LWN.net Weekly Edition for August 15, 2002

Engage with government - or ignore it?

There is no doubt that much of what is going on in legislative systems worldwide is hostile to both free software and the larger principles of fair use of ideas and copyrighted works. Laws like the DMCA or the upcoming UK copyright law ban the writing of programs which provide "unauthorized" access to legitimately purchased materials. Proposed laws like the CBDTPA (seen defined as "Consume, But Don't Try Programming Anything") could outlaw broad classes of free software outright. There is clearly cause to worry. But what should we do about these threats?

Columnist Dan Gillmor tells us to get involved and pressure government for better laws:

But I'm convinced that we can preserve our rights, if we can only persuade Congress that they're worth preserving. There's little or no constituency for fair use and other rights, partly because lawmakers are only hearing one side. But if the community of readers, listeners, viewers, scholars, researchers and others who don't ``own'' copyrights doesn't at least challenge the terms of the debate, it will surely lose.

Mr. Gillmor tells us that we need to "reeducate" Congress and press technology companies to be more assertive about the rights and needs of their customers, rather than those of big media. With enough political pressure, our rights can be preserved.

Before going off to pressure Congress (or Parliament, or whatever), though, it is worth taking a look at another view. Declan McCullagh, who has covered Congress and technology for years, has recently posted a column questioning the value of the political path:

Here's the bitter truth: These efforts are mostly a waste of time. Sure, they may make you feel better, but they're not the way to win.

His suggestion, instead, is to take the classic cypherpunk approach: write code.

Put another way, who made a bigger difference: Yet another letter-scribbling activist or Phil Zimmermann, who wrote the Pretty Good Privacy (PGP) encryption software? How about Shawn Fanning, the man who created Napster? Or the veterans of the Internet Engineering Task Force, which oversees the fundamental protocols of the Internet?

He has a point: had Phillip Zimmermann not written PGP when he did, the battle for the right to use strong encryption may well have been lost a decade ago.

In general, the wide diffusion of technology makes it harder to outlaw or control that technology. In 1990, it might just have been possible to pass a CBDTPA-like law which would have made the distribution of free operating systems impossible. In 2002, Linux and *BSD are everywhere, serving many critical functions; outlawing them is not a practical possibility. Hackers should, indeed, be creating and distributing code. Getting that code out where it can not be recalled is an important activity for the defense of our freedom.

But wouldn't it be a nicer world if free software hackers did not need to fear arrest and incarceration for releasing the wrong code? Wouldn't it be better if copyright law were to swing back toward the longstanding values of fair use, first sale, and compromise between control and the free exchange of ideas? To claim that the only worthwhile work is writing code is to see the future as a sort of guerilla war against an entrenched copyright regime. This does not sound like a fun future, and it should not be seen as inevitable.

Sustained political effort can yield results. But success requires engaging the interest and support of a large number of people. Governmental representatives can easily ignore the noise from a small group of concerned programmers; they need to hear from a wider constituency before they will pay attention. Somehow we need to get Aunt Tillie worried about copyright law. That is going to be a difficult task, but it's an important one.

The Digital Software Security Act

One example of engagement with government is the Digital Software Security Act (DSSA), which is proposed for enactment in the state of California. This bill is strongly supported by Red Hat, to the point that CTO Michael Tiemann is leading a march to the San Francisco city hall on August 15. The law may look good at a first glance, but it is not clear that this is really the best way to promote the free software cause.

The DSSA is strict and unambiguous in its requirements. If a given software package does not come with source, and the ability to modify and redistribute that source, the state of California would not be able to buy it. If no suitable open source package exists for, say, the management of mineral rights or the operation of automated tollbooths, then the state would simply have to do without. Chances are, some of the operations of the state of California would be adversely affected by this law.

The proposed law is extreme, and its chances of passage are minimal. Which is just as well. Imagine the backlash that would result once people figured out that, since nobody has gotten around to creating a SourceForge project for welfare case management, tracking of health insurance complaints, or the secure creation of drivers licenses, the state would no longer be able to perform those functions. This law would not last long.

More generally, free software is supposed to be about choices and freedom. That includes the freedom to choose software that does not necessarily meet the Open Source Definition. There are situations where a mandate of openness makes sense for governments: file formats for the storage of public data and electronic voting software come readily to mind. It is certainly in the interests of governments - and the governed - to use free software in situations where that software can do the job. But a heavy-handed law that requires the use of free software in all situations - even where such software does not exist - is excessive and counterproductive. World Domination is best achieved through better software and respect for freedom, not by legislative fiat.

LinuxWorld

The LinuxWorld Conference & Expo is happening without LWN's presence this year - but they seem to be getting along just fine without us. Our coverage is thus less than it might otherwise be. Thanks to Russell Pavlicek, we do have reports from the first and second days at the event.

Beyond that, there are a few things of interest that have come out of this LinuxWorld iteration, including:

  • The Free Standards Group has announced that three distributors (MandrakeSoft, Red Hat, and SuSE) have won "LSB-compliant" certification for their distributions. Actual implementation by the distributors was an important part of the whole Linux Standard Base process, so this is good news.

  • Sun has jumped into the business of selling commodity PCs with Linux installed. This has proved to be a difficult living for many, but it's possible that Sun's experience will be different.

  • Dell's announcements show clearly where that company thinks money is to be made with Linux: large clusters and migration from proprietary Unix.

  • By the end of September, we're told, we'll see the Xandros 1.0 and UnitedLinux beta releases.

  • Oracle has joined the GPL community by releasing its "cluster filesystem" for Linux. The company seems to think that the Linux platform is important enough to be worth improving.

See this week's Linux in Business page for more LinuxWorld press releases than you would ever really want to see. The Linux business world has changed, but LinuxWorld still seems to be its meeting place.

SourceForge goes to DB2

Among the many announcements from LinuxWorld this week is this one from VA Software stating that the SourceForge software would be adapted to work with a number of proprietary IBM products, including the DB2 database manager and WebSphere. VA and IBM will also cooperate in the marketing of each other's products. Oh, and, incidentally, OSDN (owned by VA) has announced that SourceForge.net will be converted over to run DB2 exclusively.

This arrangement does not lack its good features. SourceForge becomes more interoperable and gains a new marketing channel. No details have been released, of course, but it is reasonable to expect that IBM will help support SourceForge.net's continued existence as part of this deal. Given the obvious cost of running a facility like SourceForge and the number of free software projects which depend on it, this is good news for the free software community.

The fact remains, however, that SourceForge is moving steadily away from free software. The site itself has not been pure free software for some time, and is now becoming a showcase for IBM's proprietary applications. There has not been a release of the SourceForge site code - the free part - since November, 2001. References to "open source" are rare on the VA Software web site. Even the VA Software products FAQ shows an interesting emphasis:

Q: What platform (hardware/software) does SourceForge run on?

SourceForge runs on SPARC based Solaris servers using Solaris version 8 10/01 and higher. SourceForge also runs on Red Hat Linux versions 7.1 and higher on Intel processor-based platforms.

"Also runs" is better than nothing...

Almost exactly one year ago, Eric Raymond posted a message on how SourceForge wasn't really going proprietary:

So the real news here is that VA is still about open source -- if I didn't believe that, I'd be off their board of directors so fast it would make your head spin. We're just being pragmatic about how we sell the idea. Change peoples' behavior first, show them the advantages in doing so, and their hearts and minds will follow.

Given that, it is interesting to note that Mr. Raymond's name has been quietly dropped from VA's Board of Directors page.

We are, thus, in a position where a large portion of the free software community's work is hosted on a site owned by a company that no longer sees free software as part of its mission. The concentration of projects onto a single site (any single site) has been a cause of concern for some time; now it makes the community's position look truly precarious. SourceForge is still useful to VA as a demonstration of the scale on which its software can work. But it's an expensive advertisement which is increasingly being turned to the interests of those who are paying the bills. SourceForge remains a valuable contribution to the free software community, as it has been for years. But the need for alternatives (beyond Savannah and BerliOS, which are a good start) is more urgent than ever.

LWN status update

There is relatively little to report on the status of LWN since last week - despite the fact that we have been as busy as ever. Here's what's going on:
  • Our disagreement with our credit card clearing company is heading toward resolution - slowly. A small portion of the money given as donations (and advertising payments) to LWN has found its way into our bank account; we're working on getting the rest. Meanwhile, however, we lack the ability to accept credit card payments - something we have to fix before subscriptions can start.

  • Implementation of site code for the handling of subscriptions is proceeding - slowly. When writing code that does things like charge money to credit cards, it's best not to be in too much of a hurry.

Thanks yet again for your support. We'll do our best to keep you informed as things happen.

Page editor: Jonathan Corbet

Security

Brief items

USENIX security 2002 wrap up

Jose Nazario has provided LWN with a brief wrap up of this year's USENIX Security 2002 conference. "Linux's LSM kernel features, part of the Linux Security Module feature kit, were presented by folks from WireX (makers of Immunix, StackGuard and FormatGuard), NAI labs (part of the SELinux development team), and others. Their paper gave an overview of the architecture, some example code, work to bring other Linux security projects into the LSM architecture, and some benchmarks. Overall an excellent report, showing how much work and research has gone into the project."

Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG

A followup, addressing implementation issues, to the recent paper on chosen-ciphertext attacks against PGP and GnuPG by K. Jallad, J. Katz, and B. Schneier is available (PDF or Postscript format).

Werner Koch posted this partial rebuttal noting that countermeasures have been defined in the OpenPGP drafts since October 2000.

The Mercury News covers the PGP flaw, which lets an attacker read mail intended for someone else only if the recipient can be tricked into sending the tampered message back to the attacker after decrypting it.
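To make the mechanism concrete, here is an added example written for this page, not code from the paper, from PGP or from GnuPG, of the chosen-ciphertext attack on CFB mode that the papers describe. A keyed 64-bit mixing function stands in for the real block cipher, because CFB decryption only ever runs the cipher forwards and any keyed pseudo-random function exhibits the same malleability; the key, IV, mask and message are constructed, and every function name is ours. The attacker flips bits in every other ciphertext block, the victim's client decrypts the result to what looks like garbage and quotes it back, and the attacker XORs the mask back out. A victim that first verifies an integrity tag refuses to decrypt the tampered copy at all; a MAC over the ciphertext plays that role here, whereas OpenPGP's MDC countermeasure hashes the plaintext inside the encrypted packet, but the effect of refusing to act on a modified message is the same.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BLK 8   /* toy block size in bytes; messages of up to 64 blocks */

/* Stand-in for the block cipher: a keyed 64-bit mixer. CFB decryption only
 * runs the cipher forwards, so any keyed PRF shows the same malleability. */
static void E(uint64_t key, const uint8_t in[BLK], uint8_t out[BLK])
{
    uint64_t x; memcpy(&x, in, BLK);
    x = (x ^ key) + 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    x ^= x >> 31;
    memcpy(out, &x, BLK);
}

/* CFB over n whole blocks. ct[0..BLK) holds the IV and C_i = P_i ^ E(C_{i-1});
 * decryption is P_i = C_i ^ E(C_{i-1}), so a bit flipped in C_i flips the
 * same bit in P_i and scrambles only P_{i+1}. */
static void cfb(uint64_t key, uint8_t *ct, uint8_t *pt, size_t n, bool encrypt)
{
    uint8_t ks[BLK];
    for (size_t i = 0; i < n; i++) {
        E(key, ct + i * BLK, ks);
        for (int j = 0; j < BLK; j++) {
            size_t c = (i + 1) * BLK + j, p = i * BLK + j;
            if (encrypt) ct[c] = pt[p] ^ ks[j]; else pt[p] = ct[c] ^ ks[j];
        }
    }
}

/* CBC-MAC over the block count and every ciphertext block under a second key:
 * stands in for the integrity check (OpenPGP's MDC) the countermeasure adds. */
static void mac_tag(uint64_t key2, const uint8_t *ct, size_t n, uint8_t tag[BLK])
{
    uint64_t len = n;
    memcpy(tag, &len, BLK);
    E(key2, tag, tag);
    for (size_t i = 0; i <= n; i++) {
        for (int j = 0; j < BLK; j++) tag[j] ^= ct[i * BLK + j];
        E(key2, tag, tag);
    }
}

/* The victim's client: decrypts whatever arrives and quotes the result back;
 * with check set it verifies the tag first and refuses tampered mail. */
static bool victim_bounce(uint64_t key, uint64_t key2, bool check, uint8_t *ct,
                          size_t n, const uint8_t tag[BLK], uint8_t *reply)
{
    uint8_t t[BLK];
    if (check) {
        mac_tag(key2, ct, n, t);
        if (memcmp(t, tag, BLK) != 0) return false;
    }
    cfb(key, ct, reply, n, false);
    return true;
}

/* Attacker: XOR a mask into every other ciphertext block (i from 1, i % 2 ==
 * parity). Those blocks decrypt to P_i ^ mask, their successors to junk: the
 * victim sees garbage, yet two bounces (parity 0, then 1) yield every block.
 * The attacker never holds the key; the victim decrypts for him. */
static bool attack(uint64_t key, uint64_t key2, bool check, const uint8_t *ct,
                   size_t n, const uint8_t tag[BLK], uint8_t *out)
{
    const uint8_t mask[BLK] = {0x5a, 0xa5, 0x3c, 0xc3, 0x0f, 0xf0, 0x96, 0x69};
    uint8_t ct2[65 * BLK], reply[64 * BLK];
    if (n > 64) return false;
    for (int parity = 0; parity < 2; parity++) {
        memcpy(ct2, ct, (n + 1) * BLK);
        for (size_t i = 1; i <= n; i++)
            if ((int)(i % 2) == parity)
                for (int j = 0; j < BLK; j++) ct2[i * BLK + j] ^= mask[j];
        if (!victim_bounce(key, key2, check, ct2, n, tag, reply)) return false;
        for (size_t i = 1; i <= n; i++)
            if ((int)(i % 2) == parity)
                for (int j = 0; j < BLK; j++)
                    out[(i - 1) * BLK + j] = reply[(i - 1) * BLK + j] ^ mask[j];
    }
    return true;
}

/* Constructed demo (key, IV and message are made up). True when the attack
 * recovers the whole message from a victim without integrity checking, a
 * checking victim refuses the tampered copies, and the original still passes. */
bool demo_cfb_cca(void)
{
    const char *msg = "The rent is due Friday. Pay in cash.";   /* 36 bytes, 5 blocks */
    const uint64_t key = 0x0123456789ABCDEFULL, key2 = 0xFEDCBA9876543210ULL;
    uint8_t pt[5 * BLK], ct[6 * BLK] = {1, 2, 3, 4, 5, 6, 7, 8}, tag[BLK], got[5 * BLK];
    memset(pt, ' ', sizeof pt); memcpy(pt, msg, strlen(msg));
    cfb(key, ct, pt, 5, true); mac_tag(key2, ct, 5, tag);     /* ct[0..BLK) is the IV */
    bool leaked  = attack(key, key2, false, ct, 5, tag, got) && !memcmp(got, pt, sizeof pt);
    bool refused = !attack(key, key2, true, ct, 5, tag, got);
    bool genuine = victim_bounce(key, key2, true, ct, 5, tag, got) && !memcmp(got, pt, sizeof pt);
    return leaked && refused && genuine;
}
```

Note that the attacker never calls E() with the victim's key; the only thing he needs is a recipient whose software decrypts first and complains afterwards, which is exactly the behaviour the integrity check removes.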

Security pros create resource on flaws (News.com)

Here's a News.com article about the Internetworked Security Information Service (ISIS), which brings together four independent projects--the Open Source Vulnerability Database, the Alldas.de defacement-tracking service, the PacketStorm software database and the vulnerability watchdog VulnWatch.

Defcon coverage

Wired and ZDNet covered the festival of just-for-fun denial of service attacks, system break-ins and other activities at this year's Defcon conference in Las Vegas.

OUSPG Software vulnerability reporting survey

The Finnish Oulu University Secure Programming Group (OUSPG) is conducting a survey of "vendors who receive bug reports, to coordinators of the reporting process (e.g. mailing list moderators and national CERTs), and to reporters of software vulnerabilities."

If you perform any of these roles, we encourage you to participate.

Security reports

Trojan horse in OpenSSH 3.4p1 source distribution

As described in this Bugtraq posting, the source distribution for OpenSSH 3.4p1 contains a trojan horse. The trojan is apparently activated only during the build process; people who are running binary versions (from a trusted source!) should not need to worry. Anyone who fetched OpenSSH source recently should compare the tarball against a checksum or signature obtained from somewhere other than the mirror that served it before building from it. No word as yet on just how this came to be; stay tuned, we'll update things as we learn more. (Thanks to Christof Damian).

Updates:
An advisory from the OpenBSD folks has been issued. "OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers....Anyone who has installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his system compromised."

Tomi Nylund has compiled this list of mirrors that carried the trojaned OpenSSH.

L-Forum XSS, upload spoofing and SQL injection vulnerabilities

Ulf Harnhammar reports that L-Forum version 2.4.0, and possibly others, has two different XSS (cross-site scripting) holes and a separate upload spoofing vulnerability.

In a separate report, Matthew Murphy discovered an SQL injection flaw in L-Forum.

TinySSL basic constraints vulnerability fixed

TinySSL version 1.03 has a server side fix for this IE SSL vulnerability: the failure to check the basic constraints extension of intermediate certificates, which lets the holder of any ordinary certificate sign further certificates that chain to a trusted root. TinySSL is an open source, compact (125k jar), SSLv3 client implementation written in Java (1.1+).

New vulnerabilities

Bug in SunRPC-derived XDR libraries

An integer overflow in the xdr_array() function, which deserializes XDR streams, originated in the SunRPC library and has been propagated into at least glibc, Kerberos 5, OpenAFS and dietlibc. xdr_array() multiplies the element count taken from the stream by the element size to obtain the allocation size; when that product wraps, a small buffer is allocated and then overrun with the full number of elements. The result, in most cases, is a potential remote code execution or root access vulnerability.

According to the CERT Vulnerability Note, "this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information."

The result, so far, is the four new vulnerabilities (below) for glibc, Kerberos 5, OpenAFS and dietlibc.

News.com covers the bug and its impact on Kerberos Key Distribution Center authentication functions. "Several sellers of Unix and Unix-like operating systems, including Red Hat, Debian, FreeBSD, Sun and NetBSD, said that their software was affected by the issue, and issued fixes. HP said it was investigating the bug's impact."
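As an added illustration for this page, not glibc's, SunRPC's or any vendor's code, here is the arithmetic behind VU#192995 next to the bound a fixed xdr_array() needs. XDR encodes a variable-length array as a four-byte big-endian element count followed by the elements; xdr_array() multiplies that count by the element size in a 32-bit unsigned integer, allocates the result, and decodes that many elements into it. The function names and the stream bytes below are made up for the demonstration; the decode routine assumes fixed-size four-byte elements, which real xdr_array() does not.

```c
#include <stdint.h>
#include <stddef.h>

/* XDR puts a 4-byte big-endian element count in front of a variable-length
 * array. xdr_array() reads that count, multiplies it by the element size to
 * get the allocation size, and then decodes count elements into the buffer. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pre-fix arithmetic: nodesize = c * elsize in a 32-bit u_int, which wraps
 * silently. A count of 0x40000001 four-byte elements comes out as a 4-byte
 * buffer, which the decode loop then overruns with a billion elements. */
uint32_t xdr_nodesize_vulnerable(uint32_t c, uint32_t elsize)
{
    return c * elsize;
}

/* Hardened arithmetic: refuse a count above the caller's maxsize or whose
 * byte size cannot fit in u_int. elsize == 0 is refused first, so the
 * division can never trap. Returns -1 on rejection, else the byte count. */
int64_t xdr_nodesize_checked(uint32_t c, uint32_t elsize, uint32_t maxsize)
{
    if (elsize == 0 || c > maxsize || c > UINT32_MAX / elsize)
        return -1;
    return (int64_t)c * elsize;
}

/* What a fixed xdr_array() does with the header bytes of an incoming stream
 * before it allocates anything: parse, validate, and only then size. */
int64_t xdr_array_alloc_size(const uint8_t hdr[4], uint32_t elsize, uint32_t maxsize)
{
    return xdr_nodesize_checked(xdr_u32(hdr), elsize, maxsize);
}

/* Decode of an array of 4-byte integers the way a hardened xdr_array()
 * proceeds: size first, then confirm the stream really carries that many
 * elements, then copy. Returns the element count or -1. (Assumes fixed-size
 * elements; the real routine calls a per-element decoder instead.) */
int64_t xdr_array_decode_u32(const uint8_t *stream, size_t len, uint32_t maxsize,
                             uint32_t *out, size_t outcap)
{
    if (len < 4) return -1;
    uint32_t c = xdr_u32(stream);
    int64_t bytes = xdr_nodesize_checked(c, sizeof *out, maxsize);
    if (bytes < 0 || (size_t)bytes > outcap * sizeof *out) return -1;
    if ((uint64_t)c * 4 > len - 4) return -1;          /* truncated stream */
    for (uint32_t i = 0; i < c; i++) out[i] = xdr_u32(stream + 4 + 4 * i);
    return c;
}

/* Constructed stream headers (hypothetical, not captured traffic): a benign
 * three-element array and a count chosen so that count * 4 wraps to 4. */
const uint8_t xdr_hdr_benign[4] = {0x00, 0x00, 0x00, 0x03};
const uint8_t xdr_hdr_wrap[4]   = {0x40, 0x00, 0x00, 0x01};

/* Constructed stream: count 3 followed by 10, 20, 30. Returns their sum, 60,
 * or -1 if the hardened decoder rejected it. */
int64_t demo_xdr_decode(void)
{
    static const uint8_t stream[] = {0, 0, 0, 3, 0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0, 30};
    uint32_t out[8];
    int64_t n = xdr_array_decode_u32(stream, sizeof stream, 8, out, 8);
    if (n < 0) return -1;
    int64_t sum = 0;
    for (int64_t i = 0; i < n; i++) sum += out[i];
    return sum;
}
```

The maxsize argument is the bound the caller already passes to xdr_array(); the fix is that it is now applied before the multiplication, together with an overflow check on the multiplication itself, rather than trusting a count that has already wrapped.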

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 30, 2003
Description: Felix von Leitner discovered an integer overflow in the xdr_array() code derived from the SunRPC library which is used in glibc. The bug could be exploited to gain unauthorized root access through programs that link to glibc and decode XDR data from the network, RPC services in particular.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Kerberos 5 unauthorized root access to KDC host vulnerability

Package(s):krb5 CVE #(s):
Created:August 14, 2002 Updated:October 29, 2002
Description: A bug in the Kerberos 5 remote administration service, kadmind, could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

The bug is the integer overflow in the xdr_array() code derived from the SunRPC library, discovered by Felix von Leitner, which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Gentoo 200210-011 2002-10-28
Conectiva CLA-2002:515 2002-08-07
Debian DSA-143-1 2002-08-05

OpenAFS potential remote code execution vulnerability

Package(s):openafs CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The OpenAFS database servers are subject to the integer overflow bug in code derived from the SunRPC library.

This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes.

Felix von Leitner discovered this integer overflow in the xdr_array() code derived from the SunRPC library, which is used in many places including OpenAFS.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-142-1 2002-08-05

Potential unauthorized root access vulnerability in dietlibc

Package(s):dietlibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:December 5, 2002
Description: Felix von Leitner discovered an integer overflow in the xdr_array() code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access through software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
SCO Group CSSA-2002-055.0 2002-12-04
Debian DSA-146-2 2002-08-08
Debian DSA-146-1 2002-08-08

Local denial of service vulnerability in sendmail

Package(s):sendmail CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A local user can stop local mail delivery by holding an exclusive lock on files that sendmail opens; an exclusive lock can be taken on a descriptor opened read-only, so the user only needs permission to read a file such as /var/log/sendmail.st, which is world readable by default.

The problem is described in this advisory

Alerts:
Conectiva CLA-2002:xxx-1 2002-08-05

Off by one buffer overflow vulnerability in cvsd

Package(s):cvs CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: cvs version 1.11, and possibly earlier versions, has a locally exploitable off-by-one buffer overflow vulnerability. The details are available here.
Alerts:
SCO Group CSSA-2002-035.0 2002-08-08

Buffer overflow and format string vulnerabilities in ipppd

Package(s):i4l CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The ipppd program, in the i4l package, has various buffer overflows and format string bugs. Since ipppd is installed setuid to root, attackers with appropriate group membership may be able to execute arbitrary commands as root. The i4l package for ISDN connectivity is installed by default in at least one distribution; you are vulnerable even if you do not have an ISDN connection.

The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd.
Alerts:
SuSE SuSE-SA:2002:030 2002-08-12

Buffer overflow vulnerability in the Jabber plug-in module for gaim

Package(s):gaim CVE #(s):CAN-2002-0384 CAN-2002-0377
Created:August 14, 2002 Updated:September 11, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59 which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Mandrake MDKSA-2002:054-1 2002-09-05
Yellow Dog YDU-20020810-4 2002-08-10
Red Hat RHSA-2002:107-11 2002-08-05

Tcl/Tk local root vulnerability

Package(s):tcltk expect CVE #(s):CAN-2001-1374 CAN-2001-1375
Created:August 14, 2002 Updated:September 24, 2002
Description: Tcl/Tk searches for its libraries in the current working directory before other directories. A local user could execute arbitrary code as another user by placing a Trojan horse library in a directory from which that user runs a Tcl/Tk program.

Versions of the expect application prior to 5.32 search for their libraries in /var/tmp before searching in other directories. A local user could gain root privileges by placing a Trojan horse library in /var/tmp and then getting the root user to run mkpasswd.

Alerts:
Mandrake MDKSA-2002:060 2002-09-23
Eridani ERISA-2002:037 2002-08-14
Red Hat RHSA-2002:148-06 2002-08-12

Remotely exploitable vulnerabilities in l2tpd

Package(s):l2tpd CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: l2tpd, a layer 2 tunneling protocol client/server program, does not seed its random number generator, so every "random" value it produces is predictable; this oversight could lead to remote exploits. There is also a buffer overflow vulnerability. Both problems are fixed in the update below.
Alerts:
Debian DSA-152-1 2002-08-13

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests that carry a negative Content-Length value. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818
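The advisory text is all the page has on the wwwoffle bug, so what follows is an added example of the bug class rather than wwwoffle's code: a Content-Length parser of the shape that lets "-1" through, next to one that does not. Function names and the sample header values are made up. The naive version returns a signed int that becomes SIZE_MAX the moment it is used as a buffer or read length; the hardened one accepts only unsigned decimal digits, as the HTTP grammar requires, checks for overflow, and enforces a ceiling on the body the server is willing to accept.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* The shape of the bug class: atoi() happily parses "-1", the caller stores
 * the result in an int, and the first use as a length (malloc, read, a loop
 * bound) converts it to size_t, which for -1 is SIZE_MAX. */
size_t body_size_naive(const char *content_length)
{
    int len = atoi(content_length);
    return (size_t)len;
}

/* Hardened parser for Content-Length = 1*DIGIT (RFC 2616): optional
 * surrounding blanks, digits only (no sign, no hex, no trailing junk), no
 * overflow, and a caller-supplied ceiling on the body the server is willing
 * to accept. Returns false on anything else. */
bool content_length_parse(const char *value, size_t limit, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    while (*p == ' ' || *p == '\t') p++;
    if (!isdigit((unsigned char)*p)) return false;   /* "", "-1", "+5" stop here */
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE || n > limit) return false;
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return false;                  /* "12abc", "1 2" stop here */
    *out = (size_t)n;
    return true;
}

/* Convenience for callers that want a single value: the parsed length, or -1
 * when the header must be rejected (limit is assumed to fit in a long long). */
long long content_length_or_reject(const char *value, size_t limit)
{
    size_t n;
    return content_length_parse(value, limit, &n) ? (long long)n : -1;
}

/* Constructed header values (not captured traffic). With a 1 MiB ceiling
 * only "42", " 7 " and "0" pass; the rest are rejected. */
static const char *const sample_values[] = {
    "42", " 7 ", "0", "-1", "+5", "12abc", "18446744073709551616", "2000000",
};

int count_accepted(size_t limit)
{
    int ok = 0;
    size_t n;
    for (size_t i = 0; i < sizeof sample_values / sizeof sample_values[0]; i++)
        if (content_length_parse(sample_values[i], limit, &n)) ok++;
    return ok;
}
```

The ceiling matters as much as the sign check: a proxy that buffers request bodies should never let a client dictate an allocation of arbitrary size, negative or not.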

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Remote execution vulnerability in gallery

Package(s):gallery CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A remote attacker could execute commands under the uid of the web server by supplying the GALLERY_BASEDIR variable in a request. Gallery is a web-based photo album toolkit.
Alerts:
Debian DSA-138-1 2002-08-01

File exposure vulnerability in interchange

Package(s):interchange CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A problem has been discovered in interchange which may allow a remote attacker to read any file for which the user of the Interchange daemon has sufficient permissions. Interchange must be running in "INET mode" (internet domain socket) to be vulnerable. This is not the default setting, at least in Debian packages.

Interchange is an e-commerce and general HTTP database display system.

Alerts:
Debian DSA-150-1 2002-08-13

Remote arbitrary code execution vulnerability in mantis

Package(s):mantis CVE #(s):
Created:August 14, 2002 Updated:August 20, 2002
Description: Mantis is a PHP-based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in mantis.

When these are exploited, a remote user is able to execute arbitrary code under the web server's user id on the host running mantis.
Alerts:
Debian DSA-153-1 2002-08-14

Local root access vulnerability in super

Package(s):super CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A format string bug in super may allow a local user to gain unauthorized root access. Super is a setuid-root program that offers restricted setuid-root access to executables and a relatively secure environment for scripts.
Alerts:
Debian DSA-139-1 2002-08-01

Potential MIME encoded email arbitrary coded execution vulnerability

Package(s):mpack CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The munpack program is used in the Debian distribution for decoding binary files in MIME (Multipurpose Internet Mail Extensions) format mail messages. Eckehard Berns discovered a buffer overflow in munpack which may allow a maliciously formed email to run arbitrary code.
Alerts:
Debian DSA-141-1 2002-08-01

Potential arbitrary code execution vulnerability in tinyproxy

Package(s):tinyproxy CVE #(s):
Created:August 14, 2002 Updated:August 15, 2002
Description: Tinyproxy, a lightweight HTTP proxy, handles some invalid proxy requests incorrectly.

Under some circumstances, an invalid request may result in allocated memory being freed twice. This can potentially result in the execution of arbitrary code.
Alerts:
Debian DSA-145-1 2002-08-07

Denial of service vulnerability in xinetd

Package(s):xinetd CVE #(s):
Created:August 14, 2002 Updated:December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by the programs it starts, to crash xinetd. Xinetd is a replacement for the BSD-derived inetd.
Alerts:
Red Hat RHSA-2002:196-19 2002-12-02
Red Hat RHSA-2002:196-09 2002-10-14
Mandrake MDKSA-2002:053 2002-08-26
Gentoo xinetd-20020814 2002-08-14
Debian DSA-151-1 2002-08-13

Updated vulnerabilities

Heap corruption vulnerability in at

Package(s):at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2002-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16

Denial of service vulnerability in version 9 of BIND

Package(s):bind CVE #(s):CAN-2002-0400
Created:June 5, 2002 Updated:August 19, 2002
Description: Here is an advisory from the Computer Emergency Response Team (CERT) regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers a check within BIND and causes it to shut down. The vulnerability cannot be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea.

Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable.

News articles on the vulnerability appear in the Register and Network World Fusion News.

Alerts:
Mandrake MDKSA-2002:038-1 2002-08-15
Yellow Dog YDU-20020606-6 2002-06-06
Conectiva CLA-2002:494 2002-06-06
SuSE SuSE-SA:2002:021 2002-06-06
Mandrake MDKSA-2002:038 2002-06-04
Red Hat RHSA-2002:105-09 2002-06-04

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s):ethereal CVE #(s):CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created:June 12, 2002 Updated:October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
SCO Group CSSA-2002-037.0 2002-10-24
Conectiva CLA-2002:505 2002-07-04
Yellow Dog YDU-20020606-7 2002-06-06
Red Hat RHSA-2002:088-06 2002-06-04
Eridani ERISA-2002:023 2002-06-06

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13

Comments (none posted)

Buffer overflow in groff

Package(s):groff CVE #(s):CAN-2002-0003
Created:May 21, 2002 Updated:December 9, 2002
Description: The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.
Alerts:
SCO Group CSSA-2002-057.0 2002-12-06
Gentoo groff-20021019 2002-10-19
Yellow Dog YDU-20020127-11 2002-01-27
Trustix 2002-0020 2002-01-18
Red Hat RHSA-2002:004-06 2002-01-14
Mandrake MDKSA-2002:012 2002-02-07

Comments (none posted)

HylaFAX 4.1.3 fixes multiple vulnerabilities

Package(s):hylafax CVE #(s):CAN-2001-1034
Created:July 30, 2002 Updated:October 9, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
SuSE SuSE-SA:2002:035 2002-10-04
Mandrake MDKSA-2002:055 2002-08-28
Debian DSA-148-1 2002-08-12

Comments (none posted)

UW imapd remotely exploitable buffer overflow

Package(s):imap CVE #(s):CAN-2002-0379
Created:June 5, 2002 Updated:December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SuSE SuSE-SA:2002:048 2002-12-20
Trustix 2002-0054 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Yellow Dog YDU-20020606-1 2002-06-06
Red Hat RHSA-2002:092-11 2002-05-22
Mandrake MDKSA-2002:034 2002-05-27
Eridani ERISA-2002:018 2002-05-25
Conectiva CLA-2002:487 2002-05-24
SCO Group CSSA-2002-021.0 2002-05-15

Comments (2 posted)

Apache mod_ssl off-by-one local code execution and DoS vulnerability

Package(s):libapache-mod-ssl mod_ssl CVE #(s):CAN-2002-0653
Created:July 2, 2002 Updated:August 14, 2002
Description: Mod-ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously-crafted .htaccess file may be used by an attacker to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10 which is available from here.

For more information see the announcement.

Alerts:
Mandrake MDKSA-2002:048 2002-08-08
Yellow Dog YDU-20020801-1 2002-08-01
Eridani ERISA-2002:029 2002-07-25
SCO Group CSSA-2002-031.0 2002-07-16
Red Hat RHSA-2002:134-12 2002-07-16
EnGarde ESA-20020702-017 2002-07-02
Conectiva CLA-2002:504 2002-07-02
Debian DSA-135-1 2002-07-02

Comments (none posted)

libpng buffer overflow vulnerability

Package(s):libpng libpng2 libpng3 CVE #(s):
Created:July 17, 2002 Updated:August 19, 2002
Description: Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (i.e. mozilla), it is worth upgrading.

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
Alerts:
Eridani ERISA-2002:030 2002-07-25
Conectiva CLA-2002:512 2002-07-17

Comments (2 posted)

LPRng accepts jobs from any host.

Package(s):LPRng CVE #(s):CAN-2002-0378
Created:June 12, 2002 Updated:October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for administrators with systems exposed to the general public.

Alerts:
SuSE SuSE-SA:2002:040 2002-10-31
Mandrake MDKSA-2002:042 2002-07-04
Red Hat RHSA-2002:089-07 2002-06-09

Comments (none posted)

Mailman 2.0.11 fixes two cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2002-0388
Created:June 5, 2002 Updated:August 28, 2002
Description: Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version."
Alerts:
Debian DSA-147-2 2002-08-26
Debian DSA-147-1 2002-08-08
Red Hat RHSA-2002:101-06 2002-06-27
Red Hat RHSA-2002:099-04 2002-06-06
Red Hat RHSA-2002:100-03 2002-06-06
Conectiva CLA-2002:489 2002-05-24

Comments (none posted)

Temporary file vulnerability in mm library

Package(s):mm CVE #(s):CAN-2002-0658
Created:July 30, 2002 Updated:August 14, 2002
Description: The OSSP mm library (libmm) is frequently used in Apache setups using mod_ssl and/or mod_php. A temporary file vulnerability in OSSP mm library (libmm) before version 1.2.0 permits a local Apache user to gain privileges. It can be exploited to obtain root privilege in some circumstances.

Upgrading sooner, rather than later, is recommended.

Alerts:
Yellow Dog YDU-20020810-2 2002-08-10
Red Hat RHSA-2002:156-04 2002-08-05
SuSE SuSE-SA:2002:028 2002-07-31
Debian DSA-137-1 2002-07-30
SCO Group CSSA-2002-032.0 2002-07-30
Red Hat RHSA-2002:153-07 2002-07-30
OpenPKG OpenPKG-SA-2002.007 2002-07-30
Mandrake MDKSA-2002:045 2002-07-29

Comments (none posted)

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Comments (1 posted)

Mozilla XMLHttpRequest file disclosure vulnerability

Package(s):mozilla CVE #(s):CAN-2002-0354
Created:May 21, 2002 Updated:October 18, 2002
Description: This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).
Alerts:
Red Hat RHSA-2002:192-13 2002-10-09
Red Hat RHSA-2002:079-13 2002-05-13
Conectiva CLA-2002:490 2002-05-29

Comments (none posted)

String format bug in pam_ldap logging

Package(s):nss_ldap CVE #(s):CAN-2002-0374
Created:June 5, 2002 Updated:October 29, 2002
Description: The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism.
Alerts:
SCO Group CSSA-2002-041.0 2002-10-28
Yellow Dog YDU-20020606-2 2002-06-06
Red Hat RHSA-2002:084-17 2002-05-26
Eridani ERISA-2002:019 2002-05-28

Comments (none posted)

OpenSSL remotely-exploitable buffer overflow vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created:July 30, 2002 Updated:September 24, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27 Apache/mod_ssl Worm.

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

If you haven't already, applying an update is a very good thing to do today.

Mitel Networks has an update available which closes this vulnerability for their SME Server software.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Alerts:
SuSE SuSE-SA:2002:033 2002-09-19
Debian DSA-136-2 2002-09-15
Yellow Dog YDU-20020810-1 2002-08-10
Conectiva CLA-2002:516 2002-08-08
EnGarde ESA-20020807-020 2002-08-07
Mandrake MDKSA-2002:046-1 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Eridani ERISA-2002:034 2002-08-06
Yellow Dog YDU-20020801-3 2002-08-01
SCO Group CSSA-2002-033.0 2002-07-31
Gentoo openssl-20020730 2002-07-30
Eridani ERISA-2002:033 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Mandrake MDKSA-2002:046 2002-07-30
Conectiva CLA-2002:513 2002-07-31
Red Hat RHSA-2002:155-11 2002-07-29
Trustix 2002-0063 2002-07-29
OpenPKG OpenPKG-SA-2002.008 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
Debian DSA-136-1 2002-07-30

Comments (none posted)

Remotely exploitable vulnerability in pine

Package(s):pine CVE #(s):CAN-2002-0014
Created:May 21, 2002 Updated:November 27, 2002
Description: Pine has an unpleasant vulnerability in URL handling which can lead to command execution by remote attackers. (First LWN report: January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

Alerts:
SuSE SuSE-SA:2002:046 2002-11-25
Yellow Dog YDU-20020127-8 2002-01-27
Slackware sl-1010936849 2002-01-13
Red Hat RHSA-2002:009-06 2002-01-14
EnGarde ESA-20020114-002 2002-01-14
Conectiva CLA-2002:460 2002-01-31

Comments (none posted)

Sharutils potential privilege escalation using uudecode

Package(s):sharutils CVE #(s):CAN-2002-0178
Created:May 21, 2002 Updated:October 31, 2002
Description: According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
Alerts:
Gentoo 200210-012 2002-10-30
SCO Group CSSA-2002-040.0 2002-10-28
Mandrake MDKSA-2002:052 2002-08-14
Yellow Dog YDU-20020522-4 2002-05-22
Red Hat RHSA-2002:065-13 2002-05-14
Eridani ERISA-2002:014 2002-05-16

Comments (none posted)
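The missing check the CVE entry above describes, written as an added example rather than sharutils code: the output name is opened in a way that refuses a symlink, a FIFO or a device node, and the verification is done on the opened descriptor so there is no lstat()/open() window. The self-test builds its own fixtures under a constructed /tmp directory.

```c
/* Added example (not sharutils code): open a decoder's output file while
 * refusing a symlink, FIFO or device node planted at the output name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns a writable fd on a regular file, or -1 with errno set.
 * O_NOFOLLOW refuses a symlink in the final path component (ELOOP).
 * O_NONBLOCK makes open() on a FIFO with no reader fail (ENXIO) instead of
 * hanging the decoder. fstat() on the descriptor catches whatever is left
 * (a FIFO that does have a reader, a device node such as /dev/null), and
 * checking the descriptor rather than the name avoids the lstat/open race. */
int open_output_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_NONBLOCK,
                  0644);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    /* Now that it is known to be a regular file, drop O_NONBLOCK again. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Constructed fixtures: a throwaway directory holding a regular file, a
 * symlink to it and a FIFO. Returns how many of the four checks behaved as
 * expected (4 when all pass), or -1 if the fixtures could not be built. */
int open_output_selftest(void)
{
    char dir[] = "/tmp/uuout-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char reg[64], lnk[64], fifo[64], fresh[64];
    snprintf(reg, sizeof reg, "%s/plain", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);
    snprintf(fresh, sizeof fresh, "%s/new", dir);

    int passed = 0, fd;

    /* 1. an existing regular file is accepted */
    fd = open(reg, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0)
        close(fd);
    if ((fd = open_output_safely(reg)) >= 0) {
        passed++;
        close(fd);
    }
    /* 2. a symlink at the output name is refused */
    if (symlink(reg, lnk) == 0 && open_output_safely(lnk) == -1)
        passed++;
    /* 3. a FIFO at the output name is refused, without blocking */
    if (mkfifo(fifo, 0600) == 0 && open_output_safely(fifo) == -1)
        passed++;
    /* 4. a name that does not exist yet is created normally */
    if ((fd = open_output_safely(fresh)) >= 0) {
        passed++;
        close(fd);
    }

    unlink(reg); unlink(lnk); unlink(fifo); unlink(fresh); rmdir(dir);
    return passed;
}

int main(void)
{
    printf("self-test: %d of 4 checks passed\n", open_output_selftest());
    printf("/dev/null as output: %s\n",
           open_output_safely("/dev/null") == -1 ? "refused" : "accepted");
    return 0;
}
```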

Multiple vulnerabilities fixed in Squid-2.4.STABLE7

Package(s):squid CVE #(s):
Created:July 8, 2002 Updated:November 15, 2002
Description: Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7. Several of the bugs are believed to allow remote code execution.

The security advisory lists the following changes:

  • Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus.
  • Security fixes in how Squid parses FTP directory listings into HTML
  • FTP data channels are now sanity checked to match the address of the requested FTP server. This to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired.
  • The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper.
  • A security issue in how Squid forwards proxy authentication credentials has been fixed
Alerts:
SCO Group CSSA-2002-046.0 2002-11-14
Eridani ERISA-2002:031 2002-07-26
Mandrake MDKSA-2002:044 2002-07-17
Trustix 2002-0062 2002-07-15
SuSE SuSE-SA:2002:025 2002-07-09
Conectiva CLA-2002:506 2002-07-05

Comments (none posted)

Malformed NFS packet buffer overflow vulnerability in tcpdump

Package(s):tcpdump CVE #(s):CAN-2002-0380
Created:June 5, 2002 Updated:October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Alerts:
Red Hat RHSA-2002:094-16 2002-10-04
Yellow Dog YDU-20020606-3 2002-06-06
Trustix 2002-0055 2002-06-05
SCO Group CSSA-2002-025.0 2002-06-04
Conectiva CLA-2002:491 2002-06-05
Red Hat RHSA-2002:094-08 2002-05-29
Eridani ERISA-2002:020 2002-05-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

Multiple vulnerabilities in SNMP implementations

Package(s):ucdsnmp ucd-snmp CVE #(s):CAN-2002-0012 CAN-2002-0013
Created:May 21, 2002 Updated:September 17, 2002
Description: Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).
Alerts:
Red Hat RHSA-2002:036-26 2002-09-12
Yellow Dog YDU-20020211-1 2002-02-11
Red Hat RHSA-2001:163-20 2002-02-12
Mandrake MDKSA-2002:014 2002-02-15
Debian DSA-111-2 2002-02-28
Debian DSA-111-1 2002-02-14
Conectiva CLA-2002:462 2002-02-14
SCO Group CSSA-2002-004.0 2002-01-22

Comments (none posted)

Local root vulnerability in chfn

Package(s):util-linux CVE #(s):CAN-2002-0638
Created:July 30, 2002 Updated:October 31, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the Bindview Advisory.

Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.

CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Alerts:
SCO Group CSSA-2002-043.0 2002-10-29
Conectiva CLA-2002:523 2002-09-12
Mandrake MDKSA-2002:047 2002-08-08
Yellow Dog YDU-20020801-4 2002-08-01
Trustix 2002-0064 2002-07-30
Red Hat RHSA-2002:132-14 2002-07-29
Eridani ERISA-2002:032 2002-07-29

Comments (none posted)

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 21, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report:  April 18th, 2002).
Alerts:
Yellow Dog YDU-20030127-4 2003-01-27
Red Hat RHSA-2002:254-05 2002-12-04
SCO Group CSSA-2002-036.0 2002-10-22
EnGarde ESA-20020423-009 2002-04-23
Conectiva CLA-2002:476 2002-04-26

Comments (none posted)

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
SCO Group CSSA-2003-002.0 2003-01-09
Yellow Dog YDU-20020522-7 2002-05-22
Mandrake MDKSA-2002:033 2002-05-21

Comments (1 posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. The advice given on November 28th was to disable the libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Comments (1 posted)

xchat IRC server based dns query vulnerability

Package(s):xchat CVE #(s):CAN-2002-0382
Created:June 5, 2002 Updated:September 24, 2002
Description: A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable.
Alerts:
Conectiva CLA-2002:526 2002-09-23
Mandrake MDKSA-2002:051 2002-08-14
Yellow Dog YDU-20020606-5 2002-06-06
Eridani ERISA-2002:021 2002-06-05
Red Hat RHSA-2002:097-08 2002-06-04

Comments (none posted)

Resources

Linux Security Week and Advisory Watch

The August 12th Linux Security Week and August 9th Linux Advisory Watch newsletters from LinuxSecurity.com are available.

Comments (none posted)

Xprobe2 - Tool & Paper release

Ofir Arkin announces the release of the Xprobe2 source code and white paper (PDF format). The code is licensed under the GPL.

Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database.

Full Story (comments: none)

Nmap 3.00 Released

Fyodor announces the release of Nmap Security Scanner version 3.00.

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most UNIX and Windows platforms are supported in both GUI and command-line modes.

Full Story (comments: none)

The Security Digest Archives

The 'Security Digest' Archives is attempting to build "a history of the early 'Security Digest' archives, from the Unix 'Security Mailing List', through the Zardoz 'Security Digest' to the Core 'Security List'." If you're interested in contributing, or just curious, please take a look.

Comments (none posted)

Events

CodeCon 2003 Call for Papers

CodeCon 2003 will be held February 2003 in San Francisco CA, USA. The deadline for papers and proposals is December 1, 2002.

Full Story (comments: none)

HiverCon 2002, Ireland - Earlybird registration now available

HiverCon 2002 is scheduled for November 26th and 27th, 2002 in Dublin Ireland.

Full Story (comments: none)

Upcoming Security Events

Date | Event | Location
August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | Hyatt Regency, Calgary, Alberta, Canada
August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea
September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia
September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | The Chamberlain Hotel, Hampton, Virginia, USA
September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | University of Idaho, Moscow, Idaho, USA
September 26 - 27, 2002 | HiverCon 2002 | Hilton Hotel, Dublin, Ireland
September 27 - 29, 2002 | ToorCon 2002 | San Diego Concourse, San Diego, CA, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Comments (none posted)

Page editor: Dennis Tenney

Kernel development

Brief items

Current release status

The current development kernel is 2.5.31, released by Linus on August 10. It includes an ISDN update, more driverfs work, a JFS update, a lot of ethernet driver updates, a number of ARM, Alpha, and SPARC64 updates, and more. This tree also includes the "User-mode Linux preparation" patches, which make various changes to core code needed by UML - but UML itself has not yet been merged. The long format changelog is available for people wanting the details.

Linus's BitKeeper tree - which will become 2.5.32 - currently contains Andrew Morton's controversial "printk from userspace" patch (to support boot-time message logging), the pthreads-support patches from Ingo Molnar (see below), more device model/driverfs work, a new realtime clock driver, some USB update, and the usual pile of fixes.

The latest 2.5 kernel status summary from Guillaume Boissiere is dated August 14.

The current stable is still 2.4.19. Marcelo released 2.4.20-pre2 on August 12; it includes a big S/390 update, a ReiserFS update, a number of small VM tweaks, some new netfilter modules, the "block I/O from high memory" patch, a set of NFS updates, and a very long list of other fixes and updates.

The current prepatch from Alan Cox is 2.4.20-pre2-ac2; the main item of interest in this patch is the merging of LVM2, the new Linux volume manager implementation.

Comments (none posted)

Kernel development news

Making Linux safe for pthreads

The Linux kernel has long been criticized for its thread support. This criticism is surprising to some, since the Linux clone() system call provides a great deal of flexibility in the creation of threads that share resources with their parent process. But clone() is not enough to allow Linux to fully support the Posix thread (pthreads) standard with good performance - especially for applications which create thousands of threads.

And such applications do exist. A lot of kernel hackers dismiss highly threaded applications as being poorly written - having more threads than processors on the system is almost always a loss from a performance point of view, and truly robust thread programming is difficult. But Linux must support what users want to do, or they will use a different system. This week has seen the culmination of quite a bit of work aimed at improving the kernel's basic thread support.

The push to improve thread support began some months ago with Rusty Russell's "Futex" (fast user-space mutex) patch. Futexes allow the implementation of pthread mutexes and condition variables in a fast manner that only requires a system call when there is contention. This patch was merged in 2.5.7 and has been refined since then.

More recently, Ingo Molnar has been working on thread support issues. His first thread-local storage (TLS) patch was posted on July 25; it was merged in 2.5.29 and is still being hacked upon. The purpose of TLS, of course, is to give each thread access to a region of memory which is not shared with all other threads. Ingo's patch, which is implemented only for the x86 architecture, supports TLS with the following changes:

  • Doing thread-local storage right on the x86 requires using the segment mechanism. The patch sets aside a few entries in the processor's global descriptor table (GDT) to implement the TLS segments. The most recent patch as of this writing (tls-2.5.31-D9) creates three segments: one for glibc (and, thus, pthreads), one for Wine, and one unassigned.

  • A new set_thread_area() system call allows library code to set up thread-local storage using one of the TLS segments.

  • At every context switch, the kernel copies the new process's TLS entries into the appropriate part of the GDT.

With these changes, each thread can have its own, transparent, local storage area. There was just one last complication: the x86 GDT was global and shared on SMP systems. So Ingo had to create a separate GDT for each processor, with the interesting result that context switches got a little faster.

Next problem: what if you want to create lots of threads in a quick and safe manner? The classic Unix fork() system call has a problem in that the newly-created child process could exit before the process ID is ever returned to the parent; if the parent loses this race, it can be left in a position where it no longer knows what is going on with its children. This problem can be worked around, but the workaround involves more system calls, which slow down thread creation.

Ingo's solution comes in the form of a couple of new flags to the clone() system call. The pthread library can throw in CLONE_SETTID, which causes the process ID of the new thread to be written back to a variable in the parent's address space before the new thread begins running. There is also a CLONE_SETTLS flag which causes the equivalent of a set_thread_area() call to happen as well. The result is a robust way of creating new threads with a single system call.

Finally, the pthreads code has a couple of issues to deal with when threads die. The stack used by the thread must be deallocated - and the dying thread can not do that itself. With enough system calls, pthreads handles that now, but thread exit should really be a lightweight event, and a system call-heavy solution defeats that purpose.

Much of the overhead can be eliminated if the thread library can be told about thread exit without the usual SIGCHLD signal - signals are expensive. The new pthreads code can do that with the futex mechanism - almost. It is still difficult to know, without a signal, when the thread has truly finished using its stack, so that said stack can be freed. If the stack gets freed before the thread is done with it, the result is a big mess and a new interest on the developer's part in Windows threading packages; this outcome needs to be avoided.

Ingo's first attempt to solve this problem was through the addition of an exit_free() system call, which would simply write a special value in the parent's address space to indicate that the stack could be freed. Linus, however, called this patch "too ugly to live." After some discussion, the solution that emerged was to add another clone() flag: CLONE_RELEASE_VM. If a thread is created with that flag, a word is set aside at the top of the thread's stack. When the thread releases its current virtual memory - by exiting, or by execing another program - that word is written with a flag value. The parent can see that value and know that the stack can be freed.

Finally, Ingo has posted yet another patch implementing the CLONE_DETACHED flag. If a thread is created with that flag, no signal is sent to the parent process when the thread exits. This solution is faster than having the parent simply ignore SIGCHLD, and also does not require the parent to do without notification for all of its children.

The other half of all this work, of course, is a new pthreads library that actually uses all of these new features. The code is in progress and will be part of a future glibc release. Then, maybe, people will stop complaining about thread support in Linux.
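The creation and exit path described above, as an added example that is not from the article or from Ingo's patches: later mainline kernels shipped this design under the names CLONE_PARENT_SETTID (the new thread's ID is stored in the parent's memory before the thread runs) and CLONE_CHILD_CLEARTID (the kernel zeroes that word and does a futex wake when the thread releases its memory). The program below creates a thread with a raw clone() call and uses the cleared word, not SIGCHLD, as the signal that the thread's stack can be freed; the work done by the thread is a constructed placeholder.

```c
/* Added example: thread creation and signal-free exit notification with
 * clone() flags, using the names the mainline kernel eventually adopted. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/futex.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define STACK_SIZE (256 * 1024)

struct thread_ctl {
    pid_t tid;    /* kernel-maintained: set at creation, zeroed at thread exit */
    int result;   /* produced by the thread body */
};

/* Runs on the cloned thread's own stack. It shares the parent's TLS segment
 * (no set_thread_area() here), so it must not make libc calls that touch
 * per-thread state such as errno. */
static int thread_body(void *arg)
{
    struct thread_ctl *ctl = arg;
    ctl->result = 42;   /* constructed stand-in for real work */
    return 0;           /* glibc's clone() wrapper issues exit() for the thread */
}

static long futex_wait(pid_t *addr, pid_t expected)
{
    return syscall(SYS_futex, addr, FUTEX_WAIT, expected, NULL, NULL, 0);
}

/* Creates one thread, waits for its exit through the tid word, frees the
 * stack only once that word reads zero, and returns the thread's result
 * (or -1 on failure). */
int spawn_and_join(void)
{
    void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED)
        return -1;

    struct thread_ctl ctl = { .tid = 0, .result = 0 };
    int flags = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD
              | CLONE_SYSVSEM | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
    /* No termination signal in the low byte of flags: no SIGCHLD is sent. */
    pid_t tid = clone(thread_body, (char *)stack + STACK_SIZE, flags, &ctl,
                      &ctl.tid, NULL, &ctl.tid);
    if (tid == -1) {
        munmap(stack, STACK_SIZE);
        return -1;
    }

    /* ctl.tid was filled in before the thread first ran, so there is no race
     * with an early exit. Sleep on the word until the kernel zeroes it; a
     * FUTEX_WAIT that returns EAGAIN means the value already changed. */
    for (;;) {
        pid_t cur = __atomic_load_n(&ctl.tid, __ATOMIC_ACQUIRE);
        if (cur == 0)
            break;
        futex_wait(&ctl.tid, cur);
    }

    /* The kernel clears the word only after the thread has stopped using
     * its stack, so unmapping here is safe. */
    munmap(stack, STACK_SIZE);
    return ctl.result;
}

int main(void)
{
    printf("thread result: %d\n", spawn_and_join());
    return 0;
}
```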

Comments (5 posted)

Memory management and patents

Linux VM hackers are engaged in ongoing discussions on both large page support (covered last week) and improving the performance of the new reverse mapping mechanism. That conversation slowed down, however, when Alan Cox pointed out that a number of the techniques being discussed are covered by SGI patents. In fact, a closer look by Daniel Phillips shows that a number of existing Linux technologies, including reverse mapping in general and the buddy allocator, are covered by these patents. This is a problem, he said, that we can't ignore.

That was Linus's cue to jump in with his policy on software patents and kernel code:

I do not look up any patents on _principle_, because (a) it's a horrible waste of time and (b) I don't want to know.

The fact is, technical people are better off not looking at patents. If you don't know what they cover and where they are, you won't be knowingly infringing on them. If somebody sues you, you change the algorithm or you just hire a hit-man to whack the stupid git.

Linus followed up with a note that the above "may not be legally tenable advice." But he sticks by his point that, anymore, it's impossible to write an interesting program without running into somebody's patent. Rather than worry about it, it's better to just proceed and deal with any problems as they emerge.

This is probably the only rational approach; otherwise kernel hackers would go nuts trying to find and avoid all of the applicable patents. It's probably only a matter of time, though, until one of these patents bites the kernel in a big way - at least in the U.S. Those are the times we live in, though.

Comments (8 posted)

NFSv4 is coming

The integration of an NFS version 4 implementation into the Linux kernel got one step closer this week when Kendrick Smith announced the availability of a set of patches for 2.5.31. These patches are not for casual users quite yet - there are 38 of them, they only implement a small part of the NFSv4 protocol, and a fair amount of work is needed to get it all going. The purpose of this set of patches is to get a conversation started toward the merging of NFSv4 into the kernel. Once the minimal code is in, the rest of the protocol (which works in a 2.4 version of the patch) can be ported forward and merged.

Comments (none posted)

Patches and updates

Kernel trees

  • Marc-Christian Petersen: WOLK v3.5 FINAL, Codemane 'Fin' alias 'Birthday Release'. "Also I am a kind of happy that this is the last release of the 'Working Overloaded Linux Kernel', because I don't have the time that WOLK needs for further good development." (August 14, 2002)

Core kernel code

  • john stultz: tsc-disable_B9. "This patch enables a workaround for multi-node NUMA systems that are experiencing gettimeofday returning "old" time values." (August 9, 2002)
  • Erich Focht: ACPI_NUMA for SRAT/SLIT table parsing. "The attached patch implements the parsing of the ACPI SRAT (Static Resource Affinity Table) and SLIT (System Locality Information Table) which are meanwhile the standard for providing NUMA information on IA64 platforms and started to spread on IA32, too." (August 12, 2002)

Miscellaneous

  • H. Peter Anvin: klibc development release. "klibc is a tiny C library subset intended to be integrated into the kernel source tree and being used for initramfs stuff." (August 9, 2002)

Page editor: Jonathan Corbet

Distributions

News and Editorials

icepack linux

Icepack Linux is a built-from-scratch, easy-to-use desktop distribution. Adrian Hilgardth is the father, maintainer and main developer of icepack linux. There have been a few recent changes at the icepack website, including Adrian's Corner, with articles intended for Linux beginners, computer newbies, and Windows users taking their first steps. A French language web site has joined the existing German web site. Icepack is currently at version 2.5, and a new i3 development site is now available to track the road to version 3.0.

Graham Todd has written a review of icepack linux 2.5. "First, Icepack-Linux 2.5 is a desktop distro. It comes without a hint of Apache in sight, but it comes with more games than I've ever seen in a Linux release. Almost two A4 pages of titles make up the list, and whilst I am not a games player and so can only go on the standard of games I tried from the list, they're not bad. To get a better selection, you're going to have to use WineX, which can be downloaded separately from the Codeweavers website."

Comments (1 posted)

Technical Bulletin #12 - Getting started with uClinux

This technical bulletin by Snap Gear's David McCullough provides an introduction for embedded developers to familiarize themselves with uClinux, embedded Linux for deeply embedded microprocessors.

Comments (none posted)

Xandros nears first release: set to announce at LinuxWorld (DesktopLinux)

Here's an interview with Xandros president Michael Bego and Dr. Frederick Berenstein, co-chairman of Linux Global Partners (the financial backer of Xandros), on DesktopLinux.com. "Bego said . . . 'Xandros 1.0 will appear in late September or early October. Our beta users say Beta 2 was one of the best solutions out there. We currently have about 25 developers on the team . . . We expect to be among the first crop of profitable Linux companies . . . Mandrake is more oriented toward hobbyist users. Our emphasis is on one-button control, and the creation of a quality Linux product that corporations won't have difficulty introducing into their environment. Lycoris is heading in a great direction, but they're primarily packaging Open Source components. Between Xandros and Corel, we've invested $32 million above and beyond that, and it shows'..."

Comments (none posted)

Distribution News

The first three LSB-certified distributions

The Linux Standard Base has been official for some time, but, thus far, there have been no distributions that have truly implemented the standard. That has now changed with this press release from the Free Standards Group: MandrakeSoft, Red Hat, and SuSE all now have distributions which have achieved LSB certification.

Comments (11 posted)

Debian GNU/Linux

The Debian Weekly News for August 6 is out; it looks at HP's DMCA threat, backing up Debian systems, Sarge CD images, the lack of truly free truetype fonts, and more.

The Debian Weekly News for August 13 is also available. This week's issue contains a Free Software licensing quiz, a compiled list of reasons to avoid certain non-free systems, and more.

Comments (none posted)

Mandrake Linux

The second Beta of Mandrake Linux 9.0 is available for download and testing.

The Mandrake Linux Community Newsletter, Issue #53 and Issue #54 are available.

Comments (none posted)

Yellow Dog Linux

Terra Soft Solutions, Inc., makers of Yellow Dog Linux, announced the availability of Apple computers with Yellow Dog Linux pre-installed.

The version of netatalk that shipped with Yellow Dog Linux 2.3 was misconfigured. The location of the netatalk configuration file did not match the location of that file passed at compile time. Read more.

The version of python2 that shipped with Yellow Dog Linux 2.3 did not specify an rpm 'provide' for /usr/bin/python2. This causes some problems when using the 'apt' utility to install or update software requiring python2.

The latest revision of the Apple Titanium PowerBook G4 has a new natural resolution and video card. This update adds initial information about the new revision to the Xconfigurator monitor database. Here is a solution to the problem.

Comments (none posted)

ASPLinux

ASPLinux has announced (in Russian) the release of ASPLinux 7.3 (vostok). You can find some additional details at the DistroWatch ASP Linux page.

Comments (none posted)

Red Flag Linux

Red Flag Linux has announced (in Chinese) the release of Red Flag Linux Desktop 3.2 beta.

Comments (none posted)

New Distributions

Cool Linux CD

Cool Linux CD is a bootable CD that contains a live Linux distribution based on Red Hat 7.3. It also includes the XFS filesystem, devfs, IceWM, QVWM, ROX-filer, OpenOffice.org, Opera, Mozilla, Sylpheed, Pan, Licq, X-chat, GFTP, ppp-redialer, xmms, xine, mplayer, gqview, LinNeighborhood, IPTraffic, VMWare, and more. Version 1.30a was just released.

Comments (none posted)

Linuxin GNU/Linux

Linuxin GNU/Linux is a new distribution from Spain. The recently released version 1.0 is based on Debian woody, with some additional ease-of-use features, like a graphical installer and autodetection and configuration of hardware. Found on DistroWatch.

Comments (none posted)

UHU-Linux

UHU-Linux is a Hungarian distribution. Now at beta 4, this distribution is aimed at beginners. It is based partly on Mandrake, features fully automatic hardware detection, and is dpkg-based. Found on DistroWatch.

Comments (none posted)

Minor distribution updates

Arch Linux

Arch Linux has released version 0.3 (firefly) with major feature enhancements.

Comments (none posted)

Astaro Security Linux

Astaro Security Linux has released 3.203 with major security fixes. Bug fix releases 3.204 and 3.205 are also out now.

Comments (none posted)

The Aurora SPARC Linux Project

The Aurora SPARC Linux Project has announced the release of Build 0.31 (Phoenix Rising). This build is mostly 0.3, with some minor bugfixes and sparc64 isos.

Full Story (comments: none)

Debian-Ham

Debian-Ham has released v0.4 with major bug fixes.

Comments (none posted)

floppyfw

floppyfw has released floppyfw-1.9.99. See the change log for details.

Comments (none posted)

MkLinux

MkLinux has a new release candidate, Pre-R2. Changes between Pre-R1 and Pre-R2 can be found here.

Comments (none posted)

The openMosix Project

The openMosix Project has announced that the port of openMosix to kernel version 2.4.19 has been released.

Full Story (comments: none)

PXES Linux Thin Client

PXES Linux Thin Client has released version 0.5-RC10. Support for many network devices was added with this release.

Comments (none posted)

Trustix Secure Linux bug fix advisories

Here is a minor bug fix for the samba package. The previous package did not create the /var/cache/samba directory and therefore browsing did not work. Fixed in this package.

This openssl patch fixes a typo in the previous patch.

Comments (none posted)

Distribution reviews

Friendly Linux Alternative to Windows (PC World)

Lycoris Desktop/LX receives a favorable review from PC World magazine. "Looking for an inexpensive, simple-to-use alternative to the Windows operating system? Linux may leap to mind, but since Corel abandoned its effort, no vendor has concentrated strictly on making Linux friendly enough for newbies. Now, the $30 Desktop/LX distribution from upstart Lycoris demonstrates that Microsoft's monopoly on friendly operating systems for the PC could be coming to a close."

An older review on PC World UK gives Desktop/LX four out of five stars.

Comments (none posted)

Another Look at Yellow Dog Linux (LowEndMac)

Here is a review of Yellow Dog Linux on LowEndMac. "The list of included applications is impressive -- arguably you'd never need to install another package, but the problem is that the Mac applications which we've all grown used to are not available. GIMP offers Photoshop users a similar interface and most of the functions they're used to, but it lacks the ability to handle CMYK separations, and so is of no use in professional print scenarios."

Comments (none posted)

Page editor: Rebecca Sobol

Development

System Applications

Audio Projects

Rosegarden-4 v0.2.0

A pre-beta release of the Rosegarden-4 version 0.2.0 sequencer and music notation editor for KDE has been released. "This is a pre-beta release and while not yet stable enough for end-users it has many interesting features and is suitable for Audio and MIDI recording, playback and editing and notational composition." The project works with the JACK Audio Connection Kit.

Full Story (comments: none)

Ogg Traffic for August 8, 2002

The August 8, 2002 edition of Ogg Traffic covers the latest developments in the Ogg Vorbis audio compression project.

Comments (none posted)

Embedded Systems

Matchbox -- a Small Footprint Window Manager for Embedded Devices

LinuxDevices introduces the Matchbox window manager. "In this technical article, Matchbox project leader Matthew Allum introduces his creation: a small footprint window manager for PDAs and other resource-constrained embedded devices. Allum recalls why he decided to embark on the project, outlines its key objectives, describes its architecture and unique characteristics, and ponders its future."

Comments (none posted)

Printing

HP OfficeJet Linux driver version 0.90

Version 0.90 of the HP OfficeJet Linux driver is available. Changes include "new and improved support for scanning, photo-card access, CUPS printing, and FreeBSD". LinuxPrinting.org covers the release in more detail.

Comments (none posted)

LPRng-3.8.15 released

Version 3.8.15 of the LPRng print spooler system is available. The release notes are distributed with the source code.

Comments (none posted)

Web Site Development

mnoGoSearch 1.63 released

Version 1.63 of the MnoGoSearch web site search engine is available. A new version of MnoGoSearch-php is also available.

Comments (none posted)

Zope Members News

This week, new software on the Zope Members News includes QuickLinks-0.1.2, EasyLanguageService 0.0.1 (beta), 30 Zope RPM packages for Mandrake, ZUBB 0.7.5, My Zope 0.2, CMF 1.3, and more.

Comments (none posted)

Getting started with freeVSD (IBM developerWorks)

Joe Brockmeier introduces freeVSD on IBM's developerWorks. "In this article Joe Brockmeier looks at freeVSD, a "virtual server daemon" for Linux that allows multiple virtual servers to operate on one physical machine. Each virtual server has its own separate Web-hosting environment. This is typically used for hosting, but it can also be deployed to allow one machine to serve as a development testbed for several developers."

Comments (none posted)

Writing Apache Modules (Dr. Dobb's)

L. Blunt Jackson discusses the writing of Apache modules on Dr. Dobb's. "In this article, I'll present a module for Apache 1.3 (the most commonly used flavor), illustrating key points of Apache design along the way. I'll then upgrade the module to Apache 2.0, recently released as the current production version."

Comments (none posted)

Miscellaneous

Restoring the transparent network, Part 1 (IBM developerWorks)

Todd E. Sundsted writes about network transparency issues on IBM's developerWorks. "Distributed applications benefit from network transparency. Unfortunately, many common network devices -- like firewalls and NAT gateways -- destroy network transparency, often at the edge of the network where the potential for innovative distributed applications is greatest. In this article, veteran Java programmer Todd Sundsted explains how network transparency can be compromised by these devices, and then lays the foundation for a solution."

Comments (none posted)

New CORBA 3.0 and CCM 3.0 specs

The Object Management Group has released new CORBA 3.0 and CCM 3.0 specifications, which are available here. Click below for a description of the specification changes. Thanks to Karel Gardas.

Full Story (comments: none)

Desktop Applications

Desktop Environments

GNOME 2.0.1 Desktop Release Candidate 1

Version 2.0.1 RC 1 of the GNOME Desktop has been announced. "The GNOME 2.0.x Desktop releases are devoted to bugfixes, translations, user interface consistency, and general polish of our major 2.0 Desktop release. In this release, you'll see the results of our user interface review, and continued performance and stability fixes".

Comments (none posted)

Developing Gnome Apps with Glade and Anjuta - Part 2

Part Two of Eddy Ahmed's tutorial on Developing Gnome Apps with Glade and Anjuta has been published.

Comments (none posted)

Interoperability

Wine 20020804 developers release

A new developers release of Wine, dated 20020804, has been announced. The new features include:
  • The beginnings of an IDL compiler.
  • Several new winedbg features.
  • More OLE and shell improvements.
  • NAS and AudioIO sound drivers.
  • Still more Sparc portability fixes.
  • Lots of bug fixes.

Comments (none posted)

Wine Weekly News

The August 7, 2002 edition of the Wine Weekly News looks at Wine20020804, CrossOver Office 1.2, WineX 2.1, Xandros beta 3, and a DIB Engine Update.

Comments (none posted)

Office Applications

AbiWord Weekly News #104

Issue #104 of the AbiWord Weekly News is out, with the latest AbiWord development news. If you missed it, last week's edition is also available.

Comments (none posted)

Kernel Cousin GNUe #41

Issue #41 of Kernel Cousin GNUe is out, with the latest GNU enterprise developments.

Comments (none posted)

Gnumeric 1.1.7 available

Version 1.1.7 of the Gnumeric spreadsheet has been released. This release features UI improvements, better Excel exports, bug fixes, and more.

Full Story (comments: none)

KDE Ships Release Candidate of Integrated Office Suite (KDE.News)

KDE.News has an announcement for KOffice 1.2 rc1, the last test release before the 1.2 version. A number of bug fixes and stability enhancements are included.

Comments (none posted)

OpenOffice license changes

The OpenOffice project has adopted the Public Documentation License (PDL) for its documentation, and has changed to a new Joint Copyright Assignment (JCA) for software developers. "Under the JCA, developers may now also keep all rights to any code and related material they commit to the source. Everyone benefits from this strategy: developers may do as they please with their code and at the same time a single, coherent entity jointly holds the copyright for the OpenOffice.org source."

Full Story (comments: none)

Web Browsers

MozillaZine News

MozillaZine looks at the OEone HomeBase Desktop, a list of Mozilla's accomplishments in 2001, the creation of the Mozilla 1.1 branch, changes to the Bugzilla search interface, and more.

Comments (none posted)

Mozilla.org status update

The Mozilla.org status report for August 3, 2002 covers the latest Mozilla development news.

Comments (none posted)

Miscellaneous

GnomeICU 0.99 alpha 1 for Gnome 2 is out!

Gnotices has an announcement for version 0.99 alpha 1 of the GnomeICU ICQ package. "This is the first release of GnomeICU for the Gnome 2 platform. It contains lots of nice improvements like a GtkTreeView of the groups, full group support, a nice Gnome 2 applet, customizable emoticons and its even possible to connect to AIM with it..."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The Caml Weekly News for July 23 through August 14, 2002 has been published. Take a look for the latest Caml developments.

Full Story (comments: none)

The Caml Hump

This week's entries on The Caml Hump include the OCaml module for the SWIG compiler, OCaml'OLE, the BioCaml bioinformatics library, and the lablglut GLUT binding.

Comments (none posted)

Java

Build Flexible Logs With log4j (O'Reilly)

Vikram Goyal covers log4j on O'Reilly. "log4j is the open source logging tool developed under the Jakarta Apache project. It is a set of APIs that allows developers to write log statements in their code and configure them externally, using properties files. This article explains the main concepts of this tool, followed by some advanced concepts using a Web-based example application."

Comments (none posted)

10 Reasons We Need Java 3.0 (O'Reilly)

Elliotte Rusty Harold writes about the need for Java 3.0 on O'Reilly. "It's now a little more than 11 years after James Gosling began working on OAK, the language that would eventually become Java, and seven years since Sun posted the first public release of Java. The language, class library, and virtual machine collectively known as "Java" are all showing their age. There are many parts of Java that everyone agrees should be fixed but can't be, for reasons of backwards compatibility. Until now, revisions of Java have attempted to maintain "upwards compatibility;" that is, all earlier code should continue to run unchanged in later versions of Java. This has limited the changes that can be made to Java, and prevented Sun from fixing many obvious problems."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The August 5-11, 2002 edition of the Perl 5 Porters digest is out. Topics include Experiments with the defined-or operator, Improving $^H and %^H, v-strings, Plans for Perl 5.10, Pseudo-hashes, and more.

Comments (none posted)

This week on Perl 6 (O'Reilly)

The August 11, 2002 edition of This Week on Perl 6 looks at Array vs. PerlArray, Unifying PMCs and Buffers for GC, Register allocation for the JIT, Stack mark ops & such, Exceptions, a Regex speedup, and much more.

Comments (none posted)

Acme::Comment (O'Reilly)

Jos Boumans explains how to extend Perl's comment capabilities with the Acme::Comment source code filter for Perl.

Comments (none posted)

PHP

PHP Weekly Summary

Topics in the PHP Weekly Summary for August 12, 2002 include the PHP PECL Certificate Authority, array initialization, copy() and "empty" files, the tcsetattr() function, callbacks for pcntl, register_globals issues, Java on Mac OS X, Sybase extension features, and the php_error_docref function.

Comments (none posted)

Develop rock-solid code in PHP, Part 1 (IBM developerWorks)

Amol Hatwar writes about PHP coding on IBM's developerWorks. "The Develop rock-solid code in PHP series is about solving practical real-life problems in medium- to large-scale applications. With a sharp focus on new features available in PHP 4, the articles shed light on numerous tips and tricks that make life easier. Inside, you will find plenty of examples and techniques to learn, with lots of sample code. In this first article, PHP veteran Amol Hatwar gives a higher perspective for designing and writing bug-free, maintainable code for medium- to large-scale Web applications."

Comments (none posted)

The Pear Weekly News

The latest Pear Weekly News reports: "Always a busy week in PEAR world, with 5 new releases, and 2 new packages added, along with discussion on the status of the pear web site, Forum coming back to life, and an MDB release candidate."

Comments (none posted)

Python

Dr. Dobb's Python-URL! - weekly Python news and links (Aug 12)

Here is this week's Python-URL, with news and links for the Python community.

Full Story (comments: none)

Daily Python-URL

The Daily Python-URL looks at Probability and Statistics Utilities, Enforcing validity with the gnosis.xml.validity library, the Pypect replacement for Expect, Python list.sort() improvements, Making the Python Cookbook, BEEPy, the scgi replacement for CGI, and more.

Comments (none posted)

Ruby

The Ruby Weekly News

Topics on this week's Ruby Weekly News include Radiuslib 0.5, Sys::ProcTable 0.3.0, JRuby beta 1.6/0.5.1, Ruby ViM updates, YAML 0.38, the FXCalendar class, TomsLib, and more.

Comments (none posted)

Scheme

Scheme Weekly News

The August 13, 2002 edition of the Scheme Weekly News is out. Topics include a new Guile snapshot, SXML Revision 2.5, STklos 0.53, the new Scheme Boston web site, and the Fifth Annual ICFP Programming Contest.

Full Story (comments: none)

Tcl/Tk

This week's Tcl-URL

Dr. Dobb's Tcl-URL for August 12 is out, with the latest from the Tcl/Tk development community.

Full Story (comments: none)

Apache Tcl Project Announces Websh 3.5.0

The Apache Software Foundation's Tcl group has announced the transfer of the Websh application programming framework to the Apache Software Foundation.

Full Story (comments: none)

XML

Converting between Java objects and XML with Quick (IBM developerWorks)

Brett McLaughlin introduces Quick on IBM's developerWorks. "Quick is an open source data binding framework with an emphasis on runtime transformations. This instructional article shows you how to use this framework to quickly and painlessly turn your Java data into XML documents, without the class generation semantics required by other data binding frameworks. Extensive code samples are included."

Comments (none posted)

XHTML 2.0: The Latest Trick (O'Reilly)

Kendall Grant Clark examines the latest draft specification for XHTML 2.0 on O'Reilly. "Since HTML is going to be around for a very long time, it makes sense to rationalize it, continue evolving it, and, in general, to make it more powerful and more amenable to the kinds of things people want to do with it. There are signs, encouraging in such an early draft, that the W3C Working Group responsible for XHTML 2.0 understands and is working to enact this ideal."

Comments (none posted)

Miscellaneous

Mastering Linux debugging techniques (IBM developerWorks)

Steve Best illustrates Linux debugging tools and techniques on IBM's developerWorks. "There are various ways to watch a running user-space program: you can run a debugger on it and step through the program, add print statements, or add a tool to analyze the program. This article describes methods you can use to debug programs that run on Linux. We review four scenarios for debugging problems, including segmentation faults, memory overruns and leaks, and hangs."

Comments (none posted)

CASE Tools: Large System Development (O'Reilly)

David HM Spector covers progress in the area of Computer-Aided Software Engineering (CASE) tools for Linux. "A few years ago, it would have been impossible for a Linux system to play in this sandbox: the limitations of the file systems alone would have squelched the idea. Fortunately, the Linux world moves very quickly. The availability of larger SMP systems, in fact whole IBM 390 Mainframes running Linux, and fast, journaling file systems like ext3 or ReiserFS without the old 2GB limit, and logical volume management, all mean that there are few limitations beyond cultural inertia and bias that are stopping Linux from becoming a player in this space."

Comments (none posted)

Jext 3.1 released

Version 3.1 of the Jext programmer's editor, and four new plugins are available for download.

Comments (none posted)

Page editor: Forrest Cook

Linux in Business

Business News

OSDL Announces Major Achievements for Data Center and Carrier Grade Linux

The Open Source Development Lab (OSDL) announced the formation of the Data Center Linux (DCL) Working Group with the launch of a financial services initiative and two deliverables for Data Center Linux. According to a Giga Information Group, Inc. report, the OSDL Data Center Linux Initiative will fuel Linux use in financial services.

Comments (none posted)

Red Hat Linux Advanced Server for AMD's Hammer processor

Here is the announcement from Red Hat and AMD that Red Hat will be producing a version of its distribution for the AMD "Hammer" architecture. There is still no timeline for when one can actually get one of these nice boxes, but they will be demonstrating one at LinuxWorld.

Comments (none posted)

Xandros Desktop 1.0 due on September 30

Xandros has put out a press release fixing the date of the first release of its Corel-derived distribution. "The product, due to be released on September 30, 2002 and available for purchase within three weeks after that date, is built upon Linux kernel 2.4.19, XFree86 4.2, Debian 3.0, Corel LINUX 3.0, and enhanced KDE."

Comments (none posted)

Sun's Linux server offering

Here is the press release from Sun describing its new "LX50" Linux-based server. It comes with one or two 1.4-GHz x86 processors, a bunch of Sun software (Sun ONE, Java 2 SDK, Grid Engine, Sun Streaming Server), and an (unspecified) Linux distribution. Entry cost is $2800.

Comments (1 posted)

Oracle's clustered filesystem

Here's the press release from Oracle on the release of its cluster filesystem for Linux. "'By contributing source code for the Oracle cluster file system under the General Public License, Oracle accelerates the development of key enterprise-class clustering technologies into the Linux kernel and helps build a truly open solution in this fast growing area,' said Alan Cox, Systems Engineer and Fellow at Red Hat. 'This announcement reinforces Oracle's strong commitment both to Linux and to building the best Internet software available for the open source community.'" The filesystem was not yet posted on Oracle's site as of this writing.

Comments (none posted)

HP Unveils Enhanced Linux Product Portfolio Delivering Powerful, Flexible Business Platform

HP revealed its post-merger Linux strategy along with an updated Linux portfolio of products and services.

Comments (none posted)

IBM to demo DB2 database on Mandrake Linux

IBM will demonstrate its DB2 relational database software running on Mandrake Linux at the LinuxWorld Expo next week. The DB2 database can be downloaded here.

Comments (none posted)

Behavioral IDS Case Study - CylantSecure

Here is a case study discussing how CylantSecure, a kernel-enabled intrusion detection and defense system by the company Cylant, has successfully thwarted nearly 100 attacks in the last three months for an Illinois user deploying mail, name and Web service on his Linux server.

Full Story (comments: 1)

Press Releases

Page editor: Rebecca Sobol

Linux in the news

Recommended Reading

Bring on the WiFi Radios (Linux Journal)

Linux Journal looks at the future of internet radio. "Okay, so the record industry and the feds are committing industrial genocide on US-based internet radio (with a few exceptions that include popular public radio stations like WUNC and KUOW). But there are plenty of places in the world where webcasting is still legal, and nobody's keeping you from listening. So let's stop for a moment and ponder the opportunities here."

Comments (none posted)

UCITA drafters don't go far enough for Red Hat (Register)

The Register reports on the reaction of Red Hat lawyer Carol Kunze to recent changes to the UCITA. "A software contract may not prohibit reverse engineering that is done for the purposes of making a piece of software work with other software. Open Source software is exempt from UCITA when that software is not sold for a profit. But that last change doesn't go far enough, says Carol Kunze, a lawyer working for Red Hat on UCITA issues. Before the commission's meeting, Kunze wrote a letter asking the group to kill UCITA altogether. Red Hat and other Open Source companies have long objected to UCITA's requirement that Open Source software provide warranties to customers."

Comments (2 posted)

Open source's new weapon: The law? (News.com)

News.com reports on a new legal proposal to be unveiled at LinuxWorld next week: "Open-source software advocates will unfurl a legislative proposal next week to prohibit the state of California from buying software from Microsoft or any other company that doesn't open its source code and licensing policies."

Comments (15 posted)

White-Hat Hate Crimes on the Rise (Wired)

Wired reports that a group of black-hat hackers, in a campaign called "Project Mayhem," have declared war on white-hat hackers who've gone to work for security firms. "Why so much venom against white hats, the hackers who ostensibly break software in order to help make the Internet safer? The el8 zines don't clearly spell out the group's motivations, but Project Mayhem appears to be a violent incarnation of the "anti-sec" movement, a campaign to persuade hackers not to publish information about the security bugs they uncover."

Comments (none posted)

Companies

ActiveState loses CEO, enlists chairman (News.com)

News.com reports on changes at ActiveState. "Dick Hardt, the founder and chief executive of ActiveState, has resigned, the company said Thursday. At the same time, the provider of software and services for users of open-source programming languages such as Perl, PHP, Python and Tcl announced that it has named a new chairman in an effort to increase the 45-person company's size and revenue."

Comments (none posted)

Dell services tap Red Hat partnership (News.com)

News.com looks at Dell's LinuxWorld announcements. "Imax, the company behind the wraparound, vertigo-inducing movie screen, is a new customer of Dell's high-performance cluster. It's using a 60-server cluster with 120 Intel processors to transform ordinary movies, starting with Apollo 13, into the higher-resolution Imax format."

Comments (none posted)

Linux server specialist updates line (News.com)

Penguin Computing introduced new hardware. News.com reports: "Penguin Computing, which specializes in servers running the Linux operating system, will announce two new products and a new executive in charge of operations, Will Thomas, at the LinuxWorld Conference and Expo on Tuesday. The Relion 130 and 240 both are rack-mountable machines that accommodate a pair of Intel's Xeon server processors by using Intel's E7500 chipset."

Comments (none posted)

Linuxcare returns with mainframe provisioning software (Register)

The Register covers news from Linuxcare, Inc. "Little has been heard of Linux services vendor Linuxcare Inc since its planned merger with Turbolinux Inc bit the dust in May 2001, but the company is now back with a new software product for the provisioning and configuration of the Linux operating system on mainframe systems." ZDNet has also posted an article about Linuxcare's new direction.

Comments (none posted)

Microsoft Puts On the Tux (Wired)

Wired takes a look at one of the new kids on the block at this year's LinuxWorld. "This year, one of the booths in the LinuxWorld "Rookery," section, billed as the event's headquarters for "new, up-and-coming companies -- a place where you can watch companies hatch and grow right before your eyes," belongs to Microsoft."

Comments (none posted)

MS 'Software Choice' scheme a clever fraud (Register)

Bruce Perens wrote this article about Microsoft's 'Software Choice' scheme. "Microsoft has responded with a clever Software Choice campaign that, read quickly, appears to fight discrimination and call for choice, while actually promoting policies that would lock out Free Software. For example, it promotes the embedding of royalty-bearing software patents into "open" standards. Of course Free Software producers don't charge copyright royalty fees, and thus can't afford to pay for patent royalties, so they would not be able to implement any standard that contains royalty-bearing patents."

Comments (none posted)

SAP DB: The Other Open-Source Database (TechWeb)

TechWeb covers the addition of another open source database, SAP DB 7.2. "SAP has donated SAP DB 7.2, the latest release of its database, to the open-source movement under the Gnu LGPL. Its motivation appears to be simple -- to paraphrase: This is not our core product, and both we and the open-source community can benefit from SAP DB."

Comments (none posted)

Dishin' the Dirt at LinuxWorld (Wired)

Wired reports from LinuxWorld. "In typical McNealy fashion, Sun's CEO peppered his keynote with frequent barbs aimed at virtually everyone in the tech industry from Microsoft ("Office is not the answer") to Dell ("Don't buy computers from Dell, go to Wal-Mart and buy them. You'll get just as much technical support"). Few escaped the infamous McNealy mouth."

Comments (none posted)

Sun casts shadow before Linux gathering (ZDNet)

Here's a Reuters article on ZDNet, covering Sun's participation in LinuxWorld. "The wolf potentially lurking just outside the door, some Linux-boosters say, is Sun Microsystems, the high-end computer maker, which is expected to unveil its first general-purpose, low-end Linux machine, and its own version of Linux, on the eve of a major convention for the cooperatively developed software."

Comments (none posted)

Sun to fund open-source Java efforts (News.com)

Sun's new scholarship program will help fund open-source Java efforts. "The new scholarship stems from a spat Sun had earlier this year with a key open-source group called the Apache Software Foundation, which accused Sun of making it difficult for open-source groups to participate in the Java Community Process by which Sun and others govern the future of Java. "Open source" means every software developer can view the source code for software, modify it, and use it for free."

Comments (none posted)

Worlds collide in IBM-VA Software deal (News.com)

News.com reports on the deal (to be announced today) between IBM and VA Software. "VA Software will move its SourceForge repository of open-source software projects to a foundation of proprietary IBM software, the companies plan to announce at the LinuxWorld Conference and Expo here. At the same time, VA will promote use of IBM's DB2 and WebSphere software for those employing a commercial version of the SourceForge collaborative programming software."

Comments (6 posted)

Business

Server sellers bang Linux drum (News.com)

News.com looks at the increasing adoption of Linux by corporations. "Big Blue will announce that two major customers, Deutsche Telekom and Air New Zealand, are using the Linux operating system on IBM mainframes, while an HP customer, L-3 Communications, is using Linux to run airport baggage scanning systems. The new customers augment others that server makers have trotted out to convince computer buyers that Linux is ready for prime time."

Comments (none posted)

The Desktop Dilemma (Open for Business)

This Open for Business article warns that Linux distributors that concentrate on the server to the exclusion of the desktop will lose out in the long run. "I believe this is the critical flaw with most of today's Linux companies' narrow focus on the server. What they fail to understand is that their strength in the server market will never be secure so long as they ignore the client market. By conceding the desktop market to Microsoft, or anyone else for that matter, in essence they cede the server market as well."

Comments (5 posted)

Linux, at your service (Info World)

Info World looks at Linux as a platform for application service providers (ASPs). "Eric Packman, CTO and cofounder of Boston-based Coradient, a provider of monitoring and management services for ASPs, agreed that Linux is popular among service providers. "The vast majority [of ASPs] I know use Linux up front [as a Web server] because [it's] really cheap and really fast," he said. "So any time you want to handle a larger load of customers and more people that turn up [at a Web site], you can turn on a bunch of Linux machines." Officials at Oracle, which uses Linux in its application outsourcing, see Linux becoming a deployment platform for applications."

Comments (none posted)

Air NZ cuts costs with Linux (NZ Herald)

The New Zealand Herald looks at another IBM mainframe Linux deployment. "The penguin may be flightless, but the Linux mascot has become the bird of choice at Air New Zealand, leaving Microsoft grounded." (Thanks to Kanchana Wickremasinghe).

Comments (none posted)

Interviews

gobeProductive to be Released under the GPL (OS News)

OS News reports news from Gobe Software. "The news from the Gobe Software front seem to be slightly sad, but only at first glance. Sad because, Gobe as we know it is no more, as it sold the gobeProductive source code and rights to FreeRadicalSoftware, Inc. However, FreeRadicalSoftware's business plan requires them to GPL the popular office suite, allowing everyone to access gobeProductive's source for Windows, Linux and even BeOS. The official announcement is expected next week. FreeRadicalSoftware was created recently by the ex-boss of Gobe Software, Bruce Hammond, and some other ex-Gobe and non-Gobe people. Read more for our exclusive interview with Bruce regarding the open sourcing of GP3 under the GPL."

Comments (none posted)

Quicken and QuickBooks and Visio, oh my! (on Linux, that is) (DesktopLinux)

DesktopLinux.com previews a beta version of CodeWeavers CrossOver Office 1.2, and interviews CodeWeavers CEO Jeremy White to learn what else is coming. "White: Actually, that's the whole point behind WINE being open source. There is an enormous amount of work being done by developers all over the world on WINE, all of it flowing through www.winehq.org. That's why it has always been so very important to us that we help the WINE community, and not harm it -- we find those contributions invaluable to our own efforts." (Thanks to Jay R. Ashworth)

Comments (none posted)

OEone's Peter Bojanic on HomeBase, Mozilla (Open for Business)

OfB talks with OEone's Peter Bojanic about the new HomeBase DESKTOP and SUITE software. "OEone started active development using Mozilla milestone releases in February, 2001. Initially we were working in relative isolation from mozilla.org and its development community. Gradually, we became better acquainted with Mozilla developers and eventually made connections with staff at mozilla.org. Our Penzilla project pushed the limits of the Mozilla technology, and was one of the most ambitious XUL-based projects under development."

Comments (none posted)

Resources

Embedded Linux Newsletter for August 8, 2002

The August 8, 2002 edition of the Linux Devices Embedded Linux Newsletter is out with the latest embedded Linux developments.

Full Story (comments: none)

Getting started with freeVSD (IBM DeveloperWorks)

IBM DeveloperWorks has an article on beefing up your development environment with freeVSD. "If you're working in a Linux environment, however, there's a way to set up a machine so that several developers can have administrative access without interfering with the environment that the other developers work in. It's called freeVSD (Virtual Server Daemon), and it allows one Linux server to have several "virtual" servers. Using freeVSD allows a company to stretch their resources a little farther and still allow each developer or group of developers to have their own environment. While freeVSD was developed primarily with hosting companies in mind, you'll find that it can also be a boon to your production environment."

Comments (none posted)

Reviews

High-class, low-bloat office suite goes open source (Register)

The Register reports on the potential open-sourcing of the Gobe Productive office suite. "But this is very good news, because Gobe Productive is a lean, nimble, and highly functional package that already has enough good taste built-in to survive even the most ideologically insane faction fighting. It's everything that OpenOffice isn't - and has matured without adding cruft."

Comments (none posted)

IMHO: Why Lindows Ultimately Won't Matter (ExtremeTech)

In this opinion piece on Lindows, from ExtremeTech, the author doesn't see a large market for the upcoming OS. "Well I'm sorry to be the one that has to do it but, in the end, Lindows isn't going to matter. It's a flash in the pan that will ultimately be proven irrelevant. Now don't get me wrong, I'm not "anti-Lindows." I admire the efforts of Michael Robertson's company to bring an easy-to-use Linux distro to market. But over time there just isn't enough there to sustain the product." (Thanks to Jay R. Ashworth)

Comments (none posted)

Is Windows or Linux easier to install? (LinuxWorld.com)

Joe Barr writes about his experience installing both Red Hat 7.3 and Windows 2000 on a laptop. "My goal was to install each OS, get Internet connectivity via a Netgear PCMCIA NIC working, make each OS recognize a USB IBM PC Camera, and apply the latest security and bug fixes to the OS and default applications. Since Microsoft has been in the operating system business for exactly 21 years (DOS 1 debuted August 12, 1981), and employs 50,000 souls, I expected Windows 2000's installation would be seamless, fast, and lightyears ahead of upstart Red Hat's by any measure I could concoct. It turns out the Windows 2000 Pro installation is superior to Linux, but in two dubious categories."

Comments (none posted)

Professional Audio Closer to Linux (OSNews)

OS News looks at audio tools for Linux. "Browsing Freshmeat tonight, the premier online Linux software repository, I came across these two great (and brand new) applications, ReBorn and ReZound. Reborn, a Rebirth clone that will soon become open source according to the developer, provides a software emulation of three of Roland's most famous electronic musical instruments. It got me thinking as to how much more viable Linux is today as a professional (or semi-professional) audio platform than it used to be two years ago."

Comments (none posted)

Miscellaneous

UnitedLinux prepares first beta (ZDNet)

ZDNet reports that the first open UnitedLinux beta will come out sometime in September. "The first version of UnitedLinux will essentially be the next version of SuSE's advanced server edition augmented with other companies' features. Those improvements include better support for Asian language characters from Turbolinux and basic 'failover' software from Conectiva, which lets one server take over when another fails."

Comments (none posted)

Linux kernel makes Xbox appearance (ZDNet)

ZDNet provides an update on progress made by the Xbox Linux Project. "The Xbox Linux Project, a volunteer effort aimed at running the Linux operating system on Microsoft's Xbox gaming console, said it has succeeded in booting the Linux kernel--a small but important step forward."

Comments (none posted)

Open-source cosmic clockwork (StarStuff)

Here's an article at StarStuff.org about open source code in astronomy. "... a group of astronomers recently announced that they will release their white dwarf evolution code and begin developing it into a state-of-the-art computer model to be called OpenWD." OpenWD will be released under the terms of the GPL. (Thanks to Nick LeRoy)

Comments (2 posted)

Annual Linux Operating-System Expo Has Come A Long Way

The San Jose Mercury News says LinuxWorld Expo is not for hackers anymore. "The show's evolution from geek fest to conservative trade show is simply mirroring the progression of Linux, which has evolved from a grass-roots phenomenon on the Internet to the back room of corporate data centers."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Resources

Audacity Tutorial (QuickToots)

QuickToots has posted a new tutorial by Daniel James that describes audio file editing with Audacity.

Comments (none posted)

Upcoming Events

Linux Around the World Conference in San Francisco (Linux Journal)

Jon "maddog" Hall introduces Linux Around the World (LAW), a special event being held on August 14th at the Moscone Center in San Francisco during the LinuxWorld Conference and Expo. "Sponsored by Linux International and two of its member companies, Hewlett-Packard and IDG, LAW is not a part of the conference program, but it is open to all tradeshow attendees at no additional charge. The event will be held at a special place on the show floor where 150 seats will be arranged auditorium style."

Comments (none posted)

Linux 11th Anniversary Picnic

The Linux 11th anniversary picnic will be held on August 17, 2002 in Sunnyvale, California.

Full Story (comments: none)

ESC Boston, November 18-21, 2002

This fall's Embedded Systems Conference will be held in Boston, Mass. from November 18-21, 2002.

Full Story (comments: none)

CodeCon 2003 Call for Papers

CodeCon 2.0 ("the premier showcase of active hacker projects") will be held next February in San Francisco. The call for papers has just gone out, with a December 1 deadline.

Full Story (comments: none)

Usenix 2003 Call For Papers

A call for papers has been issued for the 2003 USENIX conference, to be held in San Antonio, Tx from June 9 through 14, 2003. Submissions are due by November 18, 2002.

Full Story (comments: none)

Damian Conway to speak in London (use Perl)

Use Perl has announced that Damian Conway will have two appearances in London on August 27 and 29, 2002.

Comments (none posted)

Events: August 15 - October 10, 2002

Date                    | Event (venue)                                                                              | Location
August 15, 2002         | Linux World Conference & Expo (Moscone Center)                                             | San Francisco, California
August 24 - 31, 2002    | Linux Beer Hike (Russell Community Centre)                                                 | Doolin, Co. Clare
August 27, 2002         | Seattle Ruby Brigade Meeting                                                               | Seattle, Washington
September 4 - 6, 2002   | Linux Kongress 2002 (Physics Institutes, University of Cologne)                            | Cologne, Germany
September 5 - 6, 2002   | SciPy '02 (CalTech)                                                                        | Pasadena, CA
September 11 - 13, 2002 | Open source GIS - GRASS users conference 2002 (GRASS) (Centro Servizi Culturali S. Chiara) | Trento, Italy
September 12 - 13, 2002 | Perl 6 Mini::Conference (ETF, E1, ETH Zurich)                                              | Zurich, Switzerland
September 16 - 20, 2002 | 9th Annual Tcl/Tk Conference                                                               | Vancouver, BC, Canada
September 18 - 20, 2002 | Yet Another Perl Conference Europe 2002 (YAPC::Europe 2002)                                | Munich, Germany
September 27 - 29, 2002 | Lulu Tech Circus (State Fairgrounds Complex)                                               | Raleigh, North Carolina, USA

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (1 posted)

Miscellaneous

The Samba Survey is back

A new version of the Samba Survey is available, active Samba users are encouraged to participate.

Comments (none posted)

Open Projects Net name and status change

The Open Projects IRC Network has been adopted by the non-profit Peer-Directed Projects Center. OPN is also changing its name to Freenode. Click below for the full story.

Full Story (comments: none)

Page editor: Forrest Cook

Letters to the editor

Thomas Warden's letter

From:  "Robert A. Knop Jr." <rknop@pobox.com>
To:  letters@lwn.net
Subject:  Thomas Warden's letter
Date:  Thu, 8 Aug 2002 09:15:29 -0500

This is in response to Thomas Wardman's letter on August 1.  That letter
was evidently written by an outsider trying to understand why LWN needs
what it claims it needs in order to continue.  I am in a similar
situation, and write this letter from a similar uninformed position.  My
opinions, however, are quite different.

I don't know if Mr. Wardman has ever run a volunteer website for any
length of time, but unless the maintenance on a site you run is
relatively lightweight, or it is part of one of your significant hobbies
and quite different from what you do at work, burnout is a significant
issue.  What is fun to do gratis for a few months after a while becomes
one more thing that you have to get done.  It becomes one more drain on
your time.  I know, I have experience with this.  A friend and I run
www.dramex.org, and have since 1994.  The maintenance of that site
really does not take much time at all, certainly much less than what
goes into LWN.net.  Theatre is one of my great loves, and it is indeed
quite different from what I do at work.  And, yet, we still frequently
manage to get months (and in two cases, years) behind on maintaining the
site.

Consider the simple economics of the matter, from two points of view.
First, the people who run LWN.net *can* get jobs somewhere else, doing
similar things, that pay, leaving them without the time (or,
significantly, the energy) to do the same sort of thing gratis for
LWN.net.  Second, there are jobs out there doing things similar to what
must be done at LWN.net, jobs that pay.  (It sounds like the same thing
stated twice, but there are two points: the people could get jobs, and
the things the people are doing are very similar to what other people
are paid for.)  Given that, it just doesn't make economic sense for
LWN.net to be maintained at its current level completely gratis by a
small number of people.

Mr. Wardman compares LWN.net to Kuro5hin.org, wondering why LWN.net
would require more money than k5 to maintain.  I hear this comparison
often, or a comparison between LWN.net and slashdot.  I don't understand
it.  Yes, K5 takes time to maintain.  However, it is a very different
site from LWN.net.  It is a community contribution site, and most of
what you see written on the front page is written by the readers.
Rusty, the maintainer of the site, is there to keep it running; it's a
real job, yes, but he's not *writing* the most important text for the site,
and can keep it up as one (full-time) person.  LWN.net is much more akin
to a traditional magazine.  Yes, a lot of it is finding and culling
material from the web, but there are also insightful editorials, and
there is a sane, clear, intelligent "voice".  You wouldn't expect the
editors of Linux Journal to edit the magazine as a hobby, charging
subscribers only what is necessary for the direct physical costs of
printing.  It would be insane; they would go edit another magazine where
they would get paid, leaving them with money to eat and time for a life.
Similarly, you can't demand that LWN.net maintain their level of
excellence simply because we as a community are entitled to their
donation of time.

I have long scratched my head as to why slashdot.org every year wins the
"best Linux website" readers' choice award from Linux Journal.  Sure, I
like Slashdot-- but if you're talking *Linux* news, LWN.net is far, far
superior.  The signal to noise is tremendously higher, the editorial
"voice" is more consistent, more mature, more clearheaded, and better
written.  Slashdot's value comes in collecting nerd stories from the net
and the discussion.  LWN.net collects Linux stories from the net-- but
does much more than that.  It organizes and comments on that, and
provides clear, cogent summaries and discussions of some of the most
important trends and issues (including the all-important "intellectual
property" issues which are every bit as key to the continued health of
Linux as technical kernel issues).

Does LWN.net really need five full-time people?  I don't know, I'm not
there.  But I do know that it is vaguely insulting to demand (even if
only by implication) that they should continue what they are doing
completely on a volunteer basis, and like it.  Mr. Wardman is right in
saying that the Linux community shouldn't have to shoulder the habits of
the LWN.net employees simply because they are all brilliant software
engineers.  On the other hand, he is very wrong to imply that the Linux
community should expect LWN.net to continue to exist in a form and
quality approaching its current state if they aren't willing to
"shoulder the habits" of those who maintain it.  The connection he fails
to make is that not shouldering the burden means not having LWN.net.
If he really believes that a site as good as LWN.net could be run on a
volunteer basis: I invite him to do so.

-Rob Knop
rknop@pobox.com

Comments (none posted)

Re: Where has the pioneer spirit of LWN gone?

From:  Joey Hess <joey@kitenet.net>
To:  letters@lwn.net
Subject:  Re: Where has the pioneer spirit of LWN gone?
Date:  Wed, 7 Aug 2002 22:59:09 -0400

While I disagree with Thomas Wardman's letter on some points, I find I
must agree with his central analogy and point. LWN, it seemed to me when
I read that first short issue way back when, was being made for two
reasons: To do a little bit of indirect promoting for a small consulting
firm we'd never heard of called Eklektix Inc., and because the couple of
people who were putting it out had something important to contribute to
the linux community, and had the desire to do so. Between then and now
the focus changed so that LWN itself became the business that was
supposed to make the money. And then that began to look less and less
viable.

I believe that Thomas's suggestion that you try to farm out some parts of
LWN to volunteer third parties, and go back to working on LWN only,
well, 50% of the time, is feasible. For years I wrote Debian Weekly
News, and was happy to see LWN refine my already condensed summary of
what was happening in Debian, and satisfied to see you sometimes quote
whole sections as most of a week's Debian coverage. I would miss Jon's
writing about the kernel and editorials, but the summaries of basic
news, security, development etc, could be contributed by talented
volunteers.

Some of the extraneous bits could even be stripped out -- this week's
"mini-LWN" was still LWN, despite its relative brevity (though you
trimmed entirely the wrong sections this week. :-P).

Anyway, I can think of a dozen reasons why you probably don't want to
follow this suggestion; one reason is that it would mean probably 75% of
the company losing their jobs. But if the subscription service should
fail to live up to your hopes, and there is no other choice, I hope it
*will* be done -- I hope that you at LWN are still in this for what
Thomas terms the "pioneering spirit" of the original LWN.

In the meantime, best of luck with the subscription service! I for one
will continue to support LWN in any ways I can.

-- 
see shy jo

Comments (none posted)

Crippleware vs. Guiltware

From:  Talin
To:  letters@lwn.net
Subject:  Crippleware vs. Guiltware
Date:  Fri, 09 Aug 2002 03:31:53 -0700

Dear LWN folk,

I have a friend who runs a payment processing service for shareware 
authors (plug: www.kagi.com). Just as free software is often categorized 
by the license, shareware is generally categorized by the payment scheme 
and/or business model. Two popular types are "guilt-ware", in which the 
author of the program makes a humanitarian plea for payment, and 
"cripple-ware", in which certain advanced features of the program are 
disabled unless a payment is made.

According to my friend, crippleware programs bring about 5 times as much 
revenue for their authors on average as guiltware programs do. The 
lesson here is clear: All of the appeals to the good side of human 
nature will only get you so far. About 20 cents on the dollar, as a 
matter of fact. (You might think this view is cynical, but that's only 
true if you place a negative moral judgement on people who use things 
and don't pay for them. I don't.)

What makes a good crippleware program? Well, for one thing, the crippled 
version needs to be useful and addictive in its own right - it needs to 
leave you "hungry for more". It must not be time-limited - that's called 
"demo-ware", and is a different (and IMHO less effective) category of 
shareware. It should be useful enough that it is readily incorporated 
into the user's habitual work pattern. Yet the extra features should be 
beneficial enough that once you discover how useful it is, you'll 
realize how much more you could get for a small fee.

A lot of websites have moved to this model as well. A lot of good 
examples can be found in the many fan-maintained web sites for online 
games. For example, the site http://everquest.allakhazam.com is 
essentially a huge database of EverQuest game items and player tips. If 
you pay nothing, you get full access to the entire database, forums, 
user accounts, etc. However, if you pay their low fee ($20 a year or 
so), you get: 1) elimination of all ads, 2) an advanced query tool, 3) 
automatic character wishlist creation, and a bunch more really neat 
features.

I am even beginning to see the development of aggregated subscriptions - 
you pay one fee and you get access to "enhanced features" for a bunch of 
thematically related websites, maintained by different authors and editors.

Finally, I'd like to respond to the gentleman who wrote in last week 
complaining about the reported costs of maintaining the site. I believe 
he misses a number of important points:

    1) In a sea of near-infinite information, the role of editor adds a 
huge amount of value.
    2) In a sea of near-infinite information, being a good editor is 
really, really hard.

For example, I used to read Kernel Traffic on a weekly basis, but I gave 
it up because I just don't have the time to pick through all the content 
and decide which items are relevant to me and which are not. Your few 
paragraphs of highly-distilled explanation of kernel activity 
highlights, with the background context filled in (so I don't have to 
remember last week's edition) as well as your filling in of the human 
story behind the kernel design process, all this is just exactly the 
right information I want, in the right amount. Simply giving me a raw 
data feed is exactly what I don't want. I don't imagine that creating 
this is a particularly easy task.

-- Talin
(please withhold my email, if they want to contact me they can search for 
me on Google. I get too much spam as it is)


Comments (none posted)

CBDTPA and others

From:  Tres Melton <class5@pacbell.net>
To:  letters@lwn.net
Subject:  CBDTPA and others
Date:  Tue, 13 Aug 2002 00:49:37 -0700


LWN readers 

I seem to have missed reading the part of the CBDTPA bill that defines
the penalties that this ludicrous legislation would impose.  Judging
from what I have read the penalties for violations seem to be quite
extreme: in ALL cases.  This obviously includes the penalties for us
average citizens that want to utilize our fair use rights on a variety
of platforms and in a variety of places and, god forbid, enable our
friends to do the same.  These penalties also encompass the case of the
media industry limiting our fair-use rights.  Even if the penalty is a
'small' fine.  

Exactly what constitutes fair use is debatable in most cases but the US
Supremes have declared that "time shifting" is legal courtesy of one of
the bill's sponsors: SONY.  When Sony went to court to fight for the
rights of consumers to record programs using their Betamax video system
I don't believe that they were a content company.  Well they are now! 
We can thank Sony for putting the ability to destroy the entertainment
industry into case law.  I realize that the penalties for removing our
fair use rights might simply be a few hundred dollars in fines; I also
realize that the destruction of the industries that provide the
addictive drug for "heroin in a box" - I mean television - is just a
fantasy that will never be realized.  However the bill (or more
accurately: case law) provides that penalty for EACH offense. 

That is each person that cannot time shift a program!  If just one
broadcast that is viewed by millions of people does not provide the
ability for them to view that program at a later time then the penalties
should be somewhere in the range of hundreds of millions of dollars. 
That amount of money would make any greedy class action lawyer salivate
at the thought. 

Let's run through some numbers:  Imagine the Superbowl.  The last one
was viewed by 131,200,000 viewers (according to superbowl.com).  Now
imagine all of the interactive digital devices that must function
"reliably" that could be sitting in everybody's home.  There must be
thousands of different ones and many more versions of every one at
that.  The media circus is required not only to be able to work with
each of these devices in preventing piracy but more importantly NOT
prevent fair use.  I assume this also means that the live broadcast must
also work.  At this point I must start to guesstimate the numbers: my
apologies.  Assume 90% of the devices work perfectly; that still leaves
13,120,000 people that are going to get screwed in one way or another. 
Put another way that leaves over 13 million people that will have a
legal claim against someone for hosing their chance to view the
superbowl.  Let's assume that the bill carries a $100 fine for
noncompliance.  That leaves a 1.3 billion dollar liability bill that
someone is going to have to foot!  Just for good measure let's assume
that the pre-game and post-game shows use the same technology; that
kicks the bill up into the neighborhood of 3.9 billion. 

Are we having fun yet?  If not then let's throw in the suits from the
advertisers who are paying how many millions in advertising to reach the
stated audience.  If that audience is reduced by 10% don't you think
that there is a possibility that they will want a 10% refund?  Not to
mention that the offer could be construed as fraudulent. 

What about your local pub that is having a superbowl party, goes to
great expense buying new big screen high definition televisions, and
ends up with a room full of rowdy drunks that can't watch the program
that they got all lubricated to see.  Are the content owners responsible
for the ensuing chaos?  Now consider that one of those well lubricated
drivers goes flying across town to see the show at their house and has
an accident.  American jurisprudence is rife with attorneys going after
the people with the "deep pockets". 

I could go on and on but I trust that I have made my point.  Perhaps we
should take a page out of the book of congressional lobbying:  instead
of trying to stop the bill from passing in the first place we should
seek enough amendments to poison the bill for the sponsors!  I think
that I may have found a way to take the fair-use provisions seriously! 

I realize that this is probably fantasy; wouldn't it be fun though. 
This community has the resources to change the world; if we could just
unite!  Unfortunately the task is futile by definition. 

The best defense is most often a strong offense; since the courtroom is
to be the ultimate battleground let's get the best litigators we can
find.  If we started a legal fund and convinced every open source
aficionado to forgo the purchase of just one CD/DVD/Monopoly tax
payment and donate that to the legal fund then we could mount a
formidable challenge to their oligopoly. 

Best Regards, 
Tres Melton 


P.S. My preferred plans: 

CASE 1:

Imagine a class action suit against the studios for every US soldier
that lived overseas, purchased a DVD player, and purchased some movies.
According to intellectual property laws, as I understand them, there are
a few relevant facts worth mentioning.  Fact(1):  the said individual
has purchased the physical medium that contains the work of Intellectual
Property. Fact(2):  the said individual has purchased the legal rights
to listen/view/enjoy the contents of the aforementioned physical medium.
Fact(3):  the actual rights that were purchased have never been clearly
defined from either party's point of view.  Court case is as follows: 

Plaintiff John Doe and others seek judicial relief from the obligation
of repurchasing both things that were above described in statements one
and two.  John recently returned to the US and has found the following
facts to be true:  

1)  That the DVD player that this American Soldier purchased while on
active duty in Europe is incapable of playing DVDs that were legally
purchased in the United States after his return.  
2)  That the new player that his wife has for the bedroom is incapable
of playing the movies that this soldier, representing America in the
'War on Terrorism' while abroad, has purchased in a location other than
the United States.  
3) The Macrovision incorporated into both of the DVD players prevents
him from making copies on VHS tapes for viewing in other areas of the
home.

Plaintiff Doe recognizes the costs associated with manufacturing the
plastic cookie with the dimpled metal center and therefore agrees to pay
for the replacement costs of the physical medium.  However, since
plaintiff Doe has already purchased the pattern of dimpled bits -
otherwise known as the intellectual property - he should be under no
obligation to repurchase them.  Further, plaintiff Doe should enjoy the
right to copy the DVDs to VHS form for his enjoyment in the children's
rec room.

CASE 2:

A law-abiding citizen arrives home to find that his home, located in the
forests that are prone to fires, has burned to the ground.  Thinking
ahead, the individual has videotaped the contents of his home to prove
their existence to an insurance company if the need ever arises.
Discovering that the homeowner has a limited policy on his audio/video
equipment and the media for its use, the insurance carrier does not fully
reimburse the plaintiff in the case for his losses to his CD
collection, a collection of approx. 500 CDs that has taken many years
and many thousands of dollars to accumulate.  The plaintiff realizes
that intellectual property cannot actually be destroyed and that it
still exists; he just no longer has access to it.  The plaintiff in this
case should be able to sue the recording industries into replacing the
contents of his collection for the cost of the physical medium alone.
Why should he have to pay twice for the same intellectual property?

CASE 3:

The recording industry finally comes out with an audio DVD format.
Desiring the new format, a consumer may want to replace his existing CD
collection with audio DVDs.  Once again the consumer has already
purchased the right to listen to the contents of the CDs in question, so
why should he have to pay the same price for an audio DVD as someone who
never purchased the CD version?

CONCLUSION:

If we could force the content creators to define what percentage of the
price of an item is for the content (intellectual property) and what
percentage is for the medium upon which it was recorded, then we will
have made great strides in reining in these seriously overcompensated
oligopolies.


Obviously these are fantasy cases; but fun to think about nonetheless!




Page editor: Jonathan Corbet

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds