=== maclin1 is now known as maclin
=== chrisccoulson_ is now known as chrisccoulson
[16:31] #startmeeting
[16:31] Meeting started Mon Jul 23 16:31:43 2018 UTC. The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:31] Available commands: action commands idea info link nick
[16:31] The meeting agenda can be found at:
[16:32] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:32] [TOPIC] Announcements
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
[16:32] Thanks to Simon Quigley (tsimonq2) for providing a debdiff for qutebrowser in bionic (LP: #1781295) and debdiffs for kwallet-pam in xenial-bionic (LP: #1768649)!
[16:32] Launchpad bug 1781295 in qutebrowser (Ubuntu Bionic) "CVE-2018-10895: Possible remote code execution via CSRF in qute://settings " [Medium,Fix released] https://launchpad.net/bugs/1781295
[16:32] Launchpad bug 1768649 in pam-kwallet (Ubuntu Trusty) "[CVE] Access to privileged files" [High,New] https://launchpad.net/bugs/1768649
[16:32] Thanks to Dan Streetman (ddstreet) for providing debdiffs for libxstream-java for trusty and xenial (LP: #1780844)!
[16:32] Launchpad bug 1780844 in libxstream-java (Ubuntu Xenial) "CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'" [Medium,Fix released] https://launchpad.net/bugs/1780844
[16:32] Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
[16:32] The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
[16:33] We welcome Mike Salvatore and Eduardo Barretto to the Ubuntu Security Team today! Welcome Mike and Eduardo! We are thrilled that you are joining us to help continue improving security for Ubuntu users!
[16:33] [TOPIC] Weekly stand-up report
=== meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report
[16:33] mdeslaur: you're up
[16:34] I'm on triage this week
[16:34] and I'm working on clamav updates
[16:34] and hopefully we'll get new mysql releases that I can work on
[16:34] that's about it from me, sbeattie, you're up
[16:35] I'm in the happy place this week
[16:35] I'm working on an internal issue
[16:35] I'm also working on intel-microcode updates
[16:35] I have some other random tasks to pick up, before I go on vacation next week.
[16:35] that's it for me.
[16:35] jjohansen: you're up
[16:36] I have a few LSS-NA duties to take care of this week
[16:36] err, make that -EU
[16:37] I need to finish looking into mjg's network labeling patch
[16:37] and I need to get back to working on prompt mode
[16:37] pr
[16:37] whoops
[16:37] lol, good to see you tsimonq2! thanks for the updates! :)
[16:38] :)
[16:38] that's it for me
[16:38] sarnold: you are up
[16:39] hehe ratliff :)
[16:39] Thanks
[16:41] I'm in the happy place this week
[16:41] I'm preparing an apparmor presentation and sadly neglecting the desktop portals MIR
[16:42] that's it for me, chrisccoulson?
[16:42] I need to spend a bit more time this week preparing thunderbird 60 updates
[16:42] I've also got an embargoed issue
[16:44] I'll be spending time on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726, hopefully uninterrupted
[16:44] Debian bug 872726 in src:linux "linux: apparmor doesn't use proper audit event ids" [Normal,Open]
[16:44] and then we'll see what else :)
[16:44] that's me done
[16:44] (no rust!)
[16:44] yay!
[16:44] I'm in the happy place this week
[16:45] I'm just back from a sprint, so I have some catch up work to do and also some sprint outcome work
[16:45] I have a bunch of internal work to do (see announcements)
[16:45] msalvatore: you are up next
[16:46] Hi, everyone. I just joined the team last Monday, so most of my time has been spent on general on-boarding tasks and getting up to speed.
[16:47] I'm also working on resolving CVE-2018-10886 which is a ZipSlip vulnerability in ant.
[16:47] ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886)
[16:47] I'm hoping to close that out today or tomorrow and move onto the next task.
[16:47] That's it for me. You're up ebarretto.
[16:50] we will catch up with ebarretto later
[16:51] [TOPIC] Highlighted packages
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
[16:51] The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
[16:51] See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[16:51] [TOPIC] Miscellaneous and Questions
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
[16:51] Does anyone have any other questions or items to discuss?
[16:51] hehe I had.
[16:52] * sbeattie welcomes msalvatore and ebarretto
[16:52] When did highlighted packages turn into Debian merges only? ;)
[16:52] I'm in community, finished mutt updates and will move to python-cryptography and so hunting.
[16:52] * tsimonq2 waves to msalvatore and ebarretto as well
[16:52] that's it for me.
[16:52] I'm so sorry leosilva
[16:52] np
[16:52] leosilva: thank you
[16:53] tsimonq2: that was a few months ago I think, it seemed more likely to get traction than starting-from-scratch ..
[16:53] sarnold: Ah.
[16:53] tsimonq2: we switched to that believing that it would be easier to get into than "here's five random universe packages that have open cves"
[16:53] tsimonq2: .. the old list also didn't take into account that oftentimes there's no upstream patches, so actually fixing those issues might have been harder; with the debian merge possibilities, there's at least some known patches :)
[16:54] that said, if you like rolling the dice to see what to work on, it's a simple script that generates it.
[16:54] Makes sense. :)
[16:54] (it does make for an okay "I should re-triage 5 old cves today" helper)
[16:54] hehe
[16:55] Oh, one thing, while I am here.
[16:55] QtWebEngine has embedded Chromium, and would be good to deliver the patch release via bionic-security.
[16:55] We can discuss more in -hardened but expect that Soon.
[16:56] tsimonq2: cool, let's discuss more in ubuntu-hardened
[16:56] Cool. Nothing else from me :)
[16:56] mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson, leosilva, amurray, msalvatore, ebarretto: Thanks! Thanks also to tsimonq2!
[16:56] #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds: Please leave swords by the door | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendars | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology | be nice
[16:56] Meeting ended Mon Jul 23 16:56:41 2018 UTC.
[16:56] Minutes: http://ubottu.com/meetingology/logs/ubuntu-meeting/2018/ubuntu-meeting.2018-07-23-16.31.moin.txt
[16:56] thanks ratliff!
[16:56] Thanks!
[16:56] thanks ratliff
[16:56] tks ratliff
[16:57] thanks ratliff!
[16:57] thanks ratliff
[16:57] ratliff: thanks!
[16:58] Hi everyone, I lost my turn ... had a minor power outage here ... this must be a sign of luck ... lol ... Today is my first day joining the Team, so I am still catching up! I am really excited to join the team and to work with the community. Feel free to ping me whenever you want!
[17:13] ebarretto: what a way to start the new job, eh? :) hehe, welcome aboard