18:25:46 #startmeeting
18:25:46 Meeting started Mon Jan 14 18:25:46 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:25:46 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:26:09 The meeting agenda can be found at:
18:26:12 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:26:18 [TOPIC] Announcements
18:26:51 Thanks to the following individuals who provided security for Ubuntu:
18:27:00 Stefan Bader (smb) provided debdiffs for oneiric-quantal for xen
18:27:05 Chad Miller (chad) for getting chromium-browser up to 23.0.1271.97 for lucid-quantal
18:27:08 Benjamin Drung (bdrung) provided an update for precise and quantal for vlc (LP: #1084054)
18:27:10 Launchpad bug 1084054 in vlc (Ubuntu Oneiric) "Denial of service via crafted PNG file" [Undecided,Confirmed] https://launchpad.net/bugs/1084054
18:27:14 Christian Kuersteiner (ckuerste) provided a debdiff for precise for xymon (LP: #1092412)
18:27:15 Launchpad bug 1092412 in xymon (Ubuntu Oneiric) "Xymon Multiple XSS" [Undecided,New] https://launchpad.net/bugs/1092412
18:27:24 Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:27:30 [TOPIC] Weekly stand-up report
18:27:35 I'll go first
18:27:44 I'm on triage today
18:28:16 rather, this week
18:29:05 I planned to get nss out last week, but was unable. I need to do new upstream releases for nss and nspr for this update, and I spent last week preparing those
18:29:13 that should go out today or tomorrow
18:29:57 chromium-browser (as mentioned) is now at 23.0.1271.97 for the stable releases, but upstream released 24 last week, so I'll be sponsoring/testing that as well
18:30:06 ±o/
18:30:10 argh
18:30:27 \o/
18:30:31 I'm going to look at the recent java issue some more
18:31:06 and I need to patch pilot
18:31:09 mdeslaur: you're up
18:31:18 I'm on community this week
18:31:33 I've just released a couple of security updates, and will pick some more off the list
18:32:11 and that's pretty much it. sbeattie, you're up
18:32:27 I'm again an apparmor monkey this week
18:33:01 My primary focus is on getting the display manager prototype going
18:33:45 I'm not sure where jjohansen is on getting the alpha out the door, but may pitch in to help on that after getting 2.8.1 out last week.
18:34:05 I'll also poke at the random things that have popped up on the list.
18:34:17 that's it for me. tyhicks?
18:34:27 Similar to last week. Embargoed item and apparmor policy kernel interface.
18:34:39 That's it for me. Back to you, jdstrand
18:35:06 actually, we skipped sarnold
18:35:10 sarnold: you're up
18:35:20 who's sarnold?
18:35:20 sorry, sarnold :)
18:35:22 :)
18:35:33 I'm in happy place this week, hoping to make forward progress on dnsmasq update, now using mdeslaur's suggestion for VM with two NICs, will combine with jdstrand's suggestion to use two VMs rather than do the testing via my host...
18:36:54 .. but if I have more trouble reproducing the reporter's situation, I'll be leaning towards just regression testing.
18:37:10 sarnold: sounds reasonable
18:37:37 (I'm thinking end-of-the-day today as the decision point...)
18:37:57 jdstrand: back to you
18:38:16 sarnold: you can get one of us to review your changes too, as a sanity check/second opinion since it affects an important package
18:38:36 mdeslaur: thanks :)
18:38:44 [TOPIC] Highlighted packages
18:38:50 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
18:38:54 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:39:35 Normally we provide a list of 5 packages. However, this week I'd like to ask for help on updating the recent rails vulnerabilities:
18:39:45 http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0156.html
18:39:46 active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity referen... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156)
18:39:49 http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0155.html
18:39:50 Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated b... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155)
18:40:28 [TOPIC] Miscellaneous and Questions
18:40:34 Does anyone have any other questions or items to discuss?
18:43:34 mdeslaur, sbeattie, tyhicks, sarnold: thanks!
18:43:36 #endmeeting