
Red Hat files for software patents

Slashdot is discussing a Linux Weekly News report that Red Hat is filing for software patents related to the Tux web server.

Conectiva: ‘mailman’ Cross site scripting vulnerability

Conectiva: “Barry A. Warsaw announced[2] a new version of mailman that fixes two cross site scripting vulnerabilities. According to this announcement, “office” reported such a vulnerability in the login page, and Tristan Roddis reported one in the Pipermail index summaries. Mailman version 2.0.11 addresses both problems.”

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : mailman
SUMMARY   : Cross site scripting vulnerability
DATE      : 2002-05-24 18:35:00
ID        : CLA-2002:489
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 Mailman[1] is a mailing list manager.

 Barry A. Warsaw announced[2] a new version of mailman that fixes two
 cross site scripting vulnerabilities.

 According to this announcement, "office" reported such a
 vulnerability in the login page, and Tristan Roddis reported one in
 the Pipermail index summaries.

 Mailman version 2.0.11 addresses both problems.


SOLUTION
 It is recommended that all mailman users upgrade their packages.


 REFERENCES
 1. http://www.list.org
 2. http://mail.python.org/pipermail/mailman-announce/2002-May/000042.html


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mailman-2.0.11-2U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mailman-2.0.11-2U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mailman-2.0.11-2U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mailman-2.0.11-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mailman-2.0.11-1U8_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mailman-2.0.11-1U8_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD4DBQE87rJT42jd0JmAcZARAoroAJimLJrL5oIZzcJENPrJiDfUdPu+AKCC+nOT
3EyR0Y0KJmjyS6mvJoDS1w==
=mtbd
-----END PGP SIGNATURE----- 
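The advisory names the bug class (cross site scripting in a login page and in archive index summaries) but, like the upstream announcement it cites, does not show code. The following is an added illustration of that class and its fix, not Mailman's code: the page fragments, the `message` parameter and all function names are invented for the example. It shows the vulnerable pattern (a request parameter copied into the page unchanged) next to the hardened one (every untrusted value escaped for the HTML context it lands in), and applies the same rule to mail subjects rendered in an archive index, since those come from anyone who can post to the list.

```python
"""Reflected XSS in a mailing-list web UI: unsafe rendering beside the fix.

Added example; not Mailman's code. Templates, parameter and function
names are invented for illustration.
"""
import html
from urllib.parse import parse_qs


def render_login_unsafe(query_string: str) -> str:
    """Vulnerable pattern: a request parameter is copied straight into the
    page (here to tell the user why they were sent to the login form)."""
    params = parse_qs(query_string)
    message = params.get("message", [""])[0]
    return f"<form method=post><p>{message}</p></form>"


def render_login_safe(query_string: str) -> str:
    """Hardened pattern: the untrusted value is HTML-escaped before it is
    placed in a text node; quote=True also makes it safe in attributes."""
    params = parse_qs(query_string)
    message = html.escape(params.get("message", [""])[0], quote=True)
    return f"<form method=post><p>{message}</p></form>"


def render_index_safe(subjects) -> str:
    """Archive index summary (Pipermail-like): subjects come from e-mail
    headers, so they are untrusted too. The same value is used both as a
    text node and inside a quoted attribute; escaping covers both."""
    rows = []
    for subj in subjects:
        esc = html.escape(subj, quote=True)
        rows.append(f'<li><a href="#" title="{esc}">{esc}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"


def contains_active_markup(page: str) -> bool:
    """Crude check used here to compare the two renderings: does the page
    contain a raw <script tag or an attribute breakout from the test input?"""
    lowered = page.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


# Constructed sample inputs for the demonstration (not from the advisory).
PAYLOAD_TEXT = "message=<script>alert(1)</script>"
PAYLOAD_ATTR = 'x" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_login_unsafe(PAYLOAD_TEXT))   # script tag survives intact
    print(render_login_safe(PAYLOAD_TEXT))     # &lt;script&gt; is inert text
    print(render_index_safe(["Hello list", PAYLOAD_ATTR]))
```

The escaping has to happen at output time, in the context where the value is written; validating input on the way in does not help for values such as subject lines that arrive by e-mail rather than through the web form.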


File locking local denial of service: Impact on Sendmail

LinuxSecurity.com has an article which “discusses how sendmail currently handles file locking and how it will change in future versions.” “Any application which uses either flock() or fcntl() style locking or other APIs that use one of these locking methods (such as open() with O_EXLOCK and O_SHLOCK) on files readable by other local untrusted users may be susceptible to local denial of service attacks.”
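The quoted condition is the whole issue: a shared lock needs only read access, so whoever can read a file a daemon locks can also contend for that lock. The following added example (not code from the article or from sendmail; file names and function names are the example's own) turns that condition into two defender-side checks: an audit that lists lock targets readable by group or world, and a non-blocking probe that tells whether some other process currently holds a conflicting fcntl() lock, demonstrated against a child process holding one on a constructed temporary file.

```python
"""Auditing daemon lock targets for the local denial-of-service exposure
described above.

Added example; not from the LinuxSecurity.com article or from sendmail.
Any local process that can open a file for reading can contend for
fcntl()/flock() locks on it, so a daemon that locks a file readable by
untrusted users can be stalled by them. The functions below (names and
sample files are this example's own) report which lock targets are
readable by others and whether a conflicting lock is held right now.
"""
import fcntl
import os
import signal
import stat
import tempfile


def readable_by_others(path: str) -> bool:
    """True if group or world read permission is set: every user in that
    set can open the file read-only, which is all a shared lock needs."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_lock_targets(paths):
    """Return the existing paths whose locks untrusted local users could hold."""
    return [p for p in paths if os.path.exists(p) and readable_by_others(p)]


def lock_held_by_other_process(path: str) -> bool:
    """Probe with a non-blocking shared fcntl() lock and release it at once.
    EAGAIN/EACCES means another process holds a conflicting exclusive lock.
    Only fcntl()-style locks are visible here; on Linux flock() is separate."""
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return False
    except (BlockingIOError, PermissionError):
        return True
    finally:
        os.close(fd)


def probe_while_locked(path: str) -> bool:
    """Detection demo: a child process holds an exclusive lock on path while
    the parent probes it, which is what a stalled daemon would observe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:  # child: take the lock, report readiness, wait to be killed
            os.close(r)
            fd = os.open(path, os.O_RDWR)
            fcntl.lockf(fd, fcntl.LOCK_EX)
            os.write(w, b"locked")
            signal.pause()
        finally:
            os._exit(0)
    os.close(w)
    os.read(r, 6)  # block until the child reports that it holds the lock
    os.close(r)
    try:
        return lock_held_by_other_process(path)
    finally:
        os.kill(pid, signal.SIGTERM)
        os.waitpid(pid, 0)


def make_sample_targets():
    """Constructed lock targets: one private (0600) and one world-readable (0644)."""
    tmp = tempfile.mkdtemp()
    private = os.path.join(tmp, "private.db")
    shared = os.path.join(tmp, "shared.db")
    for path, mode in ((private, 0o600), (shared, 0o644)):
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return private, shared


if __name__ == "__main__":
    private, shared = make_sample_targets()
    print("exposed to untrusted lockers:", audit_lock_targets([private, shared]))
    print("shared.db locked right now:", lock_held_by_other_process(shared))
    print("shared.db while another process holds it:", probe_while_locked(shared))
```

The mitigation the audit points at is the one the quoted sentence implies: keep locked files (or a dedicated lock file) unreadable by users the daemon does not trust, so that read access, and with it lock contention, is limited to the daemon's own account or group.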


Conectiva: ‘imap’ remote vulnerability advisory

Conectiva: “Marcell Fodor published a remote buffer overflow
vulnerability in the IMAP server. This vulnerability can be
exploited by a remote attacker after he or she has been successfully
authenticated by the server. Arbitrary code could then be executed,
but with the privileges of the authenticated user.”


--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE   : imap
SUMMARY   : Remote buffer overflow
DATE      : 2002-05-24 11:32:00
ID        : CLA-2002:487
RELEVANT
RELEASES  : 6.0, 7.0, 8

-------------------------------------------------------------------------

DESCRIPTION
 "imap"[4] is a package that contains POP2, POP3 and IMAP servers
 developed at the University of Washington (UW).

 Marcell Fodor published[1] a remote buffer overflow
 vulnerability[2][3] in the IMAP server. This vulnerability can be
 exploited by a remote attacker after he or she has been successfully
 authenticated by the server. Arbitrary code could then be executed,
 but with the privileges of the authenticated user.

 This vulnerability only affects the IMAP server available in this
 package.

 The updated packages have been fixed with the patch made available by
 the author[5].


SOLUTION
 It is recommended that all imap users upgrade their packages.

 After the upgrade, no restart is necessary since these servers are
 handled by inetd or xinetd.


 REFERENCES
 1. http://www.freeweb.hu/mantra/05_2002/uw-imapd.html
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379
 3. http://online.securityfocus.com/bid/4713
 4. http://www.washington.edu/imap/
 5. http://online.securityfocus.com/archive/1/272030/2002-05-07/2002-05-13/2

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES 
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/imap-2000c-10U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-static-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-doc-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/imap-2000c-10U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-static-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-doc-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/imap-2000c-12U8_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-static-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-doc-2000c-12U8_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr]  ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at  http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at  http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at 
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br


The business of embedded Linux

In this opinion column at LinuxDevices.com, Steven J. Vaughan-Nichols offers a perspective on the business side of the Embedded Linux Market. Vaughan-Nichols sees ‘consolidation’ in his crystal ball. Who will win? Who will lose? Read more here.

Why Linux?

Author: Benjamin D. Thomas

“This document started out as a justification for producing another Linux distribution. However, the Simple End-User Linux project (SEUL) has changed
their goals from being a distribution project to working on the non-technical aspects of bringing Linux to end-users — Linux in education, advocacy
documents, managing and coordinating communications between projects, coordinating feedback from end-users, and hosting related development projects.
“However, this document is still very useful as a description of the reasons for why Linux should be considered as an alternative to other
(particularly proprietary) operating systems. In broadest terms, there are four categories under which this justification falls:
1. Problems with existing systems
2. Technical merits of Linux
3. Deficiencies of current Linux distributions
4. Advantages of commercial systems”

Defining a true Internet operating system at the O’Reilly Emerging Technology Conference

Nearly 500 programmers, technologists, and “alpha
geeks” from all over the world gathered for the O’Reilly Emerging
Technology Conference, held at the Westin Santa Clara, May 13-16.
Building on last fall’s Peer-to-Peer & Web Services Conference held in
Washington, DC, the 2002 edition featured ideas and projects that are
literally taking computing into uncharted territory.
Explains conference host Tim O’Reilly, O’Reilly & Associates founder
and president, “The fundamental message of the conference is that we’re
facing a tectonic shift in the focus of the computer industry, from the
PC era into the true internet era, in which the Internet is no longer
an add-on to the PC, but itself the platform. Peer-to-peer networking,
web services, and new user interface and software development paradigms
for distributed computing are coming together as we begin the job of
defining a true internet operating system. Hackers show the way; they
stretch the boundaries of what’s possible. Entrepreneurs follow, then
tools and platform vendors, and eventually ordinary users take for
granted what was once rich and strange.”

Feeling “the buzz” in the atmosphere of the O’Reilly Emerging
Technology Conference, O’Reilly quoted Arthur C. Clarke, “Any
sufficiently advanced technology is indistinguishable from magic.” It
was indeed a magical scene, unimaginable even a few years ago.
Attendees clustered in the Westin Santa Clara’s lobby, poolside, and in
sessions, blogging away, blissfully untethered. Tutorials illustrated
constructing wireless equipment from potato chip cans. FBI agents,
Fortune 500 executives, accordion players, 15-year-olds, 60-somethings,
and computing based on ants and the autonomic nervous system all found
equal welcome at the conference, which reluctantly broke camp last
week. Highlights of the conference include:

  • Dr. Lawrence Lessig and members of his Creative Commons team were on
    hand to officially launch their project, a web-based licensing system
    designed to ease the sharing of creative works on terms less
    restrictive than copyright.
  • Google engineer Nelson Minar described the real-world experience of
    building and executing a major web service in his “Deploying the Google
    Web APIs Service” session.
  • Eric Bonabeau’s ideas of swarm intelligence, a model for computing
    based on insect behavior, where autonomy, emergence, and distributed
    functioning replace control, preprogramming, and centralization.
  • Rob Flickenger continued to spread the joy of building wireless
    community networks.
  • The release of Clay Shirky’s “Planning for Web Services: Obstacles and
    Opportunities” research report.
  • IBM’s Almaden Research Center Director Robert Morris called for more
    autonomic computing: designing and building computing systems capable
    of running themselves and adjusting to varying circumstances, much as
    our own autonomic nervous systems regulate and protect our bodies.
  • A first look at Brian McConnell’s Worldwide Lexicon Project, an open
    source P2P effort whose goal is to build a comprehensive translations
    dictionary spanning most human languages.
  • Bruce Schneier’s suggested solutions for corporate network security
    issues using detection, response, and deterrence.
  • The ever-provocative Dave Winer digging deep into his Radio Userland
    Weblogging tool and just-out Radio Community Server.

Concludes program chair Rael Dornfest, “We organized this conference
— as we try to do with all of our conferences — to play a role in
distributing the future. ‘Emerging Technology’ is a broad term, but the
pieces we fitted together in these four days make up what we predict
will be the foundation of the future: the internet operating system.
The work being pioneered by thousands of individual hackers and
entrepreneurs will, without question, be integrated into a standardized
platform that enables the next generation of internet applications.”

Exhibition and sponsorship
If you are interested in sponsoring or exhibiting at a future
conference, contact Andrew Calvo at 707-827-7176, or
andrewc@oreilly.com.

Additional resources
Conference information can be viewed at
http://conferences.oreilly.com/etcon2002/

For complete conference coverage, including audio recordings of the
keynote presentations, visit http://www.oreillynet.com/et2002/

For session presentation information, see
http://conferences.oreillynet.com/pub/w/18/presentations.html

For information on the “Planning for Web Services: Obstacles and
Opportunities” research report by Clay Shirky, see
http://www.oreilly.com/catalog/wsrep/

For details on Rob Flickenger’s “Building Wireless Community Networks,”
visit http://www.oreilly.com/catalog/wirelesscommnet/

Read O’Reilly Network’s DevCenters related web services, P2P, and
wireless articles at http://www.oreillynet.com/

For information on the upcoming O’Reilly Open Source Convention and the
O’Reilly Mac OS X Conference, see http://conferences.oreilly.com/

Words about the conference

“The O’Reilly Emerging Technology Conference was the most worthwhile
business travel I’ve done: the most intellectually stimulating, and the
most educative.”
–Michael Muchmore, Associate Editor, PC Magazine, May 20, 2002

“…the O’Reilly Emerging Technology Conference…saw hundreds of the
world’s top technologists, hackers and alpha geeks converge on Silicon
Valley to discuss the future of internet based technologies.”
–Ben Hammersley, The Guardian, May 20, 2002

“The O’Reilly Emerging Technology Conference was like four semester
beginnings all rolled into three days. Lots of stuff to think about,
digest, explore, etc. Most of all, I feel like this is my world, and
not just for the next 14 weeks. I’ve been given a syllabus to follow;
the future is uncertain but the path is clear. Best…conference ever.”
–kottke.org, May 17, 2002

“I had a great time and I keep hearing from people about how they did
too–or how much they wish they’d gone. It’s incredible how many blogs
are talking about loving the conference and having a great time. I
can’t think of a much better summer camp for geeks. Well done!”
–Marc Hedlund, May 2002

“Thanks very much for the outstanding Emerging Technology Conference
last week. It was the best conference I can remember being to, and I’ve
been to a few. The combination of researchers, geeks, and business
types added a depth to the conference that I’ve not seen before. I am
so impressed that I’m going to require that all of the researchers and
analysts who work for me attend next year’s. Again, thanks.”
–James Meacham, Vice President, Manager, Emerging Technologies,
Washington Mutual, May 20, 2002

About O’Reilly
O’Reilly & Associates is the premier information source for
leading-edge computer technologies. The company’s books, conferences,
and web sites bring to light the knowledge of technology innovators.
O’Reilly books, known for the animals on their covers, occupy a
treasured place on the shelves of the developers building the next
generation of software. O’Reilly conferences and summits bring alpha
geeks and forward-thinking business leaders together to shape the
revolutionary ideas that spark new industries. From the Internet to
XML, open source, .NET, Java, and web services, O’Reilly puts
technologies on the map. For more information: http://www.oreilly.com

O’Reilly is a registered trademark of O’Reilly & Associates, Inc. All
other trademarks are property of their respective owners.

An interview with Dr. Edgar Villanueva

LinuxJournal.com’s interview starts this way: “Dr. Edgar Villanueva has recently become somewhat of a celebrity in the Free Software and Open Source communities as a result of his legislative efforts favoring free software and his highly publicized, well informed and eloquent response to a Peruvian Microsoft executive’s letter. Much of the media coverage has focused on the letter and the response. An important part of the story, however, is how the proposal started and how it’s garnered support.”

Linux installation gets friendlier

From Forbes (via Yahoo.com): “A couple of years ago installing Linux was an exercise in nonstop profanity. This time when I tried two different versions, both worked — mostly.” The reviewer installs Red Hat 7.3 and Desktop/LX. Here’s a sample of his objections: “Though Linux can be installed alongside Windows so that you can choose either system at startup, neither Desktop/LX nor Red Hat includes Windows software to make that kind of installation easy.” Huh?

