It has been disclosed that the compromise of the Debian Project's servers
was made possible, in part, by a previously unpatched vulnerability in the
kernel's memory management code. For the curious, this article describes
how that vulnerability works, and what is required to exploit it. We'll
also look at how it could have remained unfixed for months.
Process memory (default ia-32 layout):

  0x00000000-0x08047FFF   Unmapped area
  0x08048000-0x08??????   Program text
  0x08??????-             Named memory and heap
  0x40000000-0x4???????   Shared libraries, shared memory segments
  0x4???????-0xbfffcfff   Unmapped area
  0xbfffd000-0xc0000000   Stack
The kernel organizes a process's memory in a way vaguely similar to the
diagram above. The addresses shown there correspond to the default
ia-32 implementation. This picture has been simplified somewhat, but it
conveys the basic idea. The real picture on a specific system can be had
by running "cat /proc/self/maps".
The bulk of the memory used by a program for its variables and heap storage is
found in the section marked "named memory and heap" in the diagram. This
memory area is initially made large enough to hold the static variables
created by the program, but, as soon as more memory is required (to satisfy
malloc() calls, perhaps) that region of memory must be expanded.
Since the beginning, Unix-like systems have provided a system call (named
brk()) which can be used to change the size of the heap area. The
caller simply passes in the virtual address indicating where the new
"break point" should be set, and the area is expanded or contracted as need
be.
Back in September, Andrew Morton noticed that no sort of bounds checking
was being applied to the address passed to brk(). In theory, this
omission means that a process could request an arbitrarily large heap
area. In practice, most programs would not get that far. The kernel does
not allow virtual memory areas to overlap each other, so any expansion of
the heap area that caused it to impinge upon the shared library areas
starting at
0x40000000 would be rejected with an error. So it would appear
that the lack of bounds checking was never that serious of a problem; all
it could do is allow a user to set up some huge page tables.
Obviously, the situation is worse than that. The memory layout diagram is
missing one important area; on ia-32 systems, the kernel itself is mapped
in starting at 0xc0000000 - right above the process stack area. Processes
normally do not have any access to that part of memory, of course. But, as
it turns out, if you can convince brk() to expand your heap area
up into the kernel's address range, you have direct access to the kernel
code and data areas. At that point, the integrity of the system is lost.
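To make the missing check concrete, here is an added example (not code from the article, and not the kernel's own code): a user-space model of the range test that a heap-extending call must apply before creating a mapping, together with a defender-side check over /proc/<pid>/maps lines. The TASK_SIZE constant, the function names and the sample maps dump are assumptions made for this model; the real fix lives in the kernel's do_brk() and is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Top of the ia-32 user address space in the layout described above; the
 * kernel is mapped from here upward. Assumed constant for this model. */
#define TASK_SIZE 0xC0000000u

/*
 * Model of the check that 2.4.22 lacked. This is not the kernel's code: it
 * is a user-space stand-in for the range test a heap-extending call needs.
 * Returns 0 when [addr, addr+len) lies entirely in user space, -1 when it
 * would reach kernel space or wrap around the 32-bit address space. The
 * wrap test matters: with a large enough len, addr + len comes back around
 * to a small number and would pass a lone "end > TASK_SIZE" comparison.
 */
int brk_range_ok(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;   /* 32-bit wraparound is deliberate here */
    if (end < addr)              /* wrapped past 0xFFFFFFFF */
        return -1;
    if (end > TASK_SIZE)         /* would overlap the kernel mapping */
        return -1;
    return 0;
}

/*
 * Defender-side sanity check on one /proc/<pid>/maps line of the form
 * "start-end perms offset dev inode [path]". Returns 1 if the mapping's end
 * lies above TASK_SIZE (something a user process should never show on a
 * correctly behaving kernel), 0 if not, -1 for an unparsable line.
 */
int mapping_reaches_kernel(const char *line)
{
    unsigned long start, end;
    if (sscanf(line, "%lx-%lx", &start, &end) != 2)
        return -1;
    return end > TASK_SIZE ? 1 : 0;
}

/* Count the lines of a maps dump whose mapping reaches into kernel space. */
int count_kernel_reaching(const char *maps)
{
    int n = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && mapping_reaches_kernel(line) == 1)
            n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Constructed sample modelled on the diagram above; not a real capture. */
static const char SAMPLE_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:01 12345 /bin/cat\n"
    "0804c000-0804d000 rw-p 00003000 03:01 12345 /bin/cat\n"
    "0804d000-0806e000 rwxp 00000000 00:00 0\n"
    "40000000-40013000 r-xp 00000000 03:01 67890 /lib/ld-linux.so.2\n"
    "bfffd000-c0000000 rwxp ffffe000 00:00 0\n";

int main(void)
{
    printf("heap +1MiB from 0x08052000: %s\n",
           brk_range_ok(0x08052000u, 0x00100000u) == 0 ? "ok" : "rejected");
    printf("heap up to 0xC0052000:      %s\n",
           brk_range_ok(0x08052000u, 0xB8000000u) == 0 ? "ok" : "rejected");
    printf("wrapping request:           %s\n",
           brk_range_ok(0xBFFFD000u, 0x50000000u) == 0 ? "ok" : "rejected");
    printf("sample mappings reaching kernel space: %d\n",
           count_kernel_reaching(SAMPLE_MAPS));
    return 0;
}
```

The two conditions in brk_range_ok are the whole point: the overlap rule the article mentions only protects against collisions with existing user mappings, so a request that ends at or beyond TASK_SIZE has to be refused explicitly, and the wrap test closes the case where a huge length makes the end address look small.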
The key to cracking the system is changing the process memory layout so that
the heap area can be expanded into the kernel's space. You cannot easily
do that with a normal C program, but, with a bit of assembly trickery
things become easier.
A proof of concept
exploit has already been posted to Bugtraq, so one can see how it is
done. It is really a matter of (1) moving the program origin up into
the highest part of virtual memory, where the stack usually lives, and
(2) shorting out the C library's startup code which sets up the
address space in the first part. Once you do that, an unpatched system
will happily expand your heap area into kernel space.
So, as the Debian Project learned at great cost, this little omission in
the implementation of the brk() system call is fully usable for a
complete local root exploit.
There have been a lot of questions about how such a vulnerability could
remain unfixed for so long. In fact, it was patched in the 2.6.0-test
series almost as soon as it was found. The fix also went to Marcelo
Tosatti, the 2.4 maintainer, but it was too late for the 2.4.22 release, which happened on
August 25. So the fix was merged into 2.4.23-pre7, which came out on October 9.
The current 2.4.23 kernel is not vulnerable - but that was too late to help
Debian.
The real problem, of course, is that nobody realized the severity of this
bug. Had the kernel developers understood that current kernels were
vulnerable to this sort of attack, the alert would have gone out and the
various distributors would have sent out the usual set of updates. But
this patch was just one of over 2000 patches merged by Linus in September.
It would seem that it simply became part of the stream of fixes, and nobody
looked at it particularly closely.
Except, of course, somebody did. Chances are, the posting of this fix
drew an attacker's attention to the brk() code. With a bit of effort, the
exploit got written, and now thousands or millions of systems are at risk.
What the kernel (along with most other projects) needs is more friendly
eyes looking for this sort of problem. We do reasonably well, in that most
vulnerabilities are found and fixed by the good guys before they can be
exploited. There are cases where that doesn't happen, however, and the
brk() bug was one of them. Security auditing is hard work, and
usually unrewarding. But it would have been nice if somebody had looked
hard enough at this problem to raise the alarm.
Comments (34 posted)
You win some, you lose some. While the free software community has lost an
ally (by some people's reckoning, anyway)
with the defection of SCO,
Wind
River seems to be coming around, at least to some degree. Until
recently, the company had been
fairly critical of the GPL and
Linux as an embedded solution. The company surprised many in October when
the announcement went out that Wind River would be
providing tools
for Linux development.
This week, Wind River upped the ante with the announcements that it would
be joining two open source industry groups, the Eclipse Consortium and the Open Source Development Labs (OSDL). Wind
River is joining OSDL to participate in OSDL's Carrier Grade Linux (CGL)
Working Group, and focusing on embedded tools that are compatible with the
Eclipse framework.
We spoke with Michel Genard, general manager of Wind River's Hardware
Assisted and Stand-alone Tools product division about the company's change
of heart. Why has Wind River changed its tune with regards to Linux? Genard
first explained that Wind River's previous stance towards Linux and the GPL
was based in part on fear.
We were not very sure about exactly what to do, and definitely some fear
[of Linux], that it would cannibalize some of our business. We had an
internal [Linux] project, gave up based on GPL fear and issues. In 2001 we
announced acquisition of BSD assets. We thought that what customers wanted
was attributes of Linux, delivered with BSD. This year, you know, through a
lot of thinking and changes... we realized we were wrong.
Dave Fraser, Wind River's group vice president of products acknowledged
in an interview with eWeek that Wind River had backed the wrong horse in
trying to supplant Linux with a BSD-derived solution:
The primary market focus is on Linux and not [Unix]. We took a risky bet
that BSD was going to be the business-friendly alternative to Linux, but
that turned out not to be the case. [Unix] became Betamaxed to Linux's
VHS.
Being the Betamax of embedded OSes can be painful. According to the
company's SEC filings, its revenue peaked in its 2001 fiscal year at almost
$438 million, dropping to $351 million in 2002 and $249 million in
2003. (Wind River's fiscal year begins in April of the previous year.) Wind
River seems to be headed for a disappointing 2004 fiscal year as well, with
revenue for the six months ending July 31, 2003 falling off by almost $31
million compared to the previous year. Wind River also notes in recent SEC
filings that open source may be more popular "where our customer's budget
constraints may make such software more appealing than Wind River products
for their initial project development."
Recent changes in management also help to ease Wind River's transition to a
Linux-friendly company. Kenneth Klein has taken
the CEO job after Tom St. Dennis resigned in late June. St. Dennis had been
critical of Linux and the GPL, while Klein seems open to working with Linux
and the free software community.
As Wind River tries to overcome its past missteps, it will likely face some
skepticism. The company's past statements regarding the GPL aren't likely
to be forgotten easily, nor the firing of Slackware's development team
shortly after the BSDi acquisition.
More recently, Darl McBride has cited
Wind River as one of the companies "on this side of the table as SCO is
on." Though McBride seemed to be merely citing Wind River since the company
had previously criticized the GPL, we asked Genard where Wind River stood
on SCO's claims. Genard said Wind River has no position on SCO's claims
that the GPL is invalid, but said that the suit was "a wake-up call for the
customer."
When you manage and design software, you have to use best practices to
understand how you don't contaminate your own code with other IP, whether
it's coming from a third-party or open source...but I think we should let
the people involved [determine] if the GPL is really enforceable or an
issue or not.
There is also some concern that embedded companies are disregarding
the GPL, so we asked Genard if Wind River would be working to educate
their customers about their obligations when using GPL-licensed code in embedded
devices. Genard said that, at the moment, they are only offering tools to
develop Linux-based solutions and that the company isn't planning to "do
any recommendation to the customer what to do with Linux."
One need not look too deeply to understand why Wind River has changed its
attitude towards Linux. Its past strategy of dismissing embedded Linux
simply wasn't working, and an ever-shrinking market share was probably not
very appealing to Wind River's customers. Wind River is being squeezed on
two sides in the embedded space. On one side is Linux, a robust solution
that is royalty-free and extremely flexible. On the other side is
Microsoft, which outguns Wind River by several orders of magnitude when it
comes to dollars spent on marketing and R&D.
Whatever the reasons, it's good to see that a company can change its tune
for the better. We hope that Wind River continues this process and becomes
an active contributor to the free software community.
Comments (3 posted)
Things have been quiet enough on the DeCSS front that one might be forgiven
for thinking that the issue had run its course. The software remains
freely available on the net, and there are no high-profile DeCSS cases left
in the U.S. We are now being treated to a reminder that the U.S. is far
from alone when it comes to repressive legislation, however.
Jon Johansen is one of the original authors of the DeCSS code, which may be
employed to play a DVD on a Linux system. The Motion Picture Association
of America (MPAA), not content with its efforts to suppress any mention of
the code in the U.S., went to the Norwegian economic crime authorities and
asked that charges be pressed against Mr. Johansen in Norway. The agency
(Økokrim) obliged, and Jon went to trial in 2002 for violations of Norway's
anti-circumvention law. The court, however, decided that, if you buy a DVD
with a film on it, you have bought the right to access that film. Jon
Johansen was acquitted on all counts.
The Norwegian government appealed the ruling, and the new trial started on
December 2. It is expected to last for eight days. Jon and his
lawyers have expressed confidence that the appeal will come to the same
conclusion as the original trial, but there is never any certainty when an
issue goes to court. One can only hope that the appeals court will see
reason and realize that it makes no sense to convict somebody for breaking
into their own property.
Regardless of the outcome, however, the MPAA will have achieved an
important goal. It has been made clear that, if you write the wrong sort
of code, you can be arrested and threatened with jail. Even if the
ultimate outcome is a complete acquittal, few people will want to avail
themselves of the opportunity to learn how the justice system works in such
a close way. The prosecution of hackers like Jon Johansen can only have a
chilling effect on other developers, whether or not that prosecution is
successful.
(See also: this IP
Justice press release).
Comments (5 posted)
December 3, 2003
By Pamela Jones, Editor of Groklaw
[Editor's note: last week's article on GPL attacks drew some questions on
just why the GPL cannot be enforced like a contract. We're pleased to
announce that we have convinced Pamela Jones to expand on that issue for us.]
There has been considerable FUD of late asserting that, if a company
inadvertently incorporates GPL code into its proprietary code, it can
be forced to release its proprietary code under the GPL. This isn't
new FUD. It's old FUD, but it is coming from some new sources. Even some attorneys have been saying this in the media and at
various conferences. While it's not a crime to misunderstand the GPL,
and it certainly isn't rare, it does arouse unnecessary fears about whether
the GPL is safe to use or work with. Is it true? Can you lose your code
this way? No, and the reason why hinges on
the GPL being a license and not a contract.
A lot of the confusion about the GPL stems from this central issue:
Is the GPL a license or a contract? The reason this issue matters is
that contracts are enforced under contract law, which is done
state by state, and there are certain necessary elements to qualify as a
valid contract. Licenses, instead, are enforced under copyright
law at the federal level. The penalties available are not the
same.
Let's analyze and see how this all relates to the recent FUD. First of
all, what is a license? A license is just a
permission to do something you otherwise wouldn't be allowed to do. When
I want to go fishing, for example, I have to get a fishing license from
the local municipality. That's a license, as its name implies. But
why? Why isn't it a contract? Because there are no further agreed-upon
promises, no reciprocal obligations. It would be a contract if I said
to the owner of a pond: if you give me a license to fish in this pond,
I'll give you half of all the fish I catch. In that scenario, each of
us has voluntarily entered into a kind of promise. We each give the
other something of value, so if I get the license and then I don't give
over half of all my catch of the day, the pond owner can sue me for not
living up to the terms of the contract.
Eben Moglen, the Free Software Foundation's attorney, who is primarily
responsible for enforcing
the GPL, explains the difference between contracts and licenses like
this:
The word 'license' has, and has had for hundreds of years, a
specific technical meaning in the law of property. A license is a
unilateral permission to use someone else's property. The
traditional example given in the first-year law school Property
course is an invitation to come to dinner at my house. If, when
you cross my threshold, I sue you for trespass, you plead my
'license,' that is, my unilateral permission to enter on and use my
property.
A contract, on the other hand, is an exchange of obligations,
either of promises for promises or of promises of future
performance for present performance or payment. The idea that
'licenses' to use patents or copyrights must be contracts is an
artifact of twentieth-century practice, in which licensors offered
an exchange of promises with users: 'We will give you a copy of
our copyrighted work,' in essence, 'if you pay us and promise to
enter into certain obligations concerning the work.' With respect
to software, those obligations by users include promises not to
decompile or reverse-engineer the software, and not to transfer the
software.
Very clear, but what about
the GPL?
First, the name tells you what the
authors intended: General Public License. It doesn't say
"General Public Contract" or even "General Public License Contract". So
they intended it to be a license, not a contract. Does it fit the
definition? Professor Moglen:
The GPL, however, is a true copyright license: a unilateral
permission, in which no obligations are reciprocally required by
the licensor. Copyright holders of computer programs are given, by
the Copyright Act, exclusive right to copy, modify and redistribute
their programs. The GPL, reduced to its essence, says: 'You may
copy, modify and redistribute this software, whether modified or
unmodified, freely. But if you redistribute it, in modified or
unmodified form, your permission extends only to distribution under
the terms of this license. If you violate the terms of this
license, all permission is withdrawn.'
Suppose a company really did mingle GPL code into
a program with its own proprietary code and then distributed the
merged product under a proprietary license or without living up to the
terms of the GPL? Now what happens? What will the judge do now?
Order the code released under the GPL over the wishes of the owner?
Stop and think. What happens if you violate the terms of a fishing
license? For example, the license may restrict how much fish you can
catch on a particular day or what kinds of fish you can keep, what
sizes, etc. Suppose you violate the terms of the license. What
happens? You lose your license to fish. There may be a fine to pay.
That's essentially the same thing that happens under the GPL,
except it's nicer, because the company gets to choose what it wishes to
do under the terms of the GPL. If it still isn't resolved, and it goes
to a judge, however, it's enforced as a violation of copyright law, not
contract law. Here is Professor Moglen's explanation of what happens:
Because the GPL does not require any promises in return from
licensees, it does not need contract enforcement in order to work.
A GPL licensor doesn't say in the event of trouble "But, judge, the
licensee promised me he wouldn't do what he's doing now." The
licensor plaintiff says 'Judge, the defendant is redistributing my
copyrighted work without permission.' The defendant can then
either agree that he has no permission, in which case he loses, or
assert that his permission is the GPL, in which case he must show
that he is obeying its terms. A defendant cannot simultaneously
assert that the GPL is valid permission for his distribution and
also assert that it is not a valid copyright license, which is why
defendants do not 'challenge' the GPL.
The claim that a GPL violation could lead to the forcing open of
proprietary code that has wrongfully included GPL'd components is
simply wrong. There is no provision in the Copyright Act to
require distribution of infringing work on altered terms. What
copyright plaintiffs are entitled to, under the Act, are damages,
injunctions to prevent infringing distribution, and--where
appropriate--attorneys' fees. A defendant found to have wrongfully
included GPL'd code in its own proprietary work can be mulcted in
damages for the distribution that has already occurred, and
prevented from distributing its product further. That's a
sufficient disincentive to make wrongful use of GPL'd program code.
And it is all that the Copyright Act permits.
So when you read claims that the GPL is perhaps not
enforceable because you don't sign it or click on a form, or because of
a lack of privity, or because there is a lack of consideration, or some
such, you'll know that the person misunderstood the GPL and thought in
terms of contract law. It's a common error. They don't shoot you at
dawn for not fully understanding the GPL. But at the same time, it's
good to know that the problems people think they see in the GPL
generally are the result of not understanding it, not from any weakness
in the GPL itself.
Similarly, when you hear that the
GPL is viral and can force proprietary code to become GPL, which a
couple of lawyers have been saying, you'll know that isn't true. If
you steal GPL code, you can expect an enforcement action.
But this action can only be enforcement of a license, not a contract, and
a forced release under the GPL can't be imposed on you under copyright
law. It's not one of the choices, as Professor Moglen has explained.
You do have a choice under the GPL: you can stop using the
stolen code and write your own, or you can decide you'd rather release
under the GPL. But the choice is yours. If you say "I choose neither,"
the court can impose an injunction to stop you from further
distribution, but it won't order your code released under the GPL. Your
code remains yours, as you can see, even in a worst case scenario.
Of course, you could avoid all such troubles in the first place by
not stealing GPL code to begin with. But if something happens
inadvertently and some rogue employee sneaks some GPL code into your
proprietary product, the sky isn't falling. It's a manageable risk and a
solvable problem. No one wants to steal your code in retaliation or
force it to be something you don't want it to be. The GPL is
unequivocally a license, and that's the truth.
Comments (87 posted)
Page editor: Jonathan Corbet
Security
Brief items
December 3, 2003
This article was contributed by Jake Edge.
One necessary precondition for true freedom of speech is a way to
communicate that does not identify the speaker or the listener. Several
projects are working to provide that ability through peer-to-peer
networking protocols that use cryptography to enable this kind of
communication:
Freenet,
Entropy, and
GNUnet.
The goals of these projects are quite similar, to provide for the free
exchange of ideas while thwarting any attempts to censor the information
or punish the participants.
The basic framework for each of these networks is a decentralized,
peer-to-peer communications model where a node in the network talks to
some number of other nodes, sending requests to these peer nodes and
handling requests that come from them. The messages sent between nodes
are encrypted using a session key that has been negotiated between the
nodes using public key encryption. This encryption should be sufficient
to deny a 'man in the middle' from determining anything useful about the
traffic (other than its existence).
When a node sends a request to one
of its peers, there is no reason to assume that the request actually
originated on that node as nodes will forward requests that they receive,
but cannot satisfy. Any response that is generated to a node is likewise not
necessarily ultimately bound for that node and could be the response
to a request that was forwarded by the node. With a sufficient number of
nodes and amount of traffic, no analysis of the traffic to or from nodes
will reveal the true source and destinations of the requests.
This stands in stark contrast to the more common peer-to-peer networks
where, once the content is found, a direct connection is made from the
destination to the source to retrieve the content.
Each node that fully participates in the network provides some local
storage for information in the network and can immediately
satisfy requests for any data that it has stored locally. In order to
provide deniability for the operators of these nodes, this data is
encrypted and the operators are unable to determine what content actually
resides on their node at any given time. Cryptographic hash functions on
the file contents are typically used to identify particular files that
have been inserted into the network. These identifiers are not
particularly user friendly - for instance a copy of Kevin Mitnick's book
The Art of Deception can be found in the Entropy network using
the identifier:
SSK@zpxOK~ounTzoDwJKguoUHib8G7sBCMA/ArtOfDeception//
To make the system easier to use, various
network users have put together directories of content to help navigation.
The popularity of a file governs how long it stays in the network and how
often it is replicated. Each of the networks has limits on the amount
of storage available to it (based on the number of active nodes and the
amount of storage allocated to the nodes by each operator) and must
sometimes prune content when new content is added.
GNUnet tries to overcome the problem of 'freeloaders' (nodes that request
content but do not serve any) by adding an 'economic' layer to its network.
Each node
keeps track of its 'opinion' of the other nodes that it has talked to;
nodes that satisfy requests have a better reputation and will be treated
preferentially under higher network loads.
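As an added example (not code from the article or from any of the three projects), the following Python model shows the mechanics described in the paragraphs above on request forwarding, content identifiers, replication and pruning, and in the GNUnet paragraph on reputation: content-hash keys, requests forwarded hop by hop so that a node only ever sees its neighbour as the apparent source, caching of content along the return path, eviction from a full local store, and a per-peer credit counter. The class, the key format and the sample network are assumptions of the model; the encrypted links between peers (the negotiated session key) are not modelled.

```python
from __future__ import annotations

import hashlib
from collections import OrderedDict, defaultdict


def content_key(data: bytes) -> str:
    """Content-hash key: the identifier is derived from the file's bytes, so
    whoever receives the data can check it matches the key it was requested
    under. (The 'CHK@' prefix is a constructed format for this model.)"""
    return "CHK@" + hashlib.sha256(data).hexdigest()


class Node:
    """One participant: a bounded local store, a peer list, a reputation
    table for its peers, and a log of what an observer on this node sees."""

    def __init__(self, name: str, capacity: int) -> None:
        self.name = name
        self.capacity = capacity
        self.store: OrderedDict[str, bytes] = OrderedDict()  # LRU order
        self.peers: list[Node] = []
        self.credit: defaultdict[str, int] = defaultdict(int)  # 'opinion' of peers
        # (key, neighbour the request arrived from). The originating node is
        # only visible here if it happens to be a direct neighbour.
        self.seen: list[tuple[str, str | None]] = []

    def connect(self, other: Node) -> None:
        self.peers.append(other)
        other.peers.append(self)

    def _store(self, key: str, data: bytes) -> None:
        if key in self.store:
            self.store.move_to_end(key)
            return
        self.store[key] = data
        while len(self.store) > self.capacity:
            self.store.popitem(last=False)  # prune least recently requested

    def insert(self, data: bytes) -> str:
        key = content_key(data)
        self._store(key, data)
        return key

    def request(self, key: str, from_node: Node | None = None,
                hops_to_live: int = 5, visited: set[str] | None = None) -> bytes | None:
        visited = set() if visited is None else visited
        visited.add(self.name)
        self.seen.append((key, from_node.name if from_node else None))
        if key in self.store:                 # satisfied from local storage
            self.store.move_to_end(key)
            return self.store[key]
        if hops_to_live == 0:
            return None
        for peer in self.peers:
            if peer.name in visited:
                continue
            data = peer.request(key, self, hops_to_live - 1, visited)
            if data is None or content_key(data) != key:
                continue                      # nothing, or data not matching its key
            self.credit[peer.name] += 1       # peer delivered: raise its reputation
            self._store(key, data)            # cache on the return path: replication
            return data
        return None


def demo() -> dict:
    """Four nodes in a line, A-B-C-D; only D holds the document at first."""
    a, b, c, d = (Node(n, capacity=2) for n in "ABCD")
    a.connect(b)
    b.connect(c)
    c.connect(d)
    doc = b"constructed sample document, not real network content"
    key = d.insert(doc)

    got = a.request(key)                           # A asks B, B asks C, C asks D
    replicated = [n.name for n in (a, b, c, d) if key in n.store]
    missing = a.request(content_key(b"never inserted"))

    # Push two new items through B so its two-slot store evicts the document.
    b.insert(b"newer content 1")
    b.insert(b"newer content 2")

    return {
        "retrieved": got == doc,
        "replicated_on": replicated,
        "c_saw_request_from": c.seen[0][1],       # C sees B, never A
        "missing_returns_none": missing is None,
        "a_rates_b": a.credit["B"],
        "a_rates_c": a.credit["C"],
        "pruned_at_b": key not in b.store,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details carry the security argument: node C's log records B as the requester even though A originated the request, and every node verifies the returned bytes against the content-hash key before caching them, so a peer cannot substitute different content for a key it does not hold.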
Both Freenet and Entropy provide an HTTP proxy that allows the use of
standard web browsers as clients to view some of the content on the
network. Entropy also adopted the Freenet Client Protocol so that all
of the client applications originally written for Freenet will work
with Entropy as well.
Frost is one of the most
widely used clients and provides file sharing and message board functionality.
GNUnet appears to mainly use command line
tools, though gnunet-gtk provides a graphical front-end.
Security is clearly taking precedence over performance, as it should, but
this causes the user
experience browsing Freenet or Entropy (at least) to be fairly frustrating.
Sites can take tens of minutes to load or fail to load altogether,
presumably because the information has either dropped out of the network
or any sites that contain the information are currently offline or too
far away (in network, not geographic, terms).
Critics of these projects complain that they could be used by criminals
for nefarious purposes and, obviously, that is true. There is no way to
provide for anonymous communication that cannot be abused and these projects
have decided that freedom of communication is more important than stopping
illegal uses. In the end, these networks are tools like computers or
phones and they can be used for good or for ill. It would be impossible
and a serious affront to liberty to outlaw all tools that could be
used to commit a crime.
Comments (10 posted)
Security reports
If you go to Savannah, the GNU project's development server, you'll find a
note stating that it, too, has been broken into. "The compromise seems to be
of the same nature as the recent attacks on Debian project servers; the
attacker seemed to operate identically." Savannah will be down until (at
least) December 5. (Thanks to "sdoyon", who posted the news in an LWN
comment).
Comments (22 posted)
New vulnerabilities
bind: cache poisoning
Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a
temporary denial of service until the bad record expires from the cache.
Comments (none posted)
GnuPG: ElGamal signing keys compromised
Package(s): gnupg
CVE #(s): CAN-2003-0971
Created: November 28, 2003
Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen
relating to ElGamal sign+encrypt keys. This email message from Werner Koch
contains more information. "Phong Nguyen identified a severe bug in the way
GnuPG creates and uses ElGamal keys for signing. This is a significant
security failure which can lead to a compromise of almost all ElGamal keys
used for signing. Note that this is a real world vulnerability which will
reveal your private key within a few seconds."
Comments (3 posted)
kernel: local root exploit in 2.4.22
Package(s): kernel
CVE #(s): CAN-2003-0961
Created: December 1, 2003
Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions
2.4.22 and previous. A flaw in bounds checking in the do_brk() function can
allow a local attacker to gain root privileges. This vulnerability is known
to be exploitable. The 2.4.23 kernel contains the fix. For more details on
how this vulnerability works, see this LWN article.
Comments (1 posted)
Net-SNMP: security bugs in versions before 5.0.9
Package(s): Net-SNMP
CVE #(s): CAN-2003-0935
Created: December 2, 2003
Updated: February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management
Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9
could allow an existing user/community to gain access to data in MIB objects
that were explicitly excluded from their view. Version 5.0.9 of Net-SNMP is
not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of
other minor bugs.
Comments (none posted)
screen: privilege escalation
Package(s): screen
CVE #(s): CAN-2003-0972
Created: November 28, 2003
Updated: March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen
allows privilege escalation for local users. Usually screen is installed
either setgid-utmp or setuid-root. It also has some potential for remote
attacks or getting control of another user's screen. The problem is that you
have to transfer around 2-3 gigabytes of data to the user's screen to exploit
this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable.
Comments (none posted)
stunnel: file descriptor leak
Package(s): stunnel
CVE #(s): CAN-2003-0740
Created: November 26, 2003
Updated: December 3, 2003
Description: A vulnerability was discovered in stunnel versions 3.24 and
earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a
critical file descriptor that can be used to hijack stunnel's services. See
this advisory for more information.
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476,
CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 24, 2003
Description: Several security issues have been discovered affecting the
Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
Comments (none posted)
apache: buffer overflows in mod_alias, mod_rewrite
Package(s): apache
CVE #(s): CAN-2003-0542, CAN-2003-0789
Created: October 28, 2003
Updated: February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and
mod_rewrite modules of the Apache webserver. These occurred if a regular
expression with more than 9 capturing parentheses was configured. To exploit
this, an attacker would need to be able to locally create a carefully crafted
configuration file (.htaccess or httpd.conf). (CAN-2003-0542)
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's
mishandling of CGI redirect paths could result in CGI output going to the
wrong client when a threaded MPM is used. (CAN-2003-0789)
Comments (none posted)
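The "more than 9 captures" trigger is the signature of a fixed-size match array being handed a pattern-derived count. The following added example, written for this page and not taken from Apache, contrasts the two shapes using POSIX regcomp()/regexec(); that Apache's overflow was a ten-entry match array fed a larger nmatch is my reading of the trigger, not something the advisory states.

```c
#include <regex.h>
#include <stddef.h>

/* Room for the whole-match entry plus nine capture groups, the same
 * "more than 9" boundary the advisory describes. */
#define MAX_MATCH 10

/* Vulnerable shape, kept for contrast and never called here: the match
 * array is fixed at MAX_MATCH entries but nmatch follows the pattern, so
 * a pattern with ten or more groups makes regexec() write past m[]. */
int run_regex_unsafe(const char *pattern, const char *subject)
{
    regex_t re;
    regmatch_t m[MAX_MATCH];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, subject, re.re_nsub + 1, m, 0); /* overflows if re_nsub > 9 */
    regfree(&re);
    return rc == 0;
}

/* Hardened shape: the group count is checked against the array when the
 * pattern is compiled (for a web server, when the configuration file is
 * parsed), so nmatch can never exceed the array.  Returns 1 on match, 0 on
 * no match, -1 if the pattern does not compile, -2 if it has more capture
 * groups than MAX_MATCH - 1. */
int run_regex_safe(const char *pattern, const char *subject)
{
    regex_t re;
    regmatch_t m[MAX_MATCH];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (re.re_nsub + 1 > (size_t)MAX_MATCH) {
        regfree(&re);
        return -2;
    }
    rc = regexec(&re, subject, re.re_nsub + 1, m, 0);
    regfree(&re);
    return rc == 0;
}
```

Rejecting the pattern outright is preferable to silently clamping nmatch: later code that indexes the match array by group number (a $10 substitution, say) would still read a slot that was never filled.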
apache2: Denial of Service vulnerability
Package(s): apache2
CVE #(s): none listed
Created: September 29, 2003
Updated: March 25, 2004
Description:
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution: the server
reads the script's standard error only after its standard output is finished,
so a script which fills the stderr pipe buffer first blocks in write() and
never completes. This problem can lead to a denial of service situation. See
this bug report for additional details.
CUPS: denial of service
Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description:
Paul Mitcheson reported a situation where the CUPS Internet Printing
Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get
into a busy loop. This could result in a denial of service. In order to
exploit this bug an attacker would need to have the ability to make a TCP
connection to the IPP port (by default 631).
ethereal: multiple remote and local vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2003-0925, CAN-2003-0926, CAN-2003-0927
Created: November 10, 2003
Updated: December 17, 2003
Description:
Multiple vulnerabilities have been found in ethereal versions below 0.9.16.
Remote attackers can craft packets, and local users can build corrupt trace
files, resulting in denial of service and remote code execution.
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
fetchmail may crash on specially crafted message
Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 17, 2003
Updated: April 8, 2004
Description:
A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.
fileutils/wu-ftpd: denial of service
Package(s): fileutils
CVE #(s): CAN-2003-0854
Created: October 22, 2003
Updated: March 2, 2004
Description:
There is, it seems, an integer overflow vulnerability in "ls" which can be
exploited via wu-ftpd to create a denial of service situation. See this
advisory from Georgi Guninski for details.
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
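The defect above is a length-versus-capacity confusion: the resolver bounded its parsing by the size of its receive buffer rather than by the number of bytes recvfrom() actually returned, so a short or truncated response sent it reading stale memory past the end of the datagram. The following added example, written for this page and not glibc's or BIND's code, is a name decoder and answer parser that bound every read by the received length; the sample response is constructed inline. Calling parse_first_answer(buf, sizeof buf, ...) reproduces the vulnerable shape, calling it with the recvfrom() result is the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the answer to "www.example.com A?"; the answer's owner
 * name is a compression pointer (0xC00C) back to offset 12, the question. */
const uint8_t SAMPLE_RESPONSE[] = {
    0x00, 0x01, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                               /* QTYPE A, QCLASS IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    93, 184, 216, 34,
};
const size_t SAMPLE_RESPONSE_LEN = sizeof SAMPLE_RESPONSE;

/* Decode the name at msg[off] into out in dotted form.  Every read is checked
 * against msg_len, the byte count the socket actually delivered, never the
 * receive buffer's capacity.  Returns the offset just past the name in the
 * original stream, or -1 on any read past msg_len, a forward (looping)
 * pointer, a reserved label type or an out overflow. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t o = 0, end = 0;
    int jumped = 0;
    for (;;) {
        uint8_t len;
        if (off >= msg_len)
            return -1;
        len = msg[off];
        if ((len & 0xC0) == 0xC0) {                     /* compression pointer */
            size_t ptr;
            if (off + 1 >= msg_len)
                return -1;
            ptr = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (!jumped) { end = off + 2; jumped = 1; }
            if (ptr >= off)                             /* must point backwards, */
                return -1;                              /* which rules out loops */
            off = ptr;
            continue;
        }
        if (len & 0xC0)                                 /* 0x40/0x80: reserved */
            return -1;
        if (len == 0) {                                 /* root label: done */
            if (!jumped) end = off + 1;
            if (o + 1 >= out_len)
                return -1;
            if (o == 0) out[o++] = '.';
            out[o] = '\0';
            return (int)end;
        }
        if (off + 1 + len > msg_len || o + len + 2 > out_len)
            return -1;                                  /* label past data or out */
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off + 1, len);
        o += len;
        off += 1 + len;
    }
}

/* Skip the question section and return the first answer's owner name and, for
 * an A record, its address.  0 on success, -1 if anything runs past msg_len. */
int parse_first_answer(const uint8_t *msg, size_t msg_len,
                       char *name, size_t name_len, uint8_t ip[4])
{
    size_t off = 12, qd, i;
    unsigned type, rdlen;
    int r;
    if (msg_len < 12 || ((msg[6] << 8) | msg[7]) == 0)   /* header, ANCOUNT */
        return -1;
    qd = ((size_t)msg[4] << 8) | msg[5];                 /* QDCOUNT */
    for (i = 0; i < qd; i++) {
        if ((r = dns_name_decode(msg, msg_len, off, name, name_len)) < 0)
            return -1;
        off = (size_t)r + 4;                             /* QTYPE, QCLASS */
        if (off > msg_len)
            return -1;
    }
    if ((r = dns_name_decode(msg, msg_len, off, name, name_len)) < 0)
        return -1;
    off = (size_t)r;
    if (off + 10 > msg_len)                              /* TYPE .. RDLENGTH */
        return -1;
    type = ((unsigned)msg[off] << 8) | msg[off + 1];
    rdlen = ((unsigned)msg[off + 8] << 8) | msg[off + 9];
    off += 10;
    if (off + rdlen > msg_len || type != 1 || rdlen != 4) /* RDATA past the data */
        return -1;
    memcpy(ip, msg + off, 4);
    return 0;
}

/* 1 if the first msg_len bytes of the sample parse to the expected record.
 * SAMPLE_RESPONSE_LEN plays the recvfrom() result; anything shorter models a
 * truncated datagram, which the unfixed resolvers would have read beyond. */
int sample_parses(size_t msg_len)
{
    char name[256];
    uint8_t ip[4];
    if (parse_first_answer(SAMPLE_RESPONSE, msg_len, name, sizeof name, ip) != 0)
        return 0;
    return strcmp(name, "www.example.com") == 0 && ip[0] == 93 && ip[3] == 34;
}
```

The backwards-only rule for compression pointers is stricter than RFC 1035 strictly requires, but it costs nothing and removes the need for a separate hop counter, since every jump strictly decreases the offset.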
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
in its handling of HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description:
The iproute utility is susceptible to spoofed netlink messages sent by local
users, with the result that denial of service attacks are possible.
KDE: Two issues in KDM
Package(s): kde, xfree86
CVE #(s): CAN-2003-0690, CAN-2003-0692
Created: September 16, 2003
Updated: December 19, 2003
Description:
According to this advisory two issues have been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM
display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure.
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains User Mode Linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around for this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
libnids: remotely exploitable buffer overflow
Package(s): libnids
CVE #(s): CAN-2003-0850
Created: October 29, 2003
Updated: January 6, 2004
Description:
libnids (a library used by network intrusion detection systems which
emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability
which can be exploited remotely. Version 1.18 fixes the problem.
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
mpg123: heap overflow
Package(s): mpg123
CVE #(s): CAN-2003-0865
Created: November 12, 2003
Updated: February 19, 2004
Description:
Versions of mpg123 through 0.59s contain a heap overflow which may be
exploited remotely (by a hostile server). See this advisory for details.
mplayer: remotely exploitable buffer overflow vulnerability
Package(s): mplayer
CVE #(s): CAN-2003-0835
Created: September 29, 2003
Updated: April 6, 2004
Description:
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full
advisory for details.
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): none listed
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or he/she would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux nfs-utils package contains a remotely exploitable off-by-one bug
in its xlog() logging function. A local or remote attacker could trigger it
by sending a specially crafted request to the rpc.mountd daemon. See this
BugTraq post for more details.
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Pan: denial of service
Package(s): Pan
CVE #(s): CAN-2003-0855
Created: November 25, 2003
Updated: December 10, 2003
Description:
Pan is a Gnome/GTK+ newsreader. A bug in Pan versions prior to 0.13.4 can
cause Pan to crash when parsing an article header containing a very long
author email address. This bug causes a crash (denial of service) but is
not further exploitable.
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see this advisory
from Michal Zalewski for details.
proftpd: remote root shell
Package(s): proftpd
CVE #(s): CAN-2003-0831
Created: September 24, 2003
Updated: January 2, 2004
Description:
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability
which will provide a remote attacker with a root shell, if the attacker is
able to upload a specially-crafted file and then download it in ASCII mode.
See this ISS advisory for more information.
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
The use Perl site has a description of a vulnerability in the Safe.pm Perl
module. It seems that if a Safe compartment is used more than once, it
ceases to be safe. The problem is fixed in Safe 2.08.
sane-backends: several vulnerabilities
Package(s): sane-backends
CVE #(s): CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776,
CAN-2003-0777, CAN-2003-0778
Created: September 11, 2003
Updated: February 20, 2004
Description:
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segmentation fault and/or consume arbitrary
amounts of memory. The attack is successful even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the
code, so connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory, so random memory "after" the wire
buffer is read, which is followed by a segmentation fault.
- CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (and saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
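Whether an archive member may be written under the extraction directory is a property of its name alone: it must be relative and contain no ".." component. The following added example, which is not GNU tar's or unzip's code, implements that check in C and walks a ustar archive held in memory to count offending members; the sample archive is constructed inline with blank checksum fields, which a real extractor would verify as well. The same name test applies unchanged to zip entries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAR_BLOCK 512

/* A member may be written under the extraction directory only if its name is
 * relative and no path component is "..": empty names, absolute paths and any
 * ".." component are rejected, while "./x" and "..foo" are fine. */
int tar_name_is_safe(const char *name)
{
    const char *p = name;
    if (*p == '\0' || *p == '/')
        return 0;
    for (;;) {
        const char *sep = strchr(p, '/');
        size_t n = sep ? (size_t)(sep - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!sep)
            return 1;
        p = sep + 1;
    }
}

/* Length of a NUL-padded header field of at most max bytes. */
static size_t field_len(const unsigned char *f, size_t max)
{
    const unsigned char *e = memchr(f, '\0', max);
    return e ? (size_t)(e - f) : max;
}

/* Walk a ustar archive in memory and count members whose name fails
 * tar_name_is_safe().  The name is name[100], preceded by prefix[155] when the
 * ustar magic is present.  Returns -1 if a member's data runs past len. */
int tar_count_unsafe(const unsigned char *ar, size_t len)
{
    size_t off = 0;
    int unsafe = 0;
    char full[155 + 1 + 100 + 1];
    while (off + TAR_BLOCK <= len) {
        const unsigned char *h = ar + off;
        size_t nlen = field_len(h, 100), plen = 0, o = 0, size;
        if (h[0] == '\0')                         /* end-of-archive zero block */
            break;
        if (memcmp(h + 257, "ustar", 5) == 0)
            plen = field_len(h + 345, 155);
        if (plen) {
            memcpy(full, h + 345, plen);
            full[plen] = '/';
            o = plen + 1;
        }
        memcpy(full + o, h, nlen);
        full[o + nlen] = '\0';
        if (!tar_name_is_safe(full))
            unsafe++;
        size = strtoul((const char *)h + 124, NULL, 8);   /* octal size field */
        if (size > len - off - TAR_BLOCK)
            return -1;
        off += TAR_BLOCK + ((size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
    }
    return unsafe;
}

/* Header for the constructed sample; the checksum is left blank because this
 * example only inspects names, a real extractor verifies it as well. */
static void put_header(unsigned char *h, const char *name, size_t size)
{
    size_t n = strlen(name) < 100 ? strlen(name) : 99;
    char octal[32];
    memset(h, 0, TAR_BLOCK);
    memcpy(h, name, n);
    memcpy(h + 100, "0000644", 7);
    snprintf(octal, sizeof octal, "%011lo", (unsigned long)size);
    memcpy(h + 124, octal, 12);
    h[156] = '0';                                 /* regular file */
    memcpy(h + 257, "ustar\0" "00", 8);           /* magic and version */
}

/* Constructed sample: one harmless member, one "../" member and one absolute
 * path, then the two zero blocks that end a tar stream.  Returns the length. */
int build_sample_archive(unsigned char *buf, size_t cap)
{
    static const char *names[] = { "etc/motd", "../.bashrc", "/etc/passwd" };
    static const char *data[]  = { "hello\n", "# injected\n", "" };
    size_t off = 0, i;
    for (i = 0; i < 3; i++) {
        size_t n = strlen(data[i]);
        size_t blocks = (n + TAR_BLOCK - 1) / TAR_BLOCK;
        if (off + (1 + blocks) * TAR_BLOCK > cap)
            return -1;
        put_header(buf + off, names[i], n);
        memset(buf + off + TAR_BLOCK, 0, blocks * TAR_BLOCK);
        memcpy(buf + off + TAR_BLOCK, data[i], n);
        off += (1 + blocks) * TAR_BLOCK;
    }
    if (off + 2 * TAR_BLOCK > cap)
        return -1;
    memset(buf + off, 0, 2 * TAR_BLOCK);
    return (int)(off + 2 * TAR_BLOCK);
}

/* Build the sample and scan it: 2 of its 3 members are unsafe. */
int sample_archive_unsafe_count(void)
{
    static unsigned char buf[8 * TAR_BLOCK];
    int n = build_sample_archive(buf, sizeof buf);
    return n < 0 ? -1 : tar_count_unsafe(buf, (size_t)n);
}
```

Rejecting any ".." component, not just a leading "../", is deliberate: "a/../../b" escapes the directory just as surely, and a name that stays inside the tree after normalisation has no legitimate need for ".." in the first place. Symbolic links inside the archive are a separate hazard this check does not cover.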
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): none listed
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
vim - modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description:
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. Modeline processing can be disabled
outright with "set nomodeline" in vimrc, which is the sensible setting on
any account that opens files it did not write.
wget: buffer overflow
Package(s): wget
CVE #(s): CAN-2003-1565
Created: August 5, 2003
Updated: December 10, 2003
Description:
The wget utility contains a buffer overflow which, when exploited with an
over-long URL, can enable arbitrary code execution.
zebra: denial of service vulnerability
Package(s): zebra
CVE #(s): CAN-2003-0795, CAN-2003-0858
Created: November 13, 2003
Updated: January 7, 2004
Description:
Zebra is an open source implementation of TCP/IP routing software.
Jonny Robertson reported that Zebra can be remotely crashed if a Zebra
password has been enabled and a remote attacker can connect to the Zebra
telnet management port. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0795 to this issue.
Herbert Xu reported that Zebra can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine. This could
lead to a local denial of service attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to
this issue.
Resources
A new mailing list (called "SC-L") has been set up for the discussion of
secure application development. It is a moderated list. Click below for
the full announcement, and instructions for signing up.
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.6.0-test11, otherwise known as
"Beaver in Detox," which was
released by
Linus on November 26. This release contains a very small number of
important fixes;
the long-format changelog
has the details.
The -test11 announcement says "And after that it will be up
to Andrew to say how to go on from here." Even so, Linus's
BitKeeper tree contains a handful of other patches which, presumably, will
find their way into a release at some point.
The current stable kernel is 2.4.23, which was released by Marcelo on November 28. No
changes were made between -rc5 and the final release.
Kernel development news
The first test release for RTAI 3.0 is now available. RTAI is an extensive
set of real-time extensions for the Linux kernel; this release includes a
great many improvements, which are described in the announcement.
The Advanced Linux Sound Architecture (ALSA) project has been
working at the creation of a new audio subsystem
for the Linux kernel (along with user-space support) since
early 1998. Now, almost six years later, the project has
announced its first 1.0 release candidate.
This release is not that far removed from what is in the 2.6.0-test11
kernel; still, it might be a good time for audio enthusiasts to test things
out one last time.
After the 2.4.23 release, maintainer Marcelo Tosatti
let it be known that the development period for
the 2.4 series is coming to an end. His plans are to accept relatively
intrusive patches for 2.4.24 - especially driver patches. But, starting
with 2.4.25, only serious bug fixes will be accepted. People will be
running 2.4 kernels for some time yet, but the 2.4 series will not be
acquiring new features.
The result of this sort of announcement is always predictable: people start
coming forward with the patches that they feel, for whatever reason,
absolutely have to be merged before the gate closes. One of those
is Jeff Garzik's "libata" driver, which provides much improved serial ATA
support. Marcelo initially said that he would incorporate libata, but has
since changed his mind, saying that people
who want libata should use 2.6.
The big discussion, however, concerned the inclusion of the XFS
filesystem. XFS is relatively controversial because it requires some
significant core VFS changes, and not everybody is happy with the quality
of the code. There was enough clamor, however, that Marcelo has relented
to the extent that, if some of the core filesystem maintainers can be made
to agree, he will let XFS in.
The reasoning behind the policy change for 2.4 is that the 2.6
kernel is on the horizon. 2.6.0 may well be released before a 2.4.24
kernel could be prepared. At that point, attention is expected to shift to
2.6, and there won't be much interest in 2.4 anymore. This approach does
worry some people who remember that the 2.4 kernel took almost a year to
truly stabilize after 2.4.0 came out. If 2.6 follows the same path, Linux
users could be left for several months with no kernel which is being
updated with new drivers, bug fixes, etc.
The general expectation, however, is that the early part of the 2.6.x
series will be rather more successful than 2.4 was. The 2.6.0-test kernels
seem to be far more stable than 2.4 was at this stage, and there is a high
level of confidence in Andrew Morton's willingness and ability to stabilize
things further. Not everybody realizes how differently the development
process is working this time around. The year-old feature freeze has
(mostly) held, which is a nice difference. But the big change is that
Linus will be handing 2.6.0 to Andrew Morton from the beginning. In the
past, Linus has always continued to manage the stable kernel releases until
he felt confident in moving on to the next development series. Linus, by
his own admission, is not the best release manager for a stable kernel; he
would much rather be breaking things. So his early handoff of 2.6 could
make a big difference in how quickly that kernel becomes truly usable.
That said, 2.6.0 is still not going to be the best kernel to use to run
your nuclear power plant. A small set of fixup releases will certainly be
required first. But the confidence in 2.6 is high enough that the
distributors are looking in that direction for their future releases.
There is little interest in building a new distribution release on 2.4;
that, more than anything else, is the reason for putting 2.4 into a
"critical fixes only" mode in the near future.
The Linux developers have long, and with reason, been pleased with
the performance of the kernel's networking subsystem. For
various
reasons, there is also a longstanding rivalry between the Linux
networking hackers and their Sun counterparts. So when The Register posted
an article
about the "Fire Engine" networking stack which will be part of future
Solaris releases, it drew some attention. This quote from John Fowler,
Sun's software CTO, also didn't help:
Also we focused on CPU utilization. One of the little secrets of
networking is high speed interfaces can in fact pump lots of bits,
but they chew up lots of CPU, which means you aren't doing other
things. We worked hard on efficiency, and we now measure, at a
given network workload on identical x86 hardware, we use 30 percent
less CPU than Linux.
The dissection of Sun's claim was quick to begin. It was pointed out that
we don't know which version of Linux is being referred to in the quote.
There's a lot of differences between the 2.4 and 2.6 kernels, and it would
not be quite sporting for Sun to be comparing its upcoming, unreleased
technology with an old version of Linux.
Sun's performance improvements appear to be based on the use of "TCP
Offload Engine" (TOE) technology. The idea of a network adaptor which can
take on the network protocol overhead is not particularly new; such
hardware has been available for many years. The Linux networking hackers
have always had a low opinion of the TOE approach, however. TOE hardware
may offload a bit of work from the processor, but it suffers from a number
of disadvantages:
- When you use TOE hardware, you have just moved your networking
stack into a firmware-based, closed-source module. This code can not
be inspected, fixed, or improved.
- TOE-based networking suffers from latency problems. The setup and
teardown of network connections still requires the processor's
intervention, and that means several round trips over the bus for each
connection.
- As Larry McVoy heard from "Sun employee
#1," processors are getting faster much more quickly than TOE hardware
is. Even if a TOE adaptor performs reasonably when it is released, it
will be quickly outstripped by processor-based TCP implementations.
The 2.6 networking stack is happy to offload some functions to smart
interfaces; examples include packet checksumming and TCP segmentation. But
the full TCP offload approach is likely to remain unpopular into the
future.
In general, the networking hackers do not feel threatened by "Fire Engine."
That didn't stop them from having a discussion of how Linux networking
could be made faster, however. The conversation was based around a shopping list of possible improvements posted
by Andi Kleen. This list includes a number of good ideas, but the bulk of
the debate concerned a relatively obscure topic: timestamp generation.
Certain applications want to get each packet packaged with a timestamp
saying exactly when that packet was received. Tools like tcpdump, for
example, make use of this capability. The socket interfaces were designed
in such a way that the networking subsystem cannot know if any particular
packet needs to be timestamped or not; as a result, it generates timestamps
for all incoming packets, even though they are rarely used.
The problem is that this timestamp generation gets to be expensive when you
have thousands of packets flowing through the system every second.
Depending on the architecture Linux is running on, generating the timestamp
can involve talking to a (slow) off-CPU timer or moving cache lines
frequently between processors. Improving the timestamp generation might be
the most straightforward way of speeding up Linux networking, at least at
the high end.
That fix is not entirely easy, however. Networking maintainer David Miller
is unwilling to make any changes that would reduce the accuracy of the
timestamps returned to user space. Any such changes would be seen as an
API change; somebody, somewhere, would be badly affected by it.
The proper solution, as proposed by David,
is the creation of a new fast_timestamp_t type which is quicker to
generate, but which can be converted to a real time when the need arises.
The optimal implementation of this type would be highly dependent on the
underlying architecture; on many systems the CPU cycle timer could be used,
but that approach would not work universally. A default,
architecture-independent "fast timestamp" implementation is easy to add,
however. Creating that sort of structure for the architecture maintainers
to play with may be one of the first things to happen when the 2.7 series
opens up.
Page editor: Jonathan Corbet
Distributions
News and Editorials
With the recent
compromise of
several Debian servers, nobody needs a reminder about the importance of
security on publicly accessible production machines. Diligent application
of security patches guards against known vulnerabilities, but, as Debian's
case shows, how can one prevent (or at least reduce the likelihood of) an
attacker exploiting an unknown vulnerability? Some of the
solutions include various kernel patches protecting against buffer
and stack overflows, security enhanced kernels, User Mode Linux with critical
processes confined to "jails", Linux intrusion detection systems with
mandatory access control policies and other solutions.
However, most mainstream Linux distributions, as well as Linux kernel
developers have yet to be persuaded about the need to implement any of the
above solutions in their products. As a result, a wave of various "secure"
distributions came into existence in the past several years, attempting to
fill the gap and appealing to the more careful or paranoid amongst the system
administrators running mission critical servers. Some of these distributions
provide little more than sensible default settings with all unnecessary
services turned off, while others attempt more sophisticated protection
mechanisms against common exploits. Among the oldest of these distributions
are SME Server (formerly e-smith) by
Mitel and Immunix, by Immunix, Inc.
(formerly WireX Communications, Inc.).
Both Mitel and Immunix made interesting announcements last week. Mitel's
Director of Product Management Dan York posted a message on the
distribution's mailing list saying that the upcoming SME Server 6.0 would be
the last unsupported developer (i.e. freely download-able) release.
"Mitel is a commercial enterprise," asserts the writer,
"and has decided to focus our developers on our commercial
products." Future releases, if any, are up to the SME Server
user community and even the distribution's mailing lists, forums and bug
reporting facilities will no longer be hosted by Mitel.
The announcement was met with various emotions ranging from anger at Mitel for
abandoning their long-term users and contributors to hope that the product
will continue, albeit in a different form. Despite its relatively
low-profile status in the media, e-smith SME Server is a popular
distribution with highly active mailing lists, a satisfied user base and
several community web sites, including SME-Fr (in French) and contribs.org. The latter has now
accepted the challenge of setting up a complete development framework, thus
providing continuity in the development of the community supported SME
Server.
The other interesting announcement was a quiet release of Immunix Secured
OS, version 7.3. Unlike the company's previous releases, version 7.3 is no
longer free: "Immunix Secured OS 7.3 is not free software. Immunix
does employ many GPL components, among other licenses, and source code for
GPL software is available under the terms of the license." All
previous versions of Immunix were available in the form of freely
download-able ISO images for non-commercial use, although all of them have
now reached end of life.
What makes SME Server and Immunix Secured OS worth paying for? SME Server
falls into a category of server distributions where security is achieved
through simplicity and transparency, elimination of non-essential services
and replacement of certain services with more secure alternatives. It also
provides a unique, template-driven configuration system written in Perl. On
the other hand, Immunix has developed its own set of technologies guarding
against various common exploits. As an example, Immunix 7.3 comes with
StackGuard, a set of patches for the GCC compiler (presently only
available for GCC 2.96) which places a canary value beside the return
address in each function's stack frame and verifies it before the function
returns, so that a stack buffer overflow which smashes the return address
aborts the program rather than hijacking control. Another interesting
technology is SubDomain, a mandatory access control mechanism for
limiting privileges given to critical programs and processes. There is a lot
more and if all these features work as advertised, the $200 price tag does
not seem excessive. Still, the decision to discontinue the non-commercial
edition was not well received by many long-term Immunix users.
What do these changes at Mitel and Immunix mean for the Linux user community?
They seem to confirm a trend in the direction of several Linux companies
which have decided to focus exclusively on the corporate market. They
probably see small businesses and private users as somebody contributing very
little to their overall profit margins, while draining precious developer
resources. Although this seems to be an understandable direction from the
business point of view, these companies sometimes forget the power of
non-tangible benefits that a large user base brings them in terms of product
recommendations, bug reports, exchange of ideas on forums and mailing lists,
suggestions and other non-monetary values. And abandoning one's users, even
if those users don't provide immediate material benefits, does not seem like
a smart idea in the long run.
1. Introduction
APT-RPM is a port of Debian's APT tool to RPM based distributions
(Conectiva Linux, Fedora Linux, SuSE Linux, ALT-Linux, etc), written and
maintained by Conectiva. APT is an advanced package management utility
front-end which allows one to easily perform package installation,
upgrading and removal. Dependencies are automatically handled, so if one
tries to install a package that requires others to be installed, it will
download all needed packages and install them.
Recently, a great deal of development has been happening under the hood in
the APT-RPM world, but unfortunately most of the new features are noticed
only by the small number of people who follow the development closely. This
article is an attempt to introduce the reader to some of the latest features
available today in the RPM port of APT.
2. Dealing with local packages
One of the recently introduced features, which sat at the top of the TODO
list for a long time, is the ability to install arbitrary local package
files while still using APT's dependency handling. With this feature,
installing a local package with its dependencies resolved is as easy as
installing a package from a remote repository. Here is an example, assuming
that the file is in the current working directory:
% apt-get install rpmver-2.0-13498cl.i386.rpm
Reading Package Lists... Done
Building Dependency Tree... Done
Selecting rpmver to represent rpmver-2.0-13498cl.i386.rpm
The following NEW packages will be installed: rpmver
0 upgraded, 1 newly installed, 0 removed and 8 not upgraded.
Need to get 0B/6404B of archives.
After unpacking 5552B of additional disk space will be used.
Committing changes...
Preparing... ########################################### [100%]
1:rpmver ########################################### [100%]
Done.
The same works for source packages. The following example checks every
build-time dependency of the given source package, asks for confirmation,
and then fetches and installs the missing ones.
% apt-get build-dep apt-listchanges-1.49-11104cl.src.rpm
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
rpmver
0 upgraded, 1 newly installed, 0 removed and 8 not upgraded.
Need to get 6404B of archives.
After unpacking 5552B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 ftp://mapi8.distro.conectiva latest/conectiva/all rpmver 2.0-13498cl [6404B]
Fetched 6404B in 8s (798B/s)
Committing changes...
Preparing... ########################################### [100%]
1:rpmver ########################################### [100%]
Done.
3. Local repositories
Dealing with package files directly is just one way to use APT-RPM.
Another easy way is to set up a local repository. Local repositories have
always been available, but they require maintaining meta-information, which
APT-RPM expects to find in the base/ subdirectory. APT-RPM has now learned
to deal with a special kind of local repository that requires no
meta-information maintenance at all. Instead, the information is read
directly from the packages, and new packages dropped into these directories
are recognized automatically.
The configuration of this new kind of local repository is
straightforward. One only needs to replace the rpm source
type with the rpm-dir source type in the sources.list
repository configuration file. For example, to maintain a repository in
/repos/conectiva/RPMS.local and to have every package dropped in
this directory automatically recognized by APT-RPM, one should include the
following line in the sources.list file:
rpm-dir file:///repos conectiva local
No additional configuration is needed.
The same rules apply to source
repositories as well, using rpm-src-dir instead of
rpm-src in the sources.list repository configuration
file. Extending the example above, the following line would allow one to
maintain SRPM packages in /repos/conectiva/SRPMS.local without any
further work:
rpm-src-dir file:///repos conectiva local
4. Installing packages by filenames
One feature that most package tool users find natural is the ability to
install packages by providing file names instead of package names. Until
recently, this feature was available in APT-RPM only through an external Lua
extension. It is now built into APT-RPM, which can translate any filename
included in the remote repository's meta-information into the package that
provides it.
The following example shows the feature working. The filename is translated
to the package name, and with user confirmation, the package is downloaded
and installed.
% apt-get install /usr/bin/rpmver
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
rpmver
The following NEW packages will be installed:
rpmver
0 upgraded, 1 newly installed, 0 removed and 8 not upgraded.
Need to get 6404B of archives.
After unpacking 5552B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 ftp://mapi8.distro.conectiva latest/conectiva/all rpmver 2.0-13498cl [6404B]
Fetched 6404B in 17s (376B/s)
Committing changes...
Preparing... ########################################### [100%]
1:rpmver ########################################### [100%]
Done.
Note that repository maintainers may exclude some files from the
meta-information to save space.
5. APT Shell
Another interesting feature developed recently is the apt-shell.
This is a tool which offers a shell to make the user experience more
pleasant while navigating through the APT cache and installing, erasing, and
upgrading packages.
Here is a very short list of available features to leave the reader excited
enough to look further:
- Stateful cache. Mark packages as you want and when satisfied with the
current selection, commit to the system.
- Gradual selection. Each time you select a package that would cause more
changes in the cache than you requested, you'll be notified about what
changes will be made, and given the option to cancel.
- Smart completion. Command line completion for commands, package names,
and versions. When removing, only installed packages will complete. When
keeping, only packages selected for changing will complete.
- New list/ls command, allowing one to list packages in a comfortable
way, including shell wildcards. Also, options for listing only installed
packages, only upgradeable packages, listing installed and candidate
versions, and listing summaries.
- Wide set of commands, including most of the apt-get and
apt-cache functionality.
- Inline help.
Here is a short interactive sample session, edited for brevity.
Reading Package Lists... Done
Building Dependency Tree... Done
Welcome to the APT shell. Type "help" for more information.
apt> install dum [TAB pressed]
dummy dump
apt> install dummy= [TAB pressed]
0.1-1cl 1.0-1cl 1:1.0-1cl 1:1.5-1cl
apt> install dummy=1:1.0-1cl
apt> install alsa-lib-devel
Unrequested changes are needed to execute this operation.
The following packages will be upgraded
alsa-lib-devel libalsa2
(...)
Do you want to continue? [Y/n] n
Abort.
apt> commit
The following NEW packages will be installed:
dummy
(...)
Executing RPM (-Uvh)...
Preparing... ########################################### [100%]
1:dummy ########################################### [100%]
(...)
apt> ls dum*
dummy dump
apt> ls -v dum*
Name Installed Candidate
---- --------- ---------
dummy 1:1.0-1cl 1:1.5-1cl
dump - 0.4b28-11400cl
apt> ls -s dum*
dummy - Dummy package doing weird stuff.
dump - Programs for backing up and restoring filesystems.
6. Meta-components
Unlike the Debian strategy of maintaining main, contrib,
and a few other major components, some users of APT-RPM, like Conectiva
Linux, have chosen to split components in a more finely grained fashion
with, for example, devel, doc, audio, and many
others. This introduces some interesting possibilities, as users may
"subscribe" to just those components they are really interested in. On the
other hand, splitting components like this also introduces some annoyance
to those who want to simply subscribe to every available component. It also
creates problems when a new component is created, since nobody is subscribed
to it yet, and it would take some time for users to discover that the new
component was available.
The meta-component was created to solve these issues. Using
meta-components one is able to create components that contain the
information of other real components. For APT-RPM users, there's no
difference between a meta-component and a real component. For repository
maintainers who want to create a meta-component, it's just a matter of
using the appropriate genbasedir options.
For example, suppose that the components main, extra, kde, and gnome are
available; one may create an additional all meta-component that includes the
information from all of them with the following command:
genbasedir --meta=all /repos/path main extra kde gnome
Doing this, users may either include any combination of individual
components in their sources.list repository configuration file, or
use the meta-component.
7. Lua interface
One exciting new capability recently introduced into APT-RPM is an embedded
Lua interpreter. It allows APT-RPM to be customized and extended in any
direction, limited mostly by the imagination and scripting ability of
whoever needs the extra packaging features.
The scripting interface is built around the concept of slots. Slots are
points in APT-RPM's execution where any number of scripts may be plugged in
to introduce special behavior. Some of these slots allow scripts to add new
commands to the APT-RPM tools apt-get, apt-cache and apt-shell. Scripts may
also be run explicitly with the script subcommand.
Currently, a good part of the APT API is already available to Lua scripts,
and complete documentation is available at AptRpm/Scripting.
To give an idea of how it works, the following script may be executed with
apt-get script install-devel.lua (assuming that is its file name). It marks
for installation the development packages with suffixes -devel and
-devel-static, as long as the corresponding main package is already
installed.
    -- Mark the -devel and -devel-static companions of a package for
    -- installation, if they exist in the cache and are not installed yet.
    -- pkgvercur() is nil/false for a package that is not installed.
    function installdevel(name)
        local pkg = pkgfind(name.."-devel")
        if pkg and not pkgvercur(pkg) then
            markinstall(pkg)
        end
        pkg = pkgfind(name.."-devel-static")
        if pkg and not pkgvercur(pkg) then
            markinstall(pkg)
        end
    end

    -- Walk the whole package cache and handle every installed package.
    for i, pkg in pairs(pkglist()) do
        if pkgvercur(pkg) then
            installdevel(pkgname(pkg))
        end
    end
8. Upgrading algorithm
Some changes in APT-RPM go mostly unnoticed by the everyday user. One of
these changes happened during the release period of Conectiva Linux
9.0. Several days were spent improving the behavior of APT-RPM in complex
situations, such as upgrading a whole distribution. Today, APT-RPM is the
only tool used for upgrading Conectiva Linux, and it has been tested
heavily, including upgrading across two distribution versions in a single
step. Recently, users of other distributions have reported that the
upgrading algorithm is indeed working more reliably: they too are able to
upgrade their own distributions, and the problems that remain during
upgrades are mostly due to packaging bugs.
9. Internal committing of changes
One behavior that many users disliked was the way APT-RPM committed the
programmed changes to the system. Until recently, APT-RPM did this by
executing the rpm binary itself.
This approach had a few disadvantages, such as splitting the transaction
into more than one unit, since the rpm binary does not currently support
installing and erasing packages in a single step.
Fortunately, since version 0.5.15cnc3, APT-RPM supports internal committing
of changes through the rpmlib API, which leaves these problems behind. The
old method is still supported and can be selected at runtime.
10. Synaptic
Synaptic is a very good graphical interface for package installation which
supports both APT-RPM and APT. Lately this software has been receiving
special attention and is evolving rapidly. Anyone who would like access to
the features of APT-RPM or APT through a graphical interface is well advised
to look at the Synaptic project.
11. Changes in the original APT
Changes made to the original version of APT, maintained by Debian
developers, are constantly being integrated into APT-RPM as well. A small
example is the recently introduced -V argument of the apt-get install
subcommand, which shows which versions are going to be installed on the
system if the transaction is committed, as the following example shows:
% apt-get install -V rpmver
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
rpmver (2.0-13498cl)
0 upgraded, 1 newly installed, 0 removed and 8 not upgraded.
Need to get 6404B of archives.
(...)
12. Credits
The core maintenance of APT-RPM is done by the Conectiva developer Gustavo
Niemeyer, but it would be unfair to take the credit without mentioning other
people (in no particular order), such as Panu Matilainen and Richard Bos,
who have always been persistent APT-RPM contributors; Michael Vogt, a
Debian developer who has been doing a wonderful job maintaining Synaptic
with Gustavo; Jeff Johnson, the RPM software maintainer; ALT-Linux, which
constantly sends patches "upstream"; Vine Linux, which pushes APT-RPM in the
eastern side of the world; the Debian developers who contribute to the
original APT project; and many others who contribute to the continuous
progress of APT-RPM.
13. Links
Comments (18 posted)
Distribution News
The Debian Weekly News for November 26, 2003 is available with the latest
news from the Debian Project. Topics include the breach of Debian servers,
an interview with several developers from freedesktop.org, results for the
new SPI Board of Directors member vote, and more.
The Debian Weekly News for December 2 is
out; this issue looks at Mozilla problems, Debian GNU/KNetBSD, Virtual
Stallman discrepancies, and several other topics.
The Debian Project has posted a lengthy
report on the compromise of its servers. Most of what is here has also
been disclosed elsewhere, but this report is a comprehensive summary in a
single place. A couple of important things are, seemingly, still not known,
however: who did it, and when the maintainers' accounts will be unlocked.
Anthony Towns reports on the progress of the
'sarge' release, with a summary of the progress to date and what still
needs to be done.
Comments (none posted)
The Gentoo Project has sent out an alert to the effect that one of the
servers which makes up rsync.gentoo.org has been compromised.
"However, the compromised
system had both an IDS and a file integrity checker installed and we have a
very detailed forensic trail of what happened once the box was breached, so
we are reasonably confident that the portage tree stored on that box
was unaffected." Gentoo users may have gotten off relatively easy,
as Debian's users did before. At this point, however, it is clear that the
level of attacks on the free software community's infrastructure is
increasing. Be careful out there.
Comments (32 posted)
The Gentoo Weekly Newsletter for the week of December 1st, 2003 is out. The
Gentoo Documentation Project is looking for more translators. Read
more on this and other Gentoo news by clicking below.
Full Story (comments: none)
MandrakeSoft has announced the first release candidate of MandrakeMove.
MandrakeMove is a 9.2 system on a live CD. Personal data and configuration
settings may be stored on a dedicated USB key so you can take your Mandrake
system with you wherever you go.
Mandrake Linux 9.2 updates:
- Numerous bugs have been fixed in drakxtools. Many are covered in
this advisory, but additional fixes are addressed here.
- New kopete packages are available
that bring back MSN capabilities.
- New kde-i18n-es packages are
available that provided updated Spanish translations for kmail that fix
some display issues.
- New mandrake_doc packages are
available that provide last-minute updates to the documentation included
with Mandrake Linux 9.2.
Comments (none posted)
Bruce Perens has posted (in draft form) a document called UserLinux:
Repairing the Economic Paradigm of Enterprise Linux. It describes his
complaints with the current state of "enterprise" distributions and what he
proposes to do about it.
"We, the Free Software developers, created this
software to empower everyone, and for everyone to share. But today's
Enterprise Linux is a lock-in play, designed to draw the customer into
expensive subscriptions and single-vendor service.... We have no problem
with payment for service, when service is
rendered. But the $1000 per year or greater that many customers now pay for
their Linux systems goes not for service, but for a brand and the
endorsement of a few application providers like Oracle."
Comments (49 posted)
For those who are interested, Red Hat has posted a new draft leadership
scheme for the Fedora Project. Changes are listed at the end.
"The idea of voting bodies was removed. It was creating too
much complexity in infrastructure to retain the amount of control that Red
Hat requires for its participation in the project, for no real gain. It was
also contrary to existing practice, both in Linux and Red Hat's experience
building a distribution."
Comments (9 posted)
Here are this week's Fedora updates:
- PostgreSQL client programs and libraries, bug fixes and more in
these rh-postgresql-7.3.4-11 packages.
- The rhdb-utils package contains
miscellaneous, non-graphical tools developed for PostgreSQL.
- The panel applet in rhn-applet-2.1.4-3 should fix most of the
problems found with the Red Hat Network applet during the migration to
Fedora Core infrastructure.
- New initscripts-7.42.2-1 fix several
bugs.
Comments (1 posted)
The slackware-current changelog shows an upgrade to bind-9.2.3, gnupg-1.2.3 with support for
ElGamal keys removed, an upgrade to kernel-2.4.23, alsa-driver-0.9.8 added
to the kernel, and more.
Comments (none posted)
Trustix notes that the sym53c8xx module in
Linux kernel 2.4.22 has been renamed to sym53c8xx_2 in 2.4.23 which could
cause some systems to not upgrade properly. The fix is fairly
straightforward, and definitely worthwhile.
There are updates to freeswan to upgrade to
the latest upstream version.
Comments (none posted)
Lindows.com has announced the availability of the LindowsOS Laptop Edition,
a version of its distribution oriented toward laptop use.
"LindowsOS Laptop Edition includes improved power management, high
compatibility with WiFi cards, and the ability to take advantage of keyboard
shortcuts to browsers and email programs."
Comments (6 posted)
New Distributions
cAos is a Linux distribution created by
the community, for the community. The purpose is to provide a stable Linux
solution for organizations and individuals that do not need or want to
purchase their Linux solution. The kernel and almost every application that
makes up a Linux distribution are free and supported by their respective
development groups. cAos is simply a project that allows them to integrate
together into a usable product. This distribution is focused on becoming an
enterprise level community produced solution. The project was announced
November 8, 2003. The first alpha version was released December 1, 2003.
Comments (none posted)
The Linux Business Alliance (LBA) has announced the creation of LBA-Linux.
The new distribution is the result of professional co-operation between
the members of the LBA, and is based on SOT's GNU/Linux distribution, SOT
Linux. LBA-Linux is considered a successor to SOT Linux.
Full Story (comments: none)
Feather Linux is a Linux
distribution which runs completely off a CD and takes up under 50Mb of
space. It is suitable especially for business-card sized CDs. It is a
Knoppix remaster (based on Debian), and tries to include software which
most people would use every day on their desktop. Feather joins the list
at version 0.2, released November 30, 2003.
Comments (none posted)
Minor distribution updates
2-Disk Xwindow embedded Linux has released source code v1.2.4 with minor
bugfixes.
"Changes: Cleanups were made
to the taskbar, script, and graphics. New build options for
CD/USB/hard-disk systems. The new expunge application build system adds
support for auto-building Mozilla, XMame, GTK, MPlayer, and Apache. A
humungous build option was added. Boot-time speedups were made. Many other
minor changes were made."
Comments (none posted)
Astaro Security Linux has released v4.017 with major security fixes.
"Changes: This version includes a kernel
vulnerability fix and support for new hardware. It fixes the USB keyboard
support and the port scan notification."
Comments (none posted)
Aurox Linux has released beta v9.2 with major feature enhancements.
"Changes: This version
features GNOME 2.4.1, KDE 3.1.4, fluxbox 0.1.14, and OpenOffice.org 1.1
with dictionaries. During the install users can now choose 'Light Desktop'
with fluxbox, mozilla-firebird, rox-filer, and sylpheed. The new
dvd+rw-tools with k3b 0.10.2 allows users to write DVDs. Other new
applications include Sodipodi, Blender, Scribus, QtParted, and tools for
mobile phones (gnokii and gscmxx)."
Comments (none posted)
ClusterKnoppix v3.3-2003-11-19-EN-cl1 has been released. This version has been upgraded
to the latest Knoppix and OpenMosix 2.4.22-2. Click below for more information.
Full Story (comments: none)
DeLi Linux has released v0.4 with minor feature enhancements.
"Changes: The setup script has
been rewritten. Minor bugfixes were made."
Comments (none posted)
Mepis Linux has released v2003.10 with major feature enhancements. From the
change log, "With
release 2003.10, MEPIS has expanded the functionality of the MEPIS
Installation Center to allow the user to install MEPIS or repair the boot
loader, Xconfig, make a floppy, or test the hard drive all while running
from the Live-CD."
Comments (none posted)
Recovery Is Possible! has released v6.6.
"Changes: The kernel and some of the software have been
updated."
Comments (none posted)
Sentry Firewall has released v1.5.0-rc7 with minor bugfixes.
"Changes: Snort, FreeS/WAN, iptables,
ebtables, and net-snmp have been updated. The rc.inet1 init script has also
been updated to utilize the rc.inet1.conf file introduced in Slackware
9.1."
Comments (none posted)
Webfish Linux has released v2.0pre1.
"Changes: This version is built using the new LFS-5 packages as a
base. Work has begun on sets of packages to extend functionality. These
will be downloadable as binary, or as source with a nALFS XML definition to
build and install them. Installation is currently achieved using the same
old method."
Comments (none posted)
White Box Enterprise Linux is
an attempt to make a free distribution based on Red Hat Enterprise
Linux 3. The second release candidate for the "White Box Enterprise
Linux 3.0" release is now available. White Box, if it can put
together the developers to keep up with security updates and such, could
eventually become another alternative for Red Hat Linux users looking for a
new distribution. (Thanks to Xose Vazquez Perez).
Full Story (comments: none)
Distribution reviews
Here's a NewsForge review of the ADIOS Linux Boot CD.
"Developed by the Queensland University
of Technology in Brisbane, Australia, ADIOS is an acronym that stands for
"Automated Download and Installation of Operating Systems." The original
idea was to create a tool for easy installation of multiple operating
systems on students' workstations, but as the project evolved and the
original needs changed, more and more effort went into a Red Hat-based live
CD, which is now known as ADIOS Linux Boot CD. Version 2.00, based on Red
Hat Linux 9, was released last week."
Comments (none posted)
NewsForge takes a look at Sentinix and talks with developer Michel Blomgren.
"Reboot the system and it starts with openMosix running and the
pre-configured network and service monitoring tools are started and
working. Where most CD distributions try to "do it all" or "do only one
thing well", SENTINIX does just two."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Version 1.0 of KimDaBa, the KDE Image Database, was announced this week on
KDE.News:
After exactly one year of coding, several months of bothering people with demos, and 2 long holidays (also used for coding), I've finally gotten my act together enough to make a public release of KimDaBa. If you have a large pile of digital images and need a sane solution for managing them, KimDaBa could well be the answer to your prayers.
The design of KimDaBa was aimed at achieving these goals:
- Images should be easily described, individually, and as part of a group.
- The system should be able to search for images, based on their metadata properties.
- Browsing through large numbers of images should be easy and fast.
Typical image viewing operations such as zoom, rotate, and full screen
display are included in the application.
KimDaBa also includes a built-in slide show mode
for manual and automatic cycling through images.
Image metadata may be displayed with the image.
One interesting feature is the ability to overlay circles,
rectangles, and arrows on the image to highlight certain parts of
the image.
KimDaBa differs from simple image display programs in that it
maintains a database of image metadata, which can be used to
quickly locate and group images.
The program has been set up so that it is easy to switch from
one search thread to another, allowing one to follow a tangential
search pattern.
In the examples shown on the
KimDaBa home page,
image properties include categories for persons, locations, and keywords.
High-level search functions allow groups of images to be specified
according to search patterns with Boolean qualifiers.
For example, it is possible to search for all pictures of your brother
in Spain.
KimDaBa looks to be a useful addition to the Linux user's
digital photography toolkit.
Comments (1 posted)
System Applications
Audio Projects
Version 1.0.0 rc 1 of the ALSA sound driver is out. The notes say:
"intel8x0 driver fixes, OSS PCM emulation fixes".
Comments (none posted)
Version 0.90.1 of JACK, the Jack Audio Connection Kit, is out.
This release fixes one minor bug.
Full Story (comments: none)
The latest changes from the Planet CCRMA audio utility packaging project
include new versions of Rosegarden4, RTMix, Qjackctl, Qsynth, Raptor, and
more.
Comments (none posted)
Release 0.4.3 of swh plugins is out with a bunch of new audio
filter plugins and other improvements.
Full Story (comments: none)
Database Software
GnomeDesktop.org has announced version 1.0.2 of libgda/libgnomedb, a set of
libraries which implement a framework for developing database applications.
"This is a bugfix release, containing fixes for various bugs found by users in the 1.0.1 release."
Comments (none posted)
The PostgreSQL Weekly News for December 1, 2003 is available
with the latest happenings in the world of PostgreSQL.
Full Story (comments: none)
Version 3.2 of phpPgAdmin has been released.
"This release adds many features to the already popular 3.1 codebase, PostgreSQL 7.4 support, some new translations and bug fixes. phpPgAdmin is a PHP web-based administration application for all 7.x versions of PostgreSQL."
Comments (none posted)
The Firebird database project has merged the code from the Yaffil project.
"Yaffil, a Russian, Windows-only version of the Firebird database engine, was built originally from the open source Firebird code with a number of additional features. It began life as a private project, before becoming available as a commercial distribution from iBase.ru, of Moscow. Separate Yaffil development has since ceased, product sales have been stopped and all the sources have been released for merging into the Firebird 2.0 code base by the Firebird development team."
Comments (none posted)
Mail Software
New versions of milter-spamc and milter-sender are available from milter.org.
"Yes! A new release of milter-spamc/0.11 now supports access database white listing using the -f option; also another new option -F to allow redirecting to individual spam mail boxes; Unix domain socket support with spamd; IPv6 support; and few other fixes and enhancements."
"In light of "Brain Damaged..." behaviour in Sendmail's handling of HELO, milter-sender-0.47 has been released. Also a bug related to formatting the TZ for the full callback message has been fixed."
Comments (none posted)
Printing
Version 3.8.23 of the LPRng print system has been released. Change
information is in the source code.
Comments (none posted)
Web Site Development
Version 0.82 of Araneida, an extensible HTTP server written in Common Lisp,
is out.
"The main feature of this
version is the integration with the SLIME debugger. The debugger can
now be used to debug errors that occur in handlers."
Full Story (comments: none)
Version 1.5.3 of bbla, the Big Brother Log Analyzer for web servers, has
been announced.
"1.5.3 is a revision which includes several bug fixes, and improvements to the installation procedure."
Comments (none posted)
Version 1.6.8 of Bricolage, a web site content management and publishing
system, has been released.
"This maintenance release addresses a few issues discovered
since the release of version 1.6.7."
Full Story (comments: none)
Version 1.7.1 of Bricolage-Devel is available.
"It gives me great pleasure to announce the release of
Bricolage-Devel 1.7.1,
the second development release for what will eventually become Bricolage
1.8.0. This version of the open-source content management system
addresses all of the bugs discovered since the release of the first
development release, 1.7.0."
Full Story (comments: none)
Version 0.4.1 of CLiki, a Common-Lisp based hypertext authoring program, is
out.
"This version has been updated
to work with recent Araneida and SBCL, improves documentation, changes
the CLIKI-INSTANCE class graph, supports multiple looks and feels,
provides cookie-based authentication, and more."
Full Story (comments: none)
Version 1.4.1 of Gallery, a web-based photo gallery system, has been
announced.
"1.4.1 contains lots of new features that will give Gallery owners dramatic new control over their Galleries. The most notic[e]able one is skins, which allow you to chose between nineteen different looks for your gallery - or develop (and share) your own! Other eagerly anticipated new features include voting, email updates and user self-registration. And there are now thirty-three language packs, available as separate downloads."
Comments (none posted)
Version 3.0.4 of Mod_python has been released; it works with Apache 2.0.
"This is a Beta release, therefore it is likely to contain bugs and is not of production quality. We strongly recommend that you try out your application in a test environment with this release and report any incompatibilities or problems you may encounter."
Comments (none posted)
Version 0.5.0 of Samizdat, an RDF-based engine for building collaboration
and open publishing web sites, is available.
"This
version introduces basic focus management, completing the minimal set of
features required for an open publishing part of the engine, and making
Samizdat ready for public beta testing. Other major changes in this
release include Pingback support, many user interface improvements,
another rewrite of multimedia upload, testing framework, and more."
Full Story (comments: none)
The ZopeMag Weekly News for November 27 through December 1, 2003 is
available with lots of information on the Zope web development platform.
Comments (none posted)
Desktop Applications
Desktop Environments
As reported on FootNotes, the GNOME 2.5.0 development release is out. This is, of course, just the beginning of this development cycle, so there is not much exciting new stuff yet. Quite a few new modules have been
proposed for inclusion, however.
Comments (none posted)
The release notes for GNOME 2.4.1 are available.
"As most of you have realized we did a silent 2.4.1 release some time
back. I just wanted to get the release notes out so that we have some
clue as to what changed between 2.4.0 and 2.4.1."
Comments (none posted)
This GNOME Summary for November 23-29, 2003 looks at the 2.5.0 release,
the latest GAIM release, a Dropline GNOME review, and much more.
Full Story (comments: none)
The November 28, 2003
KDE-CVS-Digest has been
announced.
"
In this week's CVS-Digest:
khtml regressions and font handling fixed.
amaroK, another media player, now has a resume feature, and can play streams.
Plus many bugfixes in all applications."
Comments (none posted)
Issue #69 of KDE Traffic
has been announced.
"
Topics include usability issues, Kafka progress, KDE apps in ECMAScript, importing KDevelop projects into KDE CVS and more."
Comments (none posted)
Electronics
Version 3.1.30 of XCircuit, an electronic schematic drawing
package,
is available. Change information is in the source code.
Comments (none posted)
Games
Version 0.3 of
Gweled,
a game that involves aligning gem icons on the screen,
has been announced.
"
Main features are the cool SVG graphics and
the smooth animations (for a board-game)."
Comments (none posted)
Graphics
Version 0.33 of Sodipodi, a vector drawing application,
has been announced.
"
This release incorporates lots of bugfixes and enhancements that have
accumulated over the past 6 month period."
Comments (none posted)
Interoperability
Version 0.29 of Mono, the open-source implementation of .Net,
is available. This release includes updated versions of Monodoc,
mod_mono, and more.
Comments (none posted)
Version 0.81 of MultiSync
has been announced.
"
MultiSync allows you to synchronize Evolution, mobile phones (IrMC, SyncML), Opie/Zaurus devices, PocketPC devices, Palm devices and LDAP directories. Palm and LDAP support is new with this release."
Comments (none posted)
The November 28, 2003 edition of
Wine Traffic is out with the latest Wine news.
Comments (none posted)
Multimedia
Version 0.7.2 of Gstreamer, a multimedia framework,
is out.
"
A new GStreamer development release is available sporting many improvements.
In addition to a host of bugfixes and infrastructure cleanup so does this
release introduce support for AAC and WMA in GStreamer."
Comments (none posted)
Music Applications
Josh Green is working on a new standard for compressing MIDI instrument
patch files, called FlacPak.
"
This format
uses FLAC (Free Lossless Audio Codec) and zlib to compress audio and
binary data respectively. By using FLAC for audio and exploiting other
characteristics of instrument files (stereo samples, differing bit
widths, etc) much better compression can be achieved than if just using
a binary compressor."
Full Story (comments: none)
Version 0.9.5 of Rosegarden 4, an audio and MIDI sequencer and score editor,
is available.
"
This release contains a host of new features and improvements
over the previous release, and is nearly feature complete for 1.0."
Full Story (comments: none)
Office Applications
Version 0.11 of Planner, a project management application, formerly called
MrProject,
has been released.
"
This release is mainly a bugfix release. If you have problem loading
files with MrProject 0.10, you should upgrade to this release."
Comments (none posted)
Office Suites
The OpenOffice.org Scripting Framework is now available.
"
The Scripting Framework will be a new feature in OpenOffice 2.0. It is
available in developer builds from 680_m15 onwards in order for the
community to evaluate the feature and give us useful feedback. Please
use this opportunity to tell us what you think."
Full Story (comments: none)
Science
Version 1.0rc1 of Thuban, a Python-based interactive geographic data viewer, is available.
Full Story (comments: none)
Web Browsers
MozillaZine
reports on a new Mozilla Firebird download manager.
"
The Downloads sidebar and progress windows have been replaced by a new combined Downloads window that lists all current and completed downloads."
Comments (none posted)
The November 25, 2003 edition of the Mozilla Links Newsletter
has been published. Take a look to see what's been happening in
the world of Mozilla.
Full Story (comments: none)
MozillaZine's
summary of the November 24, 2003 Mozilla.org staff meeting
minutes says:
"
Issues discussed include the website, Mozilla 1.5.1, Mozilla 1.6 Beta, Mozilla Thunderbird, localised language packs and builds on CD, points of contact for questions, CVS over SSH and relicensing."
Comments (none posted)
Word Processors
The December 1, 2003 edition of
This Program Lets You Write Letters Weekly News, formerly
known as the
AbiWord Weekly News, is out. Here's the summary:
"
Features are enhanced, screenshots are taken and the City of Largo likes to do things the hard way. Meantime, Nadav shows off a little OTS power, as Tomas creates a new commandline option for regular AbiWord users and he recently gives Iomega AD buildability to whomever wants it. Plusse, some final preparations for the soon-to-be-released 2.0.2! Also, due to some technical review of usability, AbiWord name changed."
Comments (none posted)
Miscellaneous
KDE.News
reports on version 1.30 of
Krusader.
"
Krusader, the old school file manager for KDE, now supports tabbed-browsing
in the 1.30 release. Each panel can create unlimited tabs, thereby keeping
the twin-panel look and feel while allowing you to keep local folders, ftp,
ssh open all at once."
Comments (none posted)
Languages and Tools
Caml
The Caml Weekly News for November 25 - December 2, 2003 is out with
the week's Caml language news.
Full Story (comments: none)
Java
Hetal C. Shah
writes about Java regular expression processing on O'Reilly.
"
JDK 1.4 supports regular expressions in the java.util.regex package. Use of this package and supporting classes makes string search and manipulation very easy. It helps reduce the development effort, and at the same time significantly improves the maintenance of code. Since classes in this package are a standard part of core Java, they don't have to be distributed separately, and can be assumed to be present."
Comments (1 posted)
Lisp
Steel Bank Common Lisp 0.8.6 has been released.
Full Story (comments: none)
Perl
Continuing a long standing holiday tradition, the 2003
Perl Advent Calendar
is online.
Comments (none posted)
The November 24-30, 2003 edition of
This Week on perl5-porters has been published.
"
A quiet week for the Perl 5 porters, but some threads are worth noting. Notably, I have now a reason to mention Leon Brocard in the summary without appealing to any running joke."
Comments (none posted)
PHP
The
PHP Weekly Summary for December 1, 2003 is out. Topics include:
PHP 5 compatibility, MySQL, Apache 2, GD image sharpening, stat() via streams.
Comments (none posted)
Python
The Python-dev Summary for October 16 through November 15, 2003 has
been published.
Full Story (comments: none)
The
Python Learning Foundation
has been revived, as reported on the
Daily Python-URL.
"
The newly rechristened Python Learning Foundation is a website dedicated to the assistance of people learning the Python programming language. Features include: daily lists of new and recent Python-related web articles, Sourceforge projects, and Vaults of Parnassus listings; daily postings of new and recent web articles, Sourceforge projects and etcetera for four additional categories, Zope, Jython, Tkinter, and wxPython, as well as historical listings of web articles on these subjects; links to 76 online tutorials about Python and Python-related subjects; more than 28 reviews of books about Python."
Comments (none posted)
GnomeDesktop.org
covers an effort by Mark Shuttleworth to start up a Python-based
scripting interface that is common across GNOME applications.
"
I'm prepared to fund Python scripting interfaces for OpenOffice,
Blender, AbiWord, Gnumeric and The GIMP.
I'd really like to see the development of common document object model
standards and terminology across OpenOffice, Abiword, Gnumeric, Sodipodi and
other Gnome applications. This would accelerate the learning curve of someone
who has already learned to script one app in Python, when they try to learn
to script another."
Comments (none posted)
The December 3, 2003 edition of Dr. Dobb's Python-URL!
is out. Take a look for the latest Python article links.
Full Story (comments: none)
XML
Nigel McFarlane
describes XML overlays in an article on informIT.
"
What do you do if XML information is split across several documents? The Mozilla platform has a neat solution to this problem. Documents written in Mozilla's XUL dialect of XML can be merged automatically into a single, final document using a system called overlays."
Comments (none posted)
John E. Simpson
explains
how to merge two XML source trees into one on the O'Reilly XML Q & A
column.
Comments (none posted)
Andrew Odewahn
explains his graph visualization system on O'Reilly.
"
For the past several months, I've been researching and developing a "graph visualization" system. That's the technical term for the burgeoning field of creating pretty pictures from relational data. To those of you not steeped in graph theory, "graph" in this context refers not to the familiar X-axis and Y-axis plots from high school algebra but instead to a set of "nodes" that may be connected by "edges" to indicate a relationship."
Comments (none posted)
Michael Fitzgerald has written
an introductory article on XSLT.
"
I know what you're up against. You've just inherited a new project at work that requires you to learn XSLT, but you don't have a clue where to start. If that's your problem, this article should give you a leg up over the wall. It will quickly cover five basics of XSLT found in the first chapter of Learning XSLT, O'Reilly's new hands-on guide to get you using XSLT with XPath by close of business today."
Comments (none posted)
Debuggers
Version 2.0 of Kodos, the Python regular expression debugger, is out.
New features include a replace capability, a match all tab,
code cleanup, and more.
Full Story (comments: none)
Editors
Version 3.2 BE 1 of Quanta, a web development tool for KDE,
has been announced.
"
Quanta 3.2 BE 1 features a number of new improvements including an "awesome new CSS editor", KFileReplace support, auto save and crash recovery, and much more."
Comments (none posted)
IDEs
Version 0.9.2b of SimTeEc, an Eclipse IDE plugin for generating source code
files from velocity templates,
has been announced.
"
The version 0.9.2b also offers a custom ant task for
generating files from velocity templates.
This feature is based upon the Texen tool from the velocity project."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The Economist has
an
article about Internet security. "
The issue boils down to the
question of how much anonymity society can tolerate on the
internet. Drivers' licences and registration plates dramatically reduce the
incidence of hit-and-run accidents. Crack cocaine is never bought by credit
card. If everybody on the internet were easily traceable, people would
think twice about hacking. 'I'm kind of a fan of eliminating
anonymity,' says Alan Nugent, the chief technologist at Novell, a
software company, 'if that is the price for security.'"
Comments (25 posted)
The Linux Journal has launched a new regular column on Linux Audio by Dave Phillips.
The first column looks at audio-oriented mailing lists.
"
As you can see, the discussions on LAU are focused on presenting and
resolving user-land problems with Linux audio applications. Message types
also include exclamations of joy/pain over available (or unavailable)
software, as well as general questions regarding kernel preparation and
distribution-specific issues."
Comments (none posted)
Trade Shows and Conferences
Doc Searls presents
part II and
part III of
Linus & the Lunatics on Linux Journal. Part 2 is a transcript of the
Q&A portion of Linus' talk on this year's Linux Lunacy cruise. In part 3,
Linus and friends hold a Q&A with the Victoria Linux Users Group in
Victoria, BC.
Comments (none posted)
Linux Journal
looks at Linux
Bangalore/2003, which starts December 2. "
Linux Bangalore/2003
continues to succeed because of its low cost model. Preregistered
delegates pay only Rs.300 (US $6.50) and walk-ins pay Rs.500 (US $11) for
access to all the talks and sub-events. The registration fee includes lunch
and snacks and a conference T-shirt. The event itself is funded entirely
through sponsorships and the sale of expo space."
Comments (none posted)
Companies
ZDNet
reports that Sun will not be joining the Eclipse consortium after all.
"
The failure of Sun and Eclipse to reach a collaborative arrangement effectively creates a split between two of the largest open-source tools projects in the industry."
Comments (4 posted)
Linux Adoption
asahi.com is running
a brief
article stating that NTT DoCoMo (a huge Japanese cellphone operator)
wants to standardize on Linux-based phones. "
The company is already
in talks with handset manufacturers to develop the system and aims to
market its first Linux-based cellphone - a third-generation (3G) model based
on its Foma platform - in the autumn of 2004."
Comments (none posted)
Legal
The Register
reports that "DVD Jon" Johansen is headed back to court in Norway, despite having been acquitted almost a year ago. "
Norway's special division for white-collar crimes, Økokrim, acting at the behest of Hollywood studios, appealed against this verdict. Økokrim is appealing against the 'application of the law and the presentation of evidence' during the original trial."
Comments (8 posted)
Interviews
News.com
talks with Martin Fink, HP's Linux VP. The conversation was dominated by HP's indemnification offer. "
There was an extensive amount of due diligence. We took an analysis of the risk profile and said we were willing to accept that risk on behalf of our customers. If you look at what some of the others did, IBM and Red Hat countersued. But from a customer's perspective, that didn't solve the problem. The indemnity solved a real problem today."
Comments (2 posted)
Resources
The EDRI-gram newsletter for December 3 is out; it looks at the worsening
situation with the draft intellectual property rights enforcement
directive, electronic voting in Ireland, biometric identification cards,
the Jon Johansen retrial, an attempt to block cryptographic cellphones in
the Netherlands, and several other topics.
Full Story (comments: none)
Linux Journal
presents a case
study in rapid Python development. "
Our rapid development
environment meant that changes had to be visible immediately to both the
developer and the customer representative. Coding sessions frequently would
involve work on a remote device during which time changes would be made and
feedback would be gathered. Use of a compiled language inhibited our
ability to prototype on a remote device, because it required maintaining a
build environment."
Comments (none posted)
Reviews
OSNews
reviews
GnomeMeeting, a video-conferencing application that comes with GNOME 2.4.
"
To start chatting you need to connect to a lookup directory (the
"server"). The default Gnomemeeting directory is ils.seconix.com and
searching for all users usually reveals between 90 and 180 visible members
online, depending on the time of the day (some users choose to be
hidden). You can engage on a video chat and if something goes wrong in the
connection (e.g. bad firewall setup preventing connection), there is always
the fail safe traditional text chat."
Comments (none posted)
eWeek
takes a
look at Sun's Java Desktop System. "
In eWeek Labs' tests of the
final build, we found Java Desktop System (formerly code-named Mad Hatter)
approachable and functional, with design tweaks to make the product match
more closely to Windows for the benefit of users unfamiliar with
Linux."
Comments (5 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Linux Standards Base has expired a number of
authorized indicators of compliance for the LSB Runtime Environment 1.3.
"
Results from these are no longer accepted for LSB
Certification".
Full Story (comments: none)
Mark Shuttleworth
will pay bounties to Mozilla developers for work on various projects.
"
I'm offering some bounties to Mozilla developers
that are looking for small projects to work on. All work to be given to the
Mozilla Foundation."
Comments (none posted)
The Open Source Development Labs (OSDL) has issued a
press release announcing a new initiative to raise awareness about how
the Linux kernel is developed. Hopefully this campaign will help
counteract FUD with facts.
Comments (15 posted)
Progeny has launched a new open source project site.
Full Story (comments: none)
Project UTF-8 has been announced with the goal of
evangelizing and
documenting proper Unicode support in free software.
See
the initial announcement on GnomeDesktop.org.
Comments (none posted)
Commercial announcements
The Lineox LIFF documentation project has been announced.
"
Lineox Inc, a company dedicated to Linux products, consulting and
education, has today released Lineox LIFF, which is a completely new
kind of documentation product. Lineox LIFF combines innovatively many
techniques to make it the best Linux documentation product in the market
today. The product can be downloaded as a CD-ROM image from
www.lineox.com and bought as a CD-R disk."
Full Story (comments: none)
Progeny has
announced the availability of support services for Red Hat Linux 7.2 and 7.3 (but, apparently, not for versions 8 or 9). For $5/month per machine, customers will get ongoing security updates after Red Hat ceases to produce them. Over the longer term, the program will help Red Hat Linux users transition to another (unspecified) distribution.
Comments (3 posted)
Red Hat has
announced a program which makes its Enterprise Linux services available to staff and students of educational institutions at a reduced price. Enterprise Linux WS subscriptions are available for $25/year, while Advanced Server subscriptions can be had for $50/year.
Comments (2 posted)
The Open Source Development Labs has sent out
a
press release proclaiming its latest member: Wind River, which sells
proprietary embedded systems tools and which has not always seen Linux as a
beneficial force. Wind River has also
announced
that it is joining the Eclipse Consortium.
Comments (6 posted)
New Books
A new introductory book called
Hello Linux! has been published.
"
"Although the Linux operating system has existed for several years, it is
now virtually exploding in popularity. We feel that if Linux is going to
give Microsoft a run for its money, it has to be much more accessible at
the introductory level," says Clyde Boom of Lancom Technologies, a veteran
publisher of computer books."
Full Story (comments: none)
The third edition of
UNIX Network Programming by Rich Stevens
has been published.
Full Story (comments: none)
Addison-Wesley & Prentice Hall PTR have released the book
Rapid Application Development With Mozilla by
Nigel McFarlane.
Full Story (comments: none)
Resources
The November 25, 2003 edition of the Linux Documentation Project Weekly News
is out with the latest new documentation. This edition includes a discussion
of free documentation license issues.
Full Story (comments: none)
Contests and Awards
MozillaZine
has announced that Mozilla Composer 1.5 won third place in the
CNET Builder.com Readers' Choice Awards.
"
Their commentary says: 'Mozilla's relatively high showing is
a bit of a surprise because, frankly, I never considered it to be a
development tool. Perhaps those members using Mozilla would like to share
with us what they like about it as a Web development tool.' Obviously they've
never heard of Venkman."
Comments (none posted)
Event Reports
KDE.News
covers KDE advocacy
in Chile. "
You might know me as the original author of Kopete, the
instant messenger for KDE. This week I have some news from Chile where
after having reclaimed the kde.cl domain and having organized the site with
the help of Matias Fernandez, hard work to promote KDE has begun. I was
invited to talk about open source at a very important business conference
organized by Entel -- perhaps the most important telecommunications company
of Chile."
Comments (none posted)
Upcoming Events
Registration has begun for the Pycon 2004 conference.
The event will be held at George Washington University in
Washington, DC from March 24-26, 2003.
Full Story (comments: none)
The
Linux.Conf.Au 2004
will host several FIXIT sessions; there is still room for more
sessions.
"
What's a FIXIT you ask? It's basically the same as a BoF, but with an
intended outcome; that is, hands-on group sessions where you can
contribute back to open source through discussions and problem solving."
Full Story (comments: none)
LogOn Technology Transfer GmbH has announced three series of
Briefings which will be held in Amsterdam, Zurich, and
Frankfurt during January, 2004.
The briefings include OMG (Integrating the Enterprise),
Open Source & Linux@work, and Security (Protect your Business).
Full Story (comments: none)
An update has been published for the Linux.Conf.Au 2004 conference,
take a look to see what's in store for attendees.
Full Story (comments: none)
USELINUX will be a one- (or possibly two-) day special interest track hosted as
part of the 2004 USENIX Annual Technical Conference in Boston (June 27
through July 2, 2004). The focus of USELINUX, as the name implies, will be
on showcasing ways in which creative members of the Linux community are
making use of Linux. Click below for more information.
Full Story (comments: none)
| Date | Event | Location |
| December 4, 2003 | Linux Bangalore/2003 | Bangalore, India |
| December 4, 2003 | IEEE International Conference on Cluster Computing (Cluster2003) | Sheraton Hong Kong Hotel & Towers, Kowloon, Hong Kong |
| December 9 - 13, 2003 | International Conference on Logic Programming (ICLP'03) | Mumbai (Bombay), India |
| January 12 - 13, 2004 | Linux.Conf.au Miniconfs | Adelaide, Australia |
| January 12 - 13, 2004 | EducationaLinux 2004 | Adelaide, Australia |
| January 14 - 17, 2004 | Linux.conf.au | Adelaide, Australia |
| January 20 - 23, 2004 | LinuxWorld Conference & Expo 2004 | Jacob K. Javits Convention Center, New York, New York |
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Alan Cox <alan-AT-lxorguk.ukuu.org.uk> |
| To: | editor-AT-lwn.net |
| Subject: | Will the real Linuxgazette please stand up |
| Date: | Tue, 02 Dec 2003 20:48:30 +0000 |
John Fisk founded Linux Gazette in 1995. He's not visibly part of either
side of the argument, which begs the question: who did he give it to?
Well, I had a dig both in the old copies I have and the email. In 1997
LGEI (the Italian translation) ran this interview, the contents of which
I've verified are untampered from my copies (and you can too using
archive.org).
Most importantly it says the following (again remember back in 1997
before the argument blew up):
------
Francesco: When and why did SSC decide to publish Linux Gazette in the
current version? Originally, LG was edited only as an extra-curricular
activity by John M. Fisk.
Margie: During the summer of 1996, John Fisk decided he no longer had
the time to keep Linux Gazette up in the fashion it deserved. LG had
become very popular, and readers were wanting it to come out on regular
monthly basis. Between school and work, John just didn't have time to do
this, so he put out feelers looking for someone to take it over. We
responded and he accepted us as the right people to continue LG.
------
Now I don't like what SSC have done to Linux Gazette but from the 1997
discussion the question of ownership seems not to be in dispute unless
John has anything to add.
Mike Orr and friends may be the writers and their site may be the true
progression of the original magazine but it doesn't seem to alter the
facts that SSC obtained LG from John in 1997.
Comments (3 posted)
| From: | dlang <dlang-AT-invendra.net> |
| To: | dlang-AT-invendra.net |
| Subject: | interesting security article |
| Date: | Tue, 2 Dec 2003 21:07:53 -0800 (PST) |
HTTP://www.asktog.com/columns/058SecurityD'ohlts.html
With the Debian server compromise fresh in mind I would like to go on a
minor rant about people's use of ssh.
All too frequently people use ssh and consider themselves completely secure
(as an example look at the comments on the latest story of the Debian
server compromise and how people are reacting to the password sniffing
with 'this isn't possible unless there is a hole in ssh')
Ssh does not ensure security.
Ssh doesn't even tell you who is connecting to your server.
That's right, ssh doesn't tell you who is connecting to your server, it
tells you who the remote machine wants to tell you is connecting to your
server. This is not the same thing.
Ssh can do three things.
1. Prevent people from sniffing/hijacking the communications session
2. Only allow connections from a machine that knows the secret ssh key
3. Only allow connections from specific IP addresses
However the only thing that it does to identify a user is to ask for a
normal password (if it's even configured to do that, frequently people say
that certificates are in use so they don't even need the password). Yes if
the remote host has the secret key configured to require a pass-phrase you
can assume that someone typed that in, but you have no idea if that person
is the person that you intend to grant access to your server to, or if
it's anyone else that has had access to the remote host. Anyone who has
root access on the remote host has the ability to sniff the pass-phrase and
to then use the certificate as that user.
No matter what encryption you use the prompt and pass-phrase need to be in
plain text by the time they get to the end-user, if you have access to the
raw keystrokes and screen IO you can capture it (and before you say that
that should be protected as well go read the proposals by Microsoft to try
and do exactly that for their trusted computing stuff, the implications
are scary and you still are vulnerable if there are bugs in the system)
The ssh, ssl, and tls algorithms all have ways to 'verify a user' based
on the certificate that they have, but this is only valid if you can trust
the remote machine.
Ssh is a valuable tool to use (the importance of preventing the
communications from being intercepted is pretty high) but it is far from
being the solution to all problems.
If you really care about who is accessing your systems you need to use
something that isn't vulnerable to a compromised remote host. You can't
prevent a compromised remote host from letting a legitimate user start a
session and then hijacking it, but you can make sure that once that
session is terminated the remote attacker cannot get back in to your
server.
In many cases it may be actually safer to use telnet with good user
authentication than to use ssh with poor user authentication.
As surprising as this statement is all that it takes to make it true is
for the probability that you are logging in from a compromised host be
higher than the probability that there is a person in the middle waiting to
hijack your session (this is assuming that the actual text of the session
is not valuable so that someone who looks over a transcript of it 5
minutes later doesn't gain anything).
How do you do this?
It's simple, Challenge-response authentication of some sort.
There are a lot of tools out there to do this, but the basic approach is
to have the server send some challenge and the user compute some response
and send it back. The person who has compromised the remote server can
gather this information, but it's useless to them unless the server issues
the same challenge again.
This challenge may or may not be explicitly shown to the user.
One example would be a one-time password sheet, the user knows to use the
next one on the list and crosses it out, the server doesn't need to say
'use password 63'.
Another would be sKey tokens, they have a clock in them that's synced to
the server and have a different password every minute so the 'challenge'
half of this is the time.
As one example where there is an explicit challenge there is the snk-004
protocol implemented in software and in hardware tokens sold by passgo in
their defender hand-held token. When using this the server sends a random
number to the user who types it into a token which DES encrypts the
number, displaying it to the user who types it in as the password.
Another option that is becoming possible is to use a smart-card to do this
for you so that you can skip the steps of having to type the challenge and
response into equipment. For it to be secure you still have the
challenge-response going on under the covers. In some cases the smart
cards implement certificate authentication which would seem to put them
back in the same risk as the remote servers, but since the smart-card is
not used for anything else the probability of it being compromised is MUCH
lower.
Which option you choose to use doesn't matter much (they all have
advantages and disadvantages) the important thing is to use one of them
and to keep the entire security picture in mind as you are doing your
planning.
One thing to note is that biometric identification devices (fingerprint
scanners, etc) do not always meet these criteria. If you have an eye
scanner that is just a camera and a bunch of software then this is not
safe as an attacker can capture the output of the camera and feed it back
to the program at a later time when it thinks it's reading from the
camera. You need to have your biometric reader actually participate in the
authentication like a smart card. It must also be self-contained. Even
depending on data files on the system's hard drive (to store fingerprints
to compare against for example) puts you at risk because an attacker
could shuffle the files around so that their fingerprint becomes the valid
one for every user.
David Lang
Comments (11 posted)
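As an added example (not part of David Lang's letter), here is a constructed simulation of the argument above: a keylogger on a compromised client records what the legitimate user types, and a captured static password replays against the server while a captured challenge response or one-time-password sheet entry does not. The token's response function is HMAC-SHA256, an assumption standing in for the DES step of the hardware token the letter describes; the user name, secrets and sheet entries are all constructed.

```python
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: str) -> str:
    """Response the user's token shows for a challenge. HMAC-SHA256 is an
    assumption standing in for the DES step of the hardware token described."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:16]


class CompromisedClient:
    """The letter's attacker with root on the remote host: every string the
    legitimate user types there is recorded for later replay."""

    def __init__(self):
        self.captured = []

    def user_types(self, text: str) -> str:
        self.captured.append(text)
        return text


class StaticPasswordServer:
    """Ordinary password login: the same string is accepted every time."""

    def __init__(self, passwords: dict):
        self.passwords = passwords  # user -> password (constructed)

    def login(self, user: str, typed: str) -> bool:
        return hmac.compare_digest(self.passwords.get(user, ""), typed)


class ChallengeResponseServer:
    """Explicit challenge-response: a fresh random challenge per attempt,
    consumed whether or not the login succeeds, never reissued."""

    def __init__(self, token_secrets: dict):
        self.token_secrets = token_secrets  # user -> token secret (constructed)
        self.pending = {}

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(8)
        return self.pending[user]

    def login(self, user: str, typed: str) -> bool:
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.token_secrets:
            return False
        expected = token_response(self.token_secrets[user], nonce)
        return hmac.compare_digest(expected, typed)


class OneTimePasswordSheetServer:
    """Printed one-time password list: the implicit challenge is 'use the
    next entry', and a used entry is crossed out on the server side too."""

    def __init__(self, sheets: dict):
        self.sheets = {u: [hashlib.sha256(p.encode()).hexdigest() for p in lst]
                       for u, lst in sheets.items()}
        self.next_index = {u: 0 for u in sheets}

    def login(self, user: str, typed: str) -> bool:
        i = self.next_index.get(user)
        if i is None or i >= len(self.sheets[user]):
            return False
        ok = hmac.compare_digest(self.sheets[user][i],
                                 hashlib.sha256(typed.encode()).hexdigest())
        if ok:
            self.next_index[user] = i + 1
        return ok


def static_password_scenario():
    """(legitimate login ok, attacker replay ok) -> (True, True)"""
    server = StaticPasswordServer({"alice": "correct-horse"})
    client = CompromisedClient()
    legit = server.login("alice", client.user_types("correct-horse"))
    replay = server.login("alice", client.captured[-1])
    return legit, replay


def challenge_response_scenario():
    """Attacker saw the challenge on screen and the typed response, but the
    server issues a different challenge next time -> (True, False)"""
    secret = secrets.token_bytes(16)
    server = ChallengeResponseServer({"alice": secret})
    client = CompromisedClient()
    nonce = server.challenge("alice")
    legit = server.login("alice", client.user_types(token_response(secret, nonce)))
    server.challenge("alice")  # attacker's own attempt gets a fresh nonce
    replay = server.login("alice", client.captured[-1])
    return legit, replay


def otp_sheet_scenario():
    """The captured sheet entry is already crossed out when replayed -> (True, False)"""
    server = OneTimePasswordSheetServer({"alice": ["otp-61", "otp-62", "otp-63"]})
    client = CompromisedClient()
    legit = server.login("alice", client.user_types("otp-61"))
    replay = server.login("alice", client.captured[-1])
    return legit, replay
```

Each scenario returns (legitimate login succeeded, captured credential replayed successfully); as the letter says, none of this stops an attacker who hijacks the session while it is open, only the return trip afterwards.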
| From: | Przemek Klosowski <przemek-AT-tux.org> |
| To: | letters-AT-lwn.net |
| Subject: | SCO's medieval tendencies |
| Date: | Mon, 1 Dec 2003 00:57:49 -0500 |
Slashdot published recently more info on SCO communications related
to their Linux lawsuit. I wanted to share some thoughts with you on that.
I always maintained that there is an analogy between the software
technology and scientific knowledge. Just like science is the basis
for our civilization, software underlies the expanding digital sphere
of our lives. The development model of both science and software can vary
between proprietary and public, and the society has to make a policy choice
about supporting the right mix.
Even though scientific and technological knowledge started as
proprietary, we as society made a historical choice, dating back to
the age of Enlightenment, to develop knowledge in a collegial, public
fashion. This model, of course, works rather well, and no one
seriously argues that it should be rolled back to some kind of
proprietary science development.
Similarly, I argue that software, whose importance tracks the growing
influence of computing on our lives, must be developed in a public
model; the Free Software is currently the closest approach, which
eventually will be augmented by some sort of peer-reviewed public
commitment, just as is the case for scientific research.
The analogy of software and science is not perfect; but I argue that,
firstly, the negative effects of closed software are almost identical
to negative effects of closed knowledge: it forces duplicate work,
creates artificial monopolies, and slows down progress. Secondly,
because software _IS_ the infrastructure of the digital age, there is
the issue of public interest, and the development model must
accommodate that.
In this context, the strategy of SCO in their Linux lawsuit is
especially retrograde. Their position, as laid out in their
recently issued letters
http://sco.tuxrocks.com/Docs/IBM/Doc-41-I.pdf
seems to counter the very idea of a public stake in technical
knowledge. It occurred to me to modify their argument, substituting
'human knowledge' for 'software'. Here's what we'd get:
As you may know, the development process for public scientific
knowledge has differed substantially from the development process
for other enterprise scientific research. Commercial research is
built by carefully selected and screened teams of scientists
working to build proprietary scientific results. The process is
designed to monitor the security and ownership of intellectual
property rights associated with the knowledge.
By contrast, much of human scientific knowledge has been built
from contributions by numerous unrelated and unknown scientists,
each contributing a small scientific discovery. There is no
mechanism inherent in the public science development process to
assure that intellectual property rights, confidentiality or
security are protected. The public science process does not
prevent inclusion of knowledge that has been stolen outright, or
developed by improper use of proprietary methods and concepts.
Put this way, their argument is nonsensical, and would find no support
in anyone even a tiny bit familiar with the scientific process, which
arguably forms the basis of our civilization.
Przemek Klosowski, Ph.D. <przemek@tux.org>
Comments (none posted)
Page editor: Jonathan Corbet