Remember Adobe Systems? They are the folks who used the DMCA to bring
about the arrest of Dmitry Sklyarov and the whole Elcomsoft case. Adobe
has now found out that the DMCA, like software patents, can cut both ways.
TrueType fonts include a couple of bits stating whether the font may be
embedded in documents or not. Tweaking these bits has been taken, by font
companies, as "circumvention" in the past, and the DMCA invoked in attempts
to shut down distribution of useful tools. See, for example, the history of
the dispute regarding the simple "embed" program. In the case of embed,
the program's author has resisted, and the program is still available on the net.
It turns out now, however, that Adobe's Acrobat software is capable of
ignoring the "do not embed" bits at times. Adobe claims that things work
this way because the company has secured a contractual right to distribute
the fonts in question within PDF documents. Font producers ITC and Agfa
Monotype disagree, and have invoked the DMCA. Acrobat, it seems, is a
circumvention device.
Adobe has taken the
offensive and gone to court to secure its rights to the fonts and to be
freed of the DMCA charges. The company could have an interesting battle on
its hands, however. Adobe may well be within its rights when it claims
that embedding of the fonts is legal. But the DMCA makes no exceptions for
"circumvention" which enables the exercise of existing rights. Adobe has
no sympathy for those wanting to use Elcomsoft's eBook processor to
exercise their fair use rights against electronic books. There is no
reason to believe that Acrobat should be treated differently.
There is a certain sense of poetic justice in watching Adobe take this
fall. But the use of laws like the DMCA to prevent legitimate activities
is wrong, no matter who the victim is. Every one of these actions makes us
all a little less free. It appears that Adobe's rights (and those of its
customers) are being violated here; we should be just as willing to
challenge the excesses of the DMCA in this case as in others.
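As an added illustration (not part of the LWN article), the embedding-permission bits referred to above live in the fsType field of a TrueType font's OS/2 table. The Python below reads and interprets them without altering the font, which is the check a document producer consults before copying font data into a PDF; the sample font bytes are constructed inline and are not a usable font, and the flag values are those published in the OpenType OS/2 table specification.

```python
"""Read the embedding-permission bits of a TrueType font (fsType in the OS/2
table) without modifying the font.  Added example, not from the article.
The sample font is constructed inline and is not a renderable font."""
import struct

# fsType flag values defined by the OpenType OS/2 table specification.
FSTYPE_RESTRICTED    = 0x0002  # "do not embed"
FSTYPE_PREVIEW_PRINT = 0x0004  # embedding for viewing and printing only
FSTYPE_EDITABLE      = 0x0008  # embedded copies may be edited
FSTYPE_NO_SUBSETTING = 0x0100
FSTYPE_BITMAP_ONLY   = 0x0200

SFNT_VERSIONS = (0x00010000, 0x74727565)  # 1.0 and 'true' (Apple)


def read_fstype(font: bytes) -> int:
    """Walk the sfnt table directory and return the OS/2 table's fsType."""
    if len(font) < 12:
        raise ValueError("truncated sfnt header")
    version, num_tables = struct.unpack(">IH", font[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError("not a TrueType sfnt")
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory runs past end of file")
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if tag == b"OS/2":
            # OS/2 layout: version(2) xAvgCharWidth(2) usWeightClass(2)
            # usWidthClass(2) fsType(2) ...  so fsType sits at offset 8.
            if length < 10 or offset + 10 > len(font):
                raise ValueError("OS/2 table too short for fsType")
            return struct.unpack(">H", font[offset + 8:offset + 10])[0]
    raise ValueError("no OS/2 table")


def embedding_permission(fstype: int) -> str:
    """Name the licence category.  The most restrictive bit wins when several
    of bits 1-3 are set (a conservative reading chosen for this example)."""
    if fstype & FSTYPE_RESTRICTED:
        return "restricted"
    if fstype & FSTYPE_PREVIEW_PRINT:
        return "preview-and-print"
    if fstype & FSTYPE_EDITABLE:
        return "editable"
    return "installable"


def may_embed_in_document(fstype: int) -> bool:
    """The check a PDF producer consults before copying font data into a file."""
    return not (fstype & FSTYPE_RESTRICTED)


def check_font(font: bytes) -> tuple:
    fstype = read_fstype(font)
    return embedding_permission(fstype), may_embed_in_document(fstype)


def _table_checksum(table: bytes) -> int:
    """Standard sfnt table checksum: sum of big-endian uint32 words, mod 2^32."""
    padded = table + bytes((-len(table)) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_sample_font(fstype: int) -> bytes:
    """Constructed minimal sfnt with a single OS/2 table (not a renderable font)."""
    os2 = struct.pack(">HhHHH", 4, 500, 400, 5, fstype)      # version-4 OS/2 header
    os2 += bytes(96 - len(os2))                                # pad to the full table length
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # numTables = 1
    record = struct.pack(">4sIII", b"OS/2", _table_checksum(os2), 12 + 16, len(os2))
    return header + record + os2


if __name__ == "__main__":
    for bits in (0x0000, 0x0002, 0x0004, 0x0008 | 0x0100):
        print(hex(bits), check_font(build_sample_font(bits)))
```

Run against a real .ttf (`read_fstype(open(path, "rb").read())`) the same function reports what the font's licence permits; whether a contractual right overrides those bits is, as the article notes, a legal question the bits themselves cannot answer.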
Many electrons have been expended in the discussion of Microsoft's
"Palladium" trusted computing initiative. Many fear that Palladium
will become the digital rights management (DRM) system of the future,
threatening to bring a definitive end to fair use rights and our control
over our own computers in general. Microsoft has done its best to distance
Palladium from DRM; in fact, it may have distanced itself a little
too far. Consider this message from Lucky Green, posted to the cryptography
mailing list in early August:
Peter Biddle, Product Unit Manager for Palladium, very publicly and
unambiguously stated during Wednesday's panel at the USENIX
Security conference that the Palladium team, despite having been
asked by Microsoft's anti-piracy groups for methods by which
Palladium could assist in the fight against software piracy, knows
of no way in which Palladium can be utilized to assist this end.
Palladium, they say, is just a way to protect users from rogue software -
no DRM stuff there, honest.
Lucky, however, is apparently a little more creative in this regard; thus
he has announced:
I, on the other hand, am able to think of several methods in which
Palladium or operating systems built on top of TCPA can be used to
assist in the enforcement of software licenses and the fight
against software piracy. I therefore, over the course of the night,
wrote - and my patent agent filed with the USPTO earlier today - an
application for an US Patent covering numerous methods by which
software applications can be protected against software piracy on a
platform offering the features that are slated to be provided by
Palladium.
As Lucky points out, there is no way that the Microsoft Palladium team
could be unaware of any prior art with regard to his patent filing; their
public statement that no such art exists must thus be true. The patent
might just be granted.
One assumes that the licensing terms for such a patent might be other than
favorable. One could even imagine that, in a fantastic scenario, this
patent could end Palladium's usefulness as a platform for DRM systems. Of
course, that scenario does require a great deal of fantasy about one's
ability to stand up to the industry's lawyers.
Many of us worry a great deal about the use of software patents to gain a
lock on the many worthwhile things that can be done with computers. The
offensive use of patents in an attempt to shut down things that somebody
thinks should not be done with computers is a rather different way
of doing
things. It is an approach that carries a number of risks: legal expenses,
for example, not to mention the lack of any sort of consensus on what
techniques, if any, should be blocked in this manner. Of course, with
enough fantasy, one can envision another outcome from the use of blocking
patents: a wider realization of the damage caused by software patents and a
reform of software patent law. One can always hope.
(Thanks to NTK, which always
beats us to the really good stuff.)
Page editor: Jonathan Corbet
Security
Brief items
Here is an article in the Register on the U.S. National Security Agency's
contribution to open-source security, Security-Enhanced Linux. "The
most secure software in the world doesn't improve security if nobody runs
it, or if it's incompatible with what the vast majority of people
run. Standard is better than better. VINES networks might be more secure
than TCP/IP but it does little to secure the Internet as a whole. MD5
password hashing was always more secure than old Unix crypt password
hashes, but until vendors started shipping the code, and integrating it via
Pluggable Authentication Modules, it made little difference."
Brian McWilliams reports, in Wired, that a security oversight which allowed
unauthorized web access to some customers' identifying information and
credit card numbers has resulted in Ziff-Davis Media agreeing to pay $500
each to about 50 affected customers and an additional $100,000 to the state
of New York. An investigation led by New York with the assistance of
Neohapsis revealed that Ziff-Davis failed to follow industry-standard
security practices, such as encrypting and password-protecting the data,
and keeping track of who accessed it.
According to the settlement agreement (PDF), the attorneys general
concluded that Ziff-Davis was guilty of violating their states'
business laws prohibiting deceptive business practices and false
advertising.
Security reports
A proof of concept has been published for a denial of service attack on
version 0.1.0 of the SWS Web Server.
Knights of the Routing Table reports three low priority security issues in
Cacti version 0.9.8, and possibly earlier versions. A valid username and
password with administrator rights is required to exploit any of the
vulnerabilities.
Cacti is a complete frontend to rrdtool; it stores all of the necessary
information to create graphs and populate them with data in a MySQL
database. The frontend is completely PHP driven. Along with being able to
maintain Graphs, Data Sources, and Round Robin Archives in a database,
cacti handles the data gathering also. There is also SNMP support for those
used to creating traffic graphs with MRTG.
A cross-site scripting vulnerability was reported in Aestiva's HTML/OS.
New vulnerabilities
Ethereal 0.9.6 fixes potential remote code execution vulnerability
Package(s): ethereal
CVE #(s): CAN-2002-0834, CAN-2002-0821, CAN-2002-0822
Created: September 4, 2002
Updated: September 11, 2002
Description:
Ethereal 0.9.6 was released on August 20, 2002, fixing a serious buffer
overflow vulnerability in the ISIS protocol dissector in Ethereal 0.9.5 and
earlier versions. It may be possible to make Ethereal crash or hang by
injecting a purposefully malformed packet onto the wire, or by convincing
someone to read a malformed packet trace file. It may be possible to make
Ethereal run arbitrary code by exploiting the buffer and pointer problems.
Ethereal 0.9.4 has multiple buffer overflow and other vulnerabilities that
are best dealt with by upgrading to 0.9.6. These vulnerabilities may allow
remote attackers to cause a denial of service or execute arbitrary code.
Updating now, rather than later, is recommended.
Alerts:
Scrollkeeper temporary file vulnerability
Package(s): scrollkeeper
CVE #(s): CAN-2002-0662
Created: September 4, 2002
Updated: September 4, 2002
Description:
There is a tempfile vulnerability in ScrollKeeper versions between 0.3 and
0.3.11. The scrollkeeper-get-cl command generates temporary files with
predictable names and follows symbolic links. "These files are created
when a user logs in to a GNOME session and are created as the user who
logged in. This means an attacker with local access can easily create and
overwrite files as another user." For more information see this security
advisory from Spybreak.
ScrollKeeper is a cataloging system for documentation on open systems. It
manages documentation metadata (as specified by the Open Source Metadata
Framework (OMF)) and provides a simple API to allow help browsers to find,
sort, and search the document catalog.
Alerts:
KDE 3.0.3 fixes X.509 certificate check vulnerability
Package(s): kde
CVE #(s):
Created: September 4, 2002
Updated: September 11, 2002
Description:
The SSL implementation used by previous versions of KDE accepted, without
alerting the user, any X.509 certificate signed by any entity under
specific conditions. This bug allows "for undetected MITM attacks ("man in
the middle"), which could compromise an encrypted HTTPS session."
Alerts:
PXE server denial of service vulnerability
Package(s): pxe
CVE #(s): CAN-2002-0835
Created: September 4, 2002
Updated: November 11, 2002
Description:
The PXE server can be crashed using DHCP packets from some Voice Over IP
(VOIP) phones. Maliciously formed DHCP packets could be used by a remote
attacker to effect a denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment) server and
code needed for Linux to boot from a boot disk image on a Linux PXE server.
Alerts:
Updated vulnerabilities
Heap corruption vulnerability in at
Package(s): at, sudo, xchat
CVE #(s): CAN-2002-0004
Created: May 21, 2002
Updated: May 15, 2003
Description:
The at command has a potentially exploitable heap corruption bug. (First
LWN report: January 17th).
Alerts:
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not affect
Linux. Updates from the Internet Software Consortium (ISC) are available
from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to
be affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver
Libraries (CAN-2002-0651, CAN-2002-0684)
Alerts:
Potential unauthorized root access vulnerability in dietlibc
Package(s): dietlibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: December 5, 2002
Description:
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in dietlibc, a libc optimized
for small size. The bug could be exploited to gain unauthorized root access
to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Light remotely-exploitable code vulnerability
Package(s): epic4-script-light
CVE #(s):
Created: August 28, 2002
Updated: August 28, 2002
Description:
J. S. Connell recently discovered that "the IRC script for EPIC4 that I
maintain is vulnerable to a fairly easy remote attack."
All versions of Light prior to 2.7.30p5 (on the 2.7 branch) or 2.8pre10 (on
the 2.8 branch) running under any version of EPIC4 on any platform are
vulnerable to a remotely-exploitable bug that can execute nearly-arbitrary
code. All Light users are very strongly urged to upgrade to stable release
2.7.30p5 or beta 2.8pre10 immediately.
Alerts:
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401,
CAN-2002-0402, CAN-2002-0403, CAN-2002-0404
Created: June 12, 2002
Updated: October 27, 2002
Description:
Ethereal 0.9.4 was released on May 19, 2002, fixing four potential security
issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities that are best
avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in
SNMP and LDAP protocol support. Malformed packets could also crash
ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib
"double free" vulnerability was addressed by the updates for that bug from
many distributors.
Alerts:
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
Alerts:
GNU fileutils race condition
Package(s): fileutils ucdsnmp
CVE #(s): CAN-2002-0435
Created: May 21, 2002
Updated: May 16, 2003
Description:
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1 stable
and the 4.1.6 development version. A patch is available. (First LWN report:
May 2).
Alerts:
Buffer overflow vulnerability in the Jabber plug-in module for gaim
Package(s): gaim
CVE #(s): CAN-2002-0384, CAN-2002-0377
Created: August 14, 2002
Updated: September 11, 2002
Description:
gaim versions prior to 0.58 contained a buffer overflow in the Jabber
plug-in module. The problem is fixed in gaim 0.59 which is available here.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
Alerts:
Remote arbitrary code execution vulnerability in gaim
Package(s): gaim
CVE #(s):
Created: August 28, 2002
Updated: September 4, 2002
Description:
gaim versions prior to 0.59.1 contained an arbitrary code execution
vulnerability in the hyperlink handling code. The 'Manual' browser command
passes an untrusted string to the shell without escaping or reliable
quoting, permitting an attacker to execute arbitrary commands on the
user's machine. Unfortunately, Gaim doesn't display the hyperlink before
the user clicks on it. Users who use other inbuilt browser commands aren't
vulnerable.
The problem is fixed in gaim 0.59.1 which is available here. Versions prior
to 0.58 also contained a buffer overflow in the Jabber plug-in module
which, of course, is still fixed in 0.59.1.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
Alerts:
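The gaim flaw above is an instance of a general defect: an untrusted string (here a URL from another user) is spliced into a command line that is then handed to the shell. The Python below, added here and not gaim's code, shows the flawed construction beside two sound ones: building an argv list so that no shell ever parses the URL, or, when a shell cannot be avoided, quoting the URL with shlex.quote. The "browser" is a Python one-liner stand-in so the block runs anywhere, and the URL is a constructed sample whose ';' would end the command under /bin/sh.

```python
"""Handing a user-supplied URL to an external browser command.
Added example, not gaim's code.  The browser here is a Python one-liner
stand-in so the block runs anywhere; the URL is a constructed sample."""
import shlex
import subprocess
import sys
from urllib.parse import urlsplit


def unsafe_shell_command(template: str, url: str) -> str:
    """The flawed pattern: splice the untrusted URL into a string destined for
    /bin/sh.  Returned for inspection only; it is never executed here."""
    return template.replace("%s", url)


def quoted_shell_command(template: str, url: str) -> str:
    """If a shell is unavoidable, quote the URL so it stays a single word."""
    return template.replace("%s", shlex.quote(url))


def validate_url(url: str) -> bool:
    """Accept http/https only, with a host and no whitespace or control bytes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return all(0x20 < ord(c) < 0x7f for c in url)


def build_argv(template: str, url: str) -> list:
    """Tokenise the *trusted* template with shell rules once, then substitute
    the URL inside a single token.  No shell sees the URL, so ';', '|' or
    backquotes in it are ordinary characters."""
    if "%s" not in template:
        raise ValueError("template needs a %s placeholder")
    return [tok.replace("%s", url) for tok in shlex.split(template)]


def launch(template: str, url: str) -> str:
    """Validate, build argv, run without a shell; return what the browser saw."""
    if not validate_url(url):
        raise ValueError("refusing URL: " + repr(url))
    result = subprocess.run(build_argv(template, url),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Constructed stand-in "browser": prints the single argument it receives.
BROWSER_TEMPLATE = shlex.quote(sys.executable) + ' -c "import sys; print(sys.argv[1])" %s'
# Constructed hostile-looking URL: the ';' would end the command under /bin/sh.
SAMPLE_URL = "http://example.com/report;echo%20hello"

if __name__ == "__main__":
    print("shell string :", unsafe_shell_command("browser %s", SAMPLE_URL))
    print("quoted string:", quoted_shell_command("browser %s", SAMPLE_URL))
    print("argv         :", build_argv(BROWSER_TEMPLATE, SAMPLE_URL))
    print("browser saw  :", launch(BROWSER_TEMPLATE, SAMPLE_URL))
```

The validation step is independent of the quoting: even with a correct argv, a "manual" browser command that is itself a shell wrapper would still be exposed, so rejecting anything other than plain http/https URLs limits what reaches it.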
Potential remote root exploit in glibc
Package(s): glibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: June 30, 2003
Description:
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Buffer overflow in groff
Package(s): groff
CVE #(s): CAN-2002-0003
Created: May 21, 2002
Updated: December 9, 2002
Description:
The groff package has a buffer overflow vulnerability; if it is used with
the print system, it is conceivably exploitable remotely.
Alerts:
HylaFAX 4.1.3 fixes multiple vulnerabilities
Package(s): hylafax
CVE #(s): CAN-2001-1034
Created: July 30, 2002
Updated: October 9, 2002
Description:
The HylaFAX team has released version 4.1.3 fixing denial of service,
elevated system privilege and possible remote code execution
vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
Alerts:
UW imapd remotely exploitable buffer overflow
Package(s): imap
CVE #(s): CAN-2002-0379
Created: June 5, 2002
Updated: December 20, 2002
Description:
UW imapd versions 2000c and prior allow remote authenticated users to
execute code via a buffer overflow. A malicious user can craft a request to
run commands on the server under their UID and GID. (First LWN report: May
23).
Alerts:
Denial of service vulnerability in irssi IRC client
Package(s): irssi-text
CVE #(s):
Created: August 28, 2002
Updated: August 28, 2002
Description:
When a user attempts to join a channel that has an overly long topic
description, and a specific string is appended to the topic, the irssi IRC
client will crash.
Alerts:
Kernel update for RedHat 7.3 i810 video
Package(s): kernel
CVE #(s):
Created: August 28, 2002
Updated: September 4, 2002
Description:
Red Hat has issued a kernel update that fixes an "i810 video oops".
"Updated kernel packages are now available which fix an oops in the i810 3D
kernel code. This kernel update also fixes a difficult to trigger race in
the dcache (filesystem cache) code, as well as some potential security
holes, although we are not currently aware of any exploits."
Alerts:
Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s): krb5
CVE #(s):
Created: August 14, 2002
Updated: October 29, 2002
Description:
A bug in the Kerberos 5 remote administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host. It is believed
that the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful.
Felix von Leitner discovered this potential division by zero bug in code
derived from the SunRPC library which is used in many places, including the
Kerberos 5 administration system. Updating now is recommended.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Locally exploitable buffer overflow in linuxconf
Package(s): linuxconf
CVE #(s):
Created: August 28, 2002
Updated: August 28, 2002
Description:
The widely-shipped linuxconf system administration utility has a buffer
overflow vulnerability which can be exploited by a local user to obtain a
root shell. This exploit only matters, of course, if linuxconf is installed
setuid root, but a number of distributions do exactly that. If you have
linuxconf installed on systems with untrusted local users, you will probably
want to remove the setuid bit until a fix comes out.
For more information check out the full advisory from iDEFENSE.
Alerts: (No alerts in the database for this vulnerability)
LPRng accepts jobs from any host.
Package(s): LPRng
CVE #(s): CAN-2002-0378
Created: June 12, 2002
Updated: October 31, 2002
Description:
Matthew Caron pointed out that LPRng's default configuration accepts job
submissions from any host. This could be an especially annoying
vulnerability for administrators with systems exposed to the general
public.
Alerts:
Mailman 2.0.12 closes cross-site scripting vulnerability
Package(s): mailman
CVE #(s): CAN-2002-0855
Created: August 28, 2002
Updated: September 4, 2002
Description:
Mailman 2.0.12, released on July 2nd, closed a minor cross-site scripting
vulnerability and implemented "a guard against some reply loops and 'bot
subscription attacks." Upgrading to Mailman 2.0.13, which also fixes some
Python 1.5.2 incompatibilities, is recommended.
Alerts:
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
Package(s): mailman
CVE #(s): CAN-2002-0388
Created: June 5, 2002
Updated: August 28, 2002
Description:
Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two
cross-site scripting exploits, one reported by "office" in the admin login
page, and another reported by Tristan Roddis in the Pipermail index
summaries. It is recommended that all sites upgrade their 2.0.x systems to
this version."
Alerts:
Multiple vulnerabilities in mantis
Package(s): mantis
CVE #(s):
Created: August 20, 2002
Updated: September 4, 2002
Description:
The Mantis project has reported a number of bugs in the Mantis bug tracking
system, including:
Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
PHP Remote Compromise/DOS Vulnerability
Package(s): mod_php4
CVE #(s):
Created: July 22, 2002
Updated: February 18, 2003
Description:
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences.
According to this alert, the vulnerability can only be used for denial of
service on x86 systems - there is no way to get it to run exploit code.
SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems,
ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise
turn out to be vulnerable to a modified attack, so x86 users should not
relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1
installed, is to upgrade to PHP 4.2.2.
For more information see the alert from the discoverer of the
vulnerability, Stefan Esser of e-matters GmbH, or the security advisory
from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP
Alerts:
Mozilla XMLHttpRequest file disclosure vulnerability
Package(s): mozilla
CVE #(s): CAN-2002-0354
Created: May 21, 2002
Updated: October 18, 2002
Description:
This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The
bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various
operating system platforms, and in Netscape versions 6.1 and higher."
(First LWN report: May 2).
Alerts:
String format bug in pam_ldap logging
Package(s): nss_ldap
CVE #(s): CAN-2002-0374
Created: June 5, 2002
Updated: October 29, 2002
Description:
The nss_ldap package includes the pam_ldap module for authenticating a user
with an LDAP database. Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism.
Alerts:
OpenSSL remotely-exploitable buffer overflow vulnerabilities
Package(s): OpenSSL
CVE #(s): CAN-2002-0655, CAN-2002-0656, CAN-2002-0657, CAN-2002-0659
Created: July 30, 2002
Updated: September 24, 2002
Description:
Four remotely-exploitable buffer overflows were found in OpenSSL versions
0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both
client and server applications are affected. The vulnerabilities are
described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in CERT
Advisory CA-2002-27 Apache/mod_ssl Worm. Compromise by the Apache/mod_ssl
worm indicates that a remote attacker can execute arbitrary code as the
apache user on the victim system. It may be possible for an attacker to
subsequently leverage a local privilege escalation exploit in order to gain
root access to the victim system. Furthermore, the DDoS capabilities
included in the Apache/mod_ssl worm allow victim systems to be used as
platforms to attack other systems.
If you haven't already, applying an update is a very good thing to do
today. Mitel Networks has an update available which closes this
vulnerability for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
Alerts:
Safemode vulnerability in PHP
Package(s): PHP
CVE #(s): CAN-2001-1246
Created: August 20, 2002
Updated: October 9, 2002
Description:
PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to
the mail() function, allowing arbitrary command execution by local and
(possibly) remote attackers.
Alerts:
Remotely exploitable vulnerability in pine
Package(s): pine
CVE #(s): CAN-2002-0014
Created: May 21, 2002
Updated: November 27, 2002
Description:
Pine has an unpleasant vulnerability in URL handling which can lead to
command execution by remote attackers. (First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution, setting
enable-msg-view-urls to "off" in pine's setup will avoid the
vulnerability. (Thanks to Greg Herlein).
Alerts:
Buffer overflow vulnerabilities in PostgreSQL
Package(s): PostgreSQL
CVE #(s):
Created: August 21, 2002
Updated: January 27, 2003
Description:
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it should
be noted that these vulnerabilities are only critical on 'open' or 'shared'
systems, as they require the ability to be able to connect to the database
before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by "Sir
Mordred The Traitor" in the cash_words, repeat, lpad and rpad functions.
Alerts:
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the
Debian advisory, the problem was present in Python versions 1.5, 2.1 and
2.2.
Alerts:
Sharutils potential privilege escalation using uudecode
Package(s): sharutils
CVE #(s): CAN-2002-0178
Created: May 21, 2002
Updated: October 31, 2002
Description:
According to the CVE entry, "uudecode, as available in the sharutils
package before 4.2.1, does not check whether the filename of the uudecoded
file is a pipe or symbolic link, which could allow attackers to overwrite
files or execute commands." (First LWN report: May 16).
Alerts:
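The ScrollKeeper entry earlier on this page (temporary files with predictable names, symlinks followed) and the uudecode entry just above come down to the same defect: opening an output path without first establishing what is already there. The Python below, added here and not code from either project, shows the conservative way to open such files: create exclusively with O_EXCL, never follow a symlink, fail rather than block on a reader-less FIFO, confirm with fstat() that a regular file was obtained, and use mkstemp for temporary files. The victim file, symlink and FIFO are constructed in a scratch directory.

```python
"""Opening output and temporary files without being redirected by a symlink
or stalled by a FIFO.  Added example, not code from ScrollKeeper or sharutils.
The victim file, symlink and FIFO are constructed in a scratch directory."""
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # absent on some platforms


def open_output_file(path: str, allow_overwrite: bool = False) -> int:
    """Return a write-only fd for path, or raise OSError.
    - O_EXCL (default) refuses any pre-existing path, symlink included;
    - O_NOFOLLOW refuses a symlink even when overwriting is allowed;
    - O_NONBLOCK makes opening a reader-less FIFO fail (ENXIO) instead of hanging;
    - fstat() confirms a regular file was really obtained."""
    flags = os.O_WRONLY | os.O_NONBLOCK | O_NOFOLLOW
    flags |= os.O_CREAT | (os.O_TRUNC if allow_overwrite else os.O_EXCL)
    fd = os.open(path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("refusing to write to a non-regular file: " + path)
    except BaseException:
        os.close(fd)
        raise
    return fd


def private_tempfile(directory: str, prefix: str) -> str:
    """Unpredictable name, created atomically with mode 0600: the replacement
    for a predictable <dir>/<prefix><user> name that anyone can pre-create."""
    fd, path = tempfile.mkstemp(dir=directory, prefix=prefix)
    os.close(fd)
    return path


def demo() -> dict:
    """Exercise the checks in a scratch directory and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")           # the file a symlink points at
        with open(victim, "w") as f:
            f.write("precious")
        link = os.path.join(d, "link")
        os.symlink(victim, link)

        for key, overwrite in (("symlink_create", False), ("symlink_overwrite", True)):
            try:
                os.close(open_output_file(link, allow_overwrite=overwrite))
                out[key] = "opened"
            except OSError:
                out[key] = "refused"
        with open(victim) as f:
            out["victim_intact"] = f.read() == "precious"

        fifo = os.path.join(d, "fifo")                # a pipe left in the output path
        os.mkfifo(fifo)
        try:
            os.close(open_output_file(fifo, allow_overwrite=True))
            out["fifo"] = "opened"
        except OSError:
            out["fifo"] = "refused"

        fresh = os.path.join(d, "fresh")              # the legitimate case
        fd = open_output_file(fresh)
        os.write(fd, b"ok")
        os.close(fd)
        out["fresh"] = "opened"

        tmp = private_tempfile(d, "scrollkeeper-")
        out["tmp_private"] = stat.S_IMODE(os.stat(tmp).st_mode) == 0o600
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The O_NONBLOCK flag is what keeps a decoder from hanging when the attacker-chosen name is a FIFO with no reader; for a regular file it has no effect, so it can stay set for the lifetime of the descriptor.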
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s): squid
CVE #(s):
Created: July 8, 2002
Updated: November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several
vulnerabilities in versions up to and including 2.4.STABLE7. Several of the
bugs are believed to allow remote code execution. The security advisory
lists the following changes:
- Several bugfixes and cleanup of the Gopher client, both to correct some
  security issues and to make Squid properly render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into HTML.
- FTP data channels are now sanity checked to match the address of the
  requested FTP server. This is to prevent theft or injection of data. See
  the new ftp_sanitycheck directive if this sanity check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow
  security issues found in this helper.
- A security issue in how Squid forwards proxy authentication credentials
  has been fixed.
Alerts:
Tcl/Tk local root vulnerability
Package(s): tcltk expect
CVE #(s): CAN-2001-1374, CAN-2001-1375
Created: August 14, 2002
Updated: September 24, 2002
Description:
Tcl/Tk searches for its libraries in the current working directory before
other directories. A local user could execute arbitrary code by inserting a
Trojan horse library in the current working directory.
Versions of the expect application prior to 5.32 search for their libraries
in /var/tmp before searching in other directories. A local user could gain
root privileges by inserting a Trojan horse library in /var/tmp and then
getting the root user to run mkpasswd.
Alerts:
Malformed NFS packet buffer overflow vulnerability in tcpdump
Package(s): tcpdump
CVE #(s): CAN-2002-0380
Created: June 5, 2002
Updated: October 9, 2002
Description:
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are
vulnerable.
Alerts:
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s):
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts:
Multiple vulnerabilities in SNMP implementations
Package(s): ucdsnmp ucd-snmp
CVE #(s): CAN-2002-0012, CAN-2002-0013
Created: May 21, 2002
Updated: September 17, 2002
Description:
Most SNMP implementations out there have a variety of buffer overflow
vulnerabilities and should be upgraded at first opportunity. See this CERT
advisory for more. (First LWN report: February 14).
Alerts:
Local root vulnerability in chfn
Package(s): util-linux
CVE #(s): CAN-2002-0638
Created: July 30, 2002
Updated: October 31, 2002
Description:
chfn (change finger information) is one of the utilities in the util-linux
package. The BindView RAZOR Team has discovered a local root vulnerability in
chfn which is described in the Bindview Advisory. Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a complex file
locking and modification race present in this utility, and, as a result, alter
/etc/passwd to escalate privileges in the system." The conditions include a
password file, /etc/passwd, over 4 kilobytes, and the attacker's account record
located in any but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955: util-linux package vulnerable to privilege
escalation when "ptmptmp" file is not removed properly when using "chfn" utility
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s): (none)
Created: May 21, 2002
Updated: January 27, 2003
Description:
The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS
lookups are enabled in webalizer, "an attacker with control over the victims
DNS may spoof responses thus triggering a buffer overflow, potentially leading
to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets
that have been discovered in the last month or so". (First LWN report: April
18th, 2002).
Comments (none posted)
Webmin/Usermin vulnerabilities
Package(s): webmin
CVE #(s): (none)
Created: May 21, 2002
Updated: January 10, 2003
Description:
Webmin is a web-based interface for system administration for Unix. Webmin has
cross-site scripting and session ID spoofing vulnerabilities which are fixed in
the May 6, 2002 release of version 0.970. (First LWN report: May 9).
This one is scary. The session ID spoofing vulnerability allows the "possibility
that arbitrary commands may be executed with root privileges." Upgrading is
strongly recommended. At a minimum avoid the "preconditions for a successful
exploit" by disabling password timeouts under
Webmin->Configuration->Authentication.
Comments (1 posted)
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s): (none)
Created: May 21, 2002
Updated: May 7, 2003
Description:
The libgtop_daemon package is a GNOME program which makes system information
available remotely. LWN reported the remotely exploitable format string and
buffer overflow vulnerabilities in that package on December 6th. On November
28th, disabling the libgtop_daemon on systems where it is running was
recommended until an update is available. Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with
negative Content Length values. "It is believed that an attacker could exploit
this bug to gain remote wwwrun access to the system wwwoffled is running on."
Comments (none posted)
xchat IRC server based DNS query vulnerability
Package(s): xchat
CVE #(s): CAN-2002-0382
Created: June 5, 2002
Updated: September 24, 2002
Description:
A malicious IRC server may return a response to a /dns query that executes
arbitrary commands with the privileges of the user running XChat. Versions of
XChat prior to 1.8.9 are vulnerable.
Comments (none posted)
Denial of service vulnerability in xinetd
Package(s): xinetd
CVE #(s): (none)
Created: August 14, 2002
Updated: December 3, 2002
Description:
A file descriptor leak into services started from xinetd may be used, by
programs it starts, to crash xinetd. Xinetd is a replacement for the BSD
derived inetd.
Comments (none posted)
Resources
The latest CERT summary, dated August 30, 2002, is available.
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Full Story (comments: none)
The September 2nd Linux Security Week newsletter from LinuxSecurity.com is available.
Full Story (comments: none)
Sacha Faust announces the release of Metis 1.4.1 to fix
a bug in last week's release of version 1.4.0.
"This is a tool I wrote to collect
information from web servers."
Metis was written for the
Open Source Security Testing Methodology (OSSTM).
Full Story (comments: none)
Events
| Date | Event | Location |
| September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia |
| September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | The Chamberlain Hotel, Hampton, Virginia, USA |
| September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | University of Idaho, Moscow, Idaho, USA |
| September 26 - 27, 2002 | HiverCon 2002 | Hilton Hotel, Dublin, Ireland |
| September 27 - 29, 2002 | ToorCon 2002 | San Diego Concourse, San Diego, CA, USA |
| October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland |
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Kernel development
Brief items
The current development kernel is 2.5.33, which was
announced by Linus on August 31.
Among other things, this
kernel includes support for the SCTP protocol, offloading of TCP
segmentation into network cards (see below), some IDE work, more memory
management and file I/O improvements from Andrew Morton, more input driver
work, and, perhaps, a floppy driver that actually works. The
long format changelog is also available.
As of this writing, Linus's BitKeeper tree includes the removal of
list_t (once again, see below), a number of memory management
changes from Andrew Morton (including the NUMA discontiguous memory patch),
more floppy driver fixes, and a number of other fixes and updates.
The current 2.5 Status Summary from Guillaume
Boissiere came out on September 4.
The current stable kernel is 2.4.19. Marcelo released 2.4.20-pre5 on August 28; it includes a
long list of fixes and a big merge from Alan Cox.
Speaking of Alan, he released 2.4.20-pre5-ac2
on September 4. It includes a number of fixes and a small bit of IDE
work, but this prepatch was aimed more at stabilizing things than adding
new work.
Alan has also released 2.2.22-rc2. It
contains more fixes than one might expect for a release candidate; among
other things, it contains some worthwhile security fixes.
Comments (none posted)
Kernel development news
The direction of Linux IDE development - now that most of the work
previously done for 2.5 has been thrown out - is becoming a little
clearer. Andre Hedrick has
posted a 2.5 IDE
patch, his first in many months. Along with the patch, Andre states:
We are back. We is a development team being composed to reduce my
load and import fresh ideas. If you want to help please join in,
we can make the halloween party.
The initial 2.5 patch consists mostly of relatively small cleanups, but
Andre tells us that much more ambitious changes are in the works.
Actually, much of the relevant work has already been done for the 2.4 (or
2.4-ac) series, and the rest, should Alan Cox and Marcelo Tosatti be
willing, should go in soon. This work includes complete support for memory
mapped ATA controllers, which is a precondition for serial ATA support
(which is also on the list); fixes for a number of Promise controller
issues; support for split-channel operations; and a tagged command queueing
implementation which, says Andre, avoids some potential problems found in Jens
Axboe's version. Additional work envisioned for 2.5 includes a
standardization of the ATAPI layer and automatic loading of subdrivers.
The auto-loading feature is aimed at the classic CD burner problem: regular
tasks are handled as standard ATAPI operations, but burning a disk requires
loading the IDE-SCSI module. Andre's plan is to have the IDE layer select
the appropriate subdriver based on which device the user-space application
opened, making this switch be automatic and transparent.
That, of course, is a long list of changes to get into the kernel in less
than two months. To that end, Andre has recruited help from a number of
directions. Alexander Viro is "the BUZZIT guy" helping to improve code
quality, as well as continuing his work on things like partition table
handling. Bartlomiej Zolnierkiewicz has his hands in the code, as do a
number of other people. And all the changes, of course, must pass Alan
Cox's inspection on their way into the 2.4-ac tree. Alan has already demonstrated that he will not take IDE patches
that don't pass muster, and Andre seems to be doing his best to rework the
patches accordingly.
Things, thus, seem to be off to an encouraging start. The list remains
long, however, and the deadline is close. And Linus hasn't looked at the
code yet. The IDE work is going to have to proceed quickly to get that
halloween treat.
Comments (none posted)
Most people who dig through the kernel source eventually run into
struct list_head, the structure used for the management of
generic, doubly-linked lists in the kernel. The kernel list implementation
has some interesting features, including the fact that every entry in the
list is a "list head." The lists are circular, and no one node is special.
Recently, a typedef (list_t) was added as an equivalent name for
the list_head structure; rumor has it Ingo Molnar added the name
to help keep his source lines within 80 columns. One would think that
people would not get overly worked up about this addition, but this
is the kernel hacker community we are dealing with. The prevailing
opinion among kernel hackers has swung strongly against typedef in
recent times. Use of typedef is seen as a useless hiding of
information that programmers need to see. Defined types also complicate
include file dependencies. Structures can be "predeclared" with a line
like:
struct my_struct;
and references to that structure (pointers, in particular) can be used as
long as the internals of the structure are not accessed. Defined types can
not be predeclared in this way, making it harder to mix mutually-dependent
types across files.
So Rusty Russell posted a patch which removes
list_t from the kernel. Nobody really complained about that
change, but some wondered: why not rename the list_head structure
to struct list at the same time? As William Irwin rather
graphically put it: "Throw the whole frog
in the blender, please, not just half."
In the end, a big renaming of struct list_head throughout the
kernel tree (and external code) wasn't to most people's taste. And Linus
isn't into blended frogs. So the patch
removing list_t went into Linus's BitKeeper tree (and will be in
2.5.34), but struct list_head remains.
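As an added example written for this page (not kernel code): a minimal struct list_head in the kernel's style, showing the two points above in working C. The forward declarations let a constructed run_queue type point at struct task before its body exists, which a typedef'd name could not do, and the walk functions show that every entry is itself a head of the same circular list. All type and function names here are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Forward ("pre") declarations: pointers to these types are usable from here on,
 * even though the struct bodies come later. A typedef name cannot be introduced
 * this way, which is the include-dependency argument against list_t. */
struct list_head;
struct task;

/* Every entry is itself a list head: circular, doubly linked, no special node. */
struct list_head {
    struct list_head *next, *prev;
};

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static inline void list_add_tail(struct list_head *entry, struct list_head *head) {
    entry->next = head;        entry->prev = head->prev;
    head->prev->next = entry;  head->prev = entry;
}
static inline void list_del(struct list_head *entry) {
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;   /* poison: a stale use crashes, not corrupts */
}

/* Recover the enclosing record from the embedded list_head, then iterate. */
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(pos, head) \
    for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next)

/* Constructed types that refer to each other: run_queue names struct task before
 * its body exists, which the forward declaration above permits. */
struct run_queue {
    struct list_head tasks;     /* the queue's own head, not embedded in a task */
    struct task *current;
};
struct task {
    int pid;
    struct run_queue *rq;
    struct list_head rq_link;   /* this task's position on rq->tasks */
};

size_t list_count(const struct list_head *head) {
    size_t n = 0;
    const struct list_head *pos;
    list_for_each(pos, head) n++;
    return n;
}

/* Constructed sample: three tasks, pids 1..3, queued in order. */
static struct run_queue rq;
static struct task tasks[3];

static void build_queue(void) {
    INIT_LIST_HEAD(&rq.tasks);
    for (int i = 0; i < 3; i++) {
        tasks[i].pid = i + 1;
        tasks[i].rq = &rq;
        list_add_tail(&tasks[i].rq_link, &rq.tasks);
    }
    rq.current = &tasks[0];
}

size_t demo_count(void)      { build_queue(); return list_count(&rq.tasks); }
int demo_current_pid(void)   { build_queue(); return rq.current->pid; }

/* Unlink one task, then sum the pids that remain. */
int demo_sum_after_delete(int del_pid) {
    struct list_head *pos;
    int sum = 0;
    build_queue();
    list_for_each(pos, &rq.tasks) {
        if (list_entry(pos, struct task, rq_link)->pid == del_pid) {
            list_del(pos);      /* safe only because iteration stops right here */
            break;
        }
    }
    list_for_each(pos, &rq.tasks) sum += list_entry(pos, struct task, rq_link)->pid;
    return sum;
}

/* Walk the ring starting from a task's own link rather than rq.tasks: no node is
 * special, so the queue head is just one hop to skip. Returns the pids packed in
 * decimal, e.g. 231 for a walk that starts at pid 2. */
int demo_walk_from(int start_pid) {
    struct list_head *start, *pos;
    int packed = 0;
    build_queue();
    start = pos = &tasks[start_pid - 1].rq_link;
    do {
        if (pos != &rq.tasks)
            packed = packed * 10 + list_entry(pos, struct task, rq_link)->pid;
        pos = pos->next;
    } while (pos != start);
    return packed;
}

int main(void) {
    printf("count=%zu current=%d sum_without_2=%d walk_from_2=%d\n",
           demo_count(), demo_current_pid(), demo_sum_after_delete(2), demo_walk_from(2));
    return 0;
}
```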
Comments (2 posted)
One of the many tasks performed by the networking stack is TCP segmentation
- turning a large chunk of data sent by an application into a series of
packets small enough to fit within the maximum transfer size. The
segmentation task involves performing checksums, making headers to match
each segment, perhaps copying the data to assemble the packet, and
transferring that packet to the network controller. This work is a
significant part of the overhead of sending data over a network.
Some modern controllers, though, have the ability to do segmentation
internally. In this case, the operating system passes in a set of template
headers and a single, large chunk of data; the adaptor handles the rest.
Much of the segmentation work goes away, and a number of smaller I/O
operations turn into one big, fast transfer.
As of 2.5.33, the Linux kernel understands segmentation offloading, and the
e1000 driver supports it; the work was done mostly by Alexey Kuznetsov and
Chris Leech. Some results posted by Scott
Feldman show what this change buys. In general, transfers do not go any
faster, for a simple reason: the Linux network stack was already able to
drive the interface at the speed of the wire. On a send of a long file,
however, CPU usage dropped from 40% to 19%. This seems like an
optimization worth having.
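To make concrete what the controller takes over, here is an added example (not LWN's or the e1000 driver's code) of the per-segment work done in software: a template header plus one large buffer goes in, and a header, sequence number and RFC 1071 checksum comes out for each MSS-sized piece. The header layout and all names are constructed for the example; the sample is a 3500-byte send at MSS 1460.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HDR_LEN 20
#define TCP_PSH 0x08
#define MAX_SEGS 16

/* Template the stack would hand to a TSO-capable controller (constructed). */
struct tcp_template {
    uint16_t src_port, dst_port;
    uint32_t seq, ack;    /* seq is the sequence number of the first payload byte */
    uint8_t flags;        /* ACK = 0x10, PSH = 0x08 */
    uint16_t window;
};
/* One wire segment: its own header plus a view into the caller's data. */
struct segment { uint8_t hdr[TCP_HDR_LEN]; const uint8_t *payload; size_t len; uint32_t seq; };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 ones'-complement accumulate and fold. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (n) sum += (uint32_t)(p[0] << 8);
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum over the IPv4 pseudo-header, the TCP header and the payload of one segment. */
static uint32_t tcp_csum_partial(uint32_t saddr, uint32_t daddr, const struct segment *s) {
    uint8_t pseudo[12];
    put32(pseudo, saddr); put32(pseudo + 4, daddr);
    pseudo[8] = 0; pseudo[9] = 6;                         /* IPPROTO_TCP */
    put16(pseudo + 10, (uint16_t)(TCP_HDR_LEN + s->len));
    uint32_t sum = csum_add(0, pseudo, sizeof pseudo);
    sum = csum_add(sum, s->hdr, TCP_HDR_LEN);
    return csum_add(sum, s->payload, s->len);
}

/* Software segmentation: the per-segment header and checksum work that TSO moves
 * into the controller. Returns the number of segments written to out[], or 0 if
 * they would not all fit (refuse rather than silently truncate the send). */
size_t tcp_segment(const struct tcp_template *t, uint32_t saddr, uint32_t daddr,
                   const uint8_t *data, size_t len, size_t mss,
                   struct segment *out, size_t max) {
    size_t n = 0, off = 0;
    if (mss == 0 || (len + mss - 1) / mss > max) return 0;
    while (off < len) {
        struct segment *s = &out[n++];
        s->len = (len - off < mss) ? len - off : mss;
        s->payload = data + off;
        s->seq = t->seq + (uint32_t)off;
        memset(s->hdr, 0, TCP_HDR_LEN);                 /* checksum field zero while summing */
        put16(s->hdr + 0, t->src_port);  put16(s->hdr + 2, t->dst_port);
        put32(s->hdr + 4, s->seq);       put32(s->hdr + 8, t->ack);
        s->hdr[12] = (TCP_HDR_LEN / 4) << 4;            /* data offset, no options */
        /* PSH belongs on the last segment of the send only. */
        s->hdr[13] = (off + s->len == len) ? t->flags : (uint8_t)(t->flags & ~TCP_PSH);
        put16(s->hdr + 14, t->window);
        put16(s->hdr + 16, csum_fold(tcp_csum_partial(saddr, daddr, s)));
        off += s->len;
    }
    return n;
}

/* Receiver-side check: with the checksum field included, the sum folds to zero. */
int tcp_segment_verify(uint32_t saddr, uint32_t daddr, const struct segment *s) {
    return csum_fold(tcp_csum_partial(saddr, daddr, s)) == 0;
}

/* Constructed sample: a 3500-byte send, MSS 1460, starting at seq 1000. */
#define SAMPLE_LEN 3500
static uint8_t sample[SAMPLE_LEN];
static struct segment segs[MAX_SEGS];
static const uint32_t SADDR = 0xC0A80001u, DADDR = 0xC0A80002u;   /* 192.168.0.1 -> .2 */

size_t demo_segments(void) {
    struct tcp_template t = { 40000, 80, 1000, 7, 0x10 | TCP_PSH, 65535 };
    for (size_t i = 0; i < SAMPLE_LEN; i++) sample[i] = (uint8_t)(i * 31 + 7);
    return tcp_segment(&t, SADDR, DADDR, sample, SAMPLE_LEN, 1460, segs, MAX_SEGS);
}
uint32_t demo_seq(size_t i)   { return segs[i].seq; }
size_t   demo_len(size_t i)   { return segs[i].len; }
uint8_t  demo_flags(size_t i) { return segs[i].hdr[13]; }
int demo_verify_all(void) {
    size_t n = demo_segments();
    for (size_t i = 0; i < n; i++)
        if (!tcp_segment_verify(SADDR, DADDR, &segs[i])) return 0;
    return n > 0;
}

int main(void) {
    size_t n = demo_segments();
    for (size_t i = 0; i < n; i++)
        printf("seg %zu: seq=%u len=%zu flags=0x%02x\n", i, (unsigned)demo_seq(i), demo_len(i), demo_flags(i));
    printf("all checksums verify: %d\n", demo_verify_all());
    return 0;
}
```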
Comments (2 posted)
Larry Augustin has sent out notice that Leonard Zubkoff, a longtime Linux
kernel hacker and former CTO of VA Linux Systems, was killed in a
helicopter crash in Alaska. Leonard was the source of many contributions
to the Linux community, as well as being a generally nice person; he will
be greatly missed.
Full Story (comments: 3)
Page editor: Jonathan Corbet
Distributions
Distribution News
This week's Debian Weekly News contains good news from Venezuela; wearable
Debian; the Debian Bug-Fixing Game; and much more.
Full Story (comments: none)
The Mandrake Linux 9.0
Release Candidate 1
is out. Beta testers, start bashing.
The Mandrake Linux Community Newsletter for
August 29, 2002 is available. This week's issue contains information
about the ML 9.0 Beta 4 and 9.0 commercial RPMs that are ready for
testing; there's also a marketing survey; and much more.
Mandrake has issued an update advisory for cdrecord. "In some situations, notably
with xcdroast, the mkisofs utility creates pseudo-empty filesystems. The
filesystem is the proper size, but the contents of the filesystem are not
available. This update corrects this problem."
Comments (none posted)
Slackware Linux has announced
the Slackware-9.0-beta, based on gcc-3.2. See the
change
log for details.
Comments (none posted)
New Distributions
FireCast is a Linux-based
software suite for building and managing interactive kiosk networks. It
is designed for use with standard PC hardware, and bundles a
tamper-resistant kiosk environment, customizable user interface, Web
browser, and full multimedia support with a plug-and-play Linux operating
system. According to the initial Freshmeat announcement, version 2.0 was
released August 31, 2002.
Comments (none posted)
Minor distribution updates
The
2-Disk
Xwindow System has released
v1.4rx128 with minor
feature enhancements.
Comments (none posted)
The
Aurora SPARC Linux Project
announced the release of Build 0.32 (Nashville).
Full Story (comments: none)
BU Linux (Boston University) has
released v2.5 (a.k.a. Gigantic). This release is based on Red Hat Linux
7.2 and 7.3, and features an automated update system based around the
Debian apt-get tool.
Comments (none posted)
Cool
Linux CD has released
v1.34 with updates to
Opera, Mozilla and other packages.
Comments (none posted)
Devil-Linux has released
v0.5 with bug fixes and a
kernel upgrade to 2.4.19.
Comments (none posted)
Lunar Linux has released
1.0
beta for your testing pleasure.
Comments (none posted)
MkLinux has released Security Update
2002-08-28 with updates to sendmail.
Full Story (comments: none)
PXES Linux Thin Client has
released
v0.5-final
with some minor security enhancements and bug fixes.
Comments (none posted)
Source Mage GNU/Linux has
released
Sorcery
version 0.8.0.1 with many bug fixes.
Comments (none posted)
uClinux has released
v2.5.32-uc0 with kernel
2.5.32 and other major feature enhancements. Version 2.5.33-uc0 is also
available, with bug fixes and more enhancements.
Comments (none posted)
Page editor: Rebecca Sobol
Development
Version 0.7.1 of the
Omni printer driver has been released by the IBM
Linux Technology Center.
"The Omni printer driver provides support for over 400 printers using the Ghostscript framework. In addition, it provides a model for dynamically loading printer drivers, creating new devices by editing device description files, and simplifies new printer driver development by allowing for the subclassing of previous device features."
This version has a long list of new features including:
- A new GhostScript patch.
- Better Foomatic entry generation to support the Linuxprinting.org printer database.
- Improved support for gcc.
- Updated CUPSToOmni support.
- New job properties: Copy, Collation, Destination, Stapling, Jogging, Duplex, Booklet, NUp, and Scaling.
- Epson PDC Blitter support for a number of printers.
- Initial XMLDevice support for using XML files directly.
- A large number of bug fixes.
Printing has long been a weak point in Unix-based systems, and it
is critical to both server and desktop systems. The Omni project and
LinuxPrinting.org
appear to be making real progress in this area.
See the Omni
ChangeLog file for the complete project history.
Comments (none posted)
System Applications
Audio Projects
An integer-based Ogg Vorbis playback library, known as Tremor
has been released under a BSD-style license.
"
Xiph.Org has re-released the 'Tremor' integer only Vorbis playback library under a BSD-like, totally royalty-free license. This is an ANSI C compliant library intended for embedded and FPU-less applications, such as portable players and player packages for PDAs." See the
Ogg Vorbis site
for more information.
Comments (none posted)
Database Software
Version 4.0.3-beta of the MySQL database has been released, with a long
list of changes. Click below for more details.
Full Story (comments: none)
Education
The August 26, 2002 edition of the
GNU/Linux in education report is out. Topics include
GEO, DemoLinux, learning objects, Free Software for music classes,
free and open-source software in the Mississippi public school system,
rescuing nonprofits from the grip of licensed software, and more.
Comments (none posted)
Mail Software
Michael Stevens
illustrates the use of PerlMx and Mail::Audit on O'Reilly's
Perl.com.
"
There are many ways to filter your e-mail with Perl. Two of the more popular and interesting ways are to use PerlMx or Mail::Audit. I took a long look at both, and this is what I thought of them."
Comments (none posted)
Web Site Development
NewsForge
reviews two Perl-based Content Management Frameworks, E2 and LJ.
"
The two content management engines that I have been most interested in lately are the engines used for Everything2 and LiveJournal. The E2 and LJ engines are both Open Source and both have a good record of being security conscious. I also respect the developers who own the projects, and for me that makes a difference when I choose Open Source projects to use.
The two engines have been designed around similar ideas. They both allow multiple users to create their own content and manage it from the Web. The major difference between them is that LJ focuses content creation and ownership on the individual creator of the information, while E2 concentrates information into a collective resource."
Comments (none posted)
Use Perl has
an announcement for version 1.4.0 of Bricolage, a content management
and publishing system.
Comments (none posted)
Version 1.64 of the PHP frontend for the
mnoGoSearch
web site search engine has been released.
Comments (none posted)
This week, the
Zope Members News
looks at preview version 1.0 beta 1 of the WhoZnext, Zwiki 0.10.0,
a DTML addition to emacs, a new Plone i18n mailing list,
NeoBoard 1.0b, the release of OrderedObjectManager, and more.
Comments (none posted)
Tom Syroid
covers dynamic web site security issues on IBM's developerWorks.
"
This article details how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring Apache's Common Gateway Interface, and wrappering dynamic content. The article is targeted primarily at Webmasters and system administrators responsible for maintaining and securing a Web server; however, anyone with a need or desire to server dynamic content will benefit from the topics covered."
Comments (none posted)
Miscellaneous
Version 1.0 of GNU Bayonne, the GNU Telephony Server
has been announced.
"
In this 1.0 release, we have established a Free Software
platform for the delivery of quality telephony services everywhere",
said David Sugar, GNU Bayonne project leader. "We are committed to
establishing Free Software as the primary means to advance
telecommunications services as part of enterprise software
infrastructure that respects software freedom, and supports both
current and next generation telephone networks"."
Comments (1 posted)
IBM's developerWorks has
an article on the RockyRoad P2P framework.
"
Get a taste of RockyRoad, an open-source, peer-to-peer framework designed to exploit the strengths of P2P: excellent scalability, ease of deployment, and robustness. RockyRoad allows both mobile and stationary peers to communicate with one another directly through a common language, and lets applications subsist on little RAM and few CPU cycles."
Comments (none posted)
Desktop Applications
Audio Applications
Version 1.44 of the
WaveSurfer
audio visualization and manipulation tool has been released.
Changes
include new support for video, and bug fixes.
Comments (none posted)
Desktop Environments
Version 0.14.0 of the
GARNOME
bleeding-edge GNOME distribution
is now available. The
FootNotes
site says: "A new release of GARNOME is available containing what will most likely be the GNOME 2.0.2 RC2 tarballs. New additions include goats (a sticky notes applet), gcalctool (a scientific calculator), quick-lounge-applet (a launcher applet), and some cool stuff from Red Hat's latest beta (without the copyrighted and trademarked stuff). Please note that there are still a few issues with menu editing in this release which will be fixed for GNOME 2.0.2."
Comments (none posted)
The GNOME Summary for August 12-16, 2002 is out.
Topics include the return of Medusa, Gstreamer status, gftp,
a ZDNet review of Evolution, AbiWord table support, the GNOME 2
todo list, Gtk 0.4, GNOME in Arabic, and more.
Full Story (comments: 5)
Games
The Pygame site mentions a
new release of Civil,
a turn based network civil war strategy game.
Comments (none posted)
Interoperability
Issue #133 of the
Wine Weekly News
is out with the latest Wine news.
Comments (none posted)
A Samba 2.2.6pre2 Non-Production Release
has been made available
for testing.
Comments (none posted)
Multimedia
Howard Wen
writes about video recording with Linux and VDR on O'Reilly.
"
VDR serves as a user interface for those who want to build their own digital satellite-TV receiver and recorder box running under Linux. It is based mainly on the DVB-S digital satellite TV receiver card from Fujitsu Siemens, and upon drivers developed by the LinuxTV project."
Comments (none posted)
Office Applications
Issue #44 of
Kernel Cousin GNUe is out with the latest GNU Enterprise
development news. Topics include
documentation on using GNUe Designer, a
possible GNUe consultancy, a
new GNU Enterprise website,
working on GNU Enterprise,
ebXML and e-business in Australia,
using GNUe Application Server with phpGW,
GNUe on linuxfund,
wxGTK2 driver for Forms,
wxPython debugging whilst developing GNUe Designer, and
transparent blocks in forms.
Comments (none posted)
Web Browsers
Mozilla.org mentions that Netscape 7.0
has been released.
"
Netscape Communications has launched Netscape 7.0 the latest version of Netscape's browser software, which is based on Mozilla 1.0.1."
Comments (none posted)
The latest news on
MozillaZine
includes a new guide on making web pages compatible with Mozilla,
a Mozilla 1.2 Alpha trunk freeze, a Mozilla installation and
setup checklist, and more.
Comments (none posted)
Languages and Tools
Caml
This week's Caml Weekly News looks at OCaml 3.06, LablGTK 1.2.5,
CIL, Ocaml-Weblib, OCamOLE pre.3 and pre.3b, Music in Caml,
SpamOracle, Cameleon 1.0, Cash 0.20, ocamlgsl, the data structure
library, and PXP 1.1.92.
Full Story (comments: none)
The Caml Hump
shows off their new web site, with the latest Caml language
development news.
Comments (none posted)
Java
Longtime Linux contributor Jim Pick has started publishing the
Kaffe Weekly News, a
summary of developments with the Kaffe Java virtual machine.
Comments (none posted)
Perl
The September 1, 2002 edition of
The Perl Review
has been published. Topics include
Extreme Mowing, Perl Assembly Language,
What Perl Programmers Should Know About Java,
Filehandle Ties, and The Iterator Design Pattern.
Comments (none posted)
PHP
The September 2, 2002 edition of the
PHP Weekly Summary is out. Topics include:
"
Apache Hooks, expat upgrade, Ext/pdf, bundled gd, PEAR installer in 4.3.0, DOM-XML leaking, socket_recvfrom, XML-RPC configuration, sort() with 4.2.3 RC 1, COM leak in 4.2.3 RC 1, XSLT problems".
Comments (none posted)
This week's
Pear Weekly News is out.
"
This week has seen a flood of new package proposals, PEAR continues to
grow into a high quality library of PHP code and extensions. This week
sees 1 new Release, along with 6 proposed packages and news on peardoc2,
working through issues with environment variables in system and a steady
flow of CVS commits."
Comments (none posted)
Python
The Dr. Dobb's Python-URL for September 4 is out. Among other things, it looks
at a new Psyco release and PiP - a Python interpreter embedded in PHP.
Full Story (comments: none)
This week, the
Daily Python-URL
looks at the SiPy discrete event simulation package, secure protocols,
shell utilities, Python for digital photography,
literate programming with Leo, MySQL connectivity with Python,
operators and string formatting in Python, XMLdiff, and more.
Comments (none posted)
Ruby
This week,
The Ruby Garden
covers local variables and blocks, Ruby Conference 2002, and more.
Comments (none posted)
Scheme
The September 2, 2002 edition of the Scheme Weekly News
looks at new entries in the ReadScheme library
including PLT Scheme v202, SchemeQL version 0.04, and eGuile 1.2.
Full Story (comments: none)
Tcl/Tk
Dr. Dobb's Tcl-URL for September 2 is out; it contains the usual set of
news items from the Tcl/Tk community and pointers to some hints about the
new company being started by Tcl creator John Ousterhout.
Full Story (comments: none)
XML
Rich Salz
shows how
to use SOAP for transporting binary data on O'Reilly.
"
XML doesn't handle embedded binary data very well. Naive developers first try to embed the data directly into their document, reasoning that since Unicode uses all possible byte values, they'll be able to do this. They realize their mistake as soon as their embedded content has a byte with a special value like 0x3C (less than) or perhaps 0x26 (ampersand). The clever naïf might try to fix this by wrapping their content in a CDATA construct, but that only makes the problem less likely, rather than removing it. Suppose the content is a SAX library -- it's quite possible that the CDATA terminator string, "]]>", will show up."
Comments (none posted)
Miscellaneous
KDE.News
introduces
KCachegrind, a KDE front end for the Valgrind memory profiling tool.
Comments (none posted)
Page editor: Forrest Cook
Linux in Business
Business News
SAP has published
a paper that details why the Linux platform can save corporations money.
"
More and more established companies and organizations, such as Hilfiger in the USA or the German Bundestags Administration Section, are changing over to Linux. And a growing number of these companies are also SAP customers. The triggers for this change include tremendous stability, security and a generally lower Total Cost of Ownership. Added to these are a wider range of hardware and enhanced support provided by the partner companies in the SAP Linux Lab."
Thanks to Ed Tomlinson.
Comments (none posted)
This study from D. H. Brown Associates, Inc. concludes that Sun Linux
with J2EE is competitively priced with Dell-based Microsoft .NET.
"The D.H. Brown Associates, Inc. (DHBA) study found that Sun's new LX
50 Intel server with Sun Linux and the Sun ONE J2EE application server is
competitive with Microsoft .NET on Dell hardware on a value-offered
basis. Further, the J2EE platform offers the lowest acquisition cost with
the open-source J2EE server - JBoss - on Linux."
Thanks to Maya
Tamiya.
Comments (none posted)
The Salt Lake Tribune
examines recent financial results from Caldera/SCO. "
The latest
development for the Lindon-based enterprise came Wednesday and was upbeat:
Third-quarter revenues exceeded $15.4 million, around $1.4 million more
than earlier projected."
The Register takes a dimmer view of
the same numbers.
Comments (none posted)
Page editor: Rebecca Sobol
Linux in the news
Recommended Reading
The Linux Journal
reports on
Lawrence Lessig's OSCON keynote.
"
As a call for the defense of freedom, it was the
geek culture equivalent of Martin Luther King's 'I have a dream'
speech."
Comments (none posted)
The Register
reports on Venezuela's new pro-GPL software purchasing policy.
"
Apparently, from now on all software purchased by or developed for the
government must be licensed under the GPL. Even software used for Internet
access to e-government must run GPL'd apps on a GPL'd operating system.
Reasons for the switch include a desire to promote the local development
community rather than enriching those in bondage to foreign software
behemoths, and of course assisting in the good work of stamping out
unlicensed software from government bureaux."
Comments (10 posted)
SFGate.com
reports on efforts by Bruce Perens to establish open standards for
software that is used by government offices.
"
One thing most technology experts can agree on is that California's state government has squandered billions on ill-conceived information-technology (IT) projects in recent years. Whether it was the more than $100 million in taxpayer funds that state authorities admit were wasted on the state's automated child-support system or the more recent purchase of thousands of unneeded software licenses from Oracle, the sorry record is painfully clear. California desperately needs a more workable IT plan.
Fortunately, in the spirit of the open-source software movement, free-software evangelist Bruce Perens has just offered one up."
Comments (1 posted)
Companies
News.com
writes about
a new Dell Linux-based cluster that is being deployed at SUNY.
"
The Austin, Texas-based company and The University at Buffalo, the State University of New York (SUNY Buffalo) on Tuesday will unveil a cluster of 2,008 Dell PowerEdge servers running Red Hat Linux. Researchers will use the cluster to study the structure and orientation of human proteins, a crucial step in finding cures for many diseases. The Buffalo cluster, one of the largest of its kind in the world, is the latest in a string of high-tech projects for upstate New York."
Comments (none posted)
This Register article
looks at Red Hat's
plans to build out a growing portfolio of enterprise products with a
desktop Linux offering targeted at business users. "
Red Hat's
desktop offering is expected next year and the company is considering
subscription-based pricing. News of the launch comes after Red Hat launched
Advanced Server, Content and Collaboration Management, and Database
products for corporates and small and medium sized businesses
(SMBs)."
Comments (3 posted)
Doc Searls
shares his
thoughts on the newly named SCO Group. "The message: SCO is older
than Linux by a long shot (the company was founded in 1979), and UNIX is
senior to both. UNIX businesses have been around for eras in Linux and
Internet prehistory. Some of those businesses involve extremely deep and
abiding relationships between vendors and customers. The dependencies are
often extreme to the degree that the customers can't live without them. SCO
had a bunch of those relationships, long before Linux came along, and many
of those relationships are still alive and well. In fact, they're saving
the former "Linux company's" butt. What's more, those relationships give
SCO a big advantage over Red Hat, SuSE and other Linux companies that still
have nothing comparable to offer SCO's traditional kinds of customers--for
now."
Comments (none posted)
The Register
reports that
Sun is working on a set of XML data standards for use in desktop
productivity applications. "
Once standards for data formats are
established, Sun believes two factors will drive development of Office
rivals. One is increased maturity of open source browsers such as Mozilla
and the Linux operating system - Fowler cited Red Hat 7.3 and SuSE 8.0 as
good examples, which he said have "reasonable" install and
management."
Comments (4 posted)
TechWeb
ponders
the future of Java and Sun:
"Is it too late for Java? Despite some 80 percent of enterprises saying they use Java, the once-steaming development platform seems to have lost its grip on the spotlight. Long after .Net and Linux have become household words, only now is Sun trying to make up for Java's lost time in the low-end Web services and Linux server scenes."
Comments (none posted)
ZDNet
covers the results of the Gartner Group's analysis of TurboLinux.
"Given SRA's narrow management experience, geography and market recognition, the remaining hope for the Turbolinux distribution to succeed on its own lies with the UnitedLinux effort, in which Turbolinux participates. If UnitedLinux fails to gain market momentum--Gartner believes it will have little effect on the market through 2004 (0.7 probability)--the Turbolinux distribution will also have minimal market impact and little hope of profitability except as an embedded part of SRA's portfolio (0.7 probability)."
Comments (none posted)
Business
Linux gets more mainstream press coverage in the form of
this article on CNN.
"During the Cold War, the initials ABM used to mean Anti-Ballistic Missile. In the late '90s, they stood for Anybody But Microsoft, a reaction to the fact that Bill Gates' Windows operating system was in 90 percent of the world's computers and critics didn't like the restrictions Microsoft Corp. placed on computer companies that licensed its software.
But now Microsoft is a convicted monopolist, forced to ease up on those restrictions. The biggest beneficiaries of the New Millennium ABM Club may be proponents of Linux, the open-source operating system, long considered to be as potentially disruptive to Microsoft's dominance as a missile strike on Communist-era Moscow. "
Comments (none posted)
Open For Business
writes about the coming of age for Linux on the desktop.
"Linux has had numerous obstacles to overcome before being truly viable in a corporate desktop environment. Issues such as hardware compatibility, usability, technical support, and software compatibility have restricted Linux' acceptance among IT professionals. Through the hard work and dedication of Open Source Software developers, most of whom write code for free, Linux has overcome these obstacles in the past couple years. Because of this, the recent announcements concerning Linux on the desktop have less to do with Linux than they do with Microsoft Windows. Many companies and IT professionals have come to understand the single biggest reason for Linux' upcoming success on the corporate desktop: There is no longer a compelling reason to run Microsoft Windows on a corporate desktop."
Comments (none posted)
ZDNet is carrying
a
Gartner pronouncement on the future of Linux in the enterprise.
"Microsoft will be pressured to change strategies by enabling easier
integration and interoperability, and encouraging more open-source-software
ports to Windows and .Net. We believe Microsoft will resist these
pressures--it will not port Office to Linux--as it attempts to get buy-in
by enterprise CIOs for the .Net framework. But the tide has already turned:
Most large enterprises are looking for flexibility, leverage, and
lower-cost alternatives and believe they have more options in the server
world than on the desktop."
Comments (none posted)
MIS Magazine
examines the effect that Microsoft's version 6 licensing is having on
their user base.
"For users, the time will inevitably come when they either succumb or jump to alternative suppliers. US Giga Group analyst Julie Giera told CNET in May 2002 that of the third intending not to sign to version 6.0 licensing, 80 per cent are installing Linux somewhere in their organisation.
However, Kablau says he does not believe the alternatives are a significant threat."
Thanks to Con Zymaris.
Comments (3 posted)
Interviews
The Linux Journal
interviews
Linux High Availability (HA) expert Alan Robertson.
"The goal of the HA Project is to provide an HA clustering solution
for Linux via community development, and the goal of OCF might be even
more ambitious: to define APIs that provide basic clustering functions
and to provide a reference implementation of the API."
Comments (none posted)
ZDNet's David Berlind
further covers an interview with Sun's Rob Gingell on such topics as
Java and Linux.
"In my previous column on Sun's future reliance on Java as a core asset, I analyzed Sun Chief Engineer Rob Gingell's assertion that Java has succeeded the Solaris/Sparc duo as the company's crown jewel. Now, I've gleaned and analyzed several other noteworthy nuggets from my lengthy interview (Part I and Part II) with Gingell."
Comments (none posted)
Mstation has
an interview
with Iain Duncan on the use of Csound in the world of techno music.
"Csound is essentially a programming language ( well scripting or mark up language if we want to get picky ) for digital audio, including software synthesis, effects, and other digital manipulation. The main difference between Csound and things like Reaktor, PD, or Max/MXP, is that it is a text based programming language with similarities to basic, C, and assembly."
Comments (none posted)
Resources
The August 29, 2002 edition of the LinuxDevices
Embedded Linux Newsletter is out with all of the latest embedded
Linux news.
Full Story (comments: none)
Troubleshooting Professional Magazine has split in two. The Linux content
is now contained in a monthly magazine called
Linux
Productivity Magazine. The current issue describes the download,
installation, and configuration of the IceWM window manager.
Comments (none posted)
Reviews
According to the Register, the Xbox Linux Project
has made a big step forward in booting SuSE 8.0 on
the Microsoft gaming platform.
"The hardware they're using has been subject to "minor" modification, so this
falls into category A of the Project. Category B aims to run unsigned code on
unmodded hardware, which is a much less do-able looking target."
Comments (none posted)
LinuxOrbit
has reviewed TransGaming Technologies' WineX by running eight
different Windows games.
Comments (none posted)
News.com
looks at the
release of Tremor, an Ogg Vorbis player which uses no floating point
arithmetic. "
The [Xiph] organization emphasized that adding Ogg Vorbis
support would cost hardware makers nothing in license fees, and the group
is offering to provide them with any engineering help they may need to
integrate the format."
Comments (none posted)
LinuxWorld.com
reviews
Borland's Kylix software development platform, and gives some tips on
making it work under Red Hat 7.3.
"The big news about Kylix 3 is that this excellent RAD for Linux now supports C++ as well as Delphi. Delphi, if you don't already know, is Borland's extended Pascal. Borland, if you don't know, is one of the premier makers of software development tools in the world. Borland has tons of experience bringing Pascal/Delphi, database managers, C, and C++ development tools to market."
Comments (none posted)
Miscellaneous
Earlier this year, the European Commission signed a contract for
the use of a project known as
OpenEvidence.
"OpenEvidence produces technology for "evidence" creation and validation of electronic documents, meaning "evidence" a document certified by some authority that guarantees the data it contains.
The technology developed by the project can be used as basic building blocks to support such services as non-repudiation of electronic business transactions, property right protection and notarisation."
Thanks to Hector Martinez.
Comments (none posted)
The Register
covers the departure of Enrico Kern from the Xbox Linux
Project.
"The founder of the high-profile Xbox Linux Project has left the group over
concerns about the direction of the project and disagreements with the
anonymous donor who's contributed $200,000 to port Linux to the Microsoft
gaming device."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Resources
The
September
issue of the Linux Gazette is now available. Contents include a guide
to digital photography, adaptive Linux firewalls, Kerberos, and more.
Comments (none posted)
Use Perl has
an announcement for the availability of the 1998 Perl Conference CD.
Comments (none posted)
Upcoming Events
Use Perl mentions the availability of two OSCON 2002 lightning talks
online, Dan Brian on "What Sucks and What Rocks", and
Brian Ingerson on "Your Own Personal Hashbang".
Full Story (comments: none)
Henri Bergius will give a presentation on the Midgard
application server at the
OSCOM Open Source CMS Conference in Berkeley, California on
September 25, 2002 at 11:00 am.
Full Story (comments: none)
The third annual Linux Expo in Toledo OH is called "Think-Linux, The
Solutions Show". Think-Linux will be held October 30 - 31, 2002.
Full Story (comments: none)
Linux Med News has
an announcement for the
PICNIC Conference.
"PICNIC was initiated by regional health care providers, who are developing the next generation of regional health care networks supporting new ways of providing health and social care. PICNIC will deliver open source components, develop a model for future regional health care networks, and make the European market for telematic care services more cohesive."
The conference will be held in
Paris, France on September 26 and 27, 2002.
Comments (none posted)
The Third Annual Bioinformatics.Org meeting
has been announced; it will be held in San Diego, California
on February 3-6, 2002.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| September 5 - 6, 2002 | Linux Kongress 2002 | Physics Institutes, University of Cologne, Cologne, Germany |
| September 5 - 6, 2002 | SciPy '02 | CalTech, Pasadena, CA |
| September 11 - 13, 2002 | Open source GIS - GRASS users conference 2002 (GRASS) | Centro Servizi Culturali S. Chiara, Trento, Italy |
| September 12 - 13, 2002 | Perl 6 Mini::Conference | ETF, E1, ETH Zurich, Zurich, Switzerland |
| September 16 - 20, 2002 | 9th Annual Tcl/Tk Conference | Vancouver, BC, Canada |
| September 18 - 20, 2002 | Yet Another Perl Conference Europe 2002 (YAPC::Europe 2002) | Munich, Germany |
| September 25 - 27, 2002 | The Second Open Source Content Management Conference (OSCOM) | Lawrence Hall of Science, University of California, Berkeley, CA |
| September 27 - 29, 2002 | Lulu Tech Circus | State Fairgrounds Complex, Raleigh, North Carolina, USA |
| October 11 - 13, 2002 | V Congreso Hispalinux | San Sebastian-Donostia, Spain |
| October 14 - 16, 2002 | The Singapore Linux Conference 2002 | Le Meridien Singapore, Singapore |
| October 14 - 15, 2002 | The Open Group Conference | Hotel Martinez Palace, Cannes, France |
| October 17 - 18, 2002 | Open Source for E-Government | Washington, DC |
| October 28 - 31, 2002 | International Lisp Conference 2002 - The Art of Lisp | San Francisco, CA |
| October 30 - 31, 2002 | Think-Linux, The Solutions Show | The Pinnacle, Toledo, OH |
Comments (none posted)
Web sites
Gnotices
mentions
a new site that is home to a collection of themes,
themedepot.org.
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Miscellaneous
The GNOME foundation
has announced the
GNOME Users and Contributors Survey. GNOME users might want to
take a few minutes to fill it out.
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
From: Joe Klemmer <klemmerj@webtrek.com>
To: letters@lwn.net
Subject: Re: Red Hat as the "next Redmond"
Date: 29 Aug 2002 13:53:18 -0400
> There is a backlash against Red Hat from many consumers and government
> agencies...
What?!? I missed this the first time around. I work with many
"Government Agencies" and they are damn near standardizing on Red Hat. I
know there's a backlash in the Linux "Power User" community but, as I
said on some other site which I can't remember, it's more related to the
"fight the establishment" attitude in the Software Libre community.
See, the reason many people moved to Linux is because it was
"radical". Now that Red Hat is seen as the main Linux vendor it is now
looked upon as the establishment. If SuSE or Caldera or any distro vendor
were in the same position now that Red Hat is in you would see the same
backlash against them.
--
Attention all planets of the Solar Federation.
We have assumed control.
Comments (3 posted)
Page editor: Jonathan Corbet