Security Team Weekly Summary 2009-11-2 & 2009-11-9
Robbie Williamson
robbie at ubuntu.com
Wed Nov 11 14:42:22 GMT 2009
= Jamie Strandboge =
Oct26 - Nov1
Role: triager
== Issue Tracking ==
* bug triage
* CVE triage
* Perform: https://wiki.ubuntu.com/SecurityTeam/ReleaseCycle#Release%20Checklist
== Updates ==
* analyze CVE-2009-3616 for qemu/qemu-kvm/kvm (only affected on qemu/jaunty (universe))
* firefox update (testing/publish): USN-853-1
* sponsor/discuss qemu-kvm to security-proposed with kirkland
== Technology Development ==
* iso testing
* discover/investigate/file/discuss LP: #462258 (raid1 won't boot in degraded mode)
* UQT/vm-tools: update vm-iso to wait until the VM comes up to avoid IO storm when fully allocating
* investigate/comment on LP: #426582 where my laptop would hard lock on login (EXA vs XAA on radeon 7500)
* AppArmor
  * triage all apparmor and apparmor-tagged bugs. Go through all bugs with 'apparmor' in the description and tag them (if appropriate)
  * update DebuggingApparmor for tags
  * SRUs (3 abstractions bugs in apparmor, 1 firefox profiling bug)
  * apparmor profile discussion with fta regarding ff dailies
  * test jj's SRU kernel
* libvirt
  * investigate/fix LP: #460271 (virt-aa-helper fails when serial or console type is 'tcp')
  * discover/investigate/fix LP: #461528 (apparmor blocks migration)
  * update QRT for remote tests
  * discover/file/fix LP: #462000 (apparmor disallows qemu+tcp:// connections)
  * look into LP: #455832 (segfault when attaching disk with same physical device) some more
* Debian bug #483139 (update to openssl-vulnkey patch)
* advise nxvl on openssl merge
* advise bdmurray on SRU update-manager
== Community ==
* discuss/update wiki for security-proposed
== Archive ==
* process/review/discuss a bunch of NEW -partner packages
Nov2 - Nov8
(Short week due to Nov 4th vacation)
Role: community
== Issue Tracking ==
* bug triage
* CVE triage
* investigate/discuss gnome-keyring 'issue' with mdeslaur (ie, users have access to their passwords).
* investigate/analyze/discuss TLS renegotiation issue with security team
* discuss reporting graphs with kees and mdeslaur
== Updates ==
* Perform https://wiki.ubuntu.com/SecurityTeam/ReleaseCycle#Devel%20Opens
* setup lucid debmirror
* update packages mirror setup
* setup kubuntu VM
* flashplugin-nonfree sponsored upload
* mandos sponsored upload
* mahara sponsored upload
* discover/discuss LP: #475808 (Unembargoing packages via the API doesn't seem to apply overrides correctly)
* discover/discuss mandos not uploading to the ppa
* UQT: update unembargo to work around LP: #475808
* start looking at redhat-cluster again
== Technology Development ==
* SRUs
  * apparmor SRU (prepare, test, upload, retest)
  * evince SRU (prepare, test, upload, retest)
  * firefox-3.5 SRU (prepare, test, request merge)
* AppArmor
  * apparmor bug triage
  * upload apparmor 2.3.1+1403-0ubuntu28 to lucid
  * push much of apparmor's profile delta to apparmor-trunk (upstream)
  * discover/analyze/fix FTBFS on lucid (LP: #474751)
* libvirt
  * more migrate testing
  * look into backing stores and storage volumes
  * learn about libvirt storage pools and volumes; investigate LP: #470636 (AppArmor security driver does not support backingstore). This shouldn't be too hard to fix as libvirt already has what is needed. Discuss these features with mdeslaur
  * gather up bug fixes and start preparing to push back upstream
* QRT: add docs for NFS for multipurpose-vm
== Community ==
* blog: "AppArmor sVirt security driver for libvirt". Picked up by LWN
* wiki: wrote gnome-keyring entry in the security team FAQ
* wiki: wrote firefox apparmor entry in the security team FAQ
== Archive ==
* process NEW for Ubuntu and -partner
= Kees Cook =
Oct26 - Nov1
Weekly Role: community
== Issue Tracking ==
* prepared ubuntu-cve-tracker for lucid opening
== Technology Development ==
* added test for MMAP_PAGE_ZERO personality filtering.
== Auditing ==
* lots of ISO testing for Karmic final
* reproduced degraded raid failures seen by jdstrand
* looking for .intel_syntax in the archive source for doko
== Community ==
* security team meeting
Nov2 - Nov8
Weekly Role: happy-place
== Issue Tracking ==
* investigating kernel vulnerabilities as they appear
== Technology Development ==
* lots of graphs and lots of data updates
== Technology Integration ==
* requested sync for libifp, libselinux, libmikmod, mimetex
== Community ==
* super-short security team meeting
* reviewing slides for "writing secure software" OpenWeek talk
* held "Writing Secure Software" session for Ubuntu OpenWeek
= Marc Deslauriers =
Oct26 - Nov1
Weekly role: happy place
== Updates ==
* Looked at ffmpeg patches
* Updated adobe-flashplugin and acroread CVEs
* Built qt4-x11 updates and put in security-updates-testing PPA
== Technology development ==
* Researched and fixed AppArmor bug: aa-logprof doesn't seem to load the existing profiles (LP: #446449)
* ISO testing:
  - filed "Shutting down the livecd ends with black screen" (LP: #462920)
  - filed "Text mode displayed while booting live cd" (LP: #462328)
* Tested jj's apparmor test kernels
== Canonical ==
* Security team weekly meeting
* Attended MC meeting for core-dev application
== Community ==
* Sponsored drupal5, drupal6 and my own phpmyadmin security updates
Nov2 - Nov8
Weekly role: triage
== Issue Tracking ==
* CVE triage
* massive security bug triage
== Updates ==
* Worked on, tested and released USN-850-3: poppler vulnerabilities
* Worked on, tested and released USN-854-1: GD library vulnerabilities
* Worked on, tested and released USN-855-1: libhtml-parser-perl vulnerability
* Worked on openldap CVEs
== Technology development ==
* qa-regression-testing:
- added test-libhtml-parser-perl.py testing script
- added test-libgd2.py testing script
* Read about and discussed gnome-keyring issue
* Read about, investigated and discussed TLS issue with kees and jdstrand
== Canonical ==
* Security team weekly meeting
--
Robbie Williamson <robbie at ubuntu.com>
Ubuntu