Security Team Weekly Summary for 17 November 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team's weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

  • Triaged 357 public security vulnerability reports, retaining the 90 that applied to Ubuntu.
  • Published 8 Ubuntu Security Notices which fixed 35 security issues (CVEs) across 9 supported packages.

Ubuntu Security Notices

Bug Triage

Mainline Inclusion Requests

Development

  • prepared and sent a 4.15 eCryptfs pull request that was merged (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e0bcb42e602816415f6fe07313b6fc84932244b7)
  • AppArmor updates based on testing with Firefox 57
  • reviewed the AppArmor Python utils merge request from cboltz
  • reviewed some libvirt AppArmor patches from Debian for upstream
  • snapd reviews:
    • reviewed the AppArmor profile for 'man' for the pending Debian/Ubuntu upload
    • 'add support for socket activation' PR 3916
    • 'add detection of stale mount namespaces' PR 3999
    • 're-factor secureMkDirAll into secureMk{Prefix,Dir}' PR 4163
    • 'detect and report read-only filesystems' PR 4166
    • 'add secureMkfileAll' PR 4169
    • 'use gid owning /etc/shadow to setup seccomp rules' PR 4185
    • 'use .preinit_array function rather than parsing /proc/self/cmdline' PR 4202
    • 'extend socket validation tests' PR 4219
    • setgid privilege dropping for the LXD freezer cgroup, PR 4230 / PR 4246
  • updated the Firefox AppArmor profile in the deb packaging
  • reviewed existing snap declarations and updated them for consistency; submitted PR 4238 to adjust the base declaration for auto-connection
  • updated snappy-debug for the snapcraft preload and timedatectl issues
  • triaged a customer issue surrounding timedatectl and created PR 4216 to silence the noisy timedatectl denial
  • created PR 4217 for the browser-support update for nwjs
  • submitted PR 4245 for robustifying the AppArmor rules for screen-inhibit-control
  • submitted PR 4247 to allow use of chown root:root <path>
  • updated review-tools for the new 'sockets' yaml, plus other small fixes; uploaded to the store
  • finished the implementation of the new CVE triage process
  • follow-up documentation and communication with browser-support allow-sandbox: true users
  • based on errors.ubuntu.com issues, fixed review-tools to produce the expected output for runtime errors when --json is specified

What the Security Team is Reading This Week

Weekly Meeting

More Info

SecurityTeam/WeeklyReports/20171117 (last edited 2017-11-20 16:00:45 by jdstrand)