Zope updates are available – duplicate

Author: JT Smith

A series of fixes and updates to the popular Open Source web application server. Hotfix 2001-03-08 “addresses an important security issue that affects Zope version 2.3.0 and the current 2.3.1 beta 1 release.” Another security update for Debian Zope users is also available.

Debian advisory: glibc

Author: JT Smith

“The version of GNU libc that was distributed with Debian GNU/Linux 2.2 suffered from 2 security problems. Both problems have been fixed in version 2.1.3-17 and we recommend that you upgrade your glibc packages immediately.” More information and upgrade links available at LWN.net.

Category:

  • Linux

Debian advisory: joe

Author: JT Smith

“joe will look for a configuration file in three locations: the current directory, the user's home directory ($HOME) and in /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling) reading it from the current directory can be dangerous: an attacker can leave a .joerc file in a writable directory, which would be read when an unsuspecting user starts joe in that directory.” More information at LWN.net.

Category:

  • Linux

Update to Mandrake’s ePerl

Author: JT Smith

At LWN.net: “Several potential buffer overflows in the ePerl package have been found
by Fumitoshi Ukai and Denis Barbier. When eperl is installed setuid
root, it can switch to the UID/GID of the script’s owner. Although
Linux-Mandrake does not ship the program setuid root, this is a useful
feature which some users may have activated locally on their own.
There is also the potential for a remote vulnerability as well.”

Category:

  • Linux

Eazel’s Nautilus 1.0 to be released next week

Author: JT Smith

By Grant Gross
The 1.0 release of Eazel’s Nautilus, the much-anticipated Gnome software environment, is scheduled to be available for download within a few days.

Eazel, the company co-founded by former Macintosh interface designers, will officially announce the 1.0 release later this month, but the first post-beta release of Nautilus will be available for download sometime next week at http://services.eazel.com/download/. Internet rumors had 1.0 available as early as Monday, but Eazel officials couldn’t confirm that date as of mid-day Friday.

The Nautilus shell integrates file management, Web browsing, and system management into Gnome. “This desktop application is not only designed to be a major step forward in ease of use for Linux but will also lead the next generation of innovation on the desktop by integrating local file management with Internet-based services,” according to the Eazel Web site. If you’re still wondering what this all means, there’s a Nautilus demo available at http://magritte.eazel.com/nautiluswsdemo.html.

The 1.0 release promises fewer bugs and more stability than the current preview release 3, and Eazel is constantly working on expanding the number of services that work with Nautilus, says Tom Goguen, director of product management for Eazel.

“I keep the hourly builds running on my system,” he says, “and I’ve been pretty excited by how the performance has ramped up over the last couple of weeks. It’s amazing how the stability of the system has increased as well, so it’s a lot of fun to use.”

Users of 1.0 should notice integration with Eazel’s online services, a slick installer working on Red Hat 7, and an updated software catalog, Goguen says. “All of this is Open Source, so if someone else comes up with a service they want to do and tie it in, there’s the opportunity to do that as well,” Goguen says.

Among the features coming out shortly that will work with 1.0 is an easy-to-use software update service and software suites, such as a digital music suite that includes an easy-to-install group of applications for playing, ripping, and recording MP3s. Goguen also pointed users to the already available “text-based services,” which help users find applications for using and viewing different types of digital media and also allow users to highlight a chunk of text and search Google for those words. “Now everything in a document is a potential hyperlink,” he says.

Goguen says he’s heartened by the amount of support for Nautilus in the Open Source community. Of the 107 developers who’ve contributed to Nautilus so far, only 30 are employees of Eazel. “This is really a community effort; it shows the power of Open Source development,” he says. “The source code is already in Gnome CVS, so people can check it out, they can work on it, they can add to it, they can extend it.”

Eazel has tested the Nautilus installer extensively on Red Hat 6.2 and 7.0, but users of other Linux and Unix flavors should be able to run 1.0 with Gnome, too, Goguen says. This week, Goguen watched as Eazel employees ran Nautilus on Sun’s Solaris 8. Eazel will test Nautilus on Mandrake, SuSE, and Debian over the next few months.

NewsForge editors read and respond to comments posted on our discussion page.

Category:

  • Open Source

EC divided over software patents

Author: JT Smith

ZDNet UK reports that a “damaging split in the European Commission may delay a
decision on whether to follow lax U.S. patent rules, widely
blamed for a flood of lawsuits in recent years.”

Advisory for XEmacs, gnuserv

Author: JT Smith

From LWN.net: “Klaus Frank has found a vulnerability in the way gnuserv handled remote connections. Gnuserv is a remote control facility for Emacsen which is available as a standalone program as well as included in XEmacs21. Gnuserv has a buffer for which insufficient boundary checks were made. Unfortunately this buffer affected access control to gnuserv which is using a MIT-MAGIC-COOKIE based system. It is possible to overflow the buffer containing the cookie and foozle cookie comparison.”

Category:

  • Linux

Shocking report: Linux dull?

Author: JT Smith

From the humor site, Segfault: “In a shock report released today, market research giants Nielsens claimed that 88% of people on the street who expressed an opinion found the operating system Linux ‘dull’.

‘It’s preposterous!’ exclaimed Alex Johnson, C programmer and heavily bearded Linux user. ‘Where did they do these surveys, Microsoft HQ? How could anyone not enjoy tinkering with a well made .cshrc file, or carefully setting environmental variables such as HOSTNAME, MANPATH or ENV_SET?

Dull? How could anyone call this dull?’”

Category:

  • Management

Advisory for slrn

Author: JT Smith

At LWN.net: Package: slrn; problem type: buffer overflow; Debian-specific: no.

Bill Nottingham reported a problem in the wrapping/unwrapping functions of the slrn newsreader. A long header in a message might overflow a buffer, which could result in executing arbitrary code encoded in the message.

Category:

  • Linux

Industrial world considers Windows, Linux for use on factory floor

Author: JT Smith

EET.com reports that “Windows’ migration to the factory floor gathered momentum
this past week, as exhibitors at National Manufacturing Week laid the
groundwork for a new era of automation equipment.” However, some manufacturers are interested in Linux, but they predict its adoption into factories will take time, just as Windows’ adoption has.

Category:

  • Linux