16:31 <ratliff> #startmeeting
16:31 <meetingology> Meeting started Mon Jul 23 16:31:43 2018 UTC.  The chair is ratliff. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:31 <meetingology> 
16:31 <meetingology> Available commands: action commands idea info link nick
16:31 <ratliff> The meeting agenda can be found at:
16:32 <ratliff> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:32 <ratliff> [TOPIC] Announcements
16:32 <ratliff> Thanks to Simon Quigley (tsimonq2) for providing a debdiff for qutebrowser in bionic (LP: #1781295) and debdiffs for kwallet-pam in xenial-bionic (LP: #1768649)!
16:32 <ubottu> Launchpad bug 1781295 in qutebrowser (Ubuntu Bionic) "CVE-2018-10895: Possible remote code execution via CSRF in qute://settings " [Medium,Fix released] https://launchpad.net/bugs/1781295
16:32 <ubottu> Launchpad bug 1768649 in pam-kwallet (Ubuntu Trusty) "[CVE] Access to privileged files" [High,New] https://launchpad.net/bugs/1768649
16:32 <ratliff> Thanks to Dan Streetman (ddstreet) for providing debdiffs for libxstream-java for trusty and xenial (LP: #1780844)!
16:32 <ubottu> Launchpad bug 1780844 in libxstream-java (Ubuntu Xenial) "CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'" [Medium,Fix released] https://launchpad.net/bugs/1780844
16:32 <ratliff> Your work is very much appreciated and will keep Ubuntu users secure. Thank you!
16:32 <ratliff> The Ubuntu Security team is hiring. See https://grnh.se/8c0a6c1f1 for more details.
16:33 <ratliff> We welcome Mike Salvatore and Eduardo Barretto to the Ubuntu Security Team today! Welcome Mike and Eduardo! We are thrilled that you are joining us to help continue improving security for Ubuntu users!
16:33 <ratliff> [TOPIC] Weekly stand-up report
16:33 <ratliff> mdeslaur: you're up
16:34 <mdeslaur> I'm on triage this week
16:34 <mdeslaur> and I'm working on clamav updates
16:34 <mdeslaur> and hopefully we'll get new mysql releases that I can work on
16:34 <mdeslaur> that's about it from me, sbeattie, you're up
16:35 <sbeattie> I'm in the happy place this week
16:35 <sbeattie> I'm working on an internal issue
16:35 <sbeattie> I'm also working on intel-microcode updates
16:35 <sbeattie> I have some other random tasks to pick up, before I go on vacation next week.
16:35 <sbeattie> that's it for me.
16:35 <sbeattie> jjohansen: you're up
16:36 <jjohansen> I have a few LSS-NA duties to take care of this week
16:36 <jjohansen> err, make that -EU
16:37 <jjohansen> I need to finish looking into mjg's network labeling patch
16:37 <jjohansen> and I need to get back to working on prompt mode
16:37 <tsimonq2> pr
16:37 <tsimonq2> whoops
16:37 <ratliff> lol, good to see you tsimonq2! thanks for the updates! :)
16:38 <jjohansen> :)
16:38 <jjohansen> that's it for me
16:38 <jjohansen> sarnold: you are up
16:39 <tsimonq2> hehe ratliff :)
16:39 <tsimonq2> Thanks
16:41 <sarnold> I'm in the happy place this week
16:41 <sarnold> I'm preparing an apparmor presentation and sadly neglecting the desktop portals MIR
16:42 <sarnold> that's it for me, chrisccoulson?
16:42 <chrisccoulson> I need to spend a bit more time this week preparing thunderbird 60 updates
16:42 <chrisccoulson> I've also got an embargoed issue
16:44 <chrisccoulson> I'll be spending time on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726, hopefully uninterrupted
16:44 <ubottu> Debian bug 872726 in src:linux "linux: apparmor doesn't use proper audit event ids" [Normal,Open]
16:44 <chrisccoulson> and then we'll see what else :)
16:44 <chrisccoulson> that's me done
16:44 <chrisccoulson> (no rust!)
16:44 <ratliff> yay!
16:44 <ratliff> I'm in the happy place this week
16:45 <ratliff> I'm just back from a sprint, so I have some catch up work to do and also some sprint outcome work
16:45 <ratliff> I have a bunch of internal work to do (see announcements)
16:45 <ratliff> msalvatore: you are up next
16:46 <msalvatore> Hi, everyone. I just joined the team last Monday, so most of my time has been spent on general on-boarding tasks and getting up to speed.
16:47 <msalvatore> I'm also working on resolving CVE-2018-10886 which is the ZipSlip vulnerability in ant.
16:47 <ubottu> ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886)
16:47 <msalvatore> I'm hoping to close that out today or tomorrow and move onto the next task.
16:47 <msalvatore> That's it for me. You're up ebarretto.
16:50 <ratliff> we will catch up with ebarretto later
16:51 <ratliff> [TOPIC] Highlighted packages
16:51 <ratliff> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so.
16:51 <ratliff> See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:51 <ratliff> [TOPIC] Miscellaneous and Questions
16:51 <ratliff> Does anyone have any other questions or items to discuss?
16:51 <leosilva> hehe I had.
16:52 * sbeattie welcomes msalvatore and ebarretto
16:52 <tsimonq2> When did highlighted packages turn into Debian merges only? ;)
16:52 <leosilva> I'm in community, finished mutt updates and will move to python-cryptography and so hunting.
16:52 * tsimonq2 waves to msalvatore and ebarretto as well
16:52 <leosilva> that's it for me.
16:52 <ratliff> I'm so sorry leosilva
16:52 <leosilva> np
16:52 <ratliff> leosilva: thank you
16:53 <sarnold> tsimonq2: that was a few months ago I think, it seemed more likely to get traction than starting-from-scratch ..
16:53 <tsimonq2> sarnold: Ah.
16:53 <sbeattie> tsimonq2: we switched to that believing that it would be easier to get into than "here's five random universe packages that have open cves"
16:53 <sarnold> tsimonq2: .. the old list also didn't take into account that oftentimes there's no upstream patches, so actually fixing those issues might have been harder; with the debian merge possibilities, there's at least some known patches :)
16:54 <sbeattie> that said, if you like rolling the dice to see what to work on, it's a simple script that generates it.
16:54 <tsimonq2> Makes sense. :)
16:54 <sbeattie> (it does make for an okay "I should re-triage 5 old cves today" helper)
16:54 <tsimonq2> hehe
16:55 <tsimonq2> Oh, one thing, while I am here.
16:55 <tsimonq2> QtWebEngine has embedded Chromium, and would be good to deliver the patch release via bionic-security.
16:55 <tsimonq2> We can discuss more in -hardened but expect that Soon.
16:56 <ratliff> tsimonq2: cool, let's discuss more in ubuntu-hardened
16:56 <tsimonq2> Cool. Nothing else from me :)
16:56 <ratliff> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson, leosilva, amurray, msalvatore, ebarretto: Thanks! Thanks also to tsimonq2!
16:56 <ratliff> #endmeeting