LWN.net Weekly Edition for June 3, 2004

A look at SpamAssassin 3.0

June 2, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

For many of us, SpamAssassin is all that stands between us and an inbox clogged to the gills with unwanted e-mail. With the much-anticipated 3.0 release just around the corner, we decided to see what anti-spam fighters would have to work with in the near future. To that end, we touched base with SpamAssassin developers Theo Van Dinter and Craig Hughes. Hughes left the project recently, but was heavily involved in the development of 3.0 and still has his finger on the pulse of SpamAssassin development.

What's different from the current release, and why the version jump? Both Van Dinter and Hughes noted some important technical improvements in the 3.0 release. Hughes said that the most important feature for 3.0 is its modularity. The 3.0 release is "more modular, easier to write plugins for...easier to plug in other pieces of functionality that aren't distributed with the core package," said Hughes. He noted that prior to 3.0, it was difficult to add in custom code for functions that were not part of SpamAssassin.

Both Hughes and Van Dinter also noted the replacement of SpamAssassin's "genetic algorithm" with a "perceptron learner" for score generation. Van Dinter noted that the new score generation is vastly improved, taking the average time from "[around] 14 hours to less than five minutes per scoreset (there are four)." Van Dinter also told LWN that the message/mime parser for SpamAssassin has been rewritten "essentially from scratch."
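
To make the score-generation step concrete, here is an added example (not SpamAssassin's own code, and not its scoring tools) of the perceptron learning rule applied to the kind of data SpamAssassin's scorer works from: for each message, which rules fired, plus a spam/ham label. The rule names, the eight messages and their labels are constructed for illustration; the learner raises the score of rules that fire on missed spam and lowers the score of rules that fire on false positives until every training message lands on the right side of the threshold.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SpamAssassin code.  The rule names, the messages and
 * the labels below are constructed: each row records which rules fired on
 * one message (1 = fired), and label 1 means spam, 0 means ham. */
#define NRULES 4
#define NMSGS  8
#define MAX_EPOCHS 100

static const char *rule_names[NRULES] = {
    "HTML_ONLY", "MISSING_DATE", "FROM_KNOWN_SENDER", "RCVD_IN_RBL"
};
static const int hits[NMSGS][NRULES] = {
    {1,1,0,1}, {1,0,0,1}, {0,1,0,1}, {1,1,0,0},   /* labelled spam */
    {0,0,1,0}, {1,0,1,0}, {0,0,0,0}, {0,1,1,0},   /* labelled ham  */
};
static const int label[NMSGS] = {1,1,1,1, 0,0,0,0};

/* A message's score is the sum of the scores of the rules that fired. */
double score(const double *w, const int *x) {
    double s = 0.0;
    for (int i = 0; i < NRULES; i++)
        s += w[i] * x[i];
    return s;
}

int classify(const double *w, double threshold, const int *x) {
    return score(w, x) > threshold;
}

/* Perceptron learning rule: for every misclassified message, nudge the
 * score of each rule that fired toward the correct side of the threshold
 * (up for a missed spam, down for a false positive) and move the threshold
 * the other way.  Returns the epoch at which every training message was
 * classified correctly, or -1 if MAX_EPOCHS passes without convergence
 * (which happens when the data is not linearly separable). */
int train(double *w, double *threshold, double rate) {
    memset(w, 0, NRULES * sizeof *w);
    *threshold = 0.0;
    for (int epoch = 1; epoch <= MAX_EPOCHS; epoch++) {
        int errors = 0;
        for (int m = 0; m < NMSGS; m++) {
            int delta = label[m] - classify(w, *threshold, hits[m]);
            if (delta == 0)
                continue;
            errors++;
            for (int i = 0; i < NRULES; i++)
                w[i] += rate * delta * hits[m][i];
            *threshold -= rate * delta;
        }
        if (errors == 0)
            return epoch;
    }
    return -1;
}

/* Count training messages the learned scores classify correctly. */
int training_accuracy(const double *w, double threshold) {
    int correct = 0;
    for (int m = 0; m < NMSGS; m++)
        correct += classify(w, threshold, hits[m]) == label[m];
    return correct;
}

int main(void) {
    double w[NRULES], threshold;
    int epochs = train(w, &threshold, 1.0);
    printf("converged after %d epoch(s), threshold %.1f\n", epochs, threshold);
    for (int i = 0; i < NRULES; i++)
        printf("score %-18s %5.1f\n", rule_names[i], w[i]);
    printf("%d of %d training messages classified correctly\n",
           training_accuracy(w, threshold), NMSGS);
    return 0;
}
```

The point of the example is the shape of the algorithm, not the numbers: each pass touches every message once and only adjusts the rules that actually fired on a misclassified one, which is why it finishes in seconds on a few thousand messages where a population-based search over the whole score vector does not.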

Another big improvement for 3.0 is improved scalability. The new version supports installations with larger numbers of mailboxes, with preferences stored in an SQL database or LDAP server. The primary focus there, according to Hughes, was for large ISPs that wanted to use SpamAssassin without having a Unix login or home directory for every user.

While there are plenty of technical improvements in SpamAssassin, Hughes also noted that there's a non-technical rationale for the bump to 3.0. SpamAssassin is in the process of becoming a top-level project of the Apache Software Foundation. This also means a licensing change for the project, which was quite a bit of work according to Hughes:

It's going to be using the Apache License instead of using Perl's licensing, and we've gone through a tremendously long, laborious, tedious even, process of sourcing every line of code...making sure that every author really did have the rights to publish it.

Hughes said that the project met little resistance in switching from the former licensing scheme -- which allowed licensing under either the GPL or the Perl Artistic License -- to the Apache Software License. Hughes said that "only a handful" of developers said they wouldn't allow their code to be relicensed, as well as "two or three we couldn't contact." The end result, he said, was that nothing substantial had to be removed due to licensing issues.

Because of the nature of the project, we were also curious how SpamAssassin manages to stay ahead of spammers. According to Van Dinter, it's not so much staying ahead as an "arms race" between SpamAssassin and spammers:

We filter, they mutate, we start filtering the mutation, they mutate again. Lather, Rinse, Repeat. I'm actually not really involved in the rules (I work on the back-end code more than anything else,) but it basically comes down to looking at the spam that's coming in, seeing which ones aren't caught, and figuring out how to catch them in the future. There are also other useful data points unrelated to the messages themselves. For instance, verifying that the sender isn't forged via SPF (Sender Policy Framework) and utilizing the information provided by SenderBase.

Hughes told LWN that there are two things that help SpamAssassin stay ahead of spammers:

One is that you only have to stay ahead of most spammers. There may be one percent that may be particularly good [at getting by SpamAssassin] but if you can block 99 percent of it, it doesn't matter that much...we're not shooting to be perfect, we're shooting to be as good as we can without trying to squeeze out that last one percent.

The other thing is the sheer complexity of SpamAssassin. It's not just a Bayesian filter, it's not just looking up things in RBLs...it's all those things together. It's actually very, very non-trivial for a human to be able to craft a message that's a piece of spam and get through...to defeat all of the system requires a great deal of work, or a lot of luck.

Another piece of good news for SpamAssassin enthusiasts, is that it shouldn't be hard to upgrade. According to Hughes, it "should be simple, as long as you're not doing anything really funky" in terms of tweaking and customizing the SpamAssassin code. He noted that the 3.0 release is designed to recognize file format changes, and to automatically upgrade user files that are in the old format.

If the SpamAssassin 3.0 meta-bug dependency tree is any indication, there's not much left to do before the 3.0-final release. Hughes said that the project "looks like it's on target" to meet the June 30 release date. Users are encouraged to help test SpamAssassin prior to the final release.

BayStar leaves the building

Back in October, 2003, the $50 million PIPE investment in the SCO Group by BayStar and the Royal Bank of Canada was seen as good news for SCO. In May, 2004, things have changed to the point that the dissolution of that investment is also seen as good news for the company. SCO, it seems, is in a different world than it was late last year.

BayStar had been left holding 40,000 of the 50,000 shares of "series A-1" preferred stock created by the initial investment. BayStar had also been very public about its desire to redeem those shares and its lack of faith in SCO's management. The result was a dark cloud of potential litigation lurking over SCO; it is not surprising that SCO was looking for a way to settle the issue. As it turns out, SCO did pretty well for itself.

The full stock repurchase agreement is available via the SEC. It calls for SCO to buy back those 40,000 shares of preferred stock; the cost will be $13 million in cash and just over 2.1 million shares of SCO common stock. So, in the end, SCO sold that stock for $50 million, and was able to buy it back (including the 10,000 shares redeemed by RBC) for $13 million and some paper. This is, indeed, a good deal for SCO; BayStar must have wanted out badly.

There are a couple of interesting provisions in the agreement. One is that BayStar is limited in how quickly it can sell the common stock; it can't make up more than 10% of the average volume on any given day. The two companies also agree not to badmouth each other. The effect of that agreement would seem to be immediately apparent. In April, BayStar was complaining about SCO's attempts to continue to look like a software company, SCO's management, and its lack of focus on the IBM case. In the press release describing the new agreement, instead, we read:

"After productive and substantial discussions with SCO's management team, board of directors and legal team, BayStar is extremely satisfied with SCO's current operating and cash management plans, new initiatives, management of the litigation, and plans for improving its business going forward," said Larry Goldfarb, managing general partner, BayStar Capital.

It is true that the company would appear to have muzzled Darl McBride recently. Other than that, however, there has been little change. The same management team is in charge, and it's doing the same things. If BayStar were so happy with SCO's progress, what reason could it possibly have for cashing out its investment now at a serious loss? BayStar, instead, gives every indication of running for the exit at full speed, preferably ahead of the quarterly earnings announcement (which has been delayed until June 10).

One other interesting feature of the non-disparagement clause:

...the Company's obligation not to disparage or defame BayStar as set forth above shall be limited to the actions or comments of the Company's executive officers, directors, attorneys, advisors [sic], consultants, representatives and The Canopy Group, Inc.

Canopy is not a party to this agreement. One might well wonder how SCO is able to commit Canopy to keeping its mouth shut.

The end result of all this is that the SCO Group has freed itself from a major distraction, cleared a liability off its books (including the 8% dividends it was supposed to start paying BayStar next year), and obtained $37 million of obligation-free cash (excluding lawyer fees, of course). The company is, indeed, in a better position to concentrate on its many open court cases. It may even be able to turn Darl loose in the near future; life hasn't been the same without his strange pronouncements.

[Looking forward: the next events in SCO's legal calendar include a hearing in the DaimlerChrysler case (June 9), and a ruling due anytime in the Novell case. The Novell ruling will include Novell's motion to dismiss, and, if that is denied, SCO's motion to move the case back to Utah state court.]

SCO shows more code

On the surface, the declaration of Todd M. Shaughnessy filed by IBM in the SCO case looks like fairly boring stuff. It consists of a long list of exhibits filed by IBM. Some of those exhibits, however, have not been seen before, and some of those warrant a look. In particular, exhibit 28 covers SCO's answers to the motions to compel discovery. SCO has now "shown the code," and we can see what the company is claiming.

The first part of the declaration covers code contributed from AIX and Dynix to Linux. In the former case, SCO now contents itself with listing the JFS filesystem. From Dynix, SCO notes the read-copy-update technique and some NUMA support code. The broader claim over Linux's SMP code appears to have quietly gone away.

IBM keeps asking SCO to identify the specific lines of System V code which, SCO claims, IBM contributed to Linux. SCO continues to evade that question. The company did, under duress, provide listings of parts of AIX and Dynix that, it claims, derive from Unix. The bulk of the AIX listing is the curses and terminfo libraries; no kernel files are listed there. For Dynix, some kernel files are listed (along with the source of utilities like awk), but there appears to be no intersection with the Dynix files that, SCO claims, IBM contributed to Linux. SCO says that doesn't matter:

In fact, SCO steadfastly maintains that this item is not relevant to this litigation nor is it likely to lead to the discovery of admissible evidence. The main issue in this case is whether IBM has breached its contract with SCO because it contributed or otherwise disposed of a part of AIX or Dynix/ptx to others in contravention of the terms of the license agreement.

In other words, there is not actually any SCO-owned code in IBM's contributions to Linux, but SCO claims control over those contributions anyway. Nothing particularly new there.

Finally, and, perhaps, most interestingly, SCO has included a set of other files (exhibit 28-G) for which it claims ownership. The first part of this list consists of the Linux streams (LiS) patch, which has never been part of the mainline kernel. Interestingly, the LiS distribution was hosted at Caldera for some time. But the company formerly known as Caldera would rather forget that now; the company claims, in its filing, that LiS has not appeared in "any Linux-related product distributed by SCO."

The Free Software Foundation recently claimed that the reason SCO went after the kernel and not the FSF was the latter's copyright assignment policies. So the FSF should be interested to see that SCO claims rights over significant chunks of the glibc and binutils packages. In particular, SCO claims ownership of just about anything which touches the ELF executable file format. Many tens of thousands of lines of FSF-owned code are claimed by SCO. Some of the claims are amusing in typical SCO fashion; for example, the exhibit lists elf/interp.c from glibc, which consists of the copyright header and exactly one line of code:

const char __invoke_dynamic_linker__[] __attribute__ ((section (".interp")))
  = RUNTIME_LINKER;

SCO has also added claims to the ELF code in the 2.4.21 kernel, along with the SYSV filesystem and the SYSV interprocess communication code.

SCO acknowledges that it distributed all of the above code (except for LiS), but claims it was unaware that "its intellectual property" was present at the time. One might well question how, if the SCO group claims to own the ELF file format, it could be unaware that it was distributing ELF-related code. ELF is, after all, the fundamental file format used by Linux. But one should not be surprised by this sort of claim from the SCO Group.

The interesting question, instead, is whether the SCO Group will attempt to pursue its claims to the ELF code. These claims could be used to launch attacks against the FSF, any Linux distributor, or even any of the BSD variants. The last thing SCO needs is yet another lawsuit, but that has not stopped this company before. As SCO's claims against the Linux kernel fall apart, its management may well be tempted to cast a wider net.

Page editor: Jonathan Corbet

Security

The CVS pserver bug - a timeline

Quick response to security incidents is considered one of the strong points of the free software community. It is also seen as a vital component of a site's defenses against attacks. With that in mind, it is worth taking a look at how the recent CVS vulnerability played out:

May 2 Stefan Esser discovers a vulnerability in CVS, up to versions 1.11.15 and 1.12.7. A buffer overflow in the "entry" line parsing code would allow an attacker to execute arbitrary code on the system when the "pserver" access technique is being used. Mr. Esser informs the CVS developers, and is told almost immediately that a fix has been prepared.
May 3 Various high-profile CVS sites are informed of the problem and its fix.
May 12 A new patch is prepared after SourceForge discovers a problem with the previous versions.
May 19 The "coordinated public disclosure" happens, just in time to screw up the LWN publication deadline. Updates are released by Debian, Fedora, Mandrake, Red Hat, Slackware, and SUSE.
May 20 Gentoo releases its updated cvs package.
May 27 CERT gets around to sending out an advisory on the vulnerability.

A few quick conclusions can be drawn from this sequence of events:

  • The coordinated disclosure mechanism had some glitches in its early days, but it seems to be working well now. The problem was kept quiet for a couple of weeks, after which most major distributors were able to issue patches almost simultaneously.

  • One may well wonder, again, what the relevance of CERT is; it took just over a week to get an advisory out after the public disclosure. By then, anybody who was paying attention had already closed the hole.

  • Some distributions do not yet have updates out. These include Conectiva, Whitebox, and Trustix. (Update: Trustix lacks an update because it does not ship CVS, our mistake). Red Hat Linux users are also exposed; the Fedora Legacy project has not yet issued a cvs update.

The last item is somewhat troubling. Given the nature of this vulnerability and the availability of information, no serious distributor should have failed to have an update ready on the disclosure day. One can thus conclude that some distributors are more serious than others. In particular, it is worth noting that the projects which rework Red Hat distributions and updates (Whitebox, CentOS, Fedora Legacy) have failed to react to this vulnerability in a timely way. It may well be that, if you lack the structure necessary to create a distribution in the first place, you will be hard pressed to keep that distribution secure.

New vulnerabilities

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01
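
The bug class in the apache2 entry above, as an added example that is not Apache's ssl_util.c code: an encoder that writes attacker-sized input (here standing in for a certificate subject DN) into a caller's buffer. The unbounded shape never looks at the destination size; the bounded version computes the required size first and refuses input that does not fit. The function names, the base64 implementation and the 64-byte constructed DN are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache's ssl_util.c.  b64_required() and
 * b64_encode_bounded() are this example's names, not mod_ssl's. */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed for the padded base64 encoding of n bytes, including NUL. */
size_t b64_required(size_t n) {
    return 4 * ((n + 2) / 3) + 1;
}

/* Vulnerable shape: the caller's buffer size is never consulted.  If dst
 * is a fixed-size stack array and src is longer than it was sized for,
 * this writes past the end of the array.  Kept only for contrast; it is
 * safe solely when the caller has already checked b64_required(n). */
void b64_encode_unbounded(char *dst, const unsigned char *src, size_t n) {
    size_t i, o = 0;
    for (i = 0; i + 2 < n; i += 3) {
        unsigned v = (src[i] << 16) | (src[i + 1] << 8) | src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = B64[v & 63];
    }
    if (i < n) {                       /* one or two trailing bytes */
        unsigned v = src[i] << 16;
        if (i + 1 < n)
            v |= src[i + 1] << 8;
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        dst[o++] = '=';
    }
    dst[o] = '\0';
}

/* Hardened shape: the destination size is part of the contract.  Returns
 * the number of characters written (excluding NUL), or -1 if dst cannot
 * hold the encoding, in which case nothing is written. */
int b64_encode_bounded(char *dst, size_t dstlen,
                       const unsigned char *src, size_t n) {
    if (dst == NULL || dstlen < b64_required(n))
        return -1;
    b64_encode_unbounded(dst, src, n);
    return (int)(b64_required(n) - 1);
}

int main(void) {
    /* Constructed: a 64-byte "subject DN" and a 16-byte stack buffer. */
    unsigned char dn[64];
    char buf[16];
    memset(dn, 'A', sizeof dn);
    printf("need %zu bytes, have %zu\n", b64_required(sizeof dn), sizeof buf);
    if (b64_encode_bounded(buf, sizeof buf, dn, sizeof dn) < 0)
        printf("refused: input does not fit\n");
    b64_encode_bounded(buf, sizeof buf, (const unsigned char *)"Man", 3);
    printf("Man -> %s\n", buf);
    return 0;
}
```

In the bounded form the size check happens before any byte is written, so an over-long DN produces an error the caller can log and reject instead of a corrupted stack frame.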

gallery: unauthenticated access

Package(s):gallery CVE #(s):
Created:June 2, 2004 Updated:June 15, 2004
Description: The "gallery" photo album has a vulnerability which can allow access to the administrative account without authentication.
Alerts:
Gentoo 200406-10 2004-06-15
Debian DSA-512-1 2004-06-02

gatos: privilege escalation

Package(s):gatos CVE #(s):CAN-2004-0395
Created:June 2, 2004 Updated:June 2, 2004
Description: The xatitv program, part of the gatos package, fails to drop root privileges after an initialization failure. For added fun, it then calls system() with unsanitized environment variables.
Alerts:
Debian DSA-509-1 2004-05-29
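
The two practices the gatos entry above says xatitv gets wrong, shown as an added example that is not the gatos code: drop root completely (and verify the drop) before continuing on any path, including the initialization-failure path, and run helpers with a fixed environment and an absolute path instead of handing the invoking user's environment to system(). The function names, the hardcoded PATH and the /bin/sh demonstration command are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example, not gatos/xatitv code. */

/* Drop from root to uid/gid irreversibly.  Order matters: supplementary
 * groups and the gid must go while we are still root; the uid goes last.
 * Returns 0 on success, -1 on failure; a caller must treat -1 as fatal
 * and exit, never carry on as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop actually happened on both real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* Regaining root must now be impossible (unless uid itself is 0). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The child's environment is built from constants, so PATH, IFS,
 * LD_PRELOAD and anything else the invoking user set never reaches the
 * helper.  Returns the number of entries; envp is NULL-terminated. */
#define SAFE_ENV_MAX 4
int safe_env(char *envp[SAFE_ENV_MAX]) {
    int n = 0;
    envp[n++] = "PATH=/usr/bin:/bin";
    envp[n++] = "IFS= \t\n";
    envp[n] = NULL;
    return n;
}

/* Replacement for system(): no shell interpretation of a command string,
 * no PATH search, fixed environment.  argv[0] must be an absolute path.
 * Returns the child's exit status, or -1 on error. */
int run_command(char *const argv[]) {
    char *envp[SAFE_ENV_MAX];
    int status;

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') {
        errno = EINVAL;
        return -1;
    }
    safe_env(envp);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* For a setuid-root program this is the first thing to do once the
     * work that genuinely needs root (opening a device, say) is done. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;                   /* never continue as root on failure */
    }
    char *const show[] = {
        "/bin/sh", "-c", "echo PATH=$PATH LD_PRELOAD=$LD_PRELOAD", NULL
    };
    return run_command(show);
}
```

The ordering in drop_privileges() is the part people get wrong: setuid() first would leave the process unable to call setgid() or setgroups() afterwards, and skipping the verification step is how a partially failed drop goes unnoticed.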

jftpgw: format string vulnerability

Package(s):jftpgw CVE #(s):CAN-2004-0448
Created:June 2, 2004 Updated:June 2, 2004
Description: jftpgw (an FTP proxy) contains a format string vulnerability which could allow the execution of arbitrary commands with the privileges of the server process.
Alerts:
Debian DSA-510-1 2004-05-29

kerberos: buffer overflows

Package(s):kerberos5 CVE #(s):
Created:June 2, 2004 Updated:June 2, 2004
Description: MIT Kerberos 5 suffers from multiple buffer overflows which could lead to a remote root exploit, though the exploit looks difficult. Versions through krb5-1.3.3 are affected; see this advisory for more information.
Alerts:
Trustix TSLSA-2004-0032 2004-06-02

mailman: password disclosure

Package(s):mailman CVE #(s):CAN-2004-0412
Created:May 27, 2004 Updated:July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve member passwords from the server.
Alerts:
Fedora-Legacy FLSA:1734 2004-07-19
Fedora FEDORA-2004-168 2004-07-01
Fedora FEDORA-2004-167 2004-07-01
Gentoo 200406-04 2004-06-09
Mandrake MDKSA-2004:051 2004-05-26

Updated vulnerabilities

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174
Created:May 12, 2004 Updated:May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
Alerts:
Gentoo 200405-22 2004-05-26
Mandrake MDKSA-2004:046-1 2004-05-20
Mandrake MDKSA-2004:046 2004-05-17
Trustix TSLSA-2004-0027 2004-05-13
Slackware SSA:2004-133-01 2004-05-12
OpenPKG OpenPKG-SA-2004.021 2004-05-12

cvs: heap overflow

Package(s):cvs CVE #(s):CAN-2004-0396
Created:May 19, 2004 Updated:June 11, 2004
Description: CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
Alerts:
Whitebox WBSA-2004:190-01 2004-06-10
Fedora-Legacy FLSA:1620 2004-06-02
Slackware SSA:2004-140-01 2004-05-19
Gentoo 200405-12 2004-05-20
OpenPKG OpenPKG-SA-2004.022 2004-05-19
Mandrake MDKSA-2004:048 2004-05-19
Fedora FEDORA-2004-131 2004-05-19
Fedora FEDORA-2004-126 2004-05-19
SuSE SuSE-SA:2004:013 2004-05-19
Red Hat RHSA-2004:190-01 2004-05-19
Debian DSA-505-1 2004-05-19

ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

firebird: Locally exploitable stack overflow

Package(s):firebird CVE #(s):
Created:May 24, 2004 Updated:May 26, 2004
Description: A buffer overflow exists in three Firebird database binaries (gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by setting the INTERBASE environment variable to a large value. An attacker could control program execution, allowing privilege escalation to the UID of Firebird, full access to Firebird databases, and trojaning of the Firebird binaries. An attacker could use this to compromise other user or root accounts. See also this bug report.
Alerts:
Gentoo 200405-18 2004-05-23

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

heimdal: missing input sanitizing

Package(s):heimdal CVE #(s):CAN-2004-0472
Created:May 18, 2004 Updated:May 27, 2004
Description: Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is present in kadmind, a server for administrative access to the Kerberos database. This problem could perhaps be exploited to cause the daemon to read a negative amount of data which could lead to unexpected behavior.
Alerts:
Gentoo 200405-23 2004-05-27
Debian DSA-504-1 2004-05-18

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

racoon: denial of service vulnerability

Package(s):ipsec-tools racoon iputils CVE #(s):CAN-2004-0403
Created:April 26, 2004 Updated:July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

kde: URI Handler Vulnerabilities

Package(s):kde Opera CVE #(s):CAN-2004-0411
Created:May 17, 2004 Updated:June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exist in all versions of KDE up to and including KDE 3.2.2. See this advisory for more information.
Alerts:
Debian DSA-518-1 2004-06-14
Conectiva CLA-2004:843 2004-05-26
SuSE SuSE-SA:2003:014 2004-05-26
Gentoo 200405-19 2004-05-25
Gentoo 200405-11 2004-05-19
Fedora FEDORA-2004-122 2004-05-19
Mandrake MDKSA-2004:047 2004-05-18
Fedora FEDORA-2004-121 2004-05-17
Slackware SSA:2004-238-01 2004-05-17
Red Hat RHSA-2004:222-01 2004-05-17

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

kernel - root exploit in MCAST_MSFILTER

Package(s):kernel CVE #(s):CAN-2004-0424
Created:April 22, 2004 Updated:June 11, 2004
Description: A locally exploitable integer overflow has been found in the multicast code of Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 to 2.6.3. A successful exploit could lead to full superuser privileges.
Alerts:
Whitebox WBSA-2004:183-01 2004-06-10
SuSE SuSE-SA:2004:010 2004-05-05
Slackware SSA:2004-119-01 2004-04-28
Mandrake MDKSA-2004:037 2004-04-27
Red Hat RHSA-2004:183-01 2004-04-22
Fedora FEDORA-2004-111 2004-04-22
Trustix TSLSA-2004-0022 2004-04-21
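
The integer-overflow class in the MCAST_MSFILTER entry above, as an added example that is not the kernel's code: a user-supplied count is multiplied by an element size to size a buffer or a copy, and 32-bit arithmetic wraps silently. The header and element sizes below are constructed to resemble a multicast source-filter request (a fixed header followed by numsrc addresses) and are not the kernel's structures; MAX_SOURCES is a made-up policy limit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Linux kernel code.  Layout is constructed. */
#define FILTER_HDR_SIZE  ((uint32_t)8)   /* constructed: interface, group, count */
#define SRC_ADDR_SIZE    ((uint32_t)4)   /* constructed: one IPv4 source address */
#define MAX_SOURCES      ((uint32_t)64)  /* constructed policy limit */

/* Vulnerable shape: the product is computed in 32 bits and wraps.  With
 * numsrc = 0x40000000 the product is 2^32, which truncates to 0, so the
 * "size" is just the header while the caller later walks numsrc entries
 * of user data into it: a heap overflow. */
uint32_t filter_size_unchecked(uint32_t numsrc) {
    return FILTER_HDR_SIZE + numsrc * SRC_ADDR_SIZE;
}

/* Hardened shape: refuse the count if the multiplication would wrap,
 * then apply an explicit policy bound as defense in depth, and only then
 * compute the size.  Returns 0 and sets *out on success, -1 otherwise. */
int filter_size_checked(uint32_t numsrc, size_t *out) {
    if (numsrc > (UINT32_MAX - FILTER_HDR_SIZE) / SRC_ADDR_SIZE)
        return -1;                          /* would overflow 32 bits */
    if (numsrc > MAX_SOURCES)
        return -1;                          /* exceeds policy */
    *out = (size_t)FILTER_HDR_SIZE + (size_t)numsrc * SRC_ADDR_SIZE;
    return 0;
}

/* What a kernel boundary should do before allocating or copying: derive
 * the size safely and require the caller's declared length to cover it.
 * Returns 0 if the request is acceptable, -1 if it must be rejected. */
int validate_request(uint32_t numsrc, size_t optlen) {
    size_t need;
    if (filter_size_checked(numsrc, &need) != 0)
        return -1;
    return optlen >= need ? 0 : -1;
}

int main(void) {
    uint32_t evil = 0x40000000u;        /* constructed attacker count */
    size_t need;
    printf("unchecked size for %#x sources: %u bytes (wrapped)\n",
           evil, filter_size_unchecked(evil));
    printf("checked:   %s\n",
           filter_size_checked(evil, &need) == 0 ? "accepted" : "rejected");
    printf("two sources, 16-byte request: %s\n",
           validate_request(2, 16) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The overflow check is written as a division rather than as a multiply-then-compare because the compare after the multiply would itself be looking at the wrapped value; this is the same reason a policy limit alone is not enough unless it is applied before any arithmetic on the count.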

kernel: exploitable bug in the cpufreq code

Package(s):kernel CVE #(s):CAN-2004-0228
Created:May 24, 2004 Updated:May 26, 2004
Description: Brad Spengler discovered an exploitable bug in the cpufreq code in the Linux 2.6 kernel.
Alerts:
Mandrake MDKSA-2004:050 2004-05-21

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

kolab: password disclosure

Package(s):kolab CVE #(s):
Created:May 5, 2004 Updated:May 27, 2004
Description: Kolab stores passwords in plain text, and these passwords can be read from the underlying LDAP database. See this advisory for more information.
Alerts:
Mandrake MDKSA-2004:052 2004-05-26
OpenPKG OpenPKG-SA-2004.019 2004-05-05

LHA: stack buffer overflows and directory traversal flaws

Package(s):LHA CVE #(s):CAN-2004-0234 CAN-2004-0235
Created:April 30, 2004 Updated:June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.

CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.

CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.

Alerts:
Whitebox WBSA-2004:178-01 2004-06-10
Debian DSA-515-1 2004-06-05
Red Hat RHSA-2004:178-01 2004-05-26
Fedora FEDORA-2004-119 2004-05-11
Gentoo 200405-02 2004-05-09
Conectiva CLA-2004:840 2004-05-06
Slackware SSA:2004-125-01 2004-05-04
Red Hat RHSA-2004:179-01 2004-04-30

Comments (2 posted)

libpng: denial of service vulnerability.

Package(s):libpng CVE #(s):CAN-2004-0421
Created:April 29, 2004 Updated:June 11, 2004
Description: The PNG library can access memory that is out of bounds when creating an error message; this can be exploited by a malformed PNG image file.
Alerts:
Whitebox WBSA-2004:180-01 2004-06-10
Red Hat RHSA-2004:180-01 2004-05-19
Gentoo 200405-06 2004-05-14
Fedora FEDORA-2004-106 2004-05-05
Fedora FEDORA-2004-105 2004-05-05
Slackware SSA:2004-124-04 2004-05-02
Red Hat RHSA-2004:181-01 2004-04-30
Trustix TSLSA-2004-0025 2004-04-30
Debian DSA-498-1 2004-04-30
Mandrake MDKSA-2004:040 2004-04-29
OpenPKG OpenPKG-SA-2004.017 2004-04-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

mc: multiple vulnerabilities

Package(s):mc CVE #(s):CAN-2004-0226 CAN-2004-0231 CAN-2004-0232
Created:April 29, 2004 Updated:May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems.
Alerts:
Gentoo 200405-21 2004-05-26
Red Hat RHSA-2004:172-01 2004-05-19
Slackware SSA:2004-136-01 2004-05-14
SuSE SuSE-SA:2004:012 2004-05-14
Red Hat RHSA-2004:173-01 2004-04-30
Mandrake MDKSA-2004:039 2004-04-29
Debian DSA-497-1 2004-04-29

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

passwd: various problems

Package(s):passwd CVE #(s):
Created:May 17, 2004 Updated:June 2, 2004
Description: Steve Grubb found some problems in the passwd program. Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that pam may not have been sufficiently initialized to ensure safe and proper operation. A few small memory leaks have been fixed as well.
Alerts:
Mandrake MDKSA-2004:045 2004-05-17

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync remote file write attack

Package(s):rsync CVE #(s):CAN-2004-0426
Created:April 30, 2004 Updated:July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

utempter problems with symlink and strncpy

Package(s):utempter CVE #(s):CAN-2004-0233
Created:April 19, 2004 Updated:June 11, 2004
Description: Steve Grubb discovered two potential issues in the utempter program:
  1. If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.

  2. Several calls to strncpy without a manual termination of the string. This would most likely crash utempter.
Alerts:
Whitebox WBSA-2004:174-01 2004-06-10
Red Hat RHSA-2004:174-01 2004-05-26
Fedora-Legacy FLSA:1546 2004-05-18
Gentoo 200405-05 2004-05-13
Red Hat RHSA-2004:175-01 2004-04-30
Mandrake MDKSA-2004:031-1 2004-04-21
Fedora FEDORA-2004-108 2004-04-21
Slackware SSA:2004-110-01 2004-04-19
Mandrake MDKSA-2004:031 2004-04-19

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: malicious code execution

Package(s):xine-lib CVE #(s):CAN-2004-0433
Created:May 3, 2004 Updated:May 28, 2004
Description: A vulnerability exists in xine-lib where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream. More details can be found in this advisory. The problem has been fixed in xine-lib 1-rc4.
Alerts:
Gentoo 200405-24 2004-05-28
Slackware SSA:2004-124-03 2004-05-02

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xpcd: buffer overflow

Package(s):xpcd CVE #(s):CAN-2004-0402
Created:May 24, 2004 Updated:June 1, 2004
Description: Jaguar discovered a vulnerability in one component of xpcd, a PhotoCD viewer. xpcd-svga, part of xpcd which uses svgalib to display graphics on the console, would copy user-supplied data of arbitrary length into a fixed-size buffer in the pcd_open function.
Alerts:
Mandrake MDKSA-2004:053 2004-06-01
Debian DSA-508-1 2004-05-22

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.7-rc2, released on May 29. Most of the patches this time around are aimed at stabilization after the big changes in -rc1, but -rc2 also contains an ALSA update, a whole bunch of new __user annotations (intended to help find misuses of user-space pointers - see below), an XFS update, some IPSec fixes, and some architecture updates. See the long-format changelog for the details.

Linus's BitKeeper repository contains, as of this writing, some stack usage reduction patches, more __user annotations, some architecture updates, and a few other fixes.

The current prepatch from Andrew Morton is 2.6.7-rc2-mm1. Recent additions to -mm include NFS, MD, and DMI updates, the x86 performance counters patch, some read-copy-update scalability work, and the usual pile of fixes.

The current 2.4 prepatch is 2.4.27-pre4, which was released by Marcelo on May 30. There are some XFS and JFS updates, a number of 2.6 networking backports (including TCP Vegas support and receiver-side RTT estimation), some driver updates, and the usual set of fixes.

Comments (4 posted)

Kernel development news

x86 NX support

Marking regions of memory as not containing executable code is not a particularly new technique; some processors have recognized this mode for years. The processor that everybody actually uses, however (the x86 family), does not have a "no-execute" bit.

At least, it didn't until very recently. AMD added a no-execute (NX) permission bit to the page table entries in its 64-bit processors; Intel has recently said it will be supporting this mode as well. So the hardware will be able to avoid executing code from certain regions of memory, making various types of buffer overflow attacks harder. At least, that will be true if the operating system supports and uses the NX mode.

To that end, Ingo Molnar has posted a patch bringing NX support to the x86 architecture; his patch is based on previous work done by Intel and the x86_64 NX support by Andi Kleen. This patch allows applications to mark areas as being non-executable; such areas, typically, will include the stack and heap zones. It also applies the NX bit to the kernel itself; kernel text is marked executable, but kernel data is not. As a result, the next time a buffer overflow turns up in the kernel, it, too, will be harder to exploit.

The NX bit only works when the processor is running in the PAE mode. Most x86 Linux systems currently do not run in that mode; it is normally only turned on when large amounts of memory (more than 4GB) are installed. This mode adds a third level of page tables, and makes the page table entries themselves larger, so users and distributors normally turn it off if it is not needed. Most modern x86 processors support the PAE mode, however; security considerations may lead to it being used more heavily in the future.

Linus's main concern about the patch would appear to be how many old applications it might break. The reply from Arjan van de Ven is that pretty much everything "just works." The no-execute permission is not applied unless the code is specially marked in the image file, and gcc apparently does a good job of not setting that flag when it would break things. If this experience holds true, NX support could go in fairly quickly, and a longstanding x86 security weakness will be no more.

For people interested in testing this patch, Arjan has merged it into the latest Fedora Core test kernels. See the patch announcement for a pointer. There is also a "quickstart" document for those who would like to test out NX in their own kernels.
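The article says the no-execute permission is applied only when the image file carries a special marking that gcc knows when to leave out. The following is an added example, not code from the article or from Ingo Molnar's patch; it assumes that this marking is the ELF PT_GNU_STACK program header, whose PF_X flag asks the loader for an executable stack. The function inspects an ELF64 image held in memory and reports which way the stack is marked, and the sample image it is run against is constructed inside the program (it is a header pair, not a loadable binary).

```c
/* Added example, not from the LWN article or from the NX patch: report the
 * stack policy recorded in an ELF64 image.  Assumption: the marking the
 * article mentions is the PT_GNU_STACK program header and its PF_X flag.
 * Field values are read in host byte order, so this expects a little-endian
 * host such as x86. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum stack_policy {
    STACK_BAD_IMAGE = -1,   /* not a usable ELF64 image */
    STACK_NOEXEC    = 0,    /* PT_GNU_STACK present, PF_X clear */
    STACK_EXEC      = 1,    /* PT_GNU_STACK present, PF_X set */
    STACK_UNMARKED  = 2     /* no PT_GNU_STACK at all: loader default applies */
};

/* Walk the program header table looking for PT_GNU_STACK.  All offsets are
 * bounds-checked against len before they are used. */
static int elf64_stack_policy(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return STACK_BAD_IMAGE;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_IMAGE;
    if (eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BAD_IMAGE;
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_BAD_IMAGE;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNMARKED;
}

/* Constructed sample image: an ELF header followed by at most one program
 * header.  Returns the number of bytes written, 0 if buf is too small. */
static size_t build_sample(unsigned char *buf, size_t cap, int exec_stack, int with_marker)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t n = sizeof eh + (with_marker ? sizeof ph : 0);
    if (cap < n)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = with_marker ? 1 : 0;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(buf, &eh, sizeof eh);
    if (with_marker)
        memcpy(buf + sizeof eh, &ph, sizeof ph);
    return n;
}

/* With a path argument, inspect the first 64 KiB of a real binary (enough
 * for the program header table of ordinary executables); without one, inspect
 * the constructed sample. */
int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];
    static const char *names[] = {
        "non-executable stack", "executable stack", "no PT_GNU_STACK header"
    };
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        n = build_sample(buf, sizeof buf, 0, 1);
    }
    int r = elf64_stack_policy(buf, n);
    if (r < 0) { puts("not a usable ELF64 image"); return 1; }
    puts(names[r]);
    return 0;
}
```

Binaries that come back as "executable stack" or "no PT_GNU_STACK header" are the ones an NX-capable kernel will still run with an executable stack, and therefore the ones worth rebuilding or investigating before relying on the protection.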

Comments (5 posted)

The staircase scheduler

As the 2.6.0 release approached, some developers worried that the CPU scheduler would be the downfall of this particular stable series. Complaints of poor interactive performance were common, NUMA systems were not supported well, and so on. Over time, most of these problems have been addressed; massive amounts of interactivity work and the domain scheduler have smoothed over most of the problems. Complaints about the scheduler have been relatively rare in recent times.

One thing that does still bother some people, however, is the complexity of the current 2.6 scheduler. The interactivity work, in particular, added a great deal of very obscure code. The scheduler goes to great lengths to try to identify interactive tasks and to boost their priority accordingly. This process involves numerous strange computations involving a number of magic constants; it is difficult to understand, much less improve.

Con Kolivas, who had his hand in much of the interactivity work, has just posted a new version of his "staircase scheduler" patch. This patch aims to greatly simplify the scheduler while simultaneously improving interactive response; it deletes 498 lines of code, while adding less than 200. Much of what is deleted is the "black magic" interactivity calculations; it is all replaced with a relatively simple, rank-based scheme.

The staircase scheduler implements a single, ranked array of processes for each CPU. Initially, each process goes into the array at the rank determined by its base priority; the scheduler can then locate and run the highest-priority process in the usual way. So far, not much has changed.

In the current scheduler, processes which use up their time slice get moved over to a separate "expired" array; there they languish until the rest of the processes in the mix have used up their time (or blocked) as well. The staircase scheduler does away with the expired array; instead, an expired process will be put back into the staircase, but at the next lower rank. It can, thus, continue to run, but at a lower priority. When it exhausts another time slice, it moves down again. And so on. The following little table shows how long the process spends at each priority level:

                              Priority rank
Iteration   Base   -1   -2   -3   -4   -5   -6   -7   -8   -9 ...
    1         1     1    1    1    1    1    1    1    1    1

When a process falls off the bottom of the staircase, an interesting thing happens: it gets moved back up to one level below its previous maximum, and it gets two time slices at that level. Thereafter, it once again works its way down the steps to the bottom. The next time, it goes up to two steps below the maximum, for three time slices. The above table, with three iterations through the staircase, would look like this:

                              Priority rank
Iteration   Base   -1   -2   -3   -4   -5   -6   -7   -8   -9 ...
    1         1     1    1    1    1    1    1    1    1    1
    2               2    1    1    1    1    1    1    1    1
    3                    3    1    1    1    1    1    1    1

Each descent down the staircase thus involves the same number of time slices, but, each time, more slices are spent at the top priority level for that iteration. This algorithm helps maintain the relative priorities. A process at priority n will, after falling off the staircase, find itself competing with all the processes at priority n-1, but it will get a longer slice of time relative to those other processes, which have a lower base priority.

If a process sleeps for a reasonable interval, it gets pushed back up the staircase. Thus interactive tasks, which normally sleep quite a bit, should stay near the top of the staircase and be responsive, while CPU hogs spend much of their time on the lower steps.
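The descent described above follows a simple rule: descent number k starts k-1 steps below the base priority, spends k time slices there, then one slice on each lower step. The following is an added example, not code from the article or from Con Kolivas's patch: a small model that generates the tables shown above for any number of descents and checks the invariant the article states, that every descent costs the same number of slices. Rank 0 stands for the base priority and rank `depth` for the bottom step; what happens once the starting step itself reaches the bottom is not described in the article, so the model simply stops there.

```c
/* Added example, not from the article or the staircase patch: a model of the
 * staircase descent.  Rank 0 is the base priority, rank `depth` the bottom. */
#include <stdio.h>

#define MAX_STEPS 32

/* Fill slices[0..depth] with the time slices spent at each rank during descent
 * number `iteration` (1-based).  Returns the total slices in the descent, or 0
 * if the descent cannot start (starting step below the bottom, bad argument). */
static int staircase_descent(int iteration, int depth, int slices[MAX_STEPS])
{
    int start = iteration - 1;   /* descent k begins k-1 steps below base */
    int total = 0;
    if (iteration < 1 || depth < 0 || depth >= MAX_STEPS || start > depth)
        return 0;
    for (int rank = 0; rank <= depth; rank++) {
        if (rank < start)
            slices[rank] = 0;            /* steps above the start are skipped */
        else if (rank == start)
            slices[rank] = iteration;    /* k slices on the top step of descent k */
        else
            slices[rank] = 1;            /* one slice on every lower step */
        total += slices[rank];
    }
    return total;
}

/* Print the article's table for descents 1..iterations on a staircase with
 * `depth` steps below the base priority. */
static void print_staircase(int iterations, int depth)
{
    int slices[MAX_STEPS];
    printf("Iteration  Base");
    for (int r = 1; r <= depth; r++)
        printf(" %3d", -r);
    putchar('\n');
    for (int k = 1; k <= iterations; k++) {
        int total = staircase_descent(k, depth, slices);
        if (!total)
            break;
        printf("%9d ", k);
        for (int r = 0; r <= depth; r++) {
            if (slices[r])
                printf(" %3d", slices[r]);
            else
                printf("    ");
        }
        printf("   (total %d)\n", total);
    }
}

int main(void)
{
    print_staircase(3, 9);   /* reproduces the three-iteration table above */
    return 0;
}
```

The total column is the point: with a staircase of depth 9 every descent costs 10 slices, so a process is not given more CPU over time, only a larger share of it at the top step of each descent relative to the processes it is competing with there.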

The kernel community may not be up for another big scheduler change at this point in the stable series; many people would like to see 2.6 actually stabilize and 2.7 begin. This patch appears worthy of consideration, however, for its simplification of a complex part of the kernel if nothing else.

Comments (8 posted)

Finding kernel problems automatically

In past years, this page has looked at the work done by the "Stanford checker," which analyzes code in search of various types of programming errors. The checker has found a lot of problems over the years, with the result that a lot of problems have been fixed before they had a chance to bite users of production kernels.

The only problem with the Stanford checker is that it is not free software; it is, in fact, completely unavailable to the world as a whole. Rather than release the code, the checker group went off and formed Coverity to commercialize the checker software (now called "SWAT" and touted, ominously, as being "patent pending"). Developers at Coverity still occasionally post reports of potential bugs found by SWAT, but, for the most part, their attention seems focused on potential revenue opportunities.

It is hard to complain about this outcome. Before heading on this course, the Coverity folks uncovered vast numbers of bugs, and all Linux users benefited from that work. They also demonstrated how valuable static code testing tools can be. The community, however, was left in the position of having to actually write its own checker if it wanted one. Fortunately, this is the sort of thing the community can be good at.

A while back, none other than Linus Torvalds started work on his own tool, which came to be called "sparse." There has recently been a flurry of new activity around sparse, so it seems like a good time to take a look.

sparse is normally obtained by cloning the BitKeeper repository at bk://kernel.bkbits.net/torvalds/sparse. For those who don't use BK, a checked-out version is available (as a bunch of SCCS files) on kernel.org. There is a low-bandwidth sparse mailing list as well.

Essentially, sparse is a parsing and analysis library for the C language. One could put a number of different backends onto it; for example, a code-generation backend would turn it into a simple compiler. For the purposes of the kernel, however, the backend of interest is the analysis code which looks for various types of errors. The analyzer checks for quite a few different types of errors. Many of these (many sorts of type mismatches, for example) are also found by the compiler, but other tests are unique to sparse.

The core test done by sparse is still the check for improper use of user-space pointers. A quick look through the kernel will turn up liberal use of a type attribute called __user; for example, the read() method invoked from system calls is prototyped as:

    ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);

When the kernel is being compiled, __user is defined as the empty string, so gcc doesn't see it at all. When sparse is being used instead, __user marks the pointer as (1) being in a separate address space, and (2) not being legal to dereference. sparse uses those flags to catch any mixing of user- and kernel-space pointers, and any attempt to directly dereference user-space pointers.

These checks have turned up a surprising number of errors. The kernel normally sets up the virtual address space in such a way that direct dereferencing of user-space pointers actually works - most of the time. Using user-space addresses in this way will fail, however, if the user page is not actually resident in memory at the time. More importantly, perhaps, this sort of direct dereferencing bypasses the normal access controls; every such error could, thus, become a security hole.

Catching such mistakes automatically seems like a good idea. It does require, however, that every variable holding a user-space pointer be marked with the __user attribute. Since much of the kernel (including every device driver) deals with user-space pointers, this is not a trivial job. This job is proceeding, however; several dozen patches adding __user annotations (and fixing problems found on the way) have been merged for 2.6.7.
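How the __user scheme works in practice, as an added example (not code from sparse or the kernel): the two attribute definitions are the ones the kernel's compiler.h uses, while the fake user window, access_ok() and copy_to_user() are constructed user-space stand-ins so the file builds and runs with gcc. Compiled with gcc, both read methods work; run through sparse (`sparse file.c`), the direct store in bad_read() is the one that gets flagged.

```c
/* Added illustration of the __user scheme that sparse checks. The two attribute
 * definitions are the kernel's own (include/linux/compiler.h); the fake user
 * window, access_ok() and copy_to_user() are constructed user-space stand-ins so
 * the file builds with gcc and runs here. This is not sparse or kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#ifdef __CHECKER__
/* What sparse sees: a distinct address space whose pointers may not be dereferenced. */
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))   /* explicit, audited cast out of that space */
#else
/* What gcc sees: nothing at all, exactly as in a normal kernel build. */
# define __user
# define __force
#endif

/* Stand-in for the calling process's user address range (constructed). */
static unsigned char user_window[256];
static char kernel_buf[64];               /* an ordinary kernel-space buffer, for contrast */
#define USER_BASE ((uintptr_t)user_window)
#define USER_END  (USER_BASE + sizeof(user_window))

/* Kernel-style access_ok(): the whole range [p, p + n) must lie in user space. */
static int access_ok(const void __user *p, size_t n)
{
    uintptr_t a = (uintptr_t)(__force const void *)p;

    return a >= USER_BASE && a <= USER_END && n <= USER_END - a;
}

/* Kernel-style copy_to_user(): returns the number of bytes NOT copied. */
static size_t copy_to_user(void __user *to, const void *from, size_t n)
{
    if (!access_ok(to, n))
        return n;
    memcpy((__force void *)to, from, n);
    return 0;
}

static const char greeting[] = "hello from the kernel\n";

/* Correct read() method: the __user pointer only ever reaches copy_to_user(),
 * so the access check cannot be skipped. */
static ssize_t good_read(char __user *buf, size_t count)
{
    size_t n = sizeof(greeting) - 1;

    if (count < n)
        n = count;
    if (copy_to_user(buf, greeting, n))
        return -14;                       /* -EFAULT */
    return (ssize_t)n;
}

/* Buggy read() method: stores through the user pointer directly. gcc accepts it,
 * and on most systems it even appears to work, but no access check is ever made.
 * Under sparse this is the "dereference of noderef expression" warning that the
 * __user annotation exists to produce. */
static ssize_t bad_read(char __user *buf, size_t count)
{
    size_t n = sizeof(greeting) - 1;

    if (count < n)
        n = count;
    for (size_t i = 0; i < n; i++)
        buf[i] = greeting[i];
    return (ssize_t)n;
}
```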

Other checks performed include finding constants which are too long for their target type, mistakes in embedded assembly language code, empty switch statements, assignments in conditionals, and so on. sparse's output is still rather noisy, but one assumes that will improve over time. If you have sparse installed, running it on the kernel is simply a matter of adding "C=1" to the make command. External modules can also be checked in this way.

sparse is still clearly far behind the Stanford checker in terms of the variety of errors it can find. Unlike the checker, however, sparse is free software. The core parsing infrastructure is in place, so the addition of new checks should be relatively straightforward. All that's needed is the application of a bunch of developer time.

Diskdump: a new crash dump system

A standard feature of most commercial operating systems is a "crash dump" facility. If something goes wrong in the operating system kernel, the system saves its entire state to a file and reboots; the contents of that file can then be examined at leisure to try to figure out what went wrong. The Linux kernel, however, lacks this capability. There are a few possible reasons for this omission: the kernel never crashes (not quite true, unfortunately), kernel developers rarely want crash dumps for their own work, and there is a certain degree of unhappiness with all of the crash dump patches currently in circulation. The fact of the matter, however, is that a number of Linux vendors would like to have a good crash dump system in place so they can better support their customers.

A recent patch posted by Takao Indoh may provide that capability. The new "diskdump" system has taken a simpler approach to crash dumps that, with some fixes, may just get enough core hacker support to be considered for merging into the (presumably 2.7) mainline.

Diskdump works by taking absolute control of the system when a panic occurs. It shuts down all interrupts to keep the processor from getting distracted; it also freezes all other processors on SMP systems. It then checksums its own code, comparing against a value computed at initialization time; if the checksums fail to match, diskdump assumes that it has been corrupted as a result of whatever went wrong and refuses to run.

The next step involves finding a place to store the crash dump. Diskdump can be set up with multiple dump partitions. For each possibility, it queries the state of the driver, then reads and verifies the entire crash dump space. The diskdump authors are (rightly) fearful of overwriting important data while the system is in an unstable state, so diskdump requires that every block of the crash dump partition be initialized with a special pattern. If any blocks fail the test, that destination will not be used.

When a suitable location has been found, diskdump writes a header with the system state and panic information, followed by a memory image. At that point the system can be rebooted; once things are stable again, the "savecore" utility turns the memory image into a proper core dump and reinitializes the crash dump partition. All is then in readiness for debugging and, if need be, the next crash.

Diskdump needs some significant block driver modifications to be able to do its job. The driver must export a new set of operations:

    struct disk_dump_device_ops {
        int (*sanity_check)(struct disk_dump_device *);
        int (*quiesce)(struct disk_dump_device *);
        int (*shutdown)(struct disk_dump_device *);
        int (*rw_block)(struct disk_dump_partition *, int rw, unsigned long
            block_nr, void *buf);
    };

The sanity_check() call checks to ensure that the device in question is ready to accept a crash dump. If that function finds that, for example, the device is offline or somebody, somewhere, is holding a spinlock for the device, the sanity check will fail and the dump will have to go somewhere else. A call to quiesce() follows, in case any preparation is needed. The current implementation (which only works with some SCSI devices) performs a full SCSI bus reset at this point. The actual I/O is done via rw_block(), which is expected to transfer one page per call. This I/O should be done without interrupts (which are, remember, disabled when the panic happens), so the typical implementation will work by polling the device. At the end, shutdown() is called to ensure that all blocks have been flushed to the media.
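The destination check and dump sequence described above, as an added simulation that is not code from the diskdump patch: an in-memory block device behind a disk_dump_device_ops-style table, the pattern check over every block before the partition is used, a header followed by the memory image written one page per rw_block() call, and savecore re-initializing the partition afterwards. The page size, block count, fill pattern and header layout are constructed for the simulation.

```c
/* Added simulation of diskdump's dump-destination protocol (a constructed stand-in,
 * not code from the diskdump patch): block device behind a disk_dump_device_ops-style
 * table, pattern check over every block, header + image one page per rw_block() call. */
#include <stdint.h>
#include <string.h>

#define DUMP_PAGE_SIZE 64              /* tiny "page" for the simulation */
#define DUMP_BLOCKS    16
#define DUMP_MAGIC     0x4444554dU     /* constructed header magic */
enum { RW_READ, RW_WRITE };

/* savecore fills every free block with this pattern (constructed value). */
static const char dump_pattern[DUMP_PAGE_SIZE] = "DISKDUMP-FREE-BLOCK";

struct sim_disk { int online; unsigned char blocks[DUMP_BLOCKS][DUMP_PAGE_SIZE]; };

struct disk_dump_header {              /* exactly one page long */
    uint32_t magic, pages;
    char panic_string[DUMP_PAGE_SIZE - 8];
};

/* The operations a dump-capable driver exports; the shape follows the patch. */
struct disk_dump_device_ops {
    int (*sanity_check)(struct sim_disk *);
    int (*quiesce)(struct sim_disk *);
    int (*shutdown)(struct sim_disk *);
    int (*rw_block)(struct sim_disk *, int rw, unsigned long block_nr, void *buf);
};

static int sim_sanity_check(struct sim_disk *d) { return d->online ? 0 : -1; }
static int sim_quiesce(struct sim_disk *d) { (void)d; return 0; }  /* e.g. bus reset */
static int sim_shutdown(struct sim_disk *d) { (void)d; return 0; } /* flush to media */

/* Polled, interrupt-free transfer of exactly one page. */
static int sim_rw_block(struct sim_disk *d, int rw, unsigned long block_nr, void *buf)
{
    if (block_nr >= DUMP_BLOCKS)
        return -1;
    if (rw == RW_WRITE)
        memcpy(d->blocks[block_nr], buf, DUMP_PAGE_SIZE);
    else
        memcpy(buf, d->blocks[block_nr], DUMP_PAGE_SIZE);
    return 0;
}

static const struct disk_dump_device_ops sim_ops = {
    sim_sanity_check, sim_quiesce, sim_shutdown, sim_rw_block };

/* savecore's job after reboot: mark every block free again. */
static void savecore_reinit(const struct disk_dump_device_ops *ops, struct sim_disk *d)
{
    unsigned char buf[DUMP_PAGE_SIZE];
    memcpy(buf, dump_pattern, sizeof buf);
    for (unsigned long b = 0; b < DUMP_BLOCKS; b++)
        ops->rw_block(d, RW_WRITE, b, buf);
}

/* Read back the whole partition; any block without the pattern disqualifies it. */
static int verify_dump_space(const struct disk_dump_device_ops *ops, struct sim_disk *d)
{
    unsigned char buf[DUMP_PAGE_SIZE];
    for (unsigned long b = 0; b < DUMP_BLOCKS; b++)
        if (ops->rw_block(d, RW_READ, b, buf) != 0 ||
            memcmp(buf, dump_pattern, DUMP_PAGE_SIZE) != 0)
            return -1;
    return 0;
}

/* Panic-time path: sanity check, verify, quiesce, header + image, shutdown.
 * Returns the number of blocks written, or -1 if this destination was refused. */
static int diskdump_write(const struct disk_dump_device_ops *ops, struct sim_disk *d,
                          const char *panic_msg, unsigned char *mem, uint32_t pages)
{
    struct disk_dump_header hdr = { DUMP_MAGIC, pages, {0} };
    if (pages + 1 > DUMP_BLOCKS || ops->sanity_check(d) != 0 ||
        verify_dump_space(ops, d) != 0 || ops->quiesce(d) != 0)
        return -1;
    strncpy(hdr.panic_string, panic_msg, sizeof hdr.panic_string - 1);
    ops->rw_block(d, RW_WRITE, 0, &hdr);
    for (uint32_t p = 0; p < pages; p++)
        ops->rw_block(d, RW_WRITE, p + 1, mem + (size_t)p * DUMP_PAGE_SIZE);
    ops->shutdown(d);
    return (int)pages + 1;
}

/* Constructed scenario: dump a 3-page image (4 blocks written) after optionally
 * corrupting one block first, then read the header back to confirm it landed. */
static int dump_scenario(int corrupt_block)
{
    static struct sim_disk d;
    unsigned char image[3 * DUMP_PAGE_SIZE];
    struct disk_dump_header hdr;
    memset(&d, 0, sizeof d);
    d.online = 1;
    savecore_reinit(&sim_ops, &d);
    if (corrupt_block >= 0)
        d.blocks[corrupt_block][0] ^= 0xff;     /* someone's data, not the pattern */
    memset(image, 0xab, sizeof image);
    if (diskdump_write(&sim_ops, &d, "Oops: constructed panic", image, 3) != 4)
        return -1;
    sim_rw_block(&d, RW_READ, 0, &hdr);
    return (hdr.magic == DUMP_MAGIC && hdr.pages == 3) ? 4 : -2;
}
```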

Perhaps the ugliest part of the patch - and the part which some developers have complained about - is the rerouting of timer and tasklet calls. Since all interrupts are disabled, the normal timer and software interrupt mechanisms will not function. Diskdump does not need those capabilities itself, but a number of disk drivers do. As a result, diskdump must, somehow, run tasklets and timers expected by the driver, but without running arbitrary code unrelated to the dump process. To this end, diskdump sets up its own private timer and tasklet lists which come into action once the system is locked down and the dump process begins.

Currently, all this works by modifying the drivers to call diskdump's functions rather than the core kernel variants. So, for example, instead of setting up a timer with add_timer(), a driver implementing dumps would call this little wrapper:

    static inline void diskdump_add_timer(struct timer_list *timer)
    {
        if (crashdump_mode())
            _diskdump_add_timer(timer);
        else
            add_timer(timer);
    }

But that function is only available if crash dumps are configured into the system, so some preprocessor macros are used to redefine add_timer() if need be. This solution is not going to make it into the mainline kernel, however. The preferred approach would appear to be integrating this functionality directly into the core timer and tasklet routines; that change will make the driver changes smaller, but at the cost of intruding into some of the core kernel code.

Page editor: Jonathan Corbet

Distributions

News and Editorials

If you Need a Firewall...

June 2, 2004

This article was contributed by Ladislav Bodnar

The flexibility of Linux and other open source software is clearly demonstrated by projects that use the available software to build specialist distributions. Among them, Linux-based firewalls have attracted much attention from developers. Many of these projects evolved into successful businesses, while others continue as community projects. As a general rule, these firewalls are capable of filtering packets, performing network address translation, and blocking unwanted traffic. Some of them go beyond these basic functions and offer more advanced features, such as secure connections using the IPSec protocol, intrusion detection, and even mail filtering and virus protection. Many of the products offer a Webmin or Webmin-like web-based interface for configuring the firewall over the network. Prices of these products range from free (or free for non-commercial use) to thousands of dollars. Below is a quick tour of what is available on the market today, in alphabetical order. One interesting observation: 9 of the 11 firewall products originate in Europe.

Astaro Security Linux. The German-based Astaro has been developing security and firewall solutions since January 2000. Now in version 5, Astaro Security Linux offers not only a firewall and VPN, but also virus scanning for all inbound and outbound email, spam protection, intrusion detection, and an excellent web-based interface for configuring services. The product is free for home use, but any commercial deployment requires a license fee starting at $390.

ClarkConnect Firewall/VPN. The Red Hat-based ClarkConnect Broadband Gateway project has been around for several years, but a dedicated Firewall/VPN edition was only introduced to the market in April of this year. The pages detailing the product features are still under construction, but if the Canadian company's main product (which does include firewall features) is anything to go by, it is worth a closer look, especially by users familiar with Red Hat Linux or Fedora Core.

Devil-Linux. Devil-Linux is a run-from-CD firewall, a community project developed by Heiko Zuerker. According to the author, the main advantage of a CD-based firewall is that the content on the CD cannot be modified by an intruder - a simple reboot will restore the firewall to its original state. Also, a CD-based firewall requires no installation, consumes less power, is immune to hard disk failures, and is simple to get up and running in a very short time. Devil-Linux does not offer any graphical configuration utilities, but a console-mode setup wizard is provided for setting up the firewall. Configuration files can be saved to a floppy disk, hard disk or a USB storage device. Devil-Linux is released under the GPL.

Euronode Firewall. Euronode Firewall is a new community project, a Debian-based firewall product sponsored by a French-based GNU/Linux services company of the same name. Two firewall products are available - Euronode Simple Firewall and Euronode Advanced Firewall; the latter includes a mail server (Postfix), an antivirus program (ClamAV) and a spam control program (SpamAssassin), in addition to standard firewalling functions. Both products come with Webmin. Euronode does not include any proprietary software; it is built from packages available in standard Debian, but stripped to a minimum that's required for a functional firewall.

Gibraltar Firewall. The Debian-based Gibraltar Firewall is a commercial product of Austria's eSYS Informationssysteme. In development since July 2000, it finally reached a stable state in November 2003 when Gibraltar 1.0 was released. Like Devil-Linux, Gibraltar also runs entirely from a CD, with configuration files optionally stored on hard disk, floppy disk or a USB storage device. Two editions of the product are available; the only differences between the free edition and the $999 commercial edition are a web-based configuration utility called GibADMIN and formal support.

IPCop Firewall. IPCop Firewall, originally started as a fork of SmoothWall, is a community project released under the GPL. It is geared towards home and small office use. Although the development tends to be slow (there has been no new release for over a year), IPCop has received surprisingly good reviews from the media, even when compared with some of the expensive commercial firewalls on this list. IPCop provides a web-based interface to configure the firewall. One major advantage of IPCop over similar community projects is excellent documentation available in many languages.

m0n0wall. The Swiss-based m0n0wall project is the odd man out on this list because it is based on FreeBSD, rather than Linux. It comes with a long list of features, including a web-based configuration interface with SSH support (webGUI - a nicely designed application written in PHP, with configuration files stored in XML format), wireless support, IPSec VPN tunnels, DHCP client, DynDNS client, and configuration backup/restore, just to name a few. Version 1.0, based on FreeBSD 4.9, was released in February 2004 under the BSD license.

redWall Firewall. Also from Switzerland comes redWall Firewall, a community project hosted at SourceForge and based on Red Hat Linux 9. It belongs to the category of live CDs. Besides the usual firewall and VPN features, the product comes with plenty of extras, including intrusion detection, web caching, mail relaying, spam filtering and virus scanning. All configuration is done via Webmin's graphical interface and the resulting configuration files can be stored on a floppy disk, hard disk or USB storage media, or they can be sent by email. redWall Firewall is a free product released under the GPL.

Securepoint Firewall & VPN Server. Securepoint is a well-established German Linux company specializing in firewall products and solutions. Their Securepoint Firewall is based on Red Hat Linux and it includes the usual range of intrusion protection, virus scanning, content filtering and other features. The product is free for home use, but any business use requires hefty licensing fees ranging between €799 and €4,995.

Sentry Firewall CD. Sentry Firewall CD is another CD-based firewall with intrusion detection, based on Slackware Linux. Its kernel is heavily patched with various security enhancements, including OpenWall, FreeS/WAN, Ebtables bridge + netfilter patch, Linux-WLAN modules, and MPPE (Microsoft Point-to-Point Encryption). In the true Slackware tradition, all configuration is done by editing text files. Sentry Firewall CD has been in development for over 3 years and is released under the GPL.

SmoothWall. The UK-based SmoothWall firewall is probably the best-known firewall on the market. Although the infamous Richard Morrell, the man who founded SmoothWall Ltd., is no longer with the company, the development continues in two directions: the free SmoothWall Express released under the GPL, and the £180 SmoothWall Corporate Server available under a commercial license. Compared to most other products on this list, SmoothWall Express limits itself to being a firewall only, but it does include a graphical interface for easy setup. SmoothWall Express continues to receive good reviews in the media, especially after the release of version 2.0 in January 2004.

Product      | Origin      | Based on           | Price                           | GUI                         | Licence
-------------+-------------+--------------------+---------------------------------+-----------------------------+-----------
Astaro       | Germany     | Red Hat            | $390, free for home use         | yes, web-based              | Commercial
ClarkConnect | Canada      | Red Hat            | Free                            | yes, web-based              | GPL
Devil-Linux  | Germany     | Linux From Scratch | Free                            | no                          | GPL
Euronode     | France      | Debian             | Free                            | yes, Webmin                 | GPL
Gibraltar    | Austria     | Debian             | $0 - $999 depending on features | yes, GibADMIN               | Commercial
IPCop        | USA         | SmoothWall         | Free                            | yes, web-based              | GPL
m0n0wall     | Switzerland | FreeBSD            | Free                            | yes, webGUI, written in PHP | BSD
redWall      | Switzerland | Red Hat            | Free                            | yes, Webmin                 | GPL
Securepoint  | Germany     | Red Hat            | €799+, free for home use        | yes, web-based              | Commercial
Sentry       | USA         | Slackware          | Free                            | no                          | GPL
SmoothWall   | UK          | --                 | £0 - £180                       | yes, web-based              | GPL

Distribution News

Debian GNU/Linux

An updated Debian From Scratch is available. Changes include a new amd64 kernel name and more documentation.

The Debian Project will be represented at LinuxWochen and Wizards of OS conferences. LinuxWochen is over now, but look for Debian at Wizards of OS in Berlin next week.

GnomeDesktop reports on the availability of GNOME 2.6 in Debian unstable.

Unofficial Fedora FAQ for Fedora Core 2

The Unofficial Fedora FAQ, hosted at fedorafaq.org, has now been updated for Fedora Core 2.

Fedora Core

The first Fedora Core 2 based tree of Aurora SPARC Linux, build-1.91 (wombat) has been released.

FC1 and FC2 updates:

  • FC1 - gimp: improvements in the handling of multibyte locales
  • FC1 - vsftpd: upgrades vsftpd to the code shipped in Fedora Core 2, fixes bugs
  • FC2 - subversion: includes the latest stable release of Subversion, including three user-visible bug fixes
  • FC2 - php: includes the latest stable release of PHP 4 with a large number of bug fixes since the previous 4.3.4 release

Slackware Linux

There are plenty of changes in slackware-current this week. Upgrades include vim-6.2.532, gail-1.6.5, procps-3.2.1, util-linux-2.12a, clisp-2.33.1, gnopernicus-0.9.4, libbonobo-2.6.1, LPRng-3.8.27, reiserfsprogs-3.6.17, tcsh-6.13.00, Python-2.3.4, alsa-1.0.5, joe-3.1 (with Klingon support), lftp-3.0.5 and slacktrack-1.20_1. X has been switched to X11R6.7.0 from X.Org.

Lycoris releases FontPaks powered by Bitstream Technology

Lycoris and Bitstream Inc. announced that Lycoris will offer Bitstream FontPaks on the Lycoris website. They will also be available in retail outlets and through authorized resellers.

DistroWatch Weekly

The DistroWatch Weekly for May 31, 2004 compares Mandrakelinux, Red Hat/Fedora and SUSE and contains several other topics.

New Distributions

Interview: Nirav Mehta of newly launched Utkarsh.org (NewsForge)

NewsForge interviews Nirav Mehta of the Utkarsh Linux distribution. "Today marks the official launch of a new open source project. Utkarsh is an operating system based on Linux and localized in the Gujarati language, spoken by more than 5.5 million in India's Gujarat state and worldwide. Utkarsh (which means progress or rising high) version 0.1 is now in beta testing, and the team is bubbling with ideas for future growth. Recently Mayank Sharma spoke with the young Gujarati entrepreneur behind the project, Nirav Mehta."

X-Evian

X-Evian is a complete Debian GNU/Linux operating system compilation that comes with 300Mb of copyleft material for the socialization of knowledge and technologies. X-Evian joins the list at version 0.4.1-beta, released June 1, 2004.

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v5.010 with minor bugfixes. "Changes: This new version included all recently released Up2Date packages, bugfixes in the installer, and new hardware support for SCSI RAID controllers (COMPAQ DL 360, Dell PowerEdge 1750, AHA-39160). The installer now displays the MAC addresses of the detected interfaces."

Aurox Linux

Aurox Linux has released v9.4 with major feature enhancements. "Changes: English and Italian are now supported. There is now only one CD set, and CDs are now "apt-enabled". KDE 3.2.1 was included along with a lot of code from 3.2.2 and several new KDE applications. OpenOffice.org 1.1.1 was included. Also updated were the kernel, ALSA, and multimedia apps (mplayer, xine). Many bugs were fixed."

blueflops

blueflops has released v2.0.3 with minor feature enhancements. "Changes: Updates were made for kernel 2.6.6, links-2.1pre15, and busybox-1.00-pre10 with init.c taken from pre-8. The ethernet drivers that support probing are now in the kernel and therefore are automagically detected. There is support for USB keyboard and mouse (those emulated as PS/2 by the BIOS were already supported). There is also automatic mouse detection, and support for PCMCIA serial devices. A necessary feature is finally added: automatic DNS assignment for dial-up connections."

Desktop ROCK Linux

Rock Linux has released Desktop ROCK Linux v2.0.1 with minor feature enhancements. "Changes: dRock 2.0.1 is based upon the current 2.0.1 ROCK Linux release. It features the same security and maintenance updates including improved SPARC and PowerPC support, as well as the build fixes for SuSE, Red Hat, etc."

Devil-Linux

Devil-Linux has released development version 1.2 beta 1 with major feature enhancements. "Changes: Many new programs, software updates, and security features were added along with support for booting from IDE CF cards."

Trustix Secure Linux

Trustix has released bug fixes for various problems in cyrus-imapd, dhcp, openssl, and samba.

wrt54g-linux

wrt54g-linux has released v0.5 with minor feature enhancements. "Changes: This release adds two user-contributed packages: dropbear, a small SSH daemon, and iptraf, an IP traffic monitoring utility. Neither package is installed by default. To install either, add their files to the "distro.tar" file and modify the wrt54g.sh script to set them up on each install. Additional iptables commands have been added to the startup script to account for PPPOE. There are small cleanups."

Distribution reviews

SUSE LINUX 9.1: The Complete Review (DesktopOS.com)

DesktopOS.com has a five page review of SUSE LINUX 9.1. "SUSE LINUX has been around for a long time, and the developers at SUSE have always prided themselves on the user-friendliness of their distribution. SUSE LINUX 9.1 is the first version of the company's consumer product line to be released following its acquisition by Novell last year, and is described as being "more than just an alternative to Windows". SUSE has always been a general-purpose distribution with packages and tools for servers as well as desktops. Given the importance being placed by Novell on desktop Linux, how does SUSE LINUX 9.1 compare to its specifically desktop-oriented commercial rivals, Lycoris Desktop/LX, Xandros Desktop and Lindows Linspire?"

Review: Fedora Core 2 (linux.com)

Linux.com reviews Fedora Core 2. "After the software was installed, real testing began well. FC2 runs noticeably faster than FC1, which in turn ran faster than its competitors from Mandrake and SuSE. There are a great many other improvements as well, such as support for CD burners without a SCSI emulation layer and better support for laptop hardware."

Page editor: Rebecca Sobol

Development

Building Packages From Source With CheckInstall

June 2, 2004

This article was contributed by Joe Klemmer

Most Linux distributions today use some form of package management to deal with dependencies and to make upgrades and installation of software easier for the ever-overworked systems administrator. The most popular package formats are Red Hat-based RPM files, Debian DEB files, Slackware TGZ files and the build-from-source, Ports-like method of distributions such as Gentoo, Lunar Linux, et al. However, many apps and tools are only released as source tarballs using the ubiquitous "configure; make; make install", or as binary-only tarballs.

If you wanted to use these tarballs but also manage them in the same way as the rest of your OS, you had to jump through the hoops required by your distribution's package management system. That is, until now, thanks to a wonderful little utility called CheckInstall.

Developed and maintained by Felipe Eduardo Sánchez Díaz Durán, CheckInstall consists of a collection of shell scripts and a library. With it, you can build an .rpm, .deb or .tgz package that will install using the associated packaging tools.

The easiest way to use CheckInstall is in place of the "make install" portion of a typical build process. Executing CheckInstall runs "make install" under the installwatch script. This script keeps track of everything "make install" does, then feeds the resulting information to CheckInstall so it can build the package. These tools let you build and manage self-made packages as easily as any binary package you might download from the net. They give you great flexibility in how you build the package, and even in how dependencies are managed.

Let's see what a typical run of CheckInstall might look like:

Please choose the packaging method you want to use.
Slackware [S], RPM [R] or Debian [D]? R

This package will be built according to these values:
1 -  Summary: [ libcgi 1.0 ]
2 -  Name:    [ libcgi ]
3 -  Version: [ 1.0 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ Applications/System ]
7 -  Architecture: [ i386 ]
8 -  Source location: [ libcgi-1.0 ]
9 -  Alternate source location: [  ]
10 - Provides: [  ]
11 - Requires: [  ]

Enter a number to change any of them or press ENTER to continue:

As you can see, CheckInstall allows you to edit all of the basic fields that describe a package, in this case an RPM package. The fields are pre-filled with reasonable data, but you can change any of them to new values. It's likely that you'll want to change #6 and possibly #5, #7 and #11. You also have the ability to run pre- and post-install scripts as well as pre- and post-removal scripts.

There are a few things you need to do to get set up for building a package with CheckInstall. First, you'll need a file named "description-pak" which should contain the program name and version, followed by a description. You should also create a subdirectory named "doc-pak" in which you can put text files like README, ChangeLog and the like.

One very nice thing you can do with CheckInstall is tell it to run a specific program or script for the software installation. For example, you might find a very good program that is only released in binary format with a script called "setup" that's used to install it. You can build a package for it by telling CheckInstall to use the "setup" script for the install portion.

An example command might look like this:

$ checkinstall -R --install=yes ./setup

This command line will build and install an RPM, using the setup script to do the actual installing. By default CheckInstall builds the package but doesn't install it; the "--install=yes" option causes CheckInstall to perform the package installation as well. You can also use the switch "--rpmu" to upgrade a package that is already installed.

Once a package is made using CheckInstall, it is virtually impossible to tell it apart from a package built with a hand-generated spec file. There's even a nice feature for saving the spec file that CheckInstall generates in order to build the package. This generated spec file is normally deleted after the package has been built, but if you pass the switch "--delspec=no", it will leave the spec file behind. With this as a starting point, you can easily ramp up your skill at hand-building spec files.

Lastly, whenever you install a package with CheckInstall, it will automatically make a backup tarball of the currently installed package, if one exists. You'll find a file named: "backup-<datetime>-pre-<packagename>-<version>.tgz" in the directory from which you built the package. Should anything go wrong with the newly created package, you can roll back to the previous version using a command like: "tar xzvf backup-<datetime>-pre-<packagename>-<version>.tgz -C /".

As for the future direction of CheckInstall development, Felipe said this:

One interesting feature planned for the not-so-distant future is the evolution of CheckInstall into a tool that will do the whole software install for you: download the source, configure, compile, install and package it. All in one step.

If he is able to get this functionality into CheckInstall, it will become an even more essential tool for systems administrators, alongside yum and apt.

Bottom line: CheckInstall is a fantastic tool that should be on every administrator's and developer's need-to-have list.

System Applications

Audio Projects

ALSA 1.0.5 released

Version 1.0.5 of the ALSA sound driver and associated utility software is out. This release adds numerous bug fixes and improved support for many sound cards. Version 1.0.5a of the ALSA driver also came out this week; it is available on the ALSA site.

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include new versions of Specimen, Rosegarden 4, and Cinelerra.

Database Software

CLSQL 2.11.0 released

Version 2.11.0 of CLSQL, a Common Lisp interface to SQL databases, is out. "This version adds full Oracle support, and now runs on the AMD64 platform under Allegro CL."

PostgreSQL Weekly News

The June 1, 2004 edition of the PostgreSQL Weekly News has been published. Take a look for development news from the PostgreSQL database project.

Libraries

libgdamm 1.3.3 released

Version 1.3.3 of libgdamm, a set of C++ wrappers for the libgda database API, is available. "libgdamm is now usable, with actual working examples."

libgda/libgnomedb 1.1.3 released

Version 1.1.3 of libgda and libgnomedb, the database support libraries for GNOME, are available. "This is another development release in the road to 1.2, which will be the next stable release, and which shows a preview of the new features getting into the 1.2 final release. It is not intended for production use, but by people wanting to experiment with the new features and to help on the development."

liboggz 0.8.3 is out

Version 0.8.3 of liboggz, a C library for reading and writing Ogg encoded audio streams, is out. Changes include Theora header parsing updates, improved API documentation, and more.

Mail Software

Perdition 1.15 released

Version 1.15 of Perdition, a POP3 and IMAP4 proxy server, is available. "I have released perdition 1.15. This includes a fix to the ldap code which resolves various errors including bogus usernames being returned when username_from_database is in effect. This change was included in 1.15beta1. The other changes are minor packaging and documentation fixes."

Networking Tools

Linux InfiniBand beta release (SourceForge)

SourceForge has an announcement for the first beta-level tarball release of the Linux InfiniBand Project.

"The InfiniBand Architecture (IBA) is an industry standard that defines a new high-speed switched fabric subsystem designed to connect processor nodes and I/O nodes to form a system area network. This new interconnect method moves away from the local transaction-based I/O model across busses to a remote message-passing model across channels. The architecture is independent of the host operating system (OS) and the processor platform."

Network Your Shell Scripts with Netpipes (O'Reilly)

Robert Bernier discusses netpipes on O'Reilly. "Netpipes is a suite of utilities for shell-script writers that builds on the idea of conventional pipes to allow different processes to communicate and share data using both TCP and Unix domain-based sockets across the network! Not only does it duplicate the pipe's behavior, but it uses a novel technique called Session Control Protocol (SCP) that provides a simple mechanism for creating multiple, lightweight connections over a single TCP session connection. You can have many datastreams at the same time instead of just one."

Printing

Common UNIX Printing System 1.1.21rc1

Version 1.1.21rc1 of CUPS, the Common UNIX Printing System has been announced. "CUPS 1.1.21 is primarily a bug fix and performance tuning release and includes fixes for the IPP, LPD, parallel, serial, and USB backends, authentication and status processing issues in the CUPS API, and various PostScript and PDF printing issues. The new release also adds support for Zebra label printers and IPP device URI options."

Comments (none posted)

Web Site Development

Chrooting Apache (NewsForge)

NewsForge is running an article that shows how to run the Apache web server in a protected filesystem. "The chroot daemon allows you to run a program and have it see a given directory as the root (/) directory. This effectively locks the process into its very own filesystem ("chroot jail") isolated from the real / filesystem. In this article we will look at how to install the Apache Web server in such an environment."

Comments (none posted)
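
A note on the quote above: chroot is not a daemon but a system call, chroot(2), which the chroot(8) command wraps. What the quote leaves out is the part that makes a jail actually hold: the order of the calls around chroot(2) and the privilege drop afterwards. The following is an added example, not code from the NewsForge article or from the Apache project, showing that sequence in Python. The default jail path and the uid/gid 33 (www-data on Debian-style systems) are assumptions for the demo, the jail directory must already be populated with whatever the confined program needs, and the full sequence needs root to succeed.

```python
import errno
import os
import sys


def enter_jail(jail: str, uid: int, gid: int) -> None:
    """Confine the calling process to `jail`, then drop root.

    Raises OSError on any failure. The order of the steps is the point of
    the example; each one closes a known way out of a chroot.
    """
    if os.path.abspath(jail) == "/":
        # A jail rooted at / confines nothing; refuse before touching anything.
        raise OSError(errno.EINVAL, "a jail rooted at / is no jail")

    # 1. chdir() into the jail first, so the cwd is already inside it.
    os.chdir(jail)
    # 2. chroot() makes the jail the process's new "/".
    os.chroot(jail)
    # 3. chdir("/") again: chroot(2) is not guaranteed to move the cwd, and a
    #    cwd still outside the jail is the classic escape (the kernel pins
    #    "/", not ".", so "../../.." walks straight out).
    os.chdir("/")
    # 4. Drop privileges, in this order: supplementary groups, gid, uid.
    #    Once the uid is unprivileged the other two can no longer be set.
    #    A process that stays root inside a jail can leave it again (the
    #    well-known trick of chroot()ing into a subdirectory and walking up
    #    with chdir(".."), or mknod on a disk device), so the drop is part
    #    of the jail, not an optional extra.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # 5. Check that the drop stuck: regaining root must now fail.
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return
        raise OSError(errno.EPERM, "privilege drop did not stick")


def try_enter_jail(jail: str, uid: int, gid: int):
    """Report failure as an errno value instead of raising:
    None on success, otherwise the errno of the step that failed."""
    try:
        enter_jail(jail, uid, gid)
    except OSError as e:
        return e.errno
    return None


if __name__ == "__main__":
    # Assumed defaults for the demo: jail path and uid/gid 33 (www-data on
    # Debian-style systems). Run as root with a populated jail directory.
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/chroot/apache"
    err = try_enter_jail(jail, 33, 33)
    if err is not None:
        print(f"enter_jail({jail!r}) failed: {os.strerror(err)}", file=sys.stderr)
        sys.exit(1)
    print("inside the jail as uid", os.getuid(), "with cwd", os.getcwd())
```

A web server would do this once in its startup path, after binding its privileged port and before accepting requests; anything it still needs from outside the jail (shared libraries, /dev/null, /dev/urandom, timezone data, the document root) has to be copied in beforehand, which is the bulk of the work the NewsForge article describes.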

ht://Check 1.2.3 released

Version 1.2.3 of ht://Check, a site-wide html checker, is out: "I proudly announce the release of ht://Check 1.2.3, which introduces important new features regarding Web accessibility."

Full Story (comments: none)

MediaWiki 1.2.6 released (SourceForge)

Version 1.2.6 of MediaWiki has been announced. "This will likely be the last release in the 1.2.x series, as we work on finishing up 1.3.0. MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow."

Comments (none posted)

Zope X3 3.0.0 alpha 2 released

Version X3 3.0.0 alpha 2 of the Zope web development platform is available. "Zope X3 is the next major Zope release and has been written from scratch based on the latest software design patterns and the experiences of Zope 2. The "X" in the name stands for "experimental", since this release does not try to provide any backward-compatibility to Zope 2."

Full Story (comments: none)

ZopeMag Weekly News

Issue #32 of the ZopeMag Weekly News is out with the latest Zope web development platform news. "This is Issue 32. Full of Plone tips and tricks mined from the Mailinglists."

Comments (none posted)

Desktop Applications

Accessibility

gnopernicus 0.9.4

Version 0.9.4 of Gnopernicus, a screen reader for the visually impaired, is out. "Gnopernicus now has improved behaviour with gdm."

Full Story (comments: none)

CAD

PythonCAD Release Fourteen

Release fourteen of PythonCAD is available. "The fourteenth release builds on the undo/redo work added in the previous release. The undo/redo abilities of the program in regards to entity addition and removal have been made significantly more robust. Also, the ability to undo or redo entity splitting, moving, mirroring have been both added and enhanced. The ability to undo or redo entity transfers between image layers is now available. Changing the various entity properties now has more undo and redo features."

Full Story (comments: none)

Desktop Environments

Bag of Software (GnomeDesktop)

GnomeDesktop.org presents another Bag of Software for the GNOME desktop. "New releases of Gnotify, Drivel, MVideo, gThumb and Gnomoradio are now available."

Comments (none posted)

Bakery 2.3.4 announced

Version 2.3.4 of Bakery, a C++ Framework for creating document-based GNOME applications, is out. Changes include gcc 3.4 build fixes, new constructors, and several new functions.

Full Story (comments: none)

gconf-editor 2.7.0 released

Development release 2.7.0 of gconf-editor, a GNOME configuration editor, is out with bug fixes and numerous improvements.

Full Story (comments: none)

gwget2 0.11 released

Version 0.11 of gwget2, a download manager for GNOME 2, is out. This release features a number of GUI changes.

Full Story (comments: none)

Hardware Monitor applet 1.0.1 released

Version 1.0.1 of the Hardware Monitor applet for GNOME is out. "A lot of translations have been committed lately so I thought I would get them out to the masses. This release also fixes an annoying bug with GTK+ 2.4 where the applet shows up without anti-aliasing."

Full Story (comments: none)

KDE-CVS-Digest (KDE.News)

The May 28, 2004 edition of the KDE-CVS-Digest is online, here's the content summary: "Code folding and syntax highlighting improvements in Kate. Kdevelop has a new file template system. KGeography adds more maps and flags. Digikam improves EXIF tag editing and display. KMail adds detailed new mail notification and anti-virus tool support. Kontact adds support for SUSE Linux OpenExchange Server. Konqueror adds spring loading Folders. KMyFirewall adds rule plugins."

Comments (none posted)

Some notes about Xfce 4.2

A document entitled Some notes about Xfce 4.2 has been published; it details some of the development directions that Xfce 4.2 will be taking.

Comments (none posted)

Electronics

Gerber Viewer 0.16 released

Version 0.16 of Gerber Viewer (gerbv), an application for viewing electronic CAD files, is out. The main new feature is support for projects; see the release announcement for more information.

Comments (none posted)

PCB 20040530 released

Release 20040530 of PCB, a printed circuit board drawing package, has been announced: "Many improvements have been made in the program as well as additions and improvements to the footprint library."

Comments (none posted)

XCircuit 3.2.21 is out

Version 3.2.21 of XCircuit, an electronic schematic drawing package, is available. Changes include bug fixes and distribution library updates.

Comments (none posted)

Financial Applications

MyBudget-0.5 Personal Finance Program announced (GnomeDesktop)

GnomeDesktop.org has the announcement for the initial release (version 0.5) of MyBudget, a personal finance application. "The aim of the program is to make it as easy as possible for people to do their own personal budgets and keep track of their finances."

Comments (none posted)

Games

Cyphesis 0.3.0 available

Version 0.3.0 of the game Cyphesis is available from the WorldForge game project. "New features in this version are support for Mercator terrain, oriented box collision detection, IPv6 support, improved security, variable sight ranges, world persistence and a complete new default world map. Performance and reliability are massively improved since the last stable release."

Comments (none posted)

gnome-games 2.7.2 available

Version 2.7.2 of gnome-games, a collection of games for the GNOME desktop, is available. "Mostly this is because I get a kick out of having the largest version number, but it is also because Jon McCann has made blackjack resizeable."

Full Story (comments: none)

Monster Masher 1.6 released

Version 1.6 of the game Monster Masher is out with a new splash screen, bug fixes, and a revised Portuguese translation. Version 1.6.1 was also released this week; it fixes a bug that was found in version 1.6.

Full Story (comments: none)

Release: StepMania 3.9 alpha 20 (SourceForge)

Version 3.9 alpha 20 of StepMania is available. "StepMania is a music/rhythm game. The player presses different buttons in time to the music and to note patterns that scroll across the screen. Features 3D graphics, visualizations, support for gamepads/dance pads, a step recording mode, and more!"

Comments (none posted)

Graphics

DiaCanvas 0.13.0 released

Version 0.13.0 of DiaCanvas, a diagram widget for GTK, is out with bug fixes and a change in the behavioral code.

Full Story (comments: none)

GUI Packages

PyQt v3.12 Released

Version 3.12 of PyQt, the Python Language Bindings for Qt, is available. "Changes since the last release include support for Qt v3.3.2, and the provision of an evaluation version for Windows to be used with the evaluation version of Qt."

Full Story (comments: none)

wxWidgets 2.5.2 has been released

Version 2.5.2 of the wxWidgets GUI Toolkit is available. "Amongst other improvements, sizers are working properly again in 2.5.2, and wxMac has come on leaps and bounds."

Comments (none posted)

Instant Messaging

Gaim 0.78 ''Worth the Wait'' released. (GnomeDesktop)

Version 0.78 of Gaim, an instant messaging client, has been announced. "Version 0.78 fixes all kinds of WYSIWYG formatting bugs, MSN bugs, restores compatibility with Gtk 2.0, adds support for the SILC protocol, among many other things. Oh yeah, and preferences should be less confusing now!"

Comments (none posted)

Music Applications

MusE 0.7 Pre 3 released

Version 0.7pre3 of the MusE MIDI and audio sequencer is available with a long list of changes and bug fixes.

Comments (none posted)

Rosegarden-4 0.9.8 released

Version 0.9.8 of Rosegarden-4, a MIDI sequencer and score editor, is out. "This release is primarily focused on bugfix, performance and usability improvements over 0.9.7, including significant optimisations to the main editing canvas, sequencer and GUI memory leak fixes, faster and better notation editing and printing, and dozens of other fixes. It also contains a handful of new features including MIDI mixer window, ottava and fingering marks in notation, and a redesigned audio segment manager."

Full Story (comments: none)

Office Suites

OpenOffice.org build 1.1.56 is out

Build 1.1.56 of OpenOffice.org has been released. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to stock OO.o."

Full Story (comments: none)

OpenOffice.org Newsletter 05/2004

The May edition of the OpenOffice.org Newsletter is out, with news about the OOoCon 2004 Call For Papers, the approach of OpenOffice.org 2.0, and several other topics.

Full Story (comments: 1)

PDA Software

jSyncManager v3.2 alpha 01 released (SourceForge)

Version 3.2 alpha 01 of jSyncManager, a cross-platform Java data synchronization solution for PalmOS based devices, has been released. "Included in this release are the jSyncManager Core Application Set, the jSyncManager API, the jSyncManager jConduits plug-ins bundle, and a special Jar Bundle version for systems running Mac OS X."

Comments (none posted)

Peer to Peer

Azureus 2.1.0.0 released (SourceForge)

Version 2.1.0.0 of Azureus, a Java-based BitTorrent client, is out. "This long-awaited Azureus 2.1 series release brings many new features and bug fixes to the java bittorrent client, as well as major usability enhancements for plugin writers."

Comments (none posted)

BTQueue 0.0.8 has been released (SourceForge)

Version 0.0.8 of BTQueue, a text-based BitTorrent client, is available. "This version supports download rate limitation, access control list based on ip range, network name (taken from whois), and country, and many bugs fixed."

Comments (none posted)

Web Browsers

Epiphany 1.3.0 released

Version 1.3.0 of Epiphany, a browser for GNOME, is out. The changes are numerous; they include bug fixes, removal of unused features, interface improvements, translation updates, and improved documentation.

Full Story (comments: none)

Epiphany Extensions 1.1.0 released

Version 1.1.0 of Epiphany Extensions, a collection of extensions for the Epiphany browser, is available. This release updates compatibility with the latest Epiphany versions and includes bug fixes.

Full Story (comments: none)

Galeon 1.3.15 is out

Version 1.3.15 of the Galeon browser is available. The release announcement says: "As promised, here's the first gtk+ 2.4 based release. We also made a bunch of other updates - the most significant of which is a serious overhaul of the downloading subsystem - most significantly meaning it doesn't crash all the time :-) In the feature restoration department, we see the return of the off-line mode and user stylesheets."

Comments (none posted)

Word Processors

AbiWord Weekly News

Issue #198 of the AbiWord Weekly News has been published. It starts off with a request for help: "Attention Indic and Arabic users! We need more of you to attempt to use and report bugs on CVS Head. As we continue to improve the glyph-shaping engine, we will need to know what is working and what is not."

Comments (none posted)

Miscellaneous

3dFB 0.5.5 released

Version 0.5.5 of 3dFB is out. "3dFB is a 3d File Manager. 2d file managers work nicely, but with 3d you can display much more information. The aim of this project is to make a viable, workable, 3d file manager that is not a hog on resources and can actually be usable."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The June 1, 2004 edition of the Caml Weekly News is available with the latest Caml language discussion topics.

Full Story (comments: none)

Erlang

Erlang/OTP R9C-1 released

Version R9C-1 of Erlang/OTP has been released. "This is mainly a bugfix release and users can safely upgrade their development environment. It fixes many small bugs regarding all the aspects of the Erlang/OTP distribution."

Full Story (comments: none)

Java

JJack 0.1 is available

The initial release of JJack, version 0.1, is available. "JJack is a framework for the Java programming language that allows creating and running portable audio processor clients for the JACK Audio Connection Kit."

Full Story (comments: none)

Java 2D imaging for the Standard Widget Toolkit (IBM developerWorks)

Yannick Saillet works with Java graphics on IBM's developerWorks. "Most Java developers agree that there's only one domain where Swing/AWT is superior to the Eclipse platform's Standard Widget Toolkit, and that's Java 2D. Until now there has been no easy way to integrate the time-saving features of Java 2D with the superior portability, functionality, and performance of SWT's user interface components, but that's all about to change. In this follow up to his popular tutorial on migrating Swing applications to SWT, Java developer and Eclipse enthusiast Yannick Saillet shows you how easy it can be to paint Java 2D images on your SWT components and Draw2D figures."

Comments (none posted)

Nested Classes, Part 3 (O'ReillyNet)

O'Reilly has published part three in a series by Robert Simmons, Jr. on Java nested classes. "In this third and final installment on nested classes, excerpted from Hardcore Java, author Robert Simmons covers static nested classes, double nested classes, and nested classes in interfaces."

Comments (none posted)

SableVM 1.1.5 released (SourceForge)

Version 1.1.5 of SableVM, a Java virtual machine implementation, has been announced: "In this version, we synchronized sablevm-classpath with the latest GNU Classpath CVS (as of May 29, 2004.), we improved the support for Ant 1.6, we switched to using libtool handling to find the right library suffixes (this helps some platforms like OpenBSD and Cygwin), we fixed a corner case problem with class loading, and we made some other small bug fixes."

Comments (1 posted)

SSS (Small, Simple, Safe) (O'ReillyNet)

Alper Coskun examines SSS on O'Reilly. "Teaching Java is complicated both by the language's syntax and the huge number of classes in its standard libraries. According to Alper Coskun, one solution might be "Small Simple Safe" (SSS), which tries to alleviate this by giving the user an opportunity to create and relate objects in a very simple GUI."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The May 24-30, 2004 issue of This Week on perl5-porters is available. "This week, you'll read in this summary more about the uninitialized warning plans for 5.8.($n+1), some XS tricks, intriguing bugs, and the different types of UIDs."

Comments (none posted)

This Week on Perl 6 (O'Reilly)

The May 23, 2004 edition of This Week on Perl 6 has been published. "Yes. I know. This week's summary is a week late. So it's a summary of the last two weeks. So let's get straight to perl6-internals shall we?"

Comments (none posted)

PHP

PHP Weekly Summary

The PHP Weekly Summary for May 25, 2004 is available. Topics include: "var_dump() change, gif support, PHP 5 release schedule, PDO design and more."

Comments (none posted)

Python

Python 2.3.4 (final) Released

Python 2.3.4 (final) is out with more than 20 bug fixes.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The May 26, 2004 edition of Dr. Dobb's Python-URL! is available with numerous Python language article links.

Full Story (comments: none)

Charming Python: The Python Enterprise Application Kit (IBM developerWorks)

David Mertz introduces PEAK on IBM's developerWorks. "PEAK is a Python framework for rapidly developing and reusing application components. While Python itself is already a very high-level language, PEAK provides even higher abstractions, largely through the clever use of metaclasses and other advanced Python techniques. In many ways, PEAK does for Python what J2EE does for the Java™ language. Part of the formalization in PEAK comes in the explicit specification of protocols, specifically in the separately available package, PyProtocols."

Comments (none posted)

Shells

PySH - The Python Shell

For those of you who just can't get enough of the Python language, PySH is a command line shell that allows you to use Python-style commands.

Comments (none posted)

Scripting GNU in the 21st Century (Linux Journal)

Nick Moffitt uses a bash shell script to calculate train schedules. "In order to save time, I decided to write a shell script that would fetch the train arrival information for my station and display it in a colored ASCII table on stdout. It should accept station codes for any arbitrary trip but use defaults specified in a per-user configuration file. I did not want to write the schedule analysis code, so I decided to perform a screen scrape of the BART trip planner. wget would submit the trip planner form, and the resulting Web page would be formatted with various tools."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The June 1, 2004 edition of Dr. Dobb's Tcl-URL! is out with the latest Tcl/Tk article links.

Full Story (comments: none)

XML

Gaphor 0.4.0 Announced

Version 0.4.0 of Gaphor, the GTK/GNOME UML modeling tool, is available. This release adds action diagrams, interfaces, a new look and feel, and no more C code.

Full Story (comments: none)

Miscellaneous

flawfinder 1.25 released

Version 1.25 of flawfinder, a tool for locating security problems in C and C++ source code, is out. "Version 1.25 adds more rules for finding security flaws involving cuserid, getlogin, getpass, mkstemp, getpw, memalign, gsignal, ssignal, ulimit, and usleep. Flawfinder now has 137 rules that it checks automatically. Its documentation now has lengthy text to explain exactly how to use flawfinder with vim and emacs."

Full Story (comments: none)
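
flawfinder works by lexically scanning C/C++ source for calls to functions in its rule database, ignoring comments and string literals so that a function name mentioned in a comment is not reported, and printing the hits sorted by risk level. The following is an added example in that spirit, not flawfinder's own code (which is larger and carries its own rule database): a scanner whose rule table is built from the functions named in the 1.25 announcement, with risk levels and one-line notes that are this example's own summaries rather than flawfinder's wording, run over a constructed C snippet that exercises the comment, string-literal and prefix-match cases.

```python
import re
from collections import namedtuple

# Rule table for this example: C function name -> (risk level 1-5, note).
# The names are those the flawfinder 1.25 announcement lists; the levels
# and notes are this example's own summaries, not flawfinder's ruleset.
RULES = {
    "getpw":    (4, "obsolete; no bound on the output buffer, so it can overflow"),
    "cuserid":  (4, "obsolete; static buffer, and the name is user-influenced"),
    "getlogin": (3, "name comes from utmp, which users can influence; not for authorization"),
    "getpass":  (3, "obsolete and non-portable; may silently truncate"),
    "mkstemp":  (2, "fine in itself, but check the umask/mode on older systems"),
    "gsignal":  (2, "obsolete; use raise()"),
    "ssignal":  (2, "obsolete; use sigaction()"),
    "memalign": (1, "result may not be free()-able on some non-Linux platforms"),
    "ulimit":   (1, "obsolete; use getrlimit()/setrlimit()"),
    "usleep":   (1, "obsolete; use nanosleep()"),
}

Hit = namedtuple("Hit", "line level name note")

_NONSOURCE = re.compile(
    r"//[^\n]*"                      # line comment
    r"|/\*.*?\*/"                    # block comment
    r'|"(?:\\.|[^"\\\n])*"'          # string literal (handles \" escapes)
    r"|'(?:\\.|[^'\\\n])*'",         # character literal
    re.S,
)
# \b stops my_getlogin( from matching; the trailing \( stops getpw from
# matching the prefix of getpwnam(.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")


def blank_nonsource(src: str) -> str:
    """Overwrite comments and string/char literals with spaces, keeping every
    newline so offsets still map to the original line numbers. This is the
    step that keeps getlogin() in a comment, or "getpass(" inside a string
    literal, from being reported."""
    return _NONSOURCE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src: str, minlevel: int = 1):
    """Return Hits for every call to a function in RULES whose level is at
    least minlevel, sorted highest risk first and then by line number."""
    cleaned = blank_nonsource(src)
    hits = []
    for m in _CALL.finditer(cleaned):
        name = m.group(1)
        level, note = RULES[name]
        if level < minlevel:
            continue
        line = cleaned.count("\n", 0, m.start()) + 1
        hits.append(Hit(line, level, name, note))
    hits.sort(key=lambda h: (-h.level, h.line))
    return hits


def report(src: str, filename: str = "<stdin>", minlevel: int = 1) -> str:
    """One line per hit, in a file:line: [level] style."""
    return "\n".join(f"{filename}:{h.line}: [{h.level}] {h.name}: {h.note}"
                     for h in scan(src, minlevel))


# Constructed sample input for the demo (not taken from any real project).
SAMPLE_C = """#include <unistd.h>
/* getlogin() named in a comment: must not be reported */
int main(void) {
    char *who = getlogin();
    char tmpl[] = "/tmp/getpass(XXXXXX)";
    int fd = mkstemp(tmpl);
    int ok = my_getlogin(who);
    usleep(1000);
    return 0;
}
"""

if __name__ == "__main__":
    print(report(SAMPLE_C, "sample.c"))
```

On the sample the scanner reports getlogin() on line 4, mkstemp() on line 6 and usleep() on line 8, and nothing for the comment on line 2, the string literal on line 5 or my_getlogin() on line 7. The limitation is the same one flawfinder's documentation is candid about: a lexical scanner sees names, not data flow, so every hit still needs a human to decide whether the call is actually reachable with attacker-controlled input.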

Extensible Programming for the 21st Century

Dr. Gregory V. Wilson writes about Extensible Programming. The Daily Python-URL has a summary of the article: "This article argues that next-generation programming systems will [allow programmers to add entirely new kinds of information to programs, and to control how that information is processed] by combining three specific technologies: compilers, linkers, debuggers, and other tools will be plugin frameworks, rather than monolithic applications; programmers will be able to extend the syntax of programming languages; and programs will be stored as XML documents, so that programmers can represent and process data and meta-data uniformly."

Comments (none posted)

Elements of Service-Oriented Analysis and Design (IBM developerWorks)

Olaf Zimmermann, Pal Krogdahl and Clive Gee discuss Service-Oriented Architecture and Design on IBM's developerWorks. "Experience from first Service-Oriented Architecture (SOA) implementation projects suggests that existing development processes and notations such as Object-Oriented Analysis and Design (OOAD), Enterprise Architecture (EA) frameworks, and Business Process Modeling (BPM) only cover part of what is required to support the architectural patterns currently emerging under the SOA umbrella; hence, there is a need for an enhanced interdisciplinary service modeling approach."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

SuperCharging Innovation - Why The State Should Release Its Software As Open Source (Groklaw)

Groklaw has posted a paper by Australian attorney Brendan Scott on the benefits of governments releasing their code under open-source licenses. "He points out that when governments do not release their software as open source, it's the taxpayers who lose value. And a desire to commercialize software is not a reason not to release as open source, he says, because there is the option of dual licensing or using a services model".

Comments (5 posted)

ESR does Samizdat

For those of you who haven't had enough of this sort of thing, Eric Raymond has posted his critique of the Alexis de Tocqueville Institute's attack on Linux. "I began reading the excerpts skeptical of the widespread conspiracy theory that this book is a paid hatchet job commissioned by Microsoft. Now I find this theory much more credible. I can't imagine how anyone would want their names on a disgrace like this unless they were getting paid extremely well for undergoing the humiliation."

Comments (21 posted)

Man AdTI Hired to Compare Minix/Linux Found No Copied Code (Groklaw)

Groklaw looks at some email correspondence by Andrew Tanenbaum on whether early versions of Linux had any Minix code within. "Apparently, Ken was expecting me to find gobs of copied source code. He spent most of the conversation trying to convince me that I must have made a mistake, since it was clearly impossible for one person to write an OS and 'code theft' had to have occurred. So, I guess what I want to say is, pay no attention to this man. . ."

Comments (16 posted)

Companies

HP expands open-source support (News.com)

News.com covers some open source news from HP. "The computing giant will certify and support MySQL, the leading open-source database program, and JBoss, a popular Java-based application server, on HP's industry standard servers."

Comments (16 posted)

Macromedia adds SOAP to Linux Flash Player (News.com)

Macromedia has added SOAP capabilities to the Linux Flash Player, according to this article on news.com. "The company said the latest Flash Player, released Thursday, offers increased performance and security. Simple Object Access Protocol (SOAP), a Web services protocol that allows independent applications to exchange messages in real time, helps companies integrate their applications and improve overall efficiency."

Comments (1 posted)

Sun warms to open source for Solaris (News.com)

News.com covers Jonathan Schwartz's talk in Shanghai, where he said Sun would "open source" Solaris. "A problem that Schwartz wants to avoid is having Solaris splintered into different distributions like Linux, which he said creates application incompatibilities. Going the way of Linux-type licensing, he suggested, creates open source but not open standards."

Comments (9 posted)

Symantec may go with Linux (MercuryNews.com)

Symantec is considering a corporate switch to Linux, according to the San Jose Mercury News. "Somewhere, Bill Gates is frowning. Symantec Chief Executive John Thompson said today his company may use Linux software to run its desktop computers instead of Microsoft's Windows. Bloomberg News says Cupertino's Symantec, the largest maker of consumer anti-virus software, is considering whether to switch some or all employees to Linux, a free operating system developed by programmers around the world, Thompson said at a conference in New York."

Comments (13 posted)

Linux Adoption

Novell Australia leads global Linux migration (ComputerWorld)

ComputerWorld Australia covers Linux adoption at Novell Australia. "The migration, which will see staff across the globe using SuSE Linux systems running OpenOffice, is partly motivated by broader commercial concerns. Novell completed its $US210 million acquisition of SuSE in January this year, and the company wants to use itself as a showcase for both SuSE and Ximian, which it also purchased last year."

Comments (none posted)

Oracle to be Linux shop by end of year (silicon.com)

Silicon.com reports that Oracle plans to switch its in-house programming staff to Linux by the end of 2004. "In October, the company finished the Linux transition for the 5,000 programmers of its Oracle Applications software. Now the transformation has begun for those who work on the database product, said Wim Coekaerts, director of Linux engineering, in an interview at the CeBit trade show in New York."

Comments (4 posted)

IBM's Linux Push (IT-Director)

IT-Director takes a look at IBM's role in Linux adoption. "According to Adam Jollins, who is part of IBM's Linux Marketing Strategy team, the adoption of Linux is happening most quickly in Banking, Government and Retail, followed by sectors that use scientific or engineering applications (automotive, pharmaceuticals, life sciences, education etc.) This is unusual in some respects as the Banking industry is normally an early adopter of technology whereas Government is normally a late adopter, but these two sectors appear to be driving Linux adoption along with Retail."

Comments (2 posted)

Interviews

Interview: Daniel Glazman, Nvu Developer (MozillaNews)

MozillaNews has an interview with Daniel Glazman, author of the Nvu HTML editor. "I'd like Nvu to become the companion standalone editor to Firefox and Thunderbird. The third and last element missing from the Mozilla Application Suite. I want it to become a good wysiwyg editor that we won't be afraid to compare to the big players on the market. I want Nvu to be a disruptive innovation in the HTML editors' market, reaching success from the low-end market share, the one that the big players don't want to or can't address. And don't forget Nvu is cross-platform..."

Comments (none posted)

Paul Graham on Hacking (O'ReillyNet)

O'ReillyNet interviews Paul Graham, hacker, painter, essayist and author of Hackers & Painters. "ORN: When you first face a new project, how do you approach it? PG: I try to build big programs out of small ones. So, when I approach a new project, I look for the subset of the problem that I can solve with the smallest program. Then I start adding things."

Comments (none posted)

Ben Goodger from the Mozilla Foundation (Neowin.net)

Neowin.net interviews Firefox developer Ben Goodger. "Over the last couple of months, Neowin has tracked the development of perhaps one of the most promising open source projects for a long time: Mozilla Firefox, or Firefox. We've managed to have a talk to Ben Goodger, chief developer of Firefox, about what's new in the upcoming release, and much much more."

Comments (none posted)

Red Hat CEO Szulik on business, SCO, and other topics (IT Manager's Journal)

IT Manager's Journal interviews Red Hat CEO Matt Szulik. "The challenge is to be a good steward for the open source community. Most people understand Red Hat is there to make money. That said, the company contributes around 21 percent of its R&D back into the public domain to do public license. To contribute the kind of public functionality that Red Hat puts back into the public domain, the Fedora, which cannibalized $9 million of revenue stream that they had to make up -- Red Hat walks the walk and talks the talk."

Comments (6 posted)

Resources

Arch for CVS Users (Linux Journal)

The Linux Journal provides a whirlwind introduction to arch for people already familiar with version control. "Arch is, at its heart, a distributed system. There is no special server process, and each developer's machine can serve as an arch repository. The result is that advanced use of arch can require more work on the client side."

Comments (43 posted)

Documenting Projects with Apache Forrest (O'ReillyNet)

Kyle Downey looks at the use of Apache Forrest for working with software documentation. "Apache Forrest helps you develop the documentation to accompany your application, automatically providing a number of neat features such as menus, links, cross-references, and breadcrumb navigation. Kyle Downey provides an introduction."

Comments (none posted)

New Linux Audio Musings

Dave Phillips has updated his Linux audio musings column this month. Also, an updated version of the New Additions list of Linux audio applications is available. "As you can tell from this month's New Additions the Linux audio software base continues to grow and improve. I'm always heartened by the list of updated software, it indicates the dedication many authors have towards their work, and of course we users get to enjoy the fruits of an ever-improving software collection. There's a lot of neat stuff in the new listings for this month, so I suggest you stop reading this column and start checking out that software..."

Comments (none posted)

The Python Enterprise Application Kit (developerWorks)

IBM developerWorks introduces PEAK, the Python Enterprise Application Kit. "PEAK is a Python framework for rapidly developing and reusing application components. While Python itself is already a very high-level language, PEAK provides even higher abstractions, largely through the clever use of metaclasses and other advanced Python techniques. In many ways, PEAK does for Python what J2EE does for the Java language. Part of the formalization in PEAK comes in the explicit specification of protocols, specifically in the separately available package, PyProtocols."

Comments (3 posted)

Building a Linux Media PC (O'Reilly)

John Littler explains how to turn a Linux box into an entertainment system on O'Reilly. "In this article I'm going to look at a particular sort of setup of a Linux home theatre PC — one where the primary consideration is space. Suppose you have a small studio apartment, or a bedroom or study where you want to work on your computer, watch movies and TV, and play music and maybe games as well."

Comments (none posted)

Reviews

Linux gets 802.11g Intel Centrino driver (ZDNet)

ZDNet UK looks at a pre-beta version of Intel's Linux-based 802.11g driver for its Centrino platform. ""The pre-beta drivers are intended to provide the Linux open-source developer community an opportunity to evaluate the drivers in their own environment, and provide Intel with feedback," said [an Intel] spokesman." (Thanks to James Pearson-Kirk)

Comments (2 posted)

The Little Engine That Could (PBS)

Robert X. Cringely proclaims the virtues of Linux as found in the Linksys WRT54G router. "...the WRT54G with Sveasoft firmware is all you need to become your cul de sac's wireless ISP. Going further, if a bunch of your friends in town had similarly configured WRT54Gs, they could seamlessly work together and put out of business your local telephone company. That's what I mean by a disruptive technology."

Comments (2 posted)

ipfilter on GNU/Linux: Is It Finally Here? (Linux Journal)

Linux Journal takes a look at the latest release of ipfilter. "For the better part of a decade, users of FreeBSD, OpenBSD, NetBSD, Solaris and IRIX have used Darren Reed's ipfilter software to firewall networks and protect individual systems from network-based attacks. Now, with the release of ipfilter 4.1.1, GNU/Linux is moving into the fold as a supported platform."

Comments (6 posted)

Project in the spotlight: JaMBW (Bioinformatics.org)

Bioinformatics.org takes a look at JaMBW, a Java-based Molecular Biologist's Workbench. "The software and documentation are made available to molecular biologists to give free access to the most common bioinformatic operations, according to the project pages. ``The peculiar aspect of JaMBW, however, is to take advantage of the foremost developments in computer science in order to deliver information in a way simple to use. The latter includes, therefore, point-and-click, drag-and-drop, plug-and-play.''"

Comments (none posted)

Subversion: The new-generation CVS (DevChannel)

OSDN DevChannel looks at Subversion. "Subversion is tightly integrated with the Apache Web server, which allows it to provide a robust back end for repositories in areas such as authentication, path-based authorization, and browsing, although support is provided by an external module. This configuration is very Apache-specific, so we will not address any details here. As an alternative, Subversion offers a lightweight solution named svnserve which uses a proprietary protocol running over TCP. For our simple needs svnserve will do."

Comments (23 posted)

Miscellaneous

EFF Starts Patent-Busting Project (Groklaw)

Groklaw reports on the EFF's Patent-Busting Project. ""We are concerned about the growing number of illegitimate software and Internet patents," said Glenn Parker, trustee of The Parker Family Foundation. "By investing in EFF, we know that we will be helping to protect the rights of individuals, nonprofits and others that have legitimate noncommercial uses of software and Internet technology.""

Comments (1 posted)

Play Donkey Kong, go to jail? (NewsForge)

NewsForge questions the legality of LiveCD distributions for playing arcade games. "The software for most of these arcade games is not free. If you do not have a legal license for a game you are playing under MAME, you are infringing on someone's copyright."

Comments (3 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

An open letter from Alan Cox

Alan Cox has sent out an open letter encouraging Europeans (and UK citizens in particular) to vote in the upcoming European Parliament elections, and to keep software patents in mind while doing so. "The turnout in the UK is expected to be 18%. That favours anyone who can mobilize and get out and vote. It's a one off opportunity to kick the pro-patent lobby somewhere that hurts."

Full Story (comments: 26)

AGNULA project needs editors

The AGNULA audio distribution project sent out an announcement asking for newsletter editors.

Full Story (comments: none)

AGNULA needs a webmaster

The AGNULA project is in need of a volunteer webmaster.

Full Story (comments: none)

Apache Software Foundation Announces Apache Geronimo as an Official Project

Apache Software Foundation has announced that Apache Geronimo has been approved as an official project of the ASF. The objective of the Apache Geronimo project is to produce an open source, certified implementation of the Java 2 Platform, Enterprise Edition (J2EE) specification licensed under the Apache License and offered to the public at no charge.

Comments (17 posted)

Creation of YAPC::Europe Foundation announced (use Perl)

Use Perl has an announcement for the new YAPC::Europe foundation. "The new committee will be part of YAPC, which is part of YAS, also known as TPF."

Comments (none posted)

Commercial announcements

Arabella Announces Linux USB Host and Device Support for the PowerQUICC(TM) Processor

Arabella Software has announced Linux USB support for the PowerQUICC processor. "Arabella Software, a leading supplier of "Customized Linux Solutions" for embedded applications, today announced that its Arabella Linux for the PowerQUICC(TM) integrated communication processors has been extended to include fully integrated support for USB Host and Device functionality."

Comments (none posted)

Euroland initiates research coverage of Mandrakesoft

Mandrakesoft has announced the availability of a report from Euroland entitled "Mandrakesoft: the rising star of the Linux Market". Click below for more information.

Full Story (comments: none)

Intel to open source EFI firmware code

Intel has announced that it will be releasing its "foundation code" implementing the extensible firmware interface (EFI) specification. This release raises the prospect of having a system with a completely free BIOS. CollabNet will be handling the actual release, which is due "later this year."

Comments (10 posted)

Lineox Announces Migration Instructions from Red Hat Linux 9

Lineox is offering a solution for migration off of Red Hat Linux version 9. "Lineox Enterprise Linux 3.0 is an enterprise level Linux distribution with almost 5 years of planned support life. In the past Lineox has provided updated program packages with feature enhancements, bug and security fixes for free. The update service will be fee based starting fall 2004."

Full Story (comments: none)

Macromedia Flash Player 7 for Linux Now Available

Macromedia has announced the immediate availability of Macromedia Flash Player 7 for Linux.

Comments (none posted)

Pingtel Forms Technical Advisory Board

Pingtel Corporation has announced the formation of the Pingtel Technical Advisory Board to assist in the development of open source IP telephony.

Comments (none posted)

The Sendmail messaging integrity pilot program

Sendmail, Inc. has announced the launch of the "Sendmail messaging integrity pilot program," a public testbed for various sender authentication schemes. Included at the beginning is a free implementation of Yahoo's "DomainKeys" system. "'Sender-based email authentication is set to change the way email is used. Instead of focusing on filtering out unwanted mail, organizations will need to think about filtering in the mail they want,' said Eric Allman, CTO at Sendmail."

Comments (1 posted)

Sun Announces Java WSDP 1.4

Sun Microsystems has announced the release of version 1.4 of its Java Web Services Developer Pack (WSDP).

Comments (none posted)

New Books

NoSCOpyright - SCO contro Linux

A group known as the "NMI Club" has written an entire book (in Italian) on the SCO Group and its attacks. This book, called NoSCOpyright - SCO contro Linux, is available in bookstores; it has also been released online under a copyleftish Creative Commons license. Click below for the full announcement (again, in Italian).

Full Story (comments: 3)

Upcoming Events

OMG Information Day: London, June 10, 2004

An OMG Information Day will take place in London. "LogOn and the Object Management Group are announcing an OMG Information Day, taking place at the New Connaught Rooms in London, on June 10, 2004."

Full Story (comments: none)

Wizards of OS 3

Wizards of OS 3 conference will be held at the Berlin Congress Center on June 10-12, 2004.

Full Story (comments: none)

Debian Project at Wizards of OS

Look for representatives of the Debian Project at the Wizards of OS conference in Berlin, Germany on June 10-12, 2004.

Full Story (comments: none)

Tim Ney's GUADEC Blotter (GnomeDesktop)

GnomeDesktop.org mentions the availability of online coverage from the GNOME Users and Developers European Conference on June 28-30. "Tim Ney, the GNOME foundation director wrote in to let us know that he will be blogging various news items relating to GUADEC at his new blog."

Comments (none posted)

European Revolution Conference

The Autumn European Revolution Conference will be held on November 14-16, 2004 in Malta.

Full Story (comments: none)

YAPC::Australia::2004 Call for Papers (use Perl)

A Call for Papers has gone out for the Open Source Developers Conference and YAPC::Australia::2004, according to this notice on Use Perl.

Comments (none posted)

Events: June 3 - July 29, 2004

Date | Event | Location
June 3 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit (Ottawa Congress Centre) | Ottawa, Canada
June 3 - 6, 2004 | DebConf4 | Porto Alegre, Brazil
June 3 - 4, 2004 | Web.It 2004 | Milano, Italy
June 3 - 4, 2004 | inbox, the email event (San Jose Marriott) | San Jose, CA
June 6 - 7, 2004 | French Perl Workshop | Paris, France
June 7 - 9, 2004 | EuroPython (Chalmers University of Technology) | Göteborg, Sweden
June 10, 2004 | OMG Information Day (The New Connaught Rooms) | London, England
June 10 - 12, 2004 | Wizards of OS 3 (Berlin Congress Center) | Berlin, Germany
June 13, 2004 | 1st European Lisp and Scheme Workshop | Oslo, Norway
June 14 - 18, 2004 | 18th European Conference on Object-Oriented Programming (ECOOP-2004) (The University of Oslo) | Oslo, Norway
June 16 - 18, 2004 | Yet Another Perl Conference (YAPC::NA::2004) (University at Buffalo) | Buffalo, NY
June 28 - 30, 2004 | GNOME User and Developer European Conference (GUADEC) | Kristiansand, Norway
June 29 - July 1, 2004 | Perl Workshop 6.0 (Barbara-Künkelin-Halle) | Schorndorf, Germany
July 12 - 15, 2004 | Real-time and Embedded Systems Workshop | Washington, DC
July 19 - 20, 2004 | Italian Perl Workshop (Polo Fibonacci) | Pisa, Italy
July 21 - 24, 2004 | Linux Symposium | Ottawa, Canada
July 26 - 30, 2004 | O'Reilly Open Source Software Convention 2004 (OSCON) | Portland, OR
July 26 - 30, 2004 | IBM pSeries Technical Conference | Cairns, Australia

Comments (none posted)

Web sites

KDE Users Database (KDE.News)

KDE.News has an announcement for a new KDE Users Database site. "A few days ago, we've opened a new section on our Polish K Desktop Environment website called "KDE Users Database". This is not only for Polish users, it's international. After some time it'll be good rate of KDE users number all over the world. Every registered user can save generated certificates and put them on his desktop or website."

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

qmail

From:  Charles Cazabon <web-letters-lwn.net-AT-discworld.dyndns.org>
To:  LWN Letters to the Editor <letters-AT-lwn.net>
Subject:  qmail
Date:  Thu, 27 May 2004 08:40:06 -0600

Greetings,
 
In your issue of 27 May, 2004, you talked about the recent license change for
Movable Type 3.0, and warned your readers about the dangers of "almost free"
proprietary software. All well and good, but you then went on to make several
parallels with qmail (by Dan Bernstein) which I do not believe were quite apt,
for reasons I'll discuss.
 
You said qmail:
 
> [...] comes with a non-free license which forbids distribution of modified
> versions, and which makes the distribution of binary packages difficult.
 
Fair enough, and true. You do clarify later that qmail doesn't come with an
explicit license; instead, if you obtain a copy of qmail, the author believes
you have various rights granted to you by copyright law (such as the ability
to modify and use it as you see fit) that he does not need to explicitly
grant. These rights are ones that click-through "license agreements" of
commercial proprietary software typically tend to try to abrogate. The author
also notes that copyright law does not permit you to copy and redistribute the
software (under any conditions), so he then explicitly grants the right to
redistribute unmodified copies of the source code, plus binary packages that
meet certain criteria. It's all laid out fairly clearly in these two pages:
 
http://cr.yp.to/qmail/dist.html
http://cr.yp.to/qmail/var-qmail.html
 
I will grant that creating a binary package of qmail that satisfies the above
criteria and /also/ meets criteria for inclusion in a modern Linux or Unix
distribution would be problematic. But installing qmail from source is so
simple that I don't personally find that to be an obstacle.
 
The more troublesome statements follow later:
 
> There has not been a new qmail release since June, 1998.
 
The author has not released a new qmail tarball since that time. People used
to "release early, release often" might see that as indication of abandonment,
but it isn't the case with djb's software. Despite qmail-1.03 being six years
old, it /still/ has not had any security holes found in it, despite two cash
awards being available for the discovery of such.
 
> But, due to the redistribution restrictions, nobody can take over qmail
> maintenance and release a new version.
 
Some of us have tried. "netqmail-1.05" is a package which includes an
(unmodified) qmail-1.03 source tarball, a few (small) patches, and a script
which applies them. netqmail runs just fine on modern systems and fixes a
couple of tiny, non-security-related bugs later found in qmail. netqmail is
available from the qmail.org community site:
 
http://qmail.org/netqmail/
 
The most problematic statement you make almost qualifies as FUD:
 
> If qmail's author were ever to proclaim a new license, it would be hard for
> users to prove that any other terms had ever been in force.
 
The author has had these claims directed at him before. He points out, quite
rightly, that:
 
  -he has explicitly granted the right to copy and distribute unmodified
  source, with no expiration on this permission.
  -this statement is clearly present on his website, and is archived in
  many different places. Even if he changed his site, it would not
  retroactively revoke the permissions he has granted.
  -his statements granting such permission would definitely be taken into
  account if he ever tried to use the courts to revoke such rights. You
  cannot assure people you do not object to a behaviour and then try to
  extort damages from them for such behaviour.
 
The qmail community feels there is no risk here.
 
One additional correction:
 
> [...] it seems pretty clear that qmail's author has long since lost interest
> in working on the code; the chances of there ever being another qmail
> release appear small.
 
I don't think this is true; qmail version 2 is under development. It simply
won't be visible to the public until djb feels it is alpha-quality (which is
better than most projects' "release-quality" releases). Keep in mind
development may be somewhat slow; in addition to his research and teaching
duties as a professor at the University of Illinois at Chicago, the author has
also spent much of the last few years developing a BIND replacement (djbdns),
fighting the United States Department of Commerce over the restriction of
cryptography software distribution, and writing various other software.
 
Charles
--
-----------------------------------------------------------------------
Charles Cazabon <web-letters-lwn.net@discworld.dyndns.org>
-----------------------------------------------------------------------

Comments (7 posted)

Re: Movable type and "almost free" software

From:  Russell Nelson <nelson-AT-crynwr.com>
To:  qmail-AT-list.cr.yp.to
Subject:  Re: Movable type and "almost free" software
Date:  Thu, 27 May 2004 10:28:13 -0400
Cc:  letters-AT-lwn.net

Sam Johnston writes:
 > This week's LWN (http://lwn.net/Articles/86020/) compares qmail to
 > Movable type (with reference to Six Apart's recent announcement[1] which
 > has upset users left[2], right[3] and centre[4]). It talks about there
 > being no qmail releases since June 1998,
 
Why does this LWN article ignore netqmail? One might as reasonably
criticize the PBM package because the author has not put out any new
releases. They'll say that the critical difference is in the
licensing. They're wrong. qmail has always been licensed under a
freely copyable without modification license. That is exactly what
the netqmail package is. Freely copyable without modification. The
only thing that you lose in the qmail->netqmail transition is the
ability to distribute unmodified pre-compiled binaries. Guess what?
Nobody does that anyway! Of course, there are people distributing
modified pre-compiled binaries now (can you say Plesk?); they could
easily switch to distributing netqmail instead, and be equally at
fault under the law.
 
Note that I haven't read the article because it is a proprietary
article. I find it VERY IRONIC that they criticize software that
isn't freely copyable in an article that isn't freely copyable.
 
--
--My blog is at angry-economist.russnelson.com | You know you have a
Crynwr sells support for free software | PGPok | politician that can't hurt
521 Pleasant Valley Rd. | +1 315 268 1925 voice | you when you see the hearse
Potsdam, NY 13676-3213 | FWD# 404529 via VOIP | go by.

Comments (2 posted)

LINUX Security - Buffer Overflows

From:  Troy Klein <Y2k-AT-ieee.org>
To:  lwn-AT-lwn.net
Subject:  LINUX Security - Buffer Overflows [Corrected]
Date:  Thu, 27 May 2004 02:50:11 +0000

 
LWN Editors:
 
The problem of buffer overflows has been around a long, long, long time . . . . . about 50 years! I have found the following steps to be very effective in detecting, defending from, and inhibiting buffer overflows:
 
1. Receiving buffers are placed in their own (virtual memory) segment (this technique unfortunately requires very detailed knowledge of the hardware platform and may not be a generally applicable technique).
2. Receiving buffers are preceded and followed by defensive buffers that are at least twice the size of the receiving buffer. These defensive buffers are filled with repeated (randomly generated and never x'00' or x'ff') identical byte contents. Those repeated identical byte contents are checked by an asynchronous highest priority task for any changes, with the frequency for the check based on the speed of whatever is filling the receiving buffer. If any changes are detected in the defensive buffers, whatever is filling the receiving buffer is suspended and a very emphatic alert is generated. If the receiving buffer is filled by a process internal to the program, this check is done each time the receiving buffer is filled.
 
The size of the defensive buffers may be reduced over time as confidence builds, but should never be eliminated. Defensive buffers will catch a lot of the programmer's logic errors!
 
The arguments against defensive buffers are a lot like the history of arguments against protective gear in sports (football, baseball, snow skiing, etc.); only after someone else is severely hurt does leadership arise that requires defensive measures. Perhaps LINUX and other operating systems have not yet hurt their users enough for users to mandate defensive measures.
 
Regards,
Troy Klein
Y2k-AT-ieee.org

Comments (4 posted)
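The guard-region scheme the letter describes, as an added example in C that is not code from the letter or from LWN: a heap-allocated receiving buffer bracketed by two guard regions twice its size, each filled with one randomly chosen byte that is never 0x00 or 0xff, and a check routine that reports which guard was disturbed. The names (guarded_buf, guarded_check, faulty_fill, demo_fault) are this example's own, rand() stands in for a proper random source, and the check runs synchronously after each fill rather than from the letter's asynchronous high-priority task.

```c
/* Added example: "defensive buffers" around a receiving buffer.
 * Layout of one allocation:  [ low guard ][ receiving buffer ][ high guard ]
 * Each guard is GUARD_FACTOR times the receiving buffer's size and is filled
 * with a single random byte, never 0x00 or 0xff.  guarded_check() reports
 * which guard changed; the caller decides how to suspend and alert. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define GUARD_FACTOR 2   /* letter's rule: guards at least twice the buffer */

typedef struct {
    unsigned char *base;   /* start of the allocation (= low guard) */
    size_t data_len;       /* receiving buffer size */
    size_t guard_len;      /* size of each guard */
    unsigned char canary;  /* the repeated guard byte */
} guarded_buf;

/* rand() is a stand-in for a real random source (assumption for this demo). */
static unsigned char pick_canary(void)
{
    static int seeded = 0;
    unsigned char c;
    if (!seeded) { srand((unsigned)time(NULL)); seeded = 1; }
    do { c = (unsigned char)(rand() & 0xff); } while (c == 0x00 || c == 0xff);
    return c;
}

int guarded_init(guarded_buf *g, size_t data_len)
{
    g->data_len = data_len;
    g->guard_len = GUARD_FACTOR * data_len;
    g->base = malloc(data_len + 2 * g->guard_len);
    if (g->base == NULL)
        return -1;
    g->canary = pick_canary();
    memset(g->base, g->canary, g->guard_len);                           /* low guard  */
    memset(g->base + g->guard_len, 0, data_len);                         /* buffer     */
    memset(g->base + g->guard_len + data_len, g->canary, g->guard_len);  /* high guard */
    return 0;
}

/* Pointer handed to whatever fills the receiving buffer. */
unsigned char *guarded_data(const guarded_buf *g) { return g->base + g->guard_len; }

/* 0 = intact; bit 1 = low guard modified (write before the buffer);
 * bit 2 = high guard modified (write past the end). */
int guarded_check(const guarded_buf *g)
{
    const unsigned char *lo = g->base;
    const unsigned char *hi = g->base + g->guard_len + g->data_len;
    int status = 0;
    size_t i;
    for (i = 0; i < g->guard_len; i++) if (lo[i] != g->canary) { status |= 1; break; }
    for (i = 0; i < g->guard_len; i++) if (hi[i] != g->canary) { status |= 2; break; }
    return status;
}

void guarded_free(guarded_buf *g) { free(g->base); g->base = NULL; }

/* Stand-in for a filler with a logic error: writes n bytes at data+offset
 * without honouring data_len.  Clamped to our own allocation so the demo
 * stays memory-safe; the guards still record the damage. */
void faulty_fill(guarded_buf *g, long offset, const unsigned char *src, size_t n)
{
    if (offset < -(long)g->guard_len || offset + (long)n > (long)(g->data_len + g->guard_len))
        return;   /* would leave the allocation: refuse rather than corrupt the heap */
    memcpy(guarded_data(g) + offset, src, n);
}

/* Constructed scenario: 16-byte receiving buffer, one faulty_fill() with the
 * given offset and length, then the guard status. */
int demo_fault(long offset, size_t n)
{
    guarded_buf g;
    unsigned char input[64];
    int status;
    if (guarded_init(&g, 16) != 0)
        return -1;
    /* fill byte must differ from the guard byte, or the write is invisible */
    memset(input, g.canary == 'A' ? 'B' : 'A', sizeof input);
    if (n > sizeof input) n = sizeof input;
    faulty_fill(&g, offset, input, n);
    status = guarded_check(&g);
    guarded_free(&g);
    return status;
}

int main(void)
{
    printf("in-bounds fill : %d (expect 0)\n", demo_fault(0, 16));
    printf("4-byte overrun : %d (expect 2)\n", demo_fault(0, 20));
    printf("1-byte underrun: %d (expect 1)\n", demo_fault(-1, 1));
    return 0;
}
```

Two limits worth knowing before leaning on this: a write that happens to deposit the guard byte itself goes unnoticed, which is why the letter insists on a random value rather than a fixed pattern (and why the demo picks a fill byte different from the canary); and the guards only see contiguous overruns and underruns of this one buffer, not writes landing elsewhere in memory.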

BE May Editorial -- How Many Nines Is That, Again?

From:  "Jay R. Ashworth" <jra-AT-baylink.com>
To:  editor-AT-primediabusiness.com
Subject:  BE May Editorial -- How Many Nines Is That, Again?
Date:  Wed, 26 May 2004 12:01:45 -0400
Cc:  letters-AT-lwn.net

I hate to have to ruin your day, after you put all that work into it
and all...
 
But "5-nines reliability" does indeed mean 99.999, *not* 99.99999 --
it's a count of the *total* number of nines in the number.
 
And pat that IT guy on the back -- a *system-level* reliability of 99.99%
(four nines) means he has *really* done his homework; probably
including redundant network cabling to everything and dual switches.
 
And, alas, slap yourself in the face for screwing up. And I expect you
to do it in letters as large as the ones you screwed up in -- that is,
*on the editorial page*. Feel free to do the research you should have
done in the first place; if I'm wrong, you can use that space to slap
*me* around instead. But I don't think you will.
 
See the first 3 or 4 hits at http://www.google.com/search?q=five%20nines
for example, and note that 32 seconds a year is *six* nines... and
remember that each nine costs an order of magnitude more, in
general... and remember also that system uptime is the product of the
uptimes of *every component on the critical path*.
 
Don't go dissin' IT people. Modulo our ability to get management to
spend enough to buy the gear they need for the reliability they ask
for, we'll make sure they get it. Ask a Wall Street trading firm.
 
Oh, and more and more of them have dumped Microsoft for Linux, for
precisely this reason. Windows often has a time between reinstalls
that is longer than the average Linux box's time between reboots -- and
*that* is often done solely because the operator wants to do a kernel
version upgrade; I believe the uptime record for a Linux box is
currently over 500 days.
 
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Baylink RFC 2100
The Suncoast Freenet The Things I Think
Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274
 
        "They had engineers in my day, too." -- Perry Vance Nelson

Comments (9 posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds