/srv/irclogs.ubuntu.com/2018/07/23/#ubuntu-meeting.txt

=== maclin1 is now known as maclin
=== chrisccoulson_ is now known as chrisccoulson
[16:31] <ratliff> #startmeeting
[16:31] <meetingology> Meeting started Mon Jul 23 16:31:43 2018 UTC. The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:31] <meetingology> Available commands: action commands idea info link nick
[16:31] <ratliff> The meeting agenda can be found at:
[16:32] <ratliff> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:32] <ratliff> [TOPIC] Announcements
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
[16:32] <ratliff> Thanks to Simon Quigley (tsimonq2) for providing a debdiff for qutebrowser in bionic (LP: #1781295) and debdiffs for kwallet-pam in xenial-bionic (LP: #1768649)!
[16:32] <ubottu> Launchpad bug 1781295 in qutebrowser (Ubuntu Bionic) "CVE-2018-10895: Possible remote code execution via CSRF in qute://settings " [Medium,Fix released] https://launchpad.net/bugs/1781295
[16:32] <ubottu> Launchpad bug 1768649 in pam-kwallet (Ubuntu Trusty) "[CVE] Access to privileged files" [High,New] https://launchpad.net/bugs/1768649
[16:32] <ratliff> Thanks to Dan Streetman (ddstreet) for providing debdiffs for libxstream-java for trusty and xenial (LP: #1780844)!
[16:32] <ubottu> Launchpad bug 1780844 in libxstream-java (Ubuntu Xenial) "CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'" [Medium,Fix released] https://launchpad.net/bugs/1780844
[16:32] <ratliff> Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
[16:32] <ratliff> The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
[16:33] <ratliff> We welcome Mike Salvatore and Eduardo Barretto to the Ubuntu Security Team today! Welcome Mike and Eduardo! We are thrilled that you are joining us to help continue improving security for Ubuntu users!
[16:33] <ratliff> [TOPIC] Weekly stand-up report
=== meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report
[16:33] <ratliff> mdeslaur: you're up
[16:34] <mdeslaur> I'm on triage this week
[16:34] <mdeslaur> and I'm working on clamav updates
[16:34] <mdeslaur> and hopefully we'll get new mysql releases that I can work on
[16:34] <mdeslaur> that's about it from me, sbeattie, you're up
[16:35] <sbeattie> I'm in the happy place this week
[16:35] <sbeattie> I'm working on an internal issue
[16:35] <sbeattie> I'm also working on intel-microcode updates
[16:35] <sbeattie> I have some other random tasks to pick up, before I go on vacation next week.
[16:35] <sbeattie> that's it for me.
[16:35] <sbeattie> jjohansen: you're up
[16:36] <jjohansen> I have a few LSS-NA duties to take care of this week
[16:36] <jjohansen> err, make that -EU
[16:37] <jjohansen> I need to finish looking into mjg's network labeling patch
[16:37] <jjohansen> and I need to get back to working on prompt mode
[16:37] <tsimonq2> pr
[16:37] <tsimonq2> whoops
[16:37] <ratliff> lol, good to see you tsimonq2! thanks for the updates! :)
[16:38] <jjohansen> :)
[16:38] <jjohansen> that's it for me
[16:38] <jjohansen> sarnold: you are up
[16:39] <tsimonq2> hehe ratliff :)
[16:39] <tsimonq2> Thanks
[16:41] <sarnold> I'm in the happy place this week
[16:41] <sarnold> I'm preparing an apparmor presentation and sadly neglecting the desktop portals MIR
[16:42] <sarnold> that's it for me, chrisccoulson?
[16:42] <chrisccoulson> I need to spend a bit more time this week preparing thunderbird 60 updates
[16:42] <chrisccoulson> I've also got an embargoed issue
[16:44] <chrisccoulson> I'll be spending time on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726, hopefully uninterrupted
[16:44] <ubottu> Debian bug 872726 in src:linux "linux: apparmor doesn't use proper audit event ids" [Normal,Open]
[16:44] <chrisccoulson> and then we'll see what else :)
[16:44] <chrisccoulson> that's me done
[16:44] <chrisccoulson> (no rust!)
[16:44] <ratliff> yay!
[16:44] <ratliff> I'm in the happy place this week
[16:45] <ratliff> I'm just back from a sprint, so I have some catch up work to do and also some sprint outcome work
[16:45] <ratliff> I have a bunch of internal work to do (see announcements)
[16:45] <ratliff> msalvatore: you are up next
[16:46] <msalvatore> Hi, everyone. I just joined the team last Monday, so most of my time has been spent on general on-boarding tasks and getting up to speed.
[16:47] <msalvatore> I'm also working on resolving CVE-2018-10886 which is a ZipSlip vulnerability in ant.
[16:47] <ubottu> ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886)
[16:47] <msalvatore> I'm hoping to close that out today or tomorrow and move onto the next task.
[16:47] <msalvatore> That's it for me. You're up ebarretto.
[16:50] <ratliff> we will catch up with ebarretto later
[16:51] <ratliff> [TOPIC] Highlighted packages
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
[16:51] <ratliff> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
[16:51] <ratliff> See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[16:51] <ratliff> [TOPIC] Miscellaneous and Questions
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
[16:51] <ratliff> Does anyone have any other questions or items to discuss?
[16:51] <leosilva> hehe I had.
[16:52] * sbeattie welcomes msalvatore and ebarretto
[16:52] <tsimonq2> When did highlighted packages turn into Debian merges only? ;)
[16:52] <leosilva> I'm in community, finished mutt updates and will move to python-cryptography and so hunting.
[16:52] * tsimonq2 waves to msalvatore and ebarretto as well
[16:52] <leosilva> that's it for me.
[16:52] <ratliff> I'm so sorry leosilva
[16:52] <leosilva> np
[16:52] <ratliff> leosilva: thank you
[16:53] <sarnold> tsimonq2: that was a few months ago I think, it seemed more likely to get traction than starting-from-scratch ..
[16:53] <tsimonq2> sarnold: Ah.
[16:53] <sbeattie> tsimonq2: we switched to that believing that it would be easier to get into than "here's five random universe packages that have open cves"
[16:53] <sarnold> tsimonq2: .. the old list also didn't take into account that oftentimes there's no upstream patches, so actually fixing those issues might have been harder; with the debian merge possibilities, there's at least some known patches :)
[16:54] <sbeattie> that said, if you like rolling the dice to see what to work on, it's a simple script that generates it.
[16:54] <tsimonq2> Makes sense. :)
[16:54] <sbeattie> (it does make for an okay "I should re-triage 5 old cves today" helper)
[16:54] <tsimonq2> hehe
[16:55] <tsimonq2> Oh, one thing, while I am here.
[16:55] <tsimonq2> QtWebEngine has embedded Chromium, and would be good to deliver the patch release via bionic-security.
[16:55] <tsimonq2> We can discuss more in -hardened but expect that Soon.
[16:56] <ratliff> tsimonq2: cool, let's discuss more in ubuntu-hardened
[16:56] <tsimonq2> Cool. Nothing else from me :)
[16:56] <ratliff> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson, leosilva, amurray, msalvatore, ebarretto: Thanks! Thanks also to tsimonq2!
[16:56] <ratliff> #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds: Please leave swords by the door | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendars | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology | <wxl> be nice
[16:56] <meetingology> Meeting ended Mon Jul 23 16:56:41 2018 UTC.
[16:56] <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting/2018/ubuntu-meeting.2018-07-23-16.31.moin.txt
[16:56] <mdeslaur> thanks ratliff!
[16:56] <tsimonq2> Thanks!
[16:56] <jjohansen> thanks ratliff
[16:56] <leosilva> tks ratliff
[16:57] <sarnold> thanks ratliff!
[16:57] <msalvatore> thanks ratliff
[16:57] <sbeattie> ratliff: thanks!
[16:58] <ebarretto> Hi everyone, I lost my turn ... had a minor power outage here ... this must be a sign of luck ... lol ... Today is my first day joining the Team, so I am still catching up! I am really excited to join the team and to work with the community. Feel free to ping me whenever you want!
[17:13] <sarnold> ebarretto: what a way to start the new job, eh? :) hehe, welcome aboard