Debian Weekly News – September 12th, 2000

Date: Tue, 12 Sep 2000 15:10:57 -0700
From: Joey Hess [email protected]
To: [email protected]
Subject: Debian Weekly News – September 12th, 2000


Debian Weekly News
http://www.debian.org/News/weekly/current/issue/

Debian Weekly News – September 12th, 2000


Welcome to Debian Weekly News, a newsletter for the Debian
community.

KDE packages are pouring into Debian. All of the core of KDE is
already present in unstable, and more packages are sure to follow.
This unexpected turn of events is due to a change in the license of
Qt 2.2: Troll Tech released it dual-licensed [1]under the GPL, so
the KDE licensing issue is finally resolved. For an excellent
summary of the Debian/KDE issue and recent events, look no further
than [2]this article in LinuxPlanet.

Besides the good news about Qt, several other important
licensing issues have recently surfaced. Python 1.6 was released
under a license that may have [3]compatibility problems with the
GPL. Gregor Hoffleit, our python maintainer, is taking a
[4]cautious approach to this possible problem; there is still
hope that the new license will be fixed to be GPL compatible.
Meanwhile, the RSA algorithm was released into the [5]public
domain. This should allow some software, such as gpg-rsa and pgp-i,
to [6]move from non-free into Debian main, although it may remain
in non-us for now since it involves encryption.

[7]Plans are being laid for a point release of potato: Debian
2.2r1. It will include security fixes, boot-floppy bugfixes, other
important bug fixes, updated release notes, and perhaps a very few
additional packages, like console-apt, that didn’t make 2.2r0.

The most notable technical thread on the lists this week
concerned changing the manner in which packages start and restart
daemons when they are installed. The current behavior (always
start a package's daemon when it is installed) isn't the behavior
one would expect if a system is running in single user mode, and it
can be rather inflexible for other needs, such as installing into a
chroot. Henrique M. Holschuh [8]proposed a new method of
determining, at package install time, whether a daemon should be
started, which addresses these issues. However, it would require
additional code to be placed in every package that uses it, and it
still has some unresolved technical details.
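As an added illustration of the problem described above (this is not part of the original newsletter, and it is not Holschuh's proposal, which this issue only summarises), here is a hypothetical POSIX sh helper that a package's postinst could call before starting its daemon. The decision logic takes the runlevel, the chroot status and an assumed policy variable as explicit arguments so it can be exercised without touching the real system; the two probe functions gather those inputs on a Linux host. Treating an unknown runlevel as "skip" is a fail-closed choice made for this example.

```shell
#!/bin/sh
# Hypothetical install-time daemon start check (added example).
#
# decide_daemon_start RUNLEVEL WHERE [POLICY]
#   RUNLEVEL : current runlevel ("S", "1", "2", ... or "unknown")
#   WHERE    : "chroot" if the install runs inside a chroot, else "host"
#   POLICY   : assumed admin override: "always", "never" or "auto" (default)
# Prints "start" or "skip"; returns 0 for start, 1 for skip.
decide_daemon_start() {
    runlevel="$1"
    where="$2"
    policy="${3:-auto}"

    # An explicit administrator policy wins over any heuristic.
    case "$policy" in
        always) echo start; return 0 ;;
        never)  echo skip;  return 1 ;;
    esac

    # Inside a chroot (e.g. building an image) nothing should be started.
    if [ "$where" = chroot ]; then
        echo skip
        return 1
    fi

    # Single-user mode, or no usable runlevel: fail closed and do not
    # start the service (a deliberate choice for this example).
    case "$runlevel" in
        S|s|1|unknown) echo skip; return 1 ;;
        *)             echo start; return 0 ;;
    esac
}

# Detect a chroot by comparing the device:inode of our "/" with that of
# init's root. Needs a readable /proc/1/root (normally root only);
# anything that cannot be verified is reported as "host".
detect_chroot() {
    if [ -r /proc/1/root/. ]; then
        here=$(stat -c '%d:%i' / 2>/dev/null)
        init_root=$(stat -c '%d:%i' /proc/1/root/. 2>/dev/null)
        if [ -n "$here" ] && [ -n "$init_root" ] && [ "$here" != "$init_root" ]; then
            echo chroot
            return
        fi
    fi
    echo host
}

# Report the current runlevel, or "unknown" when it cannot be determined
# (no runlevel(8) available, or it prints "unknown").
current_runlevel() {
    if command -v runlevel >/dev/null 2>&1; then
        rl=$(runlevel 2>/dev/null | awk '{print $2}')
        case "$rl" in
            ""|unknown) echo unknown ;;
            *)          echo "$rl" ;;
        esac
    else
        echo unknown
    fi
}

# Typical use from a postinst (DAEMON_START_POLICY is an assumed name):
#   if decide_daemon_start "$(current_runlevel)" "$(detect_chroot)" \
#         "${DAEMON_START_POLICY:-auto}" >/dev/null; then
#       /etc/init.d/example start
#   fi
```

The value of splitting the decision from the probes is that the policy can be reviewed and tested in isolation, while the probes are the only part that depends on the host; on a system where /proc/1/root is unreadable the helper simply behaves as if it were on the host, which is the same behaviour packages have today.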

A slew of security fixes has appeared in the past two weeks. In
approximate order of importance, they include:
* A [9]remote shell exploit for horde and imp.
* A [10]remote root exploit in libpam-smb.
* Two [11]local root vulnerabilities in glibc.
* A [12]privilege elevation exploit for screen.
* A [13]remote shell exploit in muh.
* Two [14]vulnerabilities in xpdf.
* A [15]fork bomb attack involving tmpreaper.


References
1. http://www.linuxplanet.com/linuxplanet/reports/2269/1/

2. http://www.linuxplanet.com/linuxplanet/opinions/2281/1/

3. http://lists.debian.org/debian-legal-0009/msg00029.html

4. http://lists.debian.org/debian-devel-0009/msg00649.html

5. http://www.rsasecurity.com/news/pr/000906-1.html

6. http://lists.debian.org/debian-devel-0009/msg00450.html

7. http://www.debian.org/News/weekly/current/issue/mail#1

8. http://lists.debian.org/debian-devel-0009/msg00666.html

9. http://www.debian.org/security/2000/20000910

10. http://www.debian.org/security/2000/20000911

11. http://www.debian.org/security/2000/20000902

12. http://www.debian.org/security/2000/20000902a

13. http://lists.debian.org/debian-devel-changes-0009/msg00901.html

14. http://www.debian.org/security/2000/20000910a

15. http://bugs.debian.org/71249


see shy jo