Europeans, like citizens of much of the "free world," have a certain
tendency toward smugness when software patents are discussed. Software
patents, after all, are an American problem. Unfortunately, the U.S. is
quite good at exporting its problems. Software patents in Europe took
another step toward reality this week when the Legal Affairs Committee of
the European Parliament voted in favor of an EU-wide software patent
scheme. The 20-8 committee vote adopted the proposed directive, as
written by the European Commission, almost without changes.
The proposal is said to be more restrictive than the American version of
software patents. Patentable technologies would have to be useful in a
particular setting and application; simply having a program is not enough.
And business models still would not be subject to patents. But the
proposed directive is still enough to raise widespread concern throughout
Europe. The Greens were quite
clear on what they think:
The Legal Affairs Committee of the European Parliament today
adopted a report that allows for the unlimited patenting of
software which will, in one swoop, entrench the market dominance of
multinational companies, force small software firms out of business
and bring to an end the European free software movement.
There is also this
release from the Foundation for a Free Information Infrastructure,
which contains quotes from a number of European business figures.
The sad truth is that software patents have done great harm in the U.S.,
and they are unlikely to be more beneficial in Europe. This is one import
the EU could do without.
One of these days we'll manage to keep SCO off the front page. Not this
week. The next two articles cover a couple of important issues in this
whole mess - the breathtaking scope of SCO's claims and a look inside the
company as revealed in its latest 10Q filing. Both articles, we think,
give some insight into just what the Linux community is up against.
During the last week the read-copy-update (RCU) technology has been singled
out as one of IBM's contributions that SCO objects to. We ran an article looking into the
origins of RCU and concluding that SCO had nothing to do with the creation
of RCU. The article is a
bit dated (already) but it still gives an overview of the RCU situation; a
number of the reader comments are well worth reading too. In the end,
however, origins matter little; SCO believes it owns everything that was
ever part of a Unix system.
The company has filed a new version of its complaint against IBM,
upping the damages demanded and changing many points. See this LWN article for a brief summary, a pointer
to the document, and numerous comments.
Finally, should all this not be enough on SCO, the SCOvsIBM
Wiki maintained by Karsten Self is exhaustive and exhausting.
According to some opponents of free software, users of that software are
taking grave risks. The GPL, it is said, is "viral" and can cause the loss
of a company's intellectual property. And free software users are exposed
to the possibility that somebody, somewhere, may have incorporated tainted
code, exposing users and distributors to unexpected liabilities. The
solution to these problems, of course, is to simply stick with safe,
licensed, proprietary software. It costs, and you sign away a lot of
rights, but the warm, fuzzy feeling that comes from signing that license
agreement is worth it.
Except it's increasingly clear that things are not that way. We all owe
SCO a debt of gratitude for showing us how unsafe proprietary software can
be. That company is using proprietary licensing to press a truly
staggering set of claims over the work of others and the power to disrupt
organizations worldwide.
Consider first the issue of intellectual property. SCO CEO Darl McBride
recently gave an
interview which provided a clear picture of how he sees the ownership
of proprietary Unix systems:
Where people get a little confused is when they think of SCO Unix
as just the Unix that runs the cash register at McDonalds. We think
of this as a tree. We have the tree trunk, with Unix System 5
running right down the middle of the trunk. That is our core
ownership position on Unix.
Off the tree trunk, you have a number of branches, and these are
the various flavors of Unix. HP-UX, IBM's AIX, Sun Solaris,
Fujitsu, NEC--there are a number of flavors out there. SCO has a
couple of flavors, too, called OpenServer and UnixWare. But don't
confuse the branches with the trunk. The System 5 source code, that
is really the area that gives us incredible rights, because it
includes the control rights on the derivative works that branch off
from that trunk.
These "control rights" are at the core of the IBM lawsuit. SCO is claiming
that any work any vendor has ever put into a Unix system is subject to
SCO's control. Chris Sontag, the head of SCOsource, is
even more direct:
We believe that UNIX System V provided the basic building blocks
for all subsequent computer operating systems, and that they all
tend to be derived from UNIX System V (and therefore are claimed as
SCO's intellectual property).
SCO, it would seem, owns everything.
Compared to that claim, the allegedly "viral" nature of the GPL
(if you distribute something derived from a GPL-licensed product, the
derived product must also be licensed under the GPL) seems weak indeed.
SCO is laying claim to decades of work done by dozens of proprietary Unix
vendors, and that's just the starting point.
Does this claim have any basis in reality? SCO has posted the relevant
agreements on its IBM lawsuit
page, so this sort of thing can be checked - at least, for the IBM
case. The basic software
agreement ("Exhibit A") states (in section 2.01):
Such right to use includes the right to modify such SOFTWARE
PRODUCT and to prepare derivative works based on such SOFTWARE
PRODUCT, provided the resulting materials are treated hereunder as
part of the original SOFTWARE PRODUCT.
Since the agreement on the original "SOFTWARE PRODUCT" includes
prohibitions on disclosure, this language would seem to back up SCO's
claim. Thus, technologies like read-copy-update, which were never part of
any SCO product, could be said to come under this agreement and be
prohibited from disclosure. In fact, the language could even be read to
transfer ownership of any modifications to SCO, except that IBM caught that
and forced a change ("Exhibit C"):
Regarding section 2.01, we agree that modifications and derivative
works prepared by or for you are owned by you. However, ownership
of any portion or portions of SOFTWARE PRODUCTS included in any
such modification or derivative work remains with us.
So IBM owns its changes. But the company might have signed away its
right to disclose its changes to others or deploy them in other contexts.
Other vendors with less-aware lawyers may well have signed away all
ownership to their Unix work.
So much for the safety of intellectual property in the proprietary
environment.
Of course, all this is IBM's problem. As SCO and others have stated,
customers are better off with licensed, proprietary software, since it is
warranted against intellectual property problems. Sun Microsystems plans to press
this point to its advantage. The only problem is that, once again,
SCO has shown us that this statement is not true.
SCO is attempting to revoke IBM's license to distribute AIX. This move
does not just affect IBM; consider this quote from Chris
Sontag, the head of SCOsource:
SCO said that the termination of the AIX license means that all IBM
Unix customers also have no license to use the software. "This
termination not only applies to new business by IBM, but also
existing copies of AIX that are installed at all customer
sites. All of it has to be destroyed," Sontag said.
All of those AIX customers did exactly what they are supposed to do: they
signed a proprietary license, paid their fees, and went off with the idea
that they had bought the right to use the system on their machines. Now it
appears that Unix users, at SCO's whim, can be deprived of the software
upon which they have built their businesses. Proprietary Unix, it would
seem, is a foundation built upon sand. Given that Microsoft felt the need
to buy a Unix license from SCO, it is not clear that Windows users are in
any better shape. One might assume that SCO would not try to pull the plug
on Windows, but the possibility exists regardless. We look forward to the
forthcoming warning from the Gartner Group.
SCO's actions have pointed out the very real possibility for trouble
resulting from the incorporation of proprietary code into a free product.
This is an issue that should probably be taken more seriously throughout
the free software community in the future. But SCO has also made it
painfully clear that the proprietary world, too, has its traps, and those
traps are at least as frightening as any faced by free software users.
Taken to their extreme, the proprietary rights claimed by SCO give that
company ownership and control over most computing systems on the planet.
It is a frightening thing to contemplate.
SCO's Form 10-Q filing, summarizing the company's operations for the quarter
ending April 30, is now available. These reports always have some
interesting tidbits for those who are patient enough to wade through them,
and SCO's is no exception.
SCO claims a profit of $4.5 million for the quarter - the first in the
company's history. (Bear in mind that "the company" is the one formerly
known as Caldera). Based on that figure, SCO management has made much
noise about how strong SCO is. A look at the figures tells a different
story.
Products revenue was $11 million - down 12% from one year ago. Services
revenue was $2 million, down 30% from one year ago. SCO would have
racked up a significant loss in this quarter if it weren't for SCOsource,
which brought in $8.3 million. Even after they spent over
$2 million in legal expenses and such, that money was enough to put
SCO into a position of profit for the quarter. That makes for a nice
one-time bottom line, but, as SCO says, "SCOsource licensing revenue
is unlikely to produce stable, predictable revenue for the foreseeable
future."
SCOsource, so far, has exactly two customers. They won't tell us who the
first is, saying only:
The first of these licenses was with a long-time licensee of the
UNIX source code which is a major participant in the UNIX industry
and was a 'clean-up' license to cover items that were outside the
scope of the initial license.
The second licensee, of course, is Microsoft. We don't know how much each
one spent, only that the two add up to $8.3 million.
There are hints of some interesting stuff going on with regard to the
sale of these licenses. Consider:
During the quarter ended April 30, 2003, the Company issued a
warrant to a SCOsource licensee. The warrant allows the licensee
to acquire 210,000 shares of the Company's common stock at
an exercise price of $1.83 per share for a term of five years from
the date of grant. Because the warrant was issued for no
consideration to the SCOsource licensee, the Company has recorded
the fair value of the warrant of $500,000, as determined using the
Black-Scholes option-pricing model, as a warrant outstanding during
the quarter ended April 30, 2003 and reduced license revenue
accordingly.
Of course, at today's price for SCO stock, that warrant can be exercised
(if the holder moves quickly) for a $1.8 million overnight profit.
That, one might suppose, will
take a bit of the sting out of paying for a license from SCO. The filing
does not say which licensee got this little added gift ("for no
consideration") or why, but the wording
suggests the lucky recipient was the "long-time licensee," not Microsoft.
The story with Vista.com (covered in the June 12
Weekly Edition) gets more interesting as well. There, Vista's founder got
800,000 shares (now going on the market) in exchange for a $1 million
note payable by Vista. Vista, however, is in default on some of its other
loans from SCO - but was given more money in April anyway. There is no
real explanation of why SCO is supporting Vista (and its founder) in this
way.
SCO claims to have $10 million in the bank, and another $15 million in various
assets. $1 million of that is the dubious note from Vista. In the
absence of new investments or SCOsource deals, the company may well burn
through that cash pile in two years or less. Participants in the recent
rally in SCO's stock price may yet find a reason to wish they had missed
out.
[This article was contributed by Joe 'Zonker' Brockmeier]
The JavaOne conference was held last week in San Francisco, and as usual
there was a barrage of announcements from Sun about new Java-related
initiatives and technologies, some of them actually of interest to the
Linux and Open Source communities.
One of the big announcements was the launch of Java.net, a cooperative effort with
O'Reilly and CollabNet. Java.net
seems to be Sun's answer to SourceForge, an Open Source development site
but with a specialization in Java and Java-related technologies.
The site will include hosting of projects, mailing lists, forums, wikis
and blogs (presumably about Java or related technologies). Right now
Java.net only boasts a few projects: JXTA, NetBeans, the Javapedia, JAIN
and so on.
The NetBeans team announced the NetBeans 3.5 release, including the
NetBeans IDE, last week as well. The NetBeans IDE is written, not
surprisingly, in Java, so you should be able to run it on Linux or any
other platform with decent Java support. However, the NetBeans IDE is
not limited to Java development -- it supports C, C++, XML and HTML as
well as Java. NetBeans has been available under an Open Source license,
the Sun Public License, for three years now.
Sun also announced the Sun ONE Studio 5
IDE, which is based on the NetBeans Platform. This one isn't Open
Source, but it does run on Linux and may be of interest to J2SE (Java 2
Standard Edition) and J2EE (Java 2 Enterprise Edition) developers.
Another interesting tidbit announced during the JavaOne timeframe is the
Scripting Java
Specification Request (JSR), a plan to help scripting languages like
PHP and Java interact. Specifically, it's aimed at writing Java classes
that can be invoked by a page using PHP, ECMAScript or other scripting
languages that are in wide usage. The Scripting JSR seems to be in a
formative stage at the moment, but it should be interesting to see what
the group comes up with in the long term. The initial members of the
group are Sun, Macromedia, Zend and Oracle.
Open Source gamers might be pleased to learn that Sun has diverted work
on some gaming APIs from the Java Community Process to Java.net as well. However,
this probably has more to do with the fact that Sun doesn't see much
profitability in gaming APIs for Java than any major commitment to the
Open Source philosophy.
Sun also touted a "simplified" Java Research License (JRL). The
JRL is supposed to "simplify and relax" the research section of Sun's Sun
Community Source License (SCSL). This allows some limited
development for research and development, but anyone hoping to
distribute a project will have to go to Sun for a commercial agreement
and meet Java compatibility requirements. In other words, it still is not
a free license.
What are the prospects of Sun making Java itself Open Source? It's
probably not going to happen anytime soon, but there are folks at Sun
who are in favor of making Java, or parts of it, Open Source. James
Gosling, the guy responsible for Java, is in favor of releasing Java
according to this Computerworld article:
Oh, yeah. I've always felt that sort of in the abstract, open-source is
the right thing to do for a lot of the kinds of things that we do. There
are a variety of issues that make it a very complex discussion as to
whether it actually works as a business.
Slowly but surely, Sun seems to be moving towards a more open stance
with Java, but the company is still retaining very tight control on the
core Java technologies.
Page editor: Jonathan Corbet
Security
Brief items
Solar Designer has sent out
an announcement
of a new set of security-oriented releases from OpenWall. These components
are, of course, integrated into
Openwall Linux, but they are
available separately for integration into other distributions as well.
Here's what's available:
- A patch for the 2.4.21
kernel fixing problems and adding a number of security features.
You can now use 2.4.21 in Openwall Linux, though, in true conservative
form, they still recommend sticking with 2.2 for now.
- msulogin, a version of
the "sulogin" program (which is normally used to control access to a
system in single-user mode). The twist offered by msulogin is that it
can handle multiple root accounts.
- tcb, an alternative shadow
password implementation. The difference is that tcb implements
separate shadow files for each user. This technique allows group
permissions to be used to implement password policies, and it allows
the entire password subsystem to work with no need for root
privileges.
These tools and patches can be used as components in a more secure Linux
system, and that can only be a good thing.
Bruce Schneier's CRYPTO-GRAM newsletter for June is out; it looks at
cyberterrorism, teaching virus writing, attacking virtual machines with
memory errors, and fun with expired domains (beyond the usual trick of
pointing them at porn sites): "Step 1: Buy an expired
domain. Step 2: Watch all the spam come in, and figure out what e-mail
accounts were active for that domain's previous owner. Step 3: Go to
an account-based site -- eBay, Amazon, etc. -- and request that the
password be sent to those accounts. If the people with those accounts
didn't bother to change their e-mail address when the domain expired,
you can collect their passwords."
New vulnerabilities
BitchX: Denial of service vulnerability
| Package(s): | BitchX |
| CVE #(s): | CAN-2003-0334 |
| Created: | June 17, 2003 |
| Updated: | June 17, 2003 |
| Description: |
A Denial Of Service (DoS) vulnerability was discovered in BitchX that would
allow a remote attacker to crash BitchX by changing certain channel modes.
Read more here and here. |
| Alerts: | |
ethereal: buffer and integer overflows
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0356, CAN-2003-0357 |
| Created: | June 12, 2003 |
| Updated: | June 18, 2003 |
| Description: |
Timo Sirainen discovered several vulnerabilities in ethereal, a
network traffic analyzer. These include one-byte buffer overflows in
the AIM, GIOP, Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB,
SMPP, and TSP dissectors, and integer overflows in the Mount and PPP
dissectors. |
| Alerts: | |
gnocatan: buffer overflows, denial of service
| Package(s): | gnocatan |
| CVE #(s): | CAN-2003-0433 |
| Created: | June 12, 2003 |
| Updated: | June 28, 2003 |
| Description: |
Bas Wijnen discovered that the gnocatan server is vulnerable to
several buffer overflows which could be exploited to execute arbitrary
code on the server system. |
| Alerts: | |
lyskom-server: denial of service
| Package(s): | lyskom-server |
| CVE #(s): | CAN-2003-0366 |
| Created: | June 13, 2003 |
| Updated: | June 17, 2003 |
| Description: |
Calle Dybedahl discovered a bug in lyskom-server which could result in
a denial of service where an unauthenticated user could cause the
server to become unresponsive as it processes a large query. |
| Alerts: | |
man: format string exploit
| Package(s): | man |
| CVE #(s): | |
| Created: | June 16, 2003 |
| Updated: | June 17, 2003 |
| Description: |
Versions of man 1.5l and below contain a format string vulnerability. The
vulnerability occurs when man uses an optional catalog file, supplied by
the NLSPATH/LANG environmental variables. See the full
advisory for more details. |
| Alerts: | |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: | |
noweb: insecure temporary files
| Package(s): | noweb |
| CVE #(s): | CAN-2003-0381 |
| Created: | June 17, 2003 |
| Updated: | June 28, 2003 |
| Description: |
Jakob Lell discovered a bug in the 'noroff' script included in noweb
whereby a temporary file was created insecurely. During a review,
several other instances of this problem were found and fixed. Any of
these bugs could be exploited by a local user to overwrite arbitrary
files owned by the user invoking the script. |
| Alerts: | |
radiusd-cistron: possible remote system compromise
| Package(s): | radiusd-cistron |
| CVE #(s): | CAN-2003-0450 |
| Created: | June 13, 2003 |
| Updated: | July 11, 2003 |
| Description: |
The package radiusd-cistron is an implementation of the RADIUS protocol.
Unfortunately the RADIUS server handles large NAS numbers incorrectly. This
leads to overwriting internal memory of the server process and may be
abused to gain remote access to the system the RADIUS server is running on. |
| Alerts: | |
webmin: session ID spoofing
| Package(s): | webmin |
| CVE #(s): | CAN-2003-0101 |
| Created: | June 13, 2003 |
| Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: | |
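As an added defensive illustration (not webmin's own code), the following Python parser shows the strict handling of a Basic-authentication header that closes this class of bug: both the Base64 token and the decoded user:password are rejected if they carry line feeds, carriage returns or other control characters, and a lenient decode is shown alongside to make clear why such characters otherwise slip through. The credentials and header values are constructed samples.

```python
"""Strict parsing of 'Authorization: Basic ...' headers.

Added example, not part of webmin. The bug described above (CAN-2003-0101)
is about CR/LF metacharacters surviving inside Base64-encoded Basic
credentials; the functions below reject them at both layers.
"""
import base64
import binascii
import re
from typing import Tuple

# Only the Base64 alphabet, with at most two trailing '=' padding characters.
_BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class BadAuthHeader(ValueError):
    """Raised for any header that is not a clean, canonical Basic credential."""


def lenient_decoded_text(token: str) -> str:
    """Decode the way a permissive decoder does: characters outside the
    Base64 alphabet (including CR and LF) are silently discarded, so a token
    with embedded line breaks still yields a plausible user:password string.
    Shown only to illustrate the failure mode; do not use for authentication.
    """
    return base64.b64decode(token).decode("latin-1")


def parse_basic_auth(header_value: str) -> Tuple[str, str]:
    """Return (username, password) from the value of an Authorization header.

    Raises BadAuthHeader unless the value is 'Basic <token>' where <token> is
    canonical Base64 of a printable-ASCII 'user:password' string.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        raise BadAuthHeader("not a Basic credential")
    # Layer 1: the encoded token itself must be pure Base64. An embedded
    # CR/LF here is rejected outright rather than skipped over.
    if not _BASE64_RE.match(token) or len(token) % 4:
        raise BadAuthHeader("malformed Base64 token")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise BadAuthHeader("malformed Base64 token") from exc
    # Canonical-form check: re-encoding must reproduce the token exactly, so
    # the same credential cannot be smuggled in under alternate encodings
    # (non-zero trailing bits) that a log or filter might not recognise.
    if base64.b64encode(raw).decode("ascii") != token:
        raise BadAuthHeader("non-canonical Base64 token")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadAuthHeader("non-ASCII bytes in credential") from exc
    # Layer 2: the decoded credential must be printable ASCII only. This is
    # what keeps a line break (and therefore an injected line) out of any
    # session or log record the credential is later written to.
    if not all(0x20 <= ord(c) <= 0x7E for c in text):
        raise BadAuthHeader("control character in credential")
    # The password may legitimately contain ':'; only the first one separates.
    user, sep, password = text.partition(":")
    if not sep or not user:
        raise BadAuthHeader("missing user:password separator")
    return user, password


def is_clean_basic_auth(header_value: str) -> bool:
    """Convenience predicate: True only if parse_basic_auth accepts the value."""
    try:
        parse_basic_auth(header_value)
    except BadAuthHeader:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: base64("alice:s3cret") is YWxpY2U6czNjcmV0.
    print(parse_basic_auth("Basic YWxpY2U6czNjcmV0"))
    # The same token with CRLF spliced in still "decodes" leniently ...
    print(repr(lenient_decoded_text("YWxp\r\nY2U6czNjcmV0")))
    # ... but the strict parser refuses it.
    print(is_clean_basic_auth("Basic YWxp\r\nY2U6czNjcmV0"))
```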
Xpdf - command execution vulnerability
| Package(s): | Xpdf |
| CVE #(s): | CAN-2003-0434 |
| Created: | June 18, 2003 |
| Updated: | July 24, 2003 |
| Description: |
Xpdf suffers from the same sort of "execute arbitrary code embedded in a
malicious document" vulnerability that is so widespread in other PostScript
and PDF interpreters. |
| Alerts: | |
Updated vulnerabilities
Apache 2 - denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2003-0189, CAN-2003-0245 |
| Created: | May 28, 2003 |
| Updated: | June 16, 2003 |
| Description: |
A new set of denial of service vulnerabilities has been found in Apache
versions 2.0 through 2.0.45. The potential for a remote code exploit
apparently exists as well. See the Apache 2.0.46 announcement for more
information. |
| Alerts: | |
atftp: buffer overflow
| Package(s): | atftp |
| CVE #(s): | CAN-2003-0380 |
| Created: | June 9, 2003 |
| Updated: | June 12, 2003 |
| Description: |
Rick Patel discovered that atftpd is vulnerable to a buffer overflow
when a long filename is sent to the server. An attacker could exploit
this bug remotely to execute arbitrary code on the server. Read the
full advisory for more information. |
| Alerts: | |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651, CAN-2002-0684 |
| Alerts: | |
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158, CAN-2002-1159 |
| Alerts: | |
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups |
| CVE #(s): | CAN-2003-0195 |
| Created: | May 27, 2003 |
| Updated: | July 22, 2003 |
| Description: |
Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
(Internet Printing Protocol) implementation. The IPP implementation is
single-threaded, which means only one request can be serviced at a time.
An attacker could make a partial request that does not time out and
therefore creates a denial of service. In order to exploit this bug, an
attacker must have the ability to make a TCP connection to the IPP port (by
default 631). |
| Alerts: | |
eterm: buffer overflow
| Package(s): | eterm |
| CVE #(s): | |
| Created: | June 9, 2003 |
| Updated: | June 12, 2003 |
| Description: |
"bazarr" discovered that eterm is vulnerable to a buffer overflow
triggered through the ETERMPATH environment variable. This bug can be
exploited to gain the privileges of the group "utmp" on a system where
eterm is installed. |
| Alerts: | |
ethereal - format string vulnerability
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: |
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string
overflow. This vulnerability has been present in Ethereal since the SOCKS
dissector was introduced in version 0.8.7. It was discovered by Georgi
Guninski. Additionally, the NTLMSSP code is susceptible to a heap
overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade.
See the full advisory for additional information. |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible. |
| Alerts: | |
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details. |
| Alerts: | |
ghostscript: command execution vulnerability
| Package(s): | ghostscript |
| CVE #(s): | CAN-2003-0354 |
| Created: | June 2, 2003 |
| Updated: | June 16, 2003 |
| Description: |
A flaw in unpatched versions of Ghostscript before 7.07 allows malicious
postscript files to execute arbitrary commands even with -dSAFER enabled. |
| Alerts: | |
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 30, 2003 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream |
| Alerts: | |
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash). |
| Alerts: | |
gnupg: key validation
| Package(s): | gnupg |
| CVE #(s): | CAN-2003-0255 |
| Created: | May 16, 2003 |
| Updated: | November 18, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: | |
gzip: insecure temporary files
| Package(s): | gzip |
| CVE #(s): | CVE-1999-1332, CAN-2003-0367 |
| Created: | June 9, 2003 |
| Updated: | June 16, 2003 |
| Description: |
Paul Szabo discovered that znew, a script included in the gzip
package, creates its temporary files without taking precautions to
avoid a symlink attack (CAN-2003-0367).
The gzexe script has a similar vulnerability which was patched in an
earlier release but inadvertently reverted. |
| Alerts: | |
hanterm: two vulnerabilities in Hangul Terminal
| Package(s): | hanterm |
| CVE #(s): | CAN-2003-0077, CAN-2003-0079 |
| Created: | June 6, 2003 |
| Updated: | June 11, 2003 |
| Description: |
Hangul Terminal is a terminal emulator for the X Window System, based on Xterm.
Hangul Terminal provides an escape sequence for reporting the current
window title, which essentially takes the current title and places it
directly on the command line. An attacker can craft an escape sequence
that sets the window title of a victim using Hangul Terminal to an
arbitrary command and then report it to the command line. Since it is not
possible to embed a carriage return into the window title the attacker
would then have to convince the victim to press Enter for it to process the
title as a command, although the attacker could craft other escape
sequences that might convince the victim to do so.
In addition, it is possible to lock up Hangul Terminal before version 2.0.5
by sending an invalid DEC UDK escape sequence. |
| Alerts: | |
IMP - SQL injection vulnerability
Package(s): imp
CVE #(s): CAN-2003-0025
Created: January 15, 2003
Updated: July 8, 2003
Description:
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem.

kde: arbitrary code execution
Package(s): kde
CVE #(s): CAN-2003-0204
Created: April 10, 2003
Updated: June 30, 2003
Description:
The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allows a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2,
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF
files in a way that allows for the execution of arbitrary commands that can
be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the victim
browses a directory containing such a malicious file and has file previews
enabled.
An attacker can provide malicious files remotely to a victim in an e-mail,
as part of a webpage, via an ftp server and possibly other means.

KDE: vulnerability in SSL implementation
Package(s): KDE
CVE #(s): CAN-2003-0370
Created: June 6, 2003
Updated: June 11, 2003
Description:
KDE versions 2.2.2 and earlier have a vulnerability in their SSL
implementation that makes it possible for users of Konqueror and other SSL
enabled KDE software to fall victim to a man-in-the-middle attack.

kernel - ptrace-related vulnerability
Package(s): kernel
CVE #(s): CAN-2003-0127
Created: March 17, 2003
Updated: June 30, 2003
Description:
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix.

kernel 2.4 - two new vulnerabilities
Package(s): kernel
CVE #(s): CAN-2003-0244, CAN-2003-0246
Created: May 14, 2003
Updated: July 25, 2003
Description:
The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
- The ioperm() system call doesn't perform proper checking,
allowing a local user to manipulate arbitrary I/O ports.
- The networking code contains a remotely exploitable denial of
service condition; see the May 24 Security Page for details.

kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains User Mode Linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net

kon2: buffer overflow allows local users to obtain root privileges
Package(s): kon2
CVE #(s): CAN-2002-1155
Created: June 3, 2003
Updated: June 16, 2003
Description:
KON is a Kanji emulator for the console. There is a buffer overflow
vulnerability in the command line parsing code portion of the kon program
up to and including version 0.3.9b. This vulnerability, if appropriately
exploited, can lead to local users being able to gain elevated (root)
privileges.

kopete: vulnerability in GnuPG plugin
Package(s): kopete
CVE #(s): CAN-2003-0256
Created: May 8, 2003
Updated: June 27, 2003
Description:
A vulnerability was discovered in versions of kopete
prior to 0.6.2. Kopete is a KDE instant messenger client. This
vulnerability is in the GnuPG plugin that allows users to send each
other GPG-encrypted instant messages. The plugin passes encrypted messages
to gpg, but does no checking to sanitize the command line passed to gpg.
This can allow remote users to execute arbitrary code, with the permissions
of the user running kopete, on the local system.

libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.

LPRng: insecure temporary file
Package(s): LPRng
CVE #(s): CAN-2003-0136
Created: April 14, 2003
Updated: June 16, 2003
Description:
Karol Lewandowski discovered that psbanner, a printer filter that
creates a PostScript format banner and is part of LPRng, insecurely
creates a temporary file for debugging purposes when it is configured
as a filter. The program does not check whether this file already
exists or is linked to another place, and writes its current environment
and called arguments to the file unconditionally with the user id
daemon.

lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.

perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected
by this vulnerability; in particular, SpamAssassin is vulnerable if you use
the -r or -w flags.

mod_php: integer overflow
Package(s): mod_php php
CVE #(s): (none listed)
Created: June 9, 2003
Updated: June 12, 2003
Description:
The PHP emalloc() function implements the error safe wrapper around
malloc(). Unfortunately this function suffers from an integer overflow and
considering the fact that emalloc() is used in many places around PHP
source code, it may lead to many serious security issues. Read the full
advisory.
The function str_repeat(string input, int multiplier) returns input
repeated multiplier times. The implementation of this function suffers
from a simple integer overflow caused by a very long second argument and
could allow a local/remote attacker in the worst case to gain control over
the web server. Read the full advisory.
The function array_pad(array input, int pad_size, mixed pad_value) returns
a copy of the input padded to size specified by pad_size with pad_value.
Unfortunately the implementation of this function suffers from an integer
overflow caused by a very long second argument and could allow a
local/remote attacker in the worst case to gain control over the web
server. Read the full advisory.

Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none listed)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.

nethack: buffer overflow
Package(s): nethack, slashem, falconseye
CVE #(s): CAN-2003-0358, CAN-2003-0359
Created: February 18, 2003
Updated: July 15, 2003
Description:
Overflowing a buffer in nethack may lead to privilege escalation to the
games uid.
Read the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages.

netscape-flash: buffer overflow
Package(s): netscape-flash
CVE #(s): (none listed)
Created: March 10, 2003
Updated: June 20, 2003
Description:
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a user's machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade."

net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.

openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."

pam_xauth: root exploit
Package(s): pam_xauth
CVE #(s): CAN-2002-1160
Created: February 13, 2003
Updated: July 10, 2003
Description:
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker.

PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the mail() PHP function. The first one allows
the execution of any program/script bypassing the safe_mode restriction; the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq report for more details.
Note that this is a different vulnerability than the previous PHP mail()
problem, which affected versions through 4.1.0.

PostgreSQL - more buffer overflows
Package(s): postgresql
CVE #(s): (none listed)
Created: February 12, 2003
Updated: November 7, 2003
Description:
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server.

Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the
Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08.

File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.

Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none listed)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.

typespeed: buffer overflow
Package(s): typespeed
CVE #(s): (none listed)
Created: January 1, 2003
Updated: June 17, 2003
Description:
A problem has been discovered in typespeed, a game that lets you
measure your typematic speed. By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games.

vim - modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description:
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.

vixie-cron: Local vulnerability
Package(s): vixie-cron
CVE #(s): CVE-2001-0559
Created: April 17, 2003
Updated: October 3, 2003
Description:
From the ISS advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10, 2001 security page.

wget: directory traversal bug
Package(s): wget
CVE #(s): CAN-2002-1344
Created: December 10, 2002
Updated: October 1, 2003
Description:
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also this Bugtraq article from 1997.

Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed that an attacker could exploit this bug to gain remote
wwwrun access to the system wwwoffled is running on."

XaoS: improper setuid-root execution
Package(s): xaos
CVE #(s): (none listed)
Created: June 9, 2003
Updated: June 11, 2003
Description:
XaoS, a program for displaying fractal images, is installed setuid
root on certain architectures in order to use svgalib, which requires
access to the video hardware. However, it is not designed for secure
setuid execution, and can be exploited to gain root privileges.

xinetd: Memory leak in xinetd 2.3.10
Package(s): xinetd
CVE #(s): CAN-2003-0211
Created: May 13, 2003
Updated: November 13, 2003
Description:
Xinetd is a 'master server' that is used to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues.

Resources
The June 13 Linux Advisory Watch newsletter from LinuxSecurity.com is
available.
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.5.72, which was
released by Linus on June 16. This
relatively small patch contains an x86-64 merge, a partial reversion of the
IDE taskfile switchover, a PA-RISC update, and various fixes and cleanups.
The long-format changelog has the details.
Linus had released the 2.5.71 ("sticky
turtle") kernel only two days before. This long-awaited patch included a
fair amount of driver model work, some extensive PCI bus cleanups (dealing
with potential race conditions there), the big IDE changeover to taskfile
I/O, a new /proc/kallsyms file, support for per-CPU variables in
modules, a change to the kmalloc_percpu() interface, an Atmel
at76c50x wireless driver, a long-sought fix for hanging TCP sessions, an
improved slab allocator which performs better in busy, multi-processor
situations, some kbuild tweaks, an ALSA update, a set of hash function
changes to deal with algorithmic complexity attacks, a FAT filesystem
rework (if you have been waiting to be able to create FAT partitions
greater than 128GB, this patch is for you), a v850 subarchitecture merge, a
RAID update, the removal of the long-deprecated callout TTY device
(/dev/cua) support, numerous architecture updates, and several
other fixes and updates. As always, the
long-format changelog has the gory details.
Linus's BitKeeper tree contains an extensive ext3 and JBD rework (see
below), an OProfile update, some NFS server fixes, and a few other fixes
and updates.
With the 2.5.72 announcement, Linus announced that he is taking a leave of
absence from Transmeta to go work at the Open Source Development Lab.
"Transmeta has always been very good at letting me spend even an
inordinate amount of time on Linux, but as a result I've been feeling a
little guilty at just how little 'real work' I got done lately. To fix
that, I'll instead be working at OSDL, finally actually doing Linux as my
main job."
The current stable kernel is 2.4.21, released, at last, on June 13. There were
no changes since -rc8.
No 2.4.22 prepatches have come out yet. Marcelo's plan, at this point, is to have 2.4.22 contain
an updated aic7xx driver and the current ACPI tree (both items that people
had wanted in 2.4.21), along with some interactivity and memory management
fixes.
Kernel development news
Back in April, LWN
looked at udev, a simple
user-space daemon which handles the dynamic creation and removal of device
nodes. Udev is an answer to devfs which uses hotplug events and sysfs to
manage the device tree in user space. Things have been fairly quiet on the udev front -
at least, on the public lists. That changed, however, when Steven Dake
posted
a patch aimed at fixing some problems
he sees with how udev works. At that point, it became clear that an
off-list discussion had been going on for some time.
Mr. Dake has a list of four problems that he is trying to fix with his
patch, which creates an event queue within the kernel and a virtual device
for retrieving events from that queue. These problems are:
- The current implementation (which invokes /sbin/hotplug for
each device event) has performance problems when the number of devices
is large.
- There is no policy controlling how many /sbin/hotplug
processes can be created simultaneously, a shortcoming which can lead
to out-of-memory situations.
- /sbin/hotplug is not available during the early part of
the system initialization process, so early device enumeration is
not possible.
- Hotplug events can be processed out of order, leading to device
directory corruption.
The posting elicited some strongly-worded
responses. The general view is that the first three of the problems
listed above do not actually exist. The cost of /sbin/hotplug is
small relative to the cost of device probing and initialization, so, in the
real world, system load and performance are not problems. Early
initialization can be handled with initramfs or by reconstructing things in
user space from the sysfs tree. The hotplug developers thus feel no
pressure to "fix" any of those problems. Linus also chimed in with a condemnation of event daemon
schemes.
When the dust settled, however, the problem of event reordering remained.
Device events can come quickly, and the vagaries of scheduling, page
faults, etc. can cause them to be processed in an order different from that
in which they were generated. Some fairly complicated schemes were
presented for dealing with this problem, but they were set aside when
Andrew Morton suggested the (in retrospect)
obvious: add a sequence number to hotplug events. With a unique,
increasing sequence number, it is simple for a user-space process to detect
(and fix) misordered events. Problem solved.
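As an added illustration of that fix (this is not udev code, nor Mr. Dake's patch), here is a small user-space reorderer in C: events carrying the kernel's sequence number are delivered strictly in order, early arrivals are held back until the gap before them is filled, and a stale or duplicate number is rejected rather than replayed. The event structure, field names and the sample arrivals are constructed for the example.

```c
#include <stddef.h>

#define MAX_PENDING 16

struct hotplug_event {
    unsigned seqnum;          /* unique, increasing number assigned by the kernel */
    const char *action;       /* "add" or "remove" */
    const char *devpath;      /* constructed sysfs path of the device */
};

struct event_reorder {
    unsigned next_seq;                          /* next seqnum we may dispatch */
    struct hotplug_event pending[MAX_PENDING];  /* arrived too early, held back */
    int npending;
};

typedef void (*dispatch_fn)(const struct hotplug_event *ev, void *ctx);

/* Deliver every held-back event whose turn has now come, in seqnum order. */
static int reorder_flush(struct event_reorder *q, dispatch_fn dispatch, void *ctx)
{
    int dispatched = 0, progress = 1;
    while (progress) {
        progress = 0;
        for (int i = 0; i < q->npending; i++) {
            if (q->pending[i].seqnum == q->next_seq) {
                dispatch(&q->pending[i], ctx);
                q->pending[i] = q->pending[--q->npending];  /* swap-remove */
                q->next_seq++;
                dispatched++;
                progress = 1;
                break;
            }
        }
    }
    return dispatched;
}

/* Accept one event in arrival order. Returns how many events were dispatched
 * as a result, or -1 if the event is stale (a duplicate or replay of a seqnum
 * already handled) or the holding buffer is full. */
static int reorder_push(struct event_reorder *q, const struct hotplug_event *ev,
                        dispatch_fn dispatch, void *ctx)
{
    if (ev->seqnum < q->next_seq)
        return -1;
    if (ev->seqnum == q->next_seq) {
        dispatch(ev, ctx);
        q->next_seq++;
        return 1 + reorder_flush(q, dispatch, ctx);
    }
    if (q->npending == MAX_PENDING)
        return -1;                    /* bounded: a lost seqnum must not stall us forever */
    q->pending[q->npending++] = *ev;  /* too early: hold until the gap is filled */
    return 0;
}

struct trace { unsigned seq[16]; int n; };

static void record(const struct hotplug_event *ev, void *ctx)
{
    struct trace *t = ctx;
    if (t->n < 16)
        t->seq[t->n++] = ev->seqnum;
}

/* Constructed arrival order as the scheduler delivered it: 1,3,4,2,5. The
 * re-add of 00:11.0 (seq 3) overtook the remove (seq 2) it logically follows;
 * handled in arrival order, the remove would delete the freshly recreated node. */
static const struct hotplug_event sample_arrivals[] = {
    {1, "add",    "/devices/pci0/00:11.0"},
    {3, "add",    "/devices/pci0/00:11.0"},
    {4, "add",    "/devices/pci0/00:12.0"},
    {2, "remove", "/devices/pci0/00:11.0"},
    {5, "remove", "/devices/pci0/00:12.0"},
};

/* Feeds the sample through the reorderer; 1 if all five events came out
 * exactly once and in seqnum order, 0 otherwise. */
static int sample_is_ordered(void)
{
    struct event_reorder q = { .next_seq = 1 };
    struct trace t = {0};
    int total = 0;
    for (size_t i = 0; i < sizeof sample_arrivals / sizeof sample_arrivals[0]; i++) {
        int r = reorder_push(&q, &sample_arrivals[i], record, &t);
        if (r > 0)
            total += r;
    }
    if (total != 5 || t.n != 5)
        return 0;
    for (int i = 0; i < t.n; i++)
        if (t.seq[i] != (unsigned)(i + 1))
            return 0;
    return 1;
}
```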
One of the nice (and increasingly important) features of the 2.5 device
model is sysfs. This virtual filesystem exports a view of the system's
structure to user space; it also provides a nice control interface - and
/proc replacement - by allowing attributes to be attached to sysfs
entries. Sysfs is not without its traps, however, and many kernel
developers are just now beginning to realize the sort of care that is
necessary to avoid making mistakes.
The hardware supported by Linux is increasingly dynamic; devices can appear
and disappear at any time. The sysfs filesystem adjusts itself in response
to hardware events by creating and removing directories associated with
devices, classes, and other objects. Kernel code typically implements this
functionality by allocating (and registering) device structures and other
objects when a device is plugged in, and deleting those structures when the
device is removed. It tends to work quite well.
But consider the following possible sequence of events:
- A user plugs in a shiny new hotplug PCI frobnicator.
- The driver creates a device structure and registers it; as a result,
the directory /sys/devices/pci0/00:11.0/ (or some such) gets
created and filled with attributes.
- A user process moves into that directory, opens one of the attribute
files, but doesn't get around to reading it yet.
- The user, having done enough frobnication for one day, unplugs the
device.
- The driver unregisters and frees the device structures.
All seems well, except for the small problem of that user process. By
sitting in the directory, it maintains a reference there. The open
attribute file is yet another reference. If the driver has truly cleaned
up and freed the devices, the user process will be holding structures with
pointers into freed memory. An attempt to read the (already open)
attribute file at this point is almost certain to crash the system.
The above scenario is not hypothetical; a fair number of such conditions
exist in the 2.5 kernel now. That is why this issue (titled "kobject
refcounting") appears in the 2.6 must-fix
list. It truly must be fixed.
The infrastructure exists to handle these problems, but it must be used
properly to be effective. The solution lies in the same place as the
problem - the kobject structure. The 2.5.72 version of this
structure looks like:
    struct kobject {
        char name[KOBJ_NAME_LEN];
        atomic_t refcount;
        struct list_head entry;
        struct kobject *parent;
        struct kset *kset;
        struct kobj_type *ktype;
        struct dentry *dentry;
    };
Entries in sysfs are closely tied to kobjects; there is a kobject
associated with each directory in the filesystem. When a process moves
into a sysfs directory or opens a sysfs file, the associated kobject has
its refcount field incremented. As long as the reference count is
above zero, the kobject cannot be deleted.
The same kobjects, of course, are embedded deeply within the structures
used to represent devices and other system objects. So a nonzero reference
count in a kobject means that the entire device structure (and, perhaps,
the module infrastructure supporting it) is still in use. Safely putting
things into sysfs is really just a matter of not deleting objects until
their reference counts hit zero.
Of course, that is easily said, but the current mechanism for implementing
such a policy is not entirely obvious. An example might help, so we'll
look at the block subsystem, which does things right. Disks, within the
kernel, are represented by the gendisk
structure. The function used to create a gendisk is
alloc_disk(), which, after allocating and initializing a
gendisk structure (which contains a kobject), executes this
mysterious line of code:
kobj_set_kset_s(disk,block_subsys);
This line tweaks the kobject within disk (the gendisk
structure) to make it a part of block_subsys. The block subsystem
structure, in turn, contains a pointer to a kobj_type structure,
which, in this case, looks like:
    static struct kobj_type ktype_block = {
        .release = disk_release,
        .sysfs_ops = &disk_sysfs_ops,
        .default_attrs = default_attrs,
    };
We'll come back to this structure in a moment. For now, suffice to say
that it identifies the kobject (and the gendisk structure that
contains it) as something belonging to the block code, and provides some
methods implementing the object's operations.
The function which puts a new disk into the system is add_disk();
it creates the associated sysfs structure, and increments the disk's
reference count. The disk then goes through its lifecycle, with the
reference count going up and down as it is mounted and unmounted, and as
its sysfs files are accessed. Should the disk disappear, the driver will
do some cleanup and call del_gendisk() to return the
gendisk structure to the system.
del_gendisk() does not actually free the structures, however. It
removes the sysfs entries and generally shuts things down; it then finishes
by decrementing the reference count. That operation releases the reference
which was first obtained in add_disk(). The driver also must
release its own reference with put_disk(). These operations may
drop the reference count to zero - if nobody else is holding a reference to
the disk. But there is no way to know ahead of time.
Sooner or later, however, the last reference will go away. The function
which actually decrements the count (kobject_put()) tests that
count for zero. If no references remain, kobject_put() will go
back to the kobj_type structure associated with the kobject
(the ktype_block we saw above, in the case of a gendisk) and
call the release() method found there. That method, knowing that
nobody is referring to the object, can actually remove it from the system.
That is how sysfs objects must be managed. They must have a
destructor associated with them, by way of the kobj_type
structure, and that destructor must understand the higher-level objects
that it is dealing with. With this mechanism in place, objects will
continue to exist as long as references to them are held.
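To make the lifecycle concrete, here is an added user-space model of the gendisk/kobject pattern just described; it is not kernel code. The refcount is a plain int rather than atomic_t, "sysfs" is reduced to get/put calls on the kobject, kobj_set_kset_s() is replaced by setting the ktype pointer directly, and the scenario function replays the frobnicator sequence to show that disk_release() runs only when the user process finally closes its attribute file.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define KOBJ_NAME_LEN 20

struct kobject;
struct kobj_type {
    void (*release)(struct kobject *kobj);  /* destructor, run at refcount 0 */
};
struct kobject {
    char name[KOBJ_NAME_LEN];
    int refcount;                 /* plain int here; atomic_t in the kernel */
    struct kobj_type *ktype;
};

/* Recover the containing structure from an embedded kobject, as the kernel does. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct gendisk {
    char disk_name[32];
    struct kobject kobj;          /* the embedded kobject owns the lifetime */
};

static int disks_released;        /* how many gendisks disk_release() has freed */

/* The release() method: the only place where a gendisk is actually freed. */
static void disk_release(struct kobject *kobj)
{
    struct gendisk *disk = container_of(kobj, struct gendisk, kobj);
    disks_released++;
    free(disk);
}
static struct kobj_type ktype_block = { .release = disk_release };

static struct kobject *kobject_get(struct kobject *kobj)
{
    kobj->refcount++;
    return kobj;
}
static void kobject_put(struct kobject *kobj)
{
    if (--kobj->refcount == 0 && kobj->ktype && kobj->ktype->release)
        kobj->ktype->release(kobj);  /* last reference gone: run the destructor */
}

/* alloc_disk(): the new disk starts out holding the driver's own reference. */
static struct gendisk *alloc_disk(const char *name)
{
    struct gendisk *disk = calloc(1, sizeof(*disk));
    if (!disk)
        return NULL;
    strncpy(disk->disk_name, name, sizeof(disk->disk_name) - 1);
    strncpy(disk->kobj.name, name, KOBJ_NAME_LEN - 1);
    disk->kobj.ktype = &ktype_block;  /* stands in for kobj_set_kset_s() */
    disk->kobj.refcount = 1;          /* released later by put_disk() */
    return disk;
}

/* add_disk() creates the sysfs directory and takes a reference for it;
 * del_gendisk() tears the directory down and drops that reference again. */
static void add_disk(struct gendisk *disk)    { kobject_get(&disk->kobj); }
static void del_gendisk(struct gendisk *disk) { kobject_put(&disk->kobj); }
static void put_disk(struct gendisk *disk)    { kobject_put(&disk->kobj); }

/* A process sitting in the sysfs directory or holding an attribute file
 * open pins the kobject in exactly the same way. */
static void sysfs_open(struct kobject *kobj)  { kobject_get(kobj); }
static void sysfs_close(struct kobject *kobj) { kobject_put(kobj); }

struct scenario_result {
    int refs_after_driver_done;  /* references still held once the driver is done */
    int released_before_close;   /* 1 would mean the user process holds freed memory */
    int released_after_close;    /* 1: the destructor ran when the last reference went */
};

/* Replays the frobnicator sequence: plug in, a user opens an attribute file,
 * unplug, the driver cleans up, and only then does the user close the file. */
static struct scenario_result run_hotplug_scenario(void)
{
    struct scenario_result r = {0, 0, 0};
    struct gendisk *disk = alloc_disk("frob0");
    disks_released = 0;
    if (!disk)
        return r;
    add_disk(disk);                 /* refcount 2: driver + sysfs */
    sysfs_open(&disk->kobj);        /* refcount 3: user process holds the file */
    del_gendisk(disk);              /* device unplugged: sysfs reference dropped */
    put_disk(disk);                 /* driver reference dropped */
    r.refs_after_driver_done = disk->kobj.refcount;  /* 1: the user still holds it */
    r.released_before_close = disks_released;         /* 0: nothing freed yet */
    sysfs_close(&disk->kobj);       /* refcount 0: disk_release() runs now */
    r.released_after_close = disks_released;          /* 1 */
    return r;
}
```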
Of course, things can get more complicated than that. If, for example, a
module adds attributes to sysfs entries, that module cannot be removed
until it is certain that all of the relevant references have gone away.
It gets even worse if kernel code tries to attach attributes to objects
which it does not own; in that case it can be very hard to get everything
right. It may eventually prove necessary to rework some of the sysfs
interfaces to make it easier to avoid mistakes, but that seems unlikely for
2.5 at this point. In the meantime, connecting the pieces together
correctly can be an intimidating task the first time around, but the
alternative is to put denial of service vulnerabilities into the kernel.
The ext3 filesystem is, for many, the standard journaling filesystem for
the Linux kernel. So it has been somewhat embarrassing that ext3 still
uses a number of deprecated interfaces, including the big kernel lock and
sleep_on(). The big kernel lock (BKL) is a holdover from the
initial Linux symmetric multiprocessing implementation, when it was not
safe for more than one processor to run in the kernel at the same time.
Its presence in ext3 is not just considered archaic and inelegant; it is
also a serious performance constraint on larger SMP systems.
As of 2.5.73, the BKL has been abolished from ext3, thanks to a lengthy
series of patches by Andrew Morton and Alex Tomas. These patches never did
show up on linux-kernel, but they have been part of the -mm kernel tree for
some time. Says Andrew:
My gut feeling is that there should be one, maybe two bugs left in
it, but no problems have been discovered...
So, as with all development kernels, a bit of caution is called for.
Removing the BKL from ext3 was actually a simple thing to do. That
filesystem, itself, had no need for the BKL - it is the generic journaled
block device (JBD) layer that required that protection. So the first step
was to push the BKL
down a layer, and ext3 was BKL-free. Of course, that didn't solve the real
problem, but it was a start. While ext3 was being worked on, a few other
patches went in:
- Concurrent block and inode allocation, much like ext2 has had for
some time. This patch puts a separate spinlock on each cylinder group
in a filesystem, allowing allocation to happen in multiple groups
simultaneously.
- "Fuzzy counters," which implement approximate counters for free
blocks and inodes using per-CPU variables.
- The ext3 "data=journal" mode has been fixed. This mode,
which journals all data written to the disk (rather than just the
metadata), had been broken for a long time.
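The "fuzzy counter" idea can be shown in a few dozen lines. The C below is an added example, not the code from the ext3 patches: NR_CPUS, FUZZY_BATCH and the function names are this example's own choices. Each CPU accumulates its changes in a private slot and only folds them into the shared total when the slot drifts past the batch size; a fast read returns the shared total, which can be stale by at most NR_CPUS times the batch, while an exact read walks every slot. The constructed workload at the end checks that the cheap reading stays inside that bound.

```c
/* Added example, not the ext3 patch's code: a user-space model of a
 * "fuzzy" per-CPU counter. NR_CPUS, FUZZY_BATCH and the function names
 * are this example's assumptions. */
#include <stdio.h>

#define NR_CPUS     4
#define FUZZY_BATCH 32  /* assumed: how far a CPU-local delta may drift before folding */

struct fuzzy_counter {
    long global;          /* shared total; only touched on the (rare) fold path */
    long local[NR_CPUS];  /* per-CPU deltas; each CPU touches only its own slot */
};

void fuzzy_init(struct fuzzy_counter *c, long initial)
{
    c->global = initial;
    for (int i = 0; i < NR_CPUS; i++)
        c->local[i] = 0;
}

/* Update from `cpu`: cheap, touches only that CPU's slot, until the slot
 * drifts past FUZZY_BATCH, at which point it is folded into the shared
 * total (the path that would take a lock on a real SMP box). */
void fuzzy_add(struct fuzzy_counter *c, int cpu, long delta)
{
    long v = c->local[cpu] + delta;
    if (v > FUZZY_BATCH || v < -FUZZY_BATCH) {
        c->global += v;
        c->local[cpu] = 0;
    } else {
        c->local[cpu] = v;
    }
}

/* Fast read: one load, but may be stale by up to fuzzy_max_error() */
long fuzzy_read_fast(const struct fuzzy_counter *c) { return c->global; }

/* Exact read: walks every CPU's slot; use this when the answer matters
 * (an enforcement decision such as ENOSPC, not a statistic) */
long fuzzy_read_exact(const struct fuzzy_counter *c)
{
    long sum = c->global;
    for (int i = 0; i < NR_CPUS; i++)
        sum += c->local[i];
    return sum;
}

long fuzzy_max_error(void) { return (long)NR_CPUS * FUZZY_BATCH; }

/* Constructed workload: 1000 allocations spread over the CPUs, with a
 * free on a neighbouring CPU every third step. Stores both readings and
 * returns 1 if the fast one stayed within the documented error bound. */
int fuzzy_demo(long *fast_out, long *exact_out)
{
    struct fuzzy_counter free_blocks;
    fuzzy_init(&free_blocks, 10000);
    for (int i = 0; i < 1000; i++) {
        int cpu = i % NR_CPUS;
        fuzzy_add(&free_blocks, cpu, -1);                      /* allocate */
        if (i % 3 == 0)
            fuzzy_add(&free_blocks, (cpu + 1) % NR_CPUS, +1);  /* free elsewhere */
    }
    *fast_out = fuzzy_read_fast(&free_blocks);
    *exact_out = fuzzy_read_exact(&free_blocks);
    long err = *exact_out - *fast_out;
    if (err < 0)
        err = -err;
    return err <= fuzzy_max_error();
}

/* Wrappers returning a single figure each */
long fuzzy_demo_exact(void) { long f, e; fuzzy_demo(&f, &e); return e; }
int fuzzy_demo_within_bound(void) { long f, e; return fuzzy_demo(&f, &e); }

int main(void)
{
    long fast, exact;
    int ok = fuzzy_demo(&fast, &exact);
    printf("fast=%ld exact=%ld within bound: %s\n", fast, exact, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The caveat a practitioner should take from the two read paths: the fast value is fine for statistics, but anything that enforces a limit (refusing an allocation because the filesystem looks full, a quota check) needs the exact walk, because a workload spread across CPUs can move the real count well past what the fast read reports before any slot folds.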
With ext3 done, it was time to fix up the JBD layer. This job was not done
halfway - a lengthy series of patches adds several locks and a whole,
complicated, fine-grained scheme. Each transaction gets two separate locks
(t_handle_lock and t_jcb_lock) controlling access to
various data structures. There is another set for the journal:
j_state_lock for scalar state information, j_list_lock
for lists and buffers, and j_revoke_lock for the list of revoked
blocks. Two more locks protect aspects of the buffer head/journal
head combination. And, of course, there is a whole set of ordering rules
to control which locks must be taken before which others. Believe it or
not, there is even a certain amount of documentation in the code comments
describing which locks protect which data structures.
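A lock-ordering rule is easiest to understand as something a checker can enforce at run time. The C below is an added example in that spirit, not JBD code: it borrows the lock names from the list above, but the ranks assigned to them are assumed for illustration and are not the order the real JBD code uses. Every acquire is checked against the locks the current thread already holds; taking a lock of equal or lower rank than one already held is reported, because the same pair taken in the opposite order on another CPU is an ABBA deadlock, which in a filesystem journal is a denial of service waiting for a trigger.

```c
/* Added example, not JBD code: a run-time lock-ordering checker of the
 * kind those ordering rules call for. The ranks below are assumed for
 * illustration; they are not the order the real JBD locks use. */
#include <stdio.h>
#include <string.h>

#define MAX_HELD 8

struct lock_class {
    const char *name;
    int rank;  /* locks must be taken in strictly increasing rank */
};

/* Assumed ranks for this example only */
static const struct lock_class j_state_lock  = { "j_state_lock",  1 };
static const struct lock_class t_handle_lock = { "t_handle_lock", 2 };
static const struct lock_class j_list_lock   = { "j_list_lock",   3 };
static const struct lock_class j_revoke_lock = { "j_revoke_lock", 4 };

/* Per-thread record of the locks currently held, innermost last */
struct held_stack {
    const struct lock_class *held[MAX_HELD];
    int n;
    int violations;
};

void held_init(struct held_stack *s) { memset(s, 0, sizeof(*s)); }

/* Model taking `c`. Returns 0 if the acquire respects the rank order,
 * -1 if it inverts it (against another CPU taking the same pair in the
 * correct order, that is an ABBA deadlock). The acquire is recorded
 * either way so the caller's releases stay balanced. */
int lock_acquire(struct held_stack *s, const struct lock_class *c)
{
    int ok = 0;
    for (int i = 0; i < s->n; i++) {
        if (s->held[i]->rank >= c->rank) {
            fprintf(stderr, "order violation: %s taken while holding %s\n",
                    c->name, s->held[i]->name);
            ok = -1;
        }
    }
    if (ok)
        s->violations++;
    if (s->n < MAX_HELD)
        s->held[s->n++] = c;
    return ok;
}

void lock_release(struct held_stack *s, const struct lock_class *c)
{
    for (int i = s->n - 1; i >= 0; i--) {
        if (s->held[i] == c) {
            memmove(&s->held[i], &s->held[i + 1],
                    (size_t)(s->n - i - 1) * sizeof(s->held[0]));
            s->n--;
            return;
        }
    }
}

/* Correct nesting under the assumed ranks: journal state, then the
 * transaction handle, then the revoke list. Returns violations (0). */
int path_well_ordered(void)
{
    struct held_stack s;
    held_init(&s);
    lock_acquire(&s, &j_state_lock);
    lock_acquire(&s, &t_handle_lock);
    lock_acquire(&s, &j_revoke_lock);
    lock_release(&s, &j_revoke_lock);
    lock_release(&s, &t_handle_lock);
    lock_release(&s, &j_state_lock);
    return s.violations;
}

/* Inverted nesting: j_list_lock first, then j_state_lock. Returns violations (1). */
int path_inverted(void)
{
    struct held_stack s;
    held_init(&s);
    lock_acquire(&s, &j_list_lock);
    lock_acquire(&s, &j_state_lock);
    lock_release(&s, &j_state_lock);
    lock_release(&s, &j_list_lock);
    return s.violations;
}

int main(void)
{
    printf("well ordered: %d violation(s)\n", path_well_ordered());
    printf("inverted:     %d violation(s)\n", path_inverted());
    return 0;
}
```

path_well_ordered() reports no violations; path_inverted() reports one and names the offending pair on stderr. The rank table is the documentation in the code comments turned into something the machine checks, which is the discipline the kernel's lockdep validator later automated.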
The whole body of work clearly needs wider testing (and benchmarking), so
it's probably a good time for it to go into the mainline kernel. Hopefully
there won't be too many surprises lurking for the unwary (or unbacked-up).
As this work stabilizes, however, another big item can be scratched off the
"must-fix" list.
Comments (6 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
[This article was contributed by Ladislav Bodnar]
An unfortunate side effect of the current media frenzy over a certain
legal battle is that many interesting development projects get less
exposure in the media or get buried between more "exciting"
headlines. Fortunately, there is little doubt that Linux software
development continues unabated, despite all the ill-founded attempts to
discredit it. Last week's
announcement
by Transmeta Corporation of an agreement allowing Chinese 2000 Holdings
Ltd. to develop and market Midori Linux in Asia may have been one such
missed press release. But what exactly is Midori Linux, and how significant
is this announcement?
Midori Linux is a Linux-based distribution for small and embedded
devices. The name means "green" in Japanese, which becomes rather
apparent if you visit the project's home page. Little was known
about the beginnings of the Midori project before it was open
sourced and released
under the GPL in March 2001. However, interest from the open source
community in developing the distribution further has been limited, and
the project appeared to be on its way to extinction after the last
release of Midori Linux, version 1.0.0-beta3, nearly two years ago. The
announcement of Asian involvement in the project is Transmeta's
latest attempt at reviving Midori Linux.
Who is Chinese 2000 Holdings? An investigation on the Hong Kong-based
company's background reveals some interesting facts. The company was
initiated by one Henry Chu (Chu Bang-fu), a name that is unlikely to
ring any bells in the minds of most Western readers, but Mr. Chu is a
household name in Taiwan and other parts of the Chinese-speaking world.
In fact, he is often credited with initiating the Chinese computer
revolution by inventing in 1980 a Chinese input method for computers
called "Cang Jie". The Cang Jie
input enables users to enter Chinese characters based on the
character's shape and structural appearance, rather than its
pronunciation. This method greatly reduces the number of key strokes
required for inputting Chinese and eliminates common typing errors.
While many newer input methods, many of them commercial, were invented
in later years, Cang Jie still remains a popular input method of
professional typists in Taiwan and Hong Kong.
Instead of demanding royalties and enforcing rights,
Mr. Chu released his invention into the public domain to be shared
without any strings attached. It therefore comes as no surprise that
the company Mr. Chu later founded embraced Linux wholeheartedly as a
platform for further development. The current range of products
developed by Chinese 2000 Holdings includes a desktop Linux distribution
called Chinese
2000 and various Linux-based electronic devices, such as their e-book
reader.
This brings us back to Midori Linux and Transmeta's interest in getting a
foothold in the Asian market for embedded devices. While the adoption of
embedded devices has been slow in North America and Europe (even
sales of PDAs have reportedly been dropping), Asian consumers appear to
be more receptive to these new technologies. More importantly,
development of embedded Linux is well advanced in Asia, and there are
companies in Korea, Taiwan and Japan with many years of experience in
modifying the Linux kernel for specialist needs. Korea's Hancom Linux is a prime
example; all the latest Linux-based Sharp Zaurus PDAs ship with a
modified version of Hancom Office for Zaurus. Many US-based
corporations specializing in embedded devices have also been keen on
establishing an active presence in Asia. MontaVista opened an office in Taiwan
in October last year, while RedSonic has set up a substantial
network of development offices and distribution partners throughout
Taiwan, China, Korea and Japan. If anything, Transmeta's Midori is
rather late for the embedded Linux party.
But has the party really started? If it has, it is confined to less
visible and specialist applications, perhaps in car manufacturing or
medicine; embedded Linux certainly hasn't had much of an impact on
the consumer market. Taiwan's Computex is a good indication of what
Asian hardware manufacturers are up to, and the increasing number of
e-books, tablet PCs and Internet-enabled mobile telephones over the
last two years seems to indicate that these devices are here to stay.
Yet seeing a morning commuter take out an electronic reading device
instead of a newspaper remains an elusive dream. Take into account
that these types of devices are often expensive, prone to damage, lack
common standards and offer a limited selection of reading material,
and it is easy to see why consumers have yet to find compelling reasons
to embrace them.
Few will doubt that Linux is an excellent choice for small and embedded
electronic devices, capable of providing solutions for specialist
needs. But the large-scale consumer adoption of electronic devices that
many have predicted has yet to happen. Nevertheless, work continues, and
Midori's latest expansion into Asia is proof that this field is far
from dead.
Comments (none posted)
Distribution News
Below is a letter from Seth Vidal, at Duke University, who points out that
many universities have customized distributions based on Red Hat Linux,
Duke included. This
mailing
list has been set up to facilitate discussion on supporting these
systems past Red Hat's end-of-life dates.
Full Story (comments: 1)
This week's edition of the
Debian Weekly
News is out, with a look at a survey which demonstrates a high level of
interest in PCs preloaded with GNU/Linux across the world; the story of
Tux; and much more.
Debian Planet has
announced the creation of a Debian 10th birthday party
coordination page. Debian turns ten on August 16, 2003.
Comments (none posted)
The Gentoo Weekly Newsletter for June 16, 2003 is out. This week's edition
looks at Gentoo Linux Enhancement Proposals and a new home for
bugs.gentoo.org, plus user stories, Gentoo Linux in production
environments, and more.
Full Story (comments: 2)
The
Mandrake Linux Community Newsletter for
June 5, 2003 is out. In this issue: Mandrake in the News --
TweakHound.com, LinuxWorld.com; BizCase of the Week -- Multimedia: Ambitone
Oy; Quick Tips -- Mandrake Community TWiki, Easy URPMI Setup; Software
Updates -- sb, mozilla, gnupg, more; Headlines from MandrakeClub.com --
Write better PHP code, 101 modules for Advanced Extranet server.
MandrakeSoft has announced the immediate
availability of The Definitive Guide to Using Mandrake Linux, 2nd
Edition which has been thoroughly updated and
expanded to cover the recently released Mandrake Linux 9.1.
Here's a bug advisory for qt3: it would crash when the XFree86 server
did not support the Render extension.
Comments (none posted)
Slackware Linux has some new
changes in the
slackware-current changelog, including upgrades to Linux kernel
2.4.21.
Comments (none posted)
ZDNet picks up an article on
easing
Lindows OS into an existing network. "When the Lindows OS
developers were working with version 1.0 and readying version 2.0, I was
extremely skeptical as to whether or not this operating system would find
its way into the enterprise. With the release of Lindows OS 3.0, I think
they've got a potential winner on their hands as long as it is approached
with an open mind. Let's take a look at how you can slowly introduce this
Linux-based operating system into your Windows environment without having a
major upheaval of your existing infrastructure." (Thanks to Con
Zymaris)
Comments (none posted)
New Distributions
Alcolix is a minimal Linux
rescue distribution with the goals of being small, compatible, and very
usable. It has a cozy shell and a multitude of partition rescue/editing
tools, all based on up-to-date releases (e.g., 2.4.x kernel with USB
support). It uses cpio.bz2 data disks and has a full GRUB bootloader,
memtest86, and more. Version
2.4.20 BETA3 was released
June 16, 2003.
Comments (1 posted)
CERN Linux is based on Red Hat Linux,
with modifications to the kernel (to better support their hardware) and
with additional software for High Energy Physics (HEP). It is used mostly
at CERN and a few of the smaller HEP institutes worldwide, running on farm
machines, servers, desktops and embedded PCs.
Comments (none posted)
free-EOS is a French
distribution with the aim of being incredibly easy to set up and get a set
of services running. Version 1.1 was released June 14, 2003.
Comments (none posted)
Linux4Geeks is a collection of
GNU software, several programs and the Linux kernel. If you want a fast
and stable system, this distribution is the right one for you! But if you are
looking for an easy-to-use operating system, go and get another
distribution! Linux4Geeks is based on Linux From Scratch, so if you don't
want to compile all the needed packages yourself you can easily take this
distribution and start integrating the programs you need. By the way: to
install Linux4Geeks you need a working installation of Linux to make your
Linux4Geeks bootable. Version
0.01 was released June 11,
2003.
Comments (none posted)
Minor distribution updates
Adamantix (formerly known as
TrustedDebian) has released
v1.0.1 with minor feature
enhancements. "Changes: In this version all packages are GPG signed,
there are random PIDs, the kernel is compiled with SSP, several packages
have been fixed, there are several security updates, the PaX functionality
test suite was added, PaX, RSBAC, and SSP were updated, and several kernel
fixes (mostly security related) were added."
Comments (none posted)
Astaro Security Linux
has released
v4.008
with major feature enhancements. "Changes: This ISO adds support for
AMD K6, Intel P1, and VIA C3 CPUs, as well as modern boards with dual CPU
support and interrupt controller programming (APIC). It also updates all
occurrences of glibc (security fix). The new Linux kernel includes the
security routing-cache-hash and TCP/IP fragment reassembly handling patch,
the TTY exploit patch, an ext3 bugfix, new modules for PPTP, drivers for
NICs, support for the Toshiba LCD, and support for Compaq SmartArray 5 and
Adaptec I2O RAID. A new exim (SMTP-Proxy) is included for a small AV
interaction bugfix."
Comments (none posted)
Freepia has released
v0.3.6 with major feature
enhancements. "Changes: This release supports 5.1 surround sound
over S/PDIF (coax). A new graphics driver brings better performance. There
is dhcpclient support and smbclient support. Partitions are now
autodetected. USB storage support has been added to store configuration on
USB devices. Kernel 2.4.21-rc2 is now used. rootfs has been shrunk. There
is cramfs support for packages, a US keyboard layout, and many
bugfixes."
Comments (none posted)
MoviX has released
v0.8.0rc1 with major
feature enhancements. "Changes: The DVD interface has been
completed. The VCD, XCD, and AudioCD interfaces were implemented. APIC
kernel support was added. A menu entry for filing bug reports was added. A
Spanish translation was added. Linux swap partitions are now automatically
activated. The DXR3 modules call was fixed, and new DXR3 menu and
partitions/net volumes menus were implemented. Support for TrueType fonts
and Chinese fonts was added."
MoviX2 has released v0.3.0rc1 with minor
bugfixes. "Changes: Bug fixes were made for the "Error while reading
cmd fd 7 : Success" message, for eject, and for ISA audio cards
bugs. Subtitles with True Type fonts were added. Simplified Chinese
subtitle fonts were added. NVidiaTV label was added. setHardware.pl from
MoviX was synchronized. The default color depth was set to 16bpp for all
cards. Support for Intel video cards was fixed. Minor changes were made to
input.conf and gui.conf. bugReport was improved. Support for Sony remotes
was added. ACPI support was added to the kernel."
Comments (none posted)
PLD RescueCD has released
v1.01 with minor feature
enhancements. "Changes: The kernel was updated to PLD 2.4.20-8. 235
new modules were built (USB serial, irda, mtd, ieee1394, bluetooth, pcmcia,
gigabit ethernet). Framebuffer support was added. 115 packages were
updated. The following programs were added: diag-ether, fbset, iptstate,
mathopd, pound, progsreiserfs, trafshow, and wireless-tools."
Comments (none posted)
Recovery
Is Possible! (RIP) has released
v53 with major feature
enhancements. "Changes: All the software and the kernel have been
updated."
Comments (none posted)
Rock Linux has announced
v2.0.0.0-beta5 with minor
feature enhancements. The Desktop Rock distribution (dRock) has also
released
v2.0.0-beta5.
Comments (none posted)
ThinStation has released
v0.92 with major
bugfixes. "Changes: The order of downloading
thinstation-group-XXX.conf with TFTP was fixed. The XFree 4.2 cursors were
tweaked. The thinstation.conf file was cleaned-up."
Comments (none posted)
Distribution reviews
LinuxQuestions.org adds a
Distribution Review
Section to its website. Compare different distributions, read what
others like (or don't like), and add comments of your own.
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
Q Equational Programming Language is a project that is being
worked on by Albert Gräf at the University of Mainz in Germany.
The Q language has the following properties:
- It is an interpreted language.
- The programs consist of collections of equations.
- It has dynamic object-oriented typing.
- It features exception handling and posix multi-threading.
- It comes with its own standard library.
- It can be extended with C language primitives.
- It runs on a wide variety of operating system platforms.
- An EMACS editor interface is included.
- Performance is similar to that of other interpreted languages.
- It has been released under the GNU General Public License (GPL).
The
Q language Documentation explains the language in more detail. An
example Huffman encoding program shows the language in use.
Version 4.3 of the Q interpreter has been released, see the
NEWS document for the language change history.
Recent additions to the language include new versions of
Q-Audio 1.0 and Q-Midi 1.10.
Q-Audio adds a language interface to the libsndfile audio libraries,
and Q-Midi adds a MIDI interface to the language.
Comments (1 posted)
System Applications
Audio Projects
The latest
additions to the
Planet CCRMA audio utility packaging project include
new versions of Jack, Rosegarden, Noteedit, MCP LADSPA Plugins,
Mammut and Ceres for Red Hat 8.0 and 9, Cinelerra, Meterbridge, and more.
Comments (none posted)
Version 0.72.4 of JACK, the Jack Audio Connection Kit, has been
released. This version includes updated documentation, bug fixes,
MacOSX support, and more.
Full Story (comments: none)
Database Software
A new project called Common Lisp Prevalence has been started.
It is a lisp implementation of Object Prevalence, a scheme for
performing database-like operations in system RAM.
"The first public version of Common Lisp Prevalence has been
released. The system is a proof of concept implementation of
Object Prevalence in Common Lisp. It has been developed with
OpenMCL and it is known to run also under CMUCL."
Full Story (comments: none)
The June 11, 2003 edition of the PostgreSQL Weekly News
is out with the latest PostgreSQL database news.
"The biggest change is that 7.4 code freeze and beta testing
is being pushed
back 2 weeks to account for the cvs downtime. Code freeze will now be
July 1st, with beta testing starting July 15th. This should allow
everyone enough time to get their patches in and get the currently
submitted patches all caught up."
Full Story (comments: none)
Education
Version 1.4.3 of Fle3
is available.
"Version 1.4.3 of Fle3, server software for computer supported
collaborative learning (CSCL), is released. This is a bug fix release that
also contains some new features (information graphs in a knowledge building,
course resources) and improvements in the user interface."
Comments (none posted)
Electronics
The latest developments from the
gEDA project
(GPL'd suite of Electronic Design Automation) include
new versions
of Icarus Verilog, gnucap, and VBS.
Comments (none posted)
Printing
Version 1.08 of PyKota, a print quota system,
is available.
"Two major bugs were fixed, first one wrt LPRng support and second one wrt increasing or decreasing a user's account balance. Some minor bugs were also fixed. Finally an LDAP schema and sample LDIF file are included, which will serve as the basis for the future LDAP storage support."
Comments (none posted)
Web Site Development
Sean Reifschneider has released the first public version of
JOTWeb.
"JOTWeb is a system for developing dynamic web sites using a combination
of HTML+TAL/TALES/METAL and Python, with mod_python for integrating with
Apache. Benefits include good documentation, a fairly simple and
intuitive design, and powerful yet easy to use session and form
processing."
Full Story (comments: none)
Version 3.1.21 of the
mnoGoSearch
web site search engine is available.
The
changes
are mostly related to bug-fixes.
Comments (none posted)
A beta release of version 0.9.2 of Silva
has been announced.
"Silva is a web application (Zope based) for authoring and serving
publications for the web, paper, and other media. Content is stored in
clean and future-proof formats, independent of layout and presentation,
suitable for use in multiple contexts."
The release adds a revised user interface, a new metadata architecture,
indexing via the Zope catalog, better performance, and more.
Comments (none posted)
Version 0.3 of Epoz, a wysiwyg editor for Zope and Plone that works
with Mozilla,
is available.
"Epoz is now shipped with a default toolbox for Plone. So you can
insert Links and Images simply by navigating your site. With Epoz
Plone becomes usable even for inexperienced users...:)"
Comments (none posted)
Version 3.2b2 of ZODB, the Zope Object Database, has been released.
It includes performance improvements, bug fixes, a new ZEO
authentication protocol, and the new ZConfig configuration language.
Full Story (comments: none)
Version 0.3 of Zope Group Calendar, an open-source group calendar,
has been released.
"A new screen for changing permissions settings was added, the broken
week/day view was fixed, and the calendar now shows all event-like objects
that have a start and end attribute."
Comments (none posted)
Version 1.1 of GuardedFile
is available for Zope.
"GuardedFile provides a convenient way to create Zope
File objects that are accessible by proxy only."
Comments (none posted)
Documentation
The June 17, 2003 edition of The Linux Documentation Project
weekly news is out. Topics include a history of The LDP,
updated documents, and happenings in the LDP world.
Full Story (comments: none)
Standards
According to PCWorld, the 802.11g wireless standard
has been approved.
"The new standard, 802.11g, lays out the ground rules for wireless LAN gear that is capable of at least 24 megabits per second and up to 54 mbps, while remaining backward compatible with existing 802.11b gear that runs at a maximum 11 mbps. Both standards use radio spectrum in the range of 2.4 GHz. Another standard, 802.11a, defines 54 mbps gear in the 5-GHz range."
Comments (none posted)
Miscellaneous
Version 1.2.3 of the FreeGIS CD has been released and contains a
collection of mapping applications.
"The CD presents a collection of GIS applications, libraries and data
sets in current, stable versions. It contains e.g. GRASS, MapServer,
gdal, PROJ, GLOBE and the simple viewer Thuban."
Full Story (comments: none)
A new version of PCGen
has been released.
"PCGen is a Java-based RPG character generator and maintenance
program that works on all platforms (Windows,
Mac OS X, Linux,
etc). All datafiles are ASCII so they can be modified by users,
and are available through the pcgendm
project. An XML conversion is underway."
A number of bugs have been fixed for this release.
Comments (none posted)
IBM's developerWorks has
an article on the OptimalGrid project.
"In this article, we introduce OptimalGrid, a research prototype from grid researchers at the IBM Almaden Research Center. OptimalGrid is middleware that aims to simplify creating and managing large-scale, connected, parallel grid applications. It optimizes performance and includes autonomic grid functionality. You don't need to be a grid infrastructure expert to use it. You supply the code that represents your basic problem algorithm, and OptimalGrid manages everything else -- problem partitioning, problem piece deployment, runtime management, dynamic level of parallelism, dynamic load balancing, and even system fault tolerance and recovery."
Comments (none posted)
Desktop Applications
Audio Applications
Another new version of horgand, an organ simulator, has been released.
This version adds a reverb preset, real time response for sliders and
dials, bug fixes, and more.
Full Story (comments: none)
Desktop Environments
According to GnomeDesktop.org, the first release of
Gnome-themes-extras,
a new collection of metathemes for the GNOME desktop, is available.
Comments (none posted)
The June 13, 2003 edition of the
KDE-CVS-Digest
is online.
"We see new Kontact plugins for summary, notes and newsticker. Koffice has improved import and export filters, plus template loading from the command line. An improvement in speed for Konqueror file and image viewing. Also, KDE crash handler Dr Konqi hooks to Kdevelop for debugging. Improvements to Kdeprint, KGhostview, and user interface cleanups. And numerous bug fixes."
Comments (none posted)
KDE.News
mentions
the publication of the preliminary KDE 3.2 release schedule.
KDE developers should take a look and schedule their project releases
for inclusion in KDE 3.2.
Comments (none posted)
KDE.News
reports on
a DVD backup utility called QuickRip.
"Version
0.7 has just been released, bringing the basic list of features close to
completion, but we'd like to see more feature requests, bug reports (or
less!) and code submissions before we hit the 1.0 milestone to make QuickRip
the best DVD backup utility for KDE."
Comments (none posted)
Games
Version 0.82 of the game Civil
has been announced.
"Civil 0.82 was released today. This version includes faster LOS
code, support
for battles from multiple theatres and numerous bug fixes and enhancements.
Civil is a turn-based strategy game about battles in the American Civil War.
Features network play, fancy graphics and audio."
Comments (none posted)
Graphics
GnomeDesktop has
an announcement for version 1.2.5 of the GIMP.
"This is a minor bugfix release. Notably the build error in
gimp-remote has been fixed."
Comments (none posted)
Version 1.45 of
Gmsh,
a three-dimensional finite element mesh generator, has been released.
The
changes
include bug fixes, updated documentation, and more.
Comments (none posted)
GUI Packages
Version 2.4.1 of the
wxWindows
cross-platform GUI framework is available.
"This contains bug fixes to 2.4.0, including improved behaviour on Windows XP."
Comments (none posted)
Interoperability
Issue #174 of
Wine Traffic is out.
Topics include:
SuSE Linux Office Desktop, Game Compatibility List,
Direct3D To Do List, and Quartz Revisited - New Ideas.
Comments (none posted)
Office Applications
Issue #148 of the
AbiWord Weekly News is online.
"This week, you can learn how to add OTS to your applications, help us develop Windows, see what icons from Jimmac can do to the Abi-Interface and witness the miracle of OpenSource. Also, Marc is still many euros in debt, and we are still without our server."
Comments (none posted)
Issue #84 of
GNUe Traffic has the latest GNU Enterprise development news.
Topics include: Designer's dependencies for Python and wxPython,
Bayonne developments, New release and Debian packaging strategy,
SAP-DB and MySQL join forces?, and Arias, fork of NOLA.
Comments (none posted)
Web Browsers
Mozilla 1.4 RC 2
has been announced. See the
release notes for a list of changes.
Comments (none posted)
The minutes from two weeks worth of Mozilla.org staff meetings
are online. See the minutes from
June 2, 2003 and
June 9, 2003.
Comments (none posted)
The June 13, 2003
Mozilla.org Status Update has been published.
"This status update contains news on Mozilla 1.4, Mozilla Thunderbird, Mozilla Calendar, ChatZilla, Linux 1.4 branch builds compiled with GCC 3.2.3, tabbed browsing URL-remembering fixes and more."
Comments (none posted)
The June 15, 2003 Mozilla
Independent Status Reports are out.
Updates include Extension Room, CardGames, Der Tandem Browser,
mozdev, Mozile, and Linky.
Comments (none posted)
Miscellaneous
According to GnomeDesktop, version 0.99 of gtranslator, a
gettext po file editor,
has been released.
"The new gtranslator 0.99 is out which is the 1st release on the
GNOME 2.x platform and features a quite usable and stable subset
of the gtranslator functionality - all users and interested people
in gtranslator development should try the new release!"
Comments (none posted)
Version 4.1.6 of HylaFAX, a fax modem utility, has been released.
"A large number of mission-critical bugs are fixed in 4.1.6.
Upgrading is recommended for all users."
The release also has new features and support for additional modems.
New users of HylaFAX should take a look at the
How-To Guide.
Thanks to Jay R. Ashworth.
Full Story (comments: 1)
Languages and Tools
Caml
Richard Jones has put together
a tutorial
for learning OCaml.
"This is a practical, detailed tutorial for people who already know an imperative or OO-language and wish to learn OCaml."
Comments (1 posted)
The June 10-17, 2003 edition of the Caml Weekly News
is out with the latest Caml language news.
Full Story (comments: none)
Java
O'Reilly has published another
excerpt from the JavaScript &amp; DHTML Cookbook.
"In our sixth and final sample recipe from Danny Goodman's
JavaScript & DHTML Cookbook, learn how to locate the pixel
coordinates of a nonpositioned element that the browser has placed
during normal page flow."
Comments (1 posted)
Andrei Cioroianu
shows how to code a progress bar with JSP.
"Many web and enterprise applications must perform CPU-intensive operations, such as complex database queries or heavy XML processing. These tasks are handled by database systems or middleware components, but the results are presented to the user with the help of JSP. This article shows how to implement the front tier in order to improve the user experience and reduce the server load."
Comments (none posted)
Brian Goetz
covers the future of Java on IBM's developerWorks.
"As with past JavaOne conferences, the opening keynote looked at the current state of Java technology and presented a roadmap for where it is going in the next year. This year, Sun VP Graham Hamilton and CTO Timothy Lindholm offered some notable changes in direction and focus for Java technology over the next twelve to eighteen months."
Comments (none posted)
Perl
The June 9-15, 2003 edition of
This Week on perl5-porters is out.
"This was a quiet week -- summer approaches -- but a few interesting points were raised. New warnings, portability points, and miscellaneous bugs are covered in this summary."
Comments (none posted)
The June 8, 2003 edition of
This week on Perl 6 is out with the latest Perl 6 development news.
Comments (none posted)
Phil Crow
talks about working with Design Patterns in Perl.
"In 1995, Design Patterns was published, and during the intervening years, it has had a great influence on how many developers write software. In this series of articles, I present my take on how the Design Patterns book (the so-called Gang of Four book, which I will call GoF) and its philosophy applies to Perl."
Comments (none posted)
PHP
Version 0.97 Final of PHPSurveyor
is available.
"PHPSurveyor, a set of PHP Scripts for developing, and publishing online
surveys, makes its final 0.97 release. 0.97 concentrated on implementing
templates so that users could develop their own 'look and feel' to their
surveys. This release includes 3 templates. Releases with the 0.98 moniker
will be aimed at implementing localisation for the public survey screens, and
some additional features like date/time-stamping of survey responses and a
better way of ordering pre-defined answers."
Comments (none posted)
The June 16, 2003
PHP Weekly Summary
has been published. Topics include:
PECL migration, MySQL and OpenSSL, mysql_info() function, mysqli (PHP 5), PHP and System32 on Win32.
Comments (none posted)
Python
The Python-Dev summary for the second half of May is out; it looks at the
Python 2.2.3 release, dealing with new-style classes in C, attribute
lookup, and several other topics.
Full Story (comments: none)
The June 16, 2003 edition of Dr. Dobb's Python-URL! has been
published with a week's worth of Python projects and news.
Full Story (comments: none)
Take a look at the
Daily Python-URL
for a long list of Python language articles.
Comments (none posted)
David Mertz
discusses combinational iterators in Python on IBM's developerWorks.
"Python 2.2 introduced simple generators to the Python language and reconceived standard loops in terms of underlying iterators. With Python 2.3, generators become standard (no need for _future_), and the new module itertools is introduced to work flexibly with iterators. The itertools module is essentially a set of combinatorial higher-order functions, but ones that work with lazy iterators rather than with finite lists. In this installment, David explores the new module, and gives you a sense of the new expressive power available with combinatorial iterators."
Comments (none posted)
Ruby
The June 16, 2003 edition of the
Ruby Weekly News is out.
Threads include Description of changes between Ruby versions,
High speed String concatenation, and
RaaInstall in the standard Ruby distribution.
Comments (none posted)
Tcl/Tk
The June 16, 2003 Dr. Dobb's Tcl-URL! has been published,
take a look for the latest Tcl/Tk development news.
Full Story (comments: none)
XML
Uche Ogbuji
writes about XML data binding in Python on O'Reilly.
"In the XML community of late, there has been a lot of talk that there are no really easy and efficient ways of general XML programming. Push processing has the usual rap of being too difficult. It is easy to dismiss this as a problem for amateur programmers who have not properly learned how to code state machines; but let's face it, state machines are hard to code by hand, and the community has been slow to develop more declarative and friendly tools for developing SAX processing stubs, such as LEX and YACC tools for generating parser state machines."
Comments (none posted)
Manfred Knobloch
discusses XML stylesheet efficiency on O'Reilly.
"XSLT is often considered to be too verbose. As stylesheet code grows, it tends to be unreadable. This is not a fate stylesheet authors have to accept. There are some strategies to keep your XSLT code short. This article proposes some ways of shortening stylesheets without loss of functionality, and throws a glance at XSLT 2.0 user defined functions."
Comments (none posted)
Bei Shu
writes about XML localization techniques on IBM's developerWorks.
"In this article, IBM software engineer Bei Shu shows you how to enable multiple language support in your Web applications using different XML technologies from the architect perspective. She presents two approaches to implementing XML-based localization pack managers using XPath and XSLT -- embed and extend."
Comments (none posted)
IDEs
KDE.News
covers
the latest changes from the CVS version of KDevelop.
"The CVS version of KDevelop (a.k.a. "Gideon") continues to improve, both stability-wise and in the feature department."
Comments (none posted)
SourceForge has
an announcement for version 0.8 of Treebeard.
"Treebeard is a cross platform XSLT IDE written in Java; its
editor allows the loading and editing of an XML document and an XSLT
document at the same
time. It can apply the XSLT to the XML and display the output for further
editing / saving in XML, HTML or PDF. Treebeard also has a plug-able XML and
XSLT parser architecture, and comes bundled with Xalan2.5 and Saxon7.5."
A number of new features are included with this release.
Comments (1 posted)
Profilers
Version 0.5.4 of
OProfile,
a code profiler, has been released.
"This is a bugfix release; if you're using kernel 2.5.71 or above, upgrading is strongly recommended. A number of other fixes have also been made."
Comments (none posted)
Miscellaneous
Mark Murphy
writes about some of the issues behind geographically isolated
software development.
"Remote software development is becoming increasingly important to major technology firms and the IT groups of other large firms. Collaborating in business settings resembles volunteer public collaboration, but it's not identical. It is up to you and your boss to help promote a development model and system that will be effective for everyone."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet
discusses SCO's latest moves, which include raising the requested damages to $3 billion.
"The suit also adds illegal export issues stemming from the worldwide availability of open-source software. SCO claims IBM has breached its contract by making multiprocessor operating system technology available 'for free distribution to anyone in the world,' including residents of Cuba, Iran, Syria, North Korea and Libya, countries to which the United States controls exports. The open-source technology IBM released 'can be used for encryption, scientific research and weapons research,' the suit said." The new complaint also affirms that read-copy-update is one of SCO's issues; as
this LWN article from last week (still subscribers only) showed, that will be a hard one for them to prove.
Comments (24 posted)
Vnunet
covers a Giga
Information Group pronouncement saying IT decision-makers should rule out
Linux on the desktop until at least 2005. "
'It's a high risk
strategy to make any decisions based on being upset with Microsoft or
wanting to give Linux a chance. This is no time for platform religion,'
[analyst Rob Enderle] said."
Comments (8 posted)
Here's
a fun column in ZDNet on the importance of intellectual property protection.
"I think the open source movement does even more damage to the perceived value of bits. By advocating that all software should be basically free and that developers should work in a communal environment for everyone's benefit, the open source movement greatly denigrates the public's perception of the value of digital intellectual property."
Comments (23 posted)
Trade Shows and Conferences
This NewsForge article
looks at the
projects coming to LinuxTag taking place July 10 - 13, 2003 in
Karlsruhe, Germany. "
LinuxTag, which is itself organised along the
lines of a Free Software project, combines a free conference program
lasting three entire days, a business congress aiming at professional users
and enterprises, a government congress aiming at members of governmental
agencies, a workshop program maintained by the attending projects and an
exhibition consisting of commercial and non-commercial booths."
Comments (none posted)
The Register
heads for the
LinuxUser & Developer Expo, coming to Birmingham, UK later this
month. "
Heavyweights in the open source community such as Alan Cox,
Jon 'Maddog' Hall and Tim O'Reilly are down to present keynotes at the
show, which is part of the Networks for Business 2003 conference taking
place at the Birmingham NEC on June 24-26."
Comments (none posted)
Companies
News.com
reports
that HP has set up a new Linux division. "
In his new role as vice
president of Linux, Martin Fink will report to both ESS boss Scott Stallard
and HP's chief technology officer, Shane Robison. Fink had been a vice
president in the company's Business Critical Systems unit before the last
reorganization. Within the Linux organization, HP plans to add a director
of marketing, director of strategy and a director of engineering, although
those positions have not been formally named."
Comments (9 posted)
ComputerWorld
looks
into Microsoft's latest acquisition; the RAV technology from Romania's
GeCAD Software Srl. "
GeCAD's RAV AntiVirus for Mail Servers supports
a host of e-mail server products, including the free Sendmail, Qmail and
Postfix, and is available for a variety of operating systems, including
many flavors of Linux and BSD. Pricing per e-mail domain instead of per
mailbox is another major draw, experts and users said." Microsoft
plans to discontinue the RAV product line. (Thanks to Jay R. Ashworth)
Comments (19 posted)
NewsForge
predicts
that more anti-virus products for Linux will emerge to replace RAV, and
covers the discounts and deals currently available for RAV customers.
"Steven Sundermeier, Central Command product manager, says his
company is not only not in danger of being bought by Microsoft, but that
"Linux is an increasing part of our business. One of the niches of our
business plan is the Linux market." To help grow that niche, Central
Command is offering RAV users who 'upgrade' to their Vexira product between
now and September 30 a 25% discount."
Comments (none posted)
ComputerWorld
reports
on Red Hat's revenue for the first quarter of 2003. "
In a
statement issued after the close of the U.S. financial markets, the
Raleigh, N.C.-based company said it had a net income of $1.5 million for
the quarter that ended May 31, compared with a net loss of $273,000 in the
previous quarter and a $4.6 million net loss one year ago. Red Hat reports
its figures using generally accepted accounting principles." (Thanks
to Jay R. Ashworth)
Comments (none posted)
E-Commerce Times is running
a "special
report" on the SCO case. The article is most interesting in that it
shows that the wider press is beginning to figure out that there are GPL
issues involved in SCO's having distributed the disputed code. "
'The
GPL issue is something we've just recently been looking at,' SCO
spokesperson Blake Stowell told the E-Commerce Times. 'It's been said that
maybe we've contributed Unix source code to Linux, because SCO was formerly
a distributor of Linux.'
However, Stowell said, when the company discovered that its source code had
been incorporated into Red Hat Linux, it stopped
distributing its own version of Linux and ended any further Linux
development. This move, he noted, showed that SCO was acting according to
another GPL clause that could shore up its case." It's about time
they started thinking about the GPL...
On a similar front, NZheretic's
comment to another LWN article is worth a look for those who haven't
seen it; there's a great deal of detail regarding SCO's involvement in the
Trillian project, which worked to bring Linux to the ia64 processor.
Comments (12 posted)
ZDNet
looks at the implications of SCO having shipped its (claimed) code under the GPL.
"The issue isn't as clear-cut as either SCO or its opponents would have it, said John Ferrell, an intellectual-property attorney with Carr and Ferrell. 'If anybody tells you they have the definitive answer, they're crazy,' he said.
But he'd give the edge to SCO in the situation, not because of its interpretation of the GPL, but because of a legal principle stemming from the 1887 sale of a pregnant cow in Michigan. That case established the so-called doctrine of mutual mistake, under which a contract can be nullified if two parties--in this case SCO and a company using Linux--misapprehended the true nature of what was in the contract."
Comments (33 posted)
News.com
reports that SCO has dropped its bomb. "
SCO said that the termination of the AIX license means that all IBM Unix customers also have no license to use the software. 'This termination not only applies to new business by IBM, but also existing copies of AIX that are installed at all customer sites. All of it has to be destroyed,' [SCOsource manager Chris] Sontag said."
That should make SCO some more friends, and convince the world of the benefits of proprietary software as well.
Comments (22 posted)
Forbes is running
an article
on the litigious history of SCO, its backers, and its management.
"In other words, like many religious folk, the Linux-loving crunchies
in the open-source movement are a) convinced of their own righteousness,
and b) sure the whole world, including judges, will agree.
They should wake up. SCO may not be very good at making a profit by selling
software. (Last year the company lost $24.9 million on sales of $64.2
million.) But it is very good at getting what it wants from other
companies. And it has a tight circle of friends." (Thanks to
"alonzo").
Comments (57 posted)
Linux Adoption
The Brazilian government is planning to migrate 80% of all state-owned
computers from Windows to Linux. HispaLinux
covers
the announcement (in Spanish). PCLinuxOnline has a
translated
summary by Gonzalo Porcel. Or read the full
Google
translation. (Thanks to Leon Brooks)
Comments (none posted)
IT-Director
looks into
Linux adoption in Europe. "
Following the recent decision by the
City of Munich to opt for Linux on the desktop, it is worth taking stock of
the progress of Linux in government circles across Europe. This is, in my
view, a determining point in the Linux story, because if European
governments move to Linux in a big way, it will boost the momentum for
Linux everywhere. We have thus assembled a set of press clippings which
chart Linux acceptance in government."
Comments (none posted)
Legal
TheAge
reports that South Australia is getting pressure from the Microsoft-backed
Initiative for Software Choice (ISC) over a proposed Open Source software
bill. "
ISC executive director Bob Kramer said in the letter: "The
ISC believes that if this 'preference' legislation were to be enacted it
would severely limit software choices for South Australia's government,
harming not only its citizens, but also South Australia's vibrant
information and communications technology (ICT) industry." You can
find a draft of arguments for the bill
here, along with a link to
the actual bill. (Thanks to James Berry)
Comments (2 posted)
Interviews
EuroPython continues a series of interviews with the people who will be
speaking at the EuroPython and Zope Conference. This week
meet Marc-Andre Lemburg author of mx Extensions for Python.
"EuroPython: On which parts of Python are you working as Python
developer? Which parts interest you most? MAL: Since I wrote much of
Python's Unicode implementation building on an initial prototype written by
Fredrik Lundh a few years ago, I still maintain most of it. These days I
tend not to have much time to actually do coding work, but I try to
overlook the general design and make sure that it stays in line with what
the original idea behind the Unicode integration was."
Comments (none posted)
WineHQ
Interviews
Mike McCormack.
"How many Australian Wine developers live in South Korea and work for an American company? If you said just Mike McCormack then you'd be correct. Mike studied Electrical Engineering and Computer Science at the University of Sydney but now lives in Seoul half the time. The other half he lives in Minneapolis. Full time he's a Wine developer working for CodeWeavers. The arrangement works well for him - he gets to see his girlfriend regularly and has time to concentrate on work too."
Comments (none posted)
OpenEnterpriseTrends.com has
an interview with Alex Martelli.
"In Part II of OET's exclusive interview with Alex Martelli, author of O'Reilly's popular Python in a Nutshell and Python Cookbook, we turn to how commercial developers of any stripe (Java, ASP.NET, Win32, C++) can best get started with using the Python scripting language to help their applications share data and business logic. In this discussion, Martelli also includes some great practical tips for your own starter project."
Comments (none posted)
O'Reilly
interviews computer historian George Dyson.
"One of the first significant expenditures of machine cycles at IAS (second only to thermonuclear bomb calculations and meteorology) was a series of experiments conducted by the viral geneticist Nils Aall Barricelli to see if code could be prompted to evolve, within the "artificial universe" of the von Neumann computer, on its own. All the questions raised by Barricelli are equally applicable and equally instructive with regard to the evolution of software "in the wild" today."
Comments (none posted)
IBM's developerWorks features
an interview with Kent Beck.
"Extreme Programming (XP) founder Kent Beck likes to say he made up XP's fundamentals during a particularly troubled project in 1996. While strictly true, from talking to him you sense he'd really been formulating the process for quite some time. Find out what Kent thinks about the contribution of the Java platform to software development's success (or lack thereof) in this exclusive developerWorks interview."
Comments (2 posted)
IBM's developerWorks has
an interview with web services developer Sam Ruby.
"Sam Ruby, a member of the IBM Emerging Technologies Group, has become a key part of several Web services-related open source projects over the last three years, including Tomcat and the IBM SOAP stack. He's still contributing both his code and his insight to the community. He spoke with Bob McMillan on a number of topics, including the appeal of open source, the future of Web services, and the power of Web logs."
Comments (none posted)
Resources
Here's an article from IBM developerWorks on
emulating
legacy operating systems on Linux. "
One of the best things to do
with a Linux box is to run programs for other operating systems on it. It
can simplify your life considerably. Companies spend millions on "server
consolidation" in hopes of reducing maintenance, administration, and even
heat burdens. They're usually just moving between different flavors of
UNIX, though. What they often don't realize, however, is that the range
and quality of Linux-hosted OS emulations -- some of them rather old, like
CP/M, RSX, OpenVMS, and DOS -- are quite high. Moreover, companies don't
always understand just how much this software can enhance the convenience
of server-room operations."
Comments (none posted)
NewsForge
looks at
tools to keep crackers out of your network. "
While many
vulnerability assessment products can test Linux clients and servers, most
run only on Microsoft or, in the case of MacAnalysis, Apple
platforms. We've highlighted two that can run on Linux, and one standalone
hardware device."
Comments (none posted)
This NewsForge
article
contains excerpts from the book
Intrusion Detection with Snort by
Jack Koziol. "
Real-time alerting with Snort is highly
customizable. You can pick and choose which alerts to be notified of in
real time by assigning a priority to each rule or classification of
rule. Each rule can have an individual priority attached to it, and every
rule can be included in a classification of rules that has a priority
attached to it."
Comments (none posted)
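The priority mechanism the excerpt describes, as an added example (not code from the book or from the Snort project): a classification carries a default priority, and a rule's own priority option overrides it. The classification entries, the rules and the default of 3 for rules that carry neither option are constructed for this illustration; the sids and messages are not real Snort rules.

```python
"""Resolve effective Snort alert priorities from rule and classification options.

Added example, not from the Snort project or Koziol's book. It models the
mechanism the excerpt describes: a classification carries a default priority,
and a rule's own `priority` option overrides it. All inputs are constructed.
"""
import re

# Constructed classification.config entries: name, description, default priority
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""

# Constructed rules (sids and messages invented for this example)
RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE web path traversal"; content:"../"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh banner scan"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE mail relay probe"; classtype:misc-activity; priority:1; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns query"; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
# option name, then either a quoted value (may contain ';') or a bare value
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+);')
DEFAULT_PRIORITY = 3  # assumed fallback for rules with neither classtype nor priority


def parse_classifications(text):
    """Map classtype name -> default priority from classification.config lines."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            classes[m.group(1).strip()] = int(m.group(3))
    return classes


def parse_rule(line):
    """Extract the option block of a single-line rule into a dict."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block: " + line)
    opts = {}
    for key, val in OPT_RE.findall(line[start + 1:end]):
        opts[key] = val.strip().strip('"')
    return opts


def effective_priority(opts, classes):
    """Rule-level `priority` wins; otherwise the classtype default; otherwise fallback."""
    if "priority" in opts:
        return int(opts["priority"])
    return classes.get(opts.get("classtype"), DEFAULT_PRIORITY)


def alerts_at_or_above(rules_text, classes, threshold):
    """Return (sid, msg, priority) for rules severe enough to alert on in real time.

    Snort priorities count down: 1 is the most severe, so "at or above"
    threshold means a priority number less than or equal to it.
    """
    selected = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_rule(line)
        prio = effective_priority(opts, classes)
        if prio <= threshold:
            selected.append((int(opts["sid"]), opts["msg"], prio))
    return selected


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    # Only the traversal rule (class default 1) and the relay probe (explicit
    # priority:1 overriding misc-activity's 3) qualify at threshold 1.
    for sid, msg, prio in alerts_at_or_above(RULES, classes, 1):
        print(sid, prio, msg)
```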
Reviews
KDE.News has
a review
of JuK, an mp3 Jukebox application for KDE.
"Okay, I admit it: I'm a blonde who isn't a techie. I'm learning because it is kind of fun, but I'll only go so far. I know most people who will read this will probably chuckle because this is for a techie site, but it is worth noting that I am a user who has switched her desktop from Microsoft to Linux with KDE. That is a pretty big jump."
Comments (none posted)
MadPenguin.org
reviews
version 0.6 of the Firebird browser.
"This browser is the beginning of something wonderful. I say it's the beginning because it is very obvious that it is a work-in-progress and is pre-1.0, but let me tell you it is pretty impressive for such an early build."
Comments (none posted)
Neowin.net
reviews a number of Mozilla Firebird plugins.
AdBlock, Autoscroll, LiveHTTPHeaders, Popup ALT Attribute, Mycroft,
User Agent Switcher, and Web Developer are covered.
Comments (none posted)
NewsForge
reviews the
new Pogo Linux StorageWare S212 Server. "
The server comes with Red
Hat Linux 9's three-CD set, plus a Pogo Linux Recovery CD, which contains
all the post-install scripts required to bring the box back into factory
condition. It includes kits for the 2.4.20-9 kernel, official update RPMs
to Red Hat 9 (very handy), and other Pogo Linux personality items like
wallpaper and splash screens."
Comments (none posted)
ContentPeople features
a review of Quanta Plus.
"In recent times, we have seen the advent of Linux as a prominent web development platform, no doubt as a result of the popular LAMP framework: Linux Apache MySQL PHP. Thanks to its open source nature, it has given everyone access to an enterprise class environment for web applications.
The LAMP community has created a variety of supporting text editors, tools and utilities to help you craft your web applications. One of the most popular is the Quanta Plus web development environment."
Comments (none posted)
O'ReillyNet
takes
a look at the game Slash'EM, a variant of NetHack. "
Slash'EM is
written in C, with its Qt windowing interface in C++. Of course, because of
its NetHack lineage, the current release contains lots of code which the
present team did not develop originally. Normally, incorporating code from
outside a project can be a problem due to incompatibilities among various
open source licenses, but things work differently within the NetHack
family. J. Ali Harlow, 36, a programmer for the Applied Vision Research
Centre of City University in London, England and one of the current
maintainers of Slash'EM, says, "There's no such problem with code that has
been written to be used with NetHack. We seek to use the best of these
whenever possible.""
Comments (none posted)
Tux Reports
reviews the Ximian Desktop 2.
"There are as many different philosophies for the perfect desktop as there are Linux developers and users. Each of us has developed our preferences and opinions. Some of us may perceive Ximian Desktop 2 as nothing more than GNOME with some eye-candy, or an attempt to clone Windows. Others may argue that following the KISS principle, by simplifying the applications, system menus and documentation, avoids overwhelming new users. In other words, one person's opinion is another person's opportunity to complain."
Comments (none posted)
Miscellaneous
South Florida area LUG members
help inner city
kids in this NewsForge article. "
11 a.m. - Chris Williams, a
Ft. Myers programmer and sysadmin, huddles with Gonzalo. They decide to
replace the existing Red Hat installation on the server with Mandrake 9.1
because of its ease of administration, plus the fact that Gonzalo is used
to Mandrake, and he's the one who will be responsible for ongoing
maintenance of the Center's computers."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Submissions are open until June 23 for the 2003 Linux Journal Readers' Choice Awards; nominate your favorite applications soon.
Full Story (comments: none)
Responses are being requested for the WeWantLinux.org survey.
"The WeWantLinux.org survey shows a high level of interest in computers
pre-loaded with GNU/Linux, even among non-Linux users.
The WeWantLinux.org survey site continues to gather data on consumer
interest in computers pre-loaded with the GNU/Linux operating system.
With nearly 1700 survey entries validated, the results show a high level
of interest in Linux PCs across the board. The survey site will remain
active for the foreseeable future, but the interim results are worth noting."
Full Story (comments: none)
The Extremadura regional government has
announced
(at GUADEC in Dublin) the completion of the deployment of 80,000 computers running the
LinEx distribution and GNOME in schools.
There's now one system available for every two students. "
The Junta of Extremadura has also created 33 computing centers for
the general population. The centers feature one-on-one computer
assistance, so users who are unfamiliar with computers can learn
computer and e-mail basics. The centers have drawn citizens of all
ages and walks of life. The oldest user of the centers is 99 years
old."
Comments (2 posted)
The Center of Open Source & Government endorses the South African
Proposed Strategy for Using Open Source Software in the South African
Government by providing rationally defensible policy guidelines. The
South African
Strategy (PDF format) is a reasonable road map for a viable Open Source
Government Policy.
Full Story (comments: none)
An IDC Research report sponsored by LinuxWorld
shows that in 2003 Linux is expected to ship over 162,000 servers in
Western Europe, a market worth $621 million. By 2007 this sum is
anticipated to have more than doubled in value to $1.9 billion and tripled
in volume (203% growth), shipping on almost half a million servers.
Comments (none posted)
Tony Stanco has sent us his opinion of Brazil's new open source policy.
"While I think that Open Source in government is a good thing and
have been working towards that goal for many years, making it mandatory is
an industrial policy that may not succeed, which will hurt Open Source in
the long run."
Full Story (comments: 14)
Here's a press release from the Open Source Development Lab (OSDL) on the
appointment of Linus Torvalds as the first OSDL Fellow. George Weiss, vice
president and research director for Gartner, is quoted: "Linus
Torvalds adds tremendous credibility to OSDL's efforts to drive the
evolution of Linux forward into enterprise computing and carrier
environments. The computing market is still questioning how far and how
fast Linux can go as an enterprise-ready platform. With Linus at OSDL, many
will be looking for leadership from the lab for answers to those
questions."
Full Story (comments: 5)
According to Use Perl, the Perl Foundation
has a new president.
"In a recent meeting of the board of directors of Yet Another Society (a.k.a. The Perl Foundation), long-standing President Kevin Lenzo decided to step down from his role to pursue other commitments. In his place the board elected a new President, Allison Randal."
Comments (none posted)
Commercial announcements
IBM
responds
to SCO in a short press release. "
Since filing a lawsuit
against IBM, The SCO Group has made public statements and accusations about
IBM's Unix license and about Linux in an apparent attempt to create fear,
uncertainty, and doubt among IBM's customers and the open source
community."
Comments (6 posted)
O'Reilly has published the book "Linux Security Cookbook".
Full Story (comments: none)
Central Command is offering a discount to existing RAV Antivirus customers.
"With the recent announcement from Microsoft Corporation of
the pending acquisition of RAV Antivirus technology the
future support of the existing RAV Antivirus product line
has caused concern from existing RAV Antivirus customers."
Full Story (comments: none)
TimeSys Corporation has
announced
that its TimeSys Linux RTOS (real-time operating system) and JTime
real-time Java(TM) virtual machine are driving the Mars Exploration Rover
concept vehicle being demonstrated by NASA's Jet Propulsion Laboratory
(JPL) and Sun Microsystems' James Gosling at the JavaOne Conference this
week in San Francisco.
Comments (2 posted)
Transmeta Corporation has
announced
it has entered into an agreement to allow Chinese 2000 Holdings Ltd. to
develop and market Transmeta's Midori(TM) Linux for mobile and embedded
devices in China and other countries in the Asia-Pacific region. The
collaboration between the two companies on Midori Linux development and
marketing focuses on China, Hong Kong, Macau and Taiwan.
Comments (none posted)
Resources
OSDL and SD Times have
released
the results of a joint survey on the use of Linux in corporations.
"The survey of 8,000* SD Times readers, mostly senior managers at
corporations with more than 1,000 employees, showed broad and deep use of
Linux in IT shops even though only a third of the companies had adopted the
open source operating system as a corporate standard computing
platform."
Comments (1 posted)
A new UML 2.0 standard was released at the OMG Technical Meeting in Paris.
Full Story (comments: none)
Upcoming Events
Do you want to see what's going on at GUADEC? Well now you can. Just
check out the
LIVE GU4DEC site.
Comments (none posted)
An expanded conference program for LinuxWorld Conference & Expo has
been
announced. "
LinuxWorld's CIO Agenda is a new program featuring
sessions specifically designed for CIOs who need to be well-versed in the
implications of Linux adoption. With topics in business, security, system
administration, application development, and emerging technologies, the CIO
Agenda will provide CIOs with insights on how Linux and open source can
benefit their organizations."
Comments (none posted)
The
2004 iteration of
Linux.Conf.Au is happening January 14 to 17
in Adelaide. The call for papers has just gone out, with abstracts due by
August 18. Speakers who have already been confirmed include Keith
Packard, Jon 'maddog' Hall, Bdale Garbee, Rusty Russell, and Andrew
Tridgell.
Full Story (comments: none)
EducationaLinux 2004 will be held in January 2004 in Adelaide, Australia.
"This conference presents an opportunity for anyone
who is a part
of the education system to get together, share ideas and network with
other like-minded individuals using or promoting open source in
education."
Full Story (comments: none)
| Date | Event | Location |
|---|---|---|
| June 19 - 23, 2003 | Open Source Clinical Application Resource Workshop (OSCAR) | (McMaster University) Ontario, Canada |
| June 19 - 20, 2003 | Infosec 2003 | (UniNet) Online |
| June 21 - 22, 2003 | European Ruby Conference | (University of Karlsruhe) Karlsruhe, Germany |
| June 23 - 26, 2003 | ClusterWorld Conference & Expo | (San Jose Convention Center) San Jose, California |
| June 23 - 26, 2003 | Fourth Workshop On UML for Enterprise Applications | (Hyatt Regency San Francisco Airport Hotel) Burlingame, CA |
| June 24 - 26, 2003 | LinuxUser & Developer Expo | (Birmingham National Exhibition Centre) Birmingham, UK |
| June 25 - 27, 2003 | European Python and Zope Conference 2003 | (CEME) Charleroi, Belgium |
| July 7 - 11, 2003 | O'Reilly Open Source Convention 2003 (OSCON) | (Portland Marriot) Portland, Oregon |
| July 9 - 12, 2003 | Libre Software Meeting | Metz, France |
| July 10 - 13, 2003 | LinuxTag | Karlsruhe, Germany |
| July 12 - 17, 2003 | Debcamp | Oslo, Norway |
| July 18 - 20, 2003 | Debconf 3 | (The University of Oslo) Oslo, Norway |
| July 23 - 26, 2003 | Ottawa Linux Symposium | Ottawa, Canada |
| July 23 - 25, 2003 | YAPC::Europe 2003 | (CNAM Conservatory) Paris, France |
| July 25 - 27, 2003 | Fifth Annual Linux Festival in Kaluga Region | (bank of the river Protva) Kaluga region, Russia |
| July 29 - August 2, 2003 | The 10th Annual Tcl/Tk Conference | Ann Arbor, Michigan |
| July 31 - August 3, 2003 | UKUUG Linux Developers' Conference (LINUX 2003) | (George Watson's College) Edinburgh, Scotland |
| August 4 - 7, 2003 | LinuxWorld Conference and Expo 2003 | (Moscone Convention Center) San Francisco, CA |
| August 7 - 10, 2003 | Chaos Communication Camp 2003 | Paulshof, Altlandsberg, Germany |
Comments (none posted)
Web sites
A new debugging server called AskIgor is online.
"We're doing a public debugging server - a Web site that accepts buggy
Linux C programs and automatically tells you why the program failed.
This has been brewing for two years, and is starting to get ready.
We'd like any feedback on things people like/dislike about it."
Full Story (comments: none)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
From: Leon Brooks <leon@cyberknights.com.au>
To: Continental Airlines <investorrelationsdept@coair.com>, Nathan Hanks <nhanks@coair.com>
Subject: Nathan Hanks again demonstrates his ignorance of security
Date: Mon, 16 Jun 2003 08:31:56 +0800
Cc: Linux Weekly News Letters <letters@lwn.net>
Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> But [Hanks] and others said Microsoft is not unique in its
> vulnerabilities. "We have a Linux server that has three times
> the critical updates as our Windows server," he said.
Hanks, your MS-Windows server arrived with maybe half a dozen services
available and probably had all of them running until you shut them off.
If you add a big service, say MS-SQL-Server, you might have the
equivalent of 20 or 30 Linux packages installed on your machine.
I use Mandrake Linux 9.1, which arrives with over 800 packages, zero of
which will be accessible from the Internet after a "kitchen-sink"
install and without the installer switching anything off.
The "critical updates" you speak of cover all 800+ packages on Linux but
only the equivalent of about 20 or 30 on MS-Windows, so in a parity
situation you would expect to see roughly thirty to forty times as many
updates listed. Blow for blow, the Linux server you speak of is ten
times less buggy than your MS-Windows server already.
But the situation is not even blow-for-blow. Microsoft's idea of a
"critical update" is for something like CodeRed, Nimda or Slammer.
At http://www.mandrakesecure.net/en/advisories/updates.php?dis=9.1 (and
look for red padlocks) we see that Mandrake 9.1 has had 45 total patch
releases to date. 5 of them are duplicates because the packages went
out without an encrypted signature, another is a dupe because the
original fix included things that didn't need fixing, leaving 39. 27 of
those are listed as "critical".
Many of those are for such things as (MDKSA-2003:036) fixing maths
errors in image handling. Of the remainder, the vast majority of
vulnerabilities are _potential_ vulnerabilities; that is, they have no
known working exploit, and in many cases have no theoretical exploit
either.
Leaving that aside, many of the remaining vulnerabilities do not involve
any "privilege escalation" - or as CERT Advisory CA-96.13 puts it, the
case where "Non-privileged primitive users can cause the total
destruction of your entire invasion fleet and gain unauthorized
access to files." Most of Microsoft's do.
We're not finished yet. Consider MDKSA-2003:048, which fixes a
vulnerability in EOG. Eye Of Gnome is an image viewer. Would you ever,
let alone regularly, use it on a server? I have seven image viewers
installed (I like to experiment), not counting potential viewers like
graphics editors, scanner/camera managers, the previewers in file
managers, office suites and so on. Odds are therefore 1/7 that I would
use the impacted application even if I did run it on a server. As it
happens, I don't; I prefer Kuickshow in a GUI, or from the command line
the ImageMagick "display" command.
Counting through all of the listed vulnerabilities and picking out the
ones that would impact a default installation to do secure web-enabled
database activities plus email transport, remote administration and a
GUI interface - the equivalent of MS-Windows, IIS, MS SQL Server and
MS-Exchange rolled into one, there are eight. One of them (a kernel
update) requires a reboot after installation.
So... eight actual critical updates, one of them in the OS and one of
them in the webserver. Since the release of Mandrake 9.1 in March,
MS-Windows 2000 and IIS alone have logged patches for three "invasion
fleet" severity patch bundles beyond Service Pack 4, which in itself
rolled in a large number (difficult to assess) of patches.
Over the last year (well, 14 months), Mandrake Linux (from 8.2) has
recorded 2 OS (kernel 2.4) patches (one of which had a simple and
instant no-reboot workaround) and 3 Apache (webserver) patches and zero
PHP (ASP-equivalent) patches. Total "critical updates" potentially
impacting our hypothetical server, about 25.
MS-SQL-Server 2000 Service Pack 3a was also released, but the
description makes it difficult to decide exactly how many patches that
involves - and if you're using the "Desktop Engine (MSDE 2000)" version
there's more bad news confronting you in the form of a pageful of
directions on finding out what to patch and how before you even start.
Each vulnerability that I can find specifies arbitrary code execution
or worse. Compare this with a total of two (related) vulnerabilities in
the last year for PostgreSQL.
The MS-Exchange 2000 "March 2003 Post-SP3 rollup" contains over 70 new
or patched files and requires you to uninstall (yes!) the previous set
of patches before applying it. All the while your email server is down.
Any of the very rare updates for PostFix (a good example of a Linux
MTA; no patches at all in well over a year) typically involves under
half a second of email outage and no reboots.
I don't even understand how to account for the number and complexity of
the Microsoft patches involved here, so I agree that this is a problem,
but to pluck a figure out of the air? Call it 120 individual patches a
year, one every three days on average.
Each of these Microsoft "patches" may roll together work on multiple
vulnerabilities in multiple systems, whereas the Linux patches
typically fix a single vulnerability and by definition do it in a
single system.
How about response time? The KDE developers once took a vulnerability
from bug report to tested deliverable in 95 minutes.
Accountability? You were reportedly "impressed with Microsoft's response
to the [Slammer] problems" but what about their response to the
"Shatter Attacks?" Microsoft may find a way to fix that ongoing
vulnerability in Longhorn, five years down the track, but probably not.
It is a design insecurity right at the core of MS-Windows and there is
no simple way around it. The corresponding insecurity in Linux doesn't
exist, can't exist, because a completely different mechanism occupies
that spot on the flow diagram.
Then we consider the server population. Even for a relatively light
load, Microsoft would recommend that you have a separate server for
MS-Exchange and another for MS-SQL-Server. That's three servers to
maintain and pay for instead of one. And they'd probably also ask you
to add an expensive Cisco router to the collection to firewall it.
There are also a number of features which make individual services much
easier to lock down under Linux than under Windows. Capabilities,
chrooting, chattr and so on within a single OS image. User Mode Linux
for completely partitioned services - it's a simple matter to run any
service under its own specialised UML kernel that has a no-op (or
scream-the-house-down) response to certain OS functions for managing
ownership of files or opening network sockets other than in prescribed
ways. This means that even if an attacker gains total and complete
control of a service, all it does is call attention to his actions and
replace his victim with a fresh, clean copy a few microseconds later.
The final clincher for me is that I have never had an update break a
server. I could have left all of my Linux servers on auto-update for
about the last five years without a care in the world, were I not
naturally suspicious. On the other side of the fence, Microsoft's
updates are renowned for breaking things.
Back your statement up with specifics, Hanks, or retract it. As it
stands it is at best irresponsible, and certainly looks clumsy and
ill-informed for a "managing director" at a world-renowned firm.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia
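The advisory-count triage the letter walks through (drop re-issued duplicates, keep the "critical" ones, then keep only those touching packages a given server role actually runs), as an added example that is not part of the letter or of any distribution's tooling; the advisory identifiers, package names and role set below are constructed placeholders, not real advisories.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    """One distribution security advisory (constructed shape, hypothetical)."""
    advisory_id: str
    package: str
    critical: bool
    reissue_of: Optional[str] = None  # set when this is a re-release of an earlier advisory


# Packages installed on the hypothetical "web-enabled database + mail +
# remote admin + GUI" server the letter describes (constructed set).
SERVER_ROLE = {"kernel", "apache", "php", "postgresql", "postfix", "openssh", "xfree86"}

# Constructed sample feed: two re-issues (re-signed packages), two desktop-only
# advisories, one non-critical, and three that really affect the server role.
SAMPLE = [
    Advisory("MDKSA-EXAMPLE-01", "kernel", critical=True),
    Advisory("MDKSA-EXAMPLE-02", "apache", critical=True),
    Advisory("MDKSA-EXAMPLE-03", "eog", critical=True),          # image viewer
    Advisory("MDKSA-EXAMPLE-04", "eog", critical=True, reissue_of="MDKSA-EXAMPLE-03"),
    Advisory("MDKSA-EXAMPLE-05", "imagemagick", critical=False),
    Advisory("MDKSA-EXAMPLE-06", "postgresql", critical=True),
    Advisory("MDKSA-EXAMPLE-07", "kdebase", critical=False),
    Advisory("MDKSA-EXAMPLE-08", "apache", critical=True, reissue_of="MDKSA-EXAMPLE-02"),
]


def unique_advisories(advisories: Iterable[Advisory]) -> list[Advisory]:
    """Discard re-releases so each fix is counted once."""
    return [a for a in advisories if a.reissue_of is None]


def relevant_critical(advisories: Iterable[Advisory], installed: set[str]) -> list[str]:
    """IDs of unique critical advisories whose package the role actually runs."""
    return [a.advisory_id for a in unique_advisories(advisories)
            if a.critical and a.package in installed]


def triage(advisories: Iterable[Advisory], installed: set[str]) -> dict[str, int]:
    """Headline counts at each filtering step, in the order the letter applies them."""
    advs = list(advisories)
    unique = unique_advisories(advs)
    critical = [a for a in unique if a.critical]
    return {"total": len(advs), "unique": len(unique),
            "critical": len(critical), "relevant": len(relevant_critical(advs, installed))}
```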
Comments (5 posted)
Page editor: Jonathan Corbet