Security Team Weekly Summary: September 27, 2017

The Security Team weekly reports are intended to be very short summaries of the Security Team’s weekly activities.

If you would like to reach the Security Team, you can find us at the #ubuntu-hardened channel on FreeNode. Alternatively, you can mail the Ubuntu Hardened mailing list at: [email protected]

During the last week, the Ubuntu Security team:

• Triaged 296 public security vulnerability reports, retaining the 81 that applied to Ubuntu.
• Published 16 Ubuntu Security Notices which fixed 37 security issues (CVEs) across 18 supported packages.

Ubuntu Security Notices

• [USN-3428-1] Emacs vulnerability

• [USN-3427-1] Emacs vulnerability

• [USN-3426-1] Samba vulnerabilities

• [USN-3414-2] QEMU regression

• [USN-3425-1] Apache HTTP Server vulnerability

• [USN-3424-1] libxml2 vulnerabilities

• [USN-3423-1] Linux kernel vulnerability

• [USN-3422-2] Linux kernel (Trusty HWE) vulnerabilities

• [USN-3420-2] Linux kernel (Xenial HWE) vulnerabilities

• [USN-3419-2] Linux kernel (HWE) vulnerabilities

• [USN-3419-1] Linux kernel vulnerabilities

• [USN-3420-1] Linux kernel vulnerabilities

• [USN-3421-1] Libidn2 vulnerability

• [USN-3422-1] Linux kernel vulnerabilities

• [USN-3346-2] Bind regression

• [USN-3418-1] GDK-PixBuf vulnerabilities

Bug Triage

• Backlog: https://bugs.launchpad.net/~ubuntu-security/+subscribedbugs

Mainline Inclusion Requests

• python-pyelftools underway (LP: #1630073)

• MIR backlog: https://bugs.launchpad.net/~ubuntu-security/+assignedbugs?field.searchtext=%5BMIR%5D

Updates to Community Supported Packages

• Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for jython (LP: #1714728)

Development

• review
  • udisks2 PR 3931
  • snap-confile calls snap-update-ns PR 3621
  • bind mount relative to snap-confine PR 3956
  • snaps on NFS support
• completed: create PR 3937 to use only ‘udevadm trigger –action=change’ instead of ‘udevadm control –reload-rules’
• update snap-confine to unconditional add the nvidia devices to the device cgroup and rely only on apparmor for mediation

• wrote/tested libseccomp-golang changes to complement the libseccomp changes: https://github.com/seccomp/libseccomp-golang/pull/29

• uploaded libseccomp, with the most minimal change needed to support snapd, to artful after receiving a Feature Freeze exception

What the Security Team is Reading This Week

• 2017 Linux Security Summit (Day 1)

• CLKSCREW: Exposing the perils of security-oblivious energy management

• Easy ssh into libvirt VMs and LXD containers

Weekly Meeting

• Log: https://wiki.ubuntu.com/MeetingLogs/Security/20170918

• Info: https://wiki.ubuntu.com/SecurityTeam/Meeting

More Info

• Ubuntu CVE Tracker

• Ubuntu security notices

• Follow Ubuntu Security on Twitter

• How to help improve Ubuntu security