Another WordPress Security Update

1.5.2 “Strayhorn” has been released today. The changelog mentions that several vulnerabilities have been fixed but — once again — the developers don’t provide any details! One has to look at the diffs to see what has been fixed.

I hate that kind of silly security by obscurity. Vague vulnerability descriptions are almost useless for administrators, just saying “we’ve fixed some security problems” is even worse!

August 15th, 2005: See this article for a reply to some comments I’ve received.

August 18th, 2005: The WordPress developers seem to have problems with release management too: There are two different 1.5.2 versions, read more in WordPress Security Annoyances.

Debian Installer With Kernel 2.6.11

As mentioned recently, Debian Sarge’s installer doesn’t work on my Dell Inspiron 9300. I like Debian but I think it’s a shame that the sarge installer was already outdated on the day of its release.

The official sarge installer still uses a 2.4 kernel by default but includes a 2.6 kernel that can be used by booting with "install26" or "expert26". But even that kernel, 2.6.8, is too old for the Inspiron 9300. It still doesn’t recognize the hard disk.

Ubuntu’s installer, which uses a 2.6.11 kernel, works fine on the machine. Although Ubuntu is a nice distribution, I like pure Debian better. Unfortunately I wasn’t able to find any 2.6.11 based Debian installer on the net, even a question on debian-boot yielded nothing.

Anyhow, I finally had the time to build one myself:
debian-2.6.11-i386-businesscard.iso (GPG signature)

The image is basically a sarge businesscard ISO with a 2.6.11 kernel from Debian testing instead of the original 2.6.8 kernel.

Unlike with Ubuntu, installation on the Inspiron 9300 still doesn’t work out of the box but with a few tricks I was able to install Debian sarge:

  • Boot with expert26
  • When the installer starts up, switch to the second console (Alt-F2) and enter these commands:
    ~ # modprobe ide_generic
    ~ # modprobe ata_piix

    Without this the installer won’t find the CD-ROM.

  • If network configuration via DHCP fails, just retry — worked for me
  • When asked what version of Debian you would like to install, choose stable. Installing testing or unstable directly doesn’t work.
  • It doesn’t matter which kernel you choose to install, we have to replace it with a 2.6.11 kernel later anyway
  • Just before the first reboot, that is, right after the installer ejects the CD-ROM, switch back to the second console. Now download and install the latest available Debian kernel. I’ve used 2.6.11-1-686:
    ~ # mount -t proc proc /target/proc
    ~ # chroot /target
    sh-2.05b# cd /root
    sh-2.05b# wget http://blog.blackdown.de/static/debian/kernel-image-2.6.11-1-686_2.6.11-7_i386.deb
    sh-2.05b# dpkg -i kernel-image-2.6.11-1-686_2.6.11-7_i386.deb
    …
    sh-2.05b# exit
    ~ # umount /target/proc
  • Reboot (using the kernel just installed) and complete the installation
  • Upgrade to testing or unstable
  • Build a custom kernel (2.6.12 or newer). It’s probably a good idea to include some additional libata patches. To get the DVD drive working you have to apply this patch.
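The kernel-replacement step above fetches a .deb over plain HTTP and installs it straight away; the script below wraps that step so the package is only installed once its SHA-256 matches a checksum obtained from a trusted source. This is an added example, not part of the original post, and the URL and checksum are placeholders you have to supply yourself.

```shell
#!/bin/sh
# Added example (not from the original post): install a kernel .deb into the
# installer's /target chroot only after its SHA-256 checksum has been verified.
# DEB_URL and EXPECTED are assumptions/placeholders, not values from the post.

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if FILE's SHA-256 equals EXPECTED (hex, case-insensitive), else 1.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file" | tr 'A-F' 'a-f')"
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download DEB_URL into TARGET/root, refuse to install on a checksum mismatch,
# otherwise mount proc, chroot into TARGET and run dpkg -i as the post does.
install_kernel_deb() {
    target="$1"; deb_url="$2"; expected="$3"
    deb="$(basename "$deb_url")"
    wget -O "$target/root/$deb" "$deb_url" || return 1
    if ! verify_sha256 "$target/root/$deb" "$expected"; then
        echo "checksum mismatch for $deb, not installing" >&2
        rm -f "$target/root/$deb"
        return 1
    fi
    mount -t proc proc "$target/proc" || return 1
    chroot "$target" dpkg -i "/root/$deb"
    rc=$?
    umount "$target/proc"
    return $rc
}

# Usage from the installer's second console (placeholders, fill in your own):
# install_kernel_deb /target http://example.invalid/kernel-image.deb <sha256 from a trusted source>
```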

Debian Packages for J2SE 1.4.2-02

Thanks to Matthias Klose, Debian packages for Blackdown J2SE-1.4.2-02 are available now. Just add something like

deb ftp://ftp.tux.org/java/debian/ sarge non-free

to your /etc/apt/sources.list.

Upgrading is recommended as 1.4.2-02 contains an important security fix.

Blackdown J2SE 1.4.2-02

Blackdown released J2SE 1.4.2-02 for Linux on x86 and AMD64/EM64T yesterday. The release fixes a security issue (JRE May Allow Untrusted Applet to Elevate Privileges), so make sure you upgrade.

Users of other Java implementations based on Sun’s code should check for updates too.

The Sky Is Falling

  • Debian Sarge is released (unfortunately the installer doesn’t like my Inspiron 9300)
  • Apple is switching to Intel CPUs