John-breton ~ubuntu-security membership application

Hello all, I would like to submit my application for membership to ~ubuntu-security. I outline relevant information below:

Team Membership

I am a member of the following teams:

As of 2025-03-05, I am also a member of a private security team.

Verified Identity

I am a member of ~canonical-security and my identity has been verified through a background check, in person, and during the onboarding process.

History of high-quality sponsored security updates

Since becoming a member of ~canonical-security, I have had the opportunity to research, backport, and test patches for a wide variety of security vulnerabilities:

USNs:

  • USN-7204-1: NeoMutt vulnerabilities. 21 CVEs patched, targeting the following releases: 18.04 (bionic), 20.04 (focal), 22.04 (jammy), and 24.04 (noble).
  • USN-7208-1: Apache Common BCEL vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), and 22.04 (jammy).
  • USN-7209-1: GIMP DDS Plugin vulnerabilities. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), and 22.04 (jammy).
  • USN-7224-1: Cyrus IMAP Server vulnerabilities. 3 CVEs patched, targeting the following releases: 18.04 (bionic), 20.04 (focal), 22.04 (jammy), and 24.04 (noble).
  • USN-7230-1: Quagga vulnerability. 1 CVE patched, targeting the following release: 18.04 (bionic).
  • USN-7230-2: FRR vulnerabilities. 2 CVEs patched, targeting the following releases: 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
  • USN-7247-1: OpenCV vulnerabilities. 5 CVEs patched, targeting the following releases: 18.04 (bionic) and 22.04 (jammy).
  • USN-7249-1: libndp vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial) and 18.04 (bionic).
  • USN-7249-1: libvpx vulnerability. 1 CVE patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), and 18.04 (bionic).
  • USN-7330-1: Ansible vulnerabilities. 8 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), and 20.04 (focal).
  • USN-7330-2: Ansible regression. 1 release updated (20.04 - focal) due to a regression (relevant LP bug).
  • USN-7336-1: GNU Chess vulnerability. 1 CVE patched, targeting the following releases: 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
  • USN-7343-1: Jinja2 vulnerabilities. 3 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), 24.10 (oracular), and 25.04 (plucky).
  • USN-7343-2: Jinja2 regression. 2 releases updated (18.04 - bionic and 20.04 - focal) due to a regression (relevant LP bug).
  • USN-7352-2: FreeType vulnerabilities. 2 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), and 18.04 (bionic).
  • USN-7353-1: PlantUML vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
  • USN-7364-1: OpenSAML vulnerability. 1 vulnerability patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), 24.10 (oracular), and 25.04 (plucky).
  • USN-7368-1: SnakeYAML vulnerability. 1 CVE patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), and 20.04 (focal).
  • USN-7377-1: Smarty vulnerability. 1 CVE patched, targeting the following releases: 24.04 (noble) and 24.10 (oracular).
  • USN-7398-1: libtar vulnerabilities. 4 CVEs patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).

Security updates troubleshooting:

  • While patching CVE-2022-42920 for bcel, I encountered a situation where the included test to ensure the vulnerability had been properly mitigated targeted a newer version of JUnit. Due to this, during the backporting of this patch, I manually ported the test to an earlier version of JUnit (JUnit 4) to ensure that the test would be run as part of the package build process going forward to confirm the vulnerability is not unintentionally reintroduced.
  • After patching Ansible, a regression was discovered with the focal release of Ansible (see here). This occurred due to one of the patches getting improperly truncated, which caused Ansible to fail to install on focal. When I was informed of this regression, I worked to provide updates on the issue in the linked LP bug and managed to address the regression within 24 hours of it being flagged.
  • After patching Jinja2, a regression was discovered with the bionic and focal releases of Jinja2 (see here). Jinja2 ships as both a Python 2 and Python 3 package in bionic and focal, and the patch only considered Python 3. To correct this issue, I backported a Python 3 function to Python 2 to ensure compatibility with older Python releases. When I was informed of this regression, I worked to provide updates on the issue in the linked LP bug and managed to address the regression within 24 hours of it being flagged.
  • In a variety of instances, I have had to carefully backport patches to previous releases by manually modifying patch files to ensure they applied cleanly and correctly. This was especially true for updates targeting multiple releases, as the version differences between releases could be quite significant (e.g., Ansible’s entire project structure changed dramatically between major upstream versions, which made backporting challenging).

Continued, on-going security updates

As a member of the Security Engineering team at Canonical, I will continue to work on security updates regularly.

Demonstrated understanding of required tools and systems

The majority of my effort has been focused on UCT, where I would engage in CVE triaging to update the tracker with information as a result of USN publications and CVE research.

Examples of this can be seen in the following merge proposals:

In addition to UCT, I have also been active in contributing to QRT with the creation of tests to help reduce the potential for regressions in packages going forward:

I’ve also made contributions towards internal tooling and documentation. I am happy to provide further information upon request.

Demonstrated responsive and respectful communication

I have signed the code of conduct. I regularly monitor Launchpad bugs for packages I have patched, as well as relevant mailing list announcements, looking for possible regressions. In two instances I have been informed of regressions introduced following security updates I have published, and in both cases, I made an effort to provide responsive communication and correct the regression within 24 hours of its initial report. While it is not realistic to achieve this turnaround for all regressions, I will continue to strive to address regressions as soon as possible while maintaining communication with relevant community members regarding the status of the work.

Demonstrated understanding of the responsibility of ~ubuntu-security membership

I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.

4 Likes

+1 from me. John is an awesome member of the team and would only be able to do more good with full membership.

1 Like

+1 from me for John to join ~ubuntu-security. John has demonstrated a deep understanding of the process through multiple security fixes, as well as helping with improvements along the way, including important documentation efforts. I am especially impressed with John’s handling of regressions, swiftly providing a response and fixing the issues that arose. Thank you for your commitment!

1 Like

+1 from me as well. John’s numerous contributions to the security of Ubuntu showcase his understanding of our tooling and processes, as well as his eagerness to address potential regressions.

1 Like

John has shown, through the quality of their work, that they have a solid grasp on the patching process.

They have shown good acumen in handling not only “the happy path” but also regressions.

They have tackled a varied set of packages and have made additional contributions outside of that scope for the betterment of the team.

I see no compelling reason why they should not receive a +1 on their application.

1 Like

+1 from me. John has demonstrated the desired skills and is going beyond with a great understanding of the ubuntu-security needs.

1 Like

+1 from me. John has consistently shown a deep understanding of the security process, tackling challenges with patching and regressions. Their contributions have been invaluable, from addressing regressions to improving documentation.

I have full confidence in their ability to excel as a full ubuntu-security member.

1 Like

Thank you @john-breton for your application, and thank you to everyone who gave feedback on the application. Voting is now closed.

The following votes were cast by existing Ubuntu Security members:

@juliaphoebe: +1
@hlibk: +1
@octagalland: +1
@0xdsousa: +1
@rodrigo-zaiden: +1
@sudhackar: +1

The application is approved with a balance of 6 affirmative votes making up 100% of the total votes cast.

As your onboarding mentor I’ve purposely not voted so as not to introduce bias, but as we discussed, I completely believe you are ready and I’m really happy with all the progress you’ve made since joining the team.

Congratulations and welcome John Breton! You will be added to the Ubuntu Security team; please exercise caution with your new rights.

Thanks,
Eduardo Barretto

2 Likes