Security Team Weekly Summary 2009-11-2 & 2009-11-9

Robbie Williamson robbie at ubuntu.com
Wed Nov 11 14:42:22 GMT 2009


= Jamie Strandboge =

Oct26 - Nov1
Role: triager

== Issue Tracking ==
* bug triage
* CVE triage
* Perform: https://wiki.ubuntu.com/SecurityTeam/ReleaseCycle#Release%20Checklist

== Updates ==
* analyze CVE-2009-3616 for qemu/qemu-kvm/kvm (only affected on
   qemu/jaunty (universe))
* firefox update (testing/publish): USN-853-1
* sponsor/discuss qemu-kvm to security-proposed with kirkland

== Technology Development ==
* iso testing
  * discover/investigate/file/discuss LP: #462258 (raid1 won't boot in
    degraded mode)
  * UQT/vm-tools: update vm-iso to wait until the VM comes up to avoid
    IO storm when fully allocating
* investigate/comment on LP: #426582 where my laptop would hard lock on
   login (EXA vs XAA on radeon 7500)
* AppArmor
  * triage all apparmor and apparmor-tagged bugs. Go through all bugs
    with 'apparmor' in the description and tag them (if appropriate)
  * update DebuggingApparmor for tags
  * SRUs (3 abstractions bugs in apparmor, 1 firefox profiling bug)
  * apparmor profile discussion with fta regarding ff dailies
  * test jj's SRU kernel
* libvirt
  * investigate/fix LP: #460271 (virt-aa-helper fails when serial or
    console type is 'tcp')
  * discover/investigate/fix LP: #461528 (apparmor blocks migration)
  * update QRT for remote tests
  * discover/file/fix LP: #462000 (apparmor disallows qemu+tcp://
    connections)
  * look into LP: #455832 (segfault when attaching disk with same
    physical device) some more
* Debian bug #483139 (update to openssl-vulnkey patch)
* advise nxvl on openssl merge
* advise bdmurray on SRU update-manager

== Community ==
* discuss/update wiki for security-proposed

== Archive ==
* process/review/discuss a bunch of NEW -partner packages


Nov2 - Nov8
(Short week due to Nov 4th vacation)
Role: community

== Issue Tracking ==
* bug triage
* CVE triage
* investigate/discuss gnome-keyring 'issue' with mdeslaur (i.e., users
   have access to their passwords).
* investigate/analyze/discuss TLS renegotiation issue with security
   team
* discuss reporting graphs with kees and mdeslaur

== Updates ==
* Perform https://wiki.ubuntu.com/SecurityTeam/ReleaseCycle#Devel%20Opens
* setup lucid debmirror
* update packages mirror setup
* setup kubuntu VM
* flashplugin-nonfree sponsored upload
* mandos sponsored upload
* mahara sponsored upload
* discover/discuss LP: #475808 (Unembargoing packages via the API
   doesn't seem to apply overrides correctly)
* discover/discuss mandos not uploading to the ppa
* UQT: update unembargo to work around LP: #475808
* start looking at redhat-cluster again

== Technology Development ==
* SRUs
  * apparmor SRU (prepare, test, upload, retest)
  * evince SRU (prepare, test, upload, retest)
  * firefox-3.5 SRU (prepare, test, request merge)
* AppArmor
  * apparmor bug triage
  * upload apparmor 2.3.1+1403-0ubuntu28 to lucid
  * push much of apparmor's profile delta to apparmor-trunk (upstream)
  * discover/analyze/fix FTBFS on lucid (LP: #474751)
* libvirt
  * more migrate testing
  * look into backing stores and storage volumes
  * learn about libvirt storage pools and volumes; investigate LP:
    #470636 (AppArmor security driver does not support backingstore).
    This shouldn't be too hard to fix as libvirt already has what is
    needed. Discuss these features with mdeslaur.
  * gather up bug fixes and start preparing to push back upstream
* QRT: add docs for NFS for multipurpose-vm

== Community ==
* blog: "AppArmor sVirt security driver for libvirt". Picked up by LWN
* wiki: wrote gnome-keyring entry in the security team FAQ
* wiki: wrote firefox apparmor entry in the security team FAQ

== Archive ==
* process NEW for Ubuntu and -partner


= Kees Cook =

Oct26 - Nov1
Weekly Role: community

== Issue Tracking ==
* prepared ubuntu-cve-tracker for lucid opening

== Technology Development ==
* added test for MMAP_PAGE_ZERO personality filtering.

== Auditing ==
* lots of ISO testing for Karmic final
* reproduced degraded raid failures seen by jdstrand
* looking for .intel_syntax in the archive source for doko

== Community ==
* security team meeting


Nov2 - Nov8
Weekly Role: happy-place

== Issue Tracking ==
* investigating kernel vulnerabilities as they appear

== Technology Development ==
* lots of graphs and lots of data updates

== Technology Integration ==
* requested sync for libifp, libselinux, libmikmod, mimetex

== Community ==
* super-short security team meeting
* reviewing slides for "writing secure software" OpenWeek talk
* held "Writing Secure Software" session for Ubuntu OpenWeek


= Marc Deslauriers =
Oct26 - Nov1
Weekly role: happy place

== Updates ==
* Looked at ffmpeg patches
* Updated adobe-flashplugin and acroread CVEs
* Built qt4-x11 updates and put in security-updates-testing PPA

== Technology development ==
* Researched and fixed AppArmor bug: aa-logprof doesn't seem to load
   the existing profiles (LP: #446449)
* ISO testing:
   - filed "Shutting down the livecd ends with black screen" (LP: #462920)
   - filed "Text mode displayed while booting live cd" (LP: #462328)
* Tested jj's apparmor test kernels

== Canonical ==
* Security team weekly meeting
* Attended MC meeting for core-dev application

== Community ==
* Sponsored drupal5, drupal6 and my own phpmyadmin security updates


Nov2 - Nov8
Weekly role: triage

== Issue Tracking ==
* CVE triage
* massive security bug triage

== Updates ==
* Worked on, tested and released USN-850-3: poppler vulnerabilities
* Worked on, tested and released USN-854-1: GD library vulnerabilities
* Worked on, tested and released USN-855-1: libhtml-parser-perl
vulnerability
* Worked on openldap CVEs

== Technology development ==
* qa-regression-testing:
   - added test-libhtml-parser-perl.py testing script
   - added test-libgd2.py testing script
* Read about and discussed gnome-keyring issue
* Read about, investigated and discussed TLS issue with kees and
jdstrand

== Canonical ==
* Security team weekly meeting



-- 
Robbie Williamson <robbie at ubuntu.com>
Ubuntu