Weekly Security Team Summary, 2009-02-22

Robbie Williamson robbie.williamson at canonical.com
Wed Feb 24 04:39:59 GMT 2010


= Jamie Strandboge =
Role: happy place

== Issue Tracking ==
 * bug triage
 * CVE triage

== Updates ==
 * firefox update: test, publish USN-895-1 and USN-896-1
 * review sponsored uploads
 * xmlrpc-c update:
   - test, publish USN-890-5
   - write test-xmlrpc-c.py for QRT

== Technology Development ==
 * AppArmor
   - on upgrades, prepopulate apparmor/homedirs if it is not preseeded.
     Will check /etc/passwd for UIDs >= 1000 and < 30000 for unique
     dirnames of home directories that are not /home. Fully resolves
     (LP: #447292)
   - investigate and writeup[1] findings for enabling the firefox
     profile by default
 * UFW
   - fix LP: #521359 (ufw errors during boot with upstart (/tmp))
   - more ipv6 fixups for 'show listening' report
   - allow use of --force with reset
   - prepare, test, upload 0.30pre1-0ubuntu1 to Lucid
 * file LP: #522845 (compiling with libcap-ng disallows qemu/kvm access 
   to files not owned by root when not using AppArmor)
 * fight with no sound after recent pulseaudio/alsa-plugins problem (LP:
   #523902)
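
The /etc/passwd scan described under AppArmor above, as an added shell example that is not taken from the apparmor package's maintainer scripts: it reads passwd-format input, keeps UIDs in the range >= 1000 and < 30000, and returns the unique parent directories of those home directories, leaving out /home itself. The sample passwd lines are constructed for the example, and the space-separated form used for the debconf value is an assumption (check the package's debian/config for the real format before preseeding).

```shell
# Constructed sample in /etc/passwd format (not copied from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/srv/users/bob:/bin/bash
carol:x:1002:1002:Carol:/export/home/carol:/bin/bash
dave:x:1003:1003:Dave:/srv/users/dave:/bin/bash
svc:x:30000:30000:Service:/opt/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# extra_homedirs: read passwd-format lines on stdin and print, one per line,
# the unique parent directories of home directories owned by UIDs in
# [1000, 30000). /home is dropped because the stock profile already covers it.
extra_homedirs() {
    awk -F: '$3 >= 1000 && $3 < 30000 && $6 != "" { print $6 }' \
    | while IFS= read -r home; do dirname "$home"; done \
    | sort -u \
    | grep -vx '/home' || true   # grep exits 1 when nothing is left; that is not an error here
}

# as_debconf_value: collapse the list into one space-separated string, the
# shape assumed here for a debconf string question such as apparmor/homedirs.
as_debconf_value() {
    extra_homedirs | tr '\n' ' ' | sed 's/ $//'
}

# On a live system you would feed the real database instead of the sample:
#   getent passwd | as_debconf_value
printf '%s\n' "$SAMPLE_PASSWD" | as_debconf_value; echo
```

Two points worth keeping when adapting this: the upper bound of 30000 excludes system and role accounts created in the high range, so a site that allocates human users there would need the range adjusted, and only the parent directory is added, so users whose home is directly under / would contribute "/" and should be reviewed before the value is written.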

== Audit ==
 * discuss current state of heap protection and attacks with kees (wrt
   firefox 0-day)
 * review ssh-import-id (LP: #524226)

== Community ==
 * ReleaseStatus meeting

== Archive ==
 * UST check-source-package: 
   - adjust to work on cocoplum
   - add several new tests
   - adjust to work on diff.gz as well as debdiff
 * process NEW (not as much as I would have liked)

[1]
https://wiki.ubuntu.com/SecurityTeam/Specifications/Karmic/AppArmorFirefoxProfile#Future%20Work



= Kees Cook =
Weekly Role: community

== Updates ==
 * building and testing openoffice.org

== Technology Development ==
 * merged vm-builder fixes for lucid, ext4.
 * bolted check-bios-nx onto update-notifier.
 * documenting CPU features in the wiki
 * testing symlink protection kernel patch.

== Technology Integration ==
 * more testing and upload of devmapper/lvm2 merge.
 * uploaded latest AppArmor upstream, twice.
 * fixed hplip old udev rule removals.
 * fixed foo2zjs old udev rule removals.
 * fixed brltty initramfs hook execute bit.

== Auditing ==
 * investigating how virtuoso-opensource exploded into a giant package



= Marc Deslauriers =
Weekly role: triage

== Issue Tracking ==
 * CVE triage
 * security bug triage

== Updates ==
 * Worked on, tested and released USN-900-1: Ruby vulnerabilities
 * Worked on, tested and released USN-901-1: Squid vulnerabilities
 * Worked on, tested and released flashplugin-nonfree updates
 * Researched webkit CVEs
 * Worked on pidgin updates

== Technology development ==
 * Worked on DebuggingScreenLocking wiki page
 * Added debugging info to all the open screen locking bugs
 * Merged samba
 * Attempted to merge libvirt, but upstream apparmor support is broken
 * Opened and looked at vm-builder bug with "utf8" locales (LP: #523589)
 * Researched and solved screen locking bug (LP: #369359)
 * Updated gnome-screensaver apport hook to include g-p-m gconf keys
 * Created "security" symptom in apport-symptoms

-- 
Robbie Williamson                                     robbie at ubuntu.com
Ubuntu                                         robbiew[irc.freenode.net]                               

"You can't be lucky all the time, but you can be smart everyday" 
 -Mos Def

"Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you." -Me ;)
