
Judge sets scene for battle over modular Windows

The Register writes “Microsoft trial judge Colleen Kollar-Kotelly yesterday allowed the unsettling states to introduce evidence indicating that a modular version of Windows, based on XP Embedded, was possible. The evidence, in the shape of testing consultant James Bach, is a late entrant, but the judge nevertheless allowed it, saying ‘I’m going to allow Mr. Bach’s testimony primarily for the reason that I think the information should be presented to the court, that I should have it.’”

SuSE Linux Announcement: sysconfig

SuSE: “The ifup-dhcp script which is part of the sysconfig package is responsible
for setting up network-devices using configuration data obtained from a
DHCP server by the dhcpcd DHCP client. It is possible for remote attackers
to feed this script with evil data via spoofed DHCP replies for example.
This way ifup-dhcp could be tricked into executing arbitrary commands as
root. The ifup-dhcp shellscript has been fixed to not source the file
containing the possible evil data anymore.”


____________________________________________________________________________

                        SuSE Security Announcement

        Package:                sysconfig
        Announcement-ID:        SuSE-SA:2002:016
        Date:                   Wed May  8 12:00:00 MEST 2002
        Affected products:      8.0
        Vulnerability Type:     remote command execution
        Severity (1-10):        4
        SuSE default package:   Yes.
        Other affected systems: No.

    Content of this advisory:
        1) security vulnerability resolved: Quotation problem in ifup-dhcp.
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

____________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    The ifup-dhcp script which is part of the sysconfig package is responsible
    for setting up network-devices using configuration data obtained from a
    DHCP server by the dhcpcd DHCP client. It is possible for remote attackers
    to feed this script with evil data via spoofed DHCP replies for example.
    This way ifup-dhcp could be tricked into executing arbitrary commands as
    root. The ifup-dhcp shellscript has been fixed to not source the file
    containing the possible evil data anymore.
    Even though the sysconfig package is installed by default, this problem
    only affects systems with certain dhcp network-setups so only users using
    DHCP should update their sysconfig package.

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

    i386 Intel Platform:

    SuSE-8.0
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/sysconfig-0.23.14-60.i386.rpm
      4d6a9f1a3e1a461ebbea9a6e98f4e894
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sysconfig-0.23.14-60.src.rpm
      d0fdfe02cfc9b7fc32fed8da6c16cf9d

____________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - mozilla/netscape
    The mozilla browser in version 0.9.7 or higher and the netscape browser
    in version 6.1 or higher contain a flaw which allows remote sites
    to read arbitrary files if the user running the browser has the
    permission to do so. Fixed packages for the mozilla browser will be
    available soon on our ftp-servers. Patches for the affected netscape
    browser are not yet available due to missing fixes from Netscape.

    - xpilot
    It has been reported that the xpilot server contains a buffer-overflow
    which allows remote attackers to execute arbitrary commands as the user
    running the server. The overflow has been fixed and new xpilot packages
    are available on our ftp-servers. Please update to the newest xpilot
    packages if you used to run this program.

____________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SuSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We disrecommend to subscribe to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SuSE in rpm packages for SuSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the toplevel directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

  - SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    =====================================================================
    SuSE's security contact is <security@suse.com> or <security@suse.de>.
    The <security@suse.de> public key is listed below.
    =====================================================================
____________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the cleartext signature shows proof of the
    authenticity of the text.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Category:

  • Security
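
The fix the advisory describes, no longer sourcing the file that holds DHCP-supplied data, comes down to reading that file as data and validating each value. The following is an added example, not code from the SuSE sysconfig package: the key names (IPADDR, NETMASK, GATEWAY, DOMAIN, HOSTNAME), the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: treat a DHCP client info file as data, never as shell code.
# Key names are assumed dhcpcd-style names; they are not listed in the advisory.

# Constructed sample of an info file as a spoofed DHCP reply could shape it:
# two values carry shell syntax that would run if the file were sourced.
write_sample_info() {
    cat > "$1" <<'EOF'
IPADDR=192.0.2.10
NETMASK=255.255.255.0
DOMAIN='example.test$(touch "$MARKER")'
HOSTNAME=host1; touch "$MARKER"
EOF
}

# Pre-fix pattern described in the advisory (shown only as a comment):
#     . "$info_file"      # every line of the file is executed as root
#
# get_dhcp_value FILE KEY
# Prints the value of KEY if it passes an allow-list check; returns 1 otherwise.
get_dhcp_value() {
    gdv_file=$1
    gdv_key=$2
    # Only known keys are looked up, so KEY is safe to place in the sed pattern.
    case $gdv_key in
        IPADDR|NETMASK|GATEWAY) gdv_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        DOMAIN|HOSTNAME) gdv_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' ;;
        *) return 1 ;;
    esac
    # Extract the text after "KEY=" literally; nothing is evaluated.
    gdv_raw=$(sed -n "s/^${gdv_key}=//p" "$gdv_file" | tail -n 1)
    [ -n "$gdv_raw" ] || return 1
    # Drop one pair of surrounding single quotes, if present.
    case $gdv_raw in
        \'*\') gdv_raw=${gdv_raw#\'}; gdv_raw=${gdv_raw%\'} ;;
    esac
    # Reject anything outside the expected character set (shape check only).
    printf '%s\n' "$gdv_raw" | grep -Eq "$gdv_re" || return 1
    printf '%s\n' "$gdv_raw"
}

# Stand-alone demo: report which keys of the constructed sample are accepted.
demo_info=$(mktemp)
write_sample_info "$demo_info"
for demo_key in IPADDR NETMASK DOMAIN HOSTNAME; do
    if demo_val=$(get_dhcp_value "$demo_info" "$demo_key"); then
        echo "$demo_key accepted: $demo_val"
    else
        echo "$demo_key rejected"
    fi
done
rm -f "$demo_info"
```

Values that fail validation are dropped rather than repaired, so a caller has to handle a missing DOMAIN or HOSTNAME explicitly.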

Linux multimedia

Linux Journal: “One of the greatest challenges, if you are working with Linux, is to fulfill all your multimedia needs. In this article we explore some of the available possibilities, using Red Hat version 7.2. Only the first two CDs were installed because the third CD only contains commercial software, and we don’t want to use anything commercial, only openly available software.”

Respect for IPR key to new economy?

Taipei Times: “Given all the slogans and talk about developing a ‘knowledge economy,’ it’s a good thing that the government is taking the lead in protecting intellectual property rights. However, ‘anti’ anti-piracy and ‘anti-Microsoft’ protests are emerging among Taiwan’s student, teachers and social activist groups. Why should they oppose the ‘anti-piracy’ movement? Because they have no choice but to use Microsoft software even though many of them cannot afford to buy such expensive software. The government’s crackdown is triggering a grassroots backlash.” Read more here.

Category:

  • Migration

Linux OpenGL graphics drivers for IBM Thinkpad notebooks released by Xi Graphics

PR NewsWire: “Xi Graphics, Inc. announced today the
release of eight high-performance OpenGL Linux graphics drivers for the
A31 ThinkPad Notebook Series from IBM. Four of the drivers support the
A31p ThinkPad models that have the new ATI Mobility FireGL 7800 graphics chip
and a 15 inch 1600×1200 resolution LCD panel, while the other four drivers
support the models that have the ATI Mobility RADEON(TM) 7500 graphics chips.
The A31 notebook drivers also differ in feature sets and in 2D or 2D+OpenGL
3D capabilities.” Read more in this press release.

Microsoft says penalty will let “hackers” run wild

Microsoft’s whining again about proposed antitrust penalties. The Associated Press (on Salon.com) reports: “Hackers, virus writers and software pirates could run rampant if Microsoft disclosed the technical product information that nine states have requested as an antitrust penalty, a company executive says. Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states ‘would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate’ Microsoft’s flagship software.”

Western PA LUG Installfest this weekend

Zach Paine writes, Tux-fans: On Saturday, May 11, 2002, the Western Pennsylvania Linux Users Group will be hosting an installfest in Carnegie Mellon University’s Newell-Simon Hall, room 1507. Anyone is welcome to come and get some help installing and configuring linux on their machines. There are a few requirements:
– It helps to bring your own power strip. We do have some to provide but not enough for everyone.

– Either a cdrom drive, or a network card and a floppy drive are required for the installation.

– If you intend to do a network install, try to bring some ethernet cable.

– Try to bring a distro on cd. If everyone does this we will have plenty of cd’s to go around and plenty of varieties.

– Come prepared with some basic knowledge of your system.

– $5 for pizza!

The meeting will run from 10am-5pm. Please try to arrive as early as possible. Some installs will take less than 30 minutes, but more complicated ones can take much more time. Try not to arrive too late and then expect to have your system up and running before 5. After all, by showing up early, not only do you get a nice new linux system, but also get to hang out with us cool geeks! Directions can be found on the wplug website. If you have any questions, email zman [at] wplug [dot] org.

See you there!!

zman || monkeybot || all things geek

Caldera International announces preliminary second fiscal quarter revenue results and restructuring

Caldera International, Inc., a leading provider of business solutions to small-to-medium businesses, today announced that it expects to report revenue in the range of $15.1 to $15.5 million for the second quarter ended April 30, 2002. These latest projections modify earlier projections announced at the end of the prior quarter that Caldera expected revenue to be between $16.0 and $18.0 million. Caldera cited the continued economic weakness and a slower than anticipated increase in IT spending that contributed to the revenue shortfall. Customers are continuing to expand their operations, but at a much slower pace than in past years.
Caldera will provide updated information with regard to the upcoming quarter’s revenue outlook in a press release and conference call announcing results for the second quarter on Wednesday, May 29, 2002.

Due to Caldera’s revenue shortfall and the company’s increased efficiencies, Caldera also announced a 15 percent reduction in the company’s worldwide staff, or approximately 73 employees. The reduction will broadly cover all functional and geographic areas of the company. After this reduction, the company will have a total staff of approximately 400 employees.

The company plans to streamline operations by closing offices in Chelmsford, Massachusetts and Erlangen, Germany. Caldera will continue its German operations in Munich and Frankfurt. The restructuring is another step to help the company realize its goal of achieving profitability and is expected to save the company $7.0 million on an annual basis.

“Recognizing the difficult worldwide I.T. market conditions and Caldera’s commitment to profitability, we believe that this is a necessary step to protect shareholder value in Caldera,” said Ransom Love, Chairman and CEO, Caldera International. “Since the acquisition of the SCO Server division, Caldera has eliminated $9.3 million or 42 percent in quarterly operating expenses as we continue to drive to our profitable operating model.”

In addition to the reduction in force, Caldera is also announcing the departure of the company’s chief technology officer, Drew Spencer, and Chief Legal Counsel, Harrison Colter. Both Spencer and Colter will continue consulting with the company on a part-time basis. Spencer joined Caldera in 1999 and has held several positions overseeing software development, research and engineering. Colter joined Caldera in 2001 as Caldera’s chief legal counsel.

As part of the executive reorganization, Reg Broughton, the company’s senior vice president over services and operating systems, will assume responsibilities for the company’s global operations. Broughton brings more than 25 years of experience in executing sales, marketing and operational excellence of public and private companies.

Caldera International, Inc.
Caldera International (Nasdaq: CALD) provides “Powerful Choices” for businesses through its UNIX, Linux and Volution product lines and services. Based in Lindon, UT, Caldera has representation in 82 countries and 16,000+ resellers worldwide. Caldera Global Services provides reliable localized support and services to partners and customers. For more information on Caldera products and services, visit http://www.caldera.com.

Caldera, the Caldera logos, Caldera Volution, OpenLinux, SCO and the associated SCO logo, and SCO OpenServer are trademarks or registered trademarks of Caldera International, Inc. in the U.S. and other countries. Caldera Global Services is a service mark of Caldera International, Inc. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds. All other brand or product names are or may be trademarks of, and are used to identify products or services of, their respective owners.

Forward Looking Statements
The statements set forth above include forward-looking statements that involve risks and uncertainties. The Company wishes to advise readers that a number of important factors could cause actual results to differ materially from those in the forward-looking statements. These factors include the ability of the Company to successfully meet its revenue projections, which are based in part, on the continued acceptance in the marketplace of the historical products of the acquired operations; the ability of the Company to develop and successfully introduce products integrating its products and services with those historically offered by the recently acquired operations; the ability of the Company to continue to manage its cost reductions without adversely affecting customer service and employee productivity; the ability of recently introduced and new products to operate as designed, including compatibility with various platforms in the absence of other defects; the Company’s reliance on developers in the open source community; new and changing technologies and customer acceptance of those technologies; the Company’s ability to compete effectively with other companies; failure of our brand to achieve the broad recognition necessary to succeed; unenforceability of the GNU general public license and other Open Source licenses; our reliance on third party developers of components of our software offerings; claims of infringement of third-party intellectual property rights; and disruption in the Company’s distribution sales channel. These and other factors, which could cause actual results to differ materially, are discussed in more detail in the Company’s filings with the Securities and Exchange Commission.

Ximian releases Evolution 1.0.4 and developer preview of GNOME 1.4 for HP-UX

linuxToday.com has both announcements in one convenient location. “Following the release of GNOME 1.2 for HP-UX, Ximian has been working with HP on a port of GNOME 1.4. Ximian and HP are proud to offer a developer’s preview of GNOME 1.4 for HP-UX.”
