
HANCOM and Korean government step into Linux desktop mainstream

Author: JT Smith

LinuxPR: HancomLinux, a Linux expert developing and distributing Linux applications, has announced that they have concluded an agreement with the Central Procurement Office of the Korean Government to supply 120 copies of desktop Linux office packages this year.

OpenPKG 1.0 released

Author: JT Smith

From Advogato: “Now released as Open Source: OpenPKG, the world of cross-platform RPM-based Unix software packaging.”

Category:

  • Linux

Redmond Linux Build 44

Author: JT Smith

Craig writes “Joe Cheek, the CEO of Redmond Linux, has informed me that if there are no major showstoppers, the current ISOs on ftp.redmondlinux.org will go gold and should start appearing on the mirrors over the next few days. I downloaded and installed the ISOs dated January 11, 2002. I’m not going to go into a big review since this is not yet considered final, but I will tell you some things I like about it.

The article is at Pclinuxonline.”

Category:

  • Linux

Judge tosses Microsoft schools settlement

Author: JT Smith

CNet News: “A federal judge in Baltimore on Friday rejected a controversial settlement that would have ended more than 100 private class-action lawsuits against Microsoft.” Read more here.

Category:

  • Linux

One month after a Mandrake install

Author: JT Smith

From Linux Planet: “It has been over a month since I first installed MandrakeLinux 8.1 Gaming Edition on my primary home machine and after a gruelling month of use, I am here to report that Mandrake Linux has been surprisingly deft and convenient to use.”

Category:

  • Linux

USENIX BSDCon 2002 announcement

Author: JT Smith

From BSD Today: “BSDCon 2002 will be February 11 – 14 in San Francisco, California. This year’s program features keynote presentations by John Mashey of SenseiPartners and Brett Halle of Apple Computer, as well as a unique collection of refereed papers and invited talks covering a variety of topics, such as MacOS X and Darwin, multiprocessing work for FreeBSD, and vulnerabilities of wireless networks.”

Category:

  • Open Source

DesktopLinux.com interviews Gnumeric project leader

Author: JT Smith

Anonymous Reader writes “After three and a half years of development, the Gnumeric project recently announced the availability of version 1.0.0 of Gnumeric, an open source spreadsheet program. To learn more about what goes on behind the scenes in an open source project and what makes an open source developer ‘tick’, DesktopLinux.com chatted with Gnumeric project leader Jody Goldberg. Read the DesktopLinux.com interview here.”

Category:

  • Open Source

Slashcode: login vulnerability

Author: JT Smith

Slashcode.com: “Slash, the code that runs Slashdot and many other web sites, has a vulnerability in recent versions that allows any logged-in user to log in as any other user. This allows users to take nearly full control of a Slash system (post and delete stories, posting stories, edit users, post as other users, etc., and do anything that a Slash user can do) by logging in to an administrator’s Slash account.”


[SA-2002:00] Slashcode login vulnerability


RISK FACTOR: HIGH


SYNOPSIS

Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.

This allows users to take nearly full control of a Slash system (post
and delete stories, posting stories, edit users, post as other users,
etc., and do anything that a Slash user can do) by logging in to
an administrator's Slash account.


VULNERABLE SYSTEMS

Any system running Slash 2.1.x (development versions for 2.2), 2.2.0,
2.2.1, or 2.2.2, and sites using the development code from CVS.  Slash
2.0.x and previous are unaffected.


RESOLUTION

Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites.
Users of the development code from CVS should run cvs update and install
the most recent code.

In the meantime, if upgrading is not possible or will not happen
immediately, site administrators should either shut down the web site
or disable admin.pl and users.pl by moving them elsewhere or disabling
the execution bits (Apache may need to be restarted following this).

Further, site administrators should change their passwords, and check
the "seclev" field in the users table to make sure no one has a seclev
greater than or equal to "100" who should not have administrator
privileges:

  mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

That should list only users with some administrator privileges.

Site administrators should subscribe to the slashcode-general or
slashcode-announce mailing lists, to keep up to date on the latest
releases and security notices.  Subscription information is on the
Slashcode site at  http://slashcode.com/.


CREDITS

Daniel Bowers <daniel@satus.com> found and exploited the bug, and
notified the Slash team.  The Slash team immediately patched the code
and released Slash 2.2.3 three hours after notification.


CONTACT INFORMATION

Chris Nandor, pudge@osdn.com
http://slashcode.com/

Category:

  • Linux
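The two checks the Slashcode advisory above asks site administrators to make, as an added example that is not part of the advisory or the Slash code base: whether an installed release falls in the affected range, and whether any account at seclev 100 or above is missing from the list of people who should be administrators. An in-memory SQLite table with constructed rows stands in for the MySQL users table; the function names, the allowlist and the treatment of releases above 2.2.3 as fixed are assumptions.

```python
import sqlite3

ADMIN_SECLEV = 100  # threshold used in the advisory's query


def is_vulnerable(version):
    """True for Slash 2.1.x and 2.2.0 through 2.2.2, per the advisory.

    Assumption: anything at or above 2.2.3 is treated as fixed. CVS
    checkouts cannot be judged by version number and need a cvs update.
    """
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # "2.2" is read as 2.2.0
    return (2, 1, 0) <= parts[:3] < (2, 2, 3)


def unexpected_admins(conn, expected_uids):
    """Run the advisory's seclev query; return rows not on the allowlist."""
    rows = conn.execute(
        "SELECT uid, nickname, seclev FROM users "
        "WHERE seclev >= ? ORDER BY uid",
        (ADMIN_SECLEV,),
    ).fetchall()
    return [row for row in rows if row[0] not in expected_uids]


def sample_db():
    """Constructed stand-in holding only the three columns the advisory names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, seclev INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "siteadmin", 10000),   # constructed: known administrator
        (2, "editor", 100),        # constructed: known administrator
        (3, "reader", 1),          # constructed: ordinary user
        (4, "newaccount", 500),    # constructed: elevated, not on the allowlist
    ])
    return conn


if __name__ == "__main__":
    for uid, nick, seclev in unexpected_admins(sample_db(), expected_uids={1, 2}):
        print(f"review uid={uid} nickname={nick} seclev={seclev}")
    for release in ("2.0.2", "2.1.0", "2.2.2", "2.2.3"):
        print(release, "vulnerable" if is_vulnerable(release) else "not affected")
```

Any row the audit returns is an account to review by hand; an empty result only means every elevated account was expected, not that those accounts were untouched, which is why the advisory also calls for password changes.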

Linux 2.4.18-pre3

Author: JT Smith

Kernel.org: Linux 2.4.18-pre3 is out. Time to fire up the compilers!

From:	 Marcelo Tosatti <marcelo@conectiva.com.br>
To:	 lkml <linux-kernel@vger.kernel.org>
Subject: Linux 2.4.18pre3
Date:	 Thu, 10 Jan 2002 18:30:07 -0200 (BRST)


Hi, 

So here it goes pre3.

pre3:

- Cris arch merge				(Bjorn Wesen)
- Finish PPC merge				(Benjamin Herrenschmidt)
- Add Dell PowerEdge 2400 to 
  "use BIOS to reboot" blacklist		(Arjan van de Ven)
- Avoid potential oops at module unload with 
  cyclades driver				(Andrew Morton)
- Gracefully handle SCSI initialization 
  failures					(Pete Zaitcev)
- USB update					(Greg KH)
- Fix potential oops while ejecting ide cds 	(Zwane Mwaikambo)
- Unify page freeing codepaths 			(Benjamin LaHaise)
- Miata dma corruption workaround 		(Richard Henderson)
- Fix vmalloc corruption problem on machines 
  with virtual dcaches				(Ralf Baechle)
- Reiserfs fixes				(Oleg Drokin)
- DiskOnChip driver update			(David Woodhouse)
- Do not inherit page locking rules across 
  fork/exec					(Dave Anderson)
- Add DRM 4.0 for XFree 4.0 users convenience	(Christoph Hellwig)
- Replace .text.lock with .subsection 		(Keith Owens)
- IrDA bugfixes					(Jean Tourrilhes)

pre2: 

- APIC LVTERR fixes				(Mikael Pettersson)
- Fix ppdev ioctl oops and deadlock		(Tim Waugh)
- parport fixes					(Tim Waugh)
- orinoco wireless driver update		(David Gibson)
- Fix oopsable race in binfmt_elf.c 		(Alexander Viro)
- Small sx16 driver bugfix			(Heinz-Ado Arnolds)
- sbp2 deadlock fix 				(Andrew Morton)
- Fix JFFS2 write error handling		(David Woodhouse)
- Intermezzo update				(Peter J. Braam)
- Proper AGP support for Intel 830MP chipsets	(Nicolas Aspert)
- Alpha fixes					(Jay Estabrook)
- 53c700 SCSI driver update			(James Bottomley)
- Fix coredump mmap_sem deadlock on IA64	(David Mosberger)
- 3ware driver update				(Adam Radford)
- Fix elevator insertion point on failed 
  request merge					(Jens Axboe)
- Remove bogus rpciod_tcp_dispatcher definition (David Woodhouse)
- Reiserfs fixes				(Oleg Drokin)
- de4x5 endianess fixes				(Kip Walker)
- ISDN CAPI cleanup				(Kai Germaschewski)
- Make refill_inactive() correctly account 
  progress					(me)

pre1:

- S390 merge					(IBM)
- SuperH merge					(SuperH team)
- PPC merge					(Benjamin Herrenschmidt)
- PCI DMA update				(David S. Miller)
- radeonfb update 				(Ani Joshi)
- aty128fb update				(Ani Joshi)
- Add nVidia GeForce3 support to rivafb		(Ani Joshi)
- Add PM support to opl3sa2			(Zwane Mwaikambo)
- Basic ethtool support for 3com, starfire
  and pcmcia net drivers			(Jeff Garzik)
- Add MII ethtool interface			(Jeff Garzik)
- starfire,sundance,dl2k,sis900,8139{too,cp},
  natsemi driver updates			(Jeff Garzik)
- ufs/minix: mark inodes as bad in case of read
  failure					(Christoph Hellwig)
- ReiserFS fixes				(Oleg Drokin)
- sonypi update					(Stelian Pop)
- n_hdlc update					(Paul Fulghum)
- Fix compile error on aty_base.c		(Tobias Ringstrom)
- Document cpu_to_xxxx() on kernel-hacking doc  (Rusty Russell)
- USB update					(Greg KH)
- Fix sysctl console loglevel bug on 
  IA64 (and possibly other archs)		(Jesper Juhl) 
- Update Athlon/VIA PCI quirks			(Calin A. Culianu)
- blkmtd update					(Simon Evans)
- boot protocol update (makes the highest 
  possible initrd address available to the 
  bootloader)					(H. Peter Anvin)
- NFS fixes					(Trond Myklebust)




http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.18-pre3.gz

Category:

  • Linux

Linux Advisory Watch – January 11th 2002

Author: JT Smith

LinuxSecurity: “This week, advisories were released for exim, libgtop, mutt, pkg_install, pw, pine, mod_auth_pgsql, bind, proftpd, LIDS, stunnel, and namazu. The vendors include Conectiva, Debian, FreeBSD, Mandrake, Red Hat, SuSE, and Trustix.” Read more here.

Category:

  • Linux