17:12 #startmeeting
17:12 Meeting started Mon Jan 12 17:12:45 2015 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
17:12 Available commands: action commands idea info link nick
17:12 The meeting agenda can be found at:
17:12 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
17:12 [TOPIC] Announcements
17:13 Lev Lazinskiy (levlaz) provided a debdiff for precise for nginx (LP: #1370478). Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
17:13 Launchpad bug 1370478 in nginx (Ubuntu Utopic) "[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"" [Undecided,Fix released] https://launchpad.net/bugs/1370478
17:13 [TOPIC] Weekly stand-up report
17:13 I'll go first
17:13 I'm on triage this week
17:13 hi
17:13 I have some stuff to look at regarding snappy for this week
17:13 and need to get to my pending updates
17:14 mdeslaur: you're up
17:14 I'm on community this week
17:14 I'm currently testing openssl which should go out in a few minutes
17:14 I also have an embargoed issue to look at
17:14 and have a bunch of other pending CVE updates I'm working on
17:14 that's it for me, sbeattie
17:15 * mdeslaur pokes sbeattie with stick
17:16 perhaps go to tyhicks and circle back around to sbeattie?
17:17 I'm currently working on git updates
17:17 the precise backport was failing the in-tree tests but I think I've just identified the problem so they should be going out today or tomorrow
17:17 then I plan on helping out wherever possible with bug #1408106
17:17 bug 1408106 in AppArmor "attach_disconnected not sufficient for overlayfs" [Critical,In progress] https://launchpad.net/bugs/1408106
17:18 tyhicks: where are we on that dbus apparmor bug?
17:18 jdstrand: that's next on my list :)
17:18 ah ok
17:19 jdstrand: I haven't been able to look at it in some time
17:19 but I expect to spend most of my time this week on bug #1362469
17:19 bug 1362469 in dbus (Ubuntu) "AppArmor unrequested reply protection generates unallowable denials" [Medium,In progress] https://launchpad.net/bugs/1362469
17:19 that's it for me
17:19 * sbeattie is here
17:19 not meaning to rush or reprioritize it. it came up in a meeting today that we'll likely be looking at moving rtm branch to vivid in the coming couple/few months
17:20 tyhicks: ^
17:20 jdstrand: yep, I need to get it fixed and then post the latest set of revisions to the upstream dbus bug
17:20 cool, thanks
17:20 so there are two good reasons to get it fixed asap
17:20 go ahead, sbeattie
17:20 (that's it from me-- sbeattie and then jjohansen?)
17:20 I have a set of yaml updates to go out later today.
17:21 I have some upstream apparmor patches to review
17:21 I need to get the pie stuff back on the front burner
17:21 I'll also probably pick up the binutils update to work on in the background
17:22 Sorry, I'm also expecting to work on bug 1408106 as needed as well.
17:22 bug 1408106 in AppArmor "attach_disconnected not sufficient for overlayfs" [Critical,In progress] https://launchpad.net/bugs/1408106
17:22 that's it for me, jjohansen?
17:22 There are a couple of things to prep for the monthly apparmor meeting, some outstanding apparmor patches to finish reviewing, finish up the work on Bug #1408833, some work with tyhicks on the interaction of overlayfs and apparmor (as mentioned already Bug #1408106), and of course continuing the apparmor upstreaming work.
17:22 bug 1408833 in AppArmor "broken postinst test for uvtool-libvirt on utopic" [Undecided,Confirmed] https://launchpad.net/bugs/1408833
17:24 that's it for me, sarnold
17:25 I'm in the happy place this week; I'm working on an update to coreutils, and there are five packages needing MIR auditing -- I probably can't get to all of them this week unless several of them are smaller than I expect
17:25 thanks to those filing early MIR requests :) much appreciated
17:26 that's it for me, chrisccoulson
17:26 sarnold: fyi, I assigned one more to you today
17:26 it's mozilla updates for me this week
17:26 oh, I didn't try the new firefox yet
17:27 I'm fixing a build failure (armhf) at the moment
17:27 I thought chrisccoulson wanted us to do that tomorrow
17:27 I thought by tomorrow
17:27 ah
17:27 other than mozilla updates, I'm working on bug 1377198 which fixes some weird behaviour in an API that the browser is using
17:27 chrisccoulson: I'm running the new firefox, not seeing issues.
17:28 bug 1377198 in Oxide "CertificateError is not cancelled if you stop the pending navigation" [High,Triaged] https://launchpad.net/bugs/1377198
17:28 excellent, thanks
17:28 I think that's me done
17:29 [TOPIC] Highlighted packages
17:30 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:30 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:30 http://people.canonical.com/~ubuntu-security/cve/pkg/gcc-4.9-powerpc-cross.html
17:30 http://people.canonical.com/~ubuntu-security/cve/pkg/ldap-account-manager.html
17:30 http://people.canonical.com/~ubuntu-security/cve/pkg/bfgminer.html
17:30 http://people.canonical.com/~ubuntu-security/cve/pkg/ganeti.html
17:30 http://people.canonical.com/~ubuntu-security/cve/pkg/rawstudio.html
17:30 [TOPIC] Miscellaneous and Questions
17:30 Does anyone have any other questions or items to discuss?
17:31 I've got one for jjohansen, sarnold, and sbeattie regarding the libapparmor patches waiting for review
17:31 how can I help the review process there?
17:31 tyhicks: can you please provide 48h to my day
17:31 would it help if I wrote up a man page for the new functions?
17:32 jjohansen: :)
17:32 tyhicks: no, it's just spending the time to give them a proper review
17:32 I need to write a man page before release, anyways, so it might help show the "bigger picture" during review
17:33 jjohansen: ack - I figured that was the bottleneck but wanted to make sure there was nothing else I could do
17:33 tyhicks: I would suggest holding off on that, I already have nacks on some of it
17:33 ok
17:33 tyhicks: sorry, I was daunted by just how many patches are still outstanding..
17:33 (please send out nacks asap so I can start on new revisions)
17:34 jdstrand: that's all that I had
17:34 sarnold: he was just trying to make sure you would have your fill over the christmas break
17:34 tyhicks: ack
17:35 jjohansen: no fear there, it was an impressive patch dump :)
17:36 sure, now /me has to give sarnold an even bigger patch dump to keep him happy
17:36 :)
17:38 mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, chrisccoulson: thanks!
17:38 #endmeeting