
LWN.net Weekly Edition for September 23, 2004

The USB that ate Linux

Robert X. Cringely has reported on a new threat to Linux: a Microsoft-driven version of the USB standard which will not be usable by Linux. The article is rather short on details, but the idea seems to be that only "trusted" USB devices could be written to, and the mechanism for identifying and communicating with these devices would be closed. You'll be able to install Linux on your future motherboard, but it will not be able to work with the new USB devices.

This sort of story comes around fairly regularly. Long-time LWN readers will remember some past worries:

  • Once upon a time, the "Merced" architecture from Intel was to be the future of computing. Unfortunately, Merced was under nondisclosure, and, in any case, getting gcc to generate code for that architecture was said to be beyond the capabilities of its developers. In reality, Merced, later named Itanium, had top-quality Linux support from the beginning. We're still waiting for the "future of computing" part, though.

  • The I2O specification was kept under wraps for some time, and it looked like Linux would be unable to drive any I2O-based hardware. Richard Stallman called I2O "a broad plan to keep hardware specifications secret". As it turned out, the specifications were released, and Linux supports I2O without trouble.

In other words, we have seen this sort of thing before. Fears of Linux-killer hardware turned out to be misplaced even in the 1990's, when Linux was a far smaller commercial force than it is now. In the current climate, it is hard to imagine the hardware companies adopting a fundamental technology (a processor or bus architecture, say) that was deliberately closed to non-Microsoft operating systems. Not all vendors rush out to embrace Linux, BSD, and MacOS users, but few will see a business case in explicitly excluding them. Especially if that exclusion would consolidate the position of a company which has not always distinguished itself with its considerate treatment of its "partners."

On the other hand, proprietary hardware and digital restrictions management schemes do bear watching. The troubles Linux has had with playing DVDs have been well documented. The "broadcast flag" will restrict the ability of Linux systems to work with digital radio receivers in the future. "Trusted computing" schemes may keep Linux off some hardware altogether. There are threats out there, but an exclusionary USB specification is probably not one of them. Nobody besides Cringely seems to know much about this new USB standard, however, and the Linux USB developers are not particularly worried about it. For the time being, the rest of us probably need not worry either.

Comments (7 posted)

What's coming in Fedora Core 3

September 22, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The final release of Fedora Core 3 isn't expected until November 1, but with the release of Fedora Core 3 test 2 (FC3t2) on Monday (a week later than originally planned) we decided to check in and see what users could expect from the next release of Fedora Core. We also contacted Red Hat to see if Cristian Gafton or another representative would be available to talk about Fedora, and its relation to Red Hat's commercial products, but they were unable to provide a representative to speak to LWN by deadline.

This release marks the addition of the GNOME 2.8 release candidate, KDE 3.3.0, X.org 6.8.0, and the udev device model.

We gave FC3t2 a try on an Athlon XP 2000 system with 1 GB of RAM. One thing we noticed was that the media check failed all of the disks we burned, but we were able to perform an install from the media without any problems. This seems to be an issue that came up during tests of FC3 test 1 as well. While bugs and glitches are to be expected in test releases, we note this particular issue so that users trying out FC3t2 do not burn through a stack of blanks in a futile attempt to burn four good disks.

Users will find that the default partitioning has changed a bit since Fedora Core 2. By default, the installer will attempt to set up LVM rather than the standard "simple" partitioning most Linux users are used to. There seem to be a few bugs left in the partitioning tool, as the installer informed us we were "probably out of disk space" when attempting to install. However, when we performed an install using a standard partitioning scheme, all went well. No doubt, this will be ironed out by the time that FC3 final is released.

Fedora Core 3 marks the Fedora team's second stab at SELinux, and they are asking that users give SELinux another try as well. According to Colin Walters, this release marks a scaled-back approach that should cause fewer problems while still providing additional security for "select system daemons."

Instead of the original "strict" policy which covered everything, a new "targeted" policy has been developed which only applies SELinux restrictions to a few select system daemons. Regular user login sessions are unrestricted.

The initial approach to SELinux was probably a too-radical departure for many users, so we're happy to see the Fedora team taking a more moderate approach that will (we hope) build support for SELinux over time.

However, the actual documentation and tools for SELinux leave a bit to be desired, as Matias Feliciano points out on the fedora-devel list. While the "targeted" policy is "mostly invisible" to the end-user, so is the documentation for users who want to customize and tweak their SELinux policy.

FC3t2 marks the introduction of the udev device model to Fedora. udev provides the function of devfs in userspace, creating a dynamic /dev with consistent naming of devices. Users upgrading from test 1 or installing udev on test 1 reported a few bugs, but we didn't see any problems with udev from a clean install.

Despite the occasional glitch in the test release, FC3 is shaping up nicely. It's not a radical change from FC2; most of the changes are package upgrades and further refinement of existing features. The udev device model is probably one of the biggest changes that users will see in FC3.

It bears mentioning that the Fedora Core development process still seems to be shy on community involvement. However, Red Hat and the Fedora team have provided a usable Linux distribution with many of the cutting-edge technologies that users want to try. From that perspective, we think that Fedora has become a success.

Comments (4 posted)

Reforming WIPO

There is a movement afoot, initially pushed by Brazil and Argentina, to change the mission of the World Intellectual Property Organization (WIPO). An information page is available. There is also the text of a declaration (PDF) which will be debated in Geneva on September 30. "As an intergovernmental organization, however, WIPO embraced a culture of creating and expanding monopoly privileges, often without regard to consequences. The continuous expansion of these privileges and their enforcement mechanisms has led to grave social and economic costs, and has hampered and threatened other important systems of creativity and innovation.... We do not ask that WIPO abandon efforts to promote the appropriate protection of intellectual property, or abandon all efforts to harmonize or improve these laws. But we insist that WIPO work from the broader framework described in the 1974 agreement with the UN, and to take a more balanced and realistic view of the social benefits and costs of intellectual property rights as a tool, but not the only tool, for supporting creativity [and] intellectual activity."

Comments (3 posted)

LWN update

Occasionally we get a message noting that we have not been posting "LWN update" articles, and wondering how things are going. We are still trying to keep a lid on such articles, but we're about to hit an important anniversary. It is now two years since we began the subscription experiment, so the time seems right for a look at how things are going.

Our goal at the outset was 4,000 subscribers. As of this writing, LWN has just under 3,300 active, paid subscriptions - up from about 2,700 at this time last year. Things are clearly headed in the right direction, even if they are not yet where we would like them to be. The next big test will be to see what happens over the next month as the "great expiration" sets in. We got a big group of subscribers right at the beginning, and many of their subscriptions will expire (again) in the next few weeks. Last year's "great renewal" brought in enough cash to see through the slow parts of the year (we're sure glad we hung onto it at the beginning); with luck that will happen again. Our subscription renewal rate tends to be quite high, and you can be sure that we are grateful for it.

We're looking to add more new subscribers, of course. The external authors program has helped to fill out our content, but LWN could really benefit from another editor who could write original content and provide a bit of redundancy. We will continue to work to find those subscribers; going out and marketing LWN to new readers has proved to be a challenge, however.

Meanwhile, we plan to continue to do our best to provide top-quality, comprehensive coverage of the Linux and free software community. Many thanks for your continued support; it is a pleasure to write for this group of readers.

[As an aside: we have noted for a while a certain number of people creating accounts without giving us working email addresses, then trying to sign up for our mailing lists. That is clearly not going to work. If you do not get the mail you expect, please try going into the My Account area and making sure we're sending it somewhere useful.]

Comments (17 posted)

Page editor: Jonathan Corbet

Security

An introduction to SELinux

September 22, 2004

This article was contributed by Jake Edge.

It has taken nearly four years for Security Enhanced Linux (SELinux) to make its way into some of the more mainstream distributions, but that process is accelerating. First released by the US National Security Agency (NSA), in December 2000, SELinux has been incorporated into Fedora Core 2 (and the test versions of Fedora Core 3), Debian and Gentoo and will likely see more distributions that support it and more deployments in the future. It seems like a good time to take an in-depth look at how SELinux can increase the security of Linux.

Linux, like UNIX, has its security based on what is known as Discretionary Access Control (DAC) which means that access to objects is governed by the identity of an authenticated user. It is discretionary because the user can (sometimes unwittingly) pass their permissions to others on the system. A simple "chmod a+w somefile" is an example of a command that a Linux user can execute that opens up permissions on a file to all other users in the system. In addition, any program that is run by a user has at least the permissions of that user. This allows malicious, badly configured, or exploitable programs to use the full permissions of the user executing them and can lead to unexpected security breaches. If, for example, the cat program had an exploitable buffer overrun bug and a particular file could trigger that bug and cause it to delete the files in a user's home directory, standard Linux access control would not prevent it. Any user that could be tricked into executing cat badfile would be susceptible.

SELinux, on the other hand, uses a Mandatory Access Control (MAC) mechanism that seeks to only allow a program the access it needs to do its job and not all the access that the user running it has. In the example above, cat could be configured to only have read access to any files that the user has read access to and any attempt to write or delete any file in the system would be prevented. The administrator can prevent programs from having unneeded access and only allow the user to grant that portion of their access that is needed by the normal functioning of the program. MAC embodies the idea that "those things which are not explicitly permitted are forbidden."

At its core, SELinux defines a security attribute called a type and assigns types to various resources handled by the kernel: processes, files, directories, sockets, etc. The usage of the term type is unfortunate in that it implies all files would be one type, all directories another, etc. This is not the case as each individual resource could have its own type. Each type in the system is associated with a set of rights for each other type in the system and those rights govern what kinds of operations can be performed. This model is known as Type Enforcement (TE) and is the subject of a patent granted to Secure Systems Corp. (SSC), one of the contractors that worked with the NSA on parts of SELinux. At one time there were concerns that the patent would preclude SELinux from being distributed under the GPL, but the SSC Statement of Assurance seems to have alleviated those concerns. SELinux augments the traditional TE model with the addition of Role-Based Access Control (RBAC). Instead of directly associating a user with a type, RBAC associates users with one or more roles in the system and associates one or more types with each of those roles. The permissions checks are still handled by the TE system and RBAC just provides a simpler way to manage users.

SELinux provides a much richer set of permissions than the read, write, execute permissions that UNIX users are used to. There are separate permissions that govern all of the kinds of operations you can do on a file (create, delete, rename, unlink, etc.) as well as specific kinds of permissions for directories, sockets, semaphores, etc. Permissions are stored as bits in an access vector and SELinux has three types of these vectors: allowed, auditallow, and auditdeny. The allowed vector governs whether the operation is permitted. Auditallow and auditdeny determine whether the operation is logged if it is allowed or denied.

It should be noted that all of the permissions checking that is done by SELinux is done after the normal Linux permissions checks are performed. If a user cannot read a file due to the rwx permissions, the SELinux access control mechanism is not consulted.
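The paragraphs above describe three things that are easy to conflate: the ordinary mode-bit check runs first and SELinux is consulted only when that check passes; Type Enforcement looks rights up by (source type, target type, object class) and denies anything not explicitly allowed; and the allowed, auditallow and auditdeny vectors decide, separately, what is permitted and what is logged. The following toy model is an added illustration written for this article, not SELinux code: the policy table, bit layout and every name in it (cat_t, user_home_t, user_r, check_access, and so on) are constructed for the example. It works the article's "cat badfile" scenario through both layers.

```python
"""Toy model of DAC-then-MAC checking with Type Enforcement access vectors.

Added illustration, not SELinux source.  Models: (1) the DAC mode-bit
check runs first and SELinux is not consulted if it fails; (2) TE rules are
keyed by (source type, target type, class) and a missing rule means deny;
(3) allowed / auditallow / auditdeny vectors, the last two only controlling
whether the decision is logged.  All names and values are constructed.
"""
from dataclasses import dataclass
from enum import IntFlag
from typing import Dict, List, Optional, Set, Tuple


class Perm(IntFlag):
    """Bits of a (much reduced) access vector for the 'file' class."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    UNLINK = 8


ALL_PERMS = Perm.READ | Perm.WRITE | Perm.EXECUTE | Perm.UNLINK


@dataclass
class AccessVectors:
    allowed: Perm = Perm(0)       # default: nothing permitted
    auditallow: Perm = Perm(0)    # default: do not log grants
    auditdeny: Perm = ALL_PERMS   # default: log every denial


@dataclass
class Node:
    """A file or directory: UNIX owner/group/mode plus its SELinux type."""
    cls: str                      # "file" or "dir"
    owner: str
    group: str
    mode: int                     # e.g. 0o644
    setype: str
    parent: Optional["Node"] = None


@dataclass
class Subject:
    """A process: the user it runs as plus its SELinux role and type."""
    user: str
    groups: Set[str]
    role: str
    setype: str


@dataclass
class Decision:
    granted: bool
    stage: str                    # "dac" or "mac": which layer answered
    audited: bool                 # whether SELinux wrote an audit record


# RBAC layer (constructed): roles a user may hold, types a role may run.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"user_r"}, "bob": {"user_r"}}
ROLE_TYPES: Dict[str, Set[str]] = {"user_r": {"cat_t"}}

# TE policy (constructed): a cat_t process may read user_home_t files, only.
POLICY: Dict[Tuple[str, str, str], AccessVectors] = {
    ("cat_t", "user_home_t", "file"): AccessVectors(allowed=Perm.READ),
}


def _dac_bits(subj: Subject, node: Node) -> int:
    """Pick the rwx triple that applies to this subject (owner/group/other)."""
    if subj.user == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in subj.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def dac_allows(subj: Subject, node: Node, perm: Perm) -> bool:
    """Classic UNIX discretionary check.  Unlinking is governed by write
    permission on the containing directory, not on the file itself."""
    if perm == Perm.UNLINK:
        return node.parent is not None and bool(_dac_bits(subj, node.parent) & 0o2)
    bit = {Perm.READ: 0o4, Perm.WRITE: 0o2, Perm.EXECUTE: 0o1}[perm]
    return bool(_dac_bits(subj, node) & bit)


def check_access(subj: Subject, node: Node, perm: Perm,
                 audit_log: List[str]) -> Decision:
    # 1. DAC first: if the mode bits refuse, SELinux is never consulted.
    if not dac_allows(subj, node, perm):
        return Decision(False, "dac", False)
    # 2. RBAC: the user must hold the role and the role must permit the type.
    if (subj.role not in USER_ROLES.get(subj.user, set())
            or subj.setype not in ROLE_TYPES.get(subj.role, set())):
        audit_log.append(f"denied role={subj.role} type={subj.setype} user={subj.user}")
        return Decision(False, "mac", True)
    # 3. TE: no rule means an empty 'allowed' vector, i.e. forbidden.
    av = POLICY.get((subj.setype, node.setype, node.cls), AccessVectors())
    granted = bool(av.allowed & perm)
    audited = bool((av.auditallow if granted else av.auditdeny) & perm)
    if audited:
        verdict = "granted" if granted else "denied"
        audit_log.append(f"{verdict} {perm.name} scontext={subj.setype} "
                         f"tcontext={node.setype} tclass={node.cls}")
    return Decision(granted, "mac", audited)


def demo() -> Tuple[Decision, Decision, Decision, List[str]]:
    """The article's exploited-cat scenario worked through the model."""
    log: List[str] = []
    home = Node("dir", "alice", "alice", 0o755, "user_home_t")
    note = Node("file", "alice", "alice", 0o644, "user_home_t", parent=home)
    cat_as_alice = Subject("alice", {"alice"}, "user_r", "cat_t")
    cat_as_bob = Subject("bob", {"bob"}, "user_r", "cat_t")
    read_ok = check_access(cat_as_alice, note, Perm.READ, log)    # both layers allow
    unlink = check_access(cat_as_alice, note, Perm.UNLINK, log)   # DAC allows, TE denies
    bob_write = check_access(cat_as_bob, note, Perm.WRITE, log)   # DAC denies; SELinux silent
    return read_ok, unlink, bob_write, log


if __name__ == "__main__":
    r, u, w, log = demo()
    for d in (r, u, w):
        print(d)
    print("\n".join(log))
```

The second call is the interesting one: alice owns her home directory, so plain UNIX permissions would let a subverted cat unlink the file, but the type-enforcement rule for cat_t only grants read, so the deletion is refused and, because auditdeny covers every permission by default, a denial record is written. The third call shows the ordering point from the text: bob is refused by the mode bits alone, so no SELinux decision is made and nothing reaches the SELinux audit log.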

One would guess that, with all of this fine-grained control over permissions, SELinux would be very complex to set up, and that is true; but the NSA and the distributions have done a great deal of the necessary groundwork. As part of their release, the NSA also released policy definitions to be used as a starting point for SELinux administrators. Various distributions have tweaked these definitions for their specific needs, but it is still a very complex and somewhat fragile framework. This author had difficulty with various cron jobs on a Fedora Core 2 SELinux system, and the mailing list archives have quite a few queries from administrators trying to get the permissions set correctly for their specific needs. Based on this message, it would appear that Fedora Core 3 has ratcheted down the checking that SELinux will do in the default install.

An upcoming article will take a more "hands-on" approach to exploring SELinux using Fedora Core 3 test 2, including a look at the policies defined and how they are used to provide more protection than a standard Linux installation.

Comments (35 posted)

New vulnerabilities

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

glFTPd: Local buffer overflow vulnerability

Package(s):glFTPd CVE #(s):
Created:September 21, 2004 Updated:September 22, 2004
Description: The glFTPd server is vulnerable to a buffer overflow in the 'dupescan' program. This vulnerability is due to an unsafe strcpy() call which can cause the program to crash when a large argument is passed. A local user with malicious intent can pass a parameter to the dupescan program that exceeds the size of the buffer, causing it to overflow. This can lead the program to crash, and potentially allow arbitrary code execution with the permissions of the user running glFTPd, which could be the root user.
Alerts:
Gentoo 200409-27 2004-09-21

Comments (none posted)

heimdal: root escalation

Package(s):heimdal CVE #(s):CAN-2004-0794
Created:September 16, 2004 Updated:September 22, 2004
Description: The Heimdal FTP daemon has several bugs that can allow a remote attacker to gain root privileges.
Alerts:
Debian DSA-551-1 2004-09-21
Gentoo 200409-19 2004-09-16

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

phpGroupWare: cross site scripting vulnerability

Package(s):phpgroupware CVE #(s):
Created:September 16, 2004 Updated:September 22, 2004
Description: The wiki module in phpGroupWare has a cross-site scripting vulnerability.
Alerts:
Gentoo 200409-22 2004-09-16

Comments (none posted)

SnipSnap: HTTP errors

Package(s):snipsnap-bin CVE #(s):
Created:September 22, 2004 Updated:September 22, 2004
Description: SnipSnap, a content management system, is vulnerable to several "HTTP response splitting" attacks, leading to cross-site scripting and cache poisoning problems. Version 1.0_beta1 fixes things.
Alerts:
Gentoo 200409-23 2004-09-17

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

cups: denial of service

Package(s):cups cupsys CVE #(s):CAN-2004-0558
Created:September 15, 2004 Updated:October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Alerts:
Conectiva CLA-2004:872 2004-10-14
Fedora FEDORA-2004-275 2004-09-28
Slackware SSA:2004-266-01 2004-09-22
Whitebox WBSA-2004:449-01 2004-09-20
Gentoo 200409-25 2004-09-20
SuSE SUSE-SA:2004:031 2004-09-15
Red Hat RHSA-2004:449-01 2004-09-15
Mandrake MDKSA-2004:097 2004-09-15
Debian DSA-545-1 2004-09-15

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Gaim: remote code execution vulnerability

Package(s):gaim CVE #(s):CAN-2004-0500
Created:August 12, 2004 Updated:October 18, 2004
Description: The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

httpd: mod_ssl input filter denial of service vulnerability

Package(s):httpd CVE #(s):CAN-2004-0748
Created:September 2, 2004 Updated:September 23, 2004
Description: Apache httpd has a denial of service vulnerability in mod_ssl in which an attacker can force an SSL connection to abort, resulting in the Apache child process entering an infinite loop. This affects httpd versions up to and including 2.0.50.
Alerts:
Fedora FEDORA-2004-313 2004-09-23
Conectiva CLA-2004:868 2004-09-23
SuSE SUSE-SA:2004:030 2004-09-06
Red Hat RHSA-2004:349-01 2004-09-01

Comments (none posted)

apache2: IPv6 denial of service

Package(s):httpd apache2 CVE #(s):CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created:September 15, 2004 Updated:October 6, 2004
Description: Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Alerts:
Debian DSA-558-1 2004-10-06
Trustix TSLSA-2004-0047 2004-09-16
Mandrake MDKSA-2004:096 2004-09-15
Gentoo 200409-21 2004-09-16
Fedora FEDORA-2004-308 2004-09-16
Fedora FEDORA-2004-307 2004-09-16
SuSE SUSE-SA:2004:032 2004-09-15
Red Hat RHSA-2004:463-01 2004-09-15

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kdebase: multiple vulnerabilities

Package(s):kdebase CVE #(s):CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:August 12, 2004 Updated:October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country specific secondary top level domains.
Alerts:
Red Hat RHSA-2004:412-01 2004-10-04
Conectiva CLA-2004:864 2004-09-13
Fedora FEDORA-2004-293 2004-09-08
Fedora FEDORA-2004-292 2004-09-08
Fedora FEDORA-2004-291 2004-09-08
Fedora FEDORA-2004-290 2004-09-08
Slackware SSA:2004-247-01 2004-09-03
Mandrake MDKSA-2004:086 2004-08-20
Debian DSA-539-1 2004-08-17
Gentoo 200408-13 2004-08-12

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):kernel CVE #(s):CAN-2004-0497
Created:July 2, 2004 Updated:September 27, 2004
Description: During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:
Conectiva CLA-2004:869 2004-09-27
Gentoo 200407-16 2004-07-22
Whitebox WBSA-2004:360-01 2004-07-07
Mandrake MDKSA-2004:066 2004-07-06
SuSE SUSE-SA:2004:020 2004-07-02
Fedora FEDORA-2004-206 2004-07-02
Fedora FEDORA-2004-205 2004-07-02
Red Hat RHSA-2004:354-01 2004-07-02
Red Hat RHSA-2004:360-01 2004-07-02

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, to work around this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

krb5: double-free and ASN.1 parsing

Package(s):krb5 CVE #(s):CAN-2004-0642 CAN-2004-0643 CAN-2004-0644 CAN-2004-0772
Created:August 31, 2004 Updated:September 21, 2004
Description: Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. See CAN-2004-0644. See this CERT advisory for additional information.
Alerts:
Whitebox WBSA-2004:350-01 2004-09-20
OpenPKG OpenPKG-SA-2004.039 2004-09-13
Conectiva CLA-2004:860 2004-09-09
Gentoo 200409-09 2004-09-06
Trustix TSLSA-2004-0045 2004-09-02
Mandrake MDKSA-2004:088 2004-08-31
Debian DSA-543-1 2004-08-31
Fedora FEDORA-2004-277 2004-08-31
Fedora FEDORA-2004-276 2004-08-31
Red Hat RHSA-2004:350-01 2004-08-31
Red Hat RHSA-2004:448-01 2004-08-31

Comments (none posted)

lha: stack-based buffer overflow

Package(s):lha CVE #(s):CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created:September 2, 2004 Updated:October 14, 2004
Description: The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive.
Alerts:
Fedora-Legacy FLSA:1833 2004-10-13
Whitebox WBSA-2004:323-01 2004-09-20
Gentoo 200409-13 2004-09-08
Fedora FEDORA-2004-295 2004-09-08
Fedora FEDORA-2004-294 2004-09-08
Red Hat RHSA-2004:323-01 2004-09-01

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that release did not fully fix it, version 2.7.10 has since been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

OpenOffice: information disclosure

Package(s):openoffice.org CVE #(s):CAN-2004-0752
Created:September 15, 2004 Updated:October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Alerts:
Gentoo 200410-17 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s):putty CVE #(s):
Created:August 5, 2004 Updated:October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200410-29 2004-10-27
Gentoo 200408-04 2004-08-05

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rsync: path-sanitizing bug

Package(s):rsync CVE #(s):CAN-2004-0792
Created:August 16, 2004 Updated:November 1, 2004
Description: This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2), but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (these names happen to get sanitized twice, so the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written.
Alerts:
Conectiva CLA-2004:881 2004-11-01
Slackware SSA:2004-285-01 2004-10-12
Whitebox WBSA-2004:436-01 2004-09-20
Red Hat RHSA-2004:436-01 2004-09-01
Fedora FEDORA-2004-269 2004-08-19
Fedora FEDORA-2004-268 2004-08-19
Gentoo 200408-17 2004-08-17
Mandrake MDKSA-2004:083 2004-08-17
Netwosix NW-2004-0017 2004-08-17
Trustix TSLSA-2004-0042 2004-08-17
tinysofa TSSA-2004-020-ES 2004-08-16
Debian DSA-538-1 2004-08-17
SuSE SUSE-SA:2004:026 2004-08-16
OpenPKG OpenPKG-SA-2004.037 2004-08-15

Comments (none posted)

ruby: insecure file permissions

Package(s):ruby CVE #(s):CAN-2004-0755
Created:August 16, 2004 Updated:October 14, 2004
Description: Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the web server to take over a session.
Alerts:
Fedora FEDORA-2004-264 2004-10-15
Red Hat RHSA-2004:441-01 2004-09-30
Gentoo 200409-08 2004-09-03
Debian DSA-537-1 2004-08-16

Comments (none posted)

Samba: Denial of Service vulnerabilities

Package(s):samba CVE #(s):CAN-2004-0807 CAN-2004-0808
Created:September 13, 2004 Updated:September 22, 2004
Description: There is a defect in smbd's ASN.1 parsing. A bad packet received during the authentication request could throw newly-spawned smbd processes into an infinite loop (CAN-2004-0807). Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process (CAN-2004-0808). See this advisory for details.
Alerts:
Red Hat RHSA-2004:467-01 2004-09-22
OpenPKG OpenPKG-SA-2004.040 2004-09-15
Trustix TSLSA-2004-0046 2004-09-14
Slackware SSA:2004-257-01 2004-09-13
Mandrake MDKSA-2004:092 2004-09-13
Fedora FEDORA-2004-305 2004-09-13
Fedora FEDORA-2004-304 2004-09-13
Gentoo 200409-16 2004-09-13

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote denial of service vulnerability that may also allow arbitrary code to be executed on a server running svnserve. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

SUS 2.0.2 local root vulnerability

Package(s):SUS CVE #(s):
Created:September 14, 2004 Updated:September 15, 2004
Description: SUS is a setuid root program that allows ordinary users to execute certain programs with superuser privileges. SUS is run by default as setuid root. A simple format string bug in the log() function allows any local user to gain root privileges. See this BugTraq advisory for more information.
Alerts:
Gentoo 200409-17 2004-09-14

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
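The check that the vulnerable tar and unzip versions lack is easy to state: before an archive member is written, its name must be shown to stay inside the extraction directory. The following is an example added here by the editor, not code from GNU tar or unzip. It builds a small constructed archive in memory with a benign file, a "../" entry, an absolute path and a symlink whose target escapes, and lists the members a safe extractor should refuse. The normalisation step goes slightly beyond the description above: it also catches names like "a/../../x" that have no literal leading "../", and link targets that point outside the tree.

```python
import io
import posixpath
import tarfile
from typing import List


def is_unsafe_member(name: str) -> bool:
    """True if a member name could land outside the extraction directory.

    Absolute names are rejected outright; relative names are normalised
    first so that "docs/../../x" is caught as well as a literal "../x".
    """
    if not name or name.startswith("/") or name.startswith("\\"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> List[str]:
    """Names of members a safe extractor should refuse to write.

    Symlink targets are resolved relative to the member's own directory,
    which is how the link would behave once created; hard link targets
    are archive-relative already.
    """
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if is_unsafe_member(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                if m.issym():
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                else:
                    target = m.linkname
                if is_unsafe_member(target):
                    bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed sample archive for the example (not a real-world artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("docs/readme.txt", b"harmless"),
            ("../../.bashrc", b"overwrites a dotfile in the user's home"),
            ("/etc/passwd", b"absolute path, ignored by no check at all"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/escape")      # docs/escape -> ../../etc
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refusing:", name)
```

Run stand-alone it prints the three offending members; in an extractor the same list would be the set of entries to skip (or the reason to reject the whole archive) before any file is created.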
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

Webmin, Usermin: Multiple vulnerabilities in Usermin

Package(s):webmin usermin CVE #(s):CAN-2004-0559
Created:September 13, 2004 Updated:September 23, 2004
Description: There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without properly checking if it exists first.

The first vulnerability allows a remote attacker to inject arbitrary shell code in a specially-crafted e-mail. This could lead to remote code execution with the privileges of the user running Webmin or Usermin.

The second could allow local users who know Webmin or Usermin is going to be installed to cause arbitrary files to be overwritten by creating a symlink named /tmp/.webmin that points to some target file, e.g. /etc/passwd.
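The /tmp/.webmin symlink problem is the same class of bug as the temporary file entries above (logcheck, netpbm, sysstat, xine-ui, OpenOffice.org): a privileged or victim process opens a predictable name in a world-writable directory without checking whether something is already there. The following example, added here by the editor and not taken from Webmin or any of the advisories, plays the scenario out in a private scratch directory. It contrasts a plain open(..., "wb"), which follows a pre-planted symlink and rewrites its target, with creation under O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), which makes the kernel refuse an existing path, symlink included. All file names are constructed for the example.

```python
import errno
import os
import stat
import tempfile


def unsafe_create(path: str, data: bytes) -> None:
    """The pattern the advisory describes: open a fixed name in a shared
    directory without checking whether it already exists.  open(..., "wb")
    is O_WRONLY|O_CREAT|O_TRUNC, which follows a pre-planted symlink and
    truncates and rewrites its target with the caller's privileges."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Create the file only if nothing exists at that name.  O_EXCL makes
    the kernel fail the open if the path exists (a symlink counts as
    existing, regardless of where it points); O_NOFOLLOW is a second line
    of defence where available; mode 0600 keeps the result private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Run both variants against an attacker-planted symlink and report
    what happened.  Everything here lives in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target_file")   # stands in for /etc/passwd
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        link = os.path.join(tmp, ".webmin")          # stands in for /tmp/.webmin
        os.symlink(target, link)

        unsafe_create(link, b"clobbered\n")          # write lands on the target
        with open(target, "rb") as fh:
            after_unsafe = fh.read()

        try:
            safe_create(link, b"never written\n")    # must be refused
            safe_refused = False
        except OSError as exc:
            safe_refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        with open(target, "rb") as fh:
            after_safe = fh.read()

        fresh = os.path.join(tmp, "fresh_file")      # no attacker present
        safe_create(fresh, b"private\n")
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)

        return {
            "after_unsafe": after_unsafe,
            "safe_refused": safe_refused,
            "after_safe": after_safe,
            "fresh_mode_ok": (fresh_mode & 0o077) == 0,
        }


if __name__ == "__main__":
    print(demo())
```

The "safe" variant is only half of the fix for an installer: if the file must later be reused, the name should also be unpredictable (mkstemp(3) or a private directory created with mode 0700), so that an attacker cannot pre-create it and force every run to fail.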

Alerts:
Mandrake MDKSA-2004:101 2004-09-22
Debian DSA-544-1 2004-09-14
Gentoo 200409-15 2004-09-12

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Resources

Tool announcement: fakebust

Michal Zalewski has announced the availability of "fakebust," which is "a simple, open-source, user-friendly, intuitive and very rapid malicious code analyzer that can partly replace and in certain aspects outperform an expensive, strictly controlled sandbox setup."

Full Story (comments: none)

The Phishing Guide

NGS has released a new white paper entitled "The Phishing Guide." "This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks."

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.9-rc2; Linus has released no prepatches since September 13.

Linus's BitKeeper repository contains more __iomem annotations (see last week's Kernel Page) and new sparse annotations intended to flush out byte endianness errors, an NTFS update, ethtool support in the loopback driver, m32r architecture support, the "string" I/O memory access functions, support for more than eight partitions on BSD-labeled disks, some User-mode Linux cleanups, a tunable "max sectors" limit for block I/O requests (a latency reduction feature), a new prctl() option allowing programs to change their name, some shared memory scalability improvements, and a change in TCP ICMP source quench behavior (such messages are simply ignored now).

The current tree from Andrew Morton is 2.6.9-rc2-mm1. Recent changes to -mm include the inclusion of a number of Ingo Molnar's latency reduction patches, a rework of tty locking, a number of User-mode Linux updates, and various fixes.

The current 2.4 prepatch is still 2.4.28-pre3; Marcelo has released no prepatches since September 11.

Comments (5 posted)

Kernel development news

Modular, switchable I/O schedulers

The I/O scheduler ("elevator") has a challenging job: it must arrange for disk I/O operations to be executed in the optimal order. "Optimal" means maximizing the I/O bandwidth to the disk while, simultaneously, ensuring that all requests are satisfied in a timely manner, no process suffers excessive latency, and, for desktop systems, that the interactive "feel" of the system is responsive. Some schedulers take on additional tasks, such as dividing the available bandwidth equally between processes (or users) contending for each disk.

Given that set of demands, it is not surprising that there are multiple I/O schedulers in the Linux kernel. The deadline scheduler works by enforcing a maximum latency for all requests. The anticipatory scheduler briefly stalls I/O after a read request completes with the idea that another, nearby read is likely to come in quickly. The completely fair queueing scheduler (recently updated by Jens Axboe) applies a bandwidth allocation policy. And there is a simple "noop" scheduler for devices, such as RAM disks, which do not benefit from fancy scheduling schemes (though such devices usually short out the request queue entirely).

The kernel has a nice, modular scheme for defining and using I/O schedulers. What it lacks, however, is any flexible way of letting a system administrator choose a scheduler. I/O schedulers are built into the kernel code, and exactly one of them can be selected - for all disks in the system - at boot time with the elevator= parameter. There is no way to use different schedulers for different drives, or to change schedulers once the system boots. The chosen scheduler is used, and any others configured into the system simply sit there and consume memory.

Jens Axboe has recently posted a patch which improves on this situation. With this patch in place, I/O schedulers can be built as loadable modules (though, as Jens cautions, at least one scheduler must be linked directly into the kernel or the system will have a hard time booting). A new scheduler attribute in each drive's sysfs tree lists the available schedulers, noting which one is active at any given time. Changing schedulers is simply a matter of writing the name of the new scheduler into that attribute.

The patch is long, but the amount of work required to support switchable I/O schedulers wasn't all that great. The internal structures describing elevators have been split apart to reflect the more dynamic nature of things; struct elevator_ops contains the scheduler methods, while struct elevator_type holds the metadata which describes an I/O scheduler to the kernel. The new elevator_queue structure glues an instance of an I/O scheduler to a specific request queue. Updating the mainline schedulers to work with the new structures required a fair number of relatively straightforward code changes. Each scheduler now also has module initialization and cleanup functions which have been separated from the code needed to set up or destroy an elevator for a specific queue.

One interesting question is: what should be done with the currently queued block requests when an I/O scheduler change is requested? One could imagine requeueing all of those requests with the new scheduler in order to let it have its say immediately. The simpler approach, which was chosen for this patch, is to block the creation of new requests and wait for the queue to empty out. Once all outstanding I/O has been finished up, the old scheduler can be shut down and moved out of the way.
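As an added example (not code from Jens's patch or from LWN), here is the user-space side of the switching mechanism described above: a small C parser for the per-device scheduler attribute, so that a tool can check what is available and active before writing a new name back. The attribute path /sys/block/<dev>/queue/scheduler and the one-line "name [active] name" format are assumptions, not details given in the article.

```c
/*
 * Added example, not code from the patch or from LWN: parsing the per-device
 * scheduler attribute the patch adds to sysfs.  Assumed (not stated in the
 * article): the attribute is /sys/block/<dev>/queue/scheduler and reads as one
 * line naming every available scheduler, the active one in brackets, e.g.
 *     noop [anticipatory] deadline cfq
 * A tool that switches schedulers should read this line, check that the
 * wanted name is listed, and only then write the name back to the attribute.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SCHEDULERS 8
#define NAME_LEN       32

struct scheduler_list {
    char names[MAX_SCHEDULERS][NAME_LEN];
    int  count;
    int  active;            /* index into names[], or -1 if none bracketed */
};

/* Parse one attribute line.  Returns the number of schedulers found, or -1 on
 * a malformed entry (name too long, too many entries, unbalanced bracket). */
static int parse_scheduler_attr(const char *line, struct scheduler_list *sl)
{
    char buf[256];
    char *tok;

    memset(sl, 0, sizeof(*sl));
    sl->active = -1;
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        size_t len = strlen(tok);
        int bracketed = tok[0] == '[';

        if (bracketed != (tok[len - 1] == ']'))
            return -1;              /* "[name" or "name]": unbalanced */
        if (bracketed) {
            tok[len - 1] = '\0';
            tok++;
            len -= 2;
            sl->active = sl->count;
        }
        if (len == 0 || len >= NAME_LEN || sl->count == MAX_SCHEDULERS)
            return -1;
        strcpy(sl->names[sl->count++], tok);
    }
    return sl->count;
}

/* Name of the active scheduler, or NULL if no entry is bracketed. */
static const char *active_scheduler(const struct scheduler_list *sl)
{
    return sl->active >= 0 ? sl->names[sl->active] : NULL;
}

/* 1 if the kernel lists `name`, so writing it to the attribute is meaningful. */
static int scheduler_available(const struct scheduler_list *sl, const char *name)
{
    for (int i = 0; i < sl->count; i++)
        if (strcmp(sl->names[i], name) == 0)
            return 1;
    return 0;
}

/* Read the attribute from a file (the sysfs path on a live system, or any
 * file holding a constructed line), parse it, and report whether `want` can
 * be written back.  Returns 1 = ok to switch, 0 = not listed, -1 = error. */
static int can_switch_to(const char *path, const char *want)
{
    char line[256];
    struct scheduler_list sl;
    FILE *f = fopen(path, "r");

    if (!f || !fgets(line, sizeof(line), f)) {
        if (f)
            fclose(f);
        return -1;
    }
    fclose(f);
    if (parse_scheduler_attr(line, &sl) < 0)
        return -1;
    return scheduler_available(&sl, want);
}
```

The actual switch is then a plain write of the name (followed by a newline) to the same attribute; the parse step exists so that a misspelled or unavailable scheduler name is reported before the write rather than as a bare write error.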

There have been no (public) objections to the patch; chances are it will find its way into the mainline sometime after 2.6.9 comes out.

Comments (14 posted)

Goodbye, old code

In the Good Old Days, loadable modules had to manage their own reference counts with the MOD_INC_USE_COUNT and MOD_DEC_USE_COUNT macros. This mechanism was always subject to race conditions; since the count was manipulated inside the module itself, there was no way to avoid situations where the kernel was executing inside the module, but the use count was zero. And that was for correctly written modules; distributing responsibility for the reference count in this way also provided lots of opportunities for module writers to get things wrong.

So, for 2.6, reference count management was moved up into the code which calls into modules, and the MOD_*_USE_COUNT macros were deprecated. The kernel janitors have been busy in recent times, with the result that there are now no more users of those macros in the mainline kernel. So Christoph Hellwig has posted a patch removing them altogether. That patch has not been merged as of this writing, but the writing is clearly on the wall. Any external modules which are still using these macros should probably be fixed up in a hurry.

Christoph has also sent out a patch marking the lightly-used inter_module functions as deprecated. These functions, which perform a sort of run-time linking between modules, have never been seen as elegant or safe to use.

Rusty Russell, meanwhile, has added a warning to the kernel informing users that the ipchains and ipfwadm interfaces to netfilter will be going away soon. They have been obsolete since 2.4, but the kernel developers have kept them around because they are a user-space interface which is still very much in use. Once a site administrator gets a set of firewall rules that works, he or she is rarely amused by the idea of rewriting everything for a new interface.

Supporting these interfaces requires the maintenance of an intermediate compatibility layer in the netfilter code, however, and that makes maintenance and development of the code hard. In the interests of carrying the code forward, the netfilter developers want to get rid of the older cruft. For now, they are just adding a warning; no time frame has been given for (1) firmer warnings, or (2) actual removal of the code.

There are a couple of obstacles to actually taking this code out:

  • The users of the old interfaces. For those trying to convert to iptables, William Stearns has posted a script which converts ipchains rules to iptables.

  • 32-bit emulation. The binary interface used by iptables is exceedingly difficult to implement for 32-bit user-space programs in a 64-bit kernel - with the result that it has not been done. For this reason, x86-64 maintainer Andi Kleen has requested that ipchains not be removed at this time. Fixing that problem will not be a straightforward task, however.

In the longer term, it seems clear that the older interfaces have to go. The alternative is a steady accumulation of compatibility cruft which, eventually, causes the kernel to collapse under its own weight.

Comments (none posted)

I/O space write barriers

Some platforms, it seems, have an interesting property: writes to I/O memory space from multiple processors may be reordered before reaching the device. Even if the device registers are protected by a lock (pretty much necessary to keep multiple processors from writing simultaneously and confusing the device), writes issued by one CPU can arrive before those from another, even if the second CPU had held the lock and issued its writes first. The Itanium architecture in particular behaves this way, though others may as well.

The answer, according to Jesse Barnes, is the addition of a new type of memory barrier to force the ordering of writes to the device. Jesse's patch adds a new function, mmiowb(), which implements this barrier. He has also updated the qla1280 driver to make use of it.

Authors of PCI drivers are accustomed to coding a different sort of barrier: reading from a device register to ensure that all writes have actually been posted to the device. mmiowb() is a different, lighter-weight mechanism. After a call to mmiowb(), writes might still have not reached the device. Writes are not forced out; they just have their ordering with respect to subsequent writes guaranteed. In many situations, that sort of guarantee is all that is needed.

Comments (1 posted)

Configuration of pluggable network adaptors

Li Shaohua ran into a problem when repeatedly plugging and unplugging an e1000 network adaptor. After 32 times, the adaptor would no longer work. It seems that the driver (like many others in the 2.6 kernel) was designed to discover at most 32 devices at boot time, and it has space for configuration parameters for just that many devices. Each new hotplug event looked like a new device, so the driver quickly ran out of parameter storage. In fact, the e1000 driver can handle many more devices than that; it just lacks space in its boot-time arrays to hold default configuration information.

Mr. Li's diagnosis was that the problem lies with the e1000 driver's inability to reuse board numbers internally. So he wrote up a patch to keep track of existing boards, and to reuse their numbers when they are removed. After some discussion, this patch was reworked into a general mechanism using the "idr" facility (described in the next article) - since the e1000 is not the only driver which behaves this way, it makes sense to fix the problem once for everybody.

Not everybody agrees that this is the right approach, however. Boot-time configuration parameters can be useful for many (if not most) systems where the network interfaces are screwed down and are unlikely to be replaced while the system is up. But do they really make sense for hotpluggable devices? There is a whole system in place for the configuration of hotpluggable devices; perhaps that should be used rather than adding complexity to the network drivers. Given that the conversation came to a hard stop after this view was posted, it seems likely to carry the day.

Comments (none posted)

idr - integer ID management

There have been a fair number of patches in recent times which convert one part or other of the kernel over to the "idr" facility. Idr is a set of library functions for the management of small integer ID numbers. In essence, an idr object can be thought of as a sparse array mapping integer IDs onto arbitrary pointers, with a "get me an available entry" function as well. This code was first added in February, 2003 as part of the POSIX clocks patch, and has seen various tweaks since.

Working with idr requires including <linux/idr.h>. Creating a new idr object is simply a matter of allocating a struct idr and passing it to:

    void idr_init(struct idr *idp);

The interface for allocating new IDs is somewhat unintuitive and interesting. The authors decided to separate out the parts of the ID allocation process which may require getting memory from the system; the idea was that the memory allocation could be done with no locks held, while the actual generation of an ID number could be done in a locked state. Thus, before allocating a new ID, one must call:

    int idr_pre_get(struct idr *idp, unsigned int gfp_mask);

This function prepares the idr for the allocation of a new ID number, allocating memory (with the given gfp_mask) if necessary. Contrary to the usual conventions, the return value will be zero if something goes wrong, nonzero otherwise.

Once that is done, a new ID can be allocated with either of:

    int idr_get_new(struct idr *idp, void *ptr, int *id);
    int idr_get_new_above(struct idr *idp, void *ptr, int start_id, int *id);

The first form gets the next available ID number, stores it in id, and associates it with the given ptr internally. If you wish to specify a minimum value for the new ID, use idr_get_new_above() instead. If all goes well, the return value will be zero; if no more IDs can be allocated, -ENOSPC will be returned.

Imagine a situation where two processors are both looking to allocate a new ID. Both call idr_pre_get(), guaranteeing that enough memory exists to allocate at least one more ID. Then one processor swoops in and grabs that ID, leaving no memory for the other. In that case, idr_get_new() will not attempt to allocate more memory; it will, instead, return -EAGAIN. At that point, the code should emit a heavy sigh, release its locks, and go back to the idr_pre_get() stage. Thus, ID allocation code can look something like this:

    again:
        if (idr_pre_get(&my_idr, GFP_KERNEL) == 0) {
            /* No memory, give up entirely */
            return -ENOMEM;
        }
        spin_lock(&my_lock);
        result = idr_get_new(&my_idr, &target, &id);
        if (result == -EAGAIN) {
            /* Somebody else used our reservation: sigh, drop the lock, retry */
            spin_unlock(&my_lock);
            goto again;
        }
        spin_unlock(&my_lock);
        /* result is now 0 (with id filled in) or -ENOSPC */

It should be noted that calls to idr_get_new() (and most other idr functions) must be serialized by some sort of lock, or unpleasant things could happen. idr_pre_get() can sleep, however, and should not be called under lock.

Looking up an existing ID is much simpler:

    void *idr_find(struct idr *idp, int id);

The return value will be the pointer associated with the given id, or NULL otherwise.

To deallocate an ID, use:

    void idr_remove(struct idr *idp, int id);

With these functions, kernel code can generate ID numbers to use as minor device numbers, inode numbers, or in any other place where small integer IDs are useful.

There is one more interesting twist to the idr code: it does (almost) nothing to help users detect reused ID numbers. When an object is destroyed, it may not be possible to tell whether anybody still has its ID number around or not. When some part of the kernel comes along with an ID number, it would be nice to know that it refers to a currently-existing object, rather than being left over from some previous time.

The idr code makes it possible for callers to perform this check by ignoring the high-order bits in the ID number. Here, "high-order" is defined as "all the bits which are not needed to represent the largest allocated ID." By putting some sort of unique information in the upper part of the ID (and by limiting the maximum ID number which can be used), idr users can turn the small ID numbers into unique identifiers. The POSIX timer and SCTP code use idr in this way; most of the other in-kernel users treat idr as a sort of unique number generation service and do not perform this sort of check.
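The following is an added example, not the kernel's own idr implementation: a user-space model of the idr calling convention (idr_init(), idr_pre_get(), idr_get_new(), idr_get_new_above(), idr_find(), idr_remove()) with a fixed-size array standing in for the kernel's data structure. It serves two passages: the e1000 board-number discussion above, by running the plug/unplug cycle and showing that the freed number is reused, and the reuse-detection trick just described, by packing a generation count into the high-order bits of the ID. The limit of 64 IDs, the ID_BITS width and the struct object type are constructed for this model.

```c
/*
 * Added example, not the kernel's own code: a user-space model of the idr
 * calling convention backed by a fixed-size array instead of the kernel's
 * tree.  It runs the e1000 plug/unplug scenario and the "unique bits in the
 * high part of the ID" trick.  Single-threaded, so the caller's lock is left out.
 */
#include <errno.h>
#include <string.h>

#define IDR_MAX_IDS 64   /* constructed limit for this model */
#define ID_BITS     6    /* bits needed to hold IDR_MAX_IDS - 1 */

struct idr {
    void *slot[IDR_MAX_IDS];   /* sparse map: id -> pointer */
    int reserved;              /* "memory" set aside by idr_pre_get() */
};

static void idr_init(struct idr *idp) { memset(idp, 0, sizeof(*idp)); }

/* Kernel convention: returns 0 on failure, nonzero on success. */
static int idr_pre_get(struct idr *idp, unsigned int gfp_mask)
{
    (void)gfp_mask;            /* no real allocator in this model */
    return idp->reserved = 1;
}

/* Lowest free ID >= start_id.  -EAGAIN: the idr_pre_get() reservation was
 * already used up (by another CPU in the kernel, by an earlier call here);
 * -ENOSPC: no free ID left. */
static int idr_get_new_above(struct idr *idp, void *ptr, int start_id, int *id)
{
    if (!idp->reserved)
        return -EAGAIN;
    for (int i = start_id < 0 ? 0 : start_id; i < IDR_MAX_IDS; i++) {
        if (idp->slot[i] == NULL) {
            idp->slot[i] = ptr;
            idp->reserved = 0;
            *id = i;
            return 0;
        }
    }
    return -ENOSPC;
}

static int idr_get_new(struct idr *idp, void *ptr, int *id) { return idr_get_new_above(idp, ptr, 0, id); }

static void *idr_find(struct idr *idp, int id) { return (id >= 0 && id < IDR_MAX_IDS) ? idp->slot[id] : NULL; }

static void idr_remove(struct idr *idp, int id) { if (id >= 0 && id < IDR_MAX_IDS) idp->slot[id] = NULL; }

/* e1000 scenario: plug, unplug, repeat.  The number goes back to idr on
 * unplug, so the highest number handed out stays 0; a bump-only counter would
 * reach cycles - 1 and run off the end of a 32-entry parameter array. */
static int max_board_number_after(int cycles)
{
    struct idr boards;
    static int board_stub;     /* stands in for the driver's per-board data */
    int id, max = -1;
    idr_init(&boards);
    for (int i = 0; i < cycles; i++) {
        if (!idr_pre_get(&boards, 0) || idr_get_new(&boards, &board_stub, &id))
            return -1;
        if (id > max)
            max = id;
        idr_remove(&boards, id);   /* unplug */
    }
    return max;
}

/* Reuse detection: the handle handed out is (generation << ID_BITS) | id.
 * Lookup strips the high bits to index idr, then compares the generation, so
 * a handle left over from a destroyed object is refused. */
struct object { unsigned int generation; };   /* constructed for this model */

static int make_handle(struct idr *idp, struct object *o, unsigned int *gen)
{
    int id;
    o->generation = (*gen)++;
    if (!idr_pre_get(idp, 0) || idr_get_new(idp, o, &id))
        return -1;
    return (int)((o->generation << ID_BITS) | (unsigned int)id);
}

static struct object *lookup_handle(struct idr *idp, int handle)
{
    unsigned int h = (unsigned int)handle;
    struct object *o = idr_find(idp, (int)(h & ((1u << ID_BITS) - 1)));
    return (o && o->generation == h >> ID_BITS) ? o : NULL;
}

/* 1 if a stale handle is rejected while the fresh one still resolves. */
static int stale_handle_rejected(void)
{
    struct idr map;
    struct object a, b;
    unsigned int gen = 0;
    int ha, hb;
    idr_init(&map);
    ha = make_handle(&map, &a, &gen);  /* generation 0, id 0 -> handle 0 */
    idr_remove(&map, ha & ((1 << ID_BITS) - 1));
    hb = make_handle(&map, &b, &gen);  /* id 0 again, generation 1 -> 64 */
    return lookup_handle(&map, ha) == NULL && lookup_handle(&map, hb) == &b;
}
```

The generation field is what limits the usable ID range: with ID_BITS low bits reserved for idr, the high bits must hold the unique part, which is why the article notes that users of this trick have to cap the maximum ID they ask idr for.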

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Filesystems and block I/O

Janitorial

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Ubuntu: A Universal Bond of Sharing

September 22, 2004

This article was contributed by Ladislav Bodnar

Here is a little quiz. Which Linux distribution's mailing list recorded over 1,000 posts during the first week of its existence? Which project succeeded in attracting some of the best-known and most prominent open source developers to work on it? And why do their email addresses invariably end with @canonical.com?

The answer, of course, is Ubuntu Linux. Ubuntu, a Zulu word representing a belief in a universal bond of sharing that connects all humanity, gave the name to a new Debian-based Linux distribution, which very few people had heard of as little as two weeks ago. Despite being a new kid on the block, Ubuntu has the potential to turn the Linux distribution world upside down and make rapid inroads into our minds, not to mention hard disks. The reason? Ubuntu Linux is the first distribution since LindowsOS that has serious capital behind it, a substantial financial backing from a wealthy open source advocate.

But let's start from the beginning. It is late 1999 and we are in Cape Town, South Africa. A company called Thawte Consulting, the world's second largest provider of digital certificates, has just been sold to Verisign for $575 million. The name of the entrepreneur behind Thawte is Mark Shuttleworth, a young man who thus became a multi-millionaire just four years after he graduated from university. The local press excitedly reported that Mark had paid bonuses of one million Rand (about $163,000 at the time) to every one of his employees, including those who had been with the company for a very short time.

Young and rich, Mark pursued some of his extravagant dreams as he became only the second space tourist when he visited the International Space Station on board the Russian Soyuz shuttle in April 2002, in exchange for some $20 million. Part of his fortune was also channeled into more selfless projects, such as The Shuttleworth Foundation, established with a goal "to invest in projects that provide innovative solutions to educational challenges in an African context, focusing on maths, science, entrepreneurship and technology in education and open source." Note the magic words "open source" in the above statement. Then, earlier this year, he teamed up with Hewlett-Packard to launch Go Open Source, a massive campaign designed to increase the awareness of open source software solutions in South Africa. He also founded Canonical Limited, an Isle of Man-based company now funding the development of Ubuntu Linux.

According to the company's web site and some of the early interviews with its representatives, Canonical employs over 40 developers, most of them from GNOME, Debian and GNU Arch projects. Among them, one will find Sebastien Bacher (Debian GNOME packages), Carlos Perelló Marín (Debian PowerPC port), Nathaniel McCallum (Gentoo Linux), Dave Miller (Bugzilla), Martin Pitt (PostgreSQL packaging for Debian), Daniel Stone (Release Manager, FreeDesktop.org), Colin Watson (Debian QA and Debian installer), Jeff Waugh (GNOME Release Coordinator) and Matt Zimmerman (member of the Debian Security Team), just to name a few.

Besides being a free project (in both senses of the word) and the fact that the developers are getting paid for their work, what else is special about Ubuntu Linux? And why would an average Debian user consider switching to it? One of the most interesting attractions is the promise of regular stable releases at roughly 6-month intervals. In fact, the distribution's versioning scheme is time-based, with version 4.10 representing October 2004, while the next stable release due in April 2005 will be version 5.04. All releases will be supported by the security team for 18 months after the release. Ubuntu's default desktop is GNOME, with much less attention to other desktops (KDE is available too, but only as an unsupported "universe" component). One other peculiarity, rarely seen in a distribution, is the fact that the superuser account is disabled by default. The first user created during the installation has administrative rights on the system, and can run programs as root with "sudo". Although it is easy enough to reset the root password, the default setup encourages good security practices. Ubuntu Linux currently supports three architectures: i386, ppc and x86_64.

It is important to realize that Ubuntu Linux is not trying to compete with Debian, and those Debian developers who now work on Ubuntu will continue with their Debian duties as usual. But an interesting debate is starting to revolve around the relationship between Ubuntu and other Debian-based projects, especially the ones with commercial interests, such as UserLinux or Progeny Componentized Linux. The three of them have a lot in common, with the goal of developing a commercially supported Debian-based Linux distribution. Bruce Perens of UserLinux has already indicated his readiness to meet with Mark Shuttleworth later this year and discuss issues of mutual interest. This would certainly benefit UserLinux, the development of which has been moving forward at a remarkably slow pace. Progeny's Ian Murdock might be interested in this meeting too. It really is hard to justify the existence of three projects with roughly similar goals, much overlapping work and a risk of further fragmentation in the market place. After all, it makes sense to combine resources if a small start-up intends to compete with the likes of Novell or Red Hat.

Whatever the outcome, it will be interesting to watch the development of Ubuntu Linux during the next few months. Will a Debian-based distribution finally break into the enterprise, with an offer of a superior product, matching hardware and software support, certified by some of the major industry players, such as IBM or Oracle? With Ubuntu Linux on the table and Canonical Ltd behind it, hopes are higher than ever.

Comments (5 posted)

Distribution News

Mandrakelinux

The announcement has gone out for the Mandrakelinux 10.1 release. This release features improved hardware support (including improved support for laptop systems) and the usual set of software upgrades.

In with the new, out with the old: Mandrakelinux 9.1 and Mandrakelinux 9.1/PPC products will be expiring on the 25th of September.

Comments (none posted)

Fedora

Fedora Core 3 Test 2 has been released. This edition includes GNOME 2.8, KDE 3.3.0, X.org X11 6.8.0 and more.

Maintenance of Fedora Core 1 has been transferred to Fedora Legacy.

Comments (none posted)

Debian Weekly News

The Debian Weekly News for September 21, 2004 covers Debian on a laptop, Security-Hardening Debian, Ubuntu 4.10 Preview, updating virus and security scanners in Debian stable, maintaining SSL certificates, another Installer release candidate, Sarge release notes, LSB status, and more.

Full Story (comments: none)

Gentoo Weekly Newsletter 20 September 2004

The Gentoo Weekly Newsletter is back. There's a new user survey out to get some feedback from Gentoo users, the forums have been moved to new hardware, Portage 2.0.51 is becoming stable, there will be an international Gentoo PPC developer meeting, and more.

Full Story (comments: 3)

DistroWatch Weekly

This week's DistroWatch Weekly looks at Ubuntu Linux, Mandrakelinux 10.1, Lycoris Desktop/LX and more.

Comments (none posted)

New Distributions

KAZIT

KAZIT is a KNOPPIX-based bootable CD translated into Hebrew. It features a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI devices, and other peripherals. It can be used as a Linux demo, educational CD, rescue system, etc. It is not necessary to install anything on a hard disk due to on-the-fly decompression. KAZIT Beta 2 was released September 20, 2004.

Comments (none posted)

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v5.023. "This Up2Date adds Single Sign On with Active Directory (NTLM), adds DNS hostname support to the parent proxy, and improves the HTTP proxy performance when using authentication. It also fixes six smaller issues." Some minor security issues have also been fixed recently.

Comments (none posted)

CentOS

CentOS has released v3.3 with support for both X86_64 and i386. "This is a complete rebuild of all the updated packages that Red Hat has included in the SRPM's of their Enterprise Linux 3 Update 3. The changed packages from update 3 are overlaid onto 3.1. This release includes a rebuilt anaconda and new boot kernels for the installer."

Comments (1 posted)

Feather Linux

Feather Linux has released v0.5.9. "This release adds wmapm, madwifi, and reiserfsck. It adds a new baby Tux background, makes dnsmasq.conf writable, and reverts the USB settings to the previous 0.5.7 ones. Other small bugfixes and changes were also made."

Comments (none posted)

Hiweed GNU/Linux

Hiweed GNU/Linux released 0.55beta1 for the national day of China, with the newest Debian-Installer and other new features. Version 0.55beta2 fixes lots of bugs. "This is the second beta version for 0.55, for the national day of China. Major bugs were fixed. The font-size of GDM and XFCE4 was adjusted. Normal users can now shutdown on XFCE4 or GDM. root can now login via GDM. The GDM can start automatically every time the machine boots. mc can now display Chinese as normal. xpdf was replaced with gpdf. helix-player was replaced with RealPlayer 10. chmsee was added. A default sources.list was added. The last version of Debian Reference (Chinese Edition) was added. The console is now booted to a resolution of 800x600 by default."

Comments (none posted)

LinuxConsole

LinuxConsole has released v0.4.5.1 with major bugfixes. "Many bugfixes and some improvements were made. The boot messages were updated and boot commands were added. Patch 5.1 was enabled. English, French, Italian, and German languages are now available in icewm, GNOME, and Freevo. The NVIDIA files were moved from xfree_drivers to the nvidia module, and the NVIDIA licence must be accepted before they are used or else the XFree drivers without 3D acceleration are used. Mplayer now supports Real Media streams."

Comments (none posted)

Sentry Firewall

Sentry Firewall has released v1.5.0-rc15. "A number of bugs have been fixed in the configuration scripts, and a lot of code cleanups have been made. "path[#]" directives and a "mkdir" command were added to sentry.conf. Several packages have also been updated including snort, squid, and dnsmasq."

Comments (none posted)

VectorLinux

VectorLinux has released v4.3. "The kernel has been updated to version 2.6.7. A submount filesystem has been added for automounting of removable media. All the base programs and libraries have been upgraded to their latest stable versions. Mozilla-1.7 is configured to have Java, Flash, and video streaming working out of the box. Rox-Filer is now the default desktop file manager, using its pinboard feature to manage icons. A new GUI-configurable firewall (Gshield) has replaced the old firewall script. ALSA is now the default sound system. The automatic hardware detect feature has been improved, and printing service is now an installable option."

Comments (none posted)

Newsletters and articles of interest

Interview with Jeff Waugh On Ubuntu Linux (OSNews)

OSNews talks with Ubuntu team member Jeff Waugh about this new project. "What are its main differences from Debian? Why would someone pick Ubuntu over Debian or any other distro?

Jeff Waugh: At its core, Ubuntu *is* Debian. Our six-monthly releases are based on Debian's "sid" development branch, with lots of bugfixing and integration work (which goes back to Debian), and some special additions such as the very latest GNOME releases. Ubuntu 4.10, which we call the "Warty Warthog" shipped GNOME 2.8 in our Preview release last night. :-) We provide 18 months of high-impact, dataloss and security support with every release."

Comments (none posted)

Introducing OpenVistA VivA FOIA Gold live CD (LinuxMedNews)

LinuxMedNews introduces a live Linux CD with OpenVistA software. "VistA as traditionally released by the VA did not run on GT.M. OpenVistA as available to date has been FOIA VistA ported to GT.M, but it also had some enhancements not in the FOIA software. With the release of a recent patch, FOIA VistA now runs on GT.M, which makes possible an OpenVistA VivA live CD that is exactly the software available under FOIA, no more and no less. Since the FOIA software has been referred to as the "gold standard", the name of this live CD is "OpenVistA VivA FOIA Gold"."

Comments (none posted)

SECURE Linux OS expected in early 2005 (GCN.com)

Government Computer News reports that Trusted Computer Solutions Inc. of Herndon, Va., expects to begin beta-testing Trusted Linux this fall. "The trusted version of the open-source OS will automate and enforce stringent security policies to achieve multilevel security, enabling top-secret and below interoperability. It will be based on the kernel from the National Security Agency's Security Enhanced Linux project." Here's the press release from TCS.

Comments (none posted)

Distribution reviews

The Stealth Desktop: Managing Users, Fonts, and Printers (OfB.biz)

Here's the third installment of Eduardo Sánchez's look at Slackware on the desktop, on Open for Business. "If you ask any person more or less knowledgeable in distributions about the most distinctive feature of Slackware, they will most likely reply "the lack of GUI tools". They are right in the sense that there aren't any Slackware-specific GUI tools, but you do have graphical administration tools at your fingertips that might be very useful in the task of administering a system. Let's see a few of them."

Comments (none posted)

DeLi Linux 0.6 Review (OSNews)

OSNews reviews DeLi Linux version 0.6. "I think DeLi Linux is a good attempt to create a Linux distro specialised to older hardware. What it currently lacks is the amount of software included. I understand that the developer wants to keep it small in size, but I think this should only be applicable to the software you have installed on your hard disk; on the CD or in the ISO, some more software should be included, mainly alternatives to already available types of software ... Also the use of a 2.2 series kernel was a wise choice; to mention an example, the PCMCIA controller of my Notebook is only supported by kernels up to 2.2 - it was dropped in 2.4. The installation system is yet quite o.k. for such a young distro. Maybe the amount of system settings supported by delisetup will grow in the future."

Comments (none posted)

Review of UserLinux Beta LiveCD (Ammai.com)

Ammai.com has a brief review of the recently released UserLinux LiveCD. "The current LiveCD is based on Morphix but includes the UserLinux package selection."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The State of Linux Gaming

September 22, 2004

This article was contributed by Dave Fancella

With all the talk about Linux for the Desktop, Linux for the Server, Linux for the Toaster, and Linux for the Masses there's one area that gets consistent criticism: gaming. Popular wisdom is that Linux will never be good for gaming because open source developers don't write games. Open source developers don't like to have fun, apparently.

Well, it's not true. None of it is true.

I did a fairly exhaustive search for Linux games, installing them and running them on my own machine, and this article is entirely about what I found. Like many applications, each game is lacking in some area. Since most of these games are pre-1.0 versions, it's not surprising at all. I ruled out any game that crashed my X server, required root privileges, or was unplayable for any other reason. I've also ruled out games that are generally bundled with CD distributions, since you already know about those. So here is a list of games that are playable, relatively stable, and fun.

My test hardware consists of an 800MHz Duron processor, 256MB of DDR RAM, an nVidia TNT2 video card, and VIA's infamous AC'97 onboard sound system. These games all ran well on my system, so you should be able to compare your system specs to mine and easily extrapolate how well they should run on your own system.

Blobwars 0.91

Blobwars is a pretty standard platform game. It is structured in levels, but organized as missions. You play Bob, a blob whose purpose is to rescue soldiers that are marked Missing In Action due to an alien invasion and subjugation. The game is playable and has many levels, an excellent mod-based soundtrack, and some pretty polished graphics. Some of the graphics and levels are reminiscent of the old arcade game Strider, and the plot itself is similar. Game play is different, for the most part. According to Parallel Realities' website, Blobwars is story-complete and all that's left for a 1.0 release is testing and bug fixing.

I installed Blobwars from the generic Linux RPM provided, and it ran fine. Like most Linux games, it uses a selection of SDL libraries. Blobwars is licensed under the GPL.

SDL Vexed 0.6

SDL Vexed is an SDL-perl clone of the popular PalmOS game, Vexed. Vexed is a puzzle game. Your goal is to eliminate all blocks on a level by placing each one adjacent to one another. When you move a block, you can move it left or right. If there is empty space under it, it will fall. Game play is slightly different than the PalmOS version, so if you've been a fan of the original game you will have to adjust. The soundtrack appears to be minimal but good, and reminiscent of the soundtrack in Frozen Bubble. Here, again, I don't have any idea what is planned for a 1.0 release, but the 0.6 release has many levels. In fact, I looked in the levels subdirectory and saw that the game was written to use the levels in the original Vexed game. There don't appear to be any new levels over the existing Vexed for PalmOS, but it does look like SDL Vexed may well provide a path to a level editor that will be advantageous for both games. The graphics are good, but still a little rough around the edges.

The game doesn't actually install; you just need to make sure you have SDL-perl installed. Then unpack the tarball, cd into the directory, and run it. SDL Vexed is released under the GPL.

Armagetron Advanced 0.2.7.0

(A slight disclaimer: I am somewhat involved in this project.)

Armagetron Advanced is a fork of the game Armagetron. You may already know Armagetron from your distribution; it comes with Mandrake, SuSE, and possibly others. In Armagetron Advanced you are a light cycle on a grid, and wherever you go this big wall appears behind you. The object of the game is to coerce the other players to crash into your wall. It's an excellent 3D gaming version of the light cycle sequence from Tron. Like all of the best games in history, game play itself is very simple, but the game is not. Played as a network game, you will find servers that range in abilities; some will have a steep learning curve for survival, while others will be more friendly to new players. There is a sizeable and growing community around this game. Armagetron Advanced has a decent collection of sound samples and does a good job panning the sounds. Many players have become dependent on the sounds as clues to what is going on around them. The graphics are excellent and fairly well-polished, but the game is lacking a musical soundtrack. Sound effects are present, non-intrusive, and actually reflective of the game you see. The game is playable now, and continues to get better.

I installed Armagetron Advanced using the generic Linux RPM provided by the project. I was also able to successfully build it with the SDL libraries provided by Mandrake. Armagetron Advanced is released under the GPL.

Cube 2004.05.22

[Cube] Cube is a first person shooter game. It appears that Cube brings some interesting innovation to this field; according to this statement from their web page: "Cube is a landscape-style engine that pretends to be an indoor FPS engine, which combines very high precision dynamic occlusion culling with a form of geometric mipmapping on the whole world for dynamic LOD for configurable fps & graphic detail on most machines." Whatever that means.

I enjoyed the game when I played it. Cube appears to have a very active community of players and servers, and it doesn't take long to find a server for you to get your brains blown out. Game play was fairly typical of first person shooters, but the Cube developers have made some real strides in eliminating lag, the biggest problem facing first person shooters. Speaking as a metal-head, the heavy metal soundtrack was outstanding and varied. The sound effects themselves were good, and with the polished graphics combined well to make a fairly realistic playing experience.

I almost didn't include Cube because it didn't fit some of my criteria. Namely, it has a tendency to run out of memory and crash, leaving my X environment stuck in Cube's native resolution. Cube also didn't surrender my mouse gracefully after one session. I decided I could safely ignore these problems since they are doubtless bugs that will be fixed soon. If you want a good open source first person shooter, Cube is it.

Cube includes binaries for all supported platforms in one tarball. It is released under the Zlib license.

Battle for Wesnoth 0.8

[Battle for Wesnoth] The Battle for Wesnoth is a fantasy turn-based strategy game with a twist. It is story-driven. Victory conditions for maps range from "Destroy the bad guys" to "Run a player character to a specific point on the map". There are even factions on the maps that are allies, but you don't get to control them. I found myself getting sucked into a world of trolls, orcs, elves, and magic even though I had thought I had outgrown such things. The soundtrack is pretty complete with a good variety of music and sound effects. All the little bells and whistles appear to be present, with fun animations for combat, walking units, and even standalone hexes on the map. The map itself doesn't have grid lines by default, and unless you turn on the grid lines, you may not even notice the map is hexagonal.

I did have a little trouble installing Battle for Wesnoth. The Mandrake packages provided didn't install on my system, so I built the source code tarball. The build went smoothly although it did take some time. Naturally I recommend building from source, but you may find the packages work for you. Battle for Wesnoth is released under the GPL.

Crimson Fields 0.4.4

[Crimson Fields] (A disclaimer for this one as well, I am pretty involved with Crimson Fields.)

Crimson Fields is a turn-based strategy game set way in the future on another planet. You are the leader of the Free Nexus Army, a rebel group whose purpose in life is to overthrow the alien invaders and bring independence back to the planet of Nexus. Crimson Fields draws a lot of inspiration from the old Battle Isle series, and supports the map format from that series. It is still a very young project and only comes with a few maps, but it is playable now. You can play by email, hot seat, or locally against the computer. It has a soundtrack of exactly one song, and during extended play you may find that one song to be worth disabling after a while. Sound effects are pretty minimal as well, but both are at the level expected for a pre-0.5 release.

I have installed Crimson Fields every which way, and it installs smoothly. There are user-contributed packages for every operating system under the sun, and the project directly provides a source tarball, source rpm, and generic Linux rpm. Crimson Fields is released under the GPL.

FlightGear 0.9.3

[FlightGear] FlightGear is a flight simulator. FlightGear claims to have a huge selection of airports and accurate scenery to accompany its airports. I was unable to confirm any of this because the few times I managed to get the plane off the ground it crashed. That is actually my litmus test of how good a flight simulator is. If I can't get the plane off the ground, it must be good. I'm starting to suspect I'll have to go to flight school to be able to play this game, so if flight simulators are your thing, you definitely need to check this game out. I can say, however, that I'm dying to see the beautiful scenery that I see in their screenshots. FlightGear only ran at about 10 frames per second on my machine, you will definitely need more powerful hardware than what I have.

FlightGear can be tricky to download. For some of their packages they depend on rpmfind.net, and for others you have to surf through their ftp mirrors. I have built FlightGear from source before, so it's definitely possible, but it's a build on the order of the Linux kernel itself--it takes a while. When you manage to find a binary download it's going to be very large, 98MB large. Luckily they offer it on CD as well, so if either bandwidth or patience is a problem you are currently experiencing, consider ordering a CD. FlightGear is released under the GPL.

Gaming Resources

There are a number of web sites you can visit that keep tabs on the Linux gaming community. Here is a list of those websites:
  • LINUXGAMES - A community news site that accepts story submissions from its readers.
  • The Linux Game Tome - attempts to catalog every single game available for Linux.
  • The Linux Gamers' Game List - A searchable list that offers filtering and sorting of the games in the list. The list is fairly old, but is still a good way to find established games.
  • Games for Linux - Another searchable list that supports user ratings.

Comments (32 posted)

System Applications

Audio Projects

Jack Audio Connection Kit 0.99.0

Version 0.99.0 of JACK, the Jack Audio Connection Kit has been released. Changes include additions to the API, better compatibility with NPTL, a new --unlock option, a new CoreAudio driver, fixes, code cleanups, and more.

Comments (none posted)

Database Software

Knoda 0.7.1 released

Version 0.7.1 of Knoda, a database frontend, is available. Changes include a fully KDE-compliant GUI, subform support, support for asterisks in the Query Editor, and bug fixes.

Full Story (comments: none)

pgst 1.1.0 Released

Version 1.1.0 of pgst, a GNOME-based frontend to PostgreSQL, has been announced. Here are the release comments: "Was developed on RedHat 9 Linux that had all the default RPMs installed on it and nothing more. Uses the same technology for the frontend that Red Hat uses for its GNOME-based control panels. More than likely it will work on any post 2003 Linux in the RedHat and Suse product lines, and many others."

Comments (none posted)

PostgreSQL Weekly News

The PostgreSQL Weekly News for September 21, 2004 is available, take a look for the latest PostgreSQL database information.

Full Story (comments: none)

Libraries

Prerelease of libgdither 0.2 dithering library

A pre-release of libgdither 0.2 is available for testing and comments. "Libgdither is a GPL'd library for performing audio dithering on PCM samples. The dithering process should be carried out before reducing the bit width of PCM audio data (e.g. float to 16 bit int conversions) to preserve audio quality."

Full Story (comments: none)
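To make the libgdither note concrete, here is an added illustration of why dither goes in before the bit width is reduced. This is not libgdither's code and it calls none of its API; the float-to-int16 conversion, the TPDF dither and the input signals are all constructed here for the demonstration. A signal smaller than half an LSB disappears entirely under plain rounding, while with triangular dither it survives on average, and out-of-range input is clipped rather than wrapped.

```python
"""Float-to-16-bit PCM reduction with and without TPDF dither.

Added example for the libgdither item: not libgdither's code, and it calls
none of its API. The signals below are constructed inline for the demo.
"""
import math
import random
import struct

INT16_MAX = 32767
INT16_MIN = -32768


def float_to_int16(samples, dither=True, rng=None):
    """Quantize float samples in [-1.0, 1.0] to int16 values.

    With dither=True, triangular-PDF (TPDF) noise spanning +/-1 LSB is added
    before rounding, which makes the rounding error independent of the signal.
    With dither=False the error is deterministic and correlated with the signal.
    Out-of-range input is clipped rather than wrapped; silently wrapping is the
    classic integer-conversion bug in audio code.
    """
    rng = rng if rng is not None else random.Random(0)
    out = []
    for x in samples:
        scaled = x * INT16_MAX
        if dither:
            # Sum of two independent uniform draws in [-0.5, 0.5) is TPDF in (-1, 1).
            scaled += (rng.random() - 0.5) + (rng.random() - 0.5)
        q = math.floor(scaled + 0.5)                   # round half up
        out.append(max(INT16_MIN, min(INT16_MAX, q)))  # clip, never wrap
    return out


def pack_int16_le(values):
    """Serialize int16 samples as little-endian bytes (raw PCM / WAV data chunk)."""
    return struct.pack("<%dh" % len(values), *values)


def sine(n, freq_hz, rate_hz, amplitude):
    """Constructed test signal: n samples of a sine at the given peak amplitude."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / rate_hz)
            for i in range(n)]


def mean_quantized_level(level_lsb, n=20000, dither=True, seed=1234):
    """Quantize a constant signal of level_lsb LSBs and return the mean output.

    Without dither a constant below 0.5 LSB rounds to zero every time; with
    TPDF dither the mean of the output tracks the true sub-LSB level.
    """
    x = level_lsb / INT16_MAX
    q = float_to_int16([x] * n, dither=dither, rng=random.Random(seed))
    return sum(q) / len(q)


if __name__ == "__main__":
    quiet = sine(1000, 440.0, 44100.0, 0.4 / INT16_MAX)   # peak of 0.4 LSB
    plain = float_to_int16(quiet, dither=False)
    dithered = float_to_int16(quiet, dither=True)
    print("undithered nonzero samples:", sum(1 for v in plain if v))
    print("dithered   nonzero samples:", sum(1 for v in dithered if v))
    print("0.3 LSB DC, no dither, mean:", mean_quantized_level(0.3, dither=False))
    print("0.3 LSB DC, TPDF dither, mean:", round(mean_quantized_level(0.3), 3))
    print("clipping 1.5 / -1.5:", float_to_int16([1.5, -1.5], dither=False))
    print(len(pack_int16_le(dithered)), "bytes of 16-bit PCM")
```

The 0.4 LSB sine is a deliberately pathological input: undithered it quantizes to a run of zeros, so the signal is gone, whereas the dithered output is a noisy -1/0/1 sequence whose average still follows the sine. The same holds for the constant 0.3 LSB case, where only the dithered mean reports the true level.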

Mail Software

SpamAssassin 3.0 released

SpamAssassin 3.0 has been released. There's a lot of stuff in this release, including SPF checking, testing for spammer URLs, a new plugin mechanism for third-party modules, better SQL database support, and more. This is the first release under the Apache Software Foundation umbrella; it is now covered by the Apache license. There is an information posting with details on this release.

Comments (none posted)

Web Site Development

Apache HTTP Server 2.0.51 Released

Version 2.0.51 of Apache is out. "This version of Apache is principally a bug fix release. Of particular note is that 2.0.51 addresses five security vulnerabilities".

Full Story (comments: none)

Midgard 1.6.0rc1 released

Version 1.6.0rc1 of Midgard, a CMS framework, is available. Changes include Multilang and PAM support, an Apache2 module, a PHP4 module, and a new version of midgard-data.

Full Story (comments: none)

Samizdat 0.5.3, the Portal release

Version 0.5.3 of Samizdat, a generic RDF-based engine for building collaboration and open publishing web sites, is out. "Starting with this version, Samizdat can send out email: currently, it is used to recover lost passwords and to confirm that member email address is real. Email addresses are now unique, making it more difficult to cheat using throwaway accounts. Other changes include new dc:description message property for attaching article abstract, thumbnail image, or table of contents to a message, new preferences infrastructure allowing to add more server-side member settings in the future, and the inevitable database schema change."

Full Story (comments: none)

ZopeMag Weekly News

The ZopeMag Weekly News for September 22, 2004 is out with the latest Zope and Plone development news.

Comments (none posted)

Miscellaneous

YALE 2.4 released (SourceForge)

Version 2.4 of YALE (Yet Another Learning Environment), a Java environment for machine learning and data mining, is available. "Several new features were implemented for YALE 2.4. These are a LearningCurveOperator, StandardDeviationWeighting, PrincipalComponents, WekaAttributeWeighting, C45ExampleSource, Obfuscator, Deobfuscator, CorpusBasedWeighting, and several XXXExampleSource operators."

Comments (none posted)

Desktop Applications

Desktop Environments

GARNOME 2.8.0 announced

Version 2.8.0 of GARNOME, the bleeding-edge GNOME distribution, is out. "This release incorporates the GNOME 2.8.0 Desktop & Developer Platform, as well as plenty of new third-party package updates and funkey new features."

Full Story (comments: none)

gnome-themes 2.8.0 announced

Version 2.8.0 of GNOME-themes, a collection of themes for the GNOME desktop, is available. Changes include the new Glider theme and some bug fixes.

Full Story (comments: none)

KDE CVS-Digest

The September 17, 2004 edition of the KDE CVS-Digest is online, here's the content summary: "Kpdf adds zoom, search, thumbnails and is optimized. Kontact now supports Kolab version 2. Krita adds startup templates. khtml improves the outline painting algorithm. Kopete merges Novell GroupWise Messenger support into HEAD. Plastik style optimized."

Comments (none posted)

KDE 3.3 Usability Study and Review (KDE.News)

KDE.News looks at a userinstinct usability review. "Based on feedback from our test group, the default settings for a number of KDE parameters differ from what is usually expected and desired by users. Providing better defaults would reduce the time users spend looking for configuration settings and would provide a better "out-of-the-box" experience."

Comments (none posted)

Electronics

gEDA News

The latest releases from the gEDA project include new versions of the Icarus Verilog compiler and gspiceui, a GUI frontend to several freely available SPICE simulators.

Comments (none posted)

XCircuit 3.2.27 released

Version 3.2.27 of Xcircuit, a schematic drawing package, is available. From the CHANGES file: "Quick fix to allow the non-Tcl code to compile; the experimental "ngspice" code contains numerous Tcl references, and although it does not depend on Tcl in principle, it is easier just to disable the code for the non-Tcl compile. It will not be missed. Also: Changed the startup method from the hacked-up redirection of $HOME to a standalone "wish"-like executable that sets up "wish" to read in the .xcircuitrc file as its startup script."

Comments (none posted)

GUI Packages

GTK+ 2.4.10 released

Version 2.4.10 of GTK+, a multi-platform toolkit for creating GUIs, is out with numerous bug fixes and more.

Full Story (comments: none)

TG Framework - Milestone Release 1.0a1

The first alpha release (1.0a1) of the TechGame Framework for Python, has been announced. "The TechGame Framework for Python is a toolkit for skinning (building) GUIs using a blend of XML, CSS, and Python."

Comments (none posted)

Interoperability

Wine 20040914 is available

Version 20040914 of Wine has been announced. Changes include improvements to the common controls, a new ITSS dll, compatibility fixes in the exported headers, replacements for the Windows standard bitmap fonts, and bug fixes.

Comments (none posted)

Wine Traffic

The September 17, 2004 edition of Wine Traffic is available with the week's Wine news.

Comments (none posted)

Mail Clients

Evolution 2.0.0 released

Evolution 2.0.0 has been released to go along with GNOME 2.8. There's lots of new features, including NNTP and S/MIME support, built-in SpamAssassin filtering, web calendars, and more; click below for the details.

Full Story (comments: 16)

Ristretto 1.0 RC2 released (SourceForge)

Version 1.0 rc2 of Ristretto, the mail api for the Columba mail client, is out. "New and noteworthy features are: implementation of the IMAP Namespace extension (RFC 2342), asynchronous download of messages from POP3, license changed to tri-license MPL/LGPL/GPL and more JavaDocs added."

Comments (none posted)

Music Applications

Q-Audio 2.0 and Q-Synth 1.0 released (SourceForge)

New versions of Q-Audio and Q-Synth have been announced. "Q is a functional programming language based on the term rewriting calculus. Q-Audio 2.0 is a major update, which now supports ALSA and Jack via PortAudio v19, and also adds Fourier transform operations via FFTW3. Q-Synth 1.1 is a minor update which fixes some bugs in the SuperCollider synth definitions and adds support for Q-Audio 2.0."

Comments (none posted)

Office Suites

KOffice 1.3.3 Released (KDE.News)

KOffice version 1.3.3 has been announced. "The KOffice team is happy to bring you the third bugfix package that builds upon the previous 1.3.x versions, with many fixes, mainly in the core libraries and in some filters. But there is also a fully new and complete translation for KOffice: Welsh."

Comments (none posted)

Digital Photography

ESWPHOTO 0.1.9 released

The Pygame site has an announcement for version 0.1.9 of ESWPHOTO: "A slideshow viewer, designed for digital photography enthusiasts. Features include: intuitive control (no distracting GUI), zoom and pan feature, full screen, fast, EXIF tag display, high quality scaling, lossless image rotation."

Comments (2 posted)

Miscellaneous

gcalctool v4.4.19 announced

Stable version 4.4.19 of gcalctool, the default GNOME desktop calculator, is available. "This release is for GNOME 2.8.1 when it becomes available. Note that gcalctool now requires the Gtk+ libraries that come with GNOME 2.6 or later in order to build."

Full Story (comments: none)

GPSBabel beta 09202004 released (SourceForge)

Beta release 09202004 of GPSBabel, a cross-platform and cross-vendor GPS application, has been announced. "This version adds several new formats and filters and fixes several bugs. The next version will add the Garmin/USB work to cover 60C, 60CS, 76C, 76CS, 96C, VistaC, and SummitC on Windows."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The September 14-21, 2004 edition of the Caml Weekly News is out with the week's collection of Caml language articles.

Full Story (comments: none)

Erlang

Erlang REPOS 1.0 beta 3 released

Version 1.0 beta 3 of Erlang REPOS, a CDROM-based repository of Erlang projects, is out with a multitude of ready-to-use Erlang software projects.

Full Story (comments: none)

Java

Joone DTE 0.8.0 released (SourceForge)

Version 0.8.0 of Joone, a Java-based neural net framework, has been announced. Changes with this release include an almost linear-scaled training process, dynamic addition and removal of machines, XML-based process parameter control, Jini 2.0 compliance, and more.

Comments (none posted)

Develop aspect-oriented Java applications with Eclipse and AJDT (IBM developerWorks)

Matt Chapman and Helen Hawkins introduce AJDT on IBM's developerWorks. "The AspectJ Development Tools for Eclipse (AJDT) is an open source Eclipse Technology Project that provides the tooling required to develop and run AspectJ applications. We believe good tools have a key role to play in realizing the full benefits of aspect-oriented programming, and particularly in helping newcomers understand the concepts involved."

Comments (none posted)

Can't beat Jazzy (IBM developerWorks)

Tom White covers spell checking with Jazzy on IBM's developerWorks. "Users have come to expect spell-check capabilities from applications that involve natural-language text entry. Because building a spell checker from scratch is no simple task, this article offers you a workaround using Jazzy, an open source Java spell checker API."

Comments (1 posted)

Developing Your First Enterprise Beans (O'Reilly)

O'Reilly has published part one in a book excerpt series on Enterprise Beans. "One of the most important features of EJB is that enterprise beans have the ability to work with containers from different vendors. However, that doesn't mean that selecting a server and installing your enterprise beans on that server are trivial processes."

Comments (none posted)

Understanding the Interplay Between Utility Classes and Static Initialization (O'Reilly)

Satya Komatineni covers issues with Java static functions on O'Reilly. "Java is an OO language, which means much of the functionality of a Java application is encapsulated into cohesive classes that can be instantiated and acted upon. Nevertheless, once in a while you end up with some functions that are applicable to more than one class. These functions don't really belong to any particular class, but to a sub-system or a package. Although one can express this grouping as a class by itself (represented by interfaces), it is just simpler to collect them as static functions in a class, when one doesn't need the sophistication of service-centric approach for these methods."

Comments (none posted)

Perl

Simon Cozens' Modules Need New Maintainers (use Perl)

Use Perl has a request for help with the maintenance of Simon Cozens' legacy Perl modules. "He's retiring from the CPAN, and leaving his legacy of Perl modules behind. I've stepped up to take on the task of making sure his 100 modules don't fall into disuse, and that they have proper new masters and mistresses, like I did with Iain Truskett's modules when he passed away last year."

Comments (none posted)

Volunteers wanted to help get PPI to 1.0 (use Perl)

Use Perl has a request for volunteer help on PPI, the 'almost parser' for Perl. "While all the hard work is done now, and it is largely complete and quite usable, I've gotten tied up with work, and I will not have the time in the foreseeable future to finish the final features, testing and docs to get it to 1.0."

Comments (none posted)

This Week on Perl 6

The September 16, 2004 edition of This Week on Perl 6 is out with the latest Perl 6 discussion topics.

Comments (none posted)

PHP

PHP 4.3.9RC3 released

Version 4.3.9RC3 of PHP is out. "This is the last release candidate before the final release and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."

Comments (none posted)

PHP Weekly Summary for September 6, 2004

The PHP Weekly Summary for September 6, 2004 is out. Topics include: PHP 5 Bug Summary, native PHP events, 4.3.9 RC 2, vars to string, preg_match and object cast, pdflib 6 support, hashes in globals, sqlite_temp_dir, and untrusted serialized data.

Comments (none posted)

Python

python-dev Summary

The August 16-31, 2004 edition of the python-dev Summary is available, take a look to see the latest discussions from the python-dev mailing list.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The September 20, 2004 edition of Dr. Dobb's Python-URL! is online with a new collection of Python language article links.

Full Story (comments: none)

Ruby

QtRuby and Korundum Bring eXtreme RAD to KDE (KDE.News)

KDE.News looks at Ruby developments under KDE. "Now with QtRuby and Korundum, that power and expressivity has increased: You can sketch out pretty interfaces with Qt Designer and automatically create Ruby code with the rbuic tool. Or do amazing things with DCOP without needing preprocessors, makefiles etc -- just type in your Ruby script and be in control of your desktop. In fact, you can find a fairly complete description of all the features supported by QtRuby and Korundum over at the Ruby bindings section of the KDE Developer's Corner."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The September 21, 2004 edition of Dr. Dobb's Tcl-URL! is available with more Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Perl Parser Performance (O'Reilly)

Petr Cimprich looks at Perl-based XML parser performance in an O'Reilly article. "There was one dominant XML parser in Perl a few years ago; parsing an XML document was synonymous for using the XML::Parser module. The module written by Larry Wall and Clark Cooper worked as an interface to James Clark's expat XML parser, and it didn't leave much room for competitors. Traditional Perl modules for XML processing were built on the top of XML::Parser. But times are changing."

Comments (none posted)

Build Tools

Automate the application build and distribution process (IBM developerWorks)

Martin C. Brown works on the process of optimizing software builds across multiple platforms. "You have enough to consider when building an open source application for a single type of system, but what if you're building that application for distribution among a range of different, incompatible machines? There's no easy answer, but using a little discipline and some custom scripts, you can simplify the process. This article looks at how to create a structure for building and distributing applications, including heavily customized versions, and a simple way of disseminating the applications among a number of machines, manually or automatically, as easily as possible."

Comments (none posted)

IDEs

developing FLTK applications in Eclipse

A new document called developing FLTK applications in Eclipse by Dejan Lekic has been placed online. "Each section in this document will come with one picture and explanation (that is why it's called "step-by-step"), and it actually represents each successive step in setting up Eclipse for working on a simple FLTK-based application called "flimple"."

Comments (none posted)

Profilers

Coverage Measurement and Profiling (Linux Journal)

Zach Frey explains code coverage analysis on Linux Journal. "Maybe you've always wondered what the gcov utility that comes with GCC is used for, or maybe your new project at work has a regulatory or customer requirement that your delivered software be tested to a certain percentage of coverage, and you are looking for how to accomplish that task. In this article, I introduce the general ideas of coverage measurement and of performance profiling, along with the standard GNU tools (gcov and gprof) used in these two techniques."

Comments (none posted)

Test Suites

Marathon 0.84 Released (SourceForge)

Version 0.84 of Marathon is available. "Marathon is a testing framework for GUI applications developed using Java/Swing. Marathon is composed of a recorder, runner and editor. The test scripts are composed of Python code. Marathon version 0.84 is released, this contains minor feature enhancements and bugfixes."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

OpenOffice: A legal Trojan horse--but for whom? (ZDNet)

Here's a lengthy ZDNet article about the agreement between Sun and Microsoft which protects StarOffice users - but not OpenOffice users - against Microsoft patent suits. "It's a message from Microsoft and Sun to companies like Red Hat and IBM that they will allow and, in Sun's case, even promote the benefits of open source for the open-source community. But, they're not willing to be IP benefactors to competitors like Red Hat and IBM that would just as soon destroy them with their own IP. If you doubt this, allow me to remind you of what Steve Ballmer said on the day that Microsoft and Sun went public with their watershed agreement: 'It's an agreement that comes from two companies that believe in intellectual property, that develop intellectual property and that are respecting intellectual property.'"

Comments (19 posted)

What the open source industry stands for (ZDNet)

Con Zymaris expresses some observations about the open-source community. "Let's establish another truism while we are at it: all open source software is commercial. Open source licenses are not anti-commercial; they are anti lock-in. There is a big difference. Removing the possibility of vendor lock-in is good for end-users. Support this stance when you see it. Furthermore, there have been open source vendors selling solutions in this space for over 15 years. Open source is not suddenly going 'commercial'--it always has been."

Comments (5 posted)

Trade Shows and Conferences

Extreme Markup 2004 (O'Reilly)

O'Reilly covers the Extreme Markup Languages conference. "What we like most at Extreme is the opportunity for networking, controversy, and intellectual challenges. From Usdin's opening keynote, "Don't Pull Up the Ladder Behind You," to Sperberg-McQueen's "Runways, Product Differentiation, Snap-Together Joints, Airplane Glue, and Switches that Really Switch," the latest edition of his eagerly awaited annual wrap-up, the focus was once again on what makes markup work and how we can stretch its limits."

Comments (none posted)

The SCO Problem

SCO v. IBM hearing report (Groklaw)

Groklaw has an early report from today's hearing in the SCO v. IBM case. "Frank's impression is that [Judge] Kimball had made up his mind by the time it was over, and if he had to guess, he'd guess that he is going to rule against SCO on its motion and for IBM on its motion." It looks like we get to wait a week or so for a ruling.

Comments (none posted)

SCO Reaps What It Sows - A Supplemental Memo on Discovery Boomerangs (Groklaw)

Groklaw reports on a legal blunder by SCO. "Here is SCO's supporting memorandum. What it tells us is priceless. It seems that when SCO filed its Supplemental Memorandum, with the permission of Judge Wells, another in a long series of the paper blizzard they have been showering on the court, regarding their alleged need for all of AIX since the founding of the world, they shot themselves in the foot. SCO presents the "emergency" as dire indeed, brought on by IBM's litigation tactics, as they put it, and which -- unless the Court will help -- means IBM will win, they say, based on tactics and not merits."

Comments (none posted)

SCO asks IBM for 'road map' (Salt Lake Tribune)

The Salt Lake Tribune reports from the SCO v. IBM hearing. "However, in a hearing that began at 2 p.m. and continued more than an hour after the courthouse's 4:30 p.m. closing time, the judge repeatedly cut off SCO's attorneys to keep them narrowly on the issues at hand. 'Unix is yours and Linux everybody can get hold of it, right?' [Judge] Kimball asked at one point, and later, visibly frustrated, the judge pressed further: 'What is it you think you need?'"

Comments (none posted)

Dr. Randall Davis's 2nd Declaration - I Found No Identical or Similar Code (Groklaw)

Groklaw reports that MIT's Dr. Randall Davis has been unable to find any infringing code in Linux. "Dr. Davis looked at all the code Sandeep Gupta listed as allegedly infringing, and this world-famous expert concludes thus: "Despite an extensive review, I could find no source code in any of the IBM Code that incorporates any portion of the source code contained in the Unix System V Code or is in any other manner similar to such source code. Accordingly, the IBM Code cannot be said, in my opinion, to be a modification or a derivative work based on Unix System V Code.""

Comments (5 posted)

Companies

Mandrakesoft positions for the future (NewsForge)

NewsForge takes a look at Mandrakesoft. "Mandrakesoft, the Parisian Linux company known for its stylized penguin, is persistent. A new release of its flagship Linux operating system and some interesting financial news suggest the company, which filed for bankruptcy only last year, is back on track."

Comments (none posted)

Microsoft to take direct shots at Linux rivals (News.com)

News.com reports on a change of strategy in Microsoft's campaign against Linux. "Taylor's methods include funding analyst firm studies, launching a "Get the Facts" advertising campaign and discouraging Microsoft executives from making any more inflammatory comments that open-source software is a "cancer" or "un-American." Taylor meets with customers worldwide and has begun expanding the Microsoft attack to Europe. Taylor said he expects that targeting Linux sellers such as Red Hat and Novell will be persuasive to software customers."

Comments (36 posted)

Sun Close to a Linux Purchase (InternetNews.com)

InternetNews.com speculates that Sun is about to announce a Linux acquisition. "Sources close to the discussions said they expected that company to be embedded Linux player MontaVista, but cautioned that the deal wasn't finalized and talks could still break down."

Comments (10 posted)

Business

Linux small business servers (NewsForge)

NewsForge takes a look at two Linux based server products. "At least two companies, ClarkConnect and Cybernet, directly challenge the notion that Microsoft has a lock on the small and medium business server market."

Comments (3 posted)

WINE will set you free, hardware vendors told (The Age)

The Age covers WINE advocates within Australia's Open Source Industry Association. "OSIA spokesman Steven D'Aprano said if WINE was nurtured then Linux would be able to run most Windows applications and could deliver higher margins and more control to the PC vendors." (Thanks to Con Zymaris)

Comments (12 posted)

Linux Adoption

Linux can give kids an edge (NewsForge)

Here's a NewsForge article about teaching kids Linux skills. "A standard Linux CD set gives a young person just about every imaginable computing tool. While your youngsters may not need to be a super techno whiz when it comes to computers, giving them a view of the multi-user networked world at a young age puts them that much farther ahead of kids that were brought up on, shall we say, less capable platforms."

Comments (13 posted)

Linux at Work

Linux in Government: Navy Sonar Opens New Opportunities for Linux Clusters and IBM G5 servers (Linux Journal)

Yellow Dog Linux powers naval sonar systems, from Linux Journal. "Lockheed Martin delivered a High Performance Computing (HPC) solution to the US Navy last year to run sonar systems in nuclear submarines. The solution involved Apple Xserve systems using G4 processors and a Red Hat Linux-based operating system. While few people noticed the announcements made by Terra Soft, makers of Yellow Dog Linux, the event triggered ripples in the industry."

Comments (9 posted)

Interviews

Why The Open-Source Model Can Work In India (Information Week)

Information Week talks with professor Deepak Phatak about free software in India. "The fact that the open-source community offers users a direct dialogue with the developers of a particular application provides particular appeal in India. This direct connection is something that's been lacking for Indian businesses, many of which must resolve software problems through system integrators rather than the vendors themselves, Phatak says."

Comments (none posted)

Interview with Jaanus Kase from Skype (KDE.News)

KDE.News interviews Jaanus Kase, a member of the Skype internet telephony project's project management team. "Today we now have just over 10.5 million registered users on Skype as we also track this information. The concurrent online users figure, which you can see in the Skype client, is approaching half a million. These are very significant numbers and they are growing all the time."

Comments (none posted)

Man in the middle: Jack Messman talks to vnunet.com (vnunet)

Vnunet interviews Jack Messman, Novell CEO, at Novell BrainShare Europe in Barcelona. "Ximian taught us some new ways of thinking about software development. I guess the biggest opportunity is to change our culture to be more customer-focused and open source-oriented. Some old habits continue and we're slowly eliminating those. Novell has always been an engineering-driven organisation that created great products, some of which nobody wanted or were created ahead of the marketplace."

Comments (none posted)

Resources

A Linux graphics project that could be a good opportunity for the right developer(s) (NewsForge)

Robin "roblimo" Miller is looking for better video screen-capture software, on NewsForge. "So far the two most likely Linux video screen capture programs I've found are vnc2swf and Xvidcap. The problem with vnc2swf is that it produces only .swf files without sound, so to make narrated videos in MPEG format requires a format conversion step, possibly using transcode, a utility neither I nor several friends have managed to get working correctly. But if we can get transcode working correctly, once we convert our swf videos to MPEG we should theoretically be able to add a soundtrack recorded before we started making our screen capture video or one recorded at the same time -- or record and add a new one after the fact. This would work, but it would lengthen production time considerably."

Comments (2 posted)

Using Extensions in Firefox (O'ReillyNet)

O'ReillyNet plays with Firefox extensions. "If you are a web application developer, then the Web Developer extension is a godsend. Web Developer adds a menu and a toolbar to the browser with various web developer tools such as converting POSTs to GETs, hiding and disabling images, outlining block-level elements, disabling styles, and so on."

Comments (none posted)

Formatting documents with OpenOffice.org Writer macros (NewsForge)

Micha Kosmulski discusses OpenOffice.org Writer macros in a NewsForge article. "This article presents some macro "building blocks" you can use to modify a document's formatting or to generate well-formatted documents from plain text files."

Comments (none posted)

Open Source and Free Documentation Licenses, Part 1: The GNU FDL (O'ReillyNet)

O'ReillyNet begins a series on licensing for software and documentation. "The licenses discussed in this series of articles--the GNU Free Documentation License (FDL), the Open Publication License, and the Open Gaming License--are directed at documents in particular. They reflect a fundamental split in licensing philosophies associated with different groups of open source licenses. The GNU Free Documentation License, described in this article, applies to documents the same requirements of reciprocity applied by the GNU General Public License to software."

Comments (11 posted)

Open Source Wireless Tools Emerge (IBM developerWorks)

IBM developerWorks covers some tools for wireless computing. "Though open source projects are beginning to bloom, wireless tools and apps are emerging more slowly than open source applications in other significant networking and telephony categories. At present, the mobile development world is largely controlled by major handset manufacturers, companies that generally make money by licensing copies of their own operating systems. And wireless LANs, for their part, have not become critical enough to attract the interest of the corporate sponsors who can give large open source projects a kick start."

Comments (1 posted)

Reviews

Beowulf Cluster Computing with Linux, Second Edition (Linux Journal)

Linux Journal reviews the book Beowulf Cluster Computing with Linux. "This book is valuable for three audiences: management, system administrators and developers. For management, it provides enough information to become familiar with the concept of a Beowulf cluster and determine whether the effort and cost of a cluster is worthwhile. It provides you with enough information to evaluate vendor proposals, and it should provide enough information to assist in making the build/buy/lease decision."

Comments (1 posted)

Hot LyX (NewsForge)

NewsForge reviews LyX. "LyX's primary benefit is that it takes the work of typesetting completely out of your hands. Since I spend a lot of time writing without knowing what the target format will be, I found LyX to be exactly the right tool at the right time for me. I find that even after I've written something in one format I frequently have to provide the same stuff in other formats, and LyX handles that beautifully."

Comments (5 posted)

Miscellaneous

Linux blunder Down Under could land MPAA in court (ZDNet)

ZDNet Australia covers an MPAA screwup. "Linux Australia president Pia Smith told Builder AU the MPAA had issued Linux Australia with a notice of claimed infringement demanding the group cease providing access to two copyrighted movies -- one called 'Grind' and the other 'Twisted' -- and ordering it to 'take appropriate action against the account holder'. However, the files in question had nothing to do with those movies. The file entitled Twisted is a download of the popular framework written in Python and Grind refers to a download of Valgrind, a tool for developers to locate memory management." Linux Australia looks set to have some fun with this one.

Comments (16 posted)

Mozilla Press Roundup (MozillaZine)

MozillaZine has put together a press roundup with numerous article links. "Lots of press on one of the biggest Firefox releases to date, starting with a profile of Ben Goodger, in the New Zealand Herald. News.com had 4 different articles covering Mozilla news, with the first 3: "Mozilla burns to prove Firefox worthy", "Firefox drawing fans away from Microsoft IE", and "Firefox browser to hit 1.0 milestone", covering Firefox's release and marketshare, and the final one, "Latest Mozilla releases fix 10 security flaws", covering the security holes that were fixed in the latest release cycle."

Comments (none posted)

The Nazgul, A Derivative Work of the Intellectual Property of Edgar Allan Poe, by Alanyst (Groklaw)

Groklaw presents a parody of Edgar Allan Poe's "The Raven."
Once upon a midnight dreary, as I worked at SCO/Caldera,
Searching many quaint and curious printouts of forgotten source --
While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping, rapping at my office door.
"Tis some co-worker," I muttered, "tapping at my office door --
Only this, and nothing more."

Comments (1 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Firefox hits 1,000,000 downloads in under 100 hours (MozillaZine)

MozillaZine reports on a new record for Firefox browser downloads. "The site had been hoping for 1 million downloads in 10 days, and has easily surpassed that goal. As of today, they are reporting that there have been just over 1.5 million downloads, and we expect them to hit 2 million by the end of the 10 day campaign."

Comments (none posted)

GNOME Anonymous Voting Referendum

The GNOME Foundation has announced a new Anonymous Voting Referendum.

Full Story (comments: none)

LPI Announces HP Sponsorship of LPI-German

The Linux Professional Institute has announced the sponsorship of LPI-German by HP. "The Linux Professional Institute (LPI), the premier Linux certification organization world wide together with its affiliate LPI-German, announced that Hewlett-Packard Education Services had become its most recent sponsor. Hewlett-Packard Germany was providing the sponsorship to LPI international to assist with LPI-German marketing and business development activities in Germany, Austria and Switzerland."

Full Story (comments: none)

LPI RFC process for community input

The Linux Professional Institute has sent out an RFC looking for input from the open-source community. "I have put up an RFC on the LPI wiki with the intent that this be a formal process where people in the community can suggest policies, procedures, technical infrastructure, practices, ideas, ... I am looking for comments on this idea, in general, but specifically, I'm looking for comments on the process RFC itself."

Full Story (comments: none)

mozdev's 4th Anniversary Pledge Drive (MozillaZine)

The mozdev.org folks will be holding a pledge drive. "In the last year, mozdev has incorporated as a non-profit organization and is working on receiving tax-exempt status. The site is now hosting over 150 active projects and receives over 2 million page views a week. To keep the site growing we are asking the community to help us raise $5000 to pay for ongoing hosting costs, fees associated with incorporating, and other expenses involved with becoming a fully functioning non-profit organization."

Comments (none posted)

MozillaES Launches Spanish mozillaZine (MozillaZine)

A new Spanish version of MozillaZine has been launched. "Together with this, they have a whole new portal for Spanish-speaking users including forums, polls, FAQs, downloads, etc., at http://www.mozillaes.org/."

Comments (none posted)

Commercial announcements

Amstrad E3 video phone runs Linux

Here's another Linux-powered gadget: according to this MontaVista press release, the Amstrad E3 video phone runs MontaVista Linux. Of course, we would be remiss if we neglected to point out NTK's take on the E3.

Comments (8 posted)

ARC Brings Linux to the ARC 700 Configurable Core

ARC has announced that they will be supporting Linux on their new ARC 700 configurable processor core. "The ARC 700 is designed to provide customers a high-performance embedded core, which is configurable to deliver very small die size and silicon cost. The GNU tool chain supports the ARC 700's DSP capabilities, while Linux provides process-level protection."

Comments (none posted)

Astaro Promotes Jon Friedman to VP of Product Marketing

Astaro has announced the promotion of Jon Friedman to Vice President of Product Marketing. ""Since joining Astaro, Jon has clearly articulated Astaro's value to customers in marketing messages, collateral, sales tools, and Webinars," said Jan Hichert, CEO and co-founder of Astaro. "This has improved our lead generation and sales effectiveness. In his new role, Jon will help Astaro maintain our rapid growth by applying his excellent management and communications skills to expanding our product line and strengthening our partner programs.""

Comments (none posted)

JBoss, Inc. Delivers JBoss Application Server 4.0 to the Enterprise Market

JBoss, Inc. has announced general availability of JBoss Application Server 4.0 for enterprise production deployment.

Comments (none posted)

Mandrakesoft shareholders approve transfer to regulated market

Mandrakesoft shareholders have voted to transfer from the unregulated Marché Libre to a regulated market, by December 2005. The shareholders also approved a capital increase of up to 6 million euros at a price of 6 euros per share. The capital increase is to be completed by mid-December 2004. Finally, shareholders approved the acquisition of services company Edge-IT.

Full Story (comments: none)

PathScale EKO Compiler Suite accelerates

PathScale has announced (PDF) over 1000 downloads for the PathScale EKO Compiler Suite for 64-bit Linux applications.

Comments (none posted)

Red Hat's second quarter results

Red Hat has sent out a press release with its second quarter results: income of almost $12 million on $46 million in revenue.

Comments (none posted)

New Books

"Understanding Open Source and Free Software Licensing" Released by O'Reilly

O'Reilly has published the book Understanding Open Source and Free Software Licensing by Andrew M. St. Laurent.

Full Story (comments: none)

Resources

The LDP Weekly News

The September 22, 2004 edition of the Linux Documentation Project Weekly News is available with the latest new and updated documentation.

Full Story (comments: none)

CSC releases open source study

Computer Sciences Corporation has announced the release of a study called "Open Source: Open for Business." It is available as a 96-page PDF file. We are just beginning to look at it, but it looks like a comprehensive and highly positive report. "Indeed, open source places the scarce resource of software into everybody's hands, the way the Gutenberg press placed the scarce resource of texts into everybody's hands. The open, collaborative approach levels the playing field, enabling anyone to contribute and defying the big hand of the corporation. Open source is a movement that is technical, political, and sociological."

Comments (7 posted)

Contests and Awards

Docs Competition - Win O'Reilly Gear (KDE.News)

KDE.News mentions a documentation effort that includes prizes. "If you missed out on the writing competition at aKademy, now is your chance to make up for it. The KDE Quality and Documentation teams have got together to offer some great O'Reilly prizes for writing documentation. All you have to do to enter is write a page for the new KDE User Guide within two weeks and we'll send you a prize! Read on for the full details."

Comments (none posted)

Half Price Computer Books Scholarship Winners Optimistic About Open Source

Half Price Computer Books has announced the winners of their Fall 2004 essay scholarship award. "Congratulations to Matthew Isison (Boxford, MA), Kimberley Liao (Sterling, VA) and David Suozzi (Albuquerque, NM). All three winners chose to discuss the viability of Open Source software as a business concept. Despite the paradoxical nature of profiting from free software, the winners insightfully identified various methods of revenue generation, such as charging for support, tiered licensing, product tie-ins, and advertising."

Full Story (comments: none)

Upcoming Events

EclipseCon 2005 Announced

EclipseCon 2005 will be held in Burlingame, CA on February 28 - March 3, 2005. "You'll have the chance to hear the very latest that's new and cool from around the community and you'll have a chance to take tutorials, listen to presentations and participate in a variety of forums with key Eclipse developers and community members. The Program Committee has also released a Call For Papers."

Full Story (comments: none)

Media Innovation Unit Workshops at Firenze World Vision

Streaming media connections will be available for several workshops at the Firenze World Vision conference. The workshops will be held from September 23-25, 2004.

Full Story (comments: none)

IBM Software Development Technical Conference

IBM will be holding a Software Development Technical Conference in Strasbourg, France on October 12-15, 2004.

Full Story (comments: none)

Independent High Performance Computing Seminar

The Independent High Performance Computing Seminar will be held on September 30, 2004 at the National Space Centre in Leicester, UK. "HPC is at a major crossroads. Cluster capabilities are at unprecedented levels and new technologies and applications have led to new challenges. As the former mainstays of the Linux community have become increasingly commercially focussed, it has become vital that academia, government and industry are able to address their HPC strategy with access to the best information."

Full Story (comments: none)

Linux.conf.au 2005 CFP

A call for papers has gone out for the 2005 linux.conf.au. The conference will be held in Canberra, Australia on April 18-23, 2005.

Full Story (comments: none)

Linux Installfest workshops in Davis - October 9th and 17th

The Linux Users' Group of Davis has announced two more Linux Installfest workshops in Davis, CA on October 9 and 17, 2004.

Full Story (comments: none)

London Perl Workshop (use Perl)

A one-day Perl workshop will be held on December 11, 2004 in London, England. "A small group of London Perl Mongers have organised a 1 day Perl Workshop to be held at the Imperial College Union on Saturday, December the 11th. It will have two tracks separated into Beginners and Advanced (or Scary :) Perl."

Comments (none posted)

Red Hat Announces First-Annual Summit

Red Hat, Inc. has announced its first annual summit; the event will take place in New Orleans, LA. "Summit 2005 will be held in New Orleans June 1-3 and will bring together the diverse people that make up the open source community, including community contributors, developers, customers and partners. The Summit will blend different views and content into a program useful for attendees building and enabling open source architectures."

Comments (none posted)

YAPC::NA::2005 Venue Chosen (use Perl)

The venue for the YAPC::NA::2005 Perl conference has been announced. The event will take place in Toronto, Canada on June 22-24, 2005.

Comments (none posted)

Events: September 23 - November 18, 2004

Date | Event | Location
September 23, 2004 | New Security Paradigms Workshop (NSPW) | White Point Beach Resort, Nova Scotia
September 23 - 24, 2004 | OpenOffice.org Conference (OOoCon 2004) | Humboldt University, Berlin, Germany
September 23 - 24, 2004 | php|works 2004 | Holiday Inn Yorkdale Hotel and Conference Centre, Toronto, Canada
September 23 - 26, 2004 | FirenzeWorldVision | Firenze, Italy
September 27 - October 1, 2004 | 4th International SANE Conference (SANE) | Amsterdam RAI Centre, Amsterdam, The Netherlands
September 27 - 29, 2004 | ConSec '04 | J.J. Pickle Research Center, Austin, Texas
September 29 - October 1, 2004 | OSCOM 4 | Swiss Federal Institute of Technology, Zurich, Switzerland
September 30, 2004 | HPC Is Changing - Seminar | National Space Centre, Leicester, UK
September 30, 2004 | Independent High Performance Computing Seminar | National Space Centre, Leicester, UK
October 2, 2004 | Ohio LinuxFest | Columbus, Ohio
October 6 - 7, 2004 | LinuxWorld Conference and Expo | Olympia Exhibition Centre, London, England, UK
October 8 - 10, 2004 | Linucon | Red Lion Hotel, Austin, TX
October 9, 2004 | Italian Code Jam | University of Ferrara, Ferrara, Italy
October 10 - 17, 2004 | MySQL Swell | Across the Mediterranean
October 11 - 15, 2004 | 11th Annual Tcl/Tk Conference | Bourbon Orleans Hotel, New Orleans, LA
October 21 - 22, 2004 | Web.It 2004 | Bari, Italy
October 21 - 22, 2004 | 5. Encuentro Linux | Valparaiso, Chile
October 26 - 28, 2004 | LinuxWorld Conference and Expo | Frankfurt, Germany
October 27 - 29, 2004 | Sixth International Conference on Information and Communications Security (ICICS'04) | Malaga, Spain
November 1 - 6, 2004 | International Computer Music Conference (ICMC) | Miami, FL
November 4 - 5, 2004 | HiverCon 2004 | The Davenport Hotel, Dublin, Ireland
November 6 - 12, 2004 | High Performance Computing, Networking, and Storage Conf (SCnn) | Pittsburgh, PA
November 7 - 10, 2004 | International PHP Conference 2004 | Frankfurt, Germany
November 8 - 10, 2004 | MySQL ComCon Europe | NH Hotel Frankfurt-Mörfelden, Frankfurt, Germany
November 14 - 18, 2004 | COMDEX Conference and Exposition | Las Vegas Convention Center, Las Vegas, Nevada
November 14 - 17, 2004 | ApacheCon 2004 US | Alexis Park Resort, Las Vegas, NV
November 14 - 19, 2004 | Large Installation System Administration Conference (LISA '04) | Atlanta Marriott Marquis, Atlanta, GA

Comments (none posted)

Web sites

SOT opens first Open Source demo server

SOT has announced a new open-source demo site. "SOT Finnish Software Engineering Ltd. has opened the Internet's first centralised demo server for Open Source products. The newly opened website offers product information, specifications and on-line demonstrations for 12 showcase products - a number that will increase to over 20 during the month of September."

Full Story (comments: none)

Wikipedia Reaches One Million Articles

The Wikimedia Foundation has announced the one millionth article in the Wikipedia online encyclopedia.

Full Story (comments: none)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds