
LWN.net Weekly Edition for April 8, 2004

The first X.Org release

The X.Org Foundation has announced the release of X11R6.7. This is, in some sense, a relatively minor release from X.Org, with little in the way of new features (see the release notes for the details). It is, however, a milestone in the development of the X Window System, and worthy of note.

Readers of LWN will be familiar with the tensions which have stressed the XFree86 project over the last year. There have long been disagreements over how the development of X should be managed, and core developers have been leaving the project for some time. The issue came to a head with the adoption of the XFree86 1.1 license, which is widely seen as being incompatible with the GPL. That move led to the formation of the X.org Foundation under the umbrella of FreeDesktop.org. It also led to many distributors saying that they would not incorporate the XFree86 4.4 release.

The X11R6.7 release is the first official release from X.Org, though some distributions (e.g. Fedora Core 2 Test 2) have incorporated pre-release versions from the Foundation. It is intended to be a transitional release, a way for distributors to move over to the new code base. As such, it deliberately does not include much in the way of radical new changes. There will be a couple more X11R6.x releases this year which will add more new stuff.

The real plan for the future, however, is to split the X release into a number of components, including the server, client libraries, and applications. This split will allow each part of the system to progress at its own pace; it will be possible to release support for the latest graphics hardware without dragging along all of the applications as well. The X hackers have all kinds of schemes for reworking the server and the X protocol to better support modern 3D hardware and to get Linux, finally, out of its old, two-dimensional world.

Conventional wisdom says that forks in free software projects are a bad thing. But one of the valuable aspects of free software is that it can be forked. The X fork looks like a necessary one; with luck it will lead to a reinvigorated development process and good things for the future Linux desktop.


First SELinux impressions

April 7, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

With the recent release of the second Fedora Core 2 test, many users are getting their first exposure to Security Enhanced Linux (SELinux). We decided to take a look at SELinux in Fedora Core to give readers a taste of what's to come.

SELinux introduces new layers of security, enforced by the kernel, in addition to the standard Discretionary Access Control (DAC) model that Linux users are already familiar with. The DAC model applies security based only on a user's identity and the permissions associated with files and processes. SELinux adds Mandatory Access Control (MAC) over processes and files based on a policy set by the administrator, rather than based solely on user or process identity.

SELinux also provides Type Enforcement (TE) for files and devices, otherwise known as "objects," and Role-Based Access Control (RBAC) for users and processes. TE in conjunction with RBAC provides the ability to set policies based on the type of an object, rather than on its DAC permissions. The practical upshot of this is that a user or process must not only have the appropriate DAC permissions to access an object, but must also meet the RBAC requirements for that object.

It's important to note that SELinux does not do away with the standard DAC model. For example, if a normal user attempts to execute a file owned by root with the mode 500, they will be denied the ability to do so without SELinux features coming into play. However, SELinux goes beyond that level of control. For example, an administrator can set policy that prevents a user from granting access to files to other users even if that user owns the file.

To paraphrase Spider Man's tagline, with great power comes great complexity. Getting up to speed with SELinux tools and policy will take some time. While SELinux gives an administrator a greatly enhanced security toolbox, it also complicates the job of administrating a system. The integration of SELinux adds a number of new programs and configuration files for the administrator to familiarize themselves with, as well as adding new options to familiar programs like ps and ls. It is safe to say that the syntax for SELinux's policy configuration files is less than user-friendly.

Administrators who plan to tweak the SELinux policy settings should plan to set aside a fair amount of time to learn the syntax and procedure for updating policy. Editing a system's policy requires the administrator to modify one or more of the dozens of configuration files under /etc/security/selinux/src/policy, then compile and load the new policy using make.

Users should also be aware that the additional security checks involved with SELinux may come at the price of a performance impact. The Fedora SELinux FAQ notes that SELinux decreased performance by 7% for "completely untuned code" when SELinux was last tested and may have become worse due to changes made since then. Of course, a 7% drop in system performance is generally considered preferable to a 100% compromised system.

Administrators considering SELinux should note that it may limit their choice of filesystems, at least with Fedora's implementation. The popular ReiserFS in Fedora does not support file labeling, making it unsuitable for use with SELinux. This writer also found that the ability to turn enforcement on and off, using "setenforce", is quite invaluable during SELinux testing. It is possible to disable logins to a system simply by setting /etc/passwd's security context incorrectly. For those who don't want to jump into SELinux with both feet, setting the enforcement policy to "permissive" will cause the system to print warnings whenever access to an object would have been denied, but to not restrict any access beyond what the traditional discretionary controls dictate.
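The layering described in this article (DAC is checked first and never relaxed; the mandatory Type Enforcement check runs only after DAC allows; permissive mode logs a denial instead of enforcing it, which is why a mislabeled /etc/passwd breaks logins only in enforcing mode) can be seen in a small Python model. This is an added example, not code from the article or from SELinux itself: the domain and type names, the dict-based allow rules, the "setattr" operation and the log line format are this example's own simplifications of real policy.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    owner: str
    mode: int      # classic permission bits, e.g. 0o644
    stype: str     # SELinux type label of the object (e.g. passwd_t); invented names

@dataclass
class Process:
    user: str
    domain: str    # SELinux domain the process runs in (e.g. user_t); invented names

@dataclass
class Policy:
    # (source domain, target type) -> set of operations an allow rule permits
    allow: dict = field(default_factory=dict)
    enforcing: bool = True          # False models "setenforce 0" (permissive mode)
    log: list = field(default_factory=list)

OP_BITS = {"read": 4, "write": 2, "execute": 1}

def dac_permits(proc, f, op):
    """Classic discretionary check (group bits omitted for brevity)."""
    if proc.user == "root":
        return True                         # root overrides DAC
    if op == "setattr":                     # chmod/chown: the owner may always do this under DAC
        return proc.user == f.owner
    shift = 6 if proc.user == f.owner else 0
    return bool((f.mode >> shift) & OP_BITS[op])

def te_permits(policy, proc, f, op):
    """Type Enforcement: deny unless an allow rule names (domain, type, op)."""
    return op in policy.allow.get((proc.domain, f.stype), set())

def access(policy, proc, f, op):
    """DAC is consulted first and is never relaxed by SELinux. Only if DAC
    allows does the mandatory check run; a MAC denial is always logged, and
    in permissive mode it is logged but not enforced."""
    if not dac_permits(proc, f, op):
        return False
    if te_permits(policy, proc, f, op):
        return True
    policy.log.append(f"denied {op}: scontext={proc.domain} tcontext={f.stype}")
    return not policy.enforcing

def demo(enforcing=True):
    """Constructed scenario: an ordinary user, the login process, and a few
    files, one of them /etc/passwd carrying the wrong label."""
    policy = Policy(enforcing=enforcing)
    policy.allow[("user_t", "passwd_t")] = {"read"}
    policy.allow[("user_t", "user_home_t")] = {"read", "write"}   # no setattr rule
    policy.allow[("login_t", "passwd_t")] = {"read"}
    policy.allow[("login_t", "shadow_t")] = {"read"}              # no write rule
    alice = Process("alice", "user_t")
    login = Process("root", "login_t")
    passwd = File("root", 0o644, "passwd_t")
    shadow = File("root", 0o600, "shadow_t")
    home_file = File("alice", 0o600, "user_home_t")
    mislabeled_passwd = File("root", 0o644, "tmp_t")    # context set incorrectly
    return {
        "user_reads_passwd": access(policy, alice, passwd, "read"),           # DAC ok, TE ok
        "user_reads_shadow": access(policy, alice, shadow, "read"),           # DAC denies; SELinux never consulted
        "user_chmods_own_file": access(policy, alice, home_file, "setattr"),  # owner, but policy forbids
        "root_writes_shadow": access(policy, login, shadow, "write"),         # root, but policy forbids
        "login_reads_mislabeled_passwd": access(policy, login, mislabeled_passwd, "read"),
        "mac_denials_logged": len(policy.log),
    }

if __name__ == "__main__":
    for mode in (True, False):
        print("enforcing" if mode else "permissive", demo(mode))
```

Running the model in both modes shows the two points the article makes: the DAC denial of alice reading shadow stands regardless of SELinux mode, while the three MAC denials (including root writing shadow and the mislabeled passwd file) are enforced only in enforcing mode and merely logged in permissive mode.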

For the most part, the end-user experience is, with luck, largely unchanged. Though some users have reported problems with various end-user applications not working with SELinux enabled, this writer did not encounter any problems using FC2 on the desktop or at the shell for normal work.

Despite its complexity, SELinux shows a great deal of promise for improving the overall security of Linux systems. It seems likely that the tools for creating and customizing SELinux will improve over time and make the task less difficult. Even at the current level of complexity, it would be well worth an administrator's time to learn and deploy SELinux for systems that are directly connected to the Internet or other hostile environments.


Motion in Red Hat v. SCO

After a lengthy period of inactivity, there has finally been a bit of movement in Red Hat's lawsuit against SCO. The news is mixed.

SCO's motion to dismiss the case was denied; Judge Robinson reached the reasonable conclusion that Red Hat did, indeed, have reason to fear a lawsuit from the SCO Group. So the case will go forward; SCO will not be able to shake it quite so quickly.

This case will not go forward anytime soon, however. Instead, it has been put on hold until the IBM case is worked out. Every 90 days, both sides have to file their view of the state of the IBM case. If that case looks like it is not going anywhere, the court may restart the Red Hat case.

For now, however, the Red Hat suit is suspended. Given the speed at which things have moved in this case to date, it may be hard to tell the difference. This ruling does, however, free SCO from the need to fight on this front for now; SCO can concentrate its resources on the IBM, Novell, DaimlerChrysler, and AutoZone suits. Plus any others that SCO might, in its wisdom, decide to file. That should be enough to keep the lawyers busy for a while. (See Groklaw for more information).


The User-Accessible Filesystem Hierarchy Standard

The User-Accessible Filesystem Hierarchy Standard is a proposed standard which has recently been put forward for wider review. The problem this standard attempts to address is: how do users of desktop Linux systems install software for their personal use without using the root password or hosing the system? The problem is real enough; as Linux shows up on more desktops, and more interesting applications become available, people will want to be able to do their own installations. Anything which can make those installations easier and safer should encourage desktop Linux adoption. It is not clear that this proposal will do the trick, however.

The UAFHS states that every user should have a directory (.system) in their home directory for the installation of personal software. This directory would have the usual subdirectories: .system/bin, .system/lib, etc. The placement of software there would contain it within one subtree and make it easy to find. The standard also suggests the creation of a .config directory under the home directory and moving all application configuration files there.

The next problem is that users of a shared system may want to install software for others to use as well. To that end, the standard says that /home/shared/.system should be available and writable for all users. The authors seem to have anticipated one of the possible complaints with this setup:

An additional concern regarding security is that all users will be able to easily install programs. This is not a security flaw, and is in fact a way to strengthen security. All users are already capable of installing software, it is merely difficult.

The argument here seems to be that, since the root password will not be required for software installation, the system will be more secure. The simple fact, however, is that making it easy for unprivileged users to install programs into the path of other users is not the best way to secure a system. This sort of mechanism could easily become a favored way of escalating access to a user account into a full root compromise.
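The check a defender would want given the concern just raised: any directory on a user's PATH that other users can write to lets whatever they place there run with that user's privileges. The following Python audit of PATH entries is an added example, not part of the UAFHS proposal or of this article; the function names and the fixture directories built in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_path_dir(path, trusted_uids=(0,)):
    """Return a list of findings for one PATH entry; an empty list means it looks safe."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]          # a dangling entry can later be created by someone else
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
        st = os.stat(path)          # judge the directory the link resolves to
    if not stat.S_ISDIR(st.st_mode):
        return findings + ["not a directory"]
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        # The sticky bit stops others deleting files, not adding new ones.
        findings.append("world-writable" + (" (sticky)" if mode & stat.S_ISVTX else ""))
    elif mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid not in trusted_uids and st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}")
    return findings

def audit_path(path_value, trusted_uids=(0,)):
    """Audit every entry of a PATH-style string; an empty entry means the current directory."""
    results = {}
    for entry in path_value.split(os.pathsep):
        if entry == "":
            results[entry] = ["empty entry (current directory)"]
        else:
            results[entry] = audit_path_dir(entry, trusted_uids)
    return results

def demo():
    """Constructed fixture: a private bin directory, a shared one as the
    proposal describes (mode 1777), a group-writable one, a missing one and
    an empty entry."""
    root = tempfile.mkdtemp(prefix="uafhs_demo_")
    private = os.path.join(root, "private_bin")
    shared = os.path.join(root, "shared_bin")
    sloppy = os.path.join(root, "sloppy_bin")
    for d, mode in ((private, 0o755), (shared, 0o1777), (sloppy, 0o775)):
        os.mkdir(d)
        os.chmod(d, mode)
    missing = os.path.join(root, "gone")
    path_value = os.pathsep.join([private, shared, sloppy, missing, ""])
    report = audit_path(path_value)
    return {os.path.basename(k): v for k, v in report.items()}

if __name__ == "__main__":
    for entry, findings in audit_path(os.environ.get("PATH", "")).items():
        print(entry, findings or "ok")
```

Run stand-alone it audits the caller's own PATH; the point of the fixture is that a 1777 directory such as the proposed /home/shared/.system/bin is still flagged, because the sticky bit prevents other users from deleting files but not from adding a binary with a familiar name.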

This standard also fails to address the real issue. Unprivileged users who want to install software are not much concerned about where it is going to go. They will be far more interested in easy management of installed software. Mixing packages together into one big directory tree does little to help somebody who wants to get rid of things in response to the inevitable "no space left on device" or "quota exceeded" message. This standard says "put software over there," but does not concern itself with how users will actually manage that software.

Making software installation easier is a worthy goal. Part of achieving that goal can even be the designation of a target directory for installations. But anybody who wants to concern themselves with making this aspect of desktop Linux easier really needs to be dealing with the package management issue. Creating a version of rpm or dpkg which can do per-user package management could be harder than writing up a proposed standard, but it would do far more to address the issue at hand.


Legislative fun worldwide

Linux Australia has published a lengthy position paper on the free software implications of the recently negotiated "free trade agreement" (FTA) with the United States. This agreement uses the trade treaty approach to bring American-style anti-circumvention and software patents to Australia. Linux Australia is now working to prevent the adoption of the FTA, and is looking for help. Among other things, there is an online petition to be signed, but the first priority for Australians is probably to contact their members of Parliament. See the Linux Australia FTA page for more information.

Meanwhile, on the European front: there will be a two-day gathering at the European Parliament in Brussels starting April 14 in an attempt to, once again, stop the threat of software patents in Europe; see this press release and the demonstration home page for details. The European Parliament voted against patents on software, but the European Commission and Council of Ministers have the last word - and they are considering a very different course of action. If Europe is going to avoid the imposition of U.S.-style software patents, Europeans will have to make their voices heard.

In the U.S., the House of Representatives is busily addressing our pressing national problems by considering the Piracy Deterrence and Education Act (PDEA - available in PDF format). This act calls for the FBI to "facilitate the sharing among law enforcement agencies, Internet service providers, and copyright owners" of information related to file sharing. The Attorney General's office is to set up an "education program" on "the value of copyrighted works and the effects of the theft of such works on those who create them," along with the security risks of file sharing. Most fun of all, however, is the provision for three-year jail sentences for anybody convicted of sharing a single file valued (by the copyright owner) at over $1000. The PDEA has passed the House Judiciary Intellectual Property Subcommittee; no word on when it may be voted on by the entire House.


Page editor: Jonathan Corbet

Security

Brief items

Red Hat Linux: the end is near

For those who haven't been paying attention: Red Hat has sent out a reminder that the end of an era is approaching. After April 30, Red Hat will no longer produce security updates for Red Hat Linux 9, the last product in the Red Hat Linux line. If you have systems running Red Hat Linux, you should be well into the execution of your migration plan. We have been getting enough mail asking for articles about Red Hat Linux alternatives, however, that we suspect many sites have not yet figured out what they are going to do.

For those still in the planning process, here is a quick summary of alternatives to letting your Red Hat Linux systems go unpatched:

  • Get Red Hat Linux security updates from elsewhere. The Fedora Legacy Project has been issuing updates for Red Hat Linux 7.2, 7.3, and 8; updates for Red Hat Linux 9 should start coming out once Red Hat ceases support. Fedora Legacy updates are free and, so far, have been reliable, but its users are depending on a volunteer project for updates into the future.

    A commercial alternative is the Progeny Transition Service which, for a small monthly fee, will provide updates through at least the end of 2005.

  • Switch to a Red Hat Enterprise product. These products offer high-quality support for years into the future, but the price tag is relatively steep. See the Red Hat Enterprise Linux page for more information.

  • Switch to an RHEL knockoff distribution. Distributions like White Box Enterprise Linux and cAos Linux use the RHEL packages and do their best to provide the RHEL feel and support. These distributions are small and unproven, however, and, to some people, they push the "free rider" approach a little too far.

  • Switch to Fedora. Fedora Core is the successor to Red Hat Linux, and will be familiar to Red Hat administrators. It is also Red Hat's testing and development ground for features intended for eventual inclusion in RHEL. Fedora Core 1 was a reasonably solid release; Fedora Core 2 may be somewhat more challenging. Note that Fedora has a different security update policy than Red Hat Linux did: affected packages are updated to the latest version, rather than having the specific fix backported. Updates for specific Fedora Core releases should be available for extended periods of time through the Fedora Legacy Project.

  • Switch to another distribution entirely. SUSE or Mandrake Linux would be the most obvious (least disruptive) choices for Red Hat Linux refugees, but many other distributions are available.

The one option we don't recommend is "do nothing and hope for the best."

Many Red Hat Linux users will find this transition inconvenient and annoying. But this whole episode demonstrates one of the great strengths of free software: Red Hat Linux users have several entirely viable alternatives available to them. Users of proprietary operating systems tend not to be so lucky.


Joint Statement about GNU/Linux Security

Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". "Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."


New vulnerabilities

clamav: denial of service

Package(s):clamav CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The Clam AntiVirus utility through version 0.68 is vulnerable to a denial of service attack.
Alerts:
Gentoo 200404-07 2004-04-07


fte buffer overflows

Package(s):fte CVE #(s):CAN-2003-0648
Created:April 5, 2004 Updated:April 7, 2004
Description: Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console.
Alerts:
Debian DSA-472-1 2004-04-03


heimdal cross-realm vulnerability

Package(s):heimdal CVE #(s):CAN-2004-0371
Created:April 6, 2004 Updated:April 9, 2004
Description: According to a security advisory from the heimdal project: All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
Alerts:
Gentoo 200404-09 2004-04-09
Debian DSA-476-1 2004-04-06


interchange missing input sanitizing

Package(s):interchange CVE #(s):CAN-2004-0374
Created:April 2, 2004 Updated:April 7, 2004
Description: A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data.
Alerts:
Debian DSA-471-1 2004-04-02


racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07


shar: buffer overflow

Package(s):sharutils CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.011 2004-04-07


xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

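The class of bug in the xine-ui entry above, a script writing to a predictable temporary file name, is easiest to understand with the insecure pattern beside its hardened form. The Python below is an added example and is not the xine-ui script the advisory refers to; the scratch directory, the "victim" file and the pre-existing symlink are constructed here so the demonstration runs offline.

```python
import os
import tempfile

def predictable_tmp_path(base, name):
    # The classic shell idiom "/tmp/$name.$$": the name depends only on the PID,
    # so it can be known, and already occupied, before the program runs.
    return os.path.join(base, f"{name}.{os.getpid()}")

def insecure_write(path, data):
    # open(..., "w") truncates whatever is already at 'path' and follows symlinks.
    with open(path, "w") as f:
        f.write(data)

def safe_write(base, name, data):
    """O_CREAT|O_EXCL refuses an existing path (a symlink counts as existing)
    and O_NOFOLLOW refuses to follow one; the file is created mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(base, name), flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def mkstemp_write(base, name, data):
    """Preferred form: tempfile.mkstemp picks an unpredictable name and uses
    the same exclusive-create flags, so there is no known path to collide with."""
    fd, path = tempfile.mkstemp(prefix=name + ".", dir=base)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    base = tempfile.mkdtemp(prefix="tmpfile_demo_")
    victim = os.path.join(base, "victim.txt")
    with open(victim, "w") as f:
        f.write("original\n")
    # Constructed precondition: a symlink already occupies the predictable name.
    link = predictable_tmp_path(base, "report")
    os.symlink(victim, link)

    insecure_write(link, "clobbered\n")            # follows the link: victim is overwritten
    after_insecure = read(victim)

    with open(victim, "w") as f:                   # restore, then try the hardened form
        f.write("original\n")
    try:
        safe_write(base, os.path.basename(link), "x\n")
        safe_refused = False
    except FileExistsError:                        # EEXIST: exclusive create refused the path
        safe_refused = True
    after_safe = read(victim)

    path = mkstemp_write(base, "report", "ok\n")
    return {
        "after_insecure": after_insecure,
        "safe_refused": safe_refused,
        "after_safe": after_safe,
        "mkstemp_mode": oct(os.stat(path).st_mode & 0o777),
        "mkstemp_name_differs": path != link,
    }

if __name__ == "__main__":
    print(demo())
```

The mkstemp form is the one to reach for in new code; the explicit O_EXCL|O_NOFOLLOW open is shown because it is the minimal change when a fixed name cannot be avoided, and because it explains why mkstemp is safe.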

Updated vulnerabilities

courier - Remote buffer overflow vulnerabilities

Package(s):Courier CVE #(s):CAN-2004-0224
Created:March 29, 2004 Updated:April 1, 2004
Description: Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.
Alerts:
Gentoo 200403-06 2004-03-26


emil: Buffer overflow and format string vulnerabilities

Package(s):emil CVE #(s):CAN-2004-0152 CAN-2004-0153
Created:March 25, 2004 Updated:March 31, 2004
Description: The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely. It may be possible to craft an email that exploits the vulnerability and executes arbitrary code.
Alerts:
Debian DSA-468-1 2004-03-24


ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28


Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 17, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16


gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14


iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24


kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10


kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07


kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01


Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18


kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07


libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19


libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26


mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09


mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
OpenPKG OpenPKG-SA-2004.009 2004-04-05
Gentoo 200403-09 2004-03-29
Conectiva CLA-2004:833 2004-03-31
SCO Group CSSA-2004-014.0 2004-03-25
Whitebox WBSA-2004:035-01 2004-02-12
Fedora FEDORA-2004-058 2004-02-09
Red Hat RHSA-2004:035-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:034-01 2004-01-19
Debian DSA-424-1 2004-01-16


metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18


mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

monit: buffer overflow and DOS

Package(s):monit CVE #(s):
Created:March 31, 2004 Updated:April 19, 2004
Description: The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.

Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.

Alerts:
Gentoo 200404-16 2004-04-19
Netwosix NW-2004-0008 2004-04-06
Gentoo 200403-14 2004-03-31

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

oftpd - denial of service

Package(s):oftpd CVE #(s):
Created:March 29, 2004 Updated:April 5, 2004
Description: A remotely-exploitable overflow exists in versions of oftpd 0.3.6 and earlier, allowing an attacker to crash the oftpd daemon. Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.
Alerts:
Debian DSA-473-1 2004-04-03
Gentoo 200403-08 2004-03-29

Comments (1 posted)

openldap: denial of service

Package(s):openldap CVE #(s):
Created:March 31, 2004 Updated:March 31, 2004
Description: Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.
Alerts:
Gentoo 200403-12 2004-03-31

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pam-pgsql - missing input sanitizing

Package(s):pam-pgsql CVE #(s):CAN-2004-0366
Created:March 29, 2004 Updated:March 31, 2004
Description: Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that are sent to the database. An attacker could exploit this bug to insert SQL statements.
Alerts:
Debian DSA-469-1 2004-03-29

Comments (none posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PWLib: possible Denial of Service

Package(s):PWLib CVE #(s):CAN-2004-0097
Created:February 13, 2004 Updated:April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Gentoo 200404-11 2004-04-09
Mandrake MDKSA-2004:017 2004-03-03
Fedora FEDORA-2004-078 2004-03-02
Debian DSA-448-1 2004-02-22
Whitebox WBSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:048-01 2004-02-13

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

samba privilege escalation

Package(s):samba CVE #(s):CAN-2004-0186
Created:March 15, 2004 Updated:April 20, 2004
Description: Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.
Alerts:
Mandrake MDKSA-2004:035 2004-04-19
Debian DSA-463-1 2004-03-12

Comments (none posted)

squid - vulnerability in URL decoding

Package(s):squid CVE #(s):CAN-2004-0189
Created:March 29, 2004 Updated:April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Alerts:
Whitebox WBSA-2004:133-01 2004-04-19
Fedora FEDORA-2004-104 2004-04-15
Red Hat RHSA-2004:133-01 2004-04-14
Conectiva CLA-2004:838 2004-04-12
Debian DSA-474-1 2004-04-03
OpenPKG OpenPKG-SA-2004.008 2004-04-01
Mandrake MDKSA-2004:025 2004-03-30
Gentoo 200403-11 2004-03-30
Red Hat RHSA-2004:134-01 2004-03-29

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created:January 15, 2004 Updated:April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

Comments (none posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

util-linux: information leak in the login program

Package(s):util-linux CVE #(s):CAN-2004-0080
Created:February 3, 2004 Updated:April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06 2004-04-07
Fedora-Legacy FLSA:1256 2004-03-04
Whitebox WBSA-2004:056-01 2004-02-12
Red Hat RHSA-2004:056-01 2004-02-02

Comments (1 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.5, which was announced by Linus on April 3. Changes since -rc3 include another ALSA update, some architecture updates, and various fixes.

Linus's BitKeeper repository has no new patches; he is off the net for the week. In its place, Andrew Morton has put together a "merge candidate" tree, the current release of which is 2.6.5-mc2. This tree contains the laptop mode patches, a set of ReiserFS updates, IPv6 support for SELinux, the lightweight auditing framework (see below), the POSIX message queues patch, the fcntl() file_operations method (covered here last month), some virtual memory improvements, non-exec stack support, various architecture updates, and lots of fixes - 207 patches in all.

The current -mm tree is 2.6.5-mm2; recent additions to -mm include some software suspend fixes, an autofs4 update, and more fixes. The 4G/4G virtual memory patch has been dropped for now; it was suspected of causing some problems, and it gets in the way of the other virtual memory work being done.

The current 2.4 prepatch is 2.4.26-rc2, which was released by Marcelo on April 5. This patch adds a relatively small number of fixes, including some IDE updates and an XFS update.

Comments (1 posted)

Kernel development news

A new device naming scheme

A recent posting on linux-kernel announced the creation of a new mailing list, hosted at OSDL, for the discussion of device naming schemes. The Linux Standard Base does not currently specify device names, but its maintainers would like to change that. To that end, they are seeking input on how devices should be named on Linux systems.

The discussion, so far, has centered around a proposal (available in PDF format) from SUSE. Its purpose is to create a set of persistent device names which will remain valid even in a hotpluggable world where the hardware configuration can change at any time. To that end, the proposal creates a version of /dev which is radically different from anything seen on current Linux systems.

All of the current device names found in /dev are relegated to the category of "compatibility names." They will still exist, but the proposal suggests that they should be maintained by udev, rather than being a static part of the system. The new names, instead, will all be found in subdirectories under /dev. Disks will be in /dev/disk (with a "k"), and the obvious things will be found in other directories, such as /dev/printer, /dev/cdrom (these, evidently, are not "disks"), or /dev/modem.

The proposal calls for another level of subdirectories before you find any actual device names. Each of the /dev subdirectories would be further divided into by-path, which names each device by how it is connected to the system; by-serial, which uses the device's model name and serial number; by-uuid, which uses a device's "universal unique identifier"; and by-label, which uses a device's filesystem label. Thus, a system's root partition might have all of the following names:

  • /dev/disk/by-path/ide-0.0-part1
  • /dev/disk/by-serial/ata-ST340810A-53-5BIN-part1
  • /dev/disk/by-label/label-ROOT
  • /dev/disk/by-uuid/uuid-0bee1954-b245-4df1-b2af-785fecd75b8f

The use of multiple names for the same device does not sit well with everybody; fears have been expressed that it could confuse users and applications which perform user-space locking by device name. The by-path names were received critically; since the path can change on a modern system, those names will never be persistent. There were also complaints about by-label and by-uuid; those names are meant to allow Linux systems to find and mount disks regardless of their position in the device hierarchy, but the mount utility already implements that functionality.

While there have been complaints about the SUSE proposal, there have not, thus far, been a lot of alternatives put forward. Something, however, is clearly going to have to change. A Fedora Core 2 Test 2 system has almost 19,000 entries under /dev; this mass of names can only get larger and increasingly unmaintainable. And it fails to address the dynamic nature of devices in modern systems. Device naming looks to be an interesting issue for some time to come.

Comments (6 posted)

Capabilities in 2.6

The kernel capability mechanism gives (relatively) fine-grained control over what actions any given process can perform. The various capabilities include the ability to override file permissions, send signals to other processes, bind to low-numbered ports, and many other tasks. There have been visions over the years of exporting capabilities to user space and eliminating the "all-powerful superuser" concept, but none of those visions has been implemented in any widely-distributed way.

One of the capabilities is called CAP_IPC_LOCK; it gives a process the ability to lock a region of virtual memory into physical RAM. This capability needs to be controlled; otherwise a rogue process could lock up all of physical memory and effectively shut down the system. There are, however, legitimate reasons for giving this capability to normal users. Programs which handle encryption (such as gpg) would like to lock in some of their memory so that passphrases and clear text do not get written out to swap. Systems like Oracle need the capability to lock in their shared segments (since they do their own paging, essentially) and to be able to allocate large page "hugetlb" segments.

To this end, Andrea Arcangeli posted a patch which allows the system administrator to disable CAP_IPC_LOCK checking via a sysctl variable. With those checks disabled, any non-privileged process can lock pages into memory or allocate large-page shared memory segments. Andrea asked for the patch to be incorporated into the 2.6 mainline.

The patch inspired some thinking on how best to make certain capabilities available to users. There has been a patch in circulation for a while which simply opens up memory locking to everybody, but which puts a resource limit on the number of pages which can be locked. The default limit is a single page, which works for gpg but which does not easily threaten the system as a whole. With a suitably adjusted limit, this patch should work for Oracle as well - but it does not address the large-page shared memory issue.
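As an added example (not part of the article or of any of the patches it discusses), here is how a gpg-style program would pin a passphrase buffer and check its locked-memory budget first. It assumes a Linux system where RLIMIT_MEMLOCK caps mlock() for processes without CAP_IPC_LOCK; the page-footprint arithmetic shows why even a one-byte secret consumes a whole page of that budget, which is why a one-page default limit is enough for gpg.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* mlock() pins whole pages, so even a one-byte secret costs at least one
 * page of the caller's locked-memory budget.  Return the span of pages a
 * request for [addr, addr + len) actually consumes. */
size_t locked_footprint(const void *addr, size_t len)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return (size_t)(end - start);
}

/* Check a footprint against RLIMIT_MEMLOCK, the per-process cap that
 * applies to processes without CAP_IPC_LOCK (assumption: current Linux
 * semantics).  Returns 1 if the request fits the soft limit, 0 if not. */
int fits_memlock_limit(size_t footprint)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return 0;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return footprint <= (size_t)rl.rlim_cur;
}

/* Pin the buffer holding a secret so it can never be written to swap.
 * Returns 0 on success or -errno: EPERM when the process has neither the
 * capability nor any locked-memory budget, ENOMEM when the budget is
 * exhausted, EAGAIN if the kernel could not lock the pages right now. */
int pin_secret(void *buf, size_t len)
{
    if (mlock(buf, len) != 0)
        return -errno;
    return 0;
}

/* Wipe the secret *before* unpinning, so the pages never become swappable
 * while they still hold it.  The volatile pointer stops the compiler from
 * treating the clear as a dead store and removing it. */
int release_secret(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    if (munlock(buf, len) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    char passphrase[64] = "constructed example passphrase";  /* sample secret */
    size_t footprint = locked_footprint(passphrase, sizeof passphrase);

    printf("pinning %zu bytes costs %zu bytes of locked memory\n",
           sizeof passphrase, footprint);
    if (!fits_memlock_limit(footprint))
        printf("request exceeds RLIMIT_MEMLOCK; expect mlock() to fail\n");

    int r = pin_secret(passphrase, sizeof passphrase);
    if (r != 0) {
        printf("mlock failed: %s\n", strerror(-r));
        return 1;
    }
    /* ... use the passphrase while it is pinned ... */
    r = release_secret(passphrase, sizeof passphrase);
    printf("%s\n", r == 0 ? "secret wiped and unpinned" : strerror(-r));
    return r == 0 ? 0 : 1;
}
```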

William Lee Irwin put together a different patch which allows the administrator to turn off checks for any capability via a set of sysctl variables. It differs from Andrea's patch in its generality, but also by virtue of using the security module framework rather than direct changes to the kernel core. Some people seemed to like this patch better, though there was some nervousness about its overall security which led William to add a strong comment and a lockdown capability to the patch.

Given that the whole idea behind capabilities was to be able to give specific capabilities to individual users, however, some developers wondered why the current system couldn't be used. To this end, Andrew Morton looked into hacking login to enable it to give capabilities to users. He was not impressed with what he found once he started trying to work with kernel capabilities:

It turns out that the whole "drop capabilities and then run something" thing does not work in either 2.4 or 2.6. And hasn't done since forever. What we have in there is no more useful than suser()...

I must say that I'm fairly disappointed that we developed and merged all that fancy security stuff but nobody ever bothered to fix up the existing simple capability code. Particularly as, apparently, the new security stuff STILL cannot solve the extremely simple Oracle-wants-CAP_IPC_LOCK requirement.

It was pointed out that SELinux can, in fact, solve this problem. But that will be little comfort to those who are not yet ready to adopt SELinux for their production systems.

The problem may originate from the fact that the visions of fully capability-driven systems involve assigning capabilities to all executables and having a process's capabilities tweaked every time a new program is run. That part of the system has never been merged into the mainline, partly because nobody has ever really figured out how to deal with system administration when every file has another 32 permissions bits added onto it. The end result, in any case, is that the capability subsystem has never worked quite as it should. Given that Andrew is the gatekeeper, chances are good that some sort of fix for that problem will get into the kernel before any sort of more complicated solution to the problem of giving capabilities to users.

Comments (5 posted)

The lightweight auditing framework

One of the patches in Andrew Morton's "merge candidate" tree is the lightweight audit framework. This patch, written by Rik Faith, is intended to be a way for the kernel to get various types of audit information out to user space without slowing things down, especially when auditing is not being used. The framework is meant to serve as a complement to SELinux; it is already being shipped as a part of the Fedora Core 2 test 2 kernel.

There are two kernel-side components to the audit code. The first is a generic mechanism for creating audit records and communicating with user space. All of that communication is performed via netlink sockets; there are no new system calls added as part of the audit framework. Essentially, a user-space process creates a NETLINK_AUDIT socket, writes audit_request structures to it, and reads back audit_reply structures in return.

The generic part of the audit mechanism can control whether auditing is enabled at all, perform rate limiting of messages, and handle a few other tasks. On the kernel side, it provides a printk()-like mechanism for sending messages to user space. This code also implements a user-specified policy on what happens if memory is not available for auditing; truly paranoid administrators can request that the kernel panic in such situations.

The audit patch includes some SELinux tweaks to make it use the audit functions rather than printk() when it has something to log.

The audit logging code expects an audit daemon to be running to accept messages via the netlink socket. Code for an example daemon is available in Rik's Red Hat web area. Should there be no daemon running, log messages are simply passed to printk() instead.

In addition to the generic support code, the audit patch includes a mechanism for auditing system calls. One gets the sense that this was the real purpose for the patch. System call auditing is off by default, but a suitably privileged user-space process can turn it on and load a whole set of rules describing what should be logged. Rules can test on various attributes of the calling process, including its process ID, user and group ID (both "real" and "effective"), etc. Rules can also be set to fire on accesses to particular devices or files. Finally, there are also tests on specific system call arguments, whether the call succeeds, or for a specific return value.

Included with the audit daemon is an auditctl utility which can be used for setting and tweaking rules.
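To make the rule semantics concrete, here is an added example (not code from the patch or from auditctl, neither of which is reproduced on this page) that models the attributes the article lists and evaluates constructed events against a small rule set. The event and rule structures, their field names, the syscall numbers and the sample paths are all assumptions of this model, not the patch's own types or netlink protocol.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Wildcard for the integer fields of a rule. */
#define ANY (-1L)

/* Constructed model of one audited system call, carrying the attributes
 * the article says rules can test.  These are not the patch's structures. */
struct audit_event {
    pid_t pid;
    uid_t uid, euid;          /* real and effective user ID */
    gid_t gid, egid;          /* real and effective group ID */
    long syscall;             /* system call number */
    const char *path;         /* file or device touched, or NULL */
    long arg0;                /* first system call argument */
    bool success;             /* did the call succeed? */
    long retval;              /* value returned to the caller */
};

/* A rule fires only when every non-wildcard field matches the event. */
struct audit_rule {
    const char *name;
    long pid, uid, euid, gid, egid;
    long syscall;
    const char *path_prefix;  /* NULL = any path; otherwise a prefix match */
    long arg0;
    int success;              /* -1 any, 0 only failed calls, 1 only successes */
    long retval;
};

static bool field_ok(long want, long have)
{
    return want == ANY || want == have;
}

bool rule_matches(const struct audit_rule *r, const struct audit_event *e)
{
    if (!field_ok(r->pid, (long)e->pid) || !field_ok(r->uid, (long)e->uid) ||
        !field_ok(r->euid, (long)e->euid) || !field_ok(r->gid, (long)e->gid) ||
        !field_ok(r->egid, (long)e->egid) || !field_ok(r->syscall, e->syscall) ||
        !field_ok(r->arg0, e->arg0) || !field_ok(r->retval, e->retval))
        return false;
    if (r->path_prefix != NULL) {
        if (e->path == NULL)
            return false;
        if (strncmp(e->path, r->path_prefix, strlen(r->path_prefix)) != 0)
            return false;
    }
    if (r->success != -1 && (r->success == 1) != e->success)
        return false;
    return true;
}

/* Index of the first rule that fires, or -1 when the event is not logged. */
int first_matching_rule(const struct audit_rule *rules, int nrules,
                        const struct audit_event *e)
{
    for (int i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], e))
            return i;
    return -1;
}

/* Constructed demonstration rule set: log any device access made with
 * root privileges, any failed access to the shadow file, and every
 * invocation of (constructed) syscall 2 by user 1000. */
const struct audit_rule demo_rules[] = {
    { "root-touches-devices", ANY, ANY, 0, ANY, ANY, ANY, "/dev/", ANY, -1, ANY },
    { "failed-shadow-access", ANY, ANY, ANY, ANY, ANY, ANY, "/etc/shadow", ANY, 0, ANY },
    { "uid-1000-syscall-2", ANY, 1000, ANY, ANY, ANY, 2, NULL, ANY, -1, ANY },
};
const int demo_nrules = sizeof demo_rules / sizeof demo_rules[0];

int main(void)
{
    /* Constructed events: a privileged device write, an unprivileged
     * attempt on the shadow file that failed, and an ordinary user call. */
    struct audit_event events[] = {
        { 4242, 0, 0, 0, 0, 1, "/dev/sda", 0, true, 0 },
        { 4243, 1000, 1000, 1000, 1000, 2, "/etc/shadow", 0, false, -13 },
        { 4244, 1000, 1000, 1000, 1000, 3, "/tmp/scratch", 0, true, 0 },
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        int hit = first_matching_rule(demo_rules, demo_nrules, &events[i]);
        printf("pid %ld path %s -> %s\n", (long)events[i].pid, events[i].path,
               hit < 0 ? "not logged" : demo_rules[hit].name);
    }
    return 0;
}
```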

The audit mechanism will give system administrators a new tool for looking at what is going on between user space and the kernel. With the addition of some user-space utilities, it could become a powerful facility for tracking down system problems and security issues - or for any number of big-brotherish applications. Expect to see it in 2.6.6.

Comments (6 posted)

Patches and updates

Kernel trees

  • Andrea Arcangeli: 2.6.5-aa1. (April 4, 2004)
  • Andrea Arcangeli: 2.6.5-aa2. (April 5, 2004)
  • Andrea Arcangeli: 2.6.5-aa3. (April 5, 2004)

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Which is the best distribution?

April 7, 2004

This article was contributed by Ladislav Bodnar

An email from an editor of an online business publication asked a simple question: what is the best Linux distribution for deploying on personal, small business and enterprise desktops, and personal, small business and enterprise servers? Based on user experiences and feedback over the last couple of years, online discussions and general trends among the major Linux distributions, the following would be my recommendations.

Personal desktop OS. Xandros Desktop or LindowsOS for non-technical users, and Mandrakelinux or SUSE LINUX for the rest. Both Xandros and LindowsOS have succeeded in bringing the Linux desktop closer to the masses, with many user-friendly enhancements, excellent hardware autodetection and support for popular consumer hardware, such as digital cameras, scanners and wireless network cards. They are excellent for general computing tasks. Those users who need more power will be better off with either Mandrakelinux or SUSE LINUX. These two distributions are a lot more powerful and complete than either Xandros or LindowsOS, and both can be obtained for free from the Internet. Some would argue that Fedora Core should also be considered in this category. However, its lack of out-of-the-box multimedia support, as well as the obvious tendency of its developers to concentrate on enterprise-level features, such as scalability and SELinux, would make Fedora Core a better choice for the enterprise desktop than the personal desktop.

Small business desktop OS. Fedora Core and SUSE LINUX are both excellent choices. For a small company with a limited IT budget, SUSE LINUX is probably the best choice - it can be downloaded for free and it is one of the most complete and well-designed distributions on the market. Fedora Core 1 has to be the second favorite, its only drawback being its current transition to Linux kernel 2.6 with SELinux functionality, which is far from smooth. Xandros Business Desktop is also an excellent product, but at US$495 for a 5-license pack, it is too expensive to compete effectively with the other two, especially while the company still lacks brand recognition and official support from major hardware vendors. Most recent releases by Mandrakesoft had a reputation for being somewhat buggy, which makes Mandrakelinux a less appealing candidate for a small business desktop, at least until the company improves its quality control mechanisms.

Enterprise-level desktop OS. A lot depends on the company's IT budget and the level of desired integration with the rest of its computing infrastructure. If money is no object, it would be wise to get in touch with both Red Hat and SUSE and obtain a quote for a complete solution. If money is tight, Fedora Core is a very good choice - free and well supported by the Fedora community. Having said that, it would be unfair to exclude other vendors - Mandrakesoft is recovering from a financial disaster, so it might be willing to offer an equivalent package for a fraction of the cost of Red Hat or SUSE solutions. Another option is Sun Java Desktop System (based on SUSE), but we don't hear much about this comparatively new product so it is harder to voice an informed opinion.

Personal server OS. Debian or Slackware are the hardest to beat. Besides being free, both of them have a reputation as the most solid, reliable and trustworthy Linux operating systems on the market. Their development models ensure superior quality control and both of them enjoy unparalleled community support from many web sites and user communities. Debian has always been the best distribution in terms of upgradeability to new releases, but the inclusion of the "swaret" tool in the latest Slackware means that Slackware can now also be upgraded with one command. Needless to say, both Debian and Slackware pride themselves in providing timely security updates.

Small business server OS. Same as above. Although Red Hat Linux and its newly launched Fedora Core are still the dominant Linux operating systems in most server rooms around the world, the company has alienated many users by unpopular policy changes, pushing them towards its more expensive enterprise products. On the other hand, Debian and Slackware have been around for a long time and major policy changes are unlikely. For a small business on a tight budget there really is no reason to spend money on an operating system running its servers, except perhaps in some special circumstances.

Enterprise-level server OS. If money is no object and the company requires solid hardware support or the services of Oracle and other third-party commercial applications, then it is probably best to get in touch with either Red Hat or SUSE. In fact, Red Hat and SUSE are the only two Linux distributions which are officially certified and supported by Oracle. Enterprises on a tighter budget could possibly consider deploying Debian on their servers. If support is needed, Red Hat and SUSE are in the best position to offer it, albeit at a price. Third-party commercial support is also available for Debian. Slackware is somewhat less appealing in this category, simply because it might be a lot harder to find support and personnel familiar with the distribution.

As always, these kinds of comparisons are bound to raise some controversy and many will no doubt disagree with the choices. Nevertheless, writing things down this way has resulted in an interesting conclusion: SUSE seems to be providing the widest range of products for a variety of scenarios. These vary from its biannual SUSE LINUX releases and specialized Linux Desktop and Office Desktop solutions, to the company's Standard, Enterprise and Openexchange server products. It also has the backing of Novell and its long marketing arm to take on Red Hat. Are the prices too steep? In that case, serious consideration could be given to deploying Debian, especially on servers.

Comments (23 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for April 6, 2004 contains the final call for DPL votes, a call for DebConf talk ideas, a request for hotplug support, search for packages in the snapshot archive, a few April Fools pranks, and more.

The Debian Project has announced that Debian Security Advisories (DSA) have been declared CVE-compatible. "In an effort to cooperate with the Common Vulnerabilities and Exposures (CVE) project to standardise the names for all publicly known vulnerabilities and security exposures, new security advisories have carried CVE names since June 2002. Debian formally applied for CVE compatibility in May 2003."

Once known as Debian Internal projects, Custom Debian Distributions are alive and well. Custom Debian Distributions provide a solution for special groups of target users with different skills and interests.

Here's an update on the preparation of stable Debian 3.0r3, which now includes several updated kernel packages.

The final call for votes in the Debian Project Leader election is out. All votes must be received by April 10, 2004.

Comments (none posted)

Fedora Core

The April 1st issue of the Fedora News Updates is available, with news about Fedora Core 2 test 2, the new X.org X11 implementation, SELinux revisited, and several other topics.

Fedora has fixed several bugs in gnome-session. This FC1 gaim update solves the history plugin crash, makes Yahoo protocol work, and has "hundreds of other fixes".

Comments (none posted)

Gentoo Weekly Newsletter - Volume 3, Issue 14

The Gentoo Weekly Newsletter for the week of March 29, 2004 is available. Gentoo is seeking additional kernel developers and newsletter contributors.

Full Story (comments: none)

Xandros Launches Business Desktop as Business 30-Day Trial Edition

Xandros has launched a 30-day evaluation version of the Desktop OS Business Edition. It is fully functional for 30 days and includes a PDF of the abridged User Guide, which covers installing and configuring Xandros Desktop OS as well as procedures for using the Windows networking capabilities.

Full Story (comments: none)

Trustix Secure Enterprise Linux 2

Trustix has announced a range of pricing models for Trustix Secure Enterprise Linux.

Full Story (comments: none)

GNOME 2.6 Release available for FreeBSD (GnomeDesktop)

Footnotes announces that the GNOME 2.6 Release is now available for FreeBSD.

Comments (none posted)

Mandrakelinux update to fileutils

The version of ls bundled with fileutils and, in later versions of Mandrakelinux, coreutils would segfault on listing directories with a large number of files in them, on the amd64 platform. The updated packages correct the problem.

Full Story (comments: none)

Slackware Linux

There are plenty of upgrades this week, according to the slackware-current changelog, including the 2.6.5 kernel in testing.

Comments (none posted)

New Distributions

Vigyaan

Vigyaan is a new special-purpose live CD distribution that serves as an electronic workbench for computational biology and computational chemistry. It has been designed to meet the needs of both beginners and experts, with ready-to-use modeling software. VigyaanCD v0.1 is based on KNOPPIX v3.3. VigyaanCD v0.1-beta was released on March 22, 2004.

Comments (none posted)

Minor distribution updates

CDLinux

CDLinux has released stable v0.4.8 with minor bugfixes. "Changes: This release fixes a mount failure problem on some sluggish USB devices. It fixes some bugs in the dhcpcd, iptables, nic-detect, and kernel-module packages. There are many package updates."

Comments (none posted)

Inside Security Rescue Toolkit

INSERT has released v1.2.7 with major feature enhancements. "Changes: Using the Multivalent PDF Tools, the included information material was compressed to about half the original size. This made room for avscan (a GUI for clamav) and freshclam. A few small but quite useful tools were also added, including BashBurn, iftop, and bash-programmable-completion. Memtest was updated to its latest version, as was the clamav virus database."

Comments (none posted)

LinVDR

LinVDR has released v0.6 with major feature enhancements. "Changes: Kernel 2.6.4 is now used. ACPI support was improved. Several new plugins and patches were added, including graphic LCD, improved OSD, serial buttons, signal strength, vbox, and media detection. The installation system is now faster and smaller and allows user interaction on any state of installation."

Comments (none posted)

MoviX

MoviX has released v0.8.3 with minor bugfixes. "Changes: A boot bug has been fixed, so it now boots again from nearly any boot device you can think of. When booting from the hard drive, you get full features with as little as 64MB of RAM. You can automatically install it on disk partitions. French and Russian translations have been improved. Pre-made international ISO images are available in the downloads page."

Comments (none posted)

Recovery Is Possible!

RIP has released v8.1. "Changes: The kernel and some software have been updated."

Comments (none posted)

SLAX

SLAX Linux has released v4.0.4 with major feature enhancements. "Changes: This release added Xfree 4.4.0, KDE 3.2.1, floppy tools, K3B 0.11.9, and an 845patch boot option for Intel's i845G chipset. The lang= functionality was removed and a load=... boot option that loads all specified modules from the /optional/ directory (eg. load=wine,xmms,lang_fr) was implemented. smbmount was fixed, as were FTP upload directory permissions."

Comments (none posted)

Distribution reviews

A quick look at the SUSE 9.1 beta (linux.com)

Linux.com takes a look at SUSE Linux 9.1 beta. "OK, so things didn't work perfectly. That's fine. This is a beta. Bugs are expected. Work will be done before it goes gold. Most of the problems I ran into were the result of trying to swim upstream by using Gnome instead of KDE. I expect the glitches will be gone by the time SUSE 9.1 ships. That said, there were still a couple of things I didn't care for."

Comments (none posted)

Just About Right: Revisiting Mandrake 9.2 and Fedora Core 1 (OfB.biz)

Open for Business evaluates Mandrake Linux 9.2 and Fedora Core 1. "Fortunately, while neither Fedora Core 1 nor Mandrake Linux 9.2 are where we would have liked to have seen them, their successors are just around the corner. Fedora Core 2 is nearly out, and Mandrake Linux 10.0 Official Edition will be out in May."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Bacula - The Network Backup Solution

Bacula is a cross-platform backup solution that is licensed under version 2 of the GPL.

Bacula is a set of computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds. In technical terms, it is a network client/server based backup program. Bacula is relatively easy to use and efficient, while offering many advanced storage management features that make it easy to find and recover lost or damaged files.

The project's motto is somewhat amusing: It comes by night and sucks the vital essence from your computers. [Insert evil laugh here.]

Bacula is a cross-platform project. The server side works on Linux, Solaris, and FreeBSD. The client side works on the above server platforms plus other Unix variants, Irix, MacOS X, and many versions of Windows.

Bacula has a fairly lengthy list of features, including:

  • A centralized director program.
  • Automatic execution via an internal scheduler.
  • Parallel execution of backups.
  • A job sequencing priority system.
  • Interactive file restore operation.
  • Support for whole-system restores.
  • Command line and GUI control via the Console program.
  • File verification for break-in detection.
  • Optional file compression with gzip.
  • CRAM-MD5 password authentication.
  • Support for daemon configuration files.
  • Backup catalogs can be stored under several different SQL databases.
  • Support for multiple backup volumes.
  • Support for pool and volume library management.
  • A message system that can email client messages to the administrator.
  • Support for tape library hardware and barcodes.
  • Data spooling to disk for streaming tape operation.

The Bacula User's Guide describes the software and its component utilities in greater detail.

Stable version 1.34.0 of Bacula was recently announced; the code is available from the GNU Directory listing.

If you are looking for an open-source solution for performing network backup functions, Bacula looks like a good package to consider.

Comments (3 posted)

System Applications

Audio Projects

ALSA 1.04 release

Version 1.04 of the ALSA sound driver is available with "mostly bug-fixes and cleanups".

Comments (none posted)

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include new versions of Spiral Synth Modular, Rosegarden 4, Noteedit, Hydrogen, Specimen, Timemachine, the Caps LADSPA Plugins, STK, Unison, Ocaml, Lablgtk1, Libsndfile, and Libsamplerate.

Comments (none posted)

Database Software

Release 2.3 of DbForms is available (SourceForge)

Bug fix release 2.3 of DbForms has been announced. "Tired of writing same code again and again? Try DbForms! DbForms is a Java (Servlet,JSP/Taglib) - based Rapid Application Development environment which enables developers to build web based database applications in _very_ short time."

Comments (none posted)

libgda/libgnomedb 1.1.1 released

Version 1.1.1 of libgda/libgnomedb, a database development framework for the GNOME environment, is out. "This is another development release in the road to 1.2, which will be the next stable release, and which shows a preview of the new features getting into the 1.2 final release. It is not intended for production use, but by people wanting to experiment with the new features and to help on the development."

Full Story (comments: none)

libgdamm 1.3.2 released

Version 1.3.2 of libgdamm is out with some new features. "libgdamm provides C++ wrappers for libgda for use with gtkmm. libgda is a generic database API with several database provider implementations."

Full Story (comments: none)

Mergeant 0.50 released

Version 0.50 of Mergeant is available. "Mergeant is a database user and administration tool based on GNOME-DB. It allows users to easily manage any database supported by GNOME-DB. This is a development release, the first one after the splitting of Mergeant into libmergeant and the GUI frontend, resulting in a much better architecture."

Full Story (comments: none)

PL/R - R Procedural Language for PostgreSQL

Version 0.6.0 alpha of PL/R, the R Procedural Language for PostgreSQL, is available. This version features bug fixes, support for the latest versions of PostgreSQL, and improved documentation.

Comments (none posted)

PostgreSQL Weekly News

The April 5, 2004 edition of the PostgreSQL Weekly News has been published.

Full Story (comments: none)

Filesystem Utilities

ntfsprogs 1.9.1 released (SourceForge)

Version 1.9.1 of ntfsprogs has been announced. "This release is a minor update featuring a mostly rewritten ntfsinfo, mkntfs now creates bootable volumes, some 64-bit architecture fixes and lots of cleanups. Update is recommended for people using 64-bit architectures."

Comments (none posted)

Mail Software

New milter.org releases

The milter.org site lists new versions of milter-spamc, milter-sender and milter-gris.

Comments (none posted)

Web Site Development

Gallery v1.4.3 Release Candidate 1 Available! (SourceForge)

Version 1.4.3 Release Candidate 1 of Gallery, a web-based photo management system, is available. "This version is a combination of lots of bugfixes and several new features: Lots of bug fixes, minor feature enhancements, and increased security; Gallery works when register_globals is turned off; GeekLog, phpBB2, MamboCMS, and NSNnuke integration; Image watermarking; Fullscreen fit-to-screen slideshow."

Comments (none posted)

Photo Galleries with Mason and Imager (O'Reilly)

Casey West makes a photo gallery with Perl's HTML::Mason on O'Reilly. "Creating a photo gallery is usually considered a daunting task. Lots of people have tried it, not many have succeeded. One of the reasons for so many similar projects is that they don't often integrate well into an existing web site. In this article we're going to build a photo gallery using two important components, Mason and Imager. Writing our gallery in Mason will make it much easier to integrate into an existing web site."

Comments (none posted)

Krang v1.014 released (use Perl)

Version 1.014 of Krang, an Open Source web publishing system, has been announced. "Krang v1.014, the first public release, is now available. Krang is an Open Source web-publisher / content-management system designed for large-scale magazine-style websites. It is a 100% Perl application using Apache/mod_perl and MySQL, as well as numerous CPAN modules."

Comments (none posted)

Web Services

Web services programming tips and tricks: Roundtrip issues in Java coding conventions

Russell Butek and Richard Scheuerle, Jr. present some web services programming tips on roundtripping and data integrity in an IBM developerWorks article. "Java APIs for XML-Based Remote Procedure Call's (JAX-RPC's) Java-to-WSDL/WSDL-to-Java mapping rules do not try to preserve Java constructs during roundtripping. Many constructs are preserved, but not all. This tip describes, in particular, why following Java coding conventions is very important to maintaining the ability to roundtrip."

Comments (none posted)

Desktop Applications

Audio Applications

abcde 2.1.16 released

Version 2.1.16 of abcde, a CD ripping and writing utility, is out with lots of new features.

Comments (1 posted)

Muine 0.5.1 announced

Version 0.5.1 of Muine is out with new backends, bug fixes, improved translations, and more. "Muine is a new music player using some new UI ideas. The idea is that it will be much easier and comfortable to use than the iTunes model, which is used by both Rhythmbox and Jamboree."

Full Story (comments: none)

Rhythmbox 0.7.2 released

Version 0.7.2 of Rhythmbox, a music management system, is out. "Here's a new version in the Rhythmbox development series. We're rapidly approaching 0.8.0. A lot of bugs have been fixed."

Full Story (comments: none)

Data Visualization

DiaCanvas 2.0.12.0 released

Version 2.0.12.0 of DiaCanvas, the GTK/Gnome diagramming widget, is out with an improved API, better Python support, and memory leak fixes.

Full Story (comments: none)

EarthSight 1.0

Version 1.0 of EarthSight has been announced. "EarthSight is an Earth viewer application using NASA satellite imagery". A Linux version is forthcoming.

Comments (2 posted)

PyX 0.6.1 was released

Version 0.6.1 of PyX, the Python graphics package, is available. The Change Log file lists a bug fix and new documentation.

Comments (none posted)

Desktop Environments

GNOME Platform Bindings: Release Candidate (2.5.7) (GnomeDesktop)

Version 2.5.7 of the GNOME Platform Bindings is available. "murraycu writes "This is the last development release before our totally ABI/API-stable 2.6.0 release on April 12th. Please note that the GNOME Platform Bindings are now in API freeze, so only very important API changes will be allowed before the fully-frozen GNOME Platform Bindings 2.6.0 release, on April 12th.""

Comments (none posted)

Revelation 0.3.0 revealed

Version 0.3.0 of Revelation, a password manager for the GNOME 2 desktop, has been released. This version features an integrated password generator, password hiding, UI improvements, code cleanup, and more.

Full Story (comments: none)

KDE-CVS-Digest (KDE.News)

The April 2, 2004 edition of the KDE-CVS-Digest is online. Here's the content summary: "KStars adds ability to use V4L devices. KPilot adds interface to Python and Perl conduits. Kontact adds groupware configuration wizards for Kolab and eGroupware. KWord and KSpread support OpenOffice format natively."

Comments (none posted)

Quick Lounge Applet 2.1.1 released (GnomeDesktop)

Version 2.1.1 of the Quick Lounge Applet for GNOME is available. "The Quick Lounge Applet is an applet for the GNOME desktop similar to quick launch for Windows."

Comments (none posted)

New software releases (GnomeDesktop)

GnomeDesktop.org has a combined announcement for new GNOME software. "New releases of the GRAMPS genealogy program, GNOME-IOR 0.3 a GUI for CORBA object reference parsing and object lifeness tests, and the Gnomoradio peer-to-peer music playing system are now available."

Comments (none posted)

Electronics

XCircuit 3.2.15 released

Version 3.2.15 of XCircuit, an electronic schematic drawing package, is available. Change information is in the source code.

Comments (none posted)

Games

New PyGame releases

The PyGame site lists new versions of KCB, a coloring book application, and LEISERSELT, a game involving snowballs.

Comments (none posted)

GUI Packages

Tutorial: Custom Widgets using PyQt (KDE.News)

Roberto Alsina has announced the availability of a tutorial on using PyQt. "Everyone who has programmed an application knows that sometimes you create a gadget that can be reused in other situations, and that code reuse is good. In the specific case of GUI applications, often what you would want to reuse is a widget. I wrote a short tutorial explaining how to create easy-to-reuse custom widgets using PyQt."

Comments (none posted)

gtkmm 2.2.11 released

Version 2.2.11 of gtkmm, a C++ interface to GTK+, is out. "gtkmm 2.2.10 had an incorrect configure-time test, that mistakenly disabled some template code for gcc, used to convert from intermediate C++ containers to STL containers."

Full Story (comments: none)

SLgtk 0.5.6 and Vwhere 1.2.0 released

Version 0.5.6 of SLgtk, an S-Language binding to Gtk2 and GtkExtra, is out. Version 1.2.0 of Vwhere is also included. "SLgtk also includes a visual version of the powerful S-Lang "where" command, extensions to and performance enhancements for several GtkExtra widgets, and a pixbuf loader for the FITS image file format widely used within astronomy."

Full Story (comments: none)

wxPython 2.5.1.5 released

Version 2.5.1.5 of the wxPython GUI toolkit has been announced. "The changes in this version are too numerous to list here, please see the following websites for more details. If you are upgrading from 2.4.x then please do read the MigrationGuide fully before as there are some backwards incompatible changes."

Comments (none posted)

Instant Messaging

Gaim 0.76 Released! (GnomeDesktop)

Version 0.76 of the Gaim instant messaging client is available with lots of changes. "To prove even further that Gaim isn't dead, you should read the ChangeLog, which is quite extensive."

Comments (none posted)

GnomeICU 0.99.5 released (GnomeDesktop)

GnomeICU version 0.99.5 is out. "It's been a long year since the last release, but GnomeICU is not dead... GnomeICU is a Gnome fully featured ICQ client. We are slowly moving towards GnomeICU 1.0, the full ICQ release. This is an intermediate release, so that you, as our beloved users, can enjoy all of the bug fixes that are in our CVS."

Comments (none posted)

Interoperability

Samba 3.0.3pre2 Available for Download

Version 3.0.3pre2 of Samba has been released. "This is the second preview release of the Samba 3.0.3 code base and is provided for testing only. This release is *not* intended for production servers. Use at your own risk. There have been several bug fixes since the 3.0.2a release that we feel are important to make available to the Samba community for wider testings."

Full Story (comments: none)

Wine Traffic

Issue #248 of Wine Traffic is online with the latest Wine project news.

Comments (none posted)

Mail Clients

Perdition 1.14 released

Perdition 1.14, a Mail Retrieval Proxy, is out. Here are the changes: "Various minor bug fixes and feature enhancements. In particular pid file creation on FreeBSD (and possibly others) has been fixed. A segmentation fault problem in the ldap module has been resolved. And enhanced logging".

Full Story (comments: none)

Office Suites

ooo-build 1.1.52 is available

Build 1.1.52 of OpenOffice.org is out. "This package contains the Gnome integration work for OpenOffice.org, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to OO.o. The major change in this release is targeting OO.o 1.1.1, which includes a number of bug fixes - particularly a fix for the "occasionally you lose random images" nasty that people suffered too long."

Full Story (comments: none)

Science

JChemPaint 1.9.11 is out (SourceForge)

Version 1.9.11 of JChemPaint, a Java 2 program for drawing chemical structures, is available. "This release is mostly a bug fix release, and also includes other minor improvements, like a more efficient Rendering engine and a GUI periodic table for selecting the drawing element."

Comments (none posted)

Web Browsers

Mozilla 1.7 to Become New Long-Lived Stable Branch (MozillaZine)

MozillaZine reports that the stable Mozilla 1.4 branch will be replaced by the new stable Mozilla 1.7 branch. Mozilla Firefox 1.0, a new milestone of Mozilla Thunderbird, a new Camino release and several third party Mozilla based products will be based on Mozilla 1.7.

Comments (none posted)

Replacing DHTML Menus with XUL (MozillaZine)

MozillaZine mentions a new article on XUL by Nigel McFarlane. "I've written another article highlighting the features of Mozilla. To the best of my knowledge this is the first 'dirty XUL trick' that might appeal to web developers. It's nice to see that the Mozilla styling and layout systems are robust enough to support this kind of fiddling. It would be wonderful to see a full Web toolkit of XBL objects spring up to replace the junk we do in Dynamic HTML."

Comments (none posted)

Mozilla and the potential for interaction (O'Reilly)

Jono Bacon discusses web programming and XUL on O'Reilly. "I have been playing with XUL recently and I have been really motivated with the potential for building truly interactive system type web applications. You only need to take a look at the Amazon application that is bandied around by pro-XUL hackers to see an example of what is possible with it."

Comments (none posted)

Word Processors

AbiWord 2.0.6 Released (GnomeDesktop)

Version 2.0.6 of AbiWord is out. "The AbiWord development team is happy to release version 2.0.6 of AbiWord. This release solves quite some problems reported against the previous versions of AbiWord, and fixes for example the longstanding Copy & Paste bug."

Comments (none posted)

Miscellaneous

GanttProject 1.9.11 (SourceForge)

Version 1.9.11 of GanttProject has been announced. "GanttProject is a project management tool written in Java. Release 1.9.11 is a bugfix/usability release although there are some new features."

Comments (none posted)

SC-Track Roundup 0.6.8 released

Version 0.6.8 of Roundup, a Python-based issue tracker is out. "I'm pleased to announce Roundup 0.6.8, a maintenance release which fixes some bugs".

Full Story (comments: none)

Languages and Tools

C

Self-Diagnostic APIs: Software Quality's Next Frontier (Linux Journal)

Steve Graves writes about Self-Diagnostic APIs under C and C++ in a Linux Journal article. "With embedded software adding intelligence to so many everyday objects, it seems remarkable that the tools used to create these programs aren't smarter when it comes to catching highly destructive bugs. In assigning blame for such errors, one culprit lies in the application programming interfaces (APIs) provided by software publishers."

Comments (none posted)

Caml

Caml Weekly News

The March 30 - April 6, 2004 edition of the Caml Weekly News is available with the latest Caml language articles.

Full Story (comments: none)

New Caml Software

The latest new Caml software includes OCaml-TDL, an OCaml library for dealing with TODO lists in XML format, and Contfrac, an OCaml module for working with continued fractions.

Comments (none posted)

Java

MX4J 2.0.1 released (SourceForge)

Version 2.0.1 of MX4J is available. "MX4J 2.x is an implementation of JMX 1.2.1 and JSR 160 (JMX Remote API) 1.0. MX4J is an Open Source implementation of the Java Management Extensions technology, for both JSR 3 (JMXTM) and JSR 160 (JMX Remote API). MX4J 2.0.1 is a bug fix release."

Comments (none posted)

Java and Sound, Part 1 (O'ReillyNet)

O'Reilly has published part one in a series on sound with Java by David Flanagan. "Where can you learn how to play simple audio clips with the java.applet.AudioClip class, as well as how to use the javax.sound.sampled and javax.sound.midi packages to do such things as load and play sound clips, and monitor and change the playback position within a clip? In these first excerpts in a two-part series of excerpts from Chapter 17 ("Sound") of Java Examples in a Nutshell, 3rd Edition."

Comments (none posted)

Bug Prevention with Code Generation: A J2EE Case Study (O'ReillyNet)

O'Reilly is running an article on J2EE bug detection by Francesco Aliverti-Piuri. "If you had to drill 12,000 holes, would you prefer a manual drill, or its automated equivalent? Francesco Aliverti-Piuri describes using code generation for discovering bugs in a J2EE example."

Comments (none posted)

Taming Tiger: Formatted output (IBM developerWorks)

John Zukowski discusses Tiger's C-style printf formatted output for Java. "Tiger brings printf-style formatted output to the world of Java programming; and this month, columnist John Zukowski discusses all facets of the C-inspired support for printf and format strings."

Comments (none posted)

JSP

Developing Applications with KJSEmbed (KDE.News)

KDE.News points to an article series on KJSEmbed development. "KJSEmbed is the KDE JavaScript engine with bindings for Qt/KDE. These bindings allow people to create scripts that can tightly integrate into KDE quickly with simple JavaScript. This article goes through the process of how to build a core script, add database connectivity and to add GUI control."

Comments (none posted)

Perl

Perl 5.8.4 RC1 is out (use Perl)

Version 5.8.4 RC1 of Perl has been released. "This is a regular maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."

Comments (none posted)

This Week on perl5-porters (use Perl)

The March 29 - April 5, 2004 edition of This Week on perl5-porters is online. "Elizabeth Mattijsen writes "With a little delay comes this week the weekly Perl 5 Porters Summary from the centre of reality that is Echt, the Netherlands. About 250 messages were posted in the last week. A lot was said about documentation. And a Release Candidate was released! Well, technically not inside the week, but inside of the bounds of this summary, anyway.""

Comments (none posted)

This week on Perl 6

The March 28, 2004 edition of This week on Perl 6 is online. "... and we're back! Another interesting week in Perl 6. Your Summarizer even wrote some [parrot] code and it's been simply ages since he did that. In accordance with ancient custom, we'll start the summary with perl6-internals."

Comments (none posted)

PHP

PHP 4.3.6RC2 released

Release Candidate 2 of PHP version 4.3.6 is available. "This release addresses 2 major bugs introduced in the 4.3.5 release. One of these bugs caused problems when loading dynamic extensions on Windows and thread-safe (ZTS) builds and the other involves incorrect handling of daylight savings time. A few other minor bugs were fixed as well."

Comments (none posted)

PHP Weekly Summary for April 7, 2004

The PHP Weekly Summary for April 7, 2004 is out. Topics include: PHP 4.3.6, PHP 5 RC2, mysqli not in sync, CLI and STDIN/OUT/ERR, and Bundling libxml.

Comments (none posted)

PostScript

GGV 2.6.0.1 is available

Version 2.6.0.1 of the GGV PostScript previewer is available. "As some of you might have noticed, 2.6.0 sometimes used an indecent amount of time to start, due to a number of dumb existence checks on recent files when starting up; if those files were not local, this lasted and lasted and lasted and then it lasted some more. Therefore the checks were eliminated."

Full Story (comments: none)

Python

Dr. Dobb's Python-URL!

The Dr. Dobb's Python-URL for April 5, 2004 is out; with this week's news and links.

Full Story (comments: none)

Two Python new-style objects articles

Shalabh Chaturvedi has published two articles on new-style objects for Python 2.2 and later.

Full Story (comments: none)

'Dive into Python' versions 4.8 and 4.9

Mark Pilgrim has published versions 4.8 and 4.9 of his online book Dive into Python. "Version 4.8 finished the chapter on dynamic functions and fixed some broken links. Version 4.9 splits the chapter introducing unit testing into two, finishes the chapter on regression testing, and fixes some typos in the chapter on dynamic functions." (Found on the Daily Python-URL.)

Comments (none posted)

Smalltalk

Two new versions of Squeak

Two new versions of the Unix Squeak Smalltalk implementation are available. Versions 3.7b-5 and 3.6.3 are out; both feature numerous bug fixes.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The April 5, 2004 edition of Dr. Dobb's Tcl-URL! is available with the week's Tcl/Tk article links.

Full Story (comments: none)

XML

Use XML namespaces with care (IBM developerWorks)

Uche Ogbuji writes about XML namespace issues on IBM's developerWorks. "XML namespaces are an imperfect solution to a difficult problem. From basic information architecture to difficulties with APIs, namespaces can open up rather painful gotchas if used carelessly. In this article, Uche Ogbuji covers some of the more important design principles which, if followed, can minimize problems with namespaces."

Comments (none posted)

Using libferris with XML

Ben Martin explains XML and libferris, a user-mode virtual filesystem, on O'Reilly's XML.com. "This article presents the benefits of using libferris with your XML applications. libferris presents a uniform interface to hierarchical data. This data can be persisted using many providers including the filesystem, an RDBMS, or even XML."

Comments (none posted)

Version Control

darcs version 0.9.18

Version 0.9.18 of the darcs revision control system is available. "'darcs' is an advanced revision control system along the lines of CVS or arch. It has two particularly distinctive features which differ from other revision control systems: each copy of the source is a fully functional branch, and underlying it is a consistent and powerful theory of patches (the latter being darcs' most important feature)."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Commercial Linux (InfoWorld)

InfoWorld gives some suggestions on how to turn Linux into a successful desktop product. "Don't pull anything out of the OS to reduce intimidation. Don't rip out any capabilities for fear that a timid user will stumble over them and think Linux is some kind of Frankenstein. Instead, vendors should make the system's most-used capabilities more accessible and guide customers through the process of deciding what they need to learn at each stage of development and deployment."

Comments (6 posted)

Sitting for the RHCE (NewsForge)

Here's a NewsForge article recounting one person's experience taking the Red Hat Certified Engineer exam. "To my knowledge, there are only two IT industry certifications that require a candidate to set up and repair an actual running system. Red Hat's is one of them; the other is a Cisco exam. There are no multiple-choice questions to answer; you spend the entire session repairing a broken system and then building a new one from scratch. At the end of the day, the things you've been asked to do either work, or they do not -- and you pass or fail on that basis alone. It's not as easy as it sounds. The failure rate hovers around 40%."

Comments (6 posted)

Fork in Linux Road? (eWeek)

eWeek revisits Linux fragmentation fears, and finds them unfounded. "When Unix forked, each variant had a different kernel. In other words, the core code of each Unix system was unique, which often resulted in incompatibilities and difficult cross-platform application integrations. In contrast, the Linux kernel is tightly controlled by Linus Torvalds and some core Linux code keepers. As long as these people are around, there is little chance that the Linux kernel will fork like the Unix kernel did. The only differences among Linux distributions in terms of kernel is which version of the kernel each is based on."

Comments (9 posted)

Trade Shows and Conferences

PyCon 2004: Making Python Faster and Better (O'Reilly)

Kendall Grant Clark reports on the recent PyCon event in Washington, DC. "One of the issues Guido talked about during his keynote is the development of Python 2.4, which will feature real, hard-won performance gains, many of which are due to the fine work of Raymond Hettinger. Armin Rigo -- of Psyco and PyPy fame -- is also working to reduce the cost of function calls by reducing the size of stack frames. The expected relative performance of 2.4 versus 2.3 was the first occurrence of the performance motif at PyCon; we'll see it return in the discussion of IronPython, Starkiller, and PyPy."

Comments (none posted)

The SCO Problem

SCO Loses Motion to Dismiss Red Hat Complaint (Groklaw)

Groklaw reports that, as expected, SCO's motion to dismiss the Red Hat suit has been denied. That suit will go forward, but slowly: "The judge has also stayed any further activity in the Red Hat case until after the IBM case in Utah is resolved, unless things get bogged down there."

Comments (2 posted)

Companies

Asian Linux goes into beta (Star TechCentral)

The Star covers the release of Asianux 1.0 Beta. "The Asianux Certification Programme aims to help software vendors and hardware vendors certify their products through an application programme, access to a variety of resources, including the latest Asianux version, technical information and support, as well as early access to Red Flag and Miracle Linux products."

Comments (none posted)

Sun plans Solaris subscription pricing (News.com)

Sun Microsystems is working to counter competitive pressures from Linux, according to this article. ""I think we need to come up with a subscription price for Solaris that allows it to become a lot more transparently competitive with Red Hat," Schwartz said. The subscription plan will make it clear that Solaris costs less than Linux and will dovetail with Sun's argument that its version of Unix performs better as well. And Red Hat can't throw in a free server as part of a software promotion the way Sun can."

Comments (17 posted)

Tadpole to offer Linux-based Opteron notebooks

The market for Linux on laptop systems is, perhaps, finally beginning to develop. Tadpole has announced a forthcoming notebook based on the AMD Opteron processor and Sun's "Java Desktop" system. Availability is later in this quarter.

Comments (5 posted)

Linux Adoption

Linux on desktop gaining in OS race (Mercury News)

Dan Gillmor is rethinking his position on desktop Linux in this Mercury News column. "It looks like I'm going to have to reconsider something I'd been taking for granted -- that Linux on the desktop, and especially the laptop, was a non-starter in the operating systems race. While I wasn't paying sufficient attention, the proverbial tortoise has been playing some serious catch-up."

Comments (7 posted)

Desktop Guerrilla Tactics: a Portable Thin Client Approach (Linux Journal)

Linux Journal looks at the process of rolling out a desktop Linux pilot project. "So, here was the challenge: how could we bring Linux quickly onto the desktop to penetrate the users' defenses? Just as importantly, how could we take Linux out of the environment in case the opposition proved overwhelming? We would have to take a guerrilla approach to conquering the desktop."

Comments (2 posted)

Legal

House panel approves copyright bill (News.com)

News.com covers more legislative fun, this time on the House side of the Capitol. "One section that first surfaced last year punishes an Internet user who makes available $1,000 in copyrighted materials with prison terms of up to three years and fines of up to $250,000. If the PDEA became law, prosecutors would not have to prove that $1,000 in copyrighted materials were downloaded--they would need only to show that those files had been publicly accessible in a shared folder."

For an interesting contrast, see this Globe and Mail article on a ruling by the Federal Court of Canada that ISPs cannot be forced to reveal the names of file swappers. "As part of his ruling, the judge found that simply downloading a song or having a file available on peer-to-peer software such as Kazaa doesn't constitute copyright infringement."

Comments (11 posted)

Triple setback for music giants' global jihad (Register)

The Register reports on the general failure of the recording industry's efforts to shut down peer-to-peer music sharing. "The music industry's war on file swapping has suffered three major setbacks in recent weeks, and today's rebuff by a Canadian federal court is only the latest tactical defeat. We're now seeing indications that not only are the legal threats not working, but neither are the carrots of "legitimate" music download services, which even after a year of hype, comprise less than half of one per cent of the "illegal" P2P downloads every day."

Comments (12 posted)

Interviews

The People Behind KDE: Wilbert Berendsen (KDE.News)

KDE.News introduces this interview with Wilbert Berendsen. "I'm the webmaster of www.kde.nl and translated substantial parts of KDE 3.2 to Dutch. I also am a KDE user and occasionally report bugs :-)"

Comments (none posted)

Interview with the author of KSirtet, Nicolas Hadacek

KDE.nl has an English translation of an interview with Nicolas Hadacek, author of KSirtet, a game that resembles Tetris.

Comments (none posted)

OSDL CEO: Linux is coming and Portland is its capital (NewsForge)

NewsForge talks with Stuart Cohen, chief executive officer of the Open Source Development Labs. "Fans of the penguin love to talk about their assault on Windows, but the worldwide growth of Linux and open source is coming at the expense of Unix, according to Cohen."

Comments (none posted)

The XML.com Interview: Jeff Barr (O'Reilly)

O'Reilly has an interview with Amazon.com's Jeff Barr. "As part of XML.com's ongoing series of interviews with personalities from the XML world, I talked to Jeff about XML, web services and Amazon."

Comments (none posted)

Resources

OpenOffice.org Off-the-Wall: Style Is Everything, Right? (Linux Journal)

The Linux Journal has posted a guide to working with OpenOffice styles. "Most word processors offer character and paragraph styles, but OpenOffice.org also includes frame, page and numbering styles. Even more importantly, OpenOffice.org extends the concept of styles to other applications. Impress, for example, has a system of styles, whereas PowerPoint, its MS Office equivalent, has none. The same is true of OOo's Calc and MS Excel. Once you understand why you should use styles and when, you'll find OpenOffice.org's tools for managing and applying styles second to none."

Comments (1 posted)

Open Source Software: What Is It and How Does It Work? - By Dr. Ben Kremer (Groklaw)

Groklaw republishes an essay by Dr. Ben Kremer on open source and the GPL. "The hardest conceptual problem about open source software is how to ensure people play by the rules. There are many models, but the most common is to require any person who redistributes an open source program (whether in its original form, or with any changes they have made) to also redistribute the accompanying source code."

Comments (none posted)

Reviews

Linux on the GameCube (O'ReillyNet)

O'ReillyNet looks into a Linux port to the GameCube and talks with the developers. "The GameCube port of Linux works by transferring the code to the console's hardware via an exploit in the game Phantasy Star Online. Another method involves a hardware hack to the console, replacing the GC's serial BIOS chip with a Complex Programmable Logic Device (CPLD), to allow users to start a binary through the network adapter."

Comments (1 posted)

Linux on IPod: 2.4.24 Kernel Available (LinuxWorld)

LinuxWorld Magazine notes the release of the Linux on iPod 2.4.24 kernel. "The project's overall goals are "to make a fully functional Linux from the iPod that will be able to play a greater variety of formats, have better features and even be compatible with external hardware like flash card readers so you can copy your camera photos directly to your Linux iPod.""

Comments (none posted)

EmPOWERing the Linux developer

IBM developerWorks covers various enterprise Linux distributions that run on POWER architecture. "With offerings from affordable two-way servers to vertically scaled super computers to the cutting-edge JS20 BladeCenter, POWER-based machines run the gamut of size and scale, always exceeding the expectations placed on enterprise-class hardware. The opportunity to run Linux or AIX, along with innovative configurations such as Dynamic Logical Partitioning, provides a unique platform for development and deployment of applications that feed on the POWER architecture's performance. This article will arm you with the tools and knowledge you need to make the most of your code and the POWER platform."

Comments (6 posted)

A taste of Wine (developerWorks)

developerWorks looks at Wine and how to use it to run Windows applications. "Since Wine supports the running of Windows executables, it would be natural to assume that you can install a program from scratch using the program installer. Unfortunately, that is rarely the case."

Comments (1 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Finnish Software Entrepreneurs Vote NO to Software Patents

The Finnish Software Entrepreneurs Society voiced their opinion on European software patents. "The Software Entrepreneurs Society, an association of the owners of Finnish software houses, rejected the idea of software patents in a discussion forum in Helsinki last Monday. Over 60% of the software entrepreneurs attending the forum voted "no" to software patents in Europe."

Full Story (comments: none)

Perl Monger Leadership Changes (use Perl)

Use Perl reports on several Perl Monger group leader changes.

Comments (none posted)

Serhiy Brytskyy Taking Over From Henrik Lynggaard as MozillaTranslator Project Lead (MozillaZine)

The head of the MozillaTranslator is passing the torch to another developer. "Henrik Lynggaard writes: "MozillaTranslator (the Java program to help translate Mozilla) is now changing hands. After having been semi-dormant for the last year since I have not had the time to actively maintain it, I have now decided to step down as project lead. The project is now in the hands of Serhiy Brytskyy, who is actively maintaining it.""

Comments (none posted)

Commercial announcements

CadSoft Eagle version 4.11r2

CadSoft has released version 4.11r2 of Eagle, a CAD system for designing printed circuit boards. A free version of the software is available for non-commercial use.

Comments (3 posted)

gumstix Introduces Tiny Linux Boards and Computers

Tiny commercially available Linux boards and computers were officially introduced by gumstix, inc., a start-up that produces and sells high performance Single Board Computers (SBCs) and peripherals. Based on Intel's PXA255 processor with Xscale technology, gumstix tiny boards measure 20mm x 80mm x 8mm.

Full Story (comments: none)

KDE Executor 2.0 beta released

Beta version 2.0 of the KDE Executor, a record and playback tool for Qt and KDE applications, has been released. "Today, Klarälvdalens Datakonsult AB released the first beta version of KD Executor 2.0; our tool for testing and automation. We are proud to make available a free version of this to the KDE community. (Free as in beer, not as in speech)."

Full Story (comments: none)

LynuxWorks Introduces Industry's First Embedded Linux 2.6 Offering

LynuxWorks has claimed that they are the first company to bring the Linux 2.6 kernel to an embedded platform.

Comments (none posted)

Sharp's New Zaurus Handheld

Here's a press release for the Sharp Zaurus SL-6000, a Linux-based handheld with a VGA screen. "For fast wireless access to corporate data, the Zaurus SL-6000 has built-in 802.11b network capability. It includes extensive protected flash memory, a built-in, sliding QWERTY keyboard and is readily expandable with both Compact Flash(TM) and SD expansion slots."

Comments (6 posted)

The Yankee Group on Linux deployment costs

Laura DiDio strikes again in this Yankee Group press release on a recent survey on deployment costs. "In large enterprises, a significant Linux deployment or total switch from Windows to Linux, would be three to four times more expensive and take three times as long to deploy as an upgrade from one version of Windows to newer Windows releases." The PR actually isn't saying anything all that earthshaking: a complete switch to a new system is, at the outset, more expensive than staying with what you have. Strangely, that's not how the rest of the press is reporting it, though.

Comments (14 posted)

Press releases from ClusterWorld Expo 2004

Here are a few of the press releases that are coming from ClusterWorld:
  • PathScale announced suite of high-performance Linux compilers for AMD Opteron and Athlon64 processor-based systems.
  • Penguin Computing announced availability of turnkey Linux cluster systems based on the AMD Opteron and Intel Xeon architectures.
  • Scyld Software announced availability of the 29-series release of Scyld Beowulf for the Intel Xeon and AMD Opteron platforms.

Comments (1 posted)

Linux Networx sells a cluster in Japan

Linux Networx (a Canopy company, incidentally) has sent out a press release proclaiming its sale of a 556-processor cluster to the Japanese National Institute of Advanced Industrial Science and Technology. It will join the "supercluster" already there and help out by processing some of the "smaller jobs."

Comments (none posted)

Resources

April 2004 Web Server Survey

The Netcraft Web Server Survey, with information up to April 1, 2004 is online.

Comments (4 posted)

GNOME 2.6 Desktop documentation

A new set of GNOME desktop documents are available. "The GNOME 2.6 Desktop User Guide, System Administration Guide, and Accessibility Guide are available now in various formats from http://www.gnome.org/learn."

Full Story (comments: none)

Announcing publication of Austin Group TC2

A new Technical Corrigendum has been published. "IEEE and The Open Group publish Second Technical Corrigendum to POSIX 1003.1-2001 and the Single UNIX Specification Version 3. We are pleased to announce the publication of Technical Corrigendum No. 2."

Full Story (comments: none)

Contests and Awards

The Second PHP Programming Marathon

The Second PHP Programming Marathon, an online competition, will take place on April 24, 2004.

Comments (none posted)

Event Reports

CeBIT: KDE Impresses At World's Largest Computer Expo (KDE.News)

KDE.News covers the activity at the KDE booth during CeBIT in Hannover, Germany this March. "Some developers used the opportunity to fix bugs as they were reported or at least assisted and motivated people to file bugs reports or to search for already existing ones and comment and vote for them."

Comments (none posted)

Upcoming Events

Next Week's MySQL Users Conference & Expo to be Hub of MySQL and Open Source News

MySQL AB has provided a preview of the news announcements and top attractions expected at next week's MySQL Users Conference & Expo.

Comments (none posted)

Montreal Perl Mongers Meeting (use Perl)

The Montreal Perl Mongers will be meeting on April 8, 2004.

Comments (none posted)

XML Europe 2004

The XML Europe 2004 conference will be held in Amsterdam, the Netherlands on April 18-21, 2004.

Comments (none posted)

Desktop Presentation at Linux User & Developer Expo 2004 (KDE.News)

Jono Bacon will speak at the Linux User & Developer Expo. "Just a quick note to let you know that I will be doing a presentation about the potential for Linux as a desktop platform at this year's Linux User & Developer Expo in London on April 20th from 15:25 - 15:55. The talk is entitled "Linux as a viable desktop platform" and I will be covering a number of subjects to do with desktop Linux, of which KDE plays a big part. I will also be discussing GNOME, FreeDesktop.org, Project Utopia and other technologies in the presentation."

Comments (none posted)

Linux Installfest workshop in Davis - Sunday, April 18th

The Linux Users' Group of Davis will be holding another Linux Installfest workshop in Davis, CA on April 18, 2004.

Full Story (comments: none)

14-15 April 2004: Brussels is the Hub to go (KDE.News)

KDE.News reports on an upcoming Linux install-fest in Brussels. "Most European legal frame related to new technologies is cooked up at Brussels. Its future members will decide on the patentability of software, on data privacy issues, TPRM, and so on. On 14th and 15th April a conference and Linux User Group event chaired by Daniel Cohn-Bendit (member of European parliament) takes place. Join an install party within European Parliament (and bring your favorite MEP with you). Attend a panel with e.g. Alan Cox, Georg Greve, Jon Lech Johansen (of decss fame)."

Comments (none posted)

International XUL Meetup Days Announced (MozillaZine)

A series of International XUL Meetup Day events have been announced. "Now you can join and link up with fellow XUL coders and designers at local cafes (and other places) in 612 cities across 51 countries. Every 1st Tuesday of every month is now officially International XUL Meetup Day! Meetup with other local XML User Interface Language (XUL) coders and designers to discuss the future of the rich internet for everyone."

Comments (none posted)

KDE Community World Summit 2004 'aKademy' (KDE.News)

The KDE Community World Summit 2004 (aKademy) conference has been announced. "The first edition of this new international event will be held in Ludwigsburg, Germany, near Stuttgart. Taking place from August 21st to 29th 2004, the Summit will include an exciting program of talks, presentations, tutorials and joint development, bug-fixing, design and polishing work on the leading Linux and Unix desktop environment."

Comments (none posted)

Events: April 8 - June 3, 2004

Date | Event | Location
April 8, 2004 | ClusterWorld Conference & Expo (San Jose Convention Center) | San Jose, California
April 13 - 15, 2004 | Real World Linux 2004 Conference & Expo (Metro Toronto Convention Centre) | Toronto, Ontario, Canada
April 14 - 16, 2004 | MySQL Users Conference and Expo 2004 (Peabody Hotel Orlando) | Orlando, FL
April 14 - 17, 2004 | ACCU Spring Conference 2004 (Randolph Hotel) | Oxford, England
April 16 - 18, 2004 | Penguicon 2.0 (Detroit Sheraton Novi Hotel) | Novi, MI
April 16 - 17, 2004 | Python UK Conference (Randolph Hotel) | Oxford, England
April 18 - 21, 2004 | XML Europe 2004 (RAI Centre) | Amsterdam, the Netherlands
April 20 - 21, 2004 | LinuxUser & Developer Expo (Olympia) | London, England
April 22 - 23, 2004 | 2004 Desktop Linux Summit (Del Mar Fairgrounds) | San Diego, California
April 26 - 27, 2004 | Digital Media Project Traditional Rights and Usages Workshop | Los Angeles, CA
April 29 - May 2, 2004 | 2nd Linux Audio Developers Conference (Institute for Music and Acoustics) | Karlsruhe, Germany
May 3 - 5, 2004 | International PHP Conference 2004 Spring Edition | Amsterdam, Netherlands
May 6 - 8, 2004 | TheServerSide Java Symposium (The Venetian) | Las Vegas, NV
May 11 - 12, 2004 | LinuxWorld Conference & Expo (Hotel Istana) | Kuala Lumpur, Malaysia
May 16 - 18, 2004 | European Firebird Conference 2004 | Fulda, Germany
May 17 - 20, 2004 | Fifth LCI International Conference on Linux Clusters (University of Texas) | Austin, TX
May 17 - 19, 2004 | Enterprise Software Summit (The Palace Hotel) | San Francisco, CA
May 17 - 20, 2004 | Black Hat Briefings Europe 2004 (Grand Hotel Krasnapolsky) | Amsterdam, the Netherlands
May 17 - 21, 2004 | Apache Boot Camp | Atlanta, GA
May 20 - 22, 2004 | Austrian Perl Workshop | Vienna, Austria
May 25 - 26, 2004 | LinuxWorld Conference & Expo (Suntec) | Singapore
May 26 - June 6, 2004 | DebConf4 | Porto Alegre, Brazil
May 26 - 29, 2004 | 2nd International Symposium on Computer Music Modeling and Retrieval | Esbjerg, Denmark
June 2 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit (Ottawa Congress Centre) | Ottawa, Canada

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

April is Mozilla International Month (MozillaZine)

April has been designated Mozilla International Month. "The primary aims are to promote and educate about the localisation (l10n) and internationalisation (i18n) capabilities of Mozilla software, and to show how truly global the software can be and the community is."

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

An LWN subscription vulnerability

From:  Kipp C Cannon <kcannon-AT-phys.ualberta.ca>
To:  letters-AT-lwn.net
Subject:  An LWN subscription vulnerability
Date:  Thu, 1 Apr 2004 13:30:51 -0700 (MST)

Hello All,
 
I would like to draw to the attention of Linux Weekly News subscribers the
existence of a site by the name of "lwm.net" (that's with an "m", rather
than an "n"). I myself am a Linux Weekly News subscriber, and this week I
accidentally typed this URL into my web browser. I was met with a
standard pop-up window asking me to enter my login id. and password.
 
I assumed my LWN subscription cookie had expired, and that it was time to
enter my login id. and password again. I *almost* went ahead and entered
these, but it seemed strange to me that the people at LWN had changed
their non-subscriber front page to such an unfriendly welcome. This
second thought gave me just enough time to notice my typo in the URL.
 
I believe that the operators of "lwm.net" are aware of the similarity
between their URL and that of "lwn.net", and are perhaps intentionally
trying to collect the login id.'s and passwords of unsuspecting LWN
subscribers.
 
Perhaps LWN could draw subscribers' attention to this, and ask everyone to
think twice before typing their passwords into something that doesn't look
familiar.
 
                                                        -Kipp

Comments (8 posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds