== Security Team Weekly Summary for 25 August 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities. If you would like to reach the Security Team, you can find us in the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

 * Triaged 287 public security vulnerability reports, retaining the 61 that applied to Ubuntu.
 * Published 6 Ubuntu Security Notices which fixed 13 security issues (CVEs) across 6 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3402-1|[USN-3402-1] PySAML2 vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3401-1|[USN-3401-1] TeX Live vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3400-1|[USN-3400-1] Augeas vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3399-1|[USN-3399-1] cvs vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3398-1|[USN-3398-1] graphite2 vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3397-1|[USN-3397-1] strongSwan vulnerability]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * websockify (LP: #Bug:1108935) underway
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Updates to Community Supported Packages ===

 * Simon Quigley (tsimonq2) provided a debdiff for trusty for kdepimlibs (LP: #Bug:1630700)
 * Simon Quigley (tsimonq2) provided a debdiff for xenial for kcoreaddons (LP: #Bug:1630700)
 * Simon Quigley (tsimonq2) provided debdiffs for trusty through zesty for varnish (LP: #Bug:1708354)

=== Development ===

 * Updated review-tools to calculate the uncompressed squashfs size and error out if it is too large; also updated it to unpack into SNAP_USER_COMMON and to clean up stale review directories.
 * review-tools: fix for LP: #Bug:1712476
 * review-tools: implemented the new 'reload-command' yaml and new execstack checks
 * Submitted the apparmor pull request for artful to the Kernel Team.
 * Submitted the seccomp logging patch set for both the artful 4.12 and artful 4.13 kernels.
 * Submitted PR 3804 for user and group name lookups in snap-seccomp, in support of snap privilege dropping.
 * Submitted PR 3805 to stop hardcoding uids and gids (for 'root' and 'shadow').
 * Submitted a libseccomp PR for improved logging changes (https://github.com/seccomp/libseccomp/pull/92).
 * Fixed a libseccomp test runner bug that was causing a class of tests to not run (https://github.com/seccomp/libseccomp/pull/91).
 * Worked with design on 'Snap interfaces GUI descriptions'.
 * Performed various PR reviews in support of cross-distro work and improved udev tagging.
 * Met with the snapd team (Gustavo) on final designs for the new desktop interfaces (PR 3719).

=== What the Security Team is Reading This Week ===

 * [[https://kate.io/blog/2017/08/22/weird-python-integers/|Weird Python Integers]]
 * [[https://dvdhrm.github.io/rethinking-the-dbus-message-bus/|Rethinking the dbus message bus]]

=== Weekly Meeting ===

 * The weekly meeting was cancelled this week (eclipse watching).
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]