Security Team Weekly Summary: August 17, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

• Triaged 537 public security vulnerability reports, retaining the 134 that applied to Ubuntu.
• Published 16 Ubuntu Security Notices which fixed 36 security issues (CVEs) across 17 supported packages.

Ubuntu Security Notices

• [USN-3388-1] Subversion vulnerabilities

• [USN-3387-1] Git vulnerability

• [USN-3385-2] Linux kernel (Xenial HWE) vulnerabilities

• [USN-3386-2] Linux kernel (Trusty HWE) vulnerabilities

• [USN-3384-2] Linux kernel (HWE) vulnerabilities

• [USN-3386-1] Linux kernel vulnerabilities

• [USN-3385-1] Linux kernel vulnerabilities

• [USN-3384-1] Linux kernel vulnerabilities

• [USN-3383-1] libsoup vulnerability

• [USN-3382-1] PHP vulnerabilities

• [USN-3381-2] Linux kernel (Trusty HWE) vulnerabilities

• [USN-3381-1] Linux kernel vulnerabilities

• [USN-3380-1] FreeRDP vulnerabilities

• [USN-3379-1] Shotwell vulnerability

• [USN-3339-2] OpenVPN vulnerability

• [USN-3212-4] LibTIFF vulnerabilities

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• http-parser completed (LP: #1638957)

• python-certifi completed (LP: #1708496)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Updates to Community Supported Packages

• Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for vlc (LP: #1709420)

Development

• Improved seccomp logging patches submitted to -next

• review tools updated for 2.27

• snapd interfaces documentation updated to include all interfaces

• Security policy and sandboxing updated

• miscellaneous snapd policy updates for master and 2.27.1

• finish wayland/XDG_RUNTIME_DIR investigation, submit wayland PR, submit/discuss snap-desktop-helpers PR, sync with desktop team for their next steps

• proposal for desktop interfaces going forward

• ‘desktop’ and ‘desktop-accessibility’ interfaces

• snapd PR interface reviews for avahi, opengl, optical-drive, physical-memory-observe, spi

What the Security Team is Reading This Week

• Parity’s Wallet Bug is not Alone by Emin Gün Sirer

• Because urandom isn’t everything

Weekly Meeting

• Log: https://wiki.ubuntu.com/MeetingLogs/Security/20170807

• Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security

Almost every household has an unsolved Rubiks Cube but you can esily solve it learning a few algorithms.