LWN.net Weekly Edition for January 2, 2003

Obviously incorrect 2003 predictions

It's that time of year again. Traditionally the first LWN Weekly Edition of the year includes some predictions of what may happen in the near future. It is worthwhile, occasionally, to step back and think about what may be on the horizon, even though the real thing will, as always, include surprises that we are not able to anticipate.

Besides, real news tends to be scarce about now.

So, without further ado, here's a few Obviously Incorrect Predictions for the next year.

  • Use of Linux in government will increase, especially outside of the U.S. Government officials are increasingly concerned about security, long-term public access to records, costs, and the health of the local software industry. Free software offers help in all of those areas. Governments move slowly, but there will be significant steps toward governmental adoption of free software in the coming year.

  • There will be high-profile desktop deployments, inside and outside of government. Linux as a desktop system is good enough for many users now, and is only getting better. As the number of success stories grows, more organizations will take the plunge and switch over to free software.

  • There will be a direct patent challenge to one or more free software products. Thus far, there has been a great deal of nervousness about software patents, and people have occasionally had to code their way around patent issues. But there has been a distinct lack of actual infringement suits. Suing a free software user for patent infringement will be a powerful way of creating uncertainty throughout the community, however; 2003 may well be the year that this weapon gets used.

  • It will be a watershed year in intellectual property law, but we are not foolish enough to try to predict which way it will go. It could be that, in 2003, copyright extension is struck down, the DMCA is revised and defanged, and the entertainment industry figures out that it needs to go after pirates instead of harassing its customers. Or the courts could be hostile, the CBDTPA could be passed, new encryption restrictions could surface, and "trusted computing systems" could come closer to reality.

    The first scenario is not out of the question. The copyright extension and ElcomSoft cases have done a lot to raise awareness of the excesses of American (and, increasingly, worldwide) intellectual property law. The costs (and vulnerabilities) of copy protection systems are increasingly apparent to all. We won the encryption battle, and we could well win this one too. But the forces behind the attempted intellectual property takeover will not give up easily. One way or the other, 2003 will be interesting.

  • The 2.6 kernel will be released, but probably not until well into the second half of the year. Chances are the 2.7 development series will not open in 2003. Of course, all bets are off if Linus starts accepting new developments in 2.5, but chances are that will not happen.

  • There will be a SourceForge crisis in 2003. SourceForge is operated by a company which is still bleeding cash, and which no longer has any real interest in free software. VA Software's investors and board are bound to question the value of the free SourceForge service. That service may well be cut back - or start demanding some sort of payment - in the coming year.

  • UnitedLinux will not be enough to save all four of its participants; at least one of them will probably exit the distribution business by the end of the year. MandrakeSoft, which is in a cash crunch as of this writing, will pull through with support from its users and emerge as a viable (if smaller) company.

Those are our guesses for what this year holds for Linux and free software. These predictions are offered in the hope that they will be useful, but they come with NO WARRANTY regarding their fitness for any particular purpose or relation to any sort of reality.

Distribution support: how long is long enough?

[This article was contributed by LWN reader Joe 'Zonker' Brockmeier]

Red Hat's recently announced errata policy has drawn some fire from the Linux community for being too stingy. The new policy guarantees that releases will be supported for "at least 12 months from the date of initial release." To look at it another way, it paves the way for Red Hat to end support for products only one year after release. Red Hat's 8.0 release, officially released on September 30 of last year, is slated for retirement on December 31, 2003. Fourteen months is a fairly short life cycle for an operating system, particularly since most companies and users won't be switching to a new release immediately.

An end of life policy isn't new to Linux vendors, though such a short life span is. SuSE announced last year that the company would be retiring releases after two years. Caldera and Mandrake also end support for their products after a few years, though they seem to have no posted policy stating a specific shelf life for the products.

Some have noted that Red Hat may be trying to move users to its "Advanced Server" product. While the latest "consumer" release of Red Hat is being retired at the end of this year, Advanced Server won't be put out to pasture until 2005. Naturally, Red Hat charges much more for the Advanced Server product.

When a company like Microsoft decides to end support for a product, it puts its customers in a fairly unpleasant situation: Be stranded with an unsupported platform that will no longer receive bugfixes and support for new hardware, or buck up the money for upgrades and possibly break support for older applications and face hardware upgrades. Red Hat's customers are in a different position, however, since they possess the full source to their operating system; there's nothing that says that someone else can't maintain a release past Red Hat's expiration date.

Companies that specialize in Linux support (e.g. Tummy.com, others) could provide longer-term support for companies (and individuals who happen to have the cash) for a fee. For that matter, there's no reason a savvy admin couldn't continue to patch a system on their own without official errata from Red Hat. If demand is great enough, Red Hat users might even form a community effort to release errata for older releases, though that might be more effort than simply upgrading to new releases or switching distributions. It will be some time before we see just how well, or how badly, Red Hat's policy change goes over with the Linux Community. It's likely that it will draw little attention until the expiration dates start to approach.

While many Linux users may complain about having to upgrade or scrounge for patches on their own, there is some justification for Red Hat and other vendors to stop supporting older releases. The Open Source development model moves very quickly, making it difficult for a vendor to continue support for a wide variety of packages that may put out many releases a year. Not only does the vendor need to provide updates for each package, they must ensure that the updates don't conflict with or break other packages that may depend on them. For a company struggling to be profitable while still giving away its software, it may make a large difference in the bottom line.

On the licensing of software patents

Unless it is changed before adoption, the proposed W3C royalty-free patent policy will allow "field of use" provisions. Patented technologies which are included in a W3C standard must be licensed for royalty-free use - but only for implementations of the standard itself. Owners of patents can still require license payments for any other use of the technology.

What this means, of course, is that, if a W3C standard contains patented technology with "field of use" restrictions, no implementation of that standard may be distributed under the GPL. The GPL does not allow that sort of restriction. Free implementations of such standards can be distributed under BSD-style licenses, so it remains possible to implement the standard in free software. But the range of that freedom has been restricted somewhat.

These terms make an interesting contrast with another form of royalty-free patent licensing. Companies like Red Hat and FSMLabs have licensed their patents for use in free software - but only for software licensed under the GPL. BSD-licensed implementations are not covered by these patent licenses.

If these trends continue, the proliferation of software patents is going to bring about a partial partitioning of the free software ecosystem. The two types of patent licensing are, essentially, allergic to each other, and can not be mixed. This is not a new situation - mixing free software with different licenses can be problematic even without the additional complication of patent issues. But adding in incompatible patent licensing creates new and dangerous problems.

Software patents may well turn out to be one of the more potent weapons against free software in general. Patent infringement lawsuits can be filed against any user of the allegedly infringing software, not just its developers or distributors. A couple of high-profile examples of companies being dragged into court for using a free program would serve to create a great deal of fear, uncertainty, and doubt among all free software users - even if the patent suits are eventually tossed out. The free software community will have to step carefully when implementing algorithms covered by patents - and that may well not be enough.

Quick LWN update

The LWN staff has survived the holidays in reasonably good form. Hopefully the same is true for all of you; we wish you all the best for the new year.

Quite a few LWN subscriptions have expired over the holidays - many people, it seems, signed up at the beginning for a three-month subscription, and that has run out. If you are one of those folks, please consider renewing your subscription so you can have access to LWN's premium content and features and stay on top of what's happening in the Linux and free software community.

The final version of the LWN 2002 Linux Timeline is now available.

Enjoy the first LWN Weekly Edition of 2003, and thanks, as always, for supporting LWN.net.

Page editor: Jonathan Corbet

Security

Brief items

Postfix 2.0.0

[This article was contributed by LWN reader Tom Owen]

Wietse Venema released Postfix 2.0.0 on December 23. Originally created as the IBM "Secure Mailer" and released under GPL at the beginning of 1998, Postfix is a drop-in sendmail replacement designed from the ground up to be secure. Venema has a long history in the secure software area; his TCP Wrappers package has been going into Linux distributions unchanged for five years now. So a new major release of one of his packages is worth a look.

The Postfix 2.0.0 release notes list dozens of new features, changes and fixes, mostly consolidations of patch releases accumulated over the last year. The reason for the major version change seems to be to flag some of the changes listed as incompatibilities with 1.1.0. Few of these will cause problems at most sites but virtual domain admins and those receiving mail for users listed in a table (i.e. not in the local /etc/passwd file) will need to read the upgrade notes with special care.

Postfix's strong spam control gets a substantial upgrade with extra control over DNS checks and a rewrite of the relay blacklist (RBL) handling code with new configuration directives. Content filtering based on regular expression matching in headers and body is improved with finer granularity, faster processing, better handling for MIME and other attachments, a more expressive regular expression language and more options to deal with the messages that match.

The many improvements to MIME handling allow better control over the processing of messages with attachments. Meanwhile, only mail mavens and frustrated crackers will care about the subtle semantic changes in fancier address formats and headers. Sysadmins will mostly be pleased with performance improvements and better logging for Postcript and RBL actions. Features like MacOS X support and the better LDAP client have a narrower appeal.

And of course there are occasional items on the way out:

Sendmail-style virtual domains are no longer documented. This part of Postfix was too confusing.

Postfix administrators will be pleased by 2.0.0. They've seen most of it already in the patch releases, and for such a central piece of infrastructure, that's the way it should be. Postfix is still the same straightforward, rather easy to configure mail server, with excellent compatibility as a sendmail replacement and out of the box security.

And that may be the most important lesson from Postfix: not the secure, flexible, multi-process, untrusting design, not the reduction in the mailer monoculture, not even the lucid and closely documented code. Just that security and ease of use are, sometimes, compatible.

Secure Programming for Linux and Unix HOWTO updated

David A. Wheeler has announced the availability of an updated version of his "Secure Programming for Linux and Unix HOWTO." "...this version adds new text on handling tmp files where there are tmp cleaners running (true on most real systems - this causes particular problems with mktemp(1)), notes on avoiding buffer overflow in FD_SET/FD_CLR(), and a long discussion on a new attack against web-based systems: session fixation. I also added text about protecting secrets in memory."

New vulnerabilities

bugzilla - cross site scripting

Package(s): bugzilla
CVE #(s): (none listed)
Created: December 30, 2002
Updated: January 1, 2003
Description: A cross site scripting vulnerability has been reported for Bugzilla, a web-based bug tracking system. Bugzilla does not properly sanitize any input submitted by users. As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running Bugzilla. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

This vulnerability only affects users who have the 'quips' feature enabled and who upgraded from version 2.10.

Alerts:
Debian DSA-218-1 2002-12-30

cups - multiple vulnerabilities

Package(s): cups
CVE #(s): CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383
Created: December 30, 2002
Updated: February 18, 2003
Description: Exploitation of multiple CUPS vulnerabilities allows local and remote attackers, in the worst case, to gain root privileges. See the iDEFENSE advisory for more information.
Alerts:
Debian DSA-232-2 2003-02-20
SCO Group CSSA-2003-004.0 2003-01-20
Debian DSA-232-1 2003-01-20
Yellow Dog YDU-20030114-1 2002-01-14
Red Hat RHSA-2002:295-07 2003-01-09
Mandrake MDKSA-2003:001 2003-01-09
SuSE SuSE-SA:2003:002 2003-01-02
Gentoo 200212-13 2002-12-29

cyrus-imapd - Remote command execution vulnerability

Package(s): cyrus-imapd
CVE #(s): (none listed)
Created: December 29, 2002
Updated: January 1, 2003
Description: The Cyrus IMAP Server is an e-mail application that uses the Internet Message Access Protocol (IMAP). It allows a user to perform certain mail functions on a remote server rather than on a local computer.

Timo Sirainen discovered [1] a remotely exploitable pre-login buffer overflow in cyrus imapd. The problem resides in the way memory is managed (an integer overflow can cause less memory than needed to be allocated).

This vulnerability [2] may be exploited prior to authentication to the IMAP server and could allow a remote attacker to read other users' mail and to execute arbitrary code with the privileges of the user running the IMAP server (Conectiva Linux has a special unprivileged user called 'cyrus' responsible for that).

References:
1. http://online.securityfocus.com/archive/1/301864
2. http://www.kb.cert.org/vuls/id/740169

Alerts:
Conectiva CLA-2002:557 2002-12-27
Debian DSA-215-1 2002-12-23

cyrus-sasl - buffer overflows

Package(s): cyrus-sasl
CVE #(s): CAN-2002-1347
Created: December 28, 2002
Updated: January 7, 2003
Description: "Insufficient buffer length checking in user name canonicalization may allow attacker to execute arbitrary code on servers using Cyrus SASL library. Client side library also has the bug but since the user name is asked from the local user, there's probably not many applications that care about it, except maybe webmails and the like. This overflow only happens if default realm is set."

"LDAP authentication with saslauthd doesn't allocate enough memory when it needs to escape characters '*', '(', ')', '\' and '\0' in username and realm. This should be easily exploited with glibc's malloc implementation."

"Log writer might not have allocated memory for the trailing \0 in message. Probably hard to exploit, although you can affect the logging data with at least anonymous authentication."

Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=103946297703402&w=2

Alerts:
Red Hat RHSA-2002:283-09 2003-01-06
Gentoo 200212-10 2002-12-27

Helix Server - buffer overflows

Package(s): Helix Universal Server
CVE #(s): (none listed)
Created: January 1, 2003
Updated: January 1, 2003
Description: According to this NGSSoftware advisory, the Helix Universal Server (version 9.0 and earlier) has several buffer overflow vulnerabilities. A patch has been made available by RealNetworks.
Alerts: (No alerts in the database for this vulnerability)

libpng, libpng3: buffer overflow

Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

KDE - command parameter quoting problems

Package(s): kde
CVE #(s): CAN-2002-1393
Created: December 24, 2002
Updated: February 21, 2003
Description: In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions passed to a command shell for execution.

These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source.

By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges.

See this announcement for more details.

Alerts:
Conectiva CLA-2003:569 2003-02-20
Debian DSA-243-1 2003-01-24
Debian DSA-242-1 2003-01-24
Debian DSA-241-1 2003-01-24
Debian DSA-239-1 2003-01-23
Debian DSA-240-1 2003-01-23
Debian DSA-237-1 2003-01-22
Debian DSA-238-1 2003-01-23
Debian DSA-236-1 2003-01-22
Debian DSA-235-1 2003-01-22
Debian DSA-234-1 2003-01-22
Gentoo 200301-11 2003-01-18
Mandrake MDKSA-2003:004-1 2003-01-17
Mandrake MDKSA-2003:004 2003-01-13
Gentoo 200212-9 2002-12-22

typespeed: buffer overflow

Package(s): typespeed
CVE #(s): (none listed)
Created: January 1, 2003
Updated: June 17, 2003
Description: A problem has been discovered in typespeed, a game that lets you measure your typematic speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games.
Alerts:
Debian DSA-322-1 2003-06-16
Debian DSA-217-1 2002-12-27

Updated vulnerabilities

Heap corruption vulnerability in at

Package(s): at, sudo, xchat
CVE #(s): CAN-2002-0004
Created: May 21, 2002
Updated: May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2001-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16

BIND8: Multiple vulnerabilities

Package(s): bind
CVE #(s): CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created: November 13, 2002
Updated: March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Domain Server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
Sorcerer SORCERER2003-03-06 2003-03-06
SCO Group CSSA-2002-059.0 2002-12-19
Trustix 2002-0076 2002-11-15
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Debian DSA-196-1 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Mandrake MDKSA-2002:077 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
EnGarde ESA-20021114-029 2002-11-14

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind, glibc
CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Canna server: exploitable buffer overrun

Package(s): canna
CVE #(s): CAN-2002-1158 CAN-2002-1159
Created: December 10, 2002
Updated: October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information or to cause a denial of service. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

dhcpcd: Character expansion vulnerability

Package(s): dhcpcd
CVE #(s): (none listed)
Created: November 19, 2002
Updated: January 10, 2003
Description: dhcpcd is an RFC2131 and RFC1541 compliant DHCP client daemon.

dhcpcd has the ability to execute an external script named /sbin/dhcpcd-<interface>.exe when assigning a new IP address to a network interface. This script sources a file named /var/lib/dhcpcd/dhcpcd-<interface>.info that contains several shell variable assignments carrying DHCP information.

Simon Kelley pointed out a vulnerability in the way quotes inside these assignments are treated. By exploiting this, a malicious DHCP server (or attackers able to spoof DHCP responses) can execute arbitrary shell commands on the DHCP client (which is run by root).

Alerts:
Mandrake MDKSA-2003:003 2003-01-09
Gentoo 200301-3 2003-01-05
Debian DSA-219-1 2002-12-31
Conectiva CLA-2002:549 2002-11-18
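The KDE entry above and this dhcpcd entry describe the same defect: data from an untrusted source is placed into text that a shell later parses, without escaping the quote characters that would end the string. The script below is an added example, not dhcpcd's or KDE's own code, and its file layout and variable names are constructed rather than dhcpcd's real .info format. It shows an unescaped writer beside one that single-quotes values correctly, and a check that sources the output of each the way a root-run hook script would.

```shell
#!/bin/sh
# Added example, not dhcpcd's or KDE's own code. It models the pattern both
# entries describe: untrusted data (here, a DHCP option value) is written into
# a file that a root-run script later sources. The file layout and variable
# names are constructed for this example and do not reproduce dhcpcd's real
# /var/lib/dhcpcd/dhcpcd-<interface>.info format.

# sh_quote VALUE: wrap VALUE in single quotes, turning every embedded single
# quote into '\'' so that sourcing the result yields the value verbatim.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_info MODE FILE NAME VALUE: emit one NAME=VALUE assignment to FILE.
# MODE "unsafe" mimics the flaw: the value is dropped between single quotes
# with no escaping, so a quote inside it ends the string and the rest of the
# line is parsed as shell code. MODE "safe" runs the value through sh_quote.
write_info() {
    case $1 in
        unsafe) printf "%s='%s'\n" "$3" "$4" > "$2" ;;
        safe)   printf '%s=%s\n' "$3" "$(sh_quote "$4")" > "$2" ;;
        *)      return 2 ;;
    esac
}

# quoting_holds MODE: write a constructed hostile option value with the given
# writer, source the file as a dhcpcd-style hook would, and return 0 only if
# the value came back unchanged and the assignment it carries did not run.
quoting_holds() {
    hostile="host'; injected=yes; x='"   # constructed test value
    tmp=$(mktemp) || return 1
    write_info "$1" "$tmp" DHCP_HOSTNAME "$hostile" || { rm -f "$tmp"; return 1; }
    injected=no
    DHCP_HOSTNAME=
    . "$tmp"
    rm -f "$tmp"
    [ "$injected" = no ] && [ "$DHCP_HOSTNAME" = "$hostile" ]
}

# Stand-alone run: report the outcome for both writers.
for mode in unsafe safe; do
    if quoting_holds "$mode"; then
        echo "$mode writer: value preserved, nothing extra executed"
    else
        echo "$mode writer: quoting broken, embedded assignment ran"
    fi
done
```

The same sh_quote treatment applies to any value (hostname, domain, URL) that ends up inside a sourced file or a shell command line, which is the fix class the KDE advisory describes.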

dvips: command execution vulnerability

Package(s): dvips
CVE #(s): CAN-2002-0836
Created: October 16, 2002
Updated: June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Immunix IMNX-2003-7+-016-01 2003-06-09
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Debian DSA-207-1 2002-12-11
Conectiva CLA-2002:537 2002-10-29
Mandrake MDKSA-2002:071 2002-10-24
Mandrake MDKSA-2002:070 2002-10-23
Gentoo tetex-20021018 2002-10-18
Red Hat RHSA-2002:194-18 2002-10-08

Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

fetchmail: buffer overflow

Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

GNU fileutils race condition

Package(s): fileutils, ucdsnmp
CVE #(s): CAN-2002-0435
Created: May 21, 2002
Updated: May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13

Potential remote root exploit in glibc

Package(s): glibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: June 30, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

IM: creates temporary files insecurely

Package(s): im
CVE #(s): CAN-2002-1395
Created: December 3, 2002
Updated: March 6, 2003
Description: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.
  1. The impwagent program creates a temporary directory in an insecure manner in /tmp, using predictable directory names without checking the return code of mkdir, so a local attacker running as another user can take control of the temporary directory.

  2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.
Alerts:
Red Hat RHSA-2003:039-06 2003-03-06
Debian DSA-202-2 2002-12-06
Debian DSA-202-1 2002-12-03

kdelibs: Vulnerabilities in KIO subsystem support

Package(s): kdelibs
CVE #(s): CAN-2002-1281 CAN-2002-1282
Created: November 22, 2002
Updated: March 15, 2003
Description: Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2, however the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
SCO Group CSSA-2003-012.0 2003-03-14
Debian DSA-204-1 2002-12-05
Red Hat RHSA-2002:220-40 2002-12-04
Mandrake MDKSA-2002:079 2002-11-21

kernel: local denial of service vulnerability

Package(s): kernel    CVE #(s):
Created: November 19, 2002    Updated: February 5, 2003
Description: All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and 2.5.47 contain a vulnerability which allows any local user to crash the system. This LWN article describes how the exploit works in detail. The vulnerability affects only x86 systems.
Alerts:
Mandrake MDKSA-2003:014 2003-02-05
Trustix 2002-0083 2002-12-19
Conectiva CLA-2002:553 2002-12-16
Red Hat RHSA-2002:264-05 2002-11-25
Trustix 2002-0077 2002-11-15
Red Hat RHSA-2002:262-07 2002-11-16

krb5: Buffer Overflow in Kerberos Administration Daemon

Package(s): krb5, heimdal    CVE #(s): CAN-2002-1235
Created: October 29, 2002    Updated: January 14, 2003
Description: CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

Systems Affected

  • MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
  • KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
  • Other Kerberos implementations derived from vulnerable MIT or KTH code

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

The CERT/CC has received reports that indicate that this vulnerability is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002 notes that an exploit is circulating.

We strongly encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.

Alerts:
Mandrake MDKSA-2002:073-1 2003-01-13
Red Hat RHSA-2002:242-06 2002-11-06
Conectiva CLA-2002:534 2002-10-25
Debian DSA-185-1 2002-10-31
Debian DSA-184-1 2002-10-30
Sorcerer SORCERER2002-10-27 2002-10-27
Mandrake MDKSA-2002:073 2002-10-29
Debian DSA-183-1 2002-10-29
Gentoo kth-krb-20021026 2002-10-26

lynx: CRLF injection vulnerability

Package(s): lynx    CVE #(s): CAN-2002-1405
Created: November 19, 2002    Updated: October 1, 2003
Description: If lynx is given a URL containing certain special characters on the command line, it will include forged headers in the HTTP request. This can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

perl-MailTools: remote command execution

Package(s): MailTools    CVE #(s): CAN-2002-1271
Created: November 5, 2002    Updated: September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Cross-site scripting vulnerability in mhonarc

Package(s): mhonarc    CVE #(s): CAN-2002-0738 CAN-2002-1307 CAN-2002-1388
Created: September 11, 2002    Updated: January 3, 2003
Description: Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
Alerts:
Debian DSA-221-1 2003-01-03
Debian DSA-199-1 2002-11-19
Debian DSA-163-1 2002-09-09

micq: Denial of service

Package(s): micq    CVE #(s):
Created: December 13, 2002    Updated: April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash.
Alerts:
Red Hat RHSA-2003:118-01 2003-04-24
Debian DSA-211-1 2002-12-13

PHP Remote Compromise/DOS Vulnerability

Package(s): mod_php4    CVE #(s):
Created: July 22, 2002    Updated: February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Mozilla: Privacy leak and other vulnerabilities

Package(s): mozilla    CVE #(s): CAN-2002-1126 CAN-2002-1091
Created: November 1, 2002    Updated: February 13, 2003
Description: Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs.

Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width.

See also Mozilla's Recently fixed security issues page.

All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.

Alerts:
Conectiva CLA-2003:568 2003-02-13
Mandrake MDKSA-2002:075 2002-10-31

MySQL: multiple vulnerabilities

Package(s): mysql    CVE #(s):
Created: December 13, 2002    Updated: April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
Immunix IMNX-2003-7+-008-01 2003-04-08
EnGarde ESA-20030127-001 2003-01-27
Red Hat RHSA-2002:288-22 2003-01-15
SuSE SuSE-SA:2003:003 2003-01-02
Trustix 2002-0086 2002-12-19
Mandrake MDKSA-2002:087 2002-12-18
Debian DSA-212-1 2002-12-17
Conectiva CLA-2002:555 2002-12-17
OpenPKG OpenPKG-SA-2002.013 2002-12-16
Gentoo 200212-2 2002-12-15
EnGarde ESA-20021213-033 2002-12-13

net-snmp: denial of service vulnerability

Package(s): net-snmp    CVE #(s): CAN-2002-1170
Created: December 17, 2002    Updated: November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

OpenLDAP2: remote command execution

Package(s): OpenLDAP2    CVE #(s): CAN-2002-1378 CAN-2002-1379
Created: December 6, 2002    Updated: February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs that remote attackers could exploit to gain access to systems running vulnerable LDAP servers. In addition to these bugs, various locally exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
Trustix 2003-0002 2003-02-20
Red Hat RHSA-2003:040-07 2003-02-05
Mandrake MDKSA-2003:006 2003-01-14
Debian DSA-227-1 2003-01-13
Gentoo 200212-12 2002-12-28
Conectiva CLA-2002:556 2002-12-19
SuSE SuSE-SA:2002:047 2002-12-06

PHP: vulnerability in mail function

Package(s): php    CVE #(s): CAN-2002-0985 CAN-2002-0986
Created: November 13, 2002    Updated: October 1, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first allows the execution of any program or script, bypassing the safe_mode restriction; the second may turn a script into an open relay if the mail() function is not used carefully in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability from the previous PHP mail() problem, which affected versions through 4.1.0.
Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

pine: buffer overflow parsing "From:" addresses

Package(s): pine    CVE #(s): CAN-2002-1320
Created: November 27, 2002    Updated: January 3, 2003
Description: A malicious user could send a message with a specially crafted "From:" address and cause a segmentation fault on the client. Pine 4.50 fixes this vulnerability (CAN-2002-1320) and several others. Read the full advisory here.
Alerts:
Red Hat RHSA-2002:270-16 2003-01-02
Conectiva CLA-2002:551 2002-12-04
Mandrake MDKSA-2002:084 2002-12-02
Gentoo 200212-1 2002-12-02
EnGarde ESA-20021127-032 2002-11-27

Buffer overflow vulnerabilities in PostgreSQL

Package(s): PostgreSQL    CVE #(s):
Created: August 21, 2002    Updated: January 27, 2003
Description: PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited."

Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions.

Alerts:
Yellow Dog YDU-20030127-5 2003-01-27
Red Hat RHSA-2003:001-16 2003-01-14
Red Hat RHSA-2003:010-10 2003-01-14
SuSE SuSE-SA:2002:038 2002-10-21
Trustix 2002-0071 2002-10-17
Mandrake MDKSA-2002:062 2002-10-01
Conectiva CLA-2002:524 2002-09-19
Debian DSA-165-1 2002-09-12
Gentoo postgresql-20020826 2002-08-26

Local arbitrary code execution vulnerability in Python

Package(s): python    CVE #(s): CAN-2002-1119
Created: August 28, 2002    Updated: October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Multiple-use vulnerability in Safe.pm

Package(s): Safe.pm    CVE #(s): CAN-2002-1323
Created: October 9, 2002    Updated: February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

squirrelmail: cross-site scripting vulnerability

Package(s): squirrelmail    CVE #(s): CAN-2002-1131 CAN-2002-1132
Created: October 16, 2002    Updated: January 2, 2003
Description: The Squirrelmail web mail package has a cross-site scripting vulnerability; versions 1.2.7 and prior are affected. See the advisory for details.
Alerts:
Debian DSA-220-1 2003-01-02
Gentoo 200212-4 2002-12-15
Debian DSA-191-2 2002-11-07
Debian DSA-191-1 2002-11-07
Red Hat RHSA-2002:204-10 2002-10-09

File overwrite vulnerability in tar and unzip

Package(s): tar unzip    CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002    Updated: April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5    CVE #(s):
Created: May 21, 2002    Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Tomcat 4.x JSP source code exposure vulnerability

Package(s): tomcat    CVE #(s):
Created: September 25, 2002    Updated: January 29, 2003
Description: Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)." The current version of Tomcat is available here.

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Alerts:
Debian DSA-246-1 2003-01-29
Debian DSA-225-1 2002-01-09
Gentoo tomcat-20021015 2002-10-15
Debian DSA-169-1 2002-10-04
Gentoo tomcat-20020925 2002-09-25

traceroute-nanog: buffer overflow and root exploit

Package(s): traceroute-nanog/nkitb    CVE #(s):
Created: November 12, 2002    Updated: February 27, 2003
Description: Traceroute is a tool that can be used to track packets in a TCP/IP network to determine their route or to find non-working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
Alerts:
Debian DSA-254-1 2003-02-27
SuSE SuSE-SA:2002:043 2002-11-12

webalizer: reverse DNS buffer overflow vulnerability

Package(s): webalizer    CVE #(s):
Created: May 21, 2002    Updated: January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
Alerts:
Yellow Dog YDU-20030127-4 2003-01-27
Red Hat RHSA-2002:254-05 2002-12-04
SCO Group CSSA-2002-036.0 2002-10-22
EnGarde ESA-20020423-009 2002-04-23
Conectiva CLA-2002:476 2002-04-26

Webmin/Usermin vulnerabilities

Package(s): webmin    CVE #(s):
Created: May 21, 2002    Updated: January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
SCO Group CSSA-2003-002.0 2003-01-09
Yellow Dog YDU-20020522-7 2002-05-22
Mandrake MDKSA-2002:033 2002-05-21

wget: directory traversal bug

Package(s): wget    CVE #(s): CAN-2002-1344
Created: December 10, 2002    Updated: October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.
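
The check that both the wget entry above and the earlier tar/unzip entry call for, as an added example in C that is not code from wget, GNU tar or unzip: one function decides whether an archive member name (or a name received from a server) may be created under the extraction directory and cleans it, and a second applies the RFC 959 rule that an NLST reply carries bare file names only. The function names and the sample names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if name may be created under the extraction directory and writes
 * the cleaned relative path (no leading "/", no "." or empty components) to
 * out; returns 0 for anything that could escape, so the caller skips it. */
int safe_member_path(const char *name, char *out, size_t outlen)
{
    const char *p = name;
    size_t pos = 0;

    if (*p == '\0' || *p == '/')          /* empty or absolute: refuse outright */
        return 0;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                     /* ".." anywhere could climb out */
        if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (pos + 1 + len + 1 > outlen)
                return 0;                 /* would not fit: treat as unsafe */
            if (pos > 0)
                out[pos++] = '/';
            memcpy(out + pos, p, len);
            pos += len;
        }
        p = slash ? slash + 1 : p + len;
    }
    if (pos == 0)
        return 0;                         /* only "." pieces: nothing to create */
    out[pos] = '\0';
    return 1;
}

/* An NLST reply is a list of bare file names (RFC 959, section 4.1.3): an
 * entry that carries a path, or is "." or "..", is not one and must not be
 * used to name a local file. Returns 1 for a plain name. */
int nlst_entry_is_plain_filename(const char *entry)
{
    if (entry[0] == '\0' || strchr(entry, '/') != NULL)
        return 0;
    if (strcmp(entry, ".") == 0 || strcmp(entry, "..") == 0)
        return 0;
    return 1;
}

/* 1 if name is accepted and its cleaned form equals expected, else 0. */
int member_path_cleans_to(const char *name, const char *expected)
{
    char out[256];
    return safe_member_path(name, out, sizeof out) && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed member names of the kinds described in the entries above. */
    const char *names[] = { "etc/motd", "/etc/passwd", "../.rhosts",
                            "x/../../.forward", "./a//b/./c", "." };
    char out[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s -> %s\n", names[i],
               safe_member_path(names[i], out, sizeof out) ? out : "REJECTED");
    return 0;
}
```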
Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

wmaker: buffer overflow in Window Maker image handling code

Package(s): wmaker windowmaker    CVE #(s): CAN-2002-1277
Created: November 7, 2002    Updated: February 6, 2003
Description: Al Viro found a problem in the image handling code used in Window Maker, a popular NEXTSTEP-like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check that multiplication for overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).
Alerts:
Red Hat RHSA-2003:043-12 2003-02-05
Mandrake MDKSA-2002:085 2002-12-02
Conectiva CLA-2002:548 2002-11-18
Debian DSA-190-1 2002-11-07

Multiple vulnerabilities in wordtrans

Package(s): wordtrans    CVE #(s): CAN-2002-0837
Created: September 11, 2002    Updated: February 4, 2003
Description: The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
Alerts:
Red Hat RHSA-2002:188-08 2002-09-05

Problems with libgtop_daemon

Package(s): wuftpd libgtop    CVE #(s):
Created: May 21, 2002    Updated: May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th, disabling libgtop_daemon on systems where it is running was recommended until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Wwwoffle remote privilege escalation vulnerability

Package(s): wwwoffle    CVE #(s): CAN-2002-0818
Created: August 14, 2002    Updated: October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content-Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."
Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Resources

PHRACK #60 released

Issue number 60 of the PHRACK magazine is now available. It looks at kernel stack smashing, IOS exploits, patching static kernels, integer overflows, and several other topics.

Linux Security Week

The LinuxSecurity.com Linux Security Week Newsletter for December 30 is available.

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.5.53, which was released by Linus on December 23. It contains a bunch of device mapper fixes, an SCTP update, some memory management fixes, an ia-64 merge, some USB updates, a new aic7xxx driver, the new x86 "sysenter" system call mechanism (discussed in the December 19 LWN Kernel Page), and many other fixes and updates. The long-format changelog has the details.

Linus's pre-2.5.54 BitKeeper repository contains a large number of patches, most of which are the sorts of fixes that one would expect during a feature freeze. There is also a new bit of compiler trickery to issue warnings when deprecated functions are called, a number of kbuild fixes, a new dev_printk() function for standardized device error reporting, the removal of the much disliked hugetlb system calls (in favor of hugetlbfs), a new "kmalloc for each CPU" API, and more loadable module fixes.

The current stable kernel is 2.4.20. Marcelo has not released any 2.4.21 prepatches since December 18.

Kernel development news

Fixing up the shared page table patch

One patch that is still apparently being considered for 2.5 is the shared page table code. Since this patch makes significant changes to the VM subsystem, it is worth looking at why it is interesting, and what its prospects are.

Shared page tables do exactly what one would expect: they allow processes to share their page tables. The primary application of this technique is at fork() time; when a process creates a new child, the two processes share the same low-level page tables. These tables are shared in a "copy on write" mode; when either process changes memory, both the page being changed and the page table page that points to it are copied. The idea is that if the new process calls exec() before changing much memory, much of the page table copying overhead can be avoided entirely.

Shared page tables can also save significant amounts of memory when large processes (or large shared memory segments) are involved, but the fork() overhead is the real driving force behind this patch. The 2.5 kernel has a significantly slower fork() than 2.4, as a result of the reverse mapping VM code. Copying page tables requires copying the reverse map entries, which slows fork() down. Shared page tables, it is hoped, can eliminate that copy and get fork() back to something close to its 2.4 performance.

So it was a little disappointing when Andrew Morton ran some benchmarks and discovered that shared page tables made fork() even slower than it was before. The optimization, it seems, is really a pessimization - at least when relatively small processes are involved, which is the case that matters to most users.

Dave McCracken figured out what is going on. Most smaller processes, it seems, have three distinct areas of writable memory, being the data area, the stack, and the C library's data area. On most systems, a single page table page holds enough page table entries to map 4MB of actual memory. Unless the process is fairly large, then, there will be exactly one page table page for each of the three writable areas, or three in all.

The shared page table patch thus allows the deferral of the copying of three pages worth of page table entries. As soon as either process changes the memory mapped by one of those page table pages, that page can no longer be shared and all page table entries within that page must be copied. Unfortunately, even a process which does nothing but call exec() will almost certainly write memory in all three areas, requiring the unsharing of all three page table pages.

In other words, the shared page table patch is introducing the extra overhead required to share and unshare page table pages, but, in most cases, all of those pages will have to be unshared and copied anyway. So the extra overhead just makes things even slower than they were before.

There are a couple of things that can be done to address this problem. Dave posted a relatively simple fix: simply do not share page tables unless the forking process has at least four pages worth. It turns out that, if even one page table page need not be copied, the sharing overhead is worthwhile. So, if you turn off sharing in the case where it doesn't help, you get back to where you were before, and can enjoy the benefits of page table sharing for very large processes.

A more involved approach would be to spread out a process's writable memory so that it is mapped by more than one page table page. Writable process memory comes in numerous distinct chunks; a look at the /proc/.../maps entry for the emacs process being used to write this article shows 33 separate, writable virtual memory areas (VMAs). If each VMA is mapped on its own 4MB boundary, and thus has its own page table page, then writing in one VMA does not require copying the page table entries for all the other VMAs.

Andrew Morton gave this approach a try, and saw a 5-10% speedup. Performance is improved, in other words, but is still far short of what a 2.4 kernel can do.

The bottom line appears to be this: the shared page table patch, while providing some benefits, is failing in its goal of mitigating the extra fork() overhead brought by the reverse mapping VM. Unless somebody finds a way to address this problem, shared page tables seem unlikely to find their way into the 2.5 kernel.
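
The arithmetic behind Dave's analysis, as an added example in C that is not code from the shared page table patch or from LWN: from /proc/<pid>/maps-style lines it counts how many page table pages a process's writable VMAs occupy, applies the "at least four" rule, and shows how many VMAs a single write unshares in the compact layout versus the spread-out one. It assumes 32-bit x86 without PAE (one page table page maps 4MB); both maps excerpts are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PT_SHIFT 22        /* one page table page: 1024 PTEs x 4KB = 4MB (x86, no PAE) */
#define SHARE_THRESHOLD 4  /* the fix: share only when at least this many pt pages */
#define MAX_VMAS 64

struct vma { unsigned long start, end; int writable; };

/* Parse "start-end perms ..." lines in /proc/<pid>/maps layout; returns count. */
static int parse_maps(const char *text, struct vma *out, int max)
{
    const char *p = text;
    int n = 0;
    while (*p && n < max) {
        char perms[5];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (sscanf(p, "%lx-%lx %4s", &out[n].start, &out[n].end, perms) == 3) {
            out[n].writable = (perms[1] == 'w');
            n++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return n;
}

/* Index of the page table page that maps addr. */
static unsigned long pt_index(unsigned long addr) { return addr >> PT_SHIFT; }

/* Distinct page table pages that map at least one writable VMA: how many pages
 * fork() could share, and how many the child copies anyway if it writes to all. */
int count_writable_pt_pages(const char *maps)
{
    struct vma v[MAX_VMAS];
    unsigned long seen[MAX_VMAS * 4];
    int nseen = 0, n = parse_maps(maps, v, MAX_VMAS);
    for (int i = 0; i < n; i++) {
        if (!v[i].writable)
            continue;
        for (unsigned long idx = pt_index(v[i].start); idx <= pt_index(v[i].end - 1); idx++) {
            int dup = 0;
            for (int j = 0; j < nseen; j++)
                if (seen[j] == idx) { dup = 1; break; }
            if (!dup && nseen < MAX_VMAS * 4)
                seen[nseen++] = idx;
        }
    }
    return nseen;
}

/* The rule from the fix: below the threshold, sharing costs more than it saves. */
int share_worthwhile(const char *maps)
{
    return count_writable_pt_pages(maps) >= SHARE_THRESHOLD;
}

/* Writable VMAs that live in the page table page mapping addr: one write at
 * addr unshares that page, so every one of them gets its entries copied. */
int writable_vmas_in_pt_page(const char *maps, unsigned long addr)
{
    struct vma v[MAX_VMAS];
    int n = parse_maps(maps, v, MAX_VMAS), count = 0;
    for (int i = 0; i < n; i++)
        if (v[i].writable && pt_index(v[i].start) <= pt_index(addr) &&
            pt_index(addr) <= pt_index(v[i].end - 1))
            count++;
    return count;
}

/* Constructed maps excerpt for a small x86 process of the period: program
 * data, ld.so data, an anonymous page, libc data and the stack. */
const char SMALL_PROCESS_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:01 100 /bin/small\n"
    "0804c000-0804e000 rw-p 00003000 03:01 100 /bin/small\n"
    "40000000-40016000 r-xp 00000000 03:01 200 /lib/ld-2.3.so\n"
    "40016000-40017000 rw-p 00015000 03:01 200 /lib/ld-2.3.so\n"
    "40017000-40018000 rw-p 00000000 00:00 0\n"
    "4002b000-40155000 r-xp 00000000 03:01 201 /lib/libc-2.3.so\n"
    "40155000-4015b000 rw-p 0012a000 03:01 201 /lib/libc-2.3.so\n"
    "bffeb000-c0000000 rwxp ffffe000 00:00 0\n";

/* Same process with each writable VMA moved onto its own 4MB boundary, the
 * "spread out" layout discussed in the article (read-only VMAs omitted). */
const char SPREAD_PROCESS_MAPS[] =
    "0804c000-0804e000 rw-p 00003000 03:01 100 /bin/small\n"
    "40016000-40017000 rw-p 00015000 03:01 200 /lib/ld-2.3.so\n"
    "40400000-40401000 rw-p 00000000 00:00 0\n"
    "40800000-40806000 rw-p 0012a000 03:01 201 /lib/libc-2.3.so\n"
    "bffeb000-c0000000 rwxp ffffe000 00:00 0\n";
```

For the compact layout the three writable areas land in three page table pages, so the rule declines to share; in the spread layout a write into libc's data unshares a page holding only that one VMA.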

Manipulating multiple address spaces

Back in November, LWN covered a patch by Jeff Dike which made some User-mode Linux improvements possible. Jeff needed a mechanism which would allow him to create multiple address spaces for a single Linux process, manipulate those address spaces, and switch the process between them. The interface he came up with was:

  • Opening /proc/mm would return a file descriptor representing a newly-created address space.

  • Writing to that file descriptor would execute commands on the address space, as described by the data "written." Mapping of segments, changing permissions, etc. would be handled via this mechanism; in this way, UML could set up an address space as needed for one of its processes.

  • An extension to the ptrace() system call allows UML to switch a child process's address space.

This interface gets the job done, but it's not too surprising that Linus did not like it. Performing virtual memory management operations via a magic /proc file is just not the most elegant way of doing things.

Cleaning up the first step - creating new address spaces - is relatively easy. It's just a matter of adding a new create_mm() system call. But then how does one manipulate that new space - mapping in a file, or changing protections, for example? The system calls which normally perform these functions (mmap(), mprotect(), ...) are not set up to have a separate address space passed in as a parameter. One could create a whole new set of system calls that take that extra parameter, but that is a task that gets messy in a hurry.

So Linus has come up with another idea. Why not add one more system call (mm_indirect()), which would invoke any other system call in the context of a different address space? mm_indirect() would simply switch the calling process over to the new address space, invoke the real system call of interest, then switch back. In this way, all system calls could be made to manipulate a different address space without the need to modify any of them.

This solution will work for UML, and is thus likely to be implemented. It may eventually lead to a number of currently unimagined "coprocess" applications as well. One question remains unanswered, however: is this sort of change really 2.5 material, or does it get to wait for the next development series?

(As an aside, we look forward to seeing the results of Jeff's work running UML with the valgrind memory debugger. Chances are it will turn up a lot of previously unnoticed memory bugs in the Linux kernel.)

The end of the hugetlb system calls

The hugetlb (or "large page") patch was covered here last August. This patch added a couple of new system calls allowing a suitably privileged process to create anonymous memory using the large page capability of most modern processors. Using large pages cuts down on page table overhead, and, crucially, optimizes the use of the processor's address translation cache. The result is that applications using large memory arrays (Oracle, in particular) run faster.

The large page capability is seen as useful by most developers, but there has been a long series of complaints about the system call interface. The system calls do pretty much what one would expect: allocate a large page region, free it, share it with others. But not everybody sees the need for a new set of system calls for performing what is (mostly) standard memory operations. Then, there is the issue of permissions. The ability to allocate huge pages can not be handed out to just anybody, since it is a good vehicle for the creation of denial of service attacks. That means that root access is required to make use of the large page capability. Call them superstitious, but many users are reluctant to run Oracle with root access.

Meanwhile, William Lee Irwin added hugetlbfs - a RAM-based filesystem which uses large pages. An application wishing to create a memory region with large pages can create a file in a hugetlbfs directory, then use mmap() to map it into its address space. Sharing is nicely handled by the filesystem itself, and need no longer be done with a separate system call. And the permissions problem is solved by allowing a system administrator to set protections on the hugetlbfs filesystem which fit the site's needs. The filesystem interface provides a more flexible interface to the large page facility. So, as of 2.5.54, the system call interface will be removed.
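
The user-space side of the filesystem interface just described, as an added example in C that is not code from hugetlbfs or from the article: a file under the hugetlbfs mount is created, sized to whole large pages and mapped, and two mappings of the same file show sharing handled by the filesystem rather than by a system call. The mount point /mnt/huge, the 4MB page size and the function names are assumptions; pointed at an ordinary directory the same code runs without large pages.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define LARGE_PAGE_SIZE (4UL << 20)   /* 4MB large pages on x86 without PAE (assumed) */

/* hugetlbfs only accepts sizes that are whole large pages; round up. */
size_t round_to_page(size_t len, size_t page_size)
{
    return (len + page_size - 1) / page_size * page_size;
}

/* Create (or reopen) name under dir, size it to a whole number of large pages
 * and map it shared. dir is expected to be a hugetlbfs mount such as /mnt/huge
 * (an assumption); the mount's owner and mode, chosen by the administrator,
 * decide who may allocate large pages, so no root privilege is involved here. */
void *map_large_page_file(const char *dir, const char *name, size_t len,
                          size_t page_size, size_t *mapped_len)
{
    char path[4096];
    size_t rounded = round_to_page(len, page_size);
    void *p;
    int fd;

    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return MAP_FAILED;
    fd = open(path, O_CREAT | O_RDWR, 0600);   /* owner-only: nobody else maps it */
    if (fd < 0)
        return MAP_FAILED;
    if (ftruncate(fd, (off_t)rounded) < 0) {
        close(fd);
        return MAP_FAILED;
    }
    p = mmap(NULL, rounded, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                                  /* the mapping keeps the file alive */
    if (p != MAP_FAILED)
        *mapped_len = rounded;
    return p;
}

/* Two independent mappings of the same file see each other's writes: this is
 * what replaces the old "share it" system call. Returns 1 on success and
 * removes the file afterwards. */
int shared_round_trip(const char *dir, const char *name, size_t page_size)
{
    size_t len_a = 0, len_b = 0;
    char path[4096];
    char *a = map_large_page_file(dir, name, 100, page_size, &len_a);
    char *b = map_large_page_file(dir, name, 100, page_size, &len_b);
    int ok = 0;

    if (a != MAP_FAILED && b != MAP_FAILED && len_a == len_b) {
        strcpy(a, "written through mapping a");
        ok = strcmp(b, "written through mapping a") == 0;   /* visible through b */
    }
    if (a != MAP_FAILED)
        munmap(a, len_a);
    if (b != MAP_FAILED)
        munmap(b, len_b);
    snprintf(path, sizeof path, "%s/%s", dir, name);
    unlink(path);
    return ok;
}

int main(void)
{
    /* With hugetlbfs mounted at /mnt/huge (assumption) this uses real large pages. */
    int ok = shared_round_trip("/mnt/huge", "lwn-example", LARGE_PAGE_SIZE);
    printf("large page round trip: %s\n",
           ok ? "ok" : "failed (is hugetlbfs mounted and writable by you?)");
    return ok ? 0 : 1;
}
```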

All this could lead one to wonder why the hugetlb patch wasn't done this way in the first place. The whole point of the kernel peer review process, after all, is to keep poor interfaces out of the kernel. Linus's answer to this is simple: the patch simply was not much discussed prior to merging because the companies behind it are still unused to open code development. In fact, some companies have rules which forbid the sorts of conversations needed to develop in an open source environment.

So not only did you have a feature that is mostly useful only to a smallish group of people - you had that group of people not used to open communication in the first place, AND you had rules that made some of the important part of the communication illegal in the first place.

Still wonder why it wasn't widely discussed during development? Intel engineers would basically take people aside in private at conferences talking about what kinds of improvements Oracle was seeing.

Developing code in the open seems like the only way to work for many developers. This episode is a good reminder that not everybody, yet, has really come to understand how the free software development process works.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Documentation

Janitorial

Kernel building

Memory management

Networking

Architecture-specific

Security-related

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

2002 retrospective

2002 was a year of belt-tightening and consolidation in all technology sectors, a return to reality after the excesses of the dot-com boom. Most distribution companies fared well, though there were layoffs and struggles to find sources of real, sustainable income.

To that end, MandrakeSoft launched the "Mandrake Clubhouse" at the end of 2001. Club members have provided a steady source of income for MandrakeSoft, almost enough for the company to break even, but at year's end the company is still struggling financially. If you are a Mandrake user, it is in your best interest to join Mandrake Club (or Mandrake Corporate Club) and buy Mandrake products from the MandrakeStore to help support the distribution. This is MandrakeSoft's answer to the question, "How do you make money with free software?"

In September MandrakeSoft announced the release of Mandrake Linux 9.0, codenamed "Dolphin." It was one of the first distributions to be certified by the Linux Standard Base.

LWN.net released the "new and improved" LWN Distribution List. Changes to the list were heavy for the first few months of 2002, and minor updates continue. The list remains a cumbersome flat file, with over 300 distributions currently listed. We still plan to move the list to a database. Perhaps in 2003.

Caldera International released Caldera OpenLinux Workstation 3.1.1 and Caldera OpenLinux Server 3.1.1 at the end of January. We could not have predicted at the time that this would be the last release of OpenLinux. Caldera International became The SCO Group at the end of August, and the next release was called SCO Linux 4.0 powered by UnitedLinux.

Speaking of UnitedLinux, this collaborative effort released version 1.0 on November 19, 2002. (UnitedLinux powers distributions by SCO, SuSE, Conectiva, and Turbolinux.)

LSB-certified distributions: distributions from MandrakeSoft, Red Hat, and SuSE received LSB certification in August.

Debian GNU/Linux: Three candidates, Bdale Garbee, Raphaël Hertzog, and Branden Robinson, vied for Debian Project Leader; Bdale was elected in April. Cryptographic software showed up in the main archive for the first time in March. The long-awaited woody release, Debian GNU/Linux version 3.0, came out in July. In November a fire in the computing facilities of Twente University destroyed several Debian services, which were quickly restored.

Red Hat also looks for ways to spend less. This year support has been cut for Alpha and Sparc ports, and there's even an "end-of-life" date for the most recent release.

The Limbo beta was released in July, with the first taste of the company's controversial Bluecurve desktop. Limbo became Red Hat Linux 8.0 in October. Red Hat's more stringent trademark requirements went into effect with that release.

SuSE Linux also announced an end of life for older distributions as the new UnitedLinux powered versions are released.

Slackware Linux 8.1 was released June 18, 2002.

Sorcerer GNU/Linux, a source-based distribution, came out in January and quickly gained popularity. By March the development team had grown, and with that growth came creative conflicts. Kyle Sallee, original author of Sorcerer, pulled the source from the site. But the source was out there, and two new projects forked from the old code. Now there are three projects, as Sorcerer is joined by the forks Source Mage and Lunar-Penguin.

Easy to use desktop distributions proliferated, some garnering considerable press coverage. Lycoris Desktop/LX, Xandros Linux, Lindows OS, Desktop ROCK Linux (dRock), Debian Desktop, EvilEntity Linux, LibraNet GNU/Linux, and ELX, Everyone's Linux are just a few desktop Linux projects that started or gained momentum during 2002.

Libranet GNU/Linux took a stab at making a sustainable income by setting up a pay-for-download scheme.

All in all, a turbulent year for Linux distributions. We leave with a prediction for 2003. This will be the year that we will see some change in the major players. Either two major companies will merge, or at least one will get out of the Linux distribution business. Of course that has been predicted before.

Comments (none posted)

Distribution News

Debian GNU/Linux

Here is the Debian Weekly News for December 24, 2002 with news about the IPv6 Mini-Conf prior to the Linux Conference Australia; the Debian Mini-Conf; the first anniversary of the German debianforum; and more.

The Debian Weekly News for December 31, 2002 reflects on the past year and on the future.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for December 30 is out. It looks at a new kernel development strategy, the new release schedule process, and several other topics.

Full Story (comments: none)

Mandrake Linux

The Mandrake Linux Community Newsletter for December 27, 2002 is out. This week's top story: MandrakeSoft's Future.

Mandrake has updated urpmi and mdkonline packages available for 8.1 and 8.2. These updates bump up the version of urpmi and mdkonline to those found in Mandrake Linux 9.0, which offer more features and better support for updating packages via urpmi and Mandrake Online.

Comments (none posted)

Red Hat Linux

Red Hat has sent out an announcement for a new beta release, called "Phoebe." Among other things, it includes a bleeding-edge glibc with the new Native POSIX Thread Library included (along with, presumably, a suitably patched kernel).

Here is a press release for new releases of Red Hat Linux for IBM's iSeries, pSeries, and zSeries enterprise server platforms.

Red Hat has announced a new policy for errata support for Red Hat Linux products and gives the end-of-life dates for currently supported products. Red Hat Linux PowerTools (6.2, 7, and 7.1), all Red Hat Linux releases for the Alpha and Sparc architectures, and Red Hat Linux 7.1 for the IA64 architecture are no longer supported. End of life dates for Red Hat Linux 6.2 through 8.0 are also specified in the announcement.

Updated packages for Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 are now available that fix a bug in the ext3 file system, discovered in the previous errata kernel. The bug has the potential to cause data loss if the file system is used in a non-default way.

Comments (none posted)

SCO Linux

The SCO Group has announced that Argo21 will provide SCO's technical support services in Japan for SCO Linux 4.0 powered by UnitedLinux.

Comments (none posted)

Trustix Secure Linux

Trustix has released a minor bug fix for apache, with general config file cleanup. The new version behaves consistently with or without SSL enabled. Previously, the normal web server at port 80 would go away if you enabled SSL.

Trustix has also released a minor bug fix for rpm. A check was added to see if configure.in is newer than configure before trying to run libtoolize, and an _initdir macro was added.

Comments (none posted)

New Distributions

Qplus-P

Qplus-P is ETRI's embedded Linux solution for internet appliances such as PDAs, digital TV set-top boxes and webpads. Target Builder is an embedded Linux development toolkit tightly coupled with ETRI Qplus-P. It provides many features for developers to build embedded Linux systems. These features include configuration, dependency checking, conflict resolution, project management and deployment support to the target system. Using Target Builder, developers can make fully functional operating systems easily and quickly. See this article on LinuxDevices.com for additional information. Version 1.0 was released December 16, 2002.

Comments (none posted)

Minor distribution updates

Arch Linux

Arch Linux has released v0.4 (Dragon) with major feature enhancements. "Changes: NFS mounts were added to the init scripts. The install script was improved. The install CD layout was modified to run from an initrd. The rc.d scripts were modified to kill with .pid files or pidof. rc.sysinit now handles UTC times (user patch). Module dependencies are only updated if required. All packages were rebuilt with gcc 3.2. pacman now supports multiple servers and repositories."

Comments (none posted)

Astaro Security Linux

Astaro Security Linux has released v3.380 with major bugfixes. "Changes: This version is the second beta before 4.0. There are a lot of big and small improvements and bugfixes, such as Radius-based Surf Protection Profiles, and fixes in the SMTP and HTTP Proxy."

Comments (none posted)

BBIagent Router

BBIagent Router has released v1.6.0 with minor feature enhancements. "Changes: The Linux kernel on the boot image was upgraded to version 2.4.20. User-defined settings can now be saved to the diskette and restored automatically when the router is booted up."

Comments (none posted)

GENDIST

GENDIST has released v1.4.7 (stable) with minor bugfixes. "Changes: A workaround was implemented for the mke2fs bug/feature, so small initrds with a large number of inodes should work now. A minor bug in the ShellLinux example was fixed: the attributes of shared libraries are now restored after copying them with objcopy."

Comments (none posted)

IPCop Firewall

IPCop Firewall has released v1.2 with minor feature enhancements. "Changes: DNRD was replaced with DNSMASQ. Updated software includes Speedtouch, Snort, SSH, and a PPTP client. New modules include ip_masq_ipsec and ip_masq_h323. Multiple languages were added (German, French, Turkish), as was configuration backup/restore, support for the Pulsar PCI ADSL card, static DHCP leases, aliasing on the red interface, dial-on-demand ADSL, and proxy graphs."

Comments (none posted)

Phayoune Firewall

Phayoune Secure Linux has released Phayoune Firewall 0.3.3, the initial release of this CD-ROM firewall distribution.

Comments (none posted)

PXES Linux Thin Client

PXES Linux Thin Client has released v0.5.1-16 with major feature enhancements. "Changes: Support for the i586 family of processors has been added."

Comments (none posted)

RxLinux

RxLinux has been busy. In the last couple of weeks RxLinux has released v1.2.3, followed by v1.2.4, which added Mplayer to play movies on a diskless machine. Version 1.2.4-w was released soon after that, with a graphical user interface added to build rxnode without using an rxmaster; and more code cleanup.

Comments (none posted)

SmoothWall

SmoothWall has released v1.0 with major security fixes. "Changes: This release includes updates 1 through 21 from the previous version, which cover a great number of functionality updates and security fixes."

Comments (none posted)

TopologiLinux

TopologiLinux released v2.0 beta, adding NTFS support. The 2.0 Release Candidate 1 is also out, adding Licq and Wine.

Comments (1 posted)

Warewulf

Warewulf has released v1.7 with minor bugfixes. "Changes: An 'option routers' was added to dhcp-build to point to the DHCP master admin_ip. Some logic was added to 'nodebuild' to look for a mounted /proc in the virtual node image. Several bugs in 'nodeupdate' were fixed, along with a bug in the warewulfd init script that was prematurely setting the status of nodes to 'READY'. A bug where 'nodeadd' was forgetting to add the 'enable' field to node.conf was fixed, and it does not try to enable a clust_dev if it differs from admin_dev. Some weirdness in the warewulf-node RPM was fixed, and a binary 'strings' was added to the virtual node filesystem."

Comments (none posted)

WISP-Dist

WISP-Dist, a part of the LEAF project, has released v2397 with minor bugfixes. "Changes: This is a maintenance build with various bugfixes and small improvements."

Comments (none posted)

Distribution reviews

Bootable Business Card nears 2.0 release (Linux Journal)

Linux Journal checks out the upcoming release of the LNX-BBC rescue disk. "LNX-BBCs can be used to rescue ailing machines, perform intrusion post-mortems, act as a temporary workstation, install Debian, and perform many other tasks that we haven't yet imagined."

Comments (none posted)

Showdown: The Penguins Prepare for a Shootout (OfB.biz)

Open for Business begins a multi-part series of distribution reviews with a look at Xandros Desktop 1.0. "If initial presentation was the measure of quality, Xandros would have all of the other distributions beat right from the start; this company definitely understands the importance of first impressions. When the installer first boots up, rather than being greeted by a text-based progress bar or scrolling boot messages, this distribution starts up in style with a flashing Xandros logo that fades away once things are ready to go. It might not do much for you once you're ready to use the system, but it did make for something different than the normal monotony of the boot system (which also often scares new GNU/Linux users)."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Mailman 2.1 announced

[Mailman] A new version of Mailman, a Python-based mailing list management system with a web-based user interface, has been announced.

A summary of features for this version of Mailman includes:

  • Web-based list creation and removal.
  • Multi-lingual support.
  • Real name support for list members.
  • Improved password-less operations.
  • Support for personalized deliveries with bounce detection.
  • Emergency moderation capabilities.
  • MIME-based content filtering.
  • Regexp based topic filtering.
  • Improved membership management with searching.
  • Support for moderated newsgroups.
  • A redesigned mail delivery subsystem architecture.
  • Moderation and privacy controls.
  • Autoresponse governors.
  • Global user option configurability.
  • Improved MIME and I18n support.
  • A new list moderator role.
  • Support for a new Urgent: header.
See the full list of Mailman features, and the NEWS file for a full history of revisions.

If you are interested in trying out Mailman, the online Mailman documentation is a good place to start.

Comments (none posted)

System Applications

Audio Projects

Ogg Traffic

Two new editions of Ogg Traffic are out with a bunch of Ogg Vorbis audio compression software news. Topics in the December 22, 2002 edition include: Converting FLAC to Ogg Vorbis, Transcoding Ogg Vorbis to Ogg Vorbis, Preaching the Gospel of the Fish, and Speex Beta 4 Released. Topics in the December 29, 2002 edition include: FUD-Busting, Recompressing Ogg Vorbis files, and Using oggenc to convert FLAC to Ogg Vorbis.

Comments (none posted)

Database Software

MySQL 4.0.7 is released

Version 4.0.7 of the MySQL open-source database is available. This release addresses a security issue; users are encouraged to upgrade as soon as possible.

Full Story (comments: none)

Education

Linux in Education Report

Issue #86 of the Linux in Education Report is out. Topics include games for kindergarteners, a proposal for producing audio books, a Sun deal that gives StarOffice 6.0 to Danish students, the GNU/LinuxIndia newsletter, a plea for help maintaining the English version of the DrGenius user's manual, and a bunch of new educational software releases.

Comments (none posted)

Electronics

GTKWave 2.0.0pre1-20021220

Version 2.0.0pre1-20021220 of GTKWave, an electronic waveform viewer, has been announced as part of the GEDA snapshot 20021220. New features include an XML trace save/load format, work on analog traces, code cleanup, better analog support, and more.

Comments (none posted)

Mail Software

Sendmail 8.12.7 available

Version 8.12.7 of Sendmail has been released. "It contains a fix for smrsh, support for Berkeley DB 4.1 (requires at least 4.1.25), fixes to enforce STARTTLS restrictions between sessions/transactions, some config file changes to deal with bogus DNS entries and to enforce tls_client restrictions, as well as a change to the default submit.cf file to use 127.0.0.1 instead of localhost as the address of the MTA."

Comments (none posted)

Milter news

New topics on the Milter mail filtering site include: Spamass-Milter 0.1.3 Released, Passing values from sendmail, How do you adjust internal milter timeouts?, and more.

Comments (none posted)

Peer to Peer

Mobile P2P messaging, Part 1 (IBM developerWorks)

Michael J. Yuan shows how to work with the Wireless Messaging API on IBM's developerWorks. "SMS-based peer-to-peer mobile messaging could become mobile commerce's killer application. The J2ME Wireless Messaging API (WMA) provides SMS capabilities for mobile Java clients. In this first installment of a two-part series on mobile P2P messaging, Michael J. Yuan discusses the design and usage of the WMA, and presents a sample application to demonstrate key concepts. He'll also discuss some server-side Java SMS solutions."

Comments (none posted)

Printing

CUPS 1.1.18 available

Version 1.1.18 of the CUPS Print System has been released. Most of the changes involve security issues and bug fixes; see the Release Notes for the full story.

Comments (none posted)

LinuxPrinting.org News

News from LinuxPrinting.org includes the release of version 2.9.1 of the Foomatic printer driver database, and instructions on using the Epson Stylus CX3200 and CX5200 for scanning.

Comments (none posted)

Web Site Development

Midgard 1.4.4 released

Version 1.4.4 of the Midgard open-source web application server has been announced. Changes include lots of bug fixes and a few enhancements. Thanks to Henri Bergius.

Comments (none posted)

Zope Members News

The most recent headlines on the Zope Members News include: ZServerSSL Rides Again, silva-0.9_installer_macosx-1.0 released, NeoPortal Content Pak 0.9a2 released - NeoPortal User Manager Tool added, NeoPortal Library 0.9a2 released, Silva 0.9 released, How-to Build Simple ZClass - updated to zope 2.6.x, MailBoxer 2.1.5, RemoteUserFolder public release, Interbase / Firebird Adapters, and Formulator 1.3.1 released.

Comments (none posted)

Miscellaneous

New hsflinmodem release

Several new versions of the Conexant HSF softmodem driver have been released; see below for details.

Full Story (comments: none)

Desktop Applications

Audio Applications

JACK Rack 1.0.1 available

Version 1.0.1 of JACK Rack, an audio effects connection system, has been released. This version features minor bug fixes.

Full Story (comments: none)

Sweep 0.5.13 released

Version 0.5.13 of the Sweep audio editor and playback tool has been released. New features include bug fixes and a new fade in/out capability.

Full Story (comments: none)

ZynAddSubFX 1.0.3 released

Version 1.0.3 of the ZynAddSubFX open-source software audio synthesizer has been released. This version features bug fixes, a new VU meter, split keyboard functionality, and more.

Full Story (comments: none)

GNUsound 0.5 available

Version 0.5 of the GNUsound multitrack audio editing package is available for download. Change information is in the source code.

Comments (none posted)

Desktop Environments

FootNotes

Headlines on the GNOME desktop FootNotes site include: Pan 0.13.3 released, GIMP 1.3.11 released, Ruby-GNOME2-0.2 is now available!, Interview with the Gnomemeeting Team, Red Hat Beta Released!, Release of GnuCash 1.7.6 ''Santa's got a brand new bag'', GTK+ user interface libraries, version 2.2 released, Gnumeric 1.1.14 is now available, GARNOME 0.19.5: ''Intergalactic War'', GNOME Development Series Snapshot 2.1.5 released, Dropline GNOME 1.3.1 Now Available, and more.

Comments (none posted)

KDE-CVS-Digest for December 20, 2002

The December 20, 2002 edition of the KDE-CVS-Digest is out. "This week we cover updates on the security audit, Kroupware issues, bugfixes and lots of new features in KDevelop, Konqueror, KDEPrint, Kig (a program for exploring geometrical constructions), as well as Proklam updates (see KMouth also) as a further step towards improving accessibility capabilities in KDE."

Comments (none posted)

KDE-CVS-Digest for December 27, 2002

The December 27, 2002 edition of the KDE-CVS-Digest is out. "Subjects discussed include the conclusion of the security audit, KMail merge problems, bugfixes and lots of new features in Kate, Kig, Gwenview, Krdc, kgpg, Konstruct, Kopete, Cervisia, KDevelop, KOffice and Kalzium. And much more."

Comments (none posted)

XFree86 4.2.99.3 Snapshot available

Snapshot 4.2.99.3 of XFree86 is available. This release will evolve into version 4.3 after the bug testing cycle is complete.

Comments (none posted)

Games

New Pygame entries

The latest entries on the PyGame site include Pyddr 0.5.8, which is a dance-dance revolution clone, and Sulk 0.24, a Space Hulk replica.

Comments (none posted)

Your First Micro Java Game

David Fox writes about Java game development for mobile phones on O'Reilly. "The Mobile Information Device Profile (MIDP) of J2ME is a subset of the standard Java you know and love, with a few minor modifications. Writing a basic MIDlet game is simple as apple pie. This article will show you how to start cookin'."

Comments (none posted)

GUI Packages

GTK+ user interface libraries 2.2

Version 2.2 of the GTK+ user interface libraries has been released. This release features multihead support, support for the fontconfig and Xft2 libraries, new font support in Pango, improved ports, gdk-pixbuf enhancements, and support for new X extensions and standards.

Full Story (comments: none)

Qt Script for Applications 1.0 beta1

Trolltech has announced the release of version 1.0 beta1 of Qt Script for Applications, which has been released under the GPL. "Qt Script, an easy-to-learn, multiplatform interpreted scripting language. Qt Script is based on the ECMAScript standard (as is JavaScript). Qt Scripter, a multiplatform IDE which developers can make available to their end-users. Qt Scripter (screenshot) can be used to write and edit code, to visually design forms, and to run and debug scripts."

Comments (none posted)

LibGGI 2.0.2/LibGII 0.8.2 released

The GGI Project has released new versions of LibGGI, a cross-platform graphics API, and LibGII, a stand-alone system for handling input devices.

Full Story (comments: none)

FLTK Developments

New software for FLTK, the Fast, Light ToolKit includes: flPhoto 1.0, and VolSuite 2.3.0.

Comments (none posted)

Interoperability

Kernel Cousin Wine

Issue #149 of Kernel Cousin Wine is out. Topics include: Wine-20021219, Implementation of wineboot, Compile Time Comparisons / Tips, COM Conformance Test Suite, and Running Cygwin Apps Under Wine.

Comments (none posted)

Kernel Cousin Wine

Issue #150 of Kernel Cousin Wine has been released; check it out for the latest Wine development news.

Comments (none posted)

Office Applications

TeXmacs 1.0.1 released

Version 1.0.1 of the TeXmacs typesetting system has been released. New features include a redesigned user interface, improved converters, the addition of several structural editing primitives, reorganized style files and packages, an improved documentation system, and more. (Thanks to David Allouche.)

Full Story (comments: 2)

AbiWord Weekly News

Issue #121 and Issue #122 of the AbiWord Weekly News are out with lots of AbiWord word processor development news.

Comments (none posted)

AbiWord Weekly News

Issues #123 and #124 of the AbiWord Weekly News are out with even more AbiWord word processor development news.

Comments (none posted)

Gnumeric 1.1.14

Version 1.1.14 of the Gnumeric spreadsheet has been released.

Full Story (comments: none)

Web Browsers

mozillaZine

The latest mozillaZine topics include: ExtremeTech Preview of Phoenix, Extra Two Weeks Added to 1.3 Beta Cycle, Honey, Hyatt's Coming Round for Christmas Dinner!, New Default Theme for Phoenix, Judge Orders Microsoft to Include Sun Java in Windows, Gecko Runtime Environment Overview, Guide to the New Bugzilla Flags Used by drivers@mozilla.org, and Independent Status Reports.

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The December 17-31, 2002 edition of the Caml Weekly News is out with the latest Caml news.

Full Story (comments: none)

The Caml Light / OCaml Hump

This week, the new software on The Caml Hump includes the Sleep Student Parser, Planets for simulating planetary systems, the ocamledefun defunctorizer, and the CamlGL OpenGL bindings for OCaml.

Comments (none posted)

Java

Compiling Java with GCJ (Linux Journal)

Per Bothner talks about GCJ on Linux Journal. "One reason relatively few projects use Java has been the real or perceived lack of quality, free implementations of Java. Two free Java implementations, however, have been around since the early days of Java. One is Kaffe (www.kaffe.org), originally written by Tim Wilkinson and still developed by the company he cofounded, Transvirtual. The other is GCJ (the GNU Compiler for the Java language), which I started in 1996 at Cygnus Solutions (and which this article discusses). GCJ has been fully integrated and supported as a GCC language since GCC version 3.0."

Comments (none posted)

From black boxes to enterprises, Part 3: Hands-on JMX integration

Sing Li finishes his series on JMX Integration in the third article on IBM developerWorks. "In this third and final article of the JMX series, Sing Li will use an actual Network Management System (NMS) to monitor a Java application instrumented with JMX, revealing the typical techniques used in NMS/JMX integration, as well as some of the common difficulties that may be encountered when deploying JMX."

Comments (none posted)

Java Media Development with QuickTime for Java (O'Reilly)

Chris Adamson writes about the use of QuickTime with Java. "Now that Sun's Java Media Framework can't even play MP3s anymore — support was removed in August due to what Sun calls a "licensing issue" — its collection of supported media formats and compression schemes (codecs) has dwindled to near-uselessness. The JMF's powerful plug-in architecture allows developers to expand JMF's capabilities, however, and that's exactly what this article will do, by using the rival media API, Apple's QuickTime for Java."

Comments (none posted)

Lisp

CL-SDL 0.2.0 released

Version 0.2.0 of CL-SDL, which provides Common Lisp bindings for the Simple DirectMedia Layer and OpenGL multimedia libraries, has been released.

Full Story (comments: none)

CL-PDF 1.0 released

Version 1.0 of CL-PDF, the Common Lisp library for generating Adobe Acrobat documents, has been released.

Full Story (comments: none)

First public release of CL-PPCRE

The first public version of CL-PPCRE, the Portable Perl-compatible Regular Expressions for Common Lisp, has been announced. CL-PPCRE is a regular expression library for Common Lisp that features Perl compatibility, among other things.

Full Story (comments: none)

Perl

Parrot v0.0.9 'Nazgul' released (use Perl)

Use Perl mentions the release of version 0.0.9 of the Parrot compiler.

Comments (none posted)

This Week on perl5-porters (use Perl)

The December 16-22, 2002 edition of the Perl5-Porters Digest is out. Topics include: version object updates, new warning discussed, a bit of language design, and a Perl birthday present.

Comments (none posted)

This Week on perl5-porters (use Perl)

The December 23-29, 2002 edition of the Perl5-Porters Digest is out. Topics include: Implicit localisation of $DIGIT variables, Defining lexical aliases, %INC on Windows, EOL agnosticism, Iterator classes and memory leaks, and more.

Comments (none posted)

PHP

PHP 4.3.0 released

PHP 4.3.0 is out. Changes in this release include a new command line interface, a new streams API, an improved build system, the inclusion of the GD library, a number of security fixes, and more; see the announcement for details.

Comments (none posted)

PHP News

This week, the PHP News features the PHP Look Back, which summarizes PHP development in 2002, an announcement for PHP 4.3.0, and a new release of the PHP Manual CHM Edition.

Comments (none posted)

PHP Weekly Summary

Topics on this week's PHP Weekly Summary include: PHP 4.3 RC4, php-cgi vs. php-cli solved, PHP#, fixes for uniqid() and range(), and more.

Comments (none posted)

Python

Python 2.3a1 released

The first Python 2.3 alpha release is now available. Python 2.3 concentrates mostly on library enhancements, rather than changes in the language itself. Click below for the announcement; you can also head over to this page for a detailed description of what's in this release.

Full Story (comments: none)

This week's Python-URL

Dr. Dobb's Python-URL for December 23 is out with the latest from the Python development community.

Full Story (comments: none)

Dr. Dobb's Python-URL! - weekly Python news and links (Dec 30)

The weekly Dr. Dobb's Python-URL is available, with news and links for the Python community.

Full Story (comments: none)

The Daily Python-URL

This week's Daily Python-URL article topics include: Python 2.3a1 released, PyZine: Year in Review, Sort in Python, Guide to Python introspection, A Python & XML Companion, The Daily Chump Bot, PyRapi version 0.2 has been released!, and more.

Comments (none posted)

Charming Python: SimPy simplifies complex models (IBM developerWorks)

David Mertz introduces SimPy on IBM's developerWorks. "The stochastic behavior of real-world systems is often difficult to understand or predict. Sometimes it is possible rigorously to demonstrate statistical properties of systems, such as average, worst-case, and best-case performance features. But at other times, pitfalls of concrete designs only become evident when you actually run (or simulate) a system. In this article, David takes a look at SimPy, a Python package that allows you to very easily create models of discrete event systems."

Comments (none posted)

Ruby

The Ruby Garden

New topics on the Ruby Garden include the Ruby track at OSCON 2003, and debugging END{} section.

Comments (none posted)

The Ruby Weekly News

Topics on this week's Ruby Weekly News include: Build problems for FOX, FXRuby and FXScintilla?, Ruby on IRC, and RAA.your_project(name).freeze!. New Ruby software includes: RTrans 1.01, RDoc template system modification, RubyCocoa 0.4.0, Ruby-GNOME-0.2, Radical 0.6, Test::Unit 0.1.6, Ruby Document Bundle, and XTemplate.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The December 26, 2002 edition of Dr. Dobb's Tcl-URL! is out with the latest Tcl/Tk development news. Read about stdout manipulation, the making of Christmas stars, the Toucan desktop IDE for Palm OS apps, Tcl puzzles, and much more.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The December 31, 2002 Dr. Dobb's Tcl-URL! is available. Topics include the Tcl Scripting Language Components for Delphi, learning grid semantics, Tcl use at Verizon, disconnecting in-process GUI applications, Tcl under KDE, an introduction to Yorick, Tcl Wiki pages for educational software, and more.

Full Story (comments: none)

XML

From XML-RPC to SOAP: A Migration Guide (O'Reilly)

Rich Salz writes about XML-RPC and SOAP on O'Reilly. "As you might expect from the name, XML-RPC is a way of using XML to send classic Remote Procedure Calls (RPC) over the net. XML-RPC's use of XML is very simple. It doesn't use namespaces. It doesn't even use attributes."

Comments (none posted)

What Is RSS? (O'Reilly)

Mark Pilgrim writes about RSS in his first article in the "Dive Into XML" series on O'Reilly. "RSS is a format for syndicating news and the content of news-like sites, including major news sites like Wired, news-oriented community sites like Slashdot, and personal weblogs. But it's not just for news. Pretty much anything that can be broken down into discrete items can be syndicated via RSS: the "recent changes" page of a wiki, a changelog of CVS checkins, even the revision history of a book. Once information about each item is in RSS format, an RSS-aware program can check the feed for changes and react to the changes in an appropriate way."

Comments (none posted)

Debuggers

GDB 5.3 released

Version 5.3 of GDB, the GNU Project Debugger, has been released. New features include: improved GNU/Linux shared library multi-threaded performance, gdbserver support for multi-threaded applications on some targets, and support for C/C++ preprocessor macros. Several new multi-arched targets are now supported, the Fujitsu FRV architecture has been added, and some obsolete configurations have been removed. See the release notes for more details.

Comments (none posted)

Miscellaneous

Jext programmer's editor

A few new changes have been added to the Jext programmer's editor. The changes are summarized as: "two new plugins (Server Mapping and Jump) and an update of SQL Console which now accepts connections to any JDBC compliant database!"

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Is $200 the magic number for PCs? (ZDNet)

ZDNet looks at dirt-cheap computers, most of which run Linux. "But it's hard to find a $200 PC with Windows. Versions of Microtel PCs with Windows XP cost about $70 more than their Lindows counterparts, pushing them to $300 or more. Meanwhile, Linux has been catching up to Windows in compatibility. Lindows 3.0 lets PC owners view Windows files, while other applications such as StarOffice offer Linux PC users the ability to view and edit Microsoft files."

Comments (3 posted)

What's ahead? Take the annual quiz (SiliconValley)

Dan Gillmor has posted his annual predictions column. "Microsoft will ... file meritless but tactically useful patent lawsuits against open-source software developers in an effort to stop Linux and other products emerging from the volunteer community."

Comments (none posted)

Copyright extremists shouldn't control information (Townhall.com)

Townhall.com is running a column on copyright by Phyllis Schlafly - not somebody we would normally look to as an ally. "The purpose of copyright law is to provide incentives and protection to authors to create and publish original works, not give corporations the power to control the flow of information. We should not permit copyright extremists to exploit current laws for that goal, and we should reject their demands that Congress give them even broader power to control and license information."

Comments (14 posted)

Companies

Microsoft alters message to counter Linux (The Daily Camera)

LWN's local newspaper, the Daily Camera, has an article on Microsoft's changing strategy for dealing with Linux. "Microsoft can tout potential savings and commission studies, but those efforts won't be any more effective in securing customers than its past tactics, Enderle said. 'To make that argument it really needs to be made by practitioners, not by the vendor itself,' the analyst said. 'To make it stick you really need company (information technology) managers to stand up.'"

Comments (1 posted)

Business

Matsushita, Sony developing Linux platform for consumer devices (LinuxDevices)

LinuxDevices covers the partnership between Matsushita Electric Industrial Co. Ltd. (Panasonic) and Sony Corporation. "In what may well represent one of the most significant milestones of the rapidly emerging Embedded Linux market, Matsushita and Sony today jointly announced that the two companies are collaborating to create an embedded Linux operating system for consumer devices. To provide added perspective, LinuxDevices.com brings you this Special Report which includes the text of the Matsushita/Sony announcement, and also provides a roundup of some of the many international news stories surrounding this important development . . ."

Comments (none posted)

Seeing through the Linux-Windows TCO comparisons (LinuxWorld)

Joe Barr revisits IDC's Total Cost of Ownership study in this LinuxWorld article. "When you read about a TCO study in the press these days, you're not reading news. You're reading marketing material. More likely than not, you're reading a report sponsored by the vendor. If the comparison is against products from another vendor, the sponsor is the one whose ox was not gored. The recent IDC report proclaiming that Windows is cheaper (in some cases) than Linux is an excellent example."

Comments (none posted)

Linux Adoption

Businesses Leverage Mainframe Hardware, Software To Run Linux Apps (TechWeb)

TechWeb covers two businesses that have successfully moved their operations to Linux. "[Boscov's] had spent some time considering Linux as a potential alternative to client/server systems, but "got religion" when CIO Harry Roberts saw an IBM demonstration of Linux running on the mainframe first-hand at an industry conference."

Comments (4 posted)

Legal

Studios Sue Maker of DVD Copy Software (AP/Yahoo)

Here's an AP story on Yahoo about the 321 Studios DMCA case. "The movie studios say the software contains the power of digital piracy, and asked the court to enjoin 321 Studios from selling it or distributing it. The studios also seek damages from any proceeds derived from the company's software sales. 'It's like somebody selling a digital crowbar. It's like breaking into the castle if you will,' said Patricia Benson, an attorney for the studios." Of course, "analog" crowbars remain legal...

Comments (2 posted)

Supremes Intervene in DVD Case (Wired)

Wired is running an Associated Press article on the California DVD case. The Supreme Court, it seems, has decided to jump into the case and determine whether Matthew Pavlovich could be sued in California after all. "The California-based DVD Copy Control Association argued that California was the proper venue because of the movie industry's presence in that state. Lawyers for the association told the Supreme Court that the stay was needed to keep Pavlovich from reposting the decryption program on the Internet."

Comments (none posted)

Greece, Denmark (and no-one else) make EC copyright deadline (Register)

The Register reports that Greece and Denmark have signed up for the European Union's controversial Copyright Directive (AKA Europe's DMCA). "It's best to see this as a delay - rather than a derailment - of the controversial measures, fiercely advocated by the film and music industry. The software industry, most notably the Business Software Alliance (BSA), has also lobbied hard for the introduction of the directive as an important means to fight piracy. It's unhappy that new piracy-fighting laws have failed to materialise by Christmas."

Comments (1 posted)

Interviews

Sklyarov reflects on DMCA travails (News.com)

News.com talks with Dmitry Sklyarov about the DMCA and the Elcomsoft trial. "The meeting took place here during a break in the trial at a restaurant across the street from the boxy, gray corporate apartment his company has kept since it became the target of U.S. prosecution 17 months ago. The interview was given with the understanding it would not run until the ElcomSoft trial ended and Sklyarov was no longer under the terms of the government agreement."

Comments (none posted)

Duval Clears Up MNF Controversy (OfB.biz)

Open for Business talks with Gaël Duval about MandrakeSoft's new Multiple Network Firewall. "MandrakeSoft's new Multiple Network Firewall ("MNF") specialty Linux distribution has been on the forefront of the computer news for the last week, not so much because of its technical merits, but because of what appeared to be a reversal in the company's policy on licensing. The distribution's creator and company co-founder, Gaël Duval, was kind enough to return to our hot seat and discuss both the licensing controversy as well as some other points about MNF."

Comments (none posted)

Resources

LinuxDevices.com Newsletter for Dec. 19, 2002

LinuxDevices.com's Embedded Linux Newsletter for December 19, 2002 is now available, with all the latest embedded Linux news.

Full Story (comments: none)

Reviews

GNU Bayonne 1.2 (Linux Journal)

Linux Journal looks at the GNU Bayonne project. "GNU Bayonne is the telecommunications application server of the GNU Project. With the introduction of embedded SQL support, we are now actually close to having what I hope will be a new stable Bayonne base release, 1.2. Ideally, I would like to introduce a 1.2 release in late January, around the time of LinuxWorld in NYC. However, there are a number of specific things that I think need to happen before we can do a 1.2 release."

Comments (5 posted)

Linux Becomes Accessible to Average Users (Saint Paul Pioneer Press)

Remember the installation nightmare stories that were so common only a couple of years ago? Well, this newspaper article isn't one of them. "Frustrated with crashes on a borrowed Windows 98 laptop, I returned it and ditched Microsoft, installing Linux instead of Windows 95 on an old 133-megahertz Pentium PC (yes, original Pentium, not Pentium II or III)."

Comments (2 posted)

Linux Network Servers: A Book Review (Linux Journal)

Linux Journal reviews Linux Network Servers by Craig Hunt. "I have read very few books that target the intermediate level Linux user/administrator so well and so precisely. This book is a masterful effort at providing more depth and utility than a beginner's book, while at the same time, not getting bogged down with minutia, as a more comprehensive book covering a single topic might."

Comments (1 posted)

Miscellaneous

Free Software at Rosenzweig and Maffia (Linux Journal)

Linux Journal takes a look at what the New York Linux Scene (NYLXS) has been up to. "In July, we started to take more concrete action in trying to do something to stimulate business for Free Software in the NYC community. We had already established a jobs posting site which has helped hook up employers with candidates. But this hasn't been enough. A committee has been formed in NYLXS to try to take on first hand the task of driving sales for Free Software. We've dubbed this effort, 'The Free Software Chamber of Commerce'."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Commercial announcements

Another MandrakeSoft cash crunch

MandrakeSoft, it seems, is facing another cash crunch. The company has put up a call for assistance asking for its users to join MandrakeClub, purchase Mandrake products, and, for "qualified investors," buy into the (ongoing) share offering. MandrakeSoft expects to hit the breakeven point in the (northern hemisphere) spring, but it has to get there first.

Comments (4 posted)

Sponsorships Double for Desktop Linux Summit

Desktop Linux Summit has announced that it has doubled the number of sponsors for the Desktop Linux Summit to be held in San Diego, CA on February 20 and 21, 2003.

Comments (none posted)

Resources

Linux Gazette, January, 2003

The January, 2003 issue of the Linux Gazette is available; it includes articles on undeletion, Ruby programming, EcolNet, and more.

Comments (none posted)

ZCAN updated (use Perl)

Use Perl covers the release of an updated version of "The Zen of Comprehensive Archive Networks", a document that covers the creation and maintenance of language archive sites.

Comments (none posted)

Upcoming Events

The Open Source Weekend

A series of events called the Open Source Weekend will be held on January 25 and 26, 2003 in Ottawa, Canada.

Full Story (comments: none)

OSCon 2003 Call for Participation

A Call for Participation has gone out for the O'Reilly Open Source Software Convention 2003. Proposals are due by February 15, 2003.

Comments (none posted)

Linux Bangalore/2002 slides

An online slide show has been posted for the Linux Bangalore/2002 conference that was held earlier this month.

Full Story (comments: 1)

34 papers on real-time Linux (LinuxDevices)

LinuxDevices.com has published the proceedings from the Fourth Real-Time Linux Workshop held December 6-7, 2002 in Boston, MA at the Computer Science Department, Boston University. The conference was organized by the Real-Time Linux Foundation. Twenty-six of the papers are available as PDF downloads from LinuxDevices.com.

Comments (none posted)

Year-End Sale on Damian's Seattle Classes (use Perl)

Damian Conway is considering offering some Perl classes in Seattle, Washington from January 13-17, 2003 if there is sufficient student interest.

Comments (none posted)

FOSDEM Interviews

The first in a series of FOSDEM speaker interviews has been announced on the GNOME FootNotes site. The series begins with Michael Meeks on the topic of GNOME.

Comments (none posted)

Return of the Independent Game Developer? (O'Reilly)

Chromatic covers the recent Independent Game Developer's Conference on O'Reilly.

Eugene, Oregon is a surprising little powerhouse of game development. Originally home to now-defunct Dynamix, it still boasts a handful of experienced developers, managers, and artists. These days, it's home to Garage Games, the folks behind the popular Tribes 2.

Eugene is also the home of the (potentially) annual Independent Game Developers Conference. Conceived in the middle of September, this early November event drew around a hundred artists, developers, fans, and press to three days of talks, demos, and conversations.

Comments (none posted)

Reports from XML 2002 (O'Reilly)

Eric van der Vlist reports on word processor developments at the XML 2002 conference.

Comments (none posted)

Events: January 2 - February 27, 2003

Date                      Event                                                                    Location
January 21 - 24, 2003     LinuxWorld Conference & Expo (Jacob K. Javits Center)                    New York, NY
January 22 - 25, 2003     Linux.conf.au 2003                                                       Perth, Australia
January 27 - 31, 2003     SAINT-2003                                                               Orlando, Florida, USA
February 3 - 6, 2003      O'Reilly Bioinformatics Technology Conference (Westin Horton Plaza)      San Diego, CA
February 4 - 6, 2003      Linux Solutions 2003 (CNIT)                                              Paris, France
February 8 - 9, 2003      Free and Open source Software Developers' European Meeting (FOSDEM)      Brussels, Belgium
February 10 - 14, 2003    The fifth NordU/USENIX Conference (NordU2003) (Aros Congress Center)     Västerås, Sweden

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

"The Little Mermaid"

From:  Barry King <barry@wyrdwright.com>
To:  letters@lwn.net
Subject:  "The Little Mermaid"
Date:  Sun, 29 Dec 2002 19:10:13 -0500

 
Everyone has a personal "hot button" issue or another. Some of the
more foaming types have several, dotted like landmines across the soul.
  I hope mine are rather few, but on the December 19 edition of the
Linux Weekly News, I'm afraid Jonathan Corbet walked right over one of
mine by saying that "Disney may have done children a great service by
cleaning up the gory and depressing parts of 'The Little Mermaid'".
Rather than being off-topic though, I am sending this note because I
think the fight for a Commons is so much more important than what you
can do with a distribution of Linux. Rather, the code is only a part
of a much bigger problem.
 
If you have read one of the more folkloric versions of "The Little
Mermaid", there are two elements which have been overlooked in the
Disney version which are absolutely critical to the purpose of the
story. One is the bargain. The little mermaid herself (Why Disney
might have named her "Arial", I don't know, but it was singularly bad
taste...) makes the bargain against her family's wishes that she will
get legs and be able to pursue her beloved, who she does not know, but
has seen from the shallows. She gets the legs, but they make her feel
as if she is walking on glass and knives whenever she uses them, a
sacrifice she makes willingly. Secondly, the little mermaid discovers
after having made the bargain that her lover is not faithful, and
abandons her after having his way with her. This leaves her stranded
and in pain between the world she comes from and the world she chose,
but rejects her.
 
As a fairy tale, its warning is "Don't decide to sacrifice the
familiar for the exciting before you know for sure you can live the
life you dream. You may ruin your chances at happiness in both places
if you fail," which is good advice for a fairy tale to give. Disney's
version is more along the lines of "Whatever trouble you get into,
Daddy will make it O.K.," which is the kind of advice we have had far
too much of, In My Curmudgeonly Opinion.
 
What worries me is that Disney may gain the power to prevent anyone
from telling the tale as it was meant to be told, forever destroying a
bit of the wisdom that makes us human, much as a software company,
through a patent, destroys a bit of the common good by robbing the
commons of its commodity.
 
So we're not just fighting for our code by fighting for the Commons.
In a way, we are also fighting for our cultural heritage. Maybe even
in a small way, for our souls.
 
Barry King
Kingston, Ontario
Canada

Comments (3 posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds