Security Team Weekly Summary: August 10, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

• Triaged 242 public security vulnerability reports, retaining the 57 that applied to Ubuntu.
• Published 13 Ubuntu Security Notices which fixed 29 security issues (CVEs) across 15 supported packages.

Ubuntu Security Notices

• [USN-3372-1] NSS vulnerability

• [USN-3373-1] Apache HTTP Server vulnerabilities

• [USN-3363-2] ImageMagick regression

• [USN-3374-1] RabbitMQ vulnerability

• [USN-3366-2] OpenJDK 8 regression

• [USN-3294-2] Bash vulnerability

• [USN-3370-2] Apache HTTP Server vulnerability

• [USN-3375-1] LXC vulnerability

• [USN-3376-1] WebKitGTK+ vulnerabilities

• [USN-3377-1] Linux kernel vulnerabilities

• [USN-3377-2] Linux kernel (HWE) vulnerabilities

• [USN-3378-1] Linux kernel vulnerabilities

• [USN-3378-2] Linux kernel (Xenial HWE) vulnerabilities

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• http-parser underway (LP: #1638957)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Updates to Community Supported Packages

• James Lu (tacocat) provided debdiffs for xenial-zesty for gnome-exe-thumbnailer (LP: #651610)

• Simon Quigley (tsimonq2) provided debdiffs for trusty-xenial for lxterminal (LP: #1690416)

• Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for pcmanfm (LP: #1708542)

• Otto Kekäläinen (otto) provided debdiffs for trusty for mariadb-5.5 (LP: #1705944)

• Otto Kekäläinen (otto) provided debdiffs for xenial for mariadb-10.0 (LP: #1698689)

• Otto Kekäläinen (otto) provided debdiffs for zesty for mariadb-10.1 (LP: #1698689)

• Roger Light (ral) provided debdiffs for trusty-zesty for mosquitto (LP: #1700490)

Development

• Updated seccomp patches submitted to LKML [PATCH v5 1/6] seccomp: Sysctl to display available actions

• snapd policy updates interfaces/many, cmd/snap-confine: miscellaneous policy updates (#3634)

• AppArmor updates for perl 5.26 transition in 17.10 (2.11.0-2ubuntu11, 2.11.0-2ubuntu12)

• review broadcom-asic-control interface for snapd PR

• find reproducer for AppArmor capability logging issues and file LP: #1707743

• coordinate with Desktop team wrt snaps on 17.10 desktop
• continue wayland interface investigation, coordinate with Desktop team
• several reviews of ‘Using udev tagging for snap interfaces’ PR
• review kvm interface for snapd PR
• triage snapd-interface bugs
• several reviews of spi interface for snapd PR

• be responsive to Debian AppArmor team with their request to make AppArmor on by default in Debian Buster

• review of avahi interface for snap reimplementation PR

What the Security Team is Reading This Week

• Abusing Certificate Transparency Logs by Hanno Boeck

• Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface

Weekly Meeting

• Log: https://wiki.ubuntu.com/MeetingLogs/Security/20170731

• Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security