
Large Linux clusters

Author: JT Smith

From IT Director: “One of the less commented aspects of the Linux revolution is the phenomenon of large Linux clusters. And when we say large, we mean large. This is not just a matter of bolting down a few servers together, this is about clusters of hundreds of servers.”

Category:

  • Linux

Bug-reporting standards proposed to IETF

Author: JT Smith

Computer World reports on a request for comments on a proposal to standardize the reporting of bug and security reports and the fixing of reported problems.

Category:

  • Linux

Linux Advisory Watch – February 22nd 2002

Author: JT Smith

LinuxSecurity Contributor writes “This week, advisories were released for cups, snmp, hanterm, uucp, ncurses, squid, and gnujsp. The vendors include Caldera, Conectiva, Debian, FreeBSD, and Mandrake.” You can read more here.

Category:

  • Linux

Not built here – Apple says ‘so what?’

Author: JT Smith

NewsFactor Network writes “The tendency of companies to reject any technologies not developed within the confines of the corporate campus has been called the ‘Not Built Here’ syndrome. In the past, Apple was plagued by this affliction, to its detriment. Fortunately, this trend seems to have vanished completely from One Infinite Loop. OS X includes a variety of open source tools, making it perhaps the ultimate ‘Not Built Here’ software.”

Category:

  • Unix

developerWorks: Coding with KParts

Author: JT Smith

David Faure has recently published an article for IBM developerWorks which gives an overview of KParts, touching on CORBA, XParts, XML-GUI and DCOP. “KParts is also used in more high-level interfaces, such as the TextEditor interface. The former is a complete interface that models the API of a text editor so that applications can interchangeably use any text editor available that implements this interface. vi users will love being able to type mail in KMail using a vi text-editor component (such a component is under development). A general ImageViewer interface is under development as well.”

Category:

  • Open Source

One more 2.4.18 release candidate prepatch

Author: JT Smith

Marcelo Tosatti has just announced the fourth release candidate for the Linux 2.4.18 kernel. According to Marcelo, “something really bad (for some non-x86 archs) appeared up, so here goes rc4.” You can get the latest kernels from Kernel.org.

From:	 Marcelo Tosatti <marcelo@conectiva.com.br>
To:	 lkml <linux-kernel@vger.kernel.org>
Subject: Linux 2.4.18-rc4
Date:	 Fri, 22 Feb 2002 09:19:59 -0200 (BRST)


Hi, 

Unfortunately something really bad (for some non-x86 archs) appeared up,
so here goes rc4.

rc4:

- Load code did not set personality for
  binaries without an interpreter: This was 
  breaking static apps on several archs		(Tom Gall)

rc3: 

- Fix reiserfs endianess problems		(Chris Mason) 
- Fix PowerMac compilation problem 		(Pmac team)
- Fix some eepro100 ID's which had problems 
  in -ac merge					(Jeff Garzik)
- Rename some internal pcnet32 definitions to
  not clash with ethtool.h - the clash caused 
  the driver not work correctly			(William Lee Irwin)
- Add missing netif_carrier_{on,off} to
  eepro100					(Andrew Morton)
- Fix netfilter race				(Rusty Russell)
- Correct error handling on tcp_recvmsg		(Alexey Kuznetsov)
- Revert tulip changes which were apparently
  causing slowdowns				(Jeff Garzik) 
- Fix ptrace behaviour				(Linus Benedict Torvalds)

rc2: 

- Make get_user_pages handle VM_IO areas
  gracefully					(Manfred Spraul)
- Fix SMP race on PID allocation		(Erik A. Hendriks)
- Fix SMP race on dnotify scheme		(Alexander Viro)
- Add missing checks to shmem_file_write	(Alan Cox)

rc1: 
- PPC MPC8260 update				(Tom Rini)
- eepro100 fixes				(Jeff Garzik)
- Make natsemi hardware workaround a config 
  option					(Jeff Garzik)
- Add serial board PCI ID			(Jeff Garzik)
- Add support for another tulip clone		(Jeff Garzik)
- Fix typo in winbond driver			(Jeff Garzik)
- Move initialization of tridentfb before 
  the generic drivers				(Geert Uytterhoeven)
- Reiserfs bugfixes				(Oleg Drokin)
- More __devexit_p assorted fixes		(Andrew Morton)
- Merge some -ac bugfixes			(Alan Cox)

pre9:

- Cris update					(Bjorn Wesen)
- SPARC update					(David S. Miller)
- Remove duplicate CONFIG_SUNLANCE entry in 
  Config.in					(David S. Miller)
- Change Netfilter maintainer 			(David S. Miller)
- More SunGEM bugfixes				(David S. Miller)
- Update md5sums in ISDN's md5sums.asc		(Kai Germaschewski)
- 3ware driver update				(Adam Radford)
- Fix cosa compile problem			(Adrian Bunk)
- Change VIA "disabling write queue" message	(Oliver Feiler)
- Remove buggy Elan-specific handling code	(Robert Schwebel)
- Reiserfs bugfixes				(Oleg Drokin)
- Fix ppp memory leak				(Andrew Morton)
- Really add devfs fix for removable devices: 
  its on pre8 changelog but not on pre8 patch	(me)
- Add framebuffer support for trident graphics
  card						(James Simmons)
- SCSI tape driver bugfixes			(Kai Makisara)
- Add support to Ovislink card on 8139too
  driver					(Jeff Garzik)
- Add SIOCxMIIxxxx ioctls for better binary 
  compatibility on au1000_eth driver		(Jeff Garzik)
- Fix initialization of phy on epic100 driver	(Jeff Garzik)
- Add MODULE_* info to mii.c 			(Jeff Garzik)
- Add new PCI ID to sundance driver		(Jeff Garzik)
- Merge some -ac3 patches			(Alan Cox)
- Unify simple_strtol symbol export		(Russell King)
- Add amount of cached memory to sysreq-m 
  output					(Martin Knoblauch)
- Do not use SCSI device type to change
  IO clustering					(Jens Axboe)
- IRC conntrack update				(Harald Welte)
- sonypi driver update				(Stelian Pop)
- Fix one of the PPP deadlocks			(Manfred Spraul)

pre8: 

- Add missing netfilter files in pre7 		(David S. Miller)
- SunGEM driver update				(David S. Miller)
- Kill get_fast_time				(David S. Miller)
- Update APIC LVTERR fix to work correctly on 
  old 486/586 APICs				(Mikael Pettersson)
- Check the return code of copy_{from,to}_user
  on serial code				(Rasmus Andersen)
- Mark 2.5 extended attributes system calls as 
  reserved to avoid potential conflicts		(Nathan Scott)
- Change Christoph Hellwig's email address	(Christoph Hellwig)
- Make BLKGETSIZE64 return size in bytes not 
  sectors					(Eric Sandeen)
- Coda dentry revalidation fix			(Jan Harkes)
- hisax_fcpcipnp driver update			(Kai Germaschewski)
- i810 sound driver update			(Doug Ledford)
- Early personality setting in binfmt_elf	(Christoph Hellwig)
- Fix rename bug in reiserfs			(Oleg Drokin)
- SCSI documentation update			(Douglas Gilbert)
- Fix silly typo in megaraid driver 		(Arjan Van de Ven)
- PPC update					(Benjamin Herrenschmidt)
- USB bug fixes					(Greg KH)
- Fix devfs problems with removable devices	(Richard Gooch)
- Merge -ac1 fixes				(Alan Cox)
- VXFS update					(Christoph Hellwig)
- Add Compaq FC array to the LUN whitelist	(Arjan Van de Ven) 

pre7:

- Make ext2/minix/sysvfs actually operate
  synchronously on directories when using
  the sync mount option				(Andrew Morton)
- AFFS update					(Roman Zippel)
- Fix 3dfx fb crash with high pixelclock 	(Jurriaan on Alpha)
- PATH_MAX POSIX compliance			(Rusty Russell)
- Really apply AMD Elan patch			(me)
- Don't drop IP packets with less than 8 bytes 
  of payload 					(David S. Miller)
- Netfilter update 				(Netfilter team)
- Backport 2.5 sb_bread() changes		(Alexander Viro)
- Fix AF_UNIX fd leak				(David S. Miller)
- Add Audigy Gameport PCI ID	 		(Daniel Bertrand)
- Sync with ia64 arch independant parts		(Keith Owens)
- APM fixes					(Stephen Rothwell)
- fs/super.c cleanups				(Alexander Viro)

pre6:

- Removed patch in icmp code: its
  not needed and causes problems                (me)

pre5:

- Include missing radeonfb defines		(Erik Andersen)
- Fix fs/buffer.c thinko introduced in pre4	(Andrew Morton)
- USB bugfixes					(Greg KH)
- Make fat work correctly with gcc-3.0.x 	(Tom Rini)
- Avoid overusage of the vmalloc area by 
  NTFS						(Anton Altaparmakov)
- atyfb: Decrease clock rate for 3d RAGE XL 	(David S. Miller)
- Sungem driver bugfixes			(David S. Miller)
- More networking updates			(David S. Miller)
- More SPARC updates				(David S. Miller)
- devfs update 					(Richard Gooch)
- Reiserfs expanding truncate fix		(Chris Mason)
- ext3 update					(Andrew Morton/Stephen Tweedie)
- Add support to WDIOC_SETTIMEOUT on several
  watchdog drivers				(Joel Becker)
- dl2k driver update				(Jeff Garzik)
- Orinoco driver update				(David Gibson)
- Radeonfb driver update			(Ani Joshi)
- Avoid free_swap_and_cache() from leaving 
  freeable pages on the cache			(Hugh Dickins)
- Add workarounds for AMD Elan processors	(Robert Schwebel)
- Random pmac driver bugfixing			(Benjamin Herrenschmidt)
- emu10k1 driver update				(Rui Sousa)

pre4:

- Networking updates				(David S. Miller)
- clgenfb update				(Jeff Garzik)
- 8139cp: make it faster			(Jeff Garzik)
- 8139too: fix bugs, add experimental RX reset	(Jeff Garzik)
- Add MII ethtool interface and change 
  several drivers to support that		(Jeff Garzik)
- Fix ramdisk corruption problems		(Andrea Arcangeli) 	
- Correct in-kernel MS_ASYNC behaviour 
  on msync/fsync()				(Andrew Morton)
- Fix PLIP problems 				(Niels Jensen)
- Fix problems triggered by the "fsx test" 
  on smbfs					(Urban Widmark)
- Turn on OOSTORE for IDT winchip		(from -ac tree)
- Fix iphase crash				(from -ac tree)
- Fix crash with two mxser cards		(from -ac tree)
- Fix tty write block bug			(from -ac tree)
- Add mono/stereo detect to gemtek pci radio	(from -ac tree)
- Fix sf16fmi crash on load			(from -ac tree)
- add CP1250 (windows eastern european) 
  translation table				(from -ac tree)
- cs46xx driver update				(from -ac tree)
- Fix rare data loss case with RAID-1		(Ingo Molnar)
- Add 2.5.x compatibility for the kdev_t
  changes					(me)
- SPARC updates					(David S. Miller)

pre3:

- Cris arch merge				(Bjorn Wesen)
- Finish PPC merge				(Benjamin Herrenschmidt)
- Add Dell PowerEdge 2400 to 
  "use BIOS to reboot" blacklist		(Arjan van de Ven)
- Avoid potential oops at module unload with 
  cyclades driver				(Andrew Morton)
- Gracefully handle SCSI initialization 
  failures					(Pete Zaitcev)
- USB update					(Greg KH)
- Fix potential oops while ejecting ide cds 	(Zwane Mwaikambo)
- Unify page freeing codepaths 			(Benjamin LaHaise)
- Miata dma corruption workaround 		(Richard Henderson)
- Fix vmalloc corruption problem on machines 
  with virtual dcaches				(Ralf Baechle)
- Reiserfs fixes				(Oleg Drokin)
- DiskOnChip driver update			(David Woodhouse)
- Do not inherit page locking rules across 
  fork/exec					(Dave Anderson)
- Add DRM 4.0 for XFree 4.0 users convenience	(Christoph Hellwig)
- Replace .text.lock with .subsection 		(Keith Owens)
- IrDA bugfixes					(Jean Tourrilhes)

pre2: 

- APIC LVTERR fixes				(Mikael Pettersson)
- Fix ppdev ioctl oops and deadlock		(Tim Waugh)
- parport fixes					(Tim Waugh)
- orinoco wireless driver update		(David Gibson)
- Fix oopsable race in binfmt_elf.c 		(Alexander Viro)
- Small sx16 driver bugfix			(Heinz-Ado Arnolds)
- sbp2 deadlock fix 				(Andrew Morton)
- Fix JFFS2 write error handling		(David Woodhouse)
- Intermezzo update				(Peter J. Braam)
- Proper AGP support for Intel 830MP chipsets	(Nicolas Aspert)
- Alpha fixes					(Jay Estabrook)
- 53c700 SCSI driver update			(James Bottomley)
- Fix coredump mmap_sem deadlock on IA64	(David Mosberger)
- 3ware driver update				(Adam Radford)
- Fix elevator insertion point on failed 
  request merge					(Jens Axboe)
- Remove bogus rpciod_tcp_dispatcher definition (David Woodhouse)
- Reiserfs fixes				(Oleg Drokin)
- de4x5 endianess fixes				(Kip Walker)
- ISDN CAPI cleanup				(Kai Germaschewski)
- Make refill_inactive() correctly account 
  progress					(me)

pre1:

- S390 merge					(IBM)
- SuperH merge					(SuperH team)
- PPC merge					(Benjamin Herrenschmidt)
- PCI DMA update				(David S. Miller)
- radeonfb update 				(Ani Joshi)
- aty128fb update				(Ani Joshi)
- Add nVidia GeForce3 support to rivafb		(Ani Joshi)
- Add PM support to opl3sa2			(Zwane Mwaikambo)
- Basic ethtool support for 3com, starfire
  and pcmcia net drivers			(Jeff Garzik)
- Add MII ethtool interface			(Jeff Garzik)
- starfire,sundance,dl2k,sis900,8139{too,cp},
  natsemi driver updates			(Jeff Garzik)
- ufs/minix: mark inodes as bad in case of read
  failure					(Christoph Hellwig)
- ReiserFS fixes				(Oleg Drokin)
- sonypi update					(Stelian Pop)
- n_hdlc update					(Paul Fulghum)
- Fix compile error on aty_base.c		(Tobias Ringstrom)
- Document cpu_to_xxxx() on kernel-hacking doc  (Rusty Russell)
- USB update					(Greg KH)
- Fix sysctl console loglevel bug on 
  IA64 (and possibly other archs)		(Jesper Juhl) 
- Update Athlon/VIA PCI quirks			(Calin A. Culianu)
- blkmtd update					(Simon Evans)
- boot protocol update (makes the highest 
  possible initrd address available to the 
  bootloader)					(H. Peter Anvin)
- NFS fixes					(Trond Myklebust)


Category:

  • Linux

Trustix: ‘squid-cron’ Multiple vulnerabilities

Author: JT Smith

Trustix reports that multiple vulnerabilities have recently been found in the Squid-2.x releases up to and including 2.4.STABLE3. These include a memory leak in the optional SNMP interface to Squid, a buffer overflow in the implementation of ftp:// URLs and an inability to properly disable HTCP from squid.conf.


--------------------------------------------------------------------------
Trustix Secure Linux Bugfix Advisory #2002-0031

Package name:      squid-cron
Summary:           Security update
Date:              2002-02-22
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

--------------------------------------------------------------------------

Problem description:
 From the Squid advisory at
  http://www.squid-cache.org/Advisories/SQUID-2002_1.txt

Three security issues have recently been found in the Squid-2.X
 releases up to and including 2.4.STABLE3.

 a) A memory leak in the optional SNMP interface to Squid,
    allowing a malicious user who can send packets to the Squid SNMP
    port to possibly perform a denial of service attack on the Squid
    proxy service if the SNMP interface has been enabled (disabled by
    default).

 b) A buffer overflow in the implementation of ftp:// URLs where
    users who are allowed to proxy ftp:// URLs via Squid can perform
    a denial of service on the proxy service, and possibly even
    trigger remote execution of code (not yet confirmed).

 c) The optional HTCP interface cannot be properly disabled from
    squid.conf even if the documentation claims it can. The HTCP
    interface to Squid is not enabled by default, but can be enabled
    at compile time using the --enable-htcp configure option and some
    vendors distribute Squid binaries with HTCP enabled.

Action:
  We recommend that all systems with this package installed are upgraded.
  Note that due to a packaging error in TSL 1.2 and earlier, the swup tool
  can not be used to upgrade this package (again in TSL 1.2 and earlier)
  and you will need to give the --oldpackage argument to rpm when upgrading.
  Typically, that is
  rpm -Fvh --oldpackage squid-2.4.STABLE4-1tr.i586.rpm


Location:
  All TSL updates are available from
  http://www.trustix.net/pub/Trustix/updates/
  ftp://ftp.trustix.net/pub/Trustix/updates/


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  ftp://ftp.trustix.net/pub/Trustix/software/swup/


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  http://www.trustix.net/pub/Trustix/testing/
  ftp://ftp.trustix.net/pub/Trustix/testing/


Questions?
  Check out our mailing lists:
  http://www.trustix.net/support/


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  http://www.trustix.net/TSL-GPG-KEY

The advisory itself is available from the errata pages at
  http://www.trustix.net/errata/trustix-1.2/
  http://www.trustix.net/errata/trustix-1.5/
or directly at
  http://www.trustix.net/errata/misc/2002/TSL-2002-0031-squid.asc.txt


MD5sums of the packages:


Trustix Security Team



Category:

  • Linux

Debian Security: gnujsp

Author: JT Smith

Debian: “Thomas Springer found a vulnerability in GNUJSP, a Java servlet that allows you to insert Java source code into HTML files. The problem can be used to bypass access restrictions in the web server. An attacker can view the contents of directories and download files directly rather than receiving their HTML output. This means that the source code of scripts could also be revealed.” Details here.

Category:

  • Linux

A developer’s review of REDSonic’s Embedded Linux

Author: JT Smith

Anonymous Reader writes, “This article is the fifth in LinuxDevices.com’s series of reviews of Embedded Linux toolkits. Each of the toolkits is evaluated against a common set of criteria which include ease of use, overall toolkit architecture, methods of package management, diversity of platform support, and openness of the source code. In this installment, embedded developer Jerry Epplin takes a close-up look at REDSonic’s RED-Builder 2.0 XE toolkit.” Read the review here at LinuxDevices.com.

Category:

  • Linux

Time to Register for Mozilla developer event at Carnegie Mellon

Author: JT Smith

From Mitchell Baker: Information about the event can be found here. The registration site, courtesy of Yet Another Society, can be found at donate.perl-foundation.org.