The road to World Domination
Linux, it seems, is on a roll. In the past week we've had news of the LLNL
cluster sale (see below),
of Norway's decision to drop its exclusive contract with
Microsoft (despite losing the substantial discounts that contract
provided), of Steve Ballmer's admission that Linux is giving Microsoft some
trouble, of MandrakeSoft's improving bottom line, and more. The world
increasingly understands that free software is better, cheaper, and, of
course, free.
Those of us who wish to promote the free software cause can't rest yet,
however. Free software still has a great many hurdles to overcome,
including:
- Security. The free software community likes to claim greater
security, and this claim may even be true. The security of free
software is not yet good enough, however. Recent bugs in packages
like Apache, Squid, and OpenSSH have put large numbers of systems at
risk; they are the stuff that large-scale destructive worms are made
of. There are still too many silly mistakes turning up in free
software; we need to do better.
- Interoperability. The free office suites currently available
are more than good enough for most users at this point. At least,
until those users need to exchange documents with people using
proprietary packages. Until this problem is solved, people will stay
with proprietary systems. Linux systems also need to do better at running
software written for other operating systems. Progress is being made,
but we are not yet there.
- Proprietary software support. It will be a long time before
free packages rival the variety of proprietary software out there.
Where are the free business plan writers, training systems, contact
managers, math tutors, foreign language instructors, genealogy
assistants, home designers, tax preparers, high-end games, etc.?
Until we have filled in those gaps, we should be friendlier to
software vendors who make Linux systems more attractive to more
people. That means standards compliance, stable interfaces, and an
end to outright hostility toward software vendors. As long as those
vendors comply with the licenses of the free software they are using,
they are only helping the Linux cause by porting their products.
- Business models. Some companies seem to be doing OK, if not
great, as free software businesses. Consider Red Hat, Zope Corp.,
Sleepycat, Collabnet, IBM, etc. Many others are hurting, or have gone
out of business. Free software needs successful businesses to keep up
its current rate of growth, and it would be better if we didn't end up
with just a small number of huge companies employing most free
software hackers. There is still work to be done on the business side
of free software.
- Legal issues. Intellectual property law, including repressive
copyright terms, "anti-circumvention" provisions, software patents,
and more, threatens to hamper (or ban outright) Linux in many parts of
the world. Somehow we have got to get a handle on our legislative
systems and not allow free software to be pushed aside by laws
favoring a small number of large corporations. This battle will not
be easy; the opposing interests are powerful and this is not an issue
that is interesting or understandable to most people. We must fight
it anyway, though, or much of the rest of our work may turn out to be
in vain.
There is, in other words, a lot of work to do still. Free software has
always been surprising in what it has been able to accomplish, though. The
free software community has a great chance of being able to handle these
challenges as well.
Comments (4 posted)
The largest Linux cluster
Linux NetworX has sent out
a press release
proclaiming the sale of "the largest and most powerful Linux cluster"
ever. This system has been sold to Lawrence Livermore National Laboratory,
and should be operational this fall. This cluster, which will employ 1920
2.4-GHz Intel Xeon processors, is expected to be one of the five fastest
supercomputers in the world.
LWN has long maintained that Linux-based clusters were going to take over
the supercomputing field. The economics of clusters built with commodity
hardware and free software are simply too good to ignore. The biggest
impediment to cluster World Domination, perhaps, has been the "some
assembly required" nature of Linux clusters. Supercomputers are, in
general, not low-maintenance devices, but Linux clusters have tended to
require even more than the usual amount of work. To be truly successful,
Linux clusters must become polished, easy to manage products.
Linux NetworX, like other cluster vendors, has long understood the need for
more refined cluster products. Some of the features of their current
cluster offerings are worth a look as an indication of how far Linux
clustering has come. Linux NetworX is certainly not the only vendor
offering these sorts of features; in the context of this sale, however,
they make a good example.
Early Linux clusters consisted of large numbers of beige boxes with even
larger numbers of cables between them. Modern cluster vendors have long
since moved past that mode, which is wasteful of energy, space, and system
administrator time. In this case, Linux NetworX is employing its
"Evolocity II" product, which crams two processors into a "sub 1U" rack
space. Throw in easy interconnects and the basic job of plugging the
cluster together becomes much easier.
Then, throw in the "ICE Box," a small, Linux-powered box which performs
console management, power management, and temperature monitoring for a set
of cluster nodes. Among other things, this box allows a (remote)
administrator to power down sets of nodes when they are not in use; when
your cluster has thousands of nodes, turning off unneeded nodes can yield
significant power savings.
What about when you want to bring those idle nodes back up to get some work
done? One of the interesting things that Linux NetworX has done is to work
with the LinuxBIOS project.
LinuxBIOS replaces the regular BIOS on the motherboard, allowing a system
to boot into a Linux kernel in as little as three seconds.
Finally, there is the issue of how one manages a cluster with almost 2000
nodes. The Simple
Linux Utility for Resource Management (SLURM) is a cooperative project
between Linux NetworX and LLNL; it gives administrators the ability to
control access to groups of processors in an easy manner. SLURM appears to
be in an early state of development at this time; the plan is to release it
under the GPL at some point.
All of this, of course, leaves out one crucial part of the problem: making
the customer's applications work on a clustered system. Parallelizing a
program so that it makes the best use of a cluster is a hard task. There
is still no easy way around this one. A cluster-optimizing version of gcc
remains the stuff of dreams at this point.
Even with the programming challenges, Linux clusters are earning an
increasing amount of respect in the high performance computing world. They
are getting steadily more powerful, easier to buy, and easier to run. Brad
Rutledge of Linux NetworX tells us: "We anticipate this is the first of
many Linux clusters that will measure as top supercomputers within in the
next year." Things look likely to turn out just that way.
Comments (1 posted)
Some advertising changes on LWN.net
We're trying out a new way of selling advertising space on LWN. The old
"cost per thousand" scheme is out; instead, advertisers get a percentage of
the total site impressions proportional to the amount of money they wish to
spend on the campaign. So, if advertising demand is low (as it generally
is), a small investment will buy a great many exposures on the site. In
other words, advertising on LWN has just gotten cheaper; please see
the announcement for the details.
Comments (none posted)
Page editor: Jonathan Corbet
Security
Security Vulnerabilities in Sharp Zaurus
On July 10th, a
report of
remote filesystem access and screen-locking passcode disclosure
vulnerabilities
in Sharp Zaurus was released by
the
Syracuse
University Center for Systems
Assurance.
The first is a little scary: the sync service gives anybody with network access to the Zaurus (through a wireless net, say) the ability to overwrite any file on the filesystem. The second is a problem with relatively weak encryption of passwords.
It was
pointed out, on posts to BugTraq, that Sharp did mitigate,
but not resolve, the remote filesystem access risk by restricting access to the vulnerable port.
Sharp has apparently known about these problems for more than a month, but no update is yet available
that fixes them.
The Zaurus developer community apparently knew about the
remote filesystem access
vulnerability as early as March 29th.
An independently compiled list of problems with the Zaurus, that
last updated May 6th, includes the remote filesystem access vulnerability
and some pointed comments on Sharp's management.
The Zaurus SL5000D and SL5500 are palmtop computers with great potential, but the maker, Sharp Electronics, has botched several things and has not taken any steps to deal with the issues even though they have had feedback about most of the problems below on the developer web site for months. Unfortunately Sharp has not answered the concerns raised by developers during the beta period. The SL5500 is now a released product and the general public will begin to run into these problems. It is sad that Sharp has refused to fix the problems with their unit as the Zaurus may be a first introduction to Linux/Unix systems for many users. The problems the Zaurus has will give the false impression to new users that the problems are with Linux in general rather than with the choices that Sharp made in implementing Linux on the Zaurus.
Richard Shim reported on the security vulnerabilities for
News.com, including his own
comments on Sharp's management
of Zaurus development.
Linux is an open-source operating system, giving developers equal access to the code. Many consider that an advantage in a situation like this, as security flaws are found quickly and fixes and other software improvements can be added by a whole community of programmers, not just those employed by a particular company. However, Sharp has not released the source code for the Zaurus' particular operating system to the open-source community, nor has it integrated any community updates to its OS, choosing instead to go a more proprietary route.
[...]
"Sharp committed to Linux and the open-source community, but they've realized that they don't want to live the lifestyle," said a source familiar with the company's plans.
Comments (1 posted)
Security news
Linux attacks on the rise? (Register)
The Register
speaks about a recent security study from security
consultancy
Mi2g.
"
Attacks on Linux and open source Web applications appear to have risen sharply
this year, while attacks on Windows systems are markedly down. That's the
conclusions of a study by security consultancy mi2g after it compiled a
database on attacks culled from data from defacement archives (such as
alldas.org), hacker bulletin boards and 'information from automatic
robots'."
Comments (2 posted)
Hack attacks on Linux on the rise (News.com)
News.com
writes about
a report by U.K.security consultancy MI2g that claims that successful
hacks on Linux web servers are on the rise.
"
In the past, hackers and virus writers have largely focused their efforts on the Windows platform, as its dominance on desktop PCs makes it a ready target. However, Linux has a large share of the Web server market, and Linux server applications are often vulnerable to attack because of mismanagement, according to the study."
Comments (none posted)
Debian GNU/Linux 2.2 updated (r7)
This is the seventh revision of Debian GNU/Linux 2.2 (codename `potato')
which mainly adds security updates to the stable release, along with a
few corrections of serious bugs.
Full Story (comments: none)
Cyberterrorists don't care about your PC (ZDNet)
ZDNet looks at
vulnerabilities in SCADA systems
"
Currently, power grids, dams, and other industrial facilities are monitored by Supervisory Control and Data Acquisition (SCADA) systems; approximately three million of these exist throughout the world. Based on telemetry and simple data acquisition, they give scant regard to security, often lacking the memory and bandwidth for sophisticated password or authentication systems. SCADA typically runs on DOS, VMS, and Unix platforms, although vendors are now shipping Windows NT and Linux versions, as well."
Comments (none posted)
July CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for July is out; it looks at
security threats to embedded devices, the "Perrun" virus, and more.
"
I have long suspected a cozy little link between virus writers and
antivirus software makers. The latter certainly needs the former, both to
keep viruses in the news and to provide a steady revenue stream from
updates. And here's an example of them sharing information."
Full Story (comments: 1)
Security reports
CARE 2002 file disclosure and sql injection vulnerabilities
CARE 2002
version 1.0.0.2 fixes file disclosure and sql injection vulnerabilities.
CARE 2002 is an open source software package for hospitals,
clinics and private medical practices.
The first beta version of CARE 2002 was created by
Elpidio Latorilla.
Full Story (comments: none)
Double Choco Latte multiple vulnerabilities
Ulf Harnhammar reports file upload, file download and cross site scripting vulnerabilities in
Double Choco Latte which are fixed in
version 20020706.
Double Choco Latte is a package that provides basic project
management capabilities, time tracking on tasks, call tracking,
email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It is licensed under the GPL (GNU Public License),
which means it is free to study, distribute, modify, and use.
Full Story (comments: none)
Vulnerabilities in the GoAhead Web Server
Matt Moore reports two vulnerabilities in
GoAhead Web Server v2.1:
- Cross Site Scripting via 404 messages.
- Read arbitrary files from the server running GoAhead(Directory Traversal)
Full Story (comments: none)
New vulnerabilities
libpng buffer overflow vulnerability
| Package(s): | libpng libpng2 libpng3 |
CVE #(s): | |
| Created: | July 17, 2002 |
Updated: | August 19, 2002 |
| Description: |
Versions of libpng prior to
1.2.4 and 1.0.14 have a buffer
overflow vulnerability that could lead to remote code execution.
Since libpng is used by programs that talk to the outside
world (i.e. mozilla), it is worth upgrading.
libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
|
| Alerts: |
|
Comments (2 posted)
Updated vulnerabilities
Acrobat reader temporary files
| Package(s): | acroread |
CVE #(s): | |
| Created: | July 8, 2002 |
Updated: | July 10, 2002 |
| Description: |
There is a symlink attack vulnerability in Acrobat Reader 5.05.
Acroread uses a file it creates with wide open permissions (mode 666) in /tmp; it also follows symlinks.
See the report of the bug in Acrobat Reader
5.05 for the details. The problem has also been
reported in version 4.05.
|
| Alerts: |
|
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
CVE #(s): | CAN-2002-0400
|
| Created: | June 5, 2002 |
Updated: | August 19, 2002 |
| Description: |
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
News articles on the vulnerability appear in the
Register
and
Network World Fusion News. |
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
CAN-2002-0353
CAN-2002-0401
CAN-2002-0402
CAN-2002-0403
CAN-2002-0404
|
| Created: | June 12, 2002 |
Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow problem in glibc
| Package(s): | glibc glibc/shlibs, glibc, nscd |
CVE #(s): | CAN-2001-0886
|
| Created: | May 20, 2002 |
Updated: | July 14, 2002 |
| Description: |
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
|
| Alerts: |
|
Comments (2 posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 20, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl |
CVE #(s): | CAN-2002-0653
|
| Created: | July 2, 2002 |
Updated: | August 14, 2002 |
| Description: |
Mod-ssl provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL).
A maliciously-crafted .htaccess file, may
be used by an attacker to execute arbitrary
commands as the httpd user or launch a denial of service attack.
The problem is fixed in mod_ssl 2.8.10 which is available
from here.
For more information see the announcement. |
| Alerts: |
|
Comments (none posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
CVE #(s): | CAN-2002-0378
|
| Created: | June 12, 2002 |
Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators
with systems exposed to the general public.
|
| Alerts: |
|
Comments (none posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
CVE #(s): | CAN-2002-0388
|
| Created: | June 5, 2002 |
Updated: | August 28, 2002 |
| Description: |
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
|
| Alerts: |
|
Comments (none posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
CVE #(s): | CAN-2002-0354
|
| Created: | May 20, 2002 |
Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
nn remote code execution vulnerability
| Package(s): | nn |
CVE #(s): | |
| Created: | July 9, 2002 |
Updated: | July 10, 2002 |
| Description: |
A NNTP server may be used, maliciously, to
remotely execute code through the nn client.
Nn is a popular Unix newsreader. Versions prior to
6.6.3 are vulnerable.
The problem is fixed in nn 6.6.4 which is available here.
For more information, see the
security advisory.
|
| Alerts: |
(No alerts in the database for this vulnerability)
|
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0374
|
| Created: | June 5, 2002 |
Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 20, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 20, 2002 |
Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Squid DNS vulnerability fixed in Squid-2.4.STABLE6
| Package(s): | squid |
CVE #(s): | CAN-2002-0163
|
| Created: | July 8, 2002 |
Updated: | July 10, 2002 |
| Description: |
A malicously crafted DNS reply can cause Squid
versions up to and including 2.4.STABLE4
to crash.
Squid-2.4.STABLE6 fixes the vulnerability; see
the updated
advisory from the squid team for the details. |
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
CVE #(s): | |
| Created: | July 8, 2002 |
Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following
changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML
- FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
|
| Alerts: |
|
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
CVE #(s): | CAN-2002-0380
|
| Created: | June 5, 2002 |
Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
|
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
|
| Created: | May 20, 2002 |
Updated: | September 17, 2002 |
| Description: |
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
|
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
xchat IC server based dns query vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2002-0382
|
| Created: | June 5, 2002 |
Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Resources
Flawfinder 1.20, a security auditing tool for C/C++
David A. Wheeler has released
Flawfinder
version 1.20,
"a
tool that examines C/C++ code and reports possible security flaws
in the code (sorted by risk level)."
Flawfinder works by using a built-in database of C/C++ functions with well-known problems,
such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family),
format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(),
chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter
dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).
Comments (none posted)
Linux Advisory Watch
The
July 12th Linux Advisory Watch newsletter
from LinuxSecurity.com is available.
Comments (none posted)
Papers from the 11th USENIX Security Symposium
A number of interesting papers considering security and open source
will be presented at
the
11th USENIX Security Symposium
the week of August 5th in San Francisco, California, USA.
We noticed a few that have already been released by the authors.
-
Linux Security Modules: General Security Support for the Linux Kernel (HTML format).
"The Linux
Security Modules (LSM) project has developed a lightweight, general purpose,
access control framework for the mainstream Linux kernel that enables many
different access control models to be implemented as loadable kernel modules.
A number of existing enhanced access control implementations, including Linux
capabilities, Security-Enhanced Linux (SELinux), and Domain and Type
Enforcement (DTE), have already been adapted to use the LSM framework. This
paper presents the design and implementation of LSM and discusses the
challenges in providing a truly general solution that minimally impacts the
Linux kernel."
-
Linux Security Module Framework
(PDF format).
"This
paper presents the design and implementation of the LSM framework, a
discussion of performance and security impact on the kernel, and a brief
overview of existing security modules."
-
Deanonymizing Users of the SafeWeb Anonymizing Service
(PDF
format).
"The SafeWeb anonymizing system has been lauded by the press and
loved by its users; self-described as "the most widely used online
privacy service in the world," it served over 3,000,000 page views
per day at its peak. SafeWeb was designed to defeat content blocking
by firewalls and to defeat Web server attempts to identify users,
all without degrading Web site behavior or requiring users to
install specialized software. In this paper we describe how these
fundamentally incompatible requirements were realized in SafeWeb's
architecture, resulting in spectacular failure modes under simple
JavaScript attacks."
-
Secure Execution Via Program Shepherding
(PDF
format).
"
We introduce program shepherding, a method for monitoring control flow
transfers during program execution to enforce security policies. Program
shepherding provides three techniques as building blocks for security
policies. [...]
This system operates on unmodified native binaries, requires no
special hardware or operating system support, and runs on existing IA-32
machines under both Linux and Windows."
-
Setuid Demystified
(PDF
format).
"Access control in Unix systems is mainly based on user IDs, yet
the system calls that modify users IDs (uid-setting system calls),
such as setuid, are poorly designed, insufficiently documented, and
widely misunderstood and misused. This has caused many security
vulnerabilities in application programs.
[...]
Finally, we provide general
guidelines on the proper usage of the uid-setting system calls, and
we propose a high-level API that is more comprehensible, usable, and
portable than the usual Unix API."
-
Infranet: Circumventing Web Censorship and Surveillance
(PDF format).
"An increasing number of countries and companies routinely block or monitor
access to parts of the Internet. To counteract these measures, we propose
Infranet, a system that enables clients to surreptitiously retrieve sensitive
content via cooperating Web servers distributed across the global
Internet."
-
Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing
(PDF
format).
"The security of the vast majority of "secure" Web services rests on SSL
server PKI. However, this PKI doesn't work if the adversary can trick
the browser into appearing to tell the user the wrong thing about the
certificates and cryptography.
[...]
This paper reports the results of our work to systematically defend against
Web spoofing, by creating a trusted path from the browser to the
user."
Comments (none posted)
Events
Black Hat Briefings 2002 Keynote Speakers
Black Hat Inc has announced the keynote speakers for
Black Hat Briefings 2002 coming up July 31st to August 1st in Las Vegas, Nevada, USA.
Full Story (comments: none)
Upcoming Security Events
| Date | Event | Location |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | (Caesars Palace Hotel and Resort)Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | (Alexis Park Hotel and Resort)Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference(CSICON) | (Hyatt Regency)Calgary, Alberta Canada |
| August 28 - 30, 2002 | Workshop on Information Security Applications(WISA 2002) | Jeju Island, Korea |
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Kernel development
Release status
Current kernel release status
The current development kernel is 2.5.26, which was
announced by Linus on July 16. Changes
include some ACPI updates, the "direct to BIO for O_DIRECT" patch (see
last week's LWN Kernel Page), a number of NTFS
updates, some USB changes, some IDE fixes, an ARM update, and a great many
other changes. The
long-format changelog is
also available.
The latest prepatch from Dave Jones (as of this writing) is 2.5.25-dj2, released on July 12. The most
significant feature of this release, perhaps, is that Dave has included the
2.4 IDE "foreport" (also discussed last
week).
The latest 2.5 status summary from Guillaume
Boissiere came out on July 17.
The current stable kernel is still 2.4.18. The second 2.4.19
release candidate showed up on the kernel.org sites on July 17, but
Marcelo has not posted any sort of changelog or announcement.
The current prepatch from Alan Cox is 2.4.19-rc1-ac7. Alan has been merging a lot of
code for the IBM "Summit" architecture, PA-RISC, and more.
Comments (1 posted)
Kernel development news
Read-copy-update
One of the biggest challenges in kernel programming is managing
concurrency. If multiple threads try to access the same resources at the
same time, the result can be chaos. Users tend to have a dislike for
chaos, so kernel programmers work hard to avoid uncontrolled access to
shared data.
In the Linux kernel, this sort of mutual exclusion is usually done with
spinlocks. By obtaining a spinlock, a process running in kernel mode can
ensure that it is the only one working with the data structures protected
by that lock. A variant on spinlocks, called the "reader writer lock,"
allows numerous threads to access a data structure as long as they do not
modify it, but provides exclusive access to processes which make changes.
Spinlocks work well in most situations, but they are not free. Taking out
a lock takes time, especially on SMP machines, where the cache line
containing the lock must be moved between processors. The overhead of a
heavily used lock can be significant. So kernel hackers interested in
scalability have long kept an eye out for alternatives; one such
alternative is a technique called "read-copy-update," or RCU. A "new and shiny" RCU patch was posted by Dipankar
Sarma recently (the code credits Paul McKenney, Andrea Arcangeli, Rusty
Russell, Andi Kleen, and "etc."). So it seems like a good time to give RCU
a look.
RCU works by requiring shared kernel data structures to be accessed via
pointers. Code needing read-only access to a given data structure (a
network routing table entry, say) follows a pointer and is able to work
with the data with no locking at all (OK, almost none, see below). The
reader case is, thus, handled in a fast and efficient manner. When the
code needs to make a change to the data, however, life gets rather more
complicated; the sequence of steps required is, roughly:
- The writer allocates a new data structure and makes a copy of the
structure to be changed.
- The new structure is then modified to reflect the new state of the
world.
- The writer saves the pointer to the old version of the data, and sets
the global pointer to the new structure. Kernel threads that access
the data after this change will see the new version; any thread that
came along before will still be working with the old copy.
- The writer asks for a callback when the kernel knows that no code
has any reference to the old version of the data.
- When the callback happens, the old data can be freed, and the RCU
cycle is complete.
This technique is clearly optimized for situations where the data is read
frequently and modified rarely. For frequently-changed data, the overhead
of the RCU cycle would likely exceed that of simply using spinlocks. The
"frequent reads/infrequent writes" mode of operation is quite common in the
kernel, though, so there are many places where this technique could be
employed. For example, Rusty Russell's hotplug CPU patch uses RCU, on the
assumption that processors do not actually come and go very often.
All of the above, however, has glossed over one interesting detail: how,
exactly, does the kernel know when it is safe to release an old data
structure? The RCU patch handles this with a basic assumption: kernel code
will not retain pointers to RCU-protected data after it sleeps or returns
to user space. Thus, it is sufficient to wait until every processor in the
system has been seen to be running in user space or to be idle. The RCU
patch describes such a processor as being "quiescent." Each CPU in the
system has a quiescent counter, which is incremented by the scheduler
whenever a quiescent state is observed.
To call the RCU writer callbacks at the right time, the RCU code maintains
a list of pending RCU completions on each processor. A tasklet runs
periodically on any processor with pending RCU callbacks; it polls the
quiescent counter for all CPUs and waits until every one of them has
changed. Once that has happened, it is safe to free any old RCU data, so
the list of callbacks is processed. If, by that time, a new list of
pending callbacks has accumulated, the whole thing starts over again.
All of this works until you throw in one other little detail: the
preemptive kernel. If a process is preempted while running in kernel
space, it could retain a pointer to old RCU data even though the CPU
appears to be quiescent. The RCU patch provides two different ways of
dealing with this problem. One is that code accessing RCU data for reading
can bracket that access with calls to rcu_read_lock() and
rcu_read_unlock(), which simply disable preemption in the critical
section. Spinlocks, of course, do the same thing.
Alternatively, code can read the RCU data in an unprotected mode as
always. In this case, the RCU callback code gets even a little more
complicated; it must now wait until every process which had been preempted
in kernel mode either exits or is rescheduled normally. This waiting is
not quite as bad as it might seem; it is handled with a couple of atomic
counters. It does, however, introduce an indeterminate delay
between when the new data appears and the old can be freed. If the memory
areas involved are large, quite a bit of kernel memory could be tied up
waiting for RCU callbacks; disabling preemption is a safer way to go in
most cases.
RCU thus involves some complexity, but it holds out a promise of better
performance for certain kinds of data access patterns. Will it get into
the 2.5 kernel? There is one little problem, being that Linus doesn't like
the RCU approach. From a message posted last
October:
RCU obviously has major subtle issues, ranging from memory ordering
to "what is quiescent", ie the scheduling points. And "subtlety"
directly translates into bugs and hard-to-debug seldom-seen
problems that end up being "unexplainable".
In short, RCU seems to be a case of "hey, that's cool", but it's a
solution in search of a problem so severe that it is worth it.
There are no indications that Linus believes such a problem has yet come
up. Work continues on RCU patches (and other patches that use it),
however, so the story is not yet finished. (For information in numbing
detail about RCU - but without the preemptive kernel changes - see this
page on the LSE site).
Comments (3 posted)
Documenting and enforcing locking requirements
As was discussed
last week, one problem with
an increasingly fine-grained kernel is that it becomes difficult to know
which locks, out of thousands, must be held at any given point. Some
functions include documentation on their locking requirements (and
sometimes it's even current), but many others don't. And there is no way
for the code to actually enforce those requirements.
That may be about to change, however. Jesse Barnes, in discussion with
Daniel Phillips and others, has posted a
patch which addresses both problems. A function which expects to be
called with a given lock held simply includes a line like:
MUST_HOLD_SPIN(&some_lock);
In kernels compiled for production use, this macro expands to nothing and
serves as documentation only - anybody looking at the code sees immediately
that some_lock must be held before calling the function. The
CONFIG_DEBUG_SPINLOCK compilation option gives the macro some
teeth, however: if the given lock is not actually held at that point the
kernel panics immediately. The end result is that erroneous calls are
likely to get fixed in a hurry.
Dave Jones jumped in with a suggestion for
tracking down a related (and common) problem: code which sleeps while
holding a spinlock. Sleeping while holding a lock is against the rules,
since it can cause other processors to spin for a very long time. But it
is easy, while programming the kernel, to call a function which, three
functions later, goes to sleep. Once again, one could try to document the
"can sleep" status of every function and expect programmers to follow that
documentation. But, says Dave, why not just add a line like:
FUNCTION_SLEEPS();
to any function that can sleep? If the macro is called while a lock is
held, a bug exists. A quick kernel panic will allow the kernel hackers to
track down the offending call in a hurry.
Neither of these changes has found its way into a mainline kernel yet. If
they do, though, they could well help in the early detection of a number of
programming errors.
Comments (5 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
- Andre Hedrick: IDE/ATAPI in 2.5. A new 'foreport' of 2.4 IDE to 2.5.25.
(July 12, 2002)
Filesystems and block I/O
- Andrew Morton: readahead optimisations. "<span>This patch teaches readahead to detect the situation where no IO is
actually being performed as a result of its actions.</span>"
(July 17, 2002)
Janitorial
Kernel building
Memory management
- Robert Love: strict VM overcommit. "<span>We introduce new overcommit policies
that attempt to never succeed an allocation that can not be fulfilled by
the backing store and consequently never OOM. This is achieved through
strict accounting of the committed address space and a policy to
allow/refuse allocations based on that accounting.</span>" A reworking of Alan Cox's patch.
(July 12, 2002)
- Andrew Morton: minimal rmap. "<span>The code adds a pointer to struct page, consumes additional storage for
the pte chains and adds computational expense to the page reclaim code
(I measured it at 3% additional load during streaming I/O). The
benefits which we get back for all this are, I must say, theoretical
and unproven.</span>"
(July 17, 2002)
Networking
Architecture-specific
- Jeff Dike: UML 2.5.26. "<span>After a long, relaxing period of ignoring 2.5, I decided that it was about [time]
to catch up.</span>"
(July 17, 2002)
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
Distribution News
Debian Weekly News - July 16th, 2002
The July 16, 2002 edition of the Debian Weekly News is out with
coverage of the latest developments in the Debian community.
Full Story (comments: none)
Debian GNU/Linux 2.2 updated (r7)
This is the seventh revision of Debian GNU/Linux 2.2 (codename `potato')
which mainly adds security updates to the stable release, along with a
few corrections of serious bugs.
Full Story (comments: none)
Debian Jr. -- How are we doing?
Ben Armstrong provides some insight into the progress of Debian Jr.
Full Story (comments: none)
Interview with Ian Jackson (Debian Planet)
Debian Planet
has interviewed the dpkg author, Ian Jackson.
"
As well as being a former DPL, a current member of the technical commitee and
the author of dpkg, the original BTS, debiandoc-sgml, constitution, policy and
other documents, and several other free software projects including SAUCE,
userv and adns, he holds a doctorate in computer security and is the owner of
the machine chiark.greenend.org.uk, home to multiple nefarious internet geeks,
projects like PuTTY, and 'a few other weirdos too'."
Comments (none posted)
Mandrake Linux Community Newsletter - Issue #50
Issue number 50 of the Mandrake Linux Community Newsletter
has been published. Check it out for the latest Mandrake Linux
developments.
Full Story (comments: none)
Red Hat Linux bug fixes
Red Hat has an
updated miniChinput package
which fixes the way Chinese characters are displayed when the locale is
set to zh_CN. Available for RH 7.3 - i386.
GDB 5.2 packages are available for a variety
of Red Hat releases, from 7.0 through 7.3, including alpha and ia64 in
addition to i386 versions.
Comments (3 posted)
Minor distribution updates
Familiar Linux
Familiar Linux has released
v0.5.3 with minor
feature enhancements.
Comments (none posted)
LEAF (Linux Embedded Appliance Firewall)
LEAF has announced updates for
several branches.
WISP-Dist release 2290
has been announced. Updates we missed last week include a
delayed release
of Mosquito 3.4 and Shorewall 1.3.3 has also been
announced.
Comments (none posted)
Mindi Linux
Mindi
Linux has released
v0.65 with minor feature
enhancements.
Comments (none posted)
Openwall
The Openwall GNU/*/Linux (Owl) CVS tree may now be accessed via the
anonymous CVS server.
Full Story (comments: none)
RxLinux
RxLinux has released
v1.0.4 with major feature
enhancements.
Comments (none posted)
Trustix Secure Linux
TSL has issued a bug fix advisory. It seems older versions of imap and the
samba package manipulated the configuration file /etc/inetd.conf in their
post install scripts. The imap package also manipulated the /etc/services
system file. Since this is not considered nice behaviour, these
manipulations have been removed.
Full Story (comments: none)
uClinux
uClinux has released
20020701.
Comments (none posted)
Distribution reviews
Is SuSE 8 SuPERB? (Open for Business)
Open for Business
reviews
SuSE Linux 8.0. "
SuSE Linux is one of the most usable Linux
distributions on the market today. Rivaled only by Mandrake Linux as a
mainstream desktop Linux distribution, SuSE offers a nicely setup user
interface with everything needed for a productive office."
Comments (none posted)
Preview: Limbo Time (OS News)
OS News
takes a
look at Limbo, the latest Red Hat Linux beta. "
For the most
part, though, what Red Hat brings to the table is a Linux based OS that
can truly compete on the desktop. Make no mistake about it - Linux is not
for the average user, but it is getting closer. You still need the
command line for true system performance, but almost everything can be
performed from within the GUI once you learn where the controls
reside. Is Limbo a Windows killer, then? For some, it may be. For some of
the more experienced, it may appear to be no more than a hack target. But
for the middle ground users, those who are UNIX-capable, but not experts,
who are just searching for a robust, flexible but powerful, alternative
desktop OS, I wouldn't hesitate to say "Hey, let's do the Limbo
rock!""
Comments (none posted)
[Lindows] Applications have a spotty performance
The San Jose Mercury News
takes a look at Lindows' Click-N-Run Warehouse. "
Although the
Click-N-Run Warehouse for Lindows is a great idea in theory, real-world
users will run smack into the many ragged edges of open-source
software. None of the Click-N-Run applications have been developed by
Lindows.com, the creator of the Lindows operating system; the company is
merely gathering open-source software from elsewhere on the Web and
putting it one place for easy access by LindowsOS users."
Comments (1 posted)
Page editor: Rebecca Sobol
Development
System Applications
Database Software
Ten MySQL Best Practices (O'Reilly)
O'Reilly has published
a tutorial that shows how to manage a MySQL database.
"
MySQL is a complex piece of software that may seem overwhelming when you're first trying to learn it. This article describes a set of best practices for MySQL administrators, architects, and developers that should help in the security, maintenance, and performance of a MySQL installation.
"
Comments (1 posted)
Mail Software
Mailman 2.0.12 released
Version 2.0.12 of the stable tree for
Mailman,
the GNU Mailing List Manager, has been released.
Click below for the list of changes included in this version.
Full Story (comments: none)
Web Site Development
Web Development in Heavy Traffic (O'Reilly)
Pier Fumagalli
writes about tuning JVM for optimal performance on high-bandwidth web sites.
"
It happens from time to time: you spend a few years working on one peculiar aspect of a problem, you believe you become "experienced" in that problem, and, once your environment changes, you notice how you were looking at it with the eyes of a blind man."
Comments (none posted)
Getting Started With Cocoon 2 (O'Reilly)
Steve Punte gives
an overview
of the Cocoon 2 XML publishing framework on O'Reilly.
"
Cocoon 2, part of the Apache XML Project, is a highly flexible web publishing framework built from reusable components. Although reusability is an oft-touted quality of software frameworks, Cocoon stands out because of the simplicity of the interface between the components. Cocoon 2 uses XML documents, via SAX, as its intercomponent API. As long as a component accepts and emits XML, it works."
Comments (none posted)
Improving mod_perl Sites' Performance: Part 3 (Perl.com)
Stas Bekman continues his series on tuning mod_perl with
part 3.
"
This time we talk about tools that help us with code profiling and memory usage measuring."
Comments (none posted)
Zope Members News
This week, the
Zope Members News
looks at the Silva through-the-web authoring system for structured content,
DTMLTeX 0.2, and a new WebMail release.
Comments (none posted)
Web Services
Clustering with JBoss 3.0 (O'Reilly)
Bill Burke and Sacha Labourey
introduce JBoss 3.0 on O'Reilly.
"
Whenever an organization thinks about building and deploying a J2EE application, they think scalability and reliability. How can my Web site stay up 24/7? Will my infrastructure be able to handle the traffic? How can I ensure that I don't lose any transactions or data? How do I manage large server farms?"
"To answer these questions, many Java architects look to their application server's clustering features. This article looks at the kinds of features needed to develop robust J2EE applications and how JBoss 3.0, an open source J2EE application server, can be the solution of choice."
Comments (none posted)
Miscellaneous
Koha Library Management System Released (use Perl)
Use Perl has
an announcement for Koha version 1.2.1, Koha is a freely redistributable application for managing book libraries.
Comments (1 posted)
Desktop Applications
Desktop Environments
KDE 3.1 Alpha1: Brings New Eye Candy, New Features
KDE.News
looks at
the new KDE 3.1 Alpha 1 development release.
"
This release sports everything from wonderful new eye candy to
tons of popular new features including new and exciting "easter eggs" (aka
bugs) just waiting to be discovered. Remember, this is not a stable release".
Comments (none posted)
Bringing KDE Closer to Joe User's Desktop (OSNews)
OSNews has posted
a review of KDE 3.
"
It lacks two things: integration with the underlying system and UI
polishing. Today, I will mostly talk about the polishing part, as a lot has
been already said elsewhere about the seemingly unsolvable integration issue
(because of the modularity and completely independant/remote software
projects.) Update: And as I was just publishing this article, KDE 3.1-Alpha was
released. I hope that some of my recommendations will make it to the final
version of KDE 3.1."
Comments (none posted)
Kernel Cousin KDE #40
Kernel Cousin KDE
Issue #40 is out.
Topics include
KOffice Clipart, new artwork for
Atlantik, printing issues, new OpenGL screensavers and an upcoming website
on
debunking KDE Myths.
Comments (none posted)
Games
Humongous Python (O'Reilly)
Stephen Figgins
writes about the use of Python by Humongous Entertainment.
"
While several game companies are now using Python in their games, Dawson says they are one of the few companies using Python as the base language of their game. "In most games, the game itself is written in C++ and they call out to the scripting language for a few triggers or AI events or something. With our games, and the Disney game Toontown, the executable is Python.exe. You boot up with a python script that starts the game, and it calls out the C++ modules to do the heavy lifting, like the graphics and sound. The game logic is written in Python, with the C++ off in the leaf nodes, instead of the reverse, which is much more common.""
Comments (none posted)
Interoperability
Wine release 20020710
A new developer release of Wine, dated July 10, 2002
has been announced.
New features include:
- DirectSound 8 and DirectInput 8 support.
- Many OLE improvements.
- Support for font downloading in Postscript driver.
- ALSA sound driver.
- More portability fixes, particularly for Sparc.
- Lots of bug fixes.
Comments (none posted)
Wine Weekly News
The July 10, 2002 edition of the
Wine Weekly News
covers Winamp Plugins in XMMS,
Wine DGA Input, Running Warcraft 3, Running AutoCAD R14, and more.
Comments (none posted)
Office Applications
AbiWord Weekly News #100
Issue #100 of the
AbiWord Weekly News is out with the latest developments on the
AbiWord word processor. Long-time editor Jesper Skov is contemplating stepping down in the near future.
Comments (none posted)
Web Browsers
Mozilla Status Update
The
Mozilla Status Update for July 11, 2002 is out. Work is being done on
Mail/News, Java