Hello all, I would like to submit my application for membership to ~ubuntu-security. I outline relevant information below:
Team Membership
I am a member of the following teams:
- Ubuntu Security Apprentices: Member since 2024-12-02
- Canonical Security Team: Member since 2024-12-02
- Canonical: Member since 2024-12-02
As of 2025-03-05, I am also a member of a private security team.
Verified Identity
I am a member of ~canonical-security and my identity has been verified through a background check, in person, and during the onboarding process.
History of high-quality sponsored security updates
Since becoming a member of ~canonical-security, I have had the opportunity to research, backport, and test patches for a wide variety of security vulnerabilities:
USNs:
- USN-7204-1: NeoMutt vulnerabilities. 21 CVEs patched, targeting the following releases: 18.04 (bionic), 20.04 (focal), 22.04 (jammy), and 24.04 (noble).
- USN-7208-1: Apache Commons BCEL vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), and 22.04 (jammy).
- USN-7209-1: GIMP DDS Plugin vulnerabilities. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), and 22.04 (jammy).
- USN-7224-1: Cyrus IMAP Server vulnerabilities. 3 CVEs patched, targeting the following releases: 18.04 (bionic), 20.04 (focal), 22.04 (jammy), and 24.04 (noble).
- USN-7230-1: Quagga vulnerability. 1 CVE patched, targeting the following release: 18.04 (bionic).
- USN-7230-2: FRR vulnerabilities. 2 CVEs patched, targeting the following releases: 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
- USN-7247-1: OpenCV vulnerabilities. 5 CVEs patched, targeting the following releases: 18.04 (bionic) and 22.04 (jammy).
- USN-7249-1: libndp vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial) and 18.04 (bionic).
- USN-7249-1: libvpx vulnerability. 1 CVE patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), and 18.04 (bionic).
- USN-7330-1: Ansible vulnerabilities. 8 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), and 20.04 (focal).
- USN-7330-2: Ansible regression. 1 release updated (20.04 - focal) due to a regression (relevant LP bug).
- USN-7336-1: GNU Chess vulnerability. 1 CVE patched, targeting the following releases: 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
- USN-7343-1: Jinja2 vulnerabilities. 3 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), 24.10 (oracular), and 25.04 (plucky).
- USN-7343-2: Jinja2 regression. 2 releases updated (18.04 - bionic and 20.04 - focal) due to a regression (relevant LP bug).
- USN-7352-2: FreeType vulnerabilities. 2 CVEs patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), and 18.04 (bionic).
- USN-7353-1: PlantUML vulnerability. 1 CVE patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
- USN-7364-1: OpenSAML vulnerability. 1 vulnerability patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), 24.10 (oracular), and 25.04 (plucky).
- USN-7368-1: SnakeYAML vulnerability. 1 CVE patched, targeting the following releases: 14.04 (trusty), 16.04 (xenial), 18.04 (bionic), and 20.04 (focal).
- USN-7377-1: Smarty vulnerability. 1 CVE patched, targeting the following releases: 24.04 (noble) and 24.10 (oracular).
- USN-7398-1: libtar vulnerabilities. 4 CVEs patched, targeting the following releases: 16.04 (xenial), 18.04 (bionic), 20.04 (focal), 22.04 (jammy), 24.04 (noble), and 24.10 (oracular).
Security updates troubleshooting:
- While patching CVE-2022-42920 for bcel, I encountered a situation where the included test to ensure the vulnerability had been properly mitigated targeted a newer version of JUnit. Due to this, during the backporting of this patch, I manually ported the test to an earlier version of JUnit (JUnit 4) to ensure that the test would be run as part of the package build process going forward to confirm the vulnerability is not unintentionally reintroduced.
- After patching Ansible, a regression was discovered with the focal release of Ansible (see here). This occurred due to one of the patches getting improperly truncated, which caused Ansible to fail to install on focal. When I was informed of this regression, I worked to provide updates on the issue in the linked LP bug and managed to address the regression within 24 hours of it being flagged.
- After patching Jinja2, a regression was discovered with the bionic and focal releases of Jinja2 (see here). Jinja2 ships as both a Python 2 and Python 3 package in bionic and focal, and the patch only considered Python 3. To correct this issue, I backported a Python 3 function to Python 2 to ensure compatibility with older Python releases. When I was informed of this regression, I worked to provide updates on the issue in the linked LP bug and managed to address the regression within 24 hours of it being flagged.
- In a variety of instances, I have had to carefully backport patches to previous releases by manually modifying patch files to ensure they applied cleanly and correctly. This was especially true for updates targeting multiple releases, as the version differences between releases could be quite significant (e.g., Ansible’s entire project structure changed dramatically between major upstream versions, which made backporting challenging).
Continued, ongoing security updates
As a member of the Security Engineering team at Canonical, I will continue to work on security updates regularly.
Demonstrated understanding of required tools and systems
The majority of my effort has been focused on UCT, where I would engage in CVE triaging to update the tracker with information as a result of USN publications and CVE research.
Examples of this can be seen in the following merge proposals:
- Merge into master : jinja-assign : lp:~john-breton/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
- https://code.launchpad.net/~john-breton/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/480024
- Merge into master : jasperreports : lp:~john-breton/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker
In addition to UCT, I have also been active in contributing to QRT with the creation of tests to help reduce the potential for regressions in packages going forward:
- NeoMutt (Merge into master : neomutt : lp:~john-breton/qa-regression-testing : Git : Code : QA Regression Testing)
- Apache Commons BCEL vulnerability (Merge into master : libbcel-tests : lp:~john-breton/qa-regression-testing : Git : Code : QA Regression Testing)
- OpenCV (Merge into master : john-dev : lp:~john-breton/qa-regression-testing : Git : Code : QA Regression Testing)
- Jinja2 (jinja2-tests : lp:~john-breton/qa-regression-testing : Git : Code : QA Regression Testing)
I’ve also made contributions towards internal tooling and documentation. I am happy to provide further information upon request.
Demonstrated responsive and respectful communication
I have signed the code of conduct. I regularly monitor Launchpad bugs for packages I have patched, as well as relevant mailing list announcements, looking for possible regressions. In two instances I have been informed of regressions introduced following security updates I have published, and in both cases I made an effort to provide responsive communication and correct the regression within 24 hours of its initial report. While it is not realistic to achieve this turnaround for all regressions, I will continue to strive to address regressions as soon as possible while maintaining communication with relevant community members regarding the status of the work.
Demonstrated understanding of the responsibility of ~ubuntu-security membership
I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.