Security Team Weekly Summary: December 7, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: [email protected]

Due to the holiday last week, there was no weekly report, so this report covers the previous two weeks. During the last two weeks, the Ubuntu Security team:

• Triaged 379 public security vulnerability reports, retaining the 74 that applied to Ubuntu.
• Published 32 Ubuntu Security Notices which fixed 70 security issues (CVEs) across 34 supported packages.

Ubuntu Security Notices

• [USN-3477-3] Firefox regressions

• [USN-3590-1] Thunderbird vulnerabilities]

• [USN-3501-1] libxcursor vulnerability

• [USN-3500-1] libXfont vulnerability

• [USN-3499-1] Exim vulnerability

• [USN-3498-1] curl vulnerabilities

• [USN-3497-1] OpenJDK 7 vulnerabilities

• [USN-3496-3] Python vulnerability

• [USN-3496-2] Python vulnerability

• [USN-3496-1] Python vulnerability

• [USN-3477-2] Firefox regression

• [USN-3476-2] postgresql-common vulnerabilities

• [USN-3495-1] OptiPNG vulnerability

• [USN-3494-1] XML::LibXML vulnerability

• [USN-3493-1] Exim vulnerability

• [USN-3492-1] LibRaw vulnerabilities

• [USN-3491-1] ldns vulnerabilities

• [USN-3489-2] Berkeley DB vulnerability

• [USN-3489-1] Berkeley DB vulnerability

• [USN-3485-3] Linux kernel (AWS) vulnerabilities

• [USN-3484-3] Linux kernel (GCP) vulnerability

• [USN-3488-1] Linux kernel (Azure) vulnerability

• [USN-3487-1] Linux kernel vulnerabilities

• [USN-3486-2] Samba vulnerability

• [USN-3483-2] procmail vulnerability

• [USN-3486-1] Samba vulnerabilities

• [USN-3485-2] Linux kernel (Xenial HWE) vulnerabilities

• [USN-3484-2] Linux kernel (HWE) vulnerability

• [USN-3485-1] Linux kernel vulnerabilities

• [USN-3484-1] Linux kernel vulnerability

• [USN-3480-2] Apport regressions

• [USN-3483-1] procmail vulnerability

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• spice-vdagent completed (LP: #1200296)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Development

• add max compressed size check to the review tools
• adjust review-tools runtime errors output for store (final)
• adjust review-tools for redflagged base snap overrides
• adjust review-tools for resquashing with fakeroot
• upload a couple of bad snaps to test r945 of the review tools in the store. The store is correctly not auto-approving, but is also not handling them right. File LP: #1733699
• investigate SNAPCRAFT_BUILD_INFO=1 with snapcraft cleanbuild and attempt rebuilds
• respond to feedback in PR 4245, close and resubmit as PR 4255 (interfaces/screen-inhibit-control: fix case in screen inhibit control)
• investigate reported godot issue. Send up PR 4257 (interfaces/opengl: also allow ‘revision’ on /sys/devices/pci…)
• investigation of potential biometrics-observe interface
• snapd reviews
  • PR 4258: fix unmounting on systems without rshared
  • PR 4170: cmd/snap-update-ns: add planWritableMimic
  • PR 4306 (use #include instead of bare ‘include’)
  • PR 4224 – cmd/snap-update-ns: teach update logic to handle synthetic changes
  • PR 4312 – ‘create mount targe for lib32,vulkan on demand
  • PR 4323 – interfaces: add gpio-memory-control interface
  • PR 4325 (add test for netlink-connector interface) and investigate NETLINK_CONNECTOR denials
  • review design of PR 4329 – discard stale mountspaces (v2)

• finalized squashfs fix for 1555305 and submitted it upstream (https://sourceforge.net/p/squashfs/mailman/message/36140758/)

• investigation into users 16.04 apparmor issues with tomcat

What the Security Team is Reading This Week

• Git hash function transition

• Cheat Sheets

Weekly Meeting

• Log: https://wiki.ubuntu.com/MeetingLogs/Security/20171127

• Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security