s l a m

Monday, March 3, 2003

Received another security notice from RedHat this afternoon:

During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root.

We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild.
Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly.
In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A sucessful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file.

Wow, that's one of the best looking security holes I've heard of in quite a while :-) Update time...

1:13:00 PM - See Also: Security

In Brief

Karen Kwiatkowski: I witnessed neoconservative agenda bearers within OSP usurp measured and carefully considered assessments, and through suppression and distortion of intelligence analysis promulgate what were in fact falsehoods to both Congress and the executive office of the president.

Fascinating eye-witness piece published by Salon.com.

3/11/04 - 9:40 am GMT - [guid]

Dave Winer: I'd like to make a constructive offer to the people who are working on Atom.

And before stating the offer, let me say that I am open to counter-offers.

3/9/04 - 10:55 am GMT - [guid]

Albert Delgado: I think Userland has the more important job of updating its products, from the kernel on out.

Atom support is secondary at this time.

3/8/04 - 11:38 am GMT - [guid]

Philip Miseldine: So, what I'm thinking is, why not provide a stylesheet (XSLT or something else, perhaps) that tells the aggregator how to consume your feed to produce descriptions.

3/8/04 - 11:35 am GMT - [guid]

Davenet: A Bright Future for Syndication.

Editor's note: check the publication date, and the file name in the url :-).

3/6/04 - 11:57 am GMT - [guid]

Amit Singh: Mac OS X is perhaps one of the best examples of how a capable system can result through the direct or indirect efforts of corporations, academic and research communities, the Open Source and Free Software movements, and even individuals.

3/6/04 - 11:10 am GMT - [guid]

how this works

activeRenderer News

Release delayed

I've run into unexpected problems when readying the next 2.1.1 minor update of activeRenderer: I'm overhauling the installation / uninstallation process to go along with the newly implemented outlining styles for weblog categories, and it's an even worse nightmare than I thought it would be :-)

I should have finished the testing by Friday though, Murphy willing...

3/17/04 - 6:13 pm GMT - [guid]

Gallery: Gerald Gleason

[image] [image] This week's featured publisher, Gerald Gleason, doesn't use Radio Userland to publish his weblog. He doesn't use Movable Type either. Yet, look at the navigation lighthouse that forms the left side of the page: you'll recognize a familiar outline structure, with a nautical twist :-)

[image] Gerald has put activeRenderer's javascript code to work, and produced wonderful looking 'nautical' replacements for the 'standard' outline wedges.

[image] With his authorisation, I'll soon include those picts as part of a 'nautical' style for outline wedges. Alternate sets of wedges with specific styles are scheduled to show up in the next 2.2 version of activeRenderer.

3/15/04 - 12:37 pm GMT - [guid]

Mailing Lists

There are currently 3 mailing lists / Yahoo groups devoted to the activeRenderer Radio tool, quite a lot really :-)

ar-announce is a slow traffic, read only list where I announce all updates to activeRenderer. All release messages include a description of new features, enumeration of fixed bugs, and a list of updated parts. Click here to subscribe or unsubscribe.
ar-support is a moderately active discussion forum to discuss all installation issues, report potential bugs, request new features and so on. Scan its archive when trying to solve a problem, there's a good chance it was already reported, and maybe even solved :-). Click here to subscribe or unsubscribe.
ar-devel is a moderated list for developers interested in contributing code to the tool, or porting its features to other environments via the activeRenderer API.. Click here to subscribe or unsubscribe.

I check all mailing lists on a daily basis, even when not working on the activeRenderer project: they are my main channel of feedback information, together with the feedback link in included in all pages of the activeRenderer site.

March 2003
Sun	Mon	Tue	Wed	Thu	Fri	Sat
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31
Feb Jul