Friday, October 26, 2007

Security fix for vulnerability in Django's internationalization framework.

A fix has been released for a security vulnerability discovered in Django's internationalization framework. The complete details are below, but the executive summary is that you should update to a fixed version of Django immediately.

You can download the fixed versions at http://www.djangoproject.com/download/. Those tracking trunk development should "svn update" as soon as possible.

Description of vulnerability
A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.

Due to limitations imposed by web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True". Nonetheless, all users of affected versions of Django will be encouraged to update.

Affected versions
Django trunk prior to revision [6608].
Django 0.96
Django 0.95 (including 0.95.1)
Django 0.91

Resolution
New versions of Django containing this fix have been released today. They alter this caching mechanism to store shortened, normalized values and to reject improperly-formatted headers.

These versions are called:

Django 0.96.1 (replaces Django 0.96)
Django 0.95.2 (replaces Django 0.95.1)
Django 0.91.1 (replaces Django 0.91)

Anyone using a stable Django release should upgrade to one of these point releases immediately. These fixed versions have already been provided to maintainers of Django packages for various OS distributions and should be released shortly.

Anyone tracking Django's trunk development should use Subversion to update to at least revision [6608].
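As an added illustration (not Django's own code), the following shows the pattern the advisory describes: a per-process cache keyed on the raw Accept-Language value beside a version that rejects malformed headers and keys the cache on a bounded, normalized parse. The supported-language set, the length and entry limits, and the header regex are all constructed for this example.

```python
import re

# Languages the hypothetical site is translated into (constructed for this example).
SUPPORTED = {"en", "en-gb", "de", "fr", "es"}

# Vulnerable pattern: the raw header value is the cache key, so every distinct,
# arbitrarily long Accept-Language string adds an entry that lives as long as the process.
_raw_cache = {}

def lookup_language_vulnerable(accept_language, default="en"):
    if accept_language not in _raw_cache:
        langs = [p.split(";")[0].strip().lower() for p in accept_language.split(",")]
        _raw_cache[accept_language] = next((l for l in langs if l in SUPPORTED), default)
    return _raw_cache[accept_language]

# Hardened pattern, following the fix described above: reject values that do not
# match the language-range grammar, normalise what is accepted, and key the cache
# by the bounded, normalised parse rather than the raw string.
ACCEPT_LANG_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(1(?:\.0{0,3})?|0(?:\.[0-9]{1,3})?))?\s*$"
)
MAX_HEADER_LEN = 256      # assumed limit; anything longer is treated as malformed
MAX_CACHE_ENTRIES = 1024  # assumed hard cap on the number of cached entries
_norm_cache = {}

def parse_accept_language(value):
    """Return [(lang, q), ...] sorted by q descending, or [] if any part is malformed."""
    if len(value) > MAX_HEADER_LEN:
        return []
    parsed = []
    for part in value.split(","):
        m = ACCEPT_LANG_RE.match(part)
        if not m:
            return []
        parsed.append((m.group(1).lower(), float(m.group(2) or "1")))
    return sorted(parsed, key=lambda item: -item[1])

def lookup_language_fixed(accept_language, default="en"):
    parsed = parse_accept_language(accept_language)
    key = tuple(parsed)  # every malformed header collapses to the single key ()
    if key not in _norm_cache:
        if len(_norm_cache) >= MAX_CACHE_ENTRIES:
            _norm_cache.clear()
        _norm_cache[key] = next((l for l, _ in parsed if l in SUPPORTED), default)
    return _norm_cache[key]

def cache_sizes():
    # (raw-keyed entries, normalised-keyed entries) for side-by-side comparison
    return len(_raw_cache), len(_norm_cache)
```

Feeding both lookups a stream of distinct oversized headers grows the raw-keyed cache by one entry per request, while the normalized cache gains a single entry for all of them.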

Tuesday, October 9, 2007

PostgreSQL 8.3 Beta 1 now ready for testing!

The PostgreSQL Global Development Group released the long-awaited
first beta of version 8.3. Thanks to an unprecedented number of new
patches, this version introduces more new and improved features than any
previous one. Of course, more new features means that 8.3 needs more
user testing than any previous version, so we're counting on you to
download it and test it with development versions of your applications.

Among the features in the new version are:

-- Greatly improved performance consistency, through HOT, Load Distributed Checkpoint, JIT bgwriter, Asynchronous Commit, and other features.
-- TSearch2 full text search integrated into the core code with improved syntax and ease of adding custom dictionaries.
-- SQL:XML syntax.
-- Logging to database-loadable CSV files.
-- Automated rebuilding of cached plans.
-- ENUMs, UUIDs and arrays of complex types.
-- GSSAPI and SSPI authentication support.


See the 8.3 Beta Page (http://www.postgresql.org/developer/beta) for more information on downloads, testing, documentation, and reporting bugs. Get started downloading the beta at:

Source code: http://www.postgresql.org/ftp/source/v8.3beta1/
Win32 Binaries: http://www.postgresql.org/ftp/binary/v8.3beta1/win32/

Thursday, October 4, 2007

openSUSE 10.3 is Now Available

Novell today announced the availability of openSUSE® 10.3, the newest version of the award-winning community Linux* distribution. Available for free download or in a convenient packaged retail edition, openSUSE 10.3 provides everything a user needs to get started with Linux. To improve the user experience, openSUSE 10.3 includes a flexible Linux-Windows dual-boot configuration, improved user interface, Microsoft* Office file compatibility with the latest OpenOffice.org office productivity suite, and enhanced multimedia support.

“The openSUSE community continues to deliver innovations and has created a new version of openSUSE that will excite a wide range of computer users,” said Andreas Jaeger, director of the openSUSE project. “OpenSUSE 10.3 provides a stable and state-of-the-art operating system based on Linux kernel 2.6.22, and it contains a large variety of the latest open source applications for desktops, servers and application development.”

Enhancements to openSUSE 10.3 include the newest versions of the GNOME* and KDE desktop environments, including a KDE 4 preview. OpenOffice.org 2.3 makes sharing files with Microsoft Office users easy, and the newest version of AppArmor™ protects the Linux operating system and applications from attacks, viruses and malicious applications. OpenSUSE 10.3 also now includes MP3 support out of the box for Banshee™ and Amarok, which are the default media players in openSUSE. In addition, openSUSE 10.3 offers the latest open source applications for developing applications, setting up a home network and running a Web server, as well as the latest virtualization software such as Xen* 3.1 and VirtualBox 1.5.

Version 10.3 makes openSUSE the first Linux distribution to take full advantage of the “1-Click Install” option, which gives openSUSE 10.3 users easy access to many more software packages residing on the openSUSE Build Service. Contributed by a single openSUSE community member, the one-click install is an example of the value openSUSE's strong community of developers, testers, writers, translators, artists and users bring to the distribution. OpenSUSE 10.3 was created by the openSUSE project, the community initiative sponsored by Novell that promotes the use of Linux everywhere. The openSUSE project has more than 54,000 registered members.

Availability and Pricing

OpenSUSE 10.3 is now available for free download at www.opensuse.org. The retail edition of openSUSE 10.3 is available on www.shopnovell.com as well as in select retail locations. It delivers the same packages as the downloadable version on an installable DVD for 32- and 64-bit architectures, and it is accompanied by a second DVD containing a large selection of additional software available at the release date. Also included are a comprehensive user manual and 90 days of installation support, all for a suggested $59.95. For retail locations and more information, visit www.novell.com/products/opensuse/resellers/index.html. For more on openSUSE 10.3 and the openSUSE project, visit www.opensuse.org and news.opensuse.org.

Tuesday, October 2, 2007

PostgresDAC ver. 2.4.0 released

Download PostgresDAC v2.4.0 right now at:
http://microolap.com/products/connectivity/postgresdac/download/

Full list of current changes:
[*] Use 8.2.5 sources and client libraries
[*] TPSQLTools will Commit transaction before VACUUM processing if needed
[*] Now TPSQLDatabase.Execute method supports query parameters and caching
[*] Low level mask comparing routines improved
[*] An exception will be raised instead of a MessageDlg call if libpq.dll is not found
[*] TPSQLDirectQuery component added
[+] TPSQLDatabase: SelectString and SelectStringDef methods added
[+] TPSQLDatabase.Reset method added
[+] TPSQLDatabase.CancelBackend method added to cancel a backend's current query
[-] Filters didn't work correctly in some cases
[-] "TPSQLTools can't perform Reindex within the current database if DatabaseName needs quoting" bug fixed
[-] "TPSQLDataset.PSExecuteStatement method fails if used with parameters" bug fixed
[-] "Recordcount function moves cursor to EOF if Filtered is True" bug fixed

Monday, October 1, 2007

psqlODBC 08.02.0500 Released

For details of the changes in this release, please see the notes at:
http://psqlodbc.projects.postgresql.org/release.html

With this release two versions of the driver are provided for Windows;
'PostgreSQL ANSI' which supports single and multibyte applications
through the ANSI ODBC API, and 'PostgreSQL Unicode' which provides
Unicode support through the Unicode ODBC API. On Unix systems, the
driver type may be selected via a configure option. MSDTC is also
supported on Windows, and 64 bit support is now included in the source
code (binaries are not yet available).

psqlODBC may be downloaded from
http://www.postgresql.org/ftp/odbc/versions/ in source, Windows
Installer, merge module, and basic zip file formats.