Today’s Debian security advisories, as posted to Help Net Security: “When ePerl is installed setuid root, it can switch the UID/GID of the scripts’ owner (details)” … “The AsciiSrc and MultSrc widget in the Athena widget library handle temporary files insecurely (details)” … “It has been reported that one can tweak man2html remotely into consuming all available memory (details)” … “Former versions of sgml-tools created files directly in /tmp in an insecure fashion (details).”

An O’Reilly article bears news that Python plays a big role in the Walt Disney Feature Animation (WDFA) shop’s computer production process. WDFA is already a heavy user of Perl, but “some shortcomings with Perl led the software group to investigate other scripting alternatives.”

From PR Newswire: Lineo, Inc., a leading innovator
in embedded systems, real-time and high availability solutions, and
Bryan Sparks, Lineo CEO and Founder, today welcomed Lindon Mayor Larry
Ellertson, Utah County Commissioner Jerry Grover and other dignitaries to
break ground on a state-of-the art facility to become the new home for Lineo’s
corporate headquarters in Lindon, Utah.

Ismet writes: From 10 a.m. to 4 p.m. on Sat, March 10, 2001, at 2555
West 190th Street, Torrance, CA 90504,
Linuxatlax.org presents “Powerful Web tools: An Overview of
Zope/Python and Roxen”.

Paul Everitt, co-founder of Digital Creations, Inc., will discuss
Zope, and our own Martin Bäehr will talk about the Roxen WebServer and Roxen Platform.
Zope and Roxen are two different open source application servers (web
servers with lots of support for active content and databases). Both
have large and happy user communities. Here’s your chance to hear more
about Zope from the horse’s mouth, and to learn about the lesser-known
challenger Roxen. Don’t miss it!

DATE: Sat, March 10, 2001

ORGANIZATION: Linuxatlax.org – Linux user group

EVENT:”Powerful Web tools”-An Overview of
Zope/Python and Roxen. Used in web
application development and large scale
distributed web content management

SPEAKERS:Paul Everitt, co-founder of Digital
Creations, Inc., is scheduled to speak
about Zope/Python.
Martin Bäehr will talk about the
Roxen web server/platform

TIME:10am to 4pm

LOCATION:eLinux.com 2555 West 190th Street, Torrance, CA 90504-6002

DETAILS: http://www.linuxatlax.org

COST: Free

Additional information on the Zope portion of the seminar:

Zope is an Open Source application server, specializing in content
management, portals, and custom solutions. Zope is focused on rapid
delivery of rich solutions to wide audiences. It runs on UNIX, Linux, NT, Win9x,
Win2000
and Mac.

Paul will be reviewing it’s architecture, implementation and follow with a
series of demonstrations.

This will including building a clustered application server, where all
three tiers (presentation, logic, and content) are transactionally
distributed.

Zope has a cluster mode called ZEO (Zope Enterprise Objects) that allows
one to add machines and distribute transactions. This will be included as
part of the hands on demonstration.

Please pass the information on to others. They can check the Linuxatlax
site for additional updates concerning this seminar.

ZD’s Sm@rt Partner has a story saying opportunity is knocking for Linux integrators, who get paid $50,000 to $110,000 a year and are billed out at $150 or more an hour.

From the Debian Security Advisory list March 8, 2001:

Package : glibc
Problem type : local file overwrite
Debian-specific: no

The version of GNU libc that was distributed with Debian GNU/Linux 2.2
suffered from 2 security problems:* It was possible to use LD_PRELOAD to load libraries that are listed
in
/etc/ld.so.cache, even for suid programs. This could be used to
create
(and overwrite) files which a user should not be allowed to.

* by using LD_PROFILE suid programs would write data to a file
to /var/tmp, which was not done safely. Again, this could be used
to create (and overwrite) files which a user should not have access
to.

Both problems have been fixed in version 2.1.3-17 and we recommend that
you upgrade your glibc packages immediately.

Please note that a side-effect of this upgrade is that ldd will no
longer
work on suid programs, unless you logged in as root.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

Debian GNU/Linux 2.2 alias potato

John Gowin writes: “Linux Orbit’s editor in chief spent the weekend configuring his laptop with the new 2.4.2 kernel and along the way, some interesting discoveries where made.
‘Recently, I embarked on yet another odyssey of epic proportions with my laptop. Previously, I told you about my switch from Windows to Linux and the idiosyncrasies I encountered. Well, what with all the hoopla and fanfare over the 2.4 kernel, I wanted to share in the joy of being on the cutting edge with everyone else. On top of upgrading my kernel, I purchased a USB CD-RW HP 8200 series drive, and figured that this new toy would make the work worth the effort. Not only would I have a screaming new kernel, but I could burn all my MP3s to CD and…. Oh wait, no I mean I could burn new beta CDs of Mandrake and Red Hat and try them out.’
Read the article at LinuxOrbit.com.”

FT.com has a feature on MandrakeSoft’s CEO Henri Poole and on his company’s efforts to market its Linux distribution.

From LWN.net: From March 15th, Linux Valley
(www.linuxvalley.com), the Italian portal for the Linux operating system,
will be updated.
Graphic, contents and services have been enriched and reorganized for
making it more and more complete and interactive.

From LinuxPR: MontaVista Software Inc.,
developer of the Hard Hat Linux operating system for embedded applications, is
sponsoring for software developers a free, full-day seminar demonstrating how
Linux can significantly reduce the cost of building and deploying pervasive
computing devices. The seminar, titled “Linux Inside,” will be held at the
Bellevue Hilton in Bellevue, Wash., on Friday, March 23 from 8:30 a.m. to 4 p.m.,
and at the Hotel Boulderado in Boulder, Colo., on Tuesday, March 27, from 8:30
a.m. to 4 p.m.