18:12:43 <jdstrand> #startmeeting
18:12:43 <meetingology> Meeting started Mon Sep 17 18:12:43 2012 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:12:43 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:12:49 <jdstrand> The meeting agenda can be found at:
18:12:50 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:12:53 <jdstrand> [TOPIC] Announcements
18:15:24 * jdstrand is waiting for one more person
18:16:41 <sarnold> jdstrand: pong
18:16:57 <jdstrand> sarnold: fyi, The meeting agenda can be found at: https://wiki.ubuntu.com/SecurityTeam/Meeting
18:17:01 <sarnold> (sorry friends, I was unaware that #ubuntu-* was the shorthand for "find it on freenode")
18:17:18 <jdstrand> so, only announcement this week is welcoming sarnold to the ubuntu-security team :)
18:17:32 <mdeslaur> sarnold: welcome! (again!)
18:17:33 <jdstrand> sarnold: welcome! :)
18:17:34 <jjohansen> Welcome sarnold
18:17:50 <sarnold> thank you all :)
18:18:18 <jdstrand> [TOPIC] Weekly stand-up report
18:18:22 <jdstrand> I'll go first
18:19:15 <jdstrand> I'm on triage this week and am also patch piloting. I am supposed to do that today, but may need to reschedule... we'll see
18:19:38 <jdstrand> I've got quite a bit of backlog from last week that I need to get through
18:19:47 <jdstrand> and also follow-ups surrounding the manager's sprint
18:20:08 <jdstrand> I also figure I'll be helping sarnold come up to speed a bit
18:20:32 <jdstrand> I've also got some audits to do, and hopefully get to some updates
18:20:37 <jdstrand> mdeslaur: you're up
18:21:18 <mdeslaur> I just published some updates
18:21:30 <mdeslaur> and am working on testing dhcp and dbus updates
18:21:45 <mdeslaur> I need to investigate some gpg key issues
18:21:51 <mdeslaur> and then will pick something else from the list
18:21:55 <mdeslaur> that's it from me
18:21:57 <mdeslaur> sbeattie: you're up
18:22:05 <sbeattie> I'm on community this week
18:22:32 <sbeattie> I'm briefly looking at a regression fix for openjdk-7 for doko
18:23:02 <sbeattie> I've also got glibc on my plate
18:23:48 <sbeattie> I've still got the apparmor/dbus stuff to upload to a ppa
18:24:02 <sbeattie> after that, I'll try to pick up another update or two
18:24:12 <sbeattie> that's it for me.
18:24:36 <tyhicks> I'm up since Micah is out today
18:24:43 <tyhicks> I'm in the happy place again this week
18:24:50 <tyhicks> I'll be submitting the fix for bug 1051892 to upstream OpenSSL today for their comments
18:24:52 <ubottu> Launchpad bug 1051892 in openssl (Ubuntu) "[Quantal] Regression in TLS 1.2 workarounds" [High,Triaged] https://launchpad.net/bugs/1051892
18:25:00 <tyhicks> Then I'll proceed with preparing updates for rubygems and ruby1.9.1
18:25:10 <tyhicks> With the kernel merge window coming up soon, I need to get through all of my eCryptfs patch review backlog
18:25:25 <tyhicks> I'm also in the process of getting the latest AppArmor introspection interface patches from jjohansen to start work on my related work items
18:25:35 <tyhicks> jjohansen: You're up
18:25:47 <jjohansen> I have an apparmor QRT failure happening on the QA machines but not locally to finish tracking down. The IMA config and YAMA upstream sync to finish up.
18:25:47 <jjohansen> I still have to get together with sbeattie/tyhicks over apparmor dbus stuff
18:25:56 <jjohansen> And then it's back to apparmor labeling/stacking
18:26:55 <jjohansen> that's it for me, jdstrand back to you
18:28:09 <jdstrand> sarnold: you're up
18:28:18 <jdstrand> jjohansen: jeez, already ignoring the new guy :P
18:28:27 <jjohansen> oops
18:28:29 <sarnold> new-employee handling; I think I've just about finished making launchpad happy
18:29:00 <sarnold> I downloaded the magic cve tool but I was a bit shocked at how many CVE entries from three years ago appear to still need work -- are those for real? :)
18:29:14 <jdstrand> yes, they are
18:29:33 <sarnold> oh. my.
18:29:46 <jdstrand> Canonical-supported CVEs should not really be above 'low' though
18:30:17 <jdstrand> community supported packages are in various states of up-to-dateness
18:30:54 <sarnold> so, CVE-2008-2004 isn't 'low' but it does have a handful of 'needed'... is that waiting on upstream?
18:30:54 <ubottu> The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004)
18:30:57 <jdstrand> (of course, we have some mediums to do, but you'll see more of that this week)
18:31:40 <jdstrand> sarnold: without looking, xen-3.3 userspace is in universe and community supported
18:31:52 <sarnold> ah!
18:32:02 <sarnold> so the situation is not as dire as it first looked. Thanks.
18:32:21 <sarnold> jdstrand: I think that covers me for now. :) Thanks.
18:32:26 <jdstrand> well, not for canonical supported stuff anyway :)
18:32:30 <jdstrand> np
18:32:44 <jdstrand> which brings me to our next topic
18:32:51 <jdstrand> [TOPIC] Highlighted packages
18:32:56 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:33:00 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:33:07 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sun-javadb.html
18:33:11 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/osc.html
18:33:14 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ejabberd.html
18:33:17 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/pure-ftpd.html
18:33:19 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libdbd-pg-perl.html
18:33:30 <jdstrand> [TOPIC] Miscellaneous and Questions
18:33:40 <jdstrand> There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:33:47 <jdstrand> Does anyone have any other questions or items to discuss?
18:37:44 <jdstrand> #endmeeting