
LWN.net Weekly Edition for February 26, 2004

FOSDEM 2004 trip report

Your editor was once told by a free software conference organizer that charging a registration fee was mandatory; without the fee, potential attendees would not take the event seriously and would not show up. The Free and Open Source Developers' European Meeting (FOSDEM) shows that this view does not always match up to reality. Perhaps uniquely among major Linux events, FOSDEM charges no registration fee, and, indeed, dispenses with the registration process altogether. That did not stop some 2000 people from showing up last weekend and packing the lecture halls to a level that would have sent a U.S. fire marshal into a complete panic. FOSDEM, clearly, is a successful event.

FOSDEM is organized in a way which is well described by its name: it is a meeting of developers. As such, it features a series of talks which are likely to be of interest to the development community and a distinct lack of presentations on how to configure the print system or on how Linux will leverage your business paradigm shifts into the next generation. Additionally, a set of "developer rooms" was occupied by various projects and interest groups (Debian, KDE, embedded Linux, Tcl, etc.). Each of those rooms was a place to gather, and most put up their own schedules of talks as well. Throw in a (problematic) wireless network, a beautiful city with no shortage of good food and beer, and support from a set of sponsors, and you have all the makings of a free software conference with a distinctly European flavor.

Keynote speaker Tim O'Reilly told the gathering that, while it is clear that free software is changing the computing industry, nobody, least of all the free software community, knows how. He pointed out that there are already user-friendly Linux-based desktop applications which are used by millions of people; they go by names like Google, Amazon, and Yahoo. These companies are building massive proprietary applications with free software, and, in many cases, giving little back. Tim would like to see free software developers think more about the use of their code in web application settings. He is also concerned about the implications of the large databases being created by these companies; those databases, too, are proprietary, and they can pose serious privacy threats. Do we, asks Tim, need a "web services bill of rights" which is analogous to the licenses which accompany free software?

Tim was immediately followed by Richard Stallman, who gave a fairly predictable talk about the importance of freedom, "Linux" and "GNU/Linux," etc. The freedom issues are important, but will be familiar to most readers of LWN. More amusing, perhaps, was the final part of the talk, where Richard addressed charges that he adopts a "holier than thou" attitude. Says Richard: "It's my job to be holy, I'm a saint." He then donned his disk platter halo and proclaimed himself to be Saint Ignucius of the Church of Emacs. Anybody can be a saint in this church, it seems; all that is required is (1) to free your computers of all proprietary software, and (2) make the profession of faith: "There is no operating system but GNU, and Linux is one of its kernels." (In the same humorous vein, Richard proclaimed that use of vi is not a sin according to the Church of Emacs; it is, instead, a penance).

Richard did also address the web services issue. He is not concerned about companies like Google failing to share their own code; what Google runs on its servers is its own business, and has nothing to do with anybody else's freedom. He is concerned about data stored on other people's servers; his response is to not keep his data there. Richard allowed as to how there could be freedom issues with web services, but he does not see those as free software issues in particular. One gets the impression he thinks he has taken on a big enough fight as it is; web services will be somebody else's problem.

There have been persistent rumors that a third revision of the General Public License would require that changes to code which are deployed in public web services be released. When questioned about this idea, Richard did not have much to say; there has been little time to work on such ideas, apparently, though that could change soon. He did mention the possibility of a "download source" clause. With this clause, the author of web-oriented software could include a "download source" link which would do exactly that. An optional license feature would require those deploying that code to retain the source download capability - and to ensure that it provides the source for the actual, deployed application. It is hard to see such an intrusive license winning a lot of followers.

The final keynote speaker was, inevitably, Jon 'maddog' Hall. Maddog talks resemble sitting in front of the fire with Grandpa and hearing his stories from before you were born. The stories are interesting, well told, and fun, but after a while you realize you've heard most of them before. You're always there when Grandpa tells another set of stories, however.

Keith Packard gave a heavily-attended talk on the future of the X server. In order to support many of the visually pleasing features envisioned for the future Linux desktop, some fundamental server changes will be required. In the new scheme, X clients no longer draw directly into the frame buffer; instead, they draw into off-screen memory which is then combined, under the control of a new "composition manager" process, into the screen seen by the users. Keith demonstrated some of his "eye candy" work which showed (1) how slick the Linux desktop can be, and (2) how slow it can be when all of this work is done in software.

In the future, Keith sees the X server moving into a fundamentally three-dimensional mode and speaking GL directly to the low-level graphics drivers. Many 3D applications will also be able to send GL directly to the hardware, and bypass the X server altogether. The current crop of two-dimensional applications will be handled in a compatibility mode. This change would pave the way for a new generation of 3D Linux applications, improve performance greatly, and would make vendor support easier; most video card vendors stopped wanting to deal with 2D modes years ago.

Keith also addressed the political issues currently being faced by the X community; see Zonker's article (below) for more information on that side of things.

LWN editor Jonathan Corbet presented two talks at FOSDEM; the slides from those talks are now available. The first was a variant on the "2.6 kernel changes from the inside" talk which has been presented at other events. Making its debut at FOSDEM was "kobjects, ksets, and ktypes: the device model from the bottom up," a low-level technical tutorial on the glue which holds the 2.6 device model together.

Other presentations seen by your editor include Robert Love on providing better support for the Linux desktop in the kernel (it is a good thing some developers are finally seeing this support as an important priority), Bill Haneman showing the features of the GNOME Onscreen Keyboard, Hans Reiser on the underpinnings of the Reiser4 filesystem, and an interesting developer room session on hacking into embedded Linux systems. There was far more going on than any one person could possibly see; FOSDEM is an event which truly showcases the vitality of the free software development community. It is not surprising that attendance has been growing strongly every year; this is one event which may have to find a larger venue for 2005.

Comments (9 posted)

X11: Where do we go from here?

February 25, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The XFree86 license change announced by the XFree86 project has caused a great deal of fuss in the development community. One month later, the new shape of things is beginning to come into focus. Unless something happens in the near future, the XFree86 Project's time as the custodian of the X Window System has come to an end, but X development will continue in a new home.

Ostensibly, the new license was to be applied as of the third XFree86 4.4.0 release candidate, but, according to longtime X developer Keith Packard, project leader David Dawes first checked in code under the license last September and updated the list of XFree86 licenses to include the license without any prior notice. Then the announcement that the new license was to be the "official" license for code copyrighted by the XFree86 Project was made by David Dawes at the end of January. The new license does not affect all code distributed by XFree86, but it touches enough code to create a major backlash among vendors and projects that are using and distributing XFree86.

The new license is a valid open source license, but it is a BSD-style license with an "advertising clause" that many find objectionable. The license is not GPL-compatible, which some say is a sure way to make a project irrelevant. Criticism of the new license is not limited to advocates of the GPL, however. It also seems to offend some ardent supporters of the BSD license, including Theo de Raadt:

Like other projects, we will not be incorporating new code from David Dawes into the XFree86 codebase used in OpenBSD. All such changes have to be skipped, rewritten, or you can contact the XFree86 group and place your own efforts to repair this damage.

This leaves the community at an impasse. With XFree86 sticking to the new license, and a large number of projects rejecting said license, other solutions must be sought. In the short term, many projects and vendors are planning on shipping XFree86 4.3 rather than using 4.4. Frederic Lepied, CTO of MandrakeSoft, says that Mandrake has reverted to XFree86 4.3 for the short term. Joseph Eckert, VP of corporate communications for SUSE, also confirms that SUSE will not be utilizing code licensed under the XFree86 1.1 license.

However, utilizing an older version of XFree86 is not a long-term solution. Daniel Stone, a Debian Developer, is one of many predicting a fork of the project to solve the long-term issues:

More than ever before, XFree86 has backed itself into a hole. The challenge now lies with the community to dig X out of the hole it's now in. Unfortunately, as kdrive and other solutions are not yet mature enough, it is my firm belief that this will only come about through a fork of XFree86. Sad, especially when you consider that that's how XFree86 came about; X.Org relicensed X, XFree86 got upset, and forked. We may be about to watch just a little bit of history repeating.

Keith Packard made it clear at FOSDEM that he believes this fork has already taken place; it was done by David Dawes when he changed the license. So now the "trunk" development effort is moving to freedesktop.org. According to Packard:

X.org and various Linux vendors are busy putting together a copy of the XFree86 sources from before the license change and are planning on making that available for developers to work on in producing X releases in the traditional fashion -- a monolithic release of the entire tree. The goal of this process is to ensure continuity of the window system implementation and allow people to get an X server capable of supporting more recent hardware.

Packard also says that the freedesktop.org folks are working on improvements to the X architecture:

A related project that we're also working on is to take the monolithic X build architecture and splitting it into pieces. Libraries, fonts, servers and applications will be released separately. Periodically, released versions of the individual packages will be collected together and bundled as a unified release. The goal is to promote rapid development of some portions of the system (like video drivers) without requiring a rapid release schedule for the entire project.

As Stone said, we may be watching history repeat itself. Barring a change of heart on behalf of the XFree86 Project, it seems that projects and vendors making use of XFree86 will be looking elsewhere. The question is whether or not vendors will unify behind an X Window System produced by freedesktop.org, or another group -- or if the fork ends up creating several splinter projects. With X.org and several of the key developers behind it, freedesktop.org looks well placed to become the new home of X development.

Comments (31 posted)

On Orkut

Some weeks ago, your editor was invited to join the Orkut service. Having never played with a "friend of a friend" service before, your editor found the experience to be naturally gratifying. After all, a system which inspires others to make public declarations of friendship cannot fail to delight such a stereotypical, socially challenged, geekish sort of person. It's nice to know that somebody likes you after all, even if you can never aspire to the triple-digit circles of friends that the truly cool people have.

That said, the free software community may want to think before committing too much to services like Orkut. A good look at the Orkut terms of service would be a place to start. It includes some relatively interesting things, such as prohibitions on reverse engineering and even (surprising, for a Google-affiliated site) indexing the site. The truly fun language, however, is:

By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials.

So this site which, among other things, is supposed to facilitate business networking claims the right to make use of any idea which any user might post there. These terms may seem familiar: Microsoft attempted to get Passport users to agree to something similar three years ago. The company backed down after a public outcry; so far, however, Orkut users have been rather more accommodating.

There is a more fundamental question to be asked, however: if we, as a community, really want to document our associations, interests, sexual orientation, editor preferences, etc., do we really want to do so in somebody else's proprietary database? Social networks seem like a field in need of a great deal of experimentation; few people would claim that the best ways to aggregate, represent, and work with such data have already been worked out. If we're going to create a social network database, we should be doing so in a public manner that will allow free software hackers to play around with interesting new applications. We would almost certainly be surprised at what they would come up with.

One effort worth looking at is the FOAF Project. Rather than create a central, proprietary, indexing-prohibited database, this project is pushing for a distributed database built on individual RDF files. Such a scheme puts each participant in charge of their own data while making the whole network available for those who would create interesting interfaces to it. This project shows one approach to the creation of social network databases which avoids the problems of proprietary databases and restrictive terms of use. Doubtless there are others out there as well. We, as a community, do not need to put our time into the creation of somebody else's proprietary database; we can do better than that.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

Brief items

The trouble with backporting fixes

Most Linux distributors, as a matter of standard procedure, do not fix security problems by upgrading their users to the latest version of the affected program. Instead, the specific fix is painstakingly backported to whatever version was originally shipped, and a minimally disruptive (one hopes) update is released. This approach does help protect users from dealing with new issues caused by unplanned software upgrades, but it poses some risks as well.

Consider, for example, this notice sent out to users of Solar Designer's Openwall Linux. On the topic of the recently discovered mremap() vulnerability (the second such), it states:

Luckily, Linux 2.4.23-ow2 and 2.4.24-ow1 are not affected as these patches already included a kernel bug fix which was later determined to be security-critical and needed to avoid this second mremap(2) system call vulnerability. In fact, it's the exact same fix which went into Linux 2.4.25.

We asked Solar how it was that his patch, which fixed the problem long before it was reported, was not more widely distributed. His response was that he had sent a patch around, but most distributors did not see at the time that the bug had security implications, so they left it out in order to distribute a minimal fix for the first mremap() problem. By insisting on a minimal patch, the distributors left their users open to another vulnerability, and forced them to deal with yet another security update shortly thereafter.

The free software community, in fact, has a long history of bug fixes which, at some later point, turn out to close a security hole. Certain members of the black hat community spend a lot of time digging through changelogs looking for just this sort of problem. Some of them have a true gift for seeing vulnerabilities where the original developers see only bugs. For these people, software changelogs are a roadmap of potentially exploitable bugs known to exist on most deployed Linux systems.

Few system administrators enjoy being forced to upgrade a package in a hurry. They have learned through hard experience that such upgrades can introduce no end of problems and make a serious dent in their weekend beer-drinking time. In the end, however, we may be forced to face a simple fact: any bug may potentially have security implications. It may be that the Fedora Project has the right idea: when a security hole must be closed, that should be done by upgrading the whole package to the current version. Relatively young software and the new and unknown bugs it is certain to have may turn out to be safer than staying with an older version, which has old and well-documented bugs.

Comments (9 posted)

New vulnerabilities

hsftp - format string vulnerability

Package(s): hsftp
CVE #(s): CAN-2004-0159
Created: February 23, 2004
Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a format string vulnerability in hsftp. This vulnerability could be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp. Note that while hsftp is installed setuid root, it only uses these privileges to acquire locked memory, and then relinquishes them.
Alerts:
Debian DSA-447-1 2004-02-22
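The hsftp bug is the classic format string pattern: a string the remote side controls (a filename) is handed to a printf-style routine as the format rather than as an argument. The following C snippet is an added illustration of that bug class and its fix; it is not hsftp's code, and the names render_listing_line, count_format_directives and name_rendered_literally are this example's own. The hostile filename in main is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape of the bug class described in the hsftp advisory
 * (hypothetical code, not hsftp's). The remote filename becomes the
 * format string:
 *
 *     snprintf(out, outlen, name);   // name == "%x%x%n.txt" drives the format engine
 *
 * Kept as a comment only: calling it on untrusted input is undefined behaviour. */

/* Hardened shape: untrusted text is always a "%s" argument, never the
 * format. Returns the length the full line would have had. */
int render_listing_line(char *out, size_t outlen, long size, const char *name)
{
    return snprintf(out, outlen, "%10ld  %s", size, name);
}

/* Count conversion directives in a string: every '%' that is not part of
 * a literal "%%". Handy in review or a fuzz harness: a non-zero count on
 * data that can reach a format parameter is a finding. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

/* Render a name through the hardened path and report whether it came out
 * verbatim (1) rather than being interpreted (0). */
int name_rendered_literally(const char *name)
{
    char buf[128];
    int len = render_listing_line(buf, sizeof buf, 42, name);
    return len > 0 && strstr(buf, name) != NULL;
}

int main(void)
{
    const char *hostile = "%x%x%n.txt";   /* constructed sample filename */
    char line[128];
    render_listing_line(line, sizeof line, 42, hostile);
    printf("directives in name: %d\n", count_format_directives(hostile));
    printf("rendered line: [%s]\n", line);
    return 0;
}
```

The only difference between the two shapes is where the untrusted string sits in the argument list; compilers flag the vulnerable shape with -Wformat-security, which is worth turning on for any setuid program that handles names from the network.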

Comments (none posted)

lbreakout2 buffer overflow

Package(s): lbreakout2
CVE #(s): CAN-2004-0158
Created: February 23, 2004
Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in lbreakout2, a game, where proper bounds checking was not performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games".
Alerts:
Debian DSA-445-1 2004-02-21
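For a setgid program such as lbreakout2, the environment is attacker-controlled input: whoever runs the binary decides how long every variable is. The C example below is added here to show a bounded copy that reports truncation instead of overflowing; it is not lbreakout2's code, and copy_env_bounded, probe_env_copy, probe_env_unset and the LBO_EXAMPLE_* variable names are this example's own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe shape (hypothetical, shown as a comment): copies however many
 * bytes the invoking user put in the environment:
 *
 *     char home[256];
 *     strcpy(home, getenv("HOME"));
 */

/* Bounded copy that never writes past out[outlen-1].
 * Returns 0 on success, -1 if the variable is unset, 1 if truncated. */
int copy_env_bounded(const char *var, char *out, size_t outlen)
{
    const char *value = getenv(var);
    if (outlen == 0)
        return -1;
    if (value == NULL) {
        out[0] = '\0';
        return -1;
    }
    size_t n = strlen(value);
    if (n >= outlen) {
        memcpy(out, value, outlen - 1);
        out[outlen - 1] = '\0';
        return 1;       /* caller decides: reject, or use the truncated value */
    }
    memcpy(out, value, n + 1);
    return 0;
}

/* Demonstration helper: set a constructed variable of value_len 'A's and
 * copy it into a 16-byte buffer, returning copy_env_bounded's verdict. */
int probe_env_copy(size_t value_len)
{
    char value[512];
    char buf[16];
    if (value_len >= sizeof value)
        value_len = sizeof value - 1;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    setenv("LBO_EXAMPLE_VAR", value, 1);
    return copy_env_bounded("LBO_EXAMPLE_VAR", buf, sizeof buf);
}

/* Same, for a variable that is guaranteed not to exist. */
int probe_env_unset(void)
{
    char buf[16];
    unsetenv("LBO_EXAMPLE_UNSET");
    return copy_env_bounded("LBO_EXAMPLE_UNSET", buf, sizeof buf);
}

int main(void)
{
    printf("short=%d fits=%d long=%d unset=%d\n",
           probe_env_copy(5), probe_env_copy(15), probe_env_copy(200), probe_env_unset());
    return 0;
}
```

Note the explicit truncation signal: a silently truncated path is a second bug waiting to happen, so the caller should treat a return of 1 as an error in anything that runs with elevated privileges.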

Comments (none posted)

synaesthesia - insecure file creation

Package(s): synaesthesia
CVE #(s): CAN-2004-0160
Created: February 23, 2004
Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.
Alerts:
Debian DSA-446-1 2004-02-21
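The synaesthesia problem is one of ordering: the per-user configuration file was created while the process still held root, so the file took root's ownership wherever the user pointed the path. The C example below is added to show the defensive ordering (drop privileges for good, verify the drop, then create the file); it is not synaesthesia's code, and drop_privileges_permanently and create_config_as_user are this example's own names. The path used in main is a constructed placeholder.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>

/* Drop root for good, in the order that actually works: supplementary
 * groups, then gid, then uid (setgid() needs the privilege that setuid()
 * is about to give up). Every step is checked and the result verified. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Create the per-user config file only after privileges are gone, so the
 * result can only be a file the invoking user is allowed to create.
 * O_EXCL|O_NOFOLLOW additionally refuses a symlink planted at the path.
 * Returns the descriptor, or -1 on failure. */
int create_config_as_user(const char *path)
{
    if (drop_privileges_permanently(getuid(), getgid()) != 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    /* constructed placeholder path; the directory does not exist, so open() fails */
    int fd = create_config_as_user("/nonexistent-example-dir/synaesthesiarc");
    printf("fd=%d uid=%ld euid=%ld\n", fd, (long)getuid(), (long)geteuid());
    if (fd >= 0)
        close(fd);
    return 0;
}
```

A program that only needs root briefly (to lock memory, open a device) should do that work first and then call something like drop_privileges_permanently before touching anything under the user's home directory; setgroups() is the step most often forgotten.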

Comments (none posted)

Updated vulnerabilities

apache2: Denial of Service vulnerability

Package(s): apache2
CVE #(s):
Created: September 29, 2003
Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

bind: cache poisoning

Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
SCO Group CSSA-2004-003.0 2004-02-19
Debian DSA-409-1 2004-01-05
SuSE SuSE-SA:2003:047 2003-11-28
Trustix 2003-0044 2003-11-27
Immunix IMNX-2003-7+-024-01 2003-10-27
EnGarde ESA-20031126-031 2003-11-26

Comments (none posted)

cgiemail vulnerability allows unauthorized mail relaying

Package(s): cgiemail
CVE #(s): CAN-2002-1575
Created: February 13, 2004
Updated: February 18, 2004
Description: A vulnerability in cgiemail, a cgi program, allows mail to be sent to arbitrary addresses, making the host capable of generating spam. New cgiemail packages fix open mail relaying.
Alerts:
Debian DSA-437-1 2004-02-11

Comments (none posted)

CUPS: denial of service

Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03

Comments (none posted)

elm: vulnerability in frm command

Package(s): elm
CVE #(s): CAN-2003-0966
Created: February 13, 2004
Updated: February 18, 2004
Description: Elm is a terminal mode email user agent. The frm command is provided as part of the Elm packages and gives a summary list of the sender and subject of selected messages in a mailbox or folder.

A buffer overflow vulnerability was found in the frm command. An attacker could create a message with an overly long Subject line such that when the frm command is run by a victim arbitrary code is executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0966 to this issue.

Alerts:
Whitebox WBSA-2004:009-01 2004-02-12

Comments (1 posted)

Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 17, 2003
Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s): fileutils
CVE #(s): CAN-2003-0854
Created: October 22, 2003
Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s): gnupg
CVE #(s): CAN-2003-0971
Created: November 28, 2003
Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s): gtkhtml
CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

kernel: local root exploit

Package(s): kernel
CVE #(s): CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Created: February 18, 2004
Updated: March 8, 2004
Description: Another vulnerability has been found in the 2.4.24 and 2.6.2 mremap() system call; once again, this hole can be exploited by a local user to obtain root access. See this advisory from Paul Starzetz for details.
Alerts:
Gentoo 200403-02 2004-03-06
Debian DSA-456-1 2004-03-06
Fedora-Legacy FLSA:1284 2004-03-02
Debian DSA-454-1 2004-03-02
Debian DSA-453-1 2004-03-02
Debian DSA-450-1 2004-02-27
Immunix IMNX-2004-7+-001-01 2004-02-26
Mandrake MDKSA-2004:015-1 2004-02-25
Mandrake MDKSA-2004:015 2004-02-24
Trustix 2004-0008 2004-02-23
Netwosix NW-2004-0003 2004-02-20
Whitebox WBSA-2004:066-01 2004-02-19
Debian DSA-444-1 2004-02-20
Conectiva CLA-2004:820 2004-02-20
Red Hat RHSA-2004:066-01 2004-02-19
Fedora FEDORA-2004-080 2004-02-18
SuSE SuSE-SA:2004:005 2004-02-18
Red Hat RHSA-2004:069-01 2004-02-18
Fedora FEDORA-2004-079 2004-02-18
Debian DSA-441-1 2004-02-18
Trustix 2004-0007 2004-02-18
Slackware SSA:2004-049-01 2004-02-18
Debian DSA-438-1 2004-02-18
Red Hat RHSA-2004:065-01 2004-02-18
Debian DSA-439-1 2004-02-18
Debian DSA-440-1 2004-02-18

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s): kernel
CVE #(s): CAN-2003-0961
Created: December 1, 2003
Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libtool - Insecure handling of temporary files

Package(s): libtool
CVE #(s):
Created: February 5, 2004
Updated: March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
OpenPKG OpenPKG-SA-2004.004 2004-03-08
Conectiva CLA-2004:811 2004-02-05

Comments (none posted)

mailman: cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2003-0965 CAN-2003-0992
Created:February 6, 2004 Updated:March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.
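Both Mailman issues above come down to a request parameter being written into an HTML page without escaping. The following is an added example, not Mailman's own code: a minimal CGI-style handler (the parameter name "listname" and the page fragments are assumed for the demonstration) shown first in the vulnerable form and then with html.escape() applied for text and attribute contexts, run against a constructed query string carrying markup.

```python
import html
from urllib.parse import parse_qs


def render_unsafe(listname: str) -> str:
    """The pattern behind this class of bug: the parameter is pasted straight
    into the page, so any markup it carries becomes live HTML."""
    return f"<h1>Administer list {listname}</h1>"


def render_safe(listname: str) -> str:
    """Escape for HTML text context before interpolating. quote=True also
    turns " and ' into entities, which costs nothing here and keeps the
    same helper usable for attributes."""
    return f"<h1>Administer list {html.escape(listname, quote=True)}</h1>"


def render_attr_safe(listname: str) -> str:
    """Attribute context: the value must not be able to close the quote
    early, so the quote characters have to be escaped as well."""
    value = html.escape(listname, quote=True)
    return f'<input type="hidden" name="listname" value="{value}">'


def handle_request(query_string: str, renderer=render_safe) -> str:
    """Parse a CGI query string and render the named list with `renderer`."""
    params = parse_qs(query_string, keep_blank_values=True)
    listname = params.get("listname", [""])[0]
    return renderer(listname)


# Constructed sample query string: a list name that contains a script tag.
SAMPLE_QUERY = "listname=%3Cscript%3Ebad()%3C%2Fscript%3E"


if __name__ == "__main__":
    print(handle_request(SAMPLE_QUERY, render_unsafe))
    print(handle_request(SAMPLE_QUERY))
    print(render_attr_safe('x" onfocus="bad()'))
```

The escaping has to happen at the point of output, with the context in mind: text nodes and attribute values need the treatment shown here, and a value written into a script block or a URL needs a different encoder again.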

Alerts:
Fedora FEDORA-2004-060 2004-03-04
Debian DSA-436-2 2004-02-21
Debian DSA-436-1 2004-02-08
Red Hat RHSA-2004:020-01 2004-02-05

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
OpenPKG OpenPKG-SA-2004.009 2004-04-05
Gentoo 200403-09 2004-03-29
Conectiva CLA-2004:833 2004-03-31
SCO Group CSSA-2004-014.0 2004-03-25
Whitebox WBSA-2004:035-01 2004-02-12
Fedora FEDORA-2004-058 2004-02-09
Red Hat RHSA-2004:035-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:034-01 2004-01-19
Debian DSA-424-1 2004-01-16

Comments (none posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
SCO Group CSSA-2004-002.0 2004-02-19
Debian DSA-435-1 2004-02-06
Conectiva CLA-2003:781 2003-11-12

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

mutt: buffer overflow

Package(s):mutt CVE #(s):CAN-2004-0078
Created:February 12, 2004 Updated:March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
SCO Group CSSA-2004-013.0 2004-03-25
OpenPKG OpenPKG-SA-2004.005 2004-03-09
Netwosix NW-2004-0001 2004-02-16
Trustix 2004-0006 2004-02-13
Whitebox WBSA-2004:050-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Red Hat RHSA-2004:051-01 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Fedora FEDORA-2004-061 2004-02-11

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
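The netpbm entry here and the libtool entry above describe the same defect: a temporary file or directory created under /tmp at a name another local user can predict and pre-create (or point a symlink at). The following is an added example, not code from either project, covering both entries. It contrasts the predictable-name pattern with an atomic, unpredictable, mode-0700 creation via tempfile.mkdtemp() and adds a verification routine that inspects the result without following symlinks; the directory names and the planted symlink in demo() are constructed for the demonstration.

```python
import os
import stat
import tempfile


def predictable_tmpdir(tool: str) -> str:
    """The pattern both advisories describe: tool name plus PID under a
    world-writable directory. Anyone who creates that path first, or a
    symlink at it, decides where the tool's output lands. Shown only for
    contrast with make_private_tmpdir()."""
    return os.path.join(tempfile.gettempdir(), f"{tool}-{os.getpid()}")


def check_private_dir(path: str) -> bool:
    """Verify, without following symlinks, that `path` is a directory owned
    by the current user that nobody else can enter or write. Raises on any
    failure so the caller cannot accidentally continue."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not us")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        raise RuntimeError(f"{path} is accessible to group or other")
    return True


def is_private_dir(path: str) -> bool:
    try:
        return check_private_dir(path)
    except (OSError, RuntimeError):
        return False


def make_private_tmpdir(tool: str) -> str:
    """Create the directory atomically with a random suffix and mode 0700
    (mkdtemp fails rather than reusing an existing path), then re-verify."""
    path = tempfile.mkdtemp(prefix=f"{tool}-")
    check_private_dir(path)
    return path


def demo() -> dict:
    """Constructed scenario: one properly created directory, one symlink
    planted where a predictable name would be, one group-readable directory.
    Only the first should pass."""
    results = {}
    good = make_private_tmpdir("netpbm")
    results["good"] = is_private_dir(good)
    os.rmdir(good)

    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "victim")
        os.mkdir(target)
        planted = os.path.join(scratch, "libtool-12345")  # pretend predictable name
        os.symlink(target, planted)
        results["symlink"] = is_private_dir(planted)

        loose = os.path.join(scratch, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o755)  # mkdir's mode is masked by umask; force it
        results["world_readable"] = is_private_dir(loose)
    return results


if __name__ == "__main__":
    print(demo())
```

The shell equivalent of make_private_tmpdir() is mktemp -d, which is what fixed versions of scripts like ltmain.sh generally use; the lstat-based check is the part to add when a tool must reuse a directory it did not create in the same run.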
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
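The bug the advisory describes is a response-time difference between "no such user" and "wrong password". The usual fix is to make both paths do the same work. The following is an added example, not OpenSSH or PAM code: a leaky verifier that returns early for unknown names next to a uniform one that always runs the password hash (against a dummy record when the user is unknown) and only then forces the answer to False. The user database, the PBKDF2 work factor and the timing helper are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # assumed work factor for the example


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database; no real credentials.
USERS = {"alice": make_record("correct horse battery staple")}

# Throwaway record checked for unknown usernames, so the "no such user" path
# performs the same hashing work as the "wrong password" path.
_DUMMY = make_record("dummy-password-never-matches")


def verify_leaky(username: str, password: str) -> bool:
    """Pattern behind the advisory: unknown users short-circuit before the
    expensive step, so the response time reveals whether the name exists."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


def verify_uniform(username: str, password: str) -> bool:
    """Always hash, always compare in constant time; the result for an
    unknown user is forced to False only after the work has been done."""
    rec = USERS.get(username)
    known = rec is not None
    salt, expected = rec if known else _DUMMY
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(got, expected)
    return known and matched


def timing_gap(fn, rounds: int = 20) -> float:
    """Median seconds by which checking a known name takes longer than an
    unknown one; clearly positive for verify_leaky, near zero for
    verify_uniform. For observation only, machine-dependent."""
    def median_time(user):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            fn(user, "wrong-password")
            samples.append(time.perf_counter() - t0)
        return statistics.median(samples)
    return median_time("alice") - median_time("nobody")


if __name__ == "__main__":
    print("leaky gap  :", timing_gap(verify_leaky))
    print("uniform gap:", timing_gap(verify_uniform))
```

Equalizing the work is necessary but not the whole story: a uniform verifier still helps only if the caller does not itself branch on the user's existence before calling it, which is the shape the PAM-enabled path in the advisory had.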
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

phpMyAdmin: directory traversal

Package(s):phpMyAdmin CVE #(s):
Created:February 17, 2004 Updated:February 18, 2004
Description: A component of the phpMyAdmin software package (export.php) does not properly verify input that is passed to it from a remote user. Since the input is used to include other files, it is possible to launch a directory traversal attack.
Alerts:
Gentoo 200402-05 2004-02-17

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PWLib: possible Denial of Service

Package(s):PWLib CVE #(s):CAN-2004-0097
Created:February 13, 2004 Updated:April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Gentoo 200404-11 2004-04-09
Mandrake MDKSA-2004:017 2004-03-03
Fedora FEDORA-2004-078 2004-03-02
Debian DSA-448-1 2004-02-22
Whitebox WBSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:048-01 2004-02-13

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

samba: access to disabled accounts

Package(s):samba CVE #(s):CAN-2004-0082
Created:February 18, 2004 Updated:February 19, 2004
Description: Samba 3.0.0 and 3.0.1 contain a difficult-to-exploit vulnerability which could give an attacker access to a disabled account.
Alerts:
Whitebox WBSA-2004:064-01 2004-02-18
Red Hat RHSA-2004:064-01 2004-02-18

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
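Four of the six problems listed above are variations on reading a length-prefixed value from a peer that may have disconnected, and two are about checking who is talking before acting on what they say. The following is an added example, not saned's code: a small parser for a constructed request framing (a 4-byte big-endian RPC number followed by a length-prefixed string, loosely modelled on the wire encoding; the RPC numbers and the 4 KB cap are assumed) that fails closed on truncation, caps the length before any allocation depends on it, validates the RPC number before reading its parameters, and refuses everything from an unauthorized peer, including the initial request.

```python
import struct

MAX_STRING_LEN = 4096  # assumed cap; the real limit is a policy decision

# Assumed RPC table for the example; only the names appear in the advisory.
KNOWN_RPCS = {0: "SANE_NET_INIT", 1: "SANE_NET_GET_DEVICES"}


class WireError(Exception):
    """Raised for truncated or malformed input instead of reading past it."""


class WireReader:
    """Parse length-prefixed values from a captured byte buffer.

    Every read first checks that the bytes are present, so a dropped
    connection (short buffer) surfaces as WireError rather than as a read
    beyond the buffer (CAN-2003-0774), and an advertised length is capped
    before anything is allocated from it (CAN-2003-0775, CAN-2003-0778).
    """

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise WireError(f"need {n} bytes at offset {self.pos}, "
                            f"only {len(self.data) - self.pos} available")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def read_string(self) -> str:
        length = self.read_u32()
        if length > MAX_STRING_LEN:
            raise WireError(f"string length {length} exceeds cap {MAX_STRING_LEN}")
        raw = self._take(length)
        # Strip a trailing NUL if the sender included one, never rely on it
        # being there when the string is later printed (CAN-2003-0777).
        return raw.rstrip(b"\x00").decode("utf-8", errors="replace")


def parse_request(data: bytes, authorized: bool) -> dict:
    """Parse one request: u32 RPC number, then one string argument.

    The RPC number is validated before its parameters are touched
    (CAN-2003-0776) and the peer's authorization, decided from its address
    before any parsing, gates every RPC including the first (CAN-2003-0773).
    """
    r = WireReader(data)
    rpc = r.read_u32()
    if rpc not in KNOWN_RPCS:
        raise WireError(f"unknown rpc number {rpc}")
    name = KNOWN_RPCS[rpc]
    if not authorized:
        raise WireError(f"{name} from unauthorized peer refused")
    return {"rpc": name, "arg": r.read_string()}


def rejects(data: bytes, authorized: bool = True) -> bool:
    """True if parse_request refuses `data` with a WireError."""
    try:
        parse_request(data, authorized)
    except WireError:
        return True
    return False


def encode(rpc: int, s: bytes) -> bytes:
    return struct.pack(">I", rpc) + struct.pack(">I", len(s)) + s


# Constructed inputs: a well-formed request, the same one cut off as if the
# connection dropped mid-length, an absurd advertised length, a bad RPC number.
GOOD = encode(0, b"netsane-client")
TRUNCATED = GOOD[:6]
HUGE = struct.pack(">I", 0) + struct.pack(">I", 0xFFFFFFFF)
BAD_RPC = encode(99, b"x")


if __name__ == "__main__":
    print(parse_request(GOOD, True))
    for sample in (TRUNCATED, HUGE, BAD_RPC):
        print(rejects(sample))
```

The cap in read_string() is the cheap answer to CAN-2003-0778 at the parser level; the ulimit the advisory suggests is the backstop for everything the parser does not see.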
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory, a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The catch is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. Versions 4.0.1, 3.9.15 and older are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake MDKSA-2003:113 2003-12-08
OpenPKG OpenPKG-SA-2003.050 2003-11-28

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
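The filtering that those tar and unzip versions lacked is straightforward to state: no absolute names, no ".." components, and a final confirmation that the resolved path is still under the extraction directory. The following is an added example, not code from GNU tar or Info-ZIP: a path check for archive member names (the exception class, the destination "/tmp/unpack" and the sample member names are constructed for the demonstration), applied to a list of names of the kind a hostile archive might carry.

```python
import os
import posixpath


class UnsafeMember(ValueError):
    """Raised for an archive entry whose name would escape the target dir."""


def safe_extract_path(dest: str, member: str) -> str:
    """Return the absolute path at which `member` may be written under
    `dest`, or raise UnsafeMember.

    Rules: reject absolute names; collapse '.' and repeated slashes and then
    reject any remaining '..' component; finally confirm the resolved path
    lies inside `dest`. Archive names use '/' regardless of the host OS.
    """
    if not member or member.startswith(("/", "\\")):
        raise UnsafeMember(f"absolute name: {member!r}")
    parts = posixpath.normpath(member).split("/")
    if ".." in parts:
        raise UnsafeMember(f"parent reference in: {member!r}")
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise UnsafeMember(f"escapes {dest}: {member!r}")
    return target


def is_safe(dest: str, member: str) -> bool:
    try:
        safe_extract_path(dest, member)
        return True
    except UnsafeMember:
        return False


# Constructed archive member names, as a hostile tar or zip might carry them.
SAMPLE_MEMBERS = [
    "etc/motd",              # fine
    "./docs/README",         # fine after normalization
    "../../../etc/passwd",   # the "../" case from the advisory
    "/etc/passwd",           # absolute name
    "a/b/../../../x",        # escapes only after collapsing
    "a/../b",                # collapses to "b": stays inside
]


def triage(dest: str = "/tmp/unpack") -> dict:
    """Map each sample name to whether it may be extracted under `dest`."""
    return {m: is_safe(dest, m) for m in SAMPLE_MEMBERS}


if __name__ == "__main__":
    for name, ok in triage().items():
        print(f"{'ok  ' if ok else 'DENY'} {name}")
```

Name filtering covers what this advisory describes; symlink and hard-link members pointing outside the tree are a separate check an extractor also needs. Recent Python versions make the same decisions for you through tarfile's extraction filters (filter="data"), which is the right tool where it is available.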
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created:January 15, 2004 Updated:April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

util-linux: information leak in the login program

Package(s):util-linux CVE #(s):CAN-2004-0080
Created:February 3, 2004 Updated:April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06 2004-04-07
Fedora-Legacy FLSA:1256 2004-03-04
Whitebox WBSA-2004:056-01 2004-02-12
Red Hat RHSA-2004:056-01 2004-02-02

Comments (1 posted)

XFree86: buffer overflow

Package(s):XFree86 CVE #(s):CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
Created:February 12, 2004 Updated:February 23, 2004
Description: The XFree86 code which reads "fonts.alias" files suffers from a buffer overflow which may be turned into a local root exploit; see this advisory for details.
Alerts:
SuSE SuSE-SA:2004:006 2004-02-23
Debian DSA-443-1 2004-02-19
Conectiva CLA-2004:821 2004-02-20
Whitebox WBSA-2004:061-01 2004-02-17
Red Hat RHSA-2004:061-01 2004-02-13
Fedora FEDORA-2004-069 2004-02-13
Mandrake MDKSA-2004:012 2004-02-14
Red Hat RHSA-2004:060-01 2004-02-13
Red Hat RHSA-2004:059-01 2004-02-13
Immunix IMNX-2004-73-002-01 2004-02-12
Slackware SSA:2004-043-02 2004-02-12
Gentoo 200402-02 2004-02-11

Comments (none posted)

Events

ICICS 2004

The 2004 International Conference on Information and Communications Security has issued a call for papers. The conference takes place October 27 - 29, 2004 in Malaga, Spain. Submissions are due by May 31st.


Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.3; Linus has made no kernel releases or prepatches in the last week. His BitKeeper repository is full, however; it contains support for Intel's "ia32e" architecture (see below), a new syscalls.h include file with prototypes for the various sys_* functions, various network driver fixes, a UTF-8 tty mode, dynamic PTY allocation (allowing up to a million PTY devices), sysfs support for SCSI tapes and bluetooth devices, the "large number of groups" patch (covered in the October 2 Kernel Page), the generic kernel thread code (January 7 Kernel Page), and a massive number of other fixes -- over 500 changesets in all.

It's worth noting that Linus is now using a PPC64 system as his home machine. Before long that should result in improved support for that architecture; meanwhile, he finds himself unable to fix his own kernel.

The current tree from Andrew Morton is 2.6.3-mm3. Recent additions to the -mm series include a new HFS filesystem implementation, multipath and crypto target support in the device mapper, a big ide-scsi update, the MODULE_VERSION macro (finally), some virtual memory tweaks, a (read-only) UFS2 filesystem implementation, a big set of parallel port fixes, many big architecture updates, and a large number of fixes.

The current 2.4 kernel is 2.4.25. Marcelo has started off the 2.4.26 process with 2.4.26-pre1; it contains a small set of fixes and a fair number of networking patches, including an SCTP update, a bonding driver update, and the nVidia Force driver.

For 2.2 users, Marc-Christian Petersen has released 2.2.26, which contains the latest security fixes.

Comments (3 posted)

Kernel development news

Quote of the week

I'm happy you put it that way, because otherwise I'd have had to take out my chain saw and run around naked trying to kill you.

-- Linus, as if the Australian swimsuit episode weren't enough.

Comments (none posted)

invalidate_mmap_range() again

The question of whether invalidate_mmap_range() should be exported to non-GPL modules was discussed here last week. There still has been no (public) resolution of the question as of this writing, but the discussion has progressed somewhat. This issue may give some hints as to how other export requests may be viewed in the future.

Andrew Morton posted two criteria which should be used in considering the request. The first is: does the export make sense from a technical point of view? In other words, is the ability to clear page table entries which point at the page cache a legitimate feature for filesystems to want? The consensus answer here appears to be "yes"; distributed filesystems, in particular, will need this capability.

Andrew also noted that the technical question really should be the only one that matters. If there is a valid technical reason for filesystems to use that function, it should be exported to them. In the real world, however, a second question must also be considered: is IBM's proprietary GPFS filesystem, being the module driving the proposed export change, a derived product of the kernel or not? Here there is less of a consensus.

IBM's claim is that GPFS was developed under AIX and simply ported to Linux; it is thus an independent development and clearly not derived from the Linux kernel. Critics point to the large, BSD-licensed layer of glue code which is required to make GPFS actually work with Linux; this layer, they say, shows that GPFS does so much messing around with kernel internals (rather than using the existing, exported interface) that it must be a derived product. Interestingly, IBM supporters also point to the large glue layer. If GPFS were truly derived from the kernel, they say, there would be no need for a large impedance-matching layer.

Without access to the GPFS source, it is going to be hard for any independent party to make a real determination on the status of GPFS. In the end, however, somebody is going to have to make a decision anyway. The odds would appear to favor IBM getting what it wants in this case. But a clear message is being sent: the kernel developers are increasingly suspicious of (and hostile to) changes which make life easier for vendors of closed-source modules.

Comments (11 posted)

Intel's new 64-bit architecture and Linux

Intel has run into a problem that, sooner or later, catches up with many major vendors in the computing industry: customers like standard technologies. It is difficult to introduce a product which ignores the prevailing standards - even if you are the company which set those standards in the first place. Thus, the "Intel" name has not been enough to push the industry toward its Itanium processors. Instead, vendors have been incorporating AMD's 64-bit processors, which retain x86 compatibility and extend that architecture in a relatively natural way.

In response, Intel has finally unveiled its own 64-bit extensions, under the "ia32e" name. Intel itself does not say this, but a review of the new architecture revealed fairly quickly that Intel has adopted (for the most part) AMD's 64-bit architecture. Intel is now in the business of selling AMD-compatible processors. Linus was rather annoyed at Intel for not coming out and just saying this, to the point that he toyed with the idea of renaming the kernel's x86-64 architecture "AMD64." Calm thinking prevailed, however, and Linus chose to stick with a vendor-neutral name.

Support for the new architecture has already been merged into the (upcoming) 2.6.4 kernel; the patch came from Andi Kleen. Given the great similarities with the AMD64 architecture, this support was relatively easy to implement. Intel may not have been entirely straightforward about the path it has taken, but, where it matters, Intel has done the right thing.

Comments (none posted)

CDROM drives and partitioning

It is rare for a CD to be built with partitions; in the modern world, a CD's capacity is considered small enough as it is without splitting it up further. Many of the other reasons for using partitions (robustness in case one partition's filesystem gets corrupted, containing excessive space usage, etc.) also do not apply to the CD medium. As a result, the Linux CD driver does not support partitioning at all.

It turns out, however, that some companies do produce CDs with partition tables on them. Linux systems will be unable to mount and read the filesystems on such CDs. Most users have never encountered this problem, but, for those who have, Steven Hill has posted a patch which adds CDROM partition support to the SCSI CDROM driver.

The good news is that, in the 2.6 kernel, the block layer handles partitioning. So the active part of the patch boils down to the following:

    -	disk = alloc_disk(1);
    +	disk = alloc_disk(partitions + 1);
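Review bot: nothing in this hunk bounds `partitions`, and the count passed to alloc_disk() is what decides how many minor numbers the gendisk consumes; since the SCSI CDROM range has no room set aside for partitions (the next minor, 11,1, is already /dev/scd1), the patch should clamp `partitions` to a small, documented constant and its description should say how the resulting clash with the distributions' device files is meant to be handled.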

So it turns out to be a relatively easy patch to design and implement. (See this Driver Porting Series article for details on alloc_disk() and the rest of the 2.6 gendisk interface.)

The only problem is that, as one might expect, the minor device numbers for the partitions will be allocated immediately after the minor number for the CD device as a whole. /dev/scd0, the first SCSI CDROM device, has device number 11,0, so the first partition on that device would be assigned number 11,1. The catch is that 11,1 is where most systems expect to find /dev/scd1, the second CDROM device. No space was ever set aside for partitions in the SCSI CDROM device number range.

In the relatively near future, dealing with this sort of issue will not be a problem; a small set of udev rules will ensure that the right device names are created to correspond to the hardware which is actually present on the system. Until then, however, users of partitioned CDs will have to deal with a conflict in how the kernel and the distributions see the SCSI CD device number space.

Comments (none posted)

Patches and updates

Kernel trees

  • Andrew Morton: 2.6.3-mm2. (February 22, 2004)
  • Andrew Morton: 2.6.3-mm3. (February 24, 2004)

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Linux in Brazil

February 25, 2004

This article was contributed by Ladislav Bodnar

Few countries have taken to Linux with as much enthusiasm as Brazil. The sheer number of Open Source Software developers, community projects, commercial Linux companies and users coming from Brazil is unparalleled by any other middle-income country. Indeed, Brazil's programming talent is an important contributor to the success of Linux and Linux software not only within its borders, but also internationally. Let's take a look at some of the more interesting projects developed recently in the largest South American country. (Note: unless stated otherwise, links in this article lead to web sites with content in Portuguese.)

Probably the best known Linux effort coming from Brazil is Conectiva Linux. In development since 1997, Conectiva is a privately held commercial company providing a localized distribution, training and other services for the Latin American market. It is best known for developing a port of Debian's apt for RPM-based distributions, as well as a graphical package management tool called Synaptic. During the course of the last few years, Conectiva has provided employment to a number of well-known Linux developers, including Marcelo Tosatti, the current maintainer of the 2.4 kernel series, Alfredo Kojima, the creator of the WindowMaker window manager, and Esveraldo Coelho, the designer of the popular Conectiva Crystal icon sets for KDE. It is interesting to note that all code developed by Conectiva has been released under the GPL. The Conectiva Linux distribution is in active development and the upcoming version 10, currently in beta testing and scheduled for release in the 2nd quarter of 2004, will incorporate the latest kernel 2.6, KDE 3.2 and GNOME 2.6.

Compared to Conectiva, Kurumin Linux is a much younger distribution, a community-driven project led by Carlos Morimoto and Flavio Moreira. Based on Knoppix, but stripped down to fit on a mini CD and with support for installation on hard disk, Kurumin has converted a substantial number of computer users to Linux. The two main reasons for its dramatic success are great looks and a wealth of documentation written in Portuguese. Kurumin Linux is a well-designed distribution with plenty of eye-candy, logical menu structures, a custom control panel for common configuration tasks and a feature called "magic icons" (see screenshot). Perhaps even more importantly, the Kurumin developers have contributed an enormous amount of quality documentation for novice Linux users, written in easy-to-understand language. No wonder that its forums are buzzing with interest and new versions are released on a regular basis. Kurumin Linux is one of the most influential Linux community projects created anywhere in the world!

The success of Kurumin is evidenced by a number of other projects that use Kurumin Linux as a base. One of the more ambitious among them is Kalango Linux, which attempts to expand the original small set of applications to include some of the often requested ones, thus creating a more complete distribution for desktops. Another Kurumin-based distribution is the newly launched Tupiserver Linux, which as the name suggests, is specifically designed for servers and excludes desktop software. Yet another project with Kurumin as its immediate parent is Dizinha Linux, a distribution designed for old computers, where all resource-intensive applications are substituted with smaller and lighter alternatives.

Brazil's commercial Linux companies face the same challenges as their counterparts in other parts of the world and several attempts at creating commercial Linux distributions for the local market appear to have failed. Tech Linux and LuminuX are two RPM-based distributions which have not produced new releases for nearly two years, while the Slackware-based Definity Linux is a commercial Linux distribution with a comparatively small user base.

One of the most unusual projects developed in Brazil is GoboLinux (web site in English). GoboLinux is a Linux distribution which attempts to redefine the UNIX file system hierarchy and replace it with a more intuitive one; see our recent coverage here. GoboLinux's latest release, version 010, was included as a cover disk in the January 2004 edition of Brazil's most influential Linux magazine, Revista do Linux. Other projects from Brazil include MURIX (web site in English), a fairly quiet source-based distribution for advanced users; CEMF Linux, a Slackware-based distribution that can be installed on a FAT32 partition; and Litrix, another Slackware-based project, a live CD derived from SLAX and fully localized into Brazilian Portuguese. Also based on Slackware is Projecto JoLinux, one of the first distributions shipping with kernel 2.6 earlier this year.

The wealth of locally developed open source projects has not gone unnoticed by Brazil's authorities. In October 2003, the country's government signed a letter of intent with IBM pledging to develop initiatives that will promote the use of Linux in Brazil. Some of these initiatives include Linux training for government officials and programs to encourage deployments of Linux-based systems in small and medium-sized businesses. The implementation of these programs will be monitored by a small team comprising government experts and IBM employees. Earlier last year, Brazil launched a program to migrate 80% of public sector computers from Windows to Linux, starting with a 3-year pilot migration in one ministry.

Brazil is often referred to by the general population as a "country of football and samba" (pun not intended). As for the computer enthusiasts among us, it is safe to call it a "country of Linux and Free Software".

Comments (2 posted)

Distribution News

Conectiva Linux 10 Beta 1

The first beta release of Conectiva Linux 10 is now available. "It's quite stable and now we have kernel 2.6.3rc2 and KDE 3.2 final as main updates."

Full Story (comments: none)

cAos 1.0 released

Version 1.0 of cAos, a project "focused on becoming an enterprise-level community-produced distribution," has been released. Click below for the announcement and a pointer to a list of mirrors.

Full Story (comments: 2)

ekkoBSD BETA 2 Now Available!

ekkoBSD.org has announced the second beta release of the ekkoBSD Operating System. "This release features some fixes, new stuff in bin/sbin, new features to fdialog, fetch/libfetch, and the new installation documentation. This release has not fixed EINSTein (the GUI installer)."

Full Story (comments: none)

OpenPKG 2.0 released

Version 2.0 of the OpenPKG meta-distribution is available. OpenPKG now supports 16 flavors of Unix-like systems and offers a significantly expanded set of packages.

Full Story (comments: none)

Debian GNU/Linux

The Debian Weekly News for February 24, 2004 is out. This issue looks at sending mail using Morse code, packages broken by a broken tar version, investigation of the new XFree86 license, and more.

Colin Watson provides a "sarge" update. Much work remains, of course, but a possible freeze date has been tentatively set for March 15th.

There will be a bug squashing party on March 13 at Sydney University to help stomp out those remaining RC bugs in "sarge".

As most of you know, it's time once again for the Debian Project Leader election. The nomination period is almost over (ends February 28th). The campaign period follows, with voting to commence on March 20, 2004.

A general resolution concerning the status of the non-free section is currently under discussion. The actual text of the GR is: "The next release of Debian will not be accompanied by a non-free section; there will be no more stable releases of the non-free section. The Debian project will cease active support of the non-free section. Clause 5 of the social contract is repealed." Voting on this issue begins March 8th.

DebianPlanet reports that XFree86 4.3.0-2 has entered unstable.

Comments (none posted)

Fedora

Fedora News Updates #6, for February 18, 2004, is out. This issue covers the launching of Fedora Core 2 test1, a new online-based forum, as well as tips on dealing with FC2 test1. Also rolling your own Fedora-based ISOs, why Linux uses all its available resources, and lots of software pointers.

Updates for Fedora Core 1:

Comments (none posted)

Gentoo Weekly Newsletter - Volume 3, Issue 8

The Gentoo Weekly Newsletter for the week of February 23, 2004 is available, with a look at FOSDEM Brussels and a call for dialup developers, among other topics.

Full Story (comments: 2)

Mandrake Linux

The Mandrake Linux Community Newsletter for February 13, 2004 is available. This week's top story covers Mandrake Linux 10.0 Beta 2.

Updates for Mandrake Linux 9.2:

  • mkinitrd-net: corrects a problem getting an IP with certain NICs when booting etherboot images
  • ldetect-lst: adds entries for sagem800 modems

Comments (1 posted)

DistroWatch Weekly, Issue 37

The DistroWatch Weekly for February 23, 2004 is out. Topics include understanding live CDs, new and upcoming releases, and more.

Comments (none posted)

Long list of Live CDs

The number of Live-CD distributions is growing at a rapid rate. Keeping up with them all is a challenge, but this List of Live CDs is doing a great job so far.

Comments (none posted)

SUSE Linux

Novell is offering SUSE Linux training at Novell BrainShare 2004 happening March 21 - 26 in Salt Lake City.

SUSE Linux has a contest going on, to see how the distribution has helped its North American customers. If you have a successful operation using SUSE Linux let them know. You could win a dual AMD Opteron-64 PC.

Comments (none posted)

Xandros pre-installed on LinuxCertified Laptop

Xandros and LinuxCertified have announced the release of LinuxCertified Xandros laptops targeting students, educators, researchers and developers.

Full Story (comments: none)

LindowsOS

Lindows.com announced support for Intel Centrino technology. "Centrino laptops pre-loaded with LindowsOS Laptop Edition will hit the market in 30-45 days."

Lindows has also announced that hardware manufacturer Albatron is now shipping select micro-ATX motherboards bundled with LindowsOS 4.5.

Comments (none posted)

Slackware Linux

There are lots of changes this week in the slackware-current changelog, including updated ncurses shared libraries, an upgrade to Linux-2.4.25, and much more.

Comments (none posted)

Skolelinux Interview by Waldo Bastian

The KDE Edutainment Project has an interview with Skolelinux developers about the distribution and KDE. "Knut Yrvin: Skolelinux is the Debian-edu project's Custom Debian Distribution (CDD) in development. It's aiming to provide an out-of-the-box localised environment tailored for schools and universities. The out-of-the-box environment comes with 75 applications aimed at schools, as well as 15 network services pre-configured for a school environment. Coupled with an easy, three question installation, this means that the amount of technical knowledge required is minimal."

Comments (none posted)

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released stable v4.021 with major security fixes. "Changes: This Up2Date fixes the kernel mremap (CAN-2003-0077) vulnerability and updates the anti-spam settings for MS Outlook."

Comments (none posted)

Buffalo Linux

Buffalo Linux has released v1.1.4 with major feature enhancements. "Changes: This release features kernel 2.6.3, an automatic patch and upgrade feature, and upgrades to gcc, module-init-tools, samba, perl, and others. Users of the previous version can upgrade by installing a 45MB package."

Comments (none posted)

ClusterKnoppix

ClusterKnoppix has released v3.3-2004-02-16-EN-cl1 with minor bugfixes. "Changes: This version syncs with the latest Knoppix release, upgrades to gomd 0.2beta, fixes the OpenMosix restart script, fixes a terminal server bug (chown problem), fixes the atmel wlan drivers, adds a French OpenMosix terminal server translation, and adds a new parameter that allows the user to export the Knoppix image from disk instead of running from the CDROM (to allow speedups)."

Comments (none posted)

Compact Flash Linux Project

Compact Flash Linux Project has released v0.1.4-pre1 with minor feature enhancements. "Changes: The system is upgraded to use the Linux Kernel 2.4.25. And now it should compile with gcc version 3."

Comments (none posted)

Coyote Linux

Coyote Linux has released v2.10 Beta 1 with major feature enhancements. "Changes: This package contains the Linux 2.4.25 kernel, uClibc 0.9.26, DNSMasq 2.2, and Busybox 1.00-pre7. This new version of Coyote allows for DHCP to DNS updates, DNS query caching, and DHCP reservations."

Comments (none posted)

INSERT

INSERT has released v1.2.3 with minor feature enhancements. "Changes: The ClamAV antivirus database has been updated to the latest version."

Comments (none posted)

Lineox

Always Current Lineox Enterprise Linux 3.001 is the first revision of Lineox Enterprise Linux 3.0 in the Always Current series. Always Current means the CD-ROM images available for download always contain the latest patches and fixes available. Lineox expects to release new revisions of the Always Current Lineox Enterprise Linux once or twice every week.

Full Story (comments: none)

Linux Live

Linux Live has released v4.0.1 with major bugfixes. "Changes: Copying symlinks to initrd was fixed by copying the link's target along with its absolute pathname. The program's own tempfile function was created (for Mandrake users). The error message for mkzftree was updated. The copy2ram boot parameter was modified. A script to insert LiveCD modules on the fly (while running the LiveCD) was created."

Comments (none posted)

NSA Security Enhanced Linux

NSA Security Enhanced Linux has released v2004021907 with major feature enhancements. "Changes: The base kernel versions have been updated to 2.4.24 and 2.6.3. The 2.6.3 kernel patches include significant enhancements including port-based controls, mount context options, and conditional policy extensions. libselinux now includes code for a userspace AVC and discovers the selinuxfx mount point at runtime. Many other updates and bugfixes have been applied."

Comments (none posted)

Openwall Linux kernel packages 2.4.25-ow1, 2.2.25-ow2

Two Openwall Linux kernel patch updates have been released recently, one is a simple update to Linux 2.4.25, the other is a second revision of the patch for Linux 2.2.25 adding a number of kernel security bug fixes.

Full Story (comments: none)

Orange Linux

Orange Linux has released v1.0.1 with major feature enhancements. "Changes: This version adds the operating system to OSKit."

Comments (none posted)

Recovery Is Possible!

RIP has released v7.3 with minor bugfixes. "Changes: The libraries in /lib were replaced because they were no good, and UFS2 read-only filesystem support was added to the kernel. Some of the software was also updated."

Comments (none posted)

RxLinux

RxLinux has released v1.6.0 with major feature enhancements. "Changes: RxMaster now supports simple or expert configurations. Packages of type ETC can now be edited online using the RxMaster. The kernel has been updated to 2.6.1 and glibc to 2.3.2. There is new bootsplash support in 800x600. Some software packages have been updated: Perl 5.8.3, PHP 4.3.4, and Apache 2.0.48."

Comments (none posted)

Sentry Firewall

Sentry Firewall has released v1.5.0-rc10 with major bugfixes. "Changes: There are two important updates in this release. The Linux kernel has been upgraded to version 2.4.25-ow1, and the bridge+netfilter patch has also been updated to brnf-5. Those folks using -rc9 or below should upgrade."

Comments (none posted)

uClinux

uClinux has released v20030218 with major feature enhancements. "Changes: This release includes lots of app updates, uClibc-0.9.26, and kernel 2.6.2, 2.4.24, and 2.0.39."

Comments (none posted)

Distribution reviews

Review: Lycoris Desktop/LX Personal (linux.com)

Linux.com reviews Lycoris Desktop/LX Update 3. "Lycoris Desktop/LX Update 3, released last September, is a Linux distro aimed primarily at home user desktops. Lycoris has been widely heralded for its user-friendliness. If newbies can handle some manual configuration, they may be happy with Lycoris, but it won't satisfy more experienced users."

Comments (none posted)

A Comprehensive Review of Lycoris Software (DesktopOS.com)

DesktopOS.com has published a review of Lycoris Desktop/LX. "At the time of this writing, Lycoris Desktop/LX is my primary operating system. As you'll immediately discover, I'm quite fond of Desktop/LX and the manner in which Lycoris operates as well as continually proving their commitment to their users. After being a Linux user since 1994 and a Unix Administrator from 1993 to 1998, I've found a complete platform that anyone can use with ease and freedom."

Comments (none posted)

Review of ALT Linux Compact 2.3 (Virtual Sky)

Virtual Sky takes a look at the upcoming ALT Linux Compact 2.3 release. "I've been testing this new contribution to the Linux desktop, and I'd have to say that the ALT Linux team have not disappointed me. Back in October, I was a bit concerned with some of the choices ALT Linux made for this new distribution. However, over the past five months, I've seen the beta releases make wonderful progress. Besides a few minor bugs, I believe that Compact 2.3 is ready for the computing public."

Comments (none posted)

A week with Slackware 9.1 (LinuxBeginner.org)

Here's a look at Slackware 9.1 from LinuxBeginner.org. "I found by day 5 my system was pretty much the way I liked, I do not believe a desktop system should need constant tweaking. Slackware allows us to run right out of the box and is not bloated to the point of slowing you down. I like Slackware because I like to fiddle with my os an make it work for me."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Next Generation of Mail Clients

February 25, 2004

This article was contributed by Kristian Eide

E-mail is the "killer app" of the Internet; an enormous number of messages are exchanged every day, and while web-based mail has become very popular in recent years, many people still prefer the added speed and flexibility of a stand-alone mail client application.

The mail client is in principle a very simple application which allows the user to read and send mail, but all modern mail clients include a host of features to help better manage the ever-increasing number of messages we have to deal with. Graphical mail clients allow for easy sorting of messages into folders, easy searching on a number of criteria, address book management and automatic filtering based on custom-defined rules.

The development of new features does not stop there. The next generation of mail clients includes features such as virtual folders (also known as search folders), faster and more flexible searching, easier creation of filters and lots of small things to make common tasks quicker. This review is a comparison of the features available in the next generation of mail clients and their usability in dealing with large numbers of messages.

Reviewed mail clients:

Evolution 1.5.2 (unstable)
KMail 1.6 (part of KDE 3.2)
Opera 7.50 (preview 2)
Mozilla 1.6 / Thunderbird 0.5
Microsoft Outlook 2002 SP-1 (part of Microsoft Office XP)

Except for Evolution (the latest stable version is recommended over the tested development version), all of these mail clients were quite stable. I did not encounter any problems which would preclude me from recommending them for daily use.

Note that Outlook has been included for completeness, both because of its popularity and for use as a reference. I did not include Eudora, even though the latest version does include unique features such as a Content Concentrator, Contextual Filing, MoodWatch and Email Usage Stats. Eudora is both closed source and not available for any UNIX platforms.

Quick overview of supported features:

Feature                       Evolution  KMail     Opera         Mozilla       Outlook
Mail import                   No         Yes       Only Windows  Only Windows  Only Windows
New mail notification         Only beep  Yes       Only beep     Only beep     Yes
Encryption                    Yes        Yes       No            Yes           Yes
Follow-ups                    Yes        No        No            No            Yes
Forward attached/inline       Yes        Yes       Yes           Yes           Only inline
Write HTML mail               Yes        No        No            Yes           Yes
Multiple accounts             Yes        Yes       Yes           Yes           Yes
Customizable keybindings      No         Yes       No            No            No
Full index search             Yes        Disabled  Yes           No            No
Advanced searching            Yes        Yes       Yes           Yes           Yes
IMAP search                   Yes        No        No            Yes           No
Search folders                Yes        Yes       Yes           No            No
Spam filter                   Yes        No        Yes           Yes           Yes
Handle mailing lists          Yes        Yes       Yes           No            No
Do not download mail rules    Yes        Yes       Yes           Yes           Yes
Labels for e-mail             Yes        Yes       Yes           Yes           Yes
Create filter from message    Yes        Yes       Yes           Yes           Yes
Emoticons                     No         No        No            Yes           No
LDAP                          Yes        Yes       No            Yes           Yes

How I reviewed

In order to get a feel for how each mail client handles daily tasks, I conducted my review by performing a number of tasks:

  • Download a reasonably large amount of messages, about 2100 in total
  • Create some additional folders and set up filters for sorting messages to them
  • Add some contacts to the address book
  • Perform several searches
  • Compose and reply to a few messages
  • Set up some virtual folders (for mail clients which support this)

To provide a way to compare the different mail clients, I then divided the review into the following sections:

  • Mail import from other mail clients
  • Account setup
  • Filters
  • Address book
  • Searching
  • Reading messages
  • Composing messages
  • IMAP
  • Virtual folders
  • Encryption

Note that I did not actually test the encryption features, and I just comment on whether they are present or not. Also, while several of the mail clients now include integrated support for detecting spam mail, I did not test this feature as I plan to take a closer look at this aspect in a future review, and also perform a comparison with external spam filters such as SpamBayes and POPFile.

Final words

This review is extensive and I might have left out something important from your favorite mail client or have written something in error. I very much appreciate any feedback.

Comments (40 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include the addition of XMMS LADSPA, and new versions of Pd, Snd, Libjackasyn, Xmms Jack plugin, and Tdb.

Comments (none posted)

Database Software

Firebird 1.5 Final Release

Version 1.5 of the Firebird relational database is available. "The v1.5 release represents a major upgrade to the engine, which has been developed by an independent team of voluntary developers from the InterBase(tm) source code that was released by Borland under the InterBase Public License v.1.0 on 25 July 2000. Development on the Firebird 2 codebase began early in Firebird 1 development, with the porting of the Firebird 1 C code to C++ and the first major code-cleaning. Firebird 1.5 is the first release of the Firebird 2 codebase. It is a significant milestone for the developers and the whole Firebird project, but it is not an end in itself. As Firebird 1.5 goes to release, major redevelopment continues toward the next point release on the journey to Firebird 2."

Comments (7 posted)

phpPgAdmin 3.3 released (SourceForge)

Version 3.3 of phpPgAdmin, a web-based administration utility for PostgreSQL, is available. "New features include: Database dump feature, which uses pg_dump; Large speed improvements by reducing number of database connections and using external style sheet; SQL pop-up window now defaults to the current database; Display aggregates and operator classes; Integration with the PostgreSQL statistics collector."

Comments (none posted)

Embedded Systems

BusyBox 1.0.0-pre8 released

BusyBox version 1.0.0-pre8 is out. "We really want to get a release out we can all be proud of. We are still aiming to finish off the -pre series in February and move on to the final 1.0.0 release... So if you spot any bugs, now would be an excellent time to send in a fix to the busybox mailing list. It would also be very helpful if people could help review the BusyBox documentation and submit improvements. It would be especially helpful if people could check that the features supported by the various applets match the features listed in the documentation." See the Change Log for more information.

Comments (none posted)

Mail Software

New Milter Software

New mail filtering software on milter.org includes milter-date 0.8, milter-7bit 0.2, and PMilter 0.4.0.

Comments (none posted)

Printing

Foomatic 3.0.1 released

Version 3.0.1 of the Foomatic printer database has been announced. "Compared to Foomatic 3.0.0 the most notable new features are: CUPS drivers can be used with any spooler, better compatibility of the PPDs to the Adobe specifications and to Windows, better PJL support, workaround for bug in OpenOffice.org 1.1, LPRng improvements, clean-up of Perl scripts, enhancements on *BSD compatibility."

Also on LinuxPrinting.org, Epson has released the PPDs for their PostScript printers under the MIT license.

Comments (none posted)

AFPL Ghostscript 8.14 release

AFPL Ghostscript version 8.14 is available. "This release fixes a common issue with antialiased rendering and upgrading is recommended. Also new in this release is support for encrypted PDF output."

Comments (none posted)

Web Site Development

Cooking with Apache, Part 3 (O'ReillyNet)

Rich Bowen and Ken Coar complete their series on Apache with part three. "In this third and final batch of recipes from the recently released Apache Cookbook, authors Rich Bowen and Ken Coar provide solutions to problems related to authentication, symbolic links, and the ever-troublesome trailing slash."

Comments (none posted)

Using MySQL to Stop Editing Web Pages

Russell Dyer discusses web site management with Perl and MySQL. "Although there's much that can be done with web design, sometimes I find it to be extremely boring. When I'm deep into a Perl project, the last thing I want is to meet with other department managers to discuss changes in the text on the corporate web site. It's not a good (or interesting) use of my time. As a result, over the last few years I've developed CGI scripts for sites in Perl and databases in MySQL so that non-technical staff can manage and update site content with little help from me."

Comments (none posted)

Find What You Want with Plucene (O'Reilly)

Simon Cozens introduces Plucene, a Perl-based web site search engine. "For the past few months, my former employers and I have been working on a port of the Java Lucene search engine toolkit. On the February 3rd, Plucene was released to the world, implementing almost all of the functionality of the Java equivalent."

Comments (none posted)

Miscellaneous

Linux X10 universal device drivers Version 2.0 alpha 1 (SourceForge)

For the world of home-automation, version 2.0 alpha 1 of the X10 device drivers for Linux is available. "X10 device drivers for Linux creating a /dev device for each X10 unit in the house. This allows command line, script, and program access to the X10 network. This driver currently supports the PowerLinc Serial, PowerLinc USB, CM11A, and Firecracker/CM17A. Version 2.0 works with kernel 2.6 and is ready for alpha testing."

Comments (1 posted)

Desktop Applications

Data Visualization

gnuplot-3.8k.0 (candidate 4.0) released (SourceForge)

Version 3.8k.0 of gnuplot, a scientific plotting package, has been announced. "This is intended as the release candidate #1 for the planned release 4.0 of gnuplot --- the first major release in well over a decade! Please, everybody test this rigorously and report any problems quickly, to make 4.0 as great a success as we can."

Comments (none posted)

Desktop Environments

Changelog (GnomeDesktop)

A slightly delayed GNOME changelog has been announced. "I've compiled a changelog for those that requested it. I've been slacking lately, and haven't put together a changelog since the GNOME 2.5.0 development release. This changelog includes all the relevant NEWS file entries for modules that made new releases for the 2.5.1 thru 2.5.5 development releases."

Comments (none posted)

gDesklets 0.26 released (GnomeDesktop)

Version 0.26 of gDesklets, tiny displays sitting on your desktop in a symbiotic relationship of eye candy and usefulness, is out. This release includes bug fixes, support for GNOME 2.6, better performance, and more.

Comments (none posted)

GNOME CPUFreq Applet first release! (GnomeDesktop)

The first release of the GNOME CPUFreq Applet is available. "GNOME CPUFreq Applet is a CPU Frequency Scaling Monitor for GNOME Panel. This is the first release".

Comments (none posted)

GNOME Platform Bindings 2.5.5 (GnomeDesktop)

Version 2.5.5 of the GNOME Platform Bindings has been announced. "Please note that we hit Bindings API freeze on March 1st, so now is probably your last chance to suggest API corrections or additions. Here is another scheduled release of the GNOME Platform Bindings, which provide a GNOME development platform for programming languages other than C, in the style of those languages."

Comments (none posted)

This week's GNOME Summary

The GNOME Summary for the week ending February 21 is now available. It looks at several new development releases and includes an interview with Rhythmbox lead developer Colin Walters. "I want a music player that's really easy to use and intuitive, and I think we're actually doing pretty well on that now. Mostly what we're doing now is fleshing the project out with features such as iPod support, better automatic playlists, and using GStreamer's awesome new features."

Comments (none posted)

KDE-CVS-Digest (KDE.News)

The February 20, 2004 KDE-CVS-Digest is out; here's the summary: "Valgrind gets a heap profiler. KStars can show the sky object's distance from earth. Kopete has refactored password and KWalletManager code. Many bugfixes in Khtml, Kopete and KMail."

Comments (none posted)

Desktop Publishing

JabRef 1.19 released (SourceForge)

Version 1.19 of JabRef, a GUI for managing BibTeX databases, has been released. "Version 1.19 is a sort of preview of version 1.2. It gives a significant improvement in the user interface, due to the application of Incors' great free Look and Feel, Kunststoff, and the use of antialiased fonts. This version contains HTML and Docbook features, but these will be improved in the forthcoming 1.2 release."

Comments (none posted)

LyX 1.3.4 is released

Version 1.3.4 of LyX, a GUI front-end to the TeX typesetting system, is available.

Full Story (comments: none)

Electronics

Icarus Verilog Snapshot 20040220

Snapshot 20040220 of the Icarus Verilog electronic simulation language compiler has been announced. See the Release Notes for change details.

Comments (none posted)

XCircuit 3.2.9 available

Development version 3.2.9 of XCircuit, an electronic schematic drawing utility, is available. Change information is in the source code.

Comments (none posted)

Graphics

Image Restoration and Inpainting (SourceForge)

Image Restoration and Inpainting is a cross-platform C++ "image processing project about enhancing, denoising, restoring and detecting/removing parts of images/pictures (Old painting cracks, image characters)".

Comments (none posted)

GUI Packages

wxWidgets 2.5.1 has been released

Development version 2.5.1 of wxWidgets (formerly wxWindows) is available. Change information is in the source code.

Comments (none posted)

Imaging Applications

GQview 1.4.0, stable release (GnomeDesktop)

Version 1.4.0 of GQview, an image viewing application, has been announced. "This is the first stable release since 1.2.2. This specific release updates the translations for bg, cs, de, es, fi, fr, nl, sk, and zh_TW." Version 1.4.0 has been ported to GTK 2 and brings many new features and improvements.

Comments (none posted)

Interoperability

Wine 20040213 released (SourceForge)

Version 20040213 of Wine has been announced. "This release includes a number of enhancements and bug fixes."

Comments (none posted)

Wine Traffic

The February 20, 2004 edition of Wine Traffic is out with the latest news from the Wine project.

Comments (none posted)

Medical Applications

TORCH-2.0.0-alpha2 Released (LinuxMedNews)

LinuxMedNews looks at the latest release of TORCH. "TORCH is a content management application specifically designed to manage personal health record information. Using this approach TORCH avoids the stale data and context problems that are exhibited by purely relational systems after years of service. The latest content management technology in TORCH allows it to store the appropriate data in the appropriate storage whether it is object based or relational."

Comments (none posted)

Music Applications

caps 0.1.0 released

The initial release of caps is available. "caps, the C* Audio Plugin Suite, is a collection of refined LADSPA units including instrument amplifier emulation, stomp-box classics, versatile 'virtual analog' oscillators, fractal oscillation, reverb, equalization and others."

Development of caps is moving rapidly; version 0.1.4 was also released this week.

Full Story (comments: 1)

Gungirl Sequencer 0.2.0 is out

Version 0.2.0 of Gungirl Sequencer, an audio sequencing utility, has been released. "This is the new Release 0.2.0 of Gungirl Sequencer, it comes with a bunch of new Features, and for your convenience is provided in the preferred standard Distribution Formats for both Linux and MS Windows".

Full Story (comments: none)

simsam-0.1.7 released

Version 0.1.7 of simsam, a MIDI sample playback program, has been released. This version adds multiple instruments, multiple JACK outputs, config loading, and more.

Full Story (comments: none)

TAP-plugins 0.4.0 released

Version 0.4.0 of TAP-plugins is out. New features include a Pitch Shifter, a Rotary Speaker simulator, and a Vibrato effect. Bug fixes are also included.

Full Story (comments: none)

wcnt 1.1001 released

Version 1.1001 of wcnt, wav composer not toilet, is out. Wcnt is a "not-real-time modular synthesis sampling sequencing, audio WAV file generator." This version includes a bunch of new features.

Full Story (comments: none)

News Readers

RSSOwl ver. 0.7b released (SourceForge)

Version 0.7b of RSSOwl, an RSS newsreader, is available. "After more than 2 months of development, lots of features have been added and bugs fixed. Some of the cool new features are: Internal Browser, AmphetaRate (rate news, receive personalized recommendations), integrated RSS / RDF search-engine, customizable hotkeys, new languages (dutch, greek, russian, portuguese, bulgarian, norwegian), large tutorial and much more."

Comments (none posted)

PDA Software

Minimo 0.1 Released: Mozilla for Small Devices (MozillaZine)

MozillaZine looks at Minimo, a Mozilla browser for PDAs and other devices with limited resources. "Much of the Minimo effort has focussed on reducing code size and memory footprint, work that can benefit anyone embedding Mozilla in environments where memory and storage is tight. In addition, several optimisations have been made specifically for small devices, including a small screen rendering mode (an extension to enable small screen rendering in the Mozilla Application Suite and Mozilla Firefox is available) and a slimmed down user interface (though this is not final)."

Comments (none posted)

Opie Source Development Kit Released

The Opie Source Development Kit is now available for the Open Palmtop Integrated Environment (OPIE). "The package contains the API and full integration into the award-winning KDevelop3 open source IDE through templates for applications and plugins. Additionally Python bindings are available (PyQt) as well as support for easy deployment and packaging."

Full Story (comments: none)

Science

GRAMPS 1.0.1, the "Revenge of Ed Wood" release (GnomeDesktop)

Version 1.0.1 of GRAMPS, a genealogical system, is out. "This is a bug fix release on the heels of the version 1.0.0. The bug that triggered this release is a unicode translation problem that caused a traceback when adding a child under a language other than English."

Comments (none posted)

Web Browsers

Epiphany 1.1.10 released

Version 1.1.10 of Epiphany, a lightweight browser, has been announced. This version includes bug fixes and improved translations.

Comments (none posted)

Mozilla 1.7 Alpha Released (MozillaZine)

Version 1.7 Alpha of the Mozilla browser has been announced. "This release features improved popup blocking, with a better method for detecting and stopping popups and the ability to open blocked popups. Mail & Newsgroups now supports multiple mail identities per mail account (though there is no user interface for this yet) and also sports several usability enhancements."

Comments (none posted)

Word Processors

XML for word processors (IBM developerWorks)

David Mertz covers the use of XML in word processing applications on IBM's developerWorks. "Recent versions of the three major free software word processing programs have all adopted XML as their native document format. The approaches to XML taken by AbiWord, KOffice's KWord, and OpenOffice.org Writer differ somewhat between the applications -- largely reflecting the underlying development focus of each project. Here, David takes a look at how these projects and all open source word processor developers have realized the advantages of XML as a document format: componentization of parsers and writers; openness and formality of format specification; and applicability of XSLT and other transformation APIs."

Comments (none posted)

Miscellaneous

GNU Aspell 0.50.5 Released

Version 0.50.5 of GNU Aspell, a spell checker that is designed to replace Ispell, is out. See the release announcement for change details.

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The February 17-24, 2004 edition of the Caml Weekly News is out with the latest Caml language news.

Full Story (comments: none)

Java

Java Desktop Development (O'ReillyNet)

O'Reilly is running a comparison of three Java GUI toolkits. "Java developers can choose between three primary GUI toolkits for desktop applications: AWT, Swing, and SWT. Andrei Cioroianu looks at the history, pros, and cons of each in this first article in a series on standalone Java development."

Comments (none posted)

Fixing the Java Memory Model (IBM developerWorks)

Brian Goetz discusses problems with the Java memory model on IBM's developerWorks. "JSR 133, which has been active for nearly three years, has recently issued its public recommendation on what to do about the Java Memory Model (JMM). Several serious flaws were found in the original JMM, resulting in some surprisingly difficult semantics for concepts that were supposed to be simple, like volatile, final, and synchronized. In this installment of Java theory and practice, Brian Goetz shows how the semantics of volatile and final will be strengthened in order to fix the JMM."

Comments (none posted)

Security in Struts: User Delegation Made Possible (O'ReillyNet)

Werner Ramaekers writes about Struts security issues on O'Reilly. "Struts may not have an all-encompassing security scheme, but what it does offer is extensibility. Werner Raemakers looks at how to extend Struts' security by allowing one group of users to delegate permissions to others."

Comments (none posted)

Lisp

Common Lisp Utilities release 1.2 (SourceForge)

Version 1.2 of the Common Lisp Utilities is available. "The new release contains some bug fixes as well as new features for the package rsm.fuzzy."

Comments (none posted)

Perl

Perl 5.005_04 RC2 (use Perl)

Perl version 5.005_04 RC2 is available. "This release fixes a suidperl security issue and a minor Mac OS X Jaguar test issue. If there are no serious negative reports, then I hope to release the real thing in a week."

Comments (none posted)

This Week on perl5-porters (use Perl)

The February 16-22, 2004 edition of This Week on perl5-porters has been published. "This week is to be filed in the category "busy" for the Perl 5 porters. Read about new optimisations, new ideas, new warnings, bugs, fixes, and other future plans for the next major version of Perl 5."

Comments (none posted)

This week on Perl 6

The February 15, 2004 edition of This week on Perl 6 is out with the latest Perl 6 news.

Comments (none posted)

PHP

Using MySQL from PHP (O'ReillyNet)

John Coggeshall shows how to connect to MySQL from PHP on O'Reilly. "In today's column, I will begin to use everything I have shown you thus far to work with and create database-driven web pages using PHP. Let's get started by discussing how a database interacts with a web application."

Comments (none posted)

PHP Weekly Summary for February 23, 2004

The PHP Weekly Summary for February 23, 2004 is out. Topics include: Zend API changed in PHP 5 beta 4, PHP in fink/MacOS X, Continued exceptions change discussion, PHP 5 without XML on Win32, Enhance run-tests.php, ext/tidy API changes from PHP 4 to 5, Static methods in PHP 5.

Comments (none posted)

Python

python-dev summary

The python-dev summary for January, 2004 is available.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The Dobb's Python-URL! for the week of February 24, 2004 is now available with news and links for the Python community.

Full Story (comments: none)

Tcl/Tk

Tcllib 1.6 released (SourceForge)

Version 1.6 of Tcllib is available. "This release is a minor version change which fixes numerous bugs and provides enhancements as well."

Comments (none posted)

Dr. Dobb's Tcl-URL!

Dr. Dobb's Tcl-URL! for February 23, 2004 has been published. Take a look for the latest Tcl/Tk article links.

Full Story (comments: none)

Editors

Leo 4.1 final released (SourceForge)

Version 4.1 Final of Leo, a programmer's outlining editor, has been announced. "Leo 4.1 Final is the culmination of four months of work. No significant bugs have been reported since 4.1 rc4. Several people have contributed nifty plugins recently."

Comments (none posted)

Version Control

Introducing Codeville

Codeville is a Python-based version control system. "Why yet another version control system? All other version control systems require that you keep careful track of the relationships between branches so as not have to repeatedly merge the same conflicts. Codeville is much more anarchic. It allows you to update from or commit to any repository at any time with no unnecessary re-merges."

Comments (none posted)

Learning CVS Using KDE's Cervisia (OSNews)

Carlos Leonhard Woelz explains CVS and Cervisia, a KDE front-end to CVS, on OSNews. "CVS is a tool to record, manage and distribute different versions of files. In other words, CVS is a version control system. It allows easy collaborative work, as each of the contributors can work in his local copy at the same time, without fear of overriding each other modifications. It allows the recovery of past versions (useful for tracking bugs), the creation of branches (for experimental development or for releases) and more."

Comments (none posted)

subversion 1.0 is released

Version 1.0 of Subversion, an open-source version control system that aims to replace CVS, is out. "If you see a Subversion developer, documenter, or tester in the street, buy 'em a beer -- they've earned it."

Full Story (comments: 41)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Let Java Go

Eric S. Raymond wrote this open letter to Scott McNealy, CEO of Sun. The response from Sun can be found in this PCPro article, leading to a follow-up letter from ESR. "We don't presume to dictate Sun's strategy. But what we do require of anyone before we will accept them as a "friend of the open-source community" is more honesty than this. Sun should be nervous about the consequences of allowing its spokespeople to indulge in flames, spin, and prevarication when there are serious issues on the table. Because an attempt to shoot the messenger won't make those issues go away; indeed, it makes some of them worse."

Comments (33 posted)

EU Council agitates for unlimited software patents

Heise Online covers the software patent battle going on inside the EU council. ""Cancelled" or "reformulated" is the standard comment in the footnotes whenever the new text speaks about the changes of the Parliament. The Council makes some small concessions to the software patent opponents, i.e. the impact of the EU legislation for "small and mid-sized companies and the Open Source movement" shall be examined. This is however, no "compromise" in any way, FFII counters the Council's terminology. "It's as if in a debate on whether or not we should raise the speed limits on the roads, the compromise would be to raise them and additionally remove the requirement to wear seat belts", Belgian FFII spokesman Jonas Maebe comments on the proposal." (Thanks to Dirk Hillbrecht)

Comments (8 posted)

Trade Shows and Conferences

The Eclipse Project Looks Ahead (O'ReillyNet)

O'Reilly covers the recent EclipseCon. "EclipseCon revealed the Eclipse project as not just an IDE, but a rich client platform with a flexible architecture, an active community, and a bright future. Daniel Steinberg gives a summary of the week's events."

Comments (none posted)

Preview: Open Source in Government Conference (NewsForge)

Tony Stanco provides a preview of this year's Open Source in Government Conference, in this NewsForge article. "At the conference, a number of government officials will present existing cases where open source has already delivered value to the government. One government implementation in particular may become a precedent for how governments around the world can do open source. The Department of Labor's (DoL) WorkforceConnections software makes it easy for non-technical individuals to create, acquire, share and control Web content in real time. WorkforceConnections lets users build and maintain traditional Web sites, online courses, knowledge repository, online coach, and communities of practice portals."

Comments (none posted)

The SCO Problem

SCO's year of living litigiously (CNN)

Here's a CNN article on SCO's alleged plans to sue a Linux end user. "Whereas the RIAA could point to services such as Apple's iTunes Music Store and RealNetworks's Rhapsody as legitimate means for downloading songs, SCO's 'legal' alternative -- persuading users to pay for licensing -- is untested in a court of law. It's not clear that Linux users are in fact breaking any intellectual property laws."

Comments (6 posted)

Legal

MandrakeSoft ordered to drop trademark (ZDNet)

ZDNet UK reports that a French court has ruled against MandrakeSoft in an intellectual-property dispute with United States-based Hearst Holdings and King Features Syndicate. "The decision could force the Paris-based software company to surrender its trademark and domain names and to pay nearly $90,000 (70,000 euros) in damages to the U.S. companies, holders of the rights to the comic strip character Mandrake the Magician. The comic strip marks its 70th anniversary this year."

Comments (46 posted)

Interviews

People Behind KDE: Back With Matthias Ettrich (KDE.News)

KDE.News announces the return of the 'People Behind KDE' series, beginning with an interview with Matthias Ettrich. "In what ways do you make a contribution to KDE? Qt development, some financial support (sponsoring people and events), some development resources (letting my engineers work on KDE), talking, bringing people together, initiating events like Trysil and NoveHrady."

Comments (none posted)

Q&A With Everaldo (LinuxCult)

LinuxCult interviews Everaldo Coelho. "...for the near future I intend to concentrate all my efforts to create (together with Ingo) a new desktop experience for LindowsOS, anybody who has used LindowsOS knows how wonderful of a system it is, and it has the tools to make the Linux desktop accessible to anybody like no other. Their Click'n Run system is just fantastic. My big challenge is to make Lindows even more pleasant to use, that will be a great task, as we will have to design a lot of graphics for the entire system, a task much bigger than a simple icon theme."

Comments (none posted)

Spreadsheet: Best-of-Breed (Open)

Open Magazine talks with Jody Goldberg about Gnumeric. "Fans of the Open Source Gnumeric spreadsheet program are rather proud of their project. Being Open Source, Gnumeric enthusiasts can point to yet another community project that demonstrates how free software can engender best-of breed applications. Gnumeric, part of the GNOME desktop environment, is good enough to say, "See? Excel and Lotus are not the be all and end all."" (Found on Footnotes)

Comments (none posted)

Stallman on XFree86 License Change (OfB.biz)

Open for Business talks with Richard Stallman about the XFree86 license modifications. "So what is the problem with the new license? "The details of the requirement conflict with the GNU GPL," Stallman explained, "anyone linking GPL-covered applications with that XFree86 code would be violating the GPL.""

Comments (33 posted)

Resources

A Computer Lab with No Windows, Part II (Linux Journal)

Linux Journal continues a study of building a computer lab using a Linux terminal server network. "Most of the common programming languages, such as shell scripts, C and C++, are included in the LTSP download. If you want to have the latest Java development environment installed, however, you can download your choice of Java SDK from Sun and install it. Sun offers Java SDKs in both source as well as binary code. After installation, you might want to add a path to /opt/ltsp/i386/etc/lts.conf so any user can have access to the language."

Comments (none posted)

Reviews

A first look at the new GIMP 2.0 (NewsForge)

NewsForge reviews version 2.0 of the GIMP. "A monumental change in GIMP 2.0 is a much-improved text tool. The new tool boasts enhanced font selection and allows for multi-line entries. All changes are immediately reflected on the canvas, making it much easier for designers to preview their text within the image context. Further, you can export text as a path in order to tweak its shape, fill style, or scale."

Comments (12 posted)

Introducing openMosix (O'ReillyNet)

O'ReillyNet looks at openMosix. "One of the differences between openMosix and other clustering environments, such as Beowulf-style clusters, is that for an application to run on an openMosix cluster there is no need for recompilation or integration of other libraries. Programs such as Flac, Bladeenc, Povray, and mjpeg tools work without any modifications, as does MPI."

Comments (none posted)

Deep inside the K Desktop Environment 3.2 (ArsTechnica)

ArsTechnica has a lengthy review of KDE 3.2. "The K Desktop Environment, while being a highly integrated system itself, is platform- and system-agnostic. Officially supported platforms using The X Window System as the base for the GUI range from the diverse Linux distributions to *BSD, IBM AIX and Sun Solaris. X Window dependent builds for Mac OS X are available through the Fink project, ditto for Windows through KDE on Cygwin." (Thanks to Joergen Ramskov)

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Bakbone Software joins OSDL

Bakbone Software has become the newest member of the Open Source Development Labs. "Through participation in OSDL's Data Center Linux Working Group, BakBone will help the working group focus on enterprise Linux data protection technologies. Data storage and protection are recognized as key to the acceleration of enterprise-wide adoption of Linux-based applications."

Full Story (comments: none)

Alan Cox wins free software award

A quick update from FOSDEM 2004 in Brussels: this year's FSF award for the advancement of free software was awarded to Alan Cox, seemingly as much for his support for GNOME as for his kernel work. The award was presented by Richard Stallman.

Comments (5 posted)

FFII alert on EU's IP enforcement directive

The Foundation for a Free Information Infrastructure (FFII) warns that the EU Parliament's Legal Affairs committee is set to rubber stamp a new text on Monday for the EU Directive on the Enforcement of Intellectual Property Rights.

Full Story (comments: 2)

Wikipedia reaches 500,000 articles in 50 languages

The Wikipedia online Free Content Encyclopedia has reached a new milestone of 500,000 articles in 50 languages.

Full Story (comments: none)

wxWindows library renamed to wxWidgets

The wxWindows project has a new name, wxWidgets. "the "wxWindows" library has been renamed "wxWidgets" because of the similarity of the name to a certain known product from a US based software company."

Full Story (comments: 13)

Commercial announcements

MySQL Licensing Survey

MySQL AB is running a licensing survey. "MySQL AB is always interested in getting feedback from customers and the open source community on the best way to communicate our licensing policy. In order to continue to gather input, we have a short five question survey."

Comments (none posted)

OpenOffice.org BizDev Project

The OpenOffice.org Business Development (BizDev) project has been launched. "The goals of this project are to build a business partners' network around OpenOffice.org. In this regard the BizDev project is the place where commercial leads, and business and consulting information can be discussed. It is a project for services professionals who are looking for customers, projects, and for contributing the way they want."

Full Story (comments: none)

Linuxant releases DriverLoader 1.6

Linuxant has released version 1.6 of its DriverLoader software. "DriverLoader is a revolutionary compatibility-wrapper allowing standard Windows NDIS (Network Driver Interface Specification) drivers shipped by hardware vendors to be used as-is on Linux x86 systems."

Full Story (comments: none)

JBoss Closes $10 Million in Venture Financing

JBoss, Inc. has announced it has secured $10 million in an oversubscribed first round of venture financing led by Matrix Partners.

JBoss has also announced a successful fourth quarter for 2003.

Comments (none posted)

Opersys releases Quick Reference Guide

Opersys has released a quick reference guide providing the key commands for building embedded Linux systems straight from source. Opersys' quick reference guide is available here.

Full Story (comments: 1)

VMware Announces New Virtual Infrastructure Software

VMware has announced the release of its GSX Server 3 virtual infrastructure software.

Full Story (comments: none)

Wind River & Redhat

Wind River is working with Red Hat to build an embedded platform based on Red Hat Enterprise Linux. (Thanks to Esben Nielsen)

Comments (5 posted)

New Books

Exploiting Software: How to Break Code

Addison-Wesley has published Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw.

Full Story (comments: none)

Resources

LDP Weekly News

The February 18, 2004 edition of the Linux Documentation Project Weekly News is out with the latest new documentation.

Full Story (comments: none)

LSB-VSX2.0 Beta Release Available

The beta release of the LSB-VSX test suite is available. "This release is targeted for use with the LSB version 2.x testing and certification program. There are a number of new tests added over previous releases."

Full Story (comments: none)

Slides from Daniel Glazman's Talk on Nvu (MozillaZine)

MozillaZine points to some slides from FOSDEM 2004. "The slides from Daniel Glazman's talk on Nvu at this weekend's Mozilla Developers Meeting in Europe 4.0 at FOSDEM 2004 are now available. Consisting mostly of technical information, the slides also cover how the Nvu project was started, what's been developed so far and what's coming up in the future."

Another set of FOSDEM slides is available. "The visuals from Gervase Markham's presentation on the Mozilla Foundation are online too. In the talk, Gerv discussed how the Mozilla Foundation started, who works there, how the decisions are made and what's coming next."

Comments (none posted)

Upcoming Events

OSBC 2004 adds Larry Lessig to discuss open source legal issues

Lawrence Lessig has been added to the schedule for the Open Source Business Conference 2004. The event runs March 16 and 17 at the Westin St. Francis hotel in San Francisco.

Full Story (comments: none)

LinuxUser & Developer Expo

The LinuxUser & Developer Expo will be held in London, England on April 20 and 21, 2004.

Full Story (comments: none)

2004 gcc summit call for papers

The 2004 GCC & GNU Toolchain Developers' Summit will be happening June 2 to 4 in Ottawa. The call for papers is out now; if you would like to present at the summit, you need to get a proposal in by the beginning of March.

Comments (none posted)

LogOn Briefings at CeBIT 2004

LogOn Technology Transfer and Deutsche Messe AG will present the LogOn Briefings at the CeBIT 2004 conference in March, 2004. "The events, to be held at the CeBIT Convention Center, will feature a program of tutorials for technical IT professionals, as well as a free business conference with focus on IT management issues."

Full Story (comments: none)

Austrian Perl Workshop (use Perl)

The first Austrian Perl Workshop has been announced. The event will take place from May 20-22, 2004 in Vienna, Austria.

Comments (none posted)

Nordic Perl Workshop Welcomes You (use Perl)

Use Perl has an announcement for the Nordic Perl Workshop. The event will be held in Copenhagen, Denmark on March 27 and 28, 2004.

Comments (none posted)

YAPC::NA::2004 Registration Open (use Perl)

Use Perl has announced the YAPC::NA::2004 Perl conference. The event will take place in Buffalo, NY on June 16-18, 2004.

Comments (none posted)

Open Source Forum 2004

The Open Source Forum 2004 will be held in Sydney, Australia on March 25 and 26, 2004.

Comments (none posted)

Hands-on Linux Demo in Davis, CA

The Linux Users' Group of Davis, CA will hold a Linux demonstration on Saturday, February 28, 2004.

Full Story (comments: none)

The 4th Annual Meeting of Bioinformatics.Org

The 4th Annual Meeting of Bioinformatics.Org has been announced. The event will take place in Boston, Massachusetts on March 30 - April 1, 2004.

Comments (none posted)

Events: February 26 - April 22, 2004

Date: Event (Venue), Location

February 26 - 27, 2004: PostgreSQL Bootcamp (Big Nerd Ranch, Inc.), Atlanta, GA
February 26, 2004: UKUUG LISA/Winter Conference and Tutorial (Lansdowne Campus, Bournemouth Univ.), Bournemouth, UK
February 26 - 27, 2004: GNU/Linux Summit 2004 (Finlandia Hall), Helsinki, Finland
February 27, 2004: Mozilla Developer Day, Mountain View, CA
March 1 - 5, 2004: PHP|Cruise, The Caribbean
March 4 - 5, 2004: Linux Automation Konferenz, Hannover, Germany
March 5, 2004: Perl Workshop 2004, Amsterdam, the Netherlands
March 6 - 7, 2004: Linux-Day Chemnitz, Chemnitz, Germany
March 15 - 17, 2004: Open Source in Government Conference (George Washington University), Washington, DC
March 16 - 17, 2004: Open Source Business Conference 2004 (The Westin St. Francis), San Francisco, CA
March 18 - 24, 2004: CeBIT (Hannover Exhibition Center), Hannover, Germany
March 21 - 26, 2004: Novell BrainShare 2004, Salt Lake City, Utah
March 24 - 26, 2004: PyCon DC 2004, Washington, D.C.
March 25 - 26, 2004: Open Source Forum 2004 (The Sydney Marriott Hotel), Sydney, Australia
March 27 - 28, 2004: Nordic Perl Workshop 2004 (Symbion Science Park), Copenhagen, Denmark
March 27 - 28, 2004: YAPC::Taipei::2004, Taipei, Taiwan
April 5 - 7, 2004: Samba eXPerience 2004 (Hotel Freizeit In), Göttingen, Germany
April 13 - 15, 2004: Real World Linux 2004 Conference & Expo (Metro Toronto Convention Centre), Toronto, Ontario, Canada
April 14 - 16, 2004: MySQL Users Conference and Expo 2004 (Peabody Hotel Orlando), Orlando, FL
April 14 - 17, 2004: ACCU Spring Conference 2004 (Randolph Hotel), Oxford, England
April 20 - 21, 2004: LinuxUser & Developer Expo (Olympia), London, England
April 22 - 23, 2004: 2004 Desktop Linux Summit (Del Mar Fairgrounds), San Diego, California

Comments (none posted)

Mailing Lists

KDE Usability Process Strengthened (KDE.News)

A new moderated mailing list has been set up for discussion of KDE usability issues. "The primary goal of this new email list will be to find, promote and implement methods to integrate ongoing usability efforts with existing KDE design methodologies. KDE developers will be encouraged and given the tools to include usability as a primary concern at the earliest phases of application development."

Comments (none posted)

Web sites

LinuxQuestions.org adds a Linux Wiki

LinuxQuestions.org has added a new Linux Wiki to its site.

Full Story (comments: none)

PHP Editors webpage - moved

The PHP Editors site has moved. "The page now features a filtering mechanism to allow readers to list editors by platform and/or licence." Thanks to Keith Edmunds.

Comments (none posted)

New Polish Mozilla Firefox Website Launches (MozillaZine)

A Polish language web site devoted to the Mozilla Firefox browser has been announced.

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds