== Security Team Weekly Summary for 17 November 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities. If you would like to reach the Security Team, you can find us in the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

 * Triaged 357 public security vulnerability reports, retaining the 90 that applied to Ubuntu.
 * Published 8 Ubuntu Security Notices which fixed 35 security issues (CVEs) across 9 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3477-1|[USN-3477-1] Firefox vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3482-1|[USN-3482-1] ipsec-tools vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3481-1|[USN-3481-1] WebKitGTK+ vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3480-1|[USN-3480-1] Apport vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3276-3|[USN-3276-3] shadow vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3479-1|[USN-3479-1] PostgreSQL vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3478-2|[USN-3478-2] Perl vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3478-1|[USN-3478-1] Perl vulnerabilities]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * spice-vdagent underway (LP: #Bug:1200296)
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Development ===

 * prepared and sent a 4.15 eCryptfs pull request that was merged (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e0bcb42e602816415f6fe07313b6fc84932244b7)
 * apparmor updates based on testing with Firefox 57
 * reviewed AppArmor Python utils merge request from cboltz
 * reviewed some libvirt apparmor patches from Debian to upstream
 * snapd reviews
 * reviewed apparmor profile for 'man' for pending Debian/Ubuntu upload
 * 'add support for socket activation' PR 3916
 * 'add detection of stale mount namespaces' PR 3999
 * 're-factor secureMkDirAll into secureMk{Prefix,Dir}' PR 4163
 * 'detect and report read-only filesystems' PR 4166
 * 'add secureMkfileAll' PR 4169
 * 'use gid owning /etc/shadow to setup seccomp rules' PR 4185
 * 'use .preinit_array function rather than parsing /proc/self/cmdline' PR 4202
 * 'extend socket validation tests' PR 4219
 * setgid privilege dropping for LXD freezer cgroup PR 4230/PR 4246
 * updated firefox apparmor profile in deb packaging
 * reviewed existing snap declarations and updated them for consistency. Submitted PR 4238 to adjust the base declaration for auto-connection.
 * updated snappy-debug for snapcraft preload and timedatectl issues
 * triaged a customer issue surrounding timedatectl and created PR 4216 to silence the noisy timedatectl denial
 * created PR 4217 for browser-support update for nwjs
 * submitted PR 4245 for robustifying the AppArmor rules for screen-inhibit-control
 * submitted PR 4247 to allow use of chown root:root
 * updated review-tools for the new 'sockets' yaml, plus other small fixes. Uploaded to the store.
 * finished implementation of the new CVE triage process
 * follow-up documentation and communication with browser-support allow-sandbox: true users
 * based on errors.ubuntu.com issues, fixed review-tools to produce the expected output for runtime errors when specifying --json

=== What the Security Team is Reading This Week ===

 * [[https://xorl.wordpress.com/2017/11/13/openssh-sftp-server-remote-security-vulnerability/|OpenSSH ‘sftp-server’ Remote Security Vulnerability]]
 * [[https://aliceevebob.com/2017/11/14/whats-a-blockchain-smart-contract/|What’s a blockchain “smart contract”?]]
 * [[https://lists.ubuntu.com/archives/apparmor/2017-November/011309.html|Let's enable AppArmor by default (why not?)]]

=== Weekly Meeting ===

 * Log: https://wiki.ubuntu.com/MeetingLogs/Security/20171113
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]