
Linux System Administration – A User’s Guide (book review)

Author: JT Smith

From Linux Focus: “This is a review of the book titled ‘Linux System Administration – A User’s Guide’ by Marcel Gagne. The book has 532 pages and 26 chapters that cover installation, daemons, run-levels, file systems, password policy, kernel building, printing, devices, backups, network administration, secure computing, and more.”

Category:

  • Linux

2001: A rough year for SSH

Author: JT Smith

From Linux Journal: “Just as 2000 was a rough year for firewalls, with holes blown in both commercial and open-source products, 2001 was a most uncomfortable year for the secure shell, or ssh. Several groups focused their attentions on this cornerstone of the net, and several problems emerged. ssh has emerged from this scrutiny a stronger product.”

Category:

  • Linux

Debian Security: DSA-096 mutt: buffer overflow

Author: JT Smith

Debian: “Joost Pol found a buffer overflow in the address handling code of mutt (a popular mail user agent). Even though this is a one byte overflow this is exploitable.”

Date Reported:
02 Jan 2002
Affected Packages:
mutt
Vulnerable:
Yes
More information:
Joost Pol found a buffer overflow in the address handling code of
mutt (a popular mail user agent). Even though this is a one byte
overflow this is exploitable.

This has been fixed upstream in version 1.2.5.1 and 1.3.25. The
relevant patch has been added to version 1.2.5-5 of the Debian
package.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/mutt_1.2.5-5.diff.gz
http://security.debian.org/dists/stable/updates/main/source/mutt_1.2.5-5.dsc
http://security.debian.org/dists/stable/updates/main/source/mutt_1.2.5.orig.tar.gz
Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/mutt_1.2.5-5_alpha.deb
ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/mutt_1.2.5-5_arm.deb
Intel IA-32:
http://security.debian.org/dists/stable/updates/main/binary-i386/mutt_1.2.5-5_i386.deb
Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/mutt_1.2.5-5_m68k.deb
PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mutt_1.2.5-5_powerpc.deb

MD5 checksums of the listed files are available in the original advisory.

Last Modified: Wed, Jan 2 18:23:35 UTC 2002

Copyright © 2002
SPI; See license terms

Category:

  • Linux

States: Microsoft is stalling

Author: JT Smith

ZDNet: “The nine states holding out against the proposed settlement of the landmark Microsoft antitrust case on Monday asked a federal judge to reject the software company’s request to delay remedy hearings.”

Category:

  • Linux

Is it time for Linux on the desktop?

Author: JT Smith

ZDNet: “Another year has gone by–an eternity in software-development terms–and it’s time once again for PC users to ask themselves: Is Linux ready for the desktop?”

Category:

  • Linux

RedHat: ‘mailman’ cross-site scripting vulnerability

Author: JT Smith

Red Hat: “A server running Mailman versions prior to 2.0.8 will send certain user-modifiable data to clients without escaping embedded tags. This data may contain scripts which will then be executed by an unwary client, possibly transmitting private information to a third party.”


---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated Mailman packages available
Advisory ID:       RHSA-2001:170-06
Issue date:        2001-12-11
Updated on:        2002-01-02
Product:           Red Hat Secure Web Server
Keywords:          cross-site scripting
Cross references:  RHSA-2001:168 RHSA-2001:169
Obsoletes:         
---------------------------------------------------------------------

1. Topic:

Updated Mailman packages are now available for Red Hat Secure Web Server
3.2 (U.S.).  These updates fix cross-site scripting bugs which might allow
another server to be used to gain a user's private information from a
server running Mailman.

2. Relevant releases/architectures:

Red Hat Secure Web Server 3.2 - i386

3. Problem description:

A server running Mailman versions prior to 2.0.8 will send certain
user-modifiable data to clients without escaping embedded tags.  This data
may contain scripts which will then be executed by an unwary client,
possibly transmitting private information to a third party.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0884 to this issue.
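The mechanism the problem description above refers to, as an added example that is not Red Hat's or Mailman's code: a page template that interpolates a list owner's editable description, first without escaping (the pre-2.0.8 behaviour the advisory describes) and then with HTML escaping applied at output time. The template, the description text and the `leaks_markup` check are constructed for this demonstration and are not taken from Mailman.

```python
import html
import re

# Constructed sample: text a list owner can edit through the web interface.
# It contains an ampersand, a double quote and a script tag so that both the
# element-body context (<p>...</p>) and the attribute context (value="...")
# are exercised.
CONSTRUCTED_DESCRIPTION = 'R&D news" onmouseover="x()<script>alert(1)</script>'

# Constructed template standing in for a list information page. The same
# user-controlled value is placed in element text and inside an attribute.
PAGE_TEMPLATE = (
    '<h1>{name}</h1>\n'
    '<p>{description}</p>\n'
    '<input type="text" name="description" value="{description}">'
)


def render_unescaped(name: str, description: str) -> str:
    """The behaviour the advisory describes: user-modifiable data is copied
    into the page verbatim, so any tag embedded in it becomes live markup and
    any script in it runs in the browser of whoever views the page."""
    return PAGE_TEMPLATE.format(name=name, description=description)


def render_escaped(name: str, description: str) -> str:
    """Fixed rendering: every user-controlled value is escaped on output.
    html.escape turns < > & into entities; quote=True additionally escapes
    " and ' so the value cannot terminate the attribute it is placed in.
    The browser then displays the literal text instead of interpreting it."""
    return PAGE_TEMPLATE.format(
        name=html.escape(name, quote=True),
        description=html.escape(description, quote=True),
    )


# Crude check used by this demonstration only: does a script tag survive into
# the rendered page as real markup? An escaped value renders as "&lt;script"
# and therefore does not match. This is adequate for the constructed input
# above; it is not a general-purpose XSS detector.
_SCRIPT_TAG_RE = re.compile(r'<\s*script\b', re.IGNORECASE)


def leaks_markup(rendered_page: str) -> bool:
    """True if the rendered page contains a live <script> tag."""
    return _SCRIPT_TAG_RE.search(rendered_page) is not None


def attribute_broken_out(rendered_page: str) -> bool:
    """True if the user value closed the value="..." attribute early, which
    shows up as an unescaped onmouseover=" in the output."""
    return 'onmouseover="' in rendered_page


if __name__ == "__main__":
    vulnerable = render_unescaped("announce", CONSTRUCTED_DESCRIPTION)
    fixed = render_escaped("announce", CONSTRUCTED_DESCRIPTION)
    print("unescaped: script tag live =", leaks_markup(vulnerable),
          "| attribute broken out =", attribute_broken_out(vulnerable))
    print("escaped:   script tag live =", leaks_markup(fixed),
          "| attribute broken out =", attribute_broken_out(fixed))
    print(fixed)
```

The design point is that escaping belongs at the output boundary, applied to every user-controlled value for the context it is written into; stripping "bad" tags on input is what the unescaped version effectively relies on, and it fails as soon as an attribute context is involved.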

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed  (http://bugzilla.redhat.com/bugzilla for more info):

6. RPMs required:

Red Hat Secure Web Server 3.2:

i386:
ftp://updates.redhat.com/other_prod/secureweb/3.2/i386/mailman-2.0.8-0.6.2.i386.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
e74be80586d59cff98f21b143e78cc48 other_prod/secureweb/3.2/SRPMS/mailman-2.0.8-0.6.2.src.rpm
c0b1a635356bb4c05218a4b49099bd1b other_prod/secureweb/3.2/i386/mailman-2.0.8-0.6.2.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
     http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0884
http://mail.python.org/pipermail/mailman-announce/2001-November/000031.html
http://www.cert.org/advisories/CA-2000-02.html
http://www.cgisecurity.org/advisory/7.txt


Copyright(c) 2000, 2001 Red Hat, Inc.

Category:

  • Linux

Will Linux survive the dot-com crash?

Author: JT Smith

ZDNet: “The implosion of the dot-com economy has raised questions about the future of the GNU/Linux operating system and the open source movement that it typifies. But while the collapse of high-profile Linux ventures such as desktop software developer Eazel over the past year may have given the impression that open source would disappear with dot-com euphoria, Linux continues to gain ground, and could even be given a boost by the slowing economy.”

Linux 2.5.2-pre6 available

Author: JT Smith

LWN.net has more of the changelog. pre6:
– Davide Libenzi: nicer timeslices for scheduler
– Arnaldo: wd7000 scsi driver cleanups and bio update
– Greg KH: USB update (including initial 2.0 support)
– me: strict typechecking on “kdev_t”

Category:

  • Linux

Vim’s Bram Moolenaar talks about Open Source and Vim 6.0

Author: JT Smith

Slashdot readers discuss an article at Rons.net in which the Vim author discusses Open Source and the concept of “charityware.”

Category:

  • Open Source

Guardian Digital launches online Career Center

Author: JT Smith

LinuxSecurity Contributor writes, “Guardian Digital, pioneers in Linux and open source security, today released its worldwide online
Career Center. Encompassing more than 30,000 jobs within the Linux and open source fields,
careers.linuxsecurity.com has the hottest jobs within high profile industries including computer
security and consulting. http://www.linuxsecurity.com/articles/security_sources_article-4224.html.