Linux Today: Linux News On Internet Time.






Debian Weekly News - September 12th, 2000

Sep 12, 2000, 22:31
(Other stories by Joey Hess)



Date: Tue, 12 Sep 2000 15:10:57 -0700
From: Joey Hess <joeyh@debian.org>
To: debian-news@lists.debian.org
Subject: Debian Weekly News - September 12th, 2000


Debian Weekly News
http://www.debian.org/News/weekly/current/issue/
Debian Weekly News - September 12th, 2000


Welcome to Debian Weekly News, a newsletter for the Debian community.

KDE packages are pouring into Debian. All of the core of KDE is already present in unstable, and more packages are sure to follow. This unexpected turn of events is due to a change in the license of Qt 2.2 -- Troll Tech released it dual-licensed [1]under the GPL -- the KDE licensing issue is finally resolved. For an excellent summary of the Debian/KDE issue and recent events, look no farther than [2]this article in LinuxPlanet.

Besides the good news about Qt, several other important licensing issues have recently surfaced. Python 1.6 was released, under a license that may have [3]compatibility problems with the GPL. Gregor Hoffleit, our python maintainer, is taking a [4]cautious approach to this possible problem -- there is still hope that the new license will be fixed to be GPL compatible. Meanwhile, the RSA algorithm was released into the [5]public domain. This should allow some software such as gpg-rsa and pgp-i to [6]move from non-free into Debian main, although they may remain in non-us for now since they involve encryption.

[7]Plans are being laid for a point release of potato: Debian 2.2r1. It will include security fixes, boot-floppy bugfixes, other important bug fixes, updated release notes, and perhaps a very few additional packages, like console-apt, that didn't make 2.2r0.

The most notable technical thread on the lists this week concerned changing the manner in which packages start and restart daemons when they are installed. The current behavior -- always start a package's daemon when it is installed -- isn't the behavior one would expect if a system is running in single user mode, and it can be rather inflexible for other needs, such as installing into a chroot. Henrique M. Holschuh [8]proposed a new method of determining if a daemon should be started at package install time that addresses these issues. However, it would require additional code to be placed in every package that uses it, and it still has some unresolved technical details.

A slew of security fixes have appeared in the past two weeks. In approximate order of importance, they include:
* A [9]remote shell exploit for horde and imp.
* A [10]remote root exploit in libpam-smb.
* Two [11]local root vulnerabilities in glibc.
* A [12]privilege elevation exploit for screen.
* A [13]remote shell exploit in muh.
* Two [14]vulnerabilities in xpdf.
* A [15]fork bomb attack involving tmpreaper.


References
1. http://www.linuxplanet.com/linuxplanet/reports/2269/1/
2. http://www.linuxplanet.com/linuxplanet/opinions/2281/1/
3. http://lists.debian.org/debian-legal-0009/msg00029.html
4. http://lists.debian.org/debian-devel-0009/msg00649.html
5. http://www.rsasecurity.com/news/pr/000906-1.html
6. http://lists.debian.org/debian-devel-0009/msg00450.html
7. http://www.debian.org/News/weekly/current/issue/mail#1
8. http://lists.debian.org/debian-devel-0009/msg00666.html
9. http://www.debian.org/security/2000/20000910
10. http://www.debian.org/security/2000/20000911
11. http://www.debian.org/security/2000/20000902
12. http://www.debian.org/security/2000/20000902a
13. http://lists.debian.org/debian-devel-changes-0009/msg00901.html
14. http://www.debian.org/security/2000/20000910a
15. http://bugs.debian.org/71249

--
see shy jo