LWN.net Logo

LWN.net Weekly Edition for February 13, 2003

The Art of Unix Programming

Eric Raymond first announced this project back in 1999: The Art of Unix Programming was to be a new book, written with help from the community, that would "attempt to explain the Zenlike 'special transmission, outside the scriptures' that distinguishes Unix gurus from ordinary mortals." More than three years later, a draft of the book is available for review.

The Art of Unix Programming is certainly not a beginner's programming manual. It assumes, instead, that the reader is already a competent hacker and is looking to learn more about the Unix way of doing things. So there is a lot of talk about philosophy and history, and a wealth of case studies. There is a lot of language like:

As with Zen art, the simplicity of good Unix code depends on exacting self-discipline and a high level of craft, neither of which are necessarily apparent on casual inspection. Transparency is hard work, but worth the effort for more than merely artistic reasons. Unlike Zen art, software requires debugging - and usually needs continuing maintenance, forward-porting, and adaptation throughout its lifetime. Transparency is therefore more than an esthetic triumph, but a victory that will be reflected in lower costs throughout the software's lifecycle.

Eric would, seemingly, like his book to be seen as a successor to the Kernighan and Plauger classics The Elements of Programming Style and Software Tools. This book shows some of the classic Raymond traits: no less than six case studies feature fetchmail (which he wrote), and the examples demonstrating the fortune file format are all about the evils of gun control. But there is some good stuff in there which has not necessarily been written down before. Eric is a good writer, and he has experience in the realm he is writing about. The Art of Unix Programming is worth a look.

We asked Eric a few questions about the draft release; here are his answers.

LWN: If you could characterize the art of programming in/for Unix as described in your book, in a single paragraph, how would you do it?

ESR: I'll do better, I'll boil it down to a single phrase. Keep it simple, stupid!

The true art of programming -- and this is something Unix guys were arguably the first to figure out and the most consistent at applying -- is minimizing global complexity. Most of the rest of the Unix philosophy pretty much falls out of that.

LWN: The draft as posted does not include any sort of licensing; will the final version be available under a free license?

ESR: Yes, but I haven't decided which one. There will be some restrictions on print reproduction, but none on electronic.

LWN: When you first announced the book project, it seemed you were planning to put the chapters out gradually and make use of a lot of community input. After chapter four, however (released almost exactly two years ago), things went quiet, and the rest of the book, seemingly, was done in a "cathedral" mode. Why is that? Did the more open approach not work out?

ESR: No, it's just that I stalled out for a long time and then gave it six weeks of intense work. This happened after an acquisitions editor at Addison-Wesley called me and said "Uh. Apparently you had an agreement to do a book with my predecessor, but I can't find a contract." There wasn't one; I have a twitch that way, I don't sign a contract until the book is essentially complete. He successfully nudged me into working on it again.

LWN: The book talks little about the programming of complex graphical applications, and avoids the GNOME/KDE issue altogether. Yet one could argue that complex applications are a big part of the future of Unix-like systems. There is often, however, a sort of impedance mismatch between fancy applications (think StarOffice 5) and the Unix way of doing things. What suggestions do you have for authors of graphical applications to help them carry forward the Unix tradition in the graphical world?

ESR: Separate policy from mechanism, because policy ages much faster than mechanism. Separate engines from interfaces, because tangling the two together tends to lead to unmaintainable messes. Don't give it a GUI if it doesn't need one.

Policy-mechanism separation is a major theme in the book. It's usually thought of in connection with X, but it can be applied a lot more widely -- and, in fact, Unix programmers *do* apply it a lot more widely without being really aware of the principle consciously.

(Yes, that's right, I'm doing another yet another book that's basically about conscious expression of unconscious folk practices. This would be #3. Is there anybody left who still finds this surprising? No? I thought not... :-))

One of the insights I got, one that's especially applicable to big gnarly GUI applications, is that Unix programmers divide all Gaul into three parts -- policy, mechanism, and glue. Mechanism is code that tells how to do things, policy is code that tells what to do -- and glue is the stuff that binds policy and mechanism together.

The punch line: glue is evil and must be destroyed, or at least minimized. Your typical huge honkin' C++ application with classes stacked twelve deep is an unmaintainable mess because the top two layers are policy, the bottom two are mechanism, and the middle eight are glue. And the trouble with glue is that it's opaque -- it impedes your ability to see clear down through the system from the top, or clear up from the bottom. You can't debug what you can't see through, because you can't form an adequate mental model of its behavior.

So my advice to GUI programmers is this: Decide what's policy and what's mechanism. Separate them cleanly -- ideally, have the GUI and engine running in separate processes, like gv and ghostscript or xcdroast and cdrecord. Then *ruthlessly eliminate all glue*. Or as much of it as you can, anyway.

LWN: There is very little treatment of security in the book. Why is that? Is, in your mind, security peripheral to the main art of Unix programming, or is something else going on?

ESR: It's peripheral. This is not a book about system administration, it's about how to design well. There's an aspect of that that has to do with secirity of course, but most of the things that make for good security (like minimizing code that has to be trusted) are just good engineering practice. That I *do* talk about a lot.

LWN: Unix has had a long run in the computing world, and, by all indications, it has a while to go yet. All good things come to an end eventually, however. What do you think might bring about the end of the Unix era, and what might replace Unix in the future?

ESR: My money is on capability-based persistent-object systems like EROS. But prophecy is difficult, especially about the future.

Comments (24 posted)

Comparing free and proprietary software defect rates

[This article was contributed by Joe 'Zonker' Brockmeier]

Tuesday a company called Reasoning, Inc. released a study that seems to prove what Open Source developers have been saying for years: Open code, and the inspection that it allows, produces a better product. Specifically, the company compared the Linux TCP/IP stack against a number of commercial TCP/IP stacks and found that the Linux implementation had fewer defects than other proprietary implementations.

The paper, "How Open-Source and Commercial Software Compare" is available from Reasoning by request, so we decided to take a look at it to see how they had reached their conclusions.

Specifically, Reasoning lined up the Linux TCP/IP implementation from the 2.4.19 Linux kernel against five commercial implementations. In total, out of 81,852 lines of code, Reasoning found only 8 defects in the Linux TCP/IP code. All but one of the other five implementations compared with Linux were at least ten years old, the other is about three years old. The company did not name the specific operating systems, but Reasoning's CEO Scott Trappe confirmed that two were commercial Unix systems, one was "not Unix but in very broad use," and the embedded implementations were by "major vendors of networking equipment." Trappe said that Reasoning couldn't name companies specifically, but the companies had agreed to let Reasoning use the aggregate data.

As always, it helps to understand the company doing the research, and the context of the research, before taking the results too seriously. We spoke with Trappe, to clarify some information not in the white paper and to get a feel for Reasoning's background. Reasoning is a company that specializes in automated testing of software written in C/C++, which it has been doing since 2001. Prior to that, the company had specialized in Y2K testing. The company plans to add testing of Java software to its services later this year.

The study was not commissioned by any of the Linux vendors or companies who might be competing with Linux. Instead, Trappe said that the company had performed the study primarily to highlight its services. Unlike the other projects that Reasoning works on, they were free to release their results along with specific code examples from the Linux TCP/IP stack. Trappe also said that the company was looking to prove that inspection itself was important in providing quality software and that "testing alone can never uncover all the defects in software."

The company chose the TCP/IP stack because it provided a good point of comparison. Trappe admitted that it might be stretching it to draw too many conclusions from the study of one piece of software, but that their study "does support some claims that it can rival commercial quality." Trappe also mentioned that the company may do further studies in the future comparing Open Source software to commercial software.

The company looks for five kinds of defects in code: Memory leaks, null pointer dereferences, bad deallocations, out of bounds array access and uninitialized variables. According to Trappe, none of the errors found in the Linux TCP/IP stack were security issues. At least one of the issues, a memory leak, was fixed in the 2.4.20 kernel before Reasoning notifed the kernel team of the defects. Four of the problems found (an uninitialized variable and some out-of-bounds errors) are not truly defects, since they do not cause the code to behave incorrectly. So, of eight defects reported, four are not real, three are debatable and one has been fixed.

When taking into account the revised information, the Linux TCP/IP stack has a defect density of 0.013 per 1,000 lines of code. The implementation with the fewest defects after Linux is one of the embedded stacks, with .08 defects per 1,000 lines of code. One implementation, one of the commercial OSes, had 183 defects out of about 269,100 lines of code - 0.7 per thousand.

To be sure, the Reasoning study raises some interesting points, though there's not enough data to say conclusively that Open Source software is always of higher quality than its proprietary counterparts. The study looked only at one small piece of the Linux kernel, and only considered a small set of information. The Linux kernel has also been extensively checked for this sort of error by the Stanford checker and the new "smatch" program, so it should be relatively clean. Reasoning's study says nothing about performance or features, and it does not address the functionality of the code. However, it does supply some data in favor of the argument that open code leads to higher quality -- at least in terms of specific defects.

We'll be interested to see what kinds of studies Reasoning does in the future, and how other Open Source projects compare to commercial code.

Comments (8 posted)

Lawrence Lessig wins FSF Award

The Free Software Foundation has announced that this year's winner of its Award for the Advancement of Free Software is Lawrence Lessig - a fine choice. "FSF President and founder, Richard Stallman, presented the award to Professor Lawrence Lessig for promoting understanding of the political dimension of free software, including the idea that 'code is law'."

Comments (1 posted)

Page editor: Jonathan Corbet

Security

Brief items

Keeping Secrets

[This article was contributed by Tom Owen]

Information contained on hard drives is often of the type that should not fall into the wrong hands. After all, being on the wrong end of a Canadian class action lawsuit for releasing personal information counts as one of the rougher server administrator nightmares. It's not clear whether the Canadian disk drive was stolen or retired, but it doesn't look like an isolated case. Responsible equipment dealers and recyclers use special tools to sanitize disks that come into their hands. But it doesn't always happen, and there's always the risk of simple theft.

Being sued is one possible outcome. In Europe, criminal charges are possible, though unlikely. Even if all you have to worry about is an embarrassingly public gap between your privacy policy and your real operations, it may be time to look more closely at what might emerge if your data partitions ended up on eBay.

The problem is that the ordinary techniques of host security are useless against an explorer who can install your disks in a lab machine. 0600 modes won't be noticed by an attacker who is root already. Wipes and sanitizers won't have been used if the equipment was stolen. The only option is to encrypt the information you don't want to leak. If you do it right you can publish the contents of your disks without a qualm. Encryption is doubly important for Linux administrators because the range of software is so great that failure to encrypt is that much less excusable. The only plausible objections relate to performance and convenience issues.

In the past, the US imposed export restrictions on cryptographic software. Those rules obliged Linux kernels from kernel.org to exclude cryptographic software. Something like that never stops hackers, and the kernel code for encrypted disks and networks was hosted and has continued outside the US. The 2.5 kernel has crypto built in, but users of the current stable kernels must get their encryption code from another source. Incorporating crypto code into a standard kernel is well documented but it's simpler to use a distribution like SuSE which includes crypto out of the box.

Beyond the offerings from your distribution the broad choice is rather daunting. The standard approach uses encryption in the loopback device to create a secure partition "hosted" in a big contiguous file. A filesystem can be created on that device and mounted as the data directory. The host file is unintelligible without the passphrase.

Encrypted loopback can't handle swapfiles, and so there's a risk of leaving decrypted application information on the disk. If you can't configure enough memory, ppdd, which layers encryption on top of the plain loopback device does support swap files.

Other approaches like CFS don't use loopback, instead running a userspace daemon to encrypt on a file by file basis. These suffer under I/O load and wouldn't be a good choice to host a database.

All of this is relatively well documented. But the manuals seem to skate around the hard problems:

  • Passwords are hard to manage. Changing the password involves backup and restore, too much trouble to do often, so it has to be closely guarded. Even worse, the passphrase can't be held anywhere on the machine, so an unattended start isn't possible.

  • It's surprisingly tricky to backup encrypted data. The loopback host file can be sensitive to absolute location on the disk, and getting data securely off the machine requires more encryption.

It's unfortunate that the commonest server setup, remote hosting, is one of the toughest operational security challenges. But if remote servers are the only possible answer, then encryption security is still possible. Linux is solid enough that unattended restart isn't strictly necessary. Instead, the machine can boot far enough to page the admin to ssh in and mount the loopback devices. And a backup can be prepared on the encrypted volume and once it's re-encrypted with the admin's public key any transfer method will do.

This is all convoluted to say the least. It's not standard, and it goes beyond what's commonly done. It's easy to feel that keeping the site going and current is challenge enough. But if you take privacy seriously there are no other choices. Once your hosts are as secure as you can make them against attacks from the network, it's time to move up a level. If you have other people's personal data, you should probably encrypt it.

Comments (9 posted)

New vulnerabilities

hypermail - buffer overflows

Package(s):hypermail CVE #(s):CAN-2003-0057
Created:February 11, 2003 Updated:February 27, 2003
Description: Ulf Harnhammar discovered two problems in hypermail, a program to create HTML archives of mailing lists.

An attacker could craft a long filename for an attachment that would overflow two buffers when a certain option for interactive use was given, opening the possibility to inject arbitrary code. This code would then be executed under the user id hypermail runs as, mostly as a local user. Automatic and silent use of hypermail does not seem to be affected.

The CGI program mail, which is not installed by the Debian package, does a reverse look-up of the user's IP number and copies the resulting hostname into a fixed-size buffer. A specially crafted DNS reply could overflow this buffer, opening the program to an exploit.

Alerts:
SuSE SuSE-SA:2003:0012 2003-02-27
Debian DSA-248-1 2003-01-31

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

w3m - cross-site scripting vulnerabilities

Package(s):w3m CVE #(s):CAN-2002-1335 CAN-2002-1348
Created:February 7, 2003 Updated:February 18, 2003
Description: w3m is a pager with Web browsing capabilities. Two cross-site scripting (XSS) issues have been found in w3m.

An XSS vulnerability in w3m 0.3.2 allows remote attackers to insert arbitrary HTML and web script into frames. Frames are disabled by default in the version of w3m shipped with Red Hat Linux. Therefore, this problem will not appear as long as users do not use w3m with the -F option, or enable frame support in either the /etc/w3m/w3mconfig or ~/.w3m/config configuration files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1335 to this issue.

An XSS vulnerability in versions of w3m before 0.3.2.2 allows attackers to insert arbitrary HTML and web script into image attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1348 to this issue

Alerts:
OpenPKG OpenPKG-SA-2003.009 2003-02-18
Gentoo 200302-07 2003-02-17
Debian DSA-251-1 2003-02-14
Debian DSA-250-1 2003-02-12
Debian DSA-249-1 2003-02-11
Red Hat RHSA-2003:044-20 2003-02-06

Comments (none posted)

Updated vulnerabilities

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2001-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16

Comments (none posted)

BIND8: Multiple vulnerabilities

Package(s):bind CVE #(s):CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created:November 13, 2002 Updated:March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Domain Server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
Sorcerer SORCERER2003-03-06 2003-03-06
SCO Group CSSA-2002-059.0 2002-12-19
Trustix 2002-0076 2002-11-15
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Debian DSA-196-1 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Mandrake MDKSA-2002:077 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
EnGarde ESA-20021114-029 2002-11-14

Comments (1 posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

bladeenc - improper input verification

Package(s):bladeenc CVE #(s):
Created:February 5, 2003 Updated:February 5, 2003
Description: Versions 0.94.2 (and prior) of the Blade MP3 encoder contain an input validation vulnerability which can lead to arbitrary code execution; see this advisory for details.
Alerts:
Gentoo 200302-04 2003-02-05

Comments (none posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

courier - missing input sanitizing

Package(s):courier CVE #(s):CAN-2003-0040
Created:January 30, 2003 Updated:February 5, 2003
Description: The developers of courier, an integrated user side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. An attacker could inject arbitrary SQL commands and queries exploiting this vulnerability. The MySQL auth module is not affected.
Alerts:
Debian DSA-247-1 2003-01-30

Comments (none posted)

cups - multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383
Created:December 30, 2002 Updated:February 18, 2003
Description: Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges. See the iDEFENSE advisory for more information.
Alerts:
Debian DSA-232-2 2003-02-20
SCO Group CSSA-2003-004.0 2003-01-20
Debian DSA-232-1 2003-01-20
Yellow Dog YDU-20030114-1 2002-01-14
Red Hat RHSA-2002:295-07 2003-01-09
Mandrake MDKSA-2003:001 2003-01-09
SuSE SuSE-SA:2003:002 2003-01-02
Gentoo 200212-13 2002-12-29

Comments (none posted)

CVS - exploitable double-free bug in the CVS server

Package(s):cvs CVE #(s):CAN-2003-0015
Created:January 20, 2003 Updated:April 7, 2003
Description: CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug.

See also this CERT advisory

Alerts:
Immunix IMNX-2003-7+-004-01 2003-04-02
SCO Group CSSA-2003-006.0 2003-01-31
Yellow Dog YDU-20030127-6 2003-01-27
Conectiva CLA-2003:561 2003-01-23
SuSE SuSE-SA:2003:0007 2003-01-22
Slackware sl-1043242333 2003-01-22
Conectiva CLA-2003:560 2003-01-21
Debian DSA-233-1 2003-01-21
Gentoo 200301-12 2003-01-21
OpenPKG OpenPKG-SA-2003.004 2003-01-21
Mandrake MDKSA-2003:009 2003-01-20
Red Hat RHSA-2003:012-07 2003-01-20

Comments (none posted)

dhcp3 - ignored counter boundary

Package(s):dhcp3 CVE #(s):CAN-2003-0039
Created:January 28, 2003 Updated:April 5, 2003
Description: Florian Lohoff discovered a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already.

Alerts:
Conectiva CLA-2003:616 2003-04-04
Red Hat RHSA-2003:034-01 2003-03-31
OpenPKG OpenPKG-SA-2003.012 2003-02-19
Debian DSA-245-1 2003-01-28

Comments (none posted)

dvips: command execution vulnerability

Package(s):dvips CVE #(s):CAN-2002-0836
Created:October 16, 2002 Updated:June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Immunix IMNX-2003-7+-016-01 2003-06-09
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Debian DSA-207-1 2002-12-11
Conectiva CLA-2002:537 2002-10-29
Mandrake MDKSA-2002:071 2002-10-24
Mandrake MDKSA-2002:070 2002-10-23
Gentoo tetex-20021018 2002-10-18
Red Hat RHSA-2002:194-18 2002-10-08

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13

Comments (none posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 30, 2003
Description: Felix von Leitner, discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc.This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

IM: creates temporary files insecurely

Package(s):im CVE #(s):CAN-2002-1395
Created:December 3, 2002 Updated:March 6, 2003
Description: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.
  1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user.

  2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.
Alerts:
Red Hat RHSA-2003:039-06 2003-03-06
Debian DSA-202-2 2002-12-06
Debian DSA-202-1 2002-12-03

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Conectiva CLA-2003:690 2003-07-08
SuSE SuSE-SA:2003:0008 2003-02-18
Debian DSA-229-2 2003-01-15

Comments (1 posted)

KDE - command parameter quoting problems

Package(s):kde CVE #(s):CAN-2002-1393
Created:December 24, 2002 Updated:February 21, 2003
Description: In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions passed to a command shell for execution.

These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source.

By carefully crafting such data an attacker might be able to execute arbitary commands on a vulnerable sytem using the victim's account and privileges.

See this announcement for more details.

Alerts:
Conectiva CLA-2003:569 2003-02-20
Debian DSA-243-1 2003-01-24
Debian DSA-242-1 2003-01-24
Debian DSA-241-1 2003-01-24
Debian DSA-239-1 2003-01-23
Debian DSA-240-1 2003-01-23
Debian DSA-237-1 2003-01-22
Debian DSA-238-1 2003-01-23
Debian DSA-236-1 2003-01-22
Debian DSA-235-1 2003-01-22
Debian DSA-234-1 2003-01-22
Gentoo 200301-11 2003-01-18
Mandrake MDKSA-2003:004-1 2003-01-17
Mandrake MDKSA-2003:004 2003-01-13
Gentoo 200212-9 2002-12-22

Comments (none posted)

kdelibs: Vulnerabilities in KIO subsystem support

Package(s):kdelibs CVE #(s):CAN-2002-1281 CAN-2002-1282
Created:November 22, 2002 Updated:March 15, 2003
Description: Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2, however the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
SCO Group CSSA-2003-012.0 2003-03-14
Debian DSA-204-1 2002-12-05
Red Hat RHSA-2002:220-40 2002-12-04
Mandrake MDKSA-2002:079 2002-11-21

Comments (none posted)

kernel: local denial of service vulnerability

Package(s):kernel CVE #(s):
Created:November 19, 2002 Updated:February 5, 2003
Description: All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and 2.5.47 contain a vulnerability which allows any local user to crash the system. This LWN article describes how the exploit works in detail. The vulnerability affects only x86 systems.
Alerts:
Mandrake MDKSA-2003:014 2003-02-05
Trustix 2002-0083 2002-12-19
Conectiva CLA-2002:553 2002-12-16
Red Hat RHSA-2002:264-05 2002-11-25
Trustix 2002-0077 2002-11-15
Red Hat RHSA-2002:262-07 2002-11-16

Comments (none posted)

kernel - Multiple vulnerabilities in version 2.4.18 of the kernel

Package(s):kernel CVE #(s):CAN-2003-0001 CAN-2003-0018
Created:February 4, 2003 Updated:February 5, 2003
Description: Vulnerabilities have been found in version 2.4.18 of the kernel.

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue.

A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and later that can create a limited information leak where any user on the system with write privileges to a file system can read information from that file system (from previously deleted files), and can create minor file system corruption (easily repaired by fsck). Red Hat Linux in its default configuration is not affected by this bug, because the ext3 file system (the default file system in Red Hat Linux 7.2 and later) does not support the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18 kernels have this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.

Alerts:
Red Hat RHSA-2003:025-20 2003-02-03

Comments (none posted)

krb5 - vulnerability in Kerberos ftp client

Package(s):krb5 ftp netkit CVE #(s):CAN-2003-0041
Created:January 31, 2003 Updated:February 21, 2003
Description: Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution.

Alerts:
Mandrake MDKSA-2003:021 2003-02-21
Red Hat RHSA-2003:020-10 2003-01-31

Comments (none posted)

libmcrypt: buffer overflows and memory exhaustion

Package(s):libmcrypt CVE #(s):CAN-2003-0031 CAN-2003-0032
Created:January 6, 2003 Updated:February 27, 2003
Description: libmcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from improper or lacking input validation. By passing a longer than expected input to a number of functions (multiple functions are affected) the user can successful make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via libtool. When the algorithms are loaded dynamically the each time the algorithm is loaded a small (few kilobytes) of memory are leaked. In a persistant enviroment (web server) this could lead to a memory exhaustion attack that will exhaust all avaliable memory by launching repeated requests at an application utilizing the mcrypt library.

Alerts:
SuSE SuSE-SA:2003:0010 2003-02-26
Conectiva CLA-2003:567 2003-02-05
Debian DSA-228-1 2003-01-14
Gentoo 200301-4 2003-01-05

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

micq: Denial of service

Package(s):micq CVE #(s):
Created:December 13, 2002 Updated:April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE seperator causes all versions to crash.
Alerts:
Red Hat RHSA-2003:118-01 2003-04-24
Debian DSA-211-1 2002-12-13

Comments (none posted)

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discover of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Comments (1 posted)

mod_php - buffer overflow

Package(s):mod_php php CVE #(s):CAN-2002-1396
Created:January 13, 2003 Updated:February 20, 2003
Description: The wordwrap() function on user-supplied input may allow a specially-crafted input to overflow the allocated buffer and overwrite the heap. There are no known exploits, but an exploit is theoretically possible.

Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192&w=2

Alerts:
Mandrake MDKSA-2003:019 2003-02-19
EnGarde ESA-20030219-003 2003-02-19
Red Hat RHSA-2003:017-06 2003-02-04
OpenPKG OpenPKG-SA-2003.005 2003-01-22
Gentoo 200301-8 2003-01-13

Comments (none posted)

Mozilla: Privacy leak and other vulnerabilities

Package(s):mozilla CVE #(s):CAN-2002-1126 CAN-2002-1091
Created:November 1, 2002 Updated:February 13, 2003
Description: Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs.

Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width.

See also Mozilla's Recently fixed security issues page.

All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.

Alerts:
Conectiva CLA-2003:568 2003-02-13
Mandrake MDKSA-2002:075 2002-10-31

Comments (none posted)

MySQL - double free vulnerability

Package(s):mysql CVE #(s):CAN-2003-0073
Created:January 29, 2003 Updated:February 21, 2003
Description: MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile client to crash the server process. Logging into the server is necessary before this vulnerability can be exploited.
Alerts:
Trustix 2003-0003 2003-02-20
EnGarde ESA-20030220-004 2003-02-20
Mandrake MDKSA-2003:013 2003-02-03
OpenPKG OpenPKG-SA-2003.008 2003-01-29

Comments (none posted)

MySQL: multiple vulnerabilities

Package(s):mysql CVE #(s):
Created:December 13, 2002 Updated:April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibily, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
Immunix IMNX-2003-7+-008-01 2003-04-08
EnGarde ESA-20030127-001 2003-01-27
Red Hat RHSA-2002:288-22 2003-01-15
SuSE SuSE-SA:2003:003 2003-01-02
Trustix 2002-0086 2002-12-19
Mandrake MDKSA-2002:087 2002-12-18
Debian DSA-212-1 2002-12-17
Conectiva CLA-2002:555 2002-12-17
OpenPKG OpenPKG-SA-2002.013 2002-12-16
Gentoo 200212-2 2002-12-15
EnGarde ESA-20021213-033 2002-12-13

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

OpenLDAP2: remote command execution

Package(s):OpenLDAP2 CVE #(s):CAN-2002-1378 CAN-2002-1379
Created:December 6, 2002 Updated:February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various local exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
Trustix 2003-0002 2003-02-20
Red Hat RHSA-2003:040-07 2003-02-05
Mandrake MDKSA-2003:006 2003-01-14
Debian DSA-227-1 2003-01-13
Gentoo 200212-12 2002-12-28
Conectiva CLA-2002:556 2002-12-19
SuSE SuSE-SA:2002:047 2002-12-06

Comments (1 posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

qt-dcgui: file leaking

Package(s):qt-dcgui CVE #(s):
Created:February 4, 2003 Updated:February 5, 2003
Description: All versions of qt-dcqui prior to 0.2.2 have a major security vulnerability in the directory parser. This bug allows a remote attacker to download files outside the sharelist. It's recommended that you upgrade the packages immediatly.

Read the full announcment at: http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html

Alerts:
Gentoo 200302-03 2003-02-04

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

slocate - buffer overflow

Package(s):slocate CVE #(s):CAN-2003-0056
Created:February 5, 2003 Updated:May 8, 2003
Description: version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details.
Alerts:
Conectiva CLA-2003:643 2003-05-08
SCO Group CSSA-2003-009.0 2003-03-06
Debian DSA-252-1 2003-02-21
Mandrake MDKSA-2003:015 2003-02-05
Gentoo 200302-02 2003-02-02

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

traceroute-nanog: buffer overflow and root exploit

Package(s):traceroute-nanog/nkitb CVE #(s):
Created:November 12, 2002 Updated:February 27, 2003
Description: Traceroute is a tool that can be used to track packets in a TCP/IP network to determine it's route or to find out about not working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
Alerts:
Debian DSA-254-1 2003-02-27
SuSE SuSE-SA:2002:043 2002-11-12

Comments (none posted)

typespeed: buffer overflow

Package(s):typespeed CVE #(s):
Created:January 1, 2003 Updated:June 17, 2003
Description: A problem has been discovered in the typespeed, a game that lets you measure your typematic speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games.
Alerts:
Debian DSA-322-1 2003-06-16
Debian DSA-217-1 2002-12-27

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

wget:directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

CAN-2002-1344

Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

wmaker: buffer overflow in Window Maker image handling code

Package(s):wmaker windowmaker CVE #(s):CAN-2002-1277
Created:November 7, 2002 Updated:February 6, 2003
Description: Al Viro found a problem in the image handling code used in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).
Alerts:
Red Hat RHSA-2003:043-12 2003-02-05
Mandrake MDKSA-2002:085 2002-12-02
Conectiva CLA-2002:548 2002-11-18
Debian DSA-190-1 2002-11-07

Comments (none posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th disabling the libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Comments (1 posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xpdf: integer overflow

Package(s):xpdf CVE #(s):CAN-2002-1384
Created:January 2, 2003 Updated:February 6, 2003
Description: - From iDEFENSE advisory:
The pdftops filter in the Xpdf and CUPS packages contains an integer overflow that can be exploited to gain the privileges of the target user or in some cases the increased privileges of the 'lp' user if installed setuid. There are multiple ways of exploiting this vulnerability.

Read the full advisory at http://www.idefense.com/advisory/12.23.02.txt

Alerts:
Red Hat RHSA-2003:037-09 2003-02-06
Debian DSA-226-1 2003-01-10
Mandrake MDKSA-2003:002 2003-01-09
Debian DSA-222-1 2003-01-06
Gentoo 200301-1 2003-01-02

Comments (none posted)

Resources

LinuxSecurity.com newsletters

This week's Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.5.60, which was released by Linus on February 10. This release was mostly an exercise in catching up with the pile of patches that accumulated while Linus was traveling; it includes ia32 lost timer tick detection and compensation, self-unplugging block I/O request queues, an ACPI update, various architecture updates, a SCSI command queue rework, Linux Security Module networking hooks, a big user-mode Linux update, a number of kbuild changes, 64-bit jiffies support, and a great many other fixes and updates. The long-format changelog has the details.

Linus's (pre-2.5.61) BitKeeper tree includes a big x86-64 update, some fixups for signal problems in 2.5.60, some kbuild work, and another set of AGP patches.

Dave Jones has released 2.5.60-dj2, which adds some driver fixes and a number of 2.4 fixes to the 2.5.60 kernel.

The current stable kernel is 2.4.20; Marcelo has not released any 2.4.21 prepatches since January 29.

The current patch from Alan Cox is 2.4.21-pre4-ac4. It contains another set of IDE fixes and a few other repairs.

Comments (2 posted)

Kernel development news

The continuing development of I/O scheduling

The 2.5 development series has seen a great deal of work aimed at improving the performance of the block I/O subsystem. Recently there has been a resurgence of interest in I/O scheduling - deciding which disk I/O requests to process in which order. Optimal scheduling can keep the disks running at full speed and users happy, but the optimal solution can be hard to find. That doesn't stop the kernel hackers from trying, however. The anticipatory I/O scheduler work was covered here a couple of weeks ago; now a new approach is being tried which may improve I/O performance even more.

The technique being looked at is "stochastic fair queueing," and it is intended to bring greater fairness to I/O scheduling decisions. In a fair situation, all users of a particular drive would be able to execute about the same number of I/O requests over a given time. This approach to fairness gets rid of starvation problems, and ensures that all processes can get some work done. The hope would be, for example, that a streaming media application would be able to move its data without outages, even in the presence of other, disk-intensive applications.

The stochastic fair queueing approach was first developed in the networking world by Paul E. McKenney; his paper on the subject can be found on this page. In the networking context, stochastic fair queueing tries to divide the available bandwidth equally among all users. Ideally, a separate queue would be used for each ongoing connection, but high-performance routers lack the resources to do things that way. So a smaller number of queues is used, with each connection being assigned to a queue via a hash function. Packets are then taken from each queue in turn, dividing the bandwidth between them. If two high-bandwidth connections happen to land on the same queue, they will be penalized relative to the other queues; to address this problem, the hash function is periodically changed to redistribute connections among the queues. The algorithm works reasonably well and is easy to make fast; the Linux networking code has had a stochastic queueing module available for some time.

In the disk I/O context, the aim is to divide the available disk bandwidth fairly between processes. The initial implementation by Jens Axboe creates 64 subqueues for each block I/O request queue, and distributes requests among the subqueues based on the process ID of the requestor. (Actually, it uses the process ID of the currently running process, which could, in some situations, not be the originator of the request). When the time comes to dispatch requests, one is taken from each subqueue, and the whole set is ordered before being sent to the drive for execution.

Taking things even further, Jens has also posted a complete fair queueing scheduler, which does away with the hash function used in the stochastic approach. Each process has its own queue, and requests are taken equally from all queues. It is hard to get fairer than that. Of course, as Jens points out, once you have this infrastructure in place, it is relatively easy to make things less fair again by adding, say, I/O priorities to processes.

Where this all appears to be heading (though probably not in the 2.5 series) is toward a configurable I/O scheduler with several possible algorithms which can be mixed and matched according to a site's local policy. In other words, it looks a lot like the traffic control code which has existed in the networking subsystem for a few years. As with networking, most sites will probably not need to tweak their disk scheduling regimes. Users with special needs, however, will be glad for the ability to fine-tune things to their specifications.

Comments (8 posted)

Porting drivers to 2.5

Last week's Kernel Page included the first articles in a series on porting device drivers (and other kernel code) to the 2.5 kernel. These articles are an offshoot of the work to update the Linux Device Drivers sample code (and then, of course, the book itself). Three more articles have been added to the series; one of them, which fills in more information on porting to the new module loader, appears below. The other two (on miscellaneous changes and the seq_file interface) can be read separately.

These articles will be collected at lwn.net/Articles/driver-porting as the series continues to develop. With luck, they will become a useful resource for the kernel development community. Stay tuned...

Comments (none posted)

Driver porting: more module changes

This article is part of the LWN Porting Drivers to 2.6 series.
The first article in this series noted a couple of changes that result from the new, kernel-based module loader. In particular, explicit module_init() and module_exit() declarations are now necessary. Quite a few other things have changed as well, however; this article will summarize the most important of those changes.

Module parameters

The old MODULE_PARM macro, which used to specify parameters which can be passed to the module at load time, is no more. The new parameter declaration scheme add type safety and new functionality, but at the cost of breaking compatibility with older modules.

Modules with parameters should now include <linux/moduleparam.h> explicitly. Parameters are then declared with module_param:

    module_param(name, type, perm);
Where name is the name of the parameter (and of the variable holding its value), type is its type, and perm is the permissions to be applied to that parameter's sysfs entry. The type parameter can be one of byte, short, ushort, int, uint, long, ulong, charp, bool or invbool. That type will be verified during compilation, so it is no longer possible to create confusion by declaring module parameters with mismatched types. The plan is for module parameters to appear automatically in sysfs, but that feature had not been implemented as of 2.6.0-test9; for now, the safest alternative is to set perm to zero, which means "no sysfs entry."

If the name of the parameter as seen outside the module differs from the name of the variable used to hold the parameter's value, a variant on module param may be used:

    module_param_named(name, value, type, perm);
Where name is the externally-visible name and value is the internal variable.

String parameters will normally be declared with the charp type; the associated variable is a char pointer which will be set to the parameter's value. If you need to have a string value copied directly into a char array, declare it as:

    module_param_string(name, string, len, perm);
Usually, len is best specified as sizeof(string).

Finally, array parameters (supplied at module load time as a comma-separated list) may be declared with:

    module_param_array(name, type, num, perm);

The one parameter not found in module_param() (num) is an output parameter; if a value for name is supplied when the module is loaded, num will be set to the number of values given. This macro uses the declared length of the array to ensure that it is not overrun if too many values are provided.

As an example of how the new module parameter code works, here is a paramaterized version of the "hello world" module shown previously:

    #include <linux/init.h>
    #include <linux/module.h>
    #include <linux/moduleparam.h>
    
    MODULE_LICENSE("Dual BSD/GPL");
    
    /*
     * A couple of parameters that can be passed in: how many times we say
     * hello, and to whom.
     */
    static char *whom = "world";
    module_param(whom, charp, 0);
    static int howmany = 1;
    module_param(howmany, int, 0);
    
    
    static int hello_init(void)
    {
        int i;
        for (i = 0; i < howmany; i++)
	    printk(KERN_ALERT "(%d) Hello, %s\n", i, whom);
        return 0;
    }
    
    static void hello_exit(void)
    {
    	printk(KERN_ALERT "Goodbye, cruel %s\n", whom);
    }
    
    module_init(hello_init);
    module_exit(hello_exit);
Inserting this module with a command like:
    insmod ./hellop.ko howmany=2 whom=universe
causes the message "hello, universe" to show up twice in the system logfile.

Module aliases

A module alias is an alternative name by which a loadable module can be known. These aliases are typically defined in /etc/modules.conf, but many of them are really a feature of the module itself. In 2.6, module aliases can be embedded with a module's source. Simply add a line like:

    MODULE_ALIAS("alias-name");

The module use count

In 2.4 and prior kernels, modules maintained their "use count" with macros like MOD_INC_USE_COUNT. The use count, of course, is intended to prevent modules from being unloaded while they are being used. This method was always somewhat error prone, especially when the use count was manipulated inside the module itself. In the 2.6 kernel, reference counting is handled differently.

The only safe way to manipulate the count of references to a module is outside of the module's code. Otherwise, there will always be times when the kernel is executing within the module, but the reference count is zero. So this work has been moved outside of the modules, and life is generally easier for module authors.

Any code which wishes to call into a module (or use some other module resource) must first attempt to increment that module's reference count:

    int try_module_get(&module);
It is also necessary to look at the return value from try_module_get(); a zero return means that the try failed, and the module should not be used. Failure can happen, for example, when the module is in the process of being unloaded.

A reference to a module can be released with module_put().

Again, modules will not normally have to manage their own reference counts. The only exception may be if a module provides a reference to an internal data structure or function that is not accounted for otherwise. In that (rare) case, a module could conceivably call try_module_get() on itself.

As of this writing, modules are considered "live" during initialization, meaning that a try_module_get() will succeed at that time. There is still talk of changing things, however, so that modules are not accessible until they have completed their initialization process. That change will help prevent a whole set of race conditions that come about when a module fails initialization, but it also creates difficulties for modules which have to be available early on. For example, block drivers should be available to read partition tables off of disks when those disks are registered, which usually happens when the module is initializing itself. If the policy changes and modules go back off-limits during initialization, a call to a function like make_module_live() may be required for those modules which must be available sooner. (Update 2.6.0-test9: this change has not happened and seems highly unlikely at this point).

Finally, it is not entirely uncommon for driver authors to put in a special ioctl() function which sets the module use count to zero. Sometimes, during module development, errors can leave the module reference count in a state where it will never reach zero, and there was no other way to get the kernel to unload the module. The new module code supports forced unloading of modules which appear to have outstanding references - if the CONFIG_MODULE_FORCE_UNLOAD option has been set. Needless to say, this option should only be used on development systems, and, even then, with great caution.

Exporting symbols

For the most part, the exporting of symbols to the rest of the kernel has not changed in 2.6 - except, of course, for the fact that any user of those symbols should be using try_module_get() first. In older kernels, however, a module which did not arrange things otherwise would implicitly export all of its symbols. In 2.6, things no longer work that way; only symbols which have explicitly been exported are visible to the rest of the kernel.

Chances are that change will cause few problems. When you get a chance, however, you can remove EXPORT_NO_SYMBOLS lines from your module source. Exporting no symbols is now the default, so EXPORT_NO_SYMBOLS is a no-op.

The 2.4 inter_module_ functions have been deprecated as unsafe. The symbol_get() function exists for the cases when normal symbol linking does not work well enough. Its use requires setting up weak references at compile time, and is beyond the scope of this document; there are no users of symbol_get() in the 2.6.0-test9 kernel source.

Kernel version checking

2.4 and prior kernels would include, in each module, a string containing the version of the kernel that the module was compiled against. Normally, modules would not be loaded if the compile version failed to match the running kernel.

In 2.5, things still work mostly that way. The kernel version is loaded into a separate, "link-once" ELF section, however, rather than being a visible variable within the module itself. As a result, multi-file modules no longer need to define __NO_VERSION__ before including <linux/module.h>.

The new "version magic" scheme also records other information, including the compiler version, SMP status, and preempt status; it is thus able to catch more incompatible situations than the old scheme did.

Module symbol versioning ("modversions") has been completely reworked for the 2.6 kernel. Module authors who use the makefiles shipped with the kernel (and that is about the only way to work now) will find that dealing with modversions has gotten easier than before. The #define hack which tacked checksums onto kernel symbols has gone away in favor of a scheme which stores checksum information in a separate ELF section.

Comments (5 posted)

Getting at the BitKeeper repositories without BitKeeper

Andrea Arcangeli, with a statement that he prefers coding to participating in flame wars, recently released a script which can pull code from a BitKeeper repository without the need to actually run BitKeeper. The script makes use of the web interface to the repository running on bkbits.net. It looks like a great way for developers who do not want to run proprietary software to get access to Linus's current tree. There is only one problem, however: the BitMover folks are very concerned about the amount of bandwidth that could be burned by extensive use of this script, and have promised to shut down the web interface if the bandwidth bill gets too high.

The issue of access to the BitKeeper repositories via free software will not go away, however; there is a determined subset of the kernel hacker community that simply does not want to use proprietary code. Fortunately, there appears to be an answer on the horizon: BitMover has promised to make Linus's repository available as an automatically updated CVS repository. That repository, presumably, will be hosted at kernel.org. At that point, a lot of minds should be eased about access to the repository - and about long-term preservation of the kernel's revision history in an open format (not that the BitKeeper format, which is based on SCCS, is particularly closed).

Incidentally, it has been just over one year since Linus let the world know he was trying out BitKeeper in the 2.5.4-pre1 announcement.

Comments (3 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Memory management

Architecture-specific

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

Distribution News

Debian GNU/Linux

The Debian Project announced that it is a founding member of the Desktop Linux Consortium (DLC) which was recently founded and will be incorporated as a non-profit association. A recent survey on DesktopLinux.com indicated that Debian is the most popular GNU/Linux Distribution for the Desktop.

Stephen Frost discussed problems in OpenSSL 0.9.6/0.9.7, LDAP, SSH. "There are quite a few bugs that are probably because of the problem I'm about to describe (177868, 178061, 173821, probably others..) so it was felt that this might be something to make other developers aware of."

Comments (none posted)

Gentoo Weekly Newsletter -- Volume 2, Issue 6

Here's the Gentoo Weekly Newsletter for the week of February 10th, 2003. This week's top topics: Gentoo Linux at FOSDEM; New Release Manager for 1.4; Icons for Gentoo Linux.

Full Story (comments: none)

MandrakeSoft releases Mandrake Corporate Server 2.1

MandrakeSoft announced the immediate release of Mandrake Corporate Server 2.1, a comprehensive and versatile Linux solution that provides large accounts with critical business server functions, plus MandrakeSoft's famous "user friendly" touch. The Corporate Server includes MandrakeClustering tools.

Full Story (comments: none)

Red Hat Linux

Red Hat, Inc. has announced that Red Hat Linux Advanced Server has achieved US Department of Defense (DoD) Defense Information Systems Agency (DISA) Common Operating Environment (COE) certification. COE is a DoD software security and interoperability specification.

Comments (none posted)

Slackware Linux

Slackware has upgraded several gnome packages and gcc has been upgraded to gcc-3.2.2 on slackware-current. See the details of these and other updates in the change log.

Comments (none posted)

New Distributions

Shabdix

KDE.News covers an informal group called LIGLUG (LinuxIran Gnu/Linux User Group), which has finished its work on a customized live CD based on KNOPPIX GNU/Linux and KDE. This live CD, which is called "Shabdix", will be used to promote GNU/Linux and FarsiKDE in Iran. The initial release is Shabdix 0.7.

Comments (none posted)

Minor distribution updates

2-Disk Xwindow embedded Linux

2-Disk Xwindow embedded Linux has released 1disk 1.0 update with minor bug fixes. "Changes: Text widget cleanups were made. additional net drivers were added."

Comments (none posted)

MURIX Linux

MURIX Linux has released v2003-01-14 with minor feature enhancements.

Comments (none posted)

RUNT

RUNT has released v1.10 with major feature enhancements. "Changes: A first attempt at USB bootable support was added. Please read "Booting from USB" in README.runt."

Comments (none posted)

RxLinux

RxLinux has released v1.3.0 with major feature enhancements. "Changes: Many changes have been made in the startup scripts in order to support embedded systems. This means that Rxlinux can now boot and run from solid state hard disk like Disc-On-Chip, FlashDisk, etc. It also means that it can be installed on a regular hard disk. New software packages include keepalive, Postfix, squid, and frox."

Comments (none posted)

TA-Linux

TA-Linux has released v0.2.0 beta 3 (i386) with minor bug fixes. "Changes: Many packages including the kernel and XFree86 were updated. The collection now features over 360 packages, including GNOME 2.2 and KDE 3.1. Some bugs were also fixed."

Comments (none posted)

TopologiLinux

TopologiLinux has released v2.0.2 with minor feature enhancements. "Changes: Small fixes and updated packages."

Comments (none posted)

uClinux

uClinux has released v2.5.60-uc0 with minor feature enhancements. "Changes: Updates to the latest Linux kernel."

Comments (none posted)

Vector Linux

Vector Linux has released version 3.2 of their Linux distribution. This release marks the complete conversion to a Slackware based system and mostly LSB compliant.

Full Story (comments: none)

Distribution reviews

SuSE Linux 8.1 Takes Our Challenge (OfB.biz)

Open for Business reviews SuSE Linux 8.1. "In reality, to the average user, there really isn't much of note in SuSE 8.1's desktop that wasn't available in 8.0. Like 8.0, the default GUI is KDE 3.0, and also like 8, SuSE uses a pre-release version of the Keramik style for the widgets (buttons, scrollbars, etc.). SuSE added an attractive new window manager style to the mix that went very nicely with the new "Crystal" icons and the aforementioned Keramik style to provide a professional looking desktop. As an added bonus, we found the main program launch menu and the "quick launch" menu both to be better organized in this release than in previous editions."

Comments (none posted)

Page editor: Rebecca Sobol

Development

TownPortal 0.1

An interesting new open-source project called TownPortal is under development. The first release, version 0.1 has been announced.

"The alpha release is mostly feature-complete, but lots of tuning will still be needed for installation and user interfaces. Midgard experience is required for installing and using the package."

TownPortal provides a dynamic content-driven site structure that is managed with the Aegir CMS content management system, it works under the Midgard open source application server. TownPortal is organized as a Linux, Apache, MySQL and PHP (LAMP) system.

The system currently has the following features:

  • Support for community information pages.
  • Home Pages for people and groups.
  • News capabilities.
  • Support for photo galleries with management features.
  • An event calendar.
  • Support for registered users.
  • Personalized user features including user calendar.
  • Support for Finnish and English user interfaces.
  • A localization tool for adding new languages.
  • A fully-configurable portal layout.

TownPortal is licensed under the GPL, it may be downloaded here. The screenshots page shows the system in action. If your town or group needs a new web site, TownPortal looks like a nicely organized system.

Comments (none posted)

System Applications

Audio Projects

JACK 0.50.0 released

Version 0.50.0 of JACK, the Jack Audio Connection Kit, has been released with a number of new capabilities.

Full Story (comments: none)

LADCCA 0.3.0 available

Bob Ham has released version 0.3.0 of LADCCA. "LADCCA, the session management system for jack and alsa sequencer applications on linux is now at version 0.3. After about a month of gentle fiddling, it now seems to work quite well. As an example, I managed to run muse, 2 standalone copies of iiwusynth and 2 copies of jack rack, save it with the server, close all the apps and restore it nearly perfectly (I say "nearly" as muse likes to control alsa ports and connections.) It's certainly coming along."

Full Story (comments: none)

Database Software

PostgreSQL 7.3.2 Released

PostgreSQL 7.3.2 has been released. "This release addresses several overrun and memory leak issues that were found in recent weeks, so it is highly recommended that those running the 7.3.1 branch upgrade at their earliest convience. This release is backwards compa[tible] to the previous v7.3.x releases, and does not require a dump/restore to upgrade."

Comments (3 posted)

Education

Linux in Education Report

Issue #89 of the Linux in Education Report is out. Topics include two conferences on open-source software in education, one in the UK and another in Texas, the Blue Crane College for art, science and ecological studies' open source development centre, CD Repositories for Indian cities and towns, a new Red Hat program for educators, and more.

Comments (none posted)

Electronics

gEDA news

The latest new releases from the GNU Electronic Design and Analysys (gEDA) project include Icarus Verilog snapshot 20030208 and GTKWave 2.0.0 pre3.

Comments (none posted)

XCircuit 3.1 revision 3 released

Release 3 of XCircuit 3.1, an electronic schematic drawing package, has been announced. "As of revision 3 (February 10, 2003), the Tcl interface appears to be stable and duplicates all of the features available under the last non-Tcl-based version."

Comments (none posted)

Mail Software

Mailman 2.1.1 Released

Mailman 2.1.1 has been released. This version of the GNU Mailing List Manager fixes many bugs found in Mailman 2.1 final, and updates language support. It also fixes a cross-site scripting vulnerability. It is recommended that all Mailman 2.1 sites upgrade to version 2.1.1.

Full Story (comments: none)

Printing

ESP Ghostscript 7.05.6 available

The CUPS project has released version 7.05.6 of ESP Ghostscript. More information on ESP Ghostscript is available here.

Comments (none posted)

Web Site Development

mod_security 1.4.2 released

Version 1.4.2 of mod_security is available. "Mod_security is an Apache module whose purpose is to protect vulnerable applications and reject human or automated attacks. It is an open source intrusion detection and prevention system for Apache. In addition to request filtering, it also creates Web application audit logs. Requests are filtered using regular expressions." This version now runs without patching Apache for POST request filtering.

Full Story (comments: none)

AxKit 1.6.1 Released (use Perl)

Use Perl has an announcement for AxKit 1.6.1, a Perl-based web site system. This version features bug-fixes and minor features.

Comments (none posted)

Zope Members News

The most recent headlines on the Zope Members News include: MyMediaManager 1.1 released, DCOracle2 1.3 beta available, Silva 0.9.1 beta released , Zope 2.6.1 Released, DZUG ZOPE meeting in Berlin, March 28-29th, CMFPortlets 0.5.2 released: Portlets get interactive CJKSplitter 0.1 Released, PropertyObject & PropertyFolder 1.3.1 released, Groupware Suite for CPS, Developer Preview, and ZChecker 0.1 Released.

Comments (none posted)

Zope Newbies

New article topics on Zope Newbies include: reStructuredText and Shipping the Prototype.

Comments (none posted)

Miscellaneous

POE 0.25 Released (use Perl)

Use Perl reports on the release of POE version 0.25. "cwest writes "Version 0.25 of the award-winning POE networking and multitasking framework has been released. This version is mainly a bug fix release.""

Comments (none posted)

Desktop Applications

Audio Applications

Ardour developments

The latest release of Ardour, a multi-track audio recorder, includes the following changes: "gain faders once again move during automation playback, sessions can now live anywhere on your system, s/w RAID definition is now per-session, LADSPA plugin UIs significantly improved for plugins with output and toggle controls."

Comments (none posted)

JACK Rack 1.3.0 released

Version 1.3.0 of JACK Rack, a virtual audio effects rack, is available. New features include wet/dry controls for each plugin, logarithmic controls, a better file loader, and more.

Full Story (comments: none)

ALSA Patch Bay 0.5.1 released

Two versions of Alsa Patch Bay came out this week. Version 0.5.0 was released, and adds JACK support. Version 0.5.1 fixed a bug with version 0.5.0.

Full Story (comments: none)

Sweep 0.8.1 Released

Version 0.8.1 of Sweep, an audio editor and live playback tool, has been released. "This release contains performance improvements for basic editing operations, including reduced memory consumption during cut and paste insert. It also includes support for creation of new files on the command line, updated handling of raw file loading through libsndfile, and updated support for voice activity detection and intensity stereo coding features of the Speex speech codec."

Full Story (comments: none)

AlsaPlayer 0.9.74 is out

AlsaPlayer version 0.9.74 has been released. "This release has many new features including Icecast/Shoutcast support, CDDB lookup support and lots of other fixes. Check out the ChangeLog."

Comments (none posted)

Desktop Environments

FootNotes

Headlines on the GNOME desktop FootNotes site include: Gnome Gazette: An independent journalist's perspective on recent Gnome events, Evolution 1.3 (GTK2) snapshots available, XChat 2.0 is out!, The Free/Libre/Open Source Software Survey for 2003, Progress and Future of Mozilla the application suite, Ruby-GNOME2-0.3.0 is released!, New project: Gnoppix, Get involved with Gnome: Fix some Nautilus bugs!, Sodipodi 0.30 released, Dropline GNOME 2.2.0 is Ready for Consumption, Evolution 1.2.2 available, and more.

Comments (none posted)

KDE-CVS-Digest for February 7, 2003

The Febrary 7, 2003 edition of the KDE-CVS-Digest is available. "Work continues on the Kde Personal Information Manager and Koffice. Filters to interoperate with other applications and formats such as Outlook Express, OOImpress, MSWrite, rtf and ApplixGraphics were improved. Plus the continuing improvements to Konqueror, Kopete and many others."

Comments (none posted)

KDE 3.1: Desktop Sharing in Practice

KDE.News covers the new KDE 3.1 desktop sharing capabilities. "This new feature of KDE 3.1 allows a friend or administrator to fix problems on your computer, or you can use it to show your desktop to somebody else at a remote location."

Comments (none posted)

KDE 3.1: eWeek Review, More RPMs

KDE.News covers an eWeek review of KDE 3.1, and some places where KDE 3.1 binaries can be found.

Comments (1 posted)

Kopete 0.6 available

KDE.News looks at the release of Kopte 0.6. "Kopete is KDE's all-purpose, modular and extensible chat client, which currently supports the MSN Messenger, ICQ, AIM OSCAR, Jabber and IRC protocols. A sampling of the great new features includes sophisticated (HTML) text rendering, signing / encrypting chats and sending SMS messages to mobile phones, as well as chat tabs, translucent windows and web presence notification."

Comments (none posted)

Graphics

GSview 4.31 beta test is now available

A beta version of GSview 4.31, a graphical interface for the Ghostscript PostScript interpreter, is available. Changes include support for the AFPL Ghostscript 8.00 security updates, the inclusion of Catalan and Slovak languages, support for the UTF-8 character set under Linux, and bug fixes.

Comments (none posted)

GUI Packages

FLTK Developments

The latest new software for FLTK, the Fast, Light ToolKit includes: fl_connect 0.99, Log 0.91, and Fltk 1.1.XX utf-8 patch.

Comments (none posted)

Interoperability

Kernel Cousin Wine

Issue #156 of Kernel Cousin Wine is out. Topics include: Cross-compiling Windows Apps, Threading Problems with glibc 2.3 (cont'd), RPC Data Marshalling (cont'd), Paypal Link, Wineconf 2003?, ReactOS v0.1, Windows API Database (cont'd), and GDI Performance.

Comments (none posted)

Samba 2.2.8pre1 released

Version 2.2.8pre1 of Samba is available for testing. " This is a non-production preview release provided for testing purposes. The full release notes and source code can be found on Samba mirrors."

Comments (none posted)

Office Applications

AbiWord Weekly News

Issue #130 of the AbiWord Weekly News is out, with the latest AbiWord word processor development news. "Dom and Hub add a little to their respective hackdowns. Hub's in particular refers to the re-opening of that annoying crash-on-zoom problem, while Dom does some bug spotting and decides it belongs in the 2.0 hackdown. Needless to say, with crash on zoom's return, so has its position in the top20."

Comments (none posted)

Release of GnuCash stable version 1.8.1

GnuCash 1.8.1 has been released. New features include automatic entering for scheduled transactions, a mortgage and loand repayment druid, new small business accounting features, OFX import, HBCI support, multi-currency transaction handling, redesigned menus, and improved documentation.

Full Story (comments: none)

LyX 1.3.0 is out

Version 1.3.0 of LyX, a GUI front-end for the TeX typesetting system, has been released. "One of the major projects that has been going on behind the scenes is the so-called GUI-independence project. We are glad to announce that version 1.3.0 shows the first results of this. LyX now comes in two flavours: Qt-LyX and xforms-LyX!"

Comments (none posted)

LyX Development News

The February 4, 2003 edition of the LyX Development News is out. Topics include the release of LyX 1.2.3, CJK LyX, and the translation effect.

Comments (none posted)

OpenOffice.org 1.0.2 Beta SDK

Version 1.0.2 Beta of the OpenOffice.org Software Development Kit is available for download. "The highlight of this SDK is the new Developer's Guide. This guide provides a detailed description of the OpenOffice.org API concepts, the OpenOffice.org UNO component model and how to use the API in the context of the different application areas."

Full Story (comments: none)

Web Browsers

Mozilla 1.3 beta released

Version 1.3 beta of Mozilla has been announced. New features include image auto sizing, the nearing completion of Mozilla Mail's junk-mail classification, dynamic profile switching, find as you type, a mozilla preferences panel for Chatzilla, an editable about:config preference list, and a new machine learning autocompletion feature. See the release notes for details.

Comments (none posted)

mozillaZine

The latest mozillaZine topics include: Andy Ihnatko of Chicago Sun-Times Still Prefers Mozilla, Review of Mozilla Composer, Mozilla 1.3 Beta Going Live as We Speak, Progress and Future of Mozilla the Application Suite, and Independent Status Reports.

Comments (none posted)

Miscellaneous

GNU nano 1.2.0 needs feedback

Testers are being requested to help work out the bugs in the GNU nano editor. "As you may know, the nano development team is readying the 1.2.0 release of GNU nano. If you haven't already tried a recent version of nano, we have eliminated a large number of bugs in the 1.1 series. Our most recent release, 1.1.99pre2, should be stable enough for everyday use."

Full Story (comments: none)

GNU Midnight Commander 4.6.0 released

Version 4.6.0 of GNU Midnight Commander is available, upgrades are recommended. "The difference from the last prerelease 4.6.0-pre3 is not very significant, but it's still recommended to upgrade because of a bug that could cause GNU Midnight Commander to remain in memory and eat CPU cycles after closing the terminal it's running on."

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The Caml Weekly News for February 4-11, 2003 is out. Topics include the future of Camlp4, Support for Unicode, ocamlnet-0.95 released, Optimizing false polymorphic local functions, and the first release of Cstr.

Full Story (comments: none)

The Caml Light / OCaml Hump

This week, the new software on The Caml Light / OCaml Hump includes: Cstr; A full-featured charset and string library, GeoCaml; A tool allowing to handle easily euclidian geometry, and OCamlnet; A collection of modules for the Objective Caml language which focus on application-level Internet protocols and conventions.

Comments (none posted)

HTML

HTML to Formatting Objects (FO) conversion guide (IBM developerWorks)

IBM's developerWorks has published a guide that details the process of converting HTML documents to formatting objects. "Need help converting HTML documents to PDF? This reference guide shows by example how to use XSLT templates to convert 45 commonly used HTML elements to formatting objects (from the XSL-FO vocabulary) for easy transformation to PDF using XSLT. The examples assume that you're using the Java-based XSLT processor Xalan and the Apache XML Project's FOP tool, but most of the methods would work just as well with other tools."

Comments (none posted)

Java

Sun says 22% of JVM bugs left unfixed

According to this internal memo which was leaked from Sun, a number of known Java bugs have been marked as "will not fix". "Our experience in filing bugs against Java has been to see them rapidly closed as "will not fix". 22% of accepted on-duplicate bugs against base Java are closed in this way as opposed to 7% for C++." Thanks to Giorgio Zoppi.

Comments (none posted)

Using the Decorator Pattern (O'Reilly)

Budi Kurniawan talks about the decorator pattern in relation to Java Swing on O'Reilly. "This article explains the Decorator pattern and when to subclass and when to decorate."

Comments (none posted)

Automating EJB Unit Testing (O'Reilly)

JiRong Hu writes about performing unit testing on EJBs on O'Reilly. "Enterprise Java Beans, or EJBs, cannot be tested on their own as can plain Java classes. There are additional steps to deploy them to an EJB container before they can be tested. This means that our testing process must include the additional process of deployment and re-deployment of EJBs. The deployment must be automated as well."

Comments (none posted)

A JSTL primer: The expression language (IBM developerWorks)

IBM's developerWorks has an article by Mark A. Kolb on the use of JSTL tags. "The JSP Standard Tag Library (JSTL) is a collection of custom tag libraries that implement general-purpose functionality common to Web applications, including iteration and conditionalization, data management formatting, manipulation of XML, and database access. In this first installment of his new series on developerWorks, software engineer Mark Kolb shows you how to use JSTL tags to avoid using scripting elements in your JSP pages."

Comments (none posted)

Lisp

OpenMCL 0.13.4 released

Version 0.13.4 of OpenMCL, an open-source Common Lisp implementation, has been released. "OpenMCL 0.13.4 is a maintenance release, containing bug fixes and minor feature enhancements relative to 0.13.3."

Full Story (comments: none)

Perl

The Perl Journal

The February, 2003 edition of The Perl Journal has been published. Topics include: Using PerlObjCBridge to Write Cocoa Applications in Perl, Parsing MIME & HTML, Home Automation with Perl, Amazon.com Wish Lists by brian d foy, Other People's Arguments by Simon Cozens, And including a review of Practical Python.

Comments (none posted)

This Week on perl5-porters

The February 3-9, 2003 edition of This Week on perl5-porters is out. Topics include: Maintenance releases, Reducing op size, Seeking a safe signal test, and more.

Comments (none posted)

This week on Perl 6 (O'Reilly)

The February 2, 2003 edition of This week on Perl 6 is out with the latest Perl 6 news. Topics include: Parrot Objects (noun, not verb), The packfile patches, an ongoing saga, Securing Parrot ASM, Parrot Developer World Map, Coroutine context patch, Multiple code segments and the interpreter, Parrot run loop problems, More Array Behaviours, Spare Brackets, Arrays: Default values, Damian Takes a Sabbatical, and more.

Comments (none posted)

PHP

PHP Weekly Summary

Topics on this week's PHP Weekly Summary include: Recommendation engine testers, Non-command prompt PHP, CVS confusion, Solaris build issues, NSAPI changes, php.NET?, servlet SAPI, and Timezone functions.

Comments (none posted)

Working with Permissions in PHP, Part 1 (O'Reilly)

John Coggeshall discusses Unix file permissions under PHP on O'Reilly. "In the past few columns, I have been discussing using PHP's file I/O capabilities for manipulating both files and directories. This week, we'll take a slight detour from a strictly PHP-related subject and discuss file permissions in Unix systems."

Comments (none posted)

Python

The Daily Python-URL

This week's Daily Python-URL article topics include: David Mertz on reStructuredText, A conversation with Guido van Rossum, part V: Strong versus weak typing, The Java Problem, Interview with Dennis Ritchie, Shipping the prototype, pypy-dev List Summary, exchange4linux, Alpha of Kapor's open-source PIM due in spring.

Comments (none posted)

This week's Python-URL

Dr. Dobb's Python-URL for February 10 is available with the latest news from the Python development community - including a proposal to add a ternary operator to the language at last.

Full Story (comments: none)

Python for Freenet

A Python-based API has been made available for the Freenet anonymising/encrypting publishing and file-sharing network.

Full Story (comments: none)

Ruby

The Ruby Weekly News

Topics on this week's Ruby Weekly News include: Embedding Ruby in C code, locana, SVG, cross-platform GUI meanderings, Blogging software, The way of the Gentoo, Relative performance of Ruby templating systems, and ruby-dev summary 19457-19539.

New Ruby software includes: ZenWeb 2.15.0 Released, sys-uname 0.4.0, Text::Format 0.61, Digest::CRC32 0.1.0, bdb, FXRuby-1.0.19 Now Available, plruby, math-const 1.0.0, Ruby-GNOME2-0.3.0, MIME::Types 1.005, and ruby syntax file for GNU Source-highlight.

Comments (none posted)

Scheme

Scheme Weekly News

The February 10, 2003 edition of the Scheme Weekly News has been published. Check it out for the latest Scheme news.

Full Story (comments: none)

Tcl/Tk

Dr. Dobbs' Tcl-URL!

The February 10, 2003 edition of Dr. Dobb's Tcl-URL! is out with lots of Tcl news and links.

Full Story (comments: none)

XML

Managing Enumerations in W3C XML Schemas (O'Reilly)

Anthony Coates covers XML controlled vocabularies on O'Reilly. "In this article, we will discuss how controlled vocabularies can be managed when using W3C XML Schemas, since this is the dominant XML schema format for data-oriented XML. Note that the "vocabularies" we refer to are enumerated lists of element-attribute values. This differs from other contexts where "vocabularies" are sets of XML element names."

Comments (none posted)

BrownSauce: An RDF Browser (O'Reilly)

Damian Steer describes his BrownSauce RDF browser on O'Reilly. "BrownSauce is an RDF browser. It attempts, armed with no more than a knowledge of RDF and RDF Schema, to present all RDF data as intelligibly as possible."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

MS .Net patent--a threat to standards? (ZDNet)

Microsoft is in the process of applying for a wide-ranging patent that covers a variety of functions related to its .Net initiative, say this ZDNet article. "If approved as is, the patent would cover application programming interfaces (APIs) that allow actions related to accessing the network, handling Extensible Markup Language (XML), and managing data from multiple sources. APIs are the hooks in software that allow applications to work with another system."

Comments (9 posted)

Companies

Tale of Two Stories (Linux Journal)

The Linux Journal looks at Google's success. "But what does "leading Linux company" mean when the real leaders aren't the usual suspects at all? They're the worker bees at companies of all sizes that are shifting IT dependencies from other operating systems and development methods to Linux and open source. They're IT departments embracing a de facto standard. And more, much more."

Comments (none posted)

Red Hat offers Linux exams for schools (vnunet)

Vnunet covers the Red Hat Academy, an academic version of its Red Hat Certified Engineer training program for schools and colleges. "Among the subjects covered will be: systems administration, network engineering, C or C++ programming, databases, web development, PC repair and forensic computing."

Comments (none posted)

Linux Adoption

Banks Want to Swim With Penguin (Wired)

Wired looks at the financial institutions that are using Linux to run their back-end operations. "Tux the penguin, Linux's beloved mascot, is rapidly becoming the financial services industry's totem animal of choice. In fact, it seems that the only steadily rising statistic on Wall Street these days is the number of companies moving to open-source systems."

Comments (none posted)

Sam's joins $300 Linux PC club (News.com)

News.com reports that Sam's Club will be selling PCs running Red Hat Linux. "The Sam's Club PCs will include a wealth of open-source software ready to run, including the OpenOffice productivity package, Mozilla Web browser, and Evolution personal information manager."

Comments (1 posted)

Pixar switches from Sun to Intel (News.com)

News.com reports on Pixar, which has switched from Unix systems to a Linux cluster for its image rendering. "While the financial impact of the individual contract may be negligible to Sun, the symbolism is tough to ignore. A number of film and entertainment studios in the past year have swapped out Unix computers containing reduced instruction set computer (RISC) processors, like Sun's UltraSparc III, in favor of systems running Linux and chips from Intel or from Intel rival Advanced Micro Devices."

Comments (5 posted)

Sales increase for U.S. Linux servers (News.com)

News.com reports that sales of servers running Linux are up. ""Linux (sales) increased a lot because of IBM," said Shahin Naftchi, server analyst for Gartner. Naftchi said that IBM is now shipping blade servers, 75 percent of which run Linux."

Comments (none posted)

Interviews

Interview - Dennis Ritchie (unix.se)

Unix.se has published an interview with Dennis Ritchie.
What do you consider your greatest achievement in the field of computing to be?

Dennis Ritchie: The single thing that I'm happiest about is that the notion of making the Unix system portable was mostly mine. C was already implemented on several quite different machines and OSs, Unix was already being distributed on the PDP-11, but the portability of the whole system was new.

Comments (none posted)

Gates Taking 'Pervasive' Linux Seriously (eWeek)

eWeek is carrying an article on Bill Gates's latest remarks on Linux. "In a way, there's more incompatible versions of Linux than there are of all other operating systems put together. That is, as people do innovations on top of Linux, they don't all get tested together and they're not all consistent with each other."

Comments (9 posted)

IBM's Linux Growth Path (eWeek)

eWeek features an interview with IBM's general manager of Linux, Jim Stallings. "Here are the numbers. Some 15 to 20 percent of our servers [sold] are Linux-driven. So it helps our server business, and we make a lot of money from our server business. There are other companies who don't make any money from their server business. Dell [Computer Corp.] and IBM are the only ones out there making money on their server business. So Linux is important to that business for us. It just so happens we also have a services business, and we make money on that, too."

Comments (none posted)

Resources

Linux Productivity Magazine - February 2003

The February issue of Linux Productivity Magazine takes a long look at Perl Tk. "Perl Tk is an excellent choice for GUI apps because of its highly developed Tk widgets, and even more so because of Perl's ubiquity and the incredible power of Perl and its available modules. This Linux Productivity magazine contains details of major Tk widgets, culminating with a GPL licensed speech timer program."

Comments (none posted)

Reviews

Gnome 2.2 cleans up the Linux desktop (ZDNet)

ZDNet covers the launch of Gnome 2.2. "The Gnome project said that version 2.2 has added support for other Freedesktop.org specifications, including icon themes, recent files and thumbnail management."

Comments (none posted)

Trail of tears: MySQL, ODBC and OpenOffice 1.0 (LinuxWorld.com)

Joe Barr writes about the good and bad parts of working with MySQL, ODBC and OpenOffice 1.0. "I found a wonderful "how-to" piece called "OpenOffice.org 1.0, ODBC and MySQL," by John McCreesh. In the introduction, McCreesh writes about OpenOffice.org 1.0's "best kept secret" — that secret being the fact that hidden away inside, completely unknown to most OpenOffice users, is a user-friendly front end for databases that is "a Microsoft Access (and more) equivalent." That may be so, but there is a very good reason why it's a secret: it's too damn hard getting OpenOffice and ODBC wired up correctly."

Comments (none posted)

KDE 3.1 reviewed (eWeek)

eWeek reviews KDE version 3.1. "In the latest release—KDE 3.1, which became available late last month—the product has seen significant advances since its 3.0 version, which eWeek Labs reviewed last spring, and represents Linux's best hope for becoming a viable desktop contender."

Comments (none posted)

Open-Source GUI Fans: Meet Gnome 2.2 (TechWeb)

TechWeb takes a look at Gnome 2.2. "The upgrade moves toward settling unnecessary differences with its open-source competitor the K Desktop Environment, or KDE. There's a growing trend among developers in both camps to adopt specifications that bring consistency to common functions found in desktops and applications, such as having similar help, file, and cut-and-paste operations."

Comments (14 posted)

Miscellaneous

Perens throws hat into SPI ring (Register)

The Register covers elections at Software in the Public Interest. "SPI is looking to elect three new board members from a total of eight candidates. Contributing members of SPI are eligible to vote. A contributing member is one who is considered to have made a significant contribution to the Free Software community, as determined by SPI's membership committee."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Debian joins Desktop Linux Consortium

The Debian Project announced that it is a founding member of the Desktop Linux Consortium (DLC). A recent survey on DesktopLinux.com indicated that Debian is the most popular GNU/Linux Distribution for the Desktop.

Full Story (comments: 9)

New DLC mailing list

The Desktop Linux Consortium has created a moderate volume mailing list for general discussions regarding the DLC.

Full Story (comments: none)

openMosix celebrates first anniversary

The openMosix project is celebrating its first anniversary. "This OpenSource project has quickly attracted thousands of users, building thousands of clusters. OpenSource is more than just free access to software source code. openMosix is a modern OpenSource project which encourages a very active user community."

Full Story (comments: none)

Commercial announcements

UCITA withdrawn from the ABA

An attempt to get American Bar Association approval for the UCITA "shrink-wrap software law" bill has been withdrawn after it became clear that it would not pass. ABA approval, while not strictly required, is a usual step taken before trying to push a law through state legislatures throughout the U.S. This is a big setback for UCITA, but experience over the years shows that this law (which, among other things, would legitimize a number of restrictive licensing practices, and potentially subject free software developers to liability claims) will be back before too long. (Thanks to Max Hyre).

Full Story (comments: none)

Merant Showcases Solutions in IBM’s Linux Center of Competence

Financial services are coming to Linux. Merant has announced that it is showcasing its solutions at IBM’s Linux Center of Competence. Merant is offering financial organizations the opportunity to evaluate two of its leading products, PVCS Dimensions and PVCS Version Manager, in the Center’s Linux environment.

Full Story (comments: 3)

Quicknet PC-to-Phone Service now available for Linux users

Quicknet Technologies announced the Linux Special Edition, a commercial PC-to-Phone supported service for Linux users in concert with GnomeMeeting.Org.

Full Story (comments: none)

Press Release from Castle Technology Ltd

Castle Technology Limited has put out a press release concerning an alleged GPL violation. Source code is being made available to alleviate the concern. Thanks to Jonathan Riddell.

Full Story (comments: none)

Linux LPI Bootcamp

Jim Dennis will be teaching the first in a series of Linux LPI Bootcamp courses in Concord, California, starting on Febrary 24, 2003.

Full Story (comments: none)

SnapGear Develops Linux-Based Integrated Development Toolchain for Intel XScale Processor

SnapGear, Inc. has announced an open source developement environment for the Intel XScale(TM) (IXP425) microprocessor.

Comments (none posted)

Resources

Study: comparing free and proprietary network stacks

A company called Reasoning has put out a press release on a defect study it did of six different TCP/IP stacks. "Reasoning found 8 defects in 81,852 lines of Linux kernel source code - the fewest number of defects of the various implementations of TCP/IP inspected by Reasoning as part of its study."

Comments (7 posted)

Beginning Perl available online

Wrox Press has made Simon Cozens' book Beginning Perl available online at no charge.

Comments (none posted)

wxWindows Tutorials online

Julian Smart's FOSDEM 2003 presentation and tutorial on the wxWindows cross-platform GUI framework are available online.

Comments (none posted)

Upcoming Events

NOIE Open Source Software Seminar

The National Office for the Information Economy is hosting a seminar for departmental Chief Information Officer's (CIO's), Chief Technology Officer's (CTO's), agency ICT professionals and invited guests on government demand for Open Source Software. The seminar will take place at the National Press Club in Canberra, Australia on February 18, 2003.

Comments (none posted)

OpenOffice.org Conference 2003

The first OpenOffice.org conference will be happening March 20 and 21 in Hamburg, Germany - right after CeBIT. Speakers will include Bruce Perens and Curtis Sasaki (the VP of Engineering of the Desktop Systems Group at Sun Microsystems).

Full Story (comments: none)

GUADIC 2003 - the first Italian GNOME Users and Developers Conference

GUADIC 2003 - the "GNOME Users And Developers Italian Conference" will be held February 22 in Florence. Click below for the full announcement (in Italian).

Full Story (comments: none)

FSF Announces Date for Annual Associate Membership Meeting

The Free Software Foundation will hold an annual meeting on March 15, 2003. The event will include a panel discussion with some board members of FSF.

Full Story (comments: none)

KDE Developers Meet In Brussels For FOSDEM

KDE.News covers KDE developers at FOSDEM. "Activities included bugfixing, development discussions and presentations, keysigning and of course socializing. Pictures are available."

Comments (none posted)

Copenhagen Perl Workshop in April (use Perl)

Use Perl reports on work by the Copenhagen Perl Mongers to put together a Perl Workshop in Copenhagen. The event it tentatively scheduled for the end of April.

Comments (none posted)

Call for Candidates YAPC::Europe::2004 (use Perl)

A Call for Candidates has been posted for the YAPC::Europe::2004 conference.

Comments (none posted)

Open Source for National and Local eGovernment Programs in the U.S. and EU

The Open Source for National and Local eGovernment Programs in the U.S. and EU conference will be held in Washington, D.C. on March 17-19, 2003.

Full Story (comments: none)

Events: February 13 - April 10, 2003

Date Event Location
February 13 - 14, 2003The fifth NordU/USENIX Conference(NordU2003)(Aros Congress Center)Västerås, Sweden
February 20 - 21, 2003Desktop Linux Summit(Vivendi Universal Building)San Diego, CA
February 22 - 24, 2003CodeCon 2.0(Club NV)San Francisco CA, USA
February 27 - 28, 2003Linux Summit 2003(Dipoli Conference Center)Espoo, Finland
March 17 - 19, 2003Open Source for National and Local eGovernment Programs in the U.S. and EU(The Marvin Center Grand Ballroom, George Washington University)Washington, DC
March 20 - 21, 2003First OpenOffice.org Conference(OOoCon2003)(University of Hamburg)Hamburg, Germany
March 20 - 21, 2003Conference PHP 2003(École Polytechnique de Montréal)Montreal, Quebec, Canada
March 26 - 28, 2003PyCon DC 2003(George Washington University)Washington DC
March 31 - April 2, 20032nd USENIX Conference on File and Storage Technologies(FAST '03)(Cathedral Hill Hotel)San Francisco, CA
April 2 - 3, 2003The UK Python Conference(Holiday Inn Oxford)Oxford, England
April 10 - 12, 2003MySQL Users Conference & Expo 2003(Doubletree Hotel)San Jose, California

Comments (1 posted)

Web sites

ALU.CLiki.net web site

alu.cliki.net is the location of a new CLiki-based web site which contains general LISP information.

Full Story (comments: none)

KDE-Forum.org and KDE-Look.org Hosting Updates

KDE.News reports on the resurfacing of KDE-Forum.org. "We're pleased to note that KDE-Forum.org is now back online after a rocky start. A big thanks goes out to Pierre-Emmanuel Muller and Cyberbrain who are now hosting this site, and of course to zenok, fan of KDE and creator of KDE-Forum.org for web-based KDE-related discussions."

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Misleading reporting of TRACE flaw

From:  John Fremlin <john@fremlin.de>
To:  letters@lwn.net
Subject:  Misleading reporting of TRACE flaw
Date:  Fri, 07 Feb 2003 03:59:54 +0000

In http://lwn.net/Articles/21364/ "Cross-site tracing attacks" it says:
 
   The whitepaper is more tempered, but it implies that the TRACE
   method has a defect which compromises every web server.
 
This is misleading. Having read the white paper I cannot see where it
implies or states that.
 
The information is being leaked from the client. The client wrongly
sends the sensitive information to the server, which is then echoed
back, and this reply containing the sensitive information is wrongly
made available to the untrusted code.
 
The problem clearly lies with a bug in the ActiveX, etc. objects, not
the server, as the white paper states. It does recommend that TRACE be
disabled to make it impossible for the vulnerability to affect
vulnerable clients, but the problem will not lead to the compromise of
any web server unless it is possible to do that by reading someone's
cookie. Which is very, very doubtful.
 

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds