
LWN.net Weekly Edition for July 3, 2003

An interview with Linus Torvalds

LWN has been reporting on the Linux and free software community for well over five years now, but, during that time, we've never gotten around to interviewing Linus Torvalds, the creator and maintainer of the Linux kernel. That oversight has now been rectified. In the following interview, Linus talks about 2.5, 2.6, and 2.7, SCO, and how the kernel development process works.

Kernel releases

What are, in your opinion, the most significant accomplishments from the 2.5 development series?

There's a number of them, and the ones I think are most important others may not find as interesting. I personally tend to find "infrastructure" things more important than adding particular driver support, for example, even though to most _users_ the actual drivers are often more important.

During 2.5.x, the things I thought were most noticeable are a nicer and better VM subsystem, a better block IO layer, and the improved threading support. All of them do help performance in various circumstances, but more importantly (to me) they were all fairly central cleanups and help keep the code maintainable.

Any regrets or things you wish had come out differently in 2.5?

Hey, I always wish we'd do stable releases more often, and I always end up ignoring my own wish and go for "more changes". It makes the release process a lot harder (more things have changed results in more verification and debugging effort), but it does make development more satisfying.

Looking forward to 2.7, do you have any particular goals in mind for that development series?

No, I seldom do. In 2.5.x, we fixed the things I was worried about and that I wanted fixed.

But inevitably, new needs and uses will come up, and I'm not worried about running out of stuff to do. I just don't plan much ahead, I much prefer to take a reactionary stance and see what people actually complain and care about, rather than having a "5-year plan".

Do you have any particular expectations or hopes for the upcoming kernel summit in Ottawa?

To me, the biggest thing is to hear what people are working on or interested in, and get together to just discuss stuff under reasonably organized circumstances. For example, I bet I'll have more of a notion of what people are holding back for 2.7.x.

It took the better part of a year - after 2.4.0 - for the 2.4 series to stabilize sufficiently for the 2.5 fork to happen. Do you foresee doing anything differently to stabilize 2.6 more quickly?

It's always hard to tell. One big problem for the 2.4.x series was the VM, and I think we're _already_ in better shape in 2.5.x than we ever were in 2.4.x. So I'm pretty optimistic, but it's always hard to anticipate everything that pops up when a lot of new people start moving over from 2.4.x to 2.6.x.

Development process

Over the course of 2.5, a number of developers, some of whom have contributed useful stuff, bowed out of the kernel project after facing too much criticism that was too harsh. Do you think this is a "if you can't stand the heat, get out of the kitchen" sort of situation, or could the process perhaps change to be a little more friendly?

I do believe that the kernel mailing list has become too acerbic at times. It can be amusing to read the flame wars if you take them the right way, but not everybody is willing or able to stand back and enjoy the fireworks. It's something I worry about - it tends to be always easier to criticise than to actually fix things.

I'll see what I can do about it, if anything.

There have been complaints that recent development has been strongly oriented toward large-system scalability at the expense of the rest of us with "normal" systems. Over the longer term, however, a high priority has been placed on not allowing support for high-end systems to compromise performance for everybody else. How do you feel about the balance between the kernel's support for large and small systems? Does anything need to be done to ensure scalability to the low end?

I think the drive toward "sexy" systems (lots of power, lots of CPU's, tons of memory, etc) is a fairly natural one, and it's something that gets attention, and I think that's also why people see that development more.

And yes, scalability has improved a lot, but at the same time you should realize that 99% of all Linux development is still done on basic desktop machines. So most developers still care mostly about that kind of hardware, and so while the "big iron" thing gets most attention and is most visible, it's not where most of the action _really_ is.

I personally, for example, always just work with a "high end desktop" system, expecting that what is high end today will be pretty much regular in another year or two.

In many ways, the kernel development process appears to be working better than it ever has. The flow of patches into the mainline is astounding, and most of the major developers seem to be relatively happy. Things appeared rather rougher at the beginning of 2.5; to what do you attribute the improvement? Is it all due to BitKeeper, or are there other things going on?

I definitely think BitKeeper helped, but on the whole people are always happier in development kernels than they are when you have to be careful. So expect some grumbling during 2.6.x when developer frustrations mount, when they can't just go wild.

The lawsuit

SCO has finally fingered some specific contributions to the kernel as, they say, infringing on their rights. Do you think there's a chance that things like RCU and JFS will have to come out before 2.6 can be released? How do you think you might respond if SCO demands their removal?

I don't think it's likely, especially since everything that SCO has fingered as being stuff they object to, they don't actually seem to have any IP rights claim over. They're all stuff written by IBM (or Sequent, which was bought by IBM), and everything looks very much above board as far as IBM goes.

I'd find it very unlikely that IBM had given exclusive licenses to SCO for the thing, especially as IBM apparently used some of the same technology for other projects earlier (ie OS/2). So from what I can tell, SCO really doesn't have a case - at least on the IP side of things.

Whether SCO has a case on the contract side, I just don't know. I'd be surprised. But I don't even have to care, since any contractual issues are clearly between IBM and SCO, and have nothing to do with me or the kernel (and contract law is a whole different area from IP rights, so SCO's blathering about Linux not respecting IP rights seems to be just a rabid rat frothing at the mouth, as far as I can see).

Do you foresee any changes to the kernel development process in the future to avoid the possibility of proprietary code being incorporated?

Hey, I claim that open source is a lot safer than proprietary code bases: people have full visibility in what goes in, and we can go back through archives etc to see who did what. In other words, we already _have_ the process in place to make sure that people don't try to misuse IP rights.

Miscellaneous topics

You've just announced a move over to OSDL, to work full-time on the kernel. Do you have any great plans for your extra time?

I've never had problems with "extra time". As far as I know, "extra time" as a concept is right up there with Santa Claus and the Tooth Fairy.

Recently you have been peppering the kernel with __user annotations which can be used by the "sparse" tool to find improper use of user-space pointers. I've always wondered why the kernel doesn't simply define a "userptr" type which would allow mistakes to be caught by the compiler?

The problem with a "userptr" type is that there is not just _one_ type of user pointer, there are hundreds. User pointer to _what_? You need a bit outside/perpendicular to the regular type system, to say it's a "user pointer to a 'struct stat'".

I mentioned that to some gcc people, and nothing ever appeared, so I decided to do it myself.

Would it not make sense to make a similar distinction between physical and kernel virtual addresses?

It could certainly be done, with the tool I already wrote. We've never really had that as a major problem, though. Usually we use "unsigned long" for physical addresses (or things like "page frame numbers", ie they are an index to physical pages, not a whole address). Those have never been directly dereferencable, so we've not had the same kind of "buggy code works by mistake" situation that we've had with user pointers.
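An added illustration (not code from the interview or from the kernel tree) of how the `__user` bit sits beside the regular type system. Under sparse, which defines `__CHECKER__`, `__user` expands to the `noderef` and `address_space(1)` attributes, as the kernel's `<linux/compiler.h>` defined it at the time; with a plain C compiler the macros expand to nothing. `copy_from_user_model`, `struct stat_like`, `read_user_stat`, `EFAULT_MODEL`, `PAGE_SHIFT_MODEL` and `phys_to_pfn_model` are constructed names standing in for the real kernel routines and constants. Run through `sparse`, the direct dereference in `read_user_stat_buggy` is reported; `gcc` accepts it and it even works when a caller passes a kernel pointer, which is the "buggy code works by mistake" situation described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Address-space annotations in the style of the kernel's <linux/compiler.h>.
 * sparse defines __CHECKER__: a __user pointer is placed in address space 1
 * and marked noderef, so a direct dereference, or an implicit conversion to a
 * plain kernel pointer, is reported. For an ordinary compiler the macros
 * expand to nothing, so the same source builds unchanged. */
#ifdef __CHECKER__
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))
#else
# define __user
# define __force
#endif

#define EFAULT_MODEL 14   /* constructed stand-in for the kernel's EFAULT */

/* Constructed stand-in for 'struct stat': __user qualifies a pointer to
 * *this* type, which is why one catch-all "userptr" type would not do. */
struct stat_like {
    uint32_t mode;
    uint64_t size;
};

/* Hypothetical, simplified model of copy_from_user(): the one sanctioned way
 * to read through a __user pointer. The __force cast tells sparse that the
 * address-space crossing here is deliberate. A real kernel also validates the
 * range and catches page faults; this model only handles the NULL case.
 * Returns the number of bytes NOT copied, 0 on success, as the kernel does. */
static unsigned long copy_from_user_model(void *to, const void __user *from, size_t n)
{
    const void *src = (__force const void *)from;
    if (src == NULL)
        return n;
    memcpy(to, src, n);
    return 0;
}

/* Correct: every access to user memory goes through the accessor. */
static int read_user_stat(const struct stat_like __user *ust, struct stat_like *out)
{
    if (copy_from_user_model(out, ust, sizeof(*out)))
        return -EFAULT_MODEL;
    return 0;
}

/* Wrong: a direct dereference. gcc accepts it, and it "works" whenever the
 * caller happens to pass a kernel pointer; sparse reports
 * "dereference of noderef expression" on this line. */
static int read_user_stat_buggy(const struct stat_like __user *ust, struct stat_like *out)
{
    *out = *ust;
    return 0;
}

/* The physical-address side of the second question: physical addresses and
 * page frame numbers are plain integers, so the compiler itself refuses to
 * dereference them and no annotation is needed. PAGE_SHIFT_MODEL is a
 * constructed value for 4 KiB pages. */
#define PAGE_SHIFT_MODEL 12
typedef unsigned long phys_addr_model;

static unsigned long phys_to_pfn_model(phys_addr_model pa)
{
    return pa >> PAGE_SHIFT_MODEL;
}
```

Compile the file once with `gcc -c` and once with `sparse` to see the difference: only the second run complains about `read_user_stat_buggy`, and only about that function.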

Thank you, Linus, for taking the time to answer these questions.

Comments (21 posted)

Gentoo forks

[This article was contributed by Joe 'Zonker' Brockmeier]

The Gentoo project is experiencing a few growing pains. Last week it announced some major management changes, while Zachary Welch announced his intention to form a non-profit called the Zynot Foundation and a plan to fork the Gentoo distribution.

Why the "Zynot Foundation"? Apparently, because it was available. The project's FAQ says the new name was chosen because the domains were available, and because it's a name that can easily be spoken and spelled. The name of the actual distribution is still up in the air, according to the Zynot FAQ, and will be chosen by the community. Welch's "Reasons for Forking A Linux Distribution" details his reasons to break off from Gentoo and to form a new project. It's a lengthy read, but to put it succinctly, Welch had a number of issues with Gentoo lead Daniel Robbins and the way that the project was being managed -- both from a business perspective, and from a developer's perspective. Welch had hoped to further Gentoo in the embedded market, and eventually decided that it was too risky to move forward using the Gentoo name.

...the current situation that appears to place the Gentoo Linux distribution and brand arguably in the sole possession of Gentoo Technologies, Inc., and any sane business that contributes to the project should be very careful about balancing their expectations with the possibilities that such a monopoly entails... Every contribution made to Gentoo builds the brand of the distribution, value that is not being fairly shared with those members of the community that have helped build it.

Welch isn't the only developer to express dissatisfaction with Robbins' leadership of the project. Last April, Geert Bevin left the project and wrote up a summary of his reasons for doing so. According to Welch's "Welcome to Zynot" e-mail, the Zynot Foundation will be putting out some kind of release in time for LinuxWorld Expo in August, as well as having a booth at the show.

While the Zynot Foundation is getting started, the Gentoo project will be busy implementing a formalized management structure. The proposal, put forth by Robbins, seems to be fairly straightforward. It establishes a formal management hierarchy and responsibilities, channels of communication and so forth. The document doesn't address the process by which one would become a project manager, so it seems they will be granted their position by the "Chief Architect," which would be Robbins himself.

Welch's departure also means that Gentoo will need to find some new hardware and hosting. Apparently, much of Gentoo's infrastructure, including CVS, the Web server, the Wiki and Gentoo Bugzilla, is hosted on machines owned by Welch and co-located at Oregon State University.

Regardless of Welch's reasons for doing so, it remains to be seen whether many in the Gentoo community will be willing to follow Welch's fork of the project. Gentoo has a fairly devoted user community as well as a fair number of core developers. According to Welch's estimate, Gentoo currently has a user base of about 150,000 people. It will take some doing to achieve the same kind of success with a new project.

Comments (3 posted)

Interview with Gaël Duval

LWN editor Jonathan Corbet talks with Gaël Duval, creator of Mandrake Linux and co-founder of MandrakeSoft.

____

LWN: You were the creator of the original Mandrake Linux distribution, and a co-founder of MandrakeSoft. What is your current role with the distribution and the company?

GD - I'm officially taking care of MandrakeSoft's communication, but I'm helping for other things and projects as well.

LWN: In an OSNews interview last March, you said "9.1 sales and club subscriptions are going to be key." How are sales and subscriptions going at this point? Are they at the level you need?

GD - The levels of Club subscriptions and 9.1 sales have been very good. That's one of the reasons why our future is becoming better every day. Mandrake 9.1 is an excellent product, and that made it successful. On the other hand, the Mandrake Club and all its benefits, in particular the huge application repository that can be interfaced with the Mandrake application manager and dependency solver (URPMI/RPMDrake), has gained popularity among Mandrake users. As a result, the Club is turning into a real business model (in short: a free product plus value-added online services). As the whole Linux retail market has been dramatically and continuously decreasing during the past 3 years (mostly due to high-speed domestic Internet connections), this new business model for selling Free Software products really makes sense, and we certainly are one of the first Linux makers to enter this model.

LWN: The Mandrake Linux distribution has become difficult to find - at least, in U.S. stores. Do you plan to try to get back onto retail shelves (if so, how?), or are retail sales no longer a priority for MandrakeSoft?

GD - There is a simple reason for that: we broke our agreement with distributor Pearson recently. They are not interested in Linux as they have been in the past, and we weren't very happy with the sales. So we made the decision to take time to look for new distributors in the USA, and we encouraged users to come to MandrakeStore.com where our margins are really much more interesting than with traditional retail sales. Anyway Mandrake packs should be back in many US stores with the 9.2 version, with a new distributor. This is important at least for MandrakeSoft's brandname exposure and presence.

LWN: How is the reorganization process going in general? What changes is MandrakeSoft making, and how do you expect them to help the company's long-term survival?

GD - The reorganization is nearly completed. We had to review the company's priorities in terms of technology and businesses. We had to scale the structure down to the point where we do not spend more money than we earn. We also had to convince everyone at MandrakeSoft that sales are now the big priority.

LWN: When does MandrakeSoft expect to emerge from the bankruptcy process?

GD - We plan to emerge somewhere by the end of the year. So far this has been a very positive action for us.

LWN: Mandrake Linux tends to be perceived as a desktop-oriented distribution. Is that how you see it internally? Where do you expect to see Mandrake deployed most in the future?

GD - The mission of MandrakeSoft is to simplify Linux and make it available to all. This means: providing full-featured Linux systems that are easy to install, easy to set up, easy to use. But this doesn't mean that we focus on the desktop, because we ship many server products, including very complex ones such as the Multi Network Firewall or MandrakeClustering... Additionally, simple command line tools such as our package management tool "URPMI" are often as important as graphical wizards or applications. The result is now a large range of MandrakeSoft products, from the "Standard 9.1" which is a desktop OS, to server and dedicated security products such as the Corporate Server 2.1 and the Multi Network Firewall. Such a large offering is perfect for answering companies' needs, and that's good for MandrakeSoft because this is currently a growing market.

LWN: Increasingly, other distributors are coming forward with versions of their products aimed at the desktop. The trickle of reports of companies and governments choosing Linux for desktop use is growing. Do you have a sense of when desktop Linux may take a serious part of the market? How does Mandrake plan to succeed in a larger but more competitive desktop market?

GD - This desktop thing has been the most recent Linux' hype. Currently it's clear that "joe user" is not ready yet to migrate his Windows desktop to a Linux desktop, for many reasons that are not only technical reasons. This doesn't mean that there is not a growing base of users who have definitely made the switch to Linux on the desktop (this includes myself). But the point here is that the real market in the desktop field, which is not a big market yet, is inside corporations, and that is the market we are currently interested in.

LWN: You have mentioned that MandrakeSoft will be introducing a clustering product. Clustering seems like an increasingly crowded marketplace - though, perhaps, one in which a fair amount of money should be made. What has drawn Mandrake into this market at this time?

GD - There are two simple answers: 1) we had the chance to get funding for a research project in this area, and this has resulted in a great and powerful Clustering product. 2) We don't plan yet to sell this product everywhere in the world like we do with Mandrake Linux: there are very few actors in the field of Clustering solutions in France, so we are going to sell it in France and Europe first. Additionally, it's not only a product, it's a complete solution that doesn't make sense without the support and knowledge-transfer which are provided with this solution.

LWN: What is MandrakeSoft's position on the SCO lawsuit? Are you taking any steps in response to SCO's allegations?

GD - Our position is very simple: so far there are mostly FUD and rumours. Let's wait for facts. Anyway, the whole story could possibly impact Linux' image negatively so we have to take care of that. But in the end my guess is that SCO is doing a huge error and is going to suffer much from the situation.

LWN: What enhancements can Mandrake Linux users look forward to in the next release?

GD - Wait and see :-)

LWN: Is there anything else you would like our readers to know?

GD - Producing and selling Free Software products makes sense. It only needs a good business model.

Comments (2 posted)

JBoss

[This article was contributed by Joe 'Zonker' Brockmeier]

A few weeks ago a group of JBoss developers split from The JBoss Group and decided to strike out on their own as the Core Developers Network (CDN). We spoke with Greg Wilkins, one of the Core Developer Network members as well as the founder and director of Mort Bay Consulting. Mort Bay sponsors development of the Jetty Java HTTP server and servlet container. Marc Fleury, President of the JBoss Group, refused to comment for this story.

Wilkins wrote that his experience with JBoss Group had been less than profitable. "I got 6 hours of support work for being on call for 2 years - I also was not pushing my own Jetty support business to JBG clients so I was losing sales of my own." Wilkins also said that Fleury demanded a cut of a deal that he had negotiated through Mort Bay for out-source development that used JBoss "among many other things."

We did not expect to make money from writing our code. But when somebody started making lots of money by selling access to US the developers (not selling distributions of the code or anything) - then we felt we at least deserved a fair share of the branding and scalable income. Not just to get paid for the hours we worked - we can get that anywhere.

Wilkins noted that, since the Core Developers left the project, their names have been removed from the JBoss site as contributors, though they still have CVS access to JBoss and continue to contribute to the project. JBoss has also replaced Jetty with Tomcat as the default Web container. Wilkins says that the Core Developers do not want to fork JBoss, but "we can see situations that may force that to happen." In the end, there are really two main issues, says Wilkins:

I guess for me there are two aspects to this. One is a commercial dispute between parties - no real big issue there; I think they are bastards who have screwed me and I'm sure they think the same about me - we are probably both right :-)

But the other is the control of an open source project. It appears that getting control over just the trademark and CVS write access can be used to build a very good control mechanism over an open source community. This can be used to build a near monopoly on commercial services sold for that project and distribution of those benefits.

While Fleury refused to comment for this story, it's interesting to note something he said in an interview on TheOpenEnterprise.com:

The answer is yes. I also believe there's a monopolistic opportunity in open source infrastructure, just like Microsoft has a monopoly on the desktop. Free software will create a market that is much more open than that, but we see ourselves becoming a standard, used everywhere, while other application server vendors are struggling. That's our end goal, to become a monopolistic but responsible provider of Web infrastructure.

As open source continues to grow in popularity, and profitability, this will undoubtedly be an increasingly important issue. While the JBoss code is available for anyone to use, distribute and modify, the trademark is controlled by a single party. The ability to contribute code and participate in the direction of the project is also controlled by the same people who are making it a business venture. Certainly these abilities could be abused to give one party an advantage over other companies or individuals seeking to make money from the code. Withholding the ability to use the trademark, for example, could certainly hinder the ability of other parties to build a business that centers around JBoss.

Free and open source software licenses only protect access to the code itself. Any business based on an open source project will need to be able to advertise and promote itself -- something that could prove difficult if they are unable to use the name of the project in their advertising or marketing materials. Developers who are contributing to other open source projects may wish to ask the owners of those projects to clarify their long-term intentions for the projects. If nothing else, the JBoss situation may prove a cautionary tale for other business-minded open source developers. According to Wilkins, things would have been much different if they had gotten the business aspects taken care of earlier.

...by the time we came to really formalize it, it was too late as Marc owned the trademark, the company, had the client contracts, the www site and the CVS access. So we had all lost our bargaining positions. If we had formalized it two years earlier before JBoss was really big and was generating significant revenue - the deal would have been substantially different.

Comments (1 posted)

Page editor: Rebecca Sobol

Security

Brief items

Email Virus Scanning for Linux: A review of alternatives to RAV Antivirus

[This article was contributed by tummy.com]

With the purchase of RAV by Microsoft, many Linux email providers and ISPs are looking for an affordable, reliable replacement for RAV Antivirus.

Kevin Fenzi, Senior Member Technical Staff of tummy.com, ltd. and the co-author of the Linux Security HOWTO, has reviewed some of the currently available alternatives.

Kevin evaluated the alternatives on several different criteria, including Pricing policy (unlimited use is better than a per-domain or per-user price), broad support for Mail Transport Agents, and ease of installation and configuration.

Criteria Used:

  • Pricing policy: Unlimited use got the highest score. Per-domain pricing was next best, and per-user pricing was last. Those products that did not have pricing information on their website received no score in this category.

  • Support for MTAs: A point was awarded for each of the popular Mail Transport Agents supported (Qmail, Postfix, Exim, SuSE, Sendmail+Milters, Sendmail, Dmail).

  • Ease of Installation: Is the product easy to download and install?

  • Ease of Configuration: Is the product easy to configure with your local MTA?

  • Scores are on a 'bad, fair, good, excellent' scale.

Read the full article here.

Comments (10 posted)

New vulnerabilities

gtksee: buffer overflow

Package(s): gtksee    CVE #(s): CAN-2003-0444
Created: June 30, 2003    Updated: July 11, 2003
Description: Viliam Holub discovered a bug in gtksee whereby, when loading PNG images of certain color depths, gtksee would overflow a heap-allocated buffer. This vulnerability could be exploited by an attacker using a carefully constructed PNG image to execute arbitrary code when the victim loads the file in gtksee.
Alerts:
Gentoo 200307-05 2003-07-11
Debian DSA-337-1 2003-06-29
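As an added example (not code from gtksee or from the advisory), here is the defensive calculation a PNG decoder has to make before allocating a scanline buffer: the number of bytes per row depends on the image's bit depth and channel count, so a buffer sized on the assumption of one depth is too small for another. `png_row_bytes`, `naive_rgb8_row_bytes` and `alloc_png_row` are constructed names; the arithmetic follows the PNG scanline layout of one filter-type byte followed by ceil(width * channels * bit_depth / 8) sample bytes, and every multiplication is checked before it is performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The sample depths PNG allows. Which of them a given colour type permits
 * (for example, 16 bits is not valid for palette images) is a further check
 * that a real decoder makes on the header. */
static int valid_bit_depth(unsigned bit_depth)
{
    return bit_depth == 1 || bit_depth == 2 || bit_depth == 4 ||
           bit_depth == 8 || bit_depth == 16;
}

/* Bytes needed for one scanline: 1 filter-type byte followed by
 * ceil(width * channels * bit_depth / 8) sample bytes. Returns 0 and stores
 * the size in *out, or -1 when a parameter is invalid or the size would not
 * fit in size_t. The overflow checks run before the arithmetic that could
 * overflow, so no wrapped intermediate value is ever used. */
static int png_row_bytes(uint32_t width, unsigned channels, unsigned bit_depth, size_t *out)
{
    if (width == 0 || channels == 0 || channels > 4 || !valid_bit_depth(bit_depth))
        return -1;
    if ((size_t)width > SIZE_MAX / channels / bit_depth)
        return -1;                      /* width * channels * bit_depth would overflow */
    size_t bits = (size_t)width * channels * bit_depth;
    if (bits > SIZE_MAX - 7)
        return -1;                      /* the round-up to whole bytes would overflow */
    *out = (bits + 7) / 8 + 1;
    return 0;
}

/* The shortcut that goes wrong for "certain colour depths": sizing the row
 * for 8-bit RGB regardless of what the header says. For a 16-bit RGB image
 * the real row is almost twice as long, and a decoder that writes a decoded
 * row into a buffer of this size overflows it. */
static size_t naive_rgb8_row_bytes(uint32_t width)
{
    return (size_t)width * 3 + 1;
}

/* Allocate a row buffer sized from the header fields, or return NULL. */
static unsigned char *alloc_png_row(uint32_t width, unsigned channels, unsigned bit_depth)
{
    size_t n;
    if (png_row_bytes(width, channels, bit_depth, &n) != 0)
        return NULL;
    return malloc(n);
}
```

For a 4-pixel-wide 16-bit RGB image the checked calculation gives 25 bytes, while the 8-bit assumption gives 13; the decoder's write of a full row into the smaller buffer is exactly the heap overflow class described above, and the header-driven size is what prevents it.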

Comments (none posted)

imagemagick: insecure temporary file

Package(s): imagemagick    CVE #(s): CAN-2003-0455
Created: June 30, 2003    Updated: July 10, 2003
Description: There are circumstances in which imagemagick's libmagick library creates temporary files without taking appropriate security precautions. This vulnerability could be exploited by a local user to create or overwrite files with the privileges of another user who is invoking a program using this library.
Alerts:
OpenPKG OpenPKG-SA-2003.034 2003-07-10
Debian DSA-331-1 2003-06-27

Comments (none posted)

PHP: Cross site scripting vulnerability

Package(s): PHP    CVE #(s): CAN-2003-0442
Created: July 2, 2003    Updated: August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Mandrake MDKSA-2003:082-1 2003-08-12
Mandrake MDKSA-2003:082 2003-08-04
Yellow Dog YDU-20030710-2 2003-07-10
Debian DSA-351-1 2003-07-16
Conectiva CLA-2003:691 2003-07-08
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Red Hat RHSA-2003:204-01 2003-07-02

Comments (none posted)

phpbb: sql injection

Package(s): phpbb    CVE #(s): CAN-2003-0486
Created: June 28, 2003    Updated: July 2, 2003
Description: An SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter.
Alerts:
Gentoo 200306-15 2003-06-28

Comments (none posted)

proftpd: SQL injection

Package(s): proftpd    CVE #(s):
Created: June 30, 2003    Updated: June 30, 2003
Description: runlevel [runlevel@raregazz.org] reported that ProFTPD's PostgreSQL authentication module is vulnerable to a SQL injection attack. This vulnerability could be exploited by a remote, unauthenticated attacker to execute arbitrary SQL statements, potentially exposing the passwords of other users, or to connect to ProFTPD as an arbitrary user without supplying the correct password.
Alerts:
Debian DSA-338-1 2003-06-29

Comments (none posted)

tcptraceroute: problems dropping root privileges

Package(s): tcptraceroute    CVE #(s): CAN-2003-0489
Created: June 28, 2003    Updated: July 10, 2003
Description: tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets. This may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute.
Alerts:
Gentoo 200306-14 2003-06-28
Debian DSA-330-1 2003-06-23

Comments (none posted)

unzip: directory traversal vulnerability

Package(s): unzip    CVE #(s): CAN-2003-0282
Created: July 1, 2003    Updated: November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
SCO Group CSSA-2003-031.0 2003-11-07
Debian DSA-344-2 2003-08-26
Slackware SSA:2003-237-01 2003-08-25
Mandrake MDKSA-2003:073-1 2003-08-19
Conectiva CLA-2003:724 2003-08-18
Red Hat RHSA-2003:199-02 2003-08-15
Yellow Dog YDU-20030710-1 2003-07-10
Gentoo 200307-02 2003-07-11
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Debian DSA-344-1 2003-07-08
Mandrake MDKSA-2003:073 2003-07-07
Conectiva CLA-2003:672 2003-07-02
Immunix IMNX-2003-7+-017-01 2003-07-02
Red Hat RHSA-2003:199-01 2003-07-01
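An added example (not unzip's code) of the ordering mistake the description above amounts to: if the traversal check is applied to the raw member name and the non-printable bytes are stripped afterwards, a name such as `.\x01./x` passes the check and then becomes `../x` by the time the file is created. The fix is to check the name that will actually be used. `strip_nonprintable`, `has_traversal` and the two `accept_*` functions are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Drop non-printable bytes from a member name, writing the result to dst
 * (dstlen includes the terminating NUL). Constructed clean-up step. */
static void strip_nonprintable(const char *src, char *dst, size_t dstlen)
{
    size_t j = 0;
    for (; *src != '\0' && j + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        if (isprint(c))
            dst[j++] = (char)c;
    }
    dst[j] = '\0';
}

/* True if the name is absolute or any '/'-separated component is "..". */
static bool has_traversal(const char *name)
{
    if (name[0] == '/')
        return true;
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (end == NULL)
            return false;
        p = end + 1;
    }
}

/* Vulnerable order: check the raw name, then clean it. The cleaned name,
 * which is the one used to create the file, was never checked, so
 * ".\x01./x" is accepted and comes out as "../x". */
static bool accept_check_then_filter(const char *raw, char *out, size_t outlen)
{
    if (has_traversal(raw))
        return false;
    strip_nonprintable(raw, out, outlen);
    return true;
}

/* Fixed order: produce the name that will be used first, then check that. */
static bool accept_filter_then_check(const char *raw, char *out, size_t outlen)
{
    strip_nonprintable(raw, out, outlen);
    return !has_traversal(out);
}
```

A stricter policy, which avoids the question entirely, is to reject any member name containing non-printable bytes rather than repairing it; either way, the rule is that validation runs on the final form of the name, and a real extractor additionally confirms that the resolved path still lies inside the destination directory.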

Comments (none posted)

xgalaga: buffer overflows

Package(s): xgalaga    CVE #(s): CAN-2003-0454
Created: June 30, 2003    Updated: July 2, 2003
Description: Steve Kemp discovered several buffer overflows in the game xgalaga, which can be triggered by a long HOME environment variable. This vulnerability could be exploited by a local attacker to gain gid 'games'.
Alerts:
Debian DSA-334-1 2003-06-28

Comments (none posted)

Updated vulnerabilities

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind glibc    CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002    Updated: October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries


Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s): canna    CVE #(s): CAN-2002-1158 CAN-2002-1159
Created: December 10, 2002    Updated: October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information or to cause a denial of service. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt


Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

CUPS: vulnerability in the CUPS IPP implementation

Package(s): cups    CVE #(s): CAN-2003-0195
Created: May 27, 2003    Updated: July 22, 2003
Description: Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Conectiva CLA-2003:702 2003-07-22
Gentoo 200306-09 2003-06-14
Debian DSA-317-1 2003-06-11
SuSE SuSE-SA:2003:028 2003-06-06
Yellow Dog YDU-20030602-3 2003-06-02
Mandrake MDKSA-2003:062 2003-05-29
Slackware ssa:2003-149-01 2003-05-29
Red Hat RHSA-2003:171-01 2003-05-27

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 30, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnocatan: buffer overflows, denial of service

Package(s):gnocatan CVE #(s):CAN-2003-0433
Created:June 12, 2003 Updated:June 28, 2003
Description: Bas Wijnen discovered that the gnocatan server is vulnerable to several buffer overflows which could be exploited to execute arbitrary code on the server system.
Alerts:
Gentoo 200306-17 2003-06-28
Debian DSA-315-1 2003-06-11

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 16, 2003 Updated:November 18, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Conectiva CLA-2003:690 2003-07-08
SuSE SuSE-SA:2003:0008 2003-02-18
Debian DSA-229-2 2003-01-15

Comments (1 posted)

kde: arbitrary code execution

Package(s):kde CVE #(s):CAN-2003-0204
Created:April 10, 2003 Updated:June 30, 2003
Description: The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such a malicious file and has file previews enabled.

An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possibly other means.

Alerts:
Conectiva CLA-2003:668 2003-06-30
Red Hat RHSA-2003:002-01 2003-05-12
Debian DSA-296-1 2003-04-30
Mandrake MDKSA-2003:049-1 2003-04-24
SuSE SuSE-SA:2003:0026 2003-04-24
Debian DSA-293-1 2003-04-23
Slackware sl-1050682024 2003-04-18
Mandrake MDKSA-2003:049 2003-04-17
Sorcerer SORCERER2003-04-12 2003-04-12
Debian DSA-284-1 2003-04-12
Gentoo 200304-05 2003-04-11
Gentoo 200304-04 2003-04-10

Comments (none posted)

kernel - ptrace-related vulnerability

Package(s):kernel CVE #(s):CAN-2003-0127
Created:March 17, 2003 Updated:June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix.
Alerts:
Debian DSA-336-2 2003-06-29
Debian DSA-336-1 2003-06-29
Debian DSA-332-1 2003-06-27
Red Hat RHSA-2003:098-03 2003-06-02
SCO Group CSSA-2003-020.0 2003-05-09
Mandrake MDKSA-2003:038-1 2003-04-09
Red Hat RHSA-2003:135-00 2003-04-08
Conectiva CLA-2003:618 2003-04-07
Debian DSA-276-1 2003-04-03
Mandrake MDKSA-2003:039 2003-03-27
Mandrake MDKSA-2003:038 2003-03-27
Debian DSA-270-1 2003-03-27
SuSE SuSE-SA:2003:021 2003-03-25
Gentoo 200303-17 2003-03-21
Sorcerer SORCERER2003-03-19 2003-03-20
Red Hat RHSA-2003:088-01 2003-03-20
EnGarde ESA-20030318-009 2003-03-18
Trustix 2003-0007 2003-03-18
Red Hat RHSA-2003:098-00 2003-03-17

Comments (none posted)

kernel 2.4 - two new vulnerabilities

Package(s):kernel CVE #(s):CAN-2003-0244 CAN-2003-0246
Created:May 14, 2003 Updated:July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Mandrake MDKSA-2003:066-2 2003-07-25
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-1 2003-07-21
Mandrake MDKSA-2003:074 2003-07-15
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:066 2003-06-11
Debian DSA-312-1 2003-06-09
Debian DSA-311-1 2003-06-08
Red Hat RHSA-2003:187-01 2003-06-03
Red Hat RHSA-2003:145-01 2003-05-27
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:172-00 2003-05-14

Comments (2 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

kopete: vulnerability in GnuPG plugin

Package(s):kopete CVE #(s):CAN-2003-0256
Created:May 8, 2003 Updated:June 27, 2003
Description: A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete is a KDE instant messenger client. This vulnerability is in the GnuPG plugin that allows users to send each other GPG-encrypted instant messages. The plugin passes encrypted messages to gpg, but does no checking to sanitize the command line passed to gpg. This can allow remote users to execute arbitrary code, with the permissions of the user running kopete, on the local system.
Alerts:
Conectiva CLA-2003:665 2003-06-27
Gentoo 200305-03 2003-05-14
Mandrake MDKSA-2003:055 2003-05-08

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to games uid.

Read the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Debian DSA-350-1 2003-07-15
Debian DSA-316-3 2003-06-17
Debian DSA-316-2 2003-06-11
Debian DSA-316-1 2003-06-11
Gentoo 200302-08 2003-02-18

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

noweb: insecure temporary files

Package(s):noweb CVE #(s):CAN-2003-0381
Created:June 17, 2003 Updated:June 28, 2003
Description: Jakob Lell discovered a bug in the 'noroff' script included in noweb whereby a temporary file was created insecurely. During a review, several other instances of this problem were found and fixed. Any of these bugs could be exploited by a local user to overwrite arbitrary files owned by the user invoking the script.
Alerts:
Gentoo 200306-16 2003-06-28
Debian DSA-323-1 2003-06-16

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

Alerts:
Conectiva CLA-2003:693 2003-07-10
Mandrake MDKSA-2003:017-1 2003-04-28
Red Hat RHSA-2003:035-10 2003-02-12

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

radiusd-cistron: possible remote system compromise

Package(s):radiusd-cistron CVE #(s):CAN-2003-0450
Created:June 13, 2003 Updated:July 11, 2003
Description: The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.
Alerts:
Gentoo 200307-03 2003-07-11
Conectiva CLA-2003:664 2003-06-27
Debian DSA-321-1 2003-06-13
SuSE SuSE-SA:2003:030 2003-06-13

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):vixie-cron CVE #(s):CVE-2001-0559
Created:April 17, 2003 Updated:October 3, 2003
Description: From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root."

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

Alerts:
Conectiva CLA-2003:758 2003-10-03
Conectiva CLA-2003:757 2003-10-03
Conectiva CLA-2003:628 2003-04-17

Comments (none posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
SCO Group CSSA-2003-035.0 2003-11-17
Debian DSA-319-1 2003-06-12

Comments (none posted)

wget: directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xbl: buffer overflows

Package(s):xbl CVE #(s):CAN-2003-0451 CAN-2003-0535
Created:June 20, 2003 Updated:July 9, 2003
Description: Steve Kemp discovered several buffer overflows in xbl, a game, which can be triggered by long command line arguments. This vulnerability could be exploited by a local attacker to gain gid 'games'. This has been assigned CVE # CAN-2003-0451.

Another buffer overflow was discovered in xbl which could also be exploited by a local attacker to gain gid 'games'. This has been assigned CVE # CAN-2003-0535.

Alerts:
Debian DSA-345-1 2003-07-08
Debian DSA-327-1 2003-06-19

Comments (none posted)

xterm: command execution and denial of service

Package(s):XFree86 xterm CVE #(s):CAN-2001-1409 CAN-2002-1472 CAN-2002-0164 CAN-2003-0063 CAN-2003-0071
Created:June 25, 2003 Updated:July 2, 2003
Description: A couple of new vulnerabilities have been found in the xterm application shipped with XFree86. There is yet another "execute arbitrary commands by setting the window title" vulnerability, along with a bug which can allow an attacker to lock up an xterm window.
Alerts:
Red Hat RHSA-2003:067-02 2003-07-01
Red Hat RHSA-2003:064-01 2003-06-25
Red Hat RHSA-2003:067-01 2003-06-25
Red Hat RHSA-2003:066-01 2003-06-25

Comments (none posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s):xinetd CVE #(s):CAN-2003-0211
Created:May 13, 2003 Updated:November 13, 2003
Description: Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers.

Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable.

In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.

All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.

Alerts:
Conectiva CLA-2003:782 2003-11-12
Yellow Dog YDU-20030602-1 2003-06-02
Gentoo 200305-08 2003-05-19
Mandrake MDKSA-2003:056 2003-05-14
Red Hat RHSA-2003:160-01 2003-05-13

Comments (none posted)

Xpdf - command execution vulnerability

Package(s):Xpdf CVE #(s):CAN-2003-0434
Created:June 18, 2003 Updated:July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Alerts:
Mandrake MDKSA-2003:071-1 2003-07-23
Yellow Dog YDU-20030723-1 2003-07-23
Red Hat RHSA-2003:196-02 2003-07-17
Conectiva CLA-2003:674 2003-07-04
Mandrake MDKSA-2003:071 2003-06-27
Gentoo 200306-11 2003-06-25
Yellow Dog YDU-20030620-1 2003-06-20
Red Hat RHSA-2003:196-01 2003-06-18

Comments (none posted)

ypserv: denial of service

Package(s):ypserv CVE #(s):CAN-2003-0251
Created:June 25, 2003 Updated:July 11, 2003
Description: From the Red Hat advisory: "A vulnerability has been discovered in the ypserv NIS server prior to version 2.7. If a malicious client queries ypserv via TCP and subsequently ignores the server's response, ypserv will block attempting to send the reply. This results in ypserv failing to respond to other client requests." The fix is to upgrade to version 2.8.0.
Alerts:
Gentoo 200307-04 2003-07-11
Yellow Dog YDU-20030627-1 2003-06-27
Mandrake MDKSA-2003:072 2003-06-27
Red Hat RHSA-2003:173-01 2003-06-25

Comments (none posted)

Resources

Linux Advisory Watch

The June 27 issue of the Linux Advisory Watch newsletter from LinuxSecurity.com is available.

Full Story (comments: none)

Linux Security Week

The June 30 issue of the Linux Security Week newsletter from LinuxSecurity.com is available.

Full Story (comments: none)

Events

NEbraskaCERT Conference

NEbraskaCERT is holding the 5th annual NEbraskaCERT conference, the leading Security Conference in the midwest. The conference will be held August 5 - 7, 2003 at the Peter Kiewit Institute, Scott Conference Center, Omaha, NE USA.

Comments (none posted)

Page editor: Rebecca Sobol

Kernel development

A Note to Kernel Page Readers

For the next two weeks, the normal Kernel Page editor will be away having a good time on the beach. Please bear with your temporary guest editor as he tries to make sense of the complexities of the Linux Kernel development process. A few of the below patches may be mis-categorized.

Comments (none posted)

Brief items

Kernel release status

The current development kernel is 2.5.74, which was released by Linus on July 2. The summary says: "Updates all over, the patch itself is big largely because of a MIPS/MIPS64 merge (and SH, for that matter). Network driver updates, USB updates, PnP, SCTP, s390, you name it. See the changelog for more details."

The current stable kernel is 2.4.21.

Marcelo has released the second 2.4.22 prepatch. This one includes some network driver updates, a big aic7xxx update, and many other fixes.

Comments (none posted)

Status 2.5

Guillaume Boissiere has posted a 2.5 status summary.

Full Story (comments: none)

2.5.73-mm3 Released

Andrew Morton has released 2.5.73-mm3.

Full Story (comments: none)

Kernel development news

perfctr-2.6.0-pre1 released

Mikael Pettersson has released a new version of perfctr, the Linux/x86 performance monitoring counters driver.

Full Story (comments: none)

Driver porting

Using read-copy-update

This article is part of the LWN Porting Drivers to 2.6 series.
Read-copy-update (RCU) is a mutual exclusion technique which can operate without locking most of the time. It can yield significant performance benefits when the data to be protected is accessed via a pointer, is read frequently, changed rarely, and references to the structure are not held while a kernel thread sleeps. The core idea behind RCU is that, when the data requires updating, a pointer to a new structure containing the new data can be stored immediately. The old structure containing the outdated data can then be freed at leisure, after it is certain that no process in the system holds a reference to that structure. For details on the ideas behind RCU, see this LWN article, or (for many details) this paper. Just don't ask SCO, even though they claim to own the technique.

The first step in using RCU within a subsystem is to define a structure containing the data to be protected. Often that structure already exists; for example, RCU has been retrofitted into the dentry cache (using struct dentry), the network routing cache (struct rtable), and several other, similar contexts. The structures need to be allocated dynamically and accessed via a pointer - RCU cannot be used with static structures.

Code which reads data structures protected by RCU need only take a couple of simple precautions:

  • A call to rcu_read_lock() should be made before accessing the data, and rcu_read_unlock() should be called afterward. This call disables preemption (and does nothing else) - a fast but necessary operation for RCU to work properly. These calls (along with the rest of the RCU definitions) are found in <linux/rcupdate.h>.

  • The code must not sleep while the "RCU read lock" is held.

Thus, code which reads an RCU-protected data structure will look something like:

    struct my_stuff *stuff;

    rcu_read_lock();
    stuff = find_the_stuff(args...);
    do_something_with(stuff);       /* Cannot sleep */
    do_something_else_with(stuff);  /* ditto        */
    rcu_read_unlock();

The write side of RCU is a little more complicated, but not that difficult. To update a data structure, the code starts by allocating a new copy of that structure, and filling in the new information. The code should then replace the pointer to the outdated structure with the new one, keeping a copy of the old pointer. After this operation, kernel code running on any other processor will find the new version of the structure. The old one cannot yet be freed, however, since it is possible that another processor is still using it.

The code should arrange to dispose of the old structure when it is known that it cannot be referenced anywhere else in the system. That is done through a call to call_rcu():

    void call_rcu(struct rcu_head *head, 
                  void (*func)(void *arg),
                  void *arg);

The calling code must provide an rcu_head structure, but need not initialize it in any way. Usually, that structure is embedded within the larger structure protected by RCU. The function func will be called when the structure can be safely freed, with arg as its one argument. All that func need do, normally, is call something like kfree() to free up the structure.

The RCU algorithm works by waiting until every processor in the system has scheduled at least once. Since the rules require that references to RCU-protected structures cannot be held over sleeps, no processor can possibly hold a reference to an old structure after it has scheduled. When all processors have scheduled (after the pointer change), references to the old structure cannot exist, and the structure can be freed.

For what it's worth, the RCU code exports the "wait for everybody to schedule" functionality, should it be useful elsewhere. To perform this wait, one need only make a call to synchronize_kernel().
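The read side and update side together, as an added user-space model that is not kernel code and not part of the article: the rcu_read_lock(), rcu_read_unlock(), call_rcu() and synchronize_kernel() here are stand-ins that only imitate the kernel's behaviour (a reader count instead of preempt_disable(), an explicit grace-period call instead of waiting for every CPU to schedule) so the pattern can be compiled and exercised outside the kernel; struct my_stuff, read_value() and update_value() are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's struct rcu_head (constructed for this model). */
struct rcu_head {
    struct rcu_head *next;
    void (*func)(void *arg);
    void *arg;
};

/* The RCU-protected structure: allocated dynamically, reached only through
 * a pointer, with the rcu_head embedded so the callback can free it. */
struct my_stuff {
    int value;
    struct rcu_head rcu;
};

static struct my_stuff *current_stuff;  /* the pointer readers follow */
static struct rcu_head *pending;        /* callbacks waiting for a grace period */
static int readers_active;              /* model of "a CPU is inside a read section" */
static int freed_count;                 /* stale copies reclaimed so far */

/* In the kernel these only disable/enable preemption; the model counts readers. */
static void rcu_read_lock(void)   { readers_active++; }
static void rcu_read_unlock(void) { readers_active--; }

/* Same shape as the 2.5 call_rcu(): queue func(arg) to run after a grace period. */
static void call_rcu(struct rcu_head *head, void (*func)(void *arg), void *arg)
{
    head->func = func;
    head->arg = arg;
    head->next = pending;
    pending = head;
}

/* Model of "every processor has scheduled once".  The kernel blocks until that
 * is true; this model instead refuses (returns -1) while any reader is still
 * inside a read section, and otherwise runs every queued callback. */
static int synchronize_kernel(void)
{
    struct rcu_head *h;
    if (readers_active)
        return -1;      /* not a quiescent point: a reference may still be held */
    while ((h = pending) != NULL) {
        pending = h->next;
        h->func(h->arg);
    }
    return 0;
}

/* The RCU callback: all it needs to do is free the stale copy. */
static void free_stuff(void *arg)
{
    free(arg);
    freed_count++;
}

static void init_stuff(int value)
{
    current_stuff = malloc(sizeof(*current_stuff));
    current_stuff->value = value;
}

/* Read side: take the read lock, use the structure without sleeping, unlock. */
static int read_value(void)
{
    int v;
    rcu_read_lock();
    v = current_stuff->value;   /* must not sleep between lock and unlock */
    rcu_read_unlock();
    return v;
}

/* Update side: allocate a copy, fill it in, publish it, defer the free. */
static void update_value(int newval)
{
    struct my_stuff *old = current_stuff;
    struct my_stuff *fresh = malloc(sizeof(*fresh));
    fresh->value = newval;
    current_stuff = fresh;                  /* readers now see the new copy */
    call_rcu(&old->rcu, free_stuff, old);   /* old freed once no reader can hold it */
}

int main(void)
{
    init_stuff(1);
    update_value(2);
    printf("readers see %d, old copy still pending: %s\n",
           read_value(), pending ? "yes" : "no");
    synchronize_kernel();
    printf("after grace period: %d stale copy freed\n", freed_count);
    free(current_stuff);
    return 0;
}
```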

Comments (2 posted)

Patches and updates

Kernel trees

Build system

Core kernel code

Development tools

Device drivers

  • Andries.Brouwer@cwi.nl: cryptoloop. (July 2, 2003)

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Benchmarks and bugs

Miscellaneous

Page editor: Forrest Cook

Distributions

News and Editorials

New Debian-based Projects: Adamantix and Bonzai Linux

[This article was contributed by Ladislav Bodnar]

Adamantix and Bonzai Linux are two recently announced Debian-based projects. Both have changed their names since launch; Adamantix used to be known as Trusted Debian, while Bonzai Linux was originally called miniwoody. Let's take a brief look at these projects to see what they are about.

Adamantix http://www.adamantix.org/

The Adamantix project has set a goal to create a highly secure extension of Debian's stable branch. Because it lacks an installer, it is not a distribution which one can download and install independently; instead the project provides a small subset of Debian packages together with a set of Adamantix-specific security software that make the default Debian installation more secure and more resilient to malicious exploits. Peter Busser, who is the project's initiator and maintainer argues that while Linux security patches and features are actively being developed by several projects, the mainstream Linux distributions seem reluctant to incorporate them into their own products. Adamantix is an attempt to remedy this situation for Debian users.

Which security features can we find in Adamantix? One of the more important ones is its protection against buffer overflows. The term "buffer overflow" refers to a software bug, where a program either fails to allocate enough memory for an input string, or fails to test whether the length of the string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer and modify the values of nearby variables. This can cause the program to jump to unintended places, or even replace the program's instructions by arbitrary code. Buffer overflows are possibly the most common bugs found in software written in the C language and the subject of many security advisories.

One method to prevent buffer overflow bugs from being exploited is to patch the Linux kernel with PaX. PaX has too many features to mention them all, but the most important one lies in its ability to separate data from code. This prevents the attacker from overwriting data in overflowed buffers and having it executed as code. Another important feature is the ability of PaX to randomize the layout of a process's address space, as illustrated here by a stack randomization example. Linux systems not patched with PaX will allocate the same stack address to variables every time the program is executed. A malicious attacker exploiting a buffer overflow knows the address of the stack and knows exactly what gets overwritten by the malicious input. A PaX-enabled kernel allocates the stack address randomly every time the program is executed, so the attacker can never be sure what part of the stack gets overwritten. Besides the stack, PaX applies the same randomization to the heap, shared libraries and executable programs. As long as the attacker cannot figure out the randomization scheme, the effort at exploiting the known overflow is a hit-and-miss situation with odds heavily against the success of the attacker's intent.

Another important kernel patch used by Adamantix is RSBAC. RSBAC stands for Rule Set Based Access Control and, as the name implies, it is an access control framework designed for use with current Linux kernels. Again, its features are too numerous to detail here, but in essence, the RSBAC patch implements a detailed control mechanism for access to files, pipes, network sockets, system control data, devices, users and processes. It provides users with pre-made rules (conceptually similar to iptables rules), as well as methods for creating custom rules, some of which can go as far as eliminating the concept of a superuser - and associated risks. RSBAC also includes a powerful logging system which makes intrusion attempts easily detectable. RSBAC is an open source project, currently free of any patent issues, which sometimes plague other similar efforts.

Installing Adamantix on an existing Debian system (only the current stable version is supported) is done by modifying the sources.list file and pointing its sources to one of the mirrors; in fact many Debian mirrors now carry the complete Adamantix tree. As is the case with most new projects, the documentation on the site leaves a lot to be desired, but Adamantix provides mailing lists with active discussion and information about current development. The project certainly deserves the attention of security conscious system administrators and developers.

Bonzai Linux http://developer.berlios.de/projects/bonzai/

Developed by Marcus Moeller, Bonzai Linux is a modified version of the Debian "netinst" boot CD. The "netinst" CD was introduced shortly before the release of Debian GNU/Linux 3.0 (Woody) and was meant to replace the traditional Debian boot floppies, thus making the installation process less cumbersome. After loading the necessary network kernel modules, a user could initiate a network installation and get all the components from a local network or, more commonly, from a remote FTP or HTTP source.

Bonzai Linux expands on the idea by providing a basic Debian system, including the latest stable kernel and KDE packages, on the CD. It is no longer necessary to load kernel modules in the beginning; in fact, it is no longer necessary to have intimate knowledge of the hardware at hand - the "discover" utility is able to auto-detect all common hardware. This, together with a much simplified package selection menu (as opposed to the archaic and unintuitive "dselect"), greatly simplifies the installation procedure. Bonzai Linux can be used both as a stand-alone Linux distribution based on Debian Woody, but with the latest KDE, and as a more user-friendly Debian installer.

Adamantix and Bonzai Linux are specialist distributions, each suitable for a particular task or solving a particular problem. If some day you require a security solution for your Debian installation, take a close look at Adamantix, and if you need an easy-to-install Debian system, Bonzai Linux might be just the right tool for the job.

Comments (none posted)

A Lindows short story

Last week's article about Lindows inspired some comment. Even though the article stated, "It goes without saying that LindowsOS does not prevent security conscious users from setting up user accounts and passwords.", the perception exists that LindowsOS runs everything as root. That may have been true in version 1.0, but it is not true now.

The following story, subtitled Lindows saves the vacation, is a true story, told to me by LWN co-founder Elizabeth Coolbaugh (Liz). Liz was going on a vacation with both her mother and her daughter: three generations embarking on a trip to meet relatives in Europe. The night before she planned to leave there was a power outage in Liz's neighborhood. Since she was already packed, she took her daughter and headed to her parents' house early. Only when she arrived did she realize that an email with vital information was still on the mail server and had not been printed or copied.

Lindows to the rescue. Liz's father had just bought a brand new Lindows computer. He had usernames set up on the system because during setup he was told to do so. He set up a username for Liz and used Click-and-Run to find and install OpenSSH. Liz got to the mail server and found the email and the information contained therein.

So I, like most of you, have never run Lindows, but I do have it on good authority that setting up usernames and not running everything as root is the default behaviour for the current product.

Comments (2 posted)

Distribution News

Debian Weekly News

The Debian Weekly News for July 1, 2003 is out. This week: The South Australian government discusses a bill that requires government departments to use Free Software where practicable; British scientists found out that debugging in open source projects is always faster than in closed source projects; and much more.

Full Story (comments: none)

Gentoo Weekly Newsletter -- Volume 2, Issue 26

The Gentoo Weekly Newsletter for June 30, 2003 is out. This week's topics include: Gentoo Linux adopts a new management structure, a fork of Gentoo Linux is announced, GWN is seeking additional translators, and more.

Full Story (comments: none)

Lycoris Desktop/LX

Lycoris, Microtel and www.walmart.com have teamed together to bring back the $199 Desktop/LX powered PC. Click below for details.

Full Story (comments: none)

Mandrake Linux

HP has announced a desktop PC for small and medium businesses (SMB), the HP Compaq Business Desktop d220 Microtower, which offers Mandrake Linux v9.1 as a choice of operating system.

The XFS-related tools released with Mandrake Linux 9.1 were outdated at release. This update brings all of the XFS-related tools up to date, which provides better support for the XFS filesystem, fixes bugs, and offers other enhancements.

Comments (none posted)

MontaVista Linux

IDT and MontaVista Software announced the extension of a partnership to provide Linux support for the IDT Interprise family of integrated communications processors. MontaVista Linux Professional Edition 3.0 supports the IDT 79EB438 evaluation board that includes the IDT RC32438 Interprise PCI processor.

Full Story (comments: none)

Trustix Secure Linux

Trustix has released Trustix Secure Linux 2.0 (Cloud). Click below for details.

Full Story (comments: none)

Hitachi H8 Integrated Into uClinux

SnapGear, Inc. has released a technical paper describing its recently completed integration of support for the Hitachi H8 300S processor with the uClinux distribution.

Full Story (comments: none)

Red Hat Linux

Red Hat has an updated redhat-config-date package fixing a symlink-related bug, for Red Hat Linux 8.0 and Red Hat Linux 9.

Full Story (comments: none)

Slackware Linux

Slackware Linux: Some patches were applied to readline, similar to the ones applied previously to bash. See the slackware-current changelog for complete details.

Comments (none posted)

Yellow Dog Linux

Yellow Dog has updated redhat-config-date packages for Yellow Dog Linux 3.0.

Full Story (comments: none)

New Distributions

BSLinux

BSLinux, from Blue Sock Linux Solutions, is a GNU/Debian-based distribution with a very simple installation process based on KDE. It supports many partition types, including XFS, JFS, ReiserFS, VFAT, EXT2, and EXT3. It uses XML and provides many new viewpoints to the way things can be done. Beta 1 was released June 27, 2003.

Comments (1 posted)

LGIS GNU/Linux

LG Internet Solutions has announced the immediate availability of LGIS GNU/Linux 9. LGIS GNU/Linux is a Ximianized version of Red Hat Linux. (Found on GnomeDesktop).

Comments (none posted)

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v3.219 (Stable 3.x) with minor feature enhancements. "Changes: This Up2Date adds the "V4 Upgrade" functionality to the "System->Up2Date" menu."

Comments (none posted)

Coyote Linux

Coyote Linux has released v2.00-pre6 with major bugfixes. "Changes: Typos in the init scripts that would prevent static IP address configurations from working properly have been fixed. Code has been added to build a resolver config for DHCP clients so that the internal DHCP server will initialize properly. A bug in the firewalling code that would prevent NAT rulesets from being enabled for PPPoE configurations has been fixed." Then 2.00-beta2 was released with more bug fixes.

Comments (none posted)

Damn Small Linux

Damn Small Linux has released v0.3.11 with minor feature enhancements. "Changes: This release has PCMCIA support, and an experimental routine to grab Mozilla Firebird from the Internet and auto-install the browser while holding it in memory."

Comments (none posted)

MoviX2

MoviX2 has released v0.3.0rc2 with minor bugfixes. "Changes: This release has been done mainly to replace Microsoft's TrueType fonts with OpenSource similar fonts. A few bugs have been also fixed (ISA/SCSI module loading) and a few new features introduced (support for serial remotes and a way to set easily custom defaults for the boot args)."

Comments (none posted)

Pingwinek GNU/Linux

Pingwinek GNU/Linux has released v0.24 with minor feature enhancements. "Changes: This version features many new packages including Evolution, Conglomerate, Apache2, PPP, and others."

Comments (none posted)

Recovery Is Possible! (RIP)

Recovery Is Possible! (RIP) has released v56 with major feature enhancements. "Changes: All the included programs have been updated to the full versions, and the image viewer program zgv has been added. tmpfs is now used, so half of your system memory will be used as virtual disk space."

Comments (none posted)

RxLinux

RxLinux has released v1.4.5 with major feature enhancements. "Changes: This release rebuilds the root filesystem from sources following the Linux From Scratch 4.1 instructions and rebuilds the package selection interface."

Comments (none posted)

uClinux

uClinux has released Linux kernel patches, v2.4.21-uc0, with major feature enhancements. "Changes: Major changes were made to IDE support. A few additions were made to the "asm" include directories, and basic testing was performed on the 68328/Coldfire/ARM/SuperH and H8300. IDE was also tested on the Coldfire 5249."

Comments (none posted)

Distribution reviews

Getting to Know Debian (SitePoint)

Jono Bacon has written an article introducing Debian. "The Debian project is entirely volunteer-run and doesn't seek to generate profit. This essentially means that, while the will is there to continue to improve Debian, the project will always progress, irrespective of economic matters." (Found on Debian Planet)

Comments (none posted)

Page editor: Rebecca Sobol

Development

SCons, a Software Construction Tool

SCons is a software build tool that is intended to replace the common utility Make. It is loosely based on CONS, another build tool.

The SCons FAQ page says: "SCons is implemented as a Python script and set of modules, and SCons "configuration files" are actually executed as Python scripts. This gives SCons many powerful capabilities not found in other software build tools."

Some of the SCons features include:

  • Cross-platform operation.
  • Python-based configuration scripts for solving software build problems with a powerful language.
  • Automatic dependency analysis, no need for make depend/make clean.
  • Support for C, C++, FORTRAN, Java, Yacc, and Lex.
  • Extensible, support for other languages and file types can be added.
  • Support for fetching files via SCCS, RCS, CVS, BitKeeper and Perforce.
  • Works with timestamps and MD5 signatures.
  • Better parallel build support compared to Make.
  • Built-in Autoconf-like support for working with #include files, libraries, functions and typedefs.
  • Global view of all dependencies, multiple build passes are not necessary.
  • Can share pre-built files in a cache, this speeds up multiple builds.
SCons is divided into three source packages.
  • scons: The basic SCons installation and utility tools.
  • scons-local: A component that is intended to be included with other software packages that are built using SCons.
  • scons-src: The complete SCons source distribution tree, useful for those who wish to build SCons itself.
A number of different companies and projects are now using SCons for building software.

For more information, see the online SCons Documentation. Downloads of SCons are available on the SCons page at SourceForge. SCons has been released under the MIT license.

Version 0.90 has been released; the authors claim that, due to their software building methodology, SCons is already quite stable. A 1.0 release is coming soon. Maybe it's time for someone to try setting the Linux kernel up to build under SCons.

Comments (none posted)

System Applications

Audio Projects

Linux Audio Workstation 1.1 released

The Linux Audio Workstation distribution has released version 1.1, named "message in a bottle". This release works with RedHat 7.2, 8.0, and 9 and features ALSA upgrades, documentation pages for all audio applications, and more.

Full Story (comments: none)

Database Software

JDO Persistence, Part 2 (O'ReillyNet)

O'Reilly continues its excerpt series on JDO persistence with part two. "In part two in this three-part series of excerpts on JDO persistence from Java Database Best Practices, author George Reese covers basic JDO persistence best practices for transaction management and query control."

Comments (none posted)

MySQL FULLTEXT Searching (O'ReillyNet)

Joe Stump shows how to do FULLTEXT searching with MySQL. "Have you ever wanted to search text stored in your database, but couldn't figure out how to do it efficiently? Are you lazy like me and don't enjoy maintaining reverse indexes, dictionaries, and word scores? You're in luck. The release of MySQL 4.0 has made searching text stored in databases available to the masses."

Comments (none posted)

PostgreSQL Weekly News

The June 26, 2003 edition of the PostgreSQL Weekly News has been published with the week's roundup of PostgreSQL database news.

Full Story (comments: none)

Mail Software

SpamAssassin Milter 0.2.0 released

Version 0.2.0 of the SpamAssassin Milter Plugin is available. The change summary says: "Lots of new features: Spam can be redirected to a separate email address. Arbitrary netblocks can be excluded from scanning. You can now pass custom arguments to spamc without recompiling. Sends extra headers to spamc to mimic the ones the local sendmail adds. The manpage should now be readable on all OSes. And some minor bugfixes concerning messages with no headers and localhost mail submission."

Comments (none posted)

Defending Your Site Against Spam (O'Reilly)

Dru Nelson discusses Spam filtering on O'Reilly. "Like so many other people out on the Internet, I get unsolicited commercial email or "spam". Until recently, I could handle spam by just deleting it or using email aliases. Unfortunately, my server was rendered useless by a spam attack launched by an unknown spammer. The experience forced me to improve my spam defenses. In two articles, I will share the research and results of my effort to implement an anti-spam system. In this first installment, I will briefly cover various anti-spam systems and the system I chose, a network level defense. In the next installment, I'll dig deeper into the details of an implementation with qmail. (The information is general enough that it could be applied to other email systems such as Postfix or Sendmail.)"

Comments (none posted)

Medical Software

OpenEMR 2.0.0 Release (LinuxMedNews)

Version 2.0.0 of OpenEMR has been released. "OpenEMR is a modular, HIPAA compliant, Open Source, cross-platform Electronic Medical Records system (EMRS) developed by Synitech Incorporated. OpenEMR runs under Apache or IIS, PHP and MySQL, and includes advanced authorization and auditing functionality, automatic timeouts, group-based user configuration, extensive logging, and supports patient-requested file changes."

Comments (none posted)

Networking Tools

Network programming with the Twisted framework, Part 1 (IBM developerWorks)

David Mertz looks at Twisted on IBM's developerWorks. "Twisted is an increasingly popular pure-Python framework for programming network services and applications. While there are a large number of loosely coupled modular components within Twisted, a central concept to the framework is the idea of non-blocking asynchronous servers. In this article, David introduces you to this style of programming -- a novel one for developers accustomed to threading or forking servers, but one capable of great efficiency under heavy loads."

Comments (none posted)

Printing

LinuxPrinting.org news

The latest changes on LinuxPrinting.org include support for the Canon LBP-470, HP OfficeJet 4105, HP OfficeJet 4115, HP OfficeJet 4110, and HP PSC 2175 printers, and improvements to the Samsung GDI printer driver.

Comments (none posted)

Security

Sussen 0.4 released

Version 0.4 of Sussen, a client for the Nessus security scanner, has been released. This release adds an embedded MySQL server backend, customizable report generation capabilities, bug fixes, and more.

Full Story (comments: none)

Web Site Development

mnoGoSearch 3.2.12 released

Version 3.2.12 of mnoGoSearch, a web site search engine, has been released. This release features the ability to create and drop the database structure, as well as several bug fixes. See the Change Log document for details.

Comments (none posted)

Issue Handler 0.8.16 released (ZopeMembers)

Version 0.8.16 of Issue Handler, an information management application for Zope, has been released. "This release features minor feature enhancements".

Comments (none posted)

Scratchy 0.5.1 released

Scratchy is a Python-based Apache log file report generator. "Scratchy is a set of scripts to parse Apache web server log files and extract useful information. From this data, Scratchy will create HTML reports so that website administrators can easily view the information and determine trends and their typical audience."

Comments (none posted)

Silva 0.9.2 released! (ZopeMembers)

ZopeMembers has an announcement for Silva release 0.9.2. The list of new features includes: a revised user interface, a new metadata architecture, text is now stored as unicode, indexing is now done with the Zope catalog, and performance improvements.

Comments (none posted)

Top Ten Tomcat Configuration Tips (O'ReillyNet)

Jason Brittain and Ian F. Darwin write about the configuration of Tomcat on O'Reilly. "Now that writing Java web applications has become a common way to create and deploy new web content, people around the globe are finding the Jakarta Tomcat servlet and JSP container useful. It's free, it's multiplatform, it's rich in features, it's rapidly evolving and improving, and it's never been more popular."

Comments (none posted)

ZShellScripts v0.41 is out with Ruby support (ZopeMembers)

Version 0.41 of ZShellScripts has been announced. "ZShellScripts unifies the Zope notion of scripting by allowing scripts to be written in a bunch of different languages. This version features Ruby support, meaning that you can now write scripts in Python, Perl, Ruby, PHP, Lisp, or Bash and have them executed from within Zope, with a more or less semi-transparent access to Zope objects and variables."

Comments (none posted)

Zope 2.6.2 Beta 3 Released (ZopeMembers)

Version 2.6.2 Beta 3 of Zope has been released. Changes include bug fixes, Python 2.2 compatibility fixes, several back-port fixes, and more.

Comments (none posted)

ZTimeReg 1.0 Released (ZopeMembers)

ZTimeReg is a Zope product that lets employees register time spent on customers and projects. Version 1.0 stable was just released.

Comments (none posted)

ZWiki 0.20.0 released (ZopeMembers)

Version 0.20.0 of Zwiki, a Zope-based Web Wiki, has been released. The change summary says: "Simpler page types, smarter message handling, auto subscription option; mail, skin and miscellaneous bugfixes; python 2.1 or greater now required."

Comments (none posted)

Web Services

High-impact Web tier clustering, Part 1 (IBM developerWorks)

Sing Li looks at several Java-based web services packages on IBM's developerWorks. "As the J2EE platform has matured, it has opened up the opportunity to deploy commodity servers in networked cluster configurations for scaling of Web services and Web applications at the Web tier. These commodity servers, interconnected through commodity LAN hardware, can provide cost-effective clustering solutions. The last piece of the clustering puzzle is in the software. In this series, Sing Li examines three open source software substrates that can enable high-impact Web tier clustering, beginning with JavaGroups."

Comments (none posted)

Miscellaneous

Gled 1.2.0 released

Version 1.2.0 of Gled is available. "Gled is an implementation of a hierarchic server-proxy-client-viewer model written in C++ and offering a mixture of object oriented framework and toolkit." The Gled status page says: "Gled v1.2 is a functional base upon which higher-level functionality can be built. Minimal changes in the core implementation are expected. Gled as an OO framework/toolkit is stable enough to allow development of user classes and applications."

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 0.9 beta 1 released

A Slackware Linux package for version 0.9 beta 1 of Ardour, a multi-track audio recording application, has been released. This is the initial release of Ardour. "I am happy to announce that the first public tarball release of Ardour, numbered 0.9beta1, is now available for download. This is very much a beta release; there are still many bugs to be fixed before the 1.0 release scheduled for late July/early August."

Full Story (comments: none)

BEAST/BSE 0.5.3 released

Version 0.5.3 of BEAST/BSE, the Bedevilled Audio SysTem and the Bedevilled Sound Engine, is available. BSE is "a library for music composition, audio synthesis and sample manipulation". "This new development series of BEAST comes with a lot of the internals redone, many new GUI features and a sound generation back-end separated from any GUI activities. The most outstanding new features are the track editor which allows for easy selection of synthesizers or samples as track sources, loop support and unlimited UnDo/ReDo capabilities."

Full Story (comments: none)

Glame 1.0.1 released

Version 1.0.1 of Glame, an audio editor, is available. This release adds support for importing mp3 and Ogg Vorbis audio files.

Comments (none posted)

Desktop Environments

KDE Traffic #56 is Out

Issue #56 of KDE Traffic is out. The KDE.News summary says: "This week we have some news about LinuxTag, a fun and interesting little contest that I hope a certain developer has a sense of humor about, some news about KOffice (thanks Jürgen!) and more."

Comments (none posted)

KDE-CVS-Digest

The June 27, 2003 KDE-CVS-Digest is out. Here's the summary: "Multimedia gets some attention, with fixes to aRts and artsbuilder. KGhostview now has a full screen mode. Work starts on a BIDI mode for Kate. Cervisia, the GUI frontend for CVS, now has an SSH password authentication dialog. KMail encryption plugins as well as IMAP support is improved. Plus bug fixes and improvements in Kopete, KHTML, KWin and many others."

Comments (none posted)

YAGnoBS, GCipher, Heartbeat, & GNOME 2.0 turns 1 (GnomeDesktop)

GnomeDesktop.org has published a combined announcement covering new versions of the YAGnoBS GNOME build script, the Heartbeat system monitoring tool, and GCipher.

Comments (none posted)

Final Modules List for the GNOME 2.4 Desktop Release (GnomeDesktop)

GnomeDesktop.org reports on the contents of the GNOME 2.4 Desktop Release. "Here is the final modules list for the GNOME 2.4 Desktop Release! It was a very tough process, as anyone who watched the d-d-l threads knows, because all of the modules proposed for inclusion are top-notch, brilliant pieces of GNOME software."

Comments (none posted)

Games

Pygame updates

The Pygame site features new versions of Pytego and Pathological.

Comments (none posted)

Graphics

GIMP 1.3.16 Released (GnomeDesktop)

The GIMP version 1.3.16 has been announced and comes with lots of new features.

Comments (none posted)

GUI Packages

SPTK 2.0a3 available

Version 2.0a3 of SPTK, the Simply Powerful ToolKit, has been released; it features bug fixes and some improved widgets.

Comments (none posted)

Interoperability

Samba 3.0.0 beta2 released

Samba 3.0.0 beta2 has been released. "The Samba Team is proud to announce the availability of the second beta release of the Samba 3.0.0 code base. While we are significantly closer to the final release, you should be reminded that this is a non-production release provided for testing only."

Full Story (comments: none)

Office Applications

AbiWord Weekly News

The June 29, 2003 edition of the AbiWord Weekly News is out with the latest AbiWord word processor news. "The remainders of GUADEC, the death of the hash downloader, a new preferences mock-up, 2.0 beta, anti-abi advertising, Mac OS X and that has nothing to do with the more interesting stories, like Linux going to Congo schools and Microsoft using DRM to lockout other office competitors, all of this and screenshots are waiting within."

Comments (none posted)

Web Browsers

Epiphany 0.7.2 released (GnomeDesktop)

Version 0.7.2 of the Epiphany web browser for GNOME has been announced; it includes many code changes and bug fixes.

Comments (none posted)

Demonstration of Robin Remote XUL Desktop Available (MozillaZine)

MozillaZine reports on a remote XUL desktop environment called Robin, the Remote Operating System Build in Netscape.

Comments (none posted)

The Future of Mozilla Application Development (O'ReillyNet)

O'Reilly covers recent changes to the Mozilla development roadmap. "In April, mozilla.org announced a major update to its development roadmap. Some of the changes in the new document represent a fundamental shift in the direction and goals of the Mozilla community. To help make sense of how these changes will affect Mozilla application developers, this article provides an analysis of the new roadmap and also demonstrates how to convert an existing XPFE-based application into an application that uses the new XUL toolkit."

Comments (none posted)

Mozilla 1.4 Released (MozillaZine)

MozillaZine reports on the release of version 1.4 of the Mozilla web browser. "This release offers several enhancements over Mozilla 1.3.1, including NTLM authentication support (Windows only), bookmarks improvements, click-and-drag image and table resizing in Composer, smooth scrolling (disabled by default), junk mail improvements and proxy auto-config failover."

Comments (6 posted)

Netscape 7.1 Released (MozillaZine)

MozillaZine has an announcement for the newly released Netscape 7.1 web browser. "Netscape Communications Corporation today released its new Netscape 7.1 browser, which is based on Mozilla 1.4. This version — codenamed Buffy during development — offers several new features, including automatic image resizing, which shrinks large images to fit in the browser window, and Find As You Type, a tool that allows users to search for links or text on a webpage just by typing."

Comments (1 posted)

2003-06-24 Release of WaMCom Available (MozillaZine)

MozillaZine has an announcement for a new release of WaMCom, the Web and Mail Communicator. "WaMCom is a distribution of Mozilla 1.3.1 that incorporates 480 additional trunk bug fixes and also some extra features that are not yet part of the Mozilla Application Suite."

Comments (none posted)

Mozilla Status Update

The June 27, 2003 Mozilla Status Update is out. "This status update contains news on Mozilla 1.4 Release Candidate 3, the Mozilla 1.5 Alpha schedule, Composer, Mozilla Thunderbird, ChatZilla, tabbed browsing, the DOM Inspector and more."

Comments (none posted)

Multiple Mozilla Staff Meeting Minutes

The minutes of the Mozilla.org staff meetings from June 16 and June 23, 2003 are available for your inspection.

Comments (none posted)

Miscellaneous

Peacock 0.6.1 released

Version 0.6.1 of Peacock, an HTML Editor for GTK+/GNOME, has been released. New features include find/replace, a shift of file operations to the GnomeVFS architecture, and GtkHTML preview click functionality.

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The July 1, 2003 edition of the Caml Weekly News is out with the latest Caml language development news.

Full Story (comments: none)

Java

Using the Jakarta Commons, Part 1 (O'ReillyNet)

Vikram Goyal writes about the Jakarta Commons on O'Reilly. "Ever find yourself thinking "Someone's surely solved this problem before?" That's the beauty of open source. In this first of three articles, Vikram Goyal explores the Jakarta Commons, mature and well-defined reusable Java components."

Comments (none posted)

Lisp

SBCL 0.8.1 released

Version 0.8.1 of Steel Bank Common Lisp (SBCL) is available.

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The June 23-29, 2003 edition of This Week on perl5-porters has hit the virtual street. "This week's p5p summary is going to be a bit unusual: a few very long threads will be summarized (logically) in longer paragraphs. Read about hashing algorithm vulnerabilities, new proposed syntax, CHECK and INIT blocks, and other unlittle things."

Comments (none posted)

This week on Perl 6

Two editions of This week on Perl 6 have been published. The summary for the June 22, 2003 report says: "Continuation Passing Shenanigans, evil dlopen() tricks, and controlling method dispatch dominate perl6-internals and perl6-language, according to fearless summarizer Piers Cawley."

The June 29, 2003 summary says: "Exceptions, continuations, patches, and reconstituted flying cheeseburgers all dominated discussion on perl6-internals and perl6-language, according to summarizer Piers Cawley. No kidding."

Comments (none posted)

Perl 6 Design Philosophy

O'Reilly has published an excerpt from the book Perl 6 Essentials. "Perl 6 Essentials is the first book to offer a peek into the next major version of the Perl language. It covers the development of Perl 6 syntax as well as Parrot, the language-independent interpreter developed as part of the Perl 6 design strategy. In this excerpt from Chapter 3 of the book, the authors take an in-depth look at some of the most important principles of natural language and their impact on the design decisions made in Perl 6."

Comments (none posted)

Power Regexps, Part II

Simon Cozens continues his series on Perl regular expressions with Part II. "In the previous article, we looked at some of the more intermediate features of regular expressions, including multiline matching, quoting, and interpolation. This time, we're going to look at more-advanced features. We'll also look at some modules that can help us handle regular expressions."

Comments (none posted)

PHP

PHP Weekly Summary for June 30, 2003

The PHP Weekly Summary for June 30, 2003 is out. Topics include: PHP 5 beta test, Apache 2 support, preg_match_*, Bundling libxml2 (continued), SQLlite extension, PHP 4.4, Major CVS changes.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The Dr. Dobb's Python-URL for June 30, 2003 is out, with news and links for the Python community.

Full Story (comments: none)

Scheme

Scheme Weekly News

The June 30, 2003 edition of the Scheme Weekly News is out. Take a look for the latest Scheme language news.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The June 30, 2003 edition of Dr. Dobb's Tcl-URL is out with the week's Tcl/Tk development news.

Full Story (comments: none)

XML

Unofficial XML-RPC Errata

Fredrik Lundh has published an Unofficial XML-RPC Errata document. "This is an unofficial errata, intended to clarify certain details in the XML-RPC specification, as well as hint at "best practices" to use when designing your own XML-RPC implementations. This errata is mostly based on real-life experiences from early adopters and toolkit implementors (filtered through the brain of one such early adopter/implementor)."

Comments (none posted)

XULMaker 0.50 Released (MozillaZine)

According to MozillaZine, version 0.50 of XULMaker, a visual XUL application builder, is available. "This release includes support for the complete set of XUL elements, attributes and values."

Comments (none posted)

The Open Applications Group Integration Specification (IBM developerWorks)

Michael Rowell inspects The Open Applications Group Integration Specification on IBM's developerWorks. "The Open Applications Group Integration Specification (OAGIS) is an effort to provide a canonical business language for information integration. It uses XML as the common alphabet for defining business messages, and for identifying business processes (scenarios) that allow businesses and business applications to communicate. Not only is OAGIS the most complete set of XML business messages currently available, but it also accommodates the additional requirements of specific industries by partnering with various vertical industry groups."

Comments (none posted)

Web-based XML Editing with W3C XML Schema and XSLT, Part 2 (O'Reilly)

Ali Mesbah and Arjan Vermeij continue their series on web-based XML editing with Part Two. "This article describes a concept in which elements can be inserted into an XML instance document through an automatically created form-based GUI, based on the XML Schema of the instance document." You may want to start with the first article.

Comments (none posted)

How (Not) to Grow a Technology (O'Reilly)

Kendall Grant Clark discusses the growth of the XML standard on O'Reilly. "In this article I consider the two most common ways of growing XML technologies, particularly in the context of standards bodies and the XML development community. While these two methods are well-known, I draw my inspiration from an XML-DEV posting by Roger Costello. His post suggests that there are two ways in which a technology may be developed: by committee or by "the market." In the committee case, a group of people -- often an element of a standards body -- is primarily responsible for the development of the technology."

Comments (none posted)

Editors

Conglomerate XML Editor 0.5.4 Released (GnomeDesktop)

GnomeDesktop.org has an announcement for version 0.5.4 of Conglomerate, an XML editor. This release features bug fixes, build improvements, and more.

Comments (none posted)

IDEs

Anjuta 1.1.97 released (GnomeDesktop)

GnomeDesktop.org has an announcement for version 1.1.97 of the Anjuta IDE for GNOME. This version features support for all text file encodings, line and word selection menu entries, .css files highlighting, bug fixes, and more.

Comments (none posted)

Version Control

Vertoo - simple versioning support tool

A new versioning tool called Vertoo has been released. "Vertoo is a tool that lightens the developer's burden of maintaining up-to-date versioning information across a project's files. Vertoo provides a simple interface to change the version (or part of it) and distribute these changes through the project's files. The configuration describes the versions used in a project, each in an arbitrary, user-specified scheme, and the formats for each of the occurrences of the version's data in the project files."

Comments (none posted)

Miscellaneous

Mono 0.25 released. (GnomeDesktop)

GnomeDesktop.org has an announcement for version 0.25 of Mono, an open source implementation of the .NET Development Framework. See the RELEASE NOTES for more information.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Windows Refund Day II: Next Steps (Linux Journal)

Linux Journal takes a look at what happened during Windows Refund Day II -- and what still needs to happen. "[Toshiba] will spend thousands of dollars in legal fees to protect the hundreds that would be paid out for this individual refund request. Does anyone honestly think that they would continue to follow this path if only 10 additional customers filed similar actions? Personally, I don't think it is unreasonable to expect at least one case to be filed against a major computer manufacturer in every state of the US. Multiple concurrent claims (regardless of which manufacturer is targeted) will open their eyes to the magnitude of this situation. This is the logical course of action for us to take in order to achieve the change we are seeking."

Comments (2 posted)

Linux Xbox group squeezes Microsoft (ZDNet)

ZDNet reports on a group of Australian XBox hackers. "A group of Xbox security researchers say they have found a way to run Linux on the Xbox game console without a so-called mod chip and will go public with the technique if Microsoft won't talk to them about releasing an official Linux boot loader."

Comments (9 posted)

Open source trade clash (Australian IT)

Here is an article in Australian IT that reveals the backers of an anti-open source lobby. "The Washington-based and Microsoft-backed Initiative for Software Choice (ISC) has condemned South Australian moves to introduce open source preference legislation as "hidden protectionism" that discriminates against US software companies."

Comments (4 posted)

Trade Shows and Conferences

KDE at the Linux User & Developer Conference

Jon Bacon has written a report on the KDE experience at the Linux User & Developer Conference in Birmingham. "Generally at the booth we got some pretty good feedback about KDE. There was an obvious number of people who had used KDE before and were interested in new features that were in the latest KDE. One particular application that was gaining particular interest was Kexi. It seems that the Linux based LAMP platform is gaining massive popularity and the need for a GUI database manager in a similar fashion to Microsoft Access was in great demand. There were quite a few people who got out their pencil and paper and wrote the name down. I suspect the Kexi developers will have a fair few new people interested in the project."

Comments (none posted)

Open source invades middleware (vnunet)

Vnunet takes a look at Tim O'Reilly's speech at LinuxExpo. "Open source is creeping through middleware, turning it into a profit-less commodity and forcing technology companies to seek value further up the food chain, according to two leading open source experts."

Comments (none posted)

Companies

SCO may audit IBM's AIX customers (vnunet)

SCO CEO Darl McBride, it seems, has told vnunet that he may go after AIX users. "McBride claimed that SCO has the right to audit IBM's customers. 'We have other rights under the contract we are looking at. For example, we can audit IBM customers. SCO has audit rights on its customers,' he said. 'The reality is that we are going into discovery right now and that might be the vehicle to be able to investigate what we need there anyway.'" One might well wonder how many AIX (and other proprietary Unix) customers thought they were giving audit rights to SCO when they bought their systems.

Comments (27 posted)

Penguin on Thin Ice? (FindLaw)

FindLaw looks at the SCO suit. "The second principle is that a party's rights can be affected by its later conduct - which can constitute a 'waiver,' giving away rights. Until recently, SCO was a willing player in the Linux movement, releasing code under the open source ('copyleft') license. Everything that happened to Linux was in the open. Yet SCO delayed in suing. That delay triggers not only the waiver doctrine, but also similar equitable doctrines such as laches. Indeed, SCO may run afoul of the relevant statutes of limitations as well."

Comments (14 posted)

Linux Adoption

Electronics makers rally around Linux (News.com)

News.com covers the introduction of CELF, the Consumer Electronics Linux Forum. "CELF grew out of a Linux development alliance between Sony and Matsushita inked last December. At the time, the two companies agreed to collaborate on a new version of the open-source operating system for consumer electronics devices and said they would consider founding a forum to further those goals."

Comments (none posted)

Linux Plays Starring Role in 'Sinbad' (eWeek)

According to eWeek, all of the animation for the movie Sinbad was performed on Linux machines. "More than 250 mostly 3-D accelerated dual-monitor HP workstations running Red Hat Linux made up the core of DreamWorks' graphics platform for the artists working on "Sinbad.""

Comments (none posted)

At Orbitz, Linux Delivers Double The Performance At One-Tenth The Cost (TechWeb)

TechWeb covers Linux performance at Orbitz, an online travel service. "Privately held Chicago-based Orbitz uses more than 750 Linux-on-Intel Compaq computers in its data center to download fares, service search requests and run the company's booking engine. In the fall, Orbitz migrated its web applications running on Sun Microsystems' Enterprise 4500 servers to Compaq machines. The migration meant moving the software from Solaris running on 168 Sparc processors to Linux running on 100 Intel chips."

Comments (none posted)

Austin, Texas to Begin Linux Pilot Project (Linux Journal)

Linux Journal heads to Austin, Texas to see how Linux is faring in the local government. "As a result of all the above, the city's attitude towards the use of Linux and open source software has taken a 180 degree turn. When I first started tracking the City of Austin/Microsoft/Linux saga two years ago, a deputy director in the IT department told me that if he found Linux being used on a desktop he would have it removed."

Comments (1 posted)

Interviews

Selling Linux keeps getting easier (NewsForge)

Robin 'Roblimo' Miller talks with Teresa Spangler in this NewsForge article. "Teresa Spangler started marketing Linux-based products back in 1997 as co-founder of a small startup company in North Carolina. From there she went to Red Hat. Now she's the U.S. general manager for Trustix. Teresa says Linux is an easier corporate "sell" today than ever before, and is likely to be an even easier one in the future."

Comments (none posted)

Linux: so what's in it for me? (Register)

The Register interviews industry experts at the Linux User & Development Expo in Birmingham this week. "Although they wouldn't speak on the record, several industry figures at Linux User noted the geeky image continues to be pervasive in the Linux world - even at a time when a majority of visitors to Linux events are suits."

Comments (5 posted)

Interview Jeff Waugh

LinuxMagAu interviews Jeff Waugh, coordinator of the Gnome Release Team. "More seriously, The Next Big Thing in the GNOME world is our 2.4 Desktop release, which will have all sorts of new goodies in it. We're approaching our feature freeze at the moment, so here's a list of all the big features likely to make the cut"...

Comments (none posted)

'Head First Java' Author Interview (O'ReillyNet)

O'Reilly has published an interview with the authors of the book Head First Java. "Kathy Sierra and Bert Bates are the authors of the recently released Head First Java, a language tutorial unlike any other. In this interview, they explain their unique teaching style and how it works in practice."

Comments (none posted)

Andrew Stanley-Jones on KSirc (KDE.News)

KDE.News has posted a recently translated interview with Andrew Stanley-Jones. "In the following interview, Andrew Stanley-Jones, original author of KSirc, gives us some of the insights behind the design of KSirc -- the Internet Relay Chat (IRC) client for KDE. Read on for such gems as "No company I've ever worked for has offered to pay me to write a client that allows you to waste time chatting online" and "I argue [that chatting on IRC] keeps me awake during a chick flick"."

Comments (none posted)

French ex-PM condemns Software Patents

Michel Rocard MEP, former prime minister of France, condemned software patents in an interview with French newspaper Liberation. Click below for a translation of the interview.

Full Story (comments: 4)

Resources

WorldWatch Week in Review (Linux Journal)

Linux Journal presents the WorldWatch Week in Review, with open source news from around the world. "We unsuccessfully tried to ignore the SCO v. IBM fracas, mostly because Eric Raymond came out with an updated position paper that probably will become an amicus curiae brief in the case." We know just how you feel. The OSI position paper can be found here.

Comments (1 posted)

Secure Cooking with Linux, Part 2 (O'ReillyNet)

O'ReillyNet presents more recipes from the Linux Security Cookbook. "This week, we offer recipes that fall into an intermediate-level category. Learn how to restrict access to network services by time of day, and how to use sudo to permit read-only access to a shared file."

Comments (1 posted)

The Journal of Free and Open Source Medical Computing

A new publication called The Journal of Free and Open Source Medical Computing, JOSMC, is now online. "The Journal of Free and Open Source Medical Computing (JOSMC) is open and issuing its first call for papers. The Journal was started after the success of Linux Medical News indicated the need for a more scholarly publication. The Journal '...is an electronic forum for disseminating information on free and open source medical computing. Scholarly work on any aspect of free and open source medical computing will be considered for peer-reviewed'"

Comments (none posted)

Linux Access in State and Local Government, Part III (Linux Journal)

Linux Journal continues its tour of Linux in state and local governments with a comparison of Linux in schools. "In the K12Linux domain, if you need an application, you probably would stop at SchoolForge and then click the link to the Seul/Edu Educational Application Index to discover a repository of applications. Here you can find 80 administrative applications that one can download, plus 98 language programs and more. The site contains 612 open-source applications in 23 categories, such as courseware, math and library applications. And that's only one of several K12Linux web sites. Imagine such a collection of government software somewhere."

Comments (none posted)

Reviews

The Killer Kontact

KDE.News has a review of the Kontact PIM integrator by former Microsoft user Savanna. "One of the huge reasons I switched from Microsoft to Linux around a year ago was because Outlook was eating all of my mail. This would happen on average every three to six months, and there was simply nothing that I could do about it. The classic "format and reinstall" solution had become such a feared process for me that I simply didn't want to have anything to do with computers any longer."

Comments (none posted)

Big boost for wireless Linux development (vnunet)

Vnunet looks at a development platform from Metrowerks. "The company claimed that its OpenPDA platform, designed for Motorola's i.MX1 next-generation PDA microprocessor, could help mobile Linux developers to shorten design cycles."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

The European Public Sector Switches on to Open Standards

This week almost a dozen governments announced significant forward strides in their move to adopt Linux, confirming the overwhelming momentum behind the open source operating system. Country by country, governments around the world are adopting Linux in record numbers to save costs, consolidate workloads, increase efficiency and integrate their infrastructure.

Full Story (comments: none)

European Parliament Rejects Attempt to Rush Vote on Software Patent Directive

The European Parliament has postponed the vote on the software patent directive back to the original date of 1st of September. Arlene McCarthy (UK Labour MEP of Manchester) and her supporters were lobbying to rush the vote to June 30, a mere twelve days after publication of the highly controversial report and ten days after the unexpected change of schedule.

Full Story (comments: none)

FSF Statement on SCO v. IBM

Eben Moglen has written an official statement detailing the position of the Free Software Foundation in light of SCO vs. IBM. "The Foundation has no basis to believe that GNU contains any material about which SCO or anyone else could assert valid trade secret or copyright claims. Contributors could have made misrepresentations of fact in their copyright assignment statements, but failing willful misrepresentation by a contributor, which has never happened so far as the Foundation is aware, there is no significant likelihood that our supervision of the freedom of our free software has failed. The Foundation notes that despite the alarmist statements SCO's employees have made, the Foundation has not been sued, nor has SCO, despite our requests, identified any work whose copyright the Foundation holds, including all of IBM's modifications to the kernel for use with IBM's S/390 mainframe computers, assigned to the Foundation by IBM, that SCO asserts infringes its rights in any way." (Thanks to Paul Sladen)

Comments (none posted)

Reasoning Releases Results of a Software Code Audit of the Apache Web Server

Reasoning has announced the results of a study in which the company inspected the code of the Apache Open Source Web Server V2.1. Reasoning found that the Apache Open Source server had a similar defect density compared to the average defect density of several proprietary equivalents.

Comments (4 posted)

Commercial announcements

HP and SuSE Linux Expand Global Alliance

HP and SuSE Linux have announced that HP will resell and support SuSE Linux Enterprise Server 8, powered by UnitedLinux, on industry-standard HP ProLiant servers and HP's Itanium-based servers. This relationship provides customers a single point of purchase, support and maintenance for SuSE Linux Enterprise Server 8 and makes SuSE Linux a preferred vendor for HP.

Full Story (comments: none)

"Learning Perl Objects, References, and Modules" Released by O'Reilly

O'Reilly has published the book "Learning Perl Objects, References, and Modules".

Full Story (comments: none)

MySQL Reference Manual Now Available in French

A French translation of the MySQL database user manual has been announced. "The MySQL reference manual was translated into French by MySQL partner NexenServices.com, a French Web hosting company that provides expert Web hosting with PHP and MySQL."

Comments (none posted)

Neuros Digital Audio Computer Announces Availability of Positron for Linux Platform Support and Ogg Vorbis Playback

Neuros Digital Audio Computer has announced the availability of their Positron open-source synchronization application. The software allows ogg-Vorbis audio files to be transferred from a Linux platform to the Neuros audio device.

Full Story (comments: none)

O'Reilly Releases "Secure Coding: Principles & Practices"

O'Reilly has released Secure Coding: Principles & Practices. "Jeremy Allison, the coauthor of Samba, calls "Secure Coding": "A wonderful book...I wish it had been available when I was writing parts of Samba. I might not have had the last two security embarrassments to my name." Stephen E. Hansen, Information Security officer for Google, Inc., agrees: "I wish I had this book years ago as it has taken me years to figure these things out for myself.""

Full Story (comments: none)

Trolltech releases QSA

Trolltech has released Qt Script for Applications (QSA), Version 1.0. "Trolltech, a leader in multiplatform software development tools, today announced that Qt applications are now scriptable with the release of Qt Script for Applications (QSA). Leveraging the powerful Qt API, QSA takes static Qt/C++ applications, and makes them dynamic."

Full Story (comments: none)

Resources

LDP Weekly News

The July 1, 2003 edition of the LDP Weekly News is out with the latest Linux Documentation news. Volunteers are needed for bringing out of date documents up to date. "In an ever-changing environment, our documents become outdated tremendously fast: a one year old HOWTO is like pre-historic charcoal writing on stone. Apart from people with a technical background, we also need user reviews to check on a document's usability."

Full Story (comments: none)

Event Reports

EuroPython 2003 Conference Report, day 2

Stéfane Fermigier has put together a report for day 2 of the EuroPython conference.

Full Story (comments: none)

ERP5 demonstrated at EuroPython 2003

A public demonstration of ERP5, an open source, free Enterprise Resource Planning system, was held at the EuroPython 2003 international conference in Belgium. "A live demonstration of an ERP5 system used by a large apparel factory located 200 Km away from Charleroi was presented. ERP5 is published under GPL license. ERP5 has been the first ERP solution exclusively based on Open Source / Free Software to be successfully implemented in European industry since January 2003."

Full Story (comments: none)

Upcoming Events

Tenth Annual Tcl/Tk Conference

The 10th Annual Tcl/Tk Conference is scheduled for July 28 through August 2 in Ann Arbor, Michigan.

Full Story (comments: none)

Perl Lightning Talk schedule for OSC 2003

The tentative schedule for the OSCon 2003 Perl track is online.

Comments (none posted)

YAPC::EU 2003 Talk Summaries Are Online

The summaries of talks for the YAPC::EU 2003 conference are online. The conference will be held at CNAM in Paris, France on July 23-25, 2003. Thanks to Emmanuel Seyman.

Comments (none posted)

Events: July 3 - August 28, 2003

Date                      | Event                                                                                                          | Location
July 7 - 11, 2003         | O'Reilly Open Source Convention 2003 (OSCON) (Portland Marriot)                                                 | Portland, Oregon
July 9 - 12, 2003         | Libre Software Meeting                                                                                         | Metz, France
July 10 - 13, 2003        | LinuxTag                                                                                                       | Karlsruhe, Germany
July 12 - 17, 2003        | Debcamp                                                                                                        | Oslo, Norway
July 18 - 20, 2003        | Debconf 3 (The University of Oslo)                                                                             | Oslo, Norway
July 23 - 26, 2003        | Ottawa Linux Symposium                                                                                         | Ottawa, Canada
July 23 - 25, 2003        | YAPC::Europe 2003 (CNAM Conservatory)                                                                          | Paris, France
July 25 - 27, 2003        | Fifth Annual Linux Festival in Kaluga Region (bank of the river Protva)                                        | Kaluga region, Russia
July 29 - August 2, 2003  | The 10th Annual Tcl/Tk Conference                                                                              | Ann Arbor, Michigan
July 31 - August 3, 2003  | UKUUG Linux Developers' Conference (LINUX 2003) (George Watson's College)                                       | Edinburgh, Scotland
August 4 - 7, 2003        | LinuxWorld Conference and Expo 2003 (Moscone Convention Center)                                                | San Francisco, CA
August 5 - 7, 2003        | 5th Annual CERT Conference (NEbraskaCERT) (Scott Conference Center)                                            | Omaha, NE USA
August 7 - 10, 2003       | Chaos Communication Camp 2003                                                                                  | Paulshof, Altlandsberg, Germany
August 18 - 21, 2003      | New Security Paradigms Workshop 2003 (NSPW 2003) (Centro Stefano Francini)                                     | Ascona, Switzerland
August 23 - 25, 2003      | KDE Developers' Conference (Zamek Castle)                                                                      | Nove Hrady, Czech Republic
August 27 - 29, 2003      | International Conference on Principles and Practice of Declarative Programming (PPDP 2003) (Uppsala University) | Uppsala, Sweden

Comments (none posted)

Web sites

The OSPedia Open Source Wiki

OSPedia is a new Web Wiki that's dedicated to the discussion of open source issues. "It is completely open to -anyone- to contribute in any way they feel they can and there is no editorial agenda other than letting the FOSS communities have their say on any subject regarding FOSS."

Full Story (comments: none)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

OMG Object Application Awards 2003

The winners of the ninth European OMG Object Application Awards 2003 have been announced.

Full Story (comments: none)

Page editor: Forrest Cook

Letters to the editor

xpdf vulnerability - CAN-2003-0434

From:  Andries.Brouwer@cwi.nl
To:  announce@mandrakesecure.net, bugtraq@securityfocus.com, letters@lwn.net
Subject:  xpdf vulnerability - CAN-2003-0434
Date:  Sat, 28 Jun 2003 19:33:12 +0200 (MEST)

I see the RedHat and Mandrake reactions to the vulnerability
in xpdf reported by Martyn Gilmore. But their updates do
not fix the problem.

They change xpdf, and make it filter out backquotes before
invoking urlCommand. I think that was unnecessary.

On the other hand, urlCommand must be very careful what it
does with the URL since it was remote-user-supplied.
A urlCommand like the default "netscape -remote 'openURL(%s)'"
is OK since the %s is protected by single quotes.

A urlCommand like the RedHat "/usr/bin/xpdf-handle-url %s"
is bad since %s is not protected and funny games are possible.
In other words, not xpdf but /etc/xpdfrc must be fixed.

Next, RedHat /usr/bin/xpdf-handle-url is bad as well, since
it does
  xterm -e sh -c "echo Edit $0 to include your URL handler; echo $1; read"
exposing the unquoted URL to sh -c.

For example, on a RedHat 8.0 system that I have here, clicking a URL
like "nailto:me; rm /tmp/abc" will remove the indicated file, even
after the fix is applied.

A test example for playing with pdflatex:

\documentclass[11pt]{minimal}
\usepackage{color}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none]{hyperref}
\begin{document}
\href{prot:hyperlink with stuff, say, `rm -rf /tmp/abc`; touch /tmp/pqr}{\texttt{Click me}}
\end{document}

All shell metacharacters are dangerous. Not only backquote.

Andries

Comments (2 posted)
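The two places the letter says a PDF-supplied URL meets the shell, modelled in an added example (this is not xpdf's, Red Hat's or the letter writer's code). It assumes that xpdf runs urlCommand by substituting the URL for %s and handing the resulting string to the shell, modelled here as `sh -c`; `echo` stands in for netscape and for the handler binary, the two handler functions are stand-ins for a handler written the way the letter quotes and for a hardened one, and the URLs are constructed so that each tries to `touch` a marker file in a fresh temporary directory. It goes one step past the letter by also feeding the single-quoted template a URL that contains a single quote: the quotes do stop `;` and backquotes, but a `'` in the URL ends the quoting, which is the point of the letter's closing line.

```shell
#!/bin/sh
# Added example, not code from xpdf, Red Hat or the letter above. It models
# the two places a PDF-supplied URL meets the shell and probes each with
# constructed URLs that try to run `touch` on a marker file.
# Assumption: xpdf runs urlCommand by substituting the URL for %s and
# handing the resulting string to the shell; that is modelled as `sh -c`.
# `echo` stands in for netscape / the handler binary in the templates.

# Layer 1: %s substitution into the urlCommand template, then the shell.
# Assumes the template contains %s exactly once.
run_urlcommand() {
    template=$1 url=$2
    prefix=${template%%"%s"*}
    suffix=${template#*"%s"}
    sh -c "$prefix$url$suffix" >/dev/null 2>&1
}

# Layer 2a: a handler in the style the letter quotes: the URL is pasted
# into a string that is itself given to `sh -c`, so it is parsed as shell
# syntax a second time.
leaky_handler() {
    sh -c "echo URL: $1" >/dev/null 2>&1
}

# Layer 2b: hardened handler: the URL rides as a positional parameter of
# the inner shell and never becomes command text, so no metacharacter in
# it is live.
safe_handler() {
    sh -c 'echo "URL: $1"' handler "$1" >/dev/null 2>&1
}

# Probe: builds a URL of the form <before>touch <marker><after>, passes it
# as the last argument of the given function, and reports whether the
# marker file appeared. Returns 0 if the URL was executed, 1 if it stayed
# inert, 2 if no temporary directory could be created.
#   $1 = URL text before the injected command, $2 = text after it,
#   remaining args = function to call plus its leading arguments.
probe() {
    before=$1 after=$2
    shift 2
    dir=$(mktemp -d) || return 2
    marker="$dir/pwned"
    "$@" "${before}touch ${marker}${after}" || true
    if [ -e "$marker" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Stand-alone demo: one line per case, EXECUTED or inert.
report() {
    if probe "$@"; then echo "EXECUTED: $*"; else echo "inert:    $*"; fi
}
report 'mailto:me; ' ''  run_urlcommand 'echo %s'              # unquoted %s
report 'mailto:me; ' ''  run_urlcommand "echo 'openURL(%s)'"   # quoted %s
report '`' '`'           run_urlcommand "echo 'openURL(%s)'"   # backquote inside quotes
report "'; " "; '"       run_urlcommand "echo 'openURL(%s)'"   # single quote breaks out
report 'mailto:me; ' ''  leaky_handler
report 'mailto:me; ' ''  safe_handler
```

Run directly, it prints one EXECUTED or inert line per case. The hardened handler stays inert because the inner shell receives the URL as its `$1` rather than as part of the text it parses; that property, not filtering one character, is what any replacement for a script like xpdf-handle-url needs.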

SCO can not win "SCO vs Linux" case. Seriously.

From:  Khimenko Victor <khim@sch57.msk.ru>
To:  lwn@lwn.net
Subject:  SCO can not win "SCO vs Linux" case. Seriously.
Date:  Sun, 29 Jun 2003 18:32:12 +0400 (MSD)

I have been looking at the "SCO vs IBM" case for some time, and every time the
"SCO vs IBM" case is discussed it is treated like it's the "SCO vs Linux" case.
But it's not! Even more: even if SCO wins the "SCO vs IBM" case, SCO cannot do
ANYTHING to Linux (except maybe make it illegal to distribute for some time).

How so? OK, SCO would like to get license fees from Linux vendors, right?
SCO is not interested in removing offending code from Linux - they only
want money, right? Oops. They cannot have it. No matter what Linus and
IBM have done. Even if they own the rights to half of Linux's code.

Why so? Linux's license is the GPL. Reread this part of the GPL once more, please:
-- cut --
7. If, as a consequence of a court judgment or allegation of patent 
infringement or for any other reason (not limited to patent issues), 
conditions are imposed on you (whether by court order, agreement or 
otherwise) that contradict the conditions of this License, they do not 
excuse you from the conditions of this License. If you cannot distribute 
so as to satisfy simultaneously your obligations under this License and 
any other pertinent obligations, then as a consequence you may not 
distribute the Program at all. For example, if a patent license would not 
permit royalty-free redistribution of the Program by all those who receive 
copies directly or indirectly through you, then the only way you could 
satisfy both it and this License would be to refrain entirely from 
distribution of the Program. 
-- cut --

What does this mean? This means that even if SCO has some rights to Linux
code (all or some parts of it), then there are ONLY TWO CHOICES:
  1. SCO grants everyone rights to redistribute Linux for free (like IBM
     did with the RCU patents)
  2. SCO forbids everyone to distribute Linux without SCO's license and
     thus makes Linux UNDISTRIBUTABLE IN THE US FOR ALL, INCLUDING SCO ITSELF!

There are NO other choices. Even if RedHat or IBM buy a license from
SCO, they cannot redistribute Linux! If they try, then EVERYONE who
EVER contributed to Linux can sue them. IBM, Intel, HP, SGI ...

Oh, of course all those companies can sue SCO for illegal redistribution
once SCO's claims are proven :-) since SCO obviously redistributed Linux
while agreements with other parties made it impossible for SCO to even
show the code (or so SCO claims).

Why is this side of the issue never discussed? Why is every columnist
writing about how the "Linux community doing nothing" when THE ONLY THING
the Linux community CAN DO is to remove the offending code, and that's not
possible until SCO shows what code should be removed?

Comments (11 posted)

Page editor: Forrest Cook

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds