News: HTML5 now an official standard

The HTML5 working group at the W3C has now elevated HTML5 to a "Recommendation", which makes the new generation of the markup language officially standardised.

Article source: http://www.pro-linux.de/news/1/21676/html5-jetzt-offizieller-standard.html

Security: Arbitrary command execution in wpa_supplicant (Mandriva)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:211
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : wpa_supplicant
Date : October 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated wpa_supplicant packages fix security vulnerability:

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).

Using the wpa_supplicant package, systems are exposed to the
vulnerability if operating as a WPS registrar.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://advisories.mageia.org/MGASA-2014-0429.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
ced7370f763cfcd719993bbff7c26b39 mbs1/x86_64/wpa_supplicant-1.0-3.1.mbs1.x86_64.rpm
14843754579e3f57c239725935cb62cb mbs1/SRPMS/wpa_supplicant-1.0-3.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUUI93mqjQ0CJFipgRAlnvAKD14RPvyI2U95/dswWEBog98B+tDgCgv314
qSApshV8g+vY6lXWVNWXX30=
=mRqF
-----END PGP SIGNATURE-----



To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________



Article source: http://www.pro-linux.de/sicherheit/2/27723/ausfuehren-beliebiger-kommandos-in-wpa_supplicant.html

Security: Arbitrary command execution in wpa_supplicant (Fedora)


Article source: http://www.pro-linux.de/sicherheit/2/27730/ausfuehren-beliebiger-kommandos-in-wpa_supplicant.html
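Both wpa_supplicant advisories above (Mandriva MDVSA-2014:211 and the Fedora notice for the same CVE-2014-3686) concern one defect: an event string received from a remote device is concatenated into a command line and handed to system(), so the shell parses attacker-controlled text as commands. The following is an added example, not code from wpa_supplicant or from either distribution. It recreates the pattern in Python, where `["/bin/sh", "-c", cmd]` is exactly what C's system() does, and puts it next to the argv-based invocation that removes the shell from the path. The action script, the interface name wlan0 and the event text are constructed for this demonstration; the real event format is not taken from the advisory.

```python
"""system()-style action-script invocation versus an argv exec.

Added example, not wpa_supplicant code. Recreates the bug class behind
CVE-2014-3686: text that arrived from a remote device is spliced into a
command line that the shell then parses. The action script, the interface
name and the event text are constructed for this demonstration.
"""
import os
import subprocess
import tempfile
from typing import Dict, List

# Constructed stand-in for a wpa_cli action script: prints the argument
# count, then each argument on its own line, so we can see what reached it.
ACTION_SCRIPT_SRC = "#!/bin/sh\nprintf '%s\\n' \"$#\" \"$@\"\n"


def write_action_script(directory: str) -> str:
    path = os.path.join(directory, "wpa_action.sh")
    with open(path, "w") as fh:
        fh.write(ACTION_SCRIPT_SRC)
    os.chmod(path, 0o755)
    return path


def system_style_argv(script: str, ifname: str, event: str) -> List[str]:
    """The vulnerable pattern: concatenate, then let /bin/sh -c parse the
    result. This is what C's system() does with the string it is given."""
    return ["/bin/sh", "-c", f"{script} {ifname} {event}"]


def exec_style_argv(script: str, ifname: str, event: str) -> List[str]:
    """The fix: every value is exactly one argv entry. No shell is involved,
    so ';', '$(...)', quotes and so on in the event text stay plain bytes."""
    return [script, ifname, event]


def run_action(argv: List[str]) -> List[str]:
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def demo() -> Dict[str, List[str]]:
    # Constructed event text as a hostile peer could supply it: the device
    # name field ends the command and starts a second one.
    event = "WPS-ER-AP-ADD 00:11:22:33:44:55 name=evil; echo INJECTED"
    with tempfile.TemporaryDirectory() as tmp:
        script = write_action_script(tmp)
        unsafe = run_action(system_style_argv(script, "wlan0", event))
        safe = run_action(exec_style_argv(script, "wlan0", event))
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for mode, lines in demo().items():
        print(f"{mode}: {lines}")
```

In the system()-style run the script receives four arguments and the shell then executes `echo INJECTED` as a separate command; in the argv run the script receives exactly two arguments and the whole event text, semicolon included, arrives as its second one. The check that matters in a code review is therefore not "is the string sanitised" but "does any remote-controlled byte ever reach a shell".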

Security: Overwriting of files in wget (Mandriva)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:212
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : wget
Date : October 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves
the pointed-to file in such a retrieval. The old behaviour can be
attained by passing the --retr-symlinks=no option to the wget command.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
http://advisories.mageia.org/MGASA-2014-0431.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
1bc1ac95b16cd6b4609d723e34d46d2c mbs1/x86_64/wget-1.13.4-3.2.mbs1.x86_64.rpm
252f30b8b9a529590010bf1c4a4e1ff1 mbs1/SRPMS/wget-1.13.4-3.2.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUUJLJmqjQ0CJFipgRArX9AJ9jL8QrbsDa7YYajWu4QHYexb6yAACeLLwt
tjs1GgRdqYqHaAocX8cyEVk=
=BQDh
-----END PGP SIGNATURE-----



Article source: http://www.pro-linux.de/sicherheit/2/27724/ueberschreiben-von-dateien-in-wget.html

Security: Multiple problems in DokuWiki (Debian)


Article source: http://www.pro-linux.de/sicherheit/2/27732/mehrere-probleme-in-dokuwiki.html

Security: Overwriting of files in wget (Slackware)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] wget (SSA:2014-302-01)

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/wget-1.14-i486-3_slack14.1.txz: Rebuilt.
This update fixes a symlink vulnerability that could allow an attacker
to write outside of the expected directory.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
wget-1.11.4-i486-2_slack13.0.txz

Updated package for Slackware x86_64 13.0:
wget-1.11.4-x86_64-2_slack13.0.txz

Updated package for Slackware 13.1:
wget-1.12-i486-2_slack13.1.txz

Updated package for Slackware x86_64 13.1:
wget-1.12-x86_64-2_slack13.1.txz

Updated package for Slackware 13.37:
wget-1.12-i486-2_slack13.37.txz

Updated package for Slackware x86_64 13.37:
wget-1.12-x86_64-2_slack13.37.txz

Updated package for Slackware 14.0:
wget-1.14-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
wget-1.14-x86_64-2_slack14.0.txz

Updated package for Slackware 14.1:
wget-1.14-i486-3_slack14.1.txz

Updated package for Slackware x86_64 14.1:
wget-1.14-x86_64-3_slack14.1.txz

Updated package for Slackware -current:
wget-1.16-i486-1.txz

Updated package for Slackware x86_64 -current:
wget-1.16-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.0 package:
b7a81d5572aee18d5c869bbd9f59893d wget-1.11.4-i486-2_slack13.0.txz

Slackware x86_64 13.0 package:
102437fb8609a463691711e252af4ff8 wget-1.11.4-x86_64-2_slack13.0.txz

Slackware 13.1 package:
e4d34ed701fc66d12322038d895cb3d3 wget-1.12-i486-2_slack13.1.txz

Slackware x86_64 13.1 package:
cf85b424baff5aecbf8681bb557e6e12 wget-1.12-x86_64-2_slack13.1.txz

Slackware 13.37 package:
a9c99de9c8e7c30b9327e5c8a3d04228 wget-1.12-i486-2_slack13.37.txz

Slackware x86_64 13.37 package:
3b2c2cbe1d8f646580f78460b0c2df2a wget-1.12-x86_64-2_slack13.37.txz

Slackware 14.0 package:
922b995ba10798ee698d07782e1aadda wget-1.14-i486-2_slack14.0.txz

Slackware x86_64 14.0 package:
1fdeebdd813a14848e45a7c3b717bd90 wget-1.14-x86_64-2_slack14.0.txz

Slackware 14.1 package:
b9bb85eb35501cc88c44160116a3c90b wget-1.14-i486-3_slack14.1.txz

Slackware x86_64 14.1 package:
5c1246ee37bfcc9d8055105152fb8827 wget-1.14-x86_64-3_slack14.1.txz

Slackware -current package:
7a653e3e70efccf0951572c48debf409 n/wget-1.16-i486-1.txz

Slackware x86_64 -current package:
1c165656309faf28127690637e85d954 n/wget-1.16-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg wget-1.14-i486-3_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRRMHcACgkQakRjwEAQIjOpLQCdE3/IFS9eXVNMN638yl0YOdXK
G94An1bbDWpVwGwpsY+wT9KB6LWOjiqc
=RRkU
-----END PGP SIGNATURE-----

Article source: http://www.pro-linux.de/sicherheit/2/27733/ueberschreiben-von-dateien-in-wget.html
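The two wget advisories above (Mandriva MDVSA-2014:212 and Slackware SSA:2014-302-01) describe the same flaw, CVE-2014-4877: during a recursive FTP retrieval wget recreated server-supplied symbolic links locally, and a later entry in the same tree could then be written through that link to a location outside the download directory. The following is an added example, not code from wget or from either distribution. It replays a constructed listing into a scratch directory twice, once recreating the link as the old default did and once not creating it, which is what the post-fix --retr-symlinks default amounts to for this case, and adds the lexical pre-check a client could run before creating any server-supplied link. The listing, the "outside" directory standing in for a victim location, and the file names are all constructed.

```python
"""Server-supplied symlinks in a recursive FTP retrieval (CVE-2014-4877).

Added example, not wget code. A constructed listing is replayed into a
scratch download directory with and without recreating symbolic links
locally; a second, purely lexical check shows how a link target can be
rejected before it is ever created.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed listing as a hostile FTP server might present it:
# (path relative to the download root, kind, payload)
#   kind "l": symbolic link, payload is the target exactly as the server states it
#   kind "f": regular file,  payload is the file content
# "conf" points one level above the download root; "conf/cron.txt" is then
# written *through* that link by a client that trusts the server's tree.
LISTING: List[Tuple[str, str, str]] = [
    ("conf", "l", "../outside"),
    ("conf/cron.txt", "f", "* * * * * root /tmp/payload\n"),
    ("readme.txt", "f", "harmless\n"),
]


def link_target_escapes(rel_link: str, target: str) -> bool:
    """Lexical pre-check: resolve `target` relative to the link's own
    directory and report whether it climbs above the download root.
    Absolute targets are rejected outright."""
    if os.path.isabs(target):
        return True
    joined = os.path.normpath(os.path.join(os.path.dirname(rel_link), target))
    return joined == ".." or joined.startswith("../")


def escapes_root(root: str, rel: str) -> bool:
    """On-disk check after the fact: realpath follows any symlink already
    created under `root`, so this reports where a write really landed."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root, rel))
    return os.path.commonpath([real_root, real]) != real_root


def retrieve(root: str, listing: List[Tuple[str, str, str]],
             create_symlinks: bool) -> List[str]:
    """Replay `listing` into `root`. Returns the relative paths of files
    whose bytes ended up outside `root`."""
    escaped: List[str] = []
    for rel, kind, payload in listing:
        dest = os.path.join(root, rel)
        if kind == "l":
            if create_symlinks:
                os.symlink(payload, dest)  # pre-fix default: trust the server
            # post-fix default: no local link is created. A link to a file
            # would be fetched as a plain file instead; this replay has no
            # such entry, so nothing further is needed here.
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w") as fh:
            fh.write(payload)
        if escapes_root(root, rel):
            escaped.append(rel)
    return escaped


def demo() -> Dict[str, Dict[str, object]]:
    results: Dict[str, Dict[str, object]] = {}
    for mode, create in (("pre_fix", True), ("post_fix", False)):
        with tempfile.TemporaryDirectory() as tmp:
            victim = os.path.join(tmp, "outside")  # stands in for, e.g., a home directory
            root = os.path.join(tmp, "download")
            os.mkdir(victim)
            os.mkdir(root)
            escaped = retrieve(root, LISTING, create_symlinks=create)
            results[mode] = {
                "escaped": escaped,
                "victim_written": os.path.exists(os.path.join(victim, "cron.txt")),
            }
    return results


if __name__ == "__main__":
    for mode, info in demo().items():
        print(mode, info)
```

With the pre-fix behaviour the file `conf/cron.txt` is created in the sibling directory `outside`, one level above the download root; with the post-fix behaviour `conf` becomes an ordinary directory and everything stays inside the root. The lexical pre-check is the cheaper defence for any client that still wants to recreate links: it rejects absolute targets and anything that normalises to a path beginning with `..` before the link exists on disk.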

News: Highly critical Drupal vulnerability has lingering consequences

On 15 October the security team of the Drupal content management system closed a severe vulnerability in the core component Drupal Core. A warning has now been issued that installations updated too late must be regarded as compromised.

Article source: http://www.pro-linux.de/news/1/21677/hochkritische-luecke-in-drupal-verursacht-nachwehen.html

News: Linux server Zentyal 4.0 released


The Spanish company Zentyal has released version 4.0 of its Linux enterprise server. The focus of the new version is a native implementation of the MS Exchange protocol and interoperability with MS Active Directory.

[Image: Zentyal user management]

The Linux distribution from Zentyal, a company based in Zaragoza, Spain, aims at a seamless replacement of MS Windows servers. It is intended above all for smaller companies that run a Microsoft environment and want to upgrade a server that may no longer be supported. Zentyal therefore ships everything needed for this migration: Samba with its Active Directory implementation, file and print services, a graphical configuration interface, a web server, a web proxy with the ability to block pages, e-mail and groupware, gateway, firewall and traffic shaping, network services such as DHCP and DNS, FTP, certificate management, VPN and more.

Recent Zentyal versions were released on a quarterly cycle, which since version 3.3 has also been the official release policy. The new version 4.0 is an exception and arrives almost a month later than expected.

Like its predecessor, Zentyal 4.0 is based on Ubuntu 14.04 LTS. The new version can be used as a primary MS Exchange server and offers better support for the competitor's proprietary formats and protocols, including PST, RPC over HTTP (required by MS Outlook Anywhere), Autodiscover, multiple virtual mail domains, MS Outlook 2007 to 2013, shared calendars and contacts, multilingual mailboxes and out-of-office notifications.

The L2TP module was restructured and improved. A free backup of the configuration to the cloud is now possible directly from the server's administration interface. Zentyal also says it has improved its quality assurance and tooling and can react to problems more quickly.

To concentrate on better compatibility with Microsoft servers, several modules were also removed: intrusion prevention (IPS), UPS management, backup, monitor, RADIUS, web server, Roundcube webmail (replaced by SOGo webmail) and IPsec (replaced by a new module that only supports L2TP). The free Zentyal account was dropped as well. Details can be found in the release notes.

The company intends to provide an automatic upgrade from Zentyal 3.5 to the new version shortly. The process is to be tested first so that a safe update is possible. Zentyal 4.0 is released both as a community edition and as a commercial edition, which can replace the current commercial version 3.2.

Zentyal Server is based on Ubuntu and is offered in three variants. The community edition without support, licensed under the GPL, is freely available. It is released quarterly in a new version that is always based on the current Ubuntu Server release, even when that is not a long-term support (LTS) release. The commercial editions, by contrast, are based on the latest LTS release and therefore only appear every two years. They are also tied to a support subscription. The choice is between a version with next-business-day response to problems and a version with a four-hour response time for business-critical servers. Zentyal Server is available through resellers in more than 20 countries.

Article source: http://www.pro-linux.de/news/1/21678/linux-server-zentyal-40-freigegeben.html

Spooky Linux Urban Legends

[Image: zombie arm, Flickr, Creative Commons]

Outside the window, I see nothing but night — no movement, no light — as if the universe simply ceased to exist outside these thin walls. The sound, though… the sound was there to remind me of the world that I could not see. The howl of the wind through the forest, the trees around our little cabin scratching and clawing at the rooftop.

“Daddy?”, a soft voice whispered from behind me.

“Hey, kiddo. What are you doing out of bed? Did you have that bad dream again?”

I picked up my son and held him tightly in my arms. “Uh-huh,” he uttered, rubbing his eyes. “The bad man told me that Linux has a higher Total Cost of Ownership when compared to proprietary software offerings.”

We’ve all been there, little guy. Don’t listen to the bad man.

To help you sleep better tonight, I’m going to list off some of the scariest things that mean old bad guys say about Linux… and show you why those guys are just being big, FUD-spreading booger-heads.

“Linux is Communism!”

This seems to be one of the favorite pastimes of a few previous executives at Microsoft — to try to fit the words “Linux” and “Communism” in the same sentence as often as possible. I assume there’s a scoreboard, somewhere in Redmond, keeping track.

There’s only one teensy, tiny flaw in comparing “Open Source” and “Linux” to “Communism”: It’s about as real as dressing a dog up as a spider. Sure, it’s big and scary and looks like a spider… but it’s still just a big, cuddly dog (that takes up most of the bed at night).

One of the cornerstones of Communism is the concept of “common ownership”. Which is, distilled to its simplest form, a way of saying “nobody owns anything — and everybody owns everything”. The obvious implication, when connecting this ideology with Linux and Open Source / Free Software is that, in the Open Source model of software development… nobody owns anything. Thus, clearly, destroying one’s ability to control, and generate revenue from, a piece of software.

Fortunately, this isn’t the case. Not at all. Here’s a few quick “fun facts” that immediately destroy any idea that there’s a link between Communism and Linux:

1) The license used by Linux (the GPL) allows software to be copyrighted. If someone writes a piece of software, they own the copyright to the code they wrote.

2) You can sell Linux if you want to — in fact many companies do. The only real requirement is that, if you do, you also need to make any changes to the source code of Linux available to your customers. Not to the whole world (if you don’t want to)… just to your customers.

3) Linux (and Free and Open Source software in general) is depended on, and monetized by, a large number of companies around the world. SUSE, Canonical, Red Hat, Samsung, HTC, Google, Amazon, Microsoft (that’s right, even Microsoft)… the list goes on and on and on.

The truth is remarkably clear. Linux is like lighter fluid on the fire of Capitalism.

Side Note: Part of the problem here is in the name: “Free Software”. Note that the “F” is capitalized and “Free” doesn’t actually mean “free” as in “I got some stuff that I didn’t have to pay for!”. I know. That’s a little confusing and has been a bit of a marketing and image problem for many years (blame this guy). Luckily that’s all it is… just a naming issue.

“Linux is a cancer!”

Microsoft’s CEO (at the time), Steve Ballmer, once said that “Linux is a cancer that attaches itself in an intellectual property sense to everything it touches”.

The basic assertion is that, if you use Open Source software, licensed under the GPL, then all of the software you work on (or your organization works on) must now also be licensed under the GPL. Man. That would be pretty insidious! If that were the case, the GPL would spread faster than the virus that causes the zombie apocalypse.

Luckily for us this simply isn’t the case. You can build closed source software that runs on Linux, including Linux Kernel drivers (closed-source kernel modules are common in practice, although the kernel marks itself as tainted when one is loaded and many kernel developers dispute that such modules comply with the GPL). No problems there for ordinary applications.

There’s a big list of Frequently Asked Questions on the GPL that covers all the nitty gritty. But, in a nutshell, the GPL is far less invasive, and far less of a problem, than the imminent zombie apocalypse.

“Linux has a higher TCO!”

TCO. Total Cost of Ownership. The idea that the true cost for something can only be determined when looking at all factors (including costs outside of purchasing/licensing said thing) over time. A simple, and obvious, notion.

Well, Microsoft has made a point, over the years, of claiming that Linux — despite, often, being free of cost to begin using — has a higher TCO than Windows. They’ve paid for studies that haven’t quite added up in order to support this claim as well.

And then there’s the following quote, from this rather infamous internal Microsoft email, that is rather damning:

“We MUST get a TOC study done… If the IDC report won’t cut it, then we get another one done.” – Microsoft VP, Jim Allchin.

Ah, that age-old strategy. If you don’t like any of the existing studies… pay for someone to write a new study that you will.

The long and short of it? Linux has a lower TCO. That’s true today just as it was true a decade ago.

Just ignore the big, mean man.

The truth is, Linux — and the ecosystem of Free and Open Source software around it — isn’t perfect. Heck, I regularly give Linux a hard time for its shortcomings, myself. But the reality is… it’s absolutely fantastic for both end users and companies building software/hardware solutions alike.

Even Microsoft, a company whose leadership made so many anti-Linux claims, has come around on Linux. Satya Nadella, Microsoft’s CEO, recently made the rather direct declaration that “Microsoft loves Linux” — and the company supports multiple Linux distributions on their Azure cloud platform. A company that was one of Linux’s harshest critics has now embraced the Open Source operating system as a key part of its business. If that’s not a ringing endorsement for Linux and Open Source… I don’t know what is.

And, perhaps most importantly, Linux is certainly not a Communist-spreading zombie-disease with a high total cost of ownership. So sleep tight, kiddo… we’ve banished the boogie-man.

Article source: http://www.linux.com/news/software/applications/793397-spooky-linux-urban-legends

Survey Indicates Four Out of Five Developers Now Use Open Source

Forrester Research’s survey shows that most developers, even ones who usually stick with Microsoft Visual Studio, are now using open source.

Article source: http://www.linux.com/news/software/applications/793514-survey-indicates-four-out-of-five-developers-now-use-open-source