
LWN.net Weekly Edition for April 22, 2004

Lindows goes for an IPO - a detailed look

Digging through IPO registrations is hard work; they tend to be long, legalese-infested, and full of hype. Your editor, however, has been spending much of the last year looking at lawsuit filings, which are a lot worse. The chance to get into an IPO filing was too good to pass up, so, when Lindows submitted its form S-1, we dug right in. Besides, how many SEC filings come with screen shots?

Lindows proposes to sell $57.5 million worth of shares in its initial offering. The company will be using WR Hambrecht's "OpenIPO" process, which seeks to price the stock at the highest level the market will bear via an auction process. Other companies which have used this method include Salon and Andover.Net (which is now OSDN and part of VA Software).

So what is Lindows? From the filing:

We are a developer and vendor of Linux-based operating systems, application software and services designed specifically for desktop and laptop computers in homes, schools and businesses. We use technology and software developed by the collaboration of independent Linux developers, referred to as the open source community, with our own technology and software to offer affordable, easy-to-use software products and services, many of which are similar in feel and functionality to our higher-priced competitors. The cornerstone of our product line is our Linspire operating system.

The company states that, as computers get cheaper, the cost of Windows becomes more predominant, especially for desktop systems. Price pressures, they say, will cause manufacturers and consumers to look more seriously at Linux. And Lindows, of course, hopes to have the version of Linux which is best suited to this market.

A big part of the Lindows plan is to get its distribution installed widely in a short period of time. The company is targeting small computer manufacturers, offering them a "low cost" licensing program. There is also a deal with Seagate, which is pre-installing Linspire on some of its drives. Remember, ten years ago, how you could buy disks with Linux preinstalled? That market is back, it would seem.

Similarly, Elektra, a retail store chain with over 800 stores throughout Mexico, sells a low-cost computer with Linspire pre-installed. According to Elektra, since December 2003 and as of April 2004, Elektra's best selling computer was the Linspire system, outselling all other desktop computers it offers running other operating systems.

How does Lindows plan to use the money?

We expect to use a majority of the net proceeds of this offering to further develop the distribution channels for our Linux-based operating system, application software and services, to expand our sales and marketing activities, to continue to develop existing and new products, technologies and services, to increase personnel, and to repay substantially all of our outstanding debt obligations to our founder of approximately $10,400,000.

In other words, the day Lindows goes public will be a good day for Michael Robertson. Lindows says it may also use some of the money for acquisitions.

Lindows has to disclose its financial state as part of this offering, of course. The company, it turns out, brought in all of $63,131 in 2002, but that jumped up to just over $2 million in 2003. Even so, Lindows managed to lose over $4 million that year. As of the end of 2003, the company had $250,000 in the bank, a "working capital" figure of -$1.8 million, and $4.7 million in debt. How that figure squares with the $10 million owed to Mr. Robertson (and earning 10% interest) is not entirely clear.

From the obligatory "scary risk factors" section:

  • They just might run into some financial problems when trying to compete directly with Microsoft for desktop sales.

  • "We have not demonstrated the success of our open source software business model, which gives our customers the right to freely copy and distribute some of the software in our operating system and in the applications we develop and distribute. There is uncertainty in connection with open source business models, particularly as to whether or not businesses based on open source software can operate profitably."

  • Customers may not go for a model based on service and license fees.

  • Their Japanese distributions are handled by Livedoor, which, having just acquired Turbolinux, may lose interest in Lindows. Livedoor was responsible for 11% of the company's 2003 revenue.

  • Third-party applications for Linux may not be forthcoming.

  • "We have received an audit report from our independent auditors containing an explanatory paragraph stating that our historical losses and negative cash flows from operations raise substantial doubt about our ability to continue as a going concern."

  • The trademark fight with Microsoft could yet sink them. They are also, it appears, in a court battle with their insurance carrier over whether the costs of the Microsoft litigation are covered.

Lindows claims a little over 250,000 installed systems. How do they know?

Each time a computer running the Linspire operating system is connected to the Internet for the first time, our CNR technology automatically records this connection on our servers. We refer to this connection as a light up. We use light ups to monitor the growth of our installed base, the effectiveness of our marketing and distribution efforts and the quality and breadth of our products and services.

Among other things, Lindows learns who sold you the system when the "light up" occurs. These end-user systems generated some 1.7 million in revenue in 2003.

The company has spent some $1.4 million in legal fights with Microsoft. It has extracted most of that back from its insurance carrier through lawsuits, but that case is still outstanding. If things go badly, Lindows may have to repay the insurance carrier, which would hurt. There are still outstanding Microsoft suits in Spain, Canada, and France, and a fight in South Africa would appear to be in the works. Lindows has also sued Xandros, as it turns out. It would appear that Lindows loaned Xandros $750,000 which has not been repaid.

As of the end of March, Lindows has 62 employees, 38 of whom are software engineers. The CEO is Michael Robertson, of course, who, under a new agreement, is to be paid $410,000 per year, plus bonuses. Mr. Robertson owns something over 48 million shares of the company - 81% of the total. The number of shares to be sold in the IPO has not yet been specified, but it seems clear that Mr. Robertson will remain in possession of a majority of the outstanding shares. The next biggest holder is the "Burcham Community Property Trust," which is controlled by the parents of Mr. Robertson's wife. Kevin Carmony, the company's president, holds 3 million shares.

The aggregate message from this filing is clear: Lindows is trying to go public now because it very much needs the money. The company has large debts, a series of ongoing legal battles, and a need for money to carry its business plan forward. If the IPO fails, Lindows will have to come up with another source of funds in a hurry, or, as its accountants warn, its "ability to continue as a going concern" will be very much in doubt. Someday there will be a thriving market around desktop Linux, and Lindows may, indeed, be well positioned to profit in that market. Getting there will be a challenge, however.


Report from the SCO front

It has been a busy week in the SCO world. Remember last October, when BayStar and the Royal Bank of Canada invested $50 million into SCO? That was when SCO's stock hit its high point; it has been all downhill from there. On April 15, BayStar sent SCO a letter saying that it wants its money ($20 million) back. BayStar has concluded that SCO is in breach of the investment agreement, and thus must return the money - plus interest. BayStar has not said, in any public way, how it believes that SCO has breached the agreement; speculation centers, among other things, on SCO's creative representations of its intellectual property rights and failure to disclose Novell's letters contesting the ownership of the Unix copyrights. RBC has not yet tried to call back its share, but may well do so in the next few days.

Where this will go is hard to predict. Extracting money by force in this way is not an easy thing to do; BayStar must face the threat that SCO will choose to spend the money on more lawyers fighting the recall rather than hand it over. BayStar's lawyers do have some leverage, however; among other things, the amended agreement reads (Section XV(g)):

[SCO] acknowledges that a breach by it of its obligations hereunder will cause irreparable harm to the holders of Series A-1 Preferred Stock and that the remedy at law for any such breach may be inadequate. The Corporation therefore agrees, in the event of any such breach or threatened breach, that the holders of Series A-1 Preferred Stock shall be entitled, in addition to all other available remedies, to an injunction restraining any breach, without the necessity of showing economic loss and without any bond or other security being required.

That language would suggest that BayStar can go to a judge and have a good chance at getting an injunction forcing the money to be escrowed until the issue is resolved. Regular stockholders will lose out (not that they had great prospects anyway) but BayStar and RBC will do better.

This recall has serious implications for SCO. If both investors pull their money, SCO's remaining bank account will be tiny. The chances of finding other investors are also tiny. SCO's legal fees are not going to get any smaller anytime soon; the prospect of a legal battle with BayStar and RBC can only make that problem worse. Unless some sort of more overt aid comes from companies like Microsoft or Sun, SCO could find itself looking at bankruptcy in the near future.

SCO's April 21 announcement that its chief financial officer, Robert Bench, has been replaced may just be coincidental. Mr. Bench will become the "acting vice president of corporate development" until he retires later this year. His new responsibilities will be to "focus on external growth opportunities and industry partnerships" - scrambling for money, in other words. The new CFO will be Bert Young, whose history with companies like Waste Management, Inc. would seem to suit him well to SCO's way of business.

Red Hat, meanwhile, has filed a motion for reconsideration in its suit against SCO. The company claims:

Red Hat will suffer manifest injustice from a stay, since SCO apparently intends to continue to harass and threaten suit against Red Hat's customers in other jurisdictions, while Red Hat's declaratory judgment suit here, which was intended to prevent this precise harm to it and its customers, is forced to languish.

Getting the judge to rethink her ruling (which put the case on hold until the IBM case has run its course) looks like a difficult prospect, but Red Hat had to try.

In the IBM case, the latest events have to do with IBM's subpoena for information from S2 Strategic Consulting. S2, remember, is the company that helped to bring Microsoft, BayStar, and SCO together, so it's not surprising that IBM is interested in what was going on there. S2 is objecting to the subpoena, stating that it is not part of this battle and that much of the requested information is confidential. There is some interesting information to be found in this document, however, including:

Without waiver of those objections, S2 responds that it has in its possession, custody and control documents that entail communications between it and Microsoft, that relate to parties in this litigation...

S2 would appear to be pushing for a protective order to keep these documents from being publicly disclosed. Chances are it will succeed. So we may never see just what was going on between these companies, but IBM can be expected to have some fun with that information.

Finally, this whole mess has drawn the attention of another species of shark: lawyers who do shareholder lawsuits. Among those trolling the message boards for potential plaintiffs are Ademi & O'Reilly and, inevitably, Milberg Weiss Bershad Hynes & Lerach. If you were silly enough to buy stock in SCO, believe that SCO should be held legally responsible for the predictable loss of your money, feel like enriching this particular class of lawyer, and believe that there might actually be something left for a settlement with shareholders when the dust settles, these folks would like to talk with you.


Open Source Risk Management's protection plan

April 21, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

On Monday, Open Source Risk Management (OSRM) put out several interesting press releases. The company has "certified" that the Linux kernel is free of "source code that could provide a basis for meritorious copyright infringement claims." OSRM has also announced the "Open Source Legal Defense Center" (OSLDC) based in Washington D.C., which will offer membership programs for developers and corporations that might find themselves being sued by SCO or another company looking to make claims on the Linux kernel. We contacted OSRM executive director John St. Clair and OSRM director of research Pamela Jones about the announcements. Jones was kind enough to respond to several questions via e-mail, and St. Clair took the time to grant LWN a phone interview.

One might wonder how OSRM could "certify" that the Linux kernel is free of infringement. According to St. Clair, OSRM is not saying that they have proven that none of the code in the Linux kernel is tainted. However, he says that the company has done due diligence and is willing to take the risk of providing legal protection for copyright infringement claims against the kernel. According to Jones:

OSRM's certification can never mean that there will be no claims in the future; it means that they've taken a look and believe the risk is de minimis and insurable, and OSRM is sufficiently confident that it is willing to put its money where its mouth is.

St. Clair declined to provide specifics of the process that OSRM used to research the Linux kernel, but he did say that OSRM has built up "an extensive database of Unix variants... and compared that database against two versions of the kernel, 2.4 and 2.6, to detect matches between those two groups of source code." According to St. Clair, OSRM used in-house technology "unique to OSRM in terms of pattern-matching" and looked for straight text matches and "more obfuscated" code that might be taken from Unix. We asked whether OSRM might release the tools that they used for this research to the community, but St. Clair said there were no plans to do so at this time.

We were also curious how the OSLDC would work for developers, and whether $25,000 would be sufficient protection for developers if SCO or another party were to sue them. According to St. Clair:

This will provide developers, who are off on their own many times, a cost-effective way at $250 to be able to get advice and legal counsel with respect to their contributions to the Linux kernel. Should they be served with a subpoena or other legal action regarding their contributions they would receive up to $25,000 in legal protection from that.

He said that the $25,000 amount should be "pretty sufficient to cover much of their exposure." St. Clair stressed that the OSRM offering is vendor-neutral, and allows developers and corporations to make changes to the code and still receive protection, unlike some of the vendor-specific indemnification plans. He also pointed out that OSRM is not selling insurance, but rather "certifying and indemnifying our work around the kernel and with these clients to provide them an indemnification that we as OSRM have an insurance policy behind us that provides the financial wherewithal to offer that indemnification."

Since much of Microsoft's FUD these days is aimed at convincing customers that the Total Cost of Ownership (TCO) for Linux is higher than for Microsoft products, we asked St. Clair whether it was likely that their offering would be seen as raising the TCO of Linux. St. Clair said that the Legal Defense Center membership fees shouldn't harm Linux in the TCO discussion. "This is something that end users can choose to have or not have, it's not automatically bundled as part of Linux." Even adding in the cost of OSRM's offerings, St. Clair said that he believes that Linux will still have a lower TCO than its competitors. He also said that OSRM's offerings "put a stake in the ground" to show what indemnification may cost, rather than an unknown figure that opponents may exaggerate when debating TCO.

OSRM is not planning to limit itself to copyright issues or the Linux kernel. We asked whether OSRM was planning to examine other open source software commonly used with the Linux kernel, and whether the company would be expanding its protection to patent issues. The answer is yes on both counts. St. Clair told LWN that dealing with legal issues from patents is "absolutely in our plans," and Jones replied that she is currently doing research on providing protection for patent issues:

Obviously, this is a very large and complex undertaking that will require help from numerous kernel developers, organizations, specialized technical and legal experts, and hopefully volunteers in the community. We will be asking for help finding and collecting prior art through our new Grokline project, for example, which will go online shortly.

St. Clair said he believes that the SCO lawsuit will go away, but that SCO has "pointed to a potential vulnerability" that will last beyond SCO's suits. He said that OSRM also recognizes a need to go "up the stack" of open source software beyond the kernel that is also widely used. St. Clair said that he could not specify any software that would be covered by OSRM beyond the kernel at the moment, or give a timeline for announcing additional software.

Another area where OSRM is working, according to St. Clair, is in helping companies with risk assessment and developing indemnification programs that they can offer to their customers. He said that OSRM also helps "place their risk with third parties to provide that [indemnification] for their customers."

There is a "heavy amount of interest" in OSRM's offerings, according to St. Clair. It will be interesting to see if OSRM is successful in making a business out of offering indemnification for Linux and open source software, and whether they remain the sole business that offers this service if it proves to be popular.


Page editor: Jonathan Corbet

Security

TCP vulnerability: cancel red alert

The mainstream press has been quick to proclaim a new vulnerability which threatens the entire Internet. CNN, for example, tells us: "Flaw could shut down Internet traffic". A bit of time spent actually understanding the problem will quickly make it clear that, for most users, there is little to worry about.

There are several parameters which identify a particular TCP packet. The source and destination addresses are exactly that: who sent the packet, and who is to receive it. The destination port number allows the packet to be routed to the proper process on the receiving system; on the server side of a connection, the destination port will usually be a well-known number assigned to a specific service. For example, the process which receives electronic mail will be expecting it to arrive on port 25. The source port identifies the process which sent the packet. On the client (initiating) side of a connection, the source port is ostensibly a random number, though, in practice, source ports tend to be assigned in a sequential (and thus predictable) way. Yet another parameter is the sequence number, which describes where the packet fits within the overall stream. The initial sequence numbers for a connection are assigned randomly; they then increase as data is sent over the connection.

TCP packets also have a "flags" field for control purposes. One of those flags is called "reset" or "RST"; it indicates that the sending side is shutting down the connection immediately. Resets typically happen when one side receives a packet for a connection it knows nothing about. Suppose you log into a remote system with ssh, then go out for lunch; while you are eating, the remote system is rebooted. When you return and try to type over the connection, the remote system will have no record of it, so it will send back a reset packet. That's when you get that fun "connection reset by peer" message.

Suppose you were an Internet vandal looking to shut down other people's connections. This could be accomplished by sending the right sort of reset packet. Crafting this packet is not an entirely easy thing to do: you have to match all five of the parameters listed above. Presumably coming up with source and destination addresses would not be too hard, if you know which connection you are targeting. One of the two port numbers will probably be a well-known service number, and thus easily accessible. The other port number will require a guess, but the range of possible numbers is, in many cases, small. The hardest part is the sequence number; it is a randomly-chosen, 32-bit number. In the past, poor initial sequence number generation has allowed protocol attacks, but most of those problems are long since fixed. To mount a reset attack against a modern TCP implementation, the attacker must work through the entire space of 4 billion possible sequence numbers; by the time that has been accomplished, chances are the target connection will have shut down normally anyway.

Except, as it turns out, that is not entirely true. TCP uses a "receive window" to control the flow of data. The window gives a range of sequence numbers for which the destination is prepared to receive data; this window can vary widely between systems, but 32KB is a fairly common size. Since the two sides of a TCP connection may not share the exact same idea of what the current sequence number is (one side may have sent packets that the other has not received), a reset packet with a sequence number that falls anywhere inside the receive window will be honored. Thus an attacker need not try every possible sequence number; attempts may, instead, be spaced as widely as the probable receive window. That changes the situation significantly; if the other four parameters are correct, a usable sequence number can be found with less than 100,000 attempts. It does not take very long to send that many (very short) packets, even over a relatively slow connection.

So, a dedicated attacker stands a fairly good chance of shutting down a connection. What are the implications of this? Very few, for the most part. In general, the damage caused by a prematurely closed connection is small; the user swears and restarts their download operation. It would be hard to use this technique to shut down a web server; HTTP connections tend to be short-lived to begin with. That is why the largest threat is seen to be for applications which use long-lived TCP connections for some important task. The BGP protocol used for much of the core Internet routing is one such case; most of the affected systems have already been fixed, however.

For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number.
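As an added example (not code from the article, nor from any kernel or router vendor), here is a small C model of the receiver-side decision described above: the classic rule under which any RST inside the receive window tears the connection down, beside the IETF proposal under which only an RST carrying the exact expected sequence number is honoured and an in-window but inexact one draws an acknowledgement instead. The names (tcp_conn, handle_rst, blind_attempts_worst_case, legitimate_reset) are this example's own, and the receive window is modelled as the single range [rcv_nxt, rcv_nxt + rcv_wnd).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel or router code: models how a TCP endpoint
 * decides what to do with an incoming RST segment. */

#define SEQ_SPACE 4294967296ULL   /* 2^32 possible sequence numbers */

enum rst_action {
    RST_DROP,           /* sequence number outside the window: ignored */
    RST_RESET,          /* connection torn down */
    RST_CHALLENGE_ACK   /* in-window but inexact: ACK carrying rcv_nxt sent back */
};

struct tcp_conn {
    uint32_t rcv_nxt;      /* next sequence number this side expects */
    uint32_t rcv_wnd;      /* receive window size in bytes */
    bool challenge_ack;    /* true = apply the IETF proposal described above */
    bool closed;
};

/* Window test in sequence-number arithmetic; the uint32_t subtraction wraps
 * mod 2^32, which is exactly what TCP needs. */
bool in_window(const struct tcp_conn *c, uint32_t seq)
{
    return (uint32_t)(seq - c->rcv_nxt) < c->rcv_wnd;
}

/* Process an RST with sequence number seq. When a challenge ACK is sent,
 * the value it carries (rcv_nxt) is written to *ack_out. */
enum rst_action handle_rst(struct tcp_conn *c, uint32_t seq, uint32_t *ack_out)
{
    if (!in_window(c, seq))
        return RST_DROP;
    if (c->challenge_ack && seq != c->rcv_nxt) {
        /* Do not reset; ask the sender to prove it knows the exact number. */
        if (ack_out)
            *ack_out = c->rcv_nxt;
        return RST_CHALLENGE_ACK;
    }
    c->closed = true;
    return RST_RESET;
}

/* Worst-case number of RSTs a sender that does not know the sequence number
 * must try, spacing guesses one window apart, before one lands inside the
 * window (addresses and ports assumed correct). On average about half that
 * many are needed, which is where the article's "less than 100,000" for a
 * 32KB window comes from. */
uint64_t blind_attempts_worst_case(uint32_t window)
{
    return (SEQ_SPACE + window - 1) / window;
}

/* A peer that really belongs to the connection resets it. Its idea of the
 * current sequence number may be slightly ahead of ours (data in flight), so
 * under the challenge-ACK policy it may need two segments: the first RST earns
 * an ACK carrying the exact rcv_nxt, and a second RST with that value succeeds. */
enum rst_action legitimate_reset(struct tcp_conn *c, uint32_t peer_snd_nxt)
{
    uint32_t ack = 0;
    enum rst_action a = handle_rst(c, peer_snd_nxt, &ack);
    if (a == RST_CHALLENGE_ACK)
        a = handle_rst(c, ack, NULL);
    return a;
}

int main(void)
{
    struct tcp_conn classic = { 1000, 32768, false, false };
    struct tcp_conn hardened = { 1000, 32768, true, false };
    uint32_t ack = 0;
    enum rst_action a;

    /* A guessed RST 19000 bytes past rcv_nxt: inside a 32KB window. */
    a = handle_rst(&classic, 20000, &ack);
    printf("classic:  action %d, closed %d\n", (int)a, (int)classic.closed);
    a = handle_rst(&hardened, 20000, &ack);
    printf("hardened: action %d, closed %d, challenge ack %u\n",
           (int)a, (int)hardened.closed, ack);
    printf("worst-case blind attempts, 32KB window: %llu\n",
           (unsigned long long)blind_attempts_worst_case(32768));
    return 0;
}
```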

Some vendors (mostly router manufacturers) are issuing software updates to implement the IETF suggestion. Most of us, however, can sit back and look for something else to worry about.


New vulnerabilities

kernel: ext3 information leak

Package(s): kernel
CVE #(s): CAN-2004-0177
Created: April 21, 2004
Updated: April 26, 2004
Description: Solar Designer turned up a bug in the ext3 filesystem where blocks allocated to the journal file are not properly cleaned prior to use. This failure could expose some (random) kernel memory to an attacker, but only if that attacker can perform raw I/O to the device.
Alerts:
Debian DSA-495-1 2004-04-26
Red Hat RHSA-2004:166-01 2004-04-21
Trustix TSLSA-2004-0020 2004-04-15


logcheck: symlink vulnerability

Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16


ssmtp format string vulnerability

Package(s): ssmtp
CVE #(s): CAN-2004-0156
Created: April 15, 2004
Updated: May 7, 2004
Description: Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root).
Alerts:
OpenPKG OpenPKG-SA-2004.020 2004-05-07
Gentoo 200404-18 2004-04-26
Debian DSA-485-1 2004-04-14


utempter problems with symlink and strncpy

Package(s): utempter
CVE #(s): CAN-2004-0233
Created: April 19, 2004
Updated: June 11, 2004
Description: Steve Grubb discovered two potential issues in the utempter program:
  1. If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.

  2. Several calls to strncpy without a manual termination of the string. This would most likely crash utempter.
Alerts:
Whitebox WBSA-2004:174-01 2004-06-10
Red Hat RHSA-2004:174-01 2004-05-26
Fedora-Legacy FLSA:1546 2004-05-18
Gentoo 200405-05 2004-05-13
Red Hat RHSA-2004:175-01 2004-04-30
Mandrake MDKSA-2004:031-1 2004-04-21
Fedora FEDORA-2004-108 2004-04-21
Slackware SSA:2004-110-01 2004-04-19
Mandrake MDKSA-2004:031 2004-04-19
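As an added example (not utempter's own code), here are the two checks the utempter entry above says were missing, in C: a component-by-component test that refuses device paths containing /../, /./ or //, and a strncpy wrapper that always terminates the copied string. The function names tty_path_is_safe and copy_bounded are this example's own, as are the sample paths in main() apart from the advisory's /dev/../tmp/tty0.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not utempter's own code. */

/* Accept only a canonical device name under /dev/. The path is walked one
 * component at a time, so "/dev/../tmp/tty0", "/dev/./tty0", "/dev//tty0",
 * a trailing slash and any name outside /dev/ are all refused. String checks
 * alone do not defeat a symlink placed inside /dev itself, so a privileged
 * caller should still confirm with lstat() that the target is a character
 * device before writing anything. */
bool tty_path_is_safe(const char *path)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof(prefix) - 1;
    const char *p;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return false;
    p = path + plen;
    if (*p == '\0')
        return false;                       /* "/dev/" names no device */

    while (*p != '\0') {
        const char *start = p;
        size_t len;

        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - start);

        if (len == 0)                       /* "//" */
            return false;
        if (len == 1 && start[0] == '.')    /* "/./" */
            return false;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;                   /* "/../" */

        if (*p == '/') {
            p++;
            if (*p == '\0')                 /* trailing slash */
                return false;
        }
    }
    return true;
}

/* strncpy() leaves dst unterminated when src is at least dstsz bytes long,
 * which is the second defect described in the entry. This wrapper always
 * terminates and reports whether the whole string fitted. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return false;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz;
}

int main(void)
{
    /* Constructed sample paths; the first is the advisory's own example. */
    const char *samples[] = { "/dev/../tmp/tty0", "/dev//tty0", "/dev/./tty0",
                              "/dev/pts/3", "/dev/tty0", "/tmp/tty0" };
    char line[16];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s %s\n", samples[i],
               tty_path_is_safe(samples[i]) ? "accepted" : "rejected");

    /* Source longer than the buffer: truncated, but always terminated. */
    copy_bounded(line, sizeof(line), "/dev/pts/1234567890");
    printf("bounded copy: \"%s\"\n", line);
    return 0;
}
```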


XChat 2.0.x SOCKS5 Vulnerability

Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19


xonix fails to drop privileges

Package(s): xonix
CVE #(s): CAN-2004-0157
Created: April 15, 2004
Updated: April 21, 2004
Description: Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid "games".
Alerts:
Debian DSA-484-1 2004-04-14


zope: potential code execution

Package(s): zope
CVE #(s): CVE-2002-0688
Created: April 21, 2004
Updated: April 21, 2004
Description: The ZCatalog component of the Zope application server can allow anonymous users and untrusted code to call arbitrary methods in the catalog indexes.
Alerts:
Debian DSA-490-1 2004-04-17


Updated vulnerabilities

apache - denial of service in mod_ssl

Package(s): apache
CVE #(s): CAN-2004-0113
Created: April 13, 2004
Updated: May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49.
Alerts:
Fedora FEDORA-2004-117 2004-05-25
Mandrake MDKSA-2004:043 2004-05-10
Red Hat RHSA-2004:182-01 2004-04-30
Conectiva CLA-2004:839 2004-04-13


automake: symbolic link attack

Package(s): automake
CVE #(s):
Created: April 8, 2004
Updated: April 14, 2004
Description: Automake may be vulnerable to a symbolic link attack which may allow an attacker to modify data or escalate their privileges. This is due to the insecure way Automake creates directories during compilation. An attacker may be able to create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data.
Alerts:
Netwosix NW-2004-0009 2004-04-08
Gentoo 200404-08 2004-04-08


cvs: client-side file overwrite vulnerability

Package(s): cvs
CVE #(s): CAN-2004-0180
Created: April 14, 2004
Updated: May 18, 2004
Description: The cvs client has a pathname-handling vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives from anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem.
Alerts:
Fedora FEDORA-2004-110 2004-04-22
Whitebox WBSA-2004:153-01 2004-04-19
Slackware SSA:2004-108-02 2004-04-17
Netwosix NW-2004-0011 2004-04-18
Debian DSA-486-1 2004-04-16
Gentoo 200404-13 2004-04-14
OpenPKG OpenPKG-SA-2004.013 2004-04-14
Red Hat RHSA-2004:153-01 2004-04-14
Red Hat RHSA-2004:154-01 2004-04-14
SuSE SuSE-SA:2004:008 2004-04-14
Mandrake MDKSA-2004:028 2004-04-14


ethereal - multiple vulnerabilities

Package(s): ethereal
CVE #(s): CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created: March 29, 2004
Updated: June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28


Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

Comments (none posted)

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

monit: buffer overflow and DoS

Package(s):monit CVE #(s):
Created:March 31, 2004 Updated:April 19, 2004
Description: The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.

Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.

Alerts:
Gentoo 200404-16 2004-04-19
Netwosix NW-2004-0008 2004-04-06
Gentoo 200403-14 2004-03-31

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: format string vulnerabilities

Package(s):neon CVE #(s):CAN-2004-0179
Created:April 14, 2004 Updated:May 18, 2004
Description: The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org.
Alerts:
Fedora FEDORA-2004-103 2004-04-14
Gentoo 200405-04 2004-05-11
Gentoo 200405-01 2004-05-09
Red Hat RHSA-2004:163-01 2004-04-30
Whitebox WBSA-2004:160-01 2004-04-19
Mandrake MDKSA-2004:032 2004-04-19
Gentoo 200404-14 2004-04-19
OpenPKG OpenPKG-SA-2004.016 2004-04-16
Netwosix NW-2004-0012 2004-04-18
Debian DSA-487-1 2004-04-16
Red Hat RHSA-2004:159-01 2004-04-15
Red Hat RHSA-2004:160-01 2004-04-14
Red Hat RHSA-2004:157-01 2004-04-14
Red Hat RHSA-2004:158-01 2004-04-14

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

samba privilege escalation

Package(s):samba CVE #(s):CAN-2004-0186
Created:March 15, 2004 Updated:April 20, 2004
Description: Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.
Alerts:
Mandrake MDKSA-2004:035 2004-04-19
Debian DSA-463-1 2004-03-12

Comments (none posted)

Scorched3D: format string vulnerability

Package(s):Scorched 3D CVE #(s):
Created:April 9, 2004 Updated:April 14, 2004
Description: The server from the game Scorched 3D is vulnerable to a format string attack that can lead to a denial of service and possibly to the execution of arbitrary code.
Alerts:
Gentoo 200404-12 2004-04-09

Comments (none posted)

squid - vulnerability in URL decoding

Package(s):squid CVE #(s):CAN-2004-0189
Created:March 29, 2004 Updated:April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Alerts:
Whitebox WBSA-2004:133-01 2004-04-19
Fedora FEDORA-2004-104 2004-04-15
Red Hat RHSA-2004:133-01 2004-04-14
Conectiva CLA-2004:838 2004-04-12
Debian DSA-474-1 2004-04-03
OpenPKG OpenPKG-SA-2004.008 2004-04-01
Mandrake MDKSA-2004:025 2004-03-30
Gentoo 200403-11 2004-03-30
Red Hat RHSA-2004:134-01 2004-03-29

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

Resources

April CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for April is out; it looks at national ID cards, the risk of attacks on computerized voting machines, man-in-the-middle attacks, "BeepCard," Bluesnarfing, and TSA-approved locks. "The general concept, known as key escrow, key recovery, or trusted third-party encryption, hung around for a few years and was eventually forgotten. Who would have thought it would come back in the form of a luggage lock?"

Full Story (comments: 8)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.6-rc2, which was announced by Linus on April 20. This patch is more concerned with fixes than new stuff, but it still includes some VFS work, message queues for the x86_64 and s390 architectures, a network packet timestamping optimization, various architecture updates, some of Hugh Dickins's reverse mapping VM patches (see last week's Kernel Page), and a device mapper update. See the long-format changelog for the details.

Prior to that, 2.6.6-rc1 was released (without announcement) on April 15. A huge number of patches were merged for -rc1; these include POSIX message queues, laptop mode, 4KB kernel stacks on i386, non-executable stack support, the lightweight auditing framework, the "completely fair queueing" I/O scheduler, and a bunch of virtual memory work; see last week's Kernel Page for a more complete list. The long-format changelog (all 280KB worth) has the details.

Linus's BitKeeper tree contains some SELinux fixes, support for generic filesystem snapshotting (taken from XFS), a fix for the ext3 data disclosure vulnerability, and a small number of other fixes.

The current prepatch from Andrew Morton is 2.6.6-rc2-mm1. Recent additions to -mm include a single-threaded workqueue option, an input driver update, the full set of Hugh Dickins's VM patches (including the anonmm reverse mapping scheme), ext3 block reservation (see below), ongoing scheduler work, and lots of fixes.

The current 2.4 kernel is 2.4.26. No 2.4.27 prepatches have yet been released. Marcelo has indicated, however, that an updated serial ATA driver will be merged in 2.4.27; it will, he says, be the last new feature to go into 2.4.

Comments (1 posted)

Kernel development news

Scheduling domains

Back in the 2.6.0-test days, there was a lot of concern that the 2.6 CPU scheduler wasn't up to the task. In particular, performance on higher-end systems - those with hyperthreaded processors, NUMA architectures, etc. - wasn't as good as the developers would have liked. The scheduler front has been quiet for some time, but it has not been forgotten; a set of hackers (including Nick Piggin, Ingo Molnar, Con Kolivas, and Rusty Russell) has been steadily working behind the scenes to improve scheduling in 2.6. The result, broadly known as "scheduling domains," has been evolving in the -mm tree for some time, but this work looks like it is getting close to ready to break into the mainline. So, it would seem that a look at scheduling domains is in order.

The new scheduler work is a response to the needs of modern hardware and, in particular, the fact that the processors in multi-CPU systems have unequal relationships with each other. Virtual CPUs in a hyperthreaded set share equal access to memory, cache, and even the processor itself. Processors on a symmetric multiprocessing system have equal access to memory, but they maintain their own caches. NUMA architectures create situations where different nodes have different access speeds to different areas of main memory. A modern large system can feature all of these situations: each NUMA node looks like an SMP system which may be made up of multiple hyperthreaded processors.

One of the key problems a scheduler must solve on a multi-processor system is balancing the load across the CPUs. It doesn't do to have some processors being heavily loaded while others sit idle. But moving processes between processors is not free, and some sorts of moves (across NUMA nodes, for example, where a process could be separated from its fast, local memory) are more expensive than others. Teaching the scheduler to migrate tasks intelligently under many different types of loads has been one of the big challenges of the 2.5 development cycle.

The domain-based scheduler aims to solve this problem by way of a new data structure which describes the system's structure and scheduling policy in sufficient detail that good decisions can be made. To that end, it adds a couple of new structures:

  • A scheduling domain (struct sched_domain) is a set of CPUs which share properties and scheduling policies, and which can be balanced against each other. Scheduling domains are hierarchical; a multi-level system will have multiple levels of domains.

  • Each domain contains one or more CPU groups (struct sched_group) which are treated as a single unit by the domain. When the scheduler tries to balance the load within a domain, it tries to even out the load carried by each CPU group without worrying directly about what is happening within the group.

It's time for your editor to try to explain this structure via a series of cheesy diagrams. Imagine a system with two physical processors, each of which provides two hyperthreaded CPUs. We'll diagram the processors in this way:

[Two processors]

Here, the four hyperthreaded processors are shown bonded together into two physical packages. When this system boots, it will put each pair of processors into a scheduling domain, with a result that might look something like this:

[Two domains]

In this setup, our four processors are gathered into two scheduling domains. Each domain contains two CPU groups, and each group contains exactly one CPU. These domains reflect the fact that, while each CPU appears to be a distinct processor, the two CPUs of a hyperthreaded pair are related to each other differently than they are to the other processors in the system.

This system will have a two-level hierarchy of scheduling domains; when we add the top level the picture becomes:

[Top-level domain]

This top-level domain is the parent of the processor-level domains. It contains two CPU groups, each of which contains the CPUs contained within one hyperthreaded processor package.

If this were a NUMA system, it would have multiple domains which look like the above diagram; each of those domains would represent one NUMA node. The hierarchy would have a third, system-level domain which contains all of the NUMA nodes.

Note that, in the actual code, the hierarchy is represented a little differently than has been portrayed above; each CPU has its own copy of every domain it belongs to. So our little system would actually contain eight sched_domain structures: one copy of the CPU-level domain and one copy of the top-level domain for every processor. Things are implemented this way for performance reasons: the scheduler must be very fast, which contraindicates sharing this fundamental data structure between processors. The structure is, in any case, almost entirely read-only after it has been set up, so it can be replicated without trouble.

Each scheduling domain contains policy information which controls how decisions are made at that level of the hierarchy. The policy parameters include how often attempts should be made to balance loads across the domain, how far the loads on the component processors are allowed to get out of sync before a balancing attempt is made, how long a process can sit idle before it is considered to no longer have any significant cache affinity, and various policy flags. These policies tend to be set as follows:

  • At the hyperthreaded processor level: balancing attempts can happen often (every 1-2ms), even when the imbalance between processors is small. There is no cache affinity at all: since hyperthreaded processors share cache, there is no cost to moving a process from one to another. Domains at this level are also marked as sharing CPU power; we'll see how that information is used shortly.

  • At the physical processor level: balancing attempts do not have to happen quite so often, and they are curtailed fairly sharply if the system as a whole is busy. Processor loads must be somewhat farther out of balance before processes will be moved within the domain. Processes lose their cache affinity after a few milliseconds.

  • At the NUMA node level: balancing attempts are made relatively rarely, and cache affinity lasts longer. The cost of moving a process between NUMA nodes is relatively high, and the policy reflects that.

The scheduler uses this structure in a number of ways. For example, when a sleeping process is about to be awakened, the normal behavior would be to keep it on the same processor it was using before, on the theory that there might still be some useful cache information there. If that processor's scheduling domain has the SD_WAKE_IDLE flag set, however, the scheduler will look for an idle processor within the domain and move the process immediately if one is found. This flag is used at the hyperthreading level; since the cost of moving processes is insignificant, there is no point in leaving a processor idle when a process wants to run.

When a process calls exec() to run a new program, its current cache affinity is lost. At that point, it may make sense to move it elsewhere. So the scheduler works its way up the domain hierarchy looking for the highest domain which has the SD_BALANCE_EXEC flag set. The process will then be shifted over to the CPU within that domain with the lowest load. Similar decisions are made when a process forks.

If a processor becomes idle, and its domain has the SD_BALANCE_NEWIDLE flag set, the scheduler will go looking for processes to move over from a busy processor within the domain. A NUMA system might set this flag within NUMA nodes, but not at the top level.
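To make the three flag-driven decisions above concrete, here is an added example: a small C model written for this article, not code from the kernel. It builds a four-CPU box (two hyperthreaded packages) with per-CPU copies of a two-level domain hierarchy, then walks that hierarchy the way the text describes for exec(), for a wakeup, and for a CPU that has just gone idle. The flag names follow the article; the bit values, the load figures (a constructed count of runnable processes per CPU) and the helpers build_domains, set_cpu_loads, sched_balance_exec, wake_idle and find_busiest_for_newidle are this example's own simplifications.

```c
#include <stdio.h>

#define NR_CPUS 4

/* Policy flags named as in the article; the bit values are this example's own. */
#define SD_BALANCE_EXEC    0x1
#define SD_BALANCE_NEWIDLE 0x2
#define SD_WAKE_IDLE       0x4
#define SD_SHARE_CPUPOWER  0x8

struct sched_domain {
    struct sched_domain *parent;  /* NULL at the top of the hierarchy */
    unsigned long span;           /* bitmask of the CPUs this domain covers */
    unsigned int flags;
};

/* Per-CPU copies, as the article describes: each CPU owns its own copy of
 * every domain it belongs to, so nothing here is shared between processors. */
static struct sched_domain sibling_sd[NR_CPUS];   /* one hyperthreaded package */
static struct sched_domain package_sd[NR_CPUS];   /* the whole machine */

/* Constructed load figures: runnable processes queued on each CPU. */
static unsigned int cpu_load[NR_CPUS];

void build_domains(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        /* CPUs 2k and 2k+1 are the two hyperthreads of package k */
        sibling_sd[cpu].parent = &package_sd[cpu];
        sibling_sd[cpu].span = 0x3UL << (cpu & ~1);
        sibling_sd[cpu].flags = SD_WAKE_IDLE | SD_BALANCE_NEWIDLE |
                                SD_BALANCE_EXEC | SD_SHARE_CPUPOWER;
        package_sd[cpu].parent = NULL;
        package_sd[cpu].span = (1UL << NR_CPUS) - 1;
        package_sd[cpu].flags = SD_BALANCE_NEWIDLE | SD_BALANCE_EXEC;
    }
}

void set_cpu_loads(unsigned int c0, unsigned int c1, unsigned int c2, unsigned int c3)
{
    cpu_load[0] = c0; cpu_load[1] = c1; cpu_load[2] = c2; cpu_load[3] = c3;
}

/* Least loaded CPU within a span; ties go to the lowest-numbered CPU. */
static int least_loaded_cpu(unsigned long span)
{
    int best = -1;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        if ((span & (1UL << cpu)) && (best < 0 || cpu_load[cpu] < cpu_load[best]))
            best = cpu;
    return best;
}

/* exec(): cache affinity is gone, so walk up from the CPU's lowest domain to
 * the highest one with SD_BALANCE_EXEC and pick the least loaded CPU in it. */
int sched_balance_exec(int cpu)
{
    struct sched_domain *highest = NULL;
    for (struct sched_domain *sd = &sibling_sd[cpu]; sd; sd = sd->parent)
        if (sd->flags & SD_BALANCE_EXEC)
            highest = sd;
    return highest ? least_loaded_cpu(highest->span) : cpu;
}

/* Wakeup: keep the previous CPU for its warm cache, unless it is busy and its
 * lowest domain has SD_WAKE_IDLE, in which case an idle sibling is taken. */
int wake_idle(int prev_cpu)
{
    const struct sched_domain *sd = &sibling_sd[prev_cpu];
    if (cpu_load[prev_cpu] == 0 || !(sd->flags & SD_WAKE_IDLE))
        return prev_cpu;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        if ((sd->span & (1UL << cpu)) && cpu_load[cpu] == 0)
            return cpu;
    return prev_cpu;
}

/* A CPU went idle: in the lowest domain with SD_BALANCE_NEWIDLE, find the
 * busiest CPU holding more than one runnable process (a single process is
 * simply running, not an imbalance). Returns -1 when there is nothing to pull. */
int find_busiest_for_newidle(int idle_cpu)
{
    for (struct sched_domain *sd = &sibling_sd[idle_cpu]; sd; sd = sd->parent) {
        int busiest = -1;
        if (!(sd->flags & SD_BALANCE_NEWIDLE))
            continue;
        for (int cpu = 0; cpu < NR_CPUS; cpu++)
            if ((sd->span & (1UL << cpu)) && cpu != idle_cpu && cpu_load[cpu] > 1 &&
                (busiest < 0 || cpu_load[cpu] > cpu_load[busiest]))
                busiest = cpu;
        if (busiest >= 0)
            return busiest;
    }
    return -1;
}

int main(void)
{
    build_domains();
    set_cpu_loads(3, 2, 0, 1);
    printf("exec on CPU 0 moves to CPU %d\n", sched_balance_exec(0));
    printf("wakeup on CPU 0 stays on CPU %d (no idle sibling)\n", wake_idle(0));
    printf("CPU 2 went idle, pulls from CPU %d\n", find_busiest_for_newidle(2));
    return 0;
}
```

With loads (3, 2, 0, 1), an exec() on CPU 0 climbs to the package-level domain and lands on idle CPU 2; a wakeup on CPU 0 stays put because its only sibling, CPU 1, is busy; and when CPU 2 goes idle the sibling domain has nothing worth stealing (CPU 3 holds one process), so the search moves up a level and finds CPU 0. The real scheduler weights loads and honours cache-affinity timeouts; none of that is modelled here.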

The new scheduler does an interesting thing with "shared CPU" (hyperthreaded) processors. If one processor in a shared pair is running a high-priority process, and a low-priority process is trying to run on the other processor, the scheduler will actually idle the second processor for a while. In this way, the high-priority process is given better access to the shared package.

The last component of the domain scheduler is the active balancing code, which moves processes within domains when things get too far out of balance. Every scheduling domain has an interval which describes how often balancing efforts should be made; if the system tends to stay in balance, that interval will be allowed to grow. The scheduler "rebalance tick" function runs out of the clock interrupt handler; it works its way up the domain hierarchy and checks each one to see if the time has come to balance things out. If so, it looks at the load within each CPU group in the domain; if the loads differ by too much, the scheduler will try to move processes from the busiest group in the domain to the most idle group. In doing so, it will take into account factors like the cache affinity time for the domain.

Active balancing is especially necessary when CPU-hungry processes are competing for access to a hyperthreaded processor. The scheduler will not normally move running processes, so a process which just cranks away and never sleeps can be hard to dislodge. The balancing code, by way of the migration threads, can push the CPU hog out of the processor for long enough to allow it to be moved and spread the load more widely.

When the system is trying to balance loads across processors, it also looks at a parameter kept within the sched_group structure: the total "CPU power" of the group. Hyperthreaded processors look like independent CPUs, but the total computation power of a pair of hyperthreaded processors is far less than that of two separate packages. Two separate processors would have a "CPU power" of two, while a hyperthreaded pair would have something closer to 1.1. When the scheduler considers moving a process to balance out the load, it looks at the total amount of CPU power currently being exercised. By maximizing that number, it will tend to spread processes across physical processors and increase system throughput.

The new scheduling code has been under development for some time, and it has seen a great deal of tweaking. The domain mechanism has done a lot to make it possible to make good scheduling decisions, but a great deal of detail work was still required. It would appear that that work is now reaching a point where the domain mechanism may soon be merged into the mainline. At that point, with luck, people will be able to stop complaining about the 2.6 scheduler.

(Thanks to Nick Piggin for his comments on an early version of this article).

Comments (10 posted)

ext3 block reservation

Like most modern filesystems, ext3 tries to lay out files contiguously on the disk. This layout allows files to be read and written quickly, without a lot of disk head seeks in the middle. This strategy can be thwarted, however, by the fact that ext3 allocates blocks as they are actually needed by a file. By the time a file requests a new block, the space immediately after the file on disk may well have been allocated for some other file. At that point, a contiguous allocation will be impossible.

Mingming Cao has attempted to fix this problem with a set of "block reservation" patches for ext3; those patches are currently part of the -mm tree. The core idea behind these patches is that the filesystem should think ahead of time about where it might place blocks for growing files and reserve that space. That way, when the file does grow, there will be blocks available in a useful part of the disk.

To that end, the ext3 block allocator has been replaced by a reservation-oriented version. The first time a block is needed for a file, the filesystem creates a "reservation window" which sets aside a range of blocks (eight of them, initially); the actual block allocations are then taken from the window. When the window is exhausted, a new, possibly expanded window is allocated, as near as possible to the old window, to replace it. Reservations only last until the process writing the file closes it; thereafter, the blocks become free once again.

Interestingly, nothing in the filesystem itself tracks block reservations; they are all handled by a single, in-core linked list (per filesystem). A block reservation will not actually prevent blocks inside the window from being allocated to some other file. Since the filesystem allocates out of reservation windows whenever possible, however, and those windows do not overlap, the reservations are almost always honored. In some situations (such as when all remaining free blocks are reserved) the filesystem will forget about reservations and allocate blocks from anywhere.
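As an added illustration of the allocator just described, here is a small C model written for this article; it is not Mingming Cao's patch and not ext3 code. It keeps a block bitmap as the only record of what is allocated, gives each open file a reservation window that is placed as close after its last block as possible without overlapping another open file's window, doubles the window when it is exhausted, and falls back to "any free block" when no window can be placed. The block count, the window sizes, the array standing in for the per-filesystem list and the demo_two_writers helper are all this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

#define NR_BLOCKS 64
#define INITIAL_WINDOW 8

/* Constructed block bitmap: 1 = allocated. Reservations are never recorded here. */
static unsigned char block_used[NR_BLOCKS];
static int use_reservation = 1;

struct file {
    int has_window, win_start, win_end;  /* reserved range [win_start, win_end) */
    int last_block;                      /* goal for the next window, -1 if none yet */
    int blocks[NR_BLOCKS], nblocks;      /* blocks handed to this file, in order */
};

/* In-core state only: this array stands in for the per-filesystem list of
 * windows belonging to files that are currently open. */
static struct file files[4];
static int nr_files;

static struct file *fs_open(void)
{
    struct file *f = &files[nr_files++];
    memset(f, 0, sizeof *f);
    f->last_block = -1;
    return f;
}

/* Closing drops the window; untouched blocks inside it are free for anyone,
 * since the bitmap was the only authoritative record all along. */
static void fs_close(struct file *f) { f->has_window = 0; }

static int overlaps_other_window(const struct file *f, int s, int e)
{
    for (int i = 0; i < nr_files; i++) {
        const struct file *o = &files[i];
        if (o != f && o->has_window && s < o->win_end && o->win_start < e)
            return 1;
    }
    return 0;
}

static int first_free_in(int s, int e)
{
    for (int b = s; b < e; b++)
        if (!block_used[b])
            return b;
    return -1;
}

/* Place a window of `size` blocks as near after `goal` as possible, never
 * overlapping another open file's window and holding at least one free block. */
static int reserve_window(struct file *f, int goal, int size)
{
    for (int s = goal; s + size <= NR_BLOCKS; s++) {
        if (overlaps_other_window(f, s, s + size) || first_free_in(s, s + size) < 0)
            continue;
        f->win_start = s;
        f->win_end = s + size;
        f->has_window = 1;
        return 1;
    }
    return 0;
}

/* One block for f: from its window if one has space, from a fresh window of
 * twice the size otherwise, and from anywhere when no window can be placed. */
static int new_block(struct file *f)
{
    int b = -1;
    if (use_reservation) {
        if (f->has_window)
            b = first_free_in(f->win_start, f->win_end);
        if (b < 0) {
            int goal = f->last_block < 0 ? 0 : f->last_block + 1;
            int size = f->has_window ? 2 * (f->win_end - f->win_start) : INITIAL_WINDOW;
            f->has_window = 0;
            if (reserve_window(f, goal, size))
                b = first_free_in(f->win_start, f->win_end);
        }
    }
    if (b < 0)                      /* reservations forgotten: take any free block */
        b = first_free_in(0, NR_BLOCKS);
    if (b < 0)
        return -1;                  /* ENOSPC */
    block_used[b] = 1;
    f->last_block = b;
    f->blocks[f->nblocks++] = b;
    return b;
}

/* Number of contiguous runs in a file's block list; 1 means perfectly contiguous. */
static int count_extents(const struct file *f)
{
    int extents = f->nblocks > 0;
    for (int i = 1; i < f->nblocks; i++)
        if (f->blocks[i] != f->blocks[i - 1] + 1)
            extents++;
    return extents;
}

/* Two writers growing their files in lockstep, n blocks each; returns the
 * total number of extents the two files end up with. */
int demo_two_writers(int n, int reserve)
{
    memset(block_used, 0, sizeof block_used);
    nr_files = 0;
    use_reservation = reserve;
    struct file *a = fs_open(), *b = fs_open();
    for (int i = 0; i < n; i++) {
        new_block(a);
        new_block(b);
    }
    fs_close(a);
    fs_close(b);
    return count_extents(a) + count_extents(b);
}

int main(void)
{
    printf("12 blocks each, plain first-free allocation: %d extents\n", demo_two_writers(12, 0));
    printf("12 blocks each, with reservation windows:    %d extents\n", demo_two_writers(12, 1));
    return 0;
}
```

With plain first-free allocation the two files interleave block by block, so twelve blocks each means 24 extents in total. With windows, each file fills its own eight-block run first; when a window runs dry the replacement is placed just past the other file's window, so each file ends up with two runs (four extents in total) rather than twelve. The fallback path at the end of new_block is what the article means by the filesystem "forgetting" reservations when every remaining free block is spoken for.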

Some benchmark results show significant performance improvements, especially when large numbers of processes are running. To some extent, this improvement comes about because block reservations narrow down the area of the disk that must be searched for free blocks and increase the chances that a block will be found quickly. The real benefit, however, is that the on-disk layout of the files is much improved. Unless problems turn up, this patch may find its way into the mainline fairly quickly.

Comments (5 posted)

Patches and updates

Page editor: Jonathan Corbet

Distributions

News and Editorials

Review of SUSE LINUX 9.1 Professional

April 21, 2004

This article was contributed by Ladislav Bodnar

SUSE LINUX 9.1 was released to manufacturing (and journalists) late last week, which gave us an opportunity to take an early look at the new product. The operating system was installed on a computer equipped with a Pentium 4 1.4GHz processor and ASUS P4T mainboard (Intel 850 chipset), with 384MB of RDRAM, NVIDIA GeForce4 Ti4200 graphics card, Lemel 17" LCD monitor, two IDE hard disks (/dev/hda and /dev/hdc), a Panasonic DVD drive (/dev/hdb) and a Plextor PlexWriter CD-RW drive (/dev/hdd). The configuration included a SoundBlaster Live! sound card (emu10k1) and a Realtek (8139too) network card. We installed the Professional Edition of SUSE LINUX 9.1.

Installation. SUSE's installation program is part of YaST (Yet another Setup Tool). Compared to previous versions, there are only minor cosmetic changes, as YaST has proven itself to be a very competent system installer. Some reviewers have found it somewhat complex and even intimidating for users new to Linux, especially in this era where some distributions promote a "4-click installation" technology. However, SUSE LINUX Professional is designed for system administrators and power users, many of whom will appreciate the many choices available to them during installation. Following the usual partitioning choices, YaST will first install the base system, after which it reboots, then proceeds with the rest of the installation by copying the requested files from the remaining CDs or DVD. The program also performs an online security and bugfix update, and it even offers to download and install Microsoft True Type fonts and the proprietary NVIDIA driver. The hardware autodetection was near-flawless; the only exception was the USB mouse, whose wheel wasn't set up correctly, but a quick post-installation trip to YaST's hardware module brought an easy fix to the problem.

YaST. YaST is one of the main components distinguishing SUSE LINUX from other Linux distributions. Some users seem to have a love-hate relationship with the tool, although there is little doubt that YaST is a beautiful piece of software providing quick access to dozens of configuration options ranging from software and hardware configuration to networking and services. Critics will argue that YaST is slow, that it tends to reset some manually edited configuration files, and that some of the configuration files generated by YaST can be messy. But since most of us are familiar with some configuration files but not with others, and given the number of available options, it sure is a welcome relief to effect a quick change through the pleasant graphical interface of YaST instead of having to scroll through a file with vim while looking for the option to modify. Besides the ability to change configurations, YaST also provides a powerful package management and software updating utility. Most of the tools are nicely integrated and have the same interface as the main YaST module, although some, like the SaX2 module for graphics card and monitor configuration and the package manager, are clearly independent applications.

The desktop. SUSE has always shown a clear preference for KDE on the desktop and version 9.1 has not departed from this tradition. As an example, menu structures in KDE have undergone substantial modifications, while those in GNOME and other desktop environments were left at their default settings. This can result in some inconsistent behavior - KDE icons are set up for single-click action, while those in GNOME need to be double-clicked to get a response. The KDE menu has a Xandros-like "Switch User" tool to switch between virtual terminals, but this menu entry is missing from menus on other desktops: if you happen to start a second virtual session and log into GNOME, the only way to get back to the KDE session is by remembering its virtual terminal and pressing Ctrl-Alt+[F7-F12]. It is clear that GNOME is treated as a second-class desktop in SUSE. This is in sharp contrast to Mandrakelinux 10.0, which provides identical menus and themes, as well as similar default settings across both the KDE and GNOME desktops.

Multimedia. Multimedia is a mixed bag in SUSE LINUX 9.1. The presence of an automounter and auto-detection of media disks is a welcome addition to this SUSE release, now on par with Xandros and Linspire, but not without some minor annoyances. For example, inserting an audio CD into the CD-RW drive (/dev/hdd) correctly launched the KsCD application, although it refused to play the CD because it was configured to play it from the DVD drive (/dev/hdb). Surely, if the system is able to detect where the CD is inserted, it should be able to perform a quick KsCD re-configuration before launching the application? As expected, DVDs, even non-encrypted ones, and proprietary media formats do not play in SUSE LINUX 9.1, but MP3 files do. Inserting a Video CD did not launch any media player. Overall, SUSE has made a good effort to make the multimedia experience as smooth as possible, but unfortunately, the user is still left with plenty of configure && make && make install, as well as some post-install tweaking, before this experience is on par with other operating systems.

New applications. Having read through the list of new features and applications in SUSE LINUX 9.1, I was looking forward to trying out Moneyplex, a new home banking software from German software maker Matrica. Unfortunately, the installation of the program was quickly followed by a disappointment: the user interface of Moneyplex is exclusively in German. Other new applications fared better - Rekall, an MS Access-like database program from theKompany is a welcome addition, and some might perhaps find use for Textmaker and Planmaker, two MS Office-compatible word processing and spreadsheet applications from Softmaker Software. Other than the above, the usual wide range of desktop and server applications, together with development tools, are bound to satisfy even the most demanding Linux user.

Comparing SUSE 9.1 and Mandrakelinux 10.0. Following the recent official release of Mandrakelinux 10.0, SUSE is the second major distributor delivering the new 2.6 kernel to the general public. How do the two compare? Both distributions have been given highly positive early reviews by the Linux media, so deciding on one or the other is going to be a tough call. One noticeable difference between the two is speed. On the same hardware, Mandrakelinux 10.0 feels considerably more responsive: testing launch times of several randomly selected applications indicated that Mandrakelinux is up to twice as fast as SUSE. GNOME users might also be more inclined to choose the French product, as SUSE clearly does not treat the two main desktop environments as equal. On the other hand, SUSE's configuration utility and package management tools provide more power than the "drak" equivalents in Mandrakelinux. Also, SUSE is one of only two distributions with active hardware and third-party software certification programs, which might be a decisive factor in some corporate environments.

Conclusion. Overall, SUSE LINUX 9.1 is a solid incremental release. Besides kernel 2.6 and application updates, there aren't any major breathtaking new features in this release, but the many small usability and design improvements will likely appeal to desktop users. It is easy to see where SUSE is going: while some other major distributions have been reluctant to spend effort on developing a desktop Linux solution for the enterprise, SUSE is pushing ahead regardless. Is it too far-fetched to picture SUSE LINUX as a new standard corporate desktop in the not-too-distant future? With the traditional SUSE quality and with Novell's new Linux-driven revival, it might just happen.

Comments (5 posted)

Distribution News

Linux Business Alliance releases LBA-Linux

The Linux Business Alliance, a consortium formed by SOT, FinnDesign, and Turré, has announced the release of "LBA-Linux," a new distribution. "LBA-Linux R1 is a technologically advanced, versatile, easy-to-use operating system with high aesthetic appeal. Enhanced usability, hardened security, well-tested functionality and a legal safety check are some of the key features that distinguish LBA-Linux from other GNU/Linux distributions."

Full Story (comments: 2)

New OpenWall Linux releases

Solar Designer has sent out an announcement regarding the release of new patches for the 2.0.40 and 2.4.26 kernels (all of which increase security in one way or another) and new releases of OpenWall Linux (Owl) which contain the new kernels and various other updates.

Full Story (comments: 1)

Debian GNU/Linux

The April 20 edition of the Debian Weekly News is out; this week's topics include Java plugins for Mozilla, the eternal proprietary firmware issue, the installer and 2.6 kernels, and several others.

The second call for votes is out on a General Resolution to add editorial changes to the Social Contract.

The release of the third revision of the current stable Debian GNU/Linux "woody" grows ever closer. Here's a status report.

Joachim Breitner has started a collection of licenses that meet the Debian Free Software Guidelines on a wiki page.

Comments (none posted)

Fedora Core

Bill Nottingham responds to questions about the status of SELinux in Fedora Core 2. "SELinux *will* be included in Fedora Core 2 test 3 and the final Fedora Core 2 release. However, SELinux will be disabled by default. To install with SELinux support, pass 'selinux' to the installer on the command line. (Or, configure it appropriately in kickstart)."

Fedora Tracker is now online, with an easy to use index of Fedora apt/yum repositories on the Internet. You can search by repository or by package/filename.

Fedora Core 1 updates:

Comments (none posted)

Gentoo Weekly Newsletter - Volume 3, Issue 16

The Gentoo Weekly Newsletter for April 19, 2004 with a look at the latest Gentoo news.

Full Story (comments: 2)

Slackware Linux

There were security updates to tcpdump, cvs, utempter, xine-ui and xine-lib in slackware-stable this week. The slackware-current branch has updates to xfce, gimp, cvs, kernel-2.4.26, utempter, xine-ui and xine-lib, along with several other minor bug fixes.

Comments (none posted)

Trustix Secure Linux

Trustix has released several bug fixes to ppp and squid, for TSL 1.5, 2.0, 2.1 and TSEL 2. Click below for more information.

Full Story (comments: none)

Minor distribution updates

Damn Small Linux

Damn Small Linux has released v0.6.3 with minor feature enhancements. "Changes: New applications include control-panel, hdparm, and the Xtris game. Enhancements were made to xsetup, dsl-hdinstall, knoppix-autoconfig, boot.img, and knoppix-halt. Code was added to bypass the prompt if the "toram" or "frugal" boot-time options are used. A bug in the Alt-tab behavior was fixed. The fluxbox menu was enhanced. The busybox tar applet was replaced with GNU tar. frugal_install was enhanced. A new USBboot image is available."

Comments (none posted)

Devil-Linux

Devil-Linux has released v1.0.6 with major security fixes. "Changes: This release closed the latest mremap and iso9660 kernel vulnerabilities and an ext3 info leak. Many netfilter patch-o-matic patches were not applied."

Comments (none posted)

DNA Linux

DNA Linux has released v0.2 with minor feature enhancements. "Changes: There was a change in the base distro and new bioinformatics tools. The base distro was upgraded from Slax 3.25 to Slax 4.0.1. The most relevant upgrades are a script to install the distro onto a flash disk (USB storage device) or hard disk, and support for using new modules on the fly (to extend functionality without remastering the CD). Now there is support for Spanish, Portuguese, and French in the graphical interface (KDE 3.2). The Bioinformatics tools were also upgraded, with 3 new programs and some biological databases."

Comments (none posted)

Feather Linux

Feather Linux has released v0.4.0 with major feature enhancements. "Changes: The Openoffice script was updated to 1.1.1. Fixes were made for localscript.sh, xterm colors, and the Synaptic script. The "noicons" option was added to stop XTDesk loading on bootup. The frequency option was changed to DPI in the X setup routine. A poor man's install script was added. xsri was added to set the background, and bsetbg was fixed. whowto, a script to grab and view HOWTOs, and wdict were added. Scripts to download aMSN, Abiword, and xpuyopuyo were added. xmms-volnorm was included. evilwm was added. The boot image was changed."

Comments (none posted)

LinuxConsole

LinuxConsole has released v0.4 with minor bugfixes.

Comments (none posted)

SLAX-Live CD

SLAX-Live CD has released v4.1.1 with major feature enhancements. "Changes: This release added smb4k (a Samba share browser for KDE), better font and sound handling in KDE, kernel 2.4.26, Netscape plugins 7.1, and parted. X can now handle three mice in parallel. The eject boot parameter was fixed along with the create_bootdisk.sh script (lilo no longer stores MBR backups). memtest and ide-scsi module loading were also fixed."

Comments (none posted)

slimlinux

slimlinux has released v0.7.0 with minor feature enhancements. "Changes: USB support for mass storage devices was changed to modules, and most components were compiled with dynamic libraries. retawq was updated to 0.2.4 and mutt to 1.2.5.1, and Lua 4.01, eForth 1.0e, Clex 3.1.8 file manager, the zile 1.6.2 Emacs clone, and the cmdftp 0.7.3 command line FTP client were added."

Comments (none posted)

Source Mage GNU/Linux

Source Mage GNU/Linux has released v20040414 with major feature enhancements. "Changes: Versions 2.4.25 and 2.6.5 of the kernel (x86) are available. Significant changes were made so that the bulk of configuration happens before installing the system. GRUB has been added, so a choice between LILO or GRUB is now available. The image.tar.bz2 that was unpacked onto the target has been replaced by individual spell caches, giving better control over installation and easy use of caches in rescue mode. For the 2.6.5 kernel version, a choice of static /dev or udev on /dev is offered and automatically set up. For the 2.4.25 kernel, the default is still devfs, but a static /dev is possible by editing a few files."

Comments (none posted)

ThinStation

ThinStation has released v2.0rc4. "We are getting closer to the new stable release!"

Comments (none posted)

uClinux

uClinux has released v20040408 with minor feature enhancements. "Changes: This version contains a few fixes, primarily for Microblaze."

Comments (none posted)

Distribution reviews

Conectiva Linux 9 - The Latin American Distribution You Should Know (OS News)

OS News reviews Conectiva Linux version 9. "Conectiva has bundled a fairly standard KDE 3.1 with Conectiva Linux 9. The desktop is thankfully uncluttered, and the background is clearly designed to fit with the Conectiva Crystal icon set, which of course is the default icon set in most distributions' incarnations of KDE nowadays."

Comments (none posted)

An in-depth look at SUSE 9.1 RC2 (linux.com)

linux.com looks at the upcoming SUSE release. "SUSE 9.1 contains OOo 1.1.1, which is quite nice, and SUSE includes an OOo Quickstart applet, which makes it even nicer if you use OOo a lot. It cuts the startup time way down, to about three seconds on my system."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Gnuplot 4.0.0

Gnuplot is a time-tested data plotting utility that is useful for both interactive and automated generation of mathematical plots:

Gnuplot is a portable command-line driven interactive datafile (text or binary) and function plotting utility for UNIX, IBM OS/2, MS Windows, DOS, Apple Macintosh, VMS, Atari and many other platforms. The software is copyrighted but freely distributed (i.e., you don't have to pay for it). It was originally intended as a graphical program which would allow scientists and students to visualize mathematical functions and data. It does this job pretty well, and in addition it serves as a non-interactive plotting engine for miscellaneous portable third-party applications, like Octave.

Gnuplot features a high level command interface, as demonstrated in the screen shots page. The program can be used to generate both 2D and 3D plots; it can plot mathematical formulas as well as raw numeric data. Gnuplot supports output to a variety of file formats including PostScript, pdf, png, and svg. An X11 output mode is available for interactive viewing of plots. A long time ago, in a job far, far away, two LWN editors put together a set of online weather stations using Gnuplot and Perl.

Version 4.0.0 of Gnuplot - the first major release in over a decade - was announced this week. Some of the new features in this release include a new 3d plotting style, mouse interactivity in the X11 display, new output drivers, support for true-type fonts, improvements to the arrow plots, and more.

The official version 4.0.0 What's New document explains the new features in greater detail. The Gnuplot code is available for download here.

Comments (1 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include updated versions of Speex, liblrdf, libfishsound, and liboggz.

Comments (none posted)

Backup Software

ext2/ext3 Dump 0.4b36 released

Dump 0.4b36 is available. This version improves interoperability with other versions of dump, provides unlimited dump levels, and more.

Comments (none posted)

Database Software

libgda/libgnomedb 1.0.4 released

Version 1.0.4 of the libgda/libgnomedb framework for database applications is out. "libgda/libgnomedb are the base of the database support in the GNOME Office application suite, providing database access for many features in both Gnumeric and Abiword. This is a bugfix release, containing fixes for various bugs found by users in the 1.0.3 release."

Full Story (comments: none)

Improved ODBC support for CLSQL

CLSQL, a Common Lisp interface to SQL databases, has a new ODBC layer. "The backend "has been tested on CMUCL, SBCL, OpenMCL, AllegroCL, and Lispworks on Linux using unixODBC as well as on Windows platforms"."

Full Story (comments: 1)

Filesystem Utilities

Samba 3.0.3rc1 available

The Samba Project has announced the first Samba 3.0.3 release candidate. Among other things, 3.0.3 includes support for local nested groups via winbindd and the ability to specify options to be passed directly to CUPS.

Full Story (comments: none)

Libraries

libcroco 0.5.1 released

Version 0.5.1 of libcroco has been announced, it fixes several bugs.

Full Story (comments: none)

Mail Software

Clam AntiVirus 0.70 release (SourceForge)

Version 0.70 of Clam AntiVirus, an anti-virus toolkit for UNIX systems, has been announced. "On April 24th, a new functionality level will be introduced in the database. There are a few signatures which can't be used by pre-0.70 scanner engines, so we need you to upgrade immediately to 0.70."

Comments (none posted)

Networking Tools

BIND 9.3 released

ISC has announced the release of BIND 9.3. This version includes DNSSEC support and a number of new administrative features. ISC is also launching commercial support services for BIND.

Comments (3 posted)

Web Site Development

Migrating to Velocity (O'ReillyNet)

O'Reilly is running an article that shows how to switch to the Velocity web templating engine. "Velocity offers a compelling way to develop web applications, but converting an existing JSP-based project is no simple task. Jason Briggs shows how he used Velocity servlets to ease the transition."

Comments (none posted)

Miscellaneous

Introducing Cfengine (O'ReillyNet)

O'Reilly has published an introduction to Cfengine. "Automation is the most important skill an administrator can develop. Learning tools that make automation easier usually pay off greatly. Luke A. Kanies claims that Cfengine may be the most important tool in your toolbox and introduces its use and design."

Comments (none posted)

SC-Track Roundup 0.6.9 is out

Maintenance release version 0.6.9 of the Roundup issue tracking system is out with several bug fixes.

Full Story (comments: none)

Desktop Applications

Audio Applications

MuSE 0.9 has been released (and MusE 0.7)

Version 0.9 of MuSE, an audio mixer, encoder, and network streamer, is out. Here is a summary of the changes: "Spotlights on the large rewrite of Engine parts, especially the Input and Encoder channels, the tightening of the FIFO Pipe mechanism, many speed improvements and full documentation of the API. There is a revamped GTK-2 interface now featuring drag&drop capability, Language translations and much better Profile and Playlist handling, a new libSnd (wav player) input channel during the hackmeeting, full support of Icecast2 streaming both with OGG and MP3 and yet more CLI flexibility."

Just to add a bit of namespace confusion, version 0.7 pre 1 of MusE (note the different capitalization), a music editor, is also out with lots of changes.

Full Story (comments: none)

Rhythmbox 0.8.0 released

Version 0.8.0 of the Rhythmbox music management system has been released. "If I had to summarize the development since 0.6, I would say it's just like Rhythmbox, only better :) From stuff like Ogg support for internet radio, ReplayGain support, and automatic playlists based on rating, what we've done is just generally try to flesh everything out. We are also showcasing GStreamer's cool features like metadata reading."

Full Story (comments: none)

Desktop Environments

Bug Buddy 2.6.1 released

Version 2.6.1 of Bug Buddy, a bug reporting tool for GNOME, has been released. "This is a stable release of the GNOME bug reporting tool for the GNOME 2.6.1 release, so please, try it a lot, and of course, report bugs using itself! Only a bug fix and translation updates (translators, you rock!!!)"

Full Story (comments: none)

gconf-editor 2.6.1 is out

Stable version 2.6.1 of gconf-editor is available. "Only bug fixes (but important bugs!) and translation additions in this release. The funny stuff will be on cvs HEAD and 2.7.x releases."

Full Story (comments: none)

GNOME Platform Bindings 2.6.0 (GnomeDesktop)

Version 2.6.0 of the GNOME Platform Bindings has been announced. "As scheduled, we now have API/ABI-stable bindings for the GNOME 2.6 Development Platform, for C++, Java, and Perl. That means you can seriously consider those programming languages (and others) when developing GNOME-based applications, and you can be confident that your applications will not break when future versions of these bindings are released."

Comments (none posted)

GNOME Terminal 2.6.1 is available

Version 2.6.1 of the GNOME Terminal, a terminal emulator, is available with improved translations.

Full Story (comments: none)

Crystal Sources United! (KDE.News)

KDE.News reports on an effort to organize the KDE Crystal icon set. "Sources for the Crystal icon set are everywhere. They are at many places in KDE's CVS, so many, it's hard to download them. Artists more skillful with sketchbooks than CVS, will be gladly surprised that Frans Englich wrote a script which collects them all, and that Philip Scott provided a high speed server for the resulting zip."

Comments (none posted)

KDE 3.2.2 is Released

The KDE project has announced the immediate availability of KDE 3.2.2, a maintenance release with lots of bug fixes since KDE 3.2.1.

Comments (1 posted)

KDE-CVS-Digest (KDE.News)

The April 16, 2004 edition of the KDE-CVS-Digest has been published. Here's the summary: "KJSEmbed adds shell calls and now builds with QT. KDevelop has a new documentation viewer, with bookmarks, printing, plugins and full text search. KSVG2 ecma support added. KNotes is now network enabled. Konqueror gets an enhanced version of caret mode. Kopete supports KIMproxy, the generic IM interface. Many bugfixes in Juk, Kate, Umbrello and others."

Comments (none posted)

KDE Traffic

The April 16, 2004 edition of KDE Traffic has been published. "After a long break, KDE Traffic is back. KDE Traffic #76 includes tons of news about KMail, KOffice, Konqueror, K3b, KolourPaint and more of your favorite KDE apps."

Comments (none posted)

Xfce 4.0.5 is out

Version 4.0.5 of Xfce, a light weight desktop environment, is out. "As usual, this is a maintenance release, aimed at bug-fixing; no new features are being added to the 4.0 branch. The main purpose of this release is compatibility with the recent GTK+ 2.4.x release along with other fixes."

Comments (none posted)

Accessibility

gnopernicus 0.9.0 released

Version 0.9.0 of gnopernicus, a GNOME screen reader for the visually impaired, is out following two other releases this week. Changes include improved table presentation, translation work, and more.

Full Story (comments: none)

GOK 0.10.2 is here!

Version 0.10.2 of GOK, the GNOME Onscreen Keyboards Suite, has been announced. This version adds a number of new capabilities.

Full Story (comments: none)

Financial Applications

SQL-Ledger 2.2.6 released

Version 2.2.6 of SQL-Ledger, a web-based accounting system, is out. The changes include a fix for database backups, a Spanish translation, and more.

Comments (none posted)

Games

FreedroidRPG 0.9.12 released (SourceForge)

Version 0.9.12 of FreedroidRPG, a cross-platform role playing game, has been announced. "Again we're offering Windows and Linux packages for download. The changelog is lengthy and lists improvements of all aspects of the game."

Comments (none posted)

gnome-games 2.6.1 announced

Version 2.6.1 of gnome-games is available. Here are the changes: "Bug fixes for mahjongg and blackjack. Translation updates for Hungarian and Gujarati. What more could you ask from a stable release ?"

Full Story (comments: none)

GNOME War Pad 0.2.12 is available

GNOME War Pad 0.2.12, a VGA Planets strategy game client for GNOME, is out. "This game is being played since Fidonet times, and has lots of fans that still play on those old DOS clients, it's time for a GNU/Linux one :-)"

Full Story (comments: none)

GTetrinet 0.7.6 and 0.7.7 are out

Two new versions of GTetrinet, a multi-player Tetris game, are available. "It's been a while since our last release. Most of the work is being done on our libtetrinet branch which will hopefully be ready soon, but in the meanwhile quite some translations had been updated in CVS. Dani also fixed another keyboard input bug and made it possible to resize the gtetrinet main window."

Full Story (comments: none)

Monster Masher 1.5.1 is out

Version 1.5.1 of the action game Monster Masher is out. "A translation-update-and-bug-fix release. More translations than bug fixes, though."

Full Story (comments: none)

GUI Packages

Glade 2.6.0 announced

Version 2.6.0 of Glade, a user interface builder for GTK+ and GNOME, is out with several bugs fixed.

Full Story (comments: none)

PyGTK 2.3.91 unstable is out

Version 2.3.91 (unstable) of PyGTK, the Python bindings for GTK, is out. "It includes a number of changes since the last pygtk release; We'd really appreciate testing and bug reports on this release; please take the time out to download and test it to ensure it works for your application[s]."

Full Story (comments: none)

A Taste of Qt 4

TrollTech has published a document that lists some of the features of the upcoming Qt version 4. "With Qt 3.3.0 out the door, the Qt 3.x series is drawing closer to an end. Trolltech is now focusing on the next major release, Qt 4, to come out later this year. With Qt 4, we hope to make Qt programming faster, easier, and more powerful than it has ever been."

Comments (none posted)

Imaging Applications

GIMP 2.0.1 Released (GnomeDesktop)

Version 2.0.1 of the GIMP is out. "GIMP version 2.0.1 is available for download from ftp.gimp.org and its mirrors. This is a bug-fix release in the stable 2.0 series. The CVS tree has been branched after the release was made, so that development can proceed towards GIMP 2.2 which is scheduled for this summer. Also released, the GIMP Animation Package, or short GAP, is a collection of plug-ins to extend the GIMP with capabilities to edit and create animations as sequences of single frames."

Comments (none posted)

ImageMagick 6.0.0-2 (stable) released

Version 6.0.0-2 (stable) of ImageMagick, an image display and manipulation program, has been announced. See the News page for information on this version.

Comments (none posted)

Superchick 0.3 is out

The PyGame site lists version 0.3 of Superchick. "Superchick is a program to view manga, that is, Japanese comics. It can also be easily used to view American comics, or any other collection of images."

Comments (none posted)

Instant Messaging

Silky 0.5.1 released!

Version 0.5.1 of Silky, a secure chat client for GTK+, has been released.

Full Story (comments: none)

Interoperability

Wine Traffic

Issue #219 of Wine Traffic is available for your reading pleasure.

Comments (none posted)

Multimedia

GStreamer 0.8.1 and GStreamer Plugins 0.8.1 released (GnomeDesktop)

Version 0.8.1 of the GStreamer multimedia framework, and the associated plugins have been announced. Changes include improved internationalization, bug fixes, and the rework of several components.

Comments (none posted)

PyMedia 1.2.0 released

Version 1.2.0 of PyMedia, a Python library for multimedia, is out. Features include audio and video decoding and encoding, access to sound devices and CDDA tracks, and cross-platform portability.

Full Story (comments: none)

totem 0.99.11 released

Version 0.99.11 of Totem, a GNOME movie player, is out with lots of bug fixes and better translations.

Full Story (comments: none)

Music Applications

Ecamegapedal 0.4.4 released

Version 0.4.4 of Ecamegapedal, a real-time audio effects processor is out. "Minor bugs in JACK support have been fixed. Now Ecamegapedal makes sure it won't launch the JACK daemon by accident when probing for available devices on startup. The manual pages have been updated with some new sections."

Full Story (comments: none)

Q 5.3 and Q-Midi 1.14 are out

A bug fix release of the Q language and Q-Midi computer music application is out. "Q is an equational programming language based on term rewriting. Q-Midi is an add-on module for the Q language which provides an interface to MidiShare, Grame's cross-platform MIDI library. If you want to try out programming computer music applications in a high-level functional programming language, then these might be for you."

Full Story (comments: none)

Radium 0.63 Alpha Linux Port

The initial Linux port of Radium, an Amiga graphical music editor, is available.

Full Story (comments: none)

Science

AISF and ASTRIX released

AISF and ASTRIX are parts of an astronomical control system. "For the past few months the Virginia Astronomical Instrumentation Laboratory has been working on a piece of software to control its observing systems. These systems are built on the GNU/Linux Operating System. The system we have designed is a new form of modular instrument control. In the spirit of the GNU/Linux operating system we are making this framework open source."

Full Story (comments: none)

PhpGedView 3.0 released (SourceForge)

Version 3.0 of PhpGedView, an online genealogy viewer, is out. "PhpGedView version 3.0 adds several new features and fixes lots of bugs. You will definitely want to upgrade. The phpGedView project, SourceForge.net's December 2003 Project of the Month, parses GEDCOM 5.5 genealogy files and displays them on the internet in a format similar to PAF. All it requires to run is a php enabled web server and a gedcom file."

Comments (none posted)

Video Applications

kdetv 0.8.0 Released! (KDE.News)

Version 0.8.0 of kdetv has been announced. "After more than two years of development, the long anticipated successor of KWinTV has reached its first public release. kdetv is an application to watch TV using Xv or video4linux compatible video cards. With this release of kdetv, Linux users can now enjoy a user-friendly desktop TV viewing experience. Features of kdetv include three view modes, a channel scanner, the ability to import the channel files of three other TV programs, teletext and closed caption decoding, and an easy-to-use graphical user interface."

Comments (none posted)

Xawdecode [xdTV] 1.9.1 released! (SourceForge)

Version 1.9.1 of xawdecode, also called xdTV, has been released. Changes include: "A lot of xaw GUI adds and updates, BSD and non-i386/bigendian linux systems now supported, XviD 1.0 and FFmpeg 1032 build 4708 support added, xinerama support added, xscreensaver is now managed, better memory copy management, fullscreen switch mode fixed, Alevt with Hellenic set, Added option to edit/view record scripts....."

Comments (none posted)

Web Browsers

Epiphany 1.2.3 is available

Version 1.2.3 of the Epiphany browser for GNOME has been released with code cleanup, bug fixes, and improved translations.

Full Story (comments: none)

Tree Branches for Mozilla 1.7 (MozillaZine)

The Mozilla 1.7 tree branch has happened. "On Monday, the new Mozilla 1.7 branch was cut from the trunk, in preparation for the final release of Mozilla 1.7 in mid-May. As well as 1.7, the branch will also provide the foundation for Mozilla Firefox 1.0 and several other Mozilla-based applications. Post-1.7, the new branch will replace 1.4 as the stable development baseline."

Comments (none posted)

Mozilla Links Newsletter

The April 14, 2004 edition of the Mozilla Links Newsletter has been published. Take a look for lots of information on the Mozilla browser and related topics.

Full Story (comments: none)

Miscellaneous

Alexandria 0.1.2 released

Version 0.1.2 of Alexandria, a book management system for GNOME, is out. This version fixes a couple of bugs and adds a default to the add book dialog.

Full Story (comments: none)

GGV 2.6.1 released

Version 2.6.1 "Quadlibet for Tender Feet" of the GGV PostScript viewer is available with bug fixes and some updated translations.

Full Story (comments: none)

GtkSourceView 1.0.1 stable is out

Version 1.0.1 stable of GtkSourceView, a text widget that extends the standard Gtk+ 2.x GtkTextView, has been released. This version adds bug fixes, translations, C99 keyword highlighting, and more.

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The April 13-20, 2004 edition of the Caml Weekly News is available for your reading pleasure.

Full Story (comments: none)

Java

Java and Sound, Part 2 (O'Reilly)

Part two of David Flanagan's series on Java and Sound is online. "Editor's note: This second installment in a two-part series of excerpts from Java Examples in a Nutshell, 3rd Edition follows on last week's (which showed how to play streaming sounds in both sampled audio and MIDI formats) with examples that show how to read a simple musical score and convert it into a MIDI sequence. Author David Flanagan also shows you how to make music by directly controlling a MidiChannel of a Synthesizer, thereby bypassing the need to play a Sequence of MIDI events through a Sequencer object."

Comments (none posted)

JSP

Automating Your Desktop with KJSEmbed (KDE.News)

KDE.News points to a set of articles on KJSEmbed. "KJSEmbed is the KDE JavaScript engine with bindings for Qt/KDE. These bindings allow people to create scripts that can tightly integrate into KDE quickly with simple JavaScript. This article covers how to use the DCOP API from KJSEmbed and sports a simple demo script that shows off how to use this API."

Comments (none posted)

Perl

Apocalypse 12 released

Larry Wall has posted Apocalypse 12, the next in his series of articles on the design of Perl 6. Yes, he has skipped a few apocalypses in the middle; one assumes he'll fill them in eventually. This one deals with the Perl 6 object model. "Usually in these Apocalypses, I discuss the design with respect to each of the RFCs. However, in this case I won't, because most of these RFCs fail in exactly the same way--they assume the Perl 6 object model to be a set of extensions to the Perl 5 object model. But as it turns out, that would have been a great way to end up with Second System Syndrome Done Wrong. Perl 5's OO system is a great workbench, but it has some issues that have to be dealt with systematically rather than piecemeal."

Comments (14 posted)

Perl 5.8.4 RC2 is Out (use Perl)

Release Candidate 2 of Perl 5.8.4 has been announced. "This wasn't the plan, but testing has revealed that RC1 has unexpected surprises with suidperl (the set user ID perl binary which is not compiled by default). Apart from 2 CPAN module upgrades, RC2 differs from RC1 only in how suidperl is installed, so if you use suidperl you should check that RC2 is a drop in replacement for earlier 5.8.x."

Comments (none posted)

This Week on perl5-porters (use Perl)

The April 18, 2004 edition of This Week on perl5-porters is out. "This was an RC-2 week, rich in events and discussions. Read about the little-known dualvars, the always popular version strings, the set UID perl, Unicode classes, and various other bugs."

Comments (none posted)

PHP

PHP 4.3.6 released!

Version 4.3.6 of PHP has been released. "This is a bug fix release whose primary goal is to address two bugs which may result in crashes in PHP builds with thread-safety enabled. All users of PHP in a threaded environment (Windows) are strongly encouraged to upgrade to this release. All in all this release fixes approximately 25 bugs that have been discovered since the 4.3.5 release. For a full list of changes in PHP 4.3.6, see the Change Log."

Comments (none posted)

Python

Dive Into Python

Version 5 of Dive Into Python, a free, online Python book, is out. See the revision history for a list of changes.

Comments (none posted)

Python-dev Summary

The Python-dev Summary for March 16-31, 2004 is out with another summary of traffic on the python-dev mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The Apr 18, 2004 edition of Dr. Dobb's Tcl-URL! is out with the week's Tcl/Tk article links.

Full Story (comments: none)

UML

Gaphor 0.3.1 is available

Version 0.3.1 of Gaphor, a Python UML modeling tool for GTK/GNOME, is out with bug fixes in the installation procedure.

Full Story (comments: none)

XML

Release of libxml2 2.6.9

Version 2.6.9 of libxml2 has been announced. "This release has one small new item, the implementation of xml:id draft, otherwise it is mostly bugfixes and small improvements".

Full Story (comments: none)

Developing Wireless Content using XHTML Mobile (O'Reilly)

Jean-Luc David works with XML and mobile devices on O'Reilly. "This article will show you how to create XHTML Mobile Profile documents that render on multiple devices. We will also demonstrate how to set up an XML-based multiserving framework. Finally, we will show you how you can transform your XHTML to WML without having to make any changes to your XHTML code."

Comments (none posted)

Python SOAP libraries, Part 5 (IBM developerWorks)

Scott Archer and Uche Ogbuji present part five of their series on Python SOAP libraries. "As with its sister project, ZSI, SOAPpy has enjoyed a recent increase in activity and is now in version 0.11.3. This version includes WSDL support and many other improvements. Uche Ogbuji and Scott Archer try out this new version with the same complex Web service they tried accessing with ZSI 1.4.1 and ran into a different set of difficulties."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Why MySQL grew so fast (O'ReillyNet)

Andy Oram examines MySQL's success on O'ReillyNet. "So MySQL succeeds at maintaining two faces. To paying customers, it's a traditional, responsible vendor. To programmers and database administrators, it's a flexible, responsive network of independently-minded developers in free-software style."

Comments (9 posted)

Mozilla: Curiouser and Curiouser (IT-Director)

Recommended reading: Robin Bloor's followup to his "Will Mozilla Fly?" article on IT-Director.com. "One of Microsoft's problems is that its interface designers suck. I believe that Microsoft is repeating a mistake IBM made in the 1990s. IBM was afraid of the PC market at first, but then it launched the IBM PC and very quickly took control of the market. It thought it had won, but actually it had lost. The PC players quickly got big enough and ugly enough to block IBM. The same is happening to Microsoft and Open Source is what's bringing the giant down."

Comments (3 posted)

Trade Shows and Conferences

Real World Linux Conference 2004: Day 2 (NewsForge)

NewsForge reports from the Real World Linux 2004 Conference and Expo in Toronto. "Companies, [Jon "maddog" Hall] said, aren't using open source because the applications they want to use for their specific specialized purpose are not supported under Linux. The companies that make the applications don't want to make the applications available under Linux or other open source operating systems because no companies are using them. It's a vicious circle."

Comments (none posted)

Real World Linux 2004, Day 3: The conclusion (NewsForge)

NewsForge covers day three of the Real World Linux 2004 conference in Toronto. Ed Kilroy, president of IBM Canada, delivered a keynote where he explained one Linux success story: "The 300mm wafer is for IBM's "power technology" processor, he said, and it is used in all sorts of applications, including Microsoft's X-Box game console. The assembly line is fully automated, start to finish, with no human intervention. It is controlled entirely by Linux computers and has been running 25 months without any failures or outages."

Comments (none posted)

MySQL's annual conference: They came to learn (NewsForge)

Robin 'Roblimo' Miller is attending the MySQL conference in Orlando, Florida on behalf of NewsForge. "These are not amateurs getting together to discuss their hobby. These are professionals who live and breathe databases. Their jobs depend on the databases and data warehouses for which they are responsible working correctly, securely, and all the time."

Comments (1 posted)

PyCon DC 2004 (Linux Journal)

The Linux Journal is carrying a lengthy report from PyCon DC 2004. "So what is a sprint? A sprint is a group of people hacking together on the same software project.... 2003 had twice as many sprint groups as last year. There were sprint groups for the Python core, Zope, Twisted, Chandler, Plone, Docutils and Guido van Robot (a language for teaching programming fundamentals). One side benefit of sprinting is the opportunity to see Python luminaries at work, often on projects different from what they are known for."

Comments (none posted)

The SCO Problem

IBM's response to the motion to bifurcate (Groklaw)

As reported on Groklaw: IBM has filed a response to SCO's attempt to split IBM's patent charges from the rest of the case. "The big news is that they clearly intend to go for the jugular the minute discovery and pretrial motion practice is complete. They reveal that they will be asking for summary judgment, and they say they expect most, if not all, the issues will be resolved that way, without ever going to trial. On that basis, they argue that it's way too soon to even know what needs to be separated out, if anything." Groklaw also has the response itself available in text format.

Comments (none posted)

Companies

Sun releases first J2EE 1.4-compliant app server (NewsForge)

NewsForge covers Sun's release of a new J2EE application server. "Sun Microsystems, still smarting from yet another poor financial quarter -- a $760 million loss in fiscal Q3 -- Friday announced some good news: the general availability of the first J2EE 1.4-compliant standard application server. The new server follows two key Sun development product releases in the last two weeks: the open source NetBeans 3.6 and the graphical Java Studio Creator IDE."

Comments (none posted)

Linux Adoption

Linux to work for welfare (News.com.au)

News.com.au has a report about Centrelink, the Australian welfare agency, which is looking hard at Linux. "Among various projects, Centrelink was investigating the performance potential for Linux as a platform for the 400-odd servers delivering its collaboration software, Lotus Notes. Those servers presently run on Microsoft Windows server platform."

Comments (3 posted)

Linux on desktop PCs (Economist)

The Economist examines the prospects for Linux on the desktop. "More specifically, two windows, so to speak, of opportunity appear to be opening. One is that the next version of Windows, called Longhorn, has been delayed to 2006 at the earliest, in part by Microsoft's realisation that it has to tighten up security a lot more.... If Linux can establish a good reputation during this period, it might look even more attractive once Longhorn, which will be expensive and is likely to require new hardware, is released."

Comments (1 posted)

Linux at Work

Linux for Grandma, Part 2 (PC World)

Matthew Newton puts together a Linux computer for his Grandmother, as described in PC World. "As I've said, Grandma has zero experience with PCs. Every single concept that gets introduced to her is going to be new, so the easier those concepts are to digest, the better; the more related to the real world that Grandma has known for the better part of a century, the better. I don't ever want her to hear the words "hierarchical file system." But she can handle putting files into folders. So I want an interface that provides the most pure, consistent, unadulterated files-and-folders experience I can find." (Found on Footnotes)

Comments (4 posted)

Legal

Patent Office asked to review Microsoft FAT patent (Register)

A group called the Public Patent Foundation is challenging Microsoft's patent on the FAT filesystem. "According to the Public Patent Foundation's request, "the '517 patent is causing immeasurable injury to the public by serving as a tool to enlarge Microsoft's monopoly while also preventing competition from Free Software." "Microsoft is using its control over the interchange of digital media to aid its ongoing effort to deter competition from Free and Open Source Software. Specifically, Microsoft does not offer licenses to the '517 patent for use in Free Software."

Comments (3 posted)

Interviews

Linux Creator Calls Backporting 'Good Thing' (InternetNews.com)

InternetNews.com talks with Linus Torvalds and others about backporting. "Torvalds comments, in an e-mail interview with internetnews.com, came after SUSE's CTO, Juergen Geck, told an audience at the Real World Linux Conference in Toronto that Red Hat's practice of backporting features from the 2.6 kernel into the 2.4 Kernel is a "bad thing" because it interferes with standardization of the open source operating system."

Comments (8 posted)

Don't make Linux desktop a Windows clone (vnunet)

Novell's Matt Asay suggests that Linux vendors should avoid cloning the Microsoft desktop experience. ""All enterprise Linux vendors are trying to push a Linux desktop that looks exactly like Microsoft [Windows desktop]. But it is difficult to compete with someone on his own territory," he said. Instead, he said, a Linux desktop that played to its own strengths would work better and be more interesting."

Comments (1 posted)

Interview with Con Zymaris of Open Source Victoria (PCLinuxOnline)

PCLinuxOnline has an interview with Con Zymaris of Open Source Victoria. "Con Zymaris: Open Source Victoria is an Industry Cluster consisting of over 100 Victorian firms, consultants and developers which provide services and technology related to Free and Open Source Software (FOSS). Victoria is one of Australia's most populous states, with a highly industrialised and business-focused capital city, Melbourne."

Comments (none posted)

The People Behind KDE: Ariya Hidayat (KDE.News)

This week in the People Behind KDE, meet Ariya Hidayat, an Indonesian hacker currently living in Germany. "At the moment my playground is KOffice (especially KSpread), I write some code, fix bugs and possibly introduce new bugs. I also follow koffice mailing-list, either with little participation or simply in "lurking mode"." (Found at KDE.News)

Comments (none posted)

Resources

OpenOffice.org Off the Wall: Fonts of Wisdom (Linux Journal)

Bruce Byfield explains font selection issues when using OpenOffice.org. "What follows is an introduction to some of the basic issues as they apply to Linux and OpenOffice.org: What fonts are available? How are they installed? What tools in OpenOffice.org allow you to make use of them? Most important of all, what do you need to consider when selecting and customizing fonts? A complete answer to even one of these questions could fill a book. However, the brief answers that follow should help you make more informed choices about using fonts."

Comments (14 posted)

Reviews

Will Mozilla Fly? (IT-Director)

IT-Director.com is running another Robin Bloor column; this one describes a recent browser experience. "However, the initial (test) version of this applet was created for the Mozilla Firefox browser rather than Internet Explorer so I had to download the browser in order to try it out. So I did. It took me a whole five minutes to decide to ditch Internet Explorer and switch to Firefox."

Comments (10 posted)

Book Review: Linux Pocket Guide (OS News)

OS News reviews O'Reilly's Linux Pocket Guide. "Users migrating to Linux are definitely in need of a book that gives them an introduction to the most relevant tools in fundamental functional areas. This first edition of the Linux Pocket Guide will indeed prove quite useful to these users, but I look forward to a slightly expanded second edition that covers more real-world examples and basic "tricks" of our favorite and most essential command line tools."

Comments (none posted)

Getting the Most Out of XMMS (O'ReillyNet)

Rickford Grant reviews the capabilities of the XMMS media player on O'Reilly. "XMMS (X Multimedia System), available with just about every Linux distro, is simple enough to use, yet many users fail to reach below the surface and take advantage of its many capabilities. In this article, Rickford Grant takes you from the basics of using XMMS to its more advanced features, such as creating playlists, playing Internet radio broadcast streams, and more."

Comments (14 posted)

Miscellaneous

Hackers hit computer giants (CNN)

CNN reports that "hackers" have cracked into computers at Stanford University, the San Diego Supercomputer Center, the University of Illinois' National Center for Supercomputing Applications and other supercomputing facilities. Systems running Linux and Solaris have been compromised. "Hackers used insecure machines to gain root privileges, which let them make the kinds of changes normally reserved for authorized administrators. But even computers with the latest patches were used to run password-decoding software after hackers logged on using a compromised account, according to the Stanford bulletin."

Comments (7 posted)

Page editor: Jonathan Corbet

Announcements

Non-Commercial announcements

Netfilter gets a GPL-enforcement injunction

The Netfilter/iptables project, which has been aggressively enforcing its GPL license for a while now, has sent out a press release stating that it has obtained a preliminary injunction in Germany against Sitecom Germany GmbH. Sitecom's WL-122 wireless router contains the GPL-licensed code, but the manufacturer has not been living up to its obligations. Unless Sitecom comes into compliance, the injunction will prohibit the company from distributing the infringing products. Click below for the details.

Full Story (comments: 23)

Mozilla Foundation Offering Autographed T-Shirts to Donors (MozillaZine)

MozillaZine has announced that Mozilla contributors will receive an autographed T-shirt until the end of April. "The new Mozilla gear is now shipping, and to celebrate the availability of cool new T-shirts, polo shirts and stuffed firefoxes, we are sending autographed Mozilla or Firefox T-shirts to anyone who makes a contribution of $50 from the Mozilla store by the end of this month (Friday, April 30)."

Comments (none posted)

Japanese Systems Integrator Ten Art-ni joins OSDL

The Open Source Development Labs has announced that Ten Art-ni, a Japanese open source technology integrator, has joined OSDL and will participate in OSDL's Data Center Linux and Carrier Grade Linux working groups to advance Linux in Japan.

Full Story (comments: none)

PUBPAT challenges Microsoft's FAT patent

The Public Patent Foundation has put out a press release stating that it has filed a request with the U.S. Patent and Trademark Office to have one of Microsoft's patents on the FAT filesystem revoked. "Last fall, Microsoft began to demand royalty bearing licenses for the entire portfolio of patents around the FAT File System. However, the fact that Microsoft has not offered licenses for use in Free and Open Source Software has led some to speculate that Microsoft intends to use its patents to fight the competitive threat posed by Free Software."

Comments (3 posted)

the wxWidgets Bounties program

The wxWidgets GUI library project has come up with an interesting way to spur development of needed features, the wxWidgets Bounties program. "Need a particular feature or bug fix? Set a price here, giving a short description, your name and email address. Hopefully, one or more people will contact you and you can arrange the terms of this development work."

Comments (none posted)

Commercial announcements

Fluendo, GStreamer-based streaming media company, launched

Fluendo, a company dedicated to creating streaming media services using free software technology, was launched today. Fluendo will build services on top of GStreamer and will provide funding for the Xiph.org Foundation to complete the Ogg/Theora bitstream specification.

Full Story (comments: 1)

HP and DreamWorks Give Innovation a Starring Role in "Shrek 2"

This Shrek 2 commercial (click below) from HP and DreamWorks mentions HP's Utility Rendering Service (HP URS), developed by HP in collaboration with DreamWorks. "The HP URS was built by researchers at HP Labs in Palo Alto using a 1,000-processor compute farm built on industry-standard systems, including HP ProLiant DL360 servers running Linux and HP ProCurve network switches. It is linked via a secure, high-speed network to DreamWorks Animation studios to provide an extension of DreamWorks' internal data center. This gives the studio a pooled set of resources that can be tapped as needed without having to make a major capital investment."

Full Story (comments: 4)

Quest Software Announces Support for MySQL with New Database Development Freeware Tool

Quest Software's Development Solutions has announced the availability of a new version of its Quest Toad database tool. The new version will support the MySQL database.

Comments (none posted)

Red Hat Enterprise Linux v.3 Achieves LSB Internationalization Runtime Environment Certification

Red Hat has issued a press release claiming that Red Hat Enterprise Linux 3 is the first OS certified by the Free Standards Group to conform with the Linux Standard Base (LSB) Internationalized Runtime Environment.

Comments (none posted)

New Books

No Starch Press releases "The Official GNOME 2 Developer's Guide"

No Starch Press has published The Official GNOME 2 Developer's Guide by Matthias Warkus.

Full Story (comments: none)

Resources

GNOME Installation Guide for GNOME-2.6 online (GnomeDesktop)

GnomeDesktop.org has an announcement for a new GNOME Installation Guide for GNOME 2.6. "The GNOME Installation Guide was written to help unfamiliar users install a stable GNOME system that includes more than the default applications. It teaches readers how to compile GNOME on their own instead of installing precompiled packages. It also covers installation of extra GNOME programs, both those hosted by the GNOME project and those which are not."

Comments (none posted)

LM: Introduction to Linux Audio

Richard Brown has announced a new introductory article about Linux audio on the LinuxMusician.com site.

Full Story (comments: none)

New Linux Audio Applications

Dave Phillips has updated his New Additions page of Linux audio applications.

Comments (none posted)

The LDP Weekly News - 20040421

The Linux Documentation Project Weekly News for April 21, 2004 is out with all the latest documentation news.

Full Story (comments: none)

LPI News for March, 2004

Linux Professional Institute's March LPI Newsletter has been published. Take a look to see the latest Linux certification issues.

Full Story (comments: none)

New OpenPKG slideset now available online!

A slide set for the OpenPKG package management system is available. "During the last weeks we've prepared a completely new official slideset for OpenPKG which now replaces the old one."


Event Reports

Notes from the MySQL Users Conference & Expo 2004

Lenz Grimmer has posted a report from the MySQL Users Conference in Orlando, Florida.


Upcoming Events

Grid Today 2004 Conference Announces Panels

A preview of the GridToday 2004 conference events is available. "GridToday'04 (Gt'04), the premier enterprise Grid computing conference, has developed multiple panels focused on the most critical and timely information in Grid technology deployment. Each panel will be presented as a plenary session in Philadelphia this May 24-26, allowing Gt'04 attendees to participate in all sessions."


Record Numbers To Attend This Year's LinuxUser & Developer Expo

The LinuxUser & Developer Expo 2004 has a press release announcing that over 100 companies are signed up as exhibitors. The expo begins April 20 at Olympia, London.


Ottawa Linux Symposium speakers announced

The list of speakers for this year's Ottawa Linux Symposium (July 21 to 24) has been posted. If anything, it looks like an even more solid technical program than usual. This year's keynote will be given by Andrew Morton.


YAPC NA 2004 schedules available (use Perl)

Use Perl links to the schedules for the YAPC::NA 2004 conference. The event will take place in Buffalo, NY on June 16-18, 2004.


OpenOffice.org Conference CFP

A Call for Papers has gone out for the Second OpenOffice.org Conference. The event will take place in Berlin, Germany on September 22-24, 2004.


GCC Developer's Summit Speaker List

The list of speakers and events is available for the GCC Developers' Summit.


Events: April 22 - June 17, 2004

Date | Event | Location
April 22 - 23, 2004 | 2004 Desktop Linux Summit (Del Mar Fairgrounds) | San Diego, California
April 26 - 27, 2004 | Digital Media Project Traditional Rights and Usages Workshop | Los Angeles, CA
April 29 - May 2, 2004 | 2nd Linux Audio Developers Conference (Institute for Music and Acoustics) | Karlsruhe, Germany
May 3 - 5, 2004 | International PHP Conference 2004 Spring Edition | Amsterdam, Netherlands
May 6 - 8, 2004 | TheServerSide Java Symposium (The Venetian) | Las Vegas, NV
May 6 - 8, 2004 | Web.It 2004 | Padova, Italy
May 11 - 12, 2004 | LinuxWorld Conference & Expo (Hotel Istana) | Kuala Lumpur, Malaysia
May 16 - 18, 2004 | European Firebird Conference 2004 | Fulda, Germany
May 17 - 20, 2004 | Fifth LCI International Conference on Linux Clusters (University of Texas) | Austin, TX
May 17 - 19, 2004 | Enterprise Software Summit (The Palace Hotel) | San Francisco, CA
May 17 - 20, 2004 | Black Hat Briefings Europe 2004 (Grand Hotel Krasnapolsky) | Amsterdam, the Netherlands
May 17 - 21, 2004 | Apache Boot Camp | Atlanta, GA
May 20 - 22, 2004 | Austrian Perl Workshop | Vienna, Austria
May 24 - 26, 2004 | GridToday 2004 (Philadelphia Convention Center) | Philadelphia, PA
May 25 - 26, 2004 | LinuxWorld Conference & Expo (Suntec) | Singapore
May 26 - June 6, 2004 | DebConf4 | Porto Alegre, Brazil
May 26 - 29, 2004 | 2nd International Symposium on Computer Music Modeling and Retrieval | Esbjerg, Denmark
June 2 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit (Ottawa Congress Centre) | Ottawa, Canada
June 3 - 4, 2004 | Web.It 2004 | Milano, Italy
June 6 - 7, 2004 | French Perl Workshop | Paris, France
June 7 - 9, 2004 | EuroPython (Chalmers University of Technology) | Göteborg, Sweden
June 13, 2004 | 1st European Lisp and Scheme Workshop | Oslo, Norway
June 14 - 18, 2004 | 18th European Conference on Object-Oriented Programming (ECOOP-2004) (The University of Oslo) | Oslo, Norway
June 16 - 18, 2004 | Yet Another Perl Conference (YAPC::NA::2004) (University at Buffalo) | Buffalo, NY
June 16 - 18, 2004 | YAPC::NA 2004 (University at Buffalo) | Buffalo, NY


Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:


Page editor: Rebecca Sobol

Letters to the editor

What an excellent article! (-:

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  Fran Foo <fran.foo-AT-zdnet.com.au>
Subject:  What an excellent article! (-:
Date:  Wed, 21 Apr 2004 10:55:39 +0800
Cc:  Linux Weekly News letters <letters-AT-lwn.net>, Linux Australia <linux-aus-AT-linux.org.au>

From http://www.zdnet.com.au/news/software/0,2000061733,39145388,00.htm
> "The two things Microsoft does not want to hear are open source
> and Linux. Even if a customer isn't interested in investigating
> or deploying Microsoft alternatives, it's a great way to get
> some discounts," said one Sydney-based IT manager.   

OK... squinting between the lines a bit here... "It's harmless, and 
everybody's doing it".

There is no better time to get this message across, since it will incite 
some IT managers who would otherwise have not touched Open Source with 
a barge-pole to toy with it. Because of this some of them will start
seriously considering it for the first time ever, and the number of 
defections at end-of-contract will rise.

This must be terrifying to Microsoft, because Open Source is now 
becoming most popular in precisely those areas where they have the 
widest margins and greatest dominance. The one bastion remaining to 
them is the desktop, and OpenOffice.org is making huge inroads there.

Their control has garnered enough cash to operate with zero income for 
about five years, and has also powered attempts to invade and dominate 
new markets. If the cash flow brought by their control dries up with 
that control, they'll be reduced to playing almost fairly with their 
competitors, which will pretty much kill their business model and leave 
them unable to force entry into markets which might have sustained them 
through changes in market conditions.

For now, they seem happy to spend enormous wads of cash to cut a few 
albatrosses off their corporate neck, and they've offered some pretty 
extreme discounts to large customers, so it seems like a good time to 
be demanding better terms of them yourself.

In order to obtain best results, wannabee discount recipients should be 
setting up a few machines with Linux on them (Mandrake Linux is one of 
the easiest to set up, and can be downloaded for no dollars to get 
started without paperwork), and if a conversation is to be held with a 
rep, hold it in the same room as the Linux machines, leave them running 
stuff, and demonstrate some familiarity with what's running on them. It 
will be like negotiating with a werewolf in front of a display of 
silverware. (-:

> "Right now, only very few leading-edge organisations are looking
> at open-source databases," said Barnes, vice president for Meta's
> technology research services in Asia-Pacific.   

I think Michael is fooling himself to some degree. For an obvious 
counterexample, Telstra is already adopting Open Source extensively, 
and they are hardly "leading edge" - they practically define 
conservativism in the IT world.

> For IT professionals, the trick is to cull the "right" information --
> fashion your arguments for IT budgets after solid statistics or case
> studies and not fatuous media reports.

This is sound advice, and Microsoft are your worst enemy here because in 
the absence of convincing studies which are truly independent, they are 
working very hard to blur the line between media reports and forensic 
comparisons. They have a whole area of their website carrying almost 
nothing but carefully orchestrated and paid-for studies of corner cases 
designed to make themselves look good, and the media frequently quote 
from or allude to these and similar studies as if they were fact.

I also enjoyed the irony of seeing "fatuous media reports" condemned in 
a media report. (-:

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Vice President, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Past Committee Member, Linux Australia
http://osia.net.au/             Member, Open Source Industry Association


Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds