LWN.net Weekly Edition for October 9, 2003

The future of the FUD mill

There's yet another Microsoft-funded analyst study out there; this one, done by VeriTest, compares deployment times for Microsoft Windows Small Business Server and Red Hat Enterprise Linux. No doubt everybody will be surprised to hear that the study (available in PDF format) concludes that Windows is better. Four tasks were set out: install the system with basic services, set up performance monitoring and reporting, set up an intranet web site, and configure the network for remote management. Doing these tasks with Windows took, they say, 4 1/2 hours and 125 steps. Linux required 7 1/2 hours and 555 steps.

It is not hard to poke holes in the study, of course. Somehow it was possible to set up an intranet server on Windows with zero steps - but it still took seven minutes. Somehow the report didn't comment on the discouraging time per step required to accomplish this task on Windows. Errors made by the (Microsoft-hired) consultants performing the Linux installation were counted as steps. Tasks like checking the system with nmap were also counted. Setting up remote administration took 100 steps; we could suggest a shorter way of doing that:

1. Enable sshd.

The VeriTest people, instead, set out on a series of tasks involving installing the kernel source, setting up PPTP, and carrying out several tasks on the Windows client - all of which counted as steps, of course.

One could go on about this report for a long time; see, for example, the letter from Leon Brooks on this week's Letters Page. The more interesting development, however, is that Forrester Research has, after having Microsoft trumpet one of its studies, issued this statement on the integrity of its reports.

Forrester, in other words, is getting out of the analyst-for-hire FUD business. Given that this business can only be lucrative, Forrester's decision to leave it behind is worthy of note.

FUD-for-hire has long been an important business tool in the technology world. Analysts have been happy to have the business, and they have been able to live with the fact that their output always seems to support the sponsor's agenda. Technical journalists have long liked these reports; they can easily be cast into a story without requiring much in the way of creative or critical thought. The whole system worked smoothly as a way of shaping public perception of technology products.

Something has happened over the last decade or so, however. The net has made it easy for interested parties to rip apart biased or poorly-done studies. And the rise of free software has greatly increased the number of people who feel some sort of ownership interest in the systems they use. As a result, anybody publishing a report critical of free software had better be very sure of his ground, because that report will be subjected to intense scrutiny. Some of the people performing that scrutiny will know far more about the subject manner than the analysts who wrote the text, and they will not be afraid to say, in public, what they think. Shoddy research and skewed studies do not fare well in the modern environment.

It has been noted for years that FUD attacks on Linux tend to backfire; even Microsoft has commented on this fact. The combination of the net and the Linux community has managed to neutralize - or at least strongly diminish the effect of - FUD. Analyst companies which are seen as taking part in outright FUD attempts have seen their own credibility suffer; remember MindCraft? Now some analyst companies, concerned about the perception of their integrity, are realizing that the FUD business is a poor place to be in the long run. That is a victory for the Linux community, and for the level of technology industry discourse in general.

Comments (5 posted)

An Evening with Bruce Perens

Bruce Perens was in Denver this week for IBM's Linux strategy briefing and offered to speak to the Colorado Linux Users and Enthusiasts (CLUE) Linux User Group the night before the IBM event. The talk was billed as "The Future of GNU/Linux and Free Software," but Perens talked a great deal about the history of free software as well.

After covering his history with Linux and the open source movement, Perens turned to current events. He talked a little bit about how many companies doing Linux-related business suffer from multiple personality disorder. On the one hand companies like HP are looking to push Linux and are trying to embrace Linux and do the right thing for the Linux community. On the other hand, these companies have to maintain relationships with companies like SCO and Microsoft and participate in groups like CompTIA that actively work against open source. Perens cautions the community to pay attention to everything a company does, not just its support for open source.

Perens also noted that the next likely legal attack against open source would be via software patents, and said he thinks its unlikely that corporations like HP or IBM would help the community in that event.

Though Perens says he hasn't made up his mind yet, he indicated he was thinking seriously about trying to form a community-driven answer to Red Hat's enterprise products.

After the talk, we caught up with Bruce for a few minutes one-on-one to ask about issues not covered during his talk, and to get further information on the grass-roots enterprise Linux effort. The first question was about the disagreement between the Free Software Foundation and the Debian Project over the GNU Free Documentation License (FDL). Perens has helped mediate between the groups, and says that they're on their way to working it out.

Perens also clarified his thoughts on a possible "grass-roots" enterprise-ready Linux distribution:

We also asked Perens how he felt about companies that use open source software, but do not contribute substantially to the projects they use.

Finally, we asked Perens if he had any thoughts on Eric Raymond's prediction that Sun is doomed.

We thank Bruce for taking the time to talk with us.

Comments (27 posted)

VeriSign backs down - for now

The September 18 LWN Weekly Edition asked "whose Internet is it?" in response to VeriSign's deployment of its "SiteFinder" service. SiteFinder is an attempt to profit from mistyped domain names; it is implemented as a set of wildcard entries in .com and .net which direct the user to VeriSign's paid index pages. VeriSign's unilateral change broke a number of network services, modified how DNS works with no input from anybody else involved, and raised a great many privacy concerns. Nonetheless, VeriSign seemed determined to weather the storm and keep its changes in place. That is not a surprising position, given that the company expected SiteFinder to generate a revenue stream in the millions of dollars.

Among other things, VeriSign had ignored a request from the Internet Corporation for Assigned Names and Numbers (ICANN) to suspend the service. It would seem, however, that ICANN is not entirely without clout - or value. On October 3, ICANN sent a more strongly written letter to VeriSign:

In response, VeriSign grumbled a little, then removed its wildcard entries and turned off the service. However, anybody who thinks that VeriSign has seen the light and realized that, as the steward of a public resource, it needs to act in a more responsible manner would be well advised to read this column by Mark McLaughlin, a VeriSign VP.

The company also had some strong words at the special ICANN meeting held on October 7. Among other things, it said that it may have other surprises to spring on the net in the future. VeriSign, in other words, is absolutely unrepentant. This company's history suggests that it will not give up on the SiteFinder idea anytime soon. At the moment, it appears that the net's governance mechanisms have brought about the right result. But it would be a mistake to assume that this particular episode is over.

Comments (5 posted)

Quick SCO update

Many people have wondered how it could be that SCO's stock price continues to increase even as the company's claims are publicly torn to pieces. A partial answer to that question came to light this week, in the form of this SEC filing. It would seem that Royce & Associates, the manager of the "Royce Technology Value Fund," now owns over 1.4 million shares of SCO. That is, as it turns out, over 10% of all the outstanding shares in the company, and almost 20% of the shares in active circulation. For whatever reason, Royce has made a huge bet on SCO, and has managed to keep the price high in the process.

This fund is managed by Jonathan Cohen; some information about Mr. Cohen and SCO can be found on this page. Among other things, he has been talking up SCO stock in a number of forums; see, for example, this posting on MSN/CNBC. "Cohen said the company's stock has done well this year on the back of solid fundamentals. It has an enormous base of intellectual property rights, he added." Solid fundamentals indeed.

Meanwhile, more documents on the IBM case, and, in particular, the pre-trial discovery process have come to light; they can be found on the always useful Groklaw site. There's some fun stuff there. Consider the following from "Exhibit E," SCO's response to IBM's discovery demands:

SCO responds to a number of questions in this way. One way of translating this response into English would be something like "we don't know, we were hoping IBM would tell us." It is hard to imagine a judge being impressed.

IBM also asked for information on "any person on whom plaintiff intends to rely as a witness, declarant, or affiant in this action." SCO's response was "None at this time." Could the company really have no witnesses at all?

IBM has filed a motion with the court attempting to compel SCO to back up its claims. The company has also asked for an oral argument before the judge on the issue.

In other words, if SCO can't back up its charges, it's time to call the show over. Nobody ever thought IBM's lawyers would make it easy for SCO.

Finally, Drew Streib is still trying to buy an SCO "Linux license," but still has not succeeded. "I can't believe that a sales force is this incompetent, or instead of that possibility, that SCO could be so blatantly outright in their lying about license availability." SCO also continues to state that it will not be sending out invoices because the "response has been adequate." One might conclude that the company is having second thoughts about its licensing program.

Comments (1 posted)

Authors wanted

It has been the better part of a year since we first started taking externally written articles for LWN. That effort has had its ups and downs, but, overall, we have been pleased with the result. Externally contributed material has allowed us to bring new content and viewpoints to LWN. We have convinced ourselves that we can bring in more content and maintain the quality of our publication.

So, the time has come to expand our external author program. Writing for LWN will not be easy; as editors, we are fussy and difficult to please. And it certainly will not be a path to riches, or even away from the day job. But it is a way to get your byline out there and help us make a better LWN. If you think you might be interested, please take a moment to look at our author guide. If you're still interested afterward, we would like to hear from you.

Comments (none posted)

Page editor: Jonathan Corbet

Security

Brief items

The EFF's report on trusted computing

The Electronic Frontier Foundation has released, to a fair amount of fanfare, its report on trusted computing. The report's author (Seth Schoen) has concluded that, while trusted computing architectures offer a number of security benefits, there are also potential problems that need to be addressed.

The report mentions four different technologies that make up current trusted computing efforts:

• Memory curtaining. Modern operating systems already go to considerable lengths to keep one process from being able to mess with another process's memory. Memory curtaining takes things further by improving memory isolation support in the hardware, so that even the kernel cannot modify one process's memory while working on behalf of another process.

• Secure I/O is the creation of a data path from the keyboard (or other input devices) to the application, and from the application to the screen which cannot be seen or modified by other processes. It is an attempt to stop software keystroke loggers, screen readers, and other eavesdropping tools.

• Sealed storage works by hiding encryption keys within the system hardware, so that encrypted data cannot be read anywhere else.

• Remote attestion is a hardware-supported mechanism for ensuring that the software running on a system has not been modified. The technology allows the generation of certificates that can allow a remote application (a web server, say) to be sure of the software it is talking to.

The report acknowledges that all of these technologies can help to improve the security of computer systems. With a trusted computing architecture in place, a worm which is able to exploit a hole in one program will find its ability to do anything interesting on the system much reduced. The EFF does not have any real problem with most of the technologies discussed.

That is not true, however, for remote attestation:

A few cases where the remote attestation feature could backfire on users are mentioned. One is web servers which refuse to talk to anything other than the One Chosen Browser. There are sites which do that now, but most modern browsers are capable of masquerading as something else, so these techniques are not effective. Remote attestion would change that. Other examples include software interoperability (i.e. eliminating Samba forevermore), forced upgrades, and forced use of digital rights management schemes.

As a solution, the EFF suggests an "owner override" feature. The owner of a system could, while physically present at the machine, force it to produce an attestation for software that the owner has modified or replaced, making it look like something else. This feature would solve the problem for suitably capable users. It is hard to imagine users developing a widespread ability to safely perform overrides, however.

The real conclusion to be taken from this report is that the owners and users of computers need to maintain control over their machines. When your own computer treats you like an attacker, it has ceased to be truly yours, and it becomes a tool for controlling your behavior. Free software users have understood this point for years, of course. We have built a system that allows us to stay in control. But we need to be careful that the hardware platforms of the future do not take that control away from us.

Comments (10 posted)

New vulnerabilities

cfengine: stack overflow

Package(s):	cfengine	CVE #(s):
Created:	October 8, 2003	Updated:	October 8, 2003
Description:	Versions of cfengine prior to 2.0.8 contain a stack overflow in the network I/O code which can be exploited remotely. See this advisory for details.
Alerts:	Gentoo 200310-2 2003-10-04

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):	2.4 kernel	CVE #(s):	CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:	July 21, 2003	Updated:	December 24, 2003
Description:	Several security issues have been discovered affecting the Linux kernel: CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry. CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash. CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd. CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors. CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries. CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default. CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service. CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:	Red Hat RHSA-2003:408-00 2003-12-19 Gentoo 200308-01 2003-08-14 Debian DSA-358-4 2003-08-13 SuSE SuSE-SA:2003:034 2003-08-12 Debian DSA-358-2 2003-08-05 Debian DSA-358-3 2003-08-04 Debian DSA-358-1 2003-07-31 EnGarde ESA-20032407-018 2003-07-24 Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):	apache2	CVE #(s):
Created:	September 29, 2003	Updated:	March 25, 2004
Description:	A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:	Gentoo 200403-04 2004-03-22 Netwosix NW-2004-0006 2004-03-25 Mandrake MDKSA-2003:096-1 2003-10-24 Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

autorespond: buffer overflow

Package(s):	autorespond	CVE #(s):	CAN-2003-0654
Created:	August 18, 2003	Updated:	October 1, 2003
Description:	Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply. CAN-2003-0654
Alerts:	Debian DSA-373-1 2003-08-16

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):	bind glibc	CVE #(s):	CAN-2002-0651 CAN-2002-0684
Created:	July 8, 2002	Updated:	October 1, 2003
Description:	The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries CAN-2002-0651 CAN-2002-0684
Alerts:	Mandrake MDKSA-2002:050 2002-08-13 Yellow Dog YDU-20020810-3 2002-08-10 Eridani ERISA-2002:035 2002-08-09 Red Hat RHSA-2002:133-13 2002-08-08 SCO Group CSSA-2002-034.0 2002-08-05 Yellow Dog YDU-20020801-2 2002-08-01 Eridani ERISA-2002:028 2002-07-25 Red Hat RHSA-2002:139-10 2002-07-22 EnGarde ESA-20020724-018 2002-07-24 Mandrake MDKSA-2002:043 2002-07-16 Trustix 2002-0061 2002-07-15 Gentoo glibc-20020713 2002-07-13 Conectiva CLA-2002:507 2002-07-11 SuSE SuSE-SA:2002:026 2002-07-09 OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):	canna	CVE #(s):	CAN-2002-1158 CAN-2002-1159
Created:	December 10, 2002	Updated:	October 1, 2003
Description:	Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt CAN-2002-1158 CAN-2002-1159
Alerts:	SCO Group CSSA-2003-005.0 2003-01-21 Debian DSA-224-1 2002-01-08 Gentoo 200212-8 2002-12-20 Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

eroaster: insecure temporary file

Package(s):	eroaster	CVE #(s):	CAN-2003-0656
Created:	August 19, 2003	Updated:	October 1, 2003
Description:	A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster. CAN-2003-0656
Alerts:	Gentoo 200309-04 2003-09-02 Mandrake MDKSA-2003:083 2003-08-19 Debian DSA-366-1 2003-08-05

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):	ethereal	CVE #(s):	CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:	June 23, 2003	Updated:	November 10, 2003
Description:	Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:	SCO Group CSSA-2003-030.0 2003-11-07 Yellow Dog YDU-20030718-2 2003-07-18 Red Hat RHSA-2003:203-01 2003-07-03 Gentoo 200306-13 2003-06-25 Conectiva CLA-2003:662 2003-06-25 Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

exim: buffer overflows

Package(s):	exim exim-tls	CVE #(s):	CAN-2003-0743
Created:	September 5, 2003	Updated:	October 1, 2003
Description:	A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code. CAN-2003-0743
Alerts:	Gentoo 200309-09 2003-09-15 Debian DSA-376-2 2003-09-07 Conectiva CLA-2003:735 2003-09-05 Debian DSA-376-1 2003-09-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):	fam	CVE #(s):	CAN-2002-0875
Created:	August 19, 2002	Updated:	January 5, 2005
Description:	"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:	Red Hat RHSA-2005:005-01 2005-01-05 Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):	fdclone	CVE #(s):	CAN-2003-0596
Created:	July 23, 2003	Updated:	October 1, 2003
Description:	fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control. CAN-2003-0596
Alerts:	Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):	fetchmail	CVE #(s):	CAN-2002-1365
Created:	December 17, 2002	Updated:	October 20, 2003
Description:	Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:	Immunix IMNX-2003-7+-023-01 2003-10-17 Mandrake MDKSA-2003:011 2003-01-27 EnGarde ESA-20030127-002 2003-01-27 SCO Group CSSA-2003-001.0 2003-01-09 SuSE SuSE-SA:2003:001 2003-01-02 Debian DSA-216-1 2002-12-24 Red Hat RHSA-2002:293-09 2002-12-17 Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

freesweep: buffer overflow

Package(s):	freesweep	CVE #(s):	CAN-2003-0828
Created:	October 1, 2003	Updated:	October 1, 2003
Description:	freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group.
Alerts:	Debian DSA-391-1 2003-09-28

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):	glibc	CVE #(s):	CAN-2002-1146
Created:	November 7, 2002	Updated:	February 5, 2004
Description:	DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331) The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).
Alerts:	Mandrake MDKSA-2004:009 2004-02-04 Red Hat RHSA-2002:197-09 2002-11-06 Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):	gnupg	CVE #(s):	CAN-2003-0255
Created:	May 16, 2003	Updated:	November 18, 2003
Description:	A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:	SCO Group CSSA-2003-034.0 2003-11-17 Conectiva CLA-2003:694 2003-07-11 Yellow Dog YDU-20030602-4 2003-06-02 Mandrake MDKSA-2003:061 2003-05-22 Slackware ssa:2003-141-04 2003-05-22 Red Hat RHSA-2003:175-01 2003-05-20 Gentoo 200305-04 2003-05-16 OpenPKG OpenPKG-SA-2003.029 2003-05-16 EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):	gtkhtml	CVE #(s):	CAN-2003-0133 CAN-2003-0541
Created:	April 14, 2003	Updated:	April 18, 2005
Description:	GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Alerts:	Debian DSA-710-1 2005-04-18 Mandrake MDKSA-2003:093 2003-09-18 Conectiva CLA-2003:737 2003-09-12 Red Hat RHSA-2003:264-01 2003-09-09 Mandrake MDKSA-2003:046 2003-04-15 Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

KDE: Two issues in KDM

Package(s):	kde, xfree86	CVE #(s):	CAN-2003-0690 CAN-2003-0692
Created:	September 16, 2003	Updated:	December 19, 2003
Description:	According to this advisory two issues have been discovered in KDM: CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable. CAN-2003-0692: Session cookies generated by KDM are potentially insecure All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:	Mandrake MDKSA-2003:118 2003-12-19 Gentoo 200311-01 2003-11-15 Debian DSA-388-1 2003-09-19 Conectiva CLA-2003:747 2003-09-19 Mandrake MDKSA-2003:091 2003-09-16 Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):	kernel-utils	CVE #(s):	CAN-2003-0019
Created:	February 7, 2003	Updated:	January 21, 2005
Description:	The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net
Alerts:	Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s):	libpam-smb, pam-smb	CVE #(s):	CAN-2003-0686
Created:	August 26, 2003	Updated:	October 1, 2003
Description:	libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information. CAN-2003-0686
Alerts:	Conectiva CLA-2003:734 2003-09-05 SuSE SuSE-SA:2003:036 2003-09-03 Gentoo 200309-01 2003-09-01 Red Hat RHSA-2003:261-01 2003-08-26 Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s):	libpng, libpng3	CVE #(s):	CAN-2002-1363
Created:	December 19, 2002	Updated:	July 14, 2004
Description:	Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:	Gentoo 200407-06 2004-07-08 OpenPKG OpenPKG-SA-2004.030 2004-07-06 Mandrake MDKSA-2004:063 2004-06-29 Whitebox WBSA-2004:249-01 2004-06-21 Fedora FEDORA-2004-176 2004-06-18 Fedora FEDORA-2004-174 2004-06-18 Fedora FEDORA-2004-175 2004-06-18 Fedora FEDORA-2004-173 2004-06-18 Red Hat RHSA-2004:249-01 2004-06-18 Conectiva CLA-2003:564 2003-01-23 Mandrake MDKSA-2003:008 2003-01-20 OpenPKG OpenPKG-SA-2003.001 2003-01-15 Yellow Dog YDU-20030114-2 2002-01-14 SuSE SuSE-SA:2003:0004 2003-01-14 Red Hat RHSA-2003:006-06 2003-01-09 Debian DSA-213-1 2002-12-19

Comments (none posted)

lsh: remotely exploitable buffer overflow

Package(s):	lsh	CVE #(s):	CAN-2003-0831
Created:	October 1, 2003	Updated:	October 1, 2003
Description:	lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details.
Alerts:	SuSE SuSE-SA:2003:041 2003-10-01

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):	lynx	CVE #(s):	CAN-2002-1405
Created:	November 19, 2002	Updated:	October 1, 2003
Description:	If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. CAN-2002-1405
Alerts:	Conectiva CLA-2003:720 2003-08-11 Mandrake MDKSA-2003:023 2003-02-24 OpenPKG OpenPKG-SA-2003.011 2003-02-18 Red Hat RHSA-2003:029-06 2003-02-12 Trustix 2002-0085 2002-12-19 Debian DSA-210-1 2002-12-13 SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

marbles: buffer overflow

Package(s):	marbles	CVE #(s):	CAN-2003-0830
Created:	October 1, 2003	Updated:	October 1, 2003
Description:	The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group.
Alerts:	Debian DSA-390-1 2003-09-26

Comments (none posted)

mikmod: buffer overflow

Package(s):	mikmod	CVE #(s):	CAN-2003-0427
Created:	June 16, 2003	Updated:	June 16, 2005
Description:	Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:	Fedora FEDORA-2005-405 2005-06-16 Red Hat RHSA-2005:506-01 2005-06-13 Fedora FEDORA-2005-404 2005-06-09 Gentoo 200307-01 2003-07-02 Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creations

Package(s):	mindi	CVE #(s):	CAN-2003-0617
Created:	September 2, 2003	Updated:	October 1, 2003
Description:	Mindi versions prior to 0.86 creates files in /tmp which could allow local user to overwrite arbitrary files. CAN-2003-0617
Alerts:	Gentoo 200309-05 2003-09-02 Debian DSA-362-1 2003-08-02

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):	mplayer	CVE #(s):	CAN-2003-0835
Created:	September 29, 2003	Updated:	April 6, 2004
Description:	A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:	Mandrake MDKSA-2004:026 2004-04-05 Gentoo 200403-13 2004-03-31 Conectiva CLA-2003:760 2003-10-06 Mandrake MDKSA-2003:097 2003-09-30 Gentoo 200309-15 2003-09-27

Comments (none posted)

mysql: arbitrary code execution

Package(s):	mysql	CVE #(s):	CAN-2003-0780
Created:	September 15, 2003	Updated:	October 9, 2003
Description:	Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16 characters long hexadecimal value. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
Alerts:	Red Hat RHSA-2003:281-01 2003-10-09 SuSE SuSE-SA:2003:042 2003-10-01 Mandrake MDKSA-2003:094 2003-09-18 Conectiva CLA-2003:743 2003-09-18 EnGarde ESA-20030918-025 2003-09-18 Trustix 2003-0034 2003-09-17 Gentoo 200309-08 2003-09-15 OpenPKG OpenPKG-SA-2003.038 2003-09-15 Debian DSA-381-1 2003-09-13

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):	nessus	CVE #(s):
Created:	May 27, 2003	Updated:	August 12, 2004
Description:	Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:	Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):	netris	CVE #(s):	CAN-2003-0685
Created:	August 18, 2003	Updated:	October 1, 2003
Description:	Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server. CAN-2003-0685
Alerts:	Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):	net-snmp	CVE #(s):	CAN-2002-1170
Created:	December 17, 2002	Updated:	November 7, 2003
Description:	The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:	Conectiva CLA-2003:778 2003-11-07 Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):	nfs-utils	CVE #(s):	CAN-2003-0252
Created:	July 14, 2003	Updated:	March 8, 2004
Description:	Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:	Trustix TSLSA-2004-0009 2004-03-05 SCO Group CSSA-2003-037.0 2003-11-17 Conectiva CLA-2003:700 2003-07-22 Mandrake MDKSA-2003:076 2003-07-21 Gentoo 200307-07 2003-07-19 Yellow Dog YDU-20030718-1 2003-07-18 Slackware SSA:2003-195-01b 2003-07-15 Immunix IMNX-2003-7+-018-01 2003-07-14 SuSE SuSE-SA:2003:031 2003-07-15 Slackware SSA:2003-195-01 2003-07-14 Debian DSA-349-1 2003-07-14 Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: multilple PAM vulnerabilities in Portable OpenSSH versions 3.7p1 and 3.7.1p1

Package(s):	openssh	CVE #(s):
Created:	September 23, 2003	Updated:	October 1, 2003
Description:	Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). See this advisory for details.
Alerts:	Trustix 2003-0036 2003-09-27 Slackware SSA:2003-266-01 2003-09-24 OpenPKG OpenPKG-SA-2003.042 2003-09-24 Gentoo 200309-14 2003-09-23

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):	openssh	CVE #(s):	CAN-2003-0190
Created:	May 2, 2003	Updated:	November 30, 2004
Description:	From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:	Ubuntu USN-34-1 2004-11-30 OpenPKG OpenPKG-SA-2003.035 2003-08-06 Red Hat RHSA-2003:222-01 2003-07-29 Gentoo 200305-02 2003-05-13 Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSH: buffer management error

Package(s):	OpenSSH	CVE #(s):	CAN-2003-0693
Created:	September 16, 2003	Updated:	October 1, 2003
Description:	All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details. CAN-2003-0693
Alerts:	SCO Group CSSA-2003-027.0 2003-10-02 Debian DSA-383-2 2003-09-21 Debian DSA-382-3 2003-09-21 SuSE SuSE-SA:2003:039 2003-09-18 EnGarde ESA-20030918-024 2003-09-18 Yellow Dog YDU-20030917-1 2003-09-17 Conectiva CLA-2003:741 2003-09-17 Debian DSA-383-1 2003-09-17 Sorcerer SORCERER2003-09-17 2003-09-17 Slackware SSA:2003-260-01 2003-09-17 Red Hat RHSA-2003:279-02 2003-09-17 Mandrake MDKSA-2003:090-1 2003-09-17 Trustix 2003-0033 2003-09-17 OpenPKG OpenPKG-SA-2003.040 2003-09-17 Immunix IMNX-2003-7+-020-02 2003-09-16 Gentoo 200309-12 2003-09-16 Debian DSA-382-2 2003-09-17 SuSE SuSE-SA:2003:038 2003-09-16 Slackware SSA:2003-259-01 2003-09-16 Mandrake MDKSA-2003:090 2003-09-16 Immunix IMNX-2003-7+-020-01 2003-09-16 Debian DSA-382-1 2003-09-16 Red Hat RHSA-2003:279-01 2003-09-16 EnGarde ESA-20030916-023 2003-09-16 Conectiva CLA-2003:739 2003-09-16

Comments (none posted)

openssl: vulnerabilities in ASN.1 code

Package(s):	openssl	CVE #(s):	CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created:	September 30, 2003	Updated:	November 4, 2003
Description:	Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay. An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544. It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545. CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.
Alerts:	EnGarde ESA-20031104-029 2003-11-04 Debian DSA-394-1 2003-10-11 Conectiva CLA-2003:759 2003-10-03 EnGarde ESA-20031003-028 2003-10-03 Tawie 2003-0001 2003-10-02 SuSE SuSE-SA:2003:043 2003-10-01 Slackware SSA:2003-273-01 2003-09-30 Mandrake MDKSA-2003:098 2003-09-30 Gentoo 200309-19 2003-10-01 Debian DSA-393-1 2003-10-01 Conectiva CLA-2003:751 2003-09-30 EnGarde ESA-20030930-027 2003-09-30 Immunix IMNX-2003-7+-022-01 2003-09-29 OpenPKG OpenPKG-SA-2003.044 2003-09-30 Red Hat RHSA-2003:292-01 2003-09-30 Red Hat RHSA-2003:291-01 2003-09-30

Comments (none posted)

pam-pgsql: format string vulnerability

Package(s):	pam-pgsql	CVE #(s):	CAN-2003-0672
Created:	August 11, 2003	Updated:	October 1, 2003
Description:	Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. CAN-2003-0672
Alerts:	Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):	perl	CVE #(s):	CAN-2003-0615
Created:	July 29, 2003	Updated:	October 1, 2003
Description:	obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. CAN-2003-0615
Alerts:	Red Hat RHSA-2003:256-02 2003-10-03 Red Hat RHSA-2003:256-01 2003-09-22 OpenPKG OpenPKG-SA-2003.039 2003-09-15 Mandrake MDKSA-2003:084 2003-08-20 Debian DSA-371-1 2003-08-11 OpenPKG OpenPKG-SA-2003.036 2003-08-06 Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):	php	CVE #(s):	CAN-2002-0985 CAN-2002-0986
Created:	November 13, 2002	Updated:	October 1, 2003
Description:	Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. CAN-2002-0985 CAN-2002-0986
Alerts:	SCO Group CSSA-2003-008.0 2003-03-04 Gentoo 200211-005 2002-11-20 EnGarde ESA-20021122-031 2002-11-22 Conectiva CLA-2002:545 2002-11-13 Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):	phpgroupware	CVE #(s):	CAN-2003-0504 CAN-2003-0582
Created:	July 16, 2003	Updated:	October 1, 2003
Description:	Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited. Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corportation report for more information. CAN-2003-0504 CAN-2003-0582
Alerts:	Debian DSA-365-1 2003-08-05 Conectiva CLA-2003:703 2003-07-23 Mandrake MDKSA-2003:077 2003-07-23 Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):	postfix	CVE #(s):	CAN-2003-0468 CAN-2003-0540
Created:	August 5, 2003	Updated:	May 27, 2004
Description:	The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:	Mandrake MDKA-2004:028 2004-05-26 Trustix 2003-0029 2003-08-04 Mandrake MDKSA-2003:081 2003-08-04 EnGarde ESA-20030804-019 2003-08-04 Conectiva CLA-2003:717 2003-08-04 SuSE SuSE-SA:2003:033 2003-08-04 Red Hat RHSA-2003:251-01 2003-08-04 Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):	postgresql	CVE #(s):
Created:	February 12, 2003	Updated:	November 7, 2003
Description:	A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:	Debian DSA-397-1 2003-11-07 Immunix IMNX-2003-7+-005-01 2003-04-08 Trustix 2003-0004 2003-02-20 Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

proftpd: remote root shell

Package(s):	proftpd	CVE #(s):	CAN-2003-0831
Created:	September 24, 2003	Updated:	January 2, 2004
Description:	The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:	Mandrake MDKSA-2003:095-1 2003-12-31 Conectiva CLA-2003:750 2003-09-29 Gentoo 200309-16 2003-09-28 Trustix 2003-0037 2003-09-27 Mandrake MDKSA-2003:095 2003-09-26 OpenPKG OpenPKG-SA-2003.043 2003-09-25 Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

Local arbitrary code execution vulnerability in Python

Package(s):	python	CVE #(s):	CAN-2002-1119
Created:	August 28, 2002	Updated:	October 1, 2003
Description:	Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. CAN-2002-1119
Alerts:	Red Hat RHSA-2002:202-33 2003-02-12 OpenPKG OpenPKG-SA-2003.006 2003-01-23 Red Hat RHSA-2002:202-25 2003-01-21 Mandrake MDKSA-2002:082-1 2002-12-09 Mandrake MDKSA-2002:082 2002-11-25 SCO Group CSSA-2002-045.0 2002-11-14 Trustix 2002-0073 2002-10-17 Gentoo python-20021003 2002-10-03 Conectiva CLA-2002:527 2002-10-01 Debian DSA-159-2 2002-09-09 Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):	Safe.pm	CVE #(s):	CAN-2002-1323
Created:	October 9, 2002	Updated:	February 20, 2004
Description:	usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:	SCO Group CSSA-2004-007.0 2004-02-20 Gentoo 200212-6 2002-12-20 Trustix 2002-0087 2002-12-19 OpenPKG OpenPKG-SA-2002.014 2002-12-16 Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):	sane-backends	CVE #(s):	CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:	September 11, 2003	Updated:	February 20, 2004
Description:	Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segfault fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf. You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems: CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf). CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault. CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel. CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters. CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur. CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:	SCO Group CSSA-2004-005.0 2004-02-19 SuSE SuSE-SA:2003:046 2003-11-18 Conectiva CLA-2003:769 2003-10-22 Mandrake MDKSA-2003:099 2003-10-09 Red Hat RHSA-2003:278-01 2003-10-07 Debian DSA-379-1 2003-09-11

Comments (none posted)

semi: insecure temporary file

Package(s):	semi, wemi	CVE #(s):	CAN-2003-0440
Created:	July 7, 2003	Updated:	October 1, 2003
Description:	semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker. wemi is a fork of semi, and contains the same bug. CAN-2003-0440
Alerts:	Gentoo 200308-02 2003-08-14 Yellow Dog YDU-20030723-2 2003-07-23 Red Hat RHSA-2003:234-01 2003-07-23 Debian DSA-339-1 2003-07-06

Comments (none posted)

sendmail: bad DNS reply causes crash

Package(s):	sendmail	CVE #(s):	CAN-2003-0688
Created:	August 26, 2003	Updated:	October 1, 2003
Description:	There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003. See this advisory for more information. CAN-2003-0688
Alerts:	Conectiva CLA-2003:727 2003-08-29 Red Hat RHSA-2003:265-01 2003-08-28 OpenPKG OpenPKG-SA-2003.037 2003-08-28 SuSE SuSE-SA:2003:035 2003-08-26 Mandrake MDKSA-2003:086 2003-08-26

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):	sendmail	CVE #(s):	CAN-2003-0694 CAN-2003-0681
Created:	September 17, 2003	Updated:	November 18, 2003
Description:	Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:	SCO Group CSSA-2003-036.0 2003-11-17 SuSE SuSE-SA:2003:040 2003-09-20 OpenPKG OpenPKG-SA-2003.041 2003-09-19 Conectiva CLA-2003:742 2003-09-18 Yellow Dog YDU-20030917-2 2003-09-17 Immunix IMNX-2003-7+-021-01 2003-09-17 Mandrake MDKSA-2003:092 2003-09-17 Debian DSA-384-1 2003-09-17 Red Hat RHSA-2003:283-01 2003-09-17 Slackware SSA:2003-260-02 2003-09-17 Gentoo 200309-13 2003-09-17

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):	stunnel	CVE #(s):	CAN-2002-1563
Created:	July 25, 2003	Updated:	November 25, 2003
Description:	Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption. When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits. Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.
Alerts:	Red Hat RHSA-2003:296-01 2003-11-24 SCO Group CSSA-2003-026.0 2003-10-03 Conectiva CLA-2003:736 2003-09-05 Trustix 2003-0030 2003-08-07 EnGarde ESA-20030806-020 2003-08-06 Red Hat RHSA-2003:221-01 2003-07-25

Comments (none posted)

sup: insecure temporary file

Package(s):	sup	CVE #(s):	CAN-2003-0606
Created:	July 29, 2003	Updated:	October 1, 2003
Description:	sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup. CAN-2003-0606
Alerts:	Debian DSA-353-1 2003-07-29

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):	tar unzip	CVE #(s):	CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:	October 1, 2002	Updated:	April 10, 2006
Description:	The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:	Fedora-Legacy FLSA:183571-1 2006-04-04 Red Hat RHSA-2006:0195-01 2006-02-21 Conectiva CLA-2002:538 2002-10-29 Mandrake MDKSA-2002:066 2002-10-10 Mandrake MDKSA-2002:065 2002-10-10 EnGarde ESA-20021003-022 2002-10-03 Gentoo unzip-20021001 2002-10-01 Gentoo tar-20021001 2002-10-01 Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

teapop: SQL injection

Package(s):	teapop	CVE #(s):	CAN-2003-0515
Created:	July 9, 2003	Updated:	October 1, 2003
Description:	teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated. CAN-2003-0515
Alerts:	Gentoo 200309-18 2003-09-30 Debian DSA-347-1 2003-07-08

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):	telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5	CVE #(s):
Created:	May 21, 2002	Updated:	October 5, 2004
Description:	This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:	Gentoo 200410-03 2004-10-05 Yellow Dog YDU-20010810-2 2001-08-10 Yellow Dog YDU-20010810-1 2001-08-10 SuSE SuSE-SA:2001:029 2001-09-03 Slackware sl-997726350 2001-08-09 Red Hat RHSA-2001:100-02 2001-08-09 Red Hat RHSA-2001:099-09 2002-02-07 Red Hat RHSA-2001:099-06 2001-08-09 Progeny PROGENY-SA-2001-27 2001-08-14 Mandrake MDKSA-2001:093 2001-12-17 Mandrake MDKSA-2001:068 2001-08-13 HP HPSBTL0202-023 2002-02-12 Debian DSA-075-2 2001-08-14 Debian DSA-075-1 2001-08-14 Conectiva CLA-2001:413 2001-08-24 SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):	unzip	CVE #(s):	CAN-2003-0282
Created:	July 1, 2003	Updated:	November 13, 2003
Description:	A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:	SCO Group CSSA-2003-031.0 2003-11-07 Debian DSA-344-2 2003-08-26 Slackware SSA:2003-237-01 2003-08-25 Mandrake MDKSA-2003:073-1 2003-08-19 Conectiva CLA-2003:724 2003-08-18 Red Hat RHSA-2003:199-02 2003-08-15 Yellow Dog YDU-20030710-1 2003-07-10 Gentoo 200307-02 2003-07-11 OpenPKG OpenPKG-SA-2003.033 2003-07-10 Debian DSA-344-1 2003-07-08 Mandrake MDKSA-2003:073 2003-07-07 Conectiva CLA-2003:672 2003-07-02 Immunix IMNX-2003-7+-017-01 2003-07-02 Red Hat RHSA-2003:199-01 2003-07-01

Comments (none posted)

vim - modeline vulnerability

Package(s):	vim	CVE #(s):	CAN-2002-1377
Created:	January 16, 2003	Updated:	February 10, 2004
Description:	VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:	Conectiva CLA-2004:812 2004-02-10 Mandrake MDKSA-2003:012 2003-02-03 Yellow Dog YDU-20030127-3 2003-01-27 Gentoo 200301-13 2003-01-22 OpenPKG OpenPKG-SA-2003.003 2003-01-21 Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):	vixie-cron	CVE #(s):	CVE-2001-0559
Created:	April 17, 2003	Updated:	October 3, 2003
Description:	From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root." Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.
Alerts:	Conectiva CLA-2003:758 2003-10-03 Conectiva CLA-2003:757 2003-10-03 Conectiva CLA-2003:628 2003-04-17

Comments (none posted)

webfs: buffer overflows, file and directory exposure

Package(s):	webfs	CVE #(s):	CAN-2003-0832 CAN-2003-0833
Created:	September 29, 2003	Updated:	October 1, 2003
Description:	Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content. CAN-2003-0832 - When virtual hosting is enabled, a remote client could specify ".." as the hostname in a request, allowing retrieval of directory listings or files above the document root. CAN-2003-0833 - A long pathname could overflow a buffer allocated on the stack, allowing execution of arbitrary code. In order to exploit this vulnerability, it would be necessary to be able to create directories on the server in a location which could be accessed by the web server. In conjunction with CAN-2003-0832, this could be a world-writable directory such as /var/tmp.
Alerts:	Debian DSA-392-1 2003-09-29

Comments (none posted)

webmin: session ID spoofing

Package(s):	webmin	CVE #(s):	CAN-2003-0101
Created:	June 13, 2003	Updated:	November 18, 2003
Description:	miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:	SCO Group CSSA-2003-035.0 2003-11-17 Debian DSA-319-1 2003-06-12

Comments (none posted)

wget:directory traversal bug

Package(s):	wget	CVE #(s):	CAN-2002-1344
Created:	December 10, 2002	Updated:	October 1, 2003
Description:	Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system. FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine. See also this Bugtraq article from 1997. CAN-2002-1344
Alerts:	Immunix IMNX-2003-7+-011-01 2003-06-03 OpenPKG OpenPKG-SA-2003.007 2003-01-23 SCO Group CSSA-2003-003.0 2003-01-16 Gentoo 200212-7 2002-12-20 Trustix 2002-0089 2002-12-19 Conectiva CLA-2002:552 2002-12-13 Debian DSA-209-1 2002-12-12 Mandrake MDKSA-2002:086 2002-12-11 Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

wget: buffer overflow

Package(s):	wget	CVE #(s):	CAN-2003-1565
Created:	August 5, 2003	Updated:	December 10, 2003
Description:	The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:	Red Hat RHSA-2003:372-01 2003-12-10 SCO Group CSSA-2003-025.0 2003-10-03 Conectiva CLA-2003:716 2003-08-04

Comments (1 posted)

wu-ftpd: off-by-one bug

Package(s):	wu-ftpd	CVE #(s):	CAN-2003-0466
Created:	July 31, 2003	Updated:	October 5, 2003
Description:	An off-by-one bug has been discovered in versions of wu-ftpd up to and including 2.6.2. On a vulnerable system, a remote attacker would be able to exploit this bug to gain root privileges. See this advisory for more details.
Alerts:	SCO Group CSSA-2003-024.0 2003-09-26 Immunix IMNX-2003-7+-019-01 2003-08-06 Conectiva CLA-2003:715 2003-08-01 Debian DSA-357-1 2003-07-31 SuSE SuSE-SA:2003:032 2003-07-31 Mandrake MDKSA-2003:080 2003-07-31 Red Hat RHSA-2003:245-01 2003-07-31

Comments (none posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):	wwwoffle	CVE #(s):	CAN-2002-0818
Created:	August 14, 2002	Updated:	October 1, 2003
Description:	The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." CAN-2002-0818
Alerts:	SCO Group CSSA-2002-048.0 2002-11-18 Debian DSA-144-1 2002-08-06 SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

XFree86 4.3.0 integer overflows in font libraries

Package(s):	XFree86	CVE #(s):	CAN-2003-0730
Created:	September 12, 2003	Updated:	November 25, 2003
Description:	Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:	Red Hat RHSA-2003:286-01 2003-11-25 Red Hat RHSA-2003:287-01 2003-11-25 Red Hat RHSA-2003:288-01 2003-11-17 Debian DSA-380-1 2003-09-12 Mandrake MDKSA-2003:089 2003-09-11

Comments (none posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s):	xinetd	CVE #(s):	CAN-2003-0211
Created:	May 13, 2003	Updated:	November 13, 2003
Description:	Xinetd is a 'master server' that is used to to accept service connection requests and start the appropriate servers. Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.
Alerts:	Conectiva CLA-2003:782 2003-11-12 Yellow Dog YDU-20030602-1 2003-06-02 Gentoo 200305-08 2003-05-19 Mandrake MDKSA-2003:056 2003-05-14 Red Hat RHSA-2003:160-01 2003-05-13

Comments (none posted)

zblast: buffer overflow

Package(s):	zblast	CVE #(s):	CAN-2003-0613
Created:	August 11, 2003	Updated:	October 1, 2003
Description:	Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score. CAN-2003-0613
Alerts:	Debian DSA-369-1 2003-08-08

Comments (1 posted)

Resources

Analysis of the MediaMax CD3 copy-prevention system

John A. Halderman has analyzed the "CD3" copy protection system for audio CDs and posted his results. It seems that this technology works by loading a special driver via the Windows autorun feature; the driver interferes with read operations, thus thwarting copy attempts. But only if the driver is actually loaded. "MediaMax's protections are ineffective because the driver program can easily be disabled or, depending on the system configuration, it might never be installed to begin with. As a result, audio content is vulnerable to copying in virtually 100% of deployed systems.... Computers running Linux or Mac OS 9 can't run the MediaMax software at all, so they can always copy the recording." Sometimes the lack of Linux support is a good thing.

Comments (21 posted)

LinuxSecurity.com newsletters

This week's Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Events

EICAR 2004

The 13th Annual EICAR Conference will be held at the Hilton Luxembourg in Luxemburg City from May 1 to 4, 2004. "Participants can expect a variety of academic and leading edge technical presentations from around the world, with an emphasis not only on technical aspects of IT-security, but also the legal and social issues rapidly becoming the new thorn in everyone's collective side." The call for papers has gone out, with a submission deadline of January 15.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.6.0-test7, which was released by Linus on October 8. Changes this time include a bunch of janitorial work, some IDE driver updates, a new filesystem mount option parsing scheme, a change to how module array parameters are declared, some video for Linux updates, an ACPI update, an XFS update, a reserved system call for the vserver project, and lots of fixes. See the long-format changelog for the details.

As part of the announcement, Linus has stated that he is tightening up the criteria for accepting patches.

The current stable kernel is 2.4.22; the last 2.4.23 prepatch was 2.4.23-pre6 on October 1.

Comments (1 posted)

Kernel development news

Alternative kernel trees

Much attention is paid to official kernel releases from Linus and Marcelo. There are, however, a number of other kernel trees out there, many of which offer different views of how the kernel should be or where its development should go. It has been a while since we've looked at the alternative kernel trees which are currently being maintained, so it is a good time for an update. We'll start with the 2.6-based trees.

Andrew Morton's -mm tree (currently at 2.6.0-test6-mm4) remains the largest staging area for code headed toward the mainline. The -mm kernels give big patches a place where they can be examined and tested without breaking the mainline kernel. This tree currently contains, beyond lots of fixes, a full set of kgdb patches, the current versions of the must-fix and should-fix lists, a bunch of VFS work from Al Viro (aimed at making hot removal of disks work properly), the CFQ disk I/O scheduler, Intel MSI and EFI support, the 4G/4G large memory patch, a lot of direct and asynchronous I/O work, and a patch called "support-zillions-of-scsi-disks."

Stephen Hemminger recently released 2.6.0-test6-osdl1. This relatively small patch has been reborn; it now concerns itself with features that will be merged after the 2.6.0 release, if ever. Thus, it includes a patch adding file extents to ext3, Ingo Molnar's ExecShield, the Linux kernel crash dump facility, the kexec system call, and a few others.

Martin Bligh continues to release occasional -mjb kernels; the latest is 2.6.0-test6-mjb1. These kernels have "mainly scalability and NUMA stuff, and anything else that stops things from irritating me." The patch currently includes a configuration option for the internal clock speed, a number of tunable parameters for the scheduler, the lockmeter patch, the object-based reverse mapping patch, and a number of NUMA-related patches.

Randy Dunlap posts an occasional -kj tree; 2.6.0-test6-kj1 was released on September 29. This is not the tree for people seeking exciting new features; its purpose is to serve as a collection area for janitorial patches that might otherwise fall through the cracks.

Alan Cox's departure from the kernel scene has left a large hole where his 2.4-base -ac tree used to be. Many distributors based their stock kernels on something close to Alan's tree. The -ac tree has technically been taken over by Bernhard Rosenkraenzer, but his last release was 2.4.23-pre4-pac2 on September 17.

Andrea Arcangeli has, of late, started announcing more of his -aa trees to the world. His latest (2.4.23pre6aa2) includes a new "desktop" boot parameter which sets several options for optimal desktop performance, run-time configurable internal clock speed, some virtual memory work, the TUX HTTP server, kgdb, the 2.6 "futex" feature, XFS version 13, Jens Axboe's "laptop mode" patch, and many others. Andrea plans to include Jeff Garzik's "libata" disk drivers soon.

James Bourne maintains a "-uv" patch series which is limited to compilation and security fixes for the current stable kernel. The latest is 2.4.22-uv2.

Comments (1 posted)

Relayfs

Tom Zanussi has posted a new version of the "relayfs" filesystem code; the full set of patches can be found in the "patches" section, below. Relayfs is an attempt to provide a common framework for kernel code which must exchange large amounts of data with user space. The initial application would appear to be for kernel event tracing and profiling, but one can certainly imagine other ways to use such a system as well.

Relayfs is, of course, yet another virtual filesystem implemented by the kernel; it must be explicitly mounted by user space to be available. Kernel code can then create a relay with relay_open(); it will show up as a file under relayfs. User space can then open the relay and employ all of the usual file operations - including mmap() and poll() - to exchange data with the kernel. To an application, a relayfs file descriptor looks much like a Unix-domain socket, except that the other end is a piece of kernel code rather than another process.

The interface on the kernel side is a bit more complex. The expected relay_read() and relay_write() functions exist and can be used to move data to and from user space. But relayfs also exposes much of the internal structure to kernel code that needs to know about it. So special-purpose code can obtain a pointer into the relayfs buffer and copy data there directly, for example. There is also a set of callbacks for kernel code that wants to know about relayfs events, and a set of utilities for manipulating the buffer size, optimizing the locking used, etc.

Relayfs is a non-intrusive patch - it does not affect parts of the kernel that are not explicitly changed to make use of it. So it is conceivable that this patch could yet make it into a 2.6 release. The reimplementation of printk() which uses relayfs might have to wait a little longer, however.

Comments (none posted)

Driver porting

kobjects and hotplug events

Last week, in the article about kobjects, it was mentioned that a kset has a set of hotplug operations. This week we will introduce the hotplug operations, and detail how they work.

Remember that a kset is a group of kobjects which are all embedded in the same type of structure. In the definition of a kset, a pointer to a struct kset_hotplug_ops is specified. If this pointer is set, whenever a kobject that is a member of that kset is created or destroyed by the kernel, the userspace program /sbin/hotplug will be called. If a kobject does not have a kset associated with it, the kernel will traverse up the kobject hierarchy (using the parent pointer) to try to find a kset to use for this test.

struct kset_hotplug_ops is a structure containing three function pointers and is defined as:

    struct kset_hotplug_ops {
	int (*filter)(struct kset *kset, struct kobject *kobj);
	char *(*name)(struct kset *kset, struct kobject *kobj);
	int (*hotplug)(struct kset *kset, struct kobject *kobj, 
                       char **envp, int num_envp, 
		       char *buffer, int buffer_size);
    };

Hotplug filters

The filter function will be called by the kernel before a hotplug operation happens. The kobject and the kset which are being used for the hotplug event are passed as parameters to the function. If this function returns 1 then the hotplug event will be generated; otherwise (if the function returns 0), the hotplug event will not be generated. This function is used by the driver core and the block subsystem to filter out hotplug events for kobjects that are owned by these systems but which should not have hotplug events generated for them.

As an example, the driver core's hotplug filter is contained in the file drivers/base/core.c and looks like:

static int dev_hotplug_filter(struct kset *kset, struct kobject *kobj)
{
	struct kobj_type *ktype = get_ktype(kobj);

	if (ktype == &ktype_device) {
		struct device *dev = to_dev(kobj); 
		if (dev->bus)
			return 1;
	}
	return 0;
}

In this function, the first thing that happens is the type of the kobject is checked. If this really is a device type of kobject, then we know it is safe to cast this kobject to a struct device, which is done in the line:

    struct class_device *class_dev = to_class_dev(kobj);

If this class device has a class assigned to it (dev->bus), the filter function tells the kobject core that it is acceptable to generate a hotplug event for this object. If any of these tests fail, the function returns 0 stating that no hotplug event should be generated.

The filter function allows objects in the device tree to own kobjects themselves (to create subdirectories, and for other uses) and prevent hotplug events from being created for these child kobjects.

Hotplug event names

When /sbin/hotplug is called by the kernel, it only has one argument passed to it, the name of the subsystem creating the event. All other information about the hotplug event is passed in environment variables. For detailed examples of some of the hotplug events and environment variables, see the Linux Hotplug project website.

For the kobject core to know what kind of name to provide to this hotplug event, the name function callback is provided. If the kset associated with this kobject wants to override the name of the kset for the hotplug event, then this function needs to return a pointer to a string that is more suitable. If this function is not provided, or it returns NULL, then the kset's name will be used.

For example, all struct device objects in the kernel belong to the same device kset (the device, driver, and class model sits on top of kobjects and ksets, making it simpler for driver authors to use). This kset is called "devices". It would not make much sense for every USB or IEEE1394 device that was plugged into, or removed from the system to generate a hotplug event with the name "devices". Because of this, the device subsystem has a name function for its hotplug operations:

static char *dev_hotplug_name(struct kset *kset, struct kobject *kobj)
{       
	struct device *dev = to_dev(kobj);

	return dev->bus->name; 
}       

In this function, the kobject is converted to a struct device, and then the name of the bus associated with this device is returned. This allows USB devices to create hotplug events with the name "usb" and IEEE1394 devices to create hotplug events with the name "ieee1394".

One note about this function: the only way that we know it is safe to directly cast this kobject into a struct device is that it has passed the filter function first. In that function, the type of the kobject and the fact that the device had a pointer to a bus was verified. Without that filter function, that information would have to be checked before blindly casting and following two levels of pointer indirection.

Hotplug environment variables

All calls to /sbin/hotplug provide the majority of information within environment variables. The three variables that are always set for every hotplug call are the following:

Variable	Value	Description
ACTION	add or remove	Describes if the kobject is being added or removed from the system.
SEQNUM	numeric	Provides the sequence number of the hotplug event. It is used for userspace to determine if it has received the hotplug event out of order or not. The value starts out a 0 when the kernel boots, and increments with every /sbin/hotplug call. It is a 64-bit number, so it will not roll over for a very long time.
DEVPATH	string	The path to the kobject that the hotplug event is happening on, within the sysfs file system. To get the true filesystem location for this kobject, add the mount point for sysfs (usually /sys) to the beginning of this string.

These variables are usually enough for userspace to determine what is happening with this hotplug event, but a lot of subsystems want to provide more information. This is especially true when a kobject is removed from the system, as the sysfs entry for the device will also be removed, preventing userspace from being able to look up any attributes about the device that was just removed. Because of this, the hotplug callback is provided for the kset to provide any additional environment variables that it wants to.

The hotplug function callback is allowed to add any additional environment variables that the kset might want added for this call to /sbin/hotplug. To review the prototype for this function:

    int (*hotplug)(struct kset *kset, struct kobject *kobj, 
                   char **envp, int num_envp, 
		   char *buffer, int buffer_size);

Here, kset and kobj are the objects for which the event is happening, envp is a pointer to an array of environment variables (in the usual "NAME=value" format), num_envp is the length of envp, buffer is a buffer where additional variables can be put, and buffer_size is the size of buffer. The hotplug function should create any additional environment variables that are called for, store pointers to them in envp, and terminate envp with a NULL. If the hotplug callback returns a non-zero value, the hotplug event is aborted, and /sbin/hotplug will not be called.

The driver and class subsystems pass hotplug calls down to the bus and class owners of the kobject that is being created or removed, allowing these individual subsystems to add their own environment variables. For example, for all devices located on the USB bus, the function usb_hotplug() in the drivers/usb/core/usb.c file will be called. This function is defined as (with much of the boring code removed):

static int usb_hotplug(struct device *dev, char **envp, int num_envp,
		       char *buffer, int buffer_size)
{
	struct usb_interface *intf;
	struct usb_device *usb_dev;
	char *scratch;
	int i = 0;
	int length = 0;

	/* ... */
	intf = to_usb_interface(dev);
	usb_dev = interface_to_usbdev(intf);

	/* ... */
	scratch = buffer;
	envp[i++] = scratch;
	length += snprintf(scratch, buffer_size - length, "PRODUCT=%x/%x/%x",
			   usb_dev->descriptor.idVendor,
			   usb_dev->descriptor.idProduct,
			   usb_dev->descriptor.bcdDevice);
	if ((buffer_size - length <= 0) || (i >= num_envp))
		return -ENOMEM;
	++length;
	scratch += length;

	/* ... */
	envp[i++] = NULL;
	return 0;
}

The lines:

	scratch = buffer;
	envp[i++] = scratch;

set up the environment pointer to point to the next location in the buffer passed to us. Then the big call to snprintf creates a variable called PRODUCT which is assigned the value of the USB device's vendor, product and device ids separated by a '/' character. If snprintf succeeded in not overrunning the buffer provided to us, and we still have enough room for one more environment variable, then the function continues on. The last environment variable pointer is set to NULL before returning.

All that work for a simple result

With the combined effort of the kset hotplug function callbacks every kset can customize the call to /sbin/hotplug in whatever way it likes while still providing userspace a consistent interface from the kernel. Every kobject that is registered with sysfs can generate this call easily, so all parts of the kernel that use kobjects and ksets automatically get the /sbin/hotplug interface for free. This allows userspace projects such as the module loading scripts, devlabel, udev, and D-BUS valuable information as to what the kernel is doing whenever a change in the kobject tree occurs.

Comments (1 posted)

Patches and updates

Kernel trees

• Linus Torvalds: Linux 2.6.0-test7 - stability freeze. (October 8, 2003)

• Andrew Morton: 2.6.0-test6-mm3. (October 6, 2003)

• Andrew Morton: 2.6.0-test6-mm4. (October 7, 2003)

• Martin J. Bligh: 2.6.0-test6-mjb1. (October 7, 2003)

• Stephen Hemminger: 2.6.0-test6-osdl1. (October 2, 2003)

• Andrea Arcangeli: 2.4.23pre6aa1. (October 2, 2003)

• Andrea Arcangeli: 2.4.23pre6aa2. (October 6, 2003)

• James Bourne: 2.4.22-uv2 patch set released. (October 7, 2003)

Core kernel code

• Peter Aechtler: [1/2] posix message queues. (October 3, 2003)

• Peter Aechtler: [2/2] posix message queues. (October 3, 2003)

Development tools

• Robert Williamson: Linux Test Project October Release Announcement. (October 3, 2003)

Device drivers

• Long Nguyen: Updated MSI Patches. (October 6, 2003)

• Greg KH: USB fixes for 2.6.0-test6. (October 6, 2003)

• Jeff Garzik: libata update posted. (October 6, 2003)

• Gerd Knorr: v4l: videobuf update. (October 7, 2003)

• Gerd Knorr: v4l: saa7146 driver update. (October 7, 2003)

• Gerd Knorr: v4l: bttv driver update. (October 7, 2003)

• Gerd Knorr: saa7134 driver update. (October 7, 2003)

• David Brownell: [patch 2.6.0-test6] usbcore and driver model (0/3). (October 8, 2003)

• David Brownell: [patch 2.6.0-test6] rm interface.driver (1/3). (October 8, 2003)

• David Brownell: [patch 2.6.0-test6] usbfs updates (2/3). (October 8, 2003)

• David Brownell: [patch 2.6.0-test6] usbnet (3/3). (October 8, 2003)

• Greg KH: gadget serial driver -- patch for 2.6. (October 8, 2003)

Documentation

• H. Peter Anvin: Horribly overdue update to unicode.txt. (October 6, 2003)

Filesystems and block I/O

• Roman Zippel: new HFS(+) driver. (October 2, 2003)

• Tom Zanussi: relayfs (1/4) (Documentation). (October 8, 2003)

• Tom Zanussi: relayfs (2/4) (include files). (October 8, 2003)

• Tom Zanussi: relayfs (3/4) (VFS and scheme-specific code). (October 8, 2003)

• Tom Zanussi: relayfs (4/4) (public API and common code). (October 8, 2003)

Networking

• Jim Keniston: Net device error logging. (October 3, 2003)

• Netfilter Core Team: Release of iptables-1.2.9rc1. (October 8, 2003)

Benchmarks and bugs

• Christian Kujau: crypto benchmark results with 2.6.0-test6. (October 6, 2003)

• Mike Benoit: File System shootout.... (October 8, 2003)

Page editor: Jonathan Corbet

Distributions

News and Editorials

A Feature Tour of New Distribution Releases

A flurry of recent release announcements from Slackware, Mandrake and SUSE have created plenty of excitement, so characteristic of this time of the year, when many commercial Linux companies are finalizing their new products. What can we expect? At first sight, it would seem that this round of distribution releases lacks any visible advancements - at least compared to the March/April release round with the then new XFree86 4.3.0, KDE 3.1, new font anti-aliasing technologies, NPTL threading library, zeroconf and many other interesting features. Six months later, we have a new GNOME 2.4, as well as the first edition of the GNOME Office suite, version 1.0, but the much awaited 2.6 Linux kernel series is still in heavy development and so are XFree86 4.4 and KOffice 1.3, while KDE 3.2 has only just entered the alpha stage. Let's take a brief tour of the features found in the latest distribution releases.

Slackware Linux 9.1

Slackware Linux 9.1, released last week, is a pleasant surprise. Gone are the ugly default fonts from version 9.0 and the overall look and feel of both GNOME 2.4 and KDE 3.1.4, as well as half a dozen of other desktop environments is much improved. This is the first time ever that Slackware Linux ships on two installation CDs - despite the developers' best efforts, it is no longer possible to include the latest versions both GNOME and KDE together with a base Linux system on a single CD. The kernel is version 2.4.22 with support for SCSI and ATA RAID volumes, PCMCIA, CardBus, APM for notebooks and USB hotplug. Advanced package management tools for Slackware packages (slackpkg and swaret) are now included in the /extra directory, so keeping a Slackware installation up-to-date with security patches has never been easier. Also worth mentioning is "ZipSlack", claimed to be the fastest Linux installation ever: "ZipSlack provides a basic text-based Linux system as a 41 megabyte ZIP archive. Simply unzip on any FAT or FAT32 partition, edit your boot partition in the LINUX.BAT batch file, and you can be running Linux in less than five minutes." A highly positive early review of Slackware Linux 9.1 has been published by OSNews.

SUSE LINUX 9.0

SUSE has announced SUSE LINUX 9.0 with general availability on October 24 (slightly earlier in Europe). The occasion was accompanied by substantial design changes to SUSE's web sites, its logo, slogan and even the product name - from "SuSE Linux" to "SUSE LINUX": "As part of the overall effort to update our look, it was felt that upper casing all of SUSE LINUX brought more attention to the name." SUSE's new slogan is "Simply Change", which is: "on one hand a challenge to switch from monopolistic software to the flexibility of SUSE and on the other signifies how simple this shift can be."

On the technical side of things, the LSB-certified SUSE Linux 9.0 comes with a new NTFS partition resizing tool and a much improved -- especially in terms of compatibility with MS Office -- OpenOffice 1.1 final. The overall theme is that of an easy migration from Windows to Linux, both for home and office users. Other improvements include new features for mobile computer users, where the already excellent range of networking and power management features have been expanded by an increased number of supported Winmodems as well as a "profile manager" with a single-click hardware re-configuration for frequent travelers and commuters. The YaST setup tool now comes with a remote administration feature through a web browser and VNC. Last but not least, SUSE 9.0 also comes in a 64-bit edition for the Athlon 64 PC processor.

Mandrake Linux 9.2

MandrakeSoft has yet to provide a full release announcement of the upcoming Mandrake Linux 9.2, expected to ship on October 15, but its beta information page does give some details of what we can look forward to. Besides the usual range of package updates and a new network profiles manager called "Netprofiles", this version seems to be a consolidation release, with main improvements focusing on its look-and-feel, localization and Mandrake configuration utility - DrakConf. Like SUSE, MandrakeSoft has also announced a 64-bit edition of Mandrake Linux 9.2 for AMD64 processors and the first beta release is now available for download and testing.

Technical aspects aside, MandrakeSoft's most significant changes seem to be taking place in the way the company conducts its business. Up until version 9.1, Mandrake Linux ISO images were always available for download immediately after being finalized, and often many weeks before the boxed sets were offered for purchase via Mandrake's online store or traditional software shops. This is no longer the case. Although beta testing of Mandrake Linux 9.2 was completed last week, the product will not be released until boxed sets are manufactured and ready for shipping. Even then, the ISO images will initially be offered exclusively to members of the MandrakeClub and to contributors, with general availability scheduled for the end of November. These measures are designed to help MandrakeSoft overcome its financial setbacks and ensure a speedy recovery.

Comments (3 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for October 7, 2003 is out. This week: an amusing DivisionTwo.com article about a fictitious Barbie OS based on Debian; LPI certification manuals from LinuxIT now available under a free license; a look at emDebian; European conferences; and much more.

The Debian project will be at several conferences in Europe this month. Interested people are invited to attend these conferences and meet Debian developers and users.

Debian Planet reports that Russian Debian, a site for the Russian Debian community, is now online.

Comments (none posted)

Gentoo Weekly Newsletter

The October 6 Gentoo Weekly Newsletter is available; the main topic this time around is Gentoo performance metrics. "The conclusions we can glean from this are that the default optimizations in Gentoo Linux for Pentium III make a significant difference in in 'real world' application load-time performance."

Full Story (comments: 7)

Slackware Linux

Slackware Linux has a variety of bug fixes available for slackware-current. OpenSSL libraries have been rebuilt, followed by some applications using those libraries. Missing swat files in Samba have been fixed, and many other applications have been upgraded. See the change log for details.

Comments (none posted)

SUSE LINUX Unveils New Advertisement Campaign, Corporate Design and Logo

Here is a press release from SUSE LINUX explaining their new look.

Full Story (comments: 1)

Tawie Server Linux

Tawie Server Linux has released bug fixes for proftpd, rsync, rpm, release, and swup/swupconf.

Full Story (comments: none)

New Distributions

Linux Router Project

A new Linux Router Project - LR101 was started in the summer of 2003 with the goal of developing a real hardware based Linux router. The web site is in German, but there are PDF files available in English on the site, such as this English language info sheet (pdf format).

Comments (2 posted)

Phlak

Phlak is a LiveCD Linux distribution with a focus on pen-testing, forensics, and network analysis. It includes two lightweight GUIs (XFCE4 and Fluxbox) and loads of tools, including crackers, sniffers, MITM utilities, and data recovery and duplication utilities. It includes a seven-step GUI to install to your hard drive if you desire. The initial version, 0.1, was released October 1, 2003.

Comments (none posted)

Snootix

Snootix is a source-based distribution that installs Linux From Scratch and allows users to add BLFS and Snootix-specific packages of their choice. It features a number of game console emulators and more up-to-date packages than those featured in the BFLS book. The initial version, 0.1, was released October 5, 2003, followed by version 0.2 beta on October 6, 2003.

Comments (none posted)

Minor distribution updates

Bernhard's Bootable Linux CD

Bernhard's Bootable Linux CD (BBLCD) has released v0.7.10 with major feature enhancements. "Changes: The varimg.tgz file was created from a configuration file. Manual editing ("cleaning") of the /var-directory is no longer necessary."

Comments (none posted)

BG-Rescue Linux

BG-Rescue Linux has released v0.2.2 with minor feature enhancements. "Changes: This release adds ms-sys 1.1.0, a program that writes MS-compatible boot-records to fat12, fat16, and fat32 partitions/floppies. This makes BG-Rescue Linux a full backup/restore system for MS Windows up to ME. The optional F-Prot is now loaded before executing "/bgrescue.rc" and "/bgrescue/bgrescue.rc" from the CDROM at startup, so you can now automate the virus scanning of your system with the scripts."

Comments (none posted)

ClusterKnoppix

ClusterKnoppix has released v3.3-2003-09-24-EN-cl1 with minor bugfixes. "Changes: This release syncs with latest Knoppix release, updates gomd to 0.1beta, removes OpenOffice, upgrades gcc to 3.3.2, fixes the terminal server/etherboot bug, and adds a working bcm4400 driver."

Comments (none posted)

Devil-Linux

Devil-Linux has released v1.0-RC1. A few highlights include:

• enhanced Kernel security (GRSecurity)
• almost all program are compile with the stack smashing protector
• entire OS is on CD, only variable data is loaded into the ramdisk
• harddisk support for storage of large data or for permanent storage
• USB and PCMCIA support
• Spam and Virus Protection

Full Story (comments: none)

dyne:bolic

dyne:bolic has released v1.1 with major bugfixes. "Changes: This release fixes OpenMosix cluster configuration, unencrypted nesting, encryption support in mailsystem, and various other minor issues."

Comments (none posted)

Mepis Linux

Mepis Linux has released v2003.08.01 with major feature enhancements. "Changes: In this release, the contents of CD #1 and CD #2 were tweaked in response to user feedback. Now CD #2 contains 865 additional packages. This version also includes the MEPIS Installation Center, MEPIS Control Center, and MEPIS User Tweaks apps."

Comments (none posted)

NSA Security Enhanced Linux

NSA Security Enhanced Linux has released v2003100110 with major feature enhancements. "Changes: Kernel patches for 2.6.0-test6 and 2.4.21 are available. The updated kernel patches include support for an selinux boot parameter and improved auditing. A number of bugfixes and improvements have been integrated into the user space tools and utilities. SRPMs for newer Red Hat packages are available. The star package has been added. The example policy has been updated. Improvements have been made to existing policy tools, and a new policy analysis tool has been added."

Comments (none posted)

Oralux

Oralux has released v0.05 with major feature enhancements. "Changes: Based on Knoppix 3.3 (2003-09-24). Emacspeak Festival MBROLA (EFM) is included. It supplies English or French software synthesis. The Castillan Spanish or German files of the DECtalk software (a commercial voice synthesis) can be automatically installed. If the ALSA driver is required, the ALSA cheatcode will be typed once, and will be automatically restored for the following boots. The introductory menu is now available in 4 languages (Castillan Spanish and German have been added)."

Comments (none posted)

Quantian

Quantian has released 0.4 (which is identical to 0.3.9.3).

Full Story (comments: none)

Sentry Firewall

Sentry Firewall has released v1.5.0-rc5 with minor feature enhancements. "Changes: Snort, OpenSSH, OpenSSL, sendmail, and ProFTPD were upgraded. The default Linux kernel was updated to include the bridge+netfilter patches. The ebtables utility was also added."

Comments (none posted)

stresslinux

stresslinux has released v0.2.6 with major bugfixes. "Changes: Busybox, lshw, smartmontools, netio, openssl, and openssh have been upgraded to new versions. A new Tyan S2723 sensors.conf and three new mainboards in sl-wizard have been added."

Comments (none posted)

TopologiLinux

TopologiLinux has released v4.0Beta1 with major feature enhancements. "Changes: This release is based on Slackware 9.1rc2, and a new boot manager for Windows NT/XP is included. KDE and kernel source are temporary removed in this beta version, and will be back with many other apps in the final 4.0 release."

Comments (none posted)

Distribution reviews

Mepis Linux Developer Interview (PCLinuxOnline)

PCLinuxOnline interviews Mepis Linux creator Warren Woodford. "I plan to use MEPIS LLC to develop new technologies and business opportunities in the Morgantown area. MEPIS Linux is a labor of love and I don't know if it will be commercially successful. I'm building MEPIS to work the way I want Linux to work. Want you see now, is just a start."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Linux Brochure Project

The first stable version (1.0.0) of the Linux Brochure Project, an application that is used for the generation of Brochures, has been announced.

The project was conceived by a small group of developers working with the Victoria Linux Users Group (VLUG). The group needed to build and maintain a Linux Information Brochure, and decided to package and release their efforts.

The LBP is composed of a collection of existing open-source packages: "The software consists of LaTeX and pdfLaTeX scripts; Sketch input files; and a Makefile to keep the brochure build organized."

The project documentation also mentions the use of ps2eps, pstops from the ps-utils package, and montage from the ImageMagick suite. In other words, LBP is an example of a solution to a specific task that is built from a collection of general purpose open-source tools.

A few example brochures exist, more are apparently on the way.

The Linux Brochure Project has been released under the GPL, the code is available here.

Comments (8 posted)

System Applications

Audio Projects

Ogg Traffic

The September 30, 2003 edition of Ogg Traffic is out with the latest Ogg Vorbis audio compression software news. "The bad news is that Vorbis 1.0.1 is being held hostage by Win32 build problems, but the good news is that Monty is already bravely charging ahead to work on Vorbis 1.1."

Comments (none posted)

Planet CCRMA news

The latest changes from the Planet CCRMA audio application packaging project include new versions of Anjuta, Libzvt, and Snd.

Comments (none posted)

Database Software

MetaCoretex DB Security Scanner

The initial public release of MetaCoretex, a database capable security scanner, has been released.

Full Story (comments: none)

PostgreSQL Beta4 Tag'd and Bundle'd ...

The Beta 4 release of PostgreSQL 7.4 is available. "This release, depending on the bug reports received, will most likely flow into our first Release Candidate by end of next week, so we encourage every(and any)one that can to download and test her, so that our first Release Candidate can be as clean as possible ..."

Full Story (comments: none)

PostgreSQL Weekly News

The October 8, 2003 edition of the PostgreSQL Weekly News is out with the week's PostgreSQL database news.

Full Story (comments: none)

SwingSet 0.5.0-alpha released

Version 0.5.0-alpha of SwingSet, a Java toolkit that makes the Java Swing components database-aware, has been released. For more information, see this NewsForge review. Thanks to Brian E. Pangburn.

Comments (none posted)

ZODB 3.2 release candidate 1

Version 3.2 rc 1 of ZODB, the Zope Object DataBase, has been released. This version features improved performance, a new ZEO authentication protocol and configuration language, bug fixes and documentation updates.

Full Story (comments: none)

Mail Software

New milter mail filters

The milter.org site has an announcement for new versions of the milter-sender, milter-spamc, and milter-date mail filters for sendmail.

"milter-sender has a new -M option that will probably replace FullCallback and -m, better support for virtual users under Cyrus IMAP, and several fixes."

"milter-spamc has a new -A and -R options. The -R option is of significant interest since it patches Sendmail 8.12.10 to support a new type of libmilter return code: "

"milter-date likewise has a new -R that uses the same patch from milter-spamc."

Comments (none posted)

Networking Tools

Big Sister NUT UPS monitoring module released (SourceForge)

A new UPS monitoring module is available for the Big Sister SNMP aware network and system monitor. "The "nut" module monitors uninterruptable power supplies under control of the NUT (Network UPS Tools) free software suite. It sends alerts on power breakages, overload and battery problems. The longterm graphing may point you to battery aging problems."

Comments (none posted)

Purify 0.1 released

The initial release of Purify has been announced. Apparently, IBM also has a project with the same name, so the search is on for a new name. "Purify is a graphical tool used to make the management of PureFTPd a little easier. It uses the GTK+2.x widgets for its GUI and thus are not dependent on a specific desktop environment such as GNOME or KDE. It is, however, designed with the GNOME Human Interface Guidelines in mind so it should integrate nicely with at least GNOME."

Comments (3 posted)

Web Site Development

Bricolage 1.6.6 Released

Version 1.6.6 of Bricolage, a web site content management and publishing system, has been released. "This maintenance release addresses a number issues discovered since the release of version 1.6.5."

Full Story (comments: none)

HarvestMan 1.2 released

Version 1.2 of HarvestMan, a Python-based web crawler, is available.

Full Story (comments: none)

Introducing mod_python (O'ReillyNet)

Gregory Trubetskoy introduces mod_python on O'Reilly. "mod_python is an Apache module that gives Python programmers full access to the Apache API. If that's not enough, it can speed up your Python web programming substantially."

Comments (none posted)

Miscellaneous

The first stable Xen release

The first stable release of the Xen "virtual machine monitor" has been announced. Xen is an x86 emulation system that allows the running of multiple operating systems simultaneously; it serves a function similar to, for example, VMWare or Bochs. The project's developers claim just "a few percent" overhead, however, making Xen rather faster than the alternatives. There is a Linux 2.4.22 kernel running over Xen now; FreeBSD and Windows XP are in the works. Click below for the announcement, or see the Xen web page for more information.

Full Story (comments: 6)

Desktop Applications

Audio Applications

jackEQ 0.3.3 released

Version 0.3.3 of jackEQ, an audio equalizer for the JACK audio system, has been announced. "This is just to let those who are interested know that I just commited some fixes which greatly improve the sound quality in jackEQ and allow the crossfaders to be fully functional including mute and all fader options. Apart from being able to internally assign jack i/os I feel this version qualifies for professional mixing use."

Full Story (comments: none)

WaveSurfer 1.5.4 released

Version 1.5.4 of WaveSurfer, an audio editing package, is out. The changes include a menu reorganization, help system improvements, and more.

Comments (none posted)

Desktop Environments

XFree86 4.4.0 Release Schedule

The release plans have been published for version 4.4.0 of the XFree86 window system.

Comments (none posted)

KDE Under The Microscope

KDE.News covers a couple of studies done on the KDE project. "While the KDE project continues to research and develop the ideal desktop environment, the KDE community and development processes itself have been researched and examined by two different efforts: Christian Reinhardt of University of Innsbruck chose to study KDE for his "Collaborative Knowledge Creation in Virtual Communities of Practice" Master's thesis." The article also contains excerpts from another study of the KDE project.

Comments (3 posted)

Wallpaper Tray 0.4.0 Released (GnomeDesktop)

Version 0.4.0 of Wallpaper Tray, a wallpaper manager, is available for GNOME.

Comments (none posted)

KDE-CVS-Digest

The October 3, 2003 edition of the KDE-CVS-Digest is online. Here's the content summary: "Quanta gets a table editor. KSvg improves with new gradient algorithms. KStars implements suggestions from the KGUS, aka K Girlfriend Usability Study. Many bugfixes in KMail, KHTML and elsewhere."

Comments (none posted)

KDE Traffic

KDE Traffic has come out in two parts this week. The KDE.News summary for part 1 says: "This issue covers KDE 3.2, KDE 3.1.4, apidox, KMail, audiocd, db-aware applications, giving KDE a flak jacket, Jabber, JPEG, and more."

The part 2 summary says: "This traffic contains news on KPovModeler, the kdesupport module, Konqueror (what issue would be complete without it?), KMail, KPaint and last but not least, giant pink fluffy bunnies. OK, nix the bunnies, but it's still a decent issue."

Comments (none posted)

Desktop Publishing

Conglomerate 0.7.5 released

Conglomerate version 0.7.5 ("Now you see it, now you don't") has been released. Conglomerate is an XML editor which we reviewed just over a month ago. This version is still considered to be unstable, but it does address one of the major issues we had with 0.7: Conglomerate now has an "undo" feature. A number of other improvements have gone in as well; see the announcement for details.

Full Story (comments: none)

Games

PCGen 5.3.11 is available (SourceForge)

A new version of PCGen, a cross-platform Java-based RPG character generator and maintenance program, has been announced.

Comments (none posted)

Graphics

GIMP 1.3.21 released (GnomeDesktop)

GnomeDesktop.org mentions the release of version 1.3.21 of the GIMP, the GNU Image Manipulation Program. "The GIMP developers have released a new development snapshot, version 1.3.21 aka the path to excellence release. Among numerous bug-fixes, this release features an improved path tool with SVG import/export and much nicer path stroking based on libart2."

Comments (1 posted)

Mail Clients

Mozilla Gains Support for Adding and Editing vCards (MozillaZine)

MozillaZine reports on new support for vCards in Mozilla Messenger. "A vCard is like a business card attached to your message as a .vcf file."

Comments (none posted)

Office Suites

OpenOffice.org Newsletter

The October OpenOffice.org newsletter is out; it looks at the 1.1 release, the new Community Council, the QA project, and a vast number of other topics. "45,0% of the respondents in a German online survey (Computerwoche) say that their company will switch to StarOffice or OpenOffice.org instead of Office 2003."

Full Story (comments: none)

Web Browsers

Epiphany 1.0.1 released (GnomeDesktop)

GnomeDesktop.org has an announcement for version 1.0.1 of the Epiphany web browser for GNOME. "This new release features numerous bugfixes and support for mozilla 1.4.1 and 1.6a."

Comments (none posted)

Minutes of the mozdev Admin Meeting

The minutes have been posted from the October 6, 2003 Mozdev admin meeting. Topics include: abandoned projects, backups, non-profit status, admin tools, spam, and integrated projects.

Comments (none posted)

Word Processors

AbiWord Weekly News

Issue #164 of the AbiWord Weekly News is available. "This week's concept is flow control, specifically, writing over images and around tables, gold stars if you can guess how that affects the development our favourite presentation programme, criawips! Win32 still suffers without aide. Marc brings us the fine world sweet, sweet SVG rendering (with screenshot!). And, why you should worry about Fedora (unless your an archeologist). Plusse, have you ever seen me write in another linguie? Well, here's proof that you're hallucinating!"

Comments (none posted)

Miscellaneous

Arkpandora TTF - The MS Webfonts Replacement (GnomeDesktop)

GnomeDesktop.org mentions the availability of the Arkpandora font set. "Many people are still getting (by whatever means) the core MS fonts for their Linux Desktop. This project is meant to be as a replacement for some of these main fonts. They have been designed to match similarly with the fonts they replace."

Comments (none posted)

Languages and Tools

C

Manipulating Fixed-Width Integer Data Types (O'ReillyNet)

Michael Barr writes about fixed data size issues and the ISO C99 standard on O'Reilly. "In the process of manipulating memory-mapped I/O registers, embedded programmers who use C or C++ often require fixed-size integer data types that aren't provided by the language standards. Here's a new look at this old problem, complete with a final solution to the issue of naming fixed-width integer data types."

Comments (none posted)

Caml

Caml Weekly News

The September 30 - October 7, 2003 edition of the Caml Weekly News is out with another week of Caml language news, links, and projects.

Full Story (comments: none)

The Caml Light / OCaml Hump

New Caml language software on The Caml Light / OCaml Hump includes the CamlTemplate template processor library, a ViM extension for parsing .annot files, and OX for integration of XML into Objective-Caml.

Comments (none posted)

Java

IRClib 1.01 (SourceForge)

Version 1.0.1 of IRClib has been announced. "IRClib is a Java library for IRC client applications." This is a bug-fix release.

Comments (none posted)

Advanced DAO programming (IBM developerWorks)

Sean C. Sullivan illustrates the use of Data Access Object patterns on IBM's developerWorks. "J2EE developers use the Data Access Object (DAO) design pattern to separate low-level data access logic from high-level business logic. Implementing the DAO pattern involves more than just writing data access code. In this article, Java developer Sean C. Sullivan discusses three often overlooked aspects of DAO programming: transaction demarcation, exception handling, and logging."

Comments (none posted)

Lucene Intro (O'Reilly)

Erik Hatcher introduces Jakarta Lucene, a Java-based text search engine. "Lucene is a high-performance, scalable, search engine technology. Both indexing and searching features make up the Lucene API. The first part of this article takes you through an example of using Lucene to index all the text files in a directory and its subdirectories. Before proceeding to examples of analysis and searching, we'll take a brief detour to discuss the format of the index directory."

Comments (none posted)

Lisp

SBCL 0.8.4 released

Version 0.8.4 of Steel Bank Common Lisp (SBCL) has been released.

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The September 29 - October 6, 2003 edition of This Week on perl5-porters has been published. Topics include: a few Perl 5.8.1 bugs, hidden dependencies, a bleadperl snapshot, documentation patches, 64 bit configurations, and more.

Comments (none posted)

Identifying Audio Files with MusicBrainz (O'Reilly)

Paul Mison shows how to access the MusicBrainz audio CD database with Perl. "During 1999 and 2000, however, the CDDB (after its acquisition by Gracenote) moved from an open position (with GPLed downloads of its data files) to a proprietary one. During this time it stopped access to clients speaking the first version of the CDDB protocol, and instead moved to licensing -- at some cost -- CDDB2 clients, and stopped offering downloads of its data. However, a few projects started up, taking advantage of the data that had been freely available until this point. One of these was FreeDB, which quickly established an open replacement for the CDDB. The other is MusicBrainz, which is much more interesting."

Comments (1 posted)

PHP

Apply probability models to Web data using PHP (IBM developerWorks)

Paul Meagher explains probability modeling on IBM's developerWorks. "To help developers learn to fit the benefits of probability modeling into Web application development, Paul Meagher introduces you to basic concepts, techniques, and PHP-based tools that define the area of probability modeling and probability distributions. He demonstrates how to develop univariate probability models in PHP; discusses how to fit empirical data distributions to a theoretical probability distribution; and showcases an important tool for all this -- the Probability Distributions Library (PDL)."

Comments (none posted)

PHP Weekly Summary for October 5, 2003

The PHP Weekly Summary for October 5, 2003 is out. Topics include: 4.3.4 RC 1, error message length, array_merge_replace, array_merge_recursive, SAPI input filter.

Comments (none posted)

Modular PHP Development with FastTemplate (O'Reilly)

Daniel Solin writes about FastTemplate on O'Reilly. "I don't know about you, but all these documents about dividing web programming into logic, presentation, and content always irritate me. Most of them miss an important point: often at least three people develop a web page--the programmer (i.e, the PHP or Perl guru), the web designer who provides the presentation (the HTML designer), and the content developer (perhaps a marketing person). If you're working for a multilingual company, you probably have to make the pages available in several different languages as well, with one marketing person responsible for each language. Most documentation on this subject tends to forget, or at least doesn't bother to notice, either the web designer or the marketing person."

Comments (none posted)

Python

Python 2.3.2 (final) released

The final release of Python 2.3.2 is available. "Python 2.3.2 is a bug-fix release, to repair a couple of build problems and packaging errors in Python 2.3.1."

Full Story (comments: none)

Dr. Dobb's Python-URL!

The Dr. Dobb's Python-URL for October 2, 2003 is available, with weekly news and links for the Python community.

Full Story (comments: none)

Python Glossary Wiki

A new Python glossary wiki is being assembled. "This is a Wiki used to collect terms for a Python glossary. For the time being, simply edit this page and add your definitions. Once it's got enough terms, I'll add a glossary section to the appropriate piece(s) of Python documentation (perhaps at the back of the Language Reference Manual)."

Comments (none posted)

Dive Into Python 4.3

Version 4.3 of Mark Pilgrim's online Python book Dive Into Python is online. "This book is still being written. The first three chapters are a solid overview of Python programming. Chapters covering HTML processing, XML processing, and unit testing are complete, and a chapter covering regression testing is in progress." See the book's revision history for a list of new contents.

Comments (none posted)

Tcl/Tk

This week's Tcl-URL

Dr. Dobb's Tcl-URL for October 6 is out with the usual collection of happenings in the Tcl/Tk development community.

Full Story (comments: none)

Cross Compilers

Alpha Release 2.90 of GDC for 68HC11/68HC12

For those of you who are interested in developing microprocessor applications under Linux, release number 2.90 Alpha of the GNU Development Chain for 68HC11 & 68HC12 is available. "It is based on Binutils 2.14, Gcc 3.3.1, Gdb 5.2.1 and Newlib 1.11.0."

Comments (none posted)

Debuggers

GDB 6.0 released

Version 6.0 of the GNU debugger (GDB) has been released. The project website has still not been updated as of this writing, but the announcement can be found in the download area. There's a lot of new stuff in this release, including Objective C support, "useable" Java support, the ability to work with the new Native POSIX Threads and thread-local storage, the ability to separate executables and debugging symbol information, and much more. (Thanks to Marko Myllynen).

Comments (5 posted)

Editors

Leo 4.0 beta 2 released (SourceForge)

Version 4.0 beta 2 of Leo has been announced. Leo is a Python scriptable cross-platform programmer's editor, browser, data organizer, and project manager. This release includes quite a few bug fixes.

Comments (none posted)

Miscellaneous

Corejava Release 1.1.1 (SourceForge)

Version 1.1.1 of Corejava has been released with some minor improvements and bug fixes. "It contains Java source code for Z annotated syntax trees, reading and writing XML files etc." Z is the Z specification language, see the Community Z Tools (CZT) site for more information.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Seth Nickell on Replacing the Aging Init Procedure on Linux (OSNews)

OSNews talks with Seth Nickell about his current projects. "Seth Nickell: I'm planning to fully replace the init system, not just bridge to it. I *am* providing full backward compatibility with initscripts (SystemServices can use them), but of course they will only offer as many features as initscripts already have written into them (not much :-)."

Comments (27 posted)

After Sun goes out (NewsForge)

NewsForge has an essay by Eric S. Raymond on the Sun's future. "Nobody should cheer the prospect of Sun's demise. Sun screwed up some major decisions very badly, from wrecking Unix standardization efforts in the 1980s to throttling the dream of Java ubiquity by keeping the language proprietary. But nobody should forget that Sun was founded by Unix hackers for Unix hackers. For most of its lifespan Sun remained the archetype of an engineering-driven company. Sun was, mostly, among the good guys; to hackers and geeks, disputing with Sun was almost a family quarrel."

Comments (28 posted)

Open-Source, Closed Minds (CIO Insight)

Lawrence Lessig wrote this article on CIO Insight. "The point in each case is not that we'd be better off without proprietary technology, or without property at all. The point, instead, is one that has been obvious since the birth of our republic--that a balance between proprietary and nonproprietary property is better than either extreme. As Bradford Smith, general counsel of Microsoft Corp. has written about software, "Both open-source and commercial software are integral parts of the broader software ecosystem." Either alone, I might add, would produce a weaker "software ecosystem.""

Comments (6 posted)

Trade Shows and Conferences

Free software in Russia? Da! (NewsForge)

NewsForge takes a look at Linux in Russia. "In July, more than 200 Linux enthusiasts from across the former Soviet Union met up in Borovsk in Russia's Kaluga region -- in other words, in the middle of nowhere -- for Linuxfest. Linux devotees from as far away as Kazakhstan and Ukraine showed up to pitch tents in the woods and share experiences and expertise. The informal weekend conference has become an important annual event for open sourcers here, underscoring how the movement remains as much about philosophy and community as about making money."

Comments (none posted)

The SCO Problem

SCO's case gets clearer (CNN)

CNN looks at the SCO case from an investor's point of view. "SGI's code comparison gave observers their first glimpse of how much infringement there actually is. Granted, SGI's tests don't carry the same weight that a neutral party's might (SGI is due to lose its SCO Unix license on Oct. 14 unless the companies can reach an agreement), but the 200 lines of infringing code SGI found is a far cry from SCO's claim of 119,130 infringing lines. In SCO's suit against IBM, it claims 'over a million' lines of infringing code."

Comments (11 posted)

Companies

AOL Lays Off Netscape/Mozilla Transition Team (MozillaZine)

MozillaZine reports on the layoff of the last Netscape employees by AOL. "AOL has not completely ended its involvement with the Mozilla project yet - the transition is not entirely complete and the online giant has promised to give the Mozilla Foundation $1 million in addition to the $1 million donated so far. All the members of the transition team are expected to be hired by the Mozilla Foundation in the next few weeks."

Comments (none posted)

VeriSign fends off critics at ICANN confab (News.com)

News.com's Declan McCullagh went to the special ICANN meeting on VeriSign's "SiteFinder" service, and has written this report. "But VeriSign made clear during the open meeting convened by ICANN's Security and Stability Advisory Committee that it had no intention of turning Site Finder off for good. Executives from the company said they were considering turning on Site Finder again but disabling the 'wild card' service for e-mail deliveries to nonexistent domains..." Declan has also posted a set of photos from the meeting.

Comments (10 posted)

Linux Adoption

Some like it cold (Economist)

The Economist looks at technology spending trends. "The hottest 'cold' technology is Linux, an operating system that comes free, except for maintenance costs. In March, Forrester, an IT consultancy, found that 72% of corporate IT managers were intending to move their server-computers to Linux from Microsoft and Unix software."

Comments (6 posted)

Interviews

Interview: SCO sets out its defence (PC Pro)

PC Pro interviews SCO PR director Blake Stowell. "Linux users need to respect the copyrights that SCO has that they are infringing upon.... Can the community replace the code in question? They can certainly try, but programs like NUMA, RCU, JFS, XFS and others have taken multiple years to develop and would be very difficult to replace overnight." Of course, SCO has no copyrights over the subsystems ("programs") listed by Mr. Stowell...

Comments (47 posted)

Interview with Jeroen Wijnhout of Kile (KDE.News)

KDE.News interviews Jeroen Wijnhout, maintainer of the TeX/LaTeX editor and GnuPlot frontend Kile: "programming is alot of fun and even more so if you can work on a program that is used by many people all over the world. Editing TeX/LaTeX source files can be a pain sometimes and, since I love KDE so much, it would be a pity if there wouldn't be a tool available for KDE."

Comments (none posted)

Building an open source-based business in Jordan (NewsForge)

NewsForge talks with Kefah Issa about building an open source business in Amman, Jordan. "Your desktop looks slick. Is it Arabic-only, or something I should look at/test/review in English? (It looks a lot like Lycoris. Or is that just the background image and icons?) And are many individual or corporate customers using it yet?
It is not Arabic only, but it targets the Arab corporate users specifically. freeDESKTOP introduces Arabic enhancements (fonts, Arabic-supporting software, and several fixes). The look and feel is important to minimize the learning curve. We also have plans to certify freeDESKTOP against ICDL (International Computer Driver's License), a common education certification in Jordan."

Comments (none posted)

Interview with the Master Chef of Linux Cuisine, Marcel Gagne (Tinyminds)

Tinyminds.org interviews Marcel Gagne about his new book, which is about moving to Linux. "MG: I've been using Linux for so long, and before Linux I was a Unix user. I have to admit that if I'm going to be moving a number of files from one directory to another, I'm not going to bring up a graphical interface and click on this and that. It is so much easier for me to just type in "mv blah blah". I had to train myself, in the course of writing "Moving to Linux", to think like a Windows user."

Comments (none posted)

Resources

Quickly Create Graphical Applications with SashXB (Linux Journal)

Here's a Linux Journal how-to on using SashXB to create graphical applications. "You can't write ultra-complex code or fast embedded applications with SashXB. SashXB is a good choice, however, for any small networked graphical programming project."

Comments (none posted)

Reviews

Mozile: What You See is What You Edit (O'ReillyNet)

Conor Dowling reviews Mozile on O'Reilly. "Today, developers compose most of the Web in stand-alone web editing applications or in simple text editors. Modern browsers render, but they don't allow users to edit what they see. There is no fundamental reason for this gulf between editing and viewing. After all, the Web is about interaction, not dumb page flipping, so you should be able to hit "edit" in your favorite browser and manipulate content as easily as you view it, WYSIWYG-style. Mozile, which stands for Mozilla Inline Editor, is a new Mozilla plug-in for in-browser editing. This article provides an overview of Mozile and what in-browser editing means today."

Comments (none posted)

An introduction to Mozilla Firebird (Nidelven IT)

Kay Frode reviews the Mozilla Firebird on Nidelven IT. See part one and part two in the series.

Comments (none posted)

Mad Hatter Preview (Linux Voodoo)

Linux Voodoo reviews the Mad Hatter desktop preview. "This Sun Java Desktop System is a good product overall, built on the well-established SuSE system with integration from Sun. It delivers what appears to be a very useful desktop OS and it has the chance to make a dent in the Windows monopoly. The same holds true for all of the key Linux players though, so Sun will have to differentiate itself on its quality, hardware, services and reputation."

Comments (5 posted)

pcHDTV: for the Linux geek on your shopping list (NewsForge)

NewsForge looks at the HD-2000 High definition TV card for Linux. "HDTV, in case you haven't kept up, is to regular TV what the monster mega-pixel digital cameras available today are to the first digital cameras made a few years ago. More mega-pixels means a picture that is bigger, sharper, and clearer. Oh, and HDTV includes 5.1 channel Dolby digital sound as well. There is a wonderful article about how HDTV differs from regular TV on howstuffworks.com if you're interested in learning more."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

SourceForge.net update (SourceForge)

The folks at SourceForge.net have published their September 30, 2003 news update. "SourceForge.net is approaching its 4-year birthday. Forty-six months ago the site started off with only a handful of second-hand computers, two megabits of bandwidth, a few hundred projects, and a goal. The goal was, and continues to be, to create a place for Open Source projects and the Open Source community to thrive and be successful. When we launched the site, we never dreamed that it would be so successful, or that its growth rate would be so high. Today, we host nearly 70,000 projects on 85 computers. The amount of bandwidth we consume at any one time, including the mirrors, is approximately 225 megabits. We continue to add about 700 new users and 70 new projects per day. In fact, we just crossed our 700,000 registered user milestone."

Comments (none posted)

Commercial announcements

IBM brings Linux to British and Russian governments

IBM has sent out two press releases describing its latest governmental Linux deals. The first release describes nine "proof of concept pilots" being run by the British Office of Government Commerce and Office of the eEnvoy. The pilot programs are meant to support the Offices' policy of increasing use of free software as an alternative to proprietary offerings. "These initial trials are being run by IBM and will measure the effectiveness and cost-benefits of IT systems based on OSS products, when compared against proprietary software solutions". In Russia, instead, IBM is setting up a Linux "competency center" in Moscow. "The new center will be set up to help customers of every size from industry, academia and government to take full advantage of the reliability, flexibility and total cost of ownership that Linux provides."

Comments (1 posted)

Jupitermedia Announces Sponsors for Its Enterprise Linux Forum

Jupitermedia Corporation has announced the sponsors for its Enterprise Forum Conference & Expo this Fall. Oracle, IBM, Red Hat and NetIQ will sponsor the event.

Comments (none posted)

Linux Networx Provides Cluster for John Deere

Linux Networx has announced that it has sold a Linux-based cluster to John Deere, a tractor and heavy equipment manufacturer. "John Deere is using the Linux Networx cluster for advanced engineering analysis including computational fluid dynamics and structural finite element analysis. The cluster has demonstrated improved computing performance for the company, performing several classes of analysis jobs at more than double their previous speed."

Comments (none posted)

SuSE launches Standard Server 8

SuSE has announced the expansion of the SUSE LINUX Server family with the release of SUSE LINUX Standard Server 8 - aimed at small and medium-sized businesses. "Available for Intel and AMD 32-bit processors (x86) and supporting up to two CPUs, SUSE LINUX Standard Server 8 includes features such as Internet access, e-mail, file and print services, plus graphical configuration wizards - enabling Linux novices in small and medium-sized organizations to easily set up the server as a Windows domain controller, file and print server in Windows environments, Internet gateway, E-Mail server, application server, DNS server and DHCP server."

Full Story (comments: 3)

New Books

"The Art of UNIX Programming" by Eric S. Raymond Released

Addison-Wesley has announced the release of "The Art of UNIX Programming", by Eric S. Raymond.

Full Story (comments: 20)

Resources

EFFector 16.26

The Electronic Frontier Foundation has sent out issue 16.26 of its EFFector newsletter. This one features the EFF's report on trusted computing, library book tagging, a new report on the DMCA ("still damaging after all these years"), and several other topics.

Full Story (comments: none)

LDP Weekly News

The Linux Documentation Project Weekly News for October 7, 2003 is available with a look at new and updated documentation, HOW-TOs and more.

Full Story (comments: 2)

Linux Gazette #95

Linux Gazette issue 95 for October 2003 is now available. Some of the articles in this edition: Quick and Dirty Data Extraction in AWK, by Phil Hughes; Integrating Tomcat and Apache on RedHat 9, by Mike Millson; Linux Through an Oscilloscope, by Pramode C.E; Software Engineering, by Gustavo Rondina; Mexico is conquered by FLOSS, by Felipe Barousse Boue; and more, plus the usual monthly features.

Comments (none posted)

Contests and Awards

2003 Linux Medical News Achievement Award Nominees (LinuxMedNews)

LinuxMedNews has posted its list of 2003 Achievement Award nominees. They are the care2x project, and doctors Thomas Beale, David Kibbe, and Stanley Saiki Jr. The list is a good view of what kind of work is being done in the area of free medical software.

Comments (none posted)

Event Reports

Report from the SCO road show

"Compactible Dave" reports from SCO's road show in Toronto. "During the 'we be so profitable' section of the spiel, one reseller in the crowd asked 'where does the money come from?' The response was largely a pointer to the SCO source initiative. The response? 'What you are profitable in will not make me profitable.'"

Comments (2 posted)

Upcoming Events

CONASOL Call-for-Papers (GnomeDesktop)

GnomeDesktop.org mentions the upcoming CONASOL conference. "The Congreso Nacional de Software Libre call-for-papers is up now. The conference will be held in Talca, Chile, on November 10-12 2003. Rodrigo Moya and Federico Mena, from the GNOME project, will be speaking."

Comments (none posted)

Lightweight Languages 2003

Presentation proposals for the Lightweight Languages 2003 conference are due in by October 17, 2003. The conference will take place on November 8 at MIT in Cambridge MA.

Comments (none posted)

Linux.Conf.Au 2004 program posted

The schedule for Linux.Conf.Au 2004 has been posted. The conference has gone to a four-track program this year with a number of interesting talks. There are also several single-topic "miniconfs" happening before the main event; see the announcement for details.

Full Story (comments: none)

GNU/LINUX Free software and copyright seminar, Finland

A GNU/LINUX Free software and copyright seminar has been announced in Finnish and in English. The event will take place in Vaasa, Finland on October 22 and 23, 2003. Thanks to Niklas Vainio.

Comments (none posted)

Events: October 9 - December 4, 2003

Date	Event	Location
October 12 - 15, 2003	International Lisp Conference 2003(ILC 2003)	New York, NY
October 14 - 16, 2003	10th Linux-Kongress	Saarbrücken, Germany
October 15 - 17, 2003	The First Plone Conference	(Tulane University)New Orleans, Louisiana
October 21 - 24, 2003	PHP-Con West	Santa Clara, CA
October 22 - 23, 2003	Enterprise Linux Forum	(Washington Convention Center)Washington, D.C.
October 26, 2003 October 27 - 31, 2003	Large Installation Systems Administration Conference(LISA)	(Town & Country Resort Hotel)San Diego, CA
October 27 - 29, 2003	LinuxWorld Conference & Expo 2003	(Fairgrounds Frankfurt)Frankfurt, Germany
October 29 - 31, 2003	Asian Enterprise Open Source Conference(AEOSC)	(Suntec International Convention and Exhibition Centre)Singapore
October 30 - 31, 2003	4to Encuentro Linux	Valparaiso, Chile
November 2 - 3, 2003	International PHP Conference 2003	(Astron Hotel Frankfurt-Mörfelden)Frankfurt, Germany
November 6 - 7, 2003	HiverCon 2003	(Davenport Hotel)Dublin, Ireland
November 6, 2003	Netherlands Unix Users group fall conference	(Conference Center De Reehorst)Ede, the Netherands
November 8, 2003	Lightweight Languages 2003(LL3)	(MIT)Cambridge MA
November 10, 2003	Desktop Linux Conference	(Boston University Corporate Education Center)Tyngsboro, Massachusetts
November 10 - 11, 2003	Congreso Nacional de Software Libre(CONASOL)	(Universidad de Talca)Talca, Chile
November 14 - 16, 2003	Third International Ruby Conference	(Red Lion Hotel)Austin, Texas
November 16 - 19, 2003	ApacheCon 2003	Las Vegas, Nevada
November 22, 2003	Southern California Linux Expo(SCALE)	(Los Angeles Convention Center)Los Angeles, CA
November 24 - 26, 2003	Open Standards and Libre Software in Government Conference(EGOVOS 3)	Paris, France
December 2 - 4, 2003	Linux Bangalore/2003	Bangalore, India

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

• Sorted alphabetically,
• Sorted by license.

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Only a fool would believe a Microsoft study after this!

From:		Leon Brooks <leon-AT-cyberknights.com.au>
To:		lwn-AT-lwn.net
Subject:		Only a fool would believe a Microsoft study after this!
Date:		Thu, 9 Oct 2003 00:19:52 +0800

This Microsoft-sponsored Microsoft-engineered report caught my eye, but 
a few things in it really were outstanding, and I mean outstanding like 
large lime green and orange paint squares chequerboarded onto a Rolls.

    http://www.veritest.com/clients/reports/microsoft/mssmbiz.pdf

The "Linux consultants" mentioned in this study wanted 24 programmer 
hours to be able to automatically email out server stats?

    unlike Windows SBS 2003, the monitoring and reporting solution
    used for Red Hat Enterprise Linux ES did not support sending
    performance and usage reports to an email address at regular
    intervals. Linux consultants estimated that this support could
    be added through custom scripting at a cost of 24 hours of
    development time.

urpmi wget metamail
cat > send-usage-updates.sh
    #!/bin/sh
    #
    # send usage charts by email
    # works OOtB for MRTG, RRDtool and Webalizer but for the URL
    # might want to change to and from addresses to suit
    #
    SCRATCH=/tmp/stats-$!.tmp
    mkdir $SCRATCH
    cd $SCRATCH
    wget -nH -nd -p http://url.of.stats/page/index.html
    metasend -F tux-AT-propaganda.morons.inc -z -t billg-AT-morons.inc \
      -s "Stats for $(hostname) at $(date)" -e base64 -b \
      -D "Stats for $(hostname) at $(date)" -f index.html -m text/html \
      $(ls *.png | gawk '{ print "-n -m image/x-png -D image -f",$1 }'
    cd
    rm -rf $SCRATCH

Seventeen minutes including testing ("yup, them's my server stats"), 
while doing other stuff in background. Gawrsh, that was hard. AUD$34.00 
at my normal rates, except I have a one-hour minimum.

I guess I have to charge AUD$120.00*24*60/17 == AUD$10165.00 an hour for 
programming time now, to stay on the same efficiency level as 
Microsoft's amazing Linux consultants.

If our performance ratios are generalisable, it would have taken me two 
minutes and three steps to do the Linux OEM install, three minutes and 
four steps for the full install (roughly 29 and 75 times faster than 
Microsoft SBS 2003, respectively).

I'm not quite that good, just ask anyone who knows me, but experience 
tells me that whacking in an enterprise edition of Mandrake 9.1 as far 
as Step 1 with Yes against every single feature listed for both 
platforms, plus a whole lot more, takes about 35 minutes for a single 
internet domain on a dual P3-1000 box with 2GB of RAM and paired 18GB 
SCSI hard drives.

With Wayne's permission, I can show you that box running thin clients 
today. This is not a theory.

I'm not a Red Hat fan, but I don't understand how Microsoft's testers 
managed to *avoid* Red Hat's installation wizard - maybe it didn't have 
"Wizard" printed all over it, or had more than one choice per page? 
Shrug.

Again I can't speak for Red Hat, but setting up a DHCP server on 
Mandrake is one checkbox in DrakConnect. If ("Ooh, Lordy, Lordy! Oh, 
please, Brer Fox, don't make me edit the config file!") I had to edit a 
DHCP config, it's all of - what, six or eight lines of code? Horrors!

I feel compelled to ask this: is a person incapable of doing or 
unwilling to do that very simple chore the kind of person you want 
running your Internet-exposed servers? Really?

As for wizards reducing download/install times for new packages, even 
Red Hat's very boring GUI package manager must have been too awesome 
for these skilled testers to dirty by touching. It sounds kind of like 
they were drag-racing against a sleigh in summer.

I must admit, however, that Windows SBS 2003 does win on Step 3, "Build 
an intranet web site for information worker collaboration". Sounds 
impressive, doesn't it? Um, question for VeriTest: how do zero steps 
occupy seven minutes and nineteen seconds?

Putting up a Wiki or PostNuke does involve either opening a shell and 
typing a short one-liner or 5 clicks to accomplish (either 29 or 17 
times more efficient than their "Linux consultants").

Again I'm pressed to ask: isn't Windows constantly getting into hot 
water for having services switched on by default? Why then is it a good 
thing that SBS 2003 arrives with them enabled?

I'm also wondering how "urpmi vncviewer rdesktop openssh-server" and the 
installation of PuTTY and TightVNC on the XP workstation managed to 
chew up over 100 minutes for VeriTest's Linux gurus. That's all you 
need to do to complete Step 4 on Mandrake, maybe twenty seconds for the 
server and three or four minutes on the XP workstation for full 
connectivity both ways.

You could even add vnc2swf to that urpmi line and make Flash movies of 
the XP box doing stuff while you waited for the Microsoft guys to win 
the battle with their wizards.

Maybe I should apply for a job at VeriTest? I could charge triple time 
and they'd still save buckets of money on consultants.

It seems the war of words has degenerated here into a war of headlines. 
Anyone looking at the details with half a brain will be either totally 
gobsmacked or laughing too hard to protest. It seems that either 
VeriTest have shifted their research labs into the Ministry of Truth 
building - and no longer seriously claim objectivity - or their 
calendar is six months out of sync.

This only serves to throw Forrester's recent decision to actively avoid 
participating in such charades into sharper relief. It's nice to see 
that at least a few consultancies still take their audience seriously.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia

Comments (1 posted)

After Sun goes out

From:		"Eric S. Raymond" <esr-AT-snark.thyrsus.com>
To:		wire-service-AT-snark.thyrsus.com
Subject:		After Sun goes out
Date:		Thu, 2 Oct 2003 07:43:59 -0400

Sun Microsystems crossed the line from "troubled" to "doomed" yesterday.
This is sad news for the open-source community, and we need to think
about how we're going to deal with it.  The most pressing questions
are "What becomes of Java?" and "What becomes of OpenOffice.org?"
These are questions that matter.

Sun's troubles have been mounting for a while.  Founder Bill Joy's
departure was an ominous recent symbol, but the substance of their
problem is that their hugh-margin server business is being eroded from
the low end by PCs running Linux at a rate that doesn't leave it
much of a future.

Nobody should cheer the prospect of Sun's demise.  Sun screwed up some
major decisions very badly, from wrecking Unix standardization efforts
in the 1980s to throttling the dream of Java ubiquity by keeping the
language proprietary.  But nobody should forget that Sun was founded
by Unix hackers for Unix hackers.  For most of its lifespan Sun
remained the archetype of an engineering-driven company. Sun was,
mostly, among the good guys; to hackers and geeks, disputing with Sun
was almost a family quarrel.

But inside Sun, I hear that talent is bailing out of the company
because they just don't believe the Solaris-will-prevail story
management is peddling.  Most of Sun's techies are running Linux on
their PCs at home.  They can see the handwriting on the wall.

In retrospect, the recent pronunciamento that Sun has no Linux
strategy was their final admission of failure. Sun can't run at the
lean profit margins that are all a commoditized Linux server market
will support, their cost structure is all wrong for it.  They got
trapped in a classic innovator's dilemma and didn't cannibalize their
own business while they had the investor confidence and maneuvering
room to do so.  Cuddling up to SCO didn't help, either.

And now it's too late[1]. Moody's has just about dropped Sun into the
junk-bond basement.  The stock closed at $3.31, 15% off for the day
and falling in heavy trading.  The recent product announcements have
been duds, and the upcoming quarterlies are going to be a disaster.
Wall street analysts are calling for drastic job cuts and speaking the
code phrases that mean "run for the hills!"  The smell of death is in
the air.

Any of Sun's people and tangible assets that don't scatter to the four
winds will probably wind up in the hands of IBM, HP, and Dell -- three
companies that have shown they do know how to play the
commodity-computing game.  The SCO lawsuit probably won't be
affected. Sun was the lesser-known of of SCO's sugar daddies along
with Microsoft, but Redmond can pick up Sun's share of funding the
lawsuit out of petty cash -- and it undoubtedly will.

The real question is twofold: can OpenOffice.org survive without Sun, and
where will Java land?  Probably not at Microsoft; with C# in the 
picture, it is unlikely that Microsoft even wants to own Java any more.
I have to guess that IBM is the most likely to shoulder both technologies, 
simply because nobody else is really positioned to do it.  But that,
of course, raises other worries -- is it really good for us if IBM
has a lead position in everything?

[1] http://reuters.com/financeNewsArticle.jhtml?type=hotStocksNews&storyID=3535714
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

All governments are more or less combinations against the
people. . .and as rulers have no more virtue than the ruled. . .
the power of government can only be kept within its constituted
bounds by the display of a power equal to itself, the collected
sentiment of the people.
	-- Benjamin Franklin Bache, in a Phildelphia Aurora editorial 1794

Comments (none posted)

Page editor: Jonathan Corbet