== Security Team Weekly Summary for 01 September 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

 * Triaged 201 public security vulnerability reports, retaining the 59 that applied to Ubuntu.
 * Published 9 Ubuntu Security Notices which fixed 18 security issues (CVEs) across 11 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3407-1|[USN-3407-1] PyJWT vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3406-2|[USN-3406-2] Linux kernel (Trusty HWE) vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3405-2|[USN-3405-2] Linux kernel (Xenial HWE) vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3404-2|[USN-3404-2] Linux kernel (HWE) vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3405-1|[USN-3405-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3406-1|[USN-3406-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3404-1|[USN-3404-1] Linux kernel vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3403-1|[USN-3403-1] Ghostscript vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3199-3|[USN-3199-3] Python Crypto vulnerability]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * websockify, spice-html5 underway (LP: #Bug:1108935)
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Updates to Community Supported Packages ===

 * Gianfranco Costamagna provided a debdiff for xenial for check-all-the-things (LP: #Bug:1597245)

=== Development ===

 * Lots of snapd reviews: PR 3720 (solus), PR 3398 (XDG_DATA_DIRS for wayland), PR 3617 (big udev update), PR 3814 (opengl updates), PR 3812 (bluez interface on classic)
 * snapd PR 3826 for iio
 * follow-ups on PR 3805 (username/group instead of uid/gid)
 * lots of review/discussion surrounding PR 3621 (snap-confine calling snap-update-ns)
 * triage/fix snap-seccomp testsuite failures on armhf and arm64
 * begin investigation of snapd device cgroup regression

=== What the Security Team is Reading This Week ===

 * [[https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-03apr17-en.pdf|Quick Guide: Prepare Your Systems for the Root KSK Rollover]] and [[https://www.slideshare.net/apnic/2017-dnssec-ksk-rollover|DNSSEC KSK Rollover]]
 * [[https://news.harvard.edu/gazette/story/2017/08/when-it-comes-to-internet-privacy-be-very-afraid-analyst-suggests/|Harvard Gazette On internet privacy, be very afraid]]

=== Weekly Meeting ===

 * Log: https://wiki.ubuntu.com/MeetingLogs/Security/20170828
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]