Mrmajumder ~ubuntu-security Membership Application

Hi everyone!

I am Shafayat, applying for membership in the ~ubuntu-security Launchpad team. To support this application, I have curated a summary of my technical contributions and security-focused work below:

Team membership

I am currently a member of the following Launchpad teams.

I am also a member of a private Launchpad team.

Verified identity

I am an employee of Canonical, and my identity has been verified through a background check during the hiring process. Looking forward to meeting everyone in person during the Madrid Engineering sprint (May 2026)!

History of high-quality sponsored security updates

Over the past 4 months, I have published security updates for a variety of packages spread across different ecosystems and in-support releases. Each update involved a combination of researching vulnerabilities, backporting patches, and testing. Here is a list of the 13 Ubuntu Security Notices (USNs) that I have published till now:

  1. 2026-01-20: USN-7571-1 for “crawl” - 1 CVE (1 Critical)

  2. 2026-02-03: USN-7999-1 for “python-filelock” - 2 CVEs (2 Medium)

  3. 2026-02-25: USN-8045-1 for “ceph” - 2 CVEs (1 Medium, 1 High)

  4. 2026-02-26: USN-8065-1 for “python-authlib” - 5 CVEs (1 Medium, 4 High)

  5. 2026-03-05: USN-8077-1 for “python-bleach” - 5 CVEs (3 Medium, 1 High, 1 Critical)

  6. 2026-03-12: USN-8088-1 for “golang-github-go-git-go-git” - 5 CVEs (1 Medium, 2 High, 2 Critical)

  7. 2026-03-23: USN-8118-1 for “rust-sized-chunks” - 5 CVEs (5 High)

  8. 2026-03-26: USN-8128-1 for “libcryptx-perl” - 3 CVEs (3 Critical)

  9. 2026-04-02: USN-8147-1 for “libarchive” - 9 CVEs (3 Low, 3 Medium, 3 High)

  10. 2026-04-16: USN-8181-1 for “libowasp-esapi-java” - 3 CVEs (2 Medium, 1 Critical)

  11. 2026-04-23: USN-8194-1 for “php-league-commonmark” - 3 CVEs (3 Medium)

  12. 2026-04-28: USN-8217-1 for “node-follow-redirects” - 4 CVEs (1 Low, 1 Medium, 2 High)

  13. 2026-04-30: USN-8218-1 for “zulucrypt” - 1 CVE (1 High)

The following table shows how this set of updates covers the various Ubuntu releases:

| Package | Ecosystem | Trusty (14.04) | Xenial (16.04) | Bionic (18.04) | Focal (20.04) | Jammy (22.04) | Noble (24.04) | Questing (25.10) | Resolute (26.04) |
|---|---|---|---|---|---|---|---|---|---|
| crawl (universe) | C++ | - | esm-apps | esm-apps | esm-apps | - | - | - | - |
| python-filelock (universe) | Python | - | - | esm-apps | esm-apps | esm-apps | esm-apps | - | - |
| ceph (main) | C++ | esm-infra-legacy | esm-infra | esm-infra | esm-infra | archive | archive | archive | archive |
| python-authlib (universe) | Python | - | - | - | - | esm-apps | esm-apps | - | - |
| python-bleach (universe) | Python | - | esm-apps | esm-apps | esm-apps | - | - | - | - |
| golang-github-go-git-go-git (universe) | Go | - | - | - | - | esm-apps | esm-apps | - | - |
| rust-sized-chunks (universe) | Rust | - | - | - | esm-apps | - | - | - | - |
| libcryptx-perl (universe) | Perl | - | - | esm-apps | esm-apps | esm-apps | esm-apps | - | - |
| libarchive (main) | C | esm-infra-legacy | esm-infra | esm-infra | esm-infra | archive | archive | archive | archive |
| libowasp-esapi-java (universe) | Java | - | esm-apps | esm-apps | esm-apps | esm-apps | archive | - | - |
| php-league-commonmark (universe) | PHP | - | - | - | esm-apps | esm-apps | esm-apps | - | - |
| node-follow-redirects (universe) | JavaScript | - | - | esm-apps | esm-apps | esm-apps | - | - | - |
| zulucrypt (universe) | C, C++ | - | - | - | esm-apps | esm-apps | esm-apps | - | - |

These updates have provided a diverse set of challenges and learning opportunities. Some notable ones are described below, along with the steps that I took to troubleshoot and resolve the issues:

  • While researching CVE-2023-40403 for USN-7600-1, I found that at first glance it seemed this CVE affected xenial. But upon further digging, I found out that the scripting=False flag is a newer addition in the html5lib library that python-bleach uses. Xenial uses html5lib=0.999; however, scripting was added in this commit in v0.999999999. Through research I found that previously scripting was True by default (see these and these discussions, which were fixed in this PR). Since the patch itself sets scripting=True, I concluded that this CVE does not affect xenial. However, to be extra sure, I ran the tests for the CVE, and this version passed them by default.

  • While working on patching several vulnerabilities in golang-github-go-git-go-git, I found that the package FTBFS for jammy (5.4.2-3). I later investigated the issue and found out that the reason for this failure was a missing dependency package in jammy. This issue was further documented as a Debian bug #1027907, and later upon searching I found out that it was fixed in this commit. I documented the issue as an LP bug (#2143856) and submitted the fix as well.

  • While triaging pluxml for CVE-2024-22636, I found the patch hidden inside a release candidate, and thus had to mark the CVE as deferred. I first traced the issue to the processing of POST content in statique.php, where the POST content is handled via editStatique(). From there, I followed the flow into class.plx.admin.php, and found that at line 1371, plxUtils::sanitizePhp() is used before plxUtils::write(), which matches the vulnerable flow described in the CVE and sanitizes risky payloads (such as system) before writing. To verify whether this was part of the actual fix, I blamed the plxUtils::sanitizePhp() function and confirmed that it was introduced by this commit, which appears to fix the CVE in versions >= 5.9.0, although that version is still a release candidate. Since the package is mostly commented in French, which I’m not very familiar with, this added extra complexity. To further validate, I also locally downloaded the pluxml packages present in jammy, focal, bionic, and xenial and confirmed that in those versions the content is not sanitized before plxUtils::write(). Based on this analysis, I concluded that those Ubuntu releases remain affected and need patching, but since the patch is still in a release candidate, I had to mark the CVE as deferred in this commit. I also communicated with upstream maintainers (in #589) about the issue.

  • While working on patching several vulnerabilities in node-follow-redirects, I found that the package FTBFS for jammy (1.14.9+~1.14.1-1). I later investigated the issue and found out that the failure was an HTTP compliance issue in some of the tests. Basically, two test cases related to redirect responses were written with LF line endings instead of HTTP-compliant CRLF line endings. I documented the issue as an LP bug (#2150153) and submitted the fix in the new ESM release.

  • While researching CVE-2025-53391 for zulucrypt, I found out that the vulnerability was introduced by a Debian patch (as reported in #1108288). Later, Debian responded by simply removing the package from unstable (reported in #1126350), so there was no traditional patch commit that could be backported. This was a new situation for me, which I researched and fixed by instead removing the CVE-introducing patch in the updates.

Continued, ongoing security updates

As a member of the Security Engineering team at Canonical, I will continue to work on security updates on a regular basis.

Demonstrated understanding of required tools and systems

I am familiar with using the Ubuntu CVE Tracker to track the status and details of vulnerabilities. Here are some merge requests that I have created as part of the vulnerability patching workflow:

I am also familiar with how to use the scripts and libraries in the QA Regression Testing repository to validate security fixes and test for potential regressions. I have contributed both new test scripts and added additional test cases for existing scripts. Some examples are given below:

  • python-filelock: Added a new script to test the patch for CVE-2025-6846, as well as basic functionality.

  • crawl: Added a new script and some notes to test the patch for CVE-2020-11722.

  • ceph: Added notes to explain how to set up and test the package locally, as well as added a working PoC to test CVE-2024-47866.

  • python-authlib: Added a new script to test the patch for CVE-2024-37568, as well as basic functionality.

  • libcryptx-perl: Added a new script to test the patches for CVE-2018-25099 (two cases) and CVE-2025-40912, as well as basic functionality.

  • libarchive: Added a testcase for CVE-2025-5917 in the already existing test script.

  • libowasp-esapi-java: Added a new script to smoke test the package’s basic functionality, as well as various helper files for the library’s configuration.

  • php-league-commonmark: Added a new script to test the package’s basic functionality, as well as tests for patches of CVE-2025-46734, CVE-2026-30838 and CVE-2026-33347.

Additional contributions to Ubuntu security

I have also contributed to the Main Inclusion Review (MIR) by completing the MIR security review of rust-sequoia-sqv.

Additionally, I have contributed to the internal documentation through reviews and updates.

Finally, I have contributed to the security maintainability audit of 9 packages for an internal Canonical project.

Demonstrated responsive and respectful communication

I have signed the Ubuntu Code of Conduct.

I regularly monitor Launchpad bugs for packages I have patched, as well as relevant mailing list announcements, looking for possible regressions. To date, there have not been any reported regressions arising from my security updates.

I also participate regularly in the review process for new USNs, tooling changes, and documentation by providing (and responding to) feedback in a respectful manner.

Demonstrated understanding of the responsibility of ~ubuntu-security membership

I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.
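The CRLF framing problem from the node-follow-redirects item above, as an added Python example (not code from the package, its test suite, or the fix itself): a strict HTTP/1.1 head parser that rejects bare-LF fixtures, plus a normalizer that rewrites such fixtures to CRLF. The two response fixtures are constructed for this example.

```python
"""Strict HTTP/1.1 header framing check: lines must end in CRLF (RFC 9112)."""
import re
from typing import Dict, Tuple


def parse_http_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) for a raw response; raise ValueError
    if the head is not terminated and delimited by CRLF."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no CRLF-terminated header block found")
    lines = raw[:end].split(b"\r\n")
    for line in lines:
        # After splitting on CRLF, any stray CR or LF is a bare terminator.
        if b"\r" in line or b"\n" in line:
            raise ValueError(f"bare CR/LF inside header line: {line!r}")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    return int(status[1]), headers


def normalize_line_endings(raw: bytes) -> bytes:
    """Rewrite bare LF to CRLF without doubling existing CRLF sequences."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", raw)


def check_fixture(raw: bytes) -> str:
    """Classify a redirect fixture as compliant or rejected."""
    try:
        code, headers = parse_http_head(raw)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: {code} -> {headers.get('location')}"


# Constructed fixtures: a compliant redirect and the same one with LF endings.
GOOD_FIXTURE = b"HTTP/1.1 302 Found\r\nLocation: /target\r\nContent-Length: 0\r\n\r\n"
LF_FIXTURE = b"HTTP/1.1 302 Found\nLocation: /target\nContent-Length: 0\n\n"

if __name__ == "__main__":
    print(check_fixture(GOOD_FIXTURE))                          # ok: 302 -> /target
    print(check_fixture(LF_FIXTURE))                            # rejected: ...
    print(check_fixture(normalize_line_endings(LF_FIXTURE)))    # ok: 302 -> /target
```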

+1 from me to support @mrmajumder’s application to join ~ubuntu-security. The evidence provided clearly demonstrates that he is meeting the expected requirements. Thanks for contributing to Ubuntu’s security!

+1 from me for @mrmajumder to join ~ubuntu-security. Shafayat has demonstrated great patching commitment by learning the team’s processes quickly, while also contributing to testing and tooling improvements. Looking forward to seeing you in Madrid!

@mrmajumder has delivered several high-quality security updates, actively participates in the USN review process, and has also made significant contributions to several of the team’s other initiatives. +1 from me!

This is also an easy +1 from me to accept @mrmajumder’s application to join ~ubuntu-security. He has quickly become a valuable member of the team, making many significant contributions to patching, tooling updates, and other internal projects. Thank you for all the hard work!

+1 from me, @mrmajumder has done a great job publishing package security updates and reviewing team member USNs. Also kudos on such a well written post demonstrating your attention to detail!

+1 from me for @mrmajumder to join ~ubuntu-security – he’s been working on increasingly complex tasks and asking good questions throughout.

+1 from me for @mrmajumder.
Shafayat has demonstrated lots of skills and talent and put in a lot of work, which can be seen in his application. I’m looking forward to seeing what you achieve next!

Thank you @mrmajumder for your application, and thank you to everyone who gave feedback on the application. Voting is now closed.

The following votes were cast by existing Ubuntu Security members:

@federicoquattrin +1
@hlibk +1
@ej7367 +1
@elisehdy +1
@bruce-cable +1
@sarnold +1
@ebarretto +1

The application is approved with a balance of 7 affirmative votes making up 100% of the total votes cast.

Congratulations and welcome Shafayat! I have added you to the Ubuntu Security team, please exercise caution with your new rights.

Thanks,
Eduardo