Linux Blog

Recent Software Updates.

Filed under: The Linux Blog News — TheLinuxBlog.com at 8:53 am on Monday, September 8, 2008

The 2.6.26.4 Kernel was released at 11:47UTC with a lot of fixes. Notably the eeepc-laptop module got a fix that should stop it from failing to unload if anyone has an eeepc and had that problem. There were 40 unique commits to this update and I think that everyone involved should be thanked for their hard work.

A new Wine was released on Friday the 5th putting Wine on version 1.1.4, so those of you that use Wine may want to update to see if your apps run better. They’ve fixed a lot of applications and reimplemented parts of WinHTTP. Unless you’ve been under a rock, you’ll know about Google Chrome, and this Wine version includes several fixes to better support this. I might do a writeup of getting Google Chrome to work under Linux.

In security its just about the usual, SQL injections and XSS holes everywhere. Tomcat has some information disclosures that if your running the newest versions will not affect you.

Wireshark has some denial of service attacks and possibly arbitrary code execution, but only the DOS attacks have been confirmed. Your distribution probably has an older version in its repositories so, unless your running 1.0.3 which was released on September 3rd, you may want to update if your mission relies on this.

If you run postfix and notice your mail servers load is unusually high, look out for a denial of service against that also.

This ones an oldie but a good one: Get Pwnd by your Coffee machine of course its just one coffee machine, but as we see more household appliances being connected to the web. Which might get you thinking about Linux on Household Appliances.

Ubuntu & Gentoo Servers compromised

Filed under: General Linux — TheLinuxBlog.com at 11:00 pm on Wednesday, August 15, 2007

The case of the Ubuntu servers being breached [wiki.ubuntu.com]
Missing security updates and system administrators not running updates on servers is a problem. I don’t know why they didn’t do any updates past Breezy. They suggest that it was because of problems with network cards and later kernels but I don’t get it. Since when do software updates for an operating system have anything to do with what kernel is running? If there is a problem with hardware support for the network card you have two choices. The first is to fix the driver yourself or pay some one to do it. The second is to replace the network card to a better supported device. Both situations could be costly but it would get the problem fixed and five of the servers wouldn’t have been taken down at the same time.
If the kernels were configured correctly, the boxes probably wouldn’t of even had to have been rebooted.
Running FTP instead of a more secure version is not so bad unless they were running accounts with higher privileges than guest or using system accounts. In which case thats just stupid.

The Gentoo Situation [bugs.gentoo.org]
Apparently there is a problem in the packages.gentoo.org script. The bugzilla article goes into deeper explanation but basically there is some pretty unsafe code which could have allowed any one to run any command. I understand that the code is old but it probably should have been audited at some point. The problem would have stuck out like a soar thumb if looked at by a python coder and they probably would have fixed it, or at least suggested a fix. The problem was found on Tuesday the 7th. All of the infra- (I assume they mean infrastructure?) guys were at a conference last week so they couldn’t work on it. It still seems that if they were at the conference until midnight on the 12th they would still have been able to put up a coming back soon placeholder on the packages site by now. Hey, if they put some pay per click ads up there maybe they will get some additional funds during the down time. I would like to see what products would be pushed thru the advertising on that one. I believe that they could have reduced the downtime by releasing the code for the packages.gentoo.org site as open source or by asking for help from developers to review and upgrade the code as needed.

Its not strange for web servers get hacked. They get hacked all the time but who’s fault is it in the open source community? I really think that there is a problem in the community when it comes to situations like this but the blame can’t be placed on any one person. I would offer any assistance I could into getting these situations resolved but its not as easy as that. There has to be a certain level of trust for those working within a project. If they gave out keys to their servers to anyone the servers probably would have been compromised a long time ago. I hope that the affected sites can pull them selfs together and get back up and running as normal. It seems that Ubuntu did not have complete down time, but the Gentoo site is still down and there is no indication of when it will be back up.