Two of the Democratic candidates for president have announced open source
efforts to help their campaigns. Howard Dean's campaign has launched
DeanSpace, a software package for
running websites for Dean supporters. Wesley Clark's campaign recently
announced
the creation of Clark's
TechCorps, which is supposed to
provide "a framework for involving open source software developers in the
Clark campaign."
Since both campaigns are boasting their use of open source, we decided we
should get in touch with the Clark and Dean campaigns to see where they
stand on open source and related issues. The high-profile usage of open
source by the Dean and Clark campaigns may have given the open source
community the impression that 2004 might be "the year" that open source and
tech issues will become a high profile issue in election-year debates. It
might also cause people to get the impression that both candidates are
staunch supporters of open source usage.
Unfortunately, that doesn't seem to be the case. We managed to get in touch
with representatives from both campaigns, to find out if their use of open
source would translate into advocating open source in government and saner
technology policies. We also wanted to get a lead on their
positions on other issues, such as software patents and the Digital
Millennium Copyright Act (DMCA). Due to the rigors of the campaign trail,
neither candidate was personally available for questions.
We first spoke with Josh Lerner, who is the director of technology for the
Clark campaign. Lerner said that they have "no bias in favor of, for or
against any particular model, we can't afford to be religious about it."
Lerner said that the Clark campaign had decided to use open source out of
"expedience."
We didn't have the time to do a lot of evaluation of software, you go with
what works. The OS and tools and all that stuff just works for the most
part... we are [also] using proprietary software where it makes sense.
According to Lerner, Clark is "putting together a bunch of heavy-weight
technology people" to form a policy on technology use in government. At
this time, however, Clark has not yet put forth an official policy on tech
issues and it may be some time before any policies are forthcoming. We also
asked Lerner if he thought that these issues would play a big part in the
upcoming election. He said that he thought it might be an issue, and that
"people in the campaign are talking about it. Not everything makes it out
the door."
Unfortunately, we were unable to schedule a phone interview with anyone
from the Dean campaign. However, we did manage to track down Zephyr
Teachout, the director of Internet Organizing & Outreach for the Dean
campaign via e-mail. We asked why the campaign had chosen open source
software for DeanSpace, whether
cost was a factor or if proprietary software wasn't up to the task.
Cost is only one of the factors in our use of open-source software. We
also greatly value the reliability and security that is inherent in mature
open-source software. Additionally, using open-source allows us to focus
our resources more effectively. Recently, we launched an official Dean web
site for every state. Rather than building all of the site functionality
from scratch, we chose to build on top of DeanSpace (an open-source tool
developed by our grassroots supporters for creating Dean-related community
websites). DeanSpace itself was built on top of the open-source Drupal
community system. This is just one example of how open-source software has
allowed us to focus our energy on getting Howard Dean elected.
Not everyone is a fan of the use of open source by the campaigns. Dave
Winer had some harsh words
for both campaigns, which elicited a response from Jim Moore --
the Director of Internet and Information Services for the Dean campaign:
At Dean for America, it is our policy to purchase software rather than to
make it, and to work with vendors large and small to help them be
successful while also pursuing our own success as a grassroots-powered
presidential campaign. We strongly support small businesses for a variety
of reasons, including that they are the major contributors to employment
growth in our nation.
...Like most enterprises we prefer to buy software and services, but
sometimes must make our own. The make/buy decision can be tough. In many
cases, vendors do not provide solutions that integrate the features that
campaigns need, and companies may not see campaigns as a particularly
attractive market. In such cases we sometimes need to make internal changes
to existing software and services or develop our own. This is particularly
the case in a campaign like ours that is innovating in grassroots
philosophy and the use of information and communication technology.
We asked the Dean campaign about Moore's response, and asked if they had a
position on the use of open source in government.
We do not have a position on open-source in government.
Within our campaign, we use a mix of open-source and commercial software.
Often, we work with commercial vendors when deploying open-source tools.
We recently put our main website into the open-source Bricolage content
management system, but did so with the assistance of Kineticode, a vendor
that supports this open-source product. Our primary goal is to focus our
human and financial resources on winning the Democratic nomination and the
election next November. Sometimes this goal is best accomplished by buying
a commercial product, often it means deploying open-source, and other times
it means developing tools in-house.
We also asked if the Dean campaign had a position on the DMCA or digital
rights, and got this response:
Issues of intellectual property are very important to a knowledge-based
society. Ultimately we are going to need to find a solution that both
encourages innovation and protects consumers from out-of-control corporate
tactics.
Finally, since open source development is based on collaboration, we asked
both campaigns if there was any cross-pollination between DeanSpace and
TechCorps. At the moment, it would appear not. Neither campaign was aware
of any collaboration between the two efforts. Lerner did say that his group
is "hoping we can get some of these other independent efforts to join
up, and we'll announce it as it happens." He also said that he wants
to see TechCorps continue, even past Clark's campaign. "Our stuff is
out there and it's going to stay out there... as a separate issue, we want
the TechCorps site to live on and be self-sustaining."
Comments (34 posted)
Linux.Conf.AU (LCA) is the down-under
implementation of the classic Linux
developers' conference pattern. This conference takes an interesting
approach in that it is organized by a different group of people, in a
different city, every year. Linux Australia helps to ensure the
continuity of the operation, and Rusty Russell, organizer of the first
Linux.Conf.AU, maintains an influential presence. But the real work falls
to a new set of volunteers each year. That organization ensures a steady
supply of organizers with fresh energy, and gives each event a distinct
feel.
The 2004 Linux.Conf.AU landed in Adelaide (2005 will be in Canberra; the rumor mill says that New Zealand is being considered for 2006). The
conference facility, provided by the University of Adelaide, is beautiful,
even if they won't let the attendees play with the gorgeous pipe organ in
Elder Hall.
Attendance, at just over 500 people, is the highest yet for this event.
Just as significantly from the organizers' point of view, it seems, a dozen
journalists have signed up to attend this year. Much of the media interest
was due to the "open source in government" mini-conference held before LCA
proper. But the simple fact is that Australia is a country with a large
and increasing interest in Linux and free software.
As conference organizer Michael Davies stated in his opening remarks, the
real purpose of LCA is to have fun. Sure, there is a whole series of
technical talks, hacking sessions, etc. But the events that attendees are
really looking forward to include the "dunk the speakers" tank (with
non-speaker Linus as the guest of honor), the water gun wars,
and the IBM-sponsored "penguin dinner." What other conference would hand
out a ticket for four free ice creams? LCA does, indeed, look like fun.
LWN editor Jonathan Corbet is privileged to be here at LCA, thanks to some generous support from HP.
The conference is just getting started as the LWN Weekly
Edition deadline hits, so there is not (yet) much opportunity for
substantial reporting. That will come later; stay tuned.
Comments (2 posted)
Novell has been fairly busy on the Linux front the last few days. The
company wrapped up its
acquisition of SUSE Linux and
announced an indemnification
program for its enterprise Linux customers on Tuesday. The company has also
released its
correspondence with the SCO group from May 12, 2003 to January 7, 2004
concerning SCO's suit against IBM and other issues related to the suit.
For the most part, it would seem to be business as usual for SUSE. Novell spokesperson Bruce Lowry said that there are no changes afoot, at this time, for SUSE's product line as a result of the acquisition. Though some have expressed concern about SUSE's commitment to KDE now that Novell owns both SUSE and Ximian, Lowry said that there are no plans to cease the inclusion of KDE in SUSE's Linux distribution or SUSE's work on KDE.
We're about empowering choice, not eliminating it...it's something that we will be looking at, but our DNA would say that we want to continue to support choice. Both are great desktop solutions. We'll just have to evaluate how we want to proceed in the coming months.
Apparently, Novell has decided it needs to go ahead with an indemnification plan to reassure its customers. The plan does not apply to all SUSE Linux customers. Instead, it covers customers who are using SUSE Enterprise Linux Server 8 and obtain "upgrade protection" from Novell and a technical support contract from Novell or a SUSE channel partner. According to this article, the indemnification is capped at 1.25 times the purchase price, or $1.5 million. It is interesting to note that Novell's indemnification plan announced this week covers claims of copyright infringement only, not patent suits. Since many have speculated that patent suits will be the next legal hurdle for Linux, Novell customers may not receive quite as much joy from the indemnification program as they might have hoped.
Naturally, SCO CEO Darl McBride couldn't resist commenting on Novell's indemnification plan:
We believe Novell's indemnification announcement is significant for a couple of reasons. By announcing the program they are acknowledging the problems with Linux. Through the restrictions and the limitations on the program, they are showing their unwillingness to bet very much on their position.
Lowry said that Novell's indemnification is not "to protect people from SCO, it's to give software buyers the same level of comfort" that they receive when purchasing proprietary software. Lowry said that Novell has no plans to contribute to the Open Source Development Labs' (OSDL) legal fund, though they are a member of OSDL, since they are offering their own indemnification plan.
Novell also released 31 pieces of correspondence between Novell and the SCO Group concerning Novell's contractual and ownership rights over UNIX. The filings are, to say the least, interesting reading. (LWN readers can find many of the letters in plain text format in this Groklaw posting.) Much of the correspondence is one-way, with no response from SCO on several issues raised by Novell.
After it was made public that Novell was planning to acquire SUSE, McBride said in a conference call that they would "take measures to enforce the noncompete agreement with Novell. I don't know that it will turn into a lawsuit. That depends upon how they respond, and if they put a competitive product in the marketplace."
One of the pieces of correspondence to SCO from Novell is a letter dated November 19, 2003, taking issue with McBride's claims that the acquisition would violate any non-compete provisions, and noting that SCO has not raised the issue directly with Novell. There is no response from SCO regarding that letter in the correspondence released by Novell. Despite a number of public threats of legal action made by SCO, and threats contained in SCO's correspondence with Novell, Lowry said that no legal filings had taken place in either direction at this time.
One concern that Linux users and companies might have is that, if Novell does have claim to the UNIX copyrights and other intellectual property, Novell could someday cause the same kinds of legal troubles that SCO has. Lowry said that he acknowledges that is a theoretical possibility, but notes that Novell has done nothing to indicate that it would want to harm Linux. "Novell has shown with its words and actions that it is 100 percent committed to promote Linux, not impede it."
At the moment, Novell's acquisition of SUSE appears to be a good thing for SUSE and the Linux community as a whole. Novell appears to have taken a mostly "hands-off" approach with Ximian, and may be prepared to do the same with SUSE. Novell's position in the industry is also likely to open doors for Linux that might not have been open otherwise.
Comments (3 posted)
January 14, 2004
By Pamela Jones, Editor of Groklaw
[Editor's note: This article may seem similar to the previous article,
however we believe it adds further clarification to the SCO/Novell
dispute.]
There is a new front in the SCO wars, or more accurately a newly revealed
front. The new player, stage front and center, is Novell. Some of SCO's
otherwise puzzling decisions in the last nine months have become more
comprehensible, now that Novell's behind-the-scenes role has come to light.
It turns out that Novell strongly challenged SCO each step of the
way, based on contractual rights Novell says it retained in its 1995
deal with the Santa Cruz Organization (now Tarantella), which
subsequently sold certain Unix assets to Caldera, which is now the SCO
Group. SCO denies Novell retained those rights. Nevertheless, its
decision not to go forward with mailing invoices in the fall and not to
sue SGI, or file copyright infringement claims against IBM may be at
least in part influenced by Novell's claims.
Some now expect legal action between the two companies, if only
because Novell's asserted rights, should they prove solid, could pull the
rug out from under SCO's lawsuit against IBM and prevent any copyright
infringement action against Linux end users.
Everything came to light this week when Novell announced it had
completed its SuSE acquisition and said
that it will offer enterprise SuSE customers indemnification, covering
legal fees and damage awards up to $1.5 million or 125% of a customer's
contract with Novell. It also put up on its web site
its increasingly cold correspondence with SCO, going back to May of 2003,
when SCO sent it a Letter
to Linux Customers. There is a connection between the correspondence
and the indemnification. The foundation of Novell's confidence in offering
indemnification is found in the legal analysis it sets forth in the
correspondence.
Jack Messman, CEO of Novell, says
the company is in a unique position and is able to indemnify customers
because it retained the copyright to Unix in that 1995 deal and also has a
contractual right to license Unix to its customers. In October, when SCO
said it was about to send invoices to Linux users, Novell reminded
them of the "Technology
License Agreement", which it says gives Novell the license to not only
use the "licensed technology" but also to "authorize its customers to use,
reproduce and modify" it and to sublicense and distribute same "in source
and binary form". Further, Novell points to section II.B., under which
restrictions on Novell cease to exist in the event of a change of control
of SCO; Novell says the agreements define Santa Cruz's sale of the assets it
got from Novell to Caldera as such an event.
If you were wondering why SCO didn't sue SGI, an October
7 letter and another letter,
dated October 10, shed some light. Novell first directed SCO "to waive
any purported right SCO may claim to terminate SGI's SVRX license" and to
"waive any purported right SCO may claim to require SGI to treat SGI Code
itself as subject to the confidentiality obligations or use restrictions
of SGI's SVRX license", saying that Section 2.01 of the license
specifically states that "ATT-IS claims no ownership interest in any
portion of such a modification or derivative work that is not part of a
SOFTWARE PRODUCT." SCO failed to waive as directed, so on October 10,
Novell waived all SCO's purported rights to terminate SGI's license.
Novell flexed its muscles, based on its interpretation of the 1995
Asset
Purchase Agreement, the Technology
License Agreement, and Amendment
2, to the APA. On that basis, Novell in its June
9, 2003 letter says SCO has no right to unilaterally terminate IBM's
SVRX Licenses and that it is inappropriate for SCO to make such threats.
Amendment No. X granted IBM the "irrevocable, fully paid-up, perpetual
rights". It eventually waived
SCO's "termination" of IBM's license.
Additionally, as the annoyance level rose on both sides, each
claiming the other was harming its business, hints of legal action
began to appear. Aspects to their contract that Novell had apparently
let slide for years, such as their right to audit SCO's collection of
royalties for Novell, are now scrupulously being required by Novell.
They began an audit
of SCO in August, something that had not happened since 1998, for example.
Novell also demanded
SCO supply copies of the source and binary code for all versions of UNIX
and UnixWare under SCO's control.
More significantly, Novell demanded
copies of the Microsoft and Sun licenses with SCO and asked SCO to
explain why SCO thinks the Asset Purchase Agreement allows them to do
this. Novell demanded it cease "all such negotiations and other
communications with licensees concerning any such transaction without
Novell's prior written consent and continued participation". After they
address any "violation of the Asset Purchase Agreement", there will be the
matter of "royalties and other amounts owed to Novell based on the
above-mentioned license agreements" to discuss. Insofar as the demand
concerns licensees of SVRX, Novell believes SCO has no right to proceed
without Novell's approval, and it reminds SCO of Novell's 95% interest in
revenues from preexisting SVRX licenses.
In turn, SCO has put up some documents on its web site. In the
letter of June 11, SCO writes that it "acquired all of Novell's
right, title and interest: (a) to the AT&T Software and Sublicensing
Agreements, including the AT&T/IBM Software Agreement, and (b) to all
claims against any parties. SCO therefore acquired all right, title and
interest to enforce the Software and Sublicensing Agreements against
IBM, without answering to Novell."
Not so, Novell
replies. Novell retained certain rights "critical to protecting the
interests that Novell retained as part of the Asset Purchase Agreement
(including its interests in royalty payments and the contractual
commitments Novell made in return for royalty payments)." SCO acquired
certain assets from Novell but acquired those assets subject to certain
rights of Novell. "You can't have one without the other," Novell asserts.
"We don't agree with your interpretation of our contracts," SCO writes
back. It appears to them, it says, that Novell "is acting in concert
with IBM to destroy the value of SCO UNIX and UnixWare intellectual
property acquired from Novell in the Asset Purchase Agreement."
SCO's copyrights in Unix are now in dispute. Novell lists all of
its registered copyrights on its web site. What we now learn is that
they have been in dispute consistently from day one. In a letter
dated August 4, Novell writes to Darl McBride, SCO CEO, that according to
their agreements, copyrights were not to be transferred to Santa Cruz
Operation unless SCO could demonstrate that such a right was required.
They never did that and they don't need copyrights, Novell says, "in
order to exercise the limited rights granted SCO" and so unless or until
SCO demonstrates such a need, all copyrights remain with Novell. Of
course, SCO disagrees with Novell on this utterly.
Finally, Novell
on SCO's behalf "waives any purported right SCO may claim to require IBM
to treat IBM Code, that is code developed by IBM, or licensed by IBM from
a third party, which IBM incorporated in AIX but which itself does not
contain proprietary UNIX code supplied by AT&T under the license
agreements between AT&T and IBM, itself as subject to the confidentiality
obligations or use restrictions of the Agreements."
SCO's position regarding Novell's waivers on behalf of SGI and IBM? In
an October
13 letter: "Novell is without authority to make such a waiver and thus
it is of no force and effect."
So now you know the rest of the
Novell-SCO story.
Comments (8 posted)
Page editor: Rebecca Sobol
Security
Brief items
Sometimes it is worthwhile to step back and look at a condensed picture of
the Linux and free software security situation. To that end, we have
thrashed up our security database and produced a big table listing the
vulnerabilities exposed in 2003 and the alerts issued by several major
distributors in response. We turned up over 300 vulnerabilities which
resulted in over 1200 security alerts. In other words, 2003 was a busy
year.
Glancing through the table, one sees that certain packages are responsible
for relatively large numbers of vulnerabilities; these include apache (6
vulnerabilities), ethereal (6), glibc (5), KDE (6), the kernel (6),
and sendmail (5). The kernel wins the prize for the most security alerts,
having been responsible for 47 of them - almost 4% of the total. The full
picture, however, shows a vast number of security problems afflicting a
wide range of packages. The security of our free operating system has some
ground to cover yet before it will be something we can be truly proud of.
Here's the first part of the table:
Those are all of the packages beginning with "A". The full table, in all
its browser-straining glory, can be found on
this page.
Comments (3 posted)
New vulnerabilities
inn: vulnerability in INN 2.4.0
Package(s): inn
CVE #(s): none listed
Created: January 8, 2004
Updated: January 15, 2004
Description:
A buffer overflow has been discovered in a portion of the control message handling code introduced in INN 2.4.0. It is fairly likely that this overflow could be remotely exploited to gain access to the user innd runs as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is affected. See this advisory for more details.
Alerts:
Comments (none posted)
mod-auth-shadow: password expiration
Package(s): mod-auth-shadow
CVE #(s): CAN-2004-0041
Created: January 12, 2004
Updated: January 14, 2004
Description:
David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system shadow password database, where the expiration status of the user's account and password were not enforced. This vulnerability would allow an otherwise authorized user to successfully authenticate, when the attempt should be rejected due to the expiration parameters.
Alerts:
Comments (none posted)
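As an added illustration of the check that mod-auth-shadow was missing (example code written for this article, not the module's own code), the following C program parses shadow(5) records and applies the account and password expiry rules before an authentication attempt is accepted. The record strings, the `$1$abc$hash` placeholder hashes and the fixed day count 12429 (12 January 2004) are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The shadow(5) fields that decide whether a login must be refused.
 * A value of -1 means the field was empty in the record. */
struct shadow_fields {
    long lastchg;   /* day of last password change (days since 1970-01-01) */
    long max;       /* maximum number of days the password stays valid */
    long expire;    /* day on which the account itself is disabled */
};

enum auth_status {
    AUTH_OK,
    AUTH_ACCOUNT_EXPIRED,
    AUTH_PASSWORD_EXPIRED,
    AUTH_MUST_CHANGE_PASSWORD,
    AUTH_MALFORMED_RECORD
};

static long field_value(const char *s)
{
    return *s ? strtol(s, NULL, 10) : -1;
}

/* Split "name:hash:lastchg:min:max:warn:inactive:expire:flag" on ':'.
 * Empty fields are preserved, which strtok() would silently merge. */
int parse_shadow_record(const char *line, struct shadow_fields *out)
{
    char buf[512];
    const char *field[9];
    int n = 1;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    field[0] = buf;
    for (char *p = buf; *p != '\0' && n < 9; p++) {
        if (*p == ':') {
            *p = '\0';
            field[n++] = p + 1;
        }
    }
    if (n != 9)
        return -1;                  /* not a complete shadow record */
    out->lastchg = field_value(field[2]);
    out->max     = field_value(field[4]);
    out->expire  = field_value(field[7]);
    return 0;
}

/* Apply the same expiry rules login(1) applies, for the day count "today".
 * An HTTP authentication module has no way to let the user change the
 * password, so "must change at next login" is treated as a rejection too. */
enum auth_status check_expiry(const struct shadow_fields *f, long today)
{
    /* Account expiry is absolute: unusable from that day on. */
    if (f->expire >= 0 && today >= f->expire)
        return AUTH_ACCOUNT_EXPIRED;
    /* lastchg == 0 means the password must be changed before any login. */
    if (f->lastchg == 0)
        return AUTH_MUST_CHANGE_PASSWORD;
    /* Password ageing: valid for at most "max" days after the last change. */
    if (f->max >= 0 && f->lastchg > 0 && today >= f->lastchg + f->max)
        return AUTH_PASSWORD_EXPIRED;
    return AUTH_OK;
}

enum auth_status check_shadow_record(const char *line, long today)
{
    struct shadow_fields f;

    if (parse_shadow_record(line, &f) != 0)
        return AUTH_MALFORMED_RECORD;
    return check_expiry(&f, today);
}

/* Day count to pass for a real check (the unit shadow(5) uses). */
long today_in_days(void)
{
    return (long)(time(NULL) / 86400);
}

int main(void)
{
    /* Constructed sample records, evaluated on day 12429 (2004-01-12). */
    static const char *samples[] = {
        "alice:$1$abc$hash:12400:0:99999:7:::",       /* fine */
        "bob:$1$abc$hash:12000:0:90:7:::",            /* password older than 90 days */
        "carol:$1$abc$hash:12400:0:99999:7::12000:",  /* account expired */
        "dave:$1$abc$hash:0:0:99999:7:::",            /* must change password */
    };
    static const char *names[] = {
        "ok", "account expired", "password expired",
        "must change password", "malformed record"
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               names[check_shadow_record(samples[i], 12429)]);
    return 0;
}
```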
phpgroupware: missing filename sanitizing, SQL injection
Package(s): phpgroupware
CVE #(s): CAN-2004-0016, CAN-2004-0017
Created: January 9, 2004
Updated: January 14, 2004
Description:
The authors of phpgroupware, a web based groupware system written in PHP, discovered several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following problems:
CAN-2004-0016: In the "calendar" module, "save extension" was not enforced for holiday files. As a result, server-side php scripts may be placed in directories that then could be accessed remotely and cause the webserver to execute those. This was resolved by enforcing the extension ".txt" for holiday files.
CAN-2004-0017: Some SQL injection problems (non-escaping of values used in SQL strings) in the "calendar" and "infolog" modules.
Alerts:
Comments (none posted)
vbox3: privilege leak
Package(s): vbox3
CVE #(s): CAN-2004-0015
Created: January 8, 2004
Updated: January 14, 2004
Description:
A bug was discovered in vbox3, a voice response system for isdn4linux, whereby root privileges were not properly relinquished before executing a user-supplied tcl script. By exploiting this vulnerability, a local user could gain root privileges.
Alerts:
Comments (none posted)
Updated vulnerabilities
jitterbug: improperly sanitized input
Package(s): jitterbug
CVE #(s): CAN-2004-0028
Created: January 12, 2004
Updated: January 14, 2004
Description:
Steve Kemp discovered a security related problem in jitterbug, a simple CGI based bug tracking and reporting tool. Program executions may use improperly sanitized input, which allows an attacker to execute arbitrary commands on the server hosting the bug database. As mitigating factors, these attacks are only available to non-guest users, and accounts for these users must be set up by the administrator, making them "trusted".
Alerts:
Comments (none posted)
apache: buffer overflows in mod_alias, mod_rewrite
Package(s): apache
CVE #(s): CAN-2003-0542, CAN-2003-0789
Created: October 28, 2003
Updated: February 13, 2004
Description:
André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver (CAN-2003-0542). These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf).
Another buffer overflow in Apache 2.0.47 and earlier, in mod_cgid's mishandling of CGI redirect paths, could result in CGI output going to the wrong client when a threaded MPM is used (CAN-2003-0789).
Alerts:
Comments (none posted)
apache2: Denial of Service vulnerability
Package(s): apache2
CVE #(s): none listed
Created: September 29, 2003
Updated: March 25, 2004
Description:
A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Comments (none posted)
bind: cache poisoning
Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description:
A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
Comments (none posted)
CUPS: denial of service
Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description:
Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Comments (none posted)
cvs: possible root compromise
Package(s): cvs
CVE #(s): CAN-2003-0977
Created: December 29, 2003
Updated: February 13, 2004
Description:
Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Comments (none posted)
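The vbox3 entry above and this CVS entry come down to the same defensive rule: give up root completely, and verify that you did, before anything user-controlled runs. The C code below is an added example, not code from either project; `tclsh` and the script path are hypothetical stand-ins for whatever interpreter and input the application hands over, and the target uid/gid are assumed to come from the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid and verify the drop cannot be undone.
 * Order matters: supplementary groups and the primary gid can only be
 * changed while still root, so they go first; setuid() goes last.
 * Returns 0 on success, -1 (errno set) if any step fails or is incomplete. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Discard inherited supplementary groups (root's, typically). */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify rather than assume: real and effective ids must now match. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we were meant to lose root, regaining it must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run an interpreter on a user-supplied script with that user's identity.
 * Returns the child's exit status, or -1 if it could not be started. */
int run_script_as_user(const char *script, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop first, exec second; never the other way round. */
        if (drop_privileges_to(uid, gid) != 0) {
            perror("drop_privileges_to");
            _exit(127);
        }
        execlp("tclsh", "tclsh", script, (char *)NULL);
        perror("execlp");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s script uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    if (uid == 0) {
        fprintf(stderr, "refusing to run a user script as root\n");
        return 2;
    }
    int rc = run_script_as_user(argv[1], uid, gid);
    printf("script exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```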
ethereal: protocol dissector and other vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2003-0925, CAN-2003-0926, CAN-2003-0927, CAN-2003-1012, CAN-2003-1013
Created: December 19, 2003
Updated: February 13, 2004
Description:
Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Comments (none posted)
fetchmail may crash on specially crafted message
Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 17, 2003
Updated: April 8, 2004
Description:
A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Comments (none posted)
fileutils/wu-ftpd: denial of service
Package(s): fileutils
CVE #(s): CAN-2003-0854
Created: October 22, 2003
Updated: March 2, 2004
Description:
There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Comments (none posted)
fsp: buffer overflow and directory traversal
Package(s): fsp
CVE #(s): CAN-2003-1022, CAN-2004-0011
Created: January 7, 2004
Updated: January 7, 2004
Description:
fsp suffers from both a buffer overflow vulnerability (which can be exploited to run arbitrary code) and a directory traversal problem.
Alerts:
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).
Alerts:
Comments (none posted)
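The CERT description above pins the glibc bug on parsing with the buffer's capacity instead of the number of bytes received. The C example below is added here and is not glibc's resolver code: it walks a DNS response bounded by the received length and, using a constructed 45-byte response placed in a 512-byte receive buffer, shows how the capacity-bounded call "finds" a phantom record in the stale bytes while the length-bounded call reports truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Skip one (possibly compressed) domain name starting at *off, checking
 * every byte against resplen, the number of bytes actually received,
 * never against the capacity of the receive buffer. Returns 0 or -1. */
static int skip_name(const unsigned char *buf, size_t resplen, size_t *off)
{
    size_t pos = *off;

    for (;;) {
        if (pos >= resplen)
            return -1;                      /* label length byte missing */
        unsigned len = buf[pos];
        if (len == 0) {                     /* root label ends the name */
            pos += 1;
            break;
        }
        if ((len & 0xC0) == 0xC0) {         /* 2-byte compression pointer */
            if (pos + 1 >= resplen)
                return -1;
            size_t target = ((len & 0x3F) << 8) | buf[pos + 1];
            if (target >= pos)              /* pointers must point backwards */
                return -1;
            pos += 2;
            break;
        }
        if (len > 63)
            return -1;                      /* reserved label type */
        pos += 1 + len;
    }
    *off = pos;
    return 0;
}

/* Count the answer records in a response of resplen bytes, refusing any
 * record that does not lie entirely inside the received data.
 * Returns the count, or -1 if the message is malformed or truncated. */
int dns_count_answers(const unsigned char *buf, size_t resplen)
{
    if (resplen < 12)
        return -1;                          /* shorter than the header */
    unsigned qdcount = (buf[4] << 8) | buf[5];
    unsigned ancount = (buf[6] << 8) | buf[7];
    size_t off = 12;

    for (unsigned i = 0; i < qdcount; i++) {
        if (skip_name(buf, resplen, &off) != 0)
            return -1;
        if (off + 4 > resplen)              /* QTYPE + QCLASS */
            return -1;
        off += 4;
    }
    int answers = 0;
    for (unsigned i = 0; i < ancount; i++) {
        if (skip_name(buf, resplen, &off) != 0)
            return -1;
        if (off + 10 > resplen)             /* TYPE, CLASS, TTL, RDLENGTH */
            return -1;
        size_t rdlen = (buf[off + 8] << 8) | buf[off + 9];
        off += 10;
        if (off + rdlen > resplen)          /* RDATA must be inside the message */
            return -1;
        off += rdlen;
        answers++;
    }
    return answers;
}

/* Constructed sample: a 45-byte response to an A query for example.com,
 * with one answer whose name is a compression pointer back to the question. */
#define SAMPLE_LEN 45
static const unsigned char sample_response[SAMPLE_LEN] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    93, 184, 216, 34,
};

/* Put the sample in a 512-byte receive buffer (the classic resolver size),
 * overwrite the header's answer count, and parse with the length the caller
 * believes the response has. Passing 45 is what a correct resolver does;
 * passing 512, the buffer capacity, reproduces the bug class described. */
int count_answers_with_length(unsigned ancount_in_header, size_t believed_len)
{
    unsigned char buf[512];

    memset(buf, 0, sizeof buf);             /* stand-in for stale bytes */
    memcpy(buf, sample_response, SAMPLE_LEN);
    buf[6] = (unsigned char)(ancount_in_header >> 8);
    buf[7] = (unsigned char)(ancount_in_header & 0xFF);
    if (believed_len > sizeof buf)
        return -1;
    return dns_count_answers(buf, believed_len);
}

int main(void)
{
    printf("honest header, received length : %d\n",
           count_answers_with_length(1, SAMPLE_LEN));
    printf("header claims 2, received length: %d (truncation detected)\n",
           count_answers_with_length(2, SAMPLE_LEN));
    printf("header claims 2, buffer capacity: %d (phantom record from stale bytes)\n",
           count_answers_with_length(2, 512));
    return 0;
}
```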
GnuPG: ElGamal signing keys compromised
Package(s): gnupg
CVE #(s): CAN-2003-0971
Created: November 28, 2003
Updated: March 3, 2004
Description:
A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Comments (3 posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Alerts:
Comments (none posted)
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description:
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Comments (none posted)
jabber: denial of service
Package(s): jabber
CVE #(s): CAN-2004-0013
Created: January 7, 2004
Updated: January 26, 2004
Description:
A vulnerability was discovered in jabber, an instant messaging server,
whereby a bug in the handling of SSL connections could cause the
server process to crash, resulting in a denial of service.
Alerts:
Comments (1 posted)
kernel: two vulnerabilities in 2.4.23
Package(s): kernel
CVE #(s): CAN-2003-0984, CAN-2003-0985
Created: January 5, 2004
Updated: January 19, 2004
Description:
Paul Starzetz discovered a flaw in bounds checking in mremap() in Linux
kernel versions 2.4.23 and previous which may allow a local attacker to
gain root privileges. No exploit is currently available; however, it is
believed that this issue is exploitable (although not trivially). The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2003-0985 to this issue. There is also a minor information leak in the
real time clock (rtc) routines. The Common Vulnerabilities and Exposures
project has assigned the name CAN-2003-0984 to this issue. See this advisory for
more information.
Alerts:
Comments (1 posted)
kernel: local root exploit in 2.4.22
Package(s): kernel
CVE #(s): CAN-2003-0961
Created: December 1, 2003
Updated: April 5, 2004
Description:
A vulnerability was discovered in Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.
Alerts:
Comments (1 posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in the kernel-utils packages shipped with Red Hat Linux
8.0 was incorrectly installed setuid root. This could allow local users to
control certain network interfaces, add and remove arp entries and routes,
and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to the fixed packages,
which contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
Alerts:
Comments (none posted)
lftp: buffer overflows
Package(s): lftp
CVE #(s): CAN-2003-0963
Created: December 15, 2003
Updated: February 13, 2004
Description:
According to this advisory, versions of lftp prior to 2.6.10 are
vulnerable to two exploitable buffer overflow problems. Both occur when
you connect to a web server with lftp using HTTP or HTTPS, and then use
lftp's "ls" or "rels" commands on specially prepared directories on the
web server.
Alerts:
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly, which causes a buffer overrun
beyond the beginning of the row buffer.
Alerts:
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Alerts:
Comments (none posted)
mpg123: heap overflow
Package(s): mpg123
CVE #(s): CAN-2003-0865
Created: November 12, 2003
Updated: February 19, 2004
Description:
Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
Package(s): mplayer
CVE #(s): CAN-2003-0835
Created: September 29, 2003
Updated: April 6, 2004
Description:
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
Alerts:
Comments (none posted)
nd: buffer overflows
Package(s): nd
CVE #(s): CAN-2004-0014
Created: January 6, 2004
Updated: January 7, 2004
Description:
Multiple vulnerabilities were discovered in nd, a command-line WebDAV
interface, whereby long strings received from the remote server could
overflow fixed-length buffers. This vulnerability could be exploited
by a remote attacker in control of a malicious WebDAV server to
execute arbitrary code if the server was accessed by a vulnerable
version of nd.
Alerts:
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none assigned)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user into running a specially crafted NASL script. Read the full
advisory for additional information.
Alerts:
Comments (none posted)
Net-SNMP: security bugs in versions before 5.0.9
Package(s): Net-SNMP
CVE #(s): CAN-2003-0935
Created: December 2, 2003
Updated: February 13, 2004
Description:
The Net-SNMP project includes various Simple Network Management Protocol
(SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could
allow an existing user/community to gain access to data in MIB objects that
were explicitly excluded from their view.
Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition,
Net-SNMP 5.0.9 fixes a number of other minor bugs.
Alerts:
Comments (none posted)
nfs-utils: xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux nfs-utils package contains a remotely exploitable off-by-one
bug in xlog(). A local or remote attacker could exploit this vulnerability
by sending a specially crafted request to the rpc.mountd daemon. See this
BugTraq post for more details.
Alerts:
Comments (none posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Comments (none posted)
rsync: remotely exploitable heap overflow
Package(s): rsync
CVE #(s): CAN-2003-0962
Created: December 4, 2003
Updated: March 3, 2004
Description:
An advisory has gone out warning of a remotely exploitable heap overflow
vulnerability in rsync versions 2.5.6 and prior. If you are running an
rsync server, you will want to apply a distributor patch or upgrade to
2.5.7 in the near future.
Alerts:
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
The use Perl; site has a description of a vulnerability in the Safe.pm
Perl module. It seems that if a Safe compartment is used more than once,
it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Comments (none posted)
sane-backends: several vulnerabilities
Package(s): sane-backends
CVE #(s): CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778
Created: September 11, 2003
Updated: February 20, 2004
Description:
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segmentation fault and/or consume arbitrary
amounts of memory. The attack succeeds even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the
code, so connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory, so random memory "after" the wire
buffer is read, which will be followed by a segmentation fault.
- CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available, either malloc fails (and saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this cannot easily be fixed, according to the author.
Better to limit the total amount of memory saned may use (ulimit).
Alerts:
Comments (none posted)
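The three memory-related items above share one bug shape: a length read from the wire is trusted even when the read that delivered it failed, and nothing caps what a remote peer can make the daemon allocate. The bounded reader below is an added illustration written for this page, not saned's code. The "wire" is a constructed in-memory buffer standing in for the socket, a short read models the peer dropping the connection, and `wire_read`, `read_string`, the status codes and the 4096-byte cap are the example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not saned's code: a bounded reader for length-prefixed
 * strings (4-byte big-endian length, then the body).  The unsafe shape
 * it replaces is  read_u32(&len); s = malloc(len); read(s, len);  which
 * uses `len` even when the read that should have filled it failed. */
struct wire { const uint8_t *buf; size_t len; size_t pos; };

enum { STR_OK = 0, STR_DROPPED = -1, STR_TOO_BIG = -2, STR_NOMEM = -3 };

/* Pull n bytes off the wire; a short read means the peer went away. */
static int wire_read(struct wire *w, void *out, size_t n)
{
    if (w->len - w->pos < n)
        return STR_DROPPED;
    memcpy(out, w->buf + w->pos, n);
    w->pos += n;
    return STR_OK;
}

/* On success *out is a NUL-terminated malloc'd string.  On any failure
 * *out is NULL and nothing is leaked.  `max` caps the allocation a
 * remote peer can force. */
static int read_string(struct wire *w, char **out, uint32_t max)
{
    uint8_t hdr[4];
    uint32_t n;
    char *s;
    int rc;

    *out = NULL;
    if ((rc = wire_read(w, hdr, sizeof hdr)) != STR_OK)
        return rc;                       /* length never arrived: do not malloc */
    n = (uint32_t)hdr[0] << 24 | (uint32_t)hdr[1] << 16 | (uint32_t)hdr[2] << 8 | hdr[3];
    if (n > max)
        return STR_TOO_BIG;              /* refuse before allocating anything */
    if ((s = malloc((size_t)n + 1)) == NULL)
        return STR_NOMEM;
    if ((rc = wire_read(w, s, n)) != STR_OK) {
        free(s);                         /* dropped mid-body: release and report */
        return rc;
    }
    s[n] = '\0';
    *out = s;
    return STR_OK;
}

/* Parse one constructed message; a successfully read string is compared
 * with `expect` and freed. */
static int parse_msg(const uint8_t *msg, size_t len, const char *expect)
{
    struct wire w = { msg, len, 0 };
    char *s;
    int rc = read_string(&w, &s, 4096);

    if (rc == STR_OK) {
        int same = strcmp(s, expect) == 0;
        free(s);
        return same ? STR_OK : -99;
    }
    return rc;
}

/* Constructed wire samples: a good string, a connection dropped inside
 * the length, an absurd length, and a connection dropped inside the body. */
static const uint8_t msg_good[]       = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t msg_short_hdr[]  = { 0, 0 };
static const uint8_t msg_huge[]       = { 0xff, 0xff, 0xff, 0xff };
static const uint8_t msg_short_body[] = { 0, 0, 0, 5, 'h', 'i' };

static int check_good(void)       { return parse_msg(msg_good, sizeof msg_good, "hello"); }
static int check_short_hdr(void)  { return parse_msg(msg_short_hdr, sizeof msg_short_hdr, ""); }
static int check_huge(void)       { return parse_msg(msg_huge, sizeof msg_huge, ""); }
static int check_short_body(void) { return parse_msg(msg_short_body, sizeof msg_short_body, ""); }
```

The order of the checks is the point: the length is validated before it is allocated, the allocation is bounded regardless of what the peer claims, and a body that never finishes arriving releases the buffer rather than leaving a partially filled one to be read past. The ulimit advice in the advisory is still worth following as a backstop, since it bounds the total the process can hold across many connections.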
screen: privilege escalation
Package(s): screen
CVE #(s): CAN-2003-0972
Created: November 28, 2003
Updated: March 3, 2004
Description:
According to this advisory, a buffer overflow in GNU screen allows privilege
escalation for local users. Usually screen is installed either setgid-utmp
or setuid-root.
It also has some potential for remote attacks or getting control of another
user's screen. The problem is that you have to transfer around 2-3 gigabytes
of data to the user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and
older versions are vulnerable.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
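The check an extractor needs is easy to state and easy to get subtly wrong: refuse absolute names and any ".." path component wherever it appears, since "foo/../../etc/passwd" escapes the extraction directory just as "../etc/passwd" does, while "..foo" and "foo/..bar" are harmless. The function below is an added example, not GNU tar's or unzip's code; the member names are a constructed listing, and `archive_name_is_safe` and `sample_unsafe` are names chosen for the example. It does not cover symlink members that point outside the tree, which is a separate check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not tar's or unzip's code.  A member name is unsafe if
 * it is empty, absolute, or has a ".." component anywhere.  Components
 * are split on '/', so "a//b" yields an empty component, which is fine. */
static bool archive_name_is_safe(const char *name)
{
    const char *p = name;

    if (p == NULL || *p == '\0' || *p == '/')
        return false;                      /* empty or absolute */

    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                  /* ".." component: would escape */
        if (slash == NULL)
            return true;                   /* last component checked */
        p = slash + 1;
    }
}

/* Constructed member list standing in for a hostile archive. */
static const char *const sample_members[] = {
    "etc/motd",                              /* fine: relative, no ".." */
    "../etc/passwd",                         /* the classic */
    "foo/../../root/.ssh/authorized_keys",   /* ".." buried mid-path */
    "/etc/shadow",                           /* absolute */
    "foo/..bar/baz",                         /* looks like "..", is not */
    "./docs/README",                         /* "." component is harmless */
};
static const int sample_count = sizeof sample_members / sizeof sample_members[0];

/* How many members an extractor applying the check would refuse. */
static int sample_unsafe(void)
{
    int unsafe = 0;
    for (int i = 0; i < sample_count; i++)
        if (!archive_name_is_safe(sample_members[i]))
            unsafe++;
    return unsafe;
}
```

Three of the six constructed names are refused. Checking only for a leading "../", or stripping it and continuing, is the shape of mistake these advisories are about; the check has to look at every component.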
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none listed)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts:
Comments (none posted)
vim: modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description:
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that, when it is opened,
arbitrary commands are executed.
Alerts:
Comments (4 posted)
xsok: bad privilege handling
Package(s): xsok
CVE #(s): CAN-2003-0949
Created: January 7, 2004
Updated: January 7, 2004
Description:
Steve Kemp discovered a problem in xsok, a single player strategy game
for X11 related to the Sokoban game, which allows a user to execute
arbitrary commands with the GID of games.
Alerts:
Comments (none posted)
zebra: denial of service vulnerability
Package(s): zebra
CVE #(s): CAN-2003-0795, CAN-2003-0858
Created: November 13, 2003
Updated: January 7, 2004
Description:
Zebra is an open source implementation of TCP/IP routing software.
Jonny Robertson reported that Zebra can be remotely crashed if a Zebra
password has been enabled and a remote attacker can connect to the Zebra
telnet management port. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0795 to this issue.
Herbert Xu reported that Zebra can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine. This could
lead to a local denial of service attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to
this issue.
Alerts:
Comments (none posted)
Resources
The LinuxSecurity.com Linux Advisory Watch for January 9, 2004 is out, with
a look at some recent security vulnerabilities.
Full Story (comments: none)
The LinuxSecurity.com Linux Security Week for January 12, 2004 is out.
"
This week, perhaps the most interesting articles include "Syscheck:
a new OS file integrity checker," "Book Review: The Effective Incident
Response Team," and "Managing the Network Security Challenge.""
Full Story (comments: none)
Page editor: Rebecca Sobol
Kernel development
Brief items
The current 2.6 kernel is 2.6.1, which was
released on January 8. The contents of
this kernel are pretty much as described last week: a whole lot of fixes
along with a few new features (MSI support, EFI support, a couple of
internal API changes, etc.). See
the
long-format changelog for the details.
The latest patch from Andrew Morton, as of this writing, is 2.6.1-mm3. Recent additions to the -mm tree
include some anticipatory I/O scheduler work ("This is the 114th
patch against the anticipatory scheduler and we're nearly finished,
honest"), improved CPU scheduler support for hyperthreaded
processors, working modular IDE drivers, a number of big architecture
updates, some SELinux updates, several NFS fixes, an ALSA update, the
kthread abstraction (discussed here last
week), and many other fixes and updates.
The current 2.4 kernel is 2.4.24; Marcelo has released no 2.4.25
prepatches since 2.4.25-pre4 on
January 6.
Comments (none posted)
Kernel development news
This week's Kernel Page is a little thin as a result of its normal editor being in Australia to attend Linux.Conf.AU. There are limits to the sort of kernel content that can be written over a conference wireless link while simultaneously making a show of listening to whoever is speaking. This page will be back to its normal form next week.
Comments (none posted)
The read-copy-update (RCU) algorithm has found many applications since it
was added to the 2.5 kernel. By eliminating lock contention in many
situations, RCU can greatly improve performance and scalability on
multiprocessor systems. For more information on how RCU works, see
this description or
this Driver Porting Series
article. Or talk to the SCO Group, which claims to own any code which
ever even dreamed of using RCU.
It turns out, however, that there is one little problem with RCU - its
effect on interrupt response times. RCU works by setting aside cleanup
work until a later time, when it is known that the data structures of
interest have no further references in the kernel. That cleanup work is
done with a software interrupt, meaning it can happen after a hardware
interrupt or at rescheduling time. But the list of RCU-protected data to
be cleaned up can get quite long; it is used, for example, in high-turnover
data structures like the dentry cache. So that software interrupt can,
potentially, take a long time to run. The RCU cleanup code, in other
words, can monopolize a processor for a relatively long period at just the
times when a high-priority process might be trying to run.
Dipankar Sarma has taken a look at the
situation and found that processing RCU callbacks can, in some
situations, take as much as 400 microseconds or so. That may not seem like
a lot of time, but it can be enough to significantly increase response
latencies. So he has sent out a set of patches which address the problem.
In modern-day kernel programming, it sometimes seems like there is a
standard answer to every problem: create a new kernel thread. Dipankar's
patch does exactly that; it adds a new per-CPU "krcud" thread which handles
RCU cleanup whenever the list of callbacks gets to be too long. Short
callback lists are still dealt with at software interrupt time, since that
is a faster way of doing things. But, if the list is too long (256
entries, by default) and, in particular, if there is a real-time process
waiting to run, the tail end of the list is delegated over to krcud and
control is returned to the scheduler.
Dipankar reports good results in his tests, with overall system latencies
of less than 400 microseconds. He's not pushing this patch for inclusion
yet; it needs more testing first. But, if things pan out, a
faster-responding 2.6 kernel may result in the near future.
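To make the delegation policy concrete, here is a userspace model of it, added for this page rather than taken from Dipankar's patch: callbacks sit on a per-CPU list, a "softirq" function runs up to 256 of them, and if more remain while a real-time task is waiting, the tail is spliced onto a "krcud" list that a second function drains. The struct and function names, and treating "a real-time task is waiting" as a flag passed in by the caller, are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model of the delegation policy; an added illustration, not
 * the patch.  The real code runs in the RCU softirq and wakes a per-CPU
 * kernel thread; here both sides are plain functions. */
struct rcu_head {
    struct rcu_head *next;
    void (*func)(struct rcu_head *);
};

struct rcu_cpu {
    struct rcu_head *donelist;    /* callbacks whose grace period has ended */
    struct rcu_head *krcud_list;  /* callbacks handed off to the krcud thread */
    long maxbatch;                /* inline limit; the patch's default is 256 */
};

/* Run callbacks from *list, at most `limit` of them (0 = no limit).
 * Returns how many ran. */
static long rcu_do_batch(struct rcu_head **list, long limit)
{
    long n = 0;
    while (*list && (limit == 0 || n < limit)) {
        struct rcu_head *h = *list;
        *list = h->next;
        h->func(h);
        n++;
    }
    return n;
}

/* Softirq path.  Short lists are finished here; a long list with a
 * real-time task waiting has its tail moved to the krcud list so the
 * softirq returns promptly.  Returns the number run inline. */
static long rcu_process_callbacks(struct rcu_cpu *cpu, bool rt_waiting)
{
    long ran = rcu_do_batch(&cpu->donelist, cpu->maxbatch);

    if (cpu->donelist == NULL)
        return ran;
    if (!rt_waiting)                      /* nobody waiting: finish inline */
        return ran + rcu_do_batch(&cpu->donelist, 0);

    struct rcu_head **tail = &cpu->krcud_list;
    while (*tail)
        tail = &(*tail)->next;
    *tail = cpu->donelist;                /* delegate the remainder */
    cpu->donelist = NULL;
    return ran;
}

/* Body of the krcud thread: drain whatever was delegated. */
static long krcud_run(struct rcu_cpu *cpu)
{
    return rcu_do_batch(&cpu->krcud_list, 0);
}

/* Demo: queue n dentry-style free callbacks, run one softirq pass, then
 * one krcud pass.  Returns the inline count; *delegated gets the number
 * krcud ran.  freed_total lets a caller confirm nothing was lost. */
static long freed_total;
static void free_cb(struct rcu_head *h) { (void)h; freed_total++; }

static long simulate(long n, bool rt_waiting, long *delegated)
{
    struct rcu_cpu cpu = { NULL, NULL, 256 };
    struct rcu_head *heads = calloc((size_t)n, sizeof *heads);
    long ran;

    *delegated = 0;
    if (heads == NULL)
        return -1;
    freed_total = 0;
    for (long i = 0; i < n; i++) {
        heads[i].func = free_cb;
        heads[i].next = (i + 1 < n) ? &heads[i + 1] : NULL;
    }
    cpu.donelist = heads;
    ran = rcu_process_callbacks(&cpu, rt_waiting);
    *delegated = krcud_run(&cpu);
    free(heads);
    return ran;
}

static long inline_count(long n, bool rt_waiting)
{ long d; return simulate(n, rt_waiting, &d); }
static long delegated_count(long n, bool rt_waiting)
{ long d; simulate(n, rt_waiting, &d); return d; }
```

With 1000 queued callbacks and a real-time task waiting, the softirq runs 256 and hands 744 to krcud; with nobody waiting it runs all 1000 inline, which is the cheaper path the article describes. Either way every callback runs exactly once, which is the property any such split must preserve.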
Comments (8 posted)
Log messages from the kernel can often be an indispensable aid in tracking
down problems or generally figuring out what is going on inside the
system. As most system administrators find out sooner or later, however,
kernel logging can also become a problem in its own right. If a situation
develops which causes the kernel to continually spew out logging
information, disks can fill up and log messages can be lost. What can be
worse, however, is when log messages sent to the console cause the kernel
to spend all of its time just scrolling the console frame buffer. In this case,
the system can become completely unresponsive.
The logging code already tries to mitigate this problem by detecting and
suppressing streams of identical messages. That simple mechanism breaks
down, however, when the messages being logged differ from each other.
As a way of improving the situation, Anton Blanchard has put together a new
rate limiting scheme which has found its way into the -mm patch tree. This
code, which is derived from a rate limiting mechanism used in the
networking subsystem, does not automatically solve the problem, since it
requires explicit changes to code which could generate message floods.
Such code is often easy to identify, however, and easy to fix.
The patch adds a new function:
int printk_ratelimit(void);
Code which could generate lots of messages should call
printk_ratelimit() and only call printk() if the return
value is nonzero. Thus, printk_ratelimit() returns a failure
status if rate limiting is currently in effect and printk() output
should be avoided.
By default, the code limits messages to one every five seconds. It will,
however, allow ten messages through in a short period before the rate
limiting clamps down on the rest. These values are, of course, tuneable via
sysctl parameters.
A mechanism like this is only useful if it is used throughout the code.
Core kernel code can be fixed up relatively easily; the patch includes a
fix for the page allocator, for example. The source of message floods,
however, is often a driver which wants to be sure that its "my device has
joined the Dark Side" messages are heard. Fixing all of those is a
daunting task, but even a partial solution leaves the kernel less
susceptible to this particular problem than before.
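The limiter is a token bucket, and its two defaults interact in a way that is worth seeing run. The program below is an added userspace model, not the -mm patch: `ratelimit_allow` plays the role of printk_ratelimit(), time is passed in as seconds rather than read from jiffies, `report` shows the calling pattern the patch asks driver authors to adopt, and `simulate_flood` stands in for a device flooding the log. Field and function names are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the token-bucket limiter described above: one
 * message per `interval` seconds sustained, with a burst of `burst`
 * messages before the limiter clamps down.  An added illustration, not
 * the kernel patch; deterministic because the caller supplies the time. */
struct ratelimit {
    long interval;  /* seconds of credit one message costs (kernel default: 5) */
    long burst;     /* messages allowed back to back (kernel default: 10) */
    long toks;      /* credit in seconds, capped at interval * burst */
    long last;      /* time of the previous call */
    long missed;    /* messages suppressed since the last one allowed */
};

static void ratelimit_init(struct ratelimit *rl, long interval, long burst, long now)
{
    rl->interval = interval;
    rl->burst = burst;
    rl->toks = interval * burst;   /* start with a full bucket */
    rl->last = now;
    rl->missed = 0;
}

/* Stand-in for printk_ratelimit(): true means "go ahead and print". */
static bool ratelimit_allow(struct ratelimit *rl, long now)
{
    long cap = rl->interval * rl->burst;

    rl->toks += now - rl->last;    /* one second of credit per elapsed second */
    rl->last = now;
    if (rl->toks > cap)
        rl->toks = cap;

    if (rl->toks >= rl->interval) {
        rl->toks -= rl->interval;  /* each message spends one interval of credit */
        if (rl->missed) {          /* say once how much was dropped */
            fprintf(stderr, "ratelimit: %ld messages suppressed\n", rl->missed);
            rl->missed = 0;
        }
        return true;
    }
    rl->missed++;
    return false;
}

/* The calling pattern the patch asks for: check first, then printk. */
static bool report(struct ratelimit *rl, long now, const char *msg)
{
    if (!ratelimit_allow(rl, now))
        return false;
    fprintf(stderr, "%s\n", msg);
    return true;
}

/* Simulate a device complaining `per_sec` times every second for
 * `seconds` seconds with the kernel defaults; returns how many
 * messages would reach the log. */
static long simulate_flood(long per_sec, long seconds)
{
    struct ratelimit rl;
    long allowed = 0;

    ratelimit_init(&rl, 5, 10, 0);
    for (long t = 0; t < seconds; t++)
        for (long i = 0; i < per_sec; i++)
            if (report(&rl, t, "eth0: my device has joined the Dark Side"))
                allowed++;
    return allowed;
}
```

With the defaults, a device complaining a hundred times a second for a minute gets 21 lines into the log: ten at once, then one every five seconds, each preceded by a count of what was suppressed in between. A well-behaved device logging once a second for ten seconds loses nothing, which is why the burst allowance matters: the limiter is meant to be invisible until something goes wrong.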
Comments (6 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Janitorial
Memory management
Architecture-specific
Miscellaneous
Page editor: Forrest Cook
Distributions
News and Editorials
According to this development schedule, Fedora Core 2 will enter a period
of feature freeze next week, which should be followed by its first beta
release on February 2. The two main new features of the product will be
the Linux 2.6 kernel and SELinux functionality. The capabilities of the new
kernel have been extensively documented, and we also mentioned some of the
more prominent ones in last week's coverage of the pre-beta release of
Mandrake Linux 10.0, but what exactly is "SELinux functionality"? And how
will it affect the users of Fedora Core?
First, some background on Security-Enhanced Linux, or SELinux for short. Developed by the US
National Security Agency, Security-enhanced Linux is a research prototype of
the Linux kernel with enhanced security. It contains new architectural
components, which provide support for enforcement of mandatory access control
policies that confine user programs to the minimum amount of privilege they
require to do their jobs. In other words, users running SELinux can define
explicit rules about what subjects (users and programs) can access which
objects (files and devices). It can be thought of as an internal firewall
with the ability to separate programs, thus ensuring a high level of security
within the operating system. SELinux is distributed under GPL.
Support for mandatory access control has been incorporated into the 2.6
kernel series through the Linux Security Modules (LSM) framework. This is
perhaps one of the less glamorous aspects of the new kernel, interesting
mainly to security experts and system administrators running
mission-critical servers. Yet it is one of the most fundamental and
far-reaching changes in the 2.6 kernel series, and it will have major
implications for the way Linux servers are run. Until now, every default
Linux kernel had a "superuser" with complete access to all files and
devices on the system. Access control decisions can now be delegated to a
security module: the traditional superuser model remains the default, but
administrators can choose a more restrictive module such as SELinux at boot
time, in which case certain programs and files will not be accessible even
to root. An attacker who succeeds in obtaining superuser privileges (as
happened on the recently compromised Debian machines) still cannot modify
the critical parts of the system unless the policy allows it; on an
SELinux system, "chmod 777" does not override a policy that denies access.
Unfortunately, the kernel itself only provides the means for mandatory access
control together with an example of how to create one's own access control
policies. It is up to Linux distributions to create and implement a system
that includes these controls and integrate them with the rest of the product.
It is obvious that Red Hat's main goal is to include these controls into a
future Red Hat Enterprise Linux release, but not before they are implemented
and well-tested on Fedora Core, starting with the upcoming Fedora Core 2.
This could be a major selling point of the company's enterprise line of
products; of the major distributions, only Debian and Gentoo, both of which
are non-commercial projects, have implemented SELinux functionality into
their respective distributions.
How does this access control mechanism work in practice? On a standard Linux
system not enhanced by SELinux, an attacker might get root privileges in
cases where a program or process running as root is compromised (through
buffer overflow or misconfiguration). If that happens, the attacker has
unlimited access to the entire system. The situation is different on a system
running SELinux with properly defined access control policies. If a program
or process running as root is compromised, the damage is limited to whatever
the process can access. Yes, trying to access files as root on an SELinux
system can return "permission denied"!
This is Red Hat's and Fedora's role in the process: to write access
control policies for applications and to provide ways for users to
customize those policies. The policies can get fairly complex, and a
thorough understanding of the SELinux Policy Document is essential for
effective use of the SELinux features. It will
be interesting to see Red Hat's implementation of these policies and we
will certainly revisit the subject once we've been through the first few
weeks of Fedora Core 2 beta testing. For those who'd like to start looking
into the subject straight away, this page provides an
excellent collection of SELinux-related links.
Comments (2 posted)
Distribution News
The
Debian Weekly News for January 13, 2004
is out. This week Taran Rampersad talks about GNU/Linux, usability,
freedom; packages.debian.org has been restored, even better than before; an
argument supporting non-free; and much more.
BugWatcher 0.22 is now available. It is a
graphical tool for viewing and editing bug reports. The package name is
debbuggtk and it should be available on a mirror near you.
DebianPlanet takes a
look at Planet Debian.
"A very cool site which has already made it into my daily reading
bookmark folder, and is tempting me to take up blogging too..."
Comments (none posted)
Fedora News Updates
#2 is out, with all the latest Fedora news.
This glibc update fixes lots of bugs in the
regular expression matcher and speeds it up. It fixes a couple of other
bugs as well.
Dave Jones has made a patched 2.4.22 kernel
available, with EXT2/3 fixes from 2.4.25pre and some 2.4.23pre patches.
This php update includes the latest stable
release of PHP 4 with a large number of bug fixes since the previous 4.3.3
release.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of January 12, 2004 is out. This
issue announces the winners of the 2003 Gentoo Bug Hunt and much more.
Full Story (comments: none)
The first issue of the
Mandrake Linux News
Digest, dated January 12, 2004, is out with a look at MandrakeMove,
Mandrake Linux for AMD64, Mandrake 10.0 Pre-Beta, and more.
A kdebase-servicemenu update is available
for Mandrake Linux 9.1. The update corrects problems in zipping files via
konqueror.
Comments (none posted)
LinuxDevices
takes a look at
Monterey Linux, a distribution from Pigeon Point Systems.
"
According to Pigeon Point, Monterey Linux is a narrowly focused
Linux distribution that emphasizes high quality, cost-effective support for
selected System-on-Chip (SoC) processors, including the TMS320DM310,
TMS320VC547x, and TMS320DA180. These chips provide a general purpose CPU, a
C54x DSP, and numerous peripheral interfaces on a single inexpensive,
low-power chip."
Comments (2 posted)
NewsForge
delves into
the process of getting and installing NetBSD-current. "
The BSD
family of Unix-like operating systems evolved from the last release of
4.4BSD, released by the University of California some years ago. As with
Linux, they have full releases and a live CVS tree. This article discusses
why you might want to run the -current branch of NetBSD, how you would go
about it, and a bit of what could go wrong."
Comments (none posted)
New Distributions
The Ares Desktop has been created by merging two existing projects, Blue
Linux and J.A.M.D. The merger creates a larger pool of developers with the
common goals of building a free operating system for computers aimed at the
educational, home and small business markets.
Full Story (comments: none)
Gentoo
For Zaurus is a port of the Gentoo Distribution to the Zaurus PDA,
based on Cacko X11 Rom and The Emerde Project. It can be mounted over NFS
so no changes to a current configuration are needed. It includes a native
gcc environment for ARM, the zgcc-3.3.1 cross compiler for the main PC with
distcc configured so that the main PC does the actual compiling, and X11
for testing applications. The current version is 0.2, dated January 12,
2004.
Comments (1 posted)
LinuxDefender Live! CD is a Rescue CD based on Knoppix. It features
full NTFS write support (using Captive). It also includes instant antivirus
and antispam SMTP protection, which is managed via Webmin. Desktop
antivirus protection is integrated into the KDE interface, using
BitDefender for Linux technology. The first version of the LinuxDefender
Live! CD (2003-12-18) was launched at the Romanian LUG event LinuxConf
2003.
Comments (none posted)
XoL is a diskless Linux
"Live CD" distribution from the makers of SoL (Server optimized
Linux). Nothing is written to the hard drive unless the user really wants
to save it. It offers both KDE and GNOME, OpenOffice.org, and USB storage
device support for storing data. XoL joins the list at version
17.00o.BETA, released January 14, 2004.
Comments (none posted)
Minor distribution updates
Buffalo Linux has released
v1.1.0
with major feature enhancements. "
Changes: This major release
includes five kernels, all based on 2.4.24. It also includes the available
updates from Slackware "current". Many bugfixes were made, and much better
integration with Codeweavers CrossOver Office was added. The 2.4.24 kernels
for i486, i586, i686, ipent3, and ipent4 are also available as separate
downloads. These can be used to upgrade the earlier "rc3" release to the
latest kernel."
Comments (none posted)
Feather Linux has released
v0.3.2
with minor feature enhancements. "
Changes: A dpkg-get script has
been added. The Opera install script has been tweaked. gpart, socat,
prozilla, traceroute, and Midnight Commander have been added. nedit has
been replaced with SciTE because of space reasons."
Comments (none posted)
Fli4l (Floppy ISDN/DSL) has released
development v2.1.5 with minor feature enhancements.
"
Changes: This version adds a new kernel (2.4.23 with security fix
from 2.4.24), a new version of BusyBox, and a new DNS server (dnsmasq). It
now supports the AVM Fritz!Card DSL SL. Support for LCDs with "Winamp"
wiring was added. dropbear was added as an SSH2 server; using SSH1 is now
deprecated. There are new features for the W-LAN package. There is a VPN
package with OpenVPN and CIPE. There are also many bugfixes."
Comments (none posted)
GoboLinux has released
v010
with major feature enhancements. "
Changes: Among the new features
are a new installer, hardware detection, and new custom themes. As usual,
several packages were also upgraded, including KDE 3.1.4, GCC 3.3.2,
XFree86 4.3 (with NVidia support), Glibc 2.3.2, and OpenOffice 1.1. The ISO
is simultaneously an installation disc and a Live CD."
Comments (none posted)
Local Area Security Linux
has released
v0.4.1
with major feature enhancements. "
Changes: All packages have been
upgraded to current. There is a new theme, background, and many other menu
and cosmetic improvements. Many packages have been added to increase the
size to 210 MB." Note: a smaller version is still available.
Comments (none posted)
Rock Linux has released
v2.0.0-rc4
with minor feature enhancements. "
Changes: This release updates
many package (including gcc33, gdb, alsa, subversion, xscreensaver,
rdesktop, gimp, epiphany, galeon, and cpufreqd), adds packages (such as
xfig, transfig, nxcomp, and nxproxymany), improves the download system, and
improves partitioning in the installer."
Desktop Rock v2.0.0-rc3 has also been released. "Changes: This
release is based on ROCK Linux 2.0.0-rc3 and so features the various
package version updates and additions, as well as the improved download
system, and enhanced partitioning in the installer."
Comments (none posted)
SLAX has released
v3.0.25
with major feature enhancements. "
Changes: SLAX is now based on
version 3.0.25 of the linux live scripts. This version features KDE
3.2beta2 and KOffice 1.3rc2, and uses overlay filesystem (ovlfs) to make
the CD and the whole root filesystem pseudo-writable. More enhancements:
Floppy automounting was added. KDE language support was added for Czech
(cs), German (de), Brazilian (pt_BR), and French (fr). HorizSync was
modified in the X config file in an attempt to get a better display. Mouse
detection was enhanced. The monkeyd httpd server was added with its home in
/root/public/www. The "nopcmcia" kernel parameter was added."
Comments (none posted)
ThePacketMaster has released
v1.2.0
with major security fixes. "
Changes: This release updates the
kernel to 2.4.24 to address issues found in 2.4.23 and earlier. It adds new
packages for forensic analysis and vulnerability testing. /usr is now in a
cloop filesystem for a smaller ISO image. XFree86 is now included, as well
as the Enlightenment window manager, the Mozilla Web browser, and
Java."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Since the announcement went out on December 24th, many may have missed the release of MySQL 5.0 while they were on holiday. The 5.0 release is the next stage in MySQL evolution, and includes a few "enterprise" features that may be of interest. The release is considered alpha-quality, and is mainly targeted at developers. However the
announcement does note that "all old features should be reasonable [sic] stable."
The most interesting feature for many will be stored procedures. A stored procedure is a named set of SQL statements that is stored in, and executed by, the database server. A sequence of SQL statements therefore only needs to be defined once; clients then call the procedure by name rather than re-issuing the whole sequence each time it needs to be executed. This feature is already included in the MaxDB product from MySQL (formerly SAP DB) and in other open source databases like PostgreSQL.
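As an added illustration, not code from the MySQL announcement or from MySQL AB: a stored procedure written in the CREATE PROCEDURE syntax of the 5.0 series, wrapping a fixed query so that clients pass only a typed parameter. The shop database, its customers and orders tables and the webapp account are hypothetical, and the GRANT EXECUTE ON PROCEDURE privilege is as documented for the 5.0 series rather than verified against this alpha.

```sql
-- Added example; the shop schema, table and account names are hypothetical.
-- Statements inside the body end with ';', so the client delimiter is
-- switched temporarily (DELIMITER is a mysql command-line client directive,
-- not SQL).
DELIMITER //

CREATE PROCEDURE shop.orders_for_customer (IN p_customer_id INT)
BEGIN
  -- The SQL text is fixed at definition time. p_customer_id is a typed
  -- parameter, not text spliced into the statement, so a caller cannot
  -- change the shape of this query by what it passes in.
  SELECT o.order_id, o.placed_on, o.total, c.email
    FROM shop.orders    AS o
    JOIN shop.customers AS c ON c.customer_id = o.customer_id
   WHERE o.customer_id = p_customer_id
   ORDER BY o.placed_on DESC;
END //

DELIMITER ;

-- The application account is given the right to run the procedure and
-- nothing else: no SELECT on shop.orders or shop.customers, so an ad-hoc
-- or injected query from that account fails on privileges.
GRANT EXECUTE ON PROCEDURE shop.orders_for_customer TO 'webapp'@'localhost';

-- What the client sends per request:
CALL shop.orders_for_customer(42);
```

Two caveats a practitioner will want. The procedure only removes the injection risk if the client hands over the argument as a bound value (a prepared-statement placeholder, or a value it has already validated as an integer); a client that concatenates untrusted text into the CALL string is no safer than before. And the privilege separation relies on the procedure executing with its definer's rights rather than the caller's, which is the documented default for later 5.0 releases but should be confirmed against the build actually in use.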
This release also includes server-side cursor support, new functions, and a new binary log format. According to the MySQL documentation, it should be possible to upgrade from a current version of MySQL to 5.0 to take advantage of stored procedures with existing databases. The MySQL website has binaries available for a number of platforms, including tarballs with pre-compiled binaries for Linux on x86, Alpha, S/390, AMD's X86-64, IA-64, and RPMs for x86, IA64 and X86-64. There are also pre-compiled binaries for FreeBSD, OpenBSD, MacOS X and a number of other *nix platforms, and Windows. Source is also available, though MySQL AB recommends using the provided binaries.
If history is any guide, it will be some time before 5.0 is declared production-ready. The 4.0.0 alpha release was made available on October 16, 2001; the first 4.0.x release declared production-ready was 4.0.12, about a year and a half later, on March 18, 2003.
Comments (7 posted)
System Applications
Audio Projects
Version 1.0.1 of the ALSA sound driver has been released.
"
This is our first final ALSA release with number 1.0.1. As you all
expected, there are only minor fixes against 1.0.0rc2."
Full Story (comments: none)
Version 0.94.0 of JACK, the JACK Audio Connection Kit, is available with
"
Mostly minor, internal changes".
Full Story (comments: none)
The
latest changes from the
Planet CCRMA audio utility packaging project include
new versions of Muse, Chaos, Pd Cxc, and Pd Creb.
Comments (none posted)
Backup Software
Dan Langille
reviews Bacula, a cross-platform backup utility.
"
When people ask around about open source backup solutions, Amanda usually comes up first. I started there, but before I finished my implementation, I found what I think is a much better solution: Bacula. It may sound campy, but it works well."
Comments (none posted)
Database Software
Satya Komatineni
illustrates the database join construct in Java.
"
A join construct helps you effectively use select statements to mine
relational databases. This article examines syntax, surprises, and rules of
thumb for the use of joins."
Comments (none posted)
John Coggeshall
introduces MySQL in part two of an O'Reilly series.
"
The previous article explained how to use the SELECT statement to retrieve data from a table within the database. As you may have suspected, the SELECT statement is much more complex. There are several different clauses that can control exactly what data you will retrieve from a table. The first of these is the WHERE clause."
Comments (none posted)
Version 3.3 alpha 2 of ZODB, the Zope Object DataBase, has been released.
"
This release
includes support for new-style persistent classes and multi-version
concurrency control. It's an alpha release, so we could use feedback on
the new features and helping testing them."
Full Story (comments: none)
The January 12, 2004 edition of the PostgreSQL Weekly News
is available for your consumption. Take a look for the latest
PostgreSQL database news.
Full Story (comments: none)
Filesystem Utilities
GnomeDesktop.org
reports on the availability of the GNOME Volume Manager.
"
GNOME Volume Manager is a simple GNOME daemon that acts as a
policy agent on top of the Project Utopia stack, which includes
the kernel, hotplug, udev, and HAL. GNOME Volume Manager
listens for HAL events and responds with user-configurable
reactions. Currently it supports automount of new media and
hot-plugged devices, autorun, autoplay of CDs and DVDs, and
automatic camera management."
Comments (none posted)
Libraries
KDE.News
covers recent developments with the QtGTK library.
"
Integration of GTK+ applications in KDE has taken another leap forward.
This has historically been a bit of a problem; the fact that Qt and GTK+ rely
on different event loops was making it impossible to, for example, use
dialogs from one toolkit while building the GUI in another. QtGTK is a
library which integrates the Qt event loop in the Glib event loop. This makes
it possible to freely use KDE dialogs, DCOP, KDE IO and other KDE technology
in any GTK+ application just like they would be native."
Comments (1 posted)
Mail Software
Sean Reifschneider
explains the use of UUCP for email.
"
I have found that UUCP (Unix to Unix CoPy) provides a compelling alternative to the more typical email solutions for mobile users. I converted over to a laptop as my primary machine back in January of 2000, and UUCP was an important part of that setup. Without it, I'm sure I wouldn't have been as happy with my untethered lifestyle."
Comments (none posted)
Printing
Version 0.1.2 of
Jipsi
(in German), an implementation of the Java Print Service API for the
CUPS printing system, is available.
Comments (none posted)
Web Site Development
Version 1.2.2 of ht://Check, which is "
more than a link-checker",
is out.
"
New features include document type recognition (DOCTYPE) and storing,
as well as META description and keywords of HTML documents.
Sources have been strongly modified in order to be more robust and to
support latest releases of the autotools (autoconf, automake and
libtool)."
Full Story (comments: none)
David Simpson
explains the use of Perl and CGIScripter on Linux Journal.
"
This article describes how Perl is used to generate Perl CGI code using the multi-platform CGIScripter application. The resulting output code automates SQL table creation commands (in this example, for a MySQL database), HTML pages and Perl code. Web security issues, data validation and image handling functionality are incorporated into the resulting Perl code. By automating the development of Perl CGI scripts, even entry-level developers can create CGI scripts that contain most of the commonly requested features in a short period of time--without manually writing any code."
Comments (none posted)
Zope Corp. has announced the release of Zope 2.6.3. Included in this
release is a set of fixes for security problems found in a detailed
audit of the code, so upgrading is probably a good idea.
Full Story (comments: none)
Version 2.7.0 beta 4 of Zope is available.
"
Zope 2.7.0 beta 4 contains a number of security related fixes
for issues resolved during a comprehensive security audit conducted
in Q4 2003."
Full Story (comments: none)
Miscellaneous
Version 0.31.1 of the GNOME System Tools
has been announced.
"
This release mostly wants to
amend some building failures shipped in 0.31.0, but also adds support for
mandrake-9.2, improves services-admin support for slackware and provides
basic network support for slackware (eth and eth-like wireless devices at the moment)".
Comments (none posted)
Version 3.0 of the
Real Time
Application Interface (RTAI) has been released. There are many changes
in 3.0, including new architecture support, emulators for several
commercial real-time systems to ease migration, new development tools, and
much more.
Comments (none posted)
Desktop Applications
Audio Applications
Version 1.0.2 stable of Glame, an audio file editor, is available.
"
This is a bugfixing release
focussing on fixing the known issues with the New Posix Threading Library
(NPTL) shipped with recent libc and 2.6 Linux kernel (and unfortunately
also with RedHat 9.0 and Fedora distributions). Apart from this you'll
notice some improvements in the importing of Mp3 and Ogg files, namely,
you can cancel them now."
Full Story (comments: none)
Version 1.6.0 of
WaveSurfer,
an audio file editing package, is out.
One new feature is a Python API for adding plugins.
See the
change history for more information on what's new.
Comments (none posted)
Desktop Environments
Version 2.5.2 of the GNOME Platform Bindings
has been released.
"
Here is another scheduled release of the GNOME Platform Bindings,
which provide a GNOME development platform for programming languages
other than C, in the style of those languages. This release set gives
some bindings a schedule and rules to work within, so we can endorse
those bindings."
Comments (none posted)
David Sansome
explains
the GTK-Qt theme engine.
"
The GTK-Qt theme engine is a nifty hack for GTK+ applications that uses the currently selected KDE/Qt style to do its drawing in a very similar fashion to the recently announced KDE Native Widget Framework for OpenOffice.org. Basically, what this means is that it will make your GTK apps look just like KDE/Qt ones and hence integrate better into your desktop."
Comments (none posted)
The January 4-10, 2004
GNOME Summary is available. Take a look for the week's GNOME desktop
news.
Comments (none posted)
Version 3.1.5 of KDE
has been announced.
"
KDE 3.1.5 is a maintenance release which provides corrections of problems reported using the KDE bug tracking system and a vulnerability in the .VCF file information reader."
Comments (7 posted)
The January 9, 2004
KDE-CVS-Digest
is available. The summary says:
"
Many changes in KDE-PIM; gpgme now used in KMail. Knode integration in Kontact completed. A KPilot plugin for Kontact. IMAP addressbook resources, used in Kolab, is complete. And an initial version of a PIM configuration wizard. In Kexi, read-write queries are supported and dragging relations together now works. An KJSEmbed envelopemaker example is available. FileLight can be used in Konqueror. And the usual bugfixes."
Comments (none posted)
Version 4.0.3.1 of the
XFce
lightweight desktop environment has been released.
"
It's a small bug fix release for xfwm4 that ships with xfce 4.0.3. It fixes a focus problem when using multiple screens (not using Xinerama). xfwm4 is the only package impacted by this release."
Comments (none posted)
Educational Software
GnomeDesktop.org has
an announcement for gretools, a vocabulary building tool for GNOME.
"
Gretools consists of a synonym quiz and a word guessing game and
also allows you to look up words. It automatically remembers the words you
got wrong and helps you revise those words."
Comments (none posted)
Electronics
Version 3.1.34 of XCircuit, an electronic schematic drawing application,
is available.
Change information is in the source code.
Comments (none posted)
Games
The
Pygame project has released
new versions of the games SolarWolf and Pydance.
Comments (none posted)
Graphics
Version 2.0 pre1 of the GIMP
has been announced.
"
Not everything is in its final state, but we think this is close to a final
2.0 release. Your feedback will help make the 2.0 release even better, and we
particularly appreciate testing efforts. New bugs can be reported to us at
http://bugzilla.gnome.org/".
Comments (none posted)
Version 1.0 of Thuban, a GIS Data Viewer, has been announced.
"
Thuban is an interactive viewer for geographic data layers. It can
handle Shapefiles, PostgreSQL/PostGIS spatial databases and raster
data. The user interface makes data exploration easy. Notable
features are the legend editor with some automatic classification,
projection support and management of attribute tables."
Full Story (comments: none)
Instant Messaging
GnomeDesktop.org
covers the release of Gaim version 0.75.
"
Gaim 0.75 has just been released for public consumption.
Yahoo! works in it
(again), and it has a bunch of real important fixes you should grab."
Comments (none posted)
Interoperability
Version 3.0.2pre1 of Samba has been released.
"
This is a preview release of the Samba 3.0.2 code base and
is provided for testing only. This release is *not* intended
for production servers. However, there have been several bug
fixes since 3.0.1 that we feel are important to make available
to the Samba community for wider testing."
Full Story (comments: none)
Music Applications
Version 0.8.0 is the first stable release of JAMin,
the JACK Audio Mastering interface.
"
JAMin is a GPL licenced, state-of-the-art realtime mastering processor
designed to bring out the detail in recorded music and provide the
final layer of polish. Every effort has been made to ensure a clean,
distortion-free signal path. All processing elements use linear-phase
filtering, ensuring that no phase distortion is introduced."
Full Story (comments: none)
Version 4-0.9.6 of Rosegarden, an
audio and MIDI sequencer and score editor, has been released.
"
This release is primarily to address a significant problem with 0.9.5
that was seriously affecting sequencer timing performance for some
users. For this reason we strongly recommend an upgrade."
Full Story (comments: none)
Office Applications
The Vim editor
can be used under Evolution.
"
Jason_Hildebrand writes "In the last few months (off and on) I've done a lot of work and it's now possible to use Vim within Evolution. Thanks to the people who sent encouragement."
Comments (none posted)
Office Suites
An OpenOffice.org Native Widget Framework for KDE
has been announced.
"
A development version of the OOo KDE Native Widget Framework is now available for download. So far, it can draw KDE-styled push buttons, radio buttons, check boxes and list boxes (screenshot1, screenshot2, Plastik)."
Comments (none posted)
Web Browsers
The minutes from the January 9, 2004 Mozdev Admin Meeting are online.
The
MozillaZine summary says:
"
Issues discussed include the splitting of mozdev
services, mirrors, abandoned projects in category listings, site statistics,
newsfeeds, the home page redesign and meeting times."
Comments (none posted)
The minutes
of the January 5, 2004 Mozilla.org staff meeting are available.
"
Issues discussed include Mozilla 1.6 final, Mozilla Firebird 0.8, CD status, the new Talkback server, plans for the next few months and public relations."
Comments (none posted)
MozillaZine
reports on a plea for developer help for the Securita project.
"
Robert Accettura writes: "The Securita project is looking for help and
leadership, as it attempts to restart." Securita is a project to build a word
filter extension for Mozilla, allowing parents and the like to restrict the
sites their children go to."
Comments (1 posted)
Word Processors
Issue #178 of the
AbiWord Weekly News is available, here's the summary:
"
New AbiDevelopers and an AbiTranslator with positive attitudes shine on this week, while the ability to translate the Windows installer has already been taken advantage of, and MacOS X gets an automatic builder. Also included is an exclusive present for AbiLovers from FootNotes' own stro! Additionally AbiWord 2.0.3 is anticipated to be tagged this Wednesday! See! You wouldn't know that if this came out on time!"
Comments (none posted)
Miscellaneous
Version 1.2.0 of the Linux Brochure Project has been released.
This version "
includes a simplified build process, Western
European language build support, and an improved look for the generated
brochures."
Full Story (comments: none)
GnomeDesktop.org
mentions Miguel De Icaza's latest Mono status report.
"
Miguel de Icaza has written a little status update on the progress of Mono. Lots of bug fixing and performance optimizations happening.
Also much progress on a port of SharpDevelop to GTK#".
Comments (none posted)
Languages and Tools
Caml
The January 6-13, 2004 edition of the Caml Weekly News is out
with several new Caml language articles.
Full Story (comments: none)
Java
Ori Kushner
writes about the Java Units Specification on O'Reilly.
"
This article discusses JSR-108, the Java Units Specification, which allows developers to create systems of units and to define conversion and representation rules in Java. Using an implementation of the Java Units spec, you would be able to attach a unit to a number so that when defining a rectangle in your program, it is clear that its length equals six feet, six meters, six miles, six light years, or some other standard unit of length, rather than just six."
Comments (none posted)
Barry Feigenbaum and Tom Brunet
program 2D animations with Java on IBM's developerWorks.
"
Why code your animated sequences when you can draw what you want and let a program do the rest? In this article, Barry Feigenbaum and Tom Brunet show you how to combine lossless images, Swing technology, and the authors' own Java-based animation engine to generate movement sequences for fixed objects in 2D animation."
Comments (none posted)
Lisp
Paolo Amoroso mentioned the creation of the new
Planet Lisp site.
"
Planet Lisp is a new site that aggregates via RSS the weblogs of Lisp
users, and is inspired by similar aggregation pages in the Open Source
world."
Comments (none posted)
Pascal
Version 1.9.2 of Free Pascal has been released.
"
Compared with 1.9.0 there are a lot of bug fixes as well as some new
features like register calling for i386 or a powerpc compiler."
Full Story (comments: none)
Perl
Release Candidate #1 of Perl 5.8.3
is available.
"
This is a regular maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."
Comments (none posted)
Adam Turoff
covers
the state of Perl on O'Reilly.
"
I repeated the same answer I've used for years when people ask me if Perl has a future:
Perl certainly is alive and well. The Perl 6 development team is
working very hard to define the next version of the Perl language.
Another team of developers is working hard on Parrot, the next-
generation runtime engine for Perl 6. Parrot is being designed to
support dynamic languages like Perl 6, but also Python, Ruby and
others. Perl 6 will also support a transparent migration of
existing Perl 5 code."
Comments (none posted)
Use Perl
mentions the availability of an article on Perl
certification in The Perl Journal.
"
YUMPY writes "Did you miss the panel discussion on Perl Certification at TPJ 7.0, which ended with the audience voting strongly in favor of the development of a certification procedure for Perl programmers? Did you miss the October article called "Is it Time for Perl Certification?" in The Perl Journal? If so, thanks to the generosity of the TPJ folks, you can now catch up on these developments by reading the TPJ article for free."
Comments (none posted)
PHP
Version 4.3.5RC1 of
PHP has been released.
"
This is the first release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."
Comments (none posted)
Python
The Python-dev Summary for December 1-30, 2003 is out with
a summary of the python-dev mailing list traffic.
Full Story (comments: none)
Roberto Alsina
explains
how to develop a PyQt application using Eric3.
"
Hello, I am Roberto Alsina and I will be your host for this evening's demonstration. I will develop a useful application using PyQt and Eric3, and document the process here. In realtime."
Comments (none posted)
Tcl/Tk
Dr. Dobb's Tcl-URL! is available for January 12, 2004.
Take a look for the latest Tcl/Tk news.
Full Story (comments: none)
Miscellaneous
Version 4.6 of the Q language has been released.
"
Q is a multi-platform functional programming language based on term
rewriting, which comes with a collection of useful addon modules for
system, scientific and multimedia programming. Release 4.6 of Q is now
available, along with Q-Audio 1.2 and Q-Midi 1.12."
Full Story (comments: none)
Peter Seebach
explains
the process behind the creation of generic Linux tools.
"
As a developer, you may have found that existing utilities don't always solve your problem. While you can solve many problems easily by stringing together existing utilities, solving other problems requires at least some amount of real programming. These latter tasks are often candidates for creating a new utility that, when combined with existing utilities, will solve the problem with a minimum of effort. This article looks at the qualities that make for a good utility and the design process that goes into it."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
BBC News is running
a column from the
Consumer Electronics Show; the author is not entirely impressed with
what he saw. "
And [Carly Fiorina] claimed that the way entertainment is
'created, distributed, managed and consumed' is changing forever, in ways
that highlight 'the power of democracy', and are about 'giving power to the
people.' Then she went and spoiled it all by committing HP to putting
digital rights management software in every one of its consumer devices,
encrypting any recorded content stored on HP systems so that it can't be
transferred to other computers or players, stopping people copying their
old videos to DVD, and even making sure that HP home computers can't record
broadcast television programmes."
Comments (22 posted)
First Monday
takes a look
at the structure of motivation in open source software. "
A growing
body of economic literature is addressing the issue of incentives for
individuals who take part in the Open Source Software (OSS) movement, while
empirical analyses focus on individual developers but neglect firms that do
business with it. During 2002, we conducted a large-scale survey on 146
Italian firms supplying OSS in Italy and this paper compares our data on
firms' motivations with data emerging from surveys made on individual
programmers. Our objective is to analyse the role played by different
classes of motivations (social, economic and technological) in determining
the involvement of different groups of agents in Open Source
activities." (Thanks to David A. Wheeler)
Comments (5 posted)
Trade Shows and Conferences
Open Sector
reports on
the Open Source in Government conference, going on now in Adelaide,
Australia, with pointers to stories on
ZDNet and
Computerworld.
Comments (none posted)
Doc Searls
searches for open
source news at Macworld, on Linux Journal. "
Sure enough, I
couldn't even find mentions of Darwin or open source among any of the
breakout sessions. (Maybe they were there and I missed them; still, the
point is the same.) That's a far cry from three years ago, when a session
on Yellow Dog Linux packed one room while nearby Darwin sessions spilled
into the halls."
Comments (5 posted)
KDE.News
covers
progress by the KDE Personal Information Management (PIM) team
at a recent German hackfest.
"
This year the plan was to make a roadmap for future KDE-PIM Development. The developers took the opportunity to discuss complicated issues in detail and sit together for brainstorming or in order to fight evil bugs."
Comments (none posted)
The SCO Problem
Groklaw
points out that SCO's regulatory filings are missing one important "risk factor" for its investors. "
If you look through the SCO SEC filings as I have been doing, you may find, as I have been finding so far, that SCO appears not to have listed receiving those letters from Novell or mentioned that Novell was still contesting SCO's copyright claims on UNIX as a risk factor in their recent filings."
Comments (3 posted)
Groklaw covers some of SCO's moves in its case against IBM. SCO
presented a
Motion to
Compel Discovery and
Memorandum
in Support of its Motion to Compel. "
SCO says it needs all
versions back to 1985 "in order to analyze the ways in which AIX has
changed and the ways in which its structures, methods and information based
on UNIX have evolved. The evidence adduced from this discovery is likely to
identify evidence of infringement and/or contract violations by IBM by
improper contributions of such items to Linux.""
Comments (5 posted)
According to Groklaw, SCO has posted a Notice of Compliance that
states that they have not fully produced the evidence required
by the court order.
"
The notice claims they have fully complied with the court's order with respect to answering Interrogatories 1-9, 12 and 13, but they reserve the right to supplement after they get more code from IBM.
However, they say they have *not* produced all the documents requested by IBM, specifically files of certain directors and officers. Because of the holiday, they didn't have time to fully review them yet. That is another way of saying they have not fully complied."
Comments (5 posted)
News.com
reports on efforts by SCO to broaden the scope of their
licensing quest to a worldwide arena.
"
Companies outside the United States that use Linux could already buy a license from SCOsource under the existing license program running within the United States. But the explicit offer of licenses worldwide brings with it the implicit threat of legal action for those who do not comply.
The first lawsuits are now only weeks away, according to Sontag. "I would expect within the next few weeks we will have a number of Linux end users who we will have identified and taken legal action (against)," Sontag told ZDNet UK. "We will probably see that ramping up over time.""
Comments (1 posted)
Companies
News.com
reports
that Red Flag Linux and Miracle Linux are working together to create
"Asianux". "
The companies confirmed that they will base upcoming
product releases such as Red Flag DC 4.1 and Miracle Linux 3.0 on Asianux
but did not reveal when these products will be available. The two companies
also aim to set up a joint support center at Oracle's Beijing facility to
provide technical assistance to Chinese customers using Asianux-based
products. U.S.-based Oracle is a majority stakeholder in Miracle Linux and
a longtime partner of Red Flag on the mainland."
Comments (none posted)
News.com
reports
that claims submitted through the MSfreePC site will not be recognized.
"
In November 2003, Microsoft asked the court to reject any claims
filed via MSfreePC, saying the Lindows site violated the terms of
Microsoft's settlement by using so-called digital signatures to process
submissions. (Digital signatures are online validation agreements used to
verify individuals' identities.) Lindows argued in response that Microsoft
only opposed the site because it hoped to escape paying as much of the
settlement as possible by making the claims process "arduous and
time-consuming" for Californians."
Comments (none posted)
Here's
a News.com article on Novell's new protection offer.
"
Under Novell's plan, the company will provide customers with protection from copyright infringement lawsuits to the tune of $1.5 million, or a factor of 1.25 of their software purchase price. To get the protection, customers must buy SuSE Linux and support from Novell and sign a licensing agreement..."
Comments (12 posted)
Linux Adoption
Groklaw
examines several situations where Linux is gaining strength,
including on IBM executives' desktops.
"
The Inquirer has a leaked internal IBM memo, they say from IBM CIO Bob Greenberg, asking all IBM executives to switch their desktops to Linux by the end of next year. After they do it, don't you suppose that will be the end of FUD along the lines of "Linux isn't ready for the desktop"? Everyone will just know that if IBM runs Linux on the desktop, so can any other business."
This
ZDNet article
looks at the IBM decision in more depth.
Comments (none posted)
IT-Director
reports that Computer Associates (CA) is switching to Linux.
"
There are two reasons why it is worth taking note of CA with respect to Linux. The first is that CA believes, as I do, that Linux is going to become the standard OS. I know this because I heard Yogesh Gupta, the CTO of CA, say so at the last CA World. The second is that CA believes that it can generate a respectable revenue stream from Linux."
Comments (none posted)
Ryan Benner
explains the monetary details behind his company's switch to Linux.
"
Nearly three years ago I rebuilt my company's corporate network, comprising six geographically dispersed offices and approximately 300 users, using a budget smaller than what most system administrators and IT managers make in a year. Our migration to Linux servers and software was a success, and offers a lesson for other administrators."
Comments (none posted)
Legal
TechWeb looks into efforts by Massachusetts Senator Marc Pacheco to derail his state's Open Source/Open Standards Policy. "Pacheco, a Democrat, said the new policy is 'perceived to be an exclusionary policy that excludes proprietary software.' He is chairman of the Post Audit and Oversight Committee and said he has received 'lots of calls' from software companies whose business revolves around proprietary software, many of whom are concerned that they will be locked out of Massachusetts' $80 million IT budget."
Comments (none posted)
eWeek reports that the Massachusetts IT policy has been weakened with regard to the use of open-source software. "Essentially, rather than focus on open source as a priority, the new policy demands that new IT investments be open standards compliant. The state's new Enterprise Open Standards Policy defines open standards as: 'Specifications for systems that are publicly available and are developed by an open community and affirmed by a standards body.' The policy gives HTML as an example of such a standard and adds: 'Open standards imply that multiple vendors can compete directly based on the features and performance of their products.'"
Comments (9 posted)
Interviews
Linux.com interviews fiction writer and Linux user Valerie MacEwan. "Microsoft can't get it right and the people who listen to me (or other Linux voices) are the ones who've been hacked, attacked, wormed, virused, and have had to spend $100s on security software. That's one of the biggest things that drove me back to Linux in 2003. I priced all the Norton, AdAware, and more programs and the combined cost was unbelievable. And there, on the shelf next to it was SuSE 9 Professional for $79 and I knew once I put it on my computer and learned how to drive it (mainly, got it to find my Sony digital camera, my laser printer, and my scanner), my odds for keeping other people out of my computer were more in my favor."
Comments (none posted)
The FOSDEM website has two new interviews, dedicated to BRASS and to JOnAS. In the first interview Roger Butenuth talks about accessibility to Linux for blind users; then Florent Benoit introduces JOnAS, an open source J2EE application server.
Comments (none posted)
Reviews
Christian Schaller writes about GStreamer on OS News. "The core concept in GStreamer is that of a pipeline system which your media streams through. This means you have one or more sources, which can be anything like a file, a URL or a hardware device. Depending on how you construct your pipeline, you can then have lots of things happening to that media stream before it ends up in one or more sinks at the other end of your pipeline. The sinks can be like the sources: a web stream, a file or a hardware device, all depending on what plugins and elements you have installed."
Comments (none posted)
In this Linux Journal article Pat Eyler presents mini reviews of Computer Science & Perl Programming, Games, Diversions & Perl Culture, Essential CVS, and The Linux Development Platform.
Comments (none posted)
Miscellaneous
Haaretz examines what the Israeli government is up to with Microsoft and free software. "The treasury began investing in open code more than a year and a half ago, when its relations with Microsoft were still smooth. Now, entangled in a dispute with the giant, the Finance Ministry is enjoying kicking Microsoft where it hurts, even though it really has no real intention of replacing Windows with Linux, or Office with Open Office." (Thanks to "Dewd").
Comments (9 posted)
MozillaZine reports on the relicensing of the Mozilla codebase. "Over the coming months, the majority of the Mozilla codebase will be relicensed under an MPL/GPL/LGPL tri-license. The change will mean that developers building products based on Mozilla will be able to choose whether to use the code under the terms of the Mozilla Public License, the General Public License or the Lesser General Public License."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Open Source Development Labs (OSDL) has announced the creation of a
Linux legal defense fund. The fund will defray legal expenses of Linux
users involved in litigation with The SCO Group on issues that affect the
Linux community and industry. OSDL aims to raise $10 million for this fund
and will accept donations from individuals, organizations and companies.
Full Story (comments: 2)
The netfilter/iptables project needs volunteers to help with documentation,
scripting, web site maintenance, and mailing list management.
Full Story (comments: none)
Lindows.com is offering a free download of LindowsOS to all KDE developers.
Comments (none posted)
For those who are interested in reading the decision by the Borgarting Appellate Court in the "DVD Jon" trial, Lovdata has made available an English version (as a .doc) and the link to the original Norwegian. (Thanks to Erik I. Bolsø)
Comments (none posted)
A new Debian Perl Group has been founded. "Most developers often realize that modules available on CPAN are not included in the Debian archive. This hinders the packaging of Perl applications and other modules. After discarding the idea of automatically dumping all CPAN modules into the Debian archive, a collective effort to improve the packaging of Perl modules in Debian was proposed. This consists of creating new packages of needed modules as well as of bugfixing and updating existing packages."
Full Story (comments: none)
Red Hat has announced that it will assign all of its copyrights in the eCos open source operating system to the Free Software Foundation (FSF). "The contribution will enable the Free Software Foundation to act as the sole copyright steward of the project and work directly with the eCos community and its maintainers on future development."
Comments (10 posted)
New Zealand's Tertiary Education Commission has funded the following project: Open Source e-Learning Environment and Community Platform, adopting and developing open source e-learning application software for adoption throughout NZ's tertiary education sector.
Full Story (comments: none)
GnomeDesktop.org has announced the passing of developer Mark Finlay. "Mark was the driving force behind the creation of the GNOME Users Board, where he helped numerous people learn to use GNOME. He was also a contributor to Rhythmbox, Gossip and numerous other GNOME projects."
Comments (none posted)
Commercial announcements
Ineo Concepts has workstations, servers, and gaming machines built
specifically for Linux. As far as we know, they are the first to offer
boxes with Gentoo Linux preinstalled.
Full Story (comments: 2)
Eridani has released version 1.1.3 of MailStripper, a commercial
SMTP Spam Filter.
Full Story (comments: none)
McObject has announced the availability of their eXtremeDB in-memory
database for x86 Linux.
Full Story (comments: none)
MySQL AB has announced the availability of version 5.0 of the MySQL database. "The new release includes the addition of stored procedures as well as other advances designed to enhance the development of large-scale enterprise database applications. The MySQL 5.0 alpha development release is now available for testing and evaluation by the open source community."
Comments (3 posted)
Here's the press release from Novell announcing the completion of its
acquisition of SUSE LINUX. The closing of the $210 million cash deal also
opens the door for completion of the $50 million investment of IBM in
Novell announced November 4.
Full Story (comments: 3)
With the acquisition of SUSE LINUX now complete, Novell has also announced
it will offer its SUSE LINUX Enterprise Server customers a new
indemnification program designed to provide an additional measure of
protection against certain intellectual property challenges to Linux.
Full Story (comments: none)
Pigeon Point Systems has announced the support of Texas Instruments' digital media processors by their Monterey Linux distribution.
Comments (none posted)
Training videos for the Red Hat Certified Engineer certification are available from CBT Nuggets, Inc. "The training contains a variety of on-screen demonstrations and examples of Red Hat Linux as well as tips and hints to assist you in making the most of the product."
Full Story (comments: none)
IBM has announced a new Linux-based IBM point-of-sale (POS) solution, based
on SUSE LINUX.
Full Story (comments: 1)
New Books
O'Reilly has published the book
Relax NG by Eric van der Vlist.
Full Story (comments: none)
O'Reilly has published the book
Sendmail Cookbook,
by Craig Hunt.
Full Story (comments: none)
Resources
Andrew Josey from The Open Group has sent us his coverage of the January 8
Austin Group teleconference minutes.
Full Story (comments: none)
An ISO Technical Report that documents conflicts between the
Linux Standard Base Specification and POSIX is available.
Full Story (comments: 1)
The Linux Documentation Project Weekly News for January 7, 2004 has
been published. Take a look for the latest new documentation.
Full Story (comments: none)
The Linux Documentation Project Weekly News for January 14, 2004
is available with the latest new and changed documentation.
Full Story (comments: none)
The latest news from the Linux Professional Institute covers a verification
system; the use of Linux in Brazil; a German article on the LPI Translation
Program; looking for community assistance for Exam Development; Linux World
- New York; LPI in South Africa; and Linux Australia Conference in
Adelaide.
Full Story (comments: none)
GnomeDesktop.org reports on the fourth release of the Sodipodi flag collection. "This collection of SVG flags made available under the Creative Commons Public Domain dedication has now reached over 300 flags. All independent countries, many major regional flags, historical flags and organisational flags are now part of the package."
Comments (none posted)
The December newsletter for Translate.org.za is out. This project seeks to bring open source software to all South Africans. It is a project of the Zuza Software Foundation; "Zuza" means given freely, got as a gift, obtained freely.
Full Story (comments: none)
Contests and Awards
The polls for the 2003 LinuxQuestions.org Members Choice awards are closed and the results are in. Winners include Slackware for Distribution of the year, MySQL for Database of the year, KDE for Desktop Environment of the year and OpenOffice.org for Office Suite of the year. The full results are also available.
Comments (none posted)
A computer versus human chess contest will be held at NordU/USENIX 2004. "The technical conference NordU/USENIX 2004 will host the ChessBrain project's attempt to establish a world record for the 'Largest number of distributed computers used to play a single game of chess'. ChessBrain is the world's first distributed network of computers which work together to play chess."
Full Story (comments: none)
Upcoming Events
The Fifth European GNOME Users and Developers Conference (GUADEC 2004) has issued a Call for Papers. GUADEC is scheduled for June 28 - 30, 2004 in Kristiansand, Norway. In other GNOME news, GNOME.conf.au will debut at Linux.conf.au. See the GNOME Lovers Guide to linux.conf.au for more info.
Full Story (comments: none)
A Call for Papers has gone out for the Samba eXPerience 2004 conference. The event will take place in Göttingen, Germany on April 5-7, 2004.
Full Story (comments: none)
The website for the 2004 Ottawa Linux Symposium is online, along with a call for papers. The 6th annual OLS will be held July 21 - 24, 2004.
Comments (none posted)
A Call for Papers has gone out for the New Security Paradigms Workshop 2004. The event will take place on September 20-23, 2004 in Nova Scotia.
Full Story (comments: none)
The 2004 GCC and GNU Toolchain Developer's Summit will be held in Ottawa, Ontario, Canada on June 2-4, 2004. A call for papers has gone out for the event.
Full Story (comments: none)
The Open Source Business Conference will be held in
San Francisco, CA on March 16-17, 2004.
Full Story (comments: none)
Open Source Software Chicago will be offering a presentation entitled
"Effective Security using Open Source Security Tools"
by Bob Radvanovsky. The event will take place on January 22, 2004.
Full Story (comments: none)
The Linux Users' Group of Davis and the UC Davis Computer Science
Club will be holding a Linux Installfest workshop on January 17, 2004.
Full Story (comments: none)
LinuxMedNews has an announcement for the next VistA open-source health care meeting. The event will take place at Rice University in Houston, TX on March 11-14, 2004.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| January 15 - 17, 2004 | Linux.conf.au | Adelaide, Australia |
| January 20 - 23, 2004 | LinuxWorld Conference & Expo 2004 | Jacob K. Javits Convention Center, New York, New York |
| January 20 - 21, 2004 | FSF Free Software Licensing Seminars | Columbia Law School, New York, NY |
| January 22 - 23, 2004 | Vancouver PHP Conference | SFU Harbour Centre, Vancouver, BC, Canada |
| January 28 - February 1, 2004 | NordU/USENIX 2004 | Copenhagen, Denmark |
| January 31 - February 1, 2004 | WineConf 2004 | Court International Building, St. Paul, Minnesota |
| February 2 - 6, 2004 | EclipseCon 2004 | Disneyland Hotel, Anaheim, CA |
| February 2 - 4, 2004 | Open Standards and Certification Conference | San Diego Marriott Mission Valley, San Diego, CA |
| February 3 - 5, 2004 | Linux Solutions 2004 | Paris, France |
| February 9 - 12, 2004 | O'Reilly Emerging Technology Conference (ETech) | The Westin Horton Plaza, San Diego, CA |
| February 20 - 22, 2004 | CodeCon 2004 | Club NV, San Francisco, CA |
| February 20 - 24, 2004 | PaWS PHP and Web Standards UK 2004 | Manchester, UK |
| February 21 - 22, 2004 | Mozilla Developers Meeting in Europe 4.0 | Brussels, Belgium |
| February 21 - 22, 2004 | FOSDEM 2004 | SOLBOSCH, Brussels, Belgium |
| February 23 - 27, 2004 | PostgreSQL Bootcamp | Big Nerd Ranch, Inc., Atlanta, GA |
| February 25 - 26, 2004 | UKUUG LISA/Winter Conference and Tutorial | Lansdowne Campus, Bournemouth Univ., Bournemouth, UK |
| March 1 - 5, 2004 | PHP\|Cruise | The Caribbean |
Comments (none posted)
Mailing Lists
KDE.News has an announcement for two KDE mailing lists. "I'm pleased to announce that the dot-stories and dot-headlines mailing lists are finally back online. For those of you who don't know, dot-stories is the list to be on if you wish to receive the latest KDE Dot News in your inbox, and dot-headlines is the list you should subscribe to if you wish to receive the headlines only."
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Comments (none posted)
Miscellaneous
MozillaZine ranks the Mozilla Project's most significant event for 2003: the demise of Netscape. "The top choice was the demise of Netscape, which received 35% of the 1,947 votes cast. The launch of the Mozilla Foundation came second, with 29%, followed by the new end user focus (16%) and the new Roadmap (12%)."
Comments (none posted)
Page editor: Forrest Cook