LWN.net Logo

LWN.net Weekly Edition for September 18, 2003

Whose Internet is it?

Verisign is, of course, the company that once had a monopoly in the registration of .com and .net domain names. That monopoly has been broken, but Verisign is still the maintainer of the underlying database. This job is a nice cash cow for Verisign; all it needs to do is keep the database running, and it can extract an annual rent from every .com and .net domain out there. Many people would be happy with such a business.

Verisign, it would seem, wants more than that. So, at the beginning of this week, the company slipped a little "wild card" entry into the databases for .com and .net. The wild card entry provides an answer for any domain query that does not otherwise appear in the database; it is a default answer which now appears instead of the "no such domain" response that came before.

What does this wild card do? If you look up something that doesn't exist, say "scolinuxlicense.com", you'll get back an IP address (currently 64.94.110.11). If you send mail to that address, you get the world's stupidest SMTP server (if you're bored, try a command like "telnet bogusverisignhost.net smtp" and type five lines of random junk at it). Web queries, however, go to the company's "sitefinder" service. There, the user is confronted with a search engine and paid links aimed to help said user find what they were really after. Note that, according to the terms of use:

The information provided through the VeriSign Services is not necessarily complete and may be supplied by VeriSign's commericial [sic] licensors, advertisers or others.

In other words, it's really just another low-class domain hijacking scam.

In this case, however, there is more to it. Verisign has, by making this change, fundamentally altered the way the Internet operates. A whole class of diagnostic information - the fact that a given domain lookup has failed - is no longer part of the DNS protocol when .com and .net are involved. This change was not discussed with any of the affected users or other responsible parties, it was simply done. Verisign may have lost its monopoly on front-line domain name registration, but it still seems to think it owns the underlying domains.

The change has had real consequences. For example, spam filtering which relies on domain name existence tests no longer works. Bouncing spam with fake return addresses now has to go through a discussion with Sitefinder's SMTP server. The change is a generally bad idea; to have simply made such a change without so much as a "by your leave" is an act of great arrogance.

The internet, however, is built on free software. There is already a patch available from ISC for BIND 9 which defeats the new wildcard entries. Linux users can find a program on this page which uses netfilter to fix Sitefinder replies; that page also has pointers to patches for a number of DNS servers and mail transfer agents. Verisign may or may not decide to back down on this "service," but, since we own the infrastructure of our net, we can fix the problem regardless - this time, at least. Verisign's next move may not be so easy to counter.

Comments (19 posted)

SCO's quarterly filing

SCO's quarterly 10Q filing is now available. These filings can often give some insight into the internals of a company. Since SCO's actions are, currently, somewhat relevant to the Linux community, this filing is worth a look. What follows is our summary of the current quarterly state of SCO.

The company claims a profitable quarter, of course. Total revenue is reported at $20 million, of which $11 million came from products, $2 million from services, and $7 million from SCOsource. As a result of this revenue, the company's claimed assets have gone from $21 million at the beginning of the fiscal year (October, 2002) to $26 million now; of that, almost $15 million is cash in the bank. $15 million is also, of course, what the company has received in licensing revenue from Microsoft and Sun this year.

The company has spent almost $4 million ($1.7 million in the quarter) on SCOsource. This figure includes internal SCOsource staff along with external legal fees. Most other expenditures are in decline; the company spent 31% less in research and development than it did last year. SCO laid off 35 employes - about 10% of its staff - over the quarter. It also shut down SCO Group Ltd., a subsidiary in the UK.

Litigation

Not surprisingly, ongoing litigation is an important topic in this filing. It mentions the Red Hat suit, stating:

On or about September 15, 2003, the Company filed a motion to dismiss the Red Hat complaint. The motion to dismiss asserts that Red Hat lacks standing and that no case or controversy exists with respect to the claims seeking a declaratory judgment of non-infringement. The motion to dismiss further asserts that Red Hat's claims under the Lanham Act and related state laws are barred by the First Amendment to the U.S. Constitution and the common law privilege of judicial immunity.

It is interesting to hear that "no case or controversy exists" with Red Hat. SCO may well be restricting its options with regard to the creation of future cases against Red Hat. The first amendment defense is interesting; the first amendment rights of companies in the U.S. is currently a topic of much debate - and an ongoing Supreme Court case.

Things are happening in other parts of the world:

The Australian Competition and Consumer Commission (the "ACCC") has contacted the Company and requested information regarding complaints it has received regarding the Company's intellectual property claims and the Company's statements regarding the need for commercial Linux users to obtain a UNIX license. [...]

Several entities in Germany have obtained temporary restraining orders in Germany precluding SCO GmbH, the Company's German subsidiary, in substance, from making statements in Germany that disparage Linux, or entities involved in the Linux business, or implicate Linux as infringing the Company's intellectual property rights. SCO GmbH has received an administrative fine of 10,000 Euro for a technical violation of one of the temporary restraining orders. [...]

Informal letter complaints similar to those raised in Germany have been received from companies in Austria and Poland. [...]

Pursuit and defense of the above-mentioned matters will be costly, and management expects the costs for legal fees and related expenses may be substantial. The ultimate outcome or potential effect of the Company's results of operations or financial position as a result of the above-mentioned matters is not currently known or determinable.

The end result is that the limited countermeasures taken against the company so far are being felt. The "risk factors" section of the filing also has this statement:

We are informed that participants in the Linux industry have attempted to influence participants in the markets in which we sell our products to reduce or eliminate the amount of our products and services that they purchase. They have been somewhat successful in those efforts and will likely continue.

In other words, SCO is discovering the costs involved in angering its customers.

Sun and Microsoft

Of course, SCO's customer base is shifting; a large part of its revenue comes from exactly two companies: Sun Microsystems and Microsoft.

SCO's previous quarterly filing had noted that the "second SCOsource licensee" (being Sun Microsystems) had received, as part of its deal, a warrant allowing it to buy 210,000 shares of SCO stock at $1.83 each. Subsequently, a second warrant for 12,500 shares has been issued to Sun, at the same $1.83 price. There is still no explanation of why SCO stock is being issued to Sun. Most software licensing agreements do not include this sort of equity component.

Sun, which was responsible for 12% of SCO's revenue over the quarter, still owes $2.5 million on its licensing deal. That money is to be paid by the end of November.

Microsoft contributed 25% of SCO's revenue over the quarter. "On July 31, 2003, Microsoft exercised an option to acquire expanded licensing rights. Upon delivery, we expect to recognize additional revenue related to this option." There is no further discussion of what these "expanded licensing rights" are, or what Microsoft is paying for said rights. Chances are, however, that this is the "Fortune 500" customer for SCO's "Linux license" that we heard about in early August.

Vultus and Vista

The quarterly filing gives a few details with regard to SCO's dealings with a couple of other Canopy-funded companies. In June, SCO acquired Vultus, Inc., which is a web services business. The purchase itself required the issuance of 167,590 shares of SCO stock, of which almost 37,000 went to Canopy. But Vultus also owed Canopy a little over $1 million, so another 138,000 shares of stock (worth over $2.5 million now) went in Canopy's direction to take care of that little problem. This deal is a significant transfer of resources from SCO to Canopy; the benefit to SCO remains unclear, however.

We've previously looked at SCO's dealings with Vista, which included the acquisition of $1 million in the company's debt for 800,000 shares of company stock, now worth many times that amount. The company has also fed the company $200,000 in other financing. The current state of that debt?

As of July 31, 2003, the $1,000,000 convertible note receivable discussed above as well as both $100,000 notes receivable were outstanding and in technical default; however, the Company had not demanded repayment. No allowance for the past due notes receivable was recorded as of July 31, 2003 since the Company and Vista continue to work together under the license agreement discussed above and the Company is evaluating its option to convert the notes receivable to equity in Vista.

Vista is fortunate to have such an understanding creditor.

Summary

This filing describes a company whose regular product and service offerings continue to decline in market share and revenue. The filing mentions new initiatives ("web services") but lacks specifics and does not go so far as to predict any sort of revenue from those initiatives. SCO's great hope for the future remains SCOsource. In that context, it is interesting to note that the company's "Linux license" is not mentioned in any significant way here. The first public announcement of this license came after the close of the quarter, but it was clearly in the works at that time. If SCO thought it would get any kind of real revenue from this license, it would not have hesitated to say so. Instead, we continue to hear about exactly two companies - Sun and Microsoft - which are keeping SCO on life support and, apparently, intend to continue doing so. Meanwhile, attacks through the courts and the market are making themselves felt; SCO is finding itself fighting an increasingly defensive battle.

Anybody who is considering investing in SCO would be well advised to read this filing in its entirety.

Comments (17 posted)

OSDL hires analyst Stacey Quandt

[This article was contributed by Joe 'Zonker' Brockmeier]

The Open Source Development Labs (OSDL) have been on a bit of a high-profile hiring spree this year. First OSDL managed to sign Linus Torvalds to their roster, then followed quickly with kernel maintainer Andrew Morton. Now OSDL is bringing on open source analyst Stacey Quandt as Principal Analyst.

Quandt has worked for Giga Information Group, where she started Giga's Open Source Research program, and for Forrester after Giga was acquired by Forrester. As an analyst that specializes in open source, Quandt has been widely quoted in the tech press and she has been a longtime proponent of Linux and open source -- even on the desktop, judging by this quote from a June story on Ximian on Newsfactor: "The desktop is Microsoft's last stand for near dominance, which will gradually erode with greater awareness of the maturity of Linux desktop offerings."

Unlike many analysts, Quandt has not been willing to parrot the party line that Microsoft solutions are cheaper. After IDC released a study last year saying that Windows 2000 was more cost-effective, Quandt questioned the numbers cited by IDC according to this article in PC World:

...the acquisition costs for hardware and software that IDC cites are suspect, according to Stacey Quandt, an analyst with Giga Information Group. She said Windows systems would seem to account for more than 10 percent of the total cost due to ongoing licensing fees.

Quandt is also one of the analysts who refused to take SCO's word that Linux contains misappropriated intellectual property at face value. While Laura DiDio of the Yankee Group and several other analysts bought SCO's line, Quandt called for SCO to show its cards, and refused to sign SCO's NDA, calling the offer a publicity stunt.

We wanted to ask Quandt about her new role with OSDL, but she was unavailable to answer questions for this story, as she's on the Linux Lunacy cruise. Nelson Pratt, Director of Marketing, was available. Pratt says that Quandt's job will be working with research firms doing work on Linux:

Our members have consistently cited the lack of extensive Linux ROI, TCO and Migration Cost research as a problem for them. Several existing research companies are starting to address this, and many are interested in having OSDL participate in some way. Stacey's research background makes her the right person to represent OSDL in its work with industry research firms. Original research is also a possibility in the future depending on our members' needs.

The release also notes that Quandt will be principal speaker for OSDL at conferences and tradeshows. Pratt declined to comment on any other Linux luminaries that may be joining OSDL in the near future.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Brief items

A bad week

As a quick perusal of this week's "new vulnerabilities" section will confirm, this has not been a good week for the security of Linux systems. New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail, XFree86, and more. Almost every Linux system out there will be affected by at least one of these problems.

The OpenSSH and sendmail vulnerabilities are of particular concern. Almost every system of interest runs OpenSSH, and vast portions of the net still run sendmail. Any vulnerability in those programs automatically opens up large numbers of systems to exploitation. These are the sorts of problems that will, someday, be used for the creation of a virulent worm which attacks Linux systems. If we are lucky, no such event will strike us this time around, but let there be no doubt about it: as long as software which is so widely deployed has remotely exploitable holes, we are vulnerable to that sort of mass attack.

Now that the obligatory scary talk is done, let's take a look at the better news here. It is not clear that the bugs in either OpenSSH or sendmail are exploitable in any large-scale way. Even if they are, once again the problems have been found first by the good guys and fixes have been made quickly available by the Linux distributors. The patches being released are small and relatively non-disruptive; administrators can apply them quickly and with confidence. So most systems will be patched in a relatively short period of time. These vulnerabilities were a scary warning, but it does not appear that there will be any great consequences this time around.

Nonetheless, this episode is a warning. Our security, while arguably better than that of the competition, is nowhere near good enough. We are still encountering bugs in crucial, highly-audited code; one can only imagine what lurks in programs which get less attention. And the network environment we are creating is still too monocultural. The network as a whole will be safer when there are multiple, interoperable programs capable of performing the basic infrastructural tasks.

Comments (11 posted)

New vulnerabilities

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

mysql: arbitrary code execution

Package(s):mysql CVE #(s):CAN-2003-0780
Created:September 15, 2003 Updated:October 9, 2003
Description: Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16 characters long hexadecimal value. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
Alerts:
Red Hat RHSA-2003:281-01 2003-10-09
SuSE SuSE-SA:2003:042 2003-10-01
Mandrake MDKSA-2003:094 2003-09-18
Conectiva CLA-2003:743 2003-09-18
EnGarde ESA-20030918-025 2003-09-18
Trustix 2003-0034 2003-09-17
Gentoo 200309-08 2003-09-15
OpenPKG OpenPKG-SA-2003.038 2003-09-15
Debian DSA-381-1 2003-09-13

Comments (none posted)

OpenSSH: buffer management error

Package(s):OpenSSH CVE #(s):CAN-2003-0693
Created:September 16, 2003 Updated:October 1, 2003
Description: All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details.

CAN-2003-0693

Alerts:
SCO Group CSSA-2003-027.0 2003-10-02
Debian DSA-383-2 2003-09-21
Debian DSA-382-3 2003-09-21
SuSE SuSE-SA:2003:039 2003-09-18
EnGarde ESA-20030918-024 2003-09-18
Yellow Dog YDU-20030917-1 2003-09-17
Conectiva CLA-2003:741 2003-09-17
Debian DSA-383-1 2003-09-17
Sorcerer SORCERER2003-09-17 2003-09-17
Slackware SSA:2003-260-01 2003-09-17
Red Hat RHSA-2003:279-02 2003-09-17
Mandrake MDKSA-2003:090-1 2003-09-17
Trustix 2003-0033 2003-09-17
OpenPKG OpenPKG-SA-2003.040 2003-09-17
Immunix IMNX-2003-7+-020-02 2003-09-16
Gentoo 200309-12 2003-09-16
Debian DSA-382-2 2003-09-17
SuSE SuSE-SA:2003:038 2003-09-16
Slackware SSA:2003-259-01 2003-09-16
Mandrake MDKSA-2003:090 2003-09-16
Immunix IMNX-2003-7+-020-01 2003-09-16
Debian DSA-382-1 2003-09-16
Red Hat RHSA-2003:279-01 2003-09-16
EnGarde ESA-20030916-023 2003-09-16
Conectiva CLA-2003:739 2003-09-16

Comments (none posted)

pine: remote exploits

Package(s):pine CVE #(s):CAN-2003-0720 CAN-2003-0721
Created:September 11, 2003 Updated:September 17, 2003
Description: Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).

A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0720 to this issue.

An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0721 to this issue.

Both of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine.

Alerts:
Gentoo 200309-10 2003-09-16
Conectiva CLA-2003:738 2003-09-12
Slackware SSA:2003-253-01 2003-09-10
EnGarde ESA-20030911-022 2003-09-11
SuSE SuSE-SA:2003:037 2003-09-11
Red Hat RHSA-2003:273-01 2003-09-11

Comments (1 posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segfault fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):sendmail CVE #(s):CAN-2003-0694 CAN-2003-0681
Created:September 17, 2003 Updated:November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
SCO Group CSSA-2003-036.0 2003-11-17
SuSE SuSE-SA:2003:040 2003-09-20
OpenPKG OpenPKG-SA-2003.041 2003-09-19
Conectiva CLA-2003:742 2003-09-18
Yellow Dog YDU-20030917-2 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Debian DSA-384-1 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Gentoo 200309-13 2003-09-17

Comments (none posted)

XFree86 4.3.0 integer overflows in font libraries

Package(s):XFree86 CVE #(s):CAN-2003-0730
Created:September 12, 2003 Updated:November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Red Hat RHSA-2003:286-01 2003-11-25
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:288-01 2003-11-17
Debian DSA-380-1 2003-09-12
Mandrake MDKSA-2003:089 2003-09-11

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 24, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Red Hat RHSA-2003:243-01 2003-09-22
Red Hat RHSA-2003:240-01 2003-09-04
Mandrake MDKSA-2003:075-1 2003-08-28
Mandrake MDKSA-2003:075 2003-07-21
Conectiva CLA-2003:698 2003-07-21
Trustix 2003-0025 2003-07-11

Comments (none posted)

autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:October 1, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:October 1, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

exim: buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2003-0743
Created:September 5, 2003 Updated:October 1, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.

CAN-2003-0743

Alerts:
Gentoo 200309-09 2003-09-15
Debian DSA-376-2 2003-09-07
Conectiva CLA-2003:735 2003-09-05
Debian DSA-376-1 2003-09-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:October 1, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 16, 2003 Updated:November 18, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

inetd: DoS attack

Package(s):inetd CVE #(s):
Created:September 8, 2003 Updated:September 10, 2003
Description: inetd has a hard-coded limit of 256 connections-per-minute, after which the given service is disabled for ten minutes. An attacker could use a quick burst of connections every ten minutes to effectively disable a service.

Once upon a time, this was an intentional feature of inetd, but in today's world it has become a bug. Even having inetd look at the source IP and try to limit only the source of the attack would be problematic since TCP source addresses are so easily faked.

Alerts:
Slackware SSA:2003-251-01 2003-09-08

Comments (3 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s):libpam-smb, pam-smb CVE #(s):CAN-2003-0686
Created:August 26, 2003 Updated:October 1, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.

CAN-2003-0686

Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

mah-jong: buffer overflows, denial of service

Package(s):mah-jong CVE #(s):CAN-2003-0705 CAN-2003-0706
Created:September 8, 2003 Updated:September 10, 2003
Description: Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game.

CAN-2003-0705 (buffer overflow): This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server.

CAN-2003-0706 (denial of service): This vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands.

Alerts:
Debian DSA-378-1 2003-09-07

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creations

Package(s):mindi CVE #(s):CAN-2003-0617
Created:September 2, 2003 Updated:October 1, 2003
Description: Mindi versions prior to 0.86 creates files in /tmp which could allow local user to overwrite arbitrary files.

CAN-2003-0617

Alerts:
Gentoo 200309-05 2003-09-02
Debian DSA-362-1 2003-08-02

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:October 1, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server.

CAN-2003-0685

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:October 1, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

CAN-2003-0672

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:October 1, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:October 1, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corportation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Gentoo 200308-02 2003-08-14
Yellow Dog YDU-20030723-2 2003-07-23
Red Hat RHSA-2003:234-01 2003-07-23
Debian DSA-339-1 2003-07-06

Comments (none posted)

sendmail: bad DNS reply causes crash

Package(s):sendmail CVE #(s):CAN-2003-0688
Created:August 26, 2003 Updated:October 1, 2003
Description: There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003. See this advisory for more information.

CAN-2003-0688

Alerts:
Conectiva CLA-2003:727 2003-08-29
Red Hat RHSA-2003:265-01 2003-08-28
OpenPKG OpenPKG-SA-2003.037 2003-08-28
SuSE SuSE-SA:2003:035 2003-08-26
Mandrake MDKSA-2003:086 2003-08-26

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:296-01 2003-11-24
SCO Group CSSA-2003-026.0 2003-10-03
Conectiva CLA-2003:736 2003-09-05
Trustix 2003-0030 2003-08-07
EnGarde ESA-20030806-020 2003-08-06
Red Hat RHSA-2003:221-01 2003-07-25

Comments (none posted)

sup: insecure temporary file

Package(s):sup CVE #(s):CAN-2003-0606
Created:July 29, 2003 Updated:October 1, 2003
Description: sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup.

CAN-2003-0606

Alerts:
Debian DSA-353-1 2003-07-29

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

CAN-2003-0515

Alerts:
Gentoo 200309-18 2003-09-30
Debian DSA-347-1 2003-07-08

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
SCO Group CSSA-2003-031.0 2003-11-07
Debian DSA-344-2 2003-08-26
Slackware SSA:2003-237-01 2003-08-25
Mandrake MDKSA-2003:073-1 2003-08-19
Conectiva CLA-2003:724 2003-08-18
Red Hat RHSA-2003:199-02 2003-08-15
Yellow Dog YDU-20030710-1 2003-07-10
Gentoo 200307-02 2003-07-11
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Debian DSA-344-1 2003-07-08
Mandrake MDKSA-2003:073 2003-07-07
Conectiva CLA-2003:672 2003-07-02
Immunix IMNX-2003-7+-017-01 2003-07-02
Red Hat RHSA-2003:199-01 2003-07-01

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):vixie-cron CVE #(s):CVE-2001-0559
Created:April 17, 2003 Updated:October 3, 2003
Description: From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root."

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

Alerts:
Conectiva CLA-2003:758 2003-10-03
Conectiva CLA-2003:757 2003-10-03
Conectiva CLA-2003:628 2003-04-17

Comments (none posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
SCO Group CSSA-2003-035.0 2003-11-17
Debian DSA-319-1 2003-06-12

Comments (none posted)

wget:directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

CAN-2002-1344

Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

wget: buffer overflow

Package(s):wget CVE #(s):CAN-2003-1565
Created:August 5, 2003 Updated:December 10, 2003
Description: The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:
Red Hat RHSA-2003:372-01 2003-12-10
SCO Group CSSA-2003-025.0 2003-10-03
Conectiva CLA-2003:716 2003-08-04

Comments (1 posted)

wu-ftpd: off-by-one bug

Package(s):wu-ftpd CVE #(s):CAN-2003-0466
Created:July 31, 2003 Updated:October 5, 2003
Description: An off-by-one bug has been discovered in versions of wu-ftpd up to and including 2.6.2. On a vulnerable system, a remote attacker would be able to exploit this bug to gain root privileges. See this advisory for more details.
Alerts:
SCO Group CSSA-2003-024.0 2003-09-26
Immunix IMNX-2003-7+-019-01 2003-08-06
Conectiva CLA-2003:715 2003-08-01
Debian DSA-357-1 2003-07-31
SuSE SuSE-SA:2003:032 2003-07-31
Mandrake MDKSA-2003:080 2003-07-31
Red Hat RHSA-2003:245-01 2003-07-31

Comments (none posted)

wu-ftpd: insecure program execution

Package(s):wu-ftpd CVE #(s):CVE-1999-0997
Created:September 5, 2003 Updated:September 24, 2003
Description: wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several command line options which can be abused, by means of this vulnerability, to execute arbitrary programs with the privileges of the wu-ftpd process.
Alerts:
Slackware SSA:2003-259-03 2003-09-23
Conectiva CLA-2003:748 2003-09-22
Debian DSA-377-1 2003-09-04

Comments (1 posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s):xinetd CVE #(s):CAN-2003-0211
Created:May 13, 2003 Updated:November 13, 2003
Description: Xinetd is a 'master server' that is used to to accept service connection requests and start the appropriate servers.

Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable.

In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.

All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.

Alerts:
Conectiva CLA-2003:782 2003-11-12
Yellow Dog YDU-20030602-1 2003-06-02
Gentoo 200305-08 2003-05-19
Mandrake MDKSA-2003:056 2003-05-14
Red Hat RHSA-2003:160-01 2003-05-13

Comments (none posted)

zblast: buffer overflow

Package(s):zblast CVE #(s):CAN-2003-0613
Created:August 11, 2003 Updated:October 1, 2003
Description: Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score.

CAN-2003-0613

Alerts:
Debian DSA-369-1 2003-08-08

Comments (1 posted)

Resources

CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for September is out. This month's topics include accidents and security incidents (in particular the northeast blackout), reactions to his new book Beyond Fear, licensing computer users, prohibiting hats in banks, California's security breach disclosure law, and benevolent worms. "Experimentation, most of it involuntary, proves that worms are very hard to debug successfully: in other words, once worms starts spreading it's hard to predict exactly what they will do. Some viruses were written to propagate harmlessly, but did damage -- ranging from crashed machines to clogged networks -- because of bugs in their code. Many worms were written to do damage and turned out to be harmless (which is even more revealing)."

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.6.0-test5; Linus has released no kernels since September 8. It has been a relatively slow period for kernel development in general.

Patches in Linus's BitKeeper repository include a Coda filesystem update, some initramfs tweaks, improvements in random driver locking, the removal of some ext3 debugging hooks, direct I/O support for reiserfs, some CPU frequency work, an Intel SpeedStep-SMI driver, a substantial amount of janitorial work, and various fixes.

The current stable kernel is 2.4.22. Marcelo released 2.4.23-pre4 on September 12; it includes some VM improvements (including the removal of the much-maligned out-of-memory killer), an ia-64 update, some NFS work, a wireless update, and various other fixes.

Comments (1 posted)

Kernel development news

Solving out-of-memory situations the Linux way

The out-of-memory (OOM) killer is a longstanding source of controversy in Linux development circles. The killer comes into play if the kernel encounters a memory shortage so severe that the ongoing functioning of the system is endangered. Rather than panic or lock up, the kernel brings in the OOM killer, which goes looking for processes to kill. The killer has a complicated set of heuristics built into it in an attempt to have it target the processes that are least likely to be missed. Anybody who has seen the OOM killer in action, however, knows that it can still make unfortunate choices. Choosing the process which (1) is among the least valuable on the system, and (2) is a significant part of the memory problem is a difficult task.

As a result of discomfort with this grim reaper lurking within the kernel, and of recently merged VM improvements, the OOM killer has been removed from the 2.4.23 prepatch series.

For 2.6, Rusty Lynch has just posted a different answer that should, perhaps, have been obvious from the beginning. Rather than trying to come up with a set of OOM killer heuristics that works for everybody, Rusty's patch sets up a notifier-based mechanism that allows for pluggable OOM killer modules. With this patch, anybody who wants to set up a different response to memory shortages need only write a module implementing that technique.

The patch includes the standard OOM killer, along with an example alternative which simply panics the system. But there is already talk of creating OOM killer modules implementing different policies. One, which has been posted already, targets processes if they are seen to be forking children which fall victim to the OOM killer; it works on the assumption that the parent is the real source of the problem. A "blame Mozilla" module has been suggested. And Alan Cox has suggested involving the security module code so that a site's security policies can be part of the OOM reaction process.

It's unclear how far this process will go. But pluggable OOM killers is a clear way of ending the long discussion over what the right policy should be. Linux is, after all, about choice, even when the choices are unpleasant.

Comments (8 posted)

OpenBIOS releases a Forth kernel

The OpenBIOS project has announced the release of a Forth kernel, known as "BeginAgain." Most users, who are strangely uninterested in typing Forth code at something close to bare hardware, will probably not rush out to install this release. But it is a step forward for the OpenBIOS project and for everybody wanting to run their systems with free software all the way down to the bare metal. The BeginAgain platform is mostly useful for testing at this point, but when a few more pieces are added (a device interface and the client layer which will allow the system to boot operating systems) OpenBIOS should start to get interesting for a wider group of users.

Comments (none posted)

ACPI gets a new maintainer

Andrew Grover has announced that he is no longer the ACPI maintainer; his duties have been passed on to Len Brown. ACPI is still not popular among all developers and users, but the simple fact is that good ACPI support is now required to get many systems to function properly. Andrew and his team have put massive amounts of work into the Linux ACPI implementation over the last few years, with the result that Linux does, indeed, have good ACPI support. Thanks, Andrew; we're looking forward to your next project, whatever it may be.

Comments (none posted)

Driver porting

Driver porting: Char devices and large dev_t

This article is part of the LWN Porting Drivers to 2.6 series.
Much 2.5 kernel development work went toward increasing the size of the dev_t device number type. That work has necessarily forced some changes in how device drivers work with the rest of the kernel. This article describes the changes as seen from the point of view of char drivers. It is current as of the 2.6.0-test9 kernel. Note that the interfaces describe here are still volatile and could change significantly before 2.6.0-final is released.

Major and minor numbers

With the expanded dev_t, it is no longer be possible to assume that major and minor numbers fit within eight bits. To the greatest extent possible, the relevant interfaces have been changed in ways that will not break existing drivers. In particular, a driver which uses the longstanding register_chrdev() function to register a char device will never see minor device numbers greater then 255. Attempts to open a device node with a larger minor number will simply fail with a "no such device" error.

One change that is visible to all drivers, however, is the elimination of the kdev_t type. Device numbers are now a simple dev_t throughout the kernel. The place where this change is most apparent for most will be the change in the type of the inode i_rdev field. Drivers which need to get major or minor numbers from inodes should use the two new helper functions:

    unsigned iminor(struct inode *inode);
    unsigned imajor(struct inode *inode);

Use of these functions will help keep a driver working in the future, even if the representation within inodes changes again.

The new way

register_chrdev() continues to work as it always did, and drivers which use that function need not be changed. Unchanged drivers, however, will not be able to use the expanded device number range, or take advantage of the other features provided by the new code. Sooner or later, it is worthwhile to get to know the new interface.

The new way to register a char device range is with:

    int register_chrdev_region(dev_t from, unsigned count, char *name);

Here, from is the device number of the first device in the range, count is the number of device numbers to register, and name is the base name of the device (it appears in /proc/devices). The return value is zero if all goes well, and a negative error number otherwise.

Note that from is a device number, not a major number. This interface allows the registration of an arbitrary range of device numbers, starting from anywhere. So the from argument specifies both the beginning major and minor number. If the count argument exceeds the number of minor numbers available, the allocation will continue on into the next major number; this is a design feature.

register_chrdev_region() works if you know which major device number you wish to use. If, instead, your driver expects to work with dynamic major number allocation, it should use:

    int alloc_chrdev_region(dev_t *dev, unsigned baseminor, 
                            unsigned count, char *name);

In this case, dev is an output-only parameter which will be set to the first device number of the allocated range. The input parameters are baseminor, the first minor number to use (usually zero); count, the number of device numbers to allocate; and name, the base name of the device. Once again, the return value is zero or a negative error code.

Connecting up devices

Some readers may have noticed that the above functions, unlike register_chrdev(), do not have a file_operations argument. Registering a device number range sets those numbers aside for your use, but it does not actually make any device operations available to user space. There is now a separate object (struct cdev) which represents char devices, and which must be set up by your driver to actually make a device available.

To work with struct cdev, you code should include <linux/cdev.h>. Then, the usual way of getting one of these structures is with:

    struct cdev *cdev_alloc(void);

If all goes well, the return value will be a pointer to a newly allocated, initialized cdev structure. Check that value, though; there is a memory allocation involved, and things can always fail.

It is also possible to declare a static cdev structure, or to embed one within another structure. In this case, you should pass it to:

    void cdev_init(struct cdev *cdev, struct file_operations *fops);

before doing anything else with it.

Your driver will need to set a couple of fields in the cdev structure before adding it to the system. The owner field should be set to the owning module, usually THIS_MODULE. The device's file_operations structure should be pointed to by the ops field. And, to get a directory in sysfs, you should also set the name field in the embedded kobject, with something like:

    struct cdev *my_cdev = cdev_alloc();
    kobject_set_name(&cdev->kobj, "my_cdev%d", devnum);

Note that kobject_set_name() takes a printf()-like format string and associated arguments.

Once you have the structure set up, it's time to add it to the system:

    int cdev_add(struct cdev *cdev, dev_t dev, unsigned count);

cdev is, of course, a pointer to the cdev structure; dev is the first device number handled by this structure, and count is the number of devices it implements. This, one cdev structure can stand in for several physical devices, though you will usually not want to do things that way.

There are two important things to bear in mind when calling cdev_add(). The first is that this call can fail. If the return value is nonzero, the device has not been added and is not visible to user space. If, instead, the call succeeds, the device becomes immediately live. You should not call cdev_add() until your driver is completely ready to handle calls to the device's methods.

Adding a device also creates a directory entry under /sys/cdev, using the name stored in the kobj.name field. As of this writing, that directory is empty, but one assumes that all sorts of good things (the associated device numbers, if nothing else) will eventually show up there.

Deleting devices

If you need to get rid of a cdev structure, the usual way of doing things is to call:

    void cdev_del(struct cdev *cdev);

This function should only be called, however, on a cdev structure which has been successfully added to the system with cdev_add(). If you need to destroy a structure which has not been added in this way (perhaps cdev_add() failed), you must, instead, manually decrement the reference count in the structure's kobject with a call like:

    kobject_put(&cdev->kobj);

Calling cdev_del() on a device which is still active (if, say, a user-space process still has an open file reference to it) will cause the device to become inaccessible, but it will not actually delete the structure at that time. The reference count in the structure will keep it around until all the references have gone away. That means that your driver's methods could be called after you have deleted your cdev object - a possibility you should be aware of.

The reference count of a cdev structure can be manipulated with:

    struct kobject *cdev_get(struct cdev *cdev);
    void cdev_put(struct cdev *cdev);

Note that these functions change two reference counts: that of the cdev structure, and that of the module which owns it. It will be rare for drivers to call these functions, however.

Finding your device in file operations

Most of the methods provided by the driver in the file_operations structure take a struct inode (or a struct file which can be used to find the associated inode) as an argument. Traditionally, Linux drivers have looked at the device number stored in the inode's i_rdev field to determine which device is being operated upon. That technique still works, but, in many cases, there is a better way. In 2.6, struct inode contains a field called i_cdev, which contains a pointer to the associated cdev structure. If you have embedded one of those structures within your own, device-specific structure, you can use the container_of() macro (described in the kobject article) to obtain a pointer to that structure.

Why things were done this way

The new interface may seem rather more complex to many. Before, a single call to register_chrdev() was all that was necessary; now a driver has to deal with the additional hassle of managing cdev structures. This approach provides a great deal of flexibility, however, in how the device number space can be managed. Each device gets exactly the number range it needs, and its operations will never be invoked for device numbers outside that range. In the past, it has been noted that many drivers had incorrect range checks on minor numbers; with the new scheme, all those range checks can go away altogether.

The new method also makes it easy for each device to have its own file_operations structure without the need for big switch statements in the open() method. Separate cdev structures can also have separate entries in /sys/cdev. In general, char devices have become proper objects within the kernel, with all the advantages that come with that status. A little bit of extra object management is a small price to pay.

Comments (7 posted)

Patches and updates

Kernel trees

Core kernel code

  • Con Kolivas: O20.2int. (September 16, 2003)
  • Con Kolivas: O20.3int. (September 16, 2003)

Development tools

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Security-related

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Revisiting RPM Package Management

[This article was contributed by Ladislav Bodnar]

The anticipated announcement by Red Hat, Inc. about the future direction of the Red Hat Linux Project, originally scheduled for publishing early this week, was rudely postponed by the imminent arrival of hurricane Isabel in North Carolina. But even as preparations for the potential natural disaster took precedence over writing code, Red Hat still found time to update us on the progress. "We are excited to announce that we are working on an alliance with another well-known provider of Red Hat compatible packages", claims the updated Red Hat Linux Project page. It also promises to release a full announcement, and possibly a new Red Hat beta, on Monday, September 22.

One of the more exciting aspects of this change in direction for Red Hat Linux is introduction of an advanced RPM package manager into the distribution. Traditionally, a lack of one, especially a lack of one with the ability to auto-resolve dependencies, has been a sore point with many users of Red Hat, SuSE and most other RPM-based distributions who often found it frustrating to install or upgrade software. In recent years, many settled on using a third-party application, such as apt-get, apt4rpm or yum, but nevertheless, Red Hat and SuSE's reluctance to provide and support any of them was not appreciated. Luckily, the Linux world is changing fast and Red Hat no longer sees the traditional retail boxed sets as a major income provider. This was possibly one of the reasons for introducing "yum" into Red Hat Linux.

Before we get to explore the wonderful world of advanced package managers, let's take a look at the RPM. Often incorrectly referred to as "Red Hat Package Manager", the abbreviation actually stands for "RPM Package Manager", a recursive acronym often found in UNIX and Linux worlds. "The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages.", asserts the rpm.org website. The format was developed by Red Hat Inc. at some point in mid-nineties, when the Linux distribution market was utterly dominated by Slackware Linux and its TGZ package format. TGZ packages were (and still are) nothing more than simple compressed archives of individual files along with a script that places them into correct directories during installation. When RPM arrived, it was seen as a huge improvement over TGZ. It is not unreasonable to conclude that the RPM package format played a crucial role in the dramatic swing in Linux market share - away from Slackware and towards Red Hat. In the following years, the RPM package format was also adopted by SuSE, Mandrake, Caldera, Turbolinux and many other distributions.

As wonderful as RPM was compared to TGZ, it was the non-commercial Debian project which sprinted ahead in the package management game in March 1999 with the introduction of APT in Debian 2.1. APT is a front-end to Debian's own package management with an ability to resolve software and library dependencies. This proved to be a very successful tool and the RPM package manager was soon to be subjected to crude jokes by Debian users and developers. However, they only lasted till December 2000 when Conectiva Linux ported APT to create apt-rpm and incorporated it into its own distribution. Many other RPM-based distributions followed suit and apt-rpm was soon spotted in projects ranging from Russia's ALT Linux to Japan's Vine Linux. Confidence in RPM was slowly returning into the world of Linux users - except for the users of the Red Hat distribution who will have to wait until late this year before they can enjoy supported advanced package management with dependency resolution.

Those of you who monitor the Red Hat beta mailing list or the Red Hat development branch called Rawhide, have already noticed the presence of "yum" among the long list of packages. What is "yum"? "Yellow dog Updater, Modified is an automatic updater and package installer/remover for RPM systems. It automatically computes dependencies and figures out what things should occur to install packages. It makes it easier to maintain groups of machines without having to manually update each one using rpm." Dependency information is extracted from RPM header files, which list library and software requirements, as well as conflicts with other packages. It is simple to use with commands such as 'yum check-update', 'yum update' and 'yum install <packagename>'.

Useful as yum is, many Red Hat veterans have already standardized on apt-get, with its Debian-like commands of 'apt-get update', 'apt-get dist-upgrade' and 'apt-get install <packagename>'. However, apt-get has not been spotted in Rawhide, so those who prefer to use it will have to continue relying on an unofficial version. We have seen very little technical information about Red Hat's reasons for favoring yum over apt-get, but this is something that will no doubt be explained in the coming weeks. Both apt-get an yum are supported by the Fedora Linux community project, which is one of the largest and most popular third-party repositories of Red Hat compatible RPM packages, while the other main repository at Fresh RPMs only provides apt-enabled package sources.

With Mandrake's own 'urpmi' package management and now Red Hat's inclusion of 'yum', SuSE Linux is the only major Linux distribution still stubbornly refusing to provide and support any apt-like, dependency resolving package management tool. How long before it too succumbs to the power of modern software management?

Comments (46 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for September 16, 2003 is out. This week: audio players revisited, which Tcl, package migration to testing, the second revision of Woody, Dueling Banjos, and much more.

Martin Michlmayr talks about the conferences he's been to, a dedicated Opteron machine for Debian, LSB compliance and cooperation with other projects in this edition of Bits from the DPL.

Colin Watson presents Bits from the BTS with an overview of some recent changes to the Bug Tracking System.

Raphael Hertzog presents Bits from the PTS with a look at some new features in the Package Tracking System.

The Debian-Installer team has a new Debian-Installer HOWTO which needs some testing, so check it out.

Comments (none posted)

Gentoo Weekly Newsletter -- Volume 2, Issue 37

The Gentoo Weekly Newsletter for the week of September 15, 2003 is out. The top news this week - an official port of Gentoo to IA64 is in the works.

Full Story (comments: none)

Mandrake Linux Community Newsletter

The September 12 issue of the Mandrake Linux Community Newsletter is out, with coverage of Mandrake 9.1 ProSuite, Mandrake's fifth anniversary, and various other topics.

Full Story (comments: none)

Slackware Linux

Slackware has had a very busy week according to the slackware-current changelog, including the addition of slackpkg, a simple apt-get-like tool for keeping a Slackware system up-to-date. Slackware 9.1 beta-1 was released September 12. If you want to grab a copy please consider using a mirror, which can be found at AbnormalPenguin and AlphaGeek.

Comments (none posted)

Red Hat Linux

The KDE for RedHat project has released KDE 3.1.3(a) RPMs to the stable repository. Get 'em while they're hot.

Red Hat has an updated printer configuration tool which fixes some SMB problems.

Comments (none posted)

Trustix Secure Linux

TSL has bug fixes available for many packages, including bind, cyrus-imapd, cyrus-sasl, grub, hwdata, initscripts, kernel, make, mdadm, ncurses, postfix, ppp, rp-pppoe, samba, setup, and stunnel.

Full Story (comments: none)

Engarde Secure Linux

Engarde fixes a bug introduced in 3.25 version of stunnel, which was released to fix the original SIGCHLD vulnerability, in the new SIGCHLD handling which caused defunct/zombie processes in local mode (-l or -L) on some systems. It also fixes a problem where the accepting socket could hang under certain conditions which is the common method of use on an EnGarde system.

Full Story (comments: none)

Minor distribution updates

2-Disk Xwindow embedded Linux

2-Disk Xwindow embedded Linux has released v1.2.1 (source code) with minor feature enhancements. "Changes: busybox and uclibc were updated. maplay was added. USB, CDROM, and other boot methods were added. Bugfixes were made in the browser. Email requests are no longer available for this distribution due to the number of bounced returns."

Comments (none posted)

Ark Linux

Ark Linux has released 1.0 alpha9. Click below for the release notes.

Full Story (comments: none)

BG-Rescue Linux

BG-Rescue Linux has released v0.2.1 with minor feature enhancements. "Changes: Support for 3c509/3c529 (MCA)/3c579 "Etherlink III" ethernet cards was added. A Freedos BOOT floppy was added to boot BG-Rescue Linux on systems on which booting with syslinux fails."

Comments (none posted)

ClusterKnoppix

ClusterKnoppix has released 3.2-2003-06-06-EN-cl1. "Changes: Some debug messages were removed, and the 2.4.21-rc7 kernel and openmosix 3 release were included. knx-hdinstall was fixed to work with boot288.img. Some changes were made to the terminal server, and various scientific tools from Quantian were included."

Comments (1 posted)

Cool Linux CD

Cool Linux CD has released v2.3. "Changes: This release fixes bug with CD mount, changes the default options for more comfortable use, and updates some software and filesystem programs (ext2, XFS, and ReiserFS)."

Comments (none posted)

Damn Small Linux

Damn Small Linux has released v0.4.7. "Changes: This release adds parted (a partition tool), rdesktop (an RDP client for Windows NT/2000 Terminal Server), and xpacman (a fun and tiny Pacman game). It updates the Firebird script to 0.6.1, updates lilo, and adds an option to set the frequency for the Xvesa server. There has been a lot of bugfixing and cleanups, fixing some post-install bugs with sudo and swap, cleaning the post-install script, and fixing IRC and screensaver bugs."

Comments (none posted)

GENDIST

GENDIST has released v1.6.0 with major feature enhancements. "Changes: Support for media type "Bochs" has been added. This allows you to directly create a bootable Bochs HD image. There is a fix for make 3.80, which breaks GENDIST."

Comments (none posted)

KNOPPIX

KNOPPIX has released v3.2-2003-09-05. "Changes: This is an experimental 3.3 prerelease. Kernel 2.4.22 with xfs and HIGHMEM (4GB) support is included. cloop 1.02 (block layer rewrite). katomic was reinstalled, since it got lost somehow in the past release. New unofficial development boot options were added for testing: toram and tohd=hda1, which copy the CD to RAM or hard disk and runs from there. A "gprs" option was added to pon to provide GPRS Internet access."

Comments (none posted)

Quantian

Quantian has released 0.3.9.1. This is test version of a 0.4 release, planned for the end of September. Click below for the release notes.

Full Story (comments: none)

ROOT Linux

ROOT Linux has released v1.4 beta 1 with major feature enhancements. "Changes: This release features a new, more advanced package system, lots of installation improvements, general polishing of init scripts and packages, and loads of updated packages."

Comments (none posted)

Server optimized Linux

Server optimized Linux has released v17.00 with major feature enhancements. "Changes: This version uses the SoLIv2 installation system, which features software RAID support, a quick-install mode for automatic mass-installations, and a clear step-by-step installation menu. Servers can be installed within 30 minutes. It also included an enhanced XML boot system, SoL-diag 2.0, which facilitates fast and easy diagnosis of computers, and music from three Austrian bands."

Comments (none posted)

Distribution reviews

A Free Desktop for Free People (OfB.biz)

Open for Business reviews Mandrake Linux 9.1. "I have been using Mandrake since the 8.2 version. I was a previous user of Red Hat (up to version 7.2), and Mandrake attracted me because it offered features such as the excellent font installer, the apt-get-like urpmi package manager, i586 optimization, a desktop focus with an excellent breadth and scope of packages, user friendliness without dumbing down the system, easy GUI administration tools but with the command-line in full force and readily available should one prefer it, and many other perceived advantages."

Comments (none posted)

SuSE Linux Professional 8.2 Review (Linux Journal)

The Linux Journal reviews SuSE Linux Professional 8.2. "YaST 2, SuSE's second-generation setup tool, is a total dream. (Keep in mind this is a Debian fan talking here.) The software installer looks very much like the install screen and shows you which CDs you need to use and for how long; I imagine it's much of the same code. The system tool lets you do everything from edit /etc/sysconfig files to back up the system. The firewall tool, under Security, allows for some fairly advanced configuration, including DMZ and IP masquerade, right there under the GUI."

Comments (4 posted)

Is the Leader of the Linux Pack Also the Best of Breed? (ServerWatch)

ServerWatch reviews Red Hat Linux 9. "Red Hat's configuration tools are fairly solid for the basics, and turn up, thanks to their Open Source licensing, in several other distributions: Network configuration, hardware management, printer configuration, and activataion/deactivation of running services (such as sendmail or Apache) are available through these simple but usable tools. In all, Red Hat's GUI is polished and usable for any professional system administrator. Red Hat has put a reasonable amount of effort into its own approach to the Linux GUI, which it codenamed "Blue Curve," and for day-to-day management we have no complaints."

Comments (none posted)

A distro revisited - Libranet 2.8.1

MadPenguin looks at Libranet. "Libranet has included everything that is important to a solid desktop distro and left out the extra fluff... all the while keeping a truly 'Linux feel' that some other desktop distros have lost. It's a perfect balance and a difficult one to maintain if you ask me. There is a fine line, or rather a large gap, between a traditional Linux system and a true desktop system."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Screem HTML/XML Editor

Screem, the Site CReation and Editing EnvironMent, is a web site development environment that provides a combination HTML and XML editor. The project's aim is a bit different from WSYWIG HTML editors.

[Screem]

In general WYSIWYG editors do not produce good clean valid HTML, and can also slow you down if they do not support an element that you wish to insert. By utilising a text based editing system you can use the markup you want rather than what the application thinks you need, and also provide quick access to commonly used elements via toolbar buttons which insert the markup at the current cursor position.

Screem provides a number of useful features:

  • Page Previewing to render the html.
  • Support for previewing with an external browser.
  • Syntax Highlighting to highlight code keywords.
  • DTD/Doctype Parsing for identifying and parsing DTD files.
  • Inline Tagging with popup menus for various tags.
  • Intelligent Closing (intelliclose) for assisted tag closing.
  • Support for Helper Applications for extending Screem's capabilities.
  • Document Structure Display for a big-picture view of the document.
  • Broken Link Checking for testing link validity.
  • Publishing with Sitecopy for keeping track of what files have changed.
  • Search and Replace that works on a site-wide scope.
  • A Task Management system for making lists of work to do.
  • Spell Checking with support for the edited language.
  • Link Fixing for assistance with site rearrangement.
  • Page Templates for building new pages.
  • Select Context for moving sections around the document.
  • CTags File Support for linking to multiple files.

Take a look at the Screem Screenshots and Documentation for further information.

Version 0.8.0 of Screem was announced on GnomeDesktop.org this week, followed shortly by the bug-fix release, Screem 0.8.1. The version 0.8.0 announcement says: "This release incorporates all the changes made in the development versions over the past 7 months, and should hopefully fix some of the complaints about 0.6.x. Screem stands for Site CReation and Editing EnvironMent, and is an HTML/XML editor incorporating site management features such as templates, automatic link updating, broken link checking, and uploading changes to remote sites."

Comments (6 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include updates to Muse and Qjackctl.

Comments (none posted)

Lemux version 0.1 available

Version 0.1 of Lemux has been released. "Lemux is a collection of (GPL) LADSPA instruments based on devices from the openMSX emulator and other sources (e.g. sidplay2). It is long from finished, but some instruments are already very usable."

Full Story (comments: none)

Vstserver v0.2.7 released

Version 0.2.7 of Vstserver has been released. "Vstserver is a program that must be running when using programs using vstlib."

Full Story (comments: none)

Database Software

Firebird 1.5 Release Candidate 6

Version 1.5 Release Candidate 6 of the Firebird database is available. "The development of Firebird 1.5 release is in final development stage ! The Release Candidate means that we're "almost there", and we turned our focus to remaining known issues and rough edges, final testing and bug squashing. We made a lot of progress with it thanks to your feedback. The sixth Release Candidate should become the final release, so we are eager to hear about your experience (good or bad) with it."

Comments (none posted)

MySQL 3.23.58 has been released

Version 3.23.58 of the MySQL database is available. "This is a bugfix release for the recent production version. It includes a fix for a potential local security vulnerability which has already been applied to MySQL 4.0.15 as well."

See the MySQL 4.0.15 release notes for more information on that version.

Full Story (comments: none)

libgda/libgnomedb 0.99.0 released (GnomeDesktop)

GnomeDesktop.org reports on the release of libgda/libgnomedb 0.99.0. "libgda/libgnomedb are a complete framework for developing database-oriented applications, and actually allow access to PostgreSQL, MySQL, Oracle, Sybase, SQLite, FireBird/Interbase, IBM DB2, mSQL and MS SQL server, as well as MS Access and xBase files and ODBC data sources. This release is RC1 for the final 1.0 release, so it should be almost identical as the final 1.0." A number of bug fixes and updated translations are included.

Comments (none posted)

PostgreSQL Weekly News

The PostgreSQL Weekly News for September 11, 2003 has been published. Take a look to see what's been happening in the PostgreSQL database world.

Full Story (comments: none)

Python Database Objects (PDO)

Python Database Objects (PDO) is now available. "Python Database Objects (PDO) provides an easy to use Object riented API for database developers. PDO utilizes DB-API modules for database access, but allows for a Common Object Oriented API across RDBMS. Thus, PDO can be thought of as a 'wrapper' around the DB-API and database specific modules."

Full Story (comments: none)

Embedded Systems

BusyBox 1.0.0-pre3 released

Version 1.0.0-pre3 of BusyBox, a compressed collection of command line utilities for embedded systems, is out. "Here goes the third pre-release for the new BusyBox stable series. The last prerelease has held up quite well under testing, but a number of problems have turned up as the number of people using it has increased. Thanks everyone for all the testing, bug reports, and patches!"

Comments (none posted)

Networking Tools

Ethereal 0.9.15 has been released

Version 0.9.15 of Ethereal, a network protocol analyzer, is available. " Many often-requested features have been added with this release. If you're running an older version of Ethereal you may want to have a look. Conversation List (aka "top talker") support has been added to Ethereal and Tethereal. Protocol statistics in general have been updated. Searching capture files has been improved even more -- a new "contains" display filter operator that searches for strings in PDUs has been added. The Find dialog now supports case-insensitive searches, hex data searches, and more." Thanks to Richard Sharpe.

Comments (none posted)

Web Site Development

Gallery v1.4-pl1 released (SourceForge)

Version 1.4-pl1 of Gallery, a web-based photo gallery, is available for download. "Version 1.4 premieres some major new features: Gallery is now internationalized, and can be displayed in more than 20 languages, with more on the way! In addition, we've completely overhauled the documentation and made it more accessible and more informative. Other changes include ownership of individual album items, not just of albums, and a slew of minor improvements and bugfixes."

Comments (none posted)

The Quixote Web Framework

A white paper and several tutorials are avilable on Andrew Kuchling's new site, The Quixote Web Framework, which not surprisingly, documents the Quixote web framework.

Comments (none posted)

Miscellaneous

Twisted networking framework 1.0.7

Version 1.0.7 of the Twisted networking framework is available. This release adds client Jabber support, the twisted.xish XML package, numerous improvements, and bug fixes.

Full Story (comments: none)

Desktop Applications

Audio Applications

jackEQ dj eq and meter

A new application for the JACK Audio Connection Kit called jackEQ is out. "For those of you who are interested in DJ/CJ tools, tools for live performance, and LADSPA plugin guis, you may be interested in a new app we are creating based on the code from JAMin. It's called jackEQ. The core is a new plugin Steve Harris released recently called DJ EQ which is a three band EQ commonly found on dj mixing consoles."

Full Story (comments: none)

WaveSurfer Version 1.5.3 released

Version 1.5.3 of WaveSurfer, an audio editing package, is out. The changes include support for Snack 2.2.3, bug fixes, and more.

Comments (none posted)

Desktop Environments

GNOME 2.4.0 Desktop & Developer Platform (GnomeDesktop)

The GNOME project has announced the release of GNOME 2.4.0. "Released on schedule, to the day, it is the culmination of six months effort by GNOME contributors around the world: hackers, documentors, usability and accessibility specialists, translators, maintainers, sysadmins, companies, artists, users and testers. Due to their hard work, we have another great release to be proud of - thanks very much to every GNOME 2.4.0 contributor!"

Comments (1 posted)

Boog day 2.4.0 (GnomeDesktop)

Now that there is a new GNOME, it is time for a new GNOME bug day to help squash those brand new bugs as they are found.

Comments (none posted)

New GNOME Installation (GnomeDesktop)

A new version of the GNOME Installation Guide has been announced. "The GNOME Installation Guide has recently been updated. It now describes also a source based installation of GNOME 2.4.0."

Comments (none posted)

KDE 3.1.4 Released!

The KDE Project has announced KDE 3.1.4. The release includes many bugfixes and improved translations. KDE 3.1.4 also contains two fixes for security issues in KDM.

Comments (none posted)

KDE-CVS-Digest

The September 12, 2003 edition of the KDE-CVS-Digest is available. The summary says: "KJSembed, the KDE javascript implementation now supports event handlers. KDevelop adds support for code completion databases. Kexi now has a PostgreSQL driver. Kopete integrates with Kaddressbook for IM contacts. The KWin rewrite continues, with a window decoration API added. Plus many bugfixes throughout."

Comments (none posted)

KDE 3.2 Alpha 1 Finally on FTP

KDE 3.2 Alpha 1 is available on FTP. " I've finally managed to get the last bits of the KDE 3.2 Alpha 1 (codenamed "Brokenboring") including KDevelop 3.0 Alpha 6 on the ftp server. The mirrors should soon pick it up. There won't be any binary packages for this release because the KDE "Pi" release is coming out soon. Everyone using Brokenboring is asked to compile it with --enable-debug, so that we can get valuable feedback."

Comments (none posted)

XFce 4.0-RC4 released

Version 4.0-RC4 of the XFce light weight desktop environment has been announced. "Xfce 4.0-rc4 is the fourth release candidate for the next generation of the XFce desktop environment. If no show stopper is found in this is release candidate, it is intended to become 4.0." Thanks to Joe Klemmer.

Comments (none posted)

Desktop Publishing

Scribus 1.1.0 released

Version 1.1.0 of Scribus, a Linux Desktop Publishing system, is out with lots of new features.

Full Story (comments: 1)

Educational Software

MimerDesk 2.0 available

Version 2.0 of MimerDesk, a web-based collaborative learning and groupwork environment, is out. "The new stable release of MimerDesk introduces Type sets for the freedom of choice in pedagogical methodologies, a better structured and more intuitive user interface and new tools to further enhance effective collaboration."

Full Story (comments: none)

Electronics

XCircuit 3.1.23 released

Version 3.1.23 of XCircuit, an electronic schematic drawing application, is available here. Change information is in the source code.

Comments (none posted)

Financial Applications

GnuCash 1.8.6 and 1.8.7 Released (GnomeDesktop)

Version 1.8.6 of GnuCash has been announced. Features include updated translations, bug fixes, and more.

In typical fashion, a few new bugs were discovered in 1.8.6, so version 1.8.7 was announced.

Comments (none posted)

Graphics

KDE Conquers the Vectors with KSVG (KDE.News)

KDE.News reports on the addition of KSVG to kdegraphics. "KSVG has recently been moved to the kdegraphics module, meaning that KSVG will now be part of the KDE 3.2 release. KSVG aims to be a full flavored implementation of the W3C SVG standard. Some of you will think of icons when we speak of SVG but SVG is much more: It is a web technology with full ECMAScript/DOM support. With the number of SVG powered sites growing steadily, Konqueror will soon be able to display these sites with a high-quality and open-source viewer."

Comments (none posted)

GUI Packages

FLTK Updates

The latest new software for FLTK, the Fast Light ToolKit, includes flPhoto 1.1 and SPTK 2.0 beta 4.

Comments (none posted)

Interoperability

Samba-3.0.0 RC4 available for download

Version 3.0.0 RC4 of Samba is out. "The Samba Team is proud to announce the availability of the fourth release candidate of the Samba 3.0.0 code base. A release candidate implies that the code is very close to a final release, but remember that this is still a non-production snapshot intended for testing purposes. Use it at your own risk."

Full Story (comments: none)

Mail Clients

New Mozilla Thunderbird Roadmap Published (MozillaZine)

MozillaZine reports on the release of a new Thunderbird Roadmap. "The document outlines the near-term development plans for the standalone mail and newsgroups application and includes details about the forthcoming 0.3 milestone."

Comments (none posted)

Office Applications

Gnumeric 1.2.0 aka "Emb-Ext" is now available.

Version 1.2.0 of the Gnumeric spreadsheet has been released. "The next generation of Gnumeric is ready for general use. It has taken almost 20 months to make the jump to Gtk+-2.x without feature regressions. We've put the time to good use. This release is faster and lighter than 1.0.x, but boasts an impressive array of new and extended capabilities."

Full Story (comments: none)

Office Suites

GNOME-Office 1.0 Released (GnomeDesktop)

GNOME-Office 1.0 has been released. "The GNOME-Office team is proud to announce the immediate availability of GNOME-Office 1.0. GNOME-Office is a suite of Free Software productivity applications that seamlessly blend with the GNOME Desktop Environment. GNOME-Office includes the AbiWord-2.0 Word Processor, GNOME-DB-1.0 Database Interface and Gnumeric-1.2.0 Spreadsheet."

Comments (none posted)

Video Applications

Updates to mp4live - testing help wanted (SourceForge)

SourceForge has a report on the development of mp4live. Mp4live is an IETF standards-based system for encoding, streaming, and playing MPEG-4 encoded audio and video. "We're finished with the main updates to mp4live. Our in-house test has been running for 10 days still maintaining audio/video sync. These changes were accomplished by updating to the V4L2 driver, and updating faac."

Comments (none posted)

Web Browsers

Galeon 1.3.8 Released (GnomeDesktop)

Version 1.3.8 of Galeon, a light weight web broswer, has been announced. This release works with Mozilla 1.3.X through 1.5b and includes a numer of new features and bug fixes.

Comments (none posted)

Galeon 1.3.9 released

Galeon 1.3.9 has been released on the heels of version 1.3.8. "Ok, we screwed up with the last release and gave you a nasty bug which broke basically all form postings and stylesheets. But don't worry, you can keep the pieces. We'll even offer you this new release, for free! So here goes..."

Comments (none posted)

Mozedit 0.1 Alpha for Mozilla Firebird (MozillaZine)

Version 0.1 Alpha of Mozedit is available for the Firebird browser. "Mark Bokil writes: "I wrote a Notepad-like text editor extension for Firebird. It provides easy editing access to userChrome.css and userContent.css files, buffers similar to Emacs, document history, UI font/color options, and in-line HTML rendering preview, plus access to the JavaScript Console. This is a 0.1 alpha release of Mozedit for Firebird."

Comments (none posted)

Mozilla 1.5 Release Schedule Update (MozillaZine)

The Mozilla 1.5 release schedule has been updated. "Two release candidates are planned, with the final builds set to come out during the week commencing September 29th."

Comments (none posted)

Mozilla.org Staff Meeting minutes available (MozillaZine)

Two sets of Mozilla.org staff note minutes are online, one for September 2, 2003, and another for September 8, 2003.

Comments (none posted)

Miscellaneous

Arabic Wordlist 0.5 Released

Version 0.5 of Arabic Wordlist, an open-source English to Arabic Wordlist is out. "The wordlist is the culminations of many man-months of effort and work. The current release contains in excess of 83,500 words (and growing) and spans a variety of categories (ie. it's general in nature)."

Full Story (comments: none)

Nautilus 2.6 - We're going all spatial (GnomeDesktop)

GnomeDesktop.org reports on UI design changes for the Nautilus file manager. "For the 2.6 cycle, the nautilus crew is trying out a new UI that should give us the best of both worlds. The idea is present an object oriented UI from the desktop, but to allow users to open navigation windows if they prefer them. This means that opening a folder from the desktop will give you an object window. Opening folders from object windows will give you new object windows."

Comments (3 posted)

Languages and Tools

Assembly Language

NASM 0.98.38 is released (SourceForge)

Version 0.98.38 of NASM, the Netwide Assembler for 80x86, has been released. "The most important change to 0.98.38 is that the broken ELF backend in 0.98.37 has (hopefully) been fixed."

Comments (none posted)

Caml

Caml Weekly News

The September 16, 2003 edition of the Caml Weekly News is out with the week's Caml language happenings.

Full Story (comments: none)

COBOL

Tiny COBOL Compiler release 0.61 (SourceForge)

SourceForge has the announcement for Tiny COBOL 0.61. "This release contains mainly bugs fixes, and some enhancements. It includes updates to the main compiler and run-time. Tiny COBOL is a COBOL compiler being developed on the Linux OS. It generates GNU x86 assembler code."

Comments (none posted)

Java

Class transformation with Javassist (IBM developerWorks)

Dennis M. Sosnoski looks at Javassist on IBM's developerWorks. "In this article, Java consultant Dennis Sosnoski kicks his Java programming dynamics series into high gear with a look at Javassist, the bytecode manipulation library that's the basis for the aspect-oriented programming features being added to the widely used JBoss application server."

Comments (none posted)

Jumping into JOGL (O'Reilly)

Chris Adamson writes about JOGL, a cross-platform Java binding to OpenGL. "Announced in July, the partnership of Sun and SGI to provide Java bindings to OpenGL gave a jolt to the Java community, particularly to desktop, graphics, and game developers. While some were disappointed to see Sun back away from Java3D, others were excited to see the popular and widely understood OpenGL exposed in a more direct fashion to Java developers."

Comments (none posted)

Lisp

Etiquette 0.3 announced

Etiquette version 0.3 is out. "Etiquette is "an interaction protocol construction toolkit. The project goal is to build a framework for rapid design of network communication code." The system is written in Common Lisp."

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The September 8-14, 2003 edition of This Week on perl5-porters is available. "Any busy week for the porters, ends with a busy week-end for the summarizer (old saying). Your traditional weekly summary is out, and many subjects of interest are featured inside."

Comments (none posted)

PHP

PHP Weekly Summary for September 15, 2003

The PHP Weekly Summary for September 15, 2003 is out. Topics include: 64 bit, studlyCaps patch, disabling functions per directory, upload meter, PHP audio, Windows manual.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The September 15, 2003 edition of Dr. Dobb's Python-URL! has been published. Take a look for many Python article links.

Full Story (comments: none)

Python-dev Summary

The Python-dev Summary covering the second half of August is available. It looks at running Python over Parrot, the upcoming 2.3.1 release, and several other topics.

Full Story (comments: none)

The State of the Python-XML Art, 2003 (O'Reilly)

Uche Ogbuji has updated his list of XML tools for Python with The State of the Python-XML Art, 2003. "This month I update the overall Python-XML survey to encompass notable developments over the past year, many of which I've mentioned in passing in prior articles. I hope this article serves as a ready and rapid index to folks who want to process XML using (in my opinion) the best language available for the purpose."

Comments (none posted)

Metaclasses are evil

Hans Nowak explains how Python metaclasses are evil. "My main gripe with metaclasses is that many people have difficulty understanding them, yet everybody and their daughter seems to use them, even for trivial problem that could have been easily solved without metaclasses. Why is that? Is it just for purposes of showing off? Or is it because it's like a shiny new toy and people absolutely want to use it, even if it's not necessary?"

That article is followed by the Metaclass reprise. "After my little rant about why metaclasses are evil, here's a legitimate use of them: reloadable classes by Ian Bicking."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The September 11, 2003 edition of Dr. Dobb's Tcl-URL! is out with lots of links to Tcl/Tk articles.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The September 15, 2003 edition of Dr. Dobb's Tcl-URL! is out with even more Tcl/Tk article links.

Full Story (comments: none)

XML

nxml-mode for Emacs

A new XML editing mode is available for the Emacs editor. "There is a new Emacs mode for editing XML, guided by RELAX NG schemas."

Full Story (comments: none)

Enhance Ant with XSL transformations (IBM developerWorks)

Jim Creasman explains Ant on IBM's developerWorks. "Ant is a powerful tool for scripting build processes. When combined with XSLT, Ant's power and flexibility increase dramatically. Here, Jim explains and illustrates this concept using real world examples from his previous experience."

Comments (none posted)

Ten Favorite XForms Engines (O'Reilly)

Micah Dubinko reviews ten XForms Engines on O'Reilly. "Although XForms is largely described as an update to the decade old classic HTML forms technology, XForms is also finding a home in many fresh areas where standards are increasingly vital, like content management and workflow systems. As a result, there are a large number of XForms engines currently under development by companies large and small."

Comments (none posted)

An XQuery Update (O'Reilly)

Per Bothner writes about the latest XQuery specifications on O'Reilly. "The XQuery/XSLT working group released another set of Working Drafts on August 22, 2003. This article is my attempt to summarize the significant changes in the new drafts."

Comments (none posted)

Editors

DiaSCE2 v1.4 released (GnomeDesktop)

GnomeDesktop.org has an announcement for DiaSCE 1.4. "After some months of work, the 1.4 version of DiaSCE, the C/C++ Code Editor for Gnome, has been released. DiaSCE is a simple code editor that pretends to be a complement to Glade. This version adds new features like improvements on the management of Makefiles, more search options, some features asked by users and bugfixes."

Comments (none posted)

Profilers

OProfile 0.6.1 has been released

Version 0.6.1 of OProfile, a system-wide profiler for Linux, has been released with a few new features and some bug fixes.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Is Microsoft Really Less Expensive Than Linux? (CIO)

CIO comments on the Giga Group study claiming that .Net is cheaper than Linux and J2EE for web service applications. "Of course, it's not shocking that a study commissioned by Microsoft should demonstrate the advantages of that company's products over Linux, but the fact that the study was commissioned at all is revealing of the big company's concern. The popularity of Linux - fueled by fear of placing too much control in the hands of a single (notoriously aggressive) vendor and by the widespread conviction that open source software can save you a bucket of money - is rising like the waters of the flood toward the software fortress that Gates built."

Comments (8 posted)

Linux, Threatened (rediff.com)

This article at rediff.com takes a look at Linux and current battles. "Microsoft is feeling the heat from Linux, as the free operating system is improving by leaps and bounds. Unix itself, which could, at one time, have stopped the Microsoft juggernaut in its tracks, was doomed by a schism in the ranks, which pitted Sun Microsystems and AT&T against IBM, DEC, HP, etc. I was in the thick of that battle, and I now see we were irresponsible to fight internecine battles, trying to push our own versions of Unix, while Microsoft ran away with the prize: control over the desktop, and the untold billions that comes with it." (Thanks to Anand Rangarajan)

Comments (3 posted)

Trade Shows and Conferences

Red Hat, Oracle Strengthen Bond (eWeek)

eWeek goes to OracleWorld to see what Red Hat and Oracle are up to. "Although there is as yet no official agreement between the companies about working together on Enterprise Linux 4, Red Hat officials confirmed that work has already begun on that product, which will be based on the Linux 2.6 kernel..."

Comments (none posted)

The SCO Problem

SCO's McBride on his open letter to the Linux community (ComputerWorld)

ComputerWorld interviews Darl McBride on his open letter. "Yes, it is an olive branch. We want to understand how we can move forward together here. Both sides are entrenched in their positions. This could be a 15-year knockdown, drag-out type of fight. At another level, if there's a way of resolving the differences so we move along peacefully in a shorter term that gets resolved, we're all for that."

Comments (65 posted)

Companies

The real future of Linux (ZDNet)

ZDNet looks at Red Hat's strategy. "Many Linux advocates who are appalled by this 'money grab' by Red Hat have been very vocal about their new distaste for Red Hat. Some even go so far as to suggest that Red Hat has outlived its usefulness. But they fail to understand the importance of a healthy company like Red Hat for the entire Linux industry."

Comments (11 posted)

Ford move to Linux not true (NewsForge)

This seems to be a week for rumors. Several alert readers have sent in links to articles that say (with a disturbing lack of detail) that Ford Motors is moving to Linux. NewsForge digs deeper. "[Communications Manager, Joan] Witte said "Like any other company, Ford Motor is looking at Linux, primarily in the application space. We presently have an enterprise-wide agreement with Microsoft to handle our collaborative solutions. We aren't contemplating using Linux in this area, and don't contemplate doing that in the foreseeable future.""

Comments (none posted)

Linux Adoption

Governments like open-source software, but Microsoft does not (Economist)

The Economist examines reasons for governments to prefer open source. "If Microsoft is indeed squeezed out of the government sector by open-source software, three groups stand to benefit: large consultancy firms and systems integrators, such as IBM, which will be called in to devise and install alternative products; firms such as Red Hat or SuSE, which sell Linux-based products and services; and numerous small, local technology firms that can tailor open-source products for governmental users." (Thanks to James Heald)

Comments (8 posted)

Nine German cities poised to adopt Linux (InfoWorld)

InfoWorld reports that nine (more) German cities (Alzey, Kaiserslautern, Koblenz, Landau, Mainz, Neustadt, Speyer, Trier and Worms, all in Rheinland Pfalz) are looking at switching over to Linux. "The cost of licensing Microsoft products and the lack of support for some of them, such as the NT operating system, which is still used widely in many city administrations, are among the chief reasons for the nine German cities to mull a switch from the U.S. software giant to providers of open-source products..."

Comments (16 posted)

Linux wins, but Microsoft rules (CIOL)

CIOL (India) has an article about desktop Linux sales as a cover for use of pirated Microsoft products. "CNS investigation reveals that many a customer, who found the Linux-based machines attractive because of the price factor felt that it was not the same as a Microsoft loaded PC. So they did the next best thing and bought pirated copies of Microsoft software. While none of the vendors were willing to go on record, most of them said that they have long suspected such actions." This is the second article on this theme in a week now; coincidence?

Comments (none posted)

Open source helps education effort in Third World (Mercury News)

Here's a Dan Gillmor column on the use of free software in the developing world. "Around the globe, educators, companies and governments are getting tired of paying the Microsoft tax, which tends to rise inexorably, and sending the money to America. They don't like the upgrade cycle, especially when older computers run Linux just fine. They want to inspire more software innovation at home, and suspect Linux may be the best platform in a world where Microsoft also takes most of the profits in Windows application software."

Comments (2 posted)

Open Asia: Open source in Iran and Israel (NewsForge)

NewsForge takes a look at Open source in Iran and Israel. ""It's a red herring. I challenge anyone to tell me how open source will solve any of our major problems," a prominent professor from the US recently posted on the BytesForAll_Readers mailing list. Arash Zeini of Iran had a very clear answer. "In Iran, we live under sanctions from the US. As an Iranian you cannot do any business with an American company. This may be good, it may be bad. But in any case, the only way we can empower ourselves is FLOSS. This approach gives us the necessary freedom. We have access to the best technology and it is Free/Libre/Open and not restrictive. It does not put us in chains, we do not need to wait till US decides about us. If only the Iranian government would see it this way too!""

Comments (2 posted)

WorldWatch Week in Review (Linux Journal)

Linux Journal carries the WorldWatch Week in Review, which looks at open source news from around the world. "A lot of interesting things are going on right here in Costa Rica. For one thing, I found out that there is a legislative project for FLOSS use in government that shows a great understanding of the real issues."

Comments (none posted)

Interviews

Oracle's unbreakable Linux guru (NewsForge)

NewsForge interviews Wim Coekaerts, Oracle's Linux guru. "Coekaerts: Right now I'm working with a lot of our `high-rent' customers, doing a lot of troubleshooting, bug fixing, and custom design work. I'm involved with a lot of the certification processes and standards groups, which means I have to travel quite a bit. I also work closely with Linux companies like Red Hat and SuSe on bug-fixing and other issues."

Comments (1 posted)

Interview with Havoc Pennington of Red Hat (OSNews)

OSNews interviews Havoc Pennington, the head manager of Red Hat's Desktop department. "In the past (pre-SCO), Red Hat has admitted that was growing wary of patent issues that might arise in the future. Do you believe that desktop open source software written by many different individuals around the globe might be infringing on patents in some cases without the knowledge of these developers? At the end of the day, we have seen some patents that were issued so shortsightedly that many have said that writing software is almost impossible nowadays. What kind of solution for this issue might OSS software developers find, to ensure a future that is not striken by lawsuits left and right?
Havoc Pennington: As you know we've been more aggressive than other Linux vendors about removing potentially patented software from our distribution, specifically we took a lot of criticism for removing mp3 support.
"

Comments (5 posted)

Interview: Linux usage raises big legal concerns (Gulf News)

Gulf News interviews Mohammed Kateeb, the regional director of Microsoft Middle East. "Linux people don't believe in Intellectual Property Rights. This is the biggest problem in the Linux world. How can one be sure that the code of software that has been contributed by programmers across the world to create this Linux software is unique and is not lifted from somewhere else? This is a big legal concern. That is what the latest SCO-Linux lawsuit is all about."

Comments (57 posted)

The Hacker Behind "Hacking the XBox" (O'Reilly)

Howard Wen interviews Bunnie Huang on O'Reilly. "Most authors can blame an editors' questionable taste for rejecting their books, but Andrew Huang has the dreaded DMCA (Digital Millennium Copyright Act) to explain why his book got turned down. Hacking the Xbox, as the title of Huang's tome sums up, details how-tos for modifying your Xbox, and provides various insights into the security and other inner-working code of Microsoft's game console."

Comments (none posted)

Building a Better Game (Linux Journal)

Linux Journal interviews some of the people involved with Neverwinter Nights and Shadows of Undrentide. "How many developers worked on the Linux client project?
Derek French: The Linux client project was organized and managed by BioWare's Live Team. The Live Team operates as a development project and changes size on a regular basis as it takes on new objectives. The core, or permanent, Live Team is a three-member group, but it has grown to as many as 10 people when major projects are underway.
"

Comments (none posted)

Reviews

Sun's Windows killer unveiled (TheAustralian)

TheAustralian looks at Sun's latest Linux product. "The Sun Java Desktop system, which was previously code-named Mad Hatter, runs on the open-source Linux operating system and includes a variety of programs that replace Microsoft's internet browser, productivity suite, and other parts of the Windows package."

Comments (15 posted)

Preview of Rubrica 2 (GnomeDesktop)

GnomeDesktop.org has a review of Rubricka. "Rubrica is an address book for GNOME. While the application has been in existance for quite a while, Rubrica 2 is currently under development. We had a look at this development version and we give you a preview of the promising application."

Comments (none posted)

Miscellaneous

Indian government supports Linux (Economic Times)

India's Economic Times reports on a government sponsored project to localize Linux in 11 different languages. "As part of Project Indix, the government has already released Linux in Hindi. While five more language releases is lined up for Thursday, the technology will be available in six more local languages in three or four months. The five languages lined up now are Sanskrit, Marathi, Malayalam, Tamil and Kannada." (Thanks to Nilesh Trivedi)

Comments (9 posted)

Is Linux Annoying? (O'Reilly)

Paul Weinstein is collecting a list of annoying things about Linux, in order to write a book on the topic. Hopefully, the process will help to improve some of the issues that are raised. "Attentive web surfers for all things Linux have probably already noted that O'Reilly is working on a new Linux book, Linux Annoyances. Indeed O'Reilly wants to follow up its success with the Windows Annoyances books by doing one on Linux. This of course brings to mind the question, what is a Linux Annoyance?"

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

LUGOD Installfest, Davis, CA

The Linux User's Group of Davis (LUGOD), will be holding a Linux install-fest on Sunday, September 28 in Davis, CA.

Full Story (comments: none)

OSDL gets its own analyst

Open Source Development Labs has announced that analyst Stacey Quandt will be leaving the Forrester Group and taking a job at the lab. "In this new role, Quandt is responsible for monitoring key market trends important to IT vendors and corporate end users of Linux. She will also be a principal speaker for the Lab at industry conferences and tradeshows and play a leadership role in developing Lab market research, technical publications and industry opinion pieces."

Comments (4 posted)

Commercial announcements

Dell recognizes CGG's Linux cluster work

Dell has announced that Compagnie Generale de Geophysique has been awarded the first "Dell Center for Research Excellence Award." The award could just as well have been named the "Doing Something Cool While Buying Large Amounts of Dell Products Award," - especially since CGG has just announced it is spending the better part of $3 million for another 1125 Dell servers - but the application is notable. CGG has built a 3000-node Linux cluster for the analysis of seismic data; the company has some 30 teraflops of computing capacity online now.

Full Story (comments: 5)

Advertise with Mandrake Linux 9.2

MandrakeSoft has put up a page describing a new set of advertising options to be made available in the Mandrake Linux 9.2 release. You, too, can see your logo on a Mandrake screen saver, install screen, or default web page. It is an interesting approach, and, if it helps MandrakeSoft gain and keep its financial footing, it could even be a good thing. For additional clarification see this page.

Comments (12 posted)

Resources

An introduction to Thunderbird, part 7 (Nidelven IT)

Kay Frode continues the series on the Mozilla Thunderbird email client with part 7, the topic this week is message filters. "Having a big flow of e-mail's dropping in your inbox can be time consuming to read, to deal with this and save yourself some time, and be able to read the right e-mails first, you might want to add a filter so Thunderbird can place the different mails in different folders. In this article I will try to show you how to make such a filter."

Comments (none posted)

GNOME 2.4 Desktop User Guide Released (GnomeDesktop)

The GNOME 2.4 Desktop User Guide has been announced.

Comments (none posted)

GNOME 2.4 Desktop System Administration Guide Released (GnomeDesktop)

The GNOME 2.4 Desktop System Administration Guide has been announced on GnomeDesktop.org.

Comments (none posted)

New Ximian Desktop ''unstable'' channel (GnomeDesktop)

GnomeDesktop.org reports on a new red carpet channel for the Ximian Desktop. "There is a new, almost painfully unstable, Ximian Desktop in red carpet's 'xd-unstable' channel. Why 'unstable', you ask? When it is based on the uber-wonderful, uber-stable, uber-Khan-like GNOME 2.4?"

Comments (none posted)

Upcoming Events

Registration Opens for ApacheCon 2003

Registration is open for the ApacheCon 2003 conference, to be held in Las Vegas, Nevada from November 16-20, 2003.

Comments (none posted)

Open Source in Government Conference, Paris

The Paris EGOVOS 3, Open Source in Government Conference will be held in Paris, France on November 24-26, 2003.

Full Story (comments: none)

Events: September 18 - November 13, 2003

Date Event Location
September 18, 2003
October 7 - 8, 2003
LogOn Web DaysAcross Europe
September 18, 2003Embedded Systems Conference(ESC)(Hynes Convention Center)Boston, Mass
September 26 - 27, 2003Third DZUG-ConferencePaderborn, Germany
October 12 - 15, 2003International Lisp Conference 2003(ILC 2003)New York, NY
October 14 - 16, 200310th Linux-KongressSaarbrücken, Germany
October 15 - 17, 2003The First Plone Conference(Tulane University)New Orleans, Louisiana
October 26, 2003
October 27 - 31, 2003
Large Installation Systems Administration Conference(LISA)(Town & Country Resort Hotel)San Diego, CA
November 2 - 3, 2003International PHP Conference 2003(Astron Hotel Frankfurt-Mörfelden)Frankfurt, Germany
November 6 - 7, 2003HiverCon 2003(Davenport Hotel)Dublin, Ireland
November 10, 2003Desktop Linux Conference(Boston University Corporate Education Center)Tyngsboro, Massachusetts

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Why the focus on obscure and ephemere distributions ?

From:  Nicolas Mailhot <Nicolas.Mailhot@laposte.net>
To:  letters@lwn.net
Subject:  Why the focus on obscure and ephemere distributions ?
Date:  Thu, 11 Sep 2003 12:50:57 +0200

I'm a bit disappointed on LWN's focus on full distributions.
 
Not that I do not like having a reference on the birth of death of
distributions in the Linux world, but because for most users they are
simply irrelevant. Specialised distribution are just that - specialised.
Their intended audience is necessarily limited. More general efforts
OTOH directly compete with big Linux names and almost always fail after
the initial burst of energy (as this week review rightfully notes).
 
A smart/informed Linux user will stay clear of the latest experiments in
installer technology/recompilation with more cutting edge gcc flags and
use instead a proven mainstream distribution, focusing on reliable
sources of high-quality third-party addons. This way he will get the
advantages of a well supported, upgradable system core with the ability
to easily install cool new stuff.
 
RedHat's move out of the retail channel for example shows
all-encompassing distributions packaged in a single box at a single
point in time may soon be a thing of the past, and the future is a disc
seed that is then updated/completed using a network installer.
 
For most users now the action is not in new distributions that require
you to dump your existing installation to try a few applications you do
not have yet, but in projects like PLF, Fedora, JPackage, Freshrpms,
Dag, Ximian desktop... that enable you to complete your existing setup
with minimal fuss (I'm writing about the rpm world now because that's
what I know best). This is what LWN should be reviewing today.
 
Connectiva's port of apt to rpm and broadband completely changed the
linux software distribution patterns in the last years. The use of a
common packaging format always enabled contacts between distributions
(see RedHat/Mandrake, rpmfind...). What's new is the large community
projects that now try to complete vendors offerings. It's a shame LWN
still seems to overlook it.
 
Regards,
 
--
Nicolas Mailhot

Comments (3 posted)

Mohammed Kateeb, you have been telling lies!

From:  Leon Brooks <leon@cyberknights.com.au>
To:  yousefk@microsoft.com, mohammedk@microsoft.com, editor@gulfnews.com
Subject:  Mohammed Kateeb, you have been telling lies!
Date:  Mon, 15 Sep 2003 10:39:27 +0800
Cc:  letters@lwn.net

Here...
 
    http://www.gulf-news.com/Articles/news.asp?ArticleID=97436
 
...you say:
 
> Linux people don't believe in Intellectual Property Rights.
 
That's a direct lie, one you need to retract. Linux is licenced under
the GNU GPL, General Public Licence, which _depends_ on copyright law
for its operation. And see below.
 
> How can one be sure that the code of software that has been
> contributed by programmers across the world to create this
> Linux software is unique and is not lifted from somewhere
> else? This is a big legal concern.
 
This is chutzpah (no, I'm not Jewish but it's a singularly appropriate
word). Would you care to explain how Microsoft's SQL Server developers
were exposed to suit from TimeLine over improper dealing with imported
IP if Microsoft's own source control is so good?
 
> That is what the latest SCO-Linux lawsuit is all about. Now
> SCO is suing every single user of Linux because they believe
> parts of their UNIX code is being used in Linux.
 
No, they don't. This is a stock "pump-and-dump" operation, they say
these things primarily to inflate their stock value - and one of the
companies assisting with the pumping has Melinda Gates (yes, the wife
of William Henry "Trey" Gates III) on its board. Can you explain her
involvement?
 
*ALL* of the supposed evidence from The SCO Group so far revealed has
been either a false match (the Linux programmers rewrote it from
scratch "clean room" style so the code really is de novo) or a false
ownership claim (the code is BSD licenced or Public Domain and so
legitimately available for relicencing under the GPL).
 
It seems fairly obvious from what has been revealed that The SCO Group
have been stripping BSD licence headers from code and illegally
incorporating it into their own UnixWare without attribution.
 
Worse than that, practically all of UnixWare's latest drivers are
version-number and spelling-error compatible with the drivers shipped
in SuSE's Enterprise Linux 8, so it looks very much like The SCO Group
have been stealing Linux code only available through the GPL.
 
All of this eventually spells jail time for the officers of The SCO
Group, and massive losses for the stock speculators involved.
 
Finally, you really shouldn't go shooting off your mouth about purported
risks in the GPL when Microsoft themselves sell product under a GPL
licence, notably the majority of your SFU (Services For Unix) package.
 
On top of all of this, you've told many other half-truths in your
interview, and made much unfair and misleading innuendo. You may regard
this as valid competitive behaviour, but that doesn't stop it from
being false and misleading. If you live in ignorance of the conditions
surrounding your business, then you are delinquent in your obligation
to stay informed. None of this is up to the standards proclaimed by the
Emirates.
 
I write only for myself when I ask that you publish a retraction, at
least of your most blatantly errant statements. Bear in mind when
formulating an answer that as you gave the interview to be published,
so you are giving your answer to be published.
 
Cheers; Leon
 
 
PS, Note to the Editor, Gulf News: feel free to publish this in your
Letters section. Could you publish an interview with a suitable
candidate from a local Open Source group? Perhaps the organisations at
http://goldensun.com/linux/ or http://geocities.com/dubailug can supply
an interviewee.
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia

Comments (none posted)

Servers are attacked on a statistical basis, film at eleven?

From:  Leon Brooks <leon@cyberknights.com.au>
To:  rnaraine@jupitermedia.com
Subject:  Servers are attacked on a statistical basis, film at eleven?
Date:  Mon, 15 Sep 2003 11:37:18 +0800
Cc:  letters@lwn.net

Hi Ryan!
 
From http://www.internetnews.com/dev-news/article.php/3076701 -
 
> Mi2g, which provides digital risk management research, said 67
> percent of all successful overt digital attacks was done against
> the Linux OS
 
Linux == 67% of breaches.
 
> the company found that 12,892 Linux online servers [...] were
> successfully breached. During the same period, 4,626 Windows
> servers were victims
 
Ergo, Windows == 24% of breaches.
 
http://news.netcraft.com/archives/2003/09/01/september_2003_web_server_survey.html
 
> Active Sites
 
> Developer [...] September 2003 Percent Change
> Apache [...] 13371621 67.45 0.17
> Microsoft [...] 4839624 24.23 -0.21
 
Do you notice any striking similarities here?
 
Would you care to republish that article, noting that the attacks are on
a statistically one-for-one basis despite the fact that the Linux
servers are a more attractive target, often being loaded gunwhale-down
with useful tools as they are?
 
Cheers; Leon
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia

Comments (1 posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds