20080410

Meeting

Agenda for this meeting

Notes

http://blackbird.kaarsemaker.net/mootbot/meeting/ubuntu-meeting.20080410_2200.html

People Present:

   1. keescook
   2. propagandist
   3. nijaba
   4. Keybuk
   5. jdstrand
   6. ubotu

Logs

http://blackbird.kaarsemaker.net/mootbot/meeting/ubuntu-meeting.log.20080410_2200.html

Started logging meeting in #ubuntu-meeting
[20:00:23] <keescook> hello! who all is here for the security team meeting?
[20:01:44] * propagandist waves
[20:01:50] <keescook> :)
[20:02:02] <nijaba> o/
[20:02:21] <keescook> emgent had to leave, so I put a few quick agenda items in the meeting today
[20:02:24] <Keybuk> I'm not here
[20:02:28] <keescook> [topic] agenda
[20:02:38] <keescook> [link] https://wiki.ubuntu.com/SecurityTeam/Meeting
[20:02:42] <jdstrand> hi!
[20:02:43] <keescook> Keybuk: noted. :)
[20:03:13] <keescook> I have to split for another meeting in half an hour, so hopefully we can make this quick. :)
[20:03:31] <jdstrand> ok go!
[20:03:38] <keescook> I'm going to cover emgent's topics quickly, since they're more "announcements" than anything else.
[20:03:43] <keescook> [topic] ubuntu whitehat
[20:04:04] <keescook> emgent has been working on anteater for reporting private security issues to Launchpad.
[20:04:11] <keescook> [link] https://blueprints.launchpad.net/ubuntu-whitehat-project/+spec/anteater-plb-support
[20:04:27] <keescook> so anyone interested in that, please have a look. He's also looking for help with documentation
[20:04:33] <keescook> [link] https://blueprints.launchpad.net/ubuntu-whitehat-project/+spec/anteater-docs
[20:05:12] <keescook> I'd also like to have emgent organize the first whitehat meeting, and announce it to the ubuntu-hardened mailing list.
[20:05:33] <keescook> [action] emgent to send email to ubuntu-hardened mailing list, with schedule for first whitehat meeting
[20:05:51] <keescook> [topic] CVE review
[20:06:09] <keescook> anyone got any CVEs they'd like to call attention to?
[20:07:03] <jdstrand> emgent gave me a list of debdiffs that I'll be looking at soon
[20:07:25] <keescook> okay, cool. I haven't had time yet this week to review the security sponsorship queue
[20:07:41] <keescook> hm, Fujitsu is missing... we scheduled this meeting special for him :P
[20:07:48] <jdstrand> I cleared out a few things today, and have been trying to see where hardy really stands
[20:08:29] <keescook> if anyone reading this has some interest, I'd like to see if we can help calc with CVE-2007-4575 (bug 174112). It's been open a while, and the backporting isn't trivial.
[20:08:32] <jdstrand> (quite a few uploads fixed things)
[20:08:45] <keescook> jdstrand: very cool; nice work.
[20:09:40] <keescook> okay, moving on.
[20:09:46] <keescook> [topic] roadmap progress
[20:10:08] <keescook> the roadmap has been tweaked a bit since the last meeting, and it's looking much better.
[20:10:18] <keescook> the FAQ and KnowledgeBase still need work though. :)
[20:10:28] <keescook> [link] https://wiki.ubuntu.com/SecurityTeam/Roadmap
[20:11:22] <ubotu> Launchpad bug 174112 in openoffice.org "[openoffice.org] [CVE-2007-4575] Potential arbitrary code execution vulnerability in 3rd party module (HSQLDB)" [Critical,In progress] https://launchpad.net/bugs/174112
[20:11:23] <ubotu> HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods." (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575)
[20:11:33] <jdstrand> the hsqldb part of that is fixed in hardy btw
[20:11:54] <keescook> yeah, hardy is okay, but the backports are supposedly not easy, according to calc.
[20:12:02] * jdstrand nods
[20:12:15] <keescook> [topic] SELinux progress
[20:12:20] <jdstrand> (I just happened to update ubuntu-cve-tracker for that one today ;)
[20:12:25] <keescook> propagandist: how'd things?
[20:12:30] <keescook> er, how're things?
[20:12:33] <propagandist> SETools has been synced with Debian. Several bugs have been submitted and I'll be trying to resolve as many as possible asap. I've been working on fixes to the cups, cups-pdf, and service restarting problems and hope to have an updated refpol package soon.
[20:12:53] <keescook> cool, are any of the setools bugs show-stoppers?
[20:13:24] <propagandist> Not that I know of, but I haven't looked at them since earlier this week.
[20:14:02] <keescook> I chatted with slangasek briefly about release notes including SELinux -- it sounds like something can get worked out.
[20:14:04] <propagandist> Redhat has given us some props:
[20:14:10] <propagandist> [LINK] http://www.press.redhat.com/2008/04/09/red-hat-welcomes-opensolaris-and-ubuntu-to-the-world-of-type-enforcement/
[20:14:17] <keescook> haha nice
[20:14:29] <propagandist> ;o]
[20:14:42] <propagandist> Not much else to report.
[20:15:21] <keescook> no news can be good news. :)
[20:15:23] <keescook> thanks!
[20:15:32] <keescook> [topic] hardening wrapper testing
[20:16:06] <keescook> the buildds for intrepid are still not set up for hardening, but infinity and doko have promised to get to a solution before the archive opens.
[20:16:38] <keescook> Debian adoption continues, but slowly, and is uncovering bugs in various arch flavors.
[20:17:13] <keescook> anyone else uncover any issues or ideas for the wrappers?
[20:19:01] <keescook> [topic] next meeting
[20:19:16] <keescook> I propose same time & place in two weeks...
[20:19:28] <jdstrand> cool by me
[20:20:04] <propagandist> sounds good
[20:21:02] <keescook> okay, Apr 24th, 2000 UTC #ubuntu-meeting.
[20:21:08] <keescook> thanks everyone! yay quick meeting! :)
[20:21:42] <keescook> #endmeeting
Meeting ended.

MeetingLogs/Security/20080410 (last edited 2008-08-06 16:32:20 by localhost)