LWN.net

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)

jake — 2008-07-08T15:07:45+00:00

Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning as an article at Securosis.com details. This has lead to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediate reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong, time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.

GNU/Linux free software tools to preserve your online privacy, anonymity and security (FSM)

ris — 2008-07-08T12:53:36+00:00

Free Software Magazine looks at some free software tools to protect freedom. "Whether you are online or offline, freedom matters. Like good health you never think about it or miss it until it is under threat or actually gone. If you love freedom, you probably love free software and it has given us some terrific tools with which to defend freedom. In this article I will give an overview of some of the available resources (Freenet, Wikileaks and Tor) to protect dissident opinion, facilitate whistle blowing and promote the safe and anonymous development of free software."

Security updates for Tuesday

ris — 2008-07-08T12:52:50+00:00

Debian has updated bind9 (DNS cache poisoning), bind8 (DNS cache poisoning).

Gentoo has updated pcre (buffer overflow).

SUSE has updated the kernel (multiple vulnerabilities).

The current development kernel is...linux-next?

corbet — 2008-07-08T11:24:22+00:00

Linux kernel developers are being encouraged to see the linux-next tree as the kernel they should use as their development base. But the unique nature of linux-next makes it difficult to use in that way. This article (from this week's Kernel Page, subscribers only) examines the evolving role of linux-next; click below for the full text.

Google releases Protocol Buffers

corbet — 2008-07-08T09:31:38+00:00

Google has announced the release of its "Protocol Buffers" code under the Apache license. "Protocol Buffers allow you to define simple data structures in a special definition language, then compile them to produce classes to represent those structures in the language of your choice. These classes come complete with heavily-optimized code to parse and serialize your message in an extremely compact format." In other words, it's another XDR/RPC/pickle implementation, but tuned to Google's performance needs.

Reiser leads police to wife's body (MercuryNews)

corbet — 2008-07-08T08:31:50+00:00

This MercuryNews article would appear to bring an end to the speculation on whether Hans Reiser was really guilty. "Accompanied by heavily armed Oakland police, software programmer Hans Reiser on Monday led authorities to the body of his missing wife, buried in a shallow grave in the Oakland hills."

Mozilla Foundation developing a model for a security metric (heise online)

jake — 2008-07-07T15:53:48+00:00

An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."

Monday's security advisories

jake — 2008-07-07T14:23:02+00:00

CentOS has updated firefox, devhelp, xulrunner, yelp (multiple vulnerabilities).

Debian has updated pcre3 (arbitrary code execution).

Fedora has updated pcre (F8, F9: arbitrary code execution), jetty (F8, F9: multiple vulnerabilities). Fedora 8 has updated firefox (multiple vulnerabilities) which directly causes all of the following updates: devhelp, gtkmozembedmm, yelp, gnome-web-photo, kazehakase, epiphany, liferea, epiphany-extensions, openvrml, galeon, ruby-gnome2, chmsee, Miro, gnome-python2-extras, blam.

Mandriva has updated phpMyAdmin (multiple vulnerabilities), gnome-screensaver (authentication bypass), sympa (denial of service), squid (denial of service), gnome-screensaver (clipboard contents disclosure).

Move Your Business from Windows to Linux (PC World)

jake — 2008-07-07T09:53:22+00:00

It often seems that the mainstream technical press focuses on various "problems" with Linux, either technical or otherwise, which is what makes this PC World article stand out. It is a basic introduction to Linux for businesses that might be looking to switch from Windows, especially for the cost savings. "If that feels like a waste of your small business's precious IT budget, and you're still looking for an alternative to Windows Vista, look no further than Linux. The latest distributions are free, easy to install, and highly customizable; they harness your existing hardware without overtaxing it; and they include a wealth of productivity applications and utilities. You may already have a closet Linux expert on staff, but if you don't, paid support is usually available at rates far less than Microsoft's."

Stormy Peters becomes the GNOME Executive Director

corbet — 2008-07-07T09:12:42+00:00

The GNOME Foundation has announced that it's long search for an executive director is over: Stormy Peters has accepted the job. "The past year there has seen tremendous growth in the number of devices that ship with GNOME- mass-market laptops, phones, and even GPS devices. Hiring Stormy as executive director will help GNOME capitalize on this momentum, exactly at a time when more of the world is realizing the value of combining free and open source software with great user experiences, while also helping GNOME consolidate its traditional strengths in enterprise and other large-scale deployments."

Gentoo Linux 2008.0 released

corbet — 2008-07-06T08:33:37+00:00

Gentoo Linux 2008.0 is out. "Code-named 'It's got what plants crave,' this release contains numerous new features including an updated installer, improved hardware support, a complete rework of profiles, and a move to Xfce instead of GNOME on the LiveCD."

One more 2.6.26 prepatch

corbet — 2008-07-05T21:06:42+00:00

The 2.6.26-rc9 kernel prepatch is out. "Enough changes that we needed another -rc, and the regression list isn't emptying fast enough either (probably because a number of people, including reporters, are vacationing)." Along with the fixes there's a new driver for cameras which implement the standard USB video class spec. The long-format changelog has the details.

KDE 4.1 Beta 2: Two Steps Forward, One Step Back (Datamation)

corbet — 2008-07-05T11:56:20+00:00

Datamation reviews the second KDE 4.1 beta. "However, if the second beta of 4.1 is any indication, it will be only partly successful in quieting user dissent. On the one hand, KDE 4.1 includes the first 4.x versions of several major KDE applications, which goes a long way toward improving the user experience. And, in both other programs as well as the desktop, the second beta sports countless improvements in functionality and design. On the other hand, not only are many of the interface changes that people complain about still there, but the new Folder View raises a whole new set of issues about how users organize their desktops."

KOffice 2 Alpha 8 Reviewed (TechWorld)

ris — 2008-07-04T13:11:42+00:00

TechWorld takes a look at KOffice 2.0 Alpha 8. "KOffice 2.0 Alpha 8 ships as a suite of applications. In addition to the familiar word processor (KWord), spreadsheet (Kspread) and charting (Kchart), and presentation applications (KPresenter), KOffice has a wealth of tools for content design, manipulation and display. For the creative professional, there's Krita a fully-fledged graphic design and image manipulation tool, Karbon14 a Scalable Vector Graphics editor, and Kivio for flowcharts and diagrams. Also included is Kexi for database development (touted as "Microsoft Access for Linux"), and KPlato for project management. Other tools are KnetAttach, a network folder wizard, Kformula for mathematical formula editing, and a thesaurus." (Found on KDE.News)

Security advisories for Friday

ris — 2008-07-04T13:11:16+00:00

SUSE has updated sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 (various issues).

Mandriva has updated php (multiple vulnerabilities: 2007.1, Corporate 4.0, 2008.0, 2008.1, Corporate 3.0, Multi Network Firewall 2.0, Corporate 4.0).

Fedora 8 has updated ruby (multiple vulnerabilities).

Debian has updated wordpress (several vulnerabilities).