Security/Meetings/SecurityAssurance/2012-06-12
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- Book London travel
- [decoder] Feedback requested on this blog post draft: https://security.etherpad.mozilla.org/SecurityBlogFuzzingTips
- [gkw] Update from Beijing
  - Biggest issues are plugins, banking/web compatibility and localization-related issues
  - Helping push along PFS bugs
- [decoder] Meeting at BSI today, lots of good discussion happening :)
- [Jesse] This week, the CrashKill & Socorro teams have gathered in Mountain View (Holodeck conference room).
  - I joined their meeting on Monday to show them how to guess whether a crash is exploitable, and when to poke me about improving fuzzers.
  - https://intranet.mozilla.org/WorkWeeks/booked/StabilityWorkWeek2012/Agenda
- [joes] Q3 goal planning underway for Opsec
- [joes] MySQL authentication flaw (CVE-2012-2122)
- [psiinon] Any feedback on my brownbag video?
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 63 (last week 51)
  - https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 27 (21)
  - https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 36 (30)
- Number of Outstanding Reviews: 185 (last week 185)
  - https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 46 (48)
  - https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 139 (137)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- Reviews trundle along.
- Permission matrix complete: https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0
Thunderbird (Dan Veditz)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- Still learning the ropes (no update)
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- Currently having a work week (without me)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] IonMonkey landing postponed (by approx. 3 weeks) because of additional feature work (scope chain) that is required.
DOM, XPConnect (Jesse Ruderman)
- [Jesse, decoder] Running domfuzzer on ASan builds now to evaluate the combination
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- [gkw] Marionette will be enabled on debug builds since we don't "officially ship" debug builds
  - Will continue to remain disabled on shipping optimized builds
Web Developer Tools (Mark Goodwin)
- DevTools are rocking. Debugger UI and Responsive mode landed, all good fun.
Networking (Christoph Diehl)
- added an SDP model for WebRTC. No publisher is available yet since there is no SDP implementation in Alder.
- added a USB model & publisher for fuzzing USB "SetupPacket" packets, so that WebUSB can potentially be fuzzed.
- added a basic MITM StateModel concept for TCP-based protocols.
- will look at bug 763922 tomorrow.
Graphics (Christoph Diehl)
- Martin Hosking provided new Graphite 2 samples, will do a quick re-run.
- no other updates
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
App Sync (David Chan)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- TellUsMore has been stopped (I don't know if that's permanent) - I'm a bit annoyed as that was a time consuming review. I may stop crying about this sometime next week.