Security Team Weekly Summary, 2009-09-28
Robbie Williamson
robbie at ubuntu.com
Mon Sep 28 22:44:07 BST 2009
=== Jamie Strandboge ===
Role: community
== Issue Tracking ==
* bug triage
* CVE triage
== Updates ==
* publish postgresql
* asterisk sponsored upload and testing for iamfuzz
* dovecot and newt sponsored uploads for mdeslaur
== Technology Development ==
* AppArmor
* firefox
* fix LP: #433128 (Apparmor denies firefox extension execution)
* fix LP: #433362 (Apparmor blocks access to /media in Firefox)
* fix LP: #436221 (apparmor profile is not disabled on upgrade from jaunty firefox-3.5)
* firefox merge discussion
* libvirt
* implement XML parsing in security driver along with other upstream suggestions
* test cases for attach/detach-disk/device
* investigate spurious apparmor denied messages which occasionally occur on attach (only occurs during guest boot when acpi is being loaded and perform the attach at that instant)
* resubmit libvirt patch to upstream
* QRT: write libvirt-apparmor.sh
* follow up on LP: #400682 ([Karmic stac9227 regression] No sound after upgrade from Jaunty to Karmic)
* brainstorm group functionality for ufw. Basic idea is that ufw can essentially be a wrapper around ip[6]tables so most applications that just add rules to the BUILTIN chains can more easily add ufw support. This is all very hand-wavy, but the user experience might be something like:
  * application calls 'ufw -g eucalyptus -A INPUT ...iptables rule...', which creates a 'eucalyptus-INPUT' chain, and adds the rule to this chain (note that the various BUILTIN chains would need to be supported)
  * administrator can then reference <group> when manipulating rulesets, eg 'sudo ufw group in eucalyptus'. This rule will add '-j eucalyptus-INPUT' rule into the user chain
== Community ==
* participate in security team meeting
* comment on core-dev application for nxvl
* prepare for/participate in release meeting
* write https://wiki.ubuntu.com/SecurityTeam/ReleaseStatus
=== Kees Cook ===
Weekly Role: community
== Updates ==
* published neon updates (USN-835-1)
== Technology Development ==
* backported AppArmor parser to jaunty kernel interface.
== Technology Integration ==
* discussing apparmor loading with Keybuk.
* writing initramfs hooks for apparmor.
* removing executable stack from mountall (LP: #434813).
* implemented --password in gnome-about-me (LP: #307019).
== Auditing ==
* embargoed issue investigation.
== Community ==
* attended LinuxCon, Linux Plumber's Conference.
* investigating SELinux state in Karmic, talked with Caleb Case.
* discussed upstreaming NX-emulation with Dave Jones.
* reviewed/uploaded ufw for jdstrand.
=== Marc Deslauriers ===
Weekly role: triage
== Issue Tracking ==
* CVE triage
* security bug triage
== Updates ==
* Worked on, tested and released USN-836-1: WebKit vulnerabilities
* Worked on, tested and released USN-837-1: Newt vulnerability
* Researched php5 CVEs
* Researched and worked on dovecot CVEs
== Technology development ==
* ubuntu-security-tools:
- scripts/cve_lib.py: don't die on a blank line
* Opened upstream bug for "vino-preferences does not report public IPv6 addresses" (LP: #344489)
* qa-regression-testing:
- Added to test-dovecot.py testing script
--
Robbie Williamson <robbie at ubuntu.com>
Ubuntu