use of mmap_min_addr (LP: #475540)
 * cleaned up old wine sysctl files.
 * sort per-assignee workitems by blueprint priority

== Technology Integration ==
 * requestsync for john.
 * requestsync for dmidecode.
 * merged smarty.
 * merged gawk.
 * merged came.
 * merged curl.
 * merged policycoreutils.

== Auditing ==
 * generated several ARM full-archive source search reports for doko.
 * reviewing interactions between PTRACE and capabilities.
 * advising on best-practices for handling authentication failures.
 * scanned partner archive for executable stacks.

== Community ==
 * security team meeting
 * reviewing wiki changes for Sponsorship process updates.
 * wrote up TB notes from last meeting.



= Marc Deslauriers =
Weekly role: happy place

Short week as I was on holiday Thursday and Friday

== Updates ==
 * Worked on, tested and released USN-865-1: Bind vulnerability
 * Worked on, tested and released USN-866-1: gnome-screensaver
   vulnerability
 * Worked on, tested and released flashplugin-nonfree updates
 * Looked at gimp issues

== Technology development ==
 * ubuntu-cve-tracker:
   - scripts/cve_packages: don't abort on an empty PublicDate
 * Researched and fixed aide bug (LP #456679) and (LP #456710)
 * Investigated and released update for screen-locking bug caused by
   hamster-applet (LP #448438)
 * Investigated, opened bug, and wrote patch for modemmanager issue
   (LP #496206)

== Auditing ==
 * sponsored openssl merge from nxvl, and fixed FTBFS

== Canonical ==
 * Security team weekly meeting




-- 
Robbie Williamson                                     robbie at ubuntu.com
Ubuntu                                         robbiew[irc.freenode.net]

"You can't be lucky all the time, but you can be smart everyday" 
 -Mos Def

"Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you." -Me ;)