LWN.net Weekly Edition for February 12, 2004

A grumpy user's browser review

An LWN editor's job requires spending vast amounts of time each day operating a web browser. As a result, we have become very sensitive to browser features which make it easier to get things done - or which get in the way. In an effort to find a better tool for the creation of LWN, your editor decided to spend some serious time working with some of the current crop of web browsers. With luck, it was hoped, the least evil browser could be identified and used on into the future.

One note before we get going: Konqueror is not included in this review. Konqueror is a highly capable browser (and file manager) which is worthy of consideration, but it suffers from one fatal flaw (from your editor's point of view): it will not run without the whole KDE infrastructure running behind it. Your editor is not currently a KDE user, so Konqueror is not an available option.

This effort was motivated at this time in particular by the announcement of the Mozilla Firefox 0.8 release. Firefox is the new name for the browser formerly known as "Firebird." Those who are curious about the name change can peruse the "brand name FAQ" and this weblog entry describing the lengthy process involved in changing the browser's name.

We'll start, however, with Galeon, which has been your editor's browser of choice for some time. Galeon has been slowly falling out of favor, however, since the 1.3 branch was begun and all the work that went into making 1.2.x a top-quality power user's browser was thrown away. Galeon 1.3 suffers from the GNOME "don't confuse those poor, helpless users by letting them configure things" disease - though it is possible to have more control if you know the proper secret gconf registry codes. Even so, some nice 1.2 features, such as the ability to configure the toolbar for maximal functionality in minimal space or remembering the preferred zoom level for each site, are still missing.

The real problem with 1.3.x, however, is the seemingly endless series of Weird Bugs. The bookmark editor has not worked well for a long time, and rearranging bookmarks can result in strange little windows with URLs in them floating across the screen long after the user has moved on to other tasks. The "type ahead find death grip" has caused your editor to put his fist through more than one monitor while attempting to fill in web forms. The browser grows without limit; it usually has to be killed and restarted around when it hits 200MB or the entire system slows to a crawl.

Despite all these complaints, Galeon has served well for a long time, and will be a hard browser to beat.

The Mozilla Firefox 0.8 release is easy to download in binary form and install. The initial impression it made was not the greatest, however; Firefox appears to be unable to find or use the beautiful Bitstream Vera antialiased fonts that Galeon uses so happily. The result is an ugly, hard-to-read screen which is reminiscent of the old Netscape 4.x days. Firefox behaves this way on Debian sid and Red Hat Linux 9 systems. Comments from others suggest that this is a problem that can be overcome, but it is clearly not a straightforward thing to do. Update: as noted by a few commenters, the fix is to install the "gtk2+xft" version; it can be found on the FTP site but is not mentioned on the download page.

The browser also makes an immediate impression, however, for its speed. Even when freshly started, current versions of Galeon are not so zippy on your editor's desktop. Firefox seems robust; a day's worth of serious browsing failed to turn up a single site which crashed the browser or which did not render properly. Most of the features one has come to expect in a modern browser (tabbed browsing, search fields, printing, bookmark editing, password management, JavaScript, history tracking with search, etc.) work well. Firefox gives a relatively high degree of control over things like popup windows and active content; there is a list of actions which can be allowed or denied to JavaScript scripts, for example. Firefox has far more theme support than the other browsers reviewed.

The browser's process size appeared to stabilize at "only" 98MB; huge by any rational standards, but Galeon has a hard time putting up its splash screen with that much space. Firefox appears to have a solid base at this point.

That said, some things are missing. At the top of your editor's list is the ability to control image animation. One forgets how annoying the web can be with things bouncing around the screen; Firefox provides no evident way to turn animation off. The download manager is a little strange; it provides no way to place a file in an arbitrary directory at download time. Instead, you have to choose a single download directory via the configuration dialogs and everything will go there. By default, downloaded files go into the home directory. Control-T creates a new tab, as one might expect, but it comes up blank; Galeon's practice of bringing up the home page in new tabs seems preferable.

All of the above items would appear to be fixable with a (relatively) small amount of effort. Firefox may not be ready to displace Galeon from your editor's desktop, but it's not far from that point either.

Once this process was begun, it seemed logical to give Epiphany 1.07 a spin as well. Epiphany makes a good first impression; the toolbars are clean and don't take up a whole lot of space, and antialiased fonts are the rule. It's a nice-looking browser. Epiphany, like the other browsers, also offers the usual set of expected features.

Epiphany's configuration dialog is the most sparse of the three browsers reviewed here. It does provide control over the toolbars, which is nice, but many other things are missing - including that all-important control over image animation. There also does not appear to be any sort of explicit control over popup windows. Another obnoxious little limitation with Epiphany is that it does not allow a URL to be "pasted" into the browser with the middle mouse button - a feature supported by both Galeon and Firefox. Epiphany 1.07 suffers from the "typeahead find death grip." Given that many users probably do not use the typeahead find feature at all, it sure would be nice to have an (obvious) way to turn it off.

Epiphany also manifests some strange behavior when the user types a URL into the location field and there are multiple windows open: completion windows show up on each browser window and must be chased away individually. Epiphany grew to over 100MB during a day of testing, and appeared to be set to continue to inflate. It bloats far more slowly than Galeon, however. Beyond that, Epiphany seems stable; your editor could not make it crash.

Epiphany is closer to Galeon than Firefox in rendering speed: generally good enough, but not strikingly fast. To try to get a handle on things, we ran an ultra-scientific test: see how long each browser takes to render a local copy of this page, which consists of a huge table listing vulnerabilities and alerts from 2003. Epiphany and Galeon consistently required about 6.5 seconds to present the page; Firefox can do it in 5.4.

Perhaps the most striking realization from this whole exercise, however, is just how similar these three browsers are. The fact that they all use the Gecko rendering engine will certainly create a degree of uniformity, but the resemblance goes beyond that. Your editor often had to look carefully to see which browser was in use at any given time. To a great extent, they can be substituted for each other; the differences between them come down to little nits and pet peeves.

One might well wonder why three groups of people are working so hard to build complex applications which resemble each other so strongly. If we are going to have multiple Gecko-based browsers, it would make some sense for them to differentiate themselves somehow. Why can't one of them be the power user's browser, providing full control over every aspect of its operation without fear of confusing the user with too many configuration options? Couldn't one of them be an experimental browser, trying out interesting new ways of presenting the web to users? We could dedicate one project to each of those goals, and still have one trying to do the Same Old Stuff in the best way possible. As it is, each of the three browsers reviewed is an advanced and capable application, but it is increasingly hard to find a reason to choose one over another.


SCO update

SCO and IBM had a new day in court on February 6, when a hearing was held to determine whether SCO had complied with IBM's motion to compel discovery. IBM's position is that SCO has failed to comply. As of this writing, the judge has not made a ruling. The preliminary indications from the transcript of the hearing (available on Groklaw, of course) do not bode well for SCO, however.

IBM noted in court that SCO is no longer alleging any sort of disclosure of trade secrets on IBM's part. SCO did provide a small number of files and line numbers of Linux code which, it says, violates IBM's contract with SCO. These files were in the expected parts of the kernel: the read-copy-update code, the JFS filesystem, etc. In every case, the code in question was indisputably written by IBM, and is owned by IBM. Some of it is even patented by IBM.

In other words, as we have noted in the past, SCO has been pushed back to one of its original claims: that it has the right to control the disclosure of any code which has ever breathed the same air as SYSV Unix. IBM sees this, of course, and isn't making it easy. From the hearing:

The notion is, Your Honor, that somehow IBM is prohibited from disclosing that code because in some way it is derived from Unix System Five. What we asked for in our responses is that they tell us, if that is the theory, exactly where it is in Unix System Five that the code derives from.

The point, of course, is that code independently written by IBM does not derive from SYSV Unix at all. This point has been fairly clear to people who have been paying attention for some time. For the rest (i.e. SCO and the bulk of the news media), IBM has to work to get the idea across.

SCO has also requested permission to amend its complaint against IBM yet again. If this change is allowed, it will modify the case in some interesting ways. Much noise has been made in the wider media about the addition (finally) of a copyright infringement charge. This charge says nothing about IBM's contributions to Linux, however; instead, SCO claims infringement because IBM continues to distribute AIX despite having had its license "terminated" by SCO. Unless SCO can convince a court that IBM has breached its contracts with SCO, this charge will evaporate.

The charges of export violations have been fleshed out. It seems that SCO has concluded that IBM's contracts never gave it the right to distribute Unix code in India. Since Linux is clearly available in India, SCO concludes that its contract has been breached yet again.

Perhaps most amusing is the new claim of "interference with contract." Those who have been following this case will recall that Novell has made some interesting claims, including (1) that it still owns the Unix copyrights, and (2) that it has the right to keep SCO from terminating Unix licenses. SCO, it seems, sees the shadowy hand of IBM behind Novell's actions, and is now charging IBM with causing Novell to act the way it has. Novell's own interest in the success of Linux seemingly does not enter into this picture.

Finally, as noted above, the latest version of the complaint deletes the charge of "misappropriation of trade secrets" which had appeared in earlier versions.

Novell, meanwhile, has sent a new letter to SCO in an (undoubtedly IBM-directed) attempt to clarify its view of the "derived works" argument. Novell has dug up some old communications from AT&T regarding its interpretation of the Unix licenses and some changes the company made to make that interpretation more explicit:

AT&T then followed up by adding to section 2.01 a sentence clarifying that AT&T "claims no ownership interest in any portion of such a modification or derivative work that is not part of a SOFTWARE PRODUCT." Even more clearly, the August 1985 edition of $ echo explained that this "sentence was added to assure licensees that AT&T will claim no ownership in the software that they developed -- only the portion of the software developed by AT&T."

SCO's view of derived works never did seem likely to stand up in Court, but Novell has thrown up yet another obstacle in SCO's path. Novell also pulls out its "override clause" from the asset purchase agreement:

Accordingly, pursuant to Section 4.16(b) of the Asset Purchase Agreement, Novell hereby directs SCO to waive any purported right SCO may claim to require Sequent (or IBM as its successor) to treat Sequent Code as subject to the confidentiality obligations or use restrictions of Sequent's SVRX license.

Novell directs SCO to take these actions by noon, MDT, February 11, 2004, and to notify Novell that it has done so by that time.

That deadline has passed as of this writing. One assumes that SCO did not comply.

Novell has also filed a motion to dismiss SCO's "slander of title" suit against it, and another motion to move the case (in case it is not dismissed) to federal court.

For those who are curious about the Red Hat (Delaware) case: it remains on hold until the judge gets around to ruling on SCO's motion to dismiss the suit. The wheels of American justice never move particularly quickly, but Delaware seems to be especially slow.

The Open Source Development Labs has published another paper on SCO by Eben Moglen; it is available in PDF format. This one is about the Novell suit:

Even if one is unsympathetic to SCO, one can't help but feel sorry for the quandary its lawyers faced in deciding whether to sue Novell. Had they not done so, their client's ultimate fate would have been sealed. But suing Novell destroys SCO's licensing campaign for the present just as fully.

Finally, Don Marti has noted that the Canopy Group has removed all mention of SCO from its web site and appears to be generally backing away from SCO. Perhaps Canopy, too, sees the end of the game on the horizon.


OSDL Looks at Linux for the Data Center

February 12, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The Open Source Development Labs (OSDL) released its second capabilities document for Linux last week, and is asking for input. The Data Center Linux (DCL) Technical Capabilities 1.0 document is about 119 pages long (available in PDF) and defines and rates the capabilities needed for Linux in the data center. The DCL Technical Capabilities document is, to say the least, comprehensive.

This document has been quite some time in the making. The DCL working group was announced by OSDL in August, 2002. The document contains evaluations for hundreds of Linux features in eight categories: scalability, performance, RAS (Reliability, Availability, Serviceability), manageability, clusters, standards, security and usability. The evaluations are ranked by maturity level, ranging from "investigation" for projects in the concept phase, to "completed" for features or projects that are available and fully adequate for customer needs. It provides quite a comprehensive picture of the state of Linux for use in the data center, and a roadmap of where it needs to go.

We spoke with OSDL CEO Stuart Cohen and OSDL strategic marketing manager Lynn de la Torre about the capabilities document, how it was put together, and what OSDL plans to accomplish with it. According to de la Torre, the DCL Technical Capabilities document is designed to help OSDL and its members "solidify our priorities" with regard to Linux usage in the data center, and to get feedback on the priorities listed. She noted that OSDL was interested in hearing from the community at large on the priorities as laid out in the document.

We asked de la Torre how OSDL would try to see that the features outlined in the DCL Technical Capabilities document would be implemented, since OSDL doesn't have the resources to do all of the work itself. She said that it would be up to OSDL members and the community to work on the features needed for data center Linux.

What we're doing is trying to leverage our membership as much as possible. Our membership is growing and we are trying to really drive it from the point of view of the member companies. If we can all get on the same page, if you will, that's probably the best way we've come up with so far to do that.

De la Torre also acknowledged that the scope of this project was much broader than that of the Carrier Grade Linux project:

Part of why we have to do a capabilities [document], in the first place and why we think the first step is prioritization, is exactly for that reason, which is that the data center is almost what I call 'boiling the ocean,' it's so broad yet we've gone so deep in our analysis. 350 items is a pretty large thing to look at, so obviously no technical project can address something that big so that's why we especially feel that prioritization is key to go forward.

She noted that OSDL is now looking for public feedback on its priorities for DCL. Anyone interested in participating in the working group can find the details here. She also said that the work done so far by OSDL's members indicates that Linux is ready for the data center, though more mature in some areas than others.

On edge and infrastructure, it's very mature. In database it's emerging and in some areas it's almost completely there...the overall message is that it's ready for the data center, especially if you look at 2.6 and some of the functionality in 2.6.

Since the DCL working group is following a similar path to the Carrier Grade Linux working group, we asked Cohen how successful the CGL project has been:

I think it's been very successful. If you just look at the number of RFCs around the world that telecommunications equipment manufacturers or carriers have been issuing related to carrier grade initiatives, it's been extensive. That work is really an outgrowth of work done by Nokia, Alcatel, Ericsson, Cisco, MontaVista, so... a number of industry players have been involved in that definition. That is the biggest reason that NTT joined, and we have many carriers and other telecommunications equipment manufacturers interested in participating because they want to take a leadership position in putting together those requirements and registrations and specifications going forward.

We also asked Cohen how OSDL's legal fund was progressing, and what happens to the money in the event that SCO doesn't sue anyone. Cohen said that OSDL has raised over $3 million so far with a goal of $10 million. If the money isn't used for legal fees, Cohen said that it will probably be kept in place until the board sub-committee in charge of the fund decides the "best use" for the fund.

For those more interested in Linux on the desktop, OSDL has also announced a working group for the Linux desktop. This is in the early stages of development, and Cohen says that anyone is welcome to join, once the project has been officially launched. Cohen said that OSDL would be having the kick-off meeting for the desktop group next week. Like the CGL and DCL working groups, participation should be open to anyone through the mailing lists.


Page editor: Jonathan Corbet

Security

Brief items

One thing we truly do better

This EEYE alert describes what looks like a fairly run-of-the-mill Microsoft vulnerability. It is a buffer overflow in the ASN.1 library; the list of software affected includes a few small things like NT 4.0, Windows 2000, Windows XP, Internet Explorer, Outlook, IIS, etc. It is said to be difficult to exploit, but that is not a statement that will bring comfort to many.

The interesting thing is that EEYE claims to have reported this vulnerability to Microsoft in July, 2003. Microsoft has only now responded with a fix. In other words, the company left its customers open to a known security bug for a good six months.

Free software suffers from far too many security vulnerabilities as well. Some of them are truly serious. Many of them are embarrassing. But it is rare indeed for a hole to remain unclosed for such a long time. Free software developers will, almost without exception, respond to problems much more quickly than that. They know that, should they fail to respond, the community will simply fix the problem for them. We have a lot of ground to cover before our security is even remotely good enough, but that should not stop us from taking some pride in the things we do right.


New vulnerabilities

gallery: code injection

Package(s): gallery
CVE #(s):
Created: February 12, 2004
Updated: February 12, 2004
Description: Gallery (through versions 1.4.1) suffers from a PHP code injection vulnerability which can provide a remote attacker with access to the web server process.
Alerts:
Gentoo 200402-04 2004-02-11


libtool - Insecure handling of temporary files

Package(s): libtool
CVE #(s):
Created: February 5, 2004
Updated: March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
OpenPKG OpenPKG-SA-2004.004 2004-03-08
Conectiva CLA-2004:811 2004-02-05


mailman denial of service

Package(s): mailman
CVE #(s): CAN-2003-0991
Created: February 9, 2004
Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09


mailman: cross-site scripting vulnerabilities

Package(s): mailman
CVE #(s): CAN-2003-0965 CAN-2003-0992
Created: February 6, 2004
Updated: March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.

Alerts:
Fedora FEDORA-2004-060 2004-03-04
Debian DSA-436-2 2004-02-21
Debian DSA-436-1 2004-02-08
Red Hat RHSA-2004:020-01 2004-02-05


monkeyd: denial of service

Package(s): monkeyd
CVE #(s):
Created: February 12, 2004
Updated: February 12, 2004
Description: The monkeyd HTTP server suffers from a parsing bug which can be exploited to crash the server process. Upgrading to version 0.8.2 fixes the problem.
Alerts:
Gentoo 200402-03 2004-02-11


mutt: buffer overflow

Package(s): mutt
CVE #(s): CAN-2004-0078
Created: February 12, 2004
Updated: March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
SCO Group CSSA-2004-013.0 2004-03-25
OpenPKG OpenPKG-SA-2004.005 2004-03-09
Netwosix NW-2004-0001 2004-02-16
Trustix 2004-0006 2004-02-13
Whitebox WBSA-2004:050-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Red Hat RHSA-2004:051-01 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Fedora FEDORA-2004-061 2004-02-11


PHP setting leaks from .htaccess files on virtual hosts

Package(s): php
CVE #(s):
Created: February 9, 2004
Updated: February 12, 2004
Description: If the server configuration "php.ini" file has "register_globals = on" and a request is made to one virtual host (which has "php_admin_flag register_globals off") and the next request is sent to another virtual host (which does not have the setting) through the same Apache child, the setting will persist.

Depending on the server and site, an attacker may be able to exploit global variables to gain access to reserved areas, such as MySQL passwords, or this vulnerability may simply cause a lack of functionality. As a result, users are urged to upgrade their PHP installations.

Alerts:
Gentoo 200402-01 2004-02-07


XFree86: buffer overflow

Package(s): XFree86
CVE #(s): CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
Created: February 12, 2004
Updated: February 23, 2004
Description: The XFree86 code which reads "fonts.alias" files suffers from a buffer overflow which may be turned into a local root exploit; see this advisory for details.
Alerts:
SuSE SuSE-SA:2004:006 2004-02-23
Debian DSA-443-1 2004-02-19
Conectiva CLA-2004:821 2004-02-20
Whitebox WBSA-2004:061-01 2004-02-17
Red Hat RHSA-2004:061-01 2004-02-13
Fedora FEDORA-2004-069 2004-02-13
Mandrake MDKSA-2004:012 2004-02-14
Red Hat RHSA-2004:060-01 2004-02-13
Red Hat RHSA-2004:059-01 2004-02-13
Immunix IMNX-2004-73-002-01 2004-02-12
Slackware SSA:2004-043-02 2004-02-12
Gentoo 200402-02 2004-02-11


Updated vulnerabilities

apache: buffer overflows in mod_alias, mod_rewrite

Package(s): apache
CVE #(s): CAN-2003-0542 CAN-2003-0789
Created: October 28, 2003
Updated: February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). (CAN-2003-0542)

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. (CAN-2003-0789)

Alerts:
Whitebox WBSA-2004:015-01 2004-02-12
Fedora FEDORA-2003-004 2004-01-08
Red Hat RHSA-2003:405-00 2003-12-18
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:360-01 2003-12-10
Gentoo 200310-03 2003-10-28
Trustix 2003-0041 2003-11-15
Conectiva CLA-2003:775 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Mandrake MDKSA-2003:103 2003-11-03
Gentoo 200310-04 2003-10-31
Immunix IMNX-2003-7+-025-01 2003-10-28
OpenPKG OpenPKG-SA-2003.046 2003-10-28


apache2: Denial of Service vulnerability

Package(s): apache2
CVE #(s):
Created: September 29, 2003
Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26


bind: cache poisoning

Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited, causing a temporary denial of service until the bad record expires from the cache.
Alerts:
SCO Group CSSA-2004-003.0 2004-02-19
Debian DSA-409-1 2004-01-05
SuSE SuSE-SA:2003:047 2003-11-28
Trustix 2003-0044 2003-11-27
Immunix IMNX-2003-7+-024-01 2003-10-27
EnGarde ESA-20031126-031 2003-11-26


crawl: buffer overflow

Package(s): crawl
CVE #(s): CAN-2004-0103
Created: February 3, 2004
Updated: February 4, 2004
Description: Steve Kemp from the GNU/Linux audit project discovered a problem in crawl, another console based dungeon exploration game, in the vein of nethack and rogue. The program uses several environment variables as inputs but doesn't apply a size check before copying one of them into a fixed size buffer.
Alerts:
Debian DSA-432-1 2004-02-03


CUPS: denial of service

Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03


cvs: possible root compromise

Package(s): cvs
CVE #(s): CAN-2003-0977
Created: December 29, 2003
Updated: February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Whitebox WBSA-2004:004-01 2004-02-12
Fedora-Legacy FLSA:1207 2004-01-28
Conectiva CLA-2004:808 2004-01-20
Debian DSA-422-1 2004-01-13
Red Hat RHSA-2004:003-01 2004-01-09
Gentoo 200312-08 2003-12-28


ethereal: protocol dissector and other vulnerabilities

Package(s): ethereal
CVE #(s): CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created: December 19, 2003
Updated: February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Whitebox WBSA-2004:002-01 2004-02-12
Fedora-Legacy FLSA:1193 2004-01-31
Red Hat RHSA-2004:002-01 2004-01-05
Mandrake MDKSA-2004:002 2004-01-13
Conectiva CLA-2004:801 2004-01-07
Red Hat RHSA-2004:001-01 2004-01-07
Debian DSA-407-1 2004-01-05
Fedora FEDORA-2003-040 2003-12-18


Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


fetchmail may crash on specially crafted message

Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 17, 2003
Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16


fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

Comments (none posted)

gaim: remote overflows

Package(s):gaim CVE #(s):CAN-2004-0006 CAN-2004-0007 CAN-2004-0008
Created:January 26, 2004 Updated:February 17, 2004
Description: Stefan Esser has discovered several vulnerabilities in Gaim 0.75. This advisory has details of 12 separate vulnerabilities.
Alerts:
Fedora FEDORA-2004-070 2004-02-16
Whitebox WBSA-2004:033-01 2004-02-12
Conectiva CLA-2004:813 2004-02-10
Red Hat RHSA-2004:045-01 2004-02-09
Debian DSA-434-1 2004-02-05
Mandrake MDKSA-2004:006-1 2004-01-30
SuSE SuSE-SA:2004:004 2004-01-29
Gentoo 200401-04 2004-01-27
Mandrake MDKSA-2004:006 2004-01-26
Slackware SSA:2004-026-01 2004-01-26
Red Hat RHSA-2004:033-01 2004-01-23
Red Hat RHSA-2004:032-01 2004-01-23

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)
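The length confusion described in the glibc entry above can be shown with a small response walker. This is an added illustration, not code from glibc, BIND or LWN; the function names, the 512-byte buffer and the sample reply are constructed for the example. The same truncated reply is parsed once with the received length as the bound and once with the buffer capacity.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 512   /* capacity of the receive buffer (assumed for the demo) */

/* Constructed sample: a complete 41-byte reply for "example" with one A record. */
static const uint8_t earlier_reply[41] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, /* header   */
    0x07,'e','x','a','m','p','l','e',0x00, 0x00,0x01, 0x00,0x01,      /* question */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3C, 0x00,0x04,  /* RR fixed */
    0xC0,0x00,0x02,0x01                                               /* RDATA    */
};

/* Skip one encoded name at off; return the offset after it, or -1 if the
 * name would run past end. */
static long skip_name(const uint8_t *msg, size_t end, size_t off)
{
    while (off < end) {
        uint8_t len = msg[off];
        if (len == 0)
            return (long)(off + 1);
        if ((len & 0xC0) == 0xC0)          /* compression pointer: two bytes */
            return (off + 2 <= end) ? (long)(off + 2) : -1;
        if (len & 0xC0)                    /* reserved label types */
            return -1;
        off += 1 + (size_t)len;
    }
    return -1;                             /* no terminator before end */
}

/* Walk the question and answer sections, never reading at or beyond end.
 * Returns the number of answers, or -1 if the message is malformed. */
int count_answers(const uint8_t *msg, size_t end)
{
    if (end < 12)
        return -1;
    unsigned qd = ((unsigned)msg[4] << 8) | msg[5];
    unsigned an = ((unsigned)msg[6] << 8) | msg[7];
    size_t off = 12;

    for (unsigned i = 0; i < qd; i++) {
        long n = skip_name(msg, end, off);
        if (n < 0 || (size_t)n + 4 > end)          /* QTYPE + QCLASS */
            return -1;
        off = (size_t)n + 4;
    }
    for (unsigned i = 0; i < an; i++) {
        long n = skip_name(msg, end, off);
        if (n < 0 || (size_t)n + 10 > end)         /* TYPE, CLASS, TTL, RDLENGTH */
            return -1;
        size_t rdlen = ((size_t)msg[n + 8] << 8) | msg[n + 9];
        off = (size_t)n + 10;
        if (rdlen > end - off)
            return -1;
        off += rdlen;
    }
    return (int)an;
}

/* A reply whose header claims one answer arrives cut off after the question
 * (25 bytes). The buffer still holds the tail of the earlier reply. */
int parse_truncated_reply(int use_actual_length)
{
    uint8_t buf[BUF_MAX];
    size_t received = 25;

    memset(buf, 0, sizeof buf);
    memcpy(buf, earlier_reply, sizeof earlier_reply);  /* stale earlier reply */
    buf[0] = 0x56; buf[1] = 0x78;                      /* new reply, new ID   */

    /* Wrong bound: sizeof buf. Right bound: bytes actually received. */
    return count_answers(buf, use_actual_length ? received : sizeof buf);
}

int main(void)
{
    printf("bound = buffer size : %d\n", parse_truncated_reply(0));
    printf("bound = received len: %d\n", parse_truncated_reply(1));
    return 0;
}
```

With the buffer capacity as the bound, the walker accepts an "answer" made of bytes that were never part of the reply; with the received length it rejects the message.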

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

kernel: privilege vulnerability on AMD64

Package(s):kernel CVE #(s):CAN-2004-0001
Created:January 16, 2004 Updated:February 17, 2004
Description: On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue.
Alerts:
Gentoo 200402-06 2004-02-17
Red Hat RHSA-2004:017-01 2004-01-13

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory, versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Whitebox WBSA-2003:404-01 2003-12-17
Conectiva CLA-2004:800 2004-01-06
Debian DSA-406-1 2004-01-05
Gentoo 200312-07 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Red Hat RHSA-2003:404-01 2003-12-16
Red Hat RHSA-2003:403-01 2003-12-16
Mandrake MDKSA-2003:116 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
SuSE SuSE-SA:2003:051 2003-12-15
Immunix IMNX-2003-73-002-01 2003-12-09
Slackware SSA:2003-346-01 2003-12-12

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
OpenPKG OpenPKG-SA-2004.009 2004-04-05
Gentoo 200403-09 2004-03-29
Conectiva CLA-2004:833 2004-03-31
SCO Group CSSA-2004-014.0 2004-03-25
Whitebox WBSA-2004:035-01 2004-02-12
Fedora FEDORA-2004-058 2004-02-09
Red Hat RHSA-2004:035-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:034-01 2004-01-19
Debian DSA-424-1 2004-01-16

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
SCO Group CSSA-2004-002.0 2004-02-19
Debian DSA-435-1 2004-02-06
Conectiva CLA-2003:781 2003-11-12

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Whitebox WBSA-2004:023-01 2004-02-12
Red Hat RHSA-2004:023-01 2004-01-15
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2003:335-01 2003-12-02

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory, a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake MDKSA-2003:113 2003-12-08
OpenPKG OpenPKG-SA-2003.050 2003-11-28

Comments (none posted)

slocate: buffer overflow

Package(s):slocate CVE #(s):CAN-2003-0848
Created:January 20, 2004 Updated:February 16, 2004
Description: A vulnerability was discovered in slocate, a program to index and search for files, whereby a specially crafted database could overflow a heap-based buffer. This vulnerability could be exploited by a local attacker to gain the privileges of the "slocate" group, which can access the global database containing a list of pathnames of all files on the system, including those which should only be visible to privileged users. This problem, and a category of potential similar problems, can be fixed by modifying slocate to drop privileges before reading a user-supplied database.
Alerts:
Fedora-Legacy FLSA:1232 2004-02-11
Whitebox WBSA-2004:041-01 2004-02-12
SCO Group CSSA-2004-001.0 2004-02-10
Fedora FEDORA-2004-059 2004-01-26
Red Hat RHSA-2004:041-01 2004-01-22
Mandrake MDKSA-2004:004 2004-01-23
Trustix 2004-0005 2004-01-21
Debian DSA-428-1 2004-01-20

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)
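The filtering problem in the tar and unzip entry above comes down to checking every path component of a member name, not just its prefix. The following is an added example, not GNU tar or unzip code: `prefix_only_filter` is a hypothetical incomplete filter, `member_name_is_safe` is a strict component-wise check, and the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical incomplete filter: only looks at how the name starts.
 * It misses ".." components that appear later in the name. */
bool prefix_only_filter(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    return name[0] != '/' && strncmp(name, "../", 3) != 0;
}

/* Strict check: refuse absolute names and any name with a ".." component
 * anywhere in it. Components are compared whole, so "notes..txt" and
 * "..hidden" remain acceptable. Symbolic links stored in the archive are a
 * separate problem and are not covered here. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')
        return false;

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");      /* length of the next component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
        while (*p == '/')                  /* skip one or more separators */
            p++;
    }
    return true;
}

/* Count the names in a listing that the strict check would refuse. */
size_t count_refused(const char *const names[], size_t n)
{
    size_t refused = 0;
    for (size_t i = 0; i < n; i++)
        if (!member_name_is_safe(names[i]))
            refused++;
    return refused;
}

/* Constructed member names, as an archive listing might present them. */
static const char *const sample_names[] = {
    "docs/readme.txt",
    "../../etc/passwd",
    "/etc/passwd",
    "src/a/../../../home/user/.profile",
    "notes..txt",
    "..hidden/file",
};

int main(void)
{
    size_t n = sizeof sample_names / sizeof sample_names[0];
    for (size_t i = 0; i < n; i++)
        printf("%-40s prefix-only:%d  component-wise:%d\n", sample_names[i],
               prefix_only_filter(sample_names[i]),
               member_name_is_safe(sample_names[i]));
    printf("refused: %zu of %zu\n", count_refused(sample_names, n), n);
    return 0;
}
```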

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created:January 15, 2004 Updated:April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

util-linux: information leak in the login program

Package(s):util-linux CVE #(s):CAN-2004-0080
Created:February 3, 2004 Updated:April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06 2004-04-07
Fedora-Legacy FLSA:1256 2004-03-04
Whitebox WBSA-2004:056-01 2004-02-12
Red Hat RHSA-2004:056-01 2004-02-02

Comments (1 posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.2. The most recent 2.6.3 prepatch is 2.6.3-rc2, which was released on February 9. This prepatch is large, with many changes merged; the big ones include more network driver cleanup work, a USB update (including the removal of the USB scanner code), the new DMA pool abstraction (covered in last week's LWN Kernel Page), an ACPI update, an NFS update, and more. See the long-format changelog for the details.

The removal of the USB scanner code has concerned some readers. It was removed because it is broken and unmaintained, and because the accepted way of driving USB scanners in 2.6 is via the user-space libusb library.

2.6.3-rc1 was released on February 6. This one contained a lot of network driver cleanups, a number of gcc-3.5 fixes, various architecture updates, a big ALSA update, and more; once again, the long-format changelog has the details.

Linus's BitKeeper tree contains some architecture updates, a filesystem scalability improvement, some CPU frequency control updates, and a few other fixes.

The current tree from Andrew Morton, as of this writing, is 2.6.3-rc1-mm1. Recent additions include a lot of fixes, some performance improvements, but little in the way of new features.

The current 2.4 kernel is 2.4.24; the first 2.4.25 release candidate was announced on February 5.

The current stone-age kernel is 2.0.40, which was released by David Weinehall on February 8. It contains some security fixes, so if you have any systems still running 2.0 you may want to consider upgrading.

Comments (1 posted)

Kernel development news

Bringing kgdb into 2.6

The kernel development community has long been divided over the topic of interactive debuggers. Many hackers find debuggers to be an indispensable part of their development toolkits. Others claim that debuggers lead people to fix symptoms rather than problems; rather than use such a crutch, these people say, it is better to truly understand the code. Once you have "become one" with the code, finding bugs is not that hard.

The latter view is held by Linus Torvalds, who explained his approach in very clear terms back in 2000:

You can use a kernel debugger if you want to, and I won't give you the cold shoulder because you have "sullied" yourself. But I'm not going to help you use one, and I would frankly prefer people not to use kernel debuggers that much. So I don't make it part of the standard distribution, and if the existing debuggers aren't very well known I won't shed a tear over it.

The end result is that there has never been support for interactive debuggers in the mainline kernel - at least, for the more popular architectures.

The 2.6 kernel is now Andrew Morton's turf, however, and Andrew is more open to the value of debugging tools. In fact, he has carried a version of the kgdb patch in his -mm tree for a long time. Might Andrew merge kgdb into the 2.6 kernel at some point?

The answer from Andrew seems to be "maybe":

I wouldn't support inclusion of i386 kgdb until it has had a lot of cleanup, possible de-featuritisification and some thought has been applied to splitting it into arch and generic bits. It's quite a lot of work.

In other words, there is no disagreement with the idea of merging kgdb, but the code needs some work first. Problems include a large number of #ifdefs, and the fact that the patch is relatively intrusive, touching many files. There are also objections to how the debugger works with the virtual memory subsystem, especially for the i386 architecture. All of these problems are probably solvable, given enough development time. The interest in a mainline kgdb is probably high enough that the cleanup work will happen, and kgdb may well be merged; a kgdb CVS repository has been established for those interested in this effort. An eventual merge into 2.6 seems unlikely to carry forward into 2.7, however.

Comments (none posted)

How likely should likely() be?

Newcomers to the kernel code base are often surprised by the appearance of (what seems to be) a bunch of calls to functions called likely() and unlikely(). These calls always appear in conditional tests, along these lines:

    if (likely(some_condition)) {
        /* Do something */
    }

In fact, likely() and unlikely() are not function calls at all; instead, they are hints to the compiler. If the compiler knows that one outcome is far more likely than the other, it can optimize the code it generates accordingly. On some architectures, this information can also be encoded into the object code, where it will override the branch prediction normally done by the processor.

David Woodhouse noted that the differing interpretation of these directives by different architectures makes it hard to know when likely() and unlikely() should be used. If the result of one of those directives is just a bit of code optimization, they should be used liberally whenever the programmer knows that one outcome will happen more often than the other. On some architectures, however, the cost of guessing wrong is fairly high, and these directives should only be used where the odds are overwhelmingly in favor of one outcome.

David's proposal is to replace likely() and unlikely() with a new probable() macro:

    probable(condition, percent)

Where "percent" is the programmer's estimation of how often the condition will evaluate true. Each architecture could then decide what to tell the compiler based on the given percentage.

Rusty Russell has a more straightforward answer, saying that these directives should be rarely used.

Sometimes, unlikely()/likely() help code readability. But generally it should be considered the register keyword of the 2000's: if the case isn't ABSOLUTELY CRYSTAL CLEAR, or doesn't show up on benchmarks, disdain is appropriate.

The "disdain" approach seems more likely to be adopted than a new macro. There will be very few code paths where these directives will make a measurable difference. And the fact is that programmers often guess wrong about which code paths will be taken how often.

David would also like to add a probability to the get_unaligned() macro, which is used to access data which might not have the alignment required by the processor. Some architectures can handle any alignment; on those, get_unaligned() expands to a direct pointer dereference. Others require that unaligned access be done via multiple, smaller fetches or stores. Of those, some architectures can fix up an unaligned access attempt in an exception handler, and others cannot. For architectures which can fix unaligned accesses, it might be faster to take an occasional exception if the probability of an unaligned access is small. Adding a probability to the get_unaligned() macro (and put_unaligned() as well) would allow each architecture to optimize those accesses. Whether the resulting performance improvement would justify the effort remains to be seen.
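The following user-space sketch is an added example, not kernel code and not David's patch. It shows one way a probable() macro could map a percentage onto the compiler hints behind likely()/unlikely(), and how a get_unaligned() variant could take such a probability. ARCH_HINT_THRESHOLD, get_unaligned_u32() and the load counters are assumptions made for illustration, and a runtime alignment test stands in for the exception handler an architecture would really use.

```c
/* User-space sketch; requires GCC or Clang for __builtin_expect. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The usual GCC-based definitions of the two existing hints. */
#define likely(x)   __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Assumption: each architecture picks the confidence level at which a
 * hint is worth emitting. An architecture where a wrong guess is
 * expensive would set this close to 100. */
#ifndef ARCH_HINT_THRESHOLD
#define ARCH_HINT_THRESHOLD 95
#endif

/* probable(cond, percent): percent is the programmer's estimate of how
 * often cond is true. Only overwhelming odds become a compiler hint;
 * anything in between is left to the hardware branch predictor. The
 * truth value of cond is never changed, and cond is evaluated once. */
#define probable(cond, percent)                                   \
    ((percent) >= ARCH_HINT_THRESHOLD       ? likely(cond)   :    \
     (percent) <= 100 - ARCH_HINT_THRESHOLD ? unlikely(cond) :    \
                                              !!(cond))

/* may_alias lets the aligned fast path read a byte buffer legally. */
typedef uint32_t __attribute__((may_alias)) u32_alias;

/* Counters so a caller can see which path each load took. */
static unsigned long fast_loads, slow_loads;

/* Hypothetical get_unaligned() taking the chance (in percent) that the
 * pointer is misaligned. An aligned pointer is dereferenced directly;
 * a misaligned one is copied out piecewise, which is what the "multiple
 * smaller fetches" strategy amounts to. */
static inline uint32_t get_unaligned_u32(const void *p, int pct_unaligned)
{
    uint32_t v;

    if (probable(((uintptr_t)p % sizeof(uint32_t)) == 0,
                 100 - pct_unaligned)) {
        fast_loads++;
        return *(const u32_alias *)p;
    }
    slow_loads++;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed test data: store one value at offsets 0..3 of an aligned
 * buffer and read it back. Returns the number of fast-path loads, or -1
 * if any load returned the wrong value. */
int check_all_offsets(void)
{
    uint32_t storage[4];                    /* guarantees 4-byte alignment */
    unsigned char *buf = (unsigned char *)storage;
    const uint32_t want = 0xA1B2C3D4u;
    size_t off;

    fast_loads = slow_loads = 0;
    for (off = 0; off < 4; off++) {
        memset(storage, 0, sizeof storage);
        memcpy(buf + off, &want, sizeof want);
        if (get_unaligned_u32(buf + off, 5) != want)
            return -1;
    }
    return (int)fast_loads;                 /* only offset 0 is aligned */
}

int main(void)
{
    return check_all_offsets() == 1 ? 0 : 1;
}
```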

Comments (2 posted)

A warning for BSD pseudo terminal users

H. Peter Anvin wants to know if anybody is still using the old BSD pseudo terminal ("pty") interface. These devices show up on most systems as /dev/ptyXX; they were once used for applications like network logins. Most applications on most Linux systems have not used BSD ptys for some years now; instead, the newer /dev/pts devices are used.

Peter is asking because he has plans for the pseudo terminal subsystem; he'd like to clean it up, make it more dynamic, and make use of the larger device numbers available in 2.6. The need to maintain compatibility with the BSD interface is, it seems, interfering with that work. So Peter would like to remove the BSD pty interface if possible.

There have been a few complaints. The bootlogd utility used by some distributions apparently uses BSD terminals in some cases. Truly old systems may still use the old interface for network logins or terminal emulator windows; this is not functionality that one breaks lightly. Peter may yet find a way to maintain BSD pty support while making his other changes. Even so, the BSD pty interface may be headed toward the end of its life sometime in the 2.7 development series.

Comments (5 posted)

Safe sysfs support

It has long been intended that the sysfs virtual filesystem would contain information about all of the hardware (and more) installed on a given system. Implementation of this intention has lagged in places, however, and there are still parts of the system which lack sysfs support. One of those areas is the frame buffer device code. In an attempt to fill in that gap, James Simmons recently posted a patch adding sysfs support for frame buffer devices; this patch was merged into 2.6.3-rc1.

There is only one problem with this patch: it can oops the kernel when frame buffer driver modules are unloaded. The problem is the same one which has afflicted other subsystem sysfs implementations: lifecycle rules. Once a data structure has been exposed via sysfs, user space can hold references to that structure indefinitely. Open sysfs files can persist long after the underlying device has been removed from the system, and long after the relevant module has been unloaded. If the behavior of sysfs-exposed data structures has not been carefully laid out, the kernel can be left holding references to structures or code which no longer exist.

This sort of problem hit the networking subsystem hard. Once net_device structures were exposed via sysfs, it was no longer possible to allow individual network drivers to control what the lifecycle of those structures is. As a result, it is now necessary to allocate all net_device structures dynamically, and to let the networking subsystem decide when and how to free those structures. The networking code is also very careful not to access any module code after a net_device has been shut down. The end result is that net_device structures can persist in the system long after the module which created them has been removed. It all works, but the cost was a lengthy cleanup operation which has only now reached something close to completion.

The frame buffer patches attempted to do things right from the beginning by making the fb_info structure into a dynamic object. A support function exists to allocate the structure, and it is automatically freed when the last reference is removed. The only problem is that the frame buffer drivers do not use this interface; they allocate and destroy fb_info structures on their own. As a result, in the 2.6.3-rc1 (and -rc2) kernel, fb_info structures can be freed twice (or statically allocated structures can be freed once). That sort of error tends to create displays on the frame buffer that the user does not want to see.

Fixing this problem requires updating every frame buffer driver to use dynamically-allocated fb_info structures. James has stated his intent to make this change. In the meantime, the "stable" kernel release candidate has a known problem which will require a wide-ranging set of changes to fix. Al Viro, a master of this sort of transition, has grumbled that these changes should have been done in the opposite order, so as to avoid breaking things. Others have complained that this sort of change is too big for a stable kernel series and should have waited for 2.7.

Yet another approach, however, would be to use the "class_simple" interface, which was merged in 2.6.2-rc1. This interface makes it easy to retrofit a /sys/class interface into existing drivers without having to deal with some of the more complex lifecycle issues. The interface is straightforward; one starts by creating a class:

    struct class_simple *class_simple_create(struct module *owner,
                                             char *name);

The owner argument should almost always be passed as THIS_MODULE; the name will show up under /sys/class. The resulting class can be removed at some later time with:

    void class_simple_destroy(struct class_simple *class);

Entries for individual devices can be added with:

    struct class_device *class_simple_device_add(struct class_simple *class,
                                                 dev_t dev,
                                                 struct device *device,
                                                 const char *fmt, ...);

Here, class is the class which was created above, dev is the device number for the device, device is a struct device structure for this device (it can be NULL), and the rest is a printk()-style format string to create the name for the entry. The result (on success) is a sysfs directory with exactly one attribute: a file called dev which contains the device number. That is adequate for a tool like udev to create corresponding device nodes.

The entry can be removed, of course:

    void class_simple_device_remove(dev_t dev);

The whole thing works without maintaining references into the calling driver, so most of the lifetime rule issues are avoided. More recent changes to the class_simple interface include (in 2.6.3-rc) hotplug support.
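The lifecycle rule described above for net_device and fb_info can be seen in a small user-space model. This is an added example, not kernel code: every *_model name is hypothetical, and a plain counter stands in for the kernel's reference counting. An open attribute file pins the object, the driver only drops its own reference, and the core frees the memory exactly once.

```c
/* User-space model of the sysfs lifetime rule; not kernel code.
 * All *_model names are hypothetical stand-ins. */
#include <errno.h>
#include <stdlib.h>

struct kobj_model {
    int refcount;
    void (*release)(struct kobj_model *);
};

struct fb_info_model {
    struct kobj_model kobj;   /* must stay first: release() casts back */
    int registered;           /* cleared when the driver goes away */
    int xres;                 /* sample attribute exposed to readers */
};

static int release_calls;     /* counts how often the object was freed */

static void kobj_get(struct kobj_model *k) { k->refcount++; }

static void kobj_put(struct kobj_model *k)
{
    if (--k->refcount == 0)
        k->release(k);        /* last reference: the core frees, once */
}

static void fb_release(struct kobj_model *k)
{
    release_calls++;
    free((struct fb_info_model *)k);
}

/* Core-owned allocation: the caller receives the initial reference. */
static struct fb_info_model *fb_alloc_model(int xres)
{
    struct fb_info_model *info = calloc(1, sizeof(*info));

    if (!info)
        return NULL;
    info->kobj.refcount = 1;
    info->kobj.release = fb_release;
    info->registered = 1;
    info->xres = xres;
    return info;
}

/* Driver removal: mark the device gone and drop the driver's reference.
 * The pattern the article describes would instead call free(info) here
 * (or hand in a static structure), so the later kobj_put() from a
 * still-open file would free the same memory a second time. */
static void fb_unregister_model(struct fb_info_model *info)
{
    info->registered = 0;
    kobj_put(&info->kobj);
}

/* "sysfs" side: an open attribute file holds its own reference. */
struct attr_file_model { struct fb_info_model *info; };

static void attr_open(struct attr_file_model *f, struct fb_info_model *info)
{
    kobj_get(&info->kobj);
    f->info = info;
}

static int attr_read_xres(const struct attr_file_model *f)
{
    if (!f->info->registered)
        return -ENODEV;       /* memory is still valid, device is gone */
    return f->info->xres;
}

static void attr_close(struct attr_file_model *f)
{
    kobj_put(&f->info->kobj);
    f->info = NULL;
}

/* Scenario: file opened, driver unloaded, file read, file closed.
 * Returns 0 if every step behaved as the lifetime rule requires. */
int lifetime_scenario(void)
{
    struct attr_file_model f;
    struct fb_info_model *info = fb_alloc_model(1024);

    if (!info)
        return -ENOMEM;
    release_calls = 0;
    attr_open(&f, info);
    if (attr_read_xres(&f) != 1024)
        return 1;
    fb_unregister_model(info);              /* "module unload" */
    if (release_calls != 0)
        return 2;                           /* must survive: file is open */
    if (attr_read_xres(&f) != -ENODEV)
        return 3;
    attr_close(&f);                         /* last reference dropped */
    return release_calls == 1 ? 0 : 4;
}

int main(void)
{
    return lifetime_scenario();
}
```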

Comments (none posted)


Page editor: Jonathan Corbet

Distributions

News and Editorials

Slackware-based Live CDs: SLAX and STUX

February 11, 2004

This article was contributed by Ladislav Bodnar

As live CDs go, there is plenty to choose from, especially if you are a Debian user, and to a lesser extent, a Red Hat or Mandrake user. But what if your expertise lies in Slackware? Are there any Slackware-based live CDs to carry around and use in case of emergency? Well, the Slackware installation CD itself does serve as a bootable live CD, with basic rescue functions in runlevel 1, but that's not much fun. Instead, Slackware users could consider either SLAX or STUX as a full-featured live CD based on the original work of Patrick Volkerding's famous distribution.

SLAX-Live CD (formerly Slackware-Live and only recently renamed to SLAX, due to trademark issues over the name "Slackware") is the better known product of the two. It is developed by Tomas Matejicek in the Czech Republic. After perusing the project's web site and the final product, it becomes obvious that a lot of design effort has been expended to create an aesthetically pleasing distribution. Similarly, much thought has also gone into the selection of included applications, especially since the downloadable ISO image is less than 200MB in size. This makes SLAX useful as a multimedia distribution - on a computer with as little as 256MB of RAM, the entire CD content can be loaded into memory, freeing the CD- or DVD-ROM drive to play media disks with MPlayer (the libdvdcss library is included).

Choosing to copy SLAX into RAM is only one of the several available options at boot time. Others include loading the IDE CD-ROM drive with SCSI emulation enabled (for burning CDs), disabling probing for USB or other hotpluggable devices and passing of other hardware and screen related parameters to the kernel. The system then proceeds with a normal boot-up and hardware auto-detection routine. As a proper Slackware-based system, it boots into command line mode and waits for the user to log in. Once done, the user has a choice to run one of the two graphical user interfaces: command "gui" will start up a full KDE session (the latest version of SLAX comes with beta2 of KDE 3.2), while typing "guifast" will launch Fluxbox, suitable for machines with limited processing power.

Given the small size of the CD, the number of included applications is on the low side, although the most common KDE applications, as well as KOffice, are all present. Konqueror is the only available graphical web browser, while Kopete is the default instant messenger. You won't find OpenOffice.org, Mozilla, Emacs or Gimp on the CD. One of the more interesting aspects of SLAX is that the author provides instructions and a set of scripts to build a custom CD; these can be applied to any Linux distribution, not just Slackware. The project's web-based user forum is very active, making it the best place to seek help.

In contrast to SLAX, STUX GNU/Linux is a fairly new project, created by Giacomo Picconi in Italy. There are two live CDs on offer. The first one (called "STUX") is a full-featured 650MB CD with a complete KDE (including all of the internationalization files), GNOME, WindowMaker, OpenOffice and other major applications one would expect to find in a Linux distribution. The second product (called "DINO-STUX") is a small CD reduced to 255MB of data with KDE, KOffice, Mozilla, Samba and Xine, but not much else beyond the base system. Like SLAX, the STUX project also provides tools for building a custom bootable CD image from an existing Linux installation.

An interesting point of STUX is the availability of additional packages directly from the distribution's web site. These can be downloaded from within STUX, installed on a hard disk partition and executed from the main menu. The current list of packages is not very long yet, but it should be of interest to gamers as it includes the NVIDIA driver, WINE and a number of free games or playable game demos: Quake I - III, Unreal Tournament, Doom, and Return to Castle Wolfenstein. The list of available packages is updated frequently and the author welcomes suggestions for package inclusion.

While talking about Slackware-based live CDs, there are two other related projects worth mentioning. The first is LinuxNetwosix, a specialist live CD designed for system recovery, forensic analysis, penetration tests and other security-related tasks. Created by a 17-year-old Italian programmer, Vincenzo Ciaglia, LinuxNetwosix 1.0, with kernel 2.6.1, was released and provided for free download last month. The second project is a Slackware-based live USB, called RUNT (an acronym for ResNet USB Network Tester) and designed to run from a 128MB USB pen drive. Developed by the North Carolina State University, RUNT is a complete Slackware Linux on a USB, capable of autoconfiguring networks via DHCP. A boot floppy is required to load the USB kernel modules before loading the rest of the system from the USB pen drive.

To sum up: with its good looks, relative maturity and an active user community, SLAX is probably the most likely candidate for being that perfect Slackware-based live CD to carry around in a wallet. It even fits on one of those 80mm mini CDs.

Comments (2 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for February 10, 2004 is out. This week's topics include the project UTF-8; LILO support for device mapper; KDE support in UserLinux; GCC transition status; aging of "experimental" packages; XFree86 license problems; and more.

DebConf4 registration is open. This is the 5th annual Debian Conference, to be held in Porto Alegre, Brazil, May 26 to June 2, 2004.

Comments (2 posted)

EnGarde Secure Linux

Guardian Digital has announced a new release of EnGarde Secure Linux with an available 2.6 kernel and lots of other new features.

The Guardian Digital Newsletter for February 10, 2004 is out. This issue looks at some of Guardian Digital's small business solutions; the new EnGarde Secure Linux; the new Secure Mail Suite Reviewer's Guide; and more.

Comments (none posted)

Fedora Core

A new schedule has been posted for Fedora Core 2. The delayed "test 1" release is now planned for February 12.

Update notices for Fedora Core 1:

  • iptables version 1.2.9 is now available, with more documentation and other enhancements.
  • Updated gnome-libs fix some issues when building GNOME 1 apps on x86_64.
  • This pango update enables dual 32/64bit installs of the Pango libraries on x86_64.
  • The nss_ldap fails to perform schema mapping.
  • pam_krb5 does not honor ticket_lifetime setting in /etc/krb5.conf's [appdefaults] section.
  • Three bugs have been fixed in gdm.
  • A newer foomatic printer driver database is now available.
  • This ghostscript update includes an updated HP Inkjet driver (hpijs).
  • The gimp-print driver has been updated.

Comments (none posted)

Gentoo Weekly Newsletter - Volume 3, Issue 6

Here is the Gentoo Weekly Newsletter for the week of February 9, 2004. This week's edition has a call for a dialup developer, introduces a new gentoo-science mailing list and some international forums, and more.

Full Story (comments: none)

Slackware Linux

This week the slackware-current changelog has details about upgrades to many GNOME and KDE packages, as well as GIMP, ALSA and several other programs. Also QT 3.3 is in testing, as is Linux kernel 2.6.2.

Comments (none posted)

New Distributions

Rox OS

Rox OS is a Linux distribution which is being designed around bringing a simpler experience to home users. Initially Rox OS will build upon the idea of application directories (AppDirs), that allow for easy drag and drop installation of applications and system utilities, and a simplified file system hierarchy.

Comments (none posted)

Minor distribution updates

Buffalo Linux

Buffalo Linux has released v1.1.3 with major feature enhancements. "Changes: The changes in this version are directed towards sysadmins. It can now directly install RPM, deb, and Slackware tgz packages, and also supports bz2 and tar.gz on the fly. The kernel has been upgraded to 2.6.2. The 'newkernel' build feature has been ported to kernels 2.4.24 and 2.6.2. A new Buffalo ISO feature has been added for creating a specialized install CD incorporating both kernel and software package changes."

Comments (none posted)

Compact Flash Linux Project

Compact Flash Linux Project has released v0.1.3 with minor feature enhancements. "Changes: This release adds a PostgreSQL client. Some minor bugs have been fixed. Busybox 1.00-pre7 is used. Pppd with radius now accounts for traffic in 64 bits. The PCMCIA configuration method was wrong and has been fixed."

Comments (none posted)

KNOPPIX

KNOPPIX has released v20040209 with minor feature enhancements.

Comments (none posted)

Linux LiveCD

Linux LiveCD has released v1.9.0 with major feature enhancements. "Changes: The Webmin Web Manager and the Shorewall Firewall were added. Linux kernel 2.4.24 is now used. A driver for BeWAN PCI ADSL is included. The documentation in /opt/doc was updated."

Comments (none posted)

Quantian

Quantian v0.4.9.3 has been released, with lots of new packages.

Full Story (comments: none)

Recovery Is Possible!

RIP has released v7.1 and v7.2. "Changes: The kernel and some of the software have been updated. The program captive-ntfs has been added to enable read-write mounting of NTFS WinXP partitions. The UDF filesystem support in the kernel was updated, and LVM2 device-mapper support was added to the kernel. There are also a couple of software updates."

Comments (none posted)

slimlinux

slimlinux has released v0.6.0 with minor feature enhancements. "Changes: This release adds mutt 1.0 with IMAP instead of smtpclient and fetchpop. BusyBox is updated to 1.00-pre7 and retawq to version 0.2.2."

Comments (none posted)

ThinTUX

ThinTUX has released v0.11 with documentation now available in English.

Comments (none posted)

Distribution reviews

Linux gets small: LNX-BBC and DamnSmall Linux (Linux.com)

Linux.com looks at two small distributions, LNX-BBC and DamnSmall Linux. "These two BBCs are clearly meant for two different purposes. LNX-BBC is the power tool for experienced sysadmins involved in hardcore rescue operations, while DamnSmall is a reasonably friendly miniature general purpose system. If I had a system that required serious network diagnosis or intrusion analysis, I would choose LNX-BBC because of its superb toolkit. If I had a system that needed simple edits to files or just an alternate operating environment, I'd probably go with DamnSmall."

Comments (none posted)

Arch Linux: An End To My Distro Shuffle? (OSNews)

OSNews test drives Arch Linux. "Now here's the best part of running Arch Linux, the whole frigging thing just works! Installing XFCE automatically installed everything I needed for XFree86. Fonts are anti-aliased and sized well in both Mozilla and Sylpheed, two programs which typically look hideous in most other distributions I've tried. Getting my sound card working was as simple as installing the alsa-driver with pacman, adding the sound card driver to the list of drivers to load and adding a couple permission lines to another configuration file. Which leads me to another nice feature about Arch. Most configuration only has to be done in a handful of files which are well documented in the installation instructions. No hunting through mailing list archives to get your system up and running."

Comments (none posted)

Spawn of Debian faceoff: final chapter (Linux.com)

Linux.com concludes the "Spawn of Debian faceoff" series. "One thing is certain, Debian provides the DNA for some excellent Linux distributions. Mepis emerged as the final victor with a rating of 92. LindowsOS came in second, with an 88, barely nosing out Xandros who scored 87. LibraNet rounded out the field with an 80. Another thing for certain: just looking at the score doesn't begin to do justice to the distributions. They are all very good. In that spirit, I am going to make some special awards that go above and beyond the criteria used for comparison."

Comments (none posted)

Page editor: Rebecca Sobol

Development

MJPEG Tools for working with Video on Linux

MJPEG Tools is a set of tools for working with video under Linux.

The mjpeg programs are a set of tools that can do recording of videos and playback, simple cut-and-paste editing and the MPEG compression of audio and video under Linux. Recording is supported for the Zoran based cards like the Buz (Iomega), DC10 (MIRO, Pinnacle), Matrox Marvel cards and the LML33 (Linux Media Labs).

Some of the video operations that can be performed by MJPEG Tools include:

  • Recording of video streams.
  • Editing video data.
  • Compression of video data.
  • Pulling sound and video from pre-recorded files.
  • Joining of video and audio files into a single file.
  • Transitioning from one video stream to another.
  • Scaling from one video encoding to another.
  • Performance of video frame rate conversion.
  • Support for variable bit-rate multiplexing.
  • Creation of video CDs.

A partial list of standards supported by MJPEG Tools includes:

  • Input from PAL and NTSC video inputs.
  • Capture from AVI and Quicktime formatted video.
  • MPEG 1 and 2 video encoding.
  • Support for stereo audio.
  • Output to VCD, SVCD, DVD, and DIVX media.
  • Support for the ALSA and OSS/Free sound drivers.

The MJPEG HOWTO and FAQ documents show how the tools are used to perform a wide variety of operations, and the type of hardware that is required for useful performance.

Some still-frame examples show the quality that can be achieved from the captured video.

Version 1.6.2 of MJPEG Tools was recently announced; change information is in the source code.

Comments (none posted)

System Applications

Audio Projects

ALSA 1.0.2c released

Version 1.0.2c of the ALSA sound driver is out. The change notice says: "More fixes for compilation problems".

Comments (none posted)

Ogg Traffic

The February 9, 2004 edition of Ogg Traffic is out with the latest Ogg Vorbis audio compression software news.

Comments (none posted)

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include support for the Fedora Core distribution, new versions of Libsndfile, and several Common Lisp Music components.

Comments (none posted)

Database Software

PostgreSQL Weekly News

The PostgreSQL Weekly News for February 9, 2004 is available. "There are a number of updates for proposed features for 7.5, but first let's take a look through the list of changes committed to code this past week."

Full Story (comments: none)

Embedded Systems

BusyBox 1.0.0-pre7 released

BusyBox version 1.0.0-pre7 has been released. "There was a bug in -pre6 that broke argument parsing for a number of applets, since a variable was not being zeroed out properly. This release is primarily intended to fix that one problem. In addition, this release fixes several other problems, including a rewrite by mjn3 of the code for parsing the busybox.conf file used for suid handling, some shell updates from vodz, and a scattering of other small fixes."

Comments (none posted)

Mail Software

Siesta Mailing List Manager

Simon Wistow looks at Siesta, a Perl-based mailing list manager program. "By some quirk of fate Greg McCarroll, Richard, and I were all simultaneously 'resting' between jobs. Being fun-loving, crazy people we decided that the most constructive use of time was to congregate at Greg's, drink his booze, and watch Kevin Smith films. Instead, we wrote a mailing list manager. Well, I say "instead", but we managed to do the other stuff too, which explains the Jay-and-Bob-themed test suite."

Comments (none posted)

Printing

LPRng 3.8.25 released

Version 3.8.25 of the LPRng print system has been released. Change information is in the source code.

Comments (none posted)

Telecom

Linux Untethered

Brian Jepson writes about successes and failures involving Linux and wireless modems. "I had a data connection up not long ago with my Merlin G100 for 1 hour and 45 minutes, and experienced 5.2 Kilobytes per second (just over 40kbps) on a sustained download of an 8-megabyte compressed file. I used to go out of my mind when I tried that with a Bluetooth connection on either my Nokia 3650 or Sony Ericsson T68i. But I still swear by Bluetooth for things like sync, remote control, or transferring applications, ring tones, or wallpaper."

Comments (none posted)

Web Site Development

Introducing LAMP Tuning Techniques (O'ReillyNet)

Adam Pedersen shows how to tune LAMP (Linux-Apache-MySQL-PHP/Perl/Python) applications on O'Reilly. "I'm getting to know far more about servers than I ever wanted to, after hundreds of hours of Google research trying to squeeze/beat performance out of Apache. I do have 15 years programming experience in other areas, and I've reached the conclusion that the only experts in Apache/Linux are the programmers who wrote (and poorly documented) all this stuff. So I've gathered everything I could learn after countless hours of frustration and I'm writing this up in return for the immense amount of help I've received from the documentation of others."

Comments (none posted)

Client and server-side templating with Velocity (IBM developerWorks)

Sing Li writes about the Velocity template processor on IBM's developerWorks. "Velocity is a versatile, open source templating solution that can be used standalone in report generation/data transformation applications, or as a view component in MVC model frameworks. In this article, Sing Li introduces Velocity and reveals how you can integrate its template-processing capabilities into your own client-side standalone application, server-side Web application, or Web services."

Comments (none posted)

Tiki 1.8 -Polaris- released (SourceForge)

Version 1.8 of Tiki, a web wiki, is available. "Main new features and enhancements: - Databases supported: MySql, PostgreSQL, Oracle, Sybase; - Switch from PEAR::DB to adodb; - Mapserver; - Integrator: Integrate other applications in tiki; - New database independent search engine (use the "search_new" module); - Enhancements in installer, articles, forums, newsletters and wiki, including some new plugins and modules;"

Comments (none posted)

Documentation

Documenting your project using the Eclipse help system (IBM developerWorks)

Arthur Barr shows how to use Eclipse for documentation purposes. "The Eclipse Platform, which provides a very powerful IDE, includes its own help system based on an XML table-of-contents referencing HTML files. What isn't immediately obvious is that you don't have to write Eclipse plug-ins to use it. Any project can use a cut-down version of the platform to provide professional, easy-to-use, and searchable documentation."

Comments (none posted)

Miscellaneous

GNOME System Tools 0.32.0 is out! (GnomeDesktop)

Version 0.32.0 of GNOME System Tools has been announced. "A new GNOME System Tools release is out! The g-s-t are cross-platform configuration utilities for unix/linux, among lots of other good stuff, this new release has been mostly dedicated to some UI polishing, fixing a BE/FE communication bug and adding support for PLD 1.1 and 1.99".

Comments (none posted)

Desktop Applications

Audio Applications

Audacity 1.2.0-pre4 released

Version 1.2.0-pre4 of Audacity, an audio editor, is out. "This version fixes many minor bugs found in Audacity 1.2.0-pre3. This is a "release candidate" version. If no new bugs are found, we will release the new stable version 1.2.0 later this month."

Comments (none posted)

WaveSurfer 1.6.2 released

Version 1.6.2 of the WaveSurfer audio editor has been released. See the Change History document for details.

Comments (none posted)

Desktop Environments

GNOME Desktop & Developer platform 2.4.2 released (GnomeDesktop)

GNOME version 2.4.2 has been announced. "On behalf of the GNOME foundation, the release team and all the various maintainers, documenters, translators and bughunters I have the honor of announcing a new point release from the stable series of 2.4.x releases of the GNOME Desktop and developer platform."

Comments (none posted)

GNOME Summary

The GNOME Summary is out for February 1-7, 2004. Take a look for the latest GNOME desktop news. "This week's GNOME summary contains news about the new Sound Juicer release, "Vino", the Solutions Linux Gnome Exhibit in Paris, and major changes to jhbuild."

Comments (none posted)

Release: gTask v0.1 (GnomeDesktop)

The initial release of gTask has been announced. "gTask is a daemon and client library that allows programs to communicate the progress of certain long running operations (ie downloading files, printing, etc) to a central daemon. This is the first stable release of the core and user interface libraries."

Comments (1 posted)

KDE-CVS-Digest (KDE.News)

The February 6, 2004 KDE-CVS-Digest is available. Here's the intro: "KStars now has constellation lines. Gwenview is now a KPart, for embedded use in Konqueror. Plus many bug fixes and improvements in KMail and Konqueror."

Comments (none posted)

Desktop Publishing

CL-PDF 2.1 and cl-typesetting 0.70 released

Two new Lisp-based PDF packages have been announced. "CL-PDF is a Common Lisp library for generating documents in Adobe Acrobat format. It is a standalone library that does not need any Adobe or third-party tools."

"cl-typesetting is a complete typesetting system written in Common Lisp, and it is based on CL-PDF for the direct generation of PDF documents. It is intended as an alternative to the TeX typesetting system."

Electronics

Gnucap 0.34 released

Version 0.34 of Gnucap, a circuit analysis program, is out. "This is primarily a bug fix and compatibility release."

XCircuit 3.2.7 (development) available

Development version 3.2.7 of the XCircuit electronic schematic drawing package is out. "XCircuit-3.2 is the development version of XCircuit. Current work includes the integration of automatic schematic capture (ASG) with Stephen Frezza of Gannon University, and the addition of comprehensive "undo" and "redo" functions. This should keep us occupied for a while."

Financial Applications

GNUe Traffic

The February 4, 2004 edition of GNUe Traffic is out with the latest GNU Enterprise news.

Games

WorldForge Weekly News

The February 6, 2004 edition of the WorldForge Weekly News is out with the latest development news from the WorldForge game project.

GUI Packages

New FLTK Software

The latest new software releases for FLTK, the Fast Light Toolkit, include new versions of the Table widget, TesselSphere, IFLTK from the Colorado Eiffel Users Group, and SPTK.

The Tk Canvas Widget (Linux Journal)

Derek Fountain introduces the Tk Canvas Widget in the Linux Journal. "The canvas widget in the Tk graphical user interface toolkit is a free software tool used to present graphical data. Like the Tk text widget, which I discussed in my previous article, the canvas widget is accessible from most modern scripting languages, including Tcl, Perl and Python. It provides those languages with a best of breed facility for structured graphics work."

Interoperability

Samba 3.0.2 Available for Download

Samba 3.0.2 is the latest stable release of Samba. This is the version that all production Samba servers should be running to take advantage of all current bug fixes.

Vstserver 0.3.1 released

Version 0.3.1 of vstserver is out. "Vstserver is a program that must be running when using programs using vstlib. Vstlib is a library that can be used by programs to run windows vst audio plugins under i386linux/i386freebsd/i386solaris/i386etc."

Wine Traffic

The February 3, 2003 edition of Wine Traffic has been published and features a WineConf 2004 Summary.

Mail Clients

Two Critical Bugs in KMail 1.6 Detected (KDE.News)

Two critical bugs have been found in KMail 1.6. One is related to POP filters and the other to spam filtering and both cause mail loss. They are fixed in CVS and patches are linked on the KDE 3.2 Info Page.

Mozilla Thunderbird 0.5 Released (MozillaZine)

Version 0.5 of the Mozilla Thunderbird email and newsgroup application has been released. "This release features Palm address book synchronisation, IMAP performance improvements, better LDAP support, enhanced Netscape 4.x migration, spell check/dictionary improvements, and many other bug fixes and minor tweaks."

Medical Applications

OpenEMR with new Practice Management and Reporting Features (LinuxMedNews)

LinuxMedNews looks at the latest version of OpenEMR, a medical record system. "OpenEMR now incorporates PostCalendar from PostNuke, and phpMyAdmin for reporting. Create a report with phpMyAdmin, save it and create a web link for the report."

Multimedia

Release: GStreamer 0.7.4 ''Wooden Slugs'' (GnomeDesktop)

A new development release of the GStreamer streaming-media framework has been announced. "The goal of this release series is to stabilize towards a 0.8 release series which will be part of the GNOME 2.6 releases and hopefully eventually KDE 4.x."

Rhythmbox 0.70 Released (GnomeDesktop)

Rhythmbox 0.70, a music player, is out. "This is the first release in the Rhythmbox development series, featuring numerous new features thanks to new developments in the latest development release of Gstreamer."

Music Applications

lakai 0.1 released

The initial release of lakai, a Linux utility for communicating with an Akai S2000 sampler, is out. "Right now, everything is just shell-based, no GUI yet, and the tools are rather rudimentary, the source is ugly and sprinkled with TODOs and printf's etc. pp., but at least it WorksForMe(tm)."

liblrdf v0.3.5 released

Version 0.3.5 of liblrdf is available.

Office Suites

OpenOffice.org developers digest

Week 5, 2004 of the OpenOffice.org developers digest has been published.

Digital Photography

Building Panoramic Images in The GIMP (Linux Journal)

Andrew Burton shows how to use the GIMP to combine multiple photographs into a panoramic image on Linux Journal. "There are two ways to use The GIMP to create a panoramic photo, easy and hard. The hard way is to set up layers out of the different photos, edit filter and layer masks, mess about with transparency and layer them together, manually. The easy way is to use Pandora. Pandora is a plugin for The GIMP that takes photos and tries to match the edges of the photos together, using a best guess at where one photo ends and the next begins."

Video Applications

xawdecode [xdTV] 1.9.0 (SourceForge)

xawdecode version 1.9.0 is available. "Featuring: Better Lirc support for remotes: new eventmap support added, new xawdecode_cmd commands added; Better methods to schedule records with At and Cron, xdTV can now record AVI files without any codec installed, xdTV becomes a simple Xvid / uncompressed AVI player, xawdecode TV server and Client : Streaming possibilities through HTTP, and a lot of updates and fixes".

Languages and Tools

Caml

Caml Weekly News

The February 10, 2004 Caml Weekly News is available with the week's Caml language news.

Java

Using JUnit With Eclipse IDE (O'ReillyNet)

Alexander Prohorenko and Olexiy Prohorenko explore JUnit on O'Reilly. "This article is going to introduce you to JUnit, a tool for project testing and debugging. After introducing the theory of test-driven development, we'll move on to a step-by-step explanation of how you can create your JUnit tests with the help of the popular Eclipse IDE. We'll show how something as simple as a Hello World program can be exposed to a JUnit test."

Eye on performance: Exceptions to exceptions (IBM developerWorks)

Jack Shirazi and Kirk Pepperdine explain performance tuning for Java exceptions on IBM's developerWorks. "Java performance enthusiasts Jack Shirazi and Kirk Pepperdine, Director and CTO of JavaPerformanceTuning.com, follow performance discussions all over the Internet to see what's troubling developers. In this month's stop at the JavaRanch, they counter the campfire stories about exceptions with a detailed look at the story behind the story."

Perl

Perl 5.005_04 RC1 (use Perl)

Version 5.005_04 RC1 of Perl has been announced. Change information is in the source code.

This Week on perl5-porters (use Perl)

The January 26 - February 8, 2004 edition of This Week on perl5-porters is available. "This week, a very special summary indeed, because it actually covers two weeks. Two quiet weeks, that is. Read below for new proposals to the Perl 5 language, to its packaging, and for selected bugs and fixes."

This week on Perl 6 (O'Reilly)

The February 1, 2004 edition of This week on Perl 6 is out with the latest Perl 6 discussions.

PHP

PHP Weekly Summary for February 10, 2004

The PHP Weekly Summary for February 10, 2004 is out. Topics include: Enable bcmath by default, HTTP digest authentication in PHP 5, PHP on Netware, SOAP extension, PHP 5.0.0 RC1.

Python

When Pythons Attack (O'ReillyNet)

Mark Lutz gives some advice to Python programmers on O'Reilly. "Mark Lutz, coauthor of the recently released Learning Python, 2nd Edition, offers tips, gleaned from his first-hand experience as a Python trainer, on the most common programming and coding mistakes that new Python programmers make. For seasoned Python programmers, Mark offers tips on working with Python's larger features, such as datatypes, functions, modules, and classes."

Tcl/Tk

Dr. Dobb's Tcl-URL!

Dr. Dobb's Tcl-URL! is out for February 11, 2004. Take a look for lots of links to new Tcl/Tk articles.

XML

An Introduction to FOAF (O'Reilly)

Leigh Dodds introduces FOAF on O'Reilly. "The FOAF ("Friend of a Friend") project is a community driven effort to define an RDF vocabulary for expressing metadata about people, and their interests, relationships and activities. Founded by Dan Brickley and Libby Miller, FOAF is an open community-led initiative which is tackling head-on the wider Semantic Web goal of creating a machine processable web of data."

Miscellaneous

Kodos 2.4.0 Released

Version 2.4.0 of Kodos, a Python-based regular expression tool, is out. "The widget used for the "Group" tab has been changed to allow for the proper display of matches that span multiple lines."

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Kernel comparison: Web serving on 2.4 and 2.6 (developerWorks)

developerWorks reports on IBM's kernel benchmarking work. "We've shown that, using a typical test scenario -- Apache/WPT on an 8-way SMP IBM xSeries system -- the Apache server has better scalability and performance on the 2.6 kernel compared to the 2.4 kernel. On the same system under the same workload, the Apache server with 2.6.0-test5 kernel more effectively used system resources and served 5 times more Web pages than the 2.4.18 kernel did."

Red Hat CTO: Can Eclipse End 'Java Apartheid'? (eWeek)

eWeek covers an EclipseCon keynote by Red Hat CTO Michael Tiemann. "Tiemann also spoke of the divisiveness between the Java community and the open-source community, claiming that to be one reason Sun Microsystems Inc.'s NetBeans open-source development platform has not taken off and been accepted by as many developers as has the Eclipse open-source development platform."

On the ALSA Track (Linux Journal)

The Linux Journal has posted an introduction to the ALSA sound system by Dave Phillips. "Like Linux itself, ALSA began with rather modest goals: Jaroslav [Kysela] simply wanted more out of his Gravis UltraSound soundcard than the existing API could deliver, and he was willing and able to meet the demands of the task. Like Linus Torvalds, Jaroslav eventually found himself at the center of a group of talented developers, all dedicated to the development of a superior audio API for Linux."

Trade Shows and Conferences

Sun explains open source at EclipseCon (NewsForge)

Here is Joe Barr's latest report from EclipseCon. "Simon Phipps, formerly an IBM employee and for the last two years Chief Technology Evangelist for Sun Microsystems, gave his EclipseCon keynote address Thursday. As you might expect, he took exception to a couple of remarks from Wednesday morning's keynoter, Michael Tiemann of Red Hat. Phipps's talk was on "The Business of Open Source." It was interesting, almost a through-the-looking-glass experience, to hear a suit from Sun stand on a stage and try to explain open source to an audience of mostly proprietary developers. It should be noted that the ballroom where the keynote was given was not far from Disney's Fantasyland."

The SCO Problem

Leave poor SCO alone... the poor little lambs (Inquirer)

The Inquirer has a long and cynical article on SCO's legal and press campaigns. "Smart money says that SCO will walk out of the courtroom today clutching their backsides, unable to sit down for weeks because of the chewing out they get. Emergency rooms around the world will be filled with people if SCO produces what it claims to have, and people will be so stunned they fall over and hit their heads. Personally, I expect nothing, or at least nothing said, in volumes of obfuscation. With that background, imagine the odds of SCO taking today to launch what appears to be a very lucrative set of claims against IBM. Golly. I would say it is without precedent, but it isn't."

Perth company gives SCO Australia deadline (The Age)

The Age covers Leon Brooks's ongoing challenge to SCO's claims. A new letter has been sent by registered mail: "'Take notice that such claims are fraudulent, and unless they are retracted as publicly as they were made, CyberKnights Pty Ltd will vigorously pursue a conviction of fraud against TSG-ANZ,' it said."

Companies

Novell/SUSE Saga Part II (KDE.News)

KDE.News covers details from the recent Novell/SUSE deal. "As a followup to our previous Novell/SUSE article, we have further good news. Following the completion of the acquisition of SUSE by Novell, SUSE CEO Richard Seibt, who had previously expressed a strong commitment to KDE, has been promoted to president of Novell-EMEA and is now in a position not only to maintain SUSE's strong KDE support but also to help deploy it more widely around the world."

Linux Adoption

German finance unit chooses Linux (News.com)

News.com is carrying a Reuters article on another European governmental shift toward Linux. "IBM said that the finance ministry department, which is responsible for paying public sector employees and for managing certain taxes, installed two large IBM mainframe computers that run both IBM's operating system and Linux." Of course, the article also carries the obligatory SCO paragraph.

Munich Open Source Plows Ahead (Wired)

Wired takes a look at the difficulties encountered by the Munich administration as it switches over to free software. "Reports in Computerwoche also stated that local vendors who currently code applications for the city were experiencing problems in developing applications for the open-source operating system, since they are more familiar with Windows than Linux. Munich may opt to install an emulation program on city workers' computers that will allow Windows applications to run on Linux."

Legal

Lindows.com wins one

Here's another press release from Lindows.com on its ongoing trademark battle with Microsoft. The company states that it has won a ruling in U.S. District Court that "windows" is a generic term and that no amount of marketing can change that. The fight now moves up to the appeals court level.

Interviews

Another set of FOSDEM interviews

The FOSDEM organizers have posted three more interviews with people who will be speaking at the event. They are Bill Haneman (on GOK and accessibility), Matthias Brossard (Cryptonit), and Dave Cross (Perl).

Reviews

Automating Security with GNU cfengine (Linux Journal)

Linux Journal looks at the sysadmin tool, cfengine. "Once cfengine is installed (from www.cfengine.org) and running, making changes to your group of systems becomes almost as easy as changing a single system. This gives you more time to decide what to do and how to do it, something that remains the primary responsibility of an administrator to this day."

Introduction to the Firebird Database (Linux Journal)

Linux Journal takes a look at the Firebird database. "Firebird originally started its life as the Borland InterBase database. As the product reached version 6.0, Borland decided the product was going to be aged out, and so the code was released under an open-source license. Later on, however, Borland apparently had a change of mind about aging out the product. To this day, internally, Borland continues to develop the InterBase database, with the latest version being 7.1. Firebird 1.0 essentially was the open-source code behind InterBase 6.0. As of this writing, the first major development effort of the Firebird branch is Firebird 1.5."

Review of Mozilla Firefox 0.8 from the Perspective of a Galeon User (MozillaZine)

MozillaZine points to this article by Dave Whitinger, reviewing Mozilla Firefox 0.8. "Has Mozilla Firefox finally broken the speed and stability barriers in order to bring about a browser change to this long-time Galeon user? After all this time, Firefox finally won me over and caused me to change my regular web browser."

KDE is so cool because... (NewToLinux)

NewToLinux.org has a series of articles looking at different features in KDE. So far there are three complete articles: Managing Websites, Extending Konqueror with View Profiles, and Using KPrinter in Any App.

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Linux Crypto Software Gets FIPS 140-2 Validation

The US and Canadian governments have approved MOVEit Crypto Linux by Standard Networks as fully meeting the stringent requirements of Federal Information Processing Standard 140-2. This makes MOVEit Crypto one of the first FIPS 140-2 validated cryptographic software products available for Linux.

New Dazuko brings more security to Linux operating systems

The "Dazuko" kernel module, developed by the open source community together with the German security specialists H+BEDV Datentechnik GmbH, is now available for the FreeBSD operating system. Through this module, on-access virus scanners as well as other 3rd-party security tools can be integrated with Linux and now FreeBSD.

New Evans Data Study Reports on North American Software Development Populations

Evans Data Corporation's new North American Developer Population Study finds that there are more than 1.1 million developers in North America spending at least some of their time working on Open Source development projects.

Keel 2.0 released

Version 2.0 of the Keel framework has been announced. "Founders of the open source Keel framework today released Keel 2.0 to the development community. This new version is an upgrade from version 1.0 and dramatically improves the development process for web-based applications. Keel 2.0 is a Java server side meta-framework or "framework of frameworks" that provides standard interfaces for a variety of other open source frameworks and components."

opensurveypilot update

A new version of opensurveypilot, a web-based voting system, is under active development. Version 1.2 is planned for release in May, 2004.

Call for Participation: Rural eDisease Management (LinuxMedNews)

LinuxMedNews has published a call for help from the Open Source community for the development of a Rural eDisease Management system.

Commercial announcements

MontaVista 2003 Results

MontaVista Software, Inc. announced it has ended its 2003 fiscal year with revenue growth of 77 percent over the previous year and became cash flow positive in the fourth quarter of 2003.

New Books

"Java Examples in a Nutshell, Third Edition" Released by O'Reilly

O'Reilly has published Java Examples in a Nutshell, Third Edition by David Flanagan.

New Linux Programming Book

Jonathan Bartlett has written a book on Linux programming. "It is an introduction to computer science using Linux assembly language. Assembly language was chosen because by learning assembly language you learn how the computer itself operates, not how an individual language operates." The book is available online and in printed form.

'C++ GUI Programming with Qt 3' Book (KDE.News)

KDE.News has an announcement for a new book on Qt by Jasmin Blanchette and Mark Summerfield. "Perhaps the recent KDE and Qt releases made you want to contribute to KDE or to start your own Qt/KDE application? Then you may be interested in the new "C++ GUI Programming with Qt 3" book, the first official Trolltech guide to Qt 3.2 programming."

New security book published

The book "Security Assessment: Case Studies for Implementing the NSA IAM" has been published.

Resources

Free version of HOOPS Stream Toolkit released

A free version of the HOOPS Stream Toolkit has been announced. "The OpenHSF Initiative today made available the free source-code version of the HOOPS Stream Toolkit (HOOPS/Stream) v10.0, the import/export SDK for the HSF format." HSF is used for sharing engineering graphics.

LDP Weekly News

The Linux Documentation Project Weekly News for February 4, 2004 is out with the week's new documentation. "The Hardware HOWTO, by Steven Pritchard, has finally been updated after a long period of inactivity."

LDP Weekly News

The Linux Documentation Project Weekly News for February 11, 2004 is available with the latest new documentation releases.

LPI News-letter January 2004

Here is the monthly newsletter from the Linux Professional Institute. This issue looks at Evan Leibovitch's article about the United Nations conference, LPI looks at Level 3 tasks, translations, and several other topics.

OSDL releases Linux Technical Capabilities 1.0

The Open Source Development Labs has announced the release of the "Data Center Linux Technical Capabilities" document, and is asking for feedback from the community. It's another shopping list from OSDL's members, of course; they are presumably hoping that, by opening up the process of creating the requirements document, they can bring about a better reception for Data Center Linux than the Carrier Grade Linux effort got.

New Linux Audio Software

Dave Phillips has updated his list of Linux audio applications and resources on linux-sound.org.

Contests and Awards

Perl Accepted For BCS Programming Competition (use Perl)

According to Use Perl, Perl is now allowed as a language choice for the BCS programming competition. "For the first time ever, the British Computer Society have been convinced to allow competitors in their annual UK programming competition to code entries in Perl. Entry for the first round closes on the 20th February."

QtForum.org Announces Qt Developer Contest (KDE.News)

A Qt Developer Contest has been announced. "QtForum.org, the independent Qt community Website launched October 2003, today announced the QtForum.org Developer Contest. The subject for the contest is edutainment." Several cash prizes will be awarded.

ActiveState Perl Haiku Contest

The winners of the ActiveState Perl Haiku contest have been announced. We like this one:
"ugliness that grows
into beauty inside of
your favorite shell"

Upcoming Events

Maddog and Stallman at the GNU/Linux Summit

This year's GNU/Linux Summit presents top speakers Jon "Maddog" Hall and Richard Stallman. The GNU/Linux Summit will be held February 26 - 27, 2004 in Helsinki, Finland.

Free Software 2004 (Register)

The Register reports that the Free Software Forum 2004 call for papers is out. Proposals are due by March 7, 2004.

Open Source in Government Conference

The Open Source in Government Conference will be held in Washington, DC on March 15-17, 2004.

Linux Installfest workshop in Davis, CA

The Linux Users' Group of Davis will hold another Linux installfest on February 15th in Davis, CA.

Call for Participation for Nordic Perl Workshop (use Perl)

A call for papers and open registration have been announced for the Nordic Perl Workshop 2004. The event will take place in Copenhagen, Denmark on March 27 and 28, 2004. Papers are due in by February 15.

PyCon 2004 - Second Annual Python Developers Conference

A press release has been sent out for PyCon 2004, the second annual Python developers conference. "PyCon 2004, the second annual Python developers conference, will be held at George Washington University's Cafritz Conference Center in Washington DC on March 24-26, 2004. Mitchell Kapor, founder of Lotus Development Corporation and the Open Source Applications Foundation, will be the keynote speaker."

LinuxWorld Conference & Expo Opens Call For Papers

IDG World Expo has issued a Call for Papers for the LinuxWorld Conference & Expo, taking place at San Francisco's Moscone Center, August 2-5, 2004. Proposals are due by February 27, 2004.

Events: February 12 - April 8, 2004

Date | Event | Location
February 12, 2004 | O'Reilly Emerging Technology Conference (ETech) (The Westin Horton Plaza) | San Diego, CA
February 20 - 22, 2004 | CodeCon 2004 (Club NV) | San Francisco, CA
February 20 - 24, 2004 | PaWS PHP and Web Standards UK 2004 | Manchester, UK
February 21 - 22, 2004 | Mozilla Developers Meeting in Europe 4.0 | Brussels, Belgium
February 21 - 22, 2004 | FOSDEM 2004 (SOLBOSCH) | Brussels, Belgium
February 23 - 27, 2004 | PostgreSQL Bootcamp (Big Nerd Ranch, Inc.) | Atlanta, GA
February 25 - 26, 2004 | UKUUG LISA/Winter Conference and Tutorial (Lansdowne Campus, Bournemouth Univ.) | Bournemouth, UK
February 26 - 27, 2004 | GNU/Linux Summit 2004 (Finlandia Hall) | Helsinki, Finland
February 27, 2004 | Mozilla Developer Day | Mountain View, CA
March 1 - 5, 2004 | PHP|Cruise | The Caribbean
March 4 - 5, 2004 | Linux Automation Konferenz | Hannover, Germany
March 5, 2004 | Perl Workshop 2004 | Amsterdam, the Netherlands
March 6 - 7, 2004 | Linux-Day Chemnitz | Chemnitz, Germany
March 15 - 17, 2004 | Open Source in Government Conference (George Washington University) | Washington, DC
March 16 - 17, 2004 | Open Source Business Conference 2004 (The Westin St. Francis) | San Francisco, CA
March 18 - 24, 2004 | CeBIT (Hannover Exhibition Center) | Hannover, Germany
March 21 - 26, 2004 | Novell BrainShare 2004 | Salt Lake City, Utah
March 24 - 26, 2004 | PyCon DC 2004 | Washington, D.C.
March 27 - 28, 2004 | Nordic Perl Workshop 2004 (Symbion Science Park) | Copenhagen, Denmark
March 27 - 28, 2004 | YAPC::Taipei::2004 | Taipei, Taiwan
April 5 - 7, 2004 | Samba eXPerience 2004 (Hotel Freizeit In) | Göttingen, Germany

Web sites

Planet Lisp's new URL

The Planet Lisp site has been moved to a new URL.

Perl Beginners' Site News and Activity (use Perl)

Use Perl mentions a need for help on the Perl Beginner's Site. "We could use more book reviews and more links. The Wiki is based on an implementation which is a non-portable JavaScript hell and unreliable. (We are planning to switch to TWiki or something else soon). Finally, it is possible that the site's design is too conventional and unattractive and as such could use a re-structuring of the page."

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Page editor: Forrest Cook

Letters to the editor

usage of "Free" in RHEL article

From:  Colin Walters <walters-AT-verbum.org>
To:  lwn-AT-lwn.net
Subject:  usage of "Free" in RHEL article
Date:  Thu, 05 Feb 2004 02:54:18 -0500

Hi,
 
Most of the people in the free software and open source community will
use the capitalized word "Free" to emphasize that one is talking about
freedom over price, since the two words are the same in English.
 
The recent article about RHEL is entitled "Substituting RHEL with Free
Alternatives". I realize that it is normal journalistic practice to
capitalize words in a title. However, given that RHEL *is* Free
Software, I think it would have been better to recognize that most of
the alternatives are actually just no-cost; i.e. "free".
 
And given that the article points out that several of these alternatives
aren't actually no-cost, it seems to me a much better title for the
article would simply have been something like "RHEL Alternatives", or
"Looking at RHEL Alternatives".
 

BBC faux pas

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  letters-AT-lwn.net
Subject:  BBC faux pas
Date:  Thu, 5 Feb 2004 21:28:35 +0800

Hi, Stephen; I have no direct email address for you, so I post this here
in the hope of someone you know pointing it out to you. This is what I
wrote to the BBC about http://news.bbc.co.uk/2/hi/business/3457823.stm
in the hope of getting you to see past the barrage of misleading
stock-ticker news streams:
 
QUOTE
 
Stephen Evans has made some significant factual errors in his story
"Linux cyber-battle turns nasty" and may be exposing the BBC by his
consequent assertions.
 
"There seems little doubt that SCO was targeted" as a distraction to the
virus, apparently written by and for commercial spammers. Its primary
intent is to act as a relay for spreading more of those intrusive
offers of larger penises and mortgage solutions.
 
The virus is indeed about malice, and it was not written by the
creative, constructive Open Source community. It has been traced back
to Russian spammers.
 
It does not appear that www.sco.com was attacked in anger. The name had
been taken out of circulation before the due date, and the site
http://sco.com/ was reachable throughout, as were the sco.com email
servers, hosted nearby. It seems that The SCO Group (TSG) are crying
"wolf" yet again.
 
TSG have been accusing the authors of Linux of stealing their ideas, and
their code. IBM is being accused of giving TSG's code away (despite
IBM's licence agreement plainly stating that they can sell or give away
derivatives), and being asked for over $3 billion in "damages", yet TSG
won't tell anyone exactly what was "stolen".
 
Their story keeps changing, and whenever more exact information has been
leaked, the code has consistently turned out to be either written by
somebody else, or public domain.
 
Darl MacBride wants to sell Linux as others sell bottled water, which is
fine because Red Hat, Mandrake and other companies do just that. He
wants to do it not by bottling better water, but by making the
harvesting of rain and spring water heavily taxable.
 
Understandably, the people who've built the software equivalent of dams
and rainwater tanks are outraged at his barratry, false claims and
blackmail. TSG is not "raising the possibility of internet blackmail",
TSG is carrying it out!
 
The Open Source community's response has been to provide evidence of
TSG's insanity, not to write viruses. None of the computers bearing the
virus run Linux. Zero. Nada. Not one.
 
It is impossible to read Stephen's story without interpreting it as
"Linux community members attacked a helpless corporation", which as a
member of the Linux community I find insulting and hurtful.
 
I require a retraction from the BBC and a public apology from Stephen. I
also want his word that he'll not carelessly abuse a news service to
pillory the champions of freedom and fair play ever again.
 
UNQUOTE
 
Cheers; Leon
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Past Committee Member, Linux Australia

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds