Security Team Weekly Summary, 2009-03-01

Robbie Williamson robbie at ubuntu.com
Wed Mar 3 23:17:24 GMT 2010


= Jamie Strandboge =
Role: triager

== Issue Tracking ==
* bug triage
* CVE triage

== Updates ==
* clamav hardy (need 0.95.3 in hardy due to pending EOL of 0.94 by upstream):
   - rebuild clamav and rdepends
   - QRT: update test-clamav.py to work again (which also fixes it for Lucid)
   - follow up with ScottK and cemc on test coverage
* sudo
   - extensively analyze CVE-2010-0426 wrt sudo 1.6.8 (Dapper) since upstream said only 1.6.9 was affected, contrary to the code in 1.6.8 (it did turn out to be affected, but only when using execv or without --secure-path).
   - patch, build, test, publish USN-905-1
   - QRT: update test-sudo.py with many more tests

== Technology Development ==
* AppArmor
   - firefox and scim (still not working)
* followup on radeon bugs:
   - LP: #513950
   - LP: #513956
   - LP: #507148
   - LP: #527083
* fix LP: #527077 in vm-builder ([regression] Lacks ability to specify number of CPUs)

== Community ==
* ReleaseStatus meeting
* weekly ubuntu-security meeting
* discuss future of MOTU and motu-swat

== Archive ==
* UST check-source-package: more updates for archive review
* process NEW (lots)



= Kees Cook =
Weekly Role: happy-place

== Issue Tracking ==
 * updating and clarifying kernel CVEs with csurbhi

== Updates ==
 * testing, published openoffice.org update (USN-903-1)

== Technology Development ==
 * add dieharder tests to test-rng.py using glibc, kern, ssl, gnutls RNGs

== Technology Integration ==
 * reviewed and sponsored irqbalance upload from bdmurray
 * re-trying ubuntuone now that n-m isn't required.
 * testing kernel symlink protections

== Auditing ==
 * verified brk-collision is fixed in karmic (LP: #452175)
 * examining process scheduling tricks
 * found root-cause of readdir_r stack smasher (LP: #392501)

== Community ==
 * security team meeting
 * technical board meeting and report

== Misc ==
* fighting with freaky firefox bugs trying to eat my profile



= Marc Deslauriers =
Weekly role: community

== Issue Tracking ==
 * CVE triage

== Updates ==
 * Worked on, tested and released USN-902-1: Pidgin vulnerabilities
 * Worked on, tested and released USN-904-1: Squid vulnerability
 * Added security fixes to mysql-dfsg-5.1, ruby1.9, squid and libvorbis in lucid
 * Researched ffmpeg CVEs

== Technology development ==
 * Worked on app indicator support for virt-manager (LP: #525462)
 * Investigated ruby1.9 build failure on i386 (LP: #526144)
 * Removed ruby1.9 dependencies from libaugeas-ruby and rrdtool to get ruby1.9 out of main (LP: #526677)
 * Researched screen locking bug. (LP: #524816)

== Community ==
 * Sponsored drupal5 and drupal6 community security updates
 * Performed fakesync of otrs2, ajaxterm and polipo security updates


-- 
Robbie Williamson                                     robbie at ubuntu.com
Ubuntu                                         robbiew[irc.freenode.net]

"You can't be lucky all the time, but you can be smart everyday"
 -Mos Def

"Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you." -Me ;)