
Debian Linux: Remote exploit in cfingerd

Author: JT Smith

From Net-security.org: “Steven van Acker reported on bugtraq that the version of cfingerd
(a configurable finger daemon) as distributed in Debian GNU/Linux 2.2 suffers from two problems:

1. The code that reads configuration files (files in which $ commands are expanded) copied its input
to a buffer without checking for a buffer overflow. When the ALLOW_LINE_PARSING feature is enabled
that code is used for reading users files as well, so local users could exploit this.
2. There also was a printf call in the same routine that did not protect against printf format attacks.

Since ALLOW_LINE_PARSING is enabled in the default /etc/cfingerd.conf local users could use this to gain
root access.

This has been fixed in version 1.4.1-1.2, and we recommend that you upgrade your
cfingerd package immediately.”

Category:

  • Linux

Mitel acquires e-smith Linux company

Author: JT Smith

Gary Lawrence Murphy writes, “The Ottawa-based semiconductor and telephony manufacturing giant Mitel has acquired the Linux-based e-smith Inc in a bid to ‘make Mitel’s telecommunications products more reliable and less expensive’ and to ‘allow customers to customize their computer servers.’ Full story in the Globe and Mail.”

Category:

  • Linux

Can WinXP product activation be reverse engineered?

Author: JT Smith

The Register: “When Fully Licensed GmbH published details of its analysis of Microsoft’s Windows
Product Activation (WPA) system earlier this week, it had deliberately removed a
small piece of the picture. The company made a fully-working executable of its
XPDec utility available for download along with the XPDec source code, but it
removed the encryption key from the source.”

Rent-a-car motto: speed bills

Author: JT Smith

Wired: “A car rental agency in Connecticut uses GPS technology to fine speeders and says it won’t stop, even though the state is telling them it’s wrong.”

Category:

  • Programming

Philips wants beta testers for new MP3 boombox

Author: JT Smith

An anonymous reader writes: “It almost seems to defeat the purpose of the MP3 format to put it in a portable player the size of a watermelon. That might be why Philips is turning to the MP3 community to product test their new player. There is a link to sign up for those who are interested.”

http://www.mp3newswire.net/stories/2001/philipstest.html

Linux 2.4.7pre6aa1

Author: JT Smith

“Converted the semaphores in the lvm very fast path to rwsemaphores, so
we never block on locks in the common case. I’d like to know
if this makes a difference to Oracle users. It is incremental
with lvm beta7 (that was just previously included into my tree).”

Date:  Thu, 12 Jul 2001 10:16:35 +0200
                   From: Andrea Arcangeli 
                   Subject: 2.4.7pre6aa1

                   Diff between 2.4.7pre5aa1 and 2.4.7pre6aa1:

                   Only in 2.4.7pre5aa1: 00_bh-async-2
                   Only in 2.4.7pre6aa1: 00_bh-async-3

                    Rediffed again due trivial rejects.

                   Only in 2.4.7pre5aa1: 00_drop___unlock_buffer-1
                   Only in 2.4.7pre5aa1: 00_drop_end_buffer_write-1
                   Only in 2.4.7pre5aa1: 00_kiobuf-backout-get_bh-1
                   Only in 2.4.7pre5aa1: 00_linus-brelse-fix-1

                    Merged in mainline.

                   Only in 2.4.7pre6aa1: 00_iput-debug-1

                    Minor debugging check.

                   Only in 2.4.7pre6aa1: 00_lvm-0.9.1_beta7-4_rwsem-fast-path-1

                    Converted the semaphores in the lvm very fast path to rwsemaphores, so
                    we never block on locks in the common case. I'd like to know
                    if this makes a difference to Oracle users. It is incremental
                    with lvm beta7 (that was just previously included into my tree).

                   Only in 2.4.7pre5aa1: 00_rwsem-14
                   Only in 2.4.7pre6aa1: 00_rwsem-15

                    Temporarily turned off alpha optimizations because they don't fit into
                    this framework, will turn them on ASAP.

                   Only in 2.4.7pre5aa1: 00_softirq-fixes-4
                   Only in 2.4.7pre6aa1: 00_softirq-fixes-5

                    Dropped the definition of smp_mb__ for the atomic_t operations that are
                    now in mainline (left the other parts).

                   Only in 2.4.7pre6aa1: 40_blkdev-pagecache-5

                    Now fixed also initrd, and tested that reads and writes with part of
                    the page beyond of the end of the device works (assuming userspace
                    knows where the device ends without relying on the last
                    readable/writeable byte, kernel doesn't destabilize if you write and
                    read beyond the end though).

                   btw, I also made a port of the blkdev in pagecache rev 5 against
                   2.4.7pre6+o_direct-10. So to test blkdev in pagecache you can also apply
                   in order:

                         ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.7pre5/o_direct-10
                         ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.7pre6/blkdev-pagecache-5

                   on top of 2.4.7pre6.

                   Andrea


Category:

  • Linux

Amid outages, Nasdaq debuts new system

Author: JT Smith

CNET: “SuperSOES, which runs on hardware from Compaq Computer and Unisys, debuted Monday and
began handling 18 stocks, including Agile Software and Liquid Audio. By July 30, the Nasdaq
intends to completely implement the new system, which will replace its old SOES, or Small Order
Execution System, which can handle only up to 1,000 shares at a time.”

Category:

  • Open Source

How Apple is reclaiming the classroom

Author: JT Smith

BusinessWeek: “In less than a school year, Apple has clawed its way back to
the top of the bell tower in the all-important education market.
In public schools nationwide, it has dethroned reigning
champion Dell Computer by a margin of greater than two to
one, according to the very reputable Quality Education Data,
longtime number-cruncher and school consultant.”

FreeBSD: ‘samba’ potential symlink vulnerability

Author: JT Smith

LinuxSecurity: “The samba ports, versions prior to samba-2.0.10,
samba-devel-2.2.0a, and ja-samba-2.0.9.j1.0_1, fail to properly
validate NetBIOS names. By sending a specially crafted NetBIOS name
containing unix path characters, a remote user may be able to cause
the samba server to write the log files to arbitrary locations on
the local filesystems.”

Category:

  • Linux

DotGNU to face down .Net

Author: JT Smith

FreeDevelopers announced today
the DotGNU project, a Free Software alternative to Microsoft’s .NET.
DotGNU has already been endorsed by the Free Software Foundation and
accepted as a part of the GNU project.

The DotGNU Project (which has a website at http://dotgnu.org)
has been started by Free Software developers who are very
concerned about what would happen to e-commerce and the freedom
of the internet if Microsoft is successful with their plans for
a centralized authentication system. Microsoft wants everyone’s
personal information and credit card numbers to be stored in
their “Passport” system, from where it can be made available to
online merchants without any inconvenience to the end user.
However, such convenience can be also achieved without a central
database that contains everyone’s personal information.

David Sugar, CTO of FreeDevelopers said, “The existing passport
system offers no technological advantage, and in fact, is a much
poorer technology than what can actually be offered, such as in
a distributed authentication and user data storage system.”
Sugar, who is highly respected among Free Software developers as
the maintainer of Bayonne, the GNU telephony system, goes on to
say that Microsoft’s passport system is “ethically and morally
wrong.” With its passport system, Microsoft is effectively saying,
“trust me – I will hold your wallet and whenever you need to buy
something, I will give it back to you.”

The developers behind the DotGNU project are not only concerned
about what Microsoft might do with the data intentionally. The
governments of some countries are interested in limiting their
citizens’ freedoms. Can Microsoft prevent the secret service of
such a government from breaking into the servers of the “passport”
system and silently snooping on all ongoing e-commerce transactions?
Can Microsoft prevent a well-funded secret service from intercepting
confidential data with a so-called man-in-the-middle attack?

Another risk is that when Microsoft controls a centralized
authentication system for all of the internet, the company can
use this monopoly to effectively force everyone to use software
that is controlled by Microsoft. Norbert Bollow, a
Switzerland-based business coach, said “I contribute to the
DotGNU project because I want my clients to be free to run their
businesses in the way they want, because that is what gives them
personal satisfaction and also the profits they want. Depending
on circumstances, the use of software components which cannot be
changed (because they are controlled by a Non-Free Software
company like Microsoft) can be anything from a minor annoyance
to something that really hinders your business success and
profits.”

Tony Stanco, founder of FreeDevelopers, calls DotGNU a “very
important strategic project for free software.” He adds, “It is
probably the battleground where we win or lose against Microsoft
in the next few years.”

Just like it is the goal of the GNU project, see http://dotgnu.org
to create a complete operating system that makes it completely
unnecessary to use a non-free operating system like e.g. Microsoft
Windows, it’s the goal of the DotGNU project to be a complete
competitor to Microsoft’s “.Net initiative” and “Hailstorm”
products.

The DotGNU project will compete with Microsoft for end-users,
business customers and developers. It is a huge project. Barry
Fitzgerald, a Free Software developer who contributes to DotGNU,
said, “It’s natural to have doubts about the implications of this
project, since the scope of this project is to counter something
that Microsoft is doing. I, too, had doubts upon first hearing
of the project. However, DotGNU is not simply a Free Software
version of .NET — DotGNU will be a suite of projects that are
designed to enhance the capabilities of the Free Software
infrastructure outright. Each of these projects can have value
as part of DotGNU, or as stand-alone products. If Microsoft is
making these tools, then someone will use them. It’s our
responsibility to counter that usage with a Free alternative.
Also, our responsibility is to create this infrastructure in a
way that is consistent with sensitivity to the user’s privacy
and with the sensitivity of their data. If there are problems
in the Microsoft architecture that users will implement, it is
our responsibility to produce Free alternatives that address and
ostensibly fix those problems.”

Enzo-Adrian Reyes, the Australian Free Software developer who has
started the DotGNU project, commented, “DotGNU will be a complete
replacement for the .NET strategy – it will not be a Free Software
implementation of .NET. While .NET has some very sound ideas,
problems arise with its implementation, especially with the
Authentication/Authorization systems which are centralized to
Microsoft. DotGNU will use a decentralized paradigm, no single
company, server or entity will control authorization. Secondly,
DotGNU will emphasize security, it will use encryption wherever
possible to keep user data secure and hidden.”

Right now is an excellent opportunity for every programmer and
software developer who cares about matters of Freedom, to get
involved right from the beginning in a truly important project.
Good starting points are to sign the Declaration of Software Freedom
at http://freedevelopers.net/freedomdec/ and to subscribe to one
or more of the mailing lists. There is a mailing list for general
discussions at http://dotgnu.org/mailman/listinfo/developers and
there are specialized mailing lists which focus on the overall
design of the system http://dotgnu.org/mailman/listinfo/arch and
on quickly creating an authentication system (the first version
will use browser plugins) that can compete with Microsoft’s
Passport system, http://dotgnu.org/mailman/listinfo/aut.

About the relation of the DotGNU project to the GNU system:

The DotGNU project has been endorsed by the Free Software
Foundation and accepted as a part of the GNU system. Therefore,
to be quite precise, DotGNU is a GNU project that has been
initiated by FreeDevelopers and that continues to be supported
by FreeDevelopers.

About FreeDevelopers:

FreeDevelopers (which can be found on the internet at
http://freedevelopers.net) is a self-regulatory organization of free
software developers from around the world. It currently has over 900
developers from about 50 countries. FreeDevelopers is headquartered in
Washington, DC, USA. FreeDevelopers-India is located in Trivandrum,
India.

FreeDevelopers is a software development company, but it is very
different from traditional, “corporate” software companies:
FreeDevelopers has a “The Community is the Company” structure, and all
the software they develop is licensed under the GNU General Public
License (GNU GPL). The GNU GPL provides the users of the programs
with many rights. These rights include the freedom to modify the
program and the freedom to redistribute the program. If a person is
not a programmer, they may choose to hire someone to make the changes
for them. Computer programs where the users are given these freedom
rights are called Free Software. (For more details see
http://www.gnu.org/philosophy/philosophy.html#AboutFreeSoftware.)
So far much excellent Free Software has been developed by volunteers
working together informally over the internet, for example most of the
very successful GNU/Linux operating system has been developed in this
way. The company FreeDevelopers has been started with the goal to
create a commercial structure that will allow Free Software developers
to get paid for the work they do.

About GNU:

GNU is a Free Software Unix-like operating system. Development of GNU
began in 1984.

GNU/Linux is the integrated combination of the GNU operating system
with the kernel, Linux, written by Linus Torvalds in 1991. The various
versions of GNU/Linux have an estimated 20 million users.

Some people call the GNU/Linux system “Linux”, but this misnomer leads
to confusion (people cannot tell whether you mean the whole system or
the kernel, one part), and spreads an inaccurate picture of how, when
and where the system was developed. Making a consistent distinction
between GNU/Linux, the whole operating system, and Linux, the kernel,
is the best way to clear up the confusion.

About the Free Software Foundation:

The Free Software Foundation, founded in 1985, is dedicated to
promoting computer users’ right to use, study, copy, modify, and
redistribute computer programs. The FSF promotes the development and
use of free (as in freedom) software—particularly the GNU operating system and its
GNU/Linux variants—and free documentation for free software. The FSF
also helps to spread awareness of the ethical and political issues of
freedom in the use of software. Their web site, located at
http://www.gnu.org, is an important source of information about
GNU/Linux. They are headquartered in Boston, MA, USA.

Media Contacts:

USA: Tony Stanco Tony@FreeDevelopers.net
David Sugar david.sugar@FreeDevelopers.net
India: Radi@FreeDevelopers.net,
Arun@FreeDevelopers.net
Switzerland: nb@FreeDevelopers.net
Australia: myrddian@bigpond.net.au