
LWN.net Weekly Edition for February 6, 2003

The Open-HCI project launches

The announcement went out on the last day of January: members of the GNOME and KDE projects have gotten together to improve cooperation between the two with regard to human interface guidelines. For the (many) users who have wanted to see a higher degree of cooperation between KDE and GNOME, this move can only be seen as a step in the right direction.

At the beginning, of course, it is a pretty small step. Both desktop projects maintain a set of usability guidelines which promote consistency and good human factors in desktop applications. The plan is to merge the two sets into a single document. Initially, each project's guidelines will remain in a separate section. Over time, the plan is to find areas which can be merged into shared sections, common to both desktops. The possibility exists that a single set of guidelines could eventually emerge. That is a distant hope, however; for now, the Open-HCI workers are more concerned with details like what format will be used for the combined document.

It would be hard to overestimate the value of a high-quality, shared usability document. Usability work is hard, tedious, and unglorious; it is also a crucial part of the development of end-user applications that actually work. It is exactly the sort of work that free software projects are not supposed to be good at - though much of the work already done within GNOME and KDE puts the lie to that claim. Making it easier for both projects to benefit from the usability work that is being done can only lead to better desktop applications in the future.

Shared usability guidelines should also lead to more consistent behavior between the two desktops. The competition between KDE and GNOME has been a good thing for both projects, and for the Linux desktop as a whole. But there is no need for the two to be separate islands. More consistent behavior will make it easier for users to pick and choose applications from both projects, allowing them to take advantage of the best of each. And that, too, should be good for the Linux desktop.

(See also: usability guidelines for KDE and GNOME; there is also a mailing list for the Open-HCI project).


Desktop Linux Summits and Consortiums

[This article was contributed by Joe 'Zonker' Brockmeier]

Sometimes two stories in the media become inextricably linked. When one story is covered, the other issue is always mentioned -- creating an impression that there is a connection where the link is sometimes tenuous or non-existent.

Such is the case with the Desktop Linux Summit and the Desktop Linux Consortium (DLC).

The link, however, between the Summit and the DLC is thin at best and seems to be the victim of bad timing. With better timing, the DLC might be seen for what its founders want it to be: a meeting of the minds of companies and organizations who are interested in furthering Linux as a desktop operating system.

Questions still remain as to exactly what happened with the Desktop Linux Summit. The event is promoted as a "multi-vendor" event about Linux on the desktop. However, many vendors have abandoned the summit after Bruce Perens was replaced as the keynote speaker by Michael Robertson -- not coincidentally the CEO and founder of Lindows.com.

The original list of sponsors and exhibitors differs greatly from the current list. In fact, at least one organization listed as an exhibitor has asked to be withdrawn. Sam Hiser, of the OpenOffice.org Project confirmed today that the project has asked to be withdrawn from the list of exhibitors. However, they are still listed on the Summit website. A representative for Sun Microsystems also confirmed that they have asked to be removed as an exhibitor, but explained that it was because Sun's speaker would be unavailable for the conference -- not because Perens was no longer speaking.

We spoke with Jill Ratkevic, who was the original coordinator for the Desktop Linux Summit. According to Ratkevic, Robertson and Lindows.com president Kevin Carmony were aware of the decision to have Perens do the keynote. However, Carmony claims that he "always" thought that Robertson would be the keynote speaker and that it was a "mix-up."

We'll take 100 percent responsibility for the miscommunication early on... We haven't come out and told our side of the story, and we really don't want to. We'd rather have everybody think ill of Lindows and get on with business. Okay we're slimeballs, okay we can take that as long as we get on with business. We don't want to spend time on the debate.

Jeremy White, CEO of CodeWeavers, told us that no one had a problem with Robertson speaking -- only the manner in which the change was made. "I think that a lot of folks that were willing to be flexible on the agenda...what was frustrating was the manner in which it was done."

According to Carmony, the event is still sold out, but it certainly has a different flavor now that many Linux companies have pulled out. Attendees listed for the "sold-out" conference now include such Linux-specific companies as Borders, NovaPCs and the Brobeck law firm.

Shawn Gordon, of The Kompany, says he plans to remain involved:

I did pull out for a few days, for a different reason however, and I'm back in it now... My interest is mostly in getting theKompany as much exposure as possible to the main stream press and potential users that haven't heard about us before, and this looked like the best opportunity to do it, regardless of the speakers or program.

The Linux Professional Institute and SuSE will also remain involved. Holger Dyroff, head of SuSE's U.S. operations, said that he did not want to disappoint people who had already made appointments to speak with SuSE.

However, by all accounts, the fuss over the summit is separate from the decision to form a Linux Desktop Consortium. Perens, who is serving as the interim executive director for the consortium, says that the LDC:

...is not a response to the summit issue, but I think that having the Consortium run the next summit will result in some good things... Lindows won't have to pay for everything, and we'll have a better shot at a more even program.

White says that the discussions for the consortium began "more than a month ago." "A few of us got together and said, 'hey, we should do a Linux Desktop Consortium.' We felt that we could use a more unified voice, and it's time for a Linux desktop." White says that the consortium will focus on business users' needs, but "we definitely don't want to neglect grandma."

The consortium is still in the planning stages right now. White says the group is "in a waiting period while we're gathering information."

Despite the fact that a number of LDC members pulled out of the Summit, Lindows.com was still invited to join the LDC. Carmony says that Lindows.com is taking a wait-and-see attitude about the consortium, but that Lindows is "absolutely" open to the idea of joining the group if it turns out to be something they can get behind.

Though the goals of the consortium are still somewhat vague, Perens said that they definitely plan to put on a vendor-neutral desktop conference. Group marketing initiatives also seem to be part of the plan. White says that the group wants to find a way that companies, projects and end-users can work together -- though the details haven't been ironed out yet. Member companies are being asked to pony up $1,000 for membership, but White says that the group doesn't plan to ask free software and open source projects for money.

Some may wonder how successful the consortium will be, since many members are competing companies. However, Perens says that the consortium "won't have to do much to be successful... there are a number of things that the various players should be taking about. There are events that should be held that can be held fairly. We don't have to save the world."

Holger Dyroff, head of SuSE Linux U.S. operations, says that SuSE doesn't plan to take the most active role in the organization, but that SuSE is behind the idea of pooling marketing efforts and encouraging companies to make sure their products integrate with Linux.

With any luck, the bad blood over the Summit will fade in time and Linux vendors will be able to make Linux a real success on the desktop. Everyone we spoke to for this story indicated a desire to put the issue behind them and to work on making Linux a success rather than focusing on the negatives.


The MS-SQL worm: lessons for free software

The MS-SQL worm has run its course and been cleared off the net. It is also, of course, another example of a proprietary software failure that did not affect Linux users except in indirect ways. Still, the worm is interesting to look at in a number of ways, and it should give free software users and developers a few things to think about.

Much has been written about how quickly the worm spread across the net. Most of the vulnerable systems had been infected within about ten minutes. With that sort of propagation speed, there really is very little that system and network administrators can do; by the time they know that there is a problem, they have already been infected. There is no time to scramble for patches, or even to pull the plug. Someday networks will have to be able to react automatically to this sort of attack; automated response systems, however, are likely to be a source of outages themselves.

The worm infected something on the order of 100,000 hosts. Given the size of the Internet, that is a relatively small number; there just weren't that many vulnerable systems which were directly reachable on the net. Even with such a small proportion of vulnerable systems, however, the worm was able to create a great deal of disruption. It is not necessary to infect much of the net to create trouble for everybody.

This suggests that the talk of software monocultures that one often encounters (including on this site) may be a bit misguided. The net, certainly, is not a monoculture of vulnerable SQL Server systems. Monocultures still increase the risk of truly devastating, global attacks, but their elimination will not necessarily make the net a whole lot safer.

There are plenty of free programs which run on at least 100,000 network-exposed systems. A widespread vulnerability in any of these programs could, conceivably, be used to similar effect by a future attacker. There is a good chance, perhaps almost a certainty, that a vulnerability in free software will be used someday to trash the net. It is not an occasion to look forward to.

Still, there are aspects of the free software way of doing things that help to make this kind of event less likely. They include:

  • Security updates for free programs tend to be small fixes which address the vulnerability and nothing else. Most distributors put considerable effort into backporting fixes to whatever version of the program they shipped. As a result, the security updates are relatively safe and easy to install. The SQL Server fix was, apparently, part of a huge patch set which changed many things. Applying all security updates as they come out to a Linux system can be tedious and annoying, but it is also a reasonable thing to do. It has been said that companies trying to keep up with Microsoft patch sets will encounter more outages from the patches themselves than from security breaches.

    The result of all this is that Linux systems are more likely to be current with their security updates. Or, at least, they have less of an excuse if they fall behind.

  • Many, if not most of the systems compromised by the MS-SQL worm were running a version of SQL Server that came packaged with a completely different application; some examples include the Cisco E-Mail Manager, ISS System Scanner, JD Edwards ERP, Office 2000/XP, Visio, Unicenter, and many others. Many of the people running vulnerable systems had no idea that SQL Server was even present. Free applications do not tend to drag along major subsystems in quite the same way. Further moves toward complicated applications and component architectures could change that, however.

  • SQL Server, by default, opens a port to the world as a whole. For the most part, free software (and Linux distributors) have learned better than that. PostgreSQL and MySQL will talk to the net, and both have had security issues in the recent past. It is a rare installation, however, which has exposed either database server to the net without deliberate action by the system administrator.
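As an added illustration of the last point above (example code written for this page, not part of the original article and not any distributor's tooling): a check that reads socket listings in the format of "ss -Hltnu" and flags database servers listening on anything other than the loopback interface. The socket lines and the port-to-service map are constructed for the example; the live_check function runs the same logic against the host it is run on.

```python
import subprocess

# Ports commonly used by database servers (an assumption made for this example).
DB_PORTS = {
    1433: "MS SQL Server",
    1434: "SQL Server Resolution Service (the worm's UDP vector)",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# Addresses that keep a listener off the network entirely.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -Hltnu` output: proto state recv-q send-q local peer.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0      0.0.0.0:1434       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      80     *:3306             *:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    192.0.2.10:1433    0.0.0.0:*
"""


def parse_local(field):
    """Split an ss local-address field into (address, port); handles [v6]:port."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def exposed_db_listeners(ss_output):
    """Return (proto, addr, port, service) for database sockets reachable from
    beyond the loopback interface, i.e. bound to a wildcard or a real address."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = parse_local(local)
        if port in DB_PORTS and addr not in LOOPBACK:
            findings.append((proto, addr, port, DB_PORTS[port]))
    return findings


def live_check():
    """Run the same check on this host (ss -H, no header, needs a recent iproute2)."""
    out = subprocess.run(["ss", "-Hltnu"], capture_output=True, text=True).stdout
    return exposed_db_listeners(out)


if __name__ == "__main__":
    for proto, addr, port, service in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print("%s %s:%d  %s is reachable from the network" % (proto, addr, port, service))
```

A listener bound to a specific non-loopback address (the 1433 line) is reported too: it is just as exposed on that interface as a wildcard bind, and is easy to overlook when only "0.0.0.0" is grepped for.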

All of the above points, hopefully, indicate that free software offers some relative security advantages, especially with regard to widespread infections. We have a long way to go, however, before we can even begin to think that we are safe. Smugness is the wrong response to this episode; instead, we need to learn from it and redouble our efforts to keep it from happening to us.


Page editor: Jonathan Corbet

Security

Brief items

Vulnerabilities and alerts in 2002

One of the advantages to having a site built on a real database is that you can use it to generate nifty tables. When we ran a list of vulnerabilities and alerts one year ago, the whole thing was generated by hand. Life is easier this time around.

...at least, if you're not concerned with keeping your systems secure. The following table, which covers the second half of 2002, contains 119 separate vulnerabilities, and well over 300 alerts. As much as we like to say that free software is more secure, the table below makes it clear that it is not anywhere near secure enough.

On the other hand, it's worth pointing out that almost none of the vulnerabilities listed below have, to our knowledge, been exploited on any kind of scale. Most of these problems have been found (and fixed) by developers proactively auditing the code; in general, the fixes seem to get out to most users in time to avoid widespread problems. Many of these vulnerabilities are, most likely, relatively hard to exploit.

The table reveals some of the limitations of our security database. If a vulnerability has no alerts from a particular distributor, it does not necessarily mean that said distributor never got around to fixing the problem. In many cases, the distributor did not ship a vulnerable version of the affected program, and thus did not need to put out an update.

Vulnerability Conectiva Debian Gentoo Mandrake Red Hat SCO SuSE
acroread X
amavis X
apache
apache X X X X X X X X
bind X X X X X
bind glibc X X X X X X X X
bugzilla X
bugzilla X
bugzilla X
bzip2 X
cacti X
canna X X X X
cups X X X X X X
cvs X
cyrus-imapd X X
cyrus-sasl X X
dhcpcd X X X X
dietlibc X X X
dvips X X X X X X
epic4-script-light X
ethereal X X X
evolution
exim X
fam X
fetchmail X X X X X X
fetchmail X X X X X X X
freeswan X
gaim X X
gaim X X X X
gallery X
glibc X X X X X X X X X
glibc X X
gtetrinet X X
gv X X X X X X X X
heartbeat X X X
heimdal X X
html2ps X X
hylafax X X X
i4l X
im X X
inn X
interchange X
irssi-text X
kde X X
kde X X X X X X X X X X X X X X
kdelibs X X X X
kdelibs X X X
kdenetwork X X X X
kernel X
kernel X X X
kernel X X X
kernel X
kgpg X
krb5 X X X
krb5 X
krb5, heimdal X X X X X X X X
l2tpd X
mod_ssl X X X X X
libpng X X X X
libpng X
libpng X X X X X
linuxconf
linuxconf X
log2mail X
luxman X
lynx X X
mailman X X
mantis X
mantis X X
masqmail X
mhonarc X X X
micq X
mm X X X X X X
mod_php4
mod_ssl X X X X X
mozilla X
mpack X
mysql X X X X X X
net-snmp X
nis, ypserv X X X X X X
nn
nss_ldap X X X
nullmailer X
openafs X
pam X
php X X X
pine X X X X
purity X
pxe X X
python X X X X X X X X
samba X X X X X X
scrollkeeper X X X
sendmail X
sendmail X X X X
smb2www X
squid X
squid X X X X
squirrelmail X X X X X
super X
syslog-ng X X X X
tar unzip X X X X X X
tcltk expect X X
tcpdump X X
tinyproxy X
tkmail X
tomcat X X X X X
traceroute X
util-linux X X X X
wget X X X X X X
windowmaker X X X
wordtrans X
wwwoffle X X X
xf86 xfree86 X X X X
xinetd X X X X X
zope X
zope X
sqwebmail X
Konqueror X
MailTools X X X
OpenLDAP2 X X X X X
OpenSSL X X X X X X X X X X X X
PHP X X X X
PostgreSQL X X X X X X X
Safe.pm X X


New vulnerabilities

bladeenc - improper input verification

Package(s):bladeenc CVE #(s):
Created:February 5, 2003 Updated:February 5, 2003
Description: Versions 0.94.2 (and prior) of the Blade MP3 encoder contain an input validation vulnerability which can lead to arbitrary code execution; see this advisory for details.
Alerts:
Gentoo 200302-04 2003-02-05


courier - missing input sanitizing

Package(s):courier CVE #(s):CAN-2003-0040
Created:January 30, 2003 Updated:February 5, 2003
Description: The developers of courier, an integrated user-side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. By exploiting this vulnerability an attacker could inject arbitrary SQL commands and queries. The MySQL auth module is not affected.
Alerts:
Debian DSA-247-1 2003-01-30
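To make the courier flaw concrete, here is an added example (written for this page, not courier's own code) showing the two query-building patterns side by side. Python's sqlite3 module stands in for the PostgreSQL client library; the table, its single user and the attacker's username are all constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the authentication database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def lookup_password_vulnerable(db, username):
    """The flawed pattern: the username is spliced into the SQL text. A quote
    character in the name closes the string literal and whatever follows is
    parsed as SQL, so the attacker chooses part of the query."""
    sql = "SELECT password FROM users WHERE username = '%s'" % username
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_password_safe(db, username):
    """Bound parameter: the value is handed to the driver separately from the
    statement text and can never be parsed as SQL, whatever it contains."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


# Constructed attacker-supplied username. Spliced in, it turns the WHERE
# clause into  username = 'nobody' OR '1'='1  and matches every row.
ATTACKER_USERNAME = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_password_vulnerable(db, ATTACKER_USERNAME))
    print("safe:      ", lookup_password_safe(db, ATTACKER_USERNAME))
```

Escaping the dangerous characters by hand (the approach the original courier code attempted) is what went wrong here: the list of characters that need escaping depends on the database engine and its settings, and one omission is enough. Bound parameters remove the problem rather than patching around it.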


kernel - Multiple vulnerabilities in version 2.4.18 of the kernel

Package(s):kernel CVE #(s):CAN-2003-0001 CAN-2003-0018
Created:February 4, 2003 Updated:February 5, 2003
Description: Vulnerabilities have been found in version 2.4.18 of the kernel.

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue.

A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and later that can create a limited information leak where any user on the system with write privileges to a file system can read information from that file system (from previously deleted files), and can create minor file system corruption (easily repaired by fsck). Red Hat Linux in its default configuration is not affected by this bug, because the ext3 file system (the default file system in Red Hat Linux 7.2 and later) does not support the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18 kernels have this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.

Alerts:
Red Hat RHSA-2003:025-20 2003-02-03
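An added example, not from the kernel or from Red Hat's advisory, of what the padding bug (CAN-2003-0001) looks like on the wire and how to check captured frames for it. Ethernet requires a frame of at least 60 bytes (before the FCS), so a short IPv4 packet has to be padded; the bytes past the IP total length are that padding and must be zero. Frames here are constructed with a minimal IPv4 header, and pad_frame_leaky models a driver that sends a short frame from a buffer whose tail was never cleared.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60          # minimum frame length, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(payload, src_mac=b"\x02\x00\x00\x00\x00\x01",
                     dst_mac=b"\x02\x00\x00\x00\x00\x02"):
    """Constructed sample: Ethernet header + minimal IPv4 header (no checksum)
    carrying `payload`. Addresses are documentation-range values."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def pad_frame_correctly(frame):
    """What a driver should do: bring a short frame up to 60 bytes with zeros."""
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))


def pad_frame_leaky(frame, stale_buffer):
    """Model of the CAN-2003-0001 bug: the short frame is transmitted from a
    buffer whose tail still holds leftover bytes (a previous packet, or
    whatever kernel memory was there), so that data goes onto the wire."""
    need = max(0, ETH_MIN_FRAME - len(frame))
    return frame + stale_buffer[:need]


def padding_bytes(frame):
    """Return the bytes of an IPv4 frame that lie beyond the IP total length."""
    if len(frame) < ETH_HDR_LEN + 20:
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return b""
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return frame[ETH_HDR_LEN + total_len:]


def leaks_data(frame):
    """True when the padding region holds anything other than zero bytes."""
    return any(padding_bytes(frame))


if __name__ == "__main__":
    short = build_ipv4_frame(b"\x00" * 8)            # 42 bytes: needs 18 of padding
    print("correct driver leaks:", leaks_data(pad_frame_correctly(short)))
    print("buggy driver leaks:  ", leaks_data(pad_frame_leaky(short, b"stale kernel data!!!")))
```

The same padding_bytes check can be pointed at frames pulled from a capture: a steady stream of non-zero padding from one host is the signature of an unpatched driver, and is worth looking for on a network whose hosts cannot all be updated at once.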


krb5 - vulnerability in Kerberos ftp client

Package(s):krb5 ftp netkit CVE #(s):CAN-2003-0041
Created:January 31, 2003 Updated:February 21, 2003
Description: Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution.

Alerts:
Mandrake MDKSA-2003:021 2003-02-21
Red Hat RHSA-2003:020-10 2003-01-31


qt-dcgui: file leaking

Package(s):qt-dcgui CVE #(s):
Created:February 4, 2003 Updated:February 5, 2003
Description: All versions of qt-dcgui prior to 0.2.2 have a major security vulnerability in the directory parser. This bug allows a remote attacker to download files outside the sharelist. It's recommended that you upgrade the packages immediately.

Read the full announcement at: http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html

Alerts:
Gentoo 200302-03 2003-02-04
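Both the krb5 ftp client problem above and this qt-dcgui bug come down to trusting a path chosen by the other end of the connection. As an added example (not code from either project), here are the two checks a client or server can apply: one for a filename the server supplied, one for a path the client requested within a shared directory. The share root and filenames are made up for the example, and Direct Connect style backslash separators are folded to slashes before checking.

```python
import posixpath


def safe_local_filename(name):
    """Client-side check for a filename the server chose (the krb5 ftp case).
    A name starting with '|' becomes a command if handed to system(); anything
    that is not a plain basename would land outside the working directory."""
    if not name or name.startswith("|"):
        raise ValueError("refusing filename a shell-spawning client would execute: %r" % name)
    if name in (".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise ValueError("refusing filename outside the current directory: %r" % name)
    return name


def resolve_shared_path(share_root, requested):
    """Server-side check for a path the client asked for (the qt-dcgui case).
    Fold backslashes, normalise, and refuse anything whose normalised form
    leaves share_root. This is purely lexical: real code should also run
    os.path.realpath() on the result so symlinks inside the share cannot
    point out of it."""
    root = posixpath.normpath("/" + share_root.strip("/"))
    prefix = root if root.endswith("/") else root + "/"
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(prefix):
        raise PermissionError("request escapes the share: %r" % requested)
    return candidate


def is_rejected(check, *args):
    """True when the check refuses its input."""
    try:
        check(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    for name in ("report.txt", "|sh -c id", "../.rhosts"):
        print("ftp name %-12r rejected: %s" % (name, is_rejected(safe_local_filename, name)))
    for req in ("music\\song.mp3", "..\\..\\etc\\passwd", "music/../../x"):
        print("share request %-20r rejected: %s" % (req, is_rejected(resolve_shared_path, "/srv/share", req)))
```

The order matters in the server-side check: normalise first, then compare, so that "music/../../x" is judged by where it ends up ("/srv/x") rather than by whether the request text happens to begin with "..".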


slocate - buffer overflow

Package(s):slocate CVE #(s):CAN-2003-0056
Created:February 5, 2003 Updated:May 8, 2003
Description: Version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details.
Alerts:
Conectiva CLA-2003:643 2003-05-08
SCO Group CSSA-2003-009.0 2003-03-06
Debian DSA-252-1 2003-02-21
Mandrake MDKSA-2003:015 2003-02-05
Gentoo 200302-02 2003-02-02


Updated vulnerabilities

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2002-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16


BIND8: Multiple vulnerabilities

Package(s):bind CVE #(s):CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created:November 13, 2002 Updated:March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Name Domain (BIND) server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
Sorcerer SORCERER2003-03-06 2003-03-06
SCO Group CSSA-2002-059.0 2002-12-19
Trustix 2002-0076 2002-11-15
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Debian DSA-196-1 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Mandrake MDKSA-2002:077 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
EnGarde ESA-20021114-029 2002-11-14


bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2003-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04


cups - multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383
Created:December 30, 2002 Updated:February 18, 2003
Description: Exploitation of multiple CUPS vulnerabilities allows local and remote attackers, in the worst case, to gain root privileges. See the iDEFENSE advisory for more information.
Alerts:
Debian DSA-232-2 2003-02-20
SCO Group CSSA-2003-004.0 2003-01-20
Debian DSA-232-1 2003-01-20
Yellow Dog YDU-20030114-1 2003-01-14
Red Hat RHSA-2002:295-07 2003-01-09
Mandrake MDKSA-2003:001 2003-01-09
SuSE SuSE-SA:2003:002 2003-01-02
Gentoo 200212-13 2002-12-29


CVS - exploitable double-free bug in the CVS server

Package(s):cvs CVE #(s):CAN-2003-0015
Created:January 20, 2003 Updated:April 7, 2003
Description: CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug.

See also this CERT advisory

Alerts:
Immunix IMNX-2003-7+-004-01 2003-04-02
SCO Group CSSA-2003-006.0 2003-01-31
Yellow Dog YDU-20030127-6 2003-01-27
Conectiva CLA-2003:561 2003-01-23
SuSE SuSE-SA:2003:0007 2003-01-22
Slackware sl-1043242333 2003-01-22
Conectiva CLA-2003:560 2003-01-21
Debian DSA-233-1 2003-01-21
Gentoo 200301-12 2003-01-21
OpenPKG OpenPKG-SA-2003.004 2003-01-21
Mandrake MDKSA-2003:009 2003-01-20
Red Hat RHSA-2003:012-07 2003-01-20


dhcp3 - ignored counter boundary

Package(s):dhcp3 CVE #(s):CAN-2003-0039
Created:January 28, 2003 Updated:April 5, 2003
Description: Florian Lohoff discovered a bug in dhcrelay that causes it to send a continuing packet storm towards the configured DHCP server(s) when it receives a malicious BOOTP packet, such as one sent by buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

The fix introduces a new command-line switch ``-c maxcount''; people are advised to start the DHCP relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already.

Alerts:
Conectiva CLA-2003:616 2003-04-04
Red Hat RHSA-2003:034-01 2003-03-31
OpenPKG OpenPKG-SA-2003.012 2003-02-19
Debian DSA-245-1 2003-01-28
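An added model of the relay loop described above (example written for this page, not ISC's dhcrelay code). A minimal BOOTREQUEST is packed with struct; relay_once applies the giaddr loop guard the relay already had and an optional hop bound in the spirit of dhcrelay -c; simulate_storm reflects every forwarded packet straight back at the relay, as the broadcast MAC address does in the scenario above. Addresses and packet contents are constructed.

```python
import struct

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (vendor area omitted).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
BOOTREQUEST = 1
ZERO_ADDR = b"\x00" * 4


def build_bootrequest(hops=0, giaddr=ZERO_ADDR, xid=0x1234):
    """Constructed BOOTREQUEST with a made-up client hardware address."""
    chaddr = b"\x02\x00\x00\x00\x00\x01" + b"\x00" * 10
    return struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, hops, xid, 0, 0,
                       ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, giaddr, chaddr)


def relay_once(packet, relay_addr, max_hops):
    """Relay-agent decision for one received BOOTREQUEST: return the packet to
    forward toward the server, or None to drop it. max_hops=None reproduces
    the unbounded behaviour; an integer is the -c style limit."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    if op != BOOTREQUEST:
        return None
    if giaddr == relay_addr:            # already relayed by us: the original loop guard
        return None
    if max_hops is not None and hops >= max_hops:
        return None                     # the bound that was missing
    if giaddr == ZERO_ADDR:
        fields[10] = relay_addr         # first relay hop records its own address
    fields[3] = (hops + 1) & 0xFF       # 8-bit field: wraps, so it never stops the loop by itself
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def simulate_storm(packet, relay_addr, max_hops, reflect_limit=1000):
    """Every forwarded packet is reflected back to the relay. Return how many
    packets the relay emitted before dropping one (or hitting reflect_limit)."""
    sent = 0
    while packet is not None and sent < reflect_limit:
        packet = relay_once(packet, relay_addr, max_hops)
        if packet is not None:
            sent += 1
    return sent


if __name__ == "__main__":
    relay = bytes([192, 0, 2, 1])
    rogue_giaddr = bytes([203, 0, 113, 9])   # not the relay's own address, so the guard never fires
    print("normal request, no bound:   ", simulate_storm(build_bootrequest(), relay, None))
    print("malicious request, no bound:", simulate_storm(build_bootrequest(giaddr=rogue_giaddr), relay, None))
    print("malicious request, -c 10:   ", simulate_storm(build_bootrequest(giaddr=rogue_giaddr), relay, 10))
```

A request with giaddr already set to a foreign address slips past the "is this our own?" check on every pass, and because the hops byte wraps at 256 the counter alone never ends the loop; only an explicit ceiling does, which is why the fix is a limit rather than a change to the guard.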


dvips: command execution vulnerability

Package(s):dvips CVE #(s):CAN-2002-0836
Created:October 16, 2002 Updated:June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Immunix IMNX-2003-7+-016-01 2003-06-09
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Debian DSA-207-1 2002-12-11
Conectiva CLA-2002:537 2002-10-29
Mandrake MDKSA-2002:071 2002-10-24
Mandrake MDKSA-2002:070 2002-10-23
Gentoo tetex-20021018 2002-10-18
Red Hat RHSA-2002:194-18 2002-10-08


Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16


GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13


Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 30, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13


glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

IM: creates temporary files insecurely

Package(s):im CVE #(s):CAN-2002-1395
Created:December 3, 2002 Updated:March 6, 2003
Description: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.
  1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so a local user can take over the temporary directory of another user.

  2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.
Alerts:
Red Hat RHSA-2003:039-06 2003-03-06
Debian DSA-202-2 2002-12-06
Debian DSA-202-1 2002-12-03

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Conectiva CLA-2003:690 2003-07-08
SuSE SuSE-SA:2003:0008 2003-02-18
Debian DSA-229-2 2003-01-15

Comments (1 posted)

KDE - command parameter quoting problems

Package(s):kde CVE #(s):CAN-2002-1393
Created:December 24, 2002 Updated:February 21, 2003
Description: In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions passed to a command shell for execution.

These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source.

By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges.

See this announcement for more details.
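The quoting problem above is one of construction: data such as URLs, filenames and addresses is spliced into a command line that a shell then re-parses. The following is an added example, not KDE code, of a hypothetical shell_quote() helper that wraps each parameter in single quotes so the shell treats it as one literal word; passing an argv[] to execvp() instead of going through a shell is the stronger fix where the design allows it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper written for this page (not KDE code): wrap an
 * arbitrary string in single quotes for /bin/sh. Inside single quotes
 * the shell treats nothing as special except the closing quote, so each
 * embedded ' is emitted as '\'' (close, literal quote, reopen).
 * Returns a malloc()ed string, or NULL on allocation failure. */
char *shell_quote(const char *s)
{
    size_t len = strlen(s);
    /* Worst case every byte is a quote (4 bytes out), plus 2 outer quotes and NUL. */
    char *out = malloc(len * 4 + 3);
    size_t n = 0;

    if (out == NULL)
        return NULL;
    out[n++] = '\'';
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return out;
}

/* Build "prog <quoted arg>" for system()/popen(). The quoted argument
 * reaches prog as one literal word no matter what it contains. Passing
 * an argv[] to execvp() avoids the shell entirely and is preferable
 * where the design allows it. Caller frees the result. */
char *build_command(const char *prog, const char *arg)
{
    char *q = shell_quote(arg);
    char *cmd;
    size_t sz;

    if (q == NULL)
        return NULL;
    sz = strlen(prog) + 1 + strlen(q) + 1;
    cmd = malloc(sz);
    if (cmd != NULL)
        snprintf(cmd, sz, "%s %s", prog, q);
    free(q);
    return cmd;
}

int main(void)
{
    /* Constructed sample: a filename that would, unquoted, end the
     * command and start another one. */
    const char *untrusted = "notes.txt'; echo injected; '";
    char *cmd = build_command("lpr", untrusted);

    if (cmd == NULL)
        return 1;
    printf("%s\n", cmd);   /* lpr 'notes.txt'\''; echo injected; '\''' */
    free(cmd);
    return 0;
}
```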

Alerts:
Conectiva CLA-2003:569 2003-02-20
Debian DSA-243-1 2003-01-24
Debian DSA-242-1 2003-01-24
Debian DSA-241-1 2003-01-24
Debian DSA-239-1 2003-01-23
Debian DSA-240-1 2003-01-23
Debian DSA-237-1 2003-01-22
Debian DSA-238-1 2003-01-23
Debian DSA-236-1 2003-01-22
Debian DSA-235-1 2003-01-22
Debian DSA-234-1 2003-01-22
Gentoo 200301-11 2003-01-18
Mandrake MDKSA-2003:004-1 2003-01-17
Mandrake MDKSA-2003:004 2003-01-13
Gentoo 200212-9 2002-12-22

Comments (none posted)

kdelibs: Vulnerabilities in KIO subsystem support

Package(s):kdelibs CVE #(s):CAN-2002-1281 CAN-2002-1282
Created:November 22, 2002 Updated:March 15, 2003
Description: Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2, however the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
SCO Group CSSA-2003-012.0 2003-03-14
Debian DSA-204-1 2002-12-05
Red Hat RHSA-2002:220-40 2002-12-04
Mandrake MDKSA-2002:079 2002-11-21

Comments (none posted)

kernel: local denial of service vulnerability

Package(s):kernel CVE #(s):
Created:November 19, 2002 Updated:February 5, 2003
Description: All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and 2.5.47 contain a vulnerability which allows any local user to crash the system. This LWN article describes how the exploit works in detail. The vulnerability affects only x86 systems.
Alerts:
Mandrake MDKSA-2003:014 2003-02-05
Trustix 2002-0083 2002-12-19
Conectiva CLA-2002:553 2002-12-16
Red Hat RHSA-2002:264-05 2002-11-25
Trustix 2002-0077 2002-11-15
Red Hat RHSA-2002:262-07 2002-11-16

Comments (none posted)

libmcrypt: buffer overflows and memory exhaustion

Package(s):libmcrypt CVE #(s):CAN-2003-0031 CAN-2003-0032
Created:January 6, 2003 Updated:February 27, 2003
Description: libmcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from improper or missing input validation. By passing longer than expected input to a number of functions (multiple functions are affected) a user can successfully make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via libtool. When the algorithms are loaded dynamically, a small amount (a few kilobytes) of memory is leaked each time an algorithm is loaded. In a persistent environment (such as a web server) this could lead to a memory exhaustion attack that consumes all available memory through repeated requests to an application using the mcrypt library.

Alerts:
SuSE SuSE-SA:2003:0010 2003-02-26
Conectiva CLA-2003:567 2003-02-05
Debian DSA-228-1 2003-01-14
Gentoo 200301-4 2003-01-05

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

micq: Denial of service

Package(s):micq CVE #(s):
Created:December 13, 2002 Updated:April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash.
Alerts:
Red Hat RHSA-2003:118-01 2003-04-24
Debian DSA-211-1 2002-12-13

Comments (none posted)

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Comments (1 posted)

mod_php - buffer overflow

Package(s):mod_php php CVE #(s):CAN-2002-1396
Created:January 13, 2003 Updated:February 20, 2003
Description: The wordwrap() function on user-supplied input may allow a specially-crafted input to overflow the allocated buffer and overwrite the heap. There are no known exploits, but an exploit is theoretically possible.

Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192&w=2

Alerts:
Mandrake MDKSA-2003:019 2003-02-19
EnGarde ESA-20030219-003 2003-02-19
Red Hat RHSA-2003:017-06 2003-02-04
OpenPKG OpenPKG-SA-2003.005 2003-01-22
Gentoo 200301-8 2003-01-13

Comments (none posted)

Mozilla: Privacy leak and other vulnerabilities

Package(s):mozilla CVE #(s):CAN-2002-1126 CAN-2002-1091
Created:November 1, 2002 Updated:February 13, 2003
Description: Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs.

Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width.

See also Mozilla's Recently fixed security issues page.

All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.

Alerts:
Conectiva CLA-2003:568 2003-02-13
Mandrake MDKSA-2002:075 2002-10-31

Comments (none posted)

MySQL - double free vulnerability

Package(s):mysql CVE #(s):CAN-2003-0073
Created:January 29, 2003 Updated:February 21, 2003
Description: MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile client to crash the server process. Logging into the server is necessary before this vulnerability can be exploited.
Alerts:
Trustix 2003-0003 2003-02-20
EnGarde ESA-20030220-004 2003-02-20
Mandrake MDKSA-2003:013 2003-02-03
OpenPKG OpenPKG-SA-2003.008 2003-01-29

Comments (none posted)

MySQL: multiple vulnerabilities

Package(s):mysql CVE #(s):
Created:December 13, 2002 Updated:April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
Immunix IMNX-2003-7+-008-01 2003-04-08
EnGarde ESA-20030127-001 2003-01-27
Red Hat RHSA-2002:288-22 2003-01-15
SuSE SuSE-SA:2003:003 2003-01-02
Trustix 2002-0086 2002-12-19
Mandrake MDKSA-2002:087 2002-12-18
Debian DSA-212-1 2002-12-17
Conectiva CLA-2002:555 2002-12-17
OpenPKG OpenPKG-SA-2002.013 2002-12-16
Gentoo 200212-2 2002-12-15
EnGarde ESA-20021213-033 2002-12-13

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

noffle - buffer overflows

Package(s):noffle CVE #(s):CAN-2003-0037
Created:January 27, 2003 Updated:January 29, 2003
Description: Dan Jacobson noticed a problem in noffle, an offline news server, that leads to a segmentation fault. It is not yet clear whether this problem is exploitable. However, if it is, a remote attacker could trigger arbitrary code execution under the user that calls noffle, probably news.
Alerts:
Debian DSA-244-1 2003-01-27

Comments (none posted)

OpenLDAP2: remote command execution

Package(s):OpenLDAP2 CVE #(s):CAN-2002-1378 CAN-2002-1379
Created:December 6, 2002 Updated:February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various local exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
Trustix 2003-0002 2003-02-20
Red Hat RHSA-2003:040-07 2003-02-05
Mandrake MDKSA-2003:006 2003-01-14
Debian DSA-227-1 2003-01-13
Gentoo 200212-12 2002-12-28
Conectiva CLA-2002:556 2002-12-19
SuSE SuSE-SA:2002:047 2002-12-06

Comments (1 posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

Tomcat 4.x JSP source code exposure vulnerability

Package(s):tomcat CVE #(s):
Created:September 25, 2002 Updated:January 29, 2003
Description: Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).". The current version of Tomcat is available here.

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Alerts:
Debian DSA-246-1 2003-01-29
Debian DSA-225-1 2002-01-09
Gentoo tomcat-20021015 2002-10-15
Debian DSA-169-1 2002-10-04
Gentoo tomcat-20020925 2002-09-25

Comments (none posted)

traceroute-nanog: buffer overflow and root exploit

Package(s):traceroute-nanog/nkitb CVE #(s):
Created:November 12, 2002 Updated:February 27, 2003
Description: Traceroute is a tool that can be used to track packets in a TCP/IP network to determine their route or to find non-working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
Alerts:
Debian DSA-254-1 2003-02-27
SuSE SuSE-SA:2002:043 2002-11-12

Comments (none posted)

typespeed: buffer overflow

Package(s):typespeed CVE #(s):
Created:January 1, 2003 Updated:June 17, 2003
Description: A problem has been discovered in typespeed, a game that lets you measure your typing speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games.
Alerts:
Debian DSA-322-1 2003-06-16
Debian DSA-217-1 2002-12-27

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

wget: directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.
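The check described above for NLST replies is the same one an archive unpacker needs for the tar and unzip "../" problem listed earlier on this page: a name is only safe to create below the current directory if it is relative and contains no ".." component. The following is an added example, not wget, tar or unzip code, with hypothetical path_is_safe() and filter_listing() helpers and a constructed NLST reply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256

/* Hypothetical helper written for this page (not tar, unzip or wget
 * code). A name from an archive or an FTP NLST reply is safe to create
 * below the current directory only if it is relative and no path
 * component is "..". The test is per component, not a substring match
 * for "../": "a..b/c" is fine, while "../x", "a/../b" and "x/.." are not. */
bool path_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0' || name[0] == '/')
        return false;                   /* empty or absolute */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;               /* ".." component climbs out */
        if (slash == NULL)
            break;
        p = slash + 1;                  /* "//" yields an empty component, harmless */
    }
    return true;
}

/* Split a raw NLST reply into lines (CRLF or LF), keep only names that
 * pass path_is_safe(), copy them into out[] and return how many were kept. */
size_t filter_listing(const char *reply, char out[][NAME_BUF], size_t max_out)
{
    size_t kept = 0;
    const char *p = reply;

    while (*p != '\0' && kept < max_out) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char name[NAME_BUF];

        if (len > 0 && p[len - 1] == '\r')
            len--;                      /* strip the CR of a CRLF line */
        if (len > 0 && len < NAME_BUF) {
            memcpy(name, p, len);
            name[len] = '\0';
            if (path_is_safe(name))
                strcpy(out[kept++], name);
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return kept;
}

/* Constructed NLST reply from a hostile server: two ordinary names and
 * two that try to write outside the download directory. */
static const char SAMPLE_REPLY[] =
    "index.html\r\n"
    "docs/manual.txt\r\n"
    "../.forward\r\n"
    "/home/user/.rhosts\r\n";

/* Convenience wrapper: number of names from `reply` a careful client accepts. */
size_t count_safe_names(const char *reply)
{
    char names[16][NAME_BUF];
    return filter_listing(reply, names, 16);
}

int main(void)
{
    char names[16][NAME_BUF];
    size_t n = filter_listing(SAMPLE_REPLY, names, 16);

    for (size_t i = 0; i < n; i++)
        printf("accept: %s\n", names[i]);   /* index.html, docs/manual.txt */
    return 0;
}
```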

CAN-2002-1344

Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

wmaker: buffer overflow in Window Maker image handling code

Package(s):wmaker windowmaker CVE #(s):CAN-2002-1277
Created:November 7, 2002 Updated:February 6, 2003
Description: Al Viro found a problem in the image handling code used in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).
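The width-times-height overflow above and the xdr_array() element-count overflow listed earlier on this page have the same shape: a size computed from untrusted values wraps, a buffer far too small is allocated, and the fill that follows runs off its end. The following is an added example, not Window Maker or glibc code, showing the unchecked product beside a checked allocation built on a hypothetical mul_overflows() helper; the limit argument is an assumed sanity bound a decoder would choose.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helpers written for this page (not Window Maker or
 * glibc code). mul_overflows() reports whether a * b fits in size_t;
 * the division form needs no wider integer type. */
bool mul_overflows(size_t a, size_t b, size_t *product)
{
    if (a != 0 && b > SIZE_MAX / a)
        return true;
    *product = a * b;
    return false;
}

/* The shape of the bug the advisories describe: the product is formed
 * in a 32-bit type, wraps for large dimensions, and a tiny buffer is
 * allocated for a huge image. Kept only for contrast with the checked
 * version below; assumes a 32-bit unsigned int. */
unsigned int unchecked_pixel_count(unsigned int width, unsigned int height)
{
    return width * height;   /* 65536 * 65536 wraps to 0 */
}

/* Checked image buffer allocation: width * height * bytes_per_pixel is
 * validated step by step, and a caller-chosen limit rejects sizes that
 * are representable but absurd for the input (a decoder's sanity bound). */
void *alloc_pixels(uint32_t width, uint32_t height, size_t bytes_per_pixel,
                   size_t limit)
{
    size_t npix, nbytes;

    if (mul_overflows(width, height, &npix))
        return NULL;
    if (mul_overflows(npix, bytes_per_pixel, &nbytes))
        return NULL;
    if (nbytes == 0 || nbytes > limit)
        return NULL;
    return calloc(1, nbytes);
}

/* Same check in the shape of an XDR array: element count from the wire
 * times the caller's element size. Returns false when the count exceeds
 * the caller's maximum or the product does not fit in size_t. */
bool xdr_array_bytes(uint32_t count, size_t elsize, uint32_t maxcount,
                     size_t *nbytes)
{
    if (count > maxcount)
        return false;
    return !mul_overflows(count, elsize, nbytes);
}

int main(void)
{
    /* Constructed inputs: a plausible image and an absurd one. */
    void *ok = alloc_pixels(640, 480, 4, (size_t)1 << 30);
    void *bad = alloc_pixels(65536, 65536, 4, (size_t)1 << 30);

    printf("640x480 -> %s\n", ok ? "allocated" : "rejected");
    printf("65536x65536 -> %s (unchecked count would be %u)\n",
           bad ? "allocated" : "rejected",
           unchecked_pixel_count(65536, 65536));
    free(ok);
    free(bad);
    return 0;
}
```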
Alerts:
Red Hat RHSA-2003:043-12 2003-02-05
Mandrake MDKSA-2002:085 2002-12-02
Conectiva CLA-2002:548 2002-11-18
Debian DSA-190-1 2002-11-07

Comments (none posted)

Multiple vulnerabilities in wordtrans

Package(s):wordtrans CVE #(s):CAN-2002-0837
Created:September 11, 2002 Updated:February 4, 2003
Description: The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
Alerts:
Red Hat RHSA-2002:188-08 2002-09-05

Comments (none posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th; as of November 28th the advice was to disable libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Comments (1 posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xpdf: integer overflow

Package(s):xpdf CVE #(s):CAN-2002-1384
Created:January 2, 2003 Updated:February 6, 2003
Description: From the iDEFENSE advisory:
The pdftops filter in the Xpdf and CUPS packages contains an integer overflow that can be exploited to gain the privileges of the target user or in some cases the increased privileges of the 'lp' user if installed setuid. There are multiple ways of exploiting this vulnerability.

Read the full advisory at http://www.idefense.com/advisory/12.23.02.txt

Alerts:
Red Hat RHSA-2003:037-09 2003-02-06
Debian DSA-226-1 2003-01-10
Mandrake MDKSA-2003:002 2003-01-09
Debian DSA-222-1 2003-01-06
Gentoo 200301-1 2003-01-02

Comments (none posted)

Resources

LinuxSecurity.com newsletters

The latest Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Events

Sixth Annual Digital Money Forum

The Sixth Digital Money Forum will be held April 2 and 3 in London; click below for information on the program.

Full Story (comments: none)

SummerCon 2003

SummerCon 2003 is happening June 6 to 8 in Pittsburgh, PA. The organizers are still looking for more speakers if you would like to present at this event.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.5.59; no development kernels have been released since January 16.

Linus is back from his travels, and has merged some 300 patches (as of this writing) into his BitKeeper tree. They include some JFS updates, a number of kbuild changes (including the merge of the new modversions code), a new aic7xxx driver, an ALSA update, various network driver fixes, a number of USB updates, a big rework of the SCSI command block allocation code, and more.

The current stable kernel is 2.4.20; there have been no 2.4.21 prepatches from Marcelo in the last week.

Alan Cox has released a couple of patches, the most recent being 2.4.21-pre4-ac2. Quite a bit of IDE work has been going on, and this patch should be handled carefully. (Indeed, there have been some reports of IDE-related deadlocks with the -ac2 patch).

Comments (2 posted)

Kernel development news

Initramfs status

One bit of unfinished 2.5 business is "initramfs," the boot-time root filesystem which is tacked onto the kernel binary image. The plan is to move much of the initialization-time code out of the kernel and into initramfs; the result should be a smaller kernel and a safer, more flexible boot process.

The code to support initramfs has been in the kernel for some time. The big missing piece has been on the user space side. Before anything useful can be run in user mode as part of the boot process, there must be a whole environment to build it in. Attaching the C library to the kernel image is not an option that would appeal to many, so a special-purpose C library is needed. That library is "klibc," which has been under development by Greg Kroah-Hartman and others for some time. klibc provides a minimal set of standard functions, written with an eye toward portability and small size.

Greg recently posted an update on klibc. The library seems to be essentially complete, at least until somebody tries to do something requiring functions which have not been provided. The sticking point, at the moment, seems to be a bug in the initramfs unpacking code. Greg is interested in input from anybody who would like to help debug that problem. Once that's been ironed out, it is mostly just a matter of figuring out which boot-time operations should be taken out of the kernel and moved into a user-space implementation. If that is going to happen in 2.5, it would be nice if it happened soon; making major changes to the boot process brings with it a real risk of destabilizing the kernel for a while.

Comments (3 posted)

Driver porting: hello world

This article is part of the LWN Porting Drivers to 2.6 series.
Your editor is currently in the middle of porting the example source from Linux Device Drivers, Second Edition to the 2.5 kernel. This work is, of course, just the beginning of the rather larger job of updating the whole book. This article is the first in what will, hopefully, be a series describing what is required to make this code work again. The series will thus, with luck, be useful as a guide to how to port drivers to the new kernel API.

The obvious place to start in this sort of exercise, of course, is the classic "hello world" program, which, in this context, is implemented as a kernel module. The 2.4 version of this module looked like:

    #define MODULE
    #include <linux/module.h>
    #include <linux/kernel.h>

    int init_module(void)
    {
        printk(KERN_INFO "Hello, world\n");
        return 0;
    }

    void cleanup_module(void)
    {
        printk(KERN_INFO "Goodbye cruel world\n");
    }

One would not expect that something this simple and useless would require much in the way of changes, but, in fact, this module will not quite work in a 2.5 kernel. So what do we have to do to fix it up?

The first change is relatively insignificant; the first line:

    #define MODULE
is no longer necessary, since the kernel build system (which you really should use now, see the next article) defines it for you.

The biggest problem with this module, however, is that you have to explicitly declare your initialization and cleanup functions with module_init and module_exit, which are found in <linux/init.h>. You really should have done that for 2.4 as well, but you could get away without it as long as you used the names init_module and cleanup_module. You can still sort of get away with it (though you may have to ignore some compiler warnings), but the new module code broke this way of doing things once, and could do so again. It's really time to bite the bullet and do things right.

With these changes, "hello world" now looks like:

    #include <linux/init.h>
    #include <linux/module.h>
    #include <linux/kernel.h>

    static int hello_init(void)
    {
        printk(KERN_ALERT "Hello, world\n");
        return 0;
    }

    static void hello_exit(void)
    {
        printk(KERN_ALERT "Goodbye, cruel world\n");
    }

    module_init(hello_init);
    module_exit(hello_exit);

This module will now work - the "Hello, world" message shows up in the system log file. What also shows up there, however, is a message reading "hello: module license 'unspecified' taints kernel." "Tainting" of the kernel is (usually) a way of indicating that a proprietary module has been inserted, which is not really the case here. What's missing is a declaration of the license used by the module:

    MODULE_LICENSE("Dual BSD/GPL");
MODULE_LICENSE is not exactly new; it was added to the 2.4.10 kernel. Some older code may still lack MODULE_LICENSE calls, however. They are worth adding; in addition to avoiding the "taints kernel" message, a license declaration gives your module access to GPL-only kernel symbols. Assuming, of course, that the module is GPL-licensed.

With these changes, "hello world" works as desired. At least, once you have succeeded in building it properly; that is the subject of the next article.

Comments (26 posted)

Driver porting: compiling external modules

This article is part of the LWN Porting Drivers to 2.6 series.
The 2.5 development series saw extensive changes to the kernel build mechanism and the complete replacement of the module loading code. One result of these changes is that compiling loadable modules has gotten a bit more complicated. In the 2.4 days, a makefile for an external module could be put together in just about any old way; typically a form like the following was used:

    KERNELDIR = /usr/src/linux
    CFLAGS = -D__KERNEL__ -DMODULE -I$(KERNELDIR)/include -O

    all: module.o

Real-world makefiles, of course, tended to be a bit more complicated, but the job of creating a loadable module was handled in a single, simple compilation step. All you really needed was a handy set of kernel headers to compile against.

With the 2.6 kernel, you still need those headers. You also, however, need a configured kernel source tree and a set of makefile rules describing how modules are built. There are a few reasons for this:

  • The new module loader needs to have some extra symbols defined at compilation time. Among other things, it needs to have the KBUILD_BASENAME and KBUILD_MODNAME symbols defined.

  • All loadable modules now need to go through a linking step - even those which are built from a single source file. The link brings in init/vermagic.o from the kernel source tree; this object creates a special section in the loadable module describing the environment in which it was built. It includes the compiler version used, whether the kernel was built for SMP, whether kernel preemption is enabled, the architecture it was compiled for, and, of course, the kernel version. A difference in any of these parameters can render a module incompatible with a given running kernel; rather than fail in mysterious ways, the new module loader opts to detect these incompatibilities and refuse to load the module.

    As of this writing (2.5.59), the "vermagic" scheme is fallible in that it assumes a match between the kernel's vermagic.o file and the way the module is being built. That will normally be the case, but people who change compiler versions or perform some sort of compilation trickery could get burned.

  • The new symbol versioning scheme ("modversions") requires a separate post-compile processing step and yet another linkable object to hold the symbol checksums.

One could certainly, with some effort, write a new, standalone makefile which would handle the above issues. But that solution, along with being a pain, is also brittle; as soon as the module build process changes again, the makefile will break. Eventually that process will stabilize, but, for a while, further changes are almost guaranteed.

So, now that you are convinced that you want to use the kernel build system for external modules, how is that to be done? The first step is to learn how kernel makefiles work in general; makefiles.txt from a recent kernel's Documentation/kbuild directory is recommended reading. The makefile magic needed for a simple kernel module is minimal, however. In fact, for a single-file module, a single-line makefile will suffice:

    obj-m := module.o

(where module is replaced with the actual name of the resulting module, of course). The kernel build system, on seeing that declaration, will compile module.o from module.c, link it with vermagic.o, and leave the result in module.ko, which can then be loaded into the kernel.

A multi-file module is almost as easy:

    obj-m := module.o
    module-objs := file1.o file2.o

In this case, file1.c and file2.c will be compiled, then linked into module.ko.

Of course, all this assumes that you can get the kernel build system to read and deal with your makefile. The magic command to make that happen is something like the following:

    make -C /path/to/source SUBDIRS=$PWD modules

Where /path/to/source is the path to the source directory for the (configured and built) target kernel. This command causes make to head over to the kernel source to find the top-level makefile; it then moves back to the original directory to build the module of interest.

Of course, typing that command could get tiresome after a while. A trick posted by Gerd Knorr can make things a little easier, though. By looking for a symbol defined by the kernel build process, a makefile can determine whether it has been read directly, or by way of the kernel build system. So the following will build a module against the source for the currently running kernel:

    ifneq ($(KERNELRELEASE),)
    obj-m	:= module.o

    else
    KDIR	:= /lib/modules/$(shell uname -r)/build
    PWD		:= $(shell pwd)

    default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
    endif

Now a simple "make" will suffice. The makefile will be read twice; the first time it will simply invoke the kernel build system, while the actual work will get done in the second pass. A makefile written in this way is simple, and it should be robust with regard to kernel build changes.
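As an added example that is not from the article, the following makefile combines the two pieces above: the multi-file "module-objs" form and Gerd Knorr's KERNELRELEASE trick. The module name (mymod) and its source files (mymod_main.c, mymod_util.c) are assumed for illustration, as is the list of files removed by the clean target.

```makefile
# Added example: a makefile for a two-file external module that is read
# twice, once directly by the user and once by the kernel build system.
# The names mymod, mymod_main.c and mymod_util.c are assumptions.

ifneq ($(KERNELRELEASE),)
# Second pass: KERNELRELEASE is set, so kbuild is reading this file.
# Declare the module and the objects that are linked into mymod.ko.
obj-m := mymod.o
mymod-objs := mymod_main.o mymod_util.o

else
# First pass: invoked directly by "make", so hand off to the kernel tree.
# KDIR may be overridden on the command line to build against another
# (configured and built) source tree.
KDIR ?= /lib/modules/$(shell uname -r)/build
PWD  := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

# Build products to remove; the exact set generated by kbuild may vary
# between kernel versions, so this list is an assumption.
clean:
	rm -f *.o *.ko *.mod.c .*.cmd
endif
```

A plain "make" builds against the running kernel, while "make KDIR=/path/to/other/tree" builds against a different one; both forms end up in the second pass, where only the obj-m and mymod-objs lines matter to kbuild.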

Comments (57 posted)

Morse code kernel panics

Here's one feature which didn't get in before the freeze: morse code kernel panics, recently updated to 2.5 by Tomas Szepe. With this patch, a 2.5 kernel which goes into a panic state will blink out the panic message in morse code using the keyboard LEDs. Possible future enhancements include audio output using the PC speaker or a sound card. One developer has mentioned the possibility of having a nearby machine with a microphone to detect and decode the encoded panic message.

One might well be tempted to object that the number of people clamoring for this feature has been relatively small. But there is actually a serious side to this patch. It is well known that production Linux systems never panic, but if, someday, a box were to be struck by a cosmic ray and go down, its owner might like to know about it. Preferably before the "where has your site been this last week?" mail starts to show up. The morse code patch could, with a bit of work, be the beginning of a more general panic notification feature. It could be useful, even if you hope you never actually make use of it.

Comments (10 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Memory management

  • Rik van Riel: rmap 15c. (January 30, 2003)
  • Rik van Riel: rmap 15d. (January 31, 2003)

Networking

Architecture-specific

Security-related

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Linux on iPod

The Linux on iPod project is currently focused on porting the uClinux kernel to the iPod, a proprietary MP3 player made by Apple. Apple has not supplied very much technical information for this hardware platform so a lot of reverse engineering and guess work has gone into the project. The uClinux kernel is a pretty solid embedded version of the Linux kernel that supports systems without a Memory Management Unit (MMU).

This is a new project. The author, Bernard Leach, recommends that if you really love your iPod, don't try installing Linux on it just yet. For the adventurous hacker there are plenty of challenges left. Here's the status as of January 27, 2003.

Current features:

  • Basic frame buffer
  • Audio device (44.1kHz 16bit little-endian)
  • Directional buttons via tty interface
  • HDD support
  • FAT (and UMSDOS) filesystem support
The following features are not present:
  • Scroll-wheel input
  • Firewire
  • Remote control
  • Piezo
  • Power Management (suspend etc)
  • Battery Status
  • Hold button status
  • HFS+ support
  • Flash support
You can find some of the technical details of the iPod hardware here, and the instructions for building a uClinux system for the iPod are here.

Comments (none posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for February 4th, 2003 is available. This week Martin Michlmayr was interviewed (German only) about the Debian project; Jonathan Oxer told us that the Debian Mini-Conf last week was a success with 117 people attending; there's a new Debian archive key; and much more.

Debian has many different mailing lists where people can discuss a wide variety of Debian related topics. This listmaster update talks about some new mailing lists, what's being done to reduce spam on the lists, and more.

Comments (none posted)

Gentoo Weekly Newsletter -- Volume 2, Issue 5

The Gentoo Weekly Newsletter for the week of February 3rd, 2003 is available. This week looks at the KDE 3.1 release; mirror slowdowns; Gentoo server migrations; and more.

Full Story (comments: none)

Mandrake Linux

The Mandrake Linux Community Newsletter for January 31, 2003 is out. This week looks at the Mandrake Linux 9.1 Beta 2 release; a new PPC beta; and much more.

MandrakeSoft has announced a new end of life policy for Mandrake Linux. "With the release of Mandrake Linux 9.1, we will put in place a cycle that customers can easily anticipate. MandrakeSoft will provide 12 months of "desktop" support for distributions, and 18 months of "base" support for distributions. This means that applications such as window managers, desktop environments, browsers, etc. will have a 12 month support life, while applications such as the kernel, Apache, and other "base" components will have a support life of 18 months. At certain times, MandrakeSoft may choose to extend support for certain versions of Mandrake Linux."

Comments (none posted)

Slackware Linux

Slackware Linux has upgraded both GNOME and KDE packages, among many other changes. See the change log for complete details.

Comments (none posted)

Red Hat preps wider range of 'Advanced' server, client OSes (Register)

The Register looks at Red Hat's support policy and the new products that are coming soon. "Red Hat Advanced Workstation will be out later this year, and the company also proposes lower cost versions of non-consumer server products "that fit in below Advanced Server", which should give the company a clearer and more viable product range, with consumer being the traditional open source stuff you can get for free, and that updates eye-wateringly fast, while non-consumer has upgrade cycles and support periods that are in line with businesses' expectations of being able to deploy something and have it supported without major upgrades for three to five years."

Comments (none posted)

Minor distribution updates

Blue Linux

Blue Linux has released v1.0 with major feature enhancements. "Changes: This release updates several libraries, the Linux kernel, and others. KDE has been updated from 2.2 to 3.0.5a."

Comments (none posted)

Coyote Linux

Coyote Linux has released v1.40rc1 with major feature enhancements. "Changes: A Web-based administrator, SSHd available for all config types, an updated kernel, a rebuild to use uClibc instead of glibc, remote syslog capabilities, a new menu system, and numerous bugfixes."

Comments (none posted)

LRs-Linux

LRs-Linux has released v0.3.1-rc1 with major feature enhancements. "Changes: KDE 3.1, Gnome 2, The GIMP, LFS-CVS-27.01.2003, kernel 2.4.20, and much more."

Comments (none posted)

RUNT

RUNT has released v1.01 with minor bug fixes. "Changes: This release adds support for USB keyboards."

Comments (none posted)

Topologilinux 2.0.0.1

Topologilinux has released version 2.0.0.1 which has many new features. This release is based on Slackware (current 2003-01-19) with some updated packages and some extra packages like the ICQ clone Licq and the windows emulator Wine.

Full Story (comments: none)

Distribution reviews

Xandros Desktop Deluxe 1.0 Review (LinuxLookup)

LinuxLookup.com test drives Xandros Desktop Deluxe 1.0. "The Xandros Desktop development team should be applauded for the simple elegance and fearlessness exhibited in the construction of this system. I have finally found a Linux OS that is not afraid of alienating hardcore Linux users by incorporating some of the triumphs of Windows like certain aspects of the XFM and acknowledging the importance of access to Microsoft Office through Crossover Office."

Comments (none posted)

Page editor: Rebecca Sobol

Development

GNOME 2.2.0 released

Version 2.2.0 of the GNOME desktop has been announced, one month ahead of schedule.

Five months ago, we were only just beginning to recover from the enormous task that was GNOME 2.0. We were committed to a six month release cycle for 2.2, and after such a long period of development and point-releases, we were excited to be working on new features again. We were, as the release code names suggested, "Back to the Future".

The release notes document the changes and include many screen shots. Here are a few highlights:

  • A matured GNOME 2 developer platform.
  • A UI overhaul for the Nautilus file manager with context sensitive menus.
  • Application startup notification via a clock cursor.
  • Support for themes in the panel.
  • A Show Desktop panel button for raising desktop icons.
  • Improved file searching via the Actions menu.
  • An Open Recent capability in the Actions menu.
  • An instant messenger Notification Area on the panel.
  • A wireless link status box on the panel.
  • Inclusion of the GStreamer multimedia framework.
  • Improved View As features for Nautilus with support for Audio.
  • More file formats are supported by the multimedia utilities.
  • New thumbnailing abilities for additional multimedia types.
  • A simpler and more powerful Theme Preferences dialog.
  • Desktop-wide support for fontconfig and Xft2.
  • Better font configuration and rendering.
  • Multihead support for systems with multiple screens.
  • Support for the Metacity window manager.
GNOME 2.2.0 also features a number of new and improved applications:
  • Spell checking and an output window for the gedit text editor.
  • Rotation and full screen views for the Eye of GNOME image viewer.
  • Unicode character support for the Character Map.
  • The File Roller archive manager for working with numerous archive formats.
  • Keyboard key assignment capabilities via the Multimedia Keys Preferences dialog.
  • Language support for 26 languages, including right-to-left languages.
  • Standards support via freedesktop.org for better KDE interoperability.
GNOME 2.2.0 also features a focus on better UI consistency, accessibility features for the disabled, and improved performance. The documentation continues to be improved, and a new comprehensive guide for administrators has been included.

Comments (none posted)

System Applications

Audio Projects

Ogg Traffic for Sunday, February 2, 2003

The February 2, 2003 edition of Ogg Traffic is available with the latest Ogg Vorbis audio compression software news. Topics include: Status Updates, PlusV for Ogg Vorbis?, FLAC joins Xiph.Org, and Speex RC2.

Comments (none posted)

Alsa 0.9.0 rc 7 available

Version 0.9.0 release candidate #7 of the Alsa sound driver development release is ready for downloading. Change info is in the source code.

Comments (none posted)

BLOP 0.2.6 released

Version 0.2.6 of BLOP, the Bandlimited LADSPA Audio Plugins, is available with lots of new audio synthesis features.

Full Story (comments: none)

JACK Rack 1.2.0 released

Version 1.2.0 of JACK Rack is available. "No response to the beta testing request, so I'll have to subject you all to a likely hairy release :) Arbitrary channels are the biggest thing. Also, previous save files will no longer work as the save files use XML now."

Full Story (comments: none)

Database Software

Npgsql adopted into the Mono Class Library

Npgsql has been incorporated into Mono. "The Npgsql Development Team is proud to announce that Npgsql (the .NET Data Provider for PostgreSQL) stable sources are now part of the Mono Class Library cvs codebase."

Comments (none posted)

SAP DB 7.4.03.10 available

Version 7.4.03.10 of the SAP DB database is available. See the release info document for details.

Comments (none posted)

Databases and Element Names (O'Reilly)

John E. Simpson explains how to deal with XML-illegal characters in database field names on O'Reilly's XML Q & A column.

Comments (none posted)

Electronics

Xcircuit 3.1 released

Development version 3.1 of XCircuit, an electronic schematic drawing program, has been released. The download page says: "The source for version 3.1 contains the first official release of the (long-in-coming) Tcl/Tk-based version of xcircuit. At this time (January 27), everything in the original program has been implemented in the Tk GUI. The Tcl version has the greatest amount of command-line control, and can be run exclusively from the command line (e.g., from a script). A command-line argument "-exec" has been added to facilitate running xcircuit in "batch mode"."

Comments (none posted)

Printing

LinuxPrinting.org news

The latest news from the LinuxPrinting.org site includes the release of version 3.0.0beta1 of the Foomatic printer support database, and the addition of the Epson Stylus C50 to the database.

Comments (none posted)

Web Site Development

Zope Members News

The most recent headlines on the Zope Members News include: Groupware Suite for CPS, Developer Preview, ZChecker 0.1 Released, New release of OpenPT and PlacelessTranslationService, RenderPM renamed to RenderableCharts, Solutions Linux is in Paris - where are you?, ZWiki 0.15.0 released, Zope 2.6.1 beta 2 released, Plone 1.0 Release Date and Celebration, Open Letter to the Community (Updated), and more.

Comments (none posted)

Zope Newbies

New articles on Zope Newbies include: A Conversation with Guido, Part IV, Zope 2.6.1 beta 2, Write the Web goes Zope, Upgraded to Apache 2, Plone 1.0 RC2 installer for Mac OS X, and more.

Comments (none posted)

ZODB 3.1.1 beta available

Version 3.1.1 beta 2 of ZODB3, the Zope Object Database, is out. "We've made another beta release of ZODB 3.1.1 available, including ZEO 2.0.2. This is primarily a bug fix release; see the NEWS.txt file excerpt below for details. Of particular note are the enabling of the BTrees-based index for FileStorage and the disabling of the rare "hosed" state in ZODB."

Full Story (comments: none)

mnoGoSearch 3.2.8 search engine released

Version 3.2.8 of the mnoGoSearch web site search engine software is available. A number of changes have been included, see the change log for details.

Comments (none posted)

Web Services

XML Forms, Web Services and Apache Cocoon (O'Reilly)

Ivelin Ivanov writes about XForms on O'Reilly. "Server side business logic is often invariant with regard to client devices. An email client supports the same basic operations whether it's used from a cellular phone, PDA, or a PC. To address the needs of web developers who build applications for a variety of devices, the W3C has formed the XForms working group. According to the XForms specification, "XForms" is W3C's name for a specification of Web forms that can be used with a wide variety of platforms including desktop computers, hand helds, information appliances, and even paper."

Comments (none posted)

Desktop Applications

CAD

PythonCAD third release available

The third release of PythonCAD, an open-source CAD package written in Python, is available. "The third release adds some new functionality to the program. Construction lines can be easily drawn tangent to circles and arcs, as well as drawn perpendicular to the various entities in a drawing. The thickness of drawing entities like line segments and circles is now drawn on the screen, too. Splitting the entities in the drawing can now be done by clicking on them at the point where they are to be split, or entities can be split at points where they intersect one another."

Full Story (comments: none)

Desktop Environments

Open-HCI Announced

KDE.News reports on efforts to gain closer cooperation between the KDE and GNOME usability teams.

Comments (none posted)

FootNotes

Headlines on the GNOME desktop FootNotes site include: GNOME 2.0 Desktop for Solaris released, First pre-release of GTK2 Dia available, 2.3 Proposed Features, New Nautilus features, librsvg 2.2.2 released, Open-HCI Announced, Gnumeric 1.1.16 aka 'L M L W' is now available, GNOME 2.2 Translation Statistics and Rankings, Fifth Toe Website, A glimpse of the future? I hope so, GNOME comes to Clemson University!, and more.

Comments (none posted)

KDE-CVS-Digest

The January 31, 2003 edition of the KDE-CVS-Digest is out. "Is the 3.1 the ultimate in KDE? The end of development? Not from looking at the commits for this week. Some of the less trivial fixes from Apple are getting applied to Konqueror. The user interface continues to be refined. The Kde PIM project and all its parts are a beehive of activity. Utilities such as K3b and Cdbakeoven are actively worked on. I'm already impatient for 3.2!"

Comments (none posted)

Games

Pygame updates

New Python-based game software on the Pygame site includes: Pygsear .25 and Pyui 0.95.

Comments (none posted)

Crystal Space 0.96r002 released

The beta 2 release of Crystal Space 0.96, a portable 3D Engine, is available. "Again a new release of Crystal Space. This releases fixes a few bugs here and there and also adds a VERY significant optimization in the OpenGL renderer. This optimization can effectively double performance for some levels."

Full Story (comments: none)

FreeSCI: Rebuilding Sierra's Classic Quests (O'Reilly)

Howard Wen writes about the FreeSCI project on O'Reilly. "For the past few years, programming-capable adventure fans have been developing FreeSCI, an open source SCI clone. Their goals are to port SCI games to other platforms, to add new features to the original games, to provide an engine upon which other hobbyists can create new Sierra-style games, and simply to have fun."

Comments (none posted)

GUI Packages

FLTK Developments

The latest new software for FLTK, the Fast, Light ToolKit includes: fl_connect 0.92, Log 0.91, Fltk 1.1.XX utf-8 patch, SPTK 1.00, FL-Inventor 0.9.5-rev1, and more.

Comments (none posted)

Interoperability

Kernel Cousin Wine

Issue #155 of Kernel Cousin Wine is out. Topics include: News: Install IE 6, Threading Problems with glibc 2.3, User Interface Status, RPC Data Marshalling, File Dialog Options, and Windows API Database.

Comments (none posted)

Xmingwin for cross-generating apps (IBM developerWorks)

Cameron Laird introduces Xmingwin for cross-platform development on IBM's developerWorks. "I do much of my Windows development on Linux hosts, even when working in C. This installment of Server clinic tells how you can, too, and why you might want to add mingw32-gcc source.c -o executable.exe to your usual repertoire of gcc source.c -o executable."

Comments (none posted)

Multimedia

GStreamer 0.6.0 released

Version 0.6.0 of the GStreamer streaming media framework is available. "At this point in time GStreamer is fully functional for creating audio-based applications, as shown by applications such as gnome-sound-recorder, Rhythmbox and nautilus-media. Video-based applications still have some issues at this point, but we plan on solving those issues during the 0.6.x series in an ABI compatible way."

Full Story (comments: none)

Office Applications

GnuCash 1.8.0 released

The long-awaited release of gnucash 1.8.0 - the beginning of a new stable series - has happened. This version of gnucash includes scheduled transactions, mortgage and loan handling, some small business accounting support, multi-currency support, and much more. Click below for the release announcement; LWN also previewed this release last December.

Full Story (comments: 1)

Kernel Cousin GNUe

Issue #66 of Kernel Cousin GNUe is out with the latest GNU Enterprise development news. Topics include: New release of Double Chocco Latte, Text Encoding in Common, Gadfly database driver for GNUe, Modal forms in wxPython and GTK, Passing parameters to Forms, and Passing parameters to Forms.

Comments (none posted)

AbiWord Weekly News

Issue #129 of the AbiWord Weekly News is out, with the latest AbiWord word processor development news. "Gabriel Gerhardsson declares the hash downloader bloat, ironic the maintainer would come out and say that after a long absence. Dom starts adding HELP! buttons everywhere, while I recommend altering them to "Don't Panic" buttons. The 1.0.5 HackDown displays that Hub has no belief that historical record is a sign of future performance, as he dares to add even more bugs and features to the new HackDown. Hey, he's French. AbiWord II: The Wrath of Dom will break an incredible historical record that no one would have anticipated: It shall be the most fully documented word processor, the most fully documented any application for that matter, before it even comes out."

Comments (none posted)

Web Browsers

mozillaZine

The latest mozillaZine topics include: Independent Status Reports, MozillaZine Readers Give Their Verdict on Safari, ActiveState Komodo 2.3 Beta 1 Released, mozdev.org Soliciting for Donations, Integrating Switch Accessibility into Mozilla, and more.

Comments (none posted)

Lynx version 2.8.5 dev 14

Version 2.8.5 dev 14 of Lynx, a text-based web browser, has been released. Change information is in the source code, which can be downloaded here.

Comments (none posted)

Languages and Tools

C

GCC 3.2.2 has been released

Version 3.2.2 of GCC, the GNU Compiler Collection, has been released. Change documentation is forthcoming.

Comments (1 posted)

Caml

Caml Weekly News

The Caml Weekly News for January 28 - February 4, 2003 is out. Topics include: Wish: dynamic linking for Ocaml, question: "autoconfiguration" of Ocaml code, @, List.append, and tail recursion, XML-RPC server for OCaml, New release of Active-DVI, Finding the sign of a float, and WDialog 2.00-test4 released.

Full Story (comments: none)

The Caml Light / OCaml Hump

This week, the new software on The Caml Light / OCaml Hump includes: XmlRPCServer, OCaml XML-RPC, Active DVI, and WDialog.

Comments (none posted)

Java

J2EE technologies for the stateless network (IBM developerWorks)

Kyle Gabhart covers stateless session beans on IBM's developerWorks. "In this first installment, we'll explore stateless J2EE components and evaluate the most appropriate one to use for your enterprise architecture. When it comes to stateless, request-processing components, you have two primary J2EE technologies to choose from: servlets or Enterprise JavaBeans technology -- or more specifically, stateless session beans."

Comments (none posted)

XML in Java: Data binding, Part 2: Performance (IBM developerWorks)

Dennis M. Sosnoski writes about XML data binding on IBM's developerWorks. "Enterprise Java expert Dennis Sosnoski checks out the speed and memory usage of several frameworks for XML data binding in Java. These include all the code generation approaches discussed in Part 1, the Castor mapped binding approach discussed in an earlier article, and a surprise new entry in the race. If you're working with XML in your Java applications you'll want to learn how these data binding approaches stack up!"

Comments (none posted)

Java Swing: Menus and Toolbars, Part 3 (O'Reilly)

O'Reilly continues the series on Java Swing with part 3. "In part three in this book excerpt series on Swing menus and toolbars from Java Swing, 2nd Edition, learn about the JMenuItem class."

Comments (none posted)

EJB Inheritance, Part 4 (O'Reilly)

Emmanuel Proulx continues his series on EJB inheritance with part 4. "So far, we've seen how inheritance can be used when calling an EJB directly through RMI. However, SOAP (web services) and JMS also allow you to invoke objects remotely. Recognizing this, the EJB committee introduced JMS consumer beans (message-driven beans) in version 2.0 of the specification, and, in version 2.1, a generic asynchronous mechanism allowing web service invocations. This article discusses the steps involved in using inheritance in message-driven beans."

Comments (none posted)

Building Dependency Webs in J2EE

Alex Iskold and Daniel Kogan cover dependency webs on O'Reilly. "J2EE applications are fundamentally complex. A typical system may contain thousands of EJBs, Java classes, JSP pages, and servlets, which are linked into an intricate web of numerous dependencies. Managing this complexity is the key to building stable and flexible J2EE applications. To deal with complexity, it is important to focus on the structure of the dependencies between all components in the system."

Comments (none posted)

Lisp

Dynamic Learning Center for Lisp

Lisp vendor Franz, Inc. has made a Lisp educational resource site, known as the Dynamic Learning Center, available to the public. "The Dynamic Learning Center contains sample programs with documentation, programming exercises with solutions, support tools for learning and teaching Lisp, links and references to useful material. Practical notes and collateral material will also be made available."

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The January 27 - February 2, 2003 edition of This Week on perl5-porters is out. "Hi all, here's your weekly dose of bug and fixes. Fold constants, send signals, leak memory and introspect layers through this week's summary."

Comments (none posted)

This week on Perl 6 (O'Reilly)

The January 26, 2003 edition of This week on Perl 6 is out with the latest Perl 6 news. Topics include: The eval patch, The Parrot crashes, Compiling to Parrot, Extending the packfile format, The long running Objects thread, Intersegment branching, Bytecode Metadata, Odd JIT timings, L2R/R2L syntax, A proposal on if and else, Arc: An Unfinished Dialect of Lisp, Array/Colon question, Multiple Dispatch by Context?, and more.

Comments (none posted)

PHP

PHP Weekly Summary

Topics on this week's PHP Weekly Summary include: RSS bug feed, QA results suite, str_replace() sensitivity, Conferences, conferences everywhere, Array to XML, Mandatory file locking, and Sablotron build problems.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The Dr. Dobb's Python-URL for February 3, 2003 is available, with this week's news and links for the Python community.

Full Story (comments: none)

January 31 python-dev summary

The python-dev summary covering the second half of January is now available; it looks at Japanese support in the distribution, extended function syntax proposals, adding "capabilities" to the language, and several other topics.

Full Story (comments: none)

The Daily Python-URL

This week's Daily Python-URL article topics include: A conversation with Guido van Rossum, part IV, What Python Can Do for the Enterprise, pyblosxom, a chapter from Python in a Nutshell, An introduction to SkunkWeb, Introduction to PyObjC, Test-Driven Development by Example, REST and FSM and BP for Quixote, PiP - Python in PHP, REST for AOLserver, PyWX, and Quixote, pin.py, SQLObject, PyObjC, rlcompleter2, EuroPython 2003 Conference, Eric3, a Python IDE, and more.

Comments (none posted)

Ruby

The Ruby Weekly News

Topics on this week's Ruby Weekly News include: The Ruby Way in Japanese, OSCON Presentations, Ruby Books, Test::Unit order of tests, and Local variables and blocks.

New Ruby software includes: FXRuby-1.0.18, cLabs IEController, Borges, Webplayer, and the Ruby Application Archive version 2.3.0.

Comments (none posted)

Scheme

Scheme Weekly News

The February 3, 2003 edition of the Scheme Weekly News is out. Topics include: scsh 0.6.3, SISC 1.7.1-beta, LAML version 19, SRFI-37: args-fold, SRFI-40: A Library of Streams, ReadScheme Library Expands Again, GNU TeXmacs 1.0.1.2, Scheme UK Meeting 5 Feb 2003, Quack.el 0.17, Guile GTK at Savannah, Guile 1.6.3, Scheme Scribe 1.1a, and Swindle 20030203.

Full Story (comments: none)

Tcl/Tk

This week's Tcl-URL

Dr. Dobb's Tcl-URL for February 5 is available with the latest from the Tcl/Tk development community.

Full Story (comments: none)

XML

XML Pipelining with Ant (O'Reilly)

Michael Fitzgerald looks into Ant on O'Reilly. "Ant is an extensible, open-source build tool written in Java and sponsored by Apache's Jakarta project. Ant has developed into something more than just a build tool, however. It has gone beyond its predecessor make (and make's kin) to become a framework for performing an even larger variety of operations in a single step, not just compiling code or cleaning up after a build."

Comments (none posted)

Profilers

OProfile 0.5 released

Version 0.5 of OProfile, a code profiler, has been released with a long list of new features and bug fixes. "OProfile is still in alpha, but has been proven stable for many users."

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Linux-Based Voice Recognition (Linux Journal)

Linux Journal looks at Linux-based voice recognition. "The health-care market alone may justify the Linux-based voice recognition project. Health-care services are the largest expense of the Group of Ten nations, and it is the fastest growing sector as well. Health-care workers would benefit from using their voices to document patients' treatments. Voice recognition would allow them a hands-free environment in which to analyze, treat and write about particular cases easily and quickly."

Comments (none posted)

Linux Report: The Year in Review (eWeek)

eWeek considers the progress Linux has made in the business world. "By 2007, we said one year ago, "No one will be fired for recommending Linux." Shortening our own timeline by four years, we suggest that an IT buyer might already be fired today for failing to consider Linux. That's a small step but one of Neil Armstrong caliber."

Comments (none posted)

Internet beams out into space (BBC News)

BBC News looks at computers in space. NASA plans for each spacecraft and satellite to some day have its own net address. "To test the technology the Columbia space shuttle was fitted with an embedded PC that has a 233 MHz processor, 128 MB of RAM and a solid-state 144 MB hard drive. The computer is running Red Hat, a version of the Linux operating system, and is maintaining a connection with the Goddard Space Flight Center which will try to contact the onboard PC more than 140 times over the duration of the shuttle mission STS-107." Thanks to Henrik Storner

Comments (1 posted)

Trade Shows and Conferences

Desktop Linux Event Continues to Lose Support (OfB.biz)

Open for Business looks at the withdrawal of Lycoris and others from the Lindows controlled Desktop Linux Summit. "The summit, which still includes vendors such as SuSE and Sun Microsystems, will take place on February 20-21."

Comments (1 posted)

Crossing the Desktop Linux Chasm in San Diego (Linux Journal)

Doc Searls takes a look at the brouhaha surrounding the Desktop Linux Summit, in this Linux Journal article. "But, y'know, Lindows paid for this whole thing, apparently. So they have a reason to want the event the way they want it. I just wish they didn't call it the Linux Desktop Summit, because it's not really one any more. Actually, they never wanted it to be what we consider a summit in the Linux world."

Comments (2 posted)

Desktop Linux group launches (ZDNet)

ZDNet covers the launch of the Desktop Linux Consortium, which is made up of SuSE, MandrakeSoft, Lycoris, Xandros, ArkLinux, CodeWeavers, OpenOffice.org, the KDE project, and, perhaps, others. "Participants say the new consortium is in part a reaction to the behavior of one company not on the consortium's membership list: Lindows." Bruce Perens will be leading the new group.

Comments (12 posted)

Linux Adoption

Practical Questions (Linux Journal)

In this Linux Journal article, Doc wonders about the new face and organization of IT departments as they move more and more of the work to Linux. "I think the Linux hat fits corporate IT because there's a good value match between Linux and the way large organizations like to work. That may sound a bit oxymoronic to some, because Linux is not by nature a commercial operating system, and many businesses built on commercializing Linux have notoriously failed (Mandrake Linux being the latest example)."

Comments (none posted)

Reuters introduces Linux-based market data feeds (Forbes.com)

Here's a Reuters article announcing that Reuters now has its flagship financial data and quote system running on Linux. "Reuters, working with Linux distributor Red Hat Inc., chipmaker Intel Corp. and computer maker Hewlett-Packard Co, said they are now selling a Linux-based system to pipe the latest market-moving data on to the trading room floors of banks and brokerages." Thanks to Ashwin

Comments (none posted)

Moving into Mainframe Linux (Computerworld)

Computerworld covers Linux on the mainframe. "The sweet spot for mainframe Linux today is server consolidation -- replacing dozens or even hundreds of separate Intel-based Linux or Windows servers with a partition on the mainframe that dedicates a single processor, memory and other system sources to running Linux."

Comments (none posted)

South Africa embraces open source (News.com)

According to this News.com article, South Africa has joined the list of countries whose governments are seeking to use more free software. "By and large, South Africa imports its proprietary software and finds itself with comparatively little influence on how that software develops. The government expects that open-source software, by contrast, will provide more flexibility."

Comments (none posted)

Interviews

Last FOSDEM Interviews

The FOSDEM team has published the last interviews in its series of interviews with the speakers. FOSDEM takes place this weekend in Brussels.

Comments (none posted)

Resources

Linux Gazette #87

The Linux Gazette #87 for February 2003 is available. This month read articles on Linux-Based Voice Recognition; Fun with Simputer and Embedded Linux; and more; plus all the regular features.

Comments (none posted)

Reviews

Peeking under the hood of SnapGear's uClinux-powered VPN appliances (LinuxDevices.com)

LinuxDevices.com technical editor Jerry Epplin takes a look at SnapGear's uClinux-based VPN appliances from the perspective of a developer's ability to customize them. "With the impressive improvements made in uClinux in the last couple of years, it has become increasingly practical to implement the networking capabilities of Linux in a small-footprint device. Perhaps the most obvious network-oriented devices for which uClinux is appropriate are firewall/routers, which need all the latest protocols and capabilities, but are in a highly competitive environment in which cost is paramount."

Comments (none posted)

Breaking down the .Net barriers (MSNBC)

MSNBC looks at the Mono project. "In his office, Icaza lunges for a pen and starts sketching diagrams on the wall, which doubles as a dry-erase board, to illustrate Mono's progress so far. "We've been 18 months on this thing, and we've built an amazing amount of tools," he said. Still, many, including Icaza, caution against over-hype, in part because .NET is not yet the dominant force Microsoft hopes it will become." Thanks to Ashwin N

Comments (none posted)

DB2 for Linux Clustering scales to 1,000 nodes (ADTmag)

ADTmag covers IBM's DB2 for Linux Clustering. "IBM first demonstrated the DB2 version last year, but observers noted that this week's proclamation by Scott Handy, Linux solutions marketing director for the IBM Software Group, marks the first time the company claimed 1,000-node performance. IBM engineers have tested the new implementation on systems running SAP, WebSphere and Tivoli, Handy said."

Comments (none posted)

Germany-funded Linux software arriving (News.com)

News.com looks at the latest KDE release. "Further improvements are complete but haven't yet been integrated with KDE, Pour said. Originally that integration was scheduled to take place with the next version of KDE, which is scheduled to arrive in the second half of 2003."

Comments (15 posted)

Embedding Perl in HTML with Mason (O'Reilly)

Simon Cozens reviews the book Embedding Perl in HTML with Mason. "The book that's fallen onto my desk for review this month is Dave Rolsky and Ken Williams' Embedding Perl in HTML with Mason. "What is this," you're thinking, "an O'Reilly site doing a review of an O'Reilly book? Scandalous!" Well, I hope that you've taken a look at my other reviews and have satisfied yourself that I try to be as impartial as I can when reviewing. As far as I'm concerned, this is a Perl site first and an O'Reilly site second."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Commercial announcements

"Linux Server Hacks" Released by O'Reilly

O'Reilly has released "Linux Server Hacks". ""Linux Server Hacks" is a collection of industrial-strength, real-world, tested solutions to practical problems. The book contains one hundred independent but related tips, tools, and scripts that solve common but frequently difficult administrative tasks."

Full Story (comments: 2)

SCO Manager v1.5 Wins Best Systems Administration Tool Award At LinuxWorld 2003

The SCO Group has announced that SCO Manager v1.5 won "Best Systems Administration Tool" from the Open Source Product Excellence Awards at LinuxWorld 2003 in New York. SCO Manager v1.5 is an enhanced and re-branded version of Volution Manager 1.1, which enables secure and remote management, monitoring and updating of multiple systems through a browser.

Comments (2 posted)

TimeSys Corporation Joins Eclipse; Releases Beta of TimeStorm 2.0 IDE

TimeSys Corporation has announced that it has been elected as a supporting member of Eclipse. Additionally, TimeSys announced the beta availability of its first offering powered by Eclipse technology, the TimeStorm 2.0 IDE for embedded C/C++ development. Developers interested in the TimeSys' IDE can download the beta version of TimeStorm 2.0 along with TimeSys Linux for x86.

Comments (none posted)

Witnet to Develop Mobilick for New Security Based Handheld Computer

Witnet International, Inc. has announced that the company will begin working on a special Linux version of Mobilick for integration within the software suite of solutions for Consumer Direct Link's ("CDL") Paron pervasive handheld device.

Comments (none posted)

Geac Helps Konica Leverage The Power of Linux

Geac Computer Corporation Limited has announced that Konica Business Technologies, Inc. has successfully implemented Geac's Connector Foundation(TM) 3.0 for Linux.

Comments (none posted)

MontaVista Doubles Revenues; Completes Record Year with Record Quarter

MontaVista Software, Inc. announced it has ended its 2002 fiscal year with revenues doubling over 2001, despite the general economic downturn. Maybe the downturn is finally turning around.

Full Story (comments: 4)

Sony announced a Linux-based wireless portable file server

Sony announced FSV-PGX1, a wireless portable file server based on Linux 2.4.20 with ext3, which supports CIFS/SMB, NFS and ftp via IEEE 802.11b.

Full Story (comments: 1)

Key Research gets $12.5 million

The Linux-installed hardware market may be a difficult place to do business, but that does not keep people from trying. A company called Key Research has announced the receipt of $12.5 million in venture capital to help it build a Linux server business. Key will be creating 64-bit systems intended for use in Linux clusters; they claim to have "an innovative approach" which will be revealed at a future time.

Comments (none posted)

Resources

LPI-News January 2003

Here's the monthly newsletter from the Linux Professional Institute, with news about LPI at LinuxWorld and other conferences; LPI and United Linux; LPI certificates; and much more.

Full Story (comments: none)

Modular synthesis with AlsaModularSynth 1.5.5 (QuickToots)

This month, QuickToots looks at AlsaModularSynth. "AlsaModularSynth is a digital implementation of a classical analog modular synthesizer system. It uses virtual control voltages to control the parameters of the modules. The control voltages which control the frequency of the VCO (Voltage Controlled Oscillator) and VCF (Voltage Controlled Filter) modules follow the convention of 1V / Octave."

Comments (none posted)

Upcoming Events

Ottawa Linux Symposium 2003 registration opens

Attendee registration is open for the 2003 Ottawa Linux Symposium, which will be happening next July 23 to 26. OLS is the premier kernel-oriented developer conference in North America, and it tends to sell out, so it's best not to wait too long before signing up.

Comments (none posted)

Lycoris withdraws from the Desktop Linux Summit

Lycoris has announced that it will not participate in the Desktop Linux Summit. "Lycoris originally joined the conference after assurances of egalitarian control and changes to the conference schedule including the addition of keynote speaker Bruce Perens and vendors like Hewlett Packard. The recent changes to the conference schedule, the withdrawal of Hewlett Packard, and conference management have given a single vendor too much focus, which is no longer in the interest of Lycoris."

Full Story (comments: none)

Call for Lightning Talks at TPC 7 (use Perl)

Use Perl has announced that they are looking for some Lightning talk presentations for the upcoming TPC7 conference. "Mark Jason Dominus writes, "Lightning talks are brief (5-minute) talks that focus on a single example, idea, project, or technique. Lightning talks do not attempt to cover all aspects of their subject matter, but rather to present one facet of the idea clearly and succinctly. Last year's lightning talks sessions were a big success, and we hope to repeat the event.""

Comments (none posted)

LinuxTag 2003 - First Call for Papers

The first call for papers has gone out for LinuxTag 2003, to be held in Karlsruhe, Germany on July 10-13, 2003.

Comments (none posted)

OSCOM opens conference planning

The Midgard site has an announcement for the OSCOM 3 conference, which will be held in Cambridge, Mass in late May, 2003. "Gregor Rothfuss from OSCOM board writes: "What kind of conference do you want? This question has arisen repeatedly over the last several weeks, as OSCOM board members and interested parties pondered past conferences, and wondered what to do about the upcoming OSCOM III. We decided to do a first, to the best of our knowledge: open up the conference preparation process. Effective immediately, you can take a look at the proposals we received on the redesigned OSCOM site.""

Comments (none posted)

Announcing the UK Python Conference

The UK Python Conference will be held in Oxford, England on April 2 and 3, 2003. "The line up of speakers is impressive, with Guido van Rossum giving the keynote speech on Wednesday the 2nd April."

Full Story (comments: none)

UKUUG Linux Developers' Conference

The UKUUG Linux Developers' Conference will be held in Edinburgh, Scotland on July 31 to August 3, 2003.

Full Story (comments: none)

Events: February 6 - April 3, 2003

Date | Event | Location
February 6, 2003 | O'Reilly Bioinformatics Technology Conference (Westin Horton Plaza) | San Diego, CA
February 6, 2003 | Linux Solutions 2003 (CNIT) | Paris, France
February 8 - 9, 2003 | Free and Open source Software Developers' European Meeting (FOSDEM) | Brussels, Belgium
February 10 - 14, 2003 | The fifth NordU/USENIX Conference (NordU2003) (Aros Congress Center) | Västerås, Sweden
February 20 - 21, 2003 | Desktop Linux Summit (Vivendi Universal Building) | San Diego, CA
February 22 - 24, 2003 | CodeCon 2.0 (Club NV) | San Francisco CA, USA
February 27 - 28, 2003 | Linux Summit 2003 (Dipoli Conference Center) | Espoo, Finland
March 17 - 19, 2003 | Open Source for National and Local eGovernment Programs in the U.S. and EU (The Marvin Center Grand Ballroom, George Washington University) | Washington, DC
March 20 - 21, 2003 | First OpenOffice.org Conference (OOoCon2003) (University of Hamburg) | Hamburg, Germany
March 20 - 21, 2003 | Conference PHP 2003 (École Polytechnique de Montréal) | Montreal, Quebec, Canada
March 26 - 28, 2003 | PyCon DC 2003 (George Washington University) | Washington DC
April 2 - 3, 2003 | The UK Python Conference (Holiday Inn Oxford) | Oxford, England

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

Desktop Linux Consortium press release

Desktop Linux Consortium has sent out a press release announcing its existence. "Linus Torvalds, creator of Linux, said 'We already have all of the tools, in Open Source software, necessary for 80 percent of office workers in the world: an office suite including spreadsheet, word processor, and presentation program; a web browser, graphical desktop with file manager, and tools for communications, scheduling, and personal information management. The Linux desktop is inevitable!'"

Comments (5 posted)

Results from survey at WeWantLinux.org

The WeWantLinux.org survey site has been operating since last August, gathering data on consumer interest in computers pre-loaded with the GNU/Linux operating system. With 1500 survey entries validated, the results show a high level of interest in Linux PCs across the board.

Full Story (comments: 1)

A Call for PostgreSQL Case Study Participants

Companies who are using PostgreSQL are invited to report on their activities. "We're looking for volunteers running PostgreSQL in their companies, or who have good contact with companies running PostgreSQL, to please assist us in creating a large number of good quality, reference PostgreSQL Case Studies."

Comments (none posted)

WorldForge Logo Design Contest

The WorldForge game project is holding a contest for the creation of a new WorldForge logo. "WorldForge is looking for a new logo to reflect our project's growth and maturity. If you're an artist that's been looking for an easy way to contribute to WorldForge here's your chance."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds