---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/current/issue/
Debian Weekly News - September 12th, 2000
---------------------------------------------------------------------------
Welcome to Debian Weekly News, a newsletter for the Debian community.

KDE packages are pouring into Debian. All of KDE's core is already
present in unstable, and more packages are sure to follow. This
unexpected turn of events is due to a change in the license of Qt 2.2:
Troll Tech released it dual-licensed [1]under the GPL, so the KDE
licensing issue is finally resolved. For an excellent summary of the
Debian/KDE issue and recent events, look no further than [2]this
article in LinuxPlanet.

Besides the good news about Qt, several other important licensing
issues have recently surfaced. Python 1.6 was released under a
license that may have [3]compatibility problems with the GPL. Gregor
Hoffleit, our Python maintainer, is taking a [4]cautious approach to
this possible problem -- there is still hope that the new license will
be fixed to be GPL compatible. Meanwhile, the RSA algorithm was
released into the [5]public domain. This should allow some software,
such as gpg-rsa and pgp-i, to [6]move from non-free into Debian main,
although it may remain in non-us for now since it involves
encryption.

[7]Plans are being laid for a point release of potato: Debian 2.2r1.
It will include security fixes, boot-floppy bug fixes, other important
bug fixes, updated release notes, and perhaps a few additional
packages, like console-apt, that didn't make 2.2r0.

The most notable technical thread on the lists this week concerned
changing the manner in which packages start and restart daemons when
they are installed. The current behavior -- always start a package's
daemon when it is installed -- isn't what one would expect if the
system is running in single-user mode, and it is rather inflexible
for other needs, such as installing into a chroot. Henrique M.
Holschuh [8]proposed a new method of determining, at package install
time, whether a daemon should be started, which addresses these
issues. However, it would require additional code to be placed in
every package that uses it, and it still has some unresolved technical
details.
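The decision discussed above, as an added example that is not code from
DWN, from Debian's maintainer scripts, or from Holschuh's proposal: a
hypothetical postinst-style check that refuses to start a package's
daemon in single-user mode, inside a chroot, or when the administrator
has vetoed automatic starts. Everything it assumes is hypothetical: a
policy file /etc/hypothetical-daemon-policy containing the word "deny",
runlevel(8) for the current runlevel, and chroot detection by comparing
this process's root directory with PID 1's.

```shell
#!/bin/sh
# Added example (not from DWN, Debian or Holschuh's proposal): a
# hypothetical check deciding whether a freshly installed package should
# start its daemon. Assumptions, all hypothetical: the admin policy lives
# in /etc/hypothetical-daemon-policy ("deny" suppresses automatic starts),
# runlevel(8) reports the runlevel, and a chroot is recognised by PID 1's
# root directory differing from ours.

POLICY_FILE="${POLICY_FILE:-/etc/hypothetical-daemon-policy}"

# should_start_daemon RUNLEVEL IN_CHROOT POLICY
#   RUNLEVEL   as printed by runlevel(8): S, 1-5, or "unknown"
#   IN_CHROOT  "yes" if the package is being installed into a chroot
#   POLICY     "allow" or "deny" (administrator override)
# Returns 0 (start) or 1 (do not start); pure so it can be tested alone.
should_start_daemon() {
    runlevel="$1"; in_chroot="$2"; policy="$3"
    # An explicit administrator veto wins over everything else.
    [ "$policy" = deny ] && return 1
    # Never start services from inside a chroot that is being populated.
    [ "$in_chroot" = yes ] && return 1
    case "$runlevel" in
        S|s|1)   return 1 ;;   # single-user mode: leave daemons alone
        2|3|4|5) return 0 ;;   # multi-user: start as usual
        *)       return 1 ;;   # unknown (no init, container): be conservative
    esac
}

# current_runlevel: second field of runlevel(8) output, or "unknown".
current_runlevel() {
    if rl=$(runlevel 2>/dev/null) && [ -n "$rl" ]; then
        echo "${rl#* }"
    else
        echo unknown
    fi
}

# detect_chroot: "yes" when PID 1's root is not our root directory.
detect_chroot() {
    pid1_root=$(stat -c %d:%i /proc/1/root 2>/dev/null || true)
    our_root=$(stat -c %d:%i / 2>/dev/null || true)
    if [ -n "$pid1_root" ] && [ -n "$our_root" ] && [ "$pid1_root" != "$our_root" ]; then
        echo yes
    else
        echo no
    fi
}

# read_policy: "deny" if the hypothetical policy file says so, else "allow".
read_policy() {
    if [ -r "$POLICY_FILE" ] && grep -qx deny "$POLICY_FILE"; then
        echo deny
    else
        echo allow
    fi
}

# Evaluate the three inputs for this host and print the verdict a postinst
# would act on.
main() {
    rl=$(current_runlevel); chroot=$(detect_chroot); pol=$(read_policy)
    if should_start_daemon "$rl" "$chroot" "$pol"; then
        echo "runlevel=$rl chroot=$chroot policy=$pol -> start daemon"
    else
        echo "runlevel=$rl chroot=$chroot policy=$pol -> do not start daemon"
    fi
}
main
```

The decision itself is kept in a side-effect-free function so that each
rule (veto, chroot, runlevel) can be checked separately; on a host with no
init system runlevel(8) reports "unknown" and the conservative branch
declines to start anything.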

A slew of security fixes has appeared in the past two weeks. In
approximate order of importance, they include:
  * A [9]remote shell exploit for horde and imp.
  * A [10]remote root exploit in libpam-smb.
  * Two [11]local root vulnerabilities in glibc.
  * A [12]privilege elevation exploit for screen.
  * A [13]remote shell exploit in muh.
  * Two [14]vulnerabilities in xpdf.
  * A [15]fork bomb attack involving tmpreaper.

---------------------------------------------------------------------------
References
  1. http://www.linuxplanet.com/linuxplanet/reports/2269/1/
  2. http://www.linuxplanet.com/linuxplanet/opinions/2281/1/
  3. http://lists.debian.org/debian-legal-0009/msg00029.html
  4. http://lists.debian.org/debian-devel-0009/msg00649.html
  5. http://www.rsasecurity.com/news/pr/000906-1.html
  6. http://lists.debian.org/debian-devel-0009/msg00450.html
  7. http://www.debian.org/News/weekly/current/issue/mail#1
  8. http://lists.debian.org/debian-devel-0009/msg00666.html
  9. http://www.debian.org/security/2000/20000910
  10. http://www.debian.org/security/2000/20000911
  11. http://www.debian.org/security/2000/20000902
  12. http://www.debian.org/security/2000/20000902a
  13. http://lists.debian.org/debian-devel-changes-0009/msg00901.html
  14. http://www.debian.org/security/2000/20000910a
  15. http://bugs.debian.org/71249

-- 
see shy jo