18:03:36 #startmeeting
18:03:36 Meeting started Mon Aug 27 18:03:36 2012 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:36 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:41 The meeting agenda can be found at:
18:03:42 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:03:50 [TOPIC] Weekly stand-up report
18:03:55 I'll go first
18:04:10 I'm in the happy place this week
18:04:36 I've got more MIR auditing and pending updates
18:05:13 I should also be finished with the second iteration of aa-sandbox and send that to the list
18:05:21 mdeslaur is not here today
18:05:26 sbeattie: you're up
18:05:35 I'm on community this week.
18:05:54 I also have a couple of updates to finish testing and push out.
18:06:22 I also need to get the apparmor-dbus ppa going and review aa-sandbox.
18:06:32 that's it for me.
18:06:43 did micahg make it back in time?
18:06:47 sbeattie: I recommend holding off on that review til I submit again
18:06:55 yeah
18:08:04 I think he is not. he can jump in later if he comes back
18:08:06 I'll go
18:08:16 I'm handling triage this week
18:08:38 I just returned from a long vacation and I'm still catching up
18:08:57 Another couple hours and I should be back on top of everything
18:09:28 While I was out, I finished xmlrpc-c patches for CVE-2012-0876 and CVE-2012-1148
18:09:29 The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876)
18:09:30 Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148)
18:09:48 I'll need to test those patches and try to get the updates out
18:10:03 I say 'try' because I'll be at the Linux Security Summit Thursday and Friday of this week
18:10:18 before I leave, I'm going to help jdstrand with a security audit
18:10:22 I think that's it for me
18:11:00 I guess I am up
18:11:04 jjohansen: yep, you're up
18:12:32 I need to finish up the 2.8 port of the aa-dbus patches, and finish debugging the current set of kernel patches (rcu, fs update, ..), then I will be heading to Linux Security Summit for Thursday and Friday this week
18:13:47 that is it for me; jdstrand, back to you
18:13:52 thanks
18:14:02 [TOPIC] Highlighted packages
18:14:05 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:14:09 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:14:16 http://people.canonical.com/~ubuntu-security/cve/pkg/smokeping.html
18:14:19 http://people.canonical.com/~ubuntu-security/cve/pkg/chasen.html
18:14:22 http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:14:26 http://people.canonical.com/~ubuntu-security/cve/pkg/mhonarc.html
18:14:29 http://people.canonical.com/~ubuntu-security/cve/pkg/ruby-actionpack-2.3.html
18:14:35 [TOPIC] Miscellaneous and Questions
18:14:41 There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:14:48 Does anyone have any other questions or items to discuss?
18:20:02 sbeattie, jjohansen, tyhicks: thanks!
18:20:03 #endmeeting