The whole SCO affair started as a breach-of-contract suit against IBM.
That suit is based on the language of the Unix contracts signed with ATT
almost two decades ago, which reads:
AT&T grants to Licensee a personal, nontransferable and
nonexclusive right to use Software Product solely for Licensee's
own internal business purposes and solely on or in conjunction with
Designated CPUs for such Software Product. Such right to use
includes the right to modify such Software Product and to prepare
derivative works based on such Software Product, provided the
resulting materials are treated hereunder as part of the original
Software Product.
The core of SCO's claim is that anything that IBM has ever allowed to be a
part of a Unix system has become a "derived product" of Unix and must be
treated as if it were Unix itself. SCO cannot make any ownership claims
over this code - a side letter to the contract makes that explicit - but it
does claim the right to keep IBM from disclosing its own code.
Through its public statements, SCO has since made claims of massive direct
copying of SYSV Unix code into Linux. There is still no court case where
SCO has made such claims, however. The company's experience at SCO Forum
and subsequent public statements suggest that the evidence for direct
copying of code - actual copyright violations - is weak at best. SCO
might have a small case against SGI, depending on how a judge might
choose to interpret the copyright status of 32V Unix and the true source of
the ate_malloc() code. But that is between those two companies;
the code in question has already been removed from current Linux kernels.
Increasingly, it seems that SCO is left with its original breach of
contract case. The recently issued open letter from Darl McBride
does nothing to change that impression; it mentions the
ate_malloc() case but does not allege any other direct copying.
Instead, the company's claims are expressed as follows:
To date, we claim that more than one million lines of UNIX System V
protected code have been contributed to Linux through this
model. The flaws inherent in the Linux process must be openly
addressed and fixed.
In SCO's view, "Unix System V protected code" is a rather wider set
than "SCO-owned code." In fact, at SCO Forum, the company put up a slide
discussing the "more than one million lines" that it claims. Here's where
they come from:
| Subsystem |
Files |
Lines |
| Read-copy-update |
46 |
109,688 |
| NUMA |
101 |
56,587 |
| JFS |
44 |
32,224 |
| XFS |
173 |
119,130 |
| Symmetric multiprocessing |
1,185 |
829,393 |
| TOTAL |
1,549 |
1,147,022 |
(SCO has posted the slides to its presentations on this page. You'll have to
click past the cheery warning that things are optimized for Internet
Explorer to view them, though.)
These claims are interesting in a number of ways. Let's look at the RCU
claim for a moment. In a modern Linux kernel (RCU does not appear in 2.4),
the RCU implementation is contained in two files
(include/linux/rcupdate.h and kernel/rcupdate.c), which
add up to an amazing 402 lines. That leaves us 44 files and 109,286 lines
short of the claim made by SCO. Clearly, SCO must also be making claims on
any code that uses RCU in any way. If you look for files that make
any use of the RCU subsystem, the results are:
| File | Lines |
| arch/i386/oprofile/nmi_timer_int.c |
57 |
| drivers/char/ipmi/ipmi_kcs_intf.c |
1275 |
| fs/dcache.c |
1641 |
| include/asm-x86_64/kdebug.h |
44 |
| include/linux/rcupdate.h |
135 |
| include/linux/dcache.h |
316 |
| include/linux/list.h |
565 |
| include/net/dst.h |
254 |
| init/main.c |
604 |
| ipc/util.c |
612 |
| kernel/rcupdate.c |
267 |
| kernel/module.c |
1949 |
| kernel/sched.c |
2594 |
| net/802/psnap.c |
160 |
| net/bridge/br_device.c |
147 |
| net/bridge/br_forward.c |
157 |
| net/bridge/br_if.c |
289 |
| net/bridge/br_ioctl.c |
309 |
| net/bridge/br_input.c |
159 |
| net/core/netfilter.c |
761 |
| net/core/dev.c |
3092 |
| net/ipv4/af_inet.c |
1250 |
| net/ipv4/icmp.c |
1120 |
| net/ipv4/ip_input.c |
433 |
| net/ipv4/route.c |
2797 |
| net/ipv6/af_inet6.c |
895 |
| net/ipv6/icmp.c |
787 |
| net/ipv6/ip6_input.c |
260 |
| net/decnet/dn_route.c |
1843 |
| TOTAL 29 files | 24,772 |
So, even with such an expansive interpretion of SCO's claim, there are 17
files missing. They must be big files as well, since they must account for
the remaining 84,916 lines. The "contamination" caused by RCU is evidently
a very broad thing.
We asked SCO where the missing files were, but were told only
"[T]his level of detail is something
that we will save for our court case in 2005." So we're going to
have to remain in suspense for a while. But one thing is clear: SCO claims
that the old AT&T licenses give it amazing powers over code that has
ever breathed the same air as SYSV Unix. Anybody who claims that the GPL
is overly "viral" or that it threatens intellectual property should take a
good look at the powers that SCO claims its license gives it. The GPL
can't compete in that league.
SCO's legal argument is interesting; the company claims that Linux hackers
have, while having never actually seen the SYSV Unix source, nontheless
created a derived product of SYSV Unix. They are accused of copying
something they never had access to. This argument seems destined to fail;
how can something which contains no SYSV code be a derived product of SYSV?
But that is the core of SCO's argument.
An interesting question comes out of this: what if SCO wins its case? SCO
will have then convinced a court that IBM released IBM's code in violation
of an agreement it had with SCO. The fact that IBM released IBM's code,
however, would not change. SCO does not own that code, how can it
claim a right to payments from Linux users? If SCO wins, it may get a
chunk of money from IBM. But it should still have nothing which entitles
it to license payment from Linux users.
Returning to Darl McBride's open letter, we note that there are no demands
that Linux users buy SCO "licenses," and no threats of suits against
users. Mr. McBride, instead, has taken a bit of a different approach:
A sustainable business model for software development can be built
only on an intellectual property foundation. I invite the Open
Source community to explore these possibilities for your own
benefit within an Open Source model. Further, the SCO Group is
open to ideas of working with the Open Source community to
monetize software technology and its underlying intellectual
property for all contributors, not just SCO.
One might point out that the free software world does, indeed, have an
"intellectual property foundation." It is based on copyright law, and free
licenses, including the GPL, which SCO has said it wants to break. One
might also point out that the community is not in much of a mood for
"working with" SCO at this point. But one's time might be better spent
pondering what SCO was thinking when it published those words.
SCO clearly wants to be able to put a tax on Linux systems. SCO also
clearly sees the GPL as an obstacle; there is no way to make a tax stick to
Linux as long as it remains freely redistributable. Could SCO be casting
around for a scheme to buy off free software developers should its
challenges to the GPL fail? A nice tax for SCO and a few bones tossed to
developers willing to relicense their code? It is hard to see how such a
scheme could possibly succeed, but it is also hard to find another way to
interpret the words quoted above.
In summary, the SCO case remains interesting. SCO has changed its tune
several times, but, for the moment, is back where it began: a breach of
contract suit against IBM. The company has yet to produce any evidence
that Linux users owe it money. It is also now interested in "working with
the open source community." But SCO remains unpredictable. We have not
yet seen the last strange twist in this case.
Comments (13 posted)
[This article was contributed by Joe 'Zonker' Brockmeier]
For years now, Linux users have had to struggle with the omnipresent
Microsoft Office formats. Developers working on OpenOffice.org,
Abiword, KOffice, Gnumeric and other applications have had their hands
full trying to decipher the proprietary and obfuscated MS Office formats
so that users could read and exchange documents with their MS
Office-using colleagues. With Microsoft Office 2003, Redmond is taking
obfuscation to new levels that may mean legal problems for developers
who try to provide compatibility with Office, and huge fees for
companies that try to adopt it.
In addition to the usual slew of new features, Office 2003 Professional
comes with Information Rights Management (IRM) tools. (Users of Office
2003 Standard can not create IRM documents.) Basically, IRM is just
another name for Digital Rights Management (DRM), a term that Microsoft
is avoiding because of the negative connotations that DRM has already
picked up. IRM allows users to restrict what others can do with a
document. Without the proper permissions, recipients of IRM-restricted
documents will be unable to read or print them. Recipients of
IRM-restricted e-mails will be unable to forward them as well. And users
can set documents to expire.
Naturally, these documents will be incompatible with previous versions
of Microsoft Office, to say nothing of competing tools like
OpenOffice.org, Gnumeric or Ximian's Evolution. In addition to the usual
format obfuscation, however, Microsoft also has the Digital Millenium
Copyright Act (DMCA) to protect it from competition. Since the format
includes encryption, Microsoft will be able to threaten developers with
the DMCA if they attempt to include support for IRM-restricted
documents.
Microsoft's IRM also depends on its server-based Rights Management
Services (RMS). This means that any company wanting to adopt IRM is
also forced to adopt Microsoft at the server. It doesn't preclude
companies using a mixture of Microsoft and Linux servers, but it does
mean that organizations that have only adopted Microsoft at the desktop
would be forced to make additional investments in Microsoft software.
Not only is the technology extremely restrictive, the price should be
enough to give any CFO or business owner pause. To deploy RMS within an
organization requires that you run Windows Server 2003. That brings some
hefty licensing fees on its own, but there's more. Every user who
connects to that server has to have a Windows Server 2003 Client Access
License (CAL) and a RMS User CAL, not to mention the licensing
fees for that user's copy of Windows XP and Office 2003 Professional.
The RMS CAL alone runs $37 for a single user, or $185 for a pack of five
CALs. No doubt, large organizations could get the CALs even cheaper, but
it still becomes very expensive. Note that this isn't just for users who
create IRM documents, but also for any user who views an IRM-restricted
document.
That's to use Microsoft's RMS within an organization. Companies that
want to share files with users outside the organization, will need yet
another license from Microsoft. According to Microsoft's pricing
and licensing overview page, this license alone will run an
organization $18,066 for the Windows RMS External Connector License. This
fee may not be a major obstacle for large organizations, but it would
certainly represent a major burden on small companies that need to share
documents with clients.
Believe it or not, Microsoft's new Office suite is potentially
good news for the open souce community. It creates yet another
opening for Linux vendors and proponents to make the case for free and
open software in business. Microsoft has laid out its vision for the
future of software, and it's filled with licensing fees stacked upon
licensing fees -- and technologies that suck the user deeper and deeper
into Microsoft's "stack" of solutions. Many organizations have been
content to adopt Windows on the desktop, and other technologies at the
server level. Redmond's all-or-nothing approach, attempting to force
their customers to adopt their toolchain entirely, may end up driving
them away completely.
To use IRM/RMS, an organization would have to adopt Microsoft across the
board -- and likely will require them to persuade their business
partners to do the same. Few organizations can get by without sharing
documents externally. Expect major levels of frustration when a company
adopts Office 2003 with IRM, and tries to share documents with others
using older versions of Office. Even if a company is gung-ho about IRM,
their business partners may not be.
If the Office 2003 strategy works, and organizations start jumping on
the IRM bandwagon, it's the ultimate lock-in for Microsoft. Game over
for Linux users (and vendors) trying to maintain compatibility with
Windows users. This would have the potential of breaking compatibility
even for reading e-mail, if you work with Outlook users who enable IRM.
But it also has the potential to cause some significant backlash against
Redmond when companies start tallying up the costs of switching and
being fully compatible with Microsoft's document DRM. Let's not forget
that most organizations are being much more stingy with their tech
purchases these days. Many companies are still smarting over Microsoft's
"new and improved" licensing programs and the recent security snafus. If
SoBig.F wasn't enough to send companies over to Linux, Office 2003 might
be the straw that broke the camel's back.
Comments (40 posted)
On September 8, LynuxWorks
announced
the availability of a beta release of BlueCat Linux 5.0. BlueCat is
the company's embedded Linux distribution; 5.0, interestingly, is based on
the (still unreleased) 2.6 kernel. LynuxWorks claims to have applied a
lengthy series of "ISO 9001:2000" reliability tests to this kernel. The PR
also cites some of the features of this kernel which are of interest to the
embedded community, including kernel preemption, the O(1) scheduler, and
the improved threading support. LynuxWorks, they say, is the first
embedded systems company to make these features available in a Linux-based
system.
The interesting thing, of course, is that all of those features were
developed at other companies. Kernel preemption, in particular, was done
by Nigel Gamble and Robert Love at MontaVista - a direct LynuxWorks
competitor. The extensive testing done by LynuxWorks must certainly have
turned up bugs; the 2.6 kernel is still an unreleased product, beta quality
at best. Yet no fixes appear to have been sent back to the community.
Over the last year, only one posting appeared on linux-kernel from either
lynuxworks.com or lnxw.com - a request for help with a compilation
problem. The 2.6 BitKeeper repository, containing all patches merged since
February 2002, shows one set of patches from LynuxWorks.com: a USB Pegasus
driver by Petko Manolov. The last patch was merged in May, 2002.
We asked LynuxWorks if it had a list of recent contributions (which could,
after all, have been sent in from a different email address), but got no
response.
LynuxWorks, in other words, is taking full advantage of the work of others
- including its competitors - to claim to be "first to market" with a set
of new features. And it has done so without contributing much of anything
back to the community from which it draws the software it is selling.
LynuxWorks is far from alone in this behavior, of course. LynuxWorks is
also acting
entirely within its rights. As long as they abide by the GPL, nobody can
complain if they use the software in this way. That is what free software
is all about.
It is also true, however, that being within your rights and being right are
not always the same thing. A company that is making money selling Linux
should feel some obligation to contribute back to Linux. Especially when
that company is in the operating systems business and clearly has the
technical resources to make that sort of contribution.
Contributing back is not just the right thing to do; it is also good
business. Customers feel better when they see that their suppliers have a
good relationship with the development community upon which they depend.
Customers also like the feeling that a supplier understands the software
well enough to make changes and get them accepted; it improves that chances
that bugs can be fixed and requested changes implemented. They feel better
about the software as a whole if the vendor cares enough to make it
better. Software with active support from those selling it has a better
chance of being around and still maintained a few years from now.
Many free software companies understand this well; they point to their free
software contributions as a source of pride. As users of free software
become more sophisticated, they will ask for that information. Customers
need to know that their suppliers can provide them with the support they
need, and that said suppliers are committed to the future of the software
they work with. A history of contributing back to the software in question
is one of the best ways to show customers what they want to see. It also
has the incidental benefits of making the software better and being the
right thing to do.
Comments (13 posted)
One of the many DMCA cases circulating in the U.S. court system is
Chamberlain v. Skylink. Chamberlain manufactures garage door openers and,
of course, the remote units which are used to open and close the garage
door. Recent Chamberlain models use a "rolling code" system which is
intended to protect homeowners against playback attacks; the code
transmitted by the remote is different every time, so a thief with a
recorder would capture nothing useful. This system also has the incidental
result of preventing other companies from selling remotes that work with
Chamberlain openers.
Except that Skylink figured out a way to get around the code, and marketed
a working remote. Chamberlain then took Skylink to court, claiming that,
among other things, the Skylink remote violates the Digital Millennium
Copyright Act. The problem, it seems, is that the Skylink remote
circumvents the "technical measures" employed by Chamberlain to restrict
access to the copyrighted software in its openers. Chamberlain was
sufficiently confident of its position that it asked for a summary
judgement on the DMCA argument. At the end of August, the court denied
that request; the full text of the ruling is available in PDF format.
One might hope that this case would have been an opportunity for the court
to take a serious look at the DMCA. The DMCA, used in this way, is
an effective tool to prevent the creation of interoperable products in a
wide range of industries. All that's needed is a bit of internal code and
a simple "technical measure" to prevent interoperation; the DMCA does the
rest. Unfortunately, the ruling in this case does little to help those who
would like to see the power of the DMCA reduced.
The court denied the judgement for two reasons. The first is that, in the
court's opinion, Chamberlain did not establish that the software inside its
garage door opener was actually protected by copyright - a crucial
precondition for DMCA applicability. This is a true technicality here; it
is difficult to believe that Chamberlain will not have a copyright interest
in the software it created.
The second reason is, essentially, that Chamberlain did not tell its
customers that they couldn't use competing remotes.
In this case, Plaintiff sells a GDO [garage door opener] to a
homeowner who then utilizes the product to access his or her own
garage. As pointed out above, there are no limitations placed on
the homeowner who buys the Chamberlain rolling code GDO, regarding
which type of replacement or additional transmitter he or she
purchases to access the GDO.
This second point may be enough to sink Chamberlain's DMCA argument, but it
leaves the DMCA itself untouched. A simple statement on the box that only
Chamberlain remotes may be used with the opener will close the hole in the
future. This ruling is a defeat for a company attempting to wield the DMCA
for its commercial benefit, but it will do nothing to stop this use of the
DMCA in the future.
Comments (5 posted)
Page editor: Jonathan Corbet
Security
Brief items
Jonathan Zdziarski
announced the release of
mod_dosevasive 1.8 at the beginning of September. mod_dosevasive is an
apache module, licensed under the GPL, which enables a web server to detect
certain kinds of denial-of-service attack and take appropriate action.
The core of mod_dosevasive is a set of hash tables keeping track of recent
page requests. If a particular system (as identified by its IP address)
starts requesting too many pages at once, or it requests the same page
repeatedly too often, the module decides an attack is underway. The next
request from that source will get back a 403 error response, and the site
goes into the blacklist. The default blacklist period is ten seconds; each
request received while the offending system is blacklisted extends its time
there.
mod_dosevasive can also send notification email when it detects an attack,
or execute an arbitrary command. The command capability is intended to
make the module work with firewalls; rather than continually failing
requests with 403 errors, an administrator can set up the firewall to
simply block traffic from the attacking system altogether. That approach,
clearly, will be more effective against large-scale distributed attacks
where the real purpose is to consume bandwidth.
The mod_dosevasive
web page has more information.
Comments (3 posted)
The September quarterly CERT Summary is out, discussing the security issues
which are currently worth noting. Most notable this time around is
the fact that Linux and free software do not figure into any of the
problems covered. According to this summary, all of the serious security
issues of the last three months affect only proprietary software. Enjoy it
while it lasts.
Full Story (comments: none)
New vulnerabilities
exim: buffer overflows
| Package(s): | exim exim-tls |
CVE #(s): | CAN-2003-0743
|
| Created: | September 5, 2003 |
Updated: | October 1, 2003 |
| Description: |
A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.
CAN-2003-0743 |
| Alerts: |
|
Comments (none posted)
inetd: DoS attack
| Package(s): | inetd |
CVE #(s): | |
| Created: | September 8, 2003 |
Updated: | September 10, 2003 |
| Description: |
inetd has a hard-coded limit of 256 connections-per-minute, after which the
given service is disabled for ten minutes. An attacker could use a quick
burst of connections every ten minutes to effectively disable a service.
Once upon a time, this was an intentional feature of inetd, but in
today's world it has become a bug. Even having inetd look at the
source IP and try to limit only the source of the attack would be
problematic since TCP source addresses are so easily faked. |
| Alerts: |
|
Comments (3 posted)
mah-jong: buffer overflows, denial of service
| Package(s): | mah-jong |
CVE #(s): | CAN-2003-0705
CAN-2003-0706
|
| Created: | September 8, 2003 |
Updated: | September 10, 2003 |
| Description: |
Nicolas Boullis discovered two vulnerabilities in mah-jong, a
network-enabled game.
CAN-2003-0705 (buffer overflow): This vulnerability could be exploited
by a remote attacker to execute arbitrary code with the privileges of the
user running the mah-jong server.
CAN-2003-0706 (denial of service): This vulnerability could be
exploited by a remote attacker to cause the mah-jong server to enter a
tight loop and stop responding to commands. |
| Alerts: |
|
Comments (none posted)
wu-ftpd: insecure program execution
| Package(s): | wu-ftpd |
CVE #(s): | CVE-1999-0997
|
| Created: | September 5, 2003 |
Updated: | September 24, 2003 |
| Description: |
wu-ftpd, an FTP server, implements a feature whereby multiple files
can be fetched in the form of a dynamically constructed archive file,
such as a tar archive. The names of the files to be included are
passed as command line arguments to tar, without protection against
them being interpreted as command-line options. GNU tar supports
several command line options which can be abused, by means of this
vulnerability, to execute arbitrary programs with the privileges of
the wu-ftpd process. |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
CVE #(s): | CAN-2003-0461
CAN-2003-0462
CAN-2003-0464
CAN-2003-0476
CAN-2003-0501
CAN-2003-0550
CAN-2003-0551
CAN-2003-0552
|
| Created: | July 21, 2003 |
Updated: | December 24, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
-
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
-
CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
-
CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that his could allow normal
users to bind to UDP ports used for services such as nfsd.
-
CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
-
CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
-
CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
-
CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
-
CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
|
| Alerts: |
|
Comments (none posted)
apache: multiple vulnerabilities in Apache HTTP server
| Package(s): | apache |
CVE #(s): | CAN-2003-0192
CAN-2003-0253
CAN-2003-0254
|
| Created: | July 11, 2003 |
Updated: | September 22, 2003 |
| Description: |
The Apache Software Foundation and
the Apache HTTP Server Project have announced
the release of the Apache HTTP Server 2.0.47. This release fixes four
security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when target host is IPv6 but ftp proxy
server can't create IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
|
| Alerts: |
|
Comments (none posted)
autorespond: buffer overflow
| Package(s): | autorespond |
CVE #(s): | CAN-2003-0654
|
| Created: | August 18, 2003 |
Updated: | October 1, 2003 |
| Description: |
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
CAN-2003-0654 |
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
eroaster: insecure temporary file
| Package(s): | eroaster |
CVE #(s): | CAN-2003-0656
|
| Created: | August 19, 2003 |
Updated: | October 1, 2003 |
| Description: |
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
CAN-2003-0656 |
| Alerts: |
|
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0428
CAN-2003-0429
CAN-2003-0431
CAN-2003-0432
|
| Created: | June 23, 2003 |
Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fdclone: insecure temporary directory
| Package(s): | fdclone |
CVE #(s): | CAN-2003-0596
|
| Created: | July 23, 2003 |
Updated: | October 1, 2003 |
| Description: |
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596 |
| Alerts: |
|
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-1365
|
| Created: | December 17, 2002 |
Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: |
|
Comments (3 posted)
gkrellm: buffer overflow
| Package(s): | gkrellm |
CVE #(s): | |
| Created: | August 29, 2003 |
Updated: | September 3, 2003 |
| Description: |
A buffer overflow was discovered in gkrellmd, the server component of the
gkrellm monitor package, in versions of gkrellm 2.1.x prior to 2.1.14.
This buffer overflow occurs while reading data from connected gkrellm
clients and can lead to possible arbitrary code execution as the user
running the gkrellmd server. |
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 16, 2003 |
Updated: | November 18, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
horde: session hijacking
| Package(s): | horde |
CVE #(s): | |
| Created: | September 1, 2003 |
Updated: | September 3, 2003 |
| Description: |
According to this
advisory an attacker could send an email to a victim who used HORDE
MTA, to get the victim to visit a website, which then logs all available
information about the victim's system. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
CVE #(s): | CAN-2003-0686
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
libpam-smb is a PAM authentication module which makes it possible to
authenticate users against a password database managed by Samba or a
Microsoft Windows server. If a long password is supplied, this can cause a
buffer overflow which could be exploited to execute arbitrary code with the
privileges of the process which invokes PAM services. See this advisory for more information.
CAN-2003-0686 |
| Alerts: |
|
Comments (1 posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | October 1, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mindi: insecure file creations
| Package(s): | mindi |
CVE #(s): | CAN-2003-0617
|
| Created: | September 2, 2003 |
Updated: | October 1, 2003 |
| Description: |
Mindi versions prior to 0.86 creates files in /tmp which could allow local
user to overwrite arbitrary files.
CAN-2003-0617 |
| Alerts: |
|
Comments (none posted)
mpg123 - buffer overflow
| Package(s): | mpg123 |
CVE #(s): | CAN-2003-0577
|
| Created: | July 16, 2003 |
Updated: | September 30, 2003 |
| Description: |
The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netris: buffer overflow
| Package(s): | netris |
CVE #(s): | CAN-2003-0685
|
| Created: | August 18, 2003 |
Updated: | October 1, 2003 |
| Description: |
Shaun Colley discovered a buffer overflow vulnerability in netris, a
network version of a popular puzzle game. A netris client connecting
to an untrusted netris server could be sent an unusually long data
packet, which would be copied into a fixed-length buffer without
bounds checking. This vulnerability could be exploited to gain the
priviliges of the user running netris in client mode, if they connect
to a hostile netris server.
CAN-2003-0685 |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending
specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
node: buffer overflow, format string
| Package(s): | node |
CVE #(s): | |
| Created: | September 1, 2003 |
Updated: | September 3, 2003 |
| Description: |
Morgan alias SM6TKY discovered and fixed several security related
problems in LinuxNode, an Amateur Packet Radio Node program. The
buffer overflow he discovered can be used to gain unauthorised root
access and can be remotely triggered. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
pam_ldap: non-functioning host restrictions
| Package(s): | pam_ldap |
CVE #(s): | |
| Created: | September 3, 2003 |
Updated: | September 3, 2003 |
| Description: |
pam_ldap 161 contains a bug in the pam_filter module which prevents host-based restrictions from working as advertised; version 1.62 fixes the problem. |
| Alerts: |
|
Comments (none posted)
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
CVE #(s): | CAN-2003-0672
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the
username to be used for authentication is used as a format string when
writing a log message. This vulnerability may allow an attacker to
execute arbitrary code with the privileges of the program requesting
PAM authentication.
CAN-2003-0672 |
| Alerts: |
|
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
CVE #(s): | CAN-2003-0615
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
obscure@eyeonsecurity.org reported a
cross site scripting vulnerability in the CGI.pm perl module. This module
is used to facilitate the creation of web forms and is part of the
perl-modules RPM package.
CAN-2003-0615 |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | October 1, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
CVE #(s): | CAN-2003-0504
CAN-2003-0582
|
| Created: | July 16, 2003 |
Updated: | October 1, 2003 |
| Description: |
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this
Security Corportation report for more information.
CAN-2003-0504
CAN-2003-0582 |
| Alerts: |
|
Comments (none posted)
phpwebsite: SQL Injection, DoS and XSS Vulnerabilities
| Package(s): | phpwebsite |
CVE #(s): | |
| Created: | September 2, 2003 |
Updated: | September 3, 2003 |
| Description: |
phpwebsite contains an sql injection vulnerability in the calendar
module which allows the attacker to execute sql queries. In addition
phpwebsite is also vulnerable to XSS. More information can be found in the
full
advisory. |
| Alerts: |
|
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
semi: insecure temporary file
| Package(s): | semi, wemi |
CVE #(s): | CAN-2003-0440
|
| Created: | July 7, 2003 |
Updated: | October 1, 2003 |
| Description: |
semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
CAN-2003-0440 |
| Alerts: |
|
Comments (none posted)
sendmail: bad DNS reply causes crash
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0688
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x
versions with respect to DNS maps. The bug did not exist in versions before
8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9,
released March 29, 2003. See this advisory for more
information.
CAN-2003-0688 |
| Alerts: |
|
Comments (none posted)
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
CVE #(s): | CAN-2002-1563
|
| Created: | July 25, 2003 |
Updated: | November 25, 2003 |
| Description: |
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service. |
| Alerts: |
|
Comments (none posted)
sup: insecure temporary file
| Package(s): | sup |
CVE #(s): | CAN-2003-0606
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
CAN-2003-0606 |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
teapop: SQL injection
| Package(s): | teapop |
CVE #(s): | CAN-2003-0515
|
| Created: | July 9, 2003 |
Updated: | October 1, 2003 |
| Description: |
teapop, a POP-3 server, includes modules for authenticating users
against a PostgreSQL or MySQL database. These modules do not properly
escape user-supplied strings before using them in SQL queries. This
vulnerability could be exploited to execute arbitrary SQL under the
privileges of the database user as which teapop has authenticated.
CAN-2003-0515 |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
CVE #(s): | CAN-2003-0282
|
| Created: | July 1, 2003 |
Updated: | November 13, 2003 |
| Description: |
A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information. |
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
CVE #(s): | CVE-2001-0559
|
| Created: | April 17, 2003 |
Updated: | October 3, 2003 |
| Description: |
From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10,
2001 security page. |
| Alerts: |
|
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
CVE #(s): | CAN-2003-0101
|
| Created: | June 13, 2003 |
Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: |
|
Comments (none posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
|
Comments (none posted)
wget: buffer overflow
| Package(s): | wget |
CVE #(s): | CAN-2003-1565
|
| Created: | August 5, 2003 |
Updated: | December 10, 2003 |
| Description: |
The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. |
| Alerts: |
|
Comments (1 posted)
wu-ftpd: off-by-one bug
| Package(s): | wu-ftpd |
CVE #(s): | CAN-2003-0466
|
| Created: | July 31, 2003 |
Updated: | October 5, 2003 |
| Description: |
An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges. See this advisory for more details. |
| Alerts: |
|
Comments (none posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | October 1, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
CVE #(s): | CAN-2003-0211
|
| Created: | May 13, 2003 |
Updated: | November 13, 2003 |
| Description: |
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues. |
| Alerts: |
|
Comments (none posted)
zblast: buffer overflow
| Package(s): | zblast |
CVE #(s): | CAN-2003-0613
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving
the high score file. This vulnerability could be exploited by a local
user to gain gid 'games', if they can achieve a high score.
CAN-2003-0613 |
| Alerts: |
|
Comments (1 posted)
Resources
The September 8 Linux Security Week newsletter from LinuxSecurity.com is
available.
Full Story (comments: none)
WebCohort has announced the release of a white paper on "blindfolded SQL
injection," a form of SQL injection attack that does not rely on extracting
information from the target server's error messages.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.6.0-test5, which was
released by Linus on September 8. Changes
this time include new, type-safe
ioctl() command code checker (see
below), a USB "gadget" framework which enables the creation of user-space
drivers, a new
CONFIG_64BIT configuration option, a number of
futex improvements, a reworked de4x5 driver, "very basic" VIA 8237 serial
ATA controller support, support for a software-implemented hard disk
activity LED, Intel
High Precision
Event Timers support, Al Viro's first set of large
dev_t
support patches (covered here
two weeks
ago), and his second set (which fixes up filesystems and removes the
kdev_t type) as well, some IDE work, a large USB update, lots of
network driver fixes, a new set of iptables modules, and many other fixes.
The
long-format changelog has all the
details.
Linus's BitKeeper tree contains a number of patches including some
initramfs tweaks, improvements in random driver locking (which was
"consuming 60% of CPU resources in Anton's monster power5 boxes"), the
removal of some ext3 debugging hooks, direct I/O support for reiserfs, some
CPU frequency work, an Intel SpeedStep-SMI driver, and various fixes.
The current stable kernel is 2.4.22; Marcelo has not released any
2.4.23 prepatches since 2.4.23-pre3 on
September 3.
Comments (none posted)
Kernel development news
Al Viro's second set of patches aimed at enabling the support of a larger
dev_t type has been merged into the 2.6.0-test5 kernel. The bulk
of the work is fixing up code in filesystems which made assumptions about
the size of
dev_t. As part of this whole process, however, Al has
been converting kernel code from the
kdev_t type over to using
dev_t directly.
kdev_t, of course, was introduced several major releases ago as a
way of hiding the actual structure of device numbers. The comments in
<linux/kdev_t.h> read:
As a preparation for the introduction of larger device numbers, we
introduce a type kdev_t to hold them. No information about this
type is known outside of this include file.
In practice it didn't work quite that way. When Linus changed the format of
kdev_t early in the 2.5 development series, everything broke.
And when the time came to really change the size of dev_t, it
turned out to be easier and more clear to simply use dev_t
directly. Kernel hackers tend to be skeptical of abstraction interfaces
which are created without being immediately useful; kdev_t is an
example of why that is so.
The seventh patch (of 15) in Al Viro's second
dev_t series changes the type of the much-used i_rdev
inode structure field; it is, of course, a dev_t now. Since Al
had already converted users of that field over to the new iminor()
and imajor() macros, the effect of this change was small. But, as
it turns out, i_rdev was the last kdev_t object in the
kernel. So patch eight removed the type
altogether.
Out-of-tree drivers will, of course, be broken as a result of this change,
but the fixes should not be that difficult. At this point, the bulk of the
large dev_t preparation work should be done. About all that's
left is to decide what the format of the new dev_t will really be
and make the change. Once the dust settles, another one of the 2.6.0 "must
fix" items will have been taken care of.
Comments (1 posted)
The
ioctl() system call includes a general "command" argument
which specifies which operation the calling program wishes to perform. The
Linux kernel has long had a mechanism for defining these command arguments,
with the goal of keeping them all unique. If no two drivers implement the
same command codes, there is no danger of strange things happen if the
wrong code is passed to the wrong driver. A world where "rewind the tape"
for one driver never translates to "initiate self destruct" for another is a
safer place to be for all of us.
The Linux kernel takes things a little further by encoding some useful
information in the command codes. Along with driver-specific "magic" and
command numbers, the ioctl() command code includes the direction
of data movement (if any) between kernel and user space and the size of the
data to be moved. The kernel itself does not do anything with those
values, but their presence does enable a driver to perform some checks.
If, for example, the size of a structure used as an ioctl()
argument changes, the driver can use the size field in the command code to
determine whether the application is using the older version or not. Some
kernel code actually does check the sizes to be sure that things match up.
The command codes are created using some macros in
<asm/ioctl.h>. A driver defining codes would use one
of these macros:
_IOR(type, number, size)
_IOW(type, number, size)
_IORW(type, number, size)
The macro used specifies whether the ioctl() operation reads or
writes kernel-space data (or both); type is the driver's "magic"
code, and number is the command-specific code. The confusion
comes in with the argument called size; it is supposed to be the
type of the data to be passed between kernel and user space. So, for
example, the "get tape position" code is defined as:
#define MTIOCPOS _IOR('m', 3, struct mtpos)
The problem is that a number of hackers saw the size argument and
assumed that they were expected to pass the size of the expected data
transfer. The result was a number of definitions like:
#define CIOC_KERNEL_VERSION _IOWR('c', 10, sizeof (int))
As a result, the actual size value, as encoded within the command, was the
size of the size value, or, on most architectures, four bytes. Since most
code never looks at that size value, things worked, but the values defined
were not as intended. Another problem that occasionally came up was that
some code used very large size values, overflowing the space allotted in
the command word, thus corrupting the rest of the command code. Once
again, things worked, but not quite in the way people expected.
One of the themes of 2.6 development has been the addition of type checking
anywhere that the compiler can be coerced into doing it. So the obvious
thing to do was to add checking to the generation of command codes; Arnd Bergmann
submitted a patch which does exactly that.
It adds a bit of preprocessor magic in the form of this macro:
#define _IOC_TYPECHECK(t) \
((sizeof(t) == sizeof(t[1]) && \
sizeof(t) < (1 << _IOC_SIZEBITS)) ? \
sizeof(t) : __invalid_size_argument_for_IOC)
The first test ensures that an actual type (as opposed to a simple size)
has been passed in; the second makes sure it is not too large.
All that remains is the inconvenient fact that the old, erroneous codes
have found their way into a number of application programs. Changing those
codes would break those applications, and that's something the kernel hackers
try never to do. So, for these cases, a new set of macros (with names like
_IOW_BAD() has been introduced, and the erroneous uses have been
moved over to the new macros. The command codes remain unchanged, but the
mistake is noted so that it is not replicated when somebody copies the code
in question.
Comments (3 posted)
Patrick Mochel has posted
a new set of power
management patches. Power management is, of course, one of the last
unfinished projects in the 2.6.0-test kernel. So developments in that area
are of interest.
Much energy has gone into the suspend-to-disk implementation. Patrick has
been unable to come to an understanding with (2.6) swsusp maintainer Pavel
Machek; rather than keep trying, he has chosen to create his own
implementation (starting with swsusp) called "pmdisk." Should Linus accept
the patches, the 2.6.0-test kernel will have two separate, competing
implementations of the suspend-to-disk functionality. The swsusp version
has been reverted to its previous state; the patch includes the comment
"Note that I would never publically admit to putting such code into
the kernel."
The new pmdisk implementation has since seen some fixes, though it still
does not work on SMP systems, and apparently will not for some time. There
is a /sys/power/state file used to control pmdisk; writing
"disk" to that file will cause the system to suspend itself to
disk. Beyond that, pmdisk is still mostly the swsusp implementation with
a lot of cleanup work and the names of the functions and variables changed.
One remaining question with the suspend-to-disk functionality is what will
happen to all of Nigel Cunningham's work. Nigel has put a great deal of
effort into the 2.4 swsusp implementation, with the result that it has
become a reliable option for many users; see our
review of that work from August. Nigel would like to port his work
forward to 2.6, but is uncertain about what to port to.
This whole situation could be resolved by Linus, who has not yet accepted
the "fork swsusp" patch. Releasing a 2.6.0 kernel with two different
suspend implementations seems like a suboptimal course which could reflect
poorly on the Linux development process. Linus has made no public noises
to this effect, but it would not be surprising if he imposed some sort of
solution that led to a single suspend subsystem in 2.6.0.
Comments (3 posted)
Greg Kroah-Hartman has posted
a patch with
the rather uninspiring title of "add kobject to struct module." What the
patch really does, however, is enable the creation of a
/sys/module directory which will contain information about the
modules currently loaded into the kernel. With this patch, the only
available information (beyond the name of the module) is the reference
count, but that will be expanded in the future. Eventually all of the
information found in
/proc/modules will also appear in the
/sys/module tree, though in the standard sysfs "one value per
file" format. The values of parameters passed to the module will also be
made available for inspection and (permissions willing) change.
This patch continues the process of moving system information from
/proc to /sys. It may take a couple more development
series worth of work, but /proc might just end up being pared down
to the process information it was originally created to hold.
Comments (none posted)
One nice feature that was quietly slipped into the
2.6.0-test4-mm6 release is the
kgdb-over-ethernet patch, by Robert Walsh and San Mehat. As described in
the included documentation, kgdbeth makes it
frighteningly easy to hook into a running Linux kernel over the network and
prowl around in it. It's really just a matter of setting four boot parameters:
- gdbeth=number the device number of the ethernet interface to
use for debugging. Usually zero for eth0.
- gdbeth_remoteip to set the IP address of the machine which is
able to hook in with gdb.
- gdbeth_remotemac to set the remote system's MAC address.
- gdbeth_localmac to tell the kgdb stub what the local system's
MAC address is.
As one would expect, the target system will only respond to debugger
traffic coming from the system designated by the boot-time arguments. Once
you've booted a kernel with the kgdbeth patch and the proper parameters,
hooking in with gdb is simple. Here's a (slightly cleaned up) log from a
quick session done here at LWN Labs:
gdb ./vmlinux
(gdb startup stuff...)
(gdb) target remote udp:victim:6443
warning: The remote protocol may be unreliable over UDP.
warning: Some events may be lost, rendering further debugging impossible.
Remote debugging using udp:victim:6443
do_IRQ (regs=
{ebx = -1069465600, ecx = -1054087008, edx = -216755, esi = 624384,
edi = -1072664576, ebp = 581632, eax = 0, xds = 123, xes = 123,
orig_eax = -251, eip = -1072652202, xcs = 96, eflags = 582,
esp = -1072652057, xss = 0}) at arch/i386/kernel/irq.c:514
warning: shared library handler failed to enable breakpoint
(gdb) print ioport_resource
$2 = {name = 0xc0362e75 "PCI IO", start = 0, end = 65535, flags = 256,
parent = 0x0, sibling = 0x0, child = 0xc03a2a80}
(gdb) print *ioport_resource->child
$3 = {name = 0xc035d94f "dma1", start = 0, end = 31, flags = 2147483648,
parent = 0xc03a40e0, sibling = 0xc03a2a9c, child = 0x0}
(gdb) c
Continuing.
For anybody who has wanted to be able to use gdb on a running kernel, but
who has never gotten around to setting up the requisite serial lines and
such, kgdbeth promises to make things easier than ever.
Matt Mackall has noticed that a number of patches - including Ingo Molnar's
network console code and kgdbeth - each provide their own low-level
ethernet functions. Code which hooks into the kernel at such a fundamental
level needs to be able to send and receive packets without involving the
entire networking subsystem. As a way of addressing this duplication of
code and effort, Matt put together and posted a netpoll API. The patch came accompanied by new
versions of netconsole and kgdbeth, both of which are somewhat cleaned up
and significantly reduced in size. An added bonus is that netpoll supports
almost all interfaces out there without the need for any driver changes.
As of this writing, netpoll has not
found its way into an -mm release, but that could change.
Of course, Linus's feelings on kernel debuggers are well known, so kgdbeth,
while potentially useful for developers, is unlikely to find its way into
the 2.6 mainline. So Andrew Morton will have to keep this one in -mm. At
least, until Linus hands off the 2.6 kernel - to Andrew.
Comments (none posted)
Patches and updates
Kernel trees
- Andrew Morton: 2.6.0-test4-mm6. "<span>Dropped out Nick's CPU scheduler changes, brought back Con's interactivity
work.</span>"
(September 5, 2003)
Core kernel code
- Con Kolivas: O20.1int.
(September 10, 2003)
Development tools
Device drivers
Filesystems and block I/O
- Dave Kleikamp: JFS 1.1.2.
(September 7, 2003)
Networking
Architecture-specific
Security-related
Benchmarks and bugs
- Paul Larson: LTP nightly regression results for
2.6.0-test4,bk1,bk2,bk3,bk5,bk6,mm1,mm2,mm3-1,mm4,mm5,mm6.
(September 7, 2003)
Page editor: Jonathan Corbet
Distributions
News and Editorials
[This article was contributed by Ladislav Bodnar]
New Linux distributions are being created at an alarmingly high rate,
currently perhaps two or three per week worldwide. While most of them will
not survive the initial enthusiasm, which is soon dampened by the
realization of how much work is involved, and disappear in a few short
months after launch, there are undoubtedly many great ideas which might
some day develop into a major project. Just take a quick look back in time
- very few people knew of Gentoo or Knoppix as recently as two years ago,
but today both of these projects are extremely popular distributions with
many thousands of users. It is quite clear that the Linux world is full of
bright people with brilliant ideas. Inevitably, much effort is also wasted
on projects of little value, serving more as a learning curve for the
distribution's creator than a useful tool for the rest of us.
How does one spot a gem among the multitude of new projects? It is not easy,
especially since many developers have little marketing or web page design
talent and often lack fluency in English. But let's take a look at some of
the distribution launched in the past year or so and try to foresee possible
winners or at least identify those projects which are likely to be around for
a while. It helps to organize them into a few simple categories, such as Red
Hat/Mandrake-based distributions, live CDs, distributions for old hardware
and specialist distributions. This is not meant to be an exhaustive list, but
rather a look at some of the more promising, unique or unusual Linux
distributions created recently.
Red Hat/Mandrake-based distributions. These are distributions which
take Red Hat or Mandrake as a base and add many useful applications purposely
left out of Red Hat and Mandrake for various reasons. These are NVIDIA's
proprietary drivers, multimedia applications with codecs of questionable
legal status, Java, Flash, RealPlayer, Acrobat Reader and other commercial or
unsupported applications. While installing and setting up all these is
certainly possible in both Red Hat and Mandrake, it requires some searching
around the Internet as well as time and effort to configure newly added
applications. Several distributions are attempting to fill the gap and come
pre-installed and pre-configured with some or all the above mentioned
software.
One of the best efforts to-date, at least judging by the overwhelmingly
positive user feedback in forums, is JAMD Linux. Despite the low version
number (the latest stable version is 0.0.6) and relatively short time since
the distribution's launch, it has succeeded in attracting a fair amount of
satisfied users and in creating a large user community. Another interesting
distribution falling into this category is Aurox Linux - not so much for technical
reasons, but rather for its innovative distribution model. Aurox Linux is
produced by an large publishing house in Poland and is included as part of a
low-cost multi-lingual Aurox Linux magazine. The idea is to get this
publication out to as many retail outlets as possible, including general
bookstores and supermarkets. By doing so, Aurox is trying to increase the
visibility of Linux and tempt potential impulse buyers. This model has
proved very successful and if you live in Europe look out for a new Aurox
Linux magazine, version 9.1, due to be released this week. Two more
interesting projects worth mentioning here are Canada's EduLinux (based on Mandrake 9.1) and
Mexico's LGIS GNU/Linux
(based on Red Hat 9 with Ximian desktop).
Live CDs. This is probably the fastest growing category of Linux
distributions, since it is fairly trivial to re-master Knoppix or even create
a custom, bootable Linux CD from an existing installation. Damn Small Linux seems to be one
of the more unique Knoppix-based live CDs; it fits on a 50MB business
card-type CD and once booted, it provides a script to download and launch
Firebird, the web browser, which would have taken too much space on the
CD. Other live CD distributions focus on multimedia, with Dyne:bolic GNU/Linux being designed for
live streaming audio while GeeXboX
for general media playback with MPlayer. Another popular use of live CDs is
their deployment as firewalls and Sentinix (formerly a commercial product
called Compledge Sentinel, but "freed" recently) seems to be a very
promising project. The last distribution worth mentioning in this category
is the newly launched MEPIS Linux, a
desktop distribution which one can first boot to confirm hardware
compatibility before proceeding with a supported hard disk
installation. The product tracks Debian's unstable branch, it is frequently
updated and it supplies additional applications on supplementary CDs.
Distributions for old hardware. This is one category of Linux
distributions, which has sadly been neglected by most mainstream Linux
integrators. Many of us have old PCs or notebooks, which not long ago used to
run Windows 95 satisfactorily, but are no longer suitable for daily computing
tasks. Wouldn't it be nice to get them run a light-weight distribution with a
browser, e-mail and, say, a word processor in a graphical mode?
Unfortunately, distributions like that are very hard to find, but perhaps DeLi Linux or Drinou-Linux could fill this
gap. Both of them are based on an older Slackware release and offer
light-weight Sylpheed for email, Dillo for web browsing, SiagOffice for
word processing and other low resource software on top of the Fluxbox
window manager. They are certainly worth a try.
Specialist distributions. Problems need to be solved and Linux seems to
be a perfect solutions for many computing tasks. Puppy Linux is a small distribution
that runs entirely in a 48MB ramdisk and can be booted from floppy, USB or
ZIP drives, as well as the more traditional hard drives or CD. Other USB
pen drive-based distributions include SPB-Linux and RUNT, while NBROK is designed to
be installed and run from a ZIP drive. Both RUNT and NBROK are
Slackware-based distributions. Another interesting new project is BlackRhino GNU/Linux, a
Debian-based distribution for the Sony PlayStation with over 1,200 software
packages. And while on the subject of Debian, it is only appropriate to
mention a brand new project called DebToo, which as you have probably
guessed, is a Gentoo-style Debian distribution "recompiled for your
system".
This is of course just the tip of the iceberg and some other distribution
categories immediately spring to mind. What about the dozens of floppy and
embedded Linux distributions? Or distributions for various non-Intel
architectures? We'll look at these in a future issue of LWN.
Comments (3 posted)
Distribution News
The
Debian Weekly News for September 9, 2003
is out. This week looks at the Rio Karma 20, possibly the first
industrially manufactured digital audio player that supports the Ogg Vorbis
audio format; an open letter to the European Parliament; Debian and the
FSF; Politics in Free Software; and much more.
A second revision of the current stable Debian distribution (woody) is underway. No dates have been set yet for
the 3.0r2 release, which will add many security fixes to the stable
version.
Comments (2 posted)
The Gentoo Weekly Newsletter for the week of September 9, 2003 is out. This
week looks at the success of the second Gentoo BugDay; a continuing look at
Gentoo security issues; and more.
Full Story (comments: none)
eWeek
takes a
look at BlueCat Linux 5.0, due out in November. "
The San Jose,
Calif., company this week will announce availability of a public beta
program for the next version of its embedded Linux operating system,
BlueCat Linux 5.0, which is based on the as-yet-unreleased Linux 2.6
kernel."
LynuxWorks has also put out a
press release announcing the availability of the beta release.
Comments (none posted)
MandrakeSoft has released
9.2RC2. The QA team
would like to get feedback on upgrades from Mandrake 9.1/9.0/8.2, and any
of those last few bugs. (Thanks to Mark Walker)
Comments (none posted)
It's been a busy week at
Slackware
according to the
slackware-current
changelog. Various sources have been patched and recompiled, including
some the kernel 2.4.22 modules. Lots of packages have been upgraded, and
some have been recompiled to take advantage of a new libmad. There are
also more ham radio package updates from Arno Verhoeven.
Comments (none posted)
Trustix reports a speed bump in the mailing lists as they are being moved
to a different machine. If you've been having trouble getting in touch
with Trustix, or haven't been getting mail, this could be why.
Full Story (comments: none)
openMosix has
released the latest clustering extensions to
the Linux kernel, version 2.4.22-1.
uClinux has released v2.6.0-test5-uc0 of its
Linux kernel for MMU-less processors.
Comments (none posted)
New Distributions
evelin is a Linux distribution
based upon Mandrake. Its main purpose is to be kept secure and small, while
providing the basic functionality that system administrators might need. It
runs within its own chroot jail on an existing Linux system. The initial
release is
version 0.1,
dated September 5, 2003.
Comments (none posted)
FootNotes
notes the release of
GNOPPIX 0.5. GNOPPIX is a live CD distribution of the Knoppix variety, but it is based around the GNOME desktop.
Comments (none posted)
Linare Corporation has
announced its entry into the desktop Linux business; the distribution is KDE-based and retails for $19.95.
Comments (7 posted)
wrt54g-linux is a
mini-distribution for the Linksys wrt54g 802.11b/g access point and
router. It includes basic tools such as sh, syslog, telnetd, httpd (with
cgi-bin support), vi, snort, mount, insmod, rmmod, top, grep, find, nfs
modules, etc. The installation script runs in about 20 seconds and installs
strictly to the RAM disk. The initial release,
version 0.1, is dated
September 6, 2003.
Comments (none posted)
Minor distribution updates
Damn Small Linux has released
v0.4.6 with minor
feature enhancements. "
Changes: This version features many patches,
the addition of traceroute, fixes for a rendering problem with
netcardconfig, and modifications to startx so that it will save selected
settings for the next X session."
Comments (none posted)
floppyfw has released
v2.9.5 with major feature
enhancements. "
Changes: This version features bridging with ebtables
and iptables, ISO images, images for the Soekris NET45xx boxes (and
probably other CF/DoC-based systems), and PCMCIA/HostAP support."
Comments (none posted)
RIP!
has released
v6.2 with
minor feature enhancements. "
Changes: PPP/PPPOE support has been
added."
Comments (none posted)
Sentry Firewall has released
v1.5.0-rc4 with minor
bugfixes. "
Changes: In this version, the Linux kernel has been
updated to version 2.4.22-ow1, along with the IPSec+X509 patches and
software. Bind9 and Snort were moved to a chroot environment. The
configuration scripts were also updated to include new NIC module
dependencies, and network configuration support should now work properly
with most 10/100BaseT NICs."
Comments (none posted)
stresslinux has released
v0.2.6 with major feature
enhancements. "
Changes: All boot kernels have been upgraded to
2.4.22 with some extra networking modules. ISA-Bus and ISA-PNP is now
working. Syslinux, smartmontools, and netio were upgraded to new
versions. Pcopy is now included for drive mirroring. A display bug in
sl-wizard at 80x25 mode was fixed. ASUS-CUV4X-D was added to
sl-wizard."
Comments (none posted)
Distribution reviews
Distrowatch
reviews
Debian GNU/Linux. "
Debian - there has never been any other Linux
distro quite like it. Long a favorite of the geek elite, there is no doubt
that Debian is popular. Sign up for the Debian-user mailing list, and you
can expect to receive about 300 messages a day. Perhaps (just perhaps)
there are more people using Redhat, Mandrake or SuSE. However, if bigger
means better, then Debian is the undisputed champion - Debian's "stable"
branch boasts 8710 "packages" (packages = precompiled software bundled up
in a nice format for easy installation). In Debian's "unstable" branch
there are about 13,000 packages (more than six gigabytes worth). If
software was sold by the kilogram, then Debian would fetch top
dollar. However, this massive collection of excellent software is free, the
work of hundreds (or thousands) of unpaid volunteers. Put that in your pipe
and smoke it."
A discussion about this
review can be found at DebianPlanet.
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
Net-SNMP project
(formerly called ucd-snmp) consists of a set of
tools relating to the Simple Network Management Protocol
(
SNMP),
an internet protocol for managing network-connected devices.
The major components of Net-SNMP include:
- An extensible SNMP agent (snmpd) that accepts incoming SNMP connections.
- An SNMP library for developing SNMP-based applications.
- Tools for setting and retrieving information from other SNMP agents.
- Tools for generating and handling SNMP traps.
- An SNMP-based netstat command.
- A Tk/Perl based Management Information Base
(MIB) browser.
The Net-SNMP
documentation
covers the various facets of the project in greater detail.
Version 5.0.9 of Net-SNMP has been
announced.
"This does contain a security fix so all users are encouraged to update their software immediately."
Also included in this release are: kerberos support fixes,
documentation improvements, better augmentation table support,
improved 64 bit handling, and miscellaneous bug fixes.
Net-SNMP should be a useful addition to the list of available
networking tools.
Comments (none posted)
It's finally official:
GNOME
2.4 has been released. The extensive
release notes talk about
what's in this release; there's a lot of good stuff there. Congratulations
are due to the entire GNOME development community.
Comments (none posted)
System Applications
Audio Projects
The
latest changes from the
Planet CCRMA audio packaging project include
new versions of Qjackctl, Lilypond, Guile, Texinfo, and Gmorgan.
Comments (none posted)
Database Software
MySQL 4.0.15 - a bugfix release - is now available. This release includes
a long list of fixes; see the announcement (click below) for the details.
Full Story (comments: none)
The September 4, 2003 edition of the PostgreSQL Weekly News is out.
Read about the PostgreSQL beta 2 release, thread safety issues,
and more.
Full Story (comments: none)
Libraries
Version 1.4 of the GNU Scientific Library
has been released.
"
The GNU Scientific Library (GSL) is a collection of routines for
numerical computing in C. This release is backwards compatible with
previous 1.x releases. GSL now includes support for cumulative
distribution functions (CDFs) contributed by Jason H. Stover."
Comments (none posted)
Version 0.3.2 of liblrdf, a library for working with the
Resource Description Framework (RDF), is available.
"
Doesn't add any features, but builds with raptor 1.0.0 and removes
a dependency on the LADSPA SDK."
Full Story (comments: none)
Mail Software
Version 0.36 beta of milter-sender, a spam filtering package for sendmail,
is available. This version features bug fixes relating to the
parsing of sendmail.cf.
Comments (none posted)
Networking Tools
Version 0.1.2 of SSHVnc, a Virtual Network Console that uses ssh
for secure communications,
is available.
"
This release of our secure VNC application marks a change in our software
distribution policy. The installation is now catered for using the ZeroG
installer, providing distributions for Linux and Windows with and
without the Java 1.4.2 VM. This release also sees the inclusion of
a number of useful configuration options. These include the execution
of commands on connect/disconnect allowing the user to start/stop their
VNC server remotely, and predefined settings for low/high bandwidth
connections."
Comments (1 posted)
Version 0.12 of WAP11GUI
has been released.
"
WAP11GUI is an SNMP management application for the Linksys WAP11 wireless
access point. It provides a Unix/Linux user with a graphical, QT based
interface with which to configure and manage a WAP11 AP over a LAN. The
biggest news (if you could call it that) in this release is that a memory
leak that went unnoticed for 2 years has been fixed."
Comments (none posted)
Printing
Version 1.1.20rc1 of
CUPS, the Common Unix Print System,
has been released. The
release notes
list all that is new, many bug fixes are included.
Comments (none posted)
Version 3.8.22 of the
LPRng printer spool system
is available. Change information is in the source code.
Comments (none posted)
The latest printer database changes on
LinuxPrinting.org
include the following:
"
September 7, 2003: Added Epson Stylus C83, C84, Olympus P-300E, P-300NE, P-300U, P-400, and Canon CP-100; the driver "ljet4" is not recommended any more for PCL-5e printers in the database, instead we recommend "hpijs" now due to better printout quality. The recommendations of "gimp-print" are replaced by "gimp-print-ijs" as the more modern interface of GIMP-Print. For the HP LaserJet 1200 the recommended driver is "pxlmono" now due to the bad graphics performance in the PostScript mode."
Comments (none posted)
Web Site Development
IBM's developerWorks has
an article by Tod Liebeck on Echo, a development framework.
"
This two-part series provides an introduction to the Echo framework, an open source, Java technology-based platform for building Web applications that look and act like rich clients. Part 1 introduces the framework and discusses what it does and how it is best used, providing an introductory walkthrough of its features."
Comments (none posted)
Version 1.4 RC3 of Gallery,
a PHP-based web site photo album management package,
is available.
"
Version 1.4 premieres some major new features: Gallery is now multilingual, and can be displayed in 18 different languages, with more on the way! In addition, we've completely overhauled the documentation and made it more accessible and more informative. Other changes include ownership of individual album items, not just of albums, and a slew of minor improvements and bugfixes."
Comments (none posted)
Version 3.2.1 of
mnoGoSearch,
a web site search engine,
is available. New features and bug fixes are listed in the
Change Log.
Comments (none posted)
Version 3.1.0a Alpha of
Mod_python
has been announced. The
download page says:
"
This is an ALPHA release, therefore it is likely to contain bugs and is not of production quality. Additionally, some functionality may change until first beta release. We strongly recommend that you try out your application in a test environment with this release and report any incompatibilities or problems you may encounter."
Comments (none posted)
Issue 10 of the Zope 3 Newsletter is out, take a look to see what's
happening with the next generation of the Zope web platform.
Full Story (comments: none)
Documentation
Babeldoc 1.1.9
has been released.
"
Babeldoc is integration tool that can plumb together data flows. It is completely configurable and scriptable. It is heavily XML biased but not exclusively so. This is going to be the last development release - the next set of releases are going to be Release candidates to version 1.2.
This now has the J2EE module added. Please test."
Comments (none posted)
Miscellaneous
Qingye Jiang
explains
how to talk to USB devices from Java on IBM's developerWorks.
"
The Java platform has traditionally prided itself on its platform independence. While that independence has many benefits, it makes the process of writing Java applications that interact with hardware quite tricky. In this article, research scientist Qingye Jiang examines two projects that are making the process easier by providing APIs through which Java applications can make use of USB devices. While both projects are still in embryo form, both show promise and are already serving as the foundations of some real-world applications."
Comments (none posted)
Desktop Applications
Audio Applications
Version 0.5.2 of ALSA Patch Bay has been released.
This version fixes a minor build problem.
Full Story (comments: none)
Desktop Environments
GnomeDesktop.org has
a multiple announcement for new versions of PyGTK, Gnome-Python,
and PyOrbit.
Comments (none posted)
Mikael Hallendal and Richard Hult
show how to extend GNOME with virtual file systems on
IBM's developerWorks.
"
This article describes how to use GnomeVFS -- a C library for accessing various file systems -- to extend GNOME and develop your own extensions to the virtual file system. The article is centered around an imaginary example file system that lets you access an in-memory directory tree."
Comments (none posted)
The September 5, 2003
KDE-CVS-Digest
has been published. Here's the content summary:
"
In this week's CVS-Digest: Umbrello now has a document model code generator. Changes in menus and tab configuration in Konqueror.
Optimizations in KConfig, KMail and Konqueror. Drag and drop fixes
in KOrganizer. Bug fixes in KOffice and Kopete."
Comments (none posted)
KDE Traffic #63
is available. The summary on KDE.News says:
"
KDE Traffic #63 was released this week with news about
cookie problems, discussion about Cut and Copy entries in the context
menu of Konqueror,
usability of the Kicker window list, the proposed move of kpdf from
kdenonbeta to kdegraphics and more."
Comments (none posted)
The
KDE.News summary
of issue #64 of
KDE Traffic says:
"
KDE Traffic #64 has been released, with lots of news articles about
KDatePicker, iCalendar, OpenOffice integration in KDE, the software patent
fracas, a neat little devices applet for Kicker, a private extension for
DCOP, and of course, a nice treat at the end."
Comments (none posted)
Electronics
Version 3.1.21 of
XCircuit, an electronic
schematic drawing program, is available. Change information is in the
source code.
Comments (none posted)
The
latest releases
from the
gEDA project
include new versions the Icarus verilog compiler and gaf (gschem and friends).
Comments (none posted)
Games
A new version of Shandy Brown's
PyGame Tutorial
is available. Take a look if you are interested in working with PyGame.
Comments (none posted)
Graphics
Version 1.1rc3 of
flPhoto,
an image management and display program, is out. See the
Release Notes
for change information.
Comments (none posted)
Development version 1.3.20 of the Gimp
has been announced.
"
This release features a
lot of bug-fixes as well a number of improvements over 1.3.19. Definitely
worth an update, especially if you want to participate on the bug week."
Comments (none posted)
The GIMP Bug Week for version pre-2.0
has been announced.
"
As some of you might already know, next week is the pre-2.0 GIMP Bug Week.
The first pre-releases of 2.0 will start coming out the door around the end
of this month, and we need to get some concentrated testing done before then,
as well as classifying known bugs into those
which will be fixed before 2.0 final and those which will be fixed later."
Comments (none posted)
Version 0.0.12 of QGIS, a Geographic Information System built for Linux
and Unix,
has been announced.
"
The biggest change is the ability to select
features in shapefiles and zoom to the selected set. Features can be selected
by dragging the mouse or from the attribute table (thanks to Marco)."
Comments (none posted)
GUI Packages
Version 1.1.4 of
FLTK, the Fast Light ToolKit,
is available. Change info is in the source code.
Comments (none posted)
GnomeDesktop.org has
an announcement for GTK+ 2.2.4.
"
This is a bug fix release and is source and binary compatible with previous releases in the 2.0 and 2.2 series. This is an emergency release to fix a critical GtkTreeView problem which broke context menus in several applications."
Comments (none posted)
Version 2.0.0 of PyGTK, a Python language binding for GTK,
has been announced.
Full Story (comments: none)
Interoperability
The Samba Team has announced Samba-3.0.0 RC3, hopefully the final RC before
the real 3.0.0 release, which should take place early next week.
"
Unless there is a severe bug in the Samba source that would affect a
large number of the community, the source/ directory in RC3 will stay the
same for 3.0.0."
Full Story (comments: none)
Issue #186 of
Wine Traffic has been published.
"
This is the 186th release of the weekly Wine Weekly News publication. Its main goal is to run amok. It also serves to inform you of what's going on around Wine."
Comments (none posted)
Mail Clients
Version 0.2 of the Mozilla Thunderbird email and news client
has been released.
"
Based on Mozilla 1.5 Beta,
Thunderbird 0.2 features a redesigned Options dialogue, spell checker
improvements, enhancements to the default theme and better performance and
stability."
Comments (none posted)
News Readers
GnomeDesktop.org
reports on release 0.14.2 of Pan, a newsreader for GNOME.
"
Pan 0.14.2 fixes a configuration corruption bug in 0.14.1, which was
released a few days ago."
Comments (none posted)
Office Applications
Version 1.9.8 of Ganttproject
has been released.
"
After two release candidate, ganttproject 1.9.8 has been released.
Ganttproject is a pure Java application thats lets you plan project using
Gantt charts. It uses a file format based on XML and can export into HTML Web
pages or PNG images."
Comments (none posted)
Release Candidate 1 of the Gnumeric 1.1.90 spreadsheet is available.
"
This is primarily a spit and polish release. It fixes the missing
documentation files from the 1.1.20 release. There are a few extensions to
the charting engine, and a much improved image selector for objects. The
main substantive change relates to the handling of empty cells passed as
arguments to optional parameters."
Full Story (comments: none)
GnomeDesktop.org
looks at
version 0.2 of Passepartout, a Desktop Publishing package that is in
the early stages of development.
Comments (none posted)
Office Suites
Version 1.1 RC4 of OpenOffice.org 1.1 is available.
Also, the OpenOffice.org SDK for 1.1 RC4 has been released.
Full Story (comments: none)
The September, 2003 edition of the OpenOffice.org newsletter
is available with the latest OpenOffice office suite news.
This issue takes aim at Microsoft Office.
Full Story (comments: none)
Web Browsers
MozillaZine
reports
that Epiphany 1.0 has been released. Epiphany is a GNOME web browser based
on the Gecko rendering engine.
Comments (none posted)
MozillaZine
reports
on the availability of the Mozilla 1.4.1 release candidate builds.
"
Mozilla 1.4.1 is an
updated version of Mozilla 1.4 with around 100 additional bugfixes."
Comments (none posted)
MozillaZine
reports on the progress of the Arabic translation of Mozilla.
"
Nadim Shaikli writes: "With the recent improved Arabic support in Mozilla, a
flurry of activity has taken place to better acknowledge the browser's
enhancements. A complete localization effort is taking shape with a large
percentage of the work already completed. Mozilla's homepage has also been
fully translated to Arabic."
Comments (none posted)
MozillaZine
mentions the availability of a new set of
Mozilla Independent Status Reports.
"
The latest set of status reports includes updates from Firebird Help,
BannerBlind, Next Image, StumbleUpon, Uzilla, MozWho, MultiZilla and Mozex."
Comments (none posted)
According to MozillaZine, version 0.2 of the Project Orb
Mozilla documentation project,
is available.
"
Since release 0.1 additional useful end user preference
customizations are included, as well as several screenshots. The project is
continuing to evolve in scope. Plans are in the works for a French language
version of the project, as well as more information about Camino and
Firebird."
Comments (none posted)
Word Processors
Issue #160 of the
AbiWord Weekly News has been published, take a look for the latest
AbiWord word processor news.
Comments (none posted)
Miscellaneous
Version 0.2 of Gsharp,
an interactive, extensible
editor for musical scores written in Lisp, is available.
Full Story (comments: none)
Version 1.9.1 of Peacock, an HTML editor for the GNOME Desktop,
is available.
"
Admirers of fair creatures and HTML Editor named after them, a new version of
Peacock - An HTML Editor for Gnome, v1.9.1 has been released. Sporting a new
Gnome 2 look and more importantly WYSIWYG (yes! WYSIWYG) HTML Editing
capabilities using the GtkHTML bonobo control (you might have bumped into it
while composing a email in evo)."
Comments (none posted)
Languages and Tools
Caml
The August 26 - September 2, 2003 edition of the Caml Weekly News
is out with the latest Caml language development news.
Full Story (comments: none)
The September 2-9, 2003 edition of the Caml Weekly News is out
with even more Caml news.
Full Story (comments: none)
Java
Mette Hedin
compares
several open-source and proprietary Java data binding tools.
"
Many W3C XML Schema (WXS) data binding tools for Java are now emerging. These tools generate Java code from instances of WXS in order to represent the structures defined therein. The autogenerated code has the ability to convert from XML format to Java objects and vice versa. This gives the user a compile-time Java API customized for the specific schema used, which saves a lot of time and effort compared to utilizing generic interfaces such as DOM and JDOM. In addition it also enables Java developers with little or no XML knowledge to both consume and produce valid XML documents."
Comments (none posted)
Lisp
Version 2.31 of GNU CLISP, a Common Lisp implementation, is available.
Full Story (comments: none)
Perl
The September 1-7, 2003 edition of
This Week on perl5-porters has been published.
"
September begins, holidays are over. Lots of little new things
occured this week. Read about lexical pragmas, syntax warnings and
good style, advancement of the maintainance branches, bugs, fixes,
tests and upgrades."
Comments (none posted)
PHP
The
PHP Weekly Summary for September 8, 2003 is out. Topics include:
iconv compiler issues, studlyCaps, ming extension, Broken locale functionality, Servlet SAPI (continued).
Comments (none posted)
An announcement for version 2.5.3 of phpMyAdmin is on SourceForge.
"
After three release candidates, we are pleased to release this brand new
version. phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the http://www. Currently it can create
and drop databases, create/drop/alter tables,
delete/edit/add fields, execute any SQL statement, manage keys on fields."
Comments (none posted)
Python
Version 1.0 of the InlineEgg library for Python is available.
"
InlineEgg is a collection of python classes (a "library"), that
will help
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python." Hopefully, those
exploits will be non-malevolent.
Full Story (comments: none)
Version 1.0 of
MojoView,
a Python package that assists in building PyGTK2 database applications,
is available.
Comments (none posted)
Hans Nowak has published a document entitled
Python beginner's mistakes.
"
Beginner's mistakes are not Python's fault, nor the beginner's. They're merely a result of misunderstanding the language. However, there is a difference between misunderstanding (often subtle) language features, vs misunderstanding the language as a whole, and what can (and cannot) be done with it. The pitfalls article focused on the former; this article deals with the latter."
Comments (none posted)
Richard Jones has published a document called
Python anti-pitfalls.
"
The following are a quick (random, off the top of various heads) list of things that I think are anti-pitfalls in Python. That is, because the language has these features, it is harder to make programming mistakes."
Comments (none posted)
Version 0.9.3.0 of
PyXR, a Python-language HTML pretty-printing package, is available.
Changes include better line linking and improved config file error
message reporting.
Comments (none posted)
The September 8, 2003 edition of Dr. Dobb's Python-URL!
is out with another round of links to Python language articles.
Full Story (comments: none)
Smalltalk
Version 3.6-beta11 of
Unix Squeak,
a Smalltalk implementation, has been released, take a look to see
the long list of changes.
Comments (none posted)
Tcl/Tk
The September 1, 2003 edition of Dr. Dobb's Tcl-URL!
has been published.
Full Story (comments: none)
Miscellaneous
Jim Creasman
writes about Ant on IBM's developerWorks.
"
n the mid-1990s, most of the source code was C or C++. make was the tool of choice for scripting and managing code compilation. Sprinkle in a dash of batch files or shell scripts to add automation and you had a build process.
Times change. Enter Java technology, XML, XSLT, extreme programming with continuous build, and a host of other new technologies and ideas. By the late '90s the playing field was looking a lot different. Perhaps the single biggest addition to the set of build tools was Ant."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The Economist
covers
the software patent fight in Europe. "
Now, although many patents
are centrally awarded by the European Patent Office (EPO) in Munich,
national courts have the final say over a patent's validity. In Britain,
business methods are generally not patentable, but they can sometimes be
patented in Germany. The EPO, by the way, granted Amazon a patent in May
covering computerised methods of delivering gifts to third parties, a
descendant of its one-click patent in America."
Comments (3 posted)
John Dvorak
looks at the
European software patent fight in PC Magazine. "
[T]here seems to
be a strong protest movement that has begun in Europe regarding software
patents. It could easily become a juggernaut that will make legislative
bodies reconsider the tendency to approve dubious copyright and patent laws
that benefit nobody but large corporations."
Comments (none posted)
The SCO Problem
ComputerWorld (Australia)
was
present at the Australian Unix Users Group conference, where SCO's
Kieran O'Shaughnessy had the unenviable task of explaining his company's
actions. "
At the event O'Shaughnessy was forced to admit the legal
threat against Linux users remained. With the audience clearly fuming at
what they were hearing, O'Shaughnessy pointed out that the
company's legal pursuits are not targeted at end users, but did make
a reference to businesses that use Linux."
Comments (18 posted)
Companies
Joe Barr
takes a look at
IBM advertising featuring Linux, in this NewsForge article.
"
It's a slick way to instruct the viewing audience on various aspects
of Linux and the free/open source development memes. Alan Cox, currently on
sabbatical from Red Hat and Linux kernel development to further his
education, said of the ad "It's rather cool." Cox added that it is "perhaps
more telling" that IBM made the ad available on its website in MPEG format
as well as in Real and QT formats. Andrew Morton, the current number-two in
the Linux hacker hierachy, found the ad "perhaps a little pretentious, but
it's nice to see that IBM is keeping the faith."
Comments (5 posted)
The Register
responds to
yet another Microsoft-funded study showing that Windows costs less than
Linux. "
Microsoft thinks the problem is getting the message
across. Microsoft thinks Windows 'wins against Linux every time' (although
it appears unwilling to share that particular case study outside its
reseller community), whereas large swathes of customers think Windows is
expensive and Linux much cheaper. Microsoft is therefore convinced that if
it continues to place 'the facts' in front of these sad, deluded people
they will ultimately accept that Microsoft is right, and Windows will
triumph."
Comments (16 posted)
The Register
reports from
Novell's Brainshare conference in Barcelona. "
Driving the adoption
of Linux in the enterprise is central to its plans to return to profit
while reaffirming its commitment to maintain support for its own NetWare
operating system, the company says. Jack Messman, chairman and chief
executive of Novell, (repeatedly) told delegates "we are not abandoning
NetWare, we are adding Linux. It's all about choice for the
customer.""
Novell also
announced a partnership with MySQL AB that bundles a
commercially-licensed version of the MySQL(R) database with Novell NetWare
6.5.
Comments (none posted)
Linux Adoption
The Taipei Times
covers
worries that Taiwan is falling behind China in Linux adoption. "
Currently there are around 20 Taiwanese companies making Linux products,
such as server applications and embedded products. The government hopes to
increase that number to 50 by 2007. The authorities are also setting a
target to have 10 percent of personal computers and 30 percent of Internet
servers used by government agencies and corporate networks run on a
Linux-based system by 2007."
Comments (none posted)
Asia Computer Weekly is carrying
an
article noting that Linux-installed systems are gaining market share in
Thailand, while Windows systems are slipping. But our old friends at the
Gartner Group have an explanation: "
A report [Gartner] released on Aug 18
said that much of Linux's success in Thailand is due to its use as a
cover for software piracy. 'Gartner believes that most of the Linux
shipments will eventually have illegal copies of Windows installed-a
fact that makes Linux's seeming dominance of this market somewhat
misleading,' the report stated."
Comments (27 posted)
VAR Business
looks
at the increasing use of Linux by resellers. "
We aren't just
talking simple Apache Web servers and Dell boxes running Red Hat, but an
entire next generation of applications that takes Java, Web services and
Internet infrastructure as a given and builds new and exciting businesses
on top of all of that. Almost without having been noticed, Linux has become
essential for building these applications."
Comments (none posted)
Resources
In this O'ReillyNet article Mike DeGraw-Bertsch
explains
how FreeBSD's jails can help secure necessary applications. "
Those
familiar with Java recognize the security concept of a sandbox. For those
that aren't, it's the concept that everyone gets a unique, well-equipped
sandbox to play in, and a person in one sandbox isn't allowed into anyone
else's sandbox, not even to share anything with anyone else. On FreeBSD,
jails implement this concept -- they keep processes in their own part of
the system, denying access to anything else."
Comments (1 posted)
Reviews
Ars Technica has posted
a lengthy review of GNOME 2.4.
"
GNOME 2.4 brings to the Linux desktop considerable polish, accessibility and consistency. This release is a culmination of the work done by commercial vendors and the GNOME community, as evidenced by the fact that three vendors--Sun, Red Hat and Ximian--have already shipped desktops focused on the GNOME 2 platform. The end result is a pleasant desktop that is nimble, attractive and unobtrusive. While it's not perfect, the foundation is now there and the overall product has matured."
Comments (2 posted)
A review of KAddressbook 3.2 is online.
"
As preview for the upcoming KAddressbook 3.2 which will be shipped with KDE 3.2 later this year, we have some screenshots here taken from the CVS version of KAddressbook."
Comments (none posted)
Here's a
review
of
Linux+ Certification Bible by Trevor Kay on Help Net Security.
"
Since this is a Certification Bible, each chapter in this book is
preceded by pre-test questions, the answers to which can be found at the
end of the chapter. This gives you a glance into what you will learn that
chapter. Also, at the end of every chapter, you find assessment questions
that help you test the knowledge you gained while reading the
chapter."
Comments (1 posted)
GnomeDesktop.org
reviews the
Storage
project.
"
OSNews is reporting on Storage, an innovative project which aims to replace the traditional hierarchical filesystems with a new document store which is database-based (PostgreSQL). The current implementation, built under Gnome 2.x for now, offers natural language access, network transparency, and a number of other features. The project is currently in alpha (screenshots already available), and it is part of the next major generation of Gnome."
Comments (none posted)
Miscellaneous
ComputerWorld
looks at the National Library of Australia and its IT needs.
"
Couple its physical scope with the plethora of media types
maintained by the organisation, ranging from books and manuscripts to
complex digitised maps, images, audio and online data, and the need for
providing innovative services has made adaptable software from the open
source community appear a necessity." (Thanks to Vladimir Likic)
Comments (none posted)
The BBC
reports that
China, South Korea and Japan are involved in joint research into a new
computer operating system to rival Microsoft Windows. "
An
open-source software forum will then be set up by major Japanese
electronics companies such as Hitachi, Matsushita, NEC and Fujitsu, to
establish what they need from the alternative software. However, Japanese
officials confirmed that they planned more to work with current Windows
alternatives than building a new system entirely from scratch."
Comments (4 posted)
Silicon.com
reports on a
new contender for Governer of California. "
Georgy Russell, is a very
un-geeky 26-year-old who works for Veritas and graduated from Berkley with
a computer science degree. A Democrat, she has launched a campaign
promising the legalisation of drugs, gay marriages and a universal health
care system." Ms. Russell is also promoting the wider use of open
source software.
Comments (26 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Eric Raymond and Bruce Perens have sent out a response to SCO's "open
letter." "
Accordingly, we of the open-source community do not
concede that there is anything to negotiate. Linux is our work and our
lawful property, the distillation of twelve years of hard work, idealism,
creativity, tears, joy, and sweat by hundreds of thousands of cooperating
hackers all over the world. It is not yours, has never been yours, and will
never be yours."
Full Story (comments: 38)
The Greens/European Free Alliance has announced a lengthy press event on
software patents in Europe, to be held in Brussels on September 17. A
number of speakers are scheduled, including representatives from the
scientific, economic, consumer, corporate, and public administration
areas. Correction: Tim Berners-Lee is NOT on the agenda as is listed
below..
Full Story (comments: none)
A vote will be held for the OpenOffice.org Community Council
Representative. Voting closes on Monday, September 15, 2003.
Full Story (comments: none)
Use Perl
reports on
some personnel changes at The Perl Foundation.
"
gav writes "I have stepped into the new public relations role at The Perl Foundation. I'll be resurrecting the newsletter and providing news about TPF activities. If you have any TPF related news or questions please email me. One thing I will be doing is reporting on the events over the last few months, including the YAPCs and the latest round of grants."
"TPF is also looking to fill a new role, one of grant manager."
Comments (none posted)
Translators
are needed
for pgAdmin, the PostgreSQL database admin GUI.
"
pgAdmin, one of the most widely used GUI's for PostgreSQL, is soon to announce it's third major release and needs more translators!
It has been designed from near the beginning to handle multiple languages, and has already been mostly translated into 16 non-English ones so far:
Danish, German, Farsi, French, Croatian, Hungarian, Indonesian, Japanese, Norwegian Bokmål, Polish, Portuguese-Brazilian, Romanian, Russian, Turkish, Chinese simplified, and Chinese traditional
We're trying to organise for a lot more translations to be finished in time for this release, so that PostgreSQL and pgAdmin are available to the widest possible audience."
Comments (none posted)
Commercial announcements
Lindows has
announced
the availability of a 24-hour telephone support service for its
distribution. A $79.95 annual fee buys access to the support line for a
year.
Comments (none posted)
Novell has issued a handful of press releases in conjunction with Novell
BrainShare Europe. News includes the integration of Ximian technology into
Novell Nterprise Linux Services, new versions of Novell exteNd, Nterprise
Branch Office and Nsure SecureLogin, and PartnerNet for ISV/IHVs. Click
below for the full list.
Full Story (comments: none)
Zend Technologies has announced its Zend Studio 3.0 IDE. This is a
development environment targeted at developers building enterprise
applications in PHP, JavaScript and HTML.
Full Story (comments: none)
New Books
O'Reilly has published the book "Kerberos: The Definitive Guide".
Full Story (comments: none)
Resources
David A. Wheeler has published
a paper on how to evaluate
free software programs; it is aimed at those used to buying proprietary
applications. "
Examine the developer mailing list archives - is
there evidence they're actively discussing improvements to the software?
Are there multiple developers (so that if one is lost, the project will
easily continue)? If their version management information is accessible to
the public, take a look - are developers regularly checking in improvements
and bug fixes?"
Comments (none posted)
The September 3, 2003 edition of the Linux Documentation Project
Weekly News is out with the latest documentation change news.
Full Story (comments: none)
The September 9, 2003 Linux Documentation Project Weekly News is out
with another round of documentation updates.
Full Story (comments: none)
The
sixth article by Kay Frode on Mozilla Thunderbird has been
published on Nidelven-it.
"
Changing to a new mail client don't need to be difficult, as long as you have a proper guide to help you. :) In this part of the introduction I will try to show you how to import and migrate all your information from your old mail client. Clients I will talk about are Outlook, Netscape and Eudora. Big topic, so buckle up. :)"
Comments (none posted)
Event Reports
Linux-Aktivaattori ry is a Finnish non-profit organization promoting the
use of Linux and other Open Source software. They recently organized the
first Open Source translation workshop for the Finnish language on 29-31
August 2003 in the city of Turku. Click below for more information.
Full Story (comments: none)
Upcoming Events
The Desktop Linux Consortium has announced the first annual Desktop Linux
Conference, which will take place on November 10, 2003, at Boston
University's Corporate Education Center in Tyngsboro, Massachusetts.
Full Story (comments: 1)
| Date | Event | Location |
| September 11 - 12, 2003 | Python for Scientific Computing Workshop(SciPy'03) | (CalTech)Pasadena, CA |
September 15 - 18, 2003 October 7 - 8, 2003 | LogOn Web Days | Across Europe |
| September 15 - 18, 2003 | Embedded Systems Conference(ESC) | (Hynes Convention Center)Boston, Mass |
| September 26 - 27, 2003 | Third DZUG-Conference | Paderborn, Germany |
| October 12 - 15, 2003 | International Lisp Conference 2003(ILC 2003) | New York, NY |
| October 14 - 16, 2003 | 10th Linux-Kongress | Saarbrücken, Germany |
| October 15 - 17, 2003 | The First Plone Conference | (Tulane University)New Orleans, Louisiana |
October 26, 2003 October 27 - 31, 2003 | Large Installation Systems Administration Conference(LISA) | (Town & Country Resort Hotel)San Diego, CA |
| November 2 - 3, 2003 | International PHP Conference 2003 | (Astron Hotel Frankfurt-Mörfelden)Frankfurt, Germany |
| November 6 - 7, 2003 | HiverCon 2003 | (Davenport Hotel)Dublin, Ireland |
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: |
| "Jay R. Ashworth" <jra@baylink.com> |
| To: |
| letters@lwn.net |
| Subject: |
| Open Query: what replaces RedHat? |
| Date: |
| Thu, 4 Sep 2003 13:14:06 -0400 |
Yeah, I know; RedHat isn't really dying.
But I don't at all know how their Big New Idea is gonna work out, and I'm sure
I'm not the only guy building production customer boxes on RH7.3 because 8
was an orphan and I'm not completely comfortable with 9 yet (for servers;
it's pretty spiffy for the desktop).
Hell, AutoZone (mentioned in all the SCO fuss last week) is shipping RH7.2; I
saw a login prompt at a store recently.
So, what's a guy like me to do? Will there still be a frozen ISO of "the latest
RedHat distribution" that I can bang on, even in The New Environment? Do I
switch to Mandrake? (I'm a RedHat guy; the Debian layout leaves me cold,
alas.) Or do I go back to paying RedHat almost as much money as I always paid
SCO (sign of the cross) and switch to ES and AS, as they so clearly want me to?
Yeah, I need stability, but not as much as the people whom I read as their target
audience for AS and ES.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Baylink RFC 2100
The Suncoast Freenet The Things I Think
Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274
OS X: Because making Unix user-friendly was easier than debugging Windows
-- Simon Slavin, on a.f.c
Comments (8 posted)
| From: |
| "Dafydd Walters" <dafydd@walters.net> |
| To: |
| <dmcbride@sco.com> |
| Subject: |
| Reply to Darl McBride's Open Letter to the Open Source Community |
| Date: |
| Tue, 9 Sep 2003 14:05:57 -0700 |
| Cc: |
| <letters@lwn.net> |
September 9, 2003
Open Letter to Darl McBride,
I would like to briefly respond to your open letter to the Open Source
Community, dated today. I consider myself to be a member of that community,
having developed Open Source software myself, although I do not claim to be
any kind of "leader", or to represent the views of other members of the
community.
Firstly, I would like to join you in condemning the Denial of Service
attacks that took place against your web servers. Using vandalism and
illegal tactics is not an appropriate way for people to respond, however
strongly they disagree with you or SCO's words or deeds. In your open
letter, you quoted Eric Raymond's reaction to the DoS attack, but you seemed
to suggest that he knows the identity of the perpetrator. I can't speak for
Mr Raymond, but I believe that in the letter you quoted from, he actually
said that he DID NOT know the perpetrator; it was an associate of the
perpetrator who contacted him. Do you have any evidence to suggest that Mr
Raymond is not co-operating with the authorities in helping them to bring
the perpetrator to justice?
The memory allocation code you mentioned, does, at first blush, appear to
have indeed been copied illegally by SGI, and perhaps SGI have got some
explaining to do. However, this is a very tiny part of Linux as a whole, and
the notion that "one million lines of UNIX System V protected code have been
contributed to Linux" is obviously based on an incredibly improbable reading
of copyright law in terms of what you consider to be "derivative works" (one
that if upheld, would turn copyright law on its head).
Contrary to what you suggest in your letter, in my experience members of the
Open Source community understand very well and fully respect copyright laws.
In fact, a very telling remark in you letter where you talk about
"transferring copyrights in contributed code to Open Source", leads me to
believe that we understand it better than you do Mr McBride. Open Source is
NOT THE SAME as Public Domain. Open Source software relies on Copyright Law
to protect the authors. There is no "transfer" to some nebulous Open Source
status. When I write a piece of software, I as the author, hold the
copyright on that work. When I choose to release it, I license it to my
customers using the GNU General Public License, the BSD license, or some
other Open Source license. My customers agree to the terms of the license.
If they violate the terms of the license (for example, they attempt to
sublicense my work in violation of the GPL), they are in breach of our
agreement, and they are misappropriating my work.
In your letter, you refer to "problems that exist in the current Linux
software development model". The Open Source development model, by its very
nature, is transparent. Any intellectual property problems can be quickly
identified and addressed because the code is out in the open. I contend that
there is absolutely no way for SCO to tell whether a closed-source system
such as Windows, AIX, etc. has code copied within it. You are holding the
Open Source community to a higher standard than the proprietary software
community.
Finally, I'd like to address the 5 points in your summary.
"1. Fair use applies to educational, public service and related applications
and does not justify commercial misappropriation."
I agree.
"2. Copyright attributions protect ownership and attribution rights-they
cannot simply be changed or stripped away."
Absolutely agree. Perhaps SGI have some explaining to do here. But also, I'd
like to hear your explanation of why the Regents of the University of
California attribution is missing from the Berkley Packet Filter that showed
up in your slides at the Las Vegas presentation?
"3. In copyright law, ownership cannot be transferred without express,
written authority of a copyright holder. Some have claimed that, because SCO
software code was present in software distributed under the GPL, SCO has
forfeited its rights to this code. Not so - SCO never gave permission, or
granted rights, for this to happen."
Again, I agree. And there certainly is nothing in the GPL that even mentions
the transferring of ownership of copyright to anybody. However, ANY TIME you
distribute Linux, which is the intellectual property of hundreds of authors,
you are BOUND, by Copyright Law, to the terms of the licenses granted to you
by those hundreds of individual copyright holders (the authors of Linux). So
if you were distributing Linux after you believed that there was tainted
code present in it, you were still bound by the license agreements with
those Linux authors.
Think about it Mr McBride. You are asking others to respect Intellectual
Property. Are you respecting the Intellectual Property of the authors of
Linux?
"4. Transfer of copyright ownership without express written authority of all
proper parties is null and void."
I agree again. Copyright is the property of the author, be it an individual,
IBM, HP, or whoever. I don't know how you can reconcile this statement,
which is clearly true, with your assertion that "one million lines of UNIX
System V protected code have been contributed to Linux"!
"5. One reason SCO sued IBM is due to our assertions that IBM has violated
the terms of the specific IBM/SCO license agreement through its handling of
derivative works. We believe our evidence is compelling on this issue."
I have not seen your agreement with IBM so I can't comment.
Regards,
Dafydd Walters
Open Source Developer.
Comments (1 posted)
| From: |
| SOT Public Relations <prelations@sot.com> |
| To: |
| lwn@lwn.net |
| Subject: |
| Saving the earth from anarchy by eliminating the weakest link |
| Date: |
| Mon, 8 Sep 2003 20:09:18 +0300 |
This article is copyright free. Anyone is permitted to use, link
and publish it.
SAVING THE EARTH FROM ANARCHY BY ELIMINATING THE WEAKEST LINK
Finland, 2003-8-24
By Santeri Kannisto, SOT
The recent massive failure of the US electrical grid has got me thinking.
I've come to realize that our civilization is really quite vulnerable to
events that are completely beyond our control and influence. It didn't
make the international news, but the same kind of catastrophe happened
yesterday evening at an amusement park in Helsinki, Finland.
I was enjoying the fun-filled atmosphere with my 4 and 8 year old kids
when suddenly the electricity was cut off in Helsinki. In the space of
a few seconds, amusement rides became torture devices. Innocent kids and
adults hung upside-down, 10 meters in the air, without any means of
escape. What causes a failure of this magnitude?
Last week I lost my banking card on a hunting trip to northern Finland.
The cash machine accepted the card greedily, considered my transaction for
a disturbingly long time, and then decided to shut itself down...with my
card inside. Later, I learned from bank the reason: their cash machines
had become infected with a Windows virus. I couldn't help wondering what
effect this kind of thing might have had in the US, if it happened on
a larger scale, and for a longer time. No electricity, no cash --- it
could drive a country to anarchy! How is this sort of thing even possible
in the 21st century?
I've been working in the software industry for the last 12 years. I
started out as a software engineer, programming and designing various
systems. Then I moved on to managing projects and finally ended up running
a software house. One of realizations I have come to during my time is
that when it comes to software, problems will happen. It doesn't matter
how skilled people are, or what quality control processes are established.
Software problem can arise from so many causes --- from misunderstandings,
miscommunication, changing requirements, or simply because today's vast
and complicated computer systems are beyond the understanding of any
single human being. The basic weakness is people and the fault always
originates between the chair and keyboard. This is what makes it
impossible to achieve 100% fail-safe and foolproof software, despite
everything we do to reduce risks. Bug-ridden software is the weakest
point of modern society, posing a greater threat than even terrorism or
crime.
What can we do to shore up this weakness? Can we remove the danger
completely? No, unfortunately we can not. We have grown too reliant on
software, trusting it to control all aspects of our lives, even if we
know nothing about it. Airplanes fly with software, banks use software
for handling our money, power plants use software for configuring and
monitoring electric grid, hospitals need it to keeping people alive.
Isn't that scary! We use trust this thing called software to handle
matters of life and death.
We could reduce our vulnerability by employing armies of software
engineers, constantly on-call to deal with problems as they occurs.
We could subject software's source code to the scutiny of thousands of
eyes, alert for every possible flaw. We could ensure that systems are
designed with a thought for security. Are these ideas at all feasible?
How could they be implemented, and what would be the impact on
the software business?
The answer to these questions is Open Source. Open Source software
provides all these benefits and makes it possible for anyone to fix the
faults as fast as they are discovered. Open Source means that software is
being constantly examined by multitudes of people, letting us detect
faults before they risk lives. This new method of software engineering and
business makes customers and users independent of any particular company,
programming team or organization. It does this by giving anyone --- not
just the maker --- the right to fix faulty software. This reduces the risk
of bad software significantly. It's not enough just to be allowed to look
at the source code. What's the point of looking, if you're not allowed to
fix the problems you find?
It has been argued that Open Source will destroy the software industry,
because it makes software free (as in "free beer"). In reality, Open
Source just requires a different approach. It may well destroy or weaken
companies who cling to outdated models, but it creates opportunities for
new, forward-thinking companies who are willing to make the change for
the sake of humanity.
Here's the deal. You don't sell restrictive licenses and patent
everything in sight. Instead, you charge for tailoring software to
individual needs and you sell maintenance, support and development
services for the kind of software that is by nature risk-reducing.
From the business side of things, companies like ours are already
profitable, making nothing other than Open Source software. Whether
Open Source is a viable and sustainable business strategy is no longer
in question. It's just about having sane management, who understand
the concept of Open Source, and who don't expect too much, too quickly.
In my humble opinion I would feel much safer if I knew that the airplane
I fly with used Open Source software, if I knew that power plants relied
on systems they can review by themselves and that banks could fix
emerging security holes right away instead of waiting and hoping for
some third party update. It is my great hope that in the near future,
before it's too late, we will be able to eliminate modern society's
weakest link. We would be that much safer from anarchy caused by
innocent little software bugs.
Santeri Kannisto
tel. +358 440 833 982
e-mail sk@sot.com
[http://www.sot.com/en/press/2003-09-08_Article.txt]
Comments (5 posted)
Page editor: Jonathan Corbet