Ej7367 ~ubuntu-security membership application

Hello! I would like to submit my application to join ~ubuntu-security.

Team membership

I am currently a member of the ~canonical-security Launchpad team.

Verified identity

I am an employee of Canonical, and my identity has been verified through a background check during the onboarding process as well as in person.

History of high-quality sponsored security updates

Over the past four months, I have published security updates for a variety of packages spread across the in-support releases. Each update involved a combination of researching vulnerabilities, backporting patches, and testing. Here is a list of the Ubuntu Security Notices that I have published:

• 2025-06-16: USN-7571-1 for “c3p0” - 1 CVE
• 2025-06-26: USN-7600-1 for “libxslt” - 1 CVE
• 2025-07-14: USN-7637-1 for “jpeg-xl” - 4 CVEs
• 2025-09-02: USN-7729-1 for “kdepim” - 4 CVEs
• 2025-09-02: USN-7730-1 for “kf5-messagelib” - 2 CVEs
• 2025-09-02: USN-7731-1 for “kmail” - 2 CVEs
• 2025-09-02: USN-7732-1 for “kmail-account-wizard” - 1 CVE
• 2025-09-08: USN-7740-1 for “libetpan” - 1 CVE
• 2025-09-11: USN-7746-1 for “node-cipher-base” - 1 CVE
• 2025-09-15: USN-7747-1 for “rubygems” - 1 CVE
• 2025-09-18: USN-7757-1 for “openjpeg2” - 2 CVEs
• 2025-09-25: USN-7778-1 for “node-sha.js” - 1 CVE
• 2025-10-08: USN-7813-1 for “fort-validator” - 7 CVEs

The following table shows how this set of updates covers the various Ubuntu releases:

(*) ESM update

These updates have provided a diverse set of challenges. Some notable ones are described below, along with the steps that I took to troubleshoot and resolve the issues:

• While researching CVE-2023-40403 for USN-7600-1, I found two sets of patches from the upstream developers: one for libxslt versions after 1.1.29, and another for libxslt versions 1.1.29 and older. However, upon reviewing the latter set of patches, I found that it did not adequately fix the vulnerability. Therefore, to fix the vulnerability in Ubuntu releases with libxslt versions 1.1.29 and older, I decided instead to backport the first set of patches, making sure to thoroughly test my updates to reduce the likelihood of regressions.
• When I was researching some vulnerabilities that impacted the KMail application, I noticed that in some cases, the vulnerable code was not actually in the kmail package, but in related packages such as kmail-account-wizard and kf5-messagelib. Additionally, in older Ubuntu releases, the kmail package did not exist, and the code was instead part of the kdepim package. This required some extra work during the triaging step to ensure that I was correctly patching all the affected packages. Backporting the patches for these vulnerabilities also proved to be challenging, as there were significant code changes between upstream versions. To ensure that I was backporting the patches correctly, I often had to look through the commit history of the upstream project to understand how and why certain changes were made to the code.
• During the testing of my updates for USN-7747-1, I noticed that the copy_sppa_to_repos script was not working as expected: some binaries from the rubygems package were not being copied over to my local APT repository. After some debugging, I found that the issue was that the script was using the version number of the source package to determine which binaries to copy. In the case of rubygems, some of the binaries have a different version number than the source package, and so the script was skipping those binaries. I documented the issue in a LP bug, and later submitted a fix as well.

Demonstrated understanding of required tools and systems

I am familiar with using the Ubuntu CVE Tracker to track the status and details of vulnerabilities. Here are some merge requests that I have created as part of the vulnerability patching workflow:

• Triaging
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/489280
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/491996
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/492391
• Assigning
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/486775
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/492716
• Updating after USN
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/492149
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/492408
  • https://code.launchpad.net/~ej7367/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/492549

I am also familiar with how to use the scripts and libraries in the QA Regression Testing repository to validate security fixes and test for potential regressions. I have contributed both new test scripts and added additional test cases for existing scripts. Some examples are given below:

• test-libxslt.py: Added a new test case to an existing script to test the patch for CVE-2023-40403.
• test-libetpan.py: Added a new script that uses the testlib_dovecot library to test the functionality of the libetpan package.
• test-node-sha.js.py: Added a new script with functionality tests as well as a reproducer for CVE-2025-9288.
• test-fort-validator.py: Added a new script that runs the upstream test suite for fort-validator, with some additional test cases to test basic functionality.

Finally, I have contributed some small bug fixes to the various tools that are used by the team:

• QA Regression Testing: Fixed an issue when running certain QRT scripts in the Launchpad CI pipeline.
• Ubuntu Security Tools: Fixed an issue when running the copy_sppa_to_repos script with certain packages.
  • This fix unfortunately introduced a regression in a differerent script that relied on copy_sppa_to_repos. Fortunately, I was able to merge a fix for the regression shortly after it was discovered.
• Ubuntu CVE Tracker: Fixed a bug with the --releases argument in the gen_template.py script for USNs.

Continued, on-going security updates

As a member of the Security Engineering team at Canonical, I will continue to work on security updates on a regular basis.

Demonstrated responsive and respectful communication

I have signed the Ubuntu Code of Conduct.

I regularly monitor Launchpad bugs for packages I have patched, as well as relevant mailing list announcements, looking for possible regressions. To date, there have not been any reported regressions arising from my security updates. However, one of my updates to the Ubuntu Security Tools repository did cause a regression. In that case, I responded quickly and was able to resolve the issue shortly after it was reported to me.

I also participate regularly in the review process for new USNs, tooling changes, and documentation by providing (and responding to) feedback in a respectful manner.

Demonstrated understanding of the responsibility of ~ubuntu-security membership

I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.

Additional contributions to Ubuntu security

I have also made some contributions to the Ubuntu security documentation:

• I expanded the existing page on No Open Ports.
• I am currently working on a new page that discusses best practices related to Unnecessarily Open Ports.

Thanks for taking the time to read through my application! I’d be happy to answer any additional questions that you may have.

+1 from me. Edwin has proven to be a valuable member of the Security Team. Thanks for your work and contribution, keep it going !

+1 from me for Edwin to join ~ubuntu-security. Throughout the time here Edwin has demonstrated proficiency in handling security updates and many different edge cases that may arise with them. Therefore, I see no reason as to why he shouldn’t get the membership. Thank you for your commitment!

+1 from me for Edwin’s acceptance into ~ubuntu-security. Since he has joined Canonical he has taken on many challenges and proven to be an effective and valuable member of the team. Thanks for all your hard work!

+1 for Edwin’s application for ~ubuntu-security membership.

+1 from me to support @ej7367 's application to join ~ubuntu-security. He consistently produced great work with each contribution

+1 from me for @ej7367 to join ~ubuntu-security.

+1 from to for @ej7367 to join ~ubuntu-security

Thank you @ej7367 for your application, and thank you to everyone who gave feedback on the application. Voting is now closed.

The following votes were cast by existing Ubuntu Security members:

@rodrigo-zaiden: +1
@hlibk: +1
@elisehdy : +1
@iconstantin: +1
@0xnishit: +1
@shishirsub10: +1
@ebarretto: +1

The application is approved with a balance of 7 affirmative votes making up 100% of the total votes cast.

A big thanks to @john-breton for guiding Edwin!

Congratulations and welcome Edwin Jiang! You will be added to the Ubuntu Security team, please exercise caution with your new rights.

Thanks,
Eduardo Barretto

Congratulations @ej7367!!! To avoid bias I refrained from voting but I was fully convinced you would be approved. Your work ethic and patching cadence has been excellent and it has been great to see you settle into the role and contribute to the team. Wooooo!!!