18:25:46 <jdstrand> #startmeeting
18:25:46 <meetingology> Meeting started Mon Jan 14 18:25:46 2013 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:26:09 <jdstrand> The meeting agenda can be found at:
18:26:12 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:26:18 <jdstrand> [TOPIC] Announcements
18:26:51 <jdstrand> Thanks to the following individuals who provided security for Ubuntu:
18:27:00 <jdstrand> Stefan Bader (smb) provided debdiffs for oneiric-quantal for xen
18:27:05 <jdstrand> Chad Miller (chad) for getting chromium-browser up to 23.0.1271.97 for lucid-quantal
18:27:08 <jdstrand> Benjamin Drung (bdrung) provided an update for precise and quantal for vlc (LP: #1084054)
18:27:10 <ubottu> Launchpad bug 1084054 in vlc (Ubuntu Oneiric) "Denial of service via crafted PNG file" [Undecided,Confirmed] https://launchpad.net/bugs/1084054
18:27:14 <jdstrand> Christian Kuersteiner (ckuerste) provided a debdiff for precise for xymon (LP: #1092412)
18:27:15 <ubottu> Launchpad bug 1092412 in xymon (Ubuntu Oneiric) "Xymon Multiple XSS" [Undecided,New] https://launchpad.net/bugs/1092412
18:27:24 <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:27:30 <jdstrand> [TOPIC] Weekly stand-up report
18:27:35 <jdstrand> I'll go first
18:27:44 <jdstrand> I'm on triage today
18:28:16 <jdstrand> rather, this week
18:29:05 <jdstrand> I planned to get nss out last week, but was unable. I need to do new upstream releases for nss and nspr for this update, and I spent last week preparing those
18:29:13 <jdstrand> that should go out today or tomorrow
18:29:57 <jdstrand> chromium-browser (as mentioned) is now at 23.0.1271.97 for the stable releases, but upstream releases 24 last week, so I'll be sponsoring/testing that as well
18:30:06 <mdeslaur> ±o/
18:30:10 <mdeslaur> argh
18:30:27 <mdeslaur> \o/
18:30:31 <jdstrand> I'm going to look at the recent java issue some more
18:31:06 <jdstrand> and I need to patch pilot
18:31:09 <jdstrand> mdeslaur: you're up
18:31:18 <mdeslaur> I'm on community this week
18:31:33 <mdeslaur> I've just released a couple of security updates, and will pick some more off the list
18:32:11 <mdeslaur> and that's pretty much it. sbeattie, you're up
18:32:27 <sbeattie> I'm again an apparmor monkey this week
18:33:01 <sbeattie> My primary focus is on getting the display manager prototype going
18:33:45 <sbeattie> I'm not sure where jjohansen is on getting the alpha out the door, but may pitch in to help on that after getting 2.8.1 out last week.
18:34:05 <sbeattie> I'll also poke at the random things that have popped up on the list.
18:34:17 <sbeattie> that's it for me. tyhicks?
18:34:27 <tyhicks> Similar to last week. Embargoed item and apparmor policy kernel interface.
18:34:39 <tyhicks> That's it for me. Back to you, jdstrand
18:35:06 <jdstrand> actually, we skipped sarnold
18:35:10 <jdstrand> sarnold: you're up
18:35:20 <mdeslaur> who's sarnold?
18:35:20 <tyhicks> sorry, sarnold :)
18:35:22 <mdeslaur> :)
18:35:33 <sarnold> I'm in a happy place this week, hoping to make forward progress on dnsmasq update, now using mdeslaur's suggestion for VM with two NICs, will combine with jdstrand's suggestion to use two VMs rather than do the testing via my host...
18:36:54 <sarnold> .. but if I have more trouble reproducing the reporter's situation, I'll be leaning towards just regression testing.
18:37:10 <mdeslaur> sarnold: sounds reasonable
18:37:37 <sarnold> (I'm thinking end-of-the-day today as the decision point...)
18:37:57 <sarnold> jdstrand: back to you
18:38:16 <mdeslaur> sarnold: you can get one of us to review your changes too, as a sanity check/second opinion since it affects an important package
18:38:36 <sarnold> mdeslaur: thanks :)
18:38:44 <jdstrand> [TOPIC] Highlighted packages
18:38:50 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:38:54 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:39:35 <jdstrand> Normally we provide a list of 5 packages. However, this week I'd like to ask for help on updating the recent rails vulnerabilities:
18:39:45 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0156.html
18:39:46 <ubottu> active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity referen... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156)
18:39:49 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0155.html
18:39:50 <ubottu> Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated b... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155)
18:40:28 <jdstrand> [TOPIC] Miscellaneous and Questions
18:40:34 <jdstrand> Does anyone have any other questions or items to discuss?
18:43:34 <jdstrand> mdeslaur, sbeattie, tyhicks, sarnold: thanks!
18:43:36 <jdstrand> #endmeeting