== Security Team Weekly Summary for 27 October 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities. If you would like to reach the Security Team, you can find us in the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

 * Triaged 268 public security vulnerability reports, retaining the 40 that applied to Ubuntu.
 * Published 16 Ubuntu Security Notices which fixed 66 security issues (CVEs) across 16 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3466-1|[USN-3466-1] systemd vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3465-1|[USN-3465-1] Irssi vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3464-1|[USN-3464-1] Wget vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3463-1|[USN-3463-1] Werkzeug vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3425-2|[USN-3425-2] Apache HTTP Server vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3388-2|[USN-3388-2] Subversion vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3411-2|[USN-3411-2] Bazaar vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3462-1|[USN-3462-1] Pacemaker vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3454-2|[USN-3454-2] libffi vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3434-2|[USN-3434-2] Libidn vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3441-2|[USN-3441-2] curl vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3458-1|[USN-3458-1] ICU vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3461-1|[USN-3461-1] NVIDIA graphics drivers vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3460-1|[USN-3460-1] WebKitGTK+ vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3459-1|[USN-3459-1] MySQL vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3457-1|[USN-3457-1] curl vulnerability]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * spice-vdagent underway (LP: #Bug:1200296)
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Development ===

 * Participated in the online "Enabling !AppArmor by default in Debian" sprint
 * Refreshed the fscrypt package for bionic, tested it in a bionic VM, and uploaded it to bionic (pending approval)
 * Performed reviews in support of layouts: [[https://github.com/snapcore/snapd/pull/4008|PR 4008]], [[https://github.com/snapcore/snapd/pull/3965|PR 3965]]. Lots of technical discussion regarding the use of overlayfs
 * Performed review of xdg-settings support: [[https://github.com/snapcore/snapd/pull/4073|PR 4073]]
 * Discussed autostart desktop file design options
 * Performed review of USB interface number: [[https://github.com/snapcore/snapd/pull/4040|PR 4040]]
 * Performed review of several libvirt patches from the server team
 * Performed review of making @unrestricted truly unrestricted: [[https://github.com/snapcore/snapd/pull/4054|PR 4054]]
 * Investigated, prepared, tested, and submitted a snap-confine apparmor fix [[https://github.com/snapcore/snapd/pull/4098|PR 4098]] and policy-updates-xxxi [[https://github.com/snapcore/snapd/pull/4097|PR 4097]]
 * Investigated and prepared preliminary ssh-keys, ssh-public-keys, gpg-keys and gpg-public-keys interfaces: [[https://github.com/snapcore/snapd/pull/4100|PR 4100]]
 * Continued various snappy-debug improvements based on sprint feedback (we should now be able to always suggest using it instead of looking at raw log files):
  * only show AVC or audit violations, not both
  * cache rules files for a big performance improvement
  * preliminary DBus recommendations (need to convert to logprof, but we now display DBus violations and suggest a few things)
  * add suggestions for signals and ptrace
  * add suggestions for mpris and dbus slots
  * suggest the snapcraft preload plugin
  * split out classic and core policy and choose based on which device snappy-debug is running on
  * various small bug fixes
 * Set up https://gitlab.com/apparmor
 * Contributed seccomp documentation for Linux 4.14 changes to the ''man-pages'' project: [[https://www.spinics.net/lists/linux-man/msg12178.html|mailing list]]
 * Contributed libseccomp-golang bindings for libseccomp's new API level feature: [[https://github.com/seccomp/libseccomp-golang/pull/29#issuecomment-339221304|PR 29]]

=== What the Security Team is Reading This Week ===

 * [[https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/S6pfqiMCmOg|ROCA]]
 * [[http://www.webtender.com/db/drink/4197|Bionic Beaver]]

=== Weekly Meeting ===

 * Log: https://wiki.ubuntu.com/MeetingLogs/Security/20171023
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]