== Meeting ==
 * '''Who''': SecurityTeam
 * '''When''': [[http://www.timeanddate.com/worldclock/fixedtime.html?month=07&day=07&year=2014&hour=&min=30&sec=0&p1=0|Mon Jul 7th 2014 16:30 UTC]]
 * '''End''': 17:00 UTC
 * '''Where''': #ubuntu-meeting on irc.freenode.net
 * '''Chaired By''': JamieStrandboge (jdstrand)

== Attendance ==
 * jdstrand
 * mdeslaur
 * sbeattie
 * tyhicks
 * jjohansen
 * sarnold
 * chrisccoulson

== Not present ==
 * None

== Agenda ==
 * Announcements
  * Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703)
  * James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916)
  * Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452)
  * Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597)
  Your work is very much appreciated and will keep Ubuntu users secure. Great job!
 * Weekly stand-up report (each member discusses any pending and planned future work for the week)
  * jdstrand
   * off Wednesday
   * weekly role: happy place
   * !AppArmor testing
   * RTM work items
   * performance reviews
   * catch up
  * mdeslaur
   * weekly role: triage
   * pending updates (php5 and dbus), then work down the list
  * sbeattie
   * catch up
   * !AppArmor in support of abstract socket mediation
   * PIE by default on amd64, as time allows
  * tyhicks
   * ecryptfs part of https://bugzilla.kernel.org/show_bug.cgi?id=41692#c2
   * review patch on upcoming file encryption kernel feature
   * rebase my dbus merge against the latest version in Debian testing
   * !AppArmor abstract socket landing in Ubuntu
  * jjohansen
   * !AppArmor
    * abstract socket mediation
     * sync up with sbeattie, tyhicks and jdstrand
     * push patches to the list
     * iterate, push upstream
     * discuss risk and upload ordering
  * sarnold
   * weekly role: community
   * trust-store MIR
   * phone password handling merge request
   * !AppArmor review
   * RTM work items
  * chrisccoulson
   * oxide daily builds
   * chromium-browser sponsored upload
   * oxide update for 14.04
   * blog about chromium and oxide release cadence
 * Highlighted packages
  The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
  The highlighted packages for this week are: <>
 * Miscellaneous and Questions
  * RTM work items - reiterate prioritizing them to land soon

== Log ==
Meeting bot not available at time of meeting. Here are the logs:
{{{
11:54 < jdstrand> #startmeeting
11:54 < jdstrand> The meeting agenda can be found at:
11:54 < jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
11:54 < mdeslaur> hello!
11:54 < jdstrand> [TOPIC] Announcements
11:54 < jdstrand> Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703)
11:54 < ubottu> Launchpad bug 1330703 in libtorrent-rasterbar (Ubuntu Trusty) "[Security] UPNP opens port 0 which fully exposes PC to the internet." [High,Fix released] https://launchpad.net/bugs/1330703
11:54 < jdstrand> James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916)
11:54 < ubottu> Launchpad bug 1325916 in percona-xtradb-cluster-5.5 (Ubuntu Utopic) "Update to 5.5.37 for security updates" [Undecided,Fix released] https://launchpad.net/bugs/1325916
11:54 < jdstrand> Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597)
11:54 < ubottu> Launchpad bug 1335597 in mumble (Ubuntu Saucy) "CVE-2014-3755 and CVE-2014-3756" [Undecided,Confirmed] https://launchpad.net/bugs/1335597
11:54 -!- brendand [~brendand@5751f17e.skybroadband.com] has quit [Quit: Leaving]
11:54 < jdstrand> Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452)
11:54 < ubottu> Launchpad bug 1331452 in openssl098 (Ubuntu Utopic) "Please backport current CVEs for Precise LTS openssl098" [High,Fix released] https://launchpad.net/bugs/1331452
11:54 < jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job!
11:54 < jdstrand> [TOPIC] Weekly stand-up report
11:54 < jdstrand> I'll go first
11:55 < jdstrand> I'm back from vacation so am catching up on what I missed
11:55 < jdstrand> seems to be going ok so far
11:55 < jdstrand> thank you for covering for me
11:55 < jdstrand> I'm off Wednesday
11:55 < jdstrand> I plan to do apparmor testing of jjohansen's abstract socket mediation patch set
11:55 < mdeslaur> jdstrand: it was easy, I just did /nick jdstrand "I don't know." all week
11:55 < jdstrand> hehe
11:56 < jdstrand> I have an rtm work item I will be working on for click-apparmor
11:56 < jdstrand> and I need to really get cracking on the performance reviews
11:56 < jdstrand> mdeslaur: you're up
11:56 < mdeslaur> I'm on triage this week
11:56 < mdeslaur> I've got a few updates to test and release, including dbus
11:56 < mdeslaur> and am currently working on php5 updates
11:57 < mdeslaur> the list is getting long, so that's what I'll be doing the rest of the week also
11:57 < mdeslaur> that's it for me! sbeattie, you're up
11:57 < sbeattie> I'm also back from vacation and catching up on what I missed
11:57 < sbeattie> I digging back into the gcc pie stuff
11:58 < mdeslaur> ah crud, I forgot about smb's xen updates last week...I'll be sponsoring that too
11:58 < sbeattie> I need to sync up with jjohansen
11:58 < mdeslaur> sbeattie: hrm, please ask if jj has anything for you to help with before looking at gcc again
11:59 < sbeattie> mdeslaur: heh, yeah, that's what I'm trying to say.
11:59 < mdeslaur> cool
11:59 < sbeattie> mdeslaur: but ack
11:59 < sbeattie> anyway, that's pretty much it for me
11:59 < sbeattie> tyhicks: you're up
11:59 < tyhicks> I'm currently fixing an eCryptfs kernel bug
12:00 < tyhicks> it doesn't yet have an official bug, but it is mentioned in another bug: https://bugzilla.kernel.org/show_bug.cgi?id=41692#c2
12:00 < ubottu> bugzilla.kernel.org bug 41692 in ecryptfs "Obscure improper EACCES with ecryptfs_xattr_metadata" [Normal,New]
12:01 < tyhicks> I also plan to review a patch for an upcoming file encryption kernel feature
12:01 < tyhicks> I need to rebase my dbus merge against the latest version debian testing
12:02 < tyhicks> and then push it through
12:02 < tyhicks> and then I'd like to take a look at my outstanding work items
12:02 < mdeslaur> tyhicks: helping jj with whatever tasks he has to land the stuff for rtm has priority
12:02 < tyhicks> I think "implement kernel postinst policy compiles" work item from last month would be a good one to start on
12:02 < jdstrand> so, jjohansen said earlier that he would likely have some abstract patches
12:02 < tyhicks> ok
12:03 < jdstrand> mdeslaur: perhaps tyhicks can help with the Ubuntu packaging/testing?
12:03 < tyhicks> jjohansen: give me anything you'd like and I'll drop whatever I'm working on
12:03 < mdeslaur> definitely
12:03 < tyhicks> ok
12:03 < jdstrand> cool, yeah, let's have tyhicks take the lead on the Ubuntu landing.
12:03 * tyhicks nods
12:03 < jdstrand> tyhicks: I'll work with you on that like last time
12:03 < tyhicks> ok
12:04 < tyhicks> that's it for me
12:04 < tyhicks> jjohansen: you're up
12:04 < jjohansen> well gee, I think its all been covered already :)
12:04 < jdstrand> hehe
12:04 < jdstrand> jjohansen: you are the man of the hour :)
12:04 < jjohansen> I need to sync up with sbeattie, and jdstrand
12:05 < jjohansen> I need to push out the abstract socket patches, I am currently doing some revisions on them
12:05 < tyhicks> jjohansen: are you revising the kernel or userspace patches? (or both?)
12:05 < jjohansen> tyhicks: both
12:05 < tyhicks> ok
12:06 < tyhicks> I'll watch the list for the userspace patches and then start packaging them up
12:06 < jjohansen> tyhicks: I'll start kicking stuff out today, I'll push the userspace first
12:06 < tyhicks> sounds good
12:06 -!- bbcmicrocomputer [~bbcmicroc@unaffiliated/bbcmicrocomputer] has quit [Quit: Leaving]
12:07 < jdstrand> jjohansen: will this include the backports for the touch kernels?
12:07 < jjohansen> once the abstract/anonymous socket mediation patches look good, I have to get some patches together to push upstream
12:08 < jjohansen> jdstrand: uh sort of
12:09 < jdstrand> ?
12:09 < jjohansen> jdstrand: its a set of changes on top of the current stuff. I expect we are going to just drop it as a diff on top of the current set. So now rebase etc is needed
12:09 < jdstrand> ok, that's sounds fine
12:09 < jjohansen> I can certainly build touch kernels with the diff on top of the current
12:10 < jdstrand> we can't consider this landed until it is both userspace and the touch kernels
12:10 < jjohansen> jdstrand: correct
12:10 < jdstrand> so I just wanted to ask
12:10 < jdstrand> jjohansen: for tyhicks and myself, we'll need generic amd64 (at least, perhaps i386), mako and goldfish
12:10 < jjohansen> jdstrand: for landing there is some dependency ordering on policy
12:10 < jdstrand> sure
12:10 < jjohansen> right
12:10 < jdstrand> like last time
12:11 < jjohansen> kernel is not dependent on userspace and userspace on kernel, so just policy
12:11 < jjohansen> yep
12:11 < jdstrand> so we don't have to hash that our all here. sounds like things are in order, we just need to execute
12:11 * jdstrand is excited, but slightly worried about the policy changes
12:12 < jdstrand> jjohansen: have you seen anything scary wrt policy changes?
12:12 < jjohansen> define scary :)
12:12 < mdeslaur> scary as in "breaks everything"
12:12 < jdstrand> I'm hoping it'll be a more or less non-event for upgraders (ie, we can tweak base and apparmor-easyprof-ubuntu accordingly)
12:13 < jdstrand> I'm also hoping that we don't have bad required policy
12:13 < jjohansen> uh yeah if rules aren't in place you can break things that are using abstract sockets
12:13 < jdstrand> like apps have to talk to the upstart abstract socket for some reason
12:14 < jjohansen> think just like with the unix socket fix that was done with saucy, without certain rules in place you fail to boot
12:14 < jdstrand> jjohansen: right, I meant in your work, have you seen anything that was obvious that it couldn't be handled well by adjusting base, etc
12:14 < jdstrand> or do we expect things to be similar to signal/ptrace mediation
12:15 < jdstrand> (which went very well)
12:15 < jjohansen> jdstrand: hrmmm, I haven't really thought about where the best place for the additions is, we certainly can add to base
12:15 < jjohansen> yep
12:15 < jdstrand> ok, that's fine. just wondering if you had a feel for it yet. we certainly will once the patches go up :)
12:16 * jdstrand is done with his questions
12:17 < jjohansen> jdstrand: so my feel is we will stuff some of it in base. which is fine, its just a matter of tuning how tight you want things
12:17 * jjohansen is done, sarnold you're up
12:17 < jdstrand> cool, sounds great
12:17 < jdstrand> we'll discuss all that in #apparmor when the time is right
12:17 * sarnold hides
12:18 < sarnold> I'm on community this week; I have a MIR for trust-store to work on, blueprint items to work on, and it sounds like jj's going to give me a giant gift-wrapped bow-tied balloon-festooned box of new patches to review! \o/
12:19 < mdeslaur> sarnold: are you still working with mterry on phone password handling?
12:19 < sarnold> mdeslaur: let me go reload that bug :)
12:19 < sarnold> s/bug/merge request/
12:20 -!- marrusl [~mark@nat/canonical/x-eoerduednboafkun] has quit [Quit: sync && halt]
12:20 < mdeslaur> sarnold: I believe he had some follow up questions about how to handle empty passwords, etc, and I told him to work that out with you
12:20 < sarnold> mdeslaur: ah, looks like he's got wonderful answers to my questions, no new questions, looks like he's probably good :D
12:20 < sarnold> mdeslaur: ah right, and the securetty bits. i'm sorry I forgot about those.
12:21 < mdeslaur> sarnold: ping him when you get a chance and follow up to make sure all is resolved, please
12:21 < sarnold> mdeslaur: ack :)
12:22 < sarnold> I think that's me done, chrisccoulson?
12:22 < chrisccoulson> hi :)
12:22 -!- xequence [~zequence@ubuntu/member/zequence] has joined #ubuntu-meeting
12:23 < chrisccoulson> this week, I'm looking at getting daily builds going for oxide (I did a hangout last week with oSoMoN and psivaa, and we decided to separate the CI and daily builds tasks, with me taking the latter)
12:23 < chrisccoulson> also, will hopefully be testing and publishing a chromium update from chad :)
12:24 < mdeslaur> \o/
12:24 < chrisccoulson> and, there'll be an oxide update too (with the new chromium release in)
12:24 < chrisccoulson> so, if you're using webapps in trusty, please do install the oxide build from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/
12:25 < mdeslaur> sweet
12:26 < jdstrand> chrisccoulson: re daily builds> oh nice :)
12:26 < chrisccoulson> also, when I did our hangout last week, I did a little diagram explaining the release cycle: https://docs.google.com/a/canonical.com/presentation/d/1cJ_2nhHgv1A4tMUy4-7Tc1kt5r861a0CnYaG9GiOqIo/edit?usp=sharing
12:26 < jdstrand> very nice on oxide update for trusty too
12:27 < mdeslaur> cool
12:27 < chrisccoulson> I'll put that in a blog post soon (the diagram is currently not publically shared, although there's no reason it shouldn't be)
12:27 < chrisccoulson> so the link won't work for anyone outside of canonical atm
12:27 < jdstrand> cool
12:28 < chrisccoulson> I think that's me done
12:29 < jdstrand> chrisccoulson: so, I think we need some sort of MRE like thing for oxide
12:29 < jdstrand> https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions
12:29 < sarnold> meal ready to eat?
12:29 < sarnold> oh jeeze
12:29 < chrisccoulson> aha :)
12:30 < jdstrand> chrisccoulson: perhaps mdeslaur can help there since he is on the TB
12:30 < jdstrand> it is the plan of action, but it hasn't been ratified by the TB
12:30 < mdeslaur> since there are security fixes included, no need for a mre
12:31 < mdeslaur> if you ever want to publish new versions with only fixes, you need an mre
12:31 < jdstrand> this will have more than security updates aiui
12:31 < jdstrand> just like firefox and chromium-browser
12:31 < mdeslaur> doesn't matter, the mres are only for SRUs
12:31 < jdstrand> (which have MREs)
12:31 < jdstrand> ok, fair enough
12:31 < jdstrand> makes it easier :)
12:32 < mdeslaur> I mean, we still should probably ask for one, in case there are updates that don't include security fixes
12:32 * jdstrand nods
12:33 -!- coolbhavi [~bhavani@ubuntu/member/coolbhavi] has joined #ubuntu-meeting
12:33 < mdeslaur> once we've done a couple via security updates, chrisccoulson can ask for the MRE
12:33 < jdstrand> sounds like a plan
12:33 < jdstrand> [TOPIC] Highlighted packages
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sup-mail.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/syncevolution.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
12:34 < jdstrand> The Ubuntu Security team will highlight some community-supported packages (^) that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
12:34 < jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
12:34 < jdstrand> [TOPIC] Miscellaneous and Questions
12:35 < jdstrand> I only have one thing: if you have RTM work items, please work with mdeslaur on finding time to do them. we are rapidly approaching bug fixes only on the phone
12:36 < jdstrand> otoh, I have one and then there is the abstract sockets
12:36 < jdstrand> (mine is small and should be done this week)
12:36 < jdstrand> if you aren't sure if it is for rtm, ask me and mdeslaur
12:36 < jdstrand> Does anyone have any other questions or items to discuss?
12:38 -!- vladk is now known as vladk|offline
12:39 < jdstrand> #endmeeting
}}}