
Bug Season continues: All the recently discovered security holes are making GNU/Linux look like a cheese. The pressure is on developers to close all open bugs and restore Open Source's reputation.

Suse and Trustix released updated, patched kernels yesterday, closing some rather embarrassing security problems. Numerous GNU projects still have open, high-risk security bugs.

  1. The kernel is the most important part of a Linux system
  2. LKML to the rescue
  3. The road ahead

1. The kernel is the most important part of a Linux system

Trustix Secure Linux released a new kernel fixing these issues yesterday:


Suse also released updated kernels yesterday, fixing the race condition in the kernel's 64-bit file offset handling code reported by iSEC last week. Their announcement also lists the recently discovered Mozilla / Firefox and gaim vulnerabilities as pending.


Suse does not mention the remotely exploitable GMplayer buffer overflow vulnerability reported by Gentoo on 20040801.

2. LKML to the rescue

As always, the kernel bugs were quickly reported to the Linux kernel mailing list. The Linux kernel mailing list is where Real Heroes do what may, in fact, be the most Important Work and Development done during our time. These individuals are impressively effective when it comes to fixing bugs. In irrelevant, but related news, Joerg Schilling, the mastermind behind cdrecord, has once again managed to upset most of the Linux kernel mailing list by refusing to use a mail client capable of sorting mail in threads.

3. The road ahead

There are still open security risks in Mozilla and Firefox; bugs 22183 and 154892 must be closed.

Security problems were also found in the Opera web browser last week. One is serious: An attacker can read the local file-system remotely. This affects versions up to 7.53; Opera users should upgrade to 7.54. Chances are high you are getting a very risky version (pre 7.52) if you are obtaining Opera from any kind of CD media.

Many distributions have yet to release updated mplayer packages.

Looking at the recent Gentoo Linux Security Advisories, it is hard not to think there may be many more security problems in Linux. It also shows these are found, and resolved, very quickly, yet a delay problem seems to be present: There is a big delay between the time when a bug is fixed and the time the safe version is actually part of all the major distributions. Gentoo is very quick to release new packages due to the nature of their package system, but RPM and APT make it a tad more difficult to pour out updated packages whenever a problem is discovered. This is something the Linux community needs to work on.

Package upgrading should be something like the Gentoo program Porthole:

  • Start Porthole
  • Click "Sync"
  • Enter the package you want to upgrade in the search field
  • Select it
  • Click "Emerge"

Most modern distributions have something like this, but the availability of software in general and, more importantly, the availability of upgraded versions seems to be very limited on some distributions. This is in the nature of APT and RPM: It is very hard to make a binary package that will work on "most" Linux dialects.

Ideally, a bug closed in the stable branches would mean updated packages for all distributions within a few days.

We can expect many security updates in the next few weeks, simply because there are so many fixes that are not implemented in the major distributions.
