
LWN.net Weekly Edition for March 4, 2004

This week's SCO fun

It has been a busy week for people watching the rapidly growing set of SCO cases. Here we will try to summarize the current state of affairs.

The company announced its first-quarter results, which were just as bad as had been expected. SCO's revenues are down almost 20% from one year ago, and the reported loss is $2.3 million. The actual loss, however, was $5.2 million; some residual accounting weirdness in the BayStar deal allowed SCO to paper over the difference. SCO will not be able to use that trick in the future, however; instead, the restructuring of the BayStar deal will likely force the reporting of a significant loss in the second quarter.

The end result is that SCO is not making any money. The Unix business is dying, helped along by SCO's "sue your customers" business model. The company has only managed to sell "a handful" (Darl McBride's word) of "Linux licenses" - $20,000 worth in the first quarter. The company's stock has fallen to about half of its peak value ($22.29, last October). Things are not looking good for the SCO group. In such a situation, the quarterly conference call did not look like it would be much fun for SCO's management. So it was time to set up a diversion.

That diversion came in the form of two new lawsuits - the long-promised end-user suits, sort of. The first is against AutoZone, a former SCO customer which switched to Linux. SCO claims "AutoZone violated SCO's UNIX copyrights by running versions of the Linux operating system that contain code, structure, sequence and/or organization from SCO's proprietary UNIX System V code in violation of SCO's copyrights." The actual complaint (available as an 8-page PDF file) is surprisingly vague; the core of the suit can be found in two paragraphs:

On information and belief, parts or all of the Copyrighted Material [Unix] has been copied or otherwise improperly used as the basis for creation of derivative work software code, included one or more Linux implementations, including Linux versions 2.4 and 2.6, without the permission of SCO.

Defendant has infringed and will continue to infringe SCO's copyrights in and relating to Copyrighted Materials by using, copying, modifying, and/or distributing parts of the Copyrighted Materials, or derivative works based on the Copyrighted Materials in connection with its implementations of one or more versions of the Linux operating system, inconsistent with SCO's exclusive rights under the Copyright Act.

In the IBM case, SCO has alleged that IBM helped AutoZone misuse SCO's Unix shared libraries on Linux. When dealing directly with AutoZone, however, that claim has gone away. The complaint as a whole looks like a desultory effort, not something that was months in the making.

The second suit is against DaimlerChrysler. In this case, SCO is picking on a Unix licensee which has refused to answer SCO's "compliance certification" demand from last December. This suit is not directly related to Linux, yet; SCO is just trying to force compliance with a Unix license clause (allegedly) giving SCO the right to demand this sort of certification. Darl McBride admitted in the conference call that less than half of the recipients of the demand letter have responded to it. Conceivably, SCO might actually have a case here - but it has little to do with Linux users.

SCO did announce one new SCOsource customer: EV1Servers.Net. This company (formerly RackShack) bought a license to cover its 20,000-some Linux servers. EV1Servers claims that it is just trying to protect its customers, but quite a few of those customers have been rather vocal in their discontent. Surely EV1Servers.Net's appearance in this Microsoft case study last September is purely coincidental.

The Novell case is currently waiting for SCO's response to Novell's motion to dismiss the case. SCO has asked for more time (until March 5) to put together this response; Novell has indicated that it will not oppose that request - but only as long as SCO files no other motions during that time. In this way, perhaps, Novell will be able to get quick consideration of its motion without being slowed down by the usual SCO delaying tactics.

In the IBM case, the long-awaited ruling on the various motions to compel discovery has finally been issued; we have it in PDF format. Both sides are ordered to come up with a lot of stuff. SCO is told to be very specific about what lines of code it's complaining about, and also "the lines of code that SCO distributed to other parties." IBM has to come up with a lot of AIX and Dynix code, and to talk more about its Linux contributions. The ruling does not appear to be a clear victory for either side.

The Utah court also allowed SCO to amend its complaint against IBM, deleting its trade secret claims and adding copyright violation claims. IBM had not contested this change, so there was no real reason for the court to turn it down.

The Red Hat case is still waiting for the judge to rule on SCO's motion to dismiss. This ruling should be easy; SCO, remember, claimed that it was not threatening Red Hat or its customers. Red Hat had plenty of evidence to the contrary already, but the fact that AutoZone was a Red Hat customer has clarified the situation even further.

In Australia, CyberKnights has taken the next step and filed a formal complaint with the Australian Competition and Consumer Commission. The ACCC has already been sitting on one complaint; time will tell if the second complaint results in action. In Germany, SCO reached an out-of-court settlement with Univention stating that SCO will refrain from making claims against Linux without evidence. It is a minimal agreement which does little to truly shut the company up, however.

Increasingly, the SCO story looks as if it is entering the final chapters. Regardless of how many more suits the company files, it appears unable to halt the decline of its stock price and of how the company and its claims are perceived (the questions at the latest conference call were rather less friendly than in the past). SCO, by all appearances, is going down; unfortunately, the company may well be able to make quite a bit more trouble before its story ends.


The Committee for Economic Development on digital copyright

The Committee for Economic Development is a 60-year-old pro-business think tank. This group has recently dedicated some of its resources to the problems associated with intellectual property rights in a digital setting. The resulting report could easily have become another rabid missive on the evils of "piracy" and the need for heavy governmental involvement. But the CED took a different approach. The report (available as a 100-page PDF file) takes a surprisingly broad view of the situation. It contains little that is truly new for people who have been following the situation, but it does show that the business community is beginning to figure out that there is more to think about than the entertainment industry's immediate complaints.

The introduction talks about the challenges posed to publishers by ubiquitous computers and high-speed networking. It notes that sales of audio CDs have dropped significantly, but also discusses a number of (non-piracy) reasons for why that is happening. Movie sales, in contrast, are better than ever; bandwidth limitations have something to do with that, but the fact that movie customers feel they are getting their money's worth also is relevant.

Potential responses to unwanted copying of copyrighted materials are discussed. The report notes, however:

New business arrangements have consistently emerged in response to new technologies. Over the long term, the creators of advances in science and the arts have profited from advances in new production and distribution technologies. And attempts to protect existing production and distribution arrangements by law have failed.

The report then goes into a detailed history of copyright law. The authors are clear on the fact that the real purpose of modern copyright law is to promote artistic and scientific advancement; the provision of certain monopoly rights to copyright holders is simply a means to that end. It is often repeated that creators of copyrighted materials rely heavily on work that was done before; there is little that is truly and completely original. The importance of fair use rights and the public domain is discussed several times.

There is a discussion of responses to piracy which covers most of the usual topics: the DMCA, various other legislative efforts (broadcast flag, the CBDTPA), enforcement actions, digital rights management schemes, etc. The authors are not enthusiastic about legislative "solutions" to the problem; they see laws like the DMCA and state "super DMCA" proposals as anti-competitive, inimical to fair use rights and the public domain, and ineffective. Among other things, they point out that legally-required copy protection schemes can enshrine weak technology and inhibit the development of stronger alternatives.

The report has little good to say about digital rights management (DRM) systems. For starters, DRM systems usually fail in the long term; once a DRM system has been broken, the exploit code can be spread far and wide over the net. DeCSS is used as an example - and the authors even note that DeCSS was created to play DVDs on Linux systems rather than as a piracy tool. Privacy issues with DRM systems are mentioned. The report talks about the innovation which has resulted from the widespread dissemination of general-purpose computers, and how legally-mandated DRM threatens to put an end to that.

There are a few paragraphs dedicated to the effect on free software:

The role of open source software is being systematically ignored in many of the proposals under discussion in this report, and particularly in the broadcast flag context. Open source software is increasingly important as a source of innovation; it can be far more reliable and secure than proprietary software because talented programmers around the world can examine the code and try to break its security, without having to worry about hidden backdoors or holes. Yet such examination and the resulting improvement appears incompatible with a prohibition on tampering.

There are also societal costs to be paid. Widespread use of DRM systems threatens the public domain and fair use rights, and will thus inhibit further development.

We grant limited privileges to creators because we want them to create and to share their works for the benefit of society as a whole, not in order to give them total control over how their works are used. The central problem with broad use of DRM is not that software code will be regulating users, but that content creators will be unilaterally regulating private uses of content and controlling the course of subsequent innovation.

Almost every innovation is "subsequent" to many others, and, as the authors point out, this subsequent innovation is usually done by new, unrelated creators. Allowing creators to choke off subsequent works will thus result in fewer works being created, which is contradictory to the original purpose of copyright protection.

The biggest complaint that the authors have with DRM, however, would appear to be the fact that such systems shift copy protection costs from copyright holders to consumer electronics manufacturers and users.

Finally, the report points out that oppressive DRM (and rights enforcement in general) is bad for the social contract which holds the whole system together:

The existence of private license agreements containing "unreasonable" terms -- terms inconsistent with shared values -- undermines the societal interest in self-enforcing contracts. The self-enforcement aspect of private agreements is essential; after all, voluntary compliance with private agreements is what makes a society livable. If we create a world where license terms do not appear to represent a fair bargain, and are contrary to shared values, we are likely to have built a world where there is little inclination for voluntary compliance and much delight taken in rule-breaking. Such a world will be filled with obtuse letters threatening dire legal consequences, or (more likely) widespread remote disabling of the machines upon which we rely.

One might well argue that we have already proceeded far down that path.

The report concludes with a set of recommendations:

  1. No quick legislative schemes. The report proposes a two-year moratorium in legal "fixes" while a broader consensus on digital copyright protection is worked out.

  2. A high priority should be placed on the development of new business models around creative content. There should be no legal protection for any particular business model.

  3. Existing enforcement and education efforts should continue. In particular, the industry should use the legal tools it has against commercial pirates.

  4. Despite the report's criticism of DRM systems, it recommends that DRM efforts should continue, but that such systems must respect the fair use and first sale rights of users. The report suggests that the DMCA anti-circumvention clause should be reconsidered.

  5. There should be "economic incentives" for copyright holders to facilitate further use of their works. Compulsory licensing is one idea mentioned in the report. It should also be easier for works to enter the public domain; the report mentions the idea of requiring periodic, low-cost renewals to keep copyrights in force.

For those of us who are concerned about ever-increasing copyright terms, criminal charges against software developers, and the lack of ability to use and control our computers as we see fit, this report will fall short of what we would like to see. It is, however, a clear sign that the wider business community is starting to become aware of the costs of unrestricted copyright rights. We are seeing the beginning of a real debate where, before, there was only the illusion of consensus. That can only be a step in the right direction.


FreeS/wansong

March 3, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The FreeS/WAN project is winding down after five years. For those unfamiliar with the project, FreeS/WAN was created by John Gilmore, who has contributed more than his share to the Internet era. He helped create the "alt" newsgroups, co-founded the Electronic Frontier Foundation and Cygnus Solutions (now part of Red Hat), and has contributed to a number of other important projects.

FreeS/WAN was designed to provide a Secure Wide Area Network (S/WAN), and has been widely used to deploy IPSec Virtual Private Networks (VPNs). But Gilmore was looking to go beyond VPNs with FreeS/WAN and to push the concept of Opportunistic Encryption (OE). The idea behind OE was to provide software that would encrypt packets, without intervention from the user, when communicating with machines that support encryption. Using OE, a FreeS/WAN machine would automatically create an ad hoc Virtual Private Network (VPN) when encryption was available at both ends, and send data in the clear when encryption was not available. Either way, the operation would be transparent to the user. Gilmore was optimistic that OE would offer the "fax effect" for encryption:

As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet.

Gilmore wanted to secure 5% of Internet traffic against passive wiretapping by 1999, and eventually all communications on the net. Perhaps someday FreeS/WAN, or similar software, will drive widespread adoption of encrypted communications. But users have been slow to utilize FreeS/WAN for OE, even within the Linux community. FreeS/WAN has been popular for setting up VPNs, but OE just hasn't caught on in a big way. This is one of the FreeS/WAN project's stated reasons for quitting:

Nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped. The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.

Gilmore also wanted to challenge U.S. crypto export regulations with FreeS/WAN, and barred U.S.-based developers from contributing code to the project. While there have been some small victories, including the U.S. government's retreat in the Bernstein case (which Gilmore was heavily involved in), the ability to export strong cryptography from the U.S. is far from guaranteed:

After the watershed Bernstein case, US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.

This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.

It probably shouldn't be surprising, then, that FreeS/WAN suffered from lack of community support. The decision to exclude U.S.-based developers from working on FreeS/WAN meant that many kernel developers, including Linus himself, would be unable to contribute to the project. But while U.S.-based developers were barred from contributing to FreeS/WAN, they were not barred from working on other implementations of IPSec. The 2.6 kernel now includes an IPSec implementation of its own, negating the need for an add-in implementation like FreeS/WAN.

Though the FreeS/WAN project is ending, the situation is not as dramatic as it sounds. No open source application is dead if the community does not wish it so, and FreeS/WAN will live on for some time after the last official release. The FreeS/WAN team plans to push out at least one more release, including changes to allow its use with the 2.6 kernel series. Openswan, a fork of the FreeS/WAN project, seems poised to continue development where FreeS/WAN leaves off.

Linux users are not being left out in the unencrypted cold. The code remains, and development of IPSec VPNs for Linux continues without a hitch. At some point, we may even realize Gilmore's goals of a fully-encrypted Internet.


Page editor: Jonathan Corbet

Security

Brief items

Keeping spamassassin current

Longtime users of SpamAssassin know that it can do an outstanding job of identifying spam. They also know, however, that the effectiveness of any particular SpamAssassin release tends to decline over time as spammers figure out how to craft messages which get past the rules. The Bayesian filter buried inside SpamAssassin can help a lot; it catches a fair amount of spam which evades the rules, and it evolves over time to keep up with what the spammers are doing - especially if you make a point of training the filter with its mistakes. Even so, frustrating amounts of spam can get through.

The situation is not helped much by the fact that the SpamAssassin rule base seems to be evolving slowly in recent times. The SpamAssassin developers have too many other things to do, perhaps, or maybe they would rather see the work done by the Bayesian filter. In any case, some users would certainly like to see the rules updated more frequently.

The maintenance of an up-to-the-second set of SpamAssassin rules could well be a business opportunity for somebody, if the licensing issues could be worked out. But SpamAssassin users should also be aware of the custom rulesets page hosted on the SpamAssassin Wiki. This is a place where additional rules can be found to deal with specific problems; some of them might cut your spam load considerably.

Currently available rulesets include:

  • One aimed at "pill spam." Those of us not looking to fill our prescriptions over the net may welcome this one.

  • "Bigevil" simply contains URLs found in spam; it's a sort of content-based blacklist.

  • There is a set of rules for filtering out virus warnings.

  • "Tripwire" looks for combinations of letters which do not appear in English text, normally.

Several others exist as well; there is also a "RulesDuJour" script which can be used to automatically keep up to date with the rulesets as they are maintained. The custom rulesets won't solve the spam problem, but they can help to keep a mailbox a bit cleaner.
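As an added illustration (not code from the LWN item, from SpamAssassin or from the real rulesets), here is a small Python scorer that mimics what the Bigevil, Tripwire and pill-spam rulesets check for, adding up per-rule scores against SpamAssassin's default required_score of 5.0; the host blacklist, letter sequences, regex and sample messages are all constructed for the example.

```python
import re

# Constructed blacklist of hostnames, standing in for the kind of URL list a
# "Bigevil"-style ruleset carries (made-up names, not from the real ruleset).
BIGEVIL_HOSTS = ("pillz-cheap.example", "rolex-4-u.example")

# Constructed letter sequences that do not occur inside English words; a
# "Tripwire"-style rule fires when a single word contains one of them.
TRIPWIRE_SEQS = ("xq", "qz", "jq", "qv", "zq")

# A small "pill spam" body pattern, allowing the usual digit-for-letter swaps.
PILL_RE = re.compile(r"\b(?:v[i1]agra|c[i1]al[i1]s|x[a@]n[a@]x)\b", re.IGNORECASE)

URL_HOST_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")

# Per-rule scores in the spirit of SpamAssassin "score" lines (values chosen here).
SCORES = {"BIGEVIL": 3.0, "TRIPWIRE": 2.0, "PILL_SPAM": 2.5}
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score threshold


def rule_bigevil(body: str) -> bool:
    """True if any URL in the body points at a blacklisted host or a subdomain of one."""
    for host in URL_HOST_RE.findall(body):
        host = host.lower().rstrip(".")
        if any(host == bad or host.endswith("." + bad) for bad in BIGEVIL_HOSTS):
            return True
    return False


def rule_tripwire(body: str) -> bool:
    """True if any word contains a letter sequence that English words never contain."""
    for word in WORD_RE.findall(body.lower()):
        if any(seq in word for seq in TRIPWIRE_SEQS):
            return True
    return False


def rule_pill_spam(body: str) -> bool:
    """True if the body advertises one of the drug names in PILL_RE."""
    return PILL_RE.search(body) is not None


RULES = {"BIGEVIL": rule_bigevil, "TRIPWIRE": rule_tripwire, "PILL_SPAM": rule_pill_spam}


def score_message(body: str):
    """Run every rule, sum the scores of those that fire, and return
    (total score, names of rules hit, whether the total reaches the threshold)."""
    hits = [name for name, rule in RULES.items() if rule(body)]
    total = sum(SCORES[name] for name in hits)
    return total, hits, total >= REQUIRED_SCORE


if __name__ == "__main__":
    # Constructed sample messages: one obvious spam, one ordinary work mail.
    spam = "Cheap v1agra! Order at http://www.pillz-cheap.example/order - xqzxq offer"
    ham = "Meeting moved to 3pm, agenda at http://intranet.example/agenda"
    for label, body in (("spam", spam), ("ham", ham)):
        total, hits, is_spam = score_message(body)
        print(f"{label}: score={total} hits={hits} spam={is_spam}")
```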


New vulnerabilities

libxml2 - arbitrary code execution

Package(s): libxml2    CVE #(s): CAN-2004-0110
Created: February 26, 2004    Updated: August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26


xboing - buffer overflows

Package(s): xboing    CVE #(s): CAN-2004-0149
Created: February 28, 2004    Updated: March 3, 2004
Description: Steve Kemp discovered a number of buffer overflow vulnerabilities in xboing, a game, which could be exploited by a local attacker to gain gid "games".
Alerts:
Debian DSA-451-1 2004-02-27


Updated vulnerabilities

apache2: Denial of Service vulnerability

Package(s): apache2    CVE #(s):
Created: September 29, 2003    Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26


CUPS: denial of service

Package(s): CUPS    CVE #(s): CAN-2003-0788
Created: November 3, 2003    Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03


Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


fetchmail may crash on specially crafted message

Package(s): fetchmail    CVE #(s): CAN-2003-0792
Created: October 17, 2003    Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16


fileutils/wu-ftpd: denial of service

Package(s): fileutils    CVE #(s): CAN-2003-0854
Created: October 22, 2003    Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22


GnuPG: ElGamal signing keys compromised

Package(s): gnupg    CVE #(s): CAN-2003-0971
Created: November 28, 2003    Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28


gtkhtml: malformed messages cause crash

Package(s): gtkhtml    CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003    Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14


hsftp - format string vulnerability

Package(s): hsftp    CVE #(s): CAN-2004-0159
Created: February 23, 2004    Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a format string vulnerability in hsftp. This vulnerability could be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp. Note that while hsftp is installed setuid root, it only uses these privileges to acquire locked memory, and then relinquishes them.
Alerts:
Debian DSA-447-1 2004-02-22


iproute: local denial of service

Package(s): iproute net-tools    CVE #(s): CAN-2003-0856
Created: November 25, 2003    Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24


kdepim: VCF file information reader vulnerability

Package(s): kdepim    CVE #(s): CAN-2003-0988
Created: January 15, 2004    Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07


kernel: local root exploit

Package(s): kernel    CVE #(s): CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Created: February 18, 2004    Updated: March 8, 2004
Description: Another vulnerability has been found in the 2.4.24 and 2.6.2 mremap() system call; once again, this hole can be exploited by a local user to obtain root access. See this advisory from Paul Starzetz for details.
Alerts:
Gentoo 200403-02 2004-03-06
Debian DSA-456-1 2004-03-06
Fedora-Legacy FLSA:1284 2004-03-02
Debian DSA-454-1 2004-03-02
Debian DSA-453-1 2004-03-02
Debian DSA-450-1 2004-02-27
Immunix IMNX-2004-7+-001-01 2004-02-26
Mandrake MDKSA-2004:015-1 2004-02-25
Mandrake MDKSA-2004:015 2004-02-24
Trustix 2004-0008 2004-02-23
Netwosix NW-2004-0003 2004-02-20
Whitebox WBSA-2004:066-01 2004-02-19
Debian DSA-444-1 2004-02-20
Conectiva CLA-2004:820 2004-02-20
Red Hat RHSA-2004:066-01 2004-02-19
Fedora FEDORA-2004-080 2004-02-18
SuSE SuSE-SA:2004:005 2004-02-18
Red Hat RHSA-2004:069-01 2004-02-18
Fedora FEDORA-2004-079 2004-02-18
Debian DSA-441-1 2004-02-18
Trustix 2004-0007 2004-02-18
Slackware SSA:2004-049-01 2004-02-18
Debian DSA-438-1 2004-02-18
Red Hat RHSA-2004:065-01 2004-02-18
Debian DSA-439-1 2004-02-18
Debian DSA-440-1 2004-02-18


kernel: local root exploit in 2.4.22

Package(s): kernel    CVE #(s): CAN-2003-0961
Created: December 1, 2003    Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lbreakout2 buffer overflow

Package(s):lbreakout2 CVE #(s):CAN-2004-0158
Created:February 23, 2004 Updated:February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in lbreakout2, a game, where proper bounds checking was not performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games".
Alerts:
Debian DSA-445-1 2004-02-21

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2003-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libtool - Insecure handling of temporary files

Package(s):libtool CVE #(s):
Created:February 5, 2004 Updated:March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
OpenPKG OpenPKG-SA-2004.004 2004-03-08
Conectiva CLA-2004:811 2004-02-05

Comments (none posted)

mailman: cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2003-0965 CAN-2003-0992
Created:February 6, 2004 Updated:March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.

Alerts:
Fedora FEDORA-2004-060 2004-03-04
Debian DSA-436-2 2004-02-21
Debian DSA-436-1 2004-02-08
Red Hat RHSA-2004:020-01 2004-02-05

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
OpenPKG OpenPKG-SA-2004.009 2004-04-05
Gentoo 200403-09 2004-03-29
Conectiva CLA-2004:833 2004-03-31
SCO Group CSSA-2004-014.0 2004-03-25
Whitebox WBSA-2004:035-01 2004-02-12
Fedora FEDORA-2004-058 2004-02-09
Red Hat RHSA-2004:035-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:034-01 2004-01-19
Debian DSA-424-1 2004-01-16

Comments (none posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that release did not fully fix it, version 2.7.10 has since been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
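
As an added example (not mpg321's code), the bug class in its smallest form: an untrusted string from the file used as the printf(3) format, beside the constant-format version. The function names are assumptions, and the vulnerable call is routed through a vsnprintf() wrapper only so that the file still builds when gcc's -Werror=format-security is on.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Thin wrapper around vsnprintf().  A direct snprintf(out, outsz, title)
 * is exactly what gcc's -Wformat-security flags, and that warning is the
 * cheapest detector of this bug class in a C code base; the wrapper exists
 * only so the vulnerable shape below can be compiled for demonstration.
 */
static int format_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/*
 * Vulnerable shape: the untrusted title is the format.  Every '%' in it is
 * interpreted: "%x" and "%s" read the caller's stack, "%n" writes to memory.
 * The test only feeds "%%", which consumes no argument, so running it stays
 * defined; it still shows that the string is being parsed, not copied.
 */
int render_title_unsafe(char *out, size_t outsz, const char *title)
{
    return format_into(out, outsz, title);
}

/* Safe shape: the format is a constant and the title is only ever data. */
int render_title_safe(char *out, size_t outsz, const char *title)
{
    return format_into(out, outsz, "%s", title);
}
```

The same rule covers syslog(3), fprintf(3) and any function with printf-style varargs: the format argument is never the untrusted string.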
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

mutt: buffer overflow

Package(s):mutt CVE #(s):CAN-2004-0078
Created:February 12, 2004 Updated:March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
SCO Group CSSA-2004-013.0 2004-03-25
OpenPKG OpenPKG-SA-2004.005 2004-03-09
Netwosix NW-2004-0001 2004-02-16
Trustix 2004-0006 2004-02-13
Whitebox WBSA-2004:050-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Red Hat RHSA-2004:051-01 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Fedora FEDORA-2004-061 2004-02-11

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need a valid Nessus account and the ability to upload arbitrary Nessus plugins to the Nessus server (an option that is disabled by default), or would need to trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
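
The libtool entry above and this netpbm entry describe the same bug class: a temporary name that another local user can predict and pre-create, usually as a symlink, so that the victim's write lands wherever the link points. As an added example (not code from either project), here is the pattern in C, the guessable-name version beside the mkstemp()/mkdtemp() version, with two small helpers for verifying the resulting permissions. The `example.` prefix, the $TMPDIR fallback and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Unsafe pattern, kept for contrast only (nothing below calls it): the name
 * is guessable from the PID, and O_CREAT without O_EXCL follows a symlink an
 * attacker planted at that name, so the victim truncates and writes the
 * link's target with its own privileges.
 */
int open_guessable_tmpfile(char *name, size_t namelen)
{
    snprintf(name, namelen, "/tmp/example.%ld", (long)getpid());
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Directory for temporary files: $TMPDIR if set, else /tmp. */
static const char *tmp_base(void)
{
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Build "<base>/example.XXXXXX" on the heap; caller frees. */
static char *tmp_template(void)
{
    const char *base = tmp_base();
    size_t n = strlen(base) + sizeof("/example.XXXXXX");
    char *t = malloc(n);
    if (t)
        snprintf(t, n, "%s/example.XXXXXX", base);
    return t;
}

/*
 * Safe file: mkstemp() fills in a random suffix and opens the name with
 * O_CREAT|O_EXCL and mode 0600, so a pre-existing file or symlink makes the
 * attempt fail instead of being followed.  Returns the open descriptor and
 * stores the name in *path (caller frees and unlinks).
 */
int create_private_tmpfile(char **path)
{
    char *tmpl = tmp_template();
    if (!tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) {
        free(tmpl);
        return -1;
    }
    *path = tmpl;
    return fd;
}

/*
 * Safe directory: mkdtemp() creates it with mode 0700, so other local users
 * cannot place files or links inside; plain names created within it are
 * then safe to use.  Returns the directory name (caller frees and removes).
 */
char *create_private_tmpdir(void)
{
    char *tmpl = tmp_template();
    if (!tmpl)
        return NULL;
    if (!mkdtemp(tmpl)) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

/* Permission bits of a path without following a final symlink; (mode_t)-1 on error. */
mode_t path_perm_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

int is_directory(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISDIR(st.st_mode);
}
```

For a shell script such as ltmain.sh the equivalent is `mktemp -d`, with the script aborting if it fails; a directory, rather than a single file, is the right unit when several temporary names are needed, because the 0700 mode protects all of them at once.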
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug in its xlog() logging function. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PWLib: possible Denial of Service

Package(s):PWLib CVE #(s):CAN-2004-0097
Created:February 13, 2004 Updated:April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Gentoo 200404-11 2004-04-09
Mandrake MDKSA-2004:017 2004-03-03
Fedora FEDORA-2004-078 2004-03-02
Debian DSA-448-1 2004-02-22
Whitebox WBSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:048-01 2004-02-13

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or for taking control of another user's screen, but exploiting it that way requires transferring around 2-3 gigabytes of data to the user's screen. Versions 4.0.1, 3.9.15 and older are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake MDKSA-2003:113 2003-12-08
OpenPKG OpenPKG-SA-2003.050 2003-11-28

Comments (none posted)

synaesthesia - insecure file creation

Package(s):synaesthesia CVE #(s):CAN-2004-0160
Created:February 23, 2004 Updated:February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.
Alerts:
Debian DSA-446-1 2004-02-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
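
A filter of the kind these tar and unzip versions lacked, as an added example (not code from either project): it rejects absolute names and any ".." path component while keeping names that merely contain two dots inside a component. The function name is an assumption.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Decide whether an archive member name may be extracted relative to the
 * current directory.  Rejected: empty names, absolute paths, and any path
 * component that is exactly "..", so "../x", "a/../../x", "./../x" and
 * "a/.." all fail.  Accepted: "foo..bar/baz" (the dots are inside a
 * component), "./a/b", and names with doubled or trailing slashes.
 */
bool member_name_is_safe(const char *name)
{
    if (!name || !*name || name[0] == '/')
        return false;

    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (!slash)
            return true;
        p = slash + 1;
    }
}

/* Count the unsafe names in a list; handy for a pre-extraction audit of an untrusted archive. */
size_t count_unsafe_members(const char *const *names, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!member_name_is_safe(names[i]))
            bad++;
    return bad;
}
```

Name filtering alone does not close the whole problem: an archive can also carry a symlink member pointing outside the extraction directory followed by a regular member extracted through it, so an extractor must additionally refuse to write through links it created during the same run.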
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created:January 15, 2004 Updated:April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

util-linux: information leak in the login program

Package(s):util-linux CVE #(s):CAN-2004-0080
Created:February 3, 2004 Updated:April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06 2004-04-07
Fedora-Legacy FLSA:1256 2004-03-04
Whitebox WBSA-2004:056-01 2004-02-12
Red Hat RHSA-2004:056-01 2004-02-02

Comments (1 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 release is 2.6.4-rc1, which was announced by Linus on February 27. This large patch contains support for Intel's "ia32e" architecture, a new syscalls.h include file with prototypes for the various sys_* functions, various network driver fixes, a UTF-8 tty mode, dynamic PTY allocation (allowing up to a million PTY devices), sysfs support for SCSI tapes and bluetooth devices, the "large number of groups" patch (covered in the October 2 Kernel Page), the generic kernel thread code (January 7 Kernel Page), an HFS filesystem rewrite, and a massive number of other fixes. See the long-format changelog for the details.

Linus's BitKeeper tree contains a number of parallel port fixes, various architecture updates, the reversion of a patch which had removed threads from /proc (and broke gdb), an XFS update, a FireWire update (including one which notes that IEEE1394 support is no longer experimental), and numerous fixes.

The current kernel tree from Andrew Morton is 2.6.4-rc1-mm2. Recent additions to the -mm tree include more scheduler tweaks, some big NFS updates, the POSIX message queues patch, a 4K stack option for the x86 architecture, some VM optimizations, the removal of some old network device API functions (see below), and numerous other fixes and updates.

The current 2.4 kernel is 2.4.25. Marcelo has released no 2.4.26 prepatches since 2.4.26-pre1 on February 25.

Comments (none posted)

Kernel development news

A retry-based AIO infrastructure

The asynchronous I/O infrastructure was added in 2.5 as a way to allow processes to initiate I/O operations without having to wait for their completion. The underlying mechanism is documented in this Driver Porting Series article. The actual implementation of asynchronous I/O in the kernel has been somewhat spotty, however. It works for some devices (which have specifically implemented that support) and for direct file I/O. Other sorts of potentially interesting uses, such as with regular buffered file I/O, have remained unimplemented.

Part of the problem is that buffered file I/O integrates deeply with the page cache and virtual memory subsystem. It is not all that easy to graft asynchronous I/O operations into those complex bodies of code. So the kernel developers have, for the most part, simply punted on cases like that.

Suparna Bhattacharya, however, has not given up so easily. For over a year, now, she has been working on a set of patches which bring the asynchronous mode to the buffered I/O realm. A new set of patches has recently been posted which trims down the buffered AIO changes to the bare minimum. So this seems like a good time to take a look at what is involved in making asynchronous buffered I/O work.

The architecture implemented by these patches is based on retries. When an asynchronous file operation is requested, the code gets things started and goes as far as it can until something would block; at that point it makes a note and returns to the caller. Later, when the roadblock has been taken care of, the operation is retried until the next blocking point is hit. Eventually, all the work gets done and user space can be notified that the requested operation is complete. The initial work is done in the context of the process which first requested the operation; the retries are handled out of a workqueue.

For things to work in this mode, kernel code in the buffered I/O path must be taught not to block when it is working on an asynchronous request. The first step in this direction is the concept of an asynchronous wait queue entry. Wait queue entries are generally used, surprisingly, for waiting; they include a pointer to the process which is to be awakened when the wait is complete. With the AIO retry patch, a wait queue entry which has a NULL process pointer is taken to mean that actually waiting is not desired. When this type of wait queue entry is encountered, functions like prepare_to_wait() will not put the process into a sleeping state (though it does add the wait queue entry to the associated wait queue), and some functions will return the new error code -EIOCBRETRY rather than actually sleeping.

The next step is to add a new io_wait entry to the task structure. When AIO retries are being performed, that entry is pointed to an asynchronous wait queue entry associated with the specific AIO request. This task structure field is, for all practical purposes, being used in a hackish manner to pass the wait queue entry into functions deep inside the virtual memory subsystem. It might have been clearer to pass it explicitly as a parameter, but that would require changing large numbers of internal interfaces to support a rarely-used functionality. The io_wait solution is arguably less clean, but it also makes for a far less invasive patch. It does mean, however, that work can only proceed on a single AIO request at a time.

Finally, a few low-level functions have been patched to note the existence of a special wait queue entry in the io_wait field and to use it instead of the local entry that would normally have been used. In particular, page cache functions like wait_on_page_locked() and wait_on_page_writeback() have been modified in this way. These functions are normally used to wait until file I/O has been completed on a page; they are the point where buffered I/O often blocks. When AIO is being performed, instead, they will return the -EIOCBRETRY error code immediately.

The AIO code also takes advantage of the fact that wait queue entries, in 2.6, contain a pointer to the function to be called to wake up the waiting process. With an asynchronous request, there may be no such process; instead, the kernel needs to attempt the next retry. So the AIO code sets up its own wakeup function which does not actually wake any processes, but which does restart the relevant I/O request.

Once that structure is in place, all that's left is a bit of housekeeping code to keep track of the status of the request between retries. This work is done entirely within the AIO layer; as each piece of the request is satisfied, the request itself as seen by the filesystem layer is modified to take that into account. When the operation is retried to transfer the next chunk of data, it looks like a new request with the already-done portion removed.

Add in a few other hacks (telling the readahead code about the entire AIO request, for example, and an AIO implementation for pipes) and the patch set is complete. It does not attempt to fix every spot which might block (that would be a large task), but it should take care of the most important ones.
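
To make the retry scheme concrete, here is a small user-space model written for this page (it is not code from Suparna's patches or from the kernel): a page cache whose pages may still be "locked" for I/O, a read path that returns -EIOCBRETRY instead of sleeping, and a wakeup path that re-runs the request with the already-completed portion removed. The page size, the numeric value of the retry code and all model_ names are assumptions, and the kernel's workqueue is stood in for by an immediate retry on the caller's thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MODEL_EIOCBRETRY 530    /* "retry me later"; the real value is assumed here */
#define MODEL_PAGE 4            /* tiny page size so the example is easy to follow */

/* A page of the modelled page cache: data plus an "I/O still in flight" flag. */
struct model_page {
    char data[MODEL_PAGE + 1];
    bool locked;                /* true: still being read from disk */
};

/* Modelled AIO request; the kernel's kiocb keeps similar bookkeeping. */
struct model_iocb {
    char *buf;                  /* user buffer */
    size_t nbytes;              /* total bytes requested */
    size_t done;                /* bytes already copied: removed from the request on retry */
    size_t pos;                 /* file position of the first byte still wanted */
    int retries;                /* how often -EIOCBRETRY was returned */
    bool complete;
};

/*
 * Modelled wait_on_page_locked(): a synchronous caller would sleep here until
 * the page's I/O finished.  With an asynchronous wait queue entry in place the
 * function registers interest and returns -EIOCBRETRY immediately.
 */
static int model_wait_on_page_locked(const struct model_page *p)
{
    return p->locked ? -MODEL_EIOCBRETRY : 0;
}

/*
 * One pass of the file read path.  What it sees is "what is left": pos and
 * nbytes - done, which is exactly how the AIO layer rewrites the request
 * between retries so that each retry looks like a fresh, shorter read.
 */
int model_file_read(struct model_iocb *iocb, struct model_page *cache, size_t npages)
{
    while (iocb->done < iocb->nbytes) {
        size_t idx = iocb->pos / MODEL_PAGE;
        size_t off = iocb->pos % MODEL_PAGE;
        if (idx >= npages)
            break;                              /* short read at end of file */
        if (model_wait_on_page_locked(&cache[idx]) == -MODEL_EIOCBRETRY) {
            iocb->retries++;
            return -MODEL_EIOCBRETRY;           /* progress so far stays in done/pos */
        }
        size_t want = iocb->nbytes - iocb->done;
        size_t avail = MODEL_PAGE - off;
        size_t n = want < avail ? want : avail;
        memcpy(iocb->buf + iocb->done, cache[idx].data + off, n);
        iocb->done += n;
        iocb->pos += n;
    }
    iocb->complete = true;
    return (int)iocb->done;
}

/*
 * Modelled wakeup: when the page's I/O lands, the AIO wait queue entry's
 * wakeup function has no sleeper to wake; it re-queues the request instead.
 * Here the re-queue is an immediate retry, standing in for the workqueue.
 */
int model_io_complete_and_retry(struct model_iocb *iocb, struct model_page *cache,
                                size_t npages, size_t page_idx)
{
    cache[page_idx].locked = false;             /* the read finished */
    return model_file_read(iocb, cache, npages);
}

/* Drive one request to completion; returns the number of bytes read. */
int model_aio_read(struct model_iocb *iocb, struct model_page *cache, size_t npages)
{
    int rc = model_file_read(iocb, cache, npages);
    while (rc == -MODEL_EIOCBRETRY) {
        size_t idx = iocb->pos / MODEL_PAGE;    /* the page the request is waiting on */
        rc = model_io_complete_and_retry(iocb, cache, npages, idx);
    }
    return rc;
}

/* Constructed input: a 12-byte "file" in three pages, the middle one still in flight. */
int model_demo(char *out, size_t outsz, int *retries)
{
    struct model_page cache[3] = {
        { "abcd", false }, { "efgh", true }, { "ijkl", false },
    };
    struct model_iocb iocb = { .buf = out, .nbytes = outsz < 10 ? outsz : 10, .pos = 0 };
    int rc = model_aio_read(&iocb, cache, 3);
    *retries = iocb.retries;
    return rc;
}
```

The point the model makes is that nothing in the read path has to remember where it stopped: the request itself is trimmed, and a retry is indistinguishable from a new, shorter request that happens to start where the last one blocked.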

Comments (7 posted)

The end of init_etherdev() and friends

The last few 2.6 kernel releases have seen a lot of patches removing calls to a set of network driver support functions, including init_etherdev(), init_netdev(), and dev_alloc(). With the integration of networking and sysfs, static net_device structures have become impossible to use in a safe way; these structures must now be allocated dynamically and properly reference counted. See this Driver Porting Series article for details on the currently supported interface.

As of 2.6.3, there are no users of those functions in the mainline kernel tree. There are, however, certain to be out-of-tree drivers which still use them. Those drivers will need to be fixed soon; the 2.6.3-mm4 kernel tree added a patch which removes those functions forevermore. Once that patch works its way into the mainline kernel, any driver relying upon init_etherdev() and friends will cease to work until it is fixed. Don't say you haven't been warned.

Comments (none posted)

pramfs - a new filesystem

Steve Longerbeam (of MontaVista) has sent out an announcement for a new filesystem called "pramfs." He would like to see pramfs merged into the mainline kernel in the near future; let it not be said that embedded Linux companies do not contribute to the kernel.

Pramfs (the "protected and persistent RAM special filesystem") is a specialized filesystem; it is intended for use in embedded systems which provide a bank of non-volatile memory for user data storage. Think, for example, of a phone book housed within a mobile telephone. Such memory tends to be fast, but it is not normally part of the system's regular core memory. It also tends to be important; cell phone users will not tolerate a phone which scrambles their phone numbers.

To meet the special needs presented by non-volatile RAM filesystems, pramfs does a number of things differently than normal filesystems. Since there is no need to worry about the (nonexistent) performance impacts of block positioning, pramfs doesn't. Since pramfs filesystems are expected to live in fast memory, there is generally no performance benefit to caching pages in main memory. So pramfs, interestingly, forces all file I/O to be direct; essentially, it forces the O_DIRECT flag on all file opens. In that way, pramfs gets the benefits of shorting out the page cache without having to change applications to use O_DIRECT explicitly.

Pramfs also goes out of its way to avoid corruption of the filesystem. If the underlying non-volatile RAM is represented in the system's page tables, it is marked read-only to keep a stray write from trashing things. When an explicit write to the filesystem is performed, the page permissions are changed only for the time required to perform the I/O. Pramfs disallows writes from the page cache; one practical result of that prohibition is that shared mappings of pramfs-hosted files are not possible.

See the pramfs web site for more information.

Comments (none posted)

Time to thrash the 2.6 VM?

Those who have been watching kernel development for a little while will remember the fun that came with the 2.4.10 release, when Linus replaced the virtual memory subsystem with a new implementation by Andrea Arcangeli. The 2.4 kernel did end up with a stable VM some releases thereafter, but many developers were upset that such a major change would be merged that far into a stable series, especially since many of them were not convinced that the previous VM was unfixable.

The 2.4 changes are long past, but the memories are fresh enough that when Andrea put forward a set of VM changes which, while they are for 2.4, are said to be applicable to 2.6 as well, people took notice. Andrea's goals this time are a little more focused; he is concerned with the performance of systems with at least 32GB of installed memory and hundreds of processes with shared mappings of large files. This, of course, is the sort of description that might fit a high-end database server.

Andrea has found three problems which make those massive servers fail to function well. The first has to do with how 2.4 performs swapout; it works by scanning each process's virtual address space, and unmapping pages that it would like to make free. When a page's mapping count reaches zero, it gets kicked out of main memory. The problem is that this algorithm performs poorly in situations where many processes have the same, large file mapped. The VM will start by unmapping the entire file for the first process, then another, and so on. Only when it has passed through all of the processes mapping the file can it actually move pages out of main memory. Meanwhile, all of those processes are incurring minor page faults and remapping the pages. With enough memory and processes, the VM subsystem is almost never able to actually free anything.

This is the problem that the reverse-mapping VM (rmap) was added to 2.5 to solve. By working directly with physical pages and following pointers to the page tables which map them, the VM subsystem can quickly free pages for other use. Andrea is critical of rmap, however; with his scenario of 32GB of memory and hundreds of processes, the rmap infrastructure grows to a point where the system collapses. Instead, for his patches, he has implemented a variant of the object-based reverse mapping scheme. Object-based reverse mapping works by following the links from the object (a shared file, say) which backs up the shared memory; in this way it is able to dispense with the rmap structures in many situations. There are some concerns about pathological performance issues with the object-based approach, but those problems do not seem to arise in real-world use.
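The two scan strategies contrasted in the last two paragraphs, as an added toy model that is not Andrea's code or the kernel's: NPROC processes share one NPAGE-page file, the pages below NHOT are touched by every process every tick, the rest are cold, and the reclaimer may take BUDGET steps per tick. The 2.4-style scanner walks PTEs process by process and can release a page only once it has cleared the last mapper; the rmap-style scanner walks physical pages and clears every mapper in one visit. Both get the same second chance on an accessed bit so that hot pages are never reclaimed. All names and numbers are invented for the illustration.

```c
/*
 * Added example, not kernel code: a toy model of per-process virtual scanning
 * (2.4) versus physical-page reverse mapping (rmap). Names and numbers are
 * invented for the illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPROC  8    /* processes sharing the file mapping            */
#define NPAGE  64   /* pages in the shared file                       */
#define NHOT   32   /* pages 0..NHOT-1 are touched every tick         */
#define BUDGET 32   /* scan steps the reclaimer may take per tick     */

struct vm {
    bool mapped[NPROC][NPAGE];  /* PTE present for (process, page)        */
    bool young[NPROC][NPAGE];   /* PTE accessed bit                        */
    bool resident[NPAGE];       /* page still occupies RAM                 */
    int  mapcount[NPAGE];       /* how many processes map the page         */
    int  freed;                 /* pages actually released so far          */
    int  cursor;                /* scan position: PTE slot or page number  */
};

static void vm_init(struct vm *v)
{
    memset(v, 0, sizeof *v);
    for (int p = 0; p < NPROC; p++)
        for (int i = 0; i < NPAGE; i++)
            v->mapped[p][i] = v->young[p][i] = true;
    for (int i = 0; i < NPAGE; i++) {
        v->resident[i] = true;
        v->mapcount[i] = NPROC;
    }
}

/* Workload phase: every process touches its hot pages, remapping any the
 * scanner unmapped (minor fault) or pulling back any it freed (major fault). */
static void touch_hot(struct vm *v)
{
    for (int p = 0; p < NPROC; p++)
        for (int i = 0; i < NHOT; i++) {
            if (!v->resident[i]) { v->resident[i] = true; v->mapcount[i] = 0; }
            if (!v->mapped[p][i]) { v->mapped[p][i] = true; v->mapcount[i]++; }
            v->young[p][i] = true;
        }
}

/* 2.4 style: walk each process's PTEs in turn. A page leaves RAM only when
 * the scan has reached its last mapper, NPROC visits after the first. */
static void scan_virtual(struct vm *v)
{
    for (int step = 0; step < BUDGET; step++) {
        int p = v->cursor / NPAGE, i = v->cursor % NPAGE;
        v->cursor = (v->cursor + 1) % (NPROC * NPAGE);
        if (!v->mapped[p][i])
            continue;
        if (v->young[p][i]) { v->young[p][i] = false; continue; }
        v->mapped[p][i] = false;
        if (--v->mapcount[i] == 0) { v->resident[i] = false; v->freed++; }
    }
}

/* rmap style: walk physical pages; the reverse map yields every PTE at once,
 * so a single visit clears all mappers and frees the page. */
static void scan_rmap(struct vm *v)
{
    for (int step = 0; step < BUDGET; step++) {
        int i = v->cursor;
        v->cursor = (v->cursor + 1) % NPAGE;
        if (!v->resident[i])
            continue;
        bool referenced = false;
        for (int p = 0; p < NPROC; p++)
            if (v->mapped[p][i] && v->young[p][i]) {
                v->young[p][i] = false;
                referenced = true;
            }
        if (referenced)
            continue;
        for (int p = 0; p < NPROC; p++)
            v->mapped[p][i] = false;
        v->mapcount[i] = 0;
        v->resident[i] = false;
        v->freed++;
    }
}

/* Ticks until every cold page has been reclaimed, or -1 if max_ticks pass. */
int ticks_to_reclaim_cold(void (*scan)(struct vm *), int max_ticks)
{
    struct vm v;
    vm_init(&v);
    for (int t = 1; t <= max_ticks; t++) {
        scan(&v);
        touch_hot(&v);
        if (v.freed >= NPAGE - NHOT)
            return t;
    }
    return -1;
}

int ticks_virtual(void) { return ticks_to_reclaim_cold(scan_virtual, 1000); }
int ticks_rmap(void)    { return ticks_to_reclaim_cold(scan_rmap, 1000); }

int main(void)
{
    printf("virtual scan: %d ticks, rmap scan: %d ticks\n",
           ticks_virtual(), ticks_rmap());
    return 0;
}
```

With these parameters the virtual scanner needs NPROC times as many ticks as the rmap scanner to release the same cold pages, because every cold page costs it one visit per mapping process; raising NPROC stretches that gap linearly, which is the shape of the failure the article describes for hundreds of processes.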

The second problem is a simple bug in the swapout code. When shared memory is unmapped and set up for swap, the actual I/O to write it out to the swap file is not started right away. By the time the system gets around to actually performing I/O, there is a huge pile of pages waiting to be shoved out, and an I/O storm results. Even then, the way the kernel tracks this memory means that it takes a long time to notice that it is free even after it has been written to swap. This problem is fixed by taking frequent breaks to actually shove dirty memory out to disk.

Andrea's final problem came about when he tried to copy a large file while all those database processes were running. It turns out that the system was swapping out the shared database memory (which was dirty and in use) rather than the data from the file just copied (which is clean). Tweaking the memory freeing code to make it prefer clean cache pages over dirty pages straightened this problem out, at the cost of a certain amount of unfairness.

With these patches, Andrea claims, the 2.4 kernel can run heavy loads on large systems which will immediately lock up a 2.6 system. So he is going to start looking toward 2.6, with an eye toward beefing it up for this sort of load. Andrew Morton has indicated that he might accept some of this work - but not yet:

We need to understand that right now, 2.6.x is 2.7-pre. Once 2.7 forks off we are more at liberty to merge nasty highmem hacks which will die when 2.6 is end-of-lined.

I plan to merge the 4g split immediately after 2.7 forks. I wouldn't be averse to objrmap for file-backed mappings either - I agree that the search problems which were demonstrated are unlikely to bite in real life.

The "4g split" is Ingo Molnar's 4GB user-space patch which makes more low memory available to the kernel, but at a performance cost. Before Andrew merges any other patches, however, he wants to see a convincing demonstration of why the current VM patches are not enough for large loads. The 2.6 "stable" kernel may well see some significant virtual memory work, but, with luck, it will not be subjected to a 2.4.10-like abrupt switch.

Comments (8 posted)

Patches and updates

Kernel trees

  • Andrew Morton: 2.6.3-mm4. (February 26, 2004)

Build system

Core kernel code

Device drivers

Documentation

Filesystems and block I/O

Memory management

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Gentoo Linux 2004.0

March 3, 2004

This article was contributed by Ladislav Bodnar

A new version of Gentoo Linux was announced earlier this week, the first new release since version 1.4 in August 2003. Although many people will argue that Gentoo releases are effectively just "reference points", since Gentoo installations are continuously updated, this release has enough innovative new features to warrant a closer look. Also, according to a recent Netcraft report, Gentoo is one of the fastest growing Linux distributions in terms of usage as web servers. Although its total market share is still comparatively low, Gentoo Linux is slowly finding its way into server usage statistics, proving that it is no longer just a hobbyist distribution for users with much time on their hands, but a serious product with a lot of potential. Besides the immediately apparent new versioning scheme, what else does Gentoo Linux 2004.0 bring to the table?

Updated software. Source-based distributions tend to keep highly up-to-date and Gentoo Linux 2004.0 is no exception. It comes with Linux kernel 2.6.3, GCC 3.3.2, glibc 2.3.2, KDE 3.2 and GNOME 2.4.2, just to mention the main components. Although this release claims to be fully compatible with the 2.6 kernel series, the two recommended kernels, according to the release notes, are 2.4.24 for uniprocessor machines and 2.6.1-smp for multiprocessor systems. Higher kernel versions are provided in the so-called "unstable" tree; the Gentoo developers were unable to overcome numerous problems with integrating a fully functional 2.6 kernel into the distribution before the release - hence the experimental nature of the 2.6 kernel provided for experts, rather than general use.

Support for five architectures. Gentoo 2004.0 now supports five architectures: x86, AMD64, PowerPC, Sun SPARC, and SGI MIPS. The aim of these individual sub-projects is to provide not only a distribution, but also architecture-specific kernels, stage tarballs, live CDs, specialist packages, and complete documentation.

Increased security. Hardened Gentoo is a Gentoo subproject with the goal of "making Gentoo viable for high security, high stability production server environments". This is an ambitious project with many of the well-known Linux security tools, including SELinux, Propolice, PaX/Grsecurity, Hardened GCC, Prelude and Bastille now incorporated into Gentoo. Secure Auditing for Linux (SAL) with encrypted and protected logs, as well as CryptoAPI support for a cryptographic file system are planned for future releases. Hardened Gentoo is available from mirrors as stage tarballs, marked as "pie-ssp" in their file names, for the x86 architecture.

Because a Gentoo installation is usually compiled from source, implementing some of the security features is easier than with binary distributions. As an example, using Hardened GCC is just a matter of installing the "hardened-gcc" package, which is then able to compile all source code into executables with stack smashing protection support. Similarly, those who prefer Propolice as their way to guard against stack overflows can simply add -fstack-protector as one of the CFLAGS in make.conf before compilation. Getting SELinux to work is somewhat more complex, but the excellent installation and quick start guides are well-written and in line with other Gentoo documentation. Installation and use of the Prelude Intrusion Detection System is also covered. Documentation is definitely one of the strong points of Gentoo.
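What -fstack-protector is guarding against, as an added example that is neither Gentoo's nor GCC's code: the unbounded copy into a fixed stack buffer that the protector's canary catches at function return, next to a bounded form that reports truncation instead of overrunning, plus a compile-time check of the __SSP__ family of macros that GCC defines when the flag is active, which is a quick way to confirm a CFLAGS change in make.conf actually reached a build. The function names are invented.

```c
/*
 * Added example, not Gentoo's or GCC's code: the bug class that
 * -fstack-protector (ProPolice) exists to catch, beside a form that does not
 * need catching, and a compile-time check that the flag is in effect.
 * Function names are invented for the illustration.
 */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* Before: copies whatever it is given into a fixed stack buffer. With the
 * protector enabled, GCC places a canary between this buffer and the saved
 * return address and aborts the process if the canary changed on return;
 * the copy itself is still wrong, the protector only stops it being silent. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, name);              /* no length check */
    printf("hello, %s\n", buf);
}

/* After: the copy is bounded by the buffer size; the return value reports
 * whether the input had to be truncated so the caller can refuse it. */
int copy_name_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 1;                   /* truncated */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int greet_safe(const char *name)
{
    char buf[NAME_MAX_LEN];
    int truncated = copy_name_bounded(buf, sizeof buf, name);
    printf("hello, %s\n", buf);
    return truncated;
}

/* Length of the string copy_name_bounded leaves in a NAME_MAX_LEN buffer. */
size_t bounded_len(const char *src)
{
    char buf[NAME_MAX_LEN];
    copy_name_bounded(buf, sizeof buf, src);
    return strlen(buf);
}

/* GCC defines __SSP__, __SSP_STRONG__ or __SSP_ALL__ for the corresponding
 * -fstack-protector variant; 0 means this unit was built without one. */
int stack_protector_level(void)
{
#if defined(__SSP_ALL__)
    return 3;
#elif defined(__SSP_STRONG__)
    return 2;
#elif defined(__SSP__)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("stack protector level: %d\n", stack_protector_level());
    greet_safe("gentoo");
    /* a 40-byte name would overrun greet_unsafe's buffer; greet_safe truncates */
    printf("truncated: %d\n",
           greet_safe("0123456789012345678901234567890123456789"));
    return 0;
}
```

Build it once with plain `gcc` and once with `gcc -fstack-protector` and compare the printed level; a hardened toolchain that enables the protector by default, as the hardened-gcc package described above does, reports a non-zero level without any flag on the command line.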

Catalyst. Although it has been in development for several months, catalyst makes its first official appearance in Gentoo 2004.0. What is catalyst? In simple terms, it is a tool that can be used to build all forms of a Gentoo Linux release: Live CDs, stage tarballs and GRP package sets (more on these momentarily). Its purpose is to provide a reliable tool for those users who wish to build a custom distribution or a live CD. To build one, the user will need the catalyst package, a portage tree snapshot and a "spec" file specifying a handful of variables, such as target, architecture, path to the portage tree and a few identifiers. A stage tarball or a Gentoo live CD can then be built with one simple command. As always, the catalyst project page and its reference manual cover all the details.

Live CDs, stages and GRP. Unlike the products created by most other distributions, Gentoo releases consist of a large number of files, which can be confusing at times. Here is a quick summary of what is available:

  • Gentoo Live CDs. There are three sets of live CDs, two of which (labeled "minimal" and "universal") are bootable, while the third one ("packages") is not. The "minimal" and "universal" ISO images can be used to install Gentoo, while the "packages" ISO contains binary packages of some of the more popular applications. It is provided as a convenience to those users who prefer to set up their Gentoo system quickly, without having to undergo the time-consuming compilation process.

  • Gentoo Stages. Stages represent a traditional way of installing Gentoo Linux. The installation program can be launched from an existing Linux installation, from a third-party live CD, such as Knoppix, or from another machine on a network. There are three "stage" tarballs, ranging from a very small (~10MB) "stage1" tarball which requires all software to be compiled by the user, to a large (~90MB) "stage3" tarball, which includes a pre-compiled base system and which can be installed in a relatively short time. The "stages" method of installation has been superseded by the more popular Gentoo Live CD method.

  • Gentoo Reference Platform (GRP). The Gentoo Reference Platform is a pre-compiled, binary release of Gentoo Linux. The release includes not only a base system, but also some of the large packages that would otherwise require long compilation time, such as KDE, GNOME, OpenOffice, Mozilla, etc. This is the fastest method to get Gentoo Linux up and running, at the expense of optimization and control. The packages can however be recompiled at a later stage.

The Gentoo project continues to impress with innovative ideas, their effective implementation, and superb documentation. Gentoo Linux 2004.0 improves on an already excellent product - a multi-platform, highly secure distribution, suitable for both the enthusiast and, increasingly, for the enterprise.

Comments (9 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for March 2, 2004 is out. This week read about an upcoming bug squish, the GIF patent, the Debian Project Leader Elections, and more.

Nominations are over and there are three candidates in the running for Debian Project Leader: Martin Michlmayr, Gergely Nagy, and Branden Robinson. Platform statements are available here.

DPL Martin Michlmayr has a conference summary of Open Source World Conference (OSWC) in Spain, FOSDEM in Belgium, and a conference in Italy organized by Firenze Tecnologia.

Comments (none posted)

Gentoo Linux

Gentoo Linux has announced the release of Gentoo Linux 2004.0 for the x86, AMD64, PowerPC, Sun SPARC, and SGI MIPS architectures. Additionally, the Gentoo Hardened team has announced the inaugural release of a security-enhanced Gentoo platform for the x86 architecture.

Here's the Gentoo Weekly Newsletter for the week of March 1, 2004. This week's lead topic is the release of Gentoo Linux 2004.0; several other topics are included.

An ebuild for webapp-config v1.0 has been committed into Portage and should be available on the mirrors now. webapp-config is the first tool to be delivered from GLEP 11.

Comments (none posted)

New LSB Certification for ThizLinux Laboratory

The Open Group has announced that ThizServer for IA64 7.0 conforms to the LSB Runtime Environment for IA64 version 1.3 product standard.

Full Story (comments: none)

A Global Survey of Linux Distributions (O'ReillyNet)

O'Reilly's LinuxDevCenter looks at some of the better known distributions worldwide. "You may be familiar with one or more distributions already, but do you know what's available worldwide? Here are a few of the more popular commercial Linux distributions in various languages of the world. Note that I said commercial -- distributions such as Debian and Gentoo are led primarily by a community, not a commercial organization, and really have no geographic center. They're fine distributions, though, and well-worth using."

Comments (11 posted)

DistroWatch Weekly

The DistroWatch Weekly for March 1, 2004 has news about SLAX, the Linux Mirror Project and more.

Comments (none posted)

Fedora Core

Updates for Fedora Core 1:

Comments (none posted)

Slackware Linux

This week the slackware-current changelog shows some bug fixes, upgrades to some /bin tools including a SlackBuild rewrite, an upgrade to esound 0.2.33 with a kernel recompile, and more.

Comments (none posted)

New Distributions

DNA Linux

DNA Linux is a live Linux distribution with bioinformatics software preloaded. It is for people who find it hard to install EMBOSS, Primer3, BLAST, and other bioinformatics software or who want to have a test system for class or demonstration purposes.

Comments (none posted)

Tunix

Tunix is a small Linux setup, a toolkit to build your own small Linux image and boot it from a floppy or flash card. It's based on uClibc and busybox, using a pretty straightforward approach based on the KISS principle (Keep it simple, stupid). Tunix joins the list at version 0.11, released February 28, 2004.

Comments (none posted)

Minor distribution updates

2-Disk Xwindow embedded Linux

2-Disk Xwindow embedded Linux has released source code v1.2.10 with major feature enhancements. "Changes: X has become smaller in memory footprint. Further kernel size optimization has been performed. Libraries have been refactored. Numerous other changes have been made. Certain words have pupated into documentation. Obfuscation has been reduced. The project has been cleaned up. Some profanity has been removed. The overall size has been reduced by 120 KB."

Comments (none posted)

Adamantix

Adamantix has released v1.0.3. "Changes: This release has improved RSBAC support, many more packages, security and bug fixes, updated packages and updated kernel patches, XFS support, and more."

Comments (none posted)

ADIOS

ADIOS has released v3.0 with major feature enhancements. "Changes: This release is based on the Fedora Core and Kernel 2.4.24."

Comments (none posted)

Arch Linux

Arch Linux has released v0.6 (widget). From the announcement: "We've made a lot of improvements over the last seven months, and hope you enjoy our efforts. We've seen a surge of activity in the Arch community, and it's resulted in more documentation, a huge increase in packages, and tons of useful information in our forums. Keep it up everyone, Arch Linux is slowly becoming the mature distribution we want it to be."

Comments (1 posted)

BG-Rescue Linux

BG-Rescue Linux has released v0.3.1 with minor feature enhancements. "Changes: Many new keyboard layouts were added, so 30 layouts are now available. Support was added for compressed loop images with transparent decompression. cmdftp was updated to 0.7.3, ntfsprogs was updated to 1.8.4, and reiserfsprogs was updated to 3.6.12. It is now possible to load F-Prot semi-automatically from the harddisk."

Comments (none posted)

Coyote Linux

Coyote Linux has released v2.10 Beta 2 with major bugfixes. "Changes: This release adds missing kernel options that prevented QoS from working properly, better support for DHCP to DNS integration, and new features to the firewall management in the Web admin."

Comments (none posted)

Damn Small Linux

Damn Small Linux has released v0.6.1 with minor feature enhancements. "Changes: The Monkey Web server and Naim have been upgraded. The Firebird download has been switched to a special i586 build of FireFox. A command line FTP client, betaftpd, Mutella (gnutella client), and wmix (Dockapp mixer) have been added. The telnet client has been restored. Some bugs have been fixed and a few usability enhancements added. Frugal install is an evolution of the poor man's install."

Comments (none posted)

Deep-Water/Linux

Deep-Water/Linux has released v0.3. "Changes: This version has a new kernel configuration and a new startup to make it easier to mount /system_usr. It also adds a new hackedbox with a new fast panel, a program that creates icons according to the mounted disk partitions, and a new deep view that understands the "working directory" arg."

Comments (none posted)

Feather Linux

Feather Linux has released v0.3.7 with minor feature enhancements. "Changes: This release adds betaftpd, gqcam, e3, lua, ettercap, wavemon, wmsetbg, and iptables (no firewall config script yet). Some changes have been made to sndconfig. The "nolisten tcp" option for the Xvesa and Xfbdev servers has been moved. The menu has been put into some semblance of order. localscript.sh has been added to /home/knoppix to execute custom commands on bootup via USB, floppy, or hard disk restore. A Flash script has been added. The Firefox script has been changed to work with 586 machines. APT has been tweaked a little. SWAT has been removed."

Comments (none posted)

Linux Embedded Appliance Firewall

LEAF has released Bering-uClibc 2.1. "Changes: This is the final release moving to kernel version 2.4.24. The kernel has been patched to fix CAN-2004-0077. PPP and shorewall have been upgraded to new upstream releases. There are some minor fixes and changes."

Comments (none posted)

MoviX

MoviX has released v0.8.1 with major feature enhancements. "Changes: Mouse support is now working, MoviX and MPlayer menus are available in 6 languages (de, en, it, pl, pt, and ru), config files can now be saved automatically in the boot device, and many small bugs have been fixed."

Comments (none posted)

Puppy Linux

Puppy Linux has released v0.8.3. The release notes can be found here.

Comments (none posted)

Quantian

Quantian release 0.4.9.4 is now available. The announcement contains information about some new mailing lists along with the release news.

Full Story (comments: none)

ThinTUX

ThinTUX has released v0.12 with major feature enhancements. "Changes: Support has been added for writing to CD-RW. Kernel 2.6.1 is used. Support for the Open Sound System has been replaced with support for the Advanced Linux Sound Architecture. Clients for 3270 and 5250 emulation have been added, as well as tools to format a floppy, format a CD-RW, and partition and format USB disc."

Comments (none posted)

UHU-Linux

UHU-Linux has released v1.1.

Comments (none posted)

Distribution reviews

Linux on the Opteron (OSNews)

OSNews looks at several Linux distributions on an Opteron box. "TurboLinux claims to have had Opteron support the longest, and it does seem polished, but it does have a few oddities to it (disk install problems, etc) but again, most of these have been fixed with the update CD. Gentoo is moving right along with porting, they now have window managers (for those interested) and they are using the 2.6 kernel on the live CDs. Fedora Core is still beta, but it has never given me any problems (it is the desktop OS of choice on my Opteron) and everything works. I did do some small, highly debatable benchmarking on these different distributions, but I strongly recommend that if you want to use the Opteron for any CPU intensive task, benchmarking of the application to be used should be performed."

Comments (none posted)

Swapping Red Hat for a Fedora (The Star)

The Star Online trades in Red Hat for a new Fedora (Core 1). "When asked about Fedora, I've always offered the same response -- it's meant for those who want to stay on the bleeding edge of Linux development. I feel that Fedora is more a change of concept and mindset for Red Hat users and developers rather than being merely a Linux distribution."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The GNU Compiler Collection Version 3.3.3

Version 3.3.3 of GCC, the GNU Compiler Collection, was recently released. "This release was actually completed on February 14, but technical issues with the transition to new security measures for protecting FSF servers required a delay in the announcement."

The Changes, New Features, and Fixes document details the new features in the larger GCC 3.3.X release. The changes for version 3.3.3 include a ton of bug fixes and some performance optimizations.

A few minor features have been added, including a new --with-sysroot flag, automatic detection of executable stacks, support for SSE3 instructions, and support for thread local storage debugging on the S390 architecture.

The project build status page lists the many operating systems and Linux distributions that this version of GCC has been tested on.

Congratulations to the many contributors for helping to move this huge project forward.

Comments (2 posted)

System Applications

Audio Projects

ALSA 1.0.3 released

Version 1.0.3 of the ALSA sound driver is available. The comments say: "added driver for ATI IXP 150/200/250 chips and HDSP MADI driver".

Comments (none posted)

Ogg Traffic

The February 25, 2004 edition of Ogg Traffic is out with the latest Ogg Vorbis audio compression software news. The search is on for a new Ogg Traffic editor.

Comments (none posted)

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include the addition of XMMS LADSPA, Caps LADSPA Plugins, and Open Music for Linux, and new versions of LADCCA, Fluidsynth, Vkeybd, and the TAP LADSPA Plugins.

Comments (none posted)

Clusters and Grids

MyGrid: version 0.1.4 (Jobs Visualizer) (SourceForge)

Version 0.1.4 of MyGrid, a cross-platform grid computing management system, is available. "Version 0.1.4 adds many structure enhancements to the project. Java 'foundry' of MyGrid now contains 3 projects: visualizer, engine and shell job processor. More to come!"

Comments (none posted)

Database Software

Getting Reacquainted with dbXML 2.0 (O'Reilly)

Tom Bradford writes about dbXML 2.0 on O'Reilly. "dbXML is a native XML database written in Java. Native XML databases (NXDs) are databases that store XML using an internalized format for faster overall processing, and representational flexibility. NXDs also provide support for indexing XML for improved query performance. The dbXML project has quite a bit of history behind it. Some have likened it to something of a soap opera. Though there has been quite a bit of flux in the project, at its core the focus has remained the same, which is to provide an easy to use native XML database implementation, with both good performance and stability."

Comments (none posted)

Configuring JBoss 4.0 JDBC Connectivity (O'ReillyNet)

Deepak Vohra shows how to use non-default databases with JBoss. "JBoss 4.0, developer edition, is an open source application server configured to use HypersonicDB by default. However, some Java 2 Platform Enterprise Edition (J2EE) developers would like to use databases other than HypersonicDB to develop and deploy applications. In this tutorial, we'll look at how to configure JBoss to use other databases."

Comments (none posted)

PostgreSQL 7.3.6 Now Available

Version 7.3.6 of the PostgreSQL database is available with several bug fixes. "After several fixes were backpatched to the 7_3_STABLE branch, we have now released a 7.3.6."

Full Story (comments: none)

PostgreSQL Weekly News

The March 1, 2004 edition of the PostgreSQL Weekly News is out. Take a look for PostgreSQL database development news.

Full Story (comments: none)

phpMyAdmin 2.5.6 is released (SourceForge)

Version 2.5.6 of phpMyAdmin, a web-based database administration tool, has been released. "Welcome to this new version, aimed at stabilization of the 2.5 branch."

Comments (none posted)

Filesystem Utilities

ntfsprogs 1.8.5 released (SourceForge)

Version 1.8.5 of ntfsprogs, a set of NT filesystem utilities, is available. "This is basically a spring cleaning of the build process with lots of cleanups and a few bug fixes thrown in for good measure. Upgrade is not essential."

Comments (none posted)

Mail Software

Cooking with sendmail (O'Reilly)

Craig Hunt works with sendmail and LDAP in an O'Reilly book excerpt. "Sendmail Cookbook offers hundreds of step-by-step solutions to configuration problems just like the one in today's excerpt, on routing mail with LDAP. If you're an administrator, you know you can't spend hours tracking down the answer to every problem; the solutions and configuration code included with each recipe in the book can be implemented immediately."

Comments (none posted)

Networking Tools

JavaGroups version 2.2.1 released (SourceForge)

JavaGroups version 2.2.1 is available. "JavaGroups provides reliable group communication based on IP multicast and configurable protocol stack. This release includes a number of bug fixes and enhancements."

Comments (none posted)

Twisted 1.2.0 released

Version 1.2.0 of the Twisted networking framework is out with lots of new capabilities.

Full Story (comments: none)

Printing

LPRng 3.8.26 released

Version 3.8.26 of the LPRng print system is available. Change information is in the source code.

Comments (none posted)

Security

Nmap Security Scanner 3.50 Released

Version 3.50 of the Nmap Security Scanner is out. "Nmap has undergone many substantial changes since 3.00 and we recommend that all current users upgrade. Improvements from 41 intermediate releases have gone into 3.50."

Full Story (comments: none)

Telecom

reSIProcate 0.4 available (SourceForge)

Version 0.4 of reSIProcate, an RFC 3261 compliant SIP stack that is used for Voice over IP applications, is out. "A new tarball containing many major improvements is now available. General stability, performance and many bugs have all been fixed or improved."

Comments (none posted)

Web Site Development

MediaWiki 1.2.0rc1 released (SourceForge)

Version 1.2.0rc1 of MediaWiki is out. "This release includes improved inline image and thumbnailing support, smoother account management, and a number of interface tweaks as well as numerous bug fixes and backend features (squid cache purging, authenticated SMTP, tighter upload security, better PHP compatibility). Also fixes an incompatibility with MySQL 3.2.x in the default install that cropped up in 1.1."

Comments (none posted)

Mod_python's PSP: Python Server Pages (O'ReillyNet)

Gregory Trubetskoy explains Python Server Pages on O'Reilly. "For simple web sites, inlining code in the pages themselves is shockingly effective. For more complex sites, it can even work with good MVC design. Fear not, Pythonistas, mod_python's PSP brings the power and clarity of Python to web programming."

Comments (none posted)

PyGoogle 0.6 released

Version 0.6 of PyGoogle, a Python wrapper for Google's web API, is out. "This release adds support for the current SOAPpy module from the Python Web Services project. It also contains significant internal refactorings and API documentation updates."

Full Story (comments: none)

Desktop Applications

Audio Applications

Audacity 1.2.0 released

Stable version 1.2.0 of the Audacity sound editor is available. "This release features major improvements over version 1.0, including new effects, improved audio quality, and an updated user interface." See the release notes for the full change description.

Comments (none posted)

Boss Ogg 0.13.4 released (SourceForge)

Version 0.13.4 of Boss Ogg, a server-based music player for ogg, mp3, and flac files, has been released. "The 0.13.4 release features a new import script, preliminary genre support and tons of stability and bug fixes."

Comments (none posted)

Tkeca-4.0.2 released!

Version 4.0.2 of Tkeca, a GUI front-end to the Ecasound audio utility, has been announced. This version features a bug fix for the mixdown properties window.

Comments (none posted)

Desktop Environments

GNOME CPUFreq Applet 0.1.1 released (GnomeDesktop)

Version 0.1.1 of the GNOME CPUFreq Applet is available. "GNOME CPUFreq Applet is a CPU Frequency Scaling Monitor for GNOME Panel. This specific release adds support for userspace governor."

Comments (none posted)

KDE-CVS-Digest

The February 28, 2004 edition of the KDE-CVS-Digest has been published. The topic summary says: "Kolourpaint adds transparent selections. Some preliminary work on a new control center. KMail adds IMAP folder expiry. KDevelop adds Opie code templates. Plus bugfixes in Quanta and Kopete."

Comments (none posted)

KDE Traffic (KDE.News)

KDE.News summarizes the contents of KDE Traffic #75. "KDE Traffic #75 is out with news regarding KDE's future, KDE Edu, HTML message composition for KMail and more. In case you missed the previous edition, which wasn't announced on the dot due to personal problems, follow the link to KDE Traffic #74."

Comments (none posted)

Connect KDE applications using DCOP

Martyn Honeyford illustrates the use of KDE's Desktop COmmunication Protocol (DCOP) on IBM's developerWorks. "Hidden deep within the KDE desktop lies a powerful set of scripting technologies that can allow the power user to automate many tasks. In this article, Martyn Honeyford introduces us to these technologies and explains how they can be used to the fullest."

Comments (1 posted)

XFree86 Release 4.4.0

Version 4.4.0 of XFree86 has been announced. Changes include updated video and input drivers, IPv6 support, X Server updates, client and library updates, I18N and font updates, and more. See the release notes for more information.

Comments (11 posted)

Electronics

XCircuit 3.2.12 released

Version 3.2.12 of XCircuit, an electronic schematic drawing package, is out. Change information is in the source code.

Comments (none posted)

Games

Pydance 1.0 released

The PyGame site mentions the release of version 1.0 of Pydance, an arcade-style dancing game.

Comments (none posted)

WorldForge Weekly News

The WorldForge Weekly News for February 27, 2004 is out with the latest WorldForge game project news. Also from WorldForge, version 0.1.1 of Sage, an OpenGL extensions library, is out.

Comments (none posted)

Imaging Applications

KolourPaint 1.0 'Seagull' Released (KDE.News)

Version 1.0 of KolourPaint has been announced. "KolourPaint is an easy-to-use paint program for KDE that makes user-friendly painting and image editing a reality for the desktop user. If you're sick of those broken KDE paint programs that can't undo or handle images the size of a screenshot, then KolourPaint is for you."

Comments (none posted)

Interoperability

Wine Traffic

Issue #212 of Wine Traffic is available with the latest Wine project news.

Comments (none posted)

Music Applications

amSynth 1.0.0 released

Version 1.0.0 of amSynth, the Analogue Modeling SYNTHesizer, has been released. Changes include build fixes for alsa version 1 and efficiency improvements.

Full Story (comments: none)

PDA Software

Mozilla Firefox on Sharp Zaurus PDA (MozillaZine)

MozillaZine reports on a port of the Mozilla Firefox browser to the Sharp Zaurus PDA. Laze writes: "The pdaXrom team, found at www.pdaXrom.org, has been successful in making Mozilla Firefox run on the Sharp Zaurus series PDA (at the moment only the C7X0 series), which means that users now can use this wonderful browser for 'pocket browsing'."

Comments (none posted)

Video Applications

dvd-slideshow 0.5.4 released (SourceForge)

Version 0.5.4 of dvd-slideshow is available. "dvd-slideshow makes a DVD slideshow video with menus from a text file listing of pictures, effects, and audio tracks. You can add some nice effects like fades, crops, scrolls, or Ken Burns effects. The updates are slowing down now since the program does mostly what I want it to do. This update adds some features in the audio system: two audio tracks are possible now, and it is possible to re-define the background image anywhere in the slideshow."

Comments (none posted)

Web Browsers

mozilla.org Status Update #224 (MozillaZine)

The March 1, 2004 mozilla.org Status Update is available. The MozillaZine summary says: "It includes news on Mozilla 1.7 Alpha, Minimo 0.1, the string code, layout, large downloads, support for Sun keyboards and more."

Comments (none posted)

Independent Status Reports (MozillaZine)

The Mozilla Independent Status Reports for February 29, 2004 have been published. "The latest set of status reports includes updates from Feed Parser, JRex, Mycroft, HONcode, Forumzilla, IE View, Compact Menu, QuickNote, MozManual, MessageID-Finder and Launchy."

Comments (none posted)

Mozilla Links Newsletter

The Mozilla Links Newsletter for March 2, 2004 has been published. Take a look for articles on the Mozilla browser and related topics.

Full Story (comments: none)

Miscellaneous

Bidwatcher 1.3.13 released

Version 1.3.13 of Bidwatcher is available. "Bidwatcher is a free auction tool for eBay users, available for Linux and (soon?) Microsoft Windows." See the project news page for recent change information.

Comments (1 posted)

GnomeMeeting 1.00 released (GnomeDesktop)

GnomeMeeting version 1.00, a videoconferencing and VOIP/IP-Telephony application, has been announced. "Major new features include a redesigned configuration assistant, a redesigned preferences window, new status support, audio and video devices plugins with native ALSA support, a new manual, ..."

Comments (none posted)

gkrellsun 0.10.5 released (SourceForge)

Version 0.10.5 of gkrellsun, a sun and moon monitor, is available. "This release combines gkrellsun and gkrellmoon. The user can click on the Sun/Moon image to toggle between them."

Comments (none posted)

OSAF Announces the Release of Chandler 0.3

Version 0.3 of the Chandler personal information manager (PIM) is out. "We are pleased to announce Chandler 0.3! Our architecture is finally stable enough to start developing end-user features. Release 0.3 targets developers who want an early preview into our architecture as we are developing it."

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The March 2, 2004 edition of the Caml Weekly News is out with links and news about the Caml language.

Full Story (comments: none)

Java

Aspect-oriented changes with Javassist (IBM developerWorks)

IBM's developerWorks has published part six in a series on the Javassist framework. "Java consultant Dennis Sosnoski saves the best for last in his three-part coverage of the Javassist framework. This time he shows how the Javassist search-and-replace support makes editing Java bytecode practically as easy as a text editor's Replace All command. Want to report all writes to a particular field or patch in a change to a parameter passed in a method call? Javassist makes it easy, and Dennis shows you how."

Comments (none posted)

JPOX 1.0.0 Beta 2 released (SourceForge)

The Beta 2 release of JPOX 1.0.0 has been announced. "JPOX is a fully compliant implementation of the Java Data Objects (JDO) API. The Java Data Objects (JDO) API is a standard interface-based Java model abstraction of persistence. JPOX is free and released under an Open Source license, and so the source code is available for download along with the JDO implementation. In the Beta 2 release we reach an important milestone, the JDO compliance verified by the JDO TCK tests."

Comments (none posted)

Taming Tiger: Loading Properties from XML (IBM developerWorks)

John Zukowski works with Java and XML configuration files on IBM's developerWorks. "The Properties class is an old favorite, around since the beginning of Java programming time with very few changes. The Tiger release of J2SE enhances this class, which allows you not only to use it to specify key-value pairs on a single line separated by an equal sign, but also to use XML files to load and save those key-value pairs. In this installment of Taming Tiger, John Zukowski demonstrates how to use this updated work horse."

Comments (none posted)

JSP

Cooking with Java Servlets & JSP (O'Reilly)

O'Reilly has published an excerpt from The Java Servlet & JSP Cookbook by Bruce W. Perry. "In these samples, learn how to use the Java Plug-in HTML Converter tool to generate the tags for embedding an applet, how to configure a javax.sql.DataSource for use in a servlet with the Tomcat web container, and how to use the JSTL's XML and XSLT-related tags."

Comments (none posted)

Lisp

Lisp Resource Kit

A new bootable Lisp Resource Kit CD is available. "The Lisp Resource Kit is "a dedicated development/learning environment on a self-booting CD. It is designed to be an easy to use single resource for those who are interested in exploring Common Lisp, regardless of their experience or domain of expertise". The self booting CD, which is based on Knoppix Linux, includes Common Lisp books, documentation and development environments."

Full Story (comments: none)

Vanilla Lisp Shell: first public release

Version 1.2 of VLS, the Vanilla Lisp Shell, has been announced. "VLS is "an Emacs facility that allows many different kinds of commands for running Lisp Shells (also referred to as an inferior Lisp process)". It provides commands for starting Common Lisp and Scheme sessions and interacting with them via expression evaluation, information, package, debugging and other commands."

Full Story (comments: none)

Dynamically changing running Lisp code

Paolo Amoroso sends along some links to a set of articles called Dynamically changing running Lisp code, by Bill Clementson.

Full Story (comments: none)

ML

MLton 20040227 released

Version 20040227 of MLton, a Standard ML compiler, is out. See the change log for details. Thanks to Stephen Weeks.

Comments (1 posted)

Perl

Perl 5.005_04 Released (use Perl)

Perl 5.005 release 4 is out. "This release updates Perl 5.005 to enable building with current compiler/operating system configurations."

Comments (none posted)

Parrot 0.1.0 Released (use Perl)

Version 0.1.0 of Parrot, a virtual machine for Perl 6 (and more) has been announced. "The Parrot team proudly presents the Parrot 0.1.0 leap release. It provides some milestones like objects and multi-threading and supports many more platforms."

Comments (none posted)

Exegesis 7 (O'Reilly)

Damian Conway has written the Perl Exegesis 7, which delves into formats in Perl 6. "Unlike Perl 5, Perl 6 doesn't have a format keyword. Or the associated built-in formatting mechanism. Instead it has a Form.pm module. And a form function."

Comments (none posted)

This Week on perl5-porters (use Perl)

The February 29, 2004 edition of This Week on perl5-porters has been published. "This week's summary, a bit late, will tell about the approaching development release, the new bugs discovered and fixed, and the side-effects of the new warnings."

Comments (none posted)

This week on Perl 6 (O'Reilly)

The February 22, 2004 edition of This week on Perl 6 is out with the latest Perl 6 developments.

Comments (none posted)

PHP

PHP Weekly Summary for March 2, 2004

The PHP Weekly Summary for March 2, 2004 is out. Topics include: Migration Appendix, Method signature check on inheritance, SimpleXML and elements and attributes as strings, Fixing get_browser().

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The March 3, 2004 edition of Dr. Dobb's Python-URL! is out with another roundup of Python language articles.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The March 1, 2004 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk article links.

Full Story (comments: none)

TclXML, TclDOM and TclXSLT v3.0b2 released (SourceForge)

Version 3.0b2 of TclXML, TclDOM and TclXSLT is available. "The TclXML family of packages provide XML support for the Tcl scripting language. There are several subprojects: TclXML (the parser), TclDOM, TclXSLT and xmlgen."

Comments (none posted)

XML

A survey of XML standards: Part 4 (IBM developerWorks)

Uche Ogbuji has assembled a cross-reference of XML standards. "The world of XML is vast and growing, with a huge variety of standards and technologies that interact in complex ways. It can be difficult for beginners to navigate the most important aspects of XML, and for users to keep track of new entries and changes in the space. XML is a basic syntax upon which you develop local and global vocabularies. Uche Ogbuji has presented the most important standards relating to XML in three in-depth articles. In this fourth article, he provides a detailed cross-reference of all the covered standards."

Comments (none posted)

Community Developments (O'Reilly)

Kendall Grant Clark writes about two XML projects, RDDL 2.0 and genx. "RDDL provides a kind of XML document suitable to put at the end of an XML namespace URI, a document which describes, by means of typed links, a bundle -- schemas, transformations, even bits and bobs of code -- of related resources in both human and machine readable ways."

"The second, interesting bit of work on XML-DEV in the past few months is the C library, genx, for generating XML."

Comments (none posted)

Cross Compilers

GDC Pre-Release 2.91

Pre-Release 2.91 of GDC, the GNU Development Chain for 68HC11 & 68HC12, is available. "Pre-Release 2.91 of the GNU Development Chain for 68HC11/68HC12 is available. It is based on Binutils 2.14, Gcc 3.3.3, Gdb 6.0 and Newlib 1.11.0."

Comments (none posted)

Small Device C Compiler 2.4.0 released (SourceForge)

Version 2.4.0 of the Small Device C Compiler is available. "A new release of SDCC, the portable optimising compiler for 8051, DS390, and Z80 microprocessors is now available. Included is preliminary support for the HC08, Pic 14, and Pic 16 series."

Comments (none posted)

Editors

Jext developer quits

Romain GUY, the lead developer of the Jext programmer's editor has called it quits. "I've created Jext exactly five years ago and had very good time maintaining it. But it is time for me to quit. I'd like to warmly thank all the people who helped me all along (and particularly Paolo Giarusso, who did an incredible job those last months, and Slava Pestov, who'll know why) as well as every single person who took the time to download Jext. But let's be honest, I'm not any more motivated by this project."

Comments (none posted)

Version Control

Arch 1.2 (stable) released

Stable version 1.2 of Arch, a version control system, is available. See the release notes for details.

Comments (1 posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

How I Lost the Big One (Legal Affairs)

Legal Affairs is running a lengthy retrospective by Lawrence Lessig on the Eldred case. "This case could have been won. It should have been won. And no matter how hard I try to retell this story to myself, I can't help believing that my own mistake lost it."

Comments (7 posted)

The Luxury of Ignorance: An Open-Source Horror Story (catb.org)

Eric S. Raymond writes about his frustration in configuring a popular open source software package. "I've just gone through the experience of trying to configure CUPS, the Common Unix Printing System. It has proved a textbook lesson in why nontechnical people run screaming from Unix. This is all the more frustrating because the developers of CUPS have obviously tried hard to produce an accessible system -- but the best intentions and effort have led to a system which despite its superficial pseudo-friendliness is so undiscoverable that it might as well have been written in ancient Sanskrit."

Comments (118 posted)

IBM urges Sun to make Java open source (News.com)

News.com reports that IBM has sent an open letter to Sun Microsystems urging the company to make Java technology open source. "IBM is proposing that Sun, IBM and others choose which portions of the Java technology -- such as the Java Runtime environment, code libraries or even server software -- should be submitted to open source. Optimally, an official open-source version of Java would emerge to replace a "hodgepodge" of open-source Java technologies and efforts, Mr. Sutor said."

Comments (22 posted)

Trade Shows and Conferences

Eben Moglen's Harvard Speech - Transcript (Groklaw)

Groklaw has posted a transcript of FSF attorney Eben Moglen's talk at Harvard. "The GPL has succeeded for the last decade, while I have been tending it, because it worked, not because it failed or was in doubt. Mr. McBride and his colleagues now face that very same difficulty, and the fellow on the other side is IBM. A big, rich, powerful company that has no intention of letting go."

Comments (9 posted)

The SCO Problem

USENIX Letter to Congress Refuting SCO's Letter (Groklaw)

Groklaw has gotten permission to reproduce a letter written by the Board of Directors of USENIX and sent to Congress, in reply to SCO's open letter to Congress. "SCO specifically argues that open source (free) licensing "undermines our basic system of intellectual property rights." This assertion lacks any legal justification and therefore appears to be merely self-serving. Nothing in our intellectual property laws requires inventors to charge substantial fees for access or use of their inventions. In fact, the laws of copyright and patents, which underlie the intellectual property rights that most often protect computer software programs, give their owners complete discretion in deciding how large their licensing fees should be, or, indeed, whether to impose fees at all."

Comments (6 posted)

The FUD Is Mighty Thick Today (Groklaw)

Groklaw responds to this LinuxInsider article. "LinuxInsider, whoever they are, goes along with the charade, which is a very big giveaway that while they may be insiders, they aren't likely *Linux* insiders. I had never heard of them. SCO's is a campaign of defamation in the press, not in the courts, despite Stowell's sanctimonious hypocrisy. If SCO would stop their defamatory PR, they might have a moral leg to stand on. This interview is a verbal attack on the Linux community. If you attack someone's mom, it doesn't matter that you used a polite tone of voice."

Comments (13 posted)

SCO files suit in Linux-using court (ZDNet)

A ZDNet UK reporter did some research on Netcraft with amusing results. "The Nevada court where SCO Group has filed a lawsuit against US retailer AutoZone could itself theoretically be subject to legal proceedings because the court is using Linux to run its Web site."

Comments (5 posted)

Judge Wells' Order - SCO Doesn't Get All AIX Files, IBM Doesn't Have to Go First (Groklaw)

Here is Groklaw's take on the order in the SCO/IBM case. "What it all means in practical terms is that the court didn't buy SCO's argument that it needed all of AIX and Dynix and it specifically rejected its request that IBM *first* provide AIX and Dynix, so that after that SCO could find what it needed."

Comments (2 posted)

Linux Adoption

Editor of 'The Inquirer' Mike Magee Switches to Mozilla (MozillaZine)

MozillaZine notices that the editor of The Inquirer has switched to Mozilla. "Magee, who also founded The Register, says that Mozilla 1.6 'is fast and has far better features than Internet Explorer, and far less drawbacks too.'" We'd like to see him switch the underlying OS platform as well.

Comments (none posted)

Legal

Court: DeCSS ban violated free speech (News.com)

News.com reports that a California appeals court has reversed an order barring the publication of DeCSS. "The plaintiff, the DVD Copy Control Association, had argued that Andrew Bunner violated its intellectual property rights by posting on the Internet code known as DeCSS that can be used to bypass Hollywood's encryption scheme for DVDs. Bunner's attorneys had countered that the code was no longer a secret by the time he posted it on his Web site. On Friday, California's Sixth Circuit Court of Appeals agreed, reversing a trial judge's order first issued in 1999."

Comments (1 posted)

Interviews

The People Behind KDE: Aaron Seigo (KDE.News)

KDE.News mentions the availability of an interview with Aaron Seigo. "At The People Behind KDE this week an interview with the man who represents what working and contributing to a project like KDE stands for. He is outspoken, always helpful, has a broad view of things that KDE needs and its future, he is passionate about politics and social issues. He is from Cowtown, in The Great White North: Canada's own Aaron Seigo!"

Comments (none posted)

Resources

Linux wireless networking (developerWorks)

developerWorks is running a low-level look at Linux wireless networking support. "You'll first see how WLAN devices work on Linux by tracing the code flow for an example WLAN card. Then you'll see how several Bluetooth devices interface with the Linux Bluetooth stack and other kernel layers. Next, you'll learn how to get GPRS and GSM devices to work with Linux. The article ends with the examination of Linux IrDa support and a brief look at performance issues faced by wireless networking devices."

Comments (5 posted)

Reviews

At the Sounding Edge: OpenMusic and SuperCollider3 (Linux Journal)

The Linux Journal reviews a couple of new Linux sound utilities ported over from MacOS. "OM is similar to its IRCAM synthesis sibling jMax in its use of icons to represent its various classes and libraries. These icons are placed on the canvas and wired together to create a patch. An OM patch may be a note generator, a MIDI event processor or even a simple playback device. OM's icons include classes and functions for arithmetic, list manipulation, random number generation, various MIDI actions, program control and many others."

Comments (1 posted)

February Mini Book Reviews (Linux Journal)

Linux Journal has some mini book reviews of Learning Perl Objects, Text Processing in Python, Core PHP Programming, 3rd Edition, and MySQL, 2nd Edition. "Part desktop reference and part programming guide, Core PHP Programming is a great book for both the beginning PHP programmer and those with more experience. It has been updated to include PHP 5, as well as new material covering XML, object techniques and design patterns."

Comments (none posted)

Miscellaneous

Toward a new kind of 'Linux distribution' (NewsForge)

NewsForge has an article by Ian Murdock on how Linux distributions are built. "For the commercial Linux-as-product distributors, it is a sensible strategy to portray their distributions as monolithic wholes, as this allows them to position the distributions as platforms unto themselves and, thus, pursue traditional OS business models based on locking users in to a platform (I've argued before this will be a losing strategy in the long run, but that's another topic)."

Comments (6 posted)

The luxury of ignorance: A follow-up (NewsForge)

Eric S. Raymond has gotten some fallout on his CUPS rant. "This rant made it onto all the major open-source news channels, so I was expecting a fair amount of feedback (and maybe pushback). But the volume of community reaction that thundered into my mailbox far surpassed what I had been expecting -- and the dominant theme, too, was a bit of a surprise. Not the hundreds of iterations of "Tell it, brother!", nor the handful of people who excoriated me as an arrogant twerp; those are both normal features of the response when I fire a broadside. No, the really interesting part was how many of the letters said, in effect, "Gee. And all this time I thought it was just me...""

Comments (31 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EU IP enforcement directive advances

The European Parliament's Legal Affairs committee has voted in favor of the draft "intellectual property enforcement" directive. This directive, which we looked at last August, would add a number of DMCA-like provisions to European law. The full Parliament will take up the directive starting on March 8. Now is the time for Europeans to make themselves heard on this issue; the software patent fight has shown that activism can make a difference. Click below for details from FFII.

Full Story (comments: 3)

AGNULA Libre Music Project launched

The AGNULA team has launched the Libre Music project, a.k.a. the muzik project. "One of the objectives of the AGNULA-IST project is to help spread sensibility on the topics of Libre Software, with specific attention paid to audio/video applications and content distribution."

Full Story (comments: none)

AIST and Free Standards Group Release Multilingual C Library

The National Institute of Advanced Industrial Science and Technology (AIST) of Japan and the Free Standards Group have announced the release of a new library for the multilingualization of software written in the C programming language. The library, known as m17n, has been released under the GNU Lesser General Public License (LGPL).

Comments (5 posted)

Austin Group Minutes of the Feb 26 2004 Teleconference

The minutes are available from the Austin Group's Teleconference of February 26, 2004.

Full Story (comments: none)

Another Netfilter GPL enforcement

The Netfilter/iptables project has announced another successful GPL compliance action - this one is against Fujitsu-Siemens. The company will release source for its AP-600RP wireless router and make donations to Linux-Kongress and the Free Software Foundation Europe.

Netfilter/iptables leader Harald Welte has sent us an article giving some details about how the project is going about enforcing its license and why it is taking a rather different approach than the FSF has. Click below (no subscription required) for the details.

Full Story (comments: 11)

Announcing the KDE Quality Team (KDE.News)

KDE.News has an announcement for the new KDE Quality Team Project. "The KDE Community is pleased to announce the launch of the Quality Team Project, a community of contributors who will serve as a gateway between developers and users in the KDE Project, and as a new way for people to begin contributing."

You can read more about the project on NewsForge.

Comments (none posted)

www.python.org needs YOU!

The folks at www.python.org have sent out a request for volunteer help. "The team that administers www.python.org is looking for additional maintainers, both to keep the text updated and to create automated solutions that require less human interaction."

Comments (none posted)

Commercial announcements

Introduction to Databases with MySQL

MySQL AB will be conducting three instances of a course entitled Introduction to Databases with MySQL. The course will be held in Washington DC, Stockholm, and San Francisco in April, May, and June. "This course covers the fundamentals of SQL and relational databases, using MySQL as a teaching tool."

Comments (1 posted)

SCO sells a license

The SCO Group has announced that it has found a taker for its "Linux license." The company is EV1Servers.Net, a Houston-based hosting provider. No terms have been disclosed, of course. For what it's worth, EV1Servers.Net was featured in a Microsoft case study last September claiming that Windows servers can be deployed faster than the Linux-based variety.

Comments (20 posted)

XNotesPlus Version 3.6 is available

Version 3.6.0 of XNotesPlus, a Personal Information Manager for the Linux and Unix desktop with PalmOS connectivity, is available.

Full Story (comments: none)

New Books

Syngress Releases "Ethereal Packet Sniffing"

Syngress Publishing, Inc. has published the book Ethereal Packet Sniffing by Angela D. Orebaugh and Gilbert Ramirez.

Full Story (comments: none)

Resources

LDP Weekly News

Here's the weekly report from the Linux Documentation Project, where you'll find out what's happening in the world of Linux documentation.

Full Story (comments: none)

LinuxFocus March/April 2004 issue

The LinuxFocus issue for March 2004 is out; with a look at the XFree86 license and several other articles.

Comments (none posted)

PEAR HTML_QuickForm Getting Started Guide

Keith Edmunds has published the PEAR HTML_QuickForm Getting Started Guide, which is available online.

Full Story (comments: none)

Threads for LSB 2.0

The LSB-VSTHlite1.0 Beta Release is available. "This release is targeted for use with LSB version 2.x testing and certification. There are a number of bug fixes and configuration changes over previous releases. The test suite takes 30 minutes to configure, install and run."

Full Story (comments: none)

Surveys

Nine Out Of Ten Linux Developers Refute SCO's Linux Lawsuit (Evans Data Corp.)

Evans Data Corporation has released the results of a survey of Linux users concerning the SCO lawsuit. "More than 90% of Linux developers don’t believe the SCO/Linux lawsuit has any merit, according to the Spring 2004 Linux Development Survey from Evans Data Corporation. Three percent "absolutely" believe the lawsuit has merit, a further 5% think it "probably" has merit but more than half answered "absolutely not"." The survey also looks into the expanding use of the Eclipse development platform and Java on Linux.

Comments (1 posted)

Event Reports

Slides from Brendan Eich's Mozilla Futures Talk (MozillaZine)

The slides from Brendan Eich's Mozilla Developer Day talk on Mozilla Futures are available. "In the presentation, the Mozilla Foundation's Chief Architect outlined Mozilla's strengths and weaknesses and described a future strategy plan. Proposals include accelerating work on integrating SVG, implementing support for more scripting and programming languages (such as JavaScript 2, Python and Perl 5), creating a XUL builder plug-in for the Eclipse platform, improving native widget and desktop integration and setting up a new developer.mozilla.org site with programmer documentation."

Comments (none posted)

O'Reilly Emerging Technology Conference Wrap-up

O'Reilly has sent out some wrap-up coverage of their 2004 Emerging Technology Conference.

Full Story (comments: none)

Upcoming Events

Rally against EU IP Directive

The European Union "Intellectual Property Rights Directive" is coming up for a vote soon. A rally has been set for March 8 in Strasbourg to protest this directive and to call attention to the threat it presents. Click below for the details and a discussion of why this directive should be defeated.

Full Story (comments: none)

PIM Team at Chemnitzer Linux-Tag 2004 (KDE.News)

KDE.News previews the KDE PIM team's involvement at Chemnitzer Linux-Tag 2004 in Germany. "The PIM meeting will be used to discuss integration of groupware servers into the KDE PIM Framework and working on other features listed on the feature plan, which will eventually trigger the release cycle for the pending KDE PIM 3.3 release."

Comments (none posted)

European Firebird-Conference 2004

The 2004 European Firebird Conference will be held in Fulda, Germany on May 16-18, 2004.

Comments (none posted)

Open Source Business Conference speakers announced

The Open Source Business Conference (San Francisco, March 16 and 17) has sent out a press release listing the people who will be speaking at the event. The list includes executives from HP, IBM, Intel, Novell, VERITAS, and others, but the more interesting list is found in the fine print at the bottom: Clayton Christensen, Larry Lessig, Tim O'Reilly, and Eben Moglen.

Comments (none posted)

Ottawa Linux Symposium paper submissions open

The 2004 Ottawa Linux Symposium paper submission site is now open. The window for submissions is short - the deadline is March 15 - so if you would like to speak at OLS this year, now is the time to get a proposal together. See the call for papers for more information.

Comments (1 posted)

International PHP Conference 2004 Spring Edition

The Spring 2004 International PHP Conference will be held in Amsterdam, the Netherlands on May 3-5, 2004.

Comments (none posted)

YAPC::Europe::2004 Call for Papers! (use Perl)

A call for papers has gone out for YAPC::Europe. "They're looking for mostly 20 minute talks, and suggesting that those who want to speak for longer should split their talk into two parts. There will still be room for lightning talks, but they're going to ask for those later."

Comments (none posted)

Perl training courses in Brisbane and Sydney

Two Perl training courses will be held in Brisbane and Sydney, Australia in April, 2004.

Full Story (comments: none)

Events: March 4 - April 29, 2004

Date                     | Event                                                                      | Location
March 4 - 5, 2004        | PHP|Cruise                                                                 | The Caribbean
March 4 - 5, 2004        | Linux Automation Konferenz                                                 | Hannover, Germany
March 5, 2004            | Perl Workshop 2004                                                         | Amsterdam, the Netherlands
March 6 - 7, 2004        | Linux-Day Chemnitz                                                         | Chemnitz, Germany
March 15 - 17, 2004      | Open Source in Government Conference (George Washington University)        | Washington, DC
March 16 - 17, 2004      | Open Source Business Conference 2004 (The Westin St. Francis)              | San Francisco, CA
March 18 - 24, 2004      | CeBIT (Hannover Exhibition Center)                                         | Hannover, Germany
March 21 - 26, 2004      | Novell BrainShare 2004                                                     | Salt Lake City, Utah
March 24 - 26, 2004      | PyCon DC 2004                                                              | Washington, D.C.
March 25 - 26, 2004      | Open Source Forum 2004 (The Sydney Marriott Hotel)                         | Sydney, Australia
March 27 - 28, 2004      | Nordic Perl Workshop 2004 (Symbion Science Park)                           | Copenhagen, Denmark
March 27 - 28, 2004      | YAPC::Taipei::2004                                                         | Taipei, Taiwan
April 5 - 7, 2004        | Samba eXPerience 2004 (Hotel Freizeit In)                                  | Göttingen, Germany
April 13 - 15, 2004      | Real World Linux 2004 Conference & Expo (Metro Toronto Convention Centre)  | Toronto, Ontario, Canada
April 14 - 16, 2004      | MySQL Users Conference and Expo 2004 (Peabody Hotel Orlando)               | Orlando, FL
April 14 - 17, 2004      | ACCU Spring Conference 2004 (Randolph Hotel)                               | Oxford, England
April 20 - 21, 2004      | LinuxUser & Developer Expo (Olympia)                                       | London, England
April 22 - 23, 2004      | 2004 Desktop Linux Summit (Del Mar Fairgrounds)                            | San Diego, California
April 26 - 27, 2004      | Digital Media Project Traditional Rights and Usages Workshop               | Los Angeles, CA
April 29 - May 2, 2004   | 2nd Linux Audio Developers Conference (Institute for Music and Acoustics)  | Karlsruhe, Germany

Comments (none posted)

Web sites

The GNOME Chinese User Portal goes live (GnomeDesktop)

GnomeDesktop.org has an announcement for a new Chinese GNOME portal site. "This site is designed for both end users and software developers of GNOME and dedicated to improve GNOME by addressing and solving issues related to Chinese processing."

Comments (none posted)

The KDE Wiki Has Moved (KDE.News)

KDE.News reports on the move of the KDE Wiki. "Luciash D' Being (aka luci) has announced the successful completion of the move of the KDE Wiki to the KDE Dot News server. With the move, KDE Wiki gains not only more computing resources, but also a new domain name in the form of wiki.kdenews.org."

Comments (none posted)

Community Driven Geolocation Service

hostip.info is a new site that allows you to look up the physical location of an IP address. "It is running on Linux, releases all the data under GPL, and has a cool (IMHO :-) animation once the city's located (needs java)".

Full Story (comments: none)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

RE: Toward a new kind of 'Linux distribution'

From:  Jamie Katz <jamie-AT-continentalbooks.com>
To:  imurdock-AT-progeny.com, LWN Letters <letters-AT-lwn.net>
Subject:  RE: Toward a new kind of 'Linux distribution'
Date:  Sat, 28 Feb 2004 20:46:53 -0500

I really like the concept of "a componentized distribution."
(http://www.newsforge.com/technology/04/02/25/1548203.shtml) Here are a
few thoughts that may help flesh out the idea more.
 
In the Windows and Mac worlds, you buy (or pirate or "try") one bit of
software at a time. So, to take one example, if you are a web developer,
you get Photoshop or Paint Shop Pro for images, Homesite or BBedit or
Dreamweaver for HTML editing, Cute FTP or Transmit for uploading, and
maybe a few utilities, like some image-map maker.
 
A Linux "componentized distribution" for web-dev could give you:
 
* local Apache with the ability to easily set it up to mirror the setup
of the eventual live server in all important ways (i.e., mod-Perl or
not, mySQL or not, PHP with globals on or not etc)
 
* Konqueror with GUI, fully-integrated SSH wizards to connect to servers
 
* Quanta with default settings to open/save to the correct dirs
 
* Ditto the GIMP
 
* If a "work as a group" option is selected on install, the whole thing
could be CVS driven over a network, with the lan webserver running from
1 designated machine (i.e., the install CD would be passed around, and
would auto-detect the network-setup that the 1st user did)
 
* Pref files for apps would be consistent, and would be made easy to
access and easy to exchange with co-workers (this would make the whole
team use the same default DOCTYPES, same JPG compression, same ssh
passwords, same templates, etc.)
 
* Documentation would have centralized links to the relevant docs, and
an overview specific for this mini-distro, with a description of
workflow, desired output, arguments in favor of doing things their way.
 
This would be like a "meta-package" but with a bigger emphasis on
configuration, "workgroup" integration, and workflow, so it would be
more of a small distro. Ideally, you'd be able to install it onto any
distro. (Really, the whole thing is just a few docs, a list of programs,
and specific pref settings.)
 
One group's web-dev mini-distro/meta-package could emphasize a process:
planning to graphic design, to copy writing, to PHP coding, to HTML
integration, to testing. Another group could create a competing web-dev
mini-distro/meta-package centered around extreme programming. Yet
another could emphasize J2EE integration or some crap. To say nothing of
those who'd want to push Bluefish over Quanta or Zeus over Apache or...
 
No users would care if anything was GNOME or KDE because the integration
would be geared towards specific real-world tasks, not toward the
romantic vision of an integrated EVERYTHING. Right now, in the Linux
world too, this kind of apps collection and configuration is left to the
user. No distro is set up like this out of the box (maybe MOVIX? or
DEMUNDI? But these seem to be trying to be self-contained...). A lot of
energy is spent by users figuring out a good workflow and a good set of
apps; figuring out optimal and integrated configuration; and figuring
out how to easily mirror settings throughout a group of collaborators.
And people who are experts in making great graphic designs may not know
that FTP is insecure, or may not feel comfortable getting a webserver
running -- in other words, many people end up with sub-optimal tools.
Much of the best work of finding these solutions is not freely and
easily distributed.
 
Adobe and Macromedia are sort of trying to sell groups of expensive
integrated programs to handle everything in web development, but they
feel like awful kludges, and key components are missing or are weird
proprietary half-measures.
 
In Linux, we have key components for various tasks that are more than
"good enough" -- we should be able to create several radically different
complete solutions for various tasks -- not just web development, but
music creation, accounting, researching and writing academic papers,
selling a warehouse of widgets, or teaching English as a second language
to 4th graders. But for god's sake, don't include these things in the
latest Slackware ISO!
 
-Jamie Katz

Comments (4 posted)

Letter of Support to AutoZone

From:  "Eric S. Raymond" <esr-AT-snark.thyrsus.com>
To:  steve.odland-AT-autozone.com
Subject:  Letter of Support to AutoZone
Date:  Wed, 3 Mar 2004 11:21:56 -0500
Cc:  wire-service-AT-snark.thyrsus.com

The Linux community, and the wider open-source software movement of
which it is a part, learned this morning that SCO is suing AutoZone
over alleged IP violations related to its move from SCO Unix to
Linux. We regret that you have become the latest victim in the
campaign of barratry, fraud, and stock-kiting that SCO has been
waging. We want you to know that you are not alone, and that you have
in fact just made a great many friends.
 
Our news channels and web forums are already full of people urging
everybody to go buy something at AutoZone, even if it's as trivial as
an air freshener -- that could be several million new customers for
you. You're also in the same corner with corporate powerhouses like
IBM and cutting-edge outfits like Red Hat Software. These companies
and others have already set up common legal defense funds in
anticipation of further SCO attacks.
 
SCO has filed a complaint around allegations that were denied in
public and on the record two weeks ago by the former AutoZone employee
who led your move to Linux. To those of us who have been following
SCO's five-billion-dollar lawsuit against IBM for the last year, this
is unsurprising; they have yet to produce credible evidence or even
settle on a coherent legal theory in that case, either.
 
Accordingly, we urge you to fight this lawsuit with every effort you
can muster. It's the right thing to do by AutoZone's shareholders, and
more generally as well. Thoughtful people everywhere are seeing in
meritless IP lawsuits an increasing drag on innovation and economic
health. AutoZone can both serve its own interests and do good by
helping make such parasitic tactics generally unprofitable.
 
We'll be with you -- and that "we" includes a lot of expertise on the
technical, legal, and historical issues bound up in SCO's lawsuit. If
there is any assistance that I personally or the Open Source
Initiative can reasonably provide, please do not hesitate to ask.
 
(This letter is on the Web at http://www.catb.org/~esr/writings/autozone.html)
--
                Eric S. Raymond <http://www.catb.org/~esr/>
 
I cannot undertake to lay my finger on that article of the
Constitution which grant[s] a right to Congress of expending, on
objects of benevolence, the money of their constituents.
        -- James Madison, 1794

Comments (1 posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds