Security Team Weekly Summary: November 2, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.myasnchisdf.eu.org

During the last week, the Ubuntu Security team:

• Triaged 268 public security vulnerability reports, retaining the 40 that applied to Ubuntu.
• Published 16 Ubuntu Security Notices which fixed 66 security issues (CVEs) across 16 supported packages.

Ubuntu Security Notices

• [USN-3466-1] systemd vulnerability

• [USN-3465-1] Irssi vulnerabilities

• [USN-3464-1] Wget vulnerabilities

• [USN-3463-1] Werkzeug vulnerability

• [USN-3425-2] Apache HTTP Server vulnerability

• [USN-3388-2] Subversion vulnerabilities

• [USN-3411-2] Bazaar vulnerability

• [USN-3462-1] Pacemaker vulnerabilities

• [USN-3454-2] libffi vulnerability

• [USN-3434-2] Libidn vulnerability

• [USN-3441-2] curl vulnerabilities

• [USN-3458-1] ICU vulnerability

• [USN-3461-1] NVIDIA graphics drivers vulnerabilities

• [USN-3460-1] WebKitGTK+ vulnerabilities

• [USN-3459-1] MySQL vulnerabilities

• [USN-3457-1] curl vulnerability

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• spice-vdagent underway (LP: #1200296)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Development

• Participated in online Enabling AppArmor by default in Debian Sprint

• Refreshed fscrypt package for bionic, tested in a bionic VM, and uploaded it to bionic (pending approval)

• performed reviews in support of layouts: PR 4008, PR 3965. Lots of technical discussion regarding use of overlayfs

• performed review of xdg-settings support: PR 4073

• discuss autostart desktop files design options

• performed review of USB interface number: PR 4040

• performed review of several libvirt patches from server team

• performed review of making @unrestricted truly unrestricted: PR 4054

• Investigated, prepared, tested, and submitted snap-confine apparmor fix PR 4098 and policy-updates-xxxi PR 4097

• Investigated, prepared preliminary ssh-keys, ssh-public-keys, gpg-keys and gpp-public-keys interfaces: PR 4100

• Continue various snappy-debug improvements based on sprint feedback (we should be able to now always suggest using it instead of looking at raw log files):
  • only show AVC or audit violations, not both
  • cache rules files for big performance improvement
  • preliminary DBus recommendations (need to convert to logprof, but now we display DBus violations and suggest a few things)
  • add suggestions for signals and ptrace
  • add suggestions for mpris and dbus slots
  • suggest snapcraft preload plugin
  • split out classic and core policy and choose based on which device snappy-debug is running on
  • various small bug fixes

• Set up https://gitlab.com/apparmor

• Contributed seccomp documentation for Linux 4.14 changes to the man-pages project: mailing list

• Contributed libseccomp-golang bindings for libseccomp’s new API level feature: PR 29

What the Security Team is Reading This Week

• ROCA

• Bionic Beaver

Weekly Meeting

• Log: https://wiki.myasnchisdf.eu.org/MeetingLogs/Security/20171023

• Info: https://wiki.myasnchisdf.eu.org/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security