01 Mar 2010
Planet Sun
Security: Sun Alert 275711 Security Vulnerability in the Sun Java System Directory Server May Allow Crafted LDAP Search Requests To Cause A Denial Of Service (DoS) Condition
A security vulnerability in the Sun Java System Directory Server (ns-slapd and slapd.exe) may allow a remote unprivileged user to crash the Directory Server process via crafted LDAP search requests, thereby leading to a Denial of Service (DoS) condition.
01 Mar 2010 3:50am GMT
Security: Sun Alert 274030 Multiple Security Vulnerabilities in the Solaris GNOME PDF Rendering Libraries May Lead to a Denial of Service (DoS) or Execution of Arbitrary Code
Multiple integer overflow and improper memory allocation vulnerabilities have been identified in the Solaris GNOME PDF rendering libraries. These vulnerabilities may allow a local or remote unprivileged user to cause the Solaris GNOME PDF viewers (evince(1) for OpenSolaris and gpdf(1) for Solaris 10) which are linked to these libraries to crash, resulting in a Denial of Service (DoS) or arbitrary code execution with the privileges of the user running the application.
These issues are also referenced in the following documents:
CVE-2009-3604 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3604
CVE-2009-3605 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3605
CVE-2009-3606 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3606
CVE-2009-3607 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3607
CVE-2009-3608 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3608
CVE-2009-3609 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3609
01 Mar 2010 3:50am GMT
Security: Sun Alert 274110 Security Vulnerability in the Apache 1.3 "mod_perl" Module Component "Status.pm" May Lead to Unauthorized Access to Data
A cross-site scripting (XSS) vulnerability in the Apache 1.3 HTTP server "mod_perl" module's perl-status utility may allow an unprivileged remote user to inject arbitrary web script or HTML while accessing a crafted URL to the perl-status utility. This can result in various impacts including the theft of sensitive information such as cookie information, access to user credentials or the hijacking of sessions.
Additional information regarding this issue is available at:
01 Mar 2010 3:50am GMT
Security: Sun Alert 270268 Multiple Integer Overflow Vulnerabilities in the FreeType 2 Font Engine May Lead to a Denial of Service (DoS) or Allow Execution of Arbitrary Code
Multiple integer overflow vulnerabilities in the FreeType 2 Font Library (libfreetype) may affect applications that make use of this library. Depending on the application, this vulnerability may allow a local or remote unprivileged user to crash the application through a specially crafted font file, resulting in a Denial of Service (DoS), or to execute arbitrary code with the privileges of the user running that application.
These issues are also described in the following document CVE-2009-0946 at :
01 Mar 2010 3:50am GMT
28 Feb 2010
Eve L. Maler: The Economist and “ecto gammat”
Remember in The Fifth Element when Leeloo threatens to shoot Korben Dallas for stealing a kiss, saying "ecto gammat"? Turns out it means "never without my permission". A good rallying cry for personal data sharing in today's world!
The Economist has a thoughtful article called The Data Deluge on the benefits, and the privacy risks, of making better use of the torrent of data (it mostly focuses on, but doesn't ever say, "personal" data) being generated in all kinds of business and marketplace endeavors. My favorite part, 'cause I share this assumption with the author:
The best way to deal with these drawbacks of the data deluge is, paradoxically, to make more data available in the right way, by requiring greater transparency in several areas. First, users should be given greater access to and control over the information held about them, including whom it is shared with.
This article makes a great companion to this meaty blog post by Iain Henderson laying out a serious vision for the notion of a personal datastore as a personal data warehouse. Iain knows whereof he speaks; he's been in the CRM business a long time, and runs the Kantara InfoSharing work group (along with Joe Andrieu, another thoughtful guy who's passionate about this stuff). I'm lucky to have both of them on my entirely complementary User-Managed Access group, UMA serving as a technological match for InfoSharing use cases.
I tried to add a comment to the Economist article about an aspect it didn't cover: the quality of the personal data that's floating around. Either this commenting effort completely failed, or in the fullness of time three copies of the same comment will appear - sigh. In the spirit of using this blog as my pensieve, here's the main bit:
Volatile data goes stale. Excessive data collected directly from people is often larded with, to put it bluntly, lies. (To acquire a comment account on this site, I was required to provide my given name, surname, email address, country of residence, gender, and year of birth. If everyone were totally honest when signing up, that's a powerful set of facts with which to locate and track them pretty precisely. You can tell which fields are excessive by looking at which ones people lie to…) And data collected silently through our behavior is, at best, second-hand and can never know our true intent.
Privacy is not secrecy (says digital identity analyst Bob Blakley). It is context, control, choice, and respect. Ideal levels of personal data sharing may actually be higher in total than now - but more selective. And they won't be interesting to people without offering convenience at the same time.
Wouldn't it be great to get out of the defensive crouch of "never without my permission" and turn it into "with my permission, sure, why not, it'll help me just as much as it will help you"?
(Any bets on whether I told the truth and nothing but the truth when I registered at the Economist site?)
28 Feb 2010 4:59pm GMT
Geertjan: New Cool Flashy NetBeans Platform Video!
After watching the movie above (which is only a few days old), you'll be interested in a look at the related site (http://gephi.org/):
Swing and the NetBeans Platform in action, pretty cool. It seems to be in a similar domain to Maltego, the intelligence gathering application from South Africa, which is also a NetBeans Platform application! Since it's a NetBeans Platform application, Gephi is pluggable and has a very cool developers page that provides all the info you need, including API details and tutorials.
In other news, I was visiting family in South Africa last week, and this is one very short video that I made while there: http://blip.tv/file/3279679.
28 Feb 2010 1:27pm GMT
Masaki Katakai: Open Source Conference 2010 Tokyo/Spring: Thank you
Open Source Conference 2010 Tokyo/Spring has finished successfully.

Thank you very much to everyone who stopped by our exhibition booth and to everyone who attended the "NetBeans Latest News" seminar.
I am leaving here the simple sample I built with JavaFX Composer during the seminar. It should run via Web Start.

28 Feb 2010 1:17pm GMT
Simon Phipps: links for 2010-02-28
- At a recent debate in the House of Lords on the Digital Economy Bill, a number of amendments designed to ensure citizen rights (as opposed to most terms of the DEB that limit citizen rights in defence of corporate rights) were rejected by the UK government on the basis they would upset the delicate balance of UK law. Yet here we see the very same Bill seriously disrupting the delicate balance of rights voters already enjoy. You'll no longer be able to offer your guests easy wifi access, ruining evolving and desirable modes of work and interaction in order to shore up the 20th century monopolies of Lord Mandelson's media friends. I've not heard nearly enough from the opposition parties on this stuff, making me fear they will just do more of the same - not a surprise, it's advance preparation for ACTA ratification. It's election time; we need to make sure the politicians know we care about this stuff.
- UK citizens can sign this petition to the UK government calling for transparency.
- Useful summary from Michael Geist - worth asking your representatives why your government hates transparency if you're in one of the countries opposing it.
- Peter Tribble documents some of the comments made by Oracle's representative in the OpenSolaris annual meeting. Net: Oracle intends to keep going with OpenSolaris.
28 Feb 2010 12:08pm GMT
Tim Bray: Skyline With Illuminations
Assignment for Dailyshoot 104 on 2010/02/27: "The horizon can be a strong composition element. Make a photograph that emphasizes the horizon today."

It's an artwork called "Vectorial Elevation" that's been showing here in Vancouver as part of the Olympic festivities, ends tomorrow. Really quite impressive even when shot with a wet camera on a rainy evening.
28 Feb 2010 9:05am GMT
Masaki Katakai: Firefox 3.5.8, 3.0.18 and Thunderbird 3.0.2 now available for Solaris/OpenSolaris
Firefox 3.5.8, 3.0.18 and Thunderbird 3.0.2 are available for Solaris 10 and OpenSolaris.
- http://www.mozilla.com/firefox/3.5.8/releasenotes/
- http://www.mozilla.com/firefox/3.0.18/releasenotes/
- http://www.mozillamessaging.com/thunderbird/3.0.2/releasenotes/
28 Feb 2010 8:53am GMT
Security: Sun Alert 274990 Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite
A security vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session renegotiations affects Network Security Services (NSS) libraries bundled with the following products:
- Sun Java System Web Proxy Server
- Sun Java System Application Server
- Sun GlassFish Enterprise Server
- Sun Java System Directory Server Enterprise Edition
Systems running these server applications are susceptible to a man-in-the-middle attack whereby a remote unauthenticated user with the ability to intercept and control network traffic may send an unauthenticated request at the beginning of an HTTPS session that is processed retroactively by the server. The vulnerability does not allow one to decrypt the HTTPS responses or requests in the session.
Systems running the Sun Java System Directory Server Enterprise Edition product are also vulnerable to a man-in-the-middle scenario where a remote unauthenticated user may send an appropriated request at the beginning of an LDAP session which causes the directory server to process the LDAP operation.
This issue is referenced in the following document:
Sun acknowledges with thanks Marsh Ray and Steve Dispensa of PhoneFactor for bringing this issue to our attention.
Please also see Sun Alert 273350, which describes this issue in the NSS libraries provided with Solaris and Sun Java System Enterprise System 5.
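The protocol-level fix for the renegotiation issue in this alert is the renegotiation-indication extension (RFC 5746), and a patched server advertises it during the handshake. The following script is an added example, not part of the Sun Alert or of Sun's NSS libraries: it classifies a server from the "Secure Renegotiation IS supported" / "IS NOT supported" line that `openssl s_client` (0.9.8m and later) prints after the handshake, so an administrator can confirm after patching that an HTTPS endpoint no longer negotiates the old way. The host and port passed to `probe` are assumptions; the sample outputs are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example; not part of Sun Alert 274990 or of Sun's NSS libraries.
# Classifies a TLS server by the "Secure Renegotiation ..." line that
# `openssl s_client` prints once the handshake completes:
#   "IS supported"      -> server implements RFC 5746 (patched)
#   "IS NOT supported"  -> server still uses unprotected renegotiation
#   no line at all      -> old openssl client, result unknown

# reneg_status OUTPUT -> prints "secure", "insecure" or "unknown"
reneg_status() {
    case $1 in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# probe HOST PORT -> classifies a live server. Needs network access and the
# openssl binary, so it is not exercised offline. HOST/PORT are assumptions.
probe() {
    out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    reneg_status "$out"
}

# Constructed samples of the tail of s_client output (not captured from any
# real server) so the classifier can be exercised without a network.
SAMPLE_FIXED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_UNFIXED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_OLD_CLIENT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Stand-alone demonstration over the constructed samples.
for s in "$SAMPLE_FIXED" "$SAMPLE_UNFIXED" "$SAMPLE_OLD_CLIENT"; do
    reneg_status "$s"
done
```

A result of `unknown` means the client side is too old to report the extension, not that the server is safe; re-run with a current OpenSSL before drawing a conclusion. For the LDAP-over-TLS case the same `s_client` check applies to the directory server's TLS port.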
28 Feb 2010 7:53am GMT
Tim Bray: Noracle
Today I resigned from Sun/Oracle - the official integration date here in Canada is March 1st, so I won't ever have actually been an Oracle employee. I'm not currently looking for another job. I'll write some looking-back and looking-forward stories when I've got a little perspective. I can't say enough good things about the people at Sun - and outsiders with whom I worked - over the past few years. Thanks for enriching my life! [Update: Contact info].
There are a lot of people who've been contacting me via my Sun email address and it's now gonzo. Since 1997 (and likely till I'm in my grave) my permanent email has been on exhibit on the front page of the XML Specification.
28 Feb 2010 12:13am GMT
27 Feb 2010
Jimmy Andriambao: The RPM command
Some comments about my Sunsolve document Infodoc:
"How to Install a Package Under Sun[TM] Linux (LX50), Redhat AS 2.1 and 3.0, Suse Linux ES"
It is very important to understand that this applies to every operating system that uses the RPM package installer.
(See the systems we support: http://www.sun.com/software/linux/)
For example, on any SUSE distro you'll probably maintain your installation using the GUI tool named YaST/YaST2, but what you need to know is that it manipulates the system packages using the native RPM commands.
The same goes for the "*drake" tools from the Mandriva distro or any GNOME RPM management tool. So if you've got a single package to install, you'll probably save some precious time by using the shell console and the relevant RPM commands. By using the shell you'll start to understand what's going on.
References:
http://sunsolve.sun.com/search/document.do?assetkey=1-61-204547-1
http://es.wikipedia.org/wiki/RPM_Package_Manager
27 Feb 2010 7:23pm GMT
Jimmy Andriambao: Solaris Zones
Hang on, let's go!
* So what is a Solaris **Zone** ?
A "Zone" is something you can picture as a virtual machine: you can install
another Solaris operating system inside, and from, the same host. The main
operating system, named the **"Global Zone"**, hosts one or more of these OSes.
Think of the main OS as the parent of many children: each child runs and
behaves as if it were installed on a different host. The Global Zone has
access to the hosted (running) zones, but the zones themselves have no access
to the host (Global Zone).
Remember VMware? That is a true **virtual** computer. Well, Solaris 10
gives you "almost" the same thing, but the differences are big! Both
share one main host.
You can boot or reboot any zone without rebooting the main OS
(Global Zone). Each zone has a different IP address but
can use whichever network hardware interface you want.
So you can run Apache from a single zone, or in every zone you run.
You can also run a zone with a different patch level than the Global
Zone has. From the **Global Zone**, you can "ssh" into one of the zones or
log in through its console as if on a serial line.
It's wonderful; many things are possible.
* How to set it up? Prerequisites
The zone uses the files from the Global Zone... Understand? It means you don't need a big file system. That's very useful.
So what you need is:
2 hours of time (it depends on your machine, of course! Mine was the U10 with the latest OBP release),
300 MB of RAM, at least,
A Solaris 10 OS "already" installed (SPARC/x86-x64),
Disk size is not very important (as it's virtual, it does not really consume FS space),
A free IP address (if the network is needed).
For our test, I used an ULTRA 10 SPARC computer, so the first real network interface is named "hme0".
Take care to use a free IP address. I preferred to use an IP address on the same subnet. Also
note that by using "hme0" this IP address will be bound to the real hme0 (from the Global Zone: at the end of the document, you can see my ifconfig output from the main OS).
* Let's start :
1 ) To check the available **zones**
#zoneadm list -vc
ID NAME STATUS PATH
0 global running /
2 ) Create a folder
mkdir /my_zone1
chmod 700 /my_zone1
3 ) Create the new zone
Let's name it "my_zone1"; we will also use that as its hostname.
(from the shell)
#zonecfg -z my_zone1
my_zone1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:my_zone1> create
zonecfg:my_zone1> set zonepath=/my_zone1
zonecfg:my_zone1> set autoboot=true
zonecfg:my_zone1> add net
zonecfg:my_zone1:net> set address=192.168.0.2
zonecfg:my_zone1:net> set physical=hme0
zonecfg:my_zone1:net> end
zonecfg:my_zone1> info
zonepath: /my_zone1
autoboot: true
pool:
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 192.168.0.2
physical: hme0
zonecfg:my_zone1> verify
zonecfg:my_zone1> commit
zonecfg:my_zone1> ^D (yes a CTRL+D !)
OK, so we are back at our shell. We are still at the first stage.
4 ) Let's check
#zoneadm -z my_zone1 verify (it will check your settings)
#zoneadm list -civ (it will check the zone status)
#zonecfg -z my_zone1 info
5 ) Let's boot it and **finish** the installation.
#zoneadm -z my_zone1 boot ("boot" is the parameter)
#zlogin -C my_zone1 (the console login command, so you can interact)
At this step, you'll see the OS booting: you have to finish the **installation**.
It will just ask you the basic questions you already know: IP address (again), hostname, name services...
up to the final reboot. The IP address must be the same one you set with "zonecfg".
Thanks to zlogin you are still connected, so you see your "virtual" OS rebooting; then you can log in and
create a new user account, so that later you can use the telnet or ssh commands.
Yes, you can **ping** it from the Global Zone or from any other computer within your LAN.
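The five steps above are typed interactively. As an added example (not code from the original post), here is the same procedure as a script: it generates the zonecfg commands for the post's zone (`my_zone1`, `/my_zone1`, `192.168.0.2`, `hme0`) as a command file for `zonecfg -z ZONE -f FILE`, and validates the inputs first so an obvious typo fails locally instead of at `zoneadm verify` or boot time. Only `run_zone_setup` calls Solaris commands; the other functions are plain sh. Two facts about Solaris 10 are folded in that the post does not spell out: `zoneadm` refuses a zonepath that is not mode 700 (hence the `chmod 700` in step 2), and a configured zone must be installed with `zoneadm install` before it can be booted. The scratch file location `/tmp/$zone.cfg` is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the zonecfg command
# file for a sparse-root zone and validates the inputs before anything is
# written. Only run_zone_setup() touches Solaris commands.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
    case $1 in
        ''|.*|*.|*..*) return 1 ;;           # empty, leading/trailing/doubled dots
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            *[!0-9]*) return 1 ;;            # non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# zone_cfg ZONE ZONEPATH ADDR NIC -> prints the zonecfg commands from the post.
# A bare "create" yields the sparse-root zone (inherit-pkg-dir /lib, /platform,
# /sbin, /usr) shown in the "info" output above.
zone_cfg() {
    zonepath=$2 addr=$3 nic=$4
    case $zonepath in
        /*) ;;
        *)  echo "zonepath must be absolute: $zonepath" >&2; return 1 ;;
    esac
    valid_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    case $nic in
        ''|*[!a-z0-9]*) echo "bad interface name: $nic" >&2; return 1 ;;
    esac
    printf 'create\n'
    printf 'set zonepath=%s\n' "$zonepath"
    printf 'set autoboot=true\n'
    printf 'add net\n'
    printf 'set address=%s\n' "$addr"
    printf 'set physical=%s\n' "$nic"
    printf 'end\n'
    printf 'verify\n'
    printf 'commit\n'
}

# run_zone_setup ZONE ZONEPATH ADDR NIC -> configure, install and boot the zone.
# Solaris 10 only, so it is not exercised offline. Each step stops on failure
# so a bad configuration is never booted.
run_zone_setup() {
    zone=$1 zonepath=$2
    cfg=/tmp/$zone.cfg                          # assumed scratch location
    zone_cfg "$@" > "$cfg" || return 1
    mkdir -p "$zonepath" && chmod 700 "$zonepath" || return 1   # zoneadm insists on 700
    zonecfg -z "$zone" -f "$cfg" || return 1    # non-interactive form of step 3
    zoneadm -z "$zone" verify || return 1       # step 4
    zoneadm -z "$zone" install || return 1      # required before the first boot
    zoneadm -z "$zone" boot || return 1         # step 5; then: zlogin -C "$zone"
    zoneadm list -vc                            # the new zone should show as "running"
}

# Stand-alone run: print the command file for the post's zone without
# touching the system.
zone_cfg my_zone1 /my_zone1 192.168.0.2 hme0
```

Keeping the generated file lets you review exactly what will be committed, and re-running `zonecfg -z my_zone1 info` afterwards should show the same `zonepath`, `address` and `physical` values as the interactive session above.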
6 ) Some useful commands and tips
Boot the zone:
#zoneadm -z my_zone1 boot
Reboot the zone OS:
#zoneadm -z my_zone1 reboot
Console login to your zone:
#zlogin -C my_zone1
(under JDS, select "xterm" as the console)
(under CDE, select "dtterm" as the console)
TIP: this applies only to the use of zlogin at this step. Using telnet, you'll just have to set the correct "TERM" value for the console you use.
From the zone console, how do you get back to your shell?
Using: ~.
To check what the "zoneadmd" daemon is doing:
#ps -fea | grep zoneadmd
Don't forget that by default you can't log in to any zone as the "root" user over ssh or telnet.
So "zlogin" is very useful the first time.
Later, depending on your architecture and the console or terminal you usually use, you'll have to find the correct
TERM value. E.g., if you initiate a telnet from a CDE desktop, you'll probably have to try TERM=dtterm even
if you used a gnome-terminal to launch the telnet command!
Hey look, from the Global Zone, you can see my **ifconfig** output :
#ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone my_data1
inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
ether 8:0:20:d1:2c:9b
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone my_data1
inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
On **another** SPARC U10, I have installed **3** zones. Look, it's very easy. That machine has 512 MB of RAM and an 8 GB disk drive. With the 3 zones running at the same time, the computer is still perfectly usable. Yes, you have access to 4 instances of Solaris!
I'll let you imagine what you can do (e.g. one will run Apache, another MySQL, and the rest could be used as OS backups).
#zoneadm list -vc
ID NAME STATUS PATH
0 global running /
7 data3 running /data3
8 data1 running /data1
9 data2 running /data2
By the way, have a look at your Global Zone processes. You'll see that a daemon
named **"zoneadmd"** is running. This **IS** the process that manages the zone.
You'll see one daemon per zone.
Zones are much more powerful than this: you can share CPU time between zones, which means you can manage it.
You can also share some mount points from the Global Zone to be used within your zones.
For example, the /mnt mount point from your main OS (your Global Zone) can be published to be "zone aware", which means that /mnt will be bound and accessible from within your zone.
* Feel free to comment on this article; I will improve it soon.
Enjoy :=)
27 Feb 2010 7:15pm GMT
Jimmy Andriambao: Redhat Distros and specific RHEL 3.0/4.0 packages
Hey guys, if you don't have a user account to access the Redhat Network (RHN), you can fetch the source product from: http://ftp.redhat.com/pub/redhat/linux/updates/enterprise/
and compile the product yourself, then do the installation.
Also, from this folder http://ftp.redhat.com/pub/redhat/linux/updates/ you can update (following the same idea) most of the Redhat distros.
Of course this idea is perfect for a single package...
What is the Redhat Network?
It's the single way to download and update your RHEL distro.
You can download new ISOs, new packages, or use the "up2date" command to update/upgrade your installed operating system.
Note: ISOs and the pre-compiled packages are not available to the public.
This is a commercial product and you'll only have access to the Redhat products by using an official account (i.e. a licence).
See http://www.redhat.com/software/rhn/ to get an overview of the Redhat Network.
27 Feb 2010 7:10pm GMT
Jimmy Andriambao: WELCOME
-> Jimmy, IT senior System Engineer for Sun Microsystems, Inc., a wholly owned subsidiary of Oracle Corporation.
I am based in Spain and actually "managing" and supporting the IT of the France, Portugal and Spain countries.
I am supposed to be an IT specialist, with some good knowledge of x86 hardware and various *nix operating systems (but also very comfortable with any Microsoft Windows version).
In charge of helping end-users and ensuring that all my sites (approximately more than 2000 users) run safe and stable, I also have to manage services as the interface to local or external providers.
27 Feb 2010 7:06pm GMT