Feed aggregator

HTML_QuickForm2 0.4.0

pear News - Mon, 03/08/2010 - 12:31
Milestone 4: port of HTML_QuickForm_Controller, group rules

Major additions and changes
* Includes a port of HTML_QuickForm_Controller. It is now possible to create
multipage forms (wizards, tabbed forms, etc.) with HTML_QuickForm2
* It is now possible to leverage existing rules for group validation
(see also request #12610)
* Rule configuration redone, now an error for an incomplete or bogus
configuration will be thrown immediately on adding a Rule rather than on
validating with it. Rule::getConfig() will now return the complete
configuration rather than a local part of it.

Features added
* It is possible to disable "intrinsic validation" for select
elements (request #13088)
* Checkboxes named 'foo[]' properly get their values from data sources
(request #16806)
* Arrays generated by Array Renderer for fieldsets and groups contain
'type' keys (request #16937)
* Added setElementTemplateForGroupClass() and setElementTemplateForGroupId()
methods to HTML_QuickForm2_Renderer_Default, setting templates for grouped
elements within a group of a given class or with a given id, respectively

Bug fixes
* E_NOTICE for an undefined index could be emitted when outputting
a checkbox (bug #16816)

Backwards compatibility issues
* HTML_QuickForm2_Renderer_Default::setGroupedTemplateForClass() is
deprecated
* If you implemented custom Rules, you should rewrite them to conform
to the new Rule configuration approach (this may require implementing
custom mergeConfig() and setConfig() methods) and implement
validateOwner() method instead of checkValue(). Old-style Rules will emit
notices in 0.4.0 and will stop working completely in the next release.
* Packaging changes: data/, docs/ and tests/ contents are installed without
redundant subdirectories, e.g. quickform.css now resides in
@data_dir@/HTML_QuickForm2 rather than
@data_dir@/HTML_QuickForm2/data
Categories: PHP

USN-907-1: gnome-screensaver vulnerabilities

ubuntu News - Mon, 03/08/2010 - 06:31
Referenced CVEs: CVE-2010-0285, CVE-2010-0422

Description:

===========================================================
Ubuntu Security Notice USN-907-1 March 08, 2010
gnome-screensaver vulnerabilities
CVE-2010-0285, CVE-2010-0422
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.10:
  gnome-screensaver 2.24.0-0ubuntu2.1

Ubuntu 9.04:
  gnome-screensaver 2.24.0-0ubuntu6.1

Ubuntu 9.10:
  gnome-screensaver 2.28.0-0ubuntu3.5

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

It was discovered that gnome-screensaver did not correctly lock all screens when monitors get hotplugged. An attacker with physical access could use this flaw to gain access to a locked session. (CVE-2010-0285)

It was discovered that gnome-screensaver did not correctly handle keyboard grab when monitors get hotplugged. An attacker with physical access could use this flaw to gain access to a locked session. This issue only affected Ubuntu 9.10. (CVE-2010-0422)
Categories: Linux

Mail_Mime 1.6.1

pear News - Mon, 03/08/2010 - 05:23
Bugs Fixed:
* Fix encoding of Return-Receipt-To and Disposition-Notification-To headers [alec]

Implemented Features:
* Implement Feature #12466: Build parameters validation [alec]
* Implement Feature #17175: Content-Description support for attachments [alec]
Categories: PHP

Net_SMTP 1.4.2

pear News - Mon, 03/08/2010 - 02:56
Fixing header string quoting in data(). (Bug #17199)
Categories: PHP

openSUSE Weekly News, Issue 113 is out!

openSuSE News - Sat, 03/06/2010 - 08:32

Issue #113 of openSUSE Weekly News is now out!

    • Pavol Rusnak: Announcing Connect!
    • Andrew Wafaa: openSUSE & Google Summer of Code 2010
    • Bento-Theme implementation approach
    • Linux.com/Joe Brockmeier: Beginner’s Guide to Nmap
    • Poll: Which linux Distro do you use frequently

      For a list of available translations see this page:

      http://en.opensuse.org/OpenSUSE_Weekly_News/113/Translations.

      Categories: Linux

      PHP_ParserGenerator 0.1.6

      pear News - Fri, 03/05/2010 - 04:09
      - fix Bug #11645: unused rhs labels undetected [r0vert]
      - fix Bug #11647: substitution of @X works incorrectly [r0vert]
      - Bug #10685 fatal error when calling "phplemon --help"
      Categories: PHP

      Payment_PagamentoCerto 0.2.3

      pear News - Thu, 03/04/2010 - 19:42
      - fixed bizarre syntax error in PagamentoCerto.php
      - fixed bug where setPaymentMethod() had no effect at all
      Categories: PHP

      PHP 5.3.2 Release Announcement

      PHP News - Thu, 03/04/2010 - 06:57
      The PHP development team is proud to announce the immediate release of PHP 5.3.2. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes.

      Security Enhancements and Fixes in PHP 5.3.2:
      * Improved LCG entropy. (Rasmus, Samy Kamkar)
      * Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
      * Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)

      Key Bug Fixes in PHP 5.3.2 include:
      * Added support for SHA-256 and SHA-512 to php's crypt.
      * Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check.
      * Fixed bug #51059 (crypt crashes when invalid salt are given).
      * Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
      * Fixed bug #50847 (strip_tags() removes all tags greater than 1023 bytes long).
      * Fixed bug #50723 (Bug in garbage collector causes crash).
      * Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).
      * Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).
      * Fixed bug #50540 (Crash while running ldap_next_reference test cases).
      * Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
      * Over 60 other bug fixes.

      For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.

      Further information and downloads: For a full list of changes in PHP 5.3.2, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.
      Categories: PHP

      USN-906-1: CUPS vulnerabilities

      ubuntu News - Wed, 03/03/2010 - 12:40
      Referenced CVEs: CVE-2009-3553, CVE-2010-0302, CVE-2010-0393

      Description:

      ===========================================================
      Ubuntu Security Notice USN-906-1 March 03, 2010
      cups, cupsys vulnerabilities
      CVE-2009-3553, CVE-2010-0302, CVE-2010-0393
      ===========================================================

      A security issue affects the following Ubuntu releases:

      Ubuntu 6.06 LTS
      Ubuntu 8.04 LTS
      Ubuntu 8.10
      Ubuntu 9.04
      Ubuntu 9.10

      This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

      The problem can be corrected by upgrading your system to the following package versions:

      Ubuntu 6.06 LTS:
        cupsys 1.2.2-0ubuntu0.6.06.17
        cupsys-client 1.2.2-0ubuntu0.6.06.17

      Ubuntu 8.04 LTS:
        cupsys 1.3.7-1ubuntu3.8
        cupsys-client 1.3.7-1ubuntu3.8

      Ubuntu 8.10:
        cups 1.3.9-2ubuntu9.5
        cups-client 1.3.9-2ubuntu9.5

      Ubuntu 9.04:
        cups 1.3.9-17ubuntu3.6
        cups-client 1.3.9-17ubuntu3.6

      Ubuntu 9.10:
        cups 1.4.1-5ubuntu2.4
        cups-client 1.4.1-5ubuntu2.4

      In general, a standard system upgrade is sufficient to effect the necessary changes.

      Details follow:

      It was discovered that the CUPS scheduler did not properly handle certain network operations. A remote attacker could exploit this flaw and cause the CUPS server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553, CVE-2010-0302)

      Ronald Volgers discovered that the CUPS lppasswd tool could be made to load localized message strings from arbitrary files by setting an environment variable. A local attacker could exploit this with a format-string vulnerability leading to a root privilege escalation. The default compiler options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to a denial of service. (CVE-2010-0393)
      Categories: Linux

      Drupal 6.16 and 5.22 released

      Drupal News - Wed, 03/03/2010 - 11:18
      Download Drupal 6.16
      Download Drupal 5.22

      Drupal 6.16 and 5.22, maintenance releases which fix issues reported through the bug tracking system, as well as security vulnerabilities, are now available for download. Drupal 6.16 also fixes other smaller issues.

      Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement, more information on the 5.x releases can be found in the Drupal 5.0 release announcement. Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.

      Categories: Drupal

      SIOS CloudStation - Cloud-Powered High Availability and Disaster Recovery

      AWS Blog - Tue, 03/02/2010 - 16:53

      Late last week I met Jim Kaskade of SIOS at a Seattle-area Starbucks for a meeting and a product demo. With the very cool (and appropriate) title "Chief of Cloud", Jim was the right person to demonstrate his company's new cloud-powered high availability and disaster recovery solution.

      Jim's Mac laptop was running CentOS. He used Xen and Red Hat's Virtual Machine Manager to host a couple of virtual machines representing the web, application, and database tiers of a SugarCRM installation. Each of the guest operating systems was running a copy of the new SIOS CloudStation product. Each copy of CloudStation was configured (using a web-based GUI) to replicate the state of the virtual machine to an Amazon EC2 instance running in a user-selected Region.

      Once everything was up and running, Jim showed me how he could selectively kill the local virtual machines while keeping the application running. The demo was designed to feature a very short RPO (Recovery Point Objective) so that changes made locally just seconds before the database was killed were available from the cloud-based virtual mirror. Jim walked me through a number of different failure and recovery scenarios.

      It was quite impressive and makes a great demo of the cloud-based DR (Disaster Recovery) and HA (High Availability) that I've been telling my audiences about for the last couple of years. Once configured, CloudStation can fail over from local processing to the cloud, from one cloud region to another, or even from one cloud provider to another. It can also be used as a migration tool, or what is sometimes called P2V (Physical to Virtual) or P2C (Physical to Cloud).

      Read more in the Solution Brief (PDF) or sign up for the March 24th webinar.

      -- Jeff;

      Categories: Cloud

      New Drupal Book - Drupal 6 Attachment Views

      Drupal News - Tue, 03/02/2010 - 04:01

      Drupal 6 Attachment Views, by me, J. Ayen Green, is my second title from Packt Publishing. It is aimed at Drupal web site developers who want to build more functionality and interaction into their views, but aren’t ready quite yet to take on panels. As a reader of drupal.org, you can receive a 15% discount (see below) and benefit the Drupal Association!

      I wrote this to be a fun, informative, hands-on learning guide. It uses an actual case study that was developed in parallel with the book’s writing. This guide presents purposeful and interactive examples that build on each other. Clear, concise instructions and practical examples help you to learn quickly to use this exciting feature of views.

      Categories: Drupal

      Mail 1.2.0

      pear News - Mon, 03/01/2010 - 09:47
      QA release - stable.

      Updated minimum dependencies (Net_SMTP, PEAR, PHP)
      Doc Bug #15620 Licence change to BSD
      Bug #13659 Mail parse error in special condition
      Bug #16200 - Security hole allow to read/write Arbitrary File
      _hasUnclosedQuotes() doesn't properly handle a double slash before an end quote (slusarz@curecanti.org, Bug #9137).
      Make sure Net_SMTP is defined when calling getSMTPObject() directly (slusarz@curecanti.org, Bug #13772).
      Add addServiceExtensionParameter() to the SMTP driver (slusarz@curecanti.org, Bug #13764).
      Add a method to obtain the Net_SMTP object from the SMTP driver (slusarz@curecanti.org, Bug #13766).
      Categories: PHP

      Services_Twitter 0.5.1

      pear News - Mon, 03/01/2010 - 03:27
      * Fixed bug #17075. Wrong test in package
      * Added mb_string requirement after reported issues
      Categories: PHP

      Crypt_GPG 1.1.0

      pear News - Mon, 03/01/2010 - 03:05
      Feature and bug fix release. Changes include:
      * Better support for older versions of GnuPG. Fixes Bug #15906.
      * Added method to get GnuPG version.
      * New options to specify the location of the public keyring, secret keyring and trust database. Req #17005.
      * Added methods to encrypt and sign data in a single pass. Req #17004.
      * Added methods to decrypt and verify data in a single pass. Req #17004
      * Added 'textmode' option to sign() and signFile() methods. Req #17006.
      * Fixed Bug #17174, handling verification of bad signatures.
      * Added fluent interface for UserId, Key, SubKey and Signature objects.
      Categories: PHP

      HTML_Template_IT 1.3.0a3

      pear News - Mon, 03/01/2010 - 02:14
      - Fix bug #17129
      - Added unit test for bug #17129
      Categories: PHP

      Last day for DrupalCon SF session voting: Monday March 1st

      Drupal News - Sat, 02/27/2010 - 11:53

      Over 400 session submissions have been submitted for DrupalCon San Francisco, which will be held April 19-21, 2010. We need your help in deciding which of those sessions will be included in the conference program. Please come review the list of sessions and vote on the ones you'd like to see most.

      Voting ends Monday, March 1st at 23:59 PST.

      DrupalCon is a community-driven event. You've shared with us a vast array of exciting new ideas, proven recipes for success, case studies, best practices, new solutions to old problems, and other gems of knowledge. Now help us narrow down the selection. Your opinions are what shapes what happens at DrupalCon. Remember, every vote counts!

      If you're a business, organization, or individual interested in helping to sponsor DrupalCon San Francisco, opportunities are still available. Contact us via the Web site, via e-mail at fundraising@drupal.com or phone at 415-894-9320 today!

      Categories: Drupal

      openSUSE Weekly News, Issue 112 is out!

      openSuSE News - Sat, 02/27/2010 - 04:15

      Issue #112 of openSUSE Weekly News is now out!

      • Honoring openSUSE Wiki Reviewing Contributions
      • Michal Hrusecky: Public openSUSE 11.3 virtual machine
      • Jared Ottley: Alfresco PDF Toolkit
      • How to make Monitor refresh 120htz
      • Guillaume DE BURE (gdebure): A call for testers KMyMoney

      For a list of available translations see this page:

      http://en.opensuse.org/OpenSUSE_Weekly_News/112/Translations.

      Categories: Linux

      USN-905-1: sudo vulnerabilities

      ubuntu News - Fri, 02/26/2010 - 13:43
      Referenced CVEs: CVE-2010-0426, CVE-2010-0427

      Description:

      ===========================================================
      Ubuntu Security Notice USN-905-1 February 26, 2010
      sudo vulnerabilities
      CVE-2010-0426, CVE-2010-0427
      ===========================================================

      A security issue affects the following Ubuntu releases:

      Ubuntu 6.06 LTS
      Ubuntu 8.04 LTS
      Ubuntu 8.10
      Ubuntu 9.04
      Ubuntu 9.10

      This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

      The problem can be corrected by upgrading your system to the following package versions:

      Ubuntu 6.06 LTS:
        sudo 1.6.8p12-1ubuntu6.1
        sudo-ldap 1.6.8p12-1ubuntu6.1

      Ubuntu 8.04 LTS:
        sudo 1.6.9p10-1ubuntu3.6
        sudo-ldap 1.6.9p10-1ubuntu3.6

      Ubuntu 8.10:
        sudo 1.6.9p17-1ubuntu2.2
        sudo-ldap 1.6.9p17-1ubuntu2.2

      Ubuntu 9.04:
        sudo 1.6.9p17-1ubuntu3.1
        sudo-ldap 1.6.9p17-1ubuntu3.1

      Ubuntu 9.10:
        sudo 1.7.0-1ubuntu2.1
        sudo-ldap 1.7.0-1ubuntu2.1

      In general, a standard system upgrade is sufficient to effect the necessary changes.

      Details follow:

      It was discovered that sudo did not properly validate the path for the 'sudoedit' pseudo-command. A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use sudoedit. The sudoedit pseudo-command is not used in the default installation of Ubuntu. (CVE-2010-0426)

      It was discovered that sudo did not reset group permissions when the 'runas_default' configuration option was used. A local attacker could exploit this to escalate group privileges if sudo was configured to allow the attacker to run commands under the runas_default account. The runas_default configuration option is not used in the default installation of Ubuntu. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2010-0427)
      Categories: Linux

      Case Study: Augusta Chronicle

      Drupal News - Fri, 02/26/2010 - 11:49

      The Augusta Chronicle, the flagship newspaper of Morris Publishing Group, recently relaunched its website on the outstanding Drupal framework.

      Morris first began using Drupal in 2005 with the launch of BlufftonToday.com, a blog-centric community website coupled with a free daily newspaper. In 2006 it adopted Drupal for both news and blogs at SavannahNow.com, the website of the Savannah Morning News. Both newspapers won Digital Edge awards for innovation in user participation.

      Since then, the digital media arm of Morris Communications, Morris DigitalWorks, has developed a robust digital newspaper platform built on Drupal 6, to eventually power all 13 of its daily newspapers. Morris also uses Drupal for its radio stations and Skirt.com, a national specialty site for women.

      Reader Participation

      Morris has made a commitment to make their online platform a dynamic arena for reader participation and contributions. Readers are encouraged to comment on stories and blogs, and, on some papers, are encouraged to create their own blogs on the site. Journalists are expected to post news online immediately and to interact with the public, and they need to be able to do it without learning HTML or tools such as FTP. These requirements made Drupal a natural choice.

      Categories: Drupal