
Introducing the Mac Open Source Software Directory

Author: JT Smith

O’Reilly Mac DevCenter: “Earlier this year, when Jason McIntosh offered to let us integrate his excellent ‘Mac OS Open
Source Software’ site into O’Reilly’s Mac DevCenter, we felt that it would help us complete our
vision of being a complete open-source resource for Mac users. Happily, we’ve just finished the
first stage of this transition, and the directory is now up and running. This incarnation is titled the
Mac Open Source Software Directory.”

Category:

  • Open Source

LynuxWorks cuts headcount 15 percent

Author: JT Smith

LinuxDevices.com: “In response to recent rumors of a substantial layoff at Embedded Linux vendor LynuxWorks,
LinuxDevices.com contacted the company for comment. LynuxWorks Chairman Inder Singh
acknowledged a recent layoff at his company, putting its size at “approximately 15 percent of the
company’s work force.”

Additionally, Singh strongly disputed rumors that LynuxWorks — which sells both BlueCat Embedded
Linux and a proprietary real-time operating system (RTOS) called LynxOS — has virtually eliminated all
of their BlueCat Linux developers.”

Category:

  • Open Source

Caldera: Security advisory for squid

Author: JT Smith

There is a security problem with Squid, a proxy server shipped as part
of OpenLinux 3.1 Server. If Squid is configured for accelerator mode
(setting http_accel_with_proxy off), any request to Squid is allowed.
Malicious users may use your proxy to portscan remote systems, forge
email, and carry out other activities.



____________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                Linux - Squid configuration problems
Advisory number:        CSSA-2001-029.0
Issue date:             2001, August 06
Cross reference:
____________________________________________________________________________


1. Problem Description

   There is a security problem with Squid, a proxy server shipped as part
   of OpenLinux 3.1 Server. If Squid is configured for accelerator mode
   (setting http_accel_with_proxy off), any request to Squid is allowed.
   Malicious users may use your proxy to portscan remote systems, forge
   email, and carry out other activities.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable                
   
   OpenLinux eServer 2.3.1       not vulnerable                
   and OpenLinux eBuilder                                      
   
   OpenLinux eDesktop 2.4        not vulnerable                
   
   OpenLinux Server 3.1          All packages previous to      
                                 squid-2.4.STABLE1-7           
   
   OpenLinux Workstation 3.1     not vulnerable                
   


3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    not vulnerable

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       1779083edd38872f2ac15c219131d1ba  RPMS/squid-2.4.STABLE1-7.i386.rpm
       e5020ebf7aef60878139cdac81737212  SRPMS/squid-2.4.STABLE1-7.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh squid-2.4.STABLE1-7.i386.rpm
         

8. OpenLinux 3.1 Workstation

    not vulnerable



9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10294.

10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

Category:

  • Linux

GNOME Summary

Author: JT Smith

The GNOME Summary covering July 29 through August 4 is now available. Read all about GNOME Basic and Mono, a new home for GNOME Print, the release of GNOME 1.4.1, and Jens Finke’s work on creating a thumbnail managing standard.

This is the GNOME Summary for 2001-07-29 - 2001-08-04
    
==============================================================
Table of Contents
--------------------------------------------------------------

1. GNOME Basic and Mono
2. Abiword prepares for the big 1.0
3. Evolution close to producing first 1.0 release
4. Mozilla charges ahead towards 1.0 release
5. Jens Finke working on creating Thumbnail Managing Standard
6. GNOME Print gets a home
7. GNOME Usability project gets some muscle
8. GNOME 2.0 Library freeze in progress
9. GNOME 1.4.1 release underway
10. New release of GNOME-GCJ Java-bindings available
11. GNOME summary translations
12. Hacker Activity
13. New and Updated Software

==============================================================
1. GNOME Basic and Mono
--------------------------------------------------------------

As you all know Ximian announced the Mono project not long ago. The goal
of the Mono project is to create a full free C# development environment
for Linux and Unix operating systems, including a compiler. Cool thing
is that it has spawned a nice synergy for the GNOME project as there seems
to be interest among some of the Mono developers to also create support
for vb.net not just C#. The basis for this will be GNOME basic, the VB
compatible Basic implementation, developed in order to enable support
for reading Excel VBA macros in Gnumeric. Hopefully this effort will
also improve the featureset of GNOME Basic in regard to improved VB
scripting for GNOME office applications. Best of luck to Ravi Pratap and
the rest on this task. Links below to the Mono homepage, the GNOME Basic
homepage and an interview by Joe Barr. 

        http://www.go-mono.org
        http://www.gnome.org/projects/gb
        http://www.linuxworld.com/linuxworld/lw-2001-07/lw-07-mono.html

==============================================================
2. Abiword prepares for the big 1.0
--------------------------------------------------------------

The Abiword hackers are not resting on their laurels. This week they put
out the 0.9.0 release which is the first feature freeze release in
preparation for the 1.0 release. They plan on making rapid 0.9.x
releases for a while now in order to iron out all bugs and major
usability issues. Below are links to the 0.9.0 release notes, the
Abiword Weekly News #55 and the Abiword download area 
on Sourceforge. 

        http://www.abisource.com/release-notes/0.9.0-1.html
        http://www.abisource.com/dev/news/2001/awn55.phtml
        http://sourceforge.net/project/showfiles.php?group_id=15518_release&id=45623


==============================================================
3. Evolution close to producing first 1.0 release
--------------------------------------------------------------

The Evolution team are hard at work ironing out bugs in order to get
Evolution 1.0 out the door. Beta 2 was released this week and the
Evolution team is hosting bug days on irc.gnome.org/ #evolution each
Thursday. If you want
to be sure that any bugs that have been bugging you are squashed before
the official 1.0 release be sure to join the Evolution team next Thursday
to help them find and eliminate your bug. Full beta 2 announcement at link
below. 

        http://www.ximian.com/release_notes/evolution/1.0_beta_2.php3

==============================================================
4. Mozilla charges ahead towards 1.0 release
--------------------------------------------------------------

The Mozilla team was happy to announce a new release this week, 0.9.3,
which kills off even more crash bugs and adds even more polish. GNOME users
should hold off a little while though since 0.9.3 compatible releases
of Nautilus and Galeon aren't ready yet, but don't despair. Galeon
already has a new Mozilla 0.9.3 compatible pre-release out, and the
Nautilus hackers are already looking into seeing what needs to be done
on their side. 

        http://www.mozilla.org/releases/mozilla0.9.3/

==============================================================
5. Jens Finke working on creating Thumbnail Managing Standard
--------------------------------------------------------------

Lots of applications these days create thumbnails of images on your
disk. Of course if you have many different applications doing this then
these thumbnails will start to take up a lot of disk space eventually.
Jens Finke is working on changing this and has made a draft for a new
Thumbnail Managing Standard which will allow all your applications to
share the same thumbnail images. The 0.2 version of the draft is now
available and he is requesting feedback. Below you find a link to the
current draft and contact information for Jens. The specification can
also be discussed on the freedesktop.org mailing-list. 

        http://www.informatik.uni-oldenburg.de/~pearl/thumbnail-spec/index.html
        https://listman.redhat.com/mailman/listinfo/xdg-list

==============================================================
6. GNOME Print gets a home
--------------------------------------------------------------

The GNOME printing library has made it easy to add good printing support
to GNOME applications, but finding information on GNOME print has not
always been that easy. GNOME print has now gotten its own homepage
hosted on gnome.org. So if you want to learn more about GNOME print or
just gaze at a beautifully designed page now is your chance. Link to the
new GNOME-print homepage below. 

        http://www.gnome.org/projects/gnome-print

==============================================================
7. GNOME Usability project gets some muscle
--------------------------------------------------------------

Seth Nickell has become the lead developer on the GNOME usability
project which plans to get as many of the usability improvements that
the Sun usability study uncovered into GNOME as possible. Seth plans to
hold regular meetings together with the Sun usability engineers on IRC
to plan and work on such issues. Interested hackers should join the
usability list in order to join the discussions and get information on
when the next meetings are. Below is a link to the mailing-list and to
the Usability meeting preparation notes. The first online meeting was a
great success with over 30 people participating. 

        http://mail.gnome.org/mailman/listinfo/usability
        http://developer.gnome.org/projects/gup/meeting.html

==============================================================
8. GNOME 2.0 Library freeze in progress
--------------------------------------------------------------

The run-up to the GNOME 2.0 release is underway with the libraries going
into API freeze this week. Libraries such as bonobo-activation (formerly
known as OAF), libbonobo and bonoboui, libgnome and libgnomeui,
gnome-vfs, gconf, libart_lgpl and more have all had a feature freeze
release. Hopefully a full GNOME 2.0 platform preview release is ready to
be released soon. 

        ftp://ftp.gnome.org/pub/GNOME/pre-gnome2/latest/sources/

==============================================================
9. GNOME 1.4.1 release underway
--------------------------------------------------------------

Kjartan Maraas is preparing the first GNOME 1.4.1 beta release which
will be out very soon. This is a bugfix release for the GNOME 1.4
release containing bugfixes and improvements made since the 1.4.0
release. For an almost complete list of which packages will be in
GNOME 1.4.1 take a look at Kjartan's beta1 list linked below. 

        http://mail.gnome.org/archives/gnome-hackers/2001-July/msg00267.html

==============================================================
10. New release of GNOME-GCJ Java-bindings available
--------------------------------------------------------------

Oskar Liljeblad released version 0.15.0 of the GNOME-GCJ Java bindings
this week. GNOME-GCJ are Java bindings for GNOME and GTK+ which can be
compiled into native bytecode with the GCJ compiler which is part of
GCC. Oskar is also looking for more developers to help out since he has
extensive plans for GNOME-GCJ. Link to the release announcement and the
GNOME GCJ homepage below. 

        http://mail.gnome.org/archives/gnome-announce-list/2001-August/msg00000.html
        http://gnome-gcj.sourceforge.net

==============================================================
11. GNOME summary translations
--------------------------------------------------------------

The GNOME summary is being translated into Spanish and Hungarian.
Translations are usually available shortly after the release of the
summary in English. 

        http://es.gnome.org/actualidad/
        http://cactus.rulez.org/projects/gnome/summary/

==============================================================
12. Hacker Activity
--------------------------------------------------------------

Thanks to Paul Warren for these lists.

Most active modules:
 148 evolution
 102 SashWDE
 84 gnome-applets
 78 SashMo
 65 galeon
 64 web-devel-2
 53 gail
 51 mc
 37 anjuta
 37 libbonobo
 37 gtkhtml
 33 libgnome
 32 gimp
 29 gtkvts
 26 gnumeric
 25 gnome-vfs
 25 gnome-core
 24 ximian-setup-tools
 22 gnomeweb-wml
 22 gal
[101 active modules omitted]

Most active hackers:
 68 martin
 67 michael
 62 barreiro
 57 kmaraas
 54 tyeler
 36 baddog
 35 clahey
 33 rodrigo
 32 proskin
 32 mpeseng
 32 seth
 29 chatham
 28 kabalak
 26 jody
 25 jleach
 25 hovinen
 23 bcameron
 23 dkc
 22 darin
 22 billh
[125 active hackers omitted]


==============================================================
13. New and Updated Software
--------------------------------------------------------------

Gnome Predict  - A satellite tracking program for Gnome.
gtktalog  - App to easily browse a CDROM database.
gmrun  - Run utility, providing bash-like TAB completion and history
linphone  - A web-phone application
gnome-pilot  - Pilot synchronization for GNOME
Metacity  - A window manager based on GTK+ 2.0
rubrica  - Addressbook application
Pan  - Multithreaded Usenet newsreader for GTK and GNOME
devhelp  - Browse and search GNOME API and GNU Manuals.
gchch  - Chinese Checkers board game.
Tenes Empanadas Graciela  - A pseudo-clone of Risk

For more information on these packages visit the GNOME Software map: 
http://www.gnome.org/applist/listrecent.php3

Sincerely,
Christian

Category:

  • Open Source

Antitrust regulators eye online music ventures

Author: JT Smith

Reuters: “Antitrust enforcers at the U.S. Justice Department are investigating
the online music business, including two new joint ventures in the
industry, an industry source said on Monday.

The department is in the initial stages of a probe that includes the
industry’s Pressplay and MusicNet ventures and, more generally, how
major record labels control online distribution of copyrighted music, the
source said. “They have launched an investigation.””

Is copy protection dead on arrival?

Author: JT Smith

CNET News.com:
“For several weeks, news that record companies have quietly been selling
copy-protected compact discs in stores has been filtering around the
Net. Although nobody has yet produced a verified copy of a CD loaded
with this technology, developed by copy-protection giant Macrovision, it has
produced a wave of ‘sightings’ that have swept even to places as prominent
as Amazon.com’s consumer reviews.”

Category:

  • Linux

Slackware Linux 8.0

Author: JT Smith

Patrick Mullen writes “The Duke of URL has just posted its review of Slackware Linux
8.0. Slackware is one of the older Linux distributions out there, and prides
itself on its UNIX-like operation. The review covers installation,
security, usability and much more.”

Category:

  • Linux

MP3.com selects Lineo to manufacture new media server

Author: JT Smith

Beginning this fall, subscribers to
MP3.com, Inc.’s Business Music Services will begin receiving a
new media server designed by MP3.com and Lineo, Inc. The
next-generation player, at less than half the size of the existing media player,
retains all of the current features plus added enhancements such as keyboard
access and troubleshooting capabilities. The new player is based on the Lineo
SecureEdge(TM) internet appliance platform and uses a Lineo uClinux(TM) embedded
operating system that’s more advanced than its predecessor, with new features
and a quicker startup. Read the full press release at PR News Wire.

An operating system alternative

Author: JT Smith

“Paul Foster is a believer. Microsoft may have billions of
dollars backing Windows, but Foster is convinced that
one day the Linux operating system will challenge it.

“We’re not that far from being fully ready for the desktop,”
said Foster, president of the Suncoast Linux Users
Group (www.suncoastlug.org).” More at St. Petersburg Times online.

Category:

  • Linux

F*** you, Code Red

Author: JT Smith

by Tina Gasperson
My firewall logs are bigger … I mean, longer … I mean, more verbose than yours. Comparisons are rife across the ‘Net among those non-Windows users for whom Code Red is nothing more than a curiosity. One guy even wrote a Perl script to log Code Red scans and warn offenders. That script was posted on the comp.os.linux.security newsgroup. Here’s how it begins (with expletives deleted):

#!/usr/bin/perl

# Send the CGI response (header plus HTML body) back to the scanning host
print <<END;
Content-type: text/html

<HTML><TITLE>Error</TITLE><BODY>
<H1>F*** you, code red...</H1>
No, I am no IIS... bad luck, CODE RED!<BR>
You have been LOGGED, LOGGED and LOGGED!!!!!!!!!!!!!!!!!<P>

<A HREF="http://www.amishrakefight.org/gfy/">Go f*** yourself!</A>
</BODY></HTML>
END

Not everyone is out to flame scanners, though. Some of the conversations simply noted increasing numbers of the offending scans. In typical pissing contest fashion, those who’d received more scans were the coolest. “Why are you getting more Code Reds than I? Do you have multiple IPs? Aren’t they randomly chosen, so everyone should get equally many?” was one lament seen by a dribbler in the Code Red races.

Geeks are curious folk, so it’s no surprise they are examining Code Red and considering the possibilities; no matter that it is a Windows problem. It is an equal opportunity visitor, knocking on all doors. When it shows up, some hackers can’t help but grab it and inspect closely.

Some people are starting to share their observations about the worm that infects systems running Windows 2000 or IIS. “I set up apache on my home machine to count the attempts. What is interesting is that within 10 seconds of starting apache and
tail -f’ing the access_log, I had 1 attempt. Now suppose I was
setting up a Win 2000 machine from the install CD. Chances are
I (and probably most new installs) would be infected before they
have a chance to patch the system,” wrote one LUG list participant.

Collectors of Code Red-infected IPs are also noticing certain broadband ISPs are getting hit hard. Understandably, the worm seems to travel fastest within its own IP block, which could cause big problems for cable networks. In fact, subscribers to broadband are starting to get letters like this one from the Road Runner system in Tampa Bay, Fla.:

ROAD RUNNER ALERT

VIRUS ALERT.  YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has
today experienced an attack on its network which is apparently
attributable to the Code Red virus.  It is possible that this virus has
infected the PC's of Road Runner's subscribers using the Microsoft
Windows NT or Microsoft Windows 2000 operating systems.  Infected PC's
may continue to flood the Internet and Road Runner's network with virus
generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus.  In the meantime, Road Runner subscribers may
experience slow network response, flashing connectivity lights on the
cable modem, and other symptoms (such as unusual port scan log activity
or increased firewall activity) while Road Runner and the Internet
community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY
DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.

Thank you.

Road Runner Security

One guy set up a site on his cable connection that shows a real time log of Code Red scans and the accompanying IPs. Rinse and reload to get a picture of just how frequently the worms are hitting.

Kai Lien, a Tampa, Fla., technology consultant, got curious about Code Red after he was “bombarded with a few thousand hits over the weekend.” He took it upon himself to read up on the worm and do some thinking. He realized that his logs had provided him with a ready collection of IPs from compromised machines, because Code Red scans only come from systems that have been infected.

“In essence, my Apache log is telling me which machines I can easily manipulate. In a round about way, I have a honey-pot box for compromised machines,” says Lien.

It’s kind of a black-hatted honey-pot, one that would be most helpful for crackers. Instead of scanning IP blocks looking for vulnerable systems, all they’d have to do is set up a Linux system and collect IPs for a few hours. Says Lien: “Although I would not do it, any ‘hacker’ could easily damage those compromised machines with something as simple as this:
get /scripts/root.exe?/c+any_dos_command+c:
.”

In other words, a machine that has been infected by Code Red is now open to attacks from all sides.
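The log counting described in this article, written from the monitoring side as an added example (it is not the newsgroup script or code from anyone quoted here): it tallies Code Red probes and requests for the /scripts/root.exe path in an Apache access_log, per hour and per kind. The function names, the 20-character padding threshold and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Apache common/combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2})[^\]]*\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# The worm's probe asks for /default.ida followed by a long run of one padding
# letter: N in the original Code Red, X in Code Red II. The 20-character
# minimum is an assumed threshold that keeps short query strings out.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<pad>N{20,}|X{20,})', re.I)
# A request for the command shell path quoted in the article.
BACKDOOR_RE = re.compile(r'^/scripts/root\.exe(?:\?|$)', re.I)


def classify(uri):
    """Return a label for worm-related request paths, or None for other traffic."""
    probe = PROBE_RE.match(uri)
    if probe:
        return "codered-ii" if probe.group("pad")[0] in "Xx" else "codered"
    if BACKDOOR_RE.match(uri):
        return "root.exe-request"
    return None


def summarize(lines):
    """Count worm-related requests per kind and per hour, plus distinct senders."""
    by_kind, by_hour, sources, unparsed = Counter(), Counter(), set(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # malformed or empty request line, e.g. a timed-out connection
            unparsed += 1
            continue
        kind = classify(m.group("uri"))
        if kind is None:
            continue
        by_kind[kind] += 1
        by_hour[f'{m.group("day")} {m.group("hour")}:00'] += 1
        sources.add(m.group("host"))
    return {"by_kind": dict(by_kind), "by_hour": dict(by_hour),
            "distinct_sources": len(sources), "unparsed": unparsed}


# Constructed sample lines (documentation address ranges, padding run kept short).
PAD_N, PAD_X = "N" * 40, "X" * 40
SAMPLE_LOG = [
    f'192.0.2.10 - - [06/Aug/2001:09:14:02 -0400] "GET /default.ida?{PAD_N} HTTP/1.0" 404 276',
    f'192.0.2.10 - - [06/Aug/2001:09:14:30 -0400] "GET /default.ida?{PAD_N} HTTP/1.0" 404 276',
    f'198.51.100.23 - - [06/Aug/2001:09:40:11 -0400] "GET /default.ida?{PAD_X} HTTP/1.0" 404 276',
    '203.0.113.5 - - [06/Aug/2001:10:02:47 -0400] "GET /scripts/root.exe?/c+any_dos_command HTTP/1.0" 404 281',
    '203.0.113.77 - - [06/Aug/2001:10:05:00 -0400] "GET /index.html HTTP/1.0" 200 1432',
    '203.0.113.77 - - [06/Aug/2001:10:05:09 -0400] "GET /default.ida?NNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [06/Aug/2001:09:15:40 -0400] "-" 408 -',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for hour, count in sorted(report["by_hour"].items()):
        print(f"{hour}  {count} worm-related requests")
    print(report["by_kind"], "from", report["distinct_sources"], "distinct hosts")
```

A rising hourly count from addresses inside your own network block is the signal the Road Runner letter is about: those hosts are infected and need the patch.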

Lien says because of the Code Red problems, the time is ripe for pushing Linux as a secure alternative to Windows for servers. “This is a great time to let people know that with Linux they don’t have to worry about this problem,” he says. “Of course, it’s a great time for ‘hackers’ to start using Linux, too.”

Category:

  • Linux