Security Team Weekly Summary, 2009-09-21
Robbie Williamson
robbie at ubuntu.com
Mon Sep 21 19:23:29 BST 2009
= Jamie Strandboge =
Role: triager
== Issue Tracking ==
* bug triage
* CVE triage
* UCT
* better handle partial EOL releases (i.e. Dapper)
* update mass-cve-edit to deal with multiple packages and releases
* triage old CVEs and bring karmic back into reality
* check-cves
== Updates ==
* kdelibs:
* analyze, patch, build, test, publish (USN-833-1)
* [karmic]: apply patches from USN-822-1 and USN-833-1, fix FTBFS
* kde4libs:
* analyze, patch, build, test, publish (USN-833-1)
* [karmic]: apply patches from USN-833-1
* openoffice.org update
* analyze, start patching
* rebuild schroots to handle OO.o on Intrepid and higher
* coordinate postgresql update
* postfix update: analyze and coordinate CVE-2009-2939 (low impact,
will process as SRU)
== Technology Development ==
* follow up on LP: #418197 (Ext4 Jaunty SRU tracking bug)
* test LP: #400682 ([Karmic stac9227 regression] No sound after upgrade
from Jaunty to Karmic): still broken
* AppArmor
* fix LP: #429061 (allow gnash in firefox profile)
* fix LP: #428071 (allow access to plugins directory in firefox
profile)
* add email abstractions for email clients
* discuss LP: #429872 (/sbin/apparmor_parser: ... Profile doesn't
conform to protocol) with jj, kees and mdeslaur
* libvirt
* workaround bug #431090 (libvirt apparmor profile is preventing
libvirt from running eucalyptus VMs)
* struggle with attach-disk (discovered it is broken on Karmic kvm,
see LP: #432154)
* start developing fix for LP: #432581 (libvirt/apparmor breaks
non-default serial, console, kernel and initrd). This is the proper
fix for LP #431090 and requires virt-aa-helper to be updated to read
XML instead of a bunch of command line arguments. This fix is also
required for upstream acceptance and will fix LP: #432810 in the
process
* become mildly proficient with upstart
* ufw
* fix LP: #430053 (ufw does not error out when filesystem is
read-only)
* fix LP: #431804 (ufw starts after some network daemons due to move
to upstart in Ubuntu). This provides a small window where network
daemons are running without a firewall. This constitutes a security
risk (although small) for people who enable the firewall and expect
its protection (eg in hostile wireless networks). Fixed by creating
an upstart job for ufw.
* update packaging to use upstart in Ubuntu and sysv in Debian
* miscellaneous cleanups to make sure that ufw starts before networking
for upstart, and before listening services for sysv
* update documentation to include upstart
* fix LP: #424528 (ufw crashed with ValueError in under_ssh()) by simply
not reloading instead of tracing back
* prepare and release 0.29-3 and 0.29-4
== Community ==
* security team meeting
== Archive ==
* process sync requests
* process NEW
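As an added illustration of the ufw ordering fix described above (this is not text from the report and not necessarily the job as shipped in the ufw packaging), here is an upstart job that hooks the "starting" events of the networking jobs so the ruleset is loaded before any interface is brought up. The file path and the /lib/ufw/ufw-init invocation are assumptions for the example.

```upstart
# /etc/init/ufw.conf (illustrative; path and helper invocation assumed)
description "Uncomplicated firewall"

# "starting JOB" is a blocking event: the networking job that emitted it
# cannot continue until this job's pre-start has finished, so the firewall
# is in place before interfaces come up and before daemons bound to them
# can accept traffic. Any of the three jobs that may configure the network
# is enough to trigger the load.
start on (starting network-interface
          or starting network-manager
          or starting networking)

# Leave the firewall up for the normal runlevels; tear it down when leaving them.
stop on runlevel [!023456]

console output

# Load the saved ruleset (assumed helper shipped with ufw).
pre-start exec /lib/ufw/ufw-init start

# Flush the ufw chains when the job is stopped.
post-stop exec /lib/ufw/ufw-init stop
```

The important design choice is using the blocking "starting" event rather than "started": with "started networking" the job would still run only after the interfaces were up, leaving exactly the window the report describes.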
= Kees Cook =
Weekly Role: community
== Updates ==
* hunt/patch/build/test neon updates
== Technology Integration ==
* bisecting RH gdb patch sets to find minimum patch series for PIE support.
== Auditing ==
* verified test-{gcc,glibc,kernel}-security regression tests on all releases.
* scanned old apport-crashes to add SegvAnalysis to, added to 2000 bugs.
== Community ==
* uploaded SELinux fixes from ccase (LP: #428007, #371075, #418026, #428043).
* reviewed nginx patches
* security team weekly meeting
* reviewed/uploaded ufw to Debian for jdstrand.
* reviewed/responded to community patch suggestions.
= Marc Deslauriers =
Weekly role: happy place
== Updates ==
* Worked on, tested and released USN-830-1: OpenSSL vulnerability
* Worked on, tested and released USN-831-1: OpenEXR vulnerabilities
* Worked on, tested and released USN-832-1: FreeRADIUS vulnerability
* Researched and worked on webkit CVEs
* Researched and worked on qt4-x11 CVEs
== Technology development ==
* Filed Soyuz bug "PPA page's "view package details" link is in a bad place"
(LP: #429551)
* Filed Evolution bug "contacts displayed twice in new email contact list" (LP:
#428917)
* Filed libwnck bug "window list doesn't show proper window title" (LP: #429715)
* ubuntu-security-tools:
- added --lpnet to copy_sppa_to_repos
* qa-regression-testing:
- Added to test-openexr.py testing script
- Wrote test-freeradius.py
* Added aide info to server marketing wiki page
* Created and uploaded disabled apache2 apparmor profile into Karmic
* Filed tomboy bug "tomboy search no longer works" (LP: #430050)
* Filed freeradius bug "freeradius config needs freeradius-mysql" (LP: #430730)
* Filed freeradius bug "radclient doesn't work" (LP: #430732)
* Worked on and fixed apparmor bug "aa-logprof doesn't handle "open" log
entries" (LP: #427966)
* Worked on and fixed apparmor bug "libapparmor doesn't parse ouid" (LP: #431929)
* Opened evolution bug "contacts displayed twice in new email contact list"
(LP: #428917)
More information about the ubuntu-devel mailing list