18:12:43 #startmeeting
18:12:43 Meeting started Mon Sep 17 18:12:43 2012 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:12:43 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:12:49 The meeting agenda can be found at:
18:12:50 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:12:53 [TOPIC] Announcements
18:15:24 * jdstrand is waiting for one more person
18:16:41 jdstrand: pong
18:16:57 sarnold: fyi, The meeting agenda can be found at: https://wiki.ubuntu.com/SecurityTeam/Meeting
18:17:01 (sorry friends, I was unaware that #ubuntu-* was the shorthand for "find it on freenode")
18:17:18 so, only announcement this week is welcoming sarnold to the ubuntu-security team :)
18:17:32 sarnold: welcome! (again!)
18:17:33 sarnold: welcome! :)
18:17:34 Welcome sarnold
18:17:50 thank you all :)
18:18:18 [TOPIC] Weekly stand-up report
18:18:22 I'll go first
18:19:15 I'm on triage this week and am also patch piloting. I am supposed to do that today, but may need to reschedule... we'll see
18:19:38 I've got quite a bit of backlog from last week that I need to get through
18:19:47 and also follow-ups surrounding the manager's sprint
18:20:08 I also figure I'll be helping sarnold come up to speed a bit
18:20:32 I've also got some audits to do, and hopefully get to some updates
18:20:37 mdeslaur: you're up
18:21:18 I just published some updates
18:21:30 and am working on testing dhcp and dbus updates
18:21:45 I need to investigate some gpg key issues
18:21:51 and then will pick something else from the list
18:21:55 that's it from me
18:21:57 sbeattie: you're up
18:22:05 I'm on community this week
18:22:32 I'm briefly looking at a regression fix for openjdk-7 for doko
18:23:02 I've also got glibc on my plate
18:23:48 I've still got the apparmor/dbus stuff to upload to a ppa
18:24:02 after that, I'll try to pick up another update or two
18:24:12 that's it for me.
18:24:36 I'm up since Micah is out today
18:24:43 I'm in the happy place again this week
18:24:50 I'll be submitting the fix for bug 1051892 to upstream OpenSSL today for their comments
18:24:52 Launchpad bug 1051892 in openssl (Ubuntu) "[Quantal] Regression in TLS 1.2 workarounds" [High,Triaged] https://launchpad.net/bugs/1051892
18:25:00 Then I'll proceed with preparing updates for rubygems and ruby1.9.1
18:25:10 With the kernel merge window coming up soon, I need to get through all of my eCryptfs patch review backlog
18:25:25 I'm also in the process of getting the latest AppArmor introspection interface patches from jjohansen to start work on my related work items
18:25:35 jjohansen: You're up
18:25:47 I have an apparmor QRT failure happening on the QA machines but not locally to finish tracking down. The IMA config and YAMA upstream sync to finish up.
18:25:47 I still have to get together with sbeattie/tyhicks over apparmor dbus stuff
18:25:56 And then it's back to apparmor labeling/stacking
18:26:55 that's it for me, jdstrand back to you
18:28:09 sarnold: you're up
18:28:18 jjohansen: jeez, already ignoring the new guy :P
18:28:27 oops
18:28:29 new-employee handling; I think I've just about finished making launchpad happy
18:29:00 I downloaded the magic cve tool but I was a bit shocked at how many CVE entries from three years ago appear to still need work -- are those for real? :)
18:29:14 yes, they are
18:29:33 oh. my.
18:29:46 Canonical-supported CVEs should not really be above 'low' though
18:30:17 community supported packages are in various states of up-to-dateness
18:30:54 so, CVE-2008-2004 isn't 'low' but it does have a handful of 'needed'... is that waiting on upstream?
18:30:54 The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004)
18:30:57 (of course, we have some mediums to do, but you'll see more of that this week)
18:31:40 sarnold: without looking, xen-3.3 userspace is in universe and community supported
18:31:52 ah!
18:32:02 so the situation is not as dire as it first looked. Thanks.
18:32:21 jdstrand: I think that covers me for now. :) Thanks.
18:32:26 well, not for canonical supported stuff anyway :)
18:32:30 np
18:32:44 which brings me to our next topic
18:32:51 [TOPIC] Highlighted packages
18:32:56 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:33:00 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:33:07 http://people.canonical.com/~ubuntu-security/cve/pkg/sun-javadb.html
18:33:11 http://people.canonical.com/~ubuntu-security/cve/pkg/osc.html
18:33:14 http://people.canonical.com/~ubuntu-security/cve/pkg/ejabberd.html
18:33:17 http://people.canonical.com/~ubuntu-security/cve/pkg/pure-ftpd.html
18:33:19 http://people.canonical.com/~ubuntu-security/cve/pkg/libdbd-pg-perl.html
18:33:30 [TOPIC] Miscellaneous and Questions
18:33:40 There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:33:47 Does anyone have any other questions or items to discuss?
18:37:44 #endmeeting