=== JoseAntonioR is now known as JoseeAntonioR === popey_ is now known as popey === doko_ is now known as doko === Tonio_ is now known as Tonio_aw === soren_ is now known as soren === Ursinha is now known as Ursinha-afk === Ursinha-afk is now known as Ursinha === chiluk_away is now known as chiluk === Ursinha is now known as Ursinha-afk === Ursinha-afk is now known as Ursinha === Tonio_aw is now known as Tonio_ === yofel_ is now known as yofel === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_ === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_ === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_ === Tonio_ is now known as Tonio_aw === tyhicks` is now known as tyhicks === chiluk is now known as chiluk_away === chiluk_away is now known as chiluk [18:25] hi [18:25] sorry we are a bit late [18:25] hello [18:25] \o [18:25] hello [18:25] * sbeattie waves [18:25] #startmeeting [18:25] Meeting started Mon Jan 14 18:25:46 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology. [18:25] Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired [18:26] The meeting agenda can be found at: [18:26] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting [18:26] [TOPIC] Announcements === meetingology changed the topic of #ubuntu-meeting to: Announcements [18:26] Thanks to the following individuals who provided security for Ubuntu: [18:27] Stefan Bader (smb) provided debdiffs for oneiric-quantal for xen [18:27] Chad Miller (chad) for getting chromium-browser up to 23.0.1271.97 for lucid-quantal [18:27] Benjamin Drung (bdrung) provided an update for precise and quantal for vlc (LP: #1084054) [18:27] Launchpad bug 1084054 in vlc (Ubuntu Oneiric) "Denial of service via crafted PNG file" [Undecided,Confirmed] https://launchpad.net/bugs/1084054 [18:27] Christian Kuersteiner (ckuerste) provided a debdiff for precise for xymon (LP: #1092412) [18:27] Launchpad bug 1092412 in xymon (Ubuntu Oneiric) "Xymon Multiple XSS" [Undecided,New] https://launchpad.net/bugs/1092412 [18:27] Your work is very much appreciated and will keep Ubuntu users secure. Great job! :) [18:27] [TOPIC] Weekly stand-up report === meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report [18:27] I'll go first [18:27] I'm on triage today [18:28] rather, this week [18:29] I planned to get nss out last week, but was unable. I need to do new upstream releases for nss and nspr for this update, and I spent last week preparing those [18:29] that should go out today or tomorrow [18:29] chromium-browser (as mentioned) is now at 23.0.1271.97 for the stable releases, but upstream releases 24 last week, so I'll be sponsoring/testing that as well [18:30] ±o/ [18:30] argh [18:30] \o/ [18:30] I'm going to look at the recent java issue some more [18:31] and I need to patch pilot [18:31] mdeslaur: you're up [18:31] I'm on community this week [18:31] I've just released a couple of security updates, and will pick some more off the list [18:32] and that's pretty much it. sbeattie, you're up [18:32] I'm again an apparmor monkey this week [18:33] My primary focus is on getting the display manager prototype going [18:33] I'm not sure where jjohansen is on getting the alpha out the door, but may pitch in to help on that after getting 2.8.1 out last week. [18:34] I'll also poke at the random things that have popped up on the list. [18:34] that's it for me. tyhicks? [18:34] Similar to last week. Embargoed item and apparmor policy kernel interface. [18:34] That's it for me. Back to you, jdstrand [18:35] actually, we skipped sarnold [18:35] sarnold: you're up [18:35] who's sarnold? [18:35] sorry, sarnold :) [18:35] :) [18:35] I'm in happy place this week, hoping to make forward progress on dnsmasq update, now using mdeslaur's suggestion for VM with two NICs, will combine with jdstrand's suggestion to use two VMs rather than do the testing via my host... [18:36] .. but if I have more trouble reproducing the reporter's situation, I'll be leaning towards just regression testing. [18:37] sarnold: sounds reasonable [18:37] (I'm thinking end-of-the-day today as the decision point...) [18:37] jdstrand: back to you [18:38] sarnold: you can get one of us to review your changes too, as a sanity check/second opinion since it affects an important package [18:38] mdeslaur: thanks :) [18:38] [TOPIC] Highlighted packages === meetingology changed the topic of #ubuntu-meeting to: Highlighted packages [18:38] The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. [18:38] See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. [18:39] Normally we provide a list of 5 packages. However, this week I'd like to ask for help on updating the recent raills vulnerabilities: [18:39] http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0156.html [18:39] active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity referen... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156) [18:39] http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0155.html [18:39] Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated b... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155) [18:40] [TOPIC] Miscellaneous and Questions === meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions [18:40] Does anyone have any other questions or items to discuss? [18:43] mdeslaur, sbeattie, tyhicks, sarnold: thanks! [18:43] #endmeeting === meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology [18:43] Meeting ended Mon Jan 14 18:43:36 2013 UTC. [18:43] Minutes (wiki): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-01-14-18.25.moin.txt [18:43] Minutes (html): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-01-14-18.25.html [18:43] thanks jdstrand :) [18:43] thanks jdstrand! [18:43] thanks! [18:43] thanks jdstrand === Tonio_aw is now known as Tonio_ === Ursinha is now known as Ursinha-afk === Ursinha-afk is now known as Ursinha === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_ === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_ === Tonio_ is now known as Tonio_aw === Tonio_aw is now known as Tonio_