#wgetNoSatisfaction

Software


The video is the Rolling Stones singing (I Can’t Get No) Satisfaction, for those who can’t see the iframe.

We have another corker of a Linux bug to patch on all our systems this morning, this time in the nearly-ubiquitous GNU wget. In light of the fact all vulnerabilities need catchy names now, I’m dubbing this one #wgetNoSatisfaction. You’re welcome.

From MITRE:

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Wget 1.16 patches this. If you can’t update, enforce the --retr-symlinks option in the relevant place(s) for your system, such as:

# echo 'retr-symlinks=on' >> /usr/local/etc/wgetrc

From the Wget manpage:

Usually, when retrieving FTP directories recursively and a symbolic link is encountered, the linked-to file is not downloaded. Instead, a matching symbolic link is created on the local filesystem. The pointed-to file will not be downloaded unless this recursive retrieval would have encountered it separately and downloaded it anyway.

When --retr-symlinks is specified, however, symbolic links are traversed and the pointed-to files are retrieved. At this time, this option does not cause Wget to traverse symlinks to directories and recurse through them, but in the future it should be enhanced to do this.

As with Shellshock, FreeBSD is unaffected unless you’ve pulled wget from ports.
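To audit a fleet for the two conditions the post names (wget older than 1.16, and whether the wgetrc workaround is actually in effect), here is an added example that is not the post's own code. It assumes the wgetrc parsing rules from the wget manual: command names are case-, dash- and underscore-insensitive, lines starting with # are comments, and a later setting overrides an earlier one.

```python
"""Added example, not from the original post: decide whether a wget install
still needs the retr-symlinks workaround, from its version string and its
wgetrc contents. Assumes wget's wgetrc parsing rules as documented in the
wget manual (case-, dash- and underscore-insensitive command names, '#'
comment lines, later settings overriding earlier ones)."""
import re

FIXED_IN = (1, 16)  # the post: Wget 1.16 patches the FTP symlink traversal


def parse_version(text):
    """Extract (major, minor) from e.g. 'GNU Wget 1.15 built on linux-gnu.'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_affected(version_text):
    """True for any wget older than 1.16."""
    return parse_version(version_text) < FIXED_IN


def retr_symlinks_on(wgetrc_text):
    """True if the last active retr-symlinks line in a wgetrc turns it on."""
    state = False  # wget's default: symlinks are recreated locally, not followed
    for raw in wgetrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = re.sub(r"[-_]", "", key).strip().lower()
        if key == "retrsymlinks":
            # wget's boolean parser accepts on/yes/1 as true (assumption from init.c)
            state = val.strip().lower() in ("on", "yes", "1")
    return state


def mitigated(version_text, wgetrc_text):
    """True if this install is patched or carries the workaround from the post."""
    return not version_affected(version_text) or retr_symlinks_on(wgetrc_text)


# Constructed sample wgetrc, as it would look after the post's echo command
# was appended to a file that already disabled the option.
SAMPLE_WGETRC = "# constructed sample\nretr_symlinks = off\nretr-symlinks=on\n"

if __name__ == "__main__":
    for ver in ("GNU Wget 1.15 built on linux-gnu.", "GNU Wget 1.16"):
        print(ver, "->", "mitigated" if mitigated(ver, SAMPLE_WGETRC) else "exposed")
```

Feed it the first line of `wget --version` and the contents of the wgetrc your build actually reads (the post's /usr/local/etc/wgetrc, or /etc/wgetrc and ~/.wgetrc on most distros).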


Find PostgreSQL data dir from PostgreSQL

Annexe

This post originally appeared on the Annexe.

Assuming you can access your database:

postgres=# SHOW data_directory;

On Debian Wheezy with the official PostgreSQL repo, the default will show:

        data_directory
------------------------------
 /var/lib/postgresql/9.3/main
(1 row)

Too easy :).


PostgreSQL invalid listen_addresses

Annexe

This post originally appeared on the Annexe.

So now when I restarted Postgres:

Error: Invalid line 603 in /etc/postgresql/9.3/main/postgresql.conf: \
>listen_addresses="localhost,10.0.1.2"

See the bug? Yes, double quotes instead of single. From postgresql.conf:

listen_addresses='localhost, 10.0.1.2'

It’s been a long Monday!


PostgreSQL invalid IP mask

Annexe

This post originally appeared on the Annexe.

Getting the following error when trying to start Postgres:

UTC LOG:  invalid IP mask "md5": Name or service not known

Turns out, it’s because I forgot to define the subnet mask for the allowed IP, so PostgreSQL read the next column, the auth method md5, as the netmask. Weird behaviour; I would have expected it to look for a mask only after a slash.

An example for pg_hba.conf:

host replication postgres 10.0.1.10/24 md5

And an example of my bad one:

host replication postgres 10.0.1.10 md5
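A small lint for this exact mistake, as an added example that is not the post's own code: it walks pg_hba.conf lines the way PostgreSQL does (CIDR address, or bare address followed by a dotted netmask column, or hostname) and reports when an address without a /prefix would swallow the auth method as its netmask. The column layout and the auth-method names are assumed from the PostgreSQL documentation, not stated in the post.

```python
# Added example (not the post's code); pg_hba column layout and auth-method
# names are assumed from the PostgreSQL docs rather than stated in the post.
import ipaddress

AUTH_METHODS = ("trust", "reject", "md5", "password", "peer", "ident", "cert")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def check_host_line(line):
    """Return None if the line parses as PostgreSQL would, else a diagnostic."""
    tok = line.split("#", 1)[0].split()
    if not tok or tok[0] not in ("host", "hostssl", "hostnossl"):
        return None  # blank, comment and 'local' lines have no address column
    if len(tok) < 5:
        return f"too few columns: {' '.join(tok)!r}"
    addr, rest = tok[3], tok[4:]
    if "/" in addr:  # CIDR form: the next column is the auth method
        try:
            ipaddress.ip_network(addr, strict=False)
        except ValueError:
            return f"bad CIDR address {addr!r}"
        method = rest[0]
    elif _is_ip(addr):  # bare IP: PostgreSQL expects a dotted netmask next
        if not _is_ip(rest[0]):
            return (f"{addr!r} has no /prefix, so {rest[0]!r} is read as the "
                    "netmask; add a CIDR suffix or a dotted-quad mask column")
        if len(rest) < 2:
            return "missing auth method after the netmask"
        method = rest[1]
    else:  # a hostname: no mask column, the next column is the auth method
        method = rest[0]
    return None if method in AUTH_METHODS else f"unknown auth method {method!r}"

def lint(text):
    """(line number, diagnostic) pairs for every line check_host_line rejects."""
    results = ((n, check_host_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, msg) for n, msg in results if msg]

# Constructed sample: the post's good line, its bad line, and a netmask-column form.
SAMPLE_PG_HBA = """\
# constructed sample
host replication postgres 10.0.1.10/24 md5
host replication postgres 10.0.1.10 md5
host all all 10.0.1.0 255.255.255.0 md5
"""
```

Running `lint(open("/etc/postgresql/9.3/main/pg_hba.conf").read())` before a restart catches the "invalid IP mask" case without waiting for the server log.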

Authors of your own misfortune

Thoughts

This article by Harry Leslie Smith in The Guardian is emblematic of so much of the world right now. No, he’s not a young “bleeding heart” progressive, he’s a farmer who fought in World War II.

This belief that the disadvantaged and the unemployed are the authors of their own misfortune has rained down hard on our young people. Since the 2008 crash, the young of Britain have faced crippling unemployment rates that still hover around 16%, exorbitant higher education costs and housing expenses that guarantee a lifetime of debt repayment.

The same could be said about many, many places. Here in Sydney for example, young people face one of the most unaffordable housing markets in the world. With our new government, university deregulation could triple student fees and our universal healthcare system may require co-payments for the first time. In light of Gough Whitlam’s recent departure, it’s all the more sinister.

Unfortunately, this nonsense comes from both sides. One of the more insidious motivational lines we’ve all heard usually goes something like this:

“With passion and motivation, you can achieve anything!”

The unavoidable corollary is that people who aren’t accomplishing their dreams merely lack passion or motivation. It places the blame for people’s circumstances directly on them. Pardon the French, but that’s as bullshit as those who parrot “personal responsibility” in defence of welfare cuts.

I say this as a middle class Caucasian Australian male in his late twenties with a university degree and a stable job. I can take some credit for this, but my circumstances have made it easier in ways I can’t even appreciate. To say nothing of the government assistance that let me study. I’m extremely lucky, and damn it if I need reminding of it sometimes.

Where was I going with this? Oh yeah, stop blaming the victims.


Decorations

Media

Calm down with the decorations. It's October!


Keyloggers

Hardware

Travis on the GRC Security newsgroup:

The question still is “Do you trust Microsoft?” Every OS ever made has/had a keylogger built it, [sic] it’s called a keyboard driver.

And Steve’s response:

Keyboard drivers don’t keep a log.


Those DNS network ports

Internet

I’m aware this is specific product documentation, but I found the first few lines of this post far too amusing.

Network Ports Used by DNS
Applies To: Windows Server 2008


BetterSnapTool window tiling for OS X

Software

BetterSnapTool icon

My review on the App Store:

You can assign hot keys, drag windows to tile, everything I’ve wanted in a utility like this. I’m still a Xmonad user at heart, but this is the best you’ll get on Mac. A great app :)

It’s AU$2.49. Thank you Andreas Hegenberg :).


Gough Whitlam 1916–2014

Thoughts

Gough Whitlam in 1957

Ladies and gentlemen, we may well say “God save the Queen”, because nothing will save the Governor-General!

One of the great progressive Prime Ministers in Australian history. Both my parents, but especially my mum, loved what he did.

At the time, he granted exemptions for military conscription, ended Australian involvement in the Vietnam War, abolished university fees and voted for sanctions against apartheid South Africa. Thanks to his 1970s cabinet, Australia has universal healthcare, recognises Australian Aboriginal land titles, abolished the death penalty, allows for no-fault divorce, has some of the world’s strongest consumer protections, and a managed national parks system.

As Lindsay Tanner so eloquently wrote in 2011:

Whitlam and his government changed the way we think about ourselves. The curse of sleepy mediocrity and colonial dependency, so mercilessly flayed in 1964 by Donald Horne in The Lucky Country, was cast aside. Outdated social attitudes were brutally confronted. The tribal conservatism of the ’50s that had been slowly eroded by prolonged prosperity was unable to withstand this concerted assault. The Australia in which Indigenous people were seen as subhuman, women were second-class citizens, censorship of artistic work was commonplace, nature was solely for exploitation, electoral laws were rigged and community leaders were rewarded with knighthoods was relegated to the history books.

It’s hard to imagine a modern Australia without Mr Whitlam’s contributions. RIP.

News coverage and articles