From LinuxWorld: “Snort offers many options. However, setting it up is easier than you may think. Here’s how to start protecting your network.”

Posted at LinuxPR: “Sitellite Content Management System 2.1.1 is a world-class web collaboration tool and application framework, which drastically simplifies both the maintenance and the development of complex web applications.

At its core is the Sitellite Application Framework, an Open Source set of PHP libraries that drastically improve the efficiency and quality of web development projects.”

In the 23rd edition of Kernel Cousin KDE, Aaron J. Seigo writes: “It has been another fast-paced week for KDE. CVS commits were flying in as were application announcements on apps.kde.com. The (relatively) new KDE eye-candy site got a make-over, and judging by how few KDE related items are to be found at themes.org it seems to have a firm grip on the KDE audience. And speaking of eye-candy, guess who is back again?” Posted at kt.zork.net.

There is a cross-site scripting vulnerability in webalizer which can
allow an attacker to exploit a victim by embedding malicious HTML tags
in webalizer-generated reports.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory               November 01, 2001 |
| http://www.engardelinux.org/                           ESA-20011101-01 |
|                                                                        |
| Package:  webalizer                                                    |
| Summary:  Cross-site scripting vulnerability in webalizer.             |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There is a cross-site scripting vulnerability in webalizer which can
  allow an attacker to exploit a victim by embedding malicious HTML tags
  in webalizer-generated reports.


DETAIL
- ------
  This update fixes the aforementioned cross-site scripting
  vulnerability reported by Magnux Software.  This updated version also
  fixes a date calculation overflow error and enables DNS resolution
  provided it is enabled in the webalizer configuration file.


SOLUTION
- --------
  All users should upgrade to the most recent version as outlined in
  this advisory.

  Guardian Digital recently made available the Guardian Digital Secure
  Update, a means to proactively keep systems secure and manage 
  system software. EnGarde users can automatically update their system
  using the Guardian Digital WebTool secure interface.

  If choosing to manually upgrade this package, updates can be
  obtained from:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh 

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv 


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/webalizer-2.01-1.0.3.src.rpm
      MD5 Sum:  73fd07083ef6d0f6f7981698ac955dae

  Binary Packages:

    i386/webalizer-2.01-1.0.3.i386.rpm
      MD5 Sum:  3d8d8b5169a447565cac5aca1103ecea

    i686/webalizer-2.01-1.0.3.i686.rpm
      MD5 Sum:  b1e2de1411610e6740bbf7e0992aa697


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Flavio Veloso 

  Webalizer's Official Web Site:
    http://www.mrunix.net/webalizer/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html


- --------------------------------------------------------------------------
$Id: ESA-20011101-01-webalizer 1.2 2001/11/01 18:27:34 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple,  
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE74ZgnHD5cqd57fu0RAjguAJ9nKnUYrlrOXF9oJq2GBr4tEWvk+wCfe23D
6dqrF8UjjfOXMJVqbZKviy0=
=Twd9
-----END PGP SIGNATURE-----

Paul Emsley has posted the 113th edition of Kernel Cousin Debian Hurd. Discussions include cross-compiling errors (and a fix), news of a December CD release, and a patch to implement I/O permission control in OSKit-Mach.

A Mandrake advisory, posted at Linux Weekly News: “Tarhon-Onu Victor found a problem in /bin/login’s PAM implementation.
It stored the value of a static pwent buffer across PAM calls, and when
used with some PAM modules in non-default configurations (ie. using
pam_limits), it would overwrite the buffer and cause the user to get
the credentials of another user.”

Guikachu is a GNOME application for graphical editing of resource
files for PalmOS-based pocket computers. The user interface is
modelled after Glade, the GNOME UI builder.

Dear users of both large and small computing tools,

A new release of Guikachu is available.

About Guikachu
--------------
Guikachu is a GNOME application for graphical editing of resource
files for PalmOS-based pocket computers. The user interface is
modelled after Glade, the GNOME UI builder.

Catch it all from http://cactus.rulez.org/projects/guikachu/

Features
--------
* libXML-based I/O
* Exporting to PilRC .rcp files (compile with pilrc -H)
* String resources
* Dialog resources
* Menu resources
* Form resources
* Per-application resources (e.g. version number, icon)
* Form editor, with 100% accurate preview and graphical drag & drop
  capability to make designing forms more easier and faster
* Native font support in the form editor for more precise
  preview
* XSLT style sheets and shell script to generate RCP files from
  Guikachu documents

About this release
------------------
Remember the first release of Guikachu that included the Form Editor?
It contained long descriptions why you should not rely on the preview
rendered by Guikachu because it can not be guaranteed to be 100%
accurate on the level of single pixels.
Well people also tought the Earth was flat.

Changes:
	* Every widget has been checked pixel-per-pixel against POSE
	  screenshots.
	* Plugged some memory leaks (I *LOVE* MemProf)
	* Some fixes in the included XSL style sheets and the I/O code
	* Operations on more than one widget now work in the Tree View
	* Form Editor drag & drop fixes
	* Resource/Widget ID sanity checks -- ID's can only contain
	  [a-zA-Z0-9_], everything else is converted to '_' on the fly
	* Properties that are references to other resources/widgets
	  (e.g. Form::Menu ID) are much smarter

Guikachu uses GTK-- and GNOME-- for its user interface. File I/O is
implemented with the libxml package. Dialog windows are loaded via
libglade. You will need the versions of these packages available in
the GNOME 1.4 bundle (with the exception of GNOME-- which you will
need to upgrade to version 1.2.0)
To actually create the PalmOS resource files, you will also need PilRC
(part of the GNU PalmOS SDK) to compile the .rpc files produced by
Guikachu.

Beware of bugémons!

        Cactus

Posted to LinuxPR: “MontaVista Software Inc. today announced that GET Engineering Corporation has successfully converted to the Hard Hat Linux operating environment, porting from a proprietary RTOS platform to embedded Linux.”

Colin Watson posts: “The sixth Bug-Squashing Party for woody will take place on the second
weekend of November: Friday 9th to Sunday 11th. Our goal is to fix
release-critical bugs, especially those filed against base and
standard/task packages.” Check out his message, posted at Linux Weekly News, for more information.

“A problem was discovered in the ht://Dig web indexing and searching
program. Nergal reported a vulnerability in htsearch that allows a
remote user to pass the -c parameter, to use a specific config file,
to the htsearch program when running as a CGI. A malicious user could
point to a file like /dev/zero and force the CGI to stall until it
times out. Repeated attacks could result in a DoS. As well, if the
user has write permission on the server and can create a file with
certain entries, they can point the server to it and retrieve any file
readable by the webserver UID.” Posted at Linux Weekly News.