Verified identity
I'm a member of ~canonical-security, and my identity was verified when I joined Canonical as an employee on 8 Apr 2024 and during the 24.04 sprint.
Security Updates
Please find below some of the security updates I did:
- Cryptojs: USN-6753-1: CryptoJS vulnerability | Ubuntu security notices | Ubuntu
- Libspreadsheet-parse-excel: USN-6781-1: Spreadsheet::ParseExcel vulnerability | Ubuntu security notices | Ubuntu
- Tpm2-tss: https://ubuntu.com/security/notices/USN-6796-1
- Libphp-adodb: USN-6825-1: ADOdb vulnerabilities | Ubuntu security notices | Ubuntu
- Tomcat7: USN-6908-1: Tomcat vulnerabilities | Ubuntu security notices | Ubuntu
- Php-cas (collab with debian): USN-6913-1: phpCAS vulnerability | Ubuntu security notices | Ubuntu and https://ubuntu.com/security/notices/USN-6913-2
- Ocsinventory-server (collab with debian): USN-6914-1: OCS Inventory vulnerability | Ubuntu security notices | Ubuntu
- Curl: USN-6944-2: curl vulnerability | Ubuntu security notices | Ubuntu
- Postgresql-9.5: USN-6968-2: PostgreSQL vulnerability | Ubuntu security notices | Ubuntu
- Puma: USN-7031-2: Puma vulnerability | Ubuntu security notices | Ubuntu
In addition, I opened and fixed these LP bugs in tomcat7:
- Tomcat7 FTBFS: Bug #2071856 "Tomcat7 fails to build from source due to the late..." : Bugs : tomcat7 package : Ubuntu
I opened this bug in OpenJDK, which is related to the tomcat7 bug: Bug #2071855 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled afte..." : Bugs : openjdk-7 package : Ubuntu
In the following table, you can see how they cover the various supported Ubuntu releases:
| Package | Ubuntu 14.04 | Ubuntu 16.04 | Ubuntu 18.04 | Ubuntu 20.04 | Ubuntu 22.04 | Ubuntu 23.10 | Ubuntu 24.04 | Ubuntu 24.10 |
|---|---|---|---|---|---|---|---|---|
| Cryptojs (universe) | n/a | esm | esm | archive | esm | n/a | n/a | n/a |
| Libspreadsheet-parse-excel (universe) | esm | esm | esm | archive | archive | n/a | n/a | n/a |
| Tpm2-tss (main) | n/a | n/a | n/a | archive | archive | archive | archive | See notes below (*) |
| Libphp-adodb (universe) | n/a | esm | esm | esm | archive | n/a | n/a | n/a |
| Tomcat7 (main only in trusty) | esm | esm | esm | n/a | n/a | n/a | n/a | n/a |
| Php-cas (universe) | n/a | esm | n/a | archive | archive | n/a | n/a | n/a |
| Ocsinventory-server (universe) | n/a | n/a | n/a | n/a | archive | n/a | n/a | n/a |
| Curl (main) | esm | esm | esm | n/a | n/a | n/a | n/a | n/a |
| Postgresql (main) | n/a | esm | n/a | n/a | n/a | n/a | n/a | n/a |
| Puma (universe) | n/a | n/a | n/a | esm | esm | n/a | n/a | n/a |
(*) As recommended by a senior security team member, I contacted Gianfranco Costamagna through IRC since this person was the last one to merge tpm2-tss. I asked if they planned to upload a security update to oracular proposed.
Troubleshooting
While doing CVE patching, here are a few situations that I faced:
Tomcat7
While trying to patch tomcat7 for trusty, I found it was FTBFS in the test suite. After my research, I found out the reason for the failure was related to updates on the supported ciphers of OpenJDK since the last time the package was built. I opened these two LP bugs: Bug #2071856 "Tomcat7 fails to build from source due to the late..." : Bugs : tomcat7 package : Ubuntu (tomcat) and Bug #2071855 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled afte..." : Bugs : openjdk-7 package : Ubuntu (OpenJDK), and fixed the FTBFS issue by adding the missing ciphers back to the test suite only.
Php-cas / Ocsinventory-server
The update that I worked on for this package was a collaboration with Debian (php-cas). While working on it, I found several issues that prevented the package from being successfully built or operating normally:
- The version of ocsinventory-server for Jammy was incompatible with PHP 8.1, which we distribute in Jammy.
- Although the backend feature for logging via CAS was present, the package was missing some features that enabled users to select it.
- ocsinventory-server has a vendored php-cas version which should also be patched, and we were not tracking it.
I also found that Moodle (another source package not related to this collaboration) had a vendored version of php-cas so I updated the CVE to reflect that. See CVE-2022-39369 | Ubuntu. In addition, I created an MR to create a boilerplate for php-cas: https://code.launchpad.net/~federicoquattrin/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/470102.
Postgresql
While patching Postgresql, I found that the software FTBFS. After some research, we found that the root issue was that my system used a different locale than en_US. During build time, postgresql expects the system to have the en_US locale. To fix this issue, I had to jump into my schroot and execute `locale-gen en_US en_US.UTF-8 es_AR.UTF-8` and then `dpkg-reconfigure locales`.
Tools
I have demonstrated an understanding of QRT by creating the internal documentation and by opening the following MP that created new test suites for the packages:
- Cryptojs:
- Libphp-adodb:
- Cjson:
I have gathered experience with UCT by assigning and updating CVEs as well as filling in missing package information in package_info_overrides.json. I also improved some of the checks that we have in place:
Assigned CVEs to me (limited to 5 out of 14):
- https://code.launchpad.net/~federicoquattrin/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/464224
- Merge into master : assign_CVE-2023-46233 : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : assign_CVE_2023_7101 : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : assign_tpm2-tss_CVEs_to_federicoquattrin : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : assign_libphp-adodb_to_federicoquattrin : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
Updated CVE data as a result of patching or triaging (limited to 5 out of 14):
- Merge into master : fixed_CVVE_2023_46233 : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : update_CVE_2023_7101 : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : update_tpm2_tss_CVEs : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : update_oracular_in_CVE-2024-29040 : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- Merge into master : update_libphp-adodb_cves : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
Update package_info_overrides.json so that new USNs can leverage this information:
- Merge into master : add_cryptojs_to_package_info_overrides : lp:~federicoquattrin/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- https://code.launchpad.net/~federicoquattrin/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/467292
Improve scripts/tools:
- Improved check-syntax to verify that esm releases have a not-affected status when the security issue has been fixed in the archive
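To illustrate the consistency rule behind the check-syntax improvement above, here is an added example (not UCT's own code, and not the check-syntax implementation itself): it models per-release status entries as a plain dict with ESM entries named `<release>/esm`, which is a simplifying assumption, and reports ESM entries that are not `not-affected` even though the base release is already fixed in the archive.

```python
"""Consistency check modelled on the rule described above (added example,
not UCT's own code): when a security issue is fixed in the archive release,
the matching ESM entry for that release should be marked not-affected.

Assumed simplified format: a dict mapping release name to (status, note),
with ESM entries named '<release>/esm'.
"""

FIXED_IN_ARCHIVE = {"released"}  # assumed status meaning "fixed in the archive"


def esm_violations(statuses):
    """Return sorted (esm_release, status) pairs that contradict the rule.

    For every '<rel>/esm' entry whose base release '<rel>' is fixed in the
    archive, the ESM entry must be 'not-affected'. Entries whose base release
    is missing or not yet fixed are left alone: the rule says nothing about them.
    """
    violations = []
    for release, (status, _note) in statuses.items():
        if not release.endswith("/esm"):
            continue
        base = release[: -len("/esm")]
        base_status = statuses.get(base, (None, ""))[0]
        if base_status in FIXED_IN_ARCHIVE and status != "not-affected":
            violations.append((release, status))
    return sorted(violations)


# Constructed sample data: xenial is fixed in the archive but its ESM line
# still says "needed" (a violation); trusty is consistent; bionic is unfixed
# everywhere, so the rule does not apply to it.
SAMPLE = {
    "trusty": ("released", "1.0-1ubuntu0.1"),
    "trusty/esm": ("not-affected", ""),
    "xenial": ("released", "1.2-3ubuntu0.2"),
    "xenial/esm": ("needed", ""),
    "bionic": ("needed", ""),
    "bionic/esm": ("needed", ""),
}

if __name__ == "__main__":
    for rel, st in esm_violations(SAMPLE):
        print(f"{rel}: expected not-affected, found {st}")
```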
I demonstrated an understanding of UST by putting in place some safeguards that will prevent us from doing work in unsupported packages:
- Add a feature to throw a warning when a package is not supported in a release:
Communications
I have signed and am following the Ubuntu Code of Conduct. As part of a collaboration with Debian for php-cas and ocsinventory-server, I interacted with Bastien Roucaries via email and shared the research results explained in the troubleshooting section.
I have also contacted upstream of wsdd as part of a MIR to discuss some package security topics.