Red Hat, Suse patch critical KDE security hole

InfoWorld ^ | 23 January 2006 | James Niccolai

[ShadowAce]

Red Hat and Suse have released patches for a critical security hole in their Linux distributions that stem from a vulnerability in the KDE desktop environment.

KDE is a user interface package used with several versions of Unix and Linux. The KDE hole was discovered Thursday and rated critical by both Red Hat and the French Security Incident Response Team (FrSIRT).

It affects the JavaScript engine used in various parts of KDE, including its Konqueror Web browser. The flaw could allow a remote attacker to launch an overflow attack and run arbitrary code on the user's machine, FrSIRT said.

Users could disable JavaScript in Konqueror as a workaround, but some Web sites might not display properly and installing the patches is better, said Suse, which is part of Novell.

The problem affects version 4 of Red Hat Enterprise Linux AS, ES, and WS, and also version 4 of Red Hat Desktop. Red Hat released patches for those products late last week on the Red Hat Network, it said.

The versions of Suse Linux affected are 10.0, 9.3, 9.2 and 9.1, according to a Suse advisory at http://www.novell.com/linux/security/advisories/2006_03_kdelibs3.html/

KDE also released patches for the hole, and an advisory at http://kde.org/info/security/advisory-20060119-1.txt. The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said.

The newest version of KDE released in November, KDE 3.5, is apparently not affected. Also not affected are Red Hat Enterprise Linux 3 or 2.1, Red Hat said.

The FrSIRT advisory is at http://www.frsirt.com/english/advisories/2006/0279

[KayEyeDoubleDee]

What distro are you running under that WindowMaker. I tried it a few years ago on Mandrake, and wasn't too happy with. I'm a NextStep veteran, so I had some sentimental interest in WindowMaker and OpenStep...

[Bush2000]

This, plus the motivation of the involved developers being more project-oriented than closed-source developers, and yes--all bugs are shallow in comparison with closed-source projects.

That's a buttload of crap. Closed-source developers aren't any less "project-oriented" than open source developers. Probably more so. I know you'd like to think so but bugs aren't shallow in either methodology.

[ShadowAce]

Closed-source developers aren't any less "project-oriented" than open source developers.

So your position is that if you quit paying the MS developers, they'd gladly stay on and work?

[Bush2000]

So your position is that if you quit paying the MS developers, they'd gladly stay on and work?

Non-sequitor. If the companies that pay the devs that do open source in their free time stop paying them, they're not going to afford to stay on and work on the OSS projects, either.

[blues_guitarist]

I've found that the configuration that comes with Suse is preconfigured pretty well. It's set up to have access to the default Suse menus right from your right click menu.

[ShadowAce]

Non-sequitor.

No, it's not. Less than half of all FLOSS developers are paid to develop software for the project they are woring on. Yes, most of the large, well-known projects have paid developers, but those comprise a very small minority of projects.

[Bush2000]

No, it's not. Less than half of all FLOSS developers are paid to develop software for the project they are woring on. Yes, most of the large, well-known projects have paid developers, but those comprise a very small minority of projects.

Yes, it is. Take away a paycheck from either closed source or open source developers -- regardless of that source of income -- and you're not going to see people dedicating their time to their projects.

[ShadowAce]

The point is where that paycheck comes from. How many MS developers contribute their free/spare time to coding for MS? Contrast that to how many FLOSS developers are contributing their time and effort in addition to their full-time jobs. The difference is because of the orientation of those developers--FLOSS developers contribute is spite of not being paid by that project. MS developers contribute solely because they are being paid by that project.

That is the difference, and that is my point.

[Bush2000]

The point is where that paycheck comes from. How many MS developers contribute their free/spare time to coding for MS?

A majority of them. Overtime is not reimbursed at MS. Every dev that I know that works there is a workaholic. And many of them work on joint projects between several teams that aren't reimbursed. For example, DirectX started as a joint effort initiated by Alex St. John. People simply believed in the concept and made it happen. Without anybody paying them to do it. Consequently, based on what I've seen, your original statement is BS.

[Senator Bedfellow]

I'll disagree with that. I don't think that OSS programmers are necessarily more motivated or more able than their closed-source counterparts. Professional programmers are like everyone else, in the sense that most of them take some amount of pride in their work, and few of them want to be seen as Charlie Codegrinder, doing whatever bare minimum is necessary to keep from getting fired.

As far as ability goes, most OSS programmers are limited in what they can contribute by the simple fact that almost all of them have to have day jobs, so as to put food on the table and keep the lights on and so forth. It's awfully hard to put in an 80-hour week when you're up against a deadline for your real job, and then come home and not be too fried to put some real effort into hobby programming. Unless by "ability" you mean "talent", but I don't think either OSS or closed-source projects have a monopoly on talent.

Anyway, where you have OSS projects with a dedicated core of talented programmers, the output is generally of high quality. But of course, that's equally true for closed-source software.

[CodeToad]

"What are you suggesting? "Many eyeballs" translates into instantaneous discovery?"


Sure, because that is the value point the Open Source crowd claims of having "Many eyeballs".