This week would appear to be pretty tame given how few security updates there were. Fedora Core saw zero security updates while Red Hat Enterprise Linux saw two. The most notable thing that happened this week was a BIND update. I shall comment on that at the end.
Security Updates
- Adobe Acrobat Reader
Fixed in Red Hat Enterprise Linux 3
This Acrobat Reader update lagged the Red Hat Enterprise Linux 4 update by a week due to technical difficulties. Adobe decided that the new Reader will only work with gtk version 2.4 and higher. Red Hat Enterprise Linux 3 contains gtk version 2.2, which is obviously a problem. We weren't willing to leave our users high and dry on this issue, so after a great deal of effort, Kristian managed to build a special gtk 2.4 package that is used only by the new Acrobat Reader packages.
This is one of the annoying issues with closed source software. We are beholden to Adobe and the choices they make. If Acrobat Reader were an open source application, we could have simply backported the security fix and built updated packages.
- gtk2
Fixed in Red Hat Enterprise Linux 4
A bug was found in the way gtk2 processes malformed image data. There isn't any potential for arbitrary code execution; it's just a crash. Most things that use gtk2 can crash without causing much trouble for the user, and we like to think of those crashes as the "don't do that again" class of bugs. The biggest problem with this flaw is Evolution. Evolution seems to think that it's a neat idea to reload the same message you were reading when recovering from a crash. As any clever person may guess, if the mail message you opened is the reason for the crash, Evolution will never restart. This means that an evildoer could send a mail message to an Evolution user that would make it difficult to recover from.
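The recovery problem described above, as an added toy example in Python (not Evolution or gtk2 code): a reader that persists "the message I was viewing" and re-opens it unconditionally at startup turns a one-off crash into a permanent crash loop, while a reader that records "I am about to render this" and clears the marker only after success can recognise the poison message at the next start and refuse to auto-open it. The `render` function, the inbox contents and the `b"BAD"` attachment that stands in for malformed image data are all constructed for the example.

```python
import json
import os
import tempfile


class RenderCrash(Exception):
    """Stands in for the whole process dying (e.g. a toolkit aborting on bad data)."""


def render(message):
    """Constructed stand-in for a GUI toolkit rendering a message body.

    Assumption for this example: an attachment equal to b"BAD" models malformed
    image data that takes the whole process down, as the gtk2 crash did.
    """
    if message.get("image") == b"BAD":
        raise RenderCrash(f"bad image data in message {message['id']}")
    return f"rendered {message['id']}"


class NaiveReader:
    """Remembers the last message read and re-opens it on every restart."""

    def __init__(self, inbox, state_path):
        self.inbox = inbox            # {message_id: message dict}
        self.state_path = state_path  # persisted across 'process' restarts

    def _save(self, state):
        with open(self.state_path, "w") as f:
            json.dump(state, f)

    def _load(self):
        if not os.path.exists(self.state_path):
            return {}
        with open(self.state_path) as f:
            return json.load(f)

    def open(self, message_id):
        self._save({"last": message_id})
        return render(self.inbox[message_id])

    def recover(self):
        """Startup hook: re-open whatever was being read before the crash."""
        last = self._load().get("last")
        return self.open(last) if last else None


class SafeReader(NaiveReader):
    """Marks a message 'pending' until it has rendered successfully.

    A pending marker found at startup means the previous run died inside that
    message, so it is quarantined rather than re-opened automatically.
    """

    def open(self, message_id):
        state = self._load()
        self._save({**state, "last": message_id, "pending": message_id})
        out = render(self.inbox[message_id])          # may 'crash' here
        self._save({**state, "last": message_id, "pending": None})
        return out

    def recover(self):
        state = self._load()
        pending = state.get("pending")
        if pending:
            quarantined = sorted(set(state.get("quarantined", [])) | {pending})
            self._save({"last": None, "pending": None, "quarantined": quarantined})
            return f"skipped {pending}"
        last = state.get("last")
        return self.open(last) if last else None


def simulate(reader_cls, restarts=3):
    """Open a poison message, 'crash', then restart the reader `restarts` times.

    Returns what each restart did; "crash" means recovery died again.
    """
    inbox = {                                     # constructed sample inbox
        "m1": {"id": "m1", "image": b"OK"},
        "m2": {"id": "m2", "image": b"BAD"},      # the poison message
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "state.json")
        reader_cls(inbox, path).open("m1")        # a normal session
        try:
            reader_cls(inbox, path).open("m2")    # user opens the poison message
        except RenderCrash:
            pass                                  # the process is gone
        outcomes = []
        for _ in range(restarts):
            try:
                outcomes.append(reader_cls(inbox, path).recover())  # new process
            except RenderCrash:
                outcomes.append("crash")
        return outcomes


if __name__ == "__main__":
    print("naive:", simulate(NaiveReader))   # ['crash', 'crash', 'crash']
    print("safe: ", simulate(SafeReader))    # ['skipped m2', None, None]
```

A real client would want a crash counter rather than a single flag, so that an unrelated crash while a harmless message happens to be open does not quarantine it forever, but the principle is the same: never automatically re-feed yourself the input you were processing when you died.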
A bind update was released on 2007-01-25. The new BIND fixes two security flaws, but ISC has provided minimal details regarding them. The way ISC handled these flaws was, in my opinion, rather irresponsible. The advisories and their response were very lacking: the advisories were not well written and did not contain useful details. I logically mailed ISC with questions about the update and whether they could provide details about the flaws. I've found that it's usually easier for upstream to provide analysis for flaws, since they are the experts. Almost all open source upstream projects are very responsive and helpful when dealing with security updates. ISC, however, has not been helpful or responsive. I did not receive a response for several days, and the response I did get asked "Did you even perform a recursive diff of BIND 9.3.3 vs BIND 9.3.4 ..."
This response is most disheartening. I once believed ISC was a stand-up organization, but the past few BIND updates we've seen have me wondering whether this is true. ISC is very unwilling to engage the community in a meaningful and helpful manner. This worries me greatly, since a number of ISC projects are widely used as part of the critical infrastructure of the Internet. Hopefully my experiences have been flukes, but I'm beginning to think not.
I really have nothing much to say about this week. The biggest thing to happen is probably a new version of Wireshark. Wireshark 0.99.5 was released on Thursday. It only fixes some minor crashing bugs. There was once a time when Wireshark (then Ethere