== Security Team Weekly Summary for 01 December 2017 ==

The [[SecurityTeam|Security Team]] weekly reports are intended to be very short summaries of the Security Team's weekly activities. If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

Due to the holiday last week, there was no weekly report, so this report covers the previous two weeks.

During the last two weeks, the Ubuntu Security team:

 * Triaged 379 public security vulnerability reports, retaining the 74 that applied to Ubuntu.
 * Published 32 Ubuntu Security Notices which fixed 70 security issues (CVEs) across 34 supported packages.

=== Ubuntu Security Notices ===

 * [[https://www.ubuntu.com/usn/usn-3477-3|[USN-3477-3] Firefox regressions]]
 * [[https://www.ubuntu.com/usn/usn-3490-1|[USN-3490-1] Thunderbird vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3501-1|[USN-3501-1] libxcursor vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3500-1|[USN-3500-1] libXfont vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3499-1|[USN-3499-1] Exim vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3498-1|[USN-3498-1] curl vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3497-1|[USN-3497-1] OpenJDK 7 vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3496-3|[USN-3496-3] Python vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3496-2|[USN-3496-2] Python vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3496-1|[USN-3496-1] Python vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3477-2|[USN-3477-2] Firefox regression]]
 * [[https://www.ubuntu.com/usn/usn-3476-2|[USN-3476-2] postgresql-common vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3495-1|[USN-3495-1] OptiPNG vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3494-1|[USN-3494-1] XML::LibXML vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3493-1|[USN-3493-1] Exim vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3492-1|[USN-3492-1] LibRaw vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3491-1|[USN-3491-1] ldns vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3489-2|[USN-3489-2] Berkeley DB vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3489-1|[USN-3489-1] Berkeley DB vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3485-3|[USN-3485-3] Linux kernel (AWS) vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3484-3|[USN-3484-3] Linux kernel (GCP) vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3488-1|[USN-3488-1] Linux kernel (Azure) vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3487-1|[USN-3487-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3486-2|[USN-3486-2] Samba vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3483-2|[USN-3483-2] procmail vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3486-1|[USN-3486-1] Samba vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3485-2|[USN-3485-2] Linux kernel (Xenial HWE) vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3484-2|[USN-3484-2] Linux kernel (HWE) vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3485-1|[USN-3485-1] Linux kernel vulnerabilities]]
 * [[https://www.ubuntu.com/usn/usn-3484-1|[USN-3484-1] Linux kernel vulnerability]]
 * [[https://www.ubuntu.com/usn/usn-3480-2|[USN-3480-2] Apport regressions]]
 * [[https://www.ubuntu.com/usn/usn-3483-1|[USN-3483-1] procmail vulnerability]]

=== Bug Triage ===

 * Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

=== Mainline Inclusion Requests ===

 * spice-vdagent completed (LP: #1200296)
 * MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

=== Development ===

 * add max compressed size check to the review tools
 * adjust review-tools runtime errors output for store (final)
 * adjust review-tools for redflagged base snap overrides
 * adjust review-tools for resquashing with fakeroot
 * upload a couple of bad snaps to test r945 of the review tools in the store. The store is correctly not auto-approving, but is also not handling them right. Filed LP: #1733699
 * investigate SNAPCRAFT_BUILD_INFO=1 with snapcraft cleanbuild and attempt rebuilds
 * respond to feedback in PR 4245, close and resubmit as PR 4255 (interfaces/screen-inhibit-control: fix case in screen inhibit control)
 * investigate reported godot issue. Send up PR 4257 (interfaces/opengl: also allow 'revision' on /sys/devices/pci...)
 * investigation of potential biometrics-observe interface
 * snapd reviews
  * PR 4258: fix unmounting on systems without rshared
  * PR 4170: cmd/snap-update-ns: add planWritableMimic
  * PR 4306: use #include instead of bare 'include'
  * PR 4224: cmd/snap-update-ns: teach update logic to handle synthetic changes
  * PR 4312: create mount target for lib32,vulkan on demand
  * PR 4323: interfaces: add gpio-memory-control interface
  * PR 4325: add test for netlink-connector interface, and investigate NETLINK_CONNECTOR denials
  * review design of PR 4329: discard stale mountspaces (v2)
 * finalized squashfs fix for LP: #1555305 and submitted it upstream (https://sourceforge.net/p/squashfs/mailman/message/36140758/)
 * investigation into users' 16.04 apparmor issues with tomcat

=== What the Security Team is Reading This Week ===

 * [[https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt|Git hash function transition]]
 * [[http://packetlife.net/library/cheat-sheets/|Cheat Sheets]]

=== Weekly Meeting ===

 * Log: https://wiki.ubuntu.com/MeetingLogs/Security/20171127
 * Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

=== More Info ===

 * [[http://people.canonical.com/~ubuntu-security/cve/|Ubuntu CVE Tracker]]
 * [[https://www.ubuntu.com/usn/|Ubuntu security notices]]
 * [[https://www.twitter.com/ubuntu_sec|Follow Ubuntu Security on Twitter]]
 * [[https://wiki.ubuntu.com/SecurityTeam/GettingInvolved|How to help improve Ubuntu security]]