Security Advisory – 2008-11-22

No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes
a security issue is now available.

This update has been rated as having important security impact.

Description:
Versions 2.1.1- > 2.1.8 are prone to a stack-based buffer-overflow due to
a boundary error when processing HTTP responses received from the update
server. This can be exploited and cause a stack-based buffer overflow when
performing an update.

A malicious user could exploit this by faking the No-IP update server
via DNS poisoning or a man in the middle attack. This can cause a denial of
service (client crash) or
potentially execute arbitrary code on the computer the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the most
recent version, 2.1.9
at http://www.no-ip.com/downloads?page=linux&av=1

comments : 0 Add comment

This is a maintenance release. The following items were fixed and/or added:

• VMM: fixed Guru meditation when running 64 bits Windows guests (bug #2220)
• VMM: fixed Solaris 10U6 boot hangs (VT-x and AMD-V) bug #2220)
• VMM: fixed Solaris 10U6 reboot hangs (AMD-V only; bug #2220)
• GUI: the host key was sometimes not properly displayed (Windows hosts only, bug #1996)
• GUI: the keyboard focus was lost after minimizing and restoring the VM window via the Windows taskbar (bugs #784)
• VBoxManage: properly show SATA disks when showing the VM information (bug #2624)
• SATA: fixed access if the buffer size is not sector-aligned (bug #2024)
• SATA: improved performance
• SATA: fixed snapshot function with ports>1 (bug #2510)
• E1000: fixed crash under rare circumstances
• USB: fixed support for iPhone and Nokia devices (Linux host: bugs #470 & #491)
• Windows host installer: added proper handling of open VirtualBox applications when updating the installation
• Windows host installer: fixed default installation directory on 64-bit on new installations
• Windows host installer: added proper handling of open VirtualBox applications when updating the installation
• Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc
• Linux hosts: fixed assertion on high network load (AMD64 hosts, fix for Linux distributions with glibc 2.6 and newer (bug #616)
• Linux hosts: don’t crash during shutdown with serial ports connected to a host device
• Solaris hosts: fixed incompatibility between IPSEC and host interface networking
• Solaris hosts: fixed a rare race condition while powering off VMs with host interface networking
• Solaris hosts: fixed VBoxSDL on Solaris 10 by shipping the required SDL library (bug #2475)
• Windows additions: fixed logged in users reporting via guest properties when using native RDP connections
• Windows additions: fixed Vista crashes when accessing shared folders under certain circumstances (bug #2461)
• Windows additions: fixed shared folders access with MS-Office (bug #2591)
• Linux additions: fixed compilation of vboxvfs.ko for 64-bit guests (bug #2550)
• SDK: added JAX-WS port caching to speedup connections

REQUIREMENTS
Mac OS X 10.4 or later, Intel Mac.

downloads

comments : 0 Add comment

Announcement

New features

• Internationalization by default
• Stronger etag and last-modified support
• Thread safety and a connection pool
• Ruby 1.9 and JRuby compatibility
• Better API docs, great guides

comments : 0 Add comment

David Heinemeier Hansson started a serie of posts to explain some Rails myths.

The Rails Myth

These posts are a good opportunity to refresh our mind about Rails pros and cons.

comments : 0 Add comment

October 31st: The Ubuntu team is pleased to announce Ubuntu 8.10 Desktop and Server, continuing Ubuntu’s tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution.

What is Ubuntu

Get Ubuntu

comments : 0 Add comment

The release candidate version of the upcoming Ubuntu 8.10 (codename Intrepid Ibex), which is scheduled for launch in late October this year, arrived a few hours ago and. Compared with the beta release, which brought Firefox 3.0.3, PAM authentication framework and a BBC plugin for Totem.

The development team introduces now two new tools, the first one being System Cleaner (system-cleaner-gtk), which allows you to find and remove packages that are old or not supported by Ubuntu from the system. System Cleaner can also find different problems on the machine, such as wrong entries in /etc/fstab. The second tool is called “Create a USB startup disk” and it allows you to create a bootable USB stick in case you want to install Ubuntu from USB. Here is the screenshot tour of the release candidate of Ubuntu 8.10

Download

comments : 0 Add comment

VirtualBox 2.0.4, a maintenance release, has been released. See the ChangeLog for a list of changes since VirtualBox 2.0.2.

download area

comments : 0 Add comment

Rails 2.1.2: Security, other fixes
from Riding Rails – home by David

Rails 2.1.2 includes the same two security fixes that we pushed out for 2.0.x recently. We’re talking about a backport of the offset/limit sanitization fix for Active Record and a fix against header-injection when using user-contributed strings in redirect_to (see Response Splitting for more information).

In addition, Rails 2.1.2 fixes the warning that users of RubyGems 1.3.0 were having with script/generate as well as a range of other minor fixes. Enjoy!

As always, you can install with:

gem install rails --version 2.1.2

comments : 0 Add comment

Hot off the back of the Rails Guides hackfest came a lot of great new Rails documentation. Now joining that documentation comes an all new Ruby on Rails Security Guide. Clocking in at almost 11,000 words, the guide covers RJS injection, cookie store session replay attacks, session hijacking, File upload security, mass assignment of attributes, CAPTCHAs, SQL injection, and more.

comments : 0 Add comment

Newrelic goes free

NewRelic RPM is a Rails Performance Management system that monitors the performance of your Ruby on Rails applications as they run in production.

The free version RPM Lite, gives a free, supported performance monitoring product that helps developers and application managers optimize production Rails applications.

Announcement

comments : 0 Add comment