Security Team Weekly Summary: November 9, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: ubuntu-hardened@lists.ubuntu.com

During the last week, the Ubuntu Security team:

• Triaged 201 public security vulnerability reports, retaining the 45 that applied to Ubuntu.
• Published 13 Ubuntu Security Notices which fixed 33 security issues (CVEs) across 16 supported packages.

Ubuntu Security Notices

• [USN-3426-2] Samba vulnerabilities

• [USN-3472-1] LibreOffice vulnerabilities

• [USN-3470-2] Linux kernel (Trusty HWE) vulnerabilities

• [USN-3471-1] Quagga vulnerabilities

• [USN-3469-2] Linux kernel (Xenial HWE) vulnerabilities

• [USN-3469-1] Linux kernel vulnerabilities

• [USN-3470-1] Linux kernel vulnerabilities

• [USN-3468-3] Linux kernel (GCP) vulnerabilities

• [USN-3468-2] Linux kernel (HWE) vulnerabilities

• [USN-3468-1] Linux kernel vulnerabilities

• [USN-3459-2] MySQL vulnerabilities

• [USN-3464-2] Wget vulnerabilities

• [USN-3467-1] poppler vulnerability

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• spice-vdagent underway (LP: #1200296)

• pcp (pcp-3.12.2) completed (LP: #1700827)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Updates to Community Supported Packages

• Lucas Kocia (lkocia) provided a debdiff for xenial for firewalld (LP: #1617617)

• Jeremy Bicha (jbicha) provided a debdiff for zesty for gdm3 (LP: #1729354)

Development

• fixed last of snappy-debug updates (handle core vs classic policy), test, push to stable
• reviews
  • PR 4105 – i386/socket/trusty testsuite fix
  • review apparmor.d man page patch from jj
  • PR 4109 – fix parsing of mountinfo fields
  • PRs 4123 and 4124 – fix bug in ofono interface
  • PR 4136 – snap-confine apparmor policy bug

• https://forum.snapcraft.io/t/device-cgroup-is-applied-to-devmode-snap/2663

• documented the content interface wrt shared libraries to follow store guidelines for cross-publisher sharing.
• documented auto-connection for a specific plugging snap to a specific slotting snap
• documented errno for different security backends
• 1724785
• PR 4114 don’t udev tag with devmode/classic snaps
• PR 4115 udev tag serial-port interface with only path attribute
• PR 4116 udev tag hidraw interface with only path attribute
• PR 4127 don’t udev tag but add /dev/uhid to device cgroup
• PRs 4131-4134 for 2.29

• Migrated AppArmor to GitLab: https://gitlab.com/apparmor

• [Work-in-progress] AppArmor support for multiple policy cache directories: apparmor/apparmor!4

• Simplified usage of libapparmor cleanup functions by preserving errno: apparmor/apparmor!6

• Landed upstream libseccomp changes to support new dynamic seccomp logging: seccomp/libseccomp#92

What the Security Team is Reading This Week

• TorMoil

• My VM is Lighter and Safer Than Your Container

Weekly Meeting

• Log: https://wiki.ubuntu.com/MeetingLogs/Security/20171030

• Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security