Debian Weekly News - email

Date:	Mon, 7 Jun 1999 00:28:15 -0700
Reply-To: security@debian.org
From:	debian-security-announce@LISTS.DEBIAN.ORG
Subject:      [SECURITY] New version of ipopd prevents exploit
To:	BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

We have received reports that the version of the imap suite
in Debian GNU/Linux 2.1 has a vulnerability in its POP-2 daemon,
which can be found in the ipopd package. Using this vulnerability
it is possible for remote users to get a shell as user "nobody"
on the server.

We recommend you upgrade your ipopd package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.1 alias slink
- --------------------------------

  This version of Debian was released only for Intel, the Motorola
  680x0, the alpha and the Sun sparc architecture.

  Source archives:
    http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz
      MD5 checksum: 606f893869069eee68f4c1e31392af29
    http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc
      MD5 checksum: 93ed80a3619586ff9f3246003aca2448
    http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz
      MD5 checksum: 59afe4be5fcd17c20d241633a4a3d0ac

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb
      MD5 checksum: 2de5363a3ea9f27c1aa064c3102567cc
    http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb
      MD5 checksum: 87638b6ad06094f30ff6d2dddfd10b8b
    http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb
      MD5 checksum: aa6621e2f7e2df751489c397e9e169a8

  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb
      MD5 checksum: fd92656c7281a4d8322b6da1285475cd
    http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb
      MD5 checksum: c92eaece7e431c84708909362afad07d
    http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb
      MD5 checksum: 29685847b0eef8307383a428b1d02be2

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb
      MD5 checksum: eeab449299e9f2d3fc97db69110b4432
    http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb
      MD5 checksum: 4bd0fbaa392b6013f6caa33b04578764
    http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb
      MD5 checksum: d43f502971afc531923903f3ac7b5b3f

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb
      MD5 checksum: 6732ae9495ee29590ed85cc482fbda97
    http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb
      MD5 checksum: d0ee05b972d5d1bc1d066e2bae4d8c8b
    http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb
      MD5 checksum: 89c3931092537d0eb23fb50fa57f1bb0


  These files will be copied into
  http://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

Please note you can also use apt to always get the latest security
updates. To do so add the following line to /etc/apt/sources.list:

  deb http://security.debian.org/ stable updates


- --
Debian GNU/Linux      .    Security Managers     .   security@debian.org
              debian-security-announce@lists.debian.org
  Christian Hudon     .     Wichert Akkerman     .     Martin Schulze
<chrish@debian.org>   .   <wakkerma@debian.org>  .  <joey@debian.org>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBN1sKgajZR/ntlUftAQGqlgL/d+dzjkxSf0bVDuFmWmeMgH9UxhpJXAwV
0EAtFEY7oRyNpiRLHojnJ48sPviIetVsojHsz9w4uh787skIUJYdFTJN+/O+kxLq
TeF2k+ESbtLJav5QCnVrR7CfiIhYMLgx
=Z3ew
-----END PGP SIGNATURE-----
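
The fetch-and-install procedure in the advisory above, extended with the comparison its "MD5 checksum" lines make possible, as an added example that is not part of the original message. The function names are hypothetical, and it assumes the advisory text has been saved to a file and that awk and md5sum are available.

```shell
#!/bin/sh
# Added example: check a downloaded .deb against the MD5 listed in an advisory
# laid out like the one above (a URL line followed by an "MD5 checksum:" line).

# Print "md5  basename" for every URL/checksum pair in advisory text on stdin.
advisory_sums() {
    awk '
        $1 ~ /^(http|https|ftp):\/\// { n = split($1, p, "/"); file = p[n]; next }
        /MD5 checksum:/ && file != "" { print $NF "  " file; file = "" }
    '
}

# verify_pkg ADVISORY FILE: succeed only if FILE's MD5 matches the advisory
# entry for its basename. Files the advisory does not list are rejected (2).
verify_pkg() {
    advisory=$1; pkg=$2
    want=$(advisory_sums < "$advisory" |
        awk -v f="$(basename "$pkg")" '$2 == f { print $1; exit }')
    [ -n "$want" ] || { echo "not listed in advisory: $pkg" >&2; return 2; }
    have=$(md5sum < "$pkg" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "MD5 mismatch: $pkg" >&2; return 1; }
    echo "OK: $pkg"
}

# Constructed demo (not real advisory data): a throwaway file and an advisory
# entry generated from it, on a placeholder host name.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed package bytes\n' > "$d/demo_1.0_i386.deb"
    printf '    http://mirror.invalid/binary-i386/demo_1.0_i386.deb\n      MD5 checksum: %s\n' \
        "$(md5sum < "$d/demo_1.0_i386.deb" | awk '{ print $1 }')" > "$d/advisory.txt"
    verify_pkg "$d/advisory.txt" "$d/demo_1.0_i386.deb"; rc=$?
    rm -rf "$d"; return $rc
}

# Intended use: wget URL && verify_pkg advisory.txt file.deb && dpkg -i file.deb
```

The listed checksums are only as trustworthy as the advisory text itself, so verify the PGP signature on the message before relying on them.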

To: spi-announce@lists.spi-inc.org
cc: debian-announce@lists.debian.org
Subject: Non-Profit status approved for SPI
From: "Nils Lohner" <lohner@spi-inc.org>
Date: Wed, 02 Jun 1999 11:19:16 -0400


---------------------------------------------------------------------------
Software in the Public Interest, Inc.               http://www.spi-inc.org/
Non-Profit status approved for SPI
June 2, 1999
---------------------------------------------------------------------------

>> News

  The Internal Revenue Service of the US has just determined that under
section 501 (a) of the Internal Revenue Code SPI qualifies for 501 (c) (3)
(non-profit organization) status under section 509 (a) (1) and 170 (b) (1)
(A) (vi).  This means that all deductions made to SPI and its supported
projects are tax deductible for the donor.

Further information on this status will be available on the SPI web pages
shortly, and can also be found on the IRS web pages at <http://www.irs.gov>.
More information about exempt organizations can be found at
<http://www.irs.ustreas.gov/prod/bus_info/eo/index.html>.


>> About SPI

SPI is a non-profit organization which was founded to help organizations
develop and distribute open hardware and software.  We encourage programmers
to use the GNU General Public License or other licenses that allow free
redistribution and use of software, and hardware developers to distribute
documentation that will allow device drivers to be written for their product.

Open Source is a Registered Certification Mark of SPI.
Debian is a registered Trademark of SPI.


>> Contact Information

For further information, please send email to press@spi-inc.org or visit the
Software in the Public Interest, Inc. homepage at <http://www.spi-inc.org/>.


--
Nils Lohner                         Software in the Public Interest, Inc.
E-Mail: lohner@spi-inc.org          PO Box 1326
Press Contact <press@spi-inc.org>   Boston, Ma. 02117 USA

Date: Mon, 7 Jun 1999 13:36:55 -0700
From: Joey Hess <dwn@debian.org>
To: debian-user@lists.debian.org, debian-devel@lists.debian.org
Subject: FWD: [svlug] Linus Torvalds at BALUG Debian Benefit on 6/15, RSVP ASAP.

----- Forwarded message from "Arthur F. Tyde III - Administrator" <aftyde@linuxcare.com> -----

Date: Mon, 07 Jun 1999 12:17:45 -0700
From: "Arthur F. Tyde III - Administrator" <aftyde@linuxcare.com>
Organization: Linuxcare Inc.
X-Mailer: Mozilla 4.51 [en] (X11; I; Linux 2.3.4 i586)
To: svlug <svlug@svlug.org>
Subject: [svlug] Linus Torvalds at BALUG Debian Benefit on 6/15, RSVP ASAP.

Linus Torvalds to Headline Benefit Dinner for Debian Project

Linuxcare, VA Linux Systems to Sponsor Event at Upcoming BALUG
Meeting

June 7, 1999 -- Linus Torvalds, creator of the Linux operating
system, will headline a benefit dinner for the Debian Project,
developers of the Debian GNU/Linux distribution, on Tuesday, June
15, at the monthly meeting of the Bay Area Linux Users
Group (BALUG).

The dinner will be held at the Four Seas Restaurant in San
Francisco's Chinatown district; reservation and other information
can be found at http://www.balug.org/. Because seating is
limited, guests are urged to register early using the BALUG
Web site. Contributions to the benefit, which also covers the
cost of the meal exclusive of beverages, are $10 per person.

The Debian Project is an international group of Open Source
software developers who collectively produce Debian GNU/Linux,
one of the major distributions of the Linux operating system.
Unlike other Linux distributors, such as Red Hat Software, the
Debian Project is wholly non-profit.

"The Debian Project perfectly exemplifies the spirit of Open
Source development," Torvalds said. "Debian's non-commercial
Linux distribution shows again that Internet-enabled, cooperative
software development can produce software of the very highest
quality."

Two Linux industry leaders--Linuxcare, Inc., and VA Linux
Systems--are co-sponsoring the Debian benefit in coordination
with BALUG. The two companies will underwrite a $10 contribution
to the Debian Project for every person who attends the June 15
dinner; at least several hundred persons are anticipated to be on
hand. The Debian Project (http://www.debian.org) operates under
the auspices of Software in the Public Interest, Inc. (SPI), a
non-profit, 501(c) corporation. SPI can be found on the Web at
http://www.spi-inc.org/.

About BALUG

The Bay Area Linux Users Group, founded in 1994, is one of the
oldest Linux Users Groups (LUGs) in the United States. BALUG
pursues a vigorous agenda of Linux advocacy activities, including
regular Installfests and special educational seminars and other
events. Most recently, BALUG sponsored a special presentation on
the Samba Open Source software suite by key developers Andrew
Tridgell and Jeremy Allison, and helped support the successful
Windows Refund Day activities in February 1999. The BALUG
membership meets every third Tuesday of the month at the Four
Seas Restaurant in San Francisco. Visit http://www.balug.org/ for
more information.

About Linuxcare, Inc.

Linuxcare, Inc. is the first company to provide a complete
solution for Linux technical support, consulting, education and
product certification for Global 1000 companies. Linuxcare
supports all major distributions of Linux on all major platforms,
offering a variety of programs including 24x7 enterprise-class
telephone support. With funding from Kleiner Perkins and others,
Linuxcare counts Dell Computer among its strategic partners. The
company also hosts www.linuxcare.com, the world's largest
technical-support resource for Linux. Founded in 1998, Linuxcare
is headquartered in San Francisco, Calif. The company can be
reached at 888-LIN-GURU (888-546-4878) and at www.linuxcare.com.

About VA Linux Systems

VA Linux Systems is a leading provider of Linux-based hardware,
software, service and support solutions. The first Linux systems
company in the world, VA is a pioneer in providing high
performance workstations and servers to enterprises and is at the
forefront of the Open Source revolution. VA also has the rights
to the premier Linux portal, Linux.com. Based in Mountain View,
Calif., the privately held company has been profitable since its
formation in 1993 and has gained a reputation for innovation and
responsiveness that is making it a leader in full service Linux
solutions. For more information, contact VA at 888-LINUX-4U or
www.varesearch.com.

--
echo "unsubscribe svlug" | mail majordomo@svlug.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to unsubscribe
see http://www.svlug.org/mdstuff/lists.shtml for posting guidelines.

----- End forwarded message -----

--
see shy jo

(Reposted with permission.)
Date: Tue, 8 Jun 1999 01:32:00 +0100 (BST)
From: Steve McIntyre <stevem@chiark.greenend.org.uk>
To: debian-private@lists.debian.org
Subject: Usenix: Debian BoF

As nobody else appeared to have done anything about it when I looked
earlier this afternoon, I've organised one. Thursday evening, 7 till 8.
Bonzai 1, Doubletree.

Hope to see people there...

If you want to contact me this week, please mail me directly as I don't
have the bandwidth to read lists here.

Steve McIntyre, CURS CCE, Cambridge, UK
stevem@chiark.greenend.org.uk
http://www.chiark.greenend.org.uk/~stevem/

This issue of Debian Weekly News was edited by Joey Hess.