== Security Team Weekly Summary for 04 August 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities. If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

 * Triaged 242 public security vulnerability reports, retaining the 57 that applied to Ubuntu.
 * Published 13 Ubuntu Security Notices which fixed 29 security issues (CVEs) across 15 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3372-1|[USN-3372-1] NSS vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3373-1|[USN-3373-1] Apache HTTP Server vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3363-2|[USN-3363-2] ImageMagick regression]]
 * [[https://www.ubuntu.com/usn/usn-3374-1|[USN-3374-1] RabbitMQ vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3366-2|[USN-3366-2] OpenJDK 8 regression]]
 * [[https://www.ubuntu.com/usn/usn-3294-2|[USN-3294-2] Bash vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3370-2|[USN-3370-2] Apache HTTP Server vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3375-1|[USN-3375-1] LXC vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3376-1|[USN-3376-1] WebKitGTK+ vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3377-1|[USN-3377-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3377-2|[USN-3377-2] Linux kernel (HWE) vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3378-1|[USN-3378-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3378-2|[USN-3378-2] Linux kernel (Xenial HWE) vulnerabilities]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * http-parser underway (LP: #Bug:1638957)
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Updates to Community Supported Packages ===

 * James Lu (tacocat) provided debdiffs for xenial-zesty for gnome-exe-thumbnailer (LP: #Bug:651610)
 * Simon Quigley (tsimonq2) provided debdiffs for trusty-xenial for lxterminal (LP: #Bug:1690416)
 * Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for pcmanfm (LP: #Bug:1708542)
 * Otto Kekäläinen (otto) provided debdiffs for trusty for mariadb-5.5 (LP: #Bug:1705944)
 * Otto Kekäläinen (otto) provided debdiffs for xenial for mariadb-10.0 (LP: #Bug:1698689)
 * Otto Kekäläinen (otto) provided debdiffs for zesty for mariadb-10.1 (LP: #Bug:1698689)
 * Roger Light (ral) provided debdiffs for trusty-zesty for mosquitto (LP: #Bug:1700490)

=== Development ===

 * Updated seccomp patches submitted to LKML: [[https://lkml.org/lkml/2017/7/28/668|[PATCH v5 1/6] seccomp: Sysctl to display available actions]]
 * snapd policy updates: [[https://github.com/snapcore/snapd/commit/4b73774a02be51a3f09e3d5f6bdb90da064f7d00|interfaces/many, cmd/snap-confine: miscellaneous policy updates (#3634)]]
 * !AppArmor updates for perl 5.26 transition in 17.10 ([[https://launchpad.net/ubuntu/+source/apparmor/2.11.0-2ubuntu11|2.11.0-2ubuntu11]], [[https://launchpad.net/ubuntu/+source/apparmor/2.11.0-2ubuntu12|2.11.0-2ubuntu12]])
 * review broadcom-asic-control interface for snapd PR
 * find reproducer for !AppArmor capability logging issues and file [[https://launchpad.net/bugs/1707743|LP: #1707743]]
 * coordinate with Desktop team with regard to snaps on 17.10 desktop
 * continue wayland interface investigation, coordinate with Desktop team
 * several reviews of 'Using udev tagging for snap interfaces' PR
 * review kvm interface for snapd PR
 * triage snapd-interface bugs
 * several reviews of spi interface for snapd PR
 * be responsive to Debian !AppArmor team with [[https://lists.ubuntu.com/archives/apparmor/2017-August/010937.html|their request to make AppArmor on by default in Debian Buster]]
 * review of avahi interface for snap reimplementation PR

=== What the Security Team is Reading This Week ===

 * [[https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Hanno-Boeck-Abusing-Certificate-Transparency-Logs.pdf|Abusing Certificate Transparency Logs]] by Hanno Boeck
 * [[http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html|Cracking the Lens: Targeting HTTP's Hidden Attack-Surface]]

=== Weekly Meeting ===

 * Log: https://wiki.ubuntu.com/MeetingLogs/Security/20170731
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]