Security Team Weekly Summaries, Mar15-Apr4

[Robbie Williamson]

Please accept my deepest apologies, as there is no excuse on being so
late with updating people on the good work our Security team does.

-Robbie

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jamie Strandboge

= Mar 8 - Mar 21 =
Vacation from Mar 13 - Mar 21

Role: happy place

== Issue Tracking ==
* bug triage
* CVE triage
* fix reassign.py traceback in ubuntu-qa-tools

== Updates ==
* moin:
- finish writing patch for Hardy and Dapper
- develop tests for CVEs and regression tests
- publish USN-911-1
- review/test 1.9.2 merge for lucid
* clean up mis-added community USN to USN database, document editing
USN database in wiki

== Technology Development ==
* followup on radeon bugs (still not fixed):
- LP: #513950
- LP: #513956
- LP: #507148
- LP: #527083
- lent affected laptop to kernel team (manjo) so they can more easily
test fixes
* AppArmor
- apparmor abstraction and firefox profile cleanup. fix various
profile bugs along the way
- look into various Oopses possibly related to apparmor (can't
reproduce)
- fix LP: #462419 (evince apparmor profile prevents movies from
opening)
- use child profile to fix LP: #484148 (freeze when using java)
- investigate with kees why READ_IMPLIES_EXEC is being used in
sun-java6 (why need 'm' for certain sun-java6 items in the
profile)

== Audit ==
* discover/investigate/patch/send upstream/negotiate CRD for embargoed
issue (LP: #538022)

== Community ==
* ReleaseStatus meeting
* weekly ubuntu-security meeting

== Archive ==
* process binary NEW


= Mar 22 - Mar 28 =
Short week due to vacation on Monday

Role: community

== Issue Tracking ==
* bug triage

== Updates ==
* openssl analysis (16-bit integers not affected (verify all Ubuntu
releases on all architectures use 16-bit integers))
* twiki sponsored upload
* weechat sponsored upload
* erlang sponsored upload
* tdiary security fake-sync for intrepid, jaunty and karmic

== Technology Development ==
* fix LP: #484148 for karmic users too (apparmor profile freezes
Firefox when using Java)
* fix LP: #523345 (tcpdump: Apparmor prevents opening usbmon)
* discuss php5 extensions in abstraction
* analyze LP: #545426 (SDL support broken (libvirt))
* libvirt 0.7.7-4 merge
- develop new patches due to upstream changes and upload to my PPA
- perform extensize testing (and QRT updates)
- send email to ubuntu-server@ suggesting evaluation of this merge
for Lucid (lots and lots of bugfixes, very few new features)
- write daily local build script so can better keep track of upstream
making incompatible changes. This will eventually lead to daily QRT
test being run on the new build as well
* fix apparmor-notify not noticing log rotation (when running as normal
user) 

== Community ==
* ReleaseStatus meeting

== Miscellaneous ==
* catch-up on 10 days of email (yow that took awhile :))

== Archive ==
* process NEW
* process sync requests
* process removal requests
* process backport requests


= Mar 29 - Apr 4 =
Role: happy place

== Issue Tracking ==
* bug triage
* cve triage
* update UCT for CVE triage discussion from meeting this week

== Updates ==
* publish sponsored uploads from last week
* publish clamav update to 0.95 from -backports to -security for Dapper
* moin
* merge 0.9.2 for Lucid (for security updates)
* moin update (analyze, patch, build)
* sponsor nss for chriscoulson (use transitional renegotiation for
CVE-2009-3555)
* clamav update discussion/review upstream commits (from 0.96)

== Technology Development ==
* discover and file LP: #551178 (apt-get source pkg=version
downloads the wrong version)
* discover, find reproducer for and file LP: #551264 (lvm dies
while snapshotting)
* AppArmor
* Fix LP: #543587 (apparmor profile prevents access to mousepad)
* apparmor_notify: handle log rotate with auditd as well
* send email to ubuntu-devel regarding apparmor_notify
* cleanup php5 abstraction (LP: #538661)
* dia memory leaks (LP: #550772)
* Libvirt
* properly fix save/restore in 0.7.7 (LP: #457716)
* fix backingstore in 0.7.7 (LP: #470636)
* fix hostdev in 0.7.7 (LP: #545795). Start on pcidev
* meet with kirkland to test 0.7.7 for lucid, eucalyptus demo, libvirt
bug triage
* scsi hotswap analysis in 0.7.7 (not a bug, but a functional
regression).
        libvirt now connects new scsi disks to an existing controller
        rather than adding a new controller for each new disk. This
        requires the guestto rescan the bus to notice the disk. This
        prevents 0.7.7 from going to Lucid because eucalyptus hot
        attaches scsi disks as part of EBS and needs the guest to notice
        them. Upstream eucalyptus will have to move to virtio (instead
        of scsi) in Maverick based on this and upstream qemu discussion.
        Discuss all of this with kirkland and smoser, follow up in bug
        and ubuntu-server at u.c
* reinstall lucid on t42, to test/update radeon bugs: all fixed (yea!)
except now plymouth shows only text mode (LP: #554143)

== Community ==
* ubuntu-security meeting
* ReleaseStatus meeting

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Kees Cook

= Mar 15 - Mar 21 =
Weekly Role: triage

== Issue Tracking ==
* 41 CVEs triaged
* security bugs reviewed

== Updates ==
* tested and published kernel updates (USN-914-1)

== Auditing ==
* investigating embargoed issues
* checked all build logs in main/restricted for -fno-stack-protector
* testing beta release
* debugging screen saver failures
* debugging ATI KMS failures

== Community ==
* security team meeting



= Mar 22 - Mar 28 =
Weekly Role: triage

== Issue Tracking ==
* 170 CVEs triaged
* security bugs reviewed

== Updates ==
* patched, tested, published krb5 updates (USN-916-1)

== Technology Development ==
* fixed up memmove leak test to correctly detect fixed case on amd64.

== Auditing ==
* performed quick audit of eucalyptus helper script for kirkland.
* reviewed and approved MIR for scgi (LP: #493593)
* trying to reproduce AppArmor memory-pressure stalls with jj.

== Community ==
* security team meeting

== Misc ==
* fighting really horrible I/O speed regression (LP: #543617)


= Mar 29 - Apr 4 =
Weekly Role: community

== Issue Tracking ==
* reviewing old CVEs and emails.

== Updates ==
* published emacs update (USN-919-1)
* tested and published libnss-db update (USN-922-1)
* preparing openjdk-6 updates with doko

== Technology Integration ==
* debugging patch issue in openjdk-6 jaunty update with doko
* debugging OpenID scraping failure in USN publication

== Community ==
* security team meeting

== Misc ==
* fighting with recent lucid updates breaking gnome for me.
* reproduced kernel hangs on heavy IO

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Marc Deslauriers

= Mar 15 - Mar 21 =
Weekly role: community

== Updates ==
* Worked on, tested and released USN-912-1: Audio File Library
vulnerability
* Worked on, tested and released USN-913-1: libpng vulnerabilities
* Tested and released USN-915-1: Thunderbird vulnerabilities
* Worked on puppet updates
* Worked on samba updates

== Community ==
* Sponsored normalize-audio community security updates
* Sponsored polipo community security updates
* Sponsored mediawiki community security updates

== Canonical ==
* Security team weekly meeting
* Booked travel to UDS


= Mar 22 - Mar 28 =
Weekly role: happy place

== Updates ==
* Worked on, tested and released USN-917-1: Puppet vulnerabilities
* Worked on, tested and released USN-918-1: Samba vulnerability
* Researched xen, sendmail, kvm, webkit CVEs
* Researched CVE-2009-3555 some more

== Technology development ==
* qa-regression-testing:
- scripts/test-samba.py: added extra tests
- scripts/test-puppet.py: new testing script
* Added DTLS backport to openssl (LP: 516318)
* Fixed aa-logprof spewing warnings
* Fixed aa-logprof missing abstractions error (LP: #539441)
* Added a couple of leak patches from AA upstream to Lucid
* Tested updated kernel for radeon issue on Thinkpad T30 (LP: #507148)

== Canonical ==
* Security team weekly meeting


= Mar 29 - Apr 4 =
Weekly role: triage

== Issue Tracking ==
* CVE triage
* security bug triage
* Re-triaged and retired when applicable CVEs before 2009
* Marked Dapper universe CVEs as "ignored" as per security team
discussion

== Technology development ==
* ubuntu-security-tools:
- scripts/sync-from-eol.py: add more functionality
* Fix dvd playback with updated gst-plugins-good0.10 package. (LP:
#522897, LP: #522901)
* Fixed default keyboard mapping in virt-manager (LP: #551243)
* Added security fixes to Lucid openssl
* Discussed firefox lcd filtering patch with Chris Coulson (LP: #512615)
* Discussed and tested ATI Radeon memory issue with Thinkpad T30 (LP:
#507148)
* Researched vmmouse issue (LP: #553081)
* Opened graphical corruption bug with Nouveau (LP: #552736)
* Discussed and researched plymouth bug with ATI Radeon <=32Mb (LP:
#554143)

== Canonical ==
* Security team weekly meeting 


-- 
Robbie Williamson                                     robbie at ubuntu.com
Ubuntu                                         robbiew[irc.freenode.net]                               

"You can't be lucky all the time, but you can be smart everyday" 
 -Mos Def

"Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you." -Me ;)