
LWN.net Weekly Edition for June 17, 2004

The Grumpy Editor's guide to mail clients: introduction

This article is part of the LWN Grumpy Editor series.
Your editor's desktop system is currently running Fedora Core 2, mostly as a result of that distribution's combination of near-bleeding-edge software and the x86_64 architecture. There is much that is good about Fedora, but your editor was more than disconcerted to find out that nmh, the current form of the MH mail client, was no longer included. This is not an isolated point of view; a threat to write a Grumpy Editor column on this topic still yields an occasional message of support. This is, indeed, an ideal topic for such a column; the MH mailer, which was first put together in the late 1970s, still has lessons to offer the current crop of mail clients.

Your editor will have to request some patience, however. A proper review of mail clients will take more than one column, along with a significant amount of time. Those wanting an instant review of bleeding-edge graphical mailers will have to wait a while; this column, instead, will attempt to provide an introduction to the topic by looking at the standards set by MH.

MH was, at the outset, different from any other mail client out there, and it remains different. Mail clients tend to be classic examples of monolithic design; everything (one hopes) that a user might want to do with electronic mail is built into one single, large application. The designers of MH concluded that this design did not fit well with the Unix way of doing things, which is to have a relatively large number of small programs, each of which does one thing well. As a consequence, MH is not one program, but many: the current nmh distribution contains 39 separate utilities.

When dealing with MH at this level, the user is never "in" the mail system; instead, all commands are typed directly to the regular shell. The inc command brings in new mail; scan lists a folder; show, next, and prev display individual messages; repl generates a reply; rmm, refile, and others dispose of messages; and so on. There is a command (pick) which can perform complicated searches through folders. All of these commands (and many not mentioned) manipulate a global state, giving the full set the feel of a single, integrated application.

MH folders, incidentally, are also unique: they are simply directories containing each message in a separate file. A number of modern mailers support MH folders, though usually not as the preferred format.

The result of this organization is that it is possible to build software on top of the MH primitives with great ease. Over the years, developers have created numerous interfaces for MH, including xmh (an old graphical interface still shipped with XFree86), exmh (a Tk-based graphical client), and MH-E (an emacs-based interface favored by your editor). The scriptability of the MH primitives also makes it easy to integrate the mail client into any other task-oriented software that the user may need to run.

The availability of multiple interfaces to the same mail system is nicer than one might think. A fancy, graphical interface may be useful when one is in the office and near to the mail system. When one is stuck behind a slow network connection (a GPRS link from a nearby mountain, say), the command line interface may be the only way to work through a batch of mail quickly and with minimum pain. There is great value in not being locked into a single mode of interaction with the mail system.

Unfortunately, MH is showing its age in a big way. The nmh effort appears to have stalled for lack of developers; it shows no commits to its repository since 2003; the 1.0.4 release - the latest available - came out in April, 2000. A 1.1 release candidate was posted in January, but nothing has happened since then. There is support for MIME in nmh, but that support is awkward at best. The exmh front end does MIME, but there has not been an exmh release in over a year; it, too, is getting harder to find in distributions. MH works with POP, but there is no IMAP implementation in sight. In general, MH is old, unmaintained, and fading from the scene.

This is a shame, because MH got some things right decades ago that modern mail client developers still seem to miss. Your editor does not want to funnel his email into a single-interface black box. He wants to be able to manipulate mail from his desktop, over a modem link, or running through mindterm on a Windows "email garden" system in a remote place. It should be possible to do anything with email - even things that the developer of the mail client might not have thought of. It must be possible to make connections between the mail client and the LWN site code. It should be possible to manipulate messages and folders with shell scripts and programs without great pain. The client should be a powerful tool for working with electronic mail, but it should be just the beginning point, rather than the final destination.

Your editor is now shopping for an email client which can replace MH. This process could be a long one; understanding a mail client well enough to write about it takes a significant amount of effort. The process may also require delving into other parts of the larger email system, such as IMAP servers. Watch for a series of upcoming articles over the (northern hemisphere) summer as this journey unfolds.

As a down payment, here is a quick look at the MH-E interface. Your editor has used MH-E for years; it does a nice job of combining the power of MH with an efficient keyboard interface and the usual benefits of integration with the editor itself. Your editor has long assumed that MH-E has suffered the same fate as MH; the version shipped with the current GNU emacs distribution dates from 2000. This version of MH-E has many shortcomings; it does not even deal with simple things like mail in the quoted-printable encoding correctly.

[MH-E screenshot] So it was interesting to find out that the MH-E hackers have, in fact, been quite busy recently. Version 7.4.3, currently available from the MH-E site, includes a number of new features. It performs threading, has proper MIME support (see screenshot, right), indexed searching, and more. It uses the capabilities of modern versions of emacs to display images and such within the editor itself. There is also a general interface to spam filtering systems, allowing the user to easily train the bayesian filter of his or her choice. It is, in general, a vastly superior implementation of MH-E, and the upgrade is easy; if you are an MH-E user, you probably want to look at the current version.

On the down side, enough commands have been changed to drive a long-time MH-E user nuts for a while, and the documentation is, um, missing. The default colors show a distinct lack of restraint or concern for human factors. It also has adopted the gnus habit of replacing smileys and such with its own built-in icons - behavior which is amusing for about two messages before you realize you'd rather just see what the other person wrote. Fortunately, this behavior is easily turned off with a configuration option.

The new MH-E is apparently slated for inclusion in emacs 21.4. It is good to see that significant work is going into this mail interface; MH-E is too good to allow to slip into obscurity and decay. The fact remains, however, that MH-E is built on a foundation which has not seen any significant maintenance in years.

(For more information on the history and philosophy behind MH, see the classic (if quaintly titled) paper "MH: How to process 200 messages a day and still get some real work done," available in PostScript format).

Comments (71 posted)

The 64-bit question

June 16, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

It was probably too much to hope that all Linux vendors would take the same approach to their distributions for AMD's 64-bit x86 chips and Intel's forthcoming 64-bit x86 chips, or x86_64. While the major commercial vendors (SUSE, Red Hat and Mandrake, to name a few) are shipping mixed distributions for x86_64, the recently-announced Debian x86_64 port is a pure 64-bit distribution without 32-bit libraries.

A pure 64-bit distribution has the advantage of being simpler, and of not having to worry about multiple versions of libraries and such. Thus, while other distributions have relegated the 64-bit libraries to an alternate location, such as /usr/lib64, the Debian project ships with 64-bit libraries in /usr/lib and avoids having to rewrite package build rules to install libraries in /usr/lib64 or a similar location. However, this results in a system that is unable to run 32-bit x86 binaries.

The original plan for Debian's x86_64 port was to be similar to sparc64, where the default is 32-bit applications and libraries. However, the tide turned in February, and multiarch support was put on the back burner. As Goswin von Brederlow explains:

There was an attempt at doing a mixed port but the resistance by the dpkg developers and the community in general was too big to get it under way, especially with the sarge release looming over our heads. A full mixed port means changing every single library package and affects probably all packages. That's nothing one wants to do before sarge.

So instead of going full 32/64 bit mixed mode amd64 in one big step, pure64 was started to get 64 bit support fully available with minimum impact to sarge. Merging in multiarch support for mixed 32/64 bit is now step 2, planned for after sarge at the earliest.

This may not end up being a big problem, even for those users who need to run 32-bit x86 applications. As John Goerzen points out, it is possible to run 32-bit binaries in a chrooted environment:

The only reason I can see for even bothering to support 32-bit applications at all is for binary-only proprietary software. And that is not such a concern; it takes all of about 10 minutes to set up a 32-bit chroot with debootstrap to run those things in.

Some have voiced concerns about Debian being incompatible with other x86_64 distributions. Since LSB-compatibility should be the main concern, we wondered whether Debian, or any other Linux distributions, were compatible with the LSB specification for x86_64 chips. Stuart Anderson, lead developer of the LSB written specification, told LWN that none of the distributions currently meet the LSB specification, but for obvious reasons:

That's because there has not yet been an official release of the LSB for that architecture. There is a draft, and it will get released in the very near future, but because it hasn't been, distros have not yet had a chance to certify.

Anderson did say that a distribution can be LSB-compliant, without running 32-bit binaries, since the specification covers only x86_64. He also said that they are working on a "multi-arch" specification, "but it's not really far enough along to say anything specific."

In general, I think a 64 bit distro should be able to support a 32 bit runtime in parallel. It just does so as supporting two specs, and not a single one that mandated both 32 & 64.

No doubt, it will be some time before x86_64 support is uniform across all the various Linux distributions. The hardware is not yet in wide enough use to truly force distributions to standardize, and it's entirely possible that the 32-bit problem will disappear as x86_64 hardware becomes commonplace.

Comments (13 posted)

Time for a SCO update

It has been a busy week in the SCO universe; time for an update.

The company released its second quarter results on June 10; those who are interested can see the press release or, for far more detail, the 10-Q filing. The results were as bad as expected; actually, they were even worse. The company lost $15 million on $10 million in revenue. The SCOsource program brought in all of $11,000 over the quarter. SCO management says things will get better soon, of course.

About one year ago, SCO acquired a web services company called Vultus; this acquisition, somehow, involved the transfer of some 300,000 shares of SCO stock to the Canopy Group. Quite a few questions were raised at the time; there did not seem to be any sort of legitimate business reason for SCO to make this acquisition; it seemed, instead, to be a way of shifting money over to Canopy. The questions have come back; this quarter's 10-Q filing includes a $2.4 million writeoff acknowledging that Vultus is, in fact, worthless.

Also found in the 10-Q is the fact that SCO has spent $2.4 million of its scarce cash buying back its own stock. These purchases appear to have done little to prop up the company's stock price, however.

The most significant news of the week was almost certainly the rulings in the Novell case. Three separate motions were decided:

  • Novell had tried to get the case dismissed on the grounds that SCO did not show that Novell's copyright claims are false. Judge Kimball denied this motion for now, though he noted that the question of falsity remains open.

  • Novell also moved for dismissal on the grounds that SCO did not plead any specific damages. This motion was granted; as of this writing, SCO's suit against Novell is officially dismissed. SCO, however, got 30 days to refile the case with the required pleadings; SCO claims it will do so.

  • SCO had moved to get the trial shifted back to Utah state court; this motion was denied.

The most important ruling by far was the one keeping the case in Federal court. SCO was hoping for a quick contract case where it could talk about the "intent" of the agreement that transferred the Novell license administration business to (old) SCO. State courts cannot rule on the validity of actual copyright transfers, which are a Federal issue. Judge Kimball has decided, however, that the existence (or lack thereof) of a copyright transfer is a crucial part of this case. If no copyrights were transferred to old SCO, then the current SCO Group has no basis for a "slander of title" claim. And the Judge has his doubts on whether that transfer happened:

The Amendment also contains no transfer language in the form of 'seller hereby conveys to buyer.' Given the similarly ambiguous language in the APA with respect to the transfer of assets -- seller 'will' sell, convey, assign, and buyer 'will' purchase and acquire -- it is questionable on the face of the documents whether there was any intention to transfer the copyrights as of the date the amendment was executed. Moreover, the use of the term 'required' in Amendment No. 2 without any accompanying list or definition of which copyrights would be required for SCO to exercise its rights in the technology is troublesome given the number of copyrighted works involved in the transaction. There is enough ambiguity in the language of Amendment No. 2 that, at this point in the litigation, it is questionable whether Amendment No. 2 was meant to convey the required copyrights or whether the parties contemplated a separate writing to actually transfer the copyrights after the 'required' copyrights were identified.

In state court, SCO would not have had to face this particular line of inquiry. In Federal court, instead, the company will have to start by proving that it does, indeed, own the copyrights it has been claiming; furthermore, this proof will have to be made to a clearly skeptical judge.

One might well think that this whole issue is irrelevant. Beyond the small bit of Unix code leaked into the kernel by SGI (and long since removed), there has been no evidence that any proprietary Unix code has found its way into Linux. Even if SCO wins its case against Novell, it loses against Linux. But the fact that its copyright ownership claims are being challenged in Federal court may yet be the factor that brings the whole enterprise crashing down. Sales of "Linux licenses" will be even harder than before, and, if the judge rules that SCO does not own the copyrights, the rest of SCO's legal offensives will simply collapse.

Judge Kimball also issued some rulings in the IBM case. SCO's motion to bifurcate the case (an attempt to split IBM's patent counterclaims into a separate trial) was denied by the judge. This motion was denied without prejudice, so it could come back at some future time. SCO's motion to delay the case was partly granted, however; the actual trial, should it ever happen, will be in November, 2005. The judge has made it clear that he is not interested in any further delays after this one.

In the AutoZone case, SCO has filed a memorandum opposing AutoZone's motions to put the case on hold, or, at least, to move it to Tennessee. Says SCO:

Granting a stay under the procedural posture of the cases that AutoZone has relied upon would amount to giving AutoZone free license to continue to infringe upon SCO's copyrights for the foreseeable future, while preventing SCO from even obtaining discovery concerning the breadth of such copyright infringements and the damages such infringements may have caused.

In other words, poor SCO would not be able to go fishing through AutoZone's files looking for actual evidence.

Finally, the SCO Group is, for the first time in a while, making a big show of wanting to be a software company. One announcement was for UnixWare 7.1.4, which includes a number of bleeding-edge features: support for disks larger than 128GB, pluggable authentication modules, MySQL, PostgreSQL, Apache 2.0.49, Tomcat, Perl, PHP, Samba 3.0, Sendmail, and more. It seems that free software isn't such a bad thing after all. SCO has also announced an embedded offering, "SCOoffice server," and "Legend," an upcoming version of OpenServer with support for "64-bit advanced computing." All told, it looks like the company is truly putting some effort into its (still proprietary and obsolete) Unix offerings.

One might well wonder why SCO is doing that. The company had been told by BayStar that its litigation was its only worthwhile effort; why drain money from the lawyers to prop up its software offerings? One clue was to be found in the conference call that accompanied the second-quarter earnings report. While SCO claims to be staying the course (and doing great), the whole tone of the conference was subdued. Those who sat through the "Chris&Darl shows" of last year note that, now, the swagger is gone (and Chris Sontag, SCOsource manager, has been just about invisible recently). SCO's management may well have gotten past the denial and figured out that it has lost. If so, they might just be thinking about trying to run a software company once the litigation storm has run its course. That might even work as a "plan B," but only if SCO can overcome a couple of small obstacles: having any sort of company left after those it has attacked are done with it, and offering software that people actually want to buy.

Comments (7 posted)

Page editor: Jonathan Corbet

Security

The Metasploit Framework

Version v2.1 of the Metasploit Framework has been released. Metasploit looks like a script kiddie's dream tool; it is a convenient packaging of some two dozen tools for exploiting known vulnerabilities. A would-be attacker need only choose the weapon of choice from a menu, and turn it loose.

In fact, it's better than that. Combined with the exploit engine is the "payload generator"; there is also an online version available. Simply pick the sort of behaviour you would like, set the relevant parameters (e.g. which port to listen to), and the corresponding code pops out the other end. Fit the payload onto your chosen exploit, and your weapon is armed and ready.

Metasploit does not bring any new capabilities to the cracker's toolbox, but it does make life easy for those who are unable to craft their own exploits. It can also serve as a useful instructional and testing tool for those of us who are charged with keeping systems secure. Metasploit can quickly tell you if a target system is vulnerable to a given exploit, and it shows what a breakin looks like from the outside. The attackers have it; defenders might as well get a copy and see how it works. See the Metasploit Project page for more information.

Comments (1 posted)

New vulnerabilities

Apache mod_proxy: denial of service

Package(s): apache    CVE #(s): CAN-2004-0492
Created: June 11, 2004    Updated: October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

chora: remote command execution

Package(s): chora    CVE #(s): (none)
Created: June 15, 2004    Updated: June 15, 2004
Description: Chora, a CVS/SVN repository viewer written by the HORDE project, has a vulnerability which can allow a remote attacker to inject shell code. Uploading and running of malicious binaries is also possible. Upgrading to version 1.2.2 fixes the problem.
Alerts:
Gentoo 200406-09 2004-06-15

Comments (none posted)

Horde-IMP: improper input validation

Package(s): Horde-IMP    CVE #(s): (none)
Created: June 16, 2004    Updated: August 10, 2004
Description: An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.
Alerts:
Gentoo 200408-07 2004-08-10
Gentoo 200406-11 2004-06-16

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CAN-2004-0554
Created: June 15, 2004    Updated: July 5, 2004
Description: 2.4 and 2.6 kernels running on the i386 and x86_64 architectures have a vulnerability which can allow a local attacker to lock up the system. See this LWN article for a description of the problem.

Many of the updates for this problem also fix various potential driver vulnerabilities found while instrumenting the code for automated auditing.

Alerts:
Gentoo 200407-02 2004-07-03
Fedora FEDORA-2004-186 2004-06-23
Mandrake MDKSA-2004:062 2004-06-23
Whitebox WBSA-2004:255-01 2004-06-21
tinysofa TSSA-2004-011 2004-06-18
Conectiva CLA-2004:845 2004-06-22
EnGarde ESA-20040621-005 2004-06-21
Red Hat RHSA-2004:260-01 2004-06-18
Trustix TSLSA-2004-0035 2004-06-18
Red Hat RHSA-2004:255-01 2004-06-17
Trustix TSLSA-2004-0034 2004-06-16
SuSE SuSE-SA:2004:017 2004-06-16
Slackware SSA:2004-167-01 2004-06-15
Fedora FEDORA-2004-171 2004-06-14

Comments (none posted)

Subversion: Remote heap overflow

Package(s): subversion    CVE #(s): CAN-2004-0413
Created: June 11, 2004    Updated: March 7, 2005
Description: Subversion has a remotely exploitable vulnerability that can cause a denial of service and may allow an attacker to execute arbitrary code on a server running svnserve. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

webmin: denial of service

Package(s): webmin    CVE #(s): CAN-2004-0582 CAN-2004-0583
Created: June 16, 2004    Updated: July 28, 2004
Description: Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See advisories for the disclosure and lockout problems for more information.
Alerts:
Mandrake MDKSA-2004:074 2004-07-27
Conectiva CLA-2004:848 2004-07-16
Debian DSA-526-1 2004-07-03
Gentoo 200406-12 2004-06-16

Comments (none posted)

Updated vulnerabilities

apache2: stack-based buffer overflow in ssl_util.c

Package(s): apache2    CVE #(s): CAN-2004-0488
Created: June 1, 2004    Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

cvs: heap overflow

Package(s): cvs    CVE #(s): CAN-2004-0396
Created: May 19, 2004    Updated: June 11, 2004
Description: CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
Alerts:
Whitebox WBSA-2004:190-01 2004-06-10
Fedora-Legacy FLSA:1620 2004-06-02
Slackware SSA:2004-140-01 2004-05-19
Gentoo 200405-12 2004-05-20
OpenPKG OpenPKG-SA-2004.022 2004-05-19
Mandrake MDKSA-2004:048 2004-05-19
Fedora FEDORA-2004-131 2004-05-19
Fedora FEDORA-2004-126 2004-05-19
SuSE SuSE-SA:2004:013 2004-05-19
Red Hat RHSA-2004:190-01 2004-05-19
Debian DSA-505-1 2004-05-19

Comments (none posted)

cvs: new vulnerabilities

Package(s): cvs    CVE #(s): CAN-2004-0414 CAN-2004-0416 CAN-2004-0417 CAN-2004-0418
Created: June 9, 2004    Updated: June 15, 2004
Description: Several new vulnerabilities have been found in CVS; these include a null-termination error, a double-free vulnerability, a format-string vulnerability, and a few others; see this advisory for the details. Some of these vulnerabilities are remotely exploitable; updating soon would be a good idea.
Alerts:
Debian DSA-519-1 2004-06-15
Whitebox WBSA-2004:233-01 2004-06-10
Fedora FEDORA-2004-170 2004-06-11
Fedora FEDORA-2004-169 2004-06-11
OpenPKG OpenPKG-SA-2004.027 2004-06-11
Gentoo 200406-06 2004-06-10
Debian DSA-517-1 2004-06-10
Mandrake MDKSA-2004:058 2004-06-09
Slackware SSA:2004-161-01 2004-06-09
SuSE SuSE-SA:2004:015 2004-06-09
Red Hat RHSA-2004:233-01 2004-06-09

Comments (none posted)

ethereal: more protocol dissector issues

Package(s): ethereal    CVE #(s): (none)
Created: June 3, 2004    Updated: June 11, 2004
Description: The 0.10.3 version may crash when you select a SIP packet. See this post to the ethereal-users mailing list for details.
Alerts:
Whitebox WBSA-2004:234-01 2004-06-10
Red Hat RHSA-2004:234-01 2004-06-09
Gentoo 200406-01 2004-06-04
Fedora FEDORA-2004-153 2004-06-03
Fedora FEDORA-2004-152 2004-06-03

Comments (1 posted)

Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s): flim    CVE #(s): CAN-2004-0422
Created: May 5, 2004    Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

gallery: unauthenticated access

Package(s): gallery    CVE #(s): (none)
Created: June 2, 2004    Updated: June 15, 2004
Description: The "gallery" photo album has a vulnerability which can allow access to the administrative account without authentication.
Alerts:
Gentoo 200406-10 2004-06-15
Debian DSA-512-1 2004-06-02

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s): gtkhtml    CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003    Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s): iproute net-tools    CVE #(s): CAN-2003-0856
Created: November 25, 2003    Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s): ipsec-tools racoon    CVE #(s): CAN-2004-0155
Created: April 7, 2004    Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

racoon: denial of service vulnerability

Package(s): ipsec-tools racoon iputils    CVE #(s): CAN-2004-0403
Created: April 26, 2004    Updated: July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24

Comments (none posted)
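As an added illustration of the check the racoon entry above says was missing (example code written for this page, not racoon's own), here is a minimal Python parser for the fixed ISAKMP header that validates the length field against the bytes actually received and a configured ceiling before any buffer is sized from it. The header layout follows RFC 2408; the MAX_ISAKMP_MESSAGE ceiling and the build_datagram helper are constructed for the example.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1), 28 bytes in network order:
#   Initiator cookie (8) | Responder cookie (8) | Next payload (1) |
#   Version (1) | Exchange type (1) | Flags (1) | Message ID (4) | Length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
ISAKMP_HEADER_LEN = ISAKMP_HEADER.size  # 28

# Constructed ceiling for one ISAKMP message. A real daemon would derive
# this from its transport (UDP payload maximum) or its own configuration;
# the point is that the peer's length field never sets the bound alone.
MAX_ISAKMP_MESSAGE = 65535


class IsakmpHeaderError(ValueError):
    """Raised when an ISAKMP header fails validation."""


def parse_isakmp_header(datagram: bytes) -> dict:
    """Parse and validate the fixed ISAKMP header of one datagram.

    Returns the header fields on success. Raises IsakmpHeaderError when
    the Length field is inconsistent with the data in hand, so a caller
    never allocates or reads based on an unchecked, attacker-chosen size.
    """
    if len(datagram) < ISAKMP_HEADER_LEN:
        raise IsakmpHeaderError("truncated header")
    (i_cookie, r_cookie, next_payload, version,
     exch_type, flags, msg_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    # Length counts the header itself; anything smaller cannot be valid.
    if length < ISAKMP_HEADER_LEN:
        raise IsakmpHeaderError(f"length {length} smaller than header")
    # Cap by what we are willing to buffer, independent of the peer's claim.
    if length > MAX_ISAKMP_MESSAGE:
        raise IsakmpHeaderError(f"length {length} exceeds maximum")
    # The claimed length must not exceed the bytes actually received.
    if length > len(datagram):
        raise IsakmpHeaderError(
            f"length {length} exceeds received {len(datagram)} bytes")
    return {
        "initiator_cookie": i_cookie,
        "responder_cookie": r_cookie,
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def build_datagram(length_field: int, payload: bytes = b"") -> bytes:
    """Constructed helper: an ISAKMP header carrying a chosen Length value.

    Cookies, version (1.0) and exchange type (2) are arbitrary sample values.
    """
    header = ISAKMP_HEADER.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0,
                                length_field)
    return header + payload


def classify(datagram: bytes) -> str:
    """Return 'ok' for a consistent header, else the rejection reason."""
    try:
        parse_isakmp_header(datagram)
        return "ok"
    except IsakmpHeaderError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: one consistent message, then headers whose Length
    # field lies about the message size in each direction.
    samples = {
        "consistent": build_datagram(ISAKMP_HEADER_LEN + 4, b"abcd"),
        "oversized": build_datagram(0xFFFFFFFF),
        "over-claims": build_datagram(100),
        "under-claims": build_datagram(4),
        "truncated": b"\x00" * 10,
    }
    for name, data in samples.items():
        print(f"{name:>12}: {classify(data)}")
```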

kdelibs: cookie disclosure

Package(s): kdelibs    CVE #(s): CAN-2003-0592
Created: March 10, 2004    Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kde: URI Handler Vulnerabilities

Package(s): kde Opera    CVE #(s): CAN-2004-0411
Created: May 17, 2004    Updated: June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exist in all versions of KDE, up to and including KDE 3.2.2. See this advisory for more information.
Alerts:
Debian DSA-518-1 2004-06-14
Conectiva CLA-2004:843 2004-05-26
SuSE SuSE-SA:2003:014 2004-05-26
Gentoo 200405-19 2004-05-25
Gentoo 200405-11 2004-05-19
Fedora FEDORA-2004-122 2004-05-19
Mandrake MDKSA-2004:047 2004-05-18
Fedora FEDORA-2004-121 2004-05-17
Slackware SSA:2004-238-01 2004-05-17
Red Hat RHSA-2004:222-01 2004-05-17

Comments (none posted)

kernel: symlink overflow in the iso9660 filesystem

Package(s): kernel    CVE #(s): CAN-2004-0109
Created: April 14, 2004    Updated: July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

Comments (none posted)

kernel - root exploit in MCAST_MSFILTER

Package(s): kernel  CVE #(s): CAN-2004-0424
Created: April 22, 2004  Updated: June 11, 2004
Description: A locally exploitable integer overflow has been found in the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 to 2.6.3. A successful exploit could lead to full superuser privileges.
Alerts:
Whitebox WBSA-2004:183-01 2004-06-10
SuSE SuSE-SA:2004:010 2004-05-05
Slackware SSA:2004-119-01 2004-04-28
Mandrake MDKSA-2004:037 2004-04-27
Red Hat RHSA-2004:183-01 2004-04-22
Fedora FEDORA-2004-111 2004-04-22
Trustix TSLSA-2004-0022 2004-04-21

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s): kernel-utils  CVE #(s): CAN-2003-0019
Created: February 7, 2003  Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

krb5: unauthorized root privileges

Package(s): krb5  CVE #(s): CAN-2004-0523
Created: June 3, 2004  Updated: June 29, 2004
Description: Multiple buffer overflows exist in the krb5_aname_to_localname() library function that, if exploited, could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname; this is not a default configuration. See this MIT krb5 Security Advisory for more information.
Alerts:
Gentoo 200406-21 2004-06-29
Debian DSA-520-1 2004-06-16
Whitebox WBSA-2004:236-01 2004-06-10
Mandrake MDKSA-2004:056-1 2004-06-09
Red Hat RHSA-2004:236-01 2004-06-09
Fedora FEDORA-2004-150 2004-06-04
Fedora FEDORA-2004-149 2004-06-04
Mandrake MDKSA-2004:056 2004-06-03

Comments (none posted)

LHA: stack buffer overflows and directory traversal flaws

Package(s): LHA  CVE #(s): CAN-2004-0234 CAN-2004-0235
Created: April 30, 2004  Updated: June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.

CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.

CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.

Alerts:
Whitebox WBSA-2004:178-01 2004-06-10
Debian DSA-515-1 2004-06-05
Red Hat RHSA-2004:178-01 2004-05-26
Fedora FEDORA-2004-119 2004-05-11
Gentoo 200405-02 2004-05-09
Conectiva CLA-2004:840 2004-05-06
Slackware SSA:2004-125-01 2004-05-04
Red Hat RHSA-2004:179-01 2004-04-30

Comments (2 posted)

libpng: denial of service vulnerability

Package(s): libpng  CVE #(s): CAN-2004-0421
Created: April 29, 2004  Updated: June 11, 2004
Description: The PNG library can access out-of-bounds memory when creating an error message; this can be triggered by a malformed PNG image file.
Alerts:
Whitebox WBSA-2004:180-01 2004-06-10
Red Hat RHSA-2004:180-01 2004-05-19
Gentoo 200405-06 2004-05-14
Fedora FEDORA-2004-106 2004-05-05
Fedora FEDORA-2004-105 2004-05-05
Slackware SSA:2004-124-04 2004-05-02
Red Hat RHSA-2004:181-01 2004-04-30
Trustix TSLSA-2004-0025 2004-04-30
Debian DSA-498-1 2004-04-30
Mandrake MDKSA-2004:040 2004-04-29
OpenPKG OpenPKG-SA-2004.017 2004-04-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s): libpng, libpng3  CVE #(s): CAN-2002-1363
Created: December 19, 2002  Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s): libxml2  CVE #(s): CAN-2004-0110
Created: February 26, 2004  Updated: August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

log2mail: format string vulnerability

Package(s): log2mail  CVE #(s): CAN-2004-0450
Created: June 3, 2004  Updated: June 9, 2004
Description: jaguar -at- felinemenace.org discovered a format string vulnerability in log2mail, whereby a user able to log a specially crafted message to a logfile monitored by log2mail (for example, via syslog) could cause arbitrary code to be executed with the privileges of the log2mail process. By default, this process runs as user 'log2mail', which is a member of group 'adm' (which has access to read system logfiles).
Alerts:
Debian DSA-513-1 2004-06-03

Comments (none posted)

logcheck: symlink vulnerability

Package(s): logcheck  CVE #(s): CAN-2004-0404
Created: April 21, 2004  Updated: December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mailman: password disclosure

Package(s): mailman  CVE #(s): CAN-2004-0412
Created: May 27, 2004  Updated: July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve member passwords from the server.
Alerts:
Fedora-Legacy FLSA:1734 2004-07-19
Fedora FEDORA-2004-168 2004-07-01
Fedora FEDORA-2004-167 2004-07-01
Gentoo 200406-04 2004-06-09
Mandrake MDKSA-2004:051 2004-05-26

Comments (none posted)

mikmod: buffer overflow

Package(s): mikmod  CVE #(s): CAN-2003-0427
Created: June 16, 2003  Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s): mod_python  CVE #(s): CAN-2003-0973
Created: January 27, 2004  Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s): mozilla  CVE #(s): CAN-2003-0594 CAN-2003-0564
Created: March 10, 2004  Updated: August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s): mpg321  CVE #(s): CAN-2003-0969
Created: January 6, 2004  Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s): mysql  CVE #(s): CAN-2004-0381 CAN-2004-0388
Created: April 14, 2004  Updated: August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s): neon  CVE #(s): CAN-2004-0398
Created: May 19, 2004  Updated: September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s): nessus  CVE #(s):
Created: May 27, 2003  Updated: August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s): netpbm  CVE #(s): CAN-2003-0924
Created: January 19, 2004  Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s): openssh  CVE #(s): CAN-2003-0190
Created: May 2, 2003  Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s): OpenSSL  CVE #(s): CAN-2004-0081 CAN-2003-0851
Created: March 17, 2004  Updated: November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

postgresql buffer overflow in ODBC driver

Package(s): postgresql  CVE #(s):
Created: June 7, 2004  Updated: July 28, 2004
Description: A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database descended from POSTGRES. It is possible to exploit this problem and crash the surrounding application; hence, a PHP script using php4-odbc can be used to crash the surrounding Apache web server. Other parts of postgresql are not affected.
Alerts:
Mandrake MDKSA-2004:072 2004-07-27
Debian DSA-516-1 2004-06-07

Comments (none posted)

python: buffer overflow

Package(s): python  CVE #(s): CAN-2004-0150
Created: March 10, 2004  Updated: October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync remote file write attack

Package(s): rsync  CVE #(s): CAN-2004-0426
Created: April 30, 2004  Updated: July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

Comments (none posted)

squid: buffer overflow

Package(s): squid  CVE #(s): CAN-2004-0541
Created: June 9, 2004  Updated: September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s): squirrelmail  CVE #(s): CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created: May 21, 2004  Updated: October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

sysstat: temporary file vulnerability

Package(s): sysstat  CVE #(s): CAN-2004-0107 CAN-2004-0108
Created: March 10, 2004  Updated: October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s): tar unzip  CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002  Updated: April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s): tcpdump  CVE #(s): CAN-2004-0183 CAN-2004-0184
Created: March 30, 2004  Updated: September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5  CVE #(s):
Created: May 21, 2002  Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

tripwire format string vulnerability

Package(s): tripwire  CVE #(s): CAN-2004-0536
Created: June 4, 2004  Updated: July 7, 2004
Description: The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. With a carefully crafted filename on a local filesystem an attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user. See this advisory on SecurityFocus for more details.
Alerts:
Mandrake MDKSA-2004:057-1 2004-07-06
Red Hat RHSA-2004:244-01 2004-06-14
Mandrake MDKSA-2004:057 2004-06-07
Gentoo 200406-02 2004-06-04

Comments (none posted)

utempter problems with symlink and strncpy

Package(s): utempter  CVE #(s): CAN-2004-0233
Created: April 19, 2004  Updated: June 11, 2004
Description: Steve Grubb discovered two potential issues in the utempter program:
  1. If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.

  2. Several calls to strncpy are made without manually terminating the resulting string. This would most likely crash utempter.
Alerts:
Whitebox WBSA-2004:174-01 2004-06-10
Red Hat RHSA-2004:174-01 2004-05-26
Fedora-Legacy FLSA:1546 2004-05-18
Gentoo 200405-05 2004-05-13
Red Hat RHSA-2004:175-01 2004-04-30
Mandrake MDKSA-2004:031-1 2004-04-21
Fedora FEDORA-2004-108 2004-04-21
Slackware SSA:2004-110-01 2004-04-19
Mandrake MDKSA-2004:031 2004-04-19

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s): xchat  CVE #(s): CAN-2004-0409
Created: April 19, 2004  Updated: November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s): xine-ui  CVE #(s): CAN-2004-0372
Created: April 6, 2004  Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

Resources

June CRYPTO-GRAM Newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for June is out; it looks at the breaking of Iranian codes, biometric IDs, whether Microsoft should provide security updates for pirated copies of its software, the Witty worm, and more. "Witty represents a new chapter in malware. If it had used common Windows vulnerabilities to spread, it would have been the most damaging worm we have seen yet. Worm writers learn from each other, and we have to assume that other worm writers have seen the disassembled code and will reuse it in future worms. Even worse, Witty's author is still unknown and at large -- and we have to assume that he's going to do this kind of thing again."

Full Story (comments: 2)

FTC's release on "do not spam" list

Here is the U.S. Federal Trade Commission's press release on its decision not to create a national "do not spam" list at this time. "A registry of individual email addresses also suffers from severe security/privacy risks that would likely result in registered addresses receiving more spam because spammers would use such a registry as a directory of valid email addresses. It ultimately would become the National Do Spam List. Furthermore, a registry of domains would have no impact on spam and a third-party forwarding service model could have a devastating impact on the e-mail system." There will be an "email authentication summit" in the (northern hemisphere) Fall to address what the FTC sees as the real problem.

Comments (10 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.7, which was announced by Linus on June 15. Changes since the last release candidate include a fix for the latest denial of service vulnerability (see below), an NTFS update, some more CPU frequency controller work, and lots of fixes. The biggest changes since 2.6.6 include scheduling domains, a big rework of the reverse-mapping VM code, filtered waitqueues, the removal of the InterMezzo filesystem, quota and extended attribute support in reiserfs, a new API for NUMA systems, the removal of IDE tagged command queueing support, and the usual pile of fixes. See the long-format changelog for the details.

Linus's BitKeeper repository contains no patches beyond 2.6.7 as of this writing.

The current tree from Andrew Morton is 2.6.7-rc3-mm2. Recent additions to -mm include ext3 resizing support (see below), a O_NOATIME option to open(), and various fixes.

The current 2.4 prepatch is 2.4.27-pre6, which was released on June 15. It includes the FPU denial of service fix, of course, along with some architecture updates, DVD-RW write support, and a fair number of fixes.

Comments (2 posted)

Kernel development news

Quote of the week

This is all part of what responsible release management is about. I was the junior whiz kid in professional release management teams before starting Namesys. I listened to my elders and learned from them. My standards for professional conduct in this arena are higher than yours as a result of that. You are a bunch of young kids who lack professional experience in release management. That is ok, but don't get aggressive about it.

-- Hans Reiser

Comments (11 posted)

A nasty FPU bug

The problem was initially reported as a gcc bug. If you execute this code:

    static void Handler(int ignore)
    {
        char fpubuf[108];
        __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
        __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
    }

in a signal handler, the system (or, at least, the CPU that was running the code) will freeze up hard. Ways of locking up the system from an unprivileged user-space program are generally considered to be bad news; they also, in general, are not seen as compiler bugs. A bit of digging turned up the real problem, and the latest kernel denial of service vulnerability was found.

In theory, the fsave instruction above saves the floating-point unit (FPU) status into the fpubuf array; the subsequent frstor should simply restore the same state back into the FPU. Unfortunately, the above code is incorrect; the assembly instructions should read "m"(*fpubuf) to actually store the state into the fpubuf array. The code, as written, restores from the wrong address, corrupting the state of the FPU and, in particular, setting some exception flags.

FPU exceptions do not result in immediate kernel traps; instead, the trap happens when the next floating-point command is executed. As it happens, the kernel checks when a signal handler returns and, if that handler has used any floating-point instructions, the kernel performs an fwait instruction to ensure that the last operation is complete. That fwait causes the floating point exception caused by the corrupt restore to be delivered as a kernel trap.

The kernel has a way of dealing with floating point traps; it saves the FPU state and queues up a floating point exception signal for the current process. It also sets the TS ("task switched") processor flag to indicate that the FPU state may be other than expected. At that point, it returns to the place where the exception occurred.

Normally, as part of returning from the trap, the kernel would simply deliver the floating-point exception signal to user space and get on with life. But, in this case, the kernel is returning back to kernel space, and back to the same fwait instruction that caused the problem in the first place. That instruction sees the TS flag and generates another trap. The handler for this trap knows just what to do in response to a TS flag; it restores the saved FPU state and returns. The saved FPU state is, however, the corrupted state which was in effect before the first attempt to execute fwait. So, at this point, the loop is closed and a new floating-point trap will be generated. This will go on for a while.

The fix is relatively straightforward, once the problem is understood. The kernel simply clears any pending exceptions before executing fwait, and the problem goes away. All that is left is the updating and rebooting of large numbers of vulnerable systems.

(Thanks to Sergey Vlasov, whose analysis of the problem made this article much easier to write.)
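As an added illustration (not code from the article or from the kernel), the following user-space program shows the two points of the analysis above on an x86 machine: how to pass the 108-byte fsave area to inline assembly so that the instruction actually addresses the buffer, and that a restored x87 state brings its pending exception flags back with it, which is why clearing them (the fnclex instruction) before an fwait is what makes the wait safe. Only masked exceptions are used, so nothing traps; on a non-x86 build the function simply reports that there is nothing to show.

```c
#include <stdint.h>
#include <stdio.h>

/* Legacy 108-byte x87 save area written by fsave/fnsave (32-bit layout):
 * control word at offset 0, status word at offset 4, tag word at offset 8. */
struct fsave_area { uint8_t bytes[108]; };

#define X87_IE 0x0001   /* invalid-operation flag in the x87 status word */

#if defined(__i386__) || defined(__x86_64__)
/* Passing the 108-byte struct itself as the memory operand makes %0 refer to
 * the buffer (the effect the article's "m"(*fpubuf) has); passing the bare
 * array name can instead yield a temporary that merely holds its address. */
static void fpu_save(struct fsave_area *a)
{
    __asm__ __volatile__("fnsave %0" : "=m"(*a));   /* also re-initialises the FPU */
}

static void fpu_restore(const struct fsave_area *a)
{
    __asm__ __volatile__("frstor %0" : : "m"(*a));
}

static unsigned short fpu_status(void)
{
    unsigned short sw;
    __asm__ __volatile__("fnstsw %0" : "=a"(sw));
    return sw;
}

/* Clear pending x87 exception flags: the step that has to precede an fwait
 * whenever the restored state might carry an exception. */
static void fpu_clear_exceptions(void)
{
    __asm__ __volatile__("fnclex");
}

/* Returns 1 if every step behaves as the analysis predicts, 0 otherwise,
 * and -1 on a build without an x87 unit. */
int fpu_exception_roundtrip(void)
{
    struct fsave_area saved;
    volatile long double zero = 0.0L;       /* long double keeps this on the x87 */
    long double qnan = zero / zero;         /* masked invalid operation: sets IE */
    __asm__ __volatile__("" : : "m"(qnan)); /* order the division before fnstsw */
    unsigned short after_div = fpu_status();

    fpu_save(&saved);                       /* IE flag now recorded at bytes[4] */
    unsigned short after_save = fpu_status();   /* fnsave reset the FPU: IE gone */

    fpu_restore(&saved);                    /* the pending flag comes back */
    unsigned short after_restore = fpu_status();

    fpu_clear_exceptions();                 /* the fix: nothing left pending */
    __asm__ __volatile__("fwait");          /* harmless now */
    unsigned short after_clex = fpu_status();

    return (after_div & X87_IE) && !(after_save & X87_IE)
        && (saved.bytes[4] & X87_IE) && (after_restore & X87_IE)
        && !(after_clex & X87_IE);
}
#else
int fpu_exception_roundtrip(void) { return -1; }   /* no x87: nothing to show */
#endif

int main(void)
{
    int r = fpu_exception_roundtrip();
    printf(r == 1 ? "restored state carried IE; fnclex cleared it before fwait\n"
         : r == 0 ? "unexpected x87 behaviour\n"
                  : "not an x86 machine\n");
    return 0;
}
```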

Comments (9 posted)

Online resizing of ext3 filesystems

One of the patches which slipped into 2.6.7-rc3-mm2 is one by Andreas Dilger and others which makes it possible to resize a running ext3 filesystem on the fly. This patch has been shipped with Fedora kernels for a little while, but has not seen a lot of wider use. That could change, of course, if the resize patch finds its way into the mainline.

The resize patch is conceptually quite simple. It simply adds one or more block groups which make use of extra space which, one hopes, is sitting there idle at the end of the existing filesystem. Once the block groups are hooked into the filesystem data structures, a simple ioctl() call or remount will make the space available. Behind this apparent simplicity, of course, is a significant amount of code which makes the resize operation happen on a modern, complex filesystem in a robust manner.

People wanting to try out resizing will need a few things:

  • A kernel (such as 2.6.7-rc3-mm2) with the online resize patch included.

  • A patch to e2fsprogs to make use of the resize capability; it is available from the ext2resize SourceForge download area.

  • Free disk space into which the filesystem can expand. Usually this means that the filesystem should live in a device mapper partition which can be expanded as well.

  • A very good backup of your filesystem.

This patch and its associated documentation (or lack thereof) still require some work before being ready for widespread deployment. Once they get there, however, life should get easier for system administrators who, throughout history, have routinely found out that all that "extra space" they figured into their filesystems is never enough.

Comments (2 posted)

On the alignment of IP packets

Device drivers for network interfaces must allocate a "socket buffer" ("skb") for each incoming packet. A standard idiom in the skb allocation code is a line like this:

    skb_reserve(skb, 2);

This call tells the socket buffer code to set aside the first two bytes of the data buffer. The reason why this is done can be seen by looking at the resulting layout of an IP packet in the buffer:

[Packet header layout]

The network stack makes frequent use of the IP addresses stored in the packet. By padding the beginning of an ethernet-style packet by two bytes, a network driver can cause those addresses to be aligned on a four-byte boundary. On some architectures, at least, that alignment will speed access to the addresses and make the networking system faster.

Or so it might seem. As Anton Blanchard recently figured out, this padding is not always helpful. A number of modern architectures (Anton works with PPC64, but Intel-style architectures qualify too) have no real problem with unaligned memory accesses, so the two-byte offset on IP packets does not necessarily help things. Unfortunately, the DMA engines in a number of systems do have trouble working with unaligned addresses. A padded packet buffer does not start on an aligned address, with the result that DMA operations to that buffer can be slower than they should be. As network adapters get faster, the DMA performance penalty becomes increasingly significant.

Anton's proposal was to change the skb_reserve() calls into calls to a new skb_align() function, which could, depending on the architecture, decide whether to insert the padding or not. David Miller pointed out, however, that the magic constant "2" appears in quite a few places, and simply removing the padding could create bugs elsewhere in the driver code.

The real solution is likely to be the addition of a defined constant called something like NET_IP_ALIGN; this constant would be the amount of padding needed for packet alignment on the current architecture. Yes, things probably should have been done that way from the beginning, but life is like that. In any case, once the constant is in, each individual driver can be looked over and fixed up as need be. And one small obstacle to top performance on high-end network adapters will have been removed.
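As an added example (not code from the article or from the kernel), the program below models the receive-buffer layout behind skb_reserve(skb, 2) and the trade-off the article describes: two bytes of padding put the IP addresses on a four-byte boundary but move the DMA target off one. It uses a constant named NET_IP_ALIGN as the article suggests; the per-architecture values it picks are assumptions for illustration, not the kernel's.

```c
/* Added example (not from the article or the kernel): models the buffer layout
 * behind skb_reserve(skb, 2) and the trade-off the article describes, using a
 * constant named NET_IP_ALIGN as the article suggests. The per-architecture
 * values chosen here are assumptions for illustration, not the kernel's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14   /* destination MAC (6) + source MAC (6) + ethertype (2) */

/* IPv4 header as laid out on the wire; packed so the compiler adds no padding */
struct ipv4_hdr {
    uint8_t  version_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;   /* byte 12 of the IP header */
    uint32_t daddr;   /* byte 16 of the IP header */
} __attribute__((packed));

/* Assumed per-architecture choice: 0 where the DMA engine's alignment matters
 * more than CPU access to the addresses, 2 elsewhere (the classic padding). */
#if defined(__powerpc64__) || defined(__x86_64__) || defined(__i386__)
#define NET_IP_ALIGN 0
#else
#define NET_IP_ALIGN 2
#endif

struct rx_layout {
    size_t reserve;        /* bytes set aside by skb_reserve() */
    size_t dma_start;      /* offset where the adapter starts writing the frame */
    size_t saddr_off;      /* offset of the IP source address in the buffer */
    size_t daddr_off;      /* offset of the IP destination address */
    int    addrs_aligned;  /* both addresses on a 4-byte boundary? */
    int    dma_aligned;    /* DMA target on a 4-byte boundary? */
};

/* Describe where things land in a 4-byte-aligned receive buffer when the
 * driver reserves `reserve` bytes ahead of the ethernet frame. */
static struct rx_layout describe_rx_buffer(size_t reserve)
{
    struct rx_layout l;

    l.reserve   = reserve;
    l.dma_start = reserve;   /* the frame, and so the DMA write, begins here */
    l.saddr_off = reserve + ETH_HLEN + offsetof(struct ipv4_hdr, saddr);
    l.daddr_off = reserve + ETH_HLEN + offsetof(struct ipv4_hdr, daddr);
    l.addrs_aligned = (l.saddr_off % 4 == 0) && (l.daddr_off % 4 == 0);
    l.dma_aligned   = (l.dma_start % 4 == 0);
    return l;
}

static void print_layout(const struct rx_layout *l)
{
    printf("reserve %zu: DMA starts at %zu (%s), saddr at %zu, daddr at %zu (%s)\n",
           l->reserve, l->dma_start, l->dma_aligned ? "aligned" : "unaligned",
           l->saddr_off, l->daddr_off,
           l->addrs_aligned ? "aligned" : "unaligned");
}

int main(void)
{
    struct rx_layout padded   = describe_rx_buffer(2);            /* skb_reserve(skb, 2) */
    struct rx_layout unpadded = describe_rx_buffer(0);            /* no padding at all */
    struct rx_layout arch     = describe_rx_buffer(NET_IP_ALIGN); /* per-arch constant */

    print_layout(&padded);
    print_layout(&unpadded);
    printf("NET_IP_ALIGN on this build is %d:\n", NET_IP_ALIGN);
    print_layout(&arch);
    return 0;
}
```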

Comments (4 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Kernel building

  • Sam Ravnborg: kbuild. (June 15, 2004)

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

LILO vs. GRUB

June 16, 2004

This article was contributed by Ladislav Bodnar

Up until a few years ago there was no arguing about a Linux distribution's bootloader. With LILO (LInux LOader) as the dominant software for this purpose, many seasoned Linux system administrators had mastered the art of creating a lilo.conf file out of thin air, without having to look through any LILO documentation. Unfortunately for them, the release notes of Red Hat 7.2, released in October 2001, informed us that "we now use GRUB as the default bootloader."

Back in those days, only Caldera OpenLinux was supplying GNU's GRUB (GRand Unified Bootloader) as its preferred bootloader, but this sudden push by Red Hat was about to give GRUB a major boost. Indeed, many distributions soon followed Red Hat's example and started providing GRUB as an option, although few of them displaced LILO altogether. Then in March 2003, the just-released Red Hat Linux 9 re-emphasized Red Hat's commitment to GRUB by placing LILO on a list of deprecated packages that may be removed from a future Red Hat release. Although this has yet to happen, the fact is that Red Hat (as well as Fedora) has not updated its LILO version since August 2000.

Does this mean that LILO is dead? Well, not quite. Firstly, LILO has been around for so many years (I was unable to find out exactly how many, but LILO version 15 was released in October 1994) that it is firmly entrenched in many a sysadmin's arsenal of tools. Secondly, GRUB is still considered alpha software - even its most recent release, version 0.95, is only available from alpha.gnu.org, rather than from GNU's stable directory. As for the Linux distributions, most of the major ones seem to be slowly moving towards GRUB as their preferred bootloader, although this has not happened across the board. While SUSE's installation program does default to GRUB, Mandrake's still defaults to LILO. The Debian installer that came with Woody did not provide GRUB at all, but the recent Sarge beta installers now use GRUB by default. Gentoo used to demonstrate a clear preference for GRUB, but its most recent installation documentation gives equal exposure to both bootloaders. This leaves Slackware as the only major distribution that does not provide GRUB, but this is hardly surprising given its target market and its reputation for staying with well-established UNIX/Linux tools.

The LILO versus GRUB argument is one of those never-ending and passionate discussions that resurface from time to time on various public forums, not too different from the notorious vi vs. emacs or KDE vs. GNOME verbal battles. Although we all know that these debates are pointless and that the choice of software is a simple matter of personal taste, few of us are able to control the urge to reply as soon as we read a derogatory comment ridiculing our preferred piece of software.

So what exactly makes GRUB better than LILO? Here is a list of some of GRUB's frequently cited advantages:

  • GRUB has a more powerful, interactive command line interface. LILO, on the other hand, only allows one command with arguments.

  • LILO stores information about the location of the kernel or other operating system on the Master Boot Record (MBR). Every time a new operating system or kernel is added to the system, the Stage 1 LILO bootloader has to be manually overwritten, otherwise there is no way to boot the new OS or kernel. This method is more risky than the method used by GRUB because a mis-configured LILO configuration file may leave the system unbootable (a popular way to fix this problem is to boot from Knoppix or another live CD, chroot into the partition with mis-configured lilo.conf and correct the problem). On the other hand, correcting a mis-configured GRUB is comparatively simple as GRUB will default to its command line interface where the user can boot the system manually. This flexibility is probably the main reason why many users nowadays prefer GRUB over LILO.

  • Unlike LILO, GRUB has a web site. It also has a manual, FAQ, a bug tracker, a developer mailing list and a logo. LILO has none of those.

Here is a short list of some advantages of LILO over GRUB:

  • With more than a decade of development behind it, LILO is one of the most widely-used, well-tested and dependable Linux applications ever written. Most experienced system administrators are well-versed in configuring LILO and skilled enough to deal with any emergency situation.

  • The Red Hat Linux Reference Guide claims that GRUB may have difficulties booting certain hardware. It does not provide any further details, though.

  • GRUB is, according to its developers, alpha-quality software. Use at your own risk.

Finally, a mind-opening quote by one of the GRUB developers, Gordon Matzigkeit, as published in O'Reilly's Essential System Administration:

Some people like to acknowledge both the operating system and kernel when they talk about their computers, so they might say they use 'GNU/Linux' or 'GNU/Hurd'. Other people seem to think that the kernel is the most important part of the system, so they like to call their GNU operating systems 'Linux systems'. I, personally, believe that [both are] a grave injustice, because the boot loader is the most important software of all. I used to refer to the above systems as either 'LILO' or 'GRUB' systems. Unfortunately, nobody ever understood what I was talking about; now I just use the word 'GNU' as a pseudonym for GRUB. So, if you ever hear people talking about their alleged 'GNU' systems, remember that they are actually paying homage to the best boot loader around: GRUB!

Some distributors - and their users - may continue to disagree for some time, however.

Comments (24 posted)

Distribution News

Debian x86_64 port ready

A message has gone out stating that the Debian x86_64 port is complete (modulo a tiny number of outstanding bugs) and ready for incorporation into the unstable distribution. Congratulations are due to the porting team, which has worked a long time for this moment.

Full Story (comments: 27)

Debian Weekly News

The June 15 issue of the Debian Weekly News is out; topics this week include the AMD64 port, Firefox 0.9 packaging, kernel maintenance, and more.

Full Story (comments: none)

Fedora News Updates #13

Issue #13 of the Fedora News Updates is available. This issue looks at the "Wombat" release, the perfect yum.conf file, the Basilisk live CD, and more.

Comments (none posted)

Fedora Core

Fedora Core updates:
  • FC1 - samba 3.0.4-1.FC1: has been tested, no complaints.
  • FC1 - gaim .78-1.FC1: upstream upgrade plus CVS fix backports.
  • FC2 - gaim 0.78-1.FC2: upstream upgrade plus CVS fix backports.

Comments (none posted)

Gentoo Weekly Newsletter

The latest Gentoo Weekly Newsletter is out; it claims to be for May 31, but it's different from the other May 31 GWN. The main topic this week is the completion of the not-for-profit paperwork; there is also a discussion of how to get involved in the Gentoo project.

Full Story (comments: none)

Updated mdkonline packages

Mandrakelinux has issued a security update for Mdkonline. "Mdkonline as shipped in 10.0 has some issues comparing squid release versions. This package is a mandatory upgrade to get fully functional Mandrake Online services."

Full Story (comments: none)

The first Slackware 10.0 release candidate

The current Slackware changelog entry for June 15 notes that release candidate 1 for Slackware 10.0 is out.

Comments (none posted)

End of support for SUSE 8.0

SUSE has sent out a notice that, as of June 30, no more updates will be produced for version 8.0 of the SUSE Linux distribution. Versions 8.1 and newer will continue to be supported.

Full Story (comments: 4)

Announcements from Xandros

Xandros has announced the availability of premium memberships to the Xandros Networks single-click update service and community store.

Xandros and Opera Software have announced that the new Open Circulation Edition of the Xandros Desktop operating system (OS) will be the first Linux desktop distribution to offer Opera as the default browser.

Comments (none posted)

New Distributions

The APODIO bootable CD

APODIO is a new bootable CD audio workstation. "APODIO is a live bootable cd, containing major audio tools (under Gnu/Linux) and a whole operating system (based on Mandrake 9.2) working from boot, without the need to install or change anything on the hard disk. You can try it out very easily and if you like it you can simply install it directly on your hard disk and run it locally. And if you wish, you can make your own apodio version."

Comments (none posted)

Minor distribution updates

BLAG10000 Released

BLAG Linux and GNU 10000 has been released. This single-disk distribution (now based on Fedora Core 1) contains a number of interesting packages, especially for audio enthusiasts and system administrators. Click below for the details.

Full Story (comments: none)

KNOPPIX 3.5 "maxi edition" at LinuxTag

As seen on knoppix.com: KNOPPIX 3.5 will be an extra-large version of the distribution, containing over 5GB of software. It will not fit on a CD; instead, this will be a DVD-based version. It will only be available at the upcoming LinuxTag conference, though one presumes it may escape onto the net afterward.

Comments (2 posted)

New Quantian release 0.5.9.1 available

Quantian release 0.5.9.1 is available. "Quantian is a remastering of Knoppix, the self-configuring and directly bootable cdrom that turns any pc or laptop into a full-featured Linux workstation, and clusterKnoppix, which adds support for openMosix. However, Quantian differs from (cluster)Knoppix by adding a large set of programs of interest to applied or theoretical workers in quantitative or data-driven fields." This version is now based on Knoppix 3.4 and features numerous changes.

Full Story (comments: none)

Page editor: Forrest Cook

Development

Changes in the upcoming Python 2.4 Release

The first alpha release of Python version 2.4 is scheduled for release during July, 2004, according to the Python 2.4 Release Schedule. After several alpha releases and one beta release, the plan is to have Python 2.4 ready to go around September, 2004. A Python 2.4a1 pre-announcement has been sent out:

The purpose of this notice is to give people a heads up - if you have a bug that you want to see fixed for 2.4, start looking at it now. Fixes are welcome through the release cycle, although after the first beta fixes that result in a change to behaviour will be much less likely to be accepted.

A.M. Kuchling's What's New in Python 2.4 document details some of the changes that will occur in the language. There are a number of new Python Enhancement Proposals (PEPs) that go with this release. Here are some of the changes:

PEP 218: Built-In Set Objects

Two new built-in types, set(iterable) and frozenset(iterable) provide high speed data types for membership testing, for eliminating duplicates from sequences, and for mathematical operations like unions, intersections, differences, and symmetric differences.

PEP 229: Generator Expressions

Now, simple generators can be coded succinctly as expressions using a syntax like list comprehensions but with parentheses instead of brackets. These expressions are designed for situations where the generator is used right away by an enclosing function. Generator expressions are more compact but less versatile than full generator definitions and they tend to be more memory friendly than equivalent list comprehensions.

PEP 322: Reverse Iteration

A new built-in function, reversed(seq), takes a sequence and returns an iterator that returns the elements of the sequence in reverse order.

PEP 237: Unifying Long Integers and Integers is not yet finished; the title is self-explanatory.

The Other Language Changes section mentions modifications to these functions: dict.update(), ljust(), rjust(), center(), sort(), zip(), and itertools.izip(). Also, there will be a new string rsplit() method and a new sorted(iterable) built-in function. A number of optimizations for list and tuple operations are also mentioned.

The New, Improved, and Deprecated Modules section details changes to the Python standard library. Here are some of the changes:

  • Transparency support has been added to the curses module, the bisect module has improved performance, there are now improved Asian encodings, and a new collections module for various specialized collection data types has been added.

  • The ConfigParser and heapq modules have had performance improvements. The imaplib module has support for the IMAP THREAD command. The itertools module gained several new functions.

  • The POSIX module has a new getsid() function, the operator module gained two new functions, and the random module can now generate arbitrarily large random numbers.

  • The re (regular expression) module has new conditional expression support, and the weakref module has expanded capabilities.

Finally, the cookielib library now supports client-side cookie handling.

The Porting to Python 2.4 section mentions some issues that developers may want to look at when porting code to Python 2.4.

Writing and testing all of that code should keep the Python developers busy for a while.

Comments (none posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include the announcement for the first Fedora Core 2 version of Planet CCRMA, and new versions of Specimen, Cinepaint, OpenEXR, Gtkmm2, Ceres3, Faad2, Hyperspec, Cmt, and Pmidi.

Comments (none posted)

Database Software

Berkeley DB Java Edition

Sleepycat has announced a new, Java-oriented version of its Berkeley DB offering. "Berkeley DB Java Edition features full ACID transactions and recovery for high reliability, record-level locking for high concurrency, schema neutrality for data storage in its native format, and zero administration for low cost of ownership. Berkeley DB Java Edition offers the same storage services as the popular Berkeley DB engine, but the new product was completely redesigned in Java to take advantage of Java's portability and services such as deeply integrated threading and NIO." The usual dual licensing applies.

Full Story (comments: 1)

Glom 0.8.1 announced

Version 0.8.1 of Glom, a database table designer GUI, is out. This release features locale handling improvements, menu restructuring, improved internationalization, and more.

Full Story (comments: none)

knoda 0.7-test3 released

Version 0.7-test3 of knoda, a database-frontend for MySQL, PostgreSQL and ODBC, is out. "Knoda has a completely new GUI now, which is much more KDE like".

Full Story (comments: none)

phpMyAdmin 2.5.7 is released (SourceForge)

Version 2.5.7 of phpMyAdmin is out. "The main reason of this release is to add support for MySQL 4.1.2 in a stable version. It includes also some bug fixes. phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web."

Comments (none posted)

PostgreSQL 7.4.3 Now Available

Version 7.4.3 of the PostgreSQL database is available. "After several fixes were backpatched to the 7_4_STABLE branch, we have now released a 7.4.3. As the list of Changes since 7.4.2 is quite small, they are included in this email".

Full Story (comments: none)

PostgreSQL Weekly News

The June 15, 2004 edition of the PostgreSQL Weekly News is available. "Well the big news for the week was the release of PostgreSQL 7.4.3 today."

Also, see this correction concerning the article on PostgreSQL 7.4.3.

Full Story (comments: none)

Libraries

Botan 1.3.14 is out

Version 1.3.14 of Botan, a library of cryptographic algorithms, has been released. "This is the first release candidate for 1.4.0. Please report any bugs or problems as soon as possible. The new AEP engine is available, along with many portability fixes, minor optimizations, and so on."

Comments (none posted)

Mail Software

Bogofilter 0.91.2 released

Version 0.91.2 of Bogofilter, an email spam filter, is out with bug fixes.

Full Story (comments: none)

Milter.org news

The milter.org site has moved to a new server and features a new look. New mail filter software includes milter-spamc/0.19, milter-gris/0.3, milter-bcc/0.1 and milter-sender/0.56.

Comments (none posted)

The Evolution of Perl Email Handling (O'Reilly)

Simon Cozens covers Perl email handling issues on O'Reilly. "There are many modules on the CPAN for slicing and dicing email, and we're going to take a whistlestop tour of the major ones. We'll also concentrate on an effort started by myself, Richard Clamp, Simon Wistow, and others, called the Perl Email Project, to produce simple, efficient and accurate mail handling modules."

Comments (none posted)

Web Site Development

ht://Dig version 3.2.0b6 released

Version 3.2.0b6 of ht://Dig, a web site search engine, is out. "It fixes several bugs from 3.2.0b5, and runs somewhat faster, although still much slower than 3.1.6 (no significant speed improvements are expected in the near future, although we are working on it). Calling this release a "beta" simply means that exhaustive testing, especially on non-Linux platforms, is not yet complete. However, we consider it stable enough for most production use."

Full Story (comments: none)

Tiki 1.8.3 -Polaris- released (SourceForge)

Version 1.8.3 of Tiki, a CMS/Groupware package, has been announced. The change summary says: "This release further stabilizes the Polaris 1.8.x. Many bugs fixed, a few features & plugins added."

Comments (none posted)

Yaws 1.48 released

Version 1.48 of Yaws, an Erlang-based web server and applications server, is out. "This release contains both bugfixes as well as some minor new features. There was also a fairly ugly security hole in the example code which describes file uploads found and fixed".

Full Story (comments: none)

ZopeMag Weekly News

The June 10, 2004 edition of the ZopeMag Weekly News is online with more Zope and Plone articles.

Comments (none posted)

Miscellaneous

WASTE v1.5 beta 1 released (SourceForge)

Version 1.5 beta 1 of WASTE is out. "WASTE is a software product and protocol that enables secure distributed communication for small (on the order of 10-50 nodes) trusted groups of users."

"WASTE reaches a new milestone with the new v1.5 beta 1 released today. It both marks WASTE's re-entry into beta, as well as starts the new line of v1.5."

Comments (none posted)

Desktop Applications

Accessibility

GOK 0.11.4 is here!

Version 0.11.4 of GOK, the GNOME Onscreen Keyboards Suite, is out with bug fixes and new user override features.

Full Story (comments: none)

CAD

Fifteenth release of PythonCAD now available

Release fifteen of PythonCAD is available. "This release includes several more undo/redo improvements. The addition and removal of points on a polyline can now be undone or redone, and assorted other editing operations have improved undo/redo handling as well. A variety of bug fixes have also been added in this release."

Full Story (comments: none)

Desktop Environments

GNOME Development Release 2.7.2

Development Release 2.7.2 of the GNOME desktop environment is available. "We're doing something a bit different with this release - finally splitting up the Desktop, Platform and Bindings suites, and releasing them all in one hit. Enjoy!"

Full Story (comments: none)

GNOME System schedule configurator 0.0.1 announced

Initial version 0.0.1 of the GNOME System schedule configurator is out. "System-config-schedule is a GUI for configuring a user's crontab. It was made for Vixie cron, which comes with Fedora Linux, but should work with other cron servers as well if the format of the config file is similar."

Full Story (comments: none)

gnome-bluetooth 0.5 and libbtctl 0.4 released

New releases of gnome-bluetooth 0.5 and libbtctl 0.4 have been announced. "gnome-bluetooth is a suite of tools for managing Bluetooth devices and sending/receiving data under the GNOME desktop. libbtctl is a GObject-based library for the Bluetooth and OBEX operations on Linux. It comes with Python and Mono language bindings."

Full Story (comments: none)

GNOME CPU Frequency Scaling Monitor 0.2 is out

Version 0.2 of the GNOME CPU Frequency Scaling Monitor is available. Changes include new display modes, a GTK+ 2.4 port, and more.

Full Story (comments: none)

GDM 2.6.0.3 (stable) released

Stable version 2.6.0.3 of GDM, the GNOME Display Manager, is out. "I have uncovered the evil incarnate that hides in the deepest parts of the GDM code. Yes. The evil so horrible, we may have to go to war with some country (to be picked by a reality tv show). An evil so disgusting, so vile, that it is worse than Stalin, Saddam, Ivan the Terrible and Britney Spears combined. Yes, I am talking about the antichrist, the anti-<insert your favourite prophet name>, the cause of all that is bad (such as industrial pollution and cheese that was left on the sone just a bit too long). I am talking about blinking cursors on the login screen."

Full Story (comments: none)

KDE 3.2.3 released

KDE 3.2.3 is out; see the announcement for details. This is a maintenance release, concentrating on bug fixes and improvements to translations.

Comments (none posted)

KDE-CVS-Digest (KDE.News)

The June 11, 2004 KDE-CVS-Digest is available. Here's the content summary: "More Enriconian optimizations to Konqueror. Qt only KJSEmbed made easier. Kolourpaint adds zoom. Kitchensync adds ability to sync calendar resources. KOrganizer adds a journal editor. Digikam adds image editor plugins. KOffice continues work on OASIS file format save and load. amaroK adds streaming support using GStreamer. KDevelop adds win32 Qt templates."

Comments (none posted)

Planet KDE Discovered (KDE.News)

KDE.News looks at the new Planet KDE site. "Planet KDE is an aggregation of public weblogs written by contributors to the K Desktop Environment. The opinions expressed in these weblogs and hence this aggregation are those of the original authors."

Comments (none posted)

Electronics

gEDA News

The latest releases from the gEDA project include new versions of the Icarus Verilog electronic simulation language compiler and PCB, the printed circuit CAD program.

Comments (none posted)

Games

Mapacman .02 released

Version .02 of Mapacman, a multi-player game in the style of Pac-Man, is available on the Pygame site.

Comments (none posted)

Alpha PCGen 5.7.2 is Available (SourceForge)

Alpha version 5.7.2 of the PCGen character generator for role-playing games is available. "Normally we list all the fixed items since the previous release, but it's been a while since our last release. Many of the trackers that were closed were related to the 5.6.1 release and separating out the trackers is a bit tricky if not impossible. The GMGen area (available only under the full download) has received a *lot* of attention - check it out and let us know what you think!"

Comments (none posted)

GUI Packages

FLU 2.11 is out

Version 2.11 of FLU, the FLTK Utility Widgets, has been announced. Changes include a new Flu_Dual_Slider widget, and improvements and bug fixes to other components.

Comments (none posted)

GTK+-2.4.3 released

Version 2.4.3 of GTK+ has been released. "This is a bug fix release and is source and binary compatible with 2.4.0. The main reason for this quick followup release is a problem with the button size allocation logic in 2.4.2, which showed up in the Gimp. A number of other bugfixes have been included as well."

Full Story (comments: none)

Gtk2-Perl 2.6.2 announced

Stable version 2.6.2 of Gtk2-Perl, the Perl bindings to GTK+, has been announced. Changes include improved portability, better documentation, bug fixes, and more.

Full Story (comments: none)

gob2 2.0.8 released

Version 2.0.8 of gob2, a GTK+ object generator, is out. Changes include better documentation, a new --output-dir switch, and bug fixes.

Full Story (comments: none)

The Python GUI API Project

The PyGUI project is developing a cross-platform GUI API for Python. Version 1.3 of PyGUI was just released. "This version includes two implementations, one for MacOS X built on Carbon, and one for X11 built on Gtk. Python 2.3 or later is required. The MacOS X version should work on a standard installation of MacPython. The X11 version requires PyGtk-2.2.0 or later, plus the Gtk library itself (Gtk+-2.2 or later)"

Comments (none posted)

Interoperability

Wine Traffic

The June 11, 2004 edition of Wine Traffic has been published. Take a look for the latest WINdows Emulator news.

Comments (1 posted)

Mail Clients

Mozilla Thunderbird 0.7 released

The Mozilla Foundation has announced the release of Thunderbird 0.7. New features include improved IMAP support, and new extension and theme managers.

Comments (1 posted)

Medical Applications

Tkfp 56 released (SourceForge)

Version 56 of Tkfp, a Family Practice management system, has been announced. Here is a project summary: "For Family Physicians, Pediatricians, Internists or Primary Care. Used in a 4 doctor group for 5 years. Network enabled. Tk GUI and web browser based interfaces. HCFA1500 claim form." The latest release adds support for connecting Tkfp clients to a Tkfp database server.

Comments (none posted)

Music Applications

MusE 0.7pre3 released

Version 0.7pre3 of MusE, a MIDI/Audio sequencer, has been released. Changes include new shortcuts, a new logo and icons, lots of bug fixes, and more.

Comments (none posted)

Office Applications

GENIUS 0.6.1 released

Version 0.6.1 of Genius, a GNOME calculator, has been released and features a long list of improvements.

Full Story (comments: none)

Office Suites

Native postgresql driver for OpenOffice.org

Version 0.6.0 of the native postgresql driver for OpenOffice.org has been announced. "The current version 0.6.0 contains some major improvements compared to 0.5.0, but it can still be considered to be in an alpha state. About 80 % of the features a professional driver should have are implemented now. Beside the missing features, there are some known bugs. The main purpose of this version is to collect input from the community in an early development stage."

Full Story (comments: none)

PDA Software

Evolusync 1.1 released (SourceForge)

Version 1.1 of Evolusync, an application that can synchronize an Evolution address book with IR and Bluetooth-based mobile devices, is available. "New features include BlueTooth support, OBEX or GSM mobile device phonebook compatibility, and more."

Comments (none posted)

Guikachu 1.5.0 released

Version 1.5.0 of Guikachu, the GNOME Resource editor for PalmOS projects, is out. "This is a GNOME 2 port of Guikachu 1.4, no new features are implemented yet."

Full Story (comments: none)

Peer to Peer

Gnomoradio 0.13 announced

Version 0.13 of the Gnomoradio peer to peer music playing system is out. "Version 0.13 fixes many things involving the downloading and caching of music. A download status indicator, advanced search criteria, and other interface improvements were added."

Full Story (comments: none)

Web Browsers

Epiphany 1.2.6

Version 1.2.6 of Epiphany, the GNOME browser, is out with support for Mozilla 1.7 and lots of bug fixes.

Full Story (comments: none)

Epiphany Extensions 0.9.1

Beta version 0.9.1 of the Epiphany Extensions are available. This release adds support for Mozilla 1.7.

Full Story (comments: none)

Mozilla Firefox 0.9 released

It's official: Firefox 0.9 is now available. "Faster, more secure, easier to use and sporting a new look, this latest Firefox release sets a new standard for web browser innovation."

There is also a Thunderbird 0.7 release candidate available for testing.

Comments (31 posted)

Independent Status Reports (MozillaZine)

The Mozilla Independent Status Reports for June 14, 2004 are online. "The latest set of status reports includes updates from Checky, MozillaBook, Mozilla Archive Format, Enigmail, MozManual, the Mozilla-Delphi Project, wmlbrowser and Firefox Help."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The June 7, 2004 mozilla.org staff meeting minutes are available. "Issues discussed include Mozilla 1.7 final, Mozilla Firefox 0.9, Mozilla Thunderbird 0.7, CVS over SSH, MPL translations and merchandise status."

Comments (none posted)

Miscellaneous

Alexandria 0.2.0 released

Version 0.2.0 of Alexandria, a book collection management application for GNOME, is out with lots of new features and bug fixes.

Full Story (comments: none)

GNOME Network Tool 0.99.1

Version 0.99.1 of the GNOME Network Tool, a GUI wrapper for ping, whois, traceroute, etc., is out. "Version 0.99.1 is feature complete, and will be released as 1.0 after some testing period."

Full Story (comments: none)

Languages and Tools

C++

C++ const Correctness (Linux Journal)

Dave Berton looks at C++ const and related topics on Linux Journal. "Even though this article is titled "C++ const Correctness", we're not going to talk about const yet. Instead, we're going to start by talking about functions and their parameters."

Comments (none posted)

Java

JOFFAD 2.0 released! (SourceForge)

Version 2.0 of JOFFAD has been released. JOFFAD is a blank J2EE project for JOnAS that integrates a simple project structure, a generic Ant script, and open source tools like XDoclet or Struts.

Comments (none posted)

Quartz 1.4.0 released (SourceForge)

Version 1.4.0 of Quartz, a J2EE Application Job Server, is out. "This release contains feature enhancements, performance improvements, and bug fixes. There are a few backward compatibility issues that you should pay attention to, which are listed in the change-list."

Comments (none posted)

Replacing reflection with code generation (IBM developerWorks)

Dennis Sosnoski compares Java reflection to code generation on IBM's developerWorks. "Dennis Sosnoski wraps up his Java programming dynamics series by demonstrating how you can use runtime classworking to replace reflection code with generated code that runs at full speed ahead."

Comments (none posted)

JSP

Improving JSF by Dumping JSP (O'ReillyNet)

Hans Bergsten looks at issues with JavaServer Faces (JSF) 1.0 on O'Reilly. "In this article, I focus on one specific area of the JSF specification that I feel is riddled with problems: namely, the use of JavaServer Pages (JSP) for creating JSF views. I also discuss alternatives to JSP that you can develop today and that I hope will make it into a future version of the specification."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The June 7-13, 2004 edition of This Week on perl5-porters is available. "This week, a small summary is better than no summary at all."

Comments (none posted)

This Week on Perl 6 (O'Reilly)

The June 6, 2004 edition of This Week on Perl 6 is out. Take a look for the latest Perl 6 issues.

Comments (none posted)

Cultured Perl: Managing Linux configuration files (IBM developerWorks)

Teodor Zlatanov uses Perl and CVS to manage system configuration files on IBM's developerWorks. "The average developer spends more time navigating, learning, and debugging configuration files than you'd expect. But you can save that time -- and loads of energy and frustration -- with one of the tools you probably use every day: your CVS tree. Take these tips on backing up, distributing, and making portable your peskiest Linux (and UNIX) config files."

Comments (none posted)

PHP

Bif 3 0.3.11 released

Version 0.3.11 of Bif 3 is available. "Build it Fast (BIF) is a PHP Framework. It contains several classes that help you develop complex Web applications in a short amount of time. It brings the concept of the 'widget' to Web development. It features Cascade Skins and transparent session management."

Comments (none posted)

PHP Weekly Summary for June 9, 2004

The PHP Weekly Summary for June 9, 2004 is out. Topics include: Error handling changes to both PHP versions, preparations for RC3.

Comments (none posted)

PHP Weekly Summary for June 10, 2004

The PHP Weekly Summary for June 10, 2004 is out. Topics include: 4.3.7 released, 5 RC 3 still in preparation.

Comments (none posted)

PHP Weekly Summary for June 14, 2004

The PHP Weekly Summary for June 14, 2004 is out. Topics include: PHP 5 RC3 released; DIO support for win32; memory leak fixed in tidy; old build systems never die.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The June 14, 2004 edition of Dr. Dobb's Python-URL! is available with the latest Python article links.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The June 15, 2004 edition of Dr. Dobb's Tcl-URL! is out with the latest Tcl/Tk article links.

Full Story (comments: none)

XML

Describe open source projects with XML, Part 3 (IBM developerWorks)

Edd Dumbill continues his IBM developerWorks series with part three of describe open source projects with XML. "In this installment of XML Watch, Edd Dumbill continues the development of a vocabulary for describing open source software projects, presenting a schema for the new vocabulary and example project descriptions."

Comments (none posted)

Improve XML transport performance, Part 2 (IBM developerWorks)

Dennis M. Sosnoski has written part two of his IBM developerWorks series on improving XML transport performance. "Dennis Sosnoski presents actual size and processing overhead comparisons for text, gzip, and XBIS representations of a range of XML documents. He concludes with a look at the growing movement toward standardization of non-text representations for XML."

Comments (none posted)

IDEs

Java Development on Eclipse, Part 1 (O'ReillyNet)

O'Reilly has published part one of a two part book excerpt series by Steve Holzner. "Steve Holzner contends that Eclipse makes it easier to create Java code from scratch. In this excerpt from Chapter 2 of his book, Eclipse, Steve shows how Eclipse makes it easy to create new methods, classes, and packages, as well as how to build and run the code."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Linux in Government: Federal Contracts, a New Era of Competition (Linux Journal)

Linux Journal covers the release of GPL code by the US government. "Earlier this year, a major open-source event came and went without much community notice and with little media attention. A Cabinet-level federal agency released a software product under the GPL, making it the first tool of its kind to be licensed by the US government free of charge to public and private sector organizations."

Comments (5 posted)

Microsoft Loses Munich Contract to Linux (Bloomberg)

Bloomberg reports that, as expected, the city of Munich has voted to press forward with its program to convert to Linux. "The city's council voted in a closed-door meeting 50-29 in favor of a detailed plan to switch to Linux from Windows. Munich, which has spent more than a year studying how to make the move, will accept bids within a few months from Linux vendors. Companies such as International Business Machines Corp. and Novell Inc. are expected to fight for orders."

Comments (4 posted)

The SCO Problem

SCO Keeps Sinking (Motley Fool)

This Motley Fool article (via Yahoo) is a good example of the kind of press SCO is getting now. "President and CEO Darl McBride paid more lip service to 'increasing shareholder value,' but you really have to wonder about the viability of his vision when his firm's most engrossing initiative brings in less money than the guys who mow lawns in my neighborhood. By the way, McBride was paid more than $1 million last year -- most of it in cash -- to preside over this impending disaster."

Comments (13 posted)

AutoZone's Reply Memoranda (Groklaw)

Groklaw has AutoZone's latest filing in its SCO case. It's a memo supporting its motions to stay or move the case to Tennessee; some lawyers had a great time shredding SCO's legal arguments. "If SCO was genuinely concerned about irreparable harm associated with the continued distribution and use of Linux, common sense suggests that SCO would be seeking to move the Red Hat case forward as quickly as possible -- rather than pursuing a single end user."

Comments (7 posted)

Companies

Microsoft delivers 'the Facts' about Linux (The Register)

The Register reports on a new Microsoft seminar series in the UK that is aimed at convincing customers that Linux isn't exactly free. "According to Nick McGrath, head of platform strategy at Microsoft UK, independent and funded research shows that Windows 2003 is less expensive than Red Hat or SuSE in some examples. He attacked the "myth" that Linux was free. Linux has strengths, McGrath said (without saying what they might be -spoil sport) before arguing that "Windows offers a more comprehensive environment"."

Comments (16 posted)

In surprise move, Red Hat CFO resigns (News.com)

News.com reports that Red Hat's chief financial officer has quit. "Brooks Gray of Technology Business Research was similarly apprehensive. 'It's certainly a red flag, and the company needs to be watched closely as its results are detailed this week.'"

Comments (none posted)

Red Hat's Red Flags (Motley Fool)

The Motley Fool comments on the departure of Red Hat's chief financial officer. "When a company's 39-year-old CFO quits just days before quarterly earnings to pursue new opportunities, it's a clue to invest your money elsewhere. When the same company's stock is priced beyond perfection, that's proof it's time to sell."

Comments (17 posted)

Linux Adoption

Wimbledon serves Linux volley (BBC)

The BBC reports on the infrastructure behind the Wimbledon tennis tournament. "Following a pilot project in 2003, the internal computer network at the All-England Club has been converted to the open source operating system. The change means that both the public-facing website for Wimbledon and its internal intranet are now using Linux." (Thanks to Jonathan Lucas).

Comments (3 posted)

Interviews

A Q&A with LTSP's Jim McQuillan (NewsForge)

Joe Barr talks with Jim McQuillan, project leader of the Linux Terminal Server Project, on NewsForge. "McQuillan: We started LTSP to solve a problem for a customer. They wanted 35 new terminals to access an AS/400 and a SCO Unix server. We really didn't want to continue using Windows, so we decided to figure out a way to do it with Linux."

Comments (none posted)

Resources

Spam Filtering with Sendmail Milters and Greylisting (O'ReillyNet)

Here's an O'ReillyNet article on writing spam filters using the sendmail "milter" interface. "Milter is a scalable, easy-to-use solution for MTA-level filtering. The API is quite straightforward to use and hides very few pitfalls. It's easy to start and to develop complex filtering techniques. It is indeed a great opportunity to have it in the battle against spam and viruses."

Comments (none posted)

Build a WAP gateway On Linux (IBM developerWorks)

Manas Ranjan Behera shows how to make a WAP gateway from a Linux machine on IBM's developerWorks. "The hottest technology for implementing mobile services is the Wireless Application Protocol (WAP). This article discusses the advantages of working with the open source gateway for WAP, which performs the protocol conversion between a Web server and a mobile phone."

Comments (none posted)

Windows Compatibility for the Linux Desktop (O'Reilly)

David Collier-Brown explores various Windows emulation solutions on O'Reilly. "In any business switching to Linux, there's at least one person who's stuck. These people need to use files from some Windows-only program, and usually have to do so by dual booting to and from Windows. Dual booting is very slow when all you really want to do is cut and paste a few screenfuls of data. Worse, because it is so slow, there is a real temptation to remain in Windows and use programs such as Outlook and Exchange, this year's favorite virus targets."

Comments (none posted)

Reviews

Linux Lite: Cobind and the Simpler Life (OSNews)

OSNews is running a review of Cobind 0.2, a distribution aimed at Linux newcomers. "There are many things I like about Cobind. First among them is the window manager. XFce 4 has a crispness and elegance that reminds me of the Macintosh's OS X.... XFce is clearly snappier than Gnome or KDE. It uses fewer system resources. More to the point, XFce is what you get -- there are no other choices."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Aonix Joins Eclipse

The open-source Eclipse IDE community has announced Aonix as a new member.

Full Story (comments: none)

OSIA Suggests Discussion Topics for Gates' Meeting with Australian Prime Minister

OSIA has suggested some discussion topics for the Australian prime minister and Bill Gates. "OSIA, Australia's Open Source industry body, notes with interest the recent announcement that Microsoft chairman Bill Gates will be having discussions with the Prime Minister. While we are happy that the Prime Minister is sending the message to the community that the ICT industry is increasingly important to the government, we have the following topics, which we hope can be raised in the discussions between the Prime Minister and Mr. Gates during their forthcoming meeting."

Full Story (comments: none)

Commercial announcements

Adobe Expands Reach of Adobe Reader and PDF on Consumer Electronics Devices

Adobe Systems Incorporated has announced the release of a consumer version of its Adobe PDF Reader for Linux-based PDA platforms. "Now, consumers will have new ways to access information in Adobe PDF without being connected to a PC."

Comments (2 posted)

Announcing CrossOver Office, Version 3.0.1

Version 3.0.1 of CrossOver Office has been announced. "This release is entirely a bug fix release, and is primarily intended to fix a bug in our handling of Fedora Core 2. However, there are a number of other fixes as well."

Full Story (comments: none)

Linux-based adware from Concurrent

Concurrent Computer is a member of the Linux TV alliance, and sells its own embedded Linux distribution. The company's latest announcement makes it clear, however, that "Linux inside" is not enough. Concurrent's latest ("patent pending") software enables digital video recorder systems to force viewers to view all advertisements at normal speed, even when fast-forwarding or skipping. "Concurrent's ad files technology replicates the advertisements appearing in the original content and inserts those advertisements in the on-demand trick files, making it impossible to skip the advertisements by fast-forwarding, since whether in normal or trick play, the advertisements play at the predetermined speed.... For example, rather than playing a complete ad in fast-rewind mode, the inserted content could be a shorter ad, or a still, or the ad in forward rather than reverse. The possibilities are spectacular."

Comments (20 posted)

IBM in Brazil

Here is IBM's press release about its new Linux services in Brazil. "Casas Bahia, one of the largest non-food retailers in Brazil, has had tremendous success by taking advantage of IBM's retail Linux solution for storefront systems. It faced the challenges of bringing costs down, while increasing the functionality and scalability of its point-of-sale solution in the stores. Working with IBM to deploy Linux for its POS system, the company was able to increase the flexibility, stability and security in its existing environment."

Comments (none posted)

Rent a Mandrakelinux server

A company called Nexedi has announced a new service called "rentalinux." For €95/month, companies in the EU can rent a server running Mandrakelinux for their network. "Nexedi rentalinux Desktop Linux Server solution combines server hardware rental, software setup, custom configuration, support and maintenance service in a single package which makes it the easiest, least intrusive and most effective way to provide Linux Desktop applications for small to medium-sized networks."

Full Story (comments: none)

Mandrakesoft Partners with Codehost

Mandrakesoft and Codehost have announced a new partnership. "Codehost's advanced Linux and Unix printing solution, BrightQ, will be distributed with Mandrakelinux 10, Mandrakesoft's newest desktop Linux release."

Comments (none posted)

Novell Expands Commitment to Open Source Standards With IPsec Initiatives

Novell, Inc. has announced its sponsorship of the Openswan project. "Novell today announced that it is sponsoring the Openswan project, a Linux* implementation of the IPsec (IP Security) standard that provides a common approach to securing Internet-based communications."

Comments (none posted)

Red Hat "previews" first quarter results

Red Hat is due to report its quarterly results on June 17, but has sent out a press release "previewing" some of the numbers. It seems the company sold 98,000 RHEL subscriptions over the quarter, and is reporting a net income of over $10 million.

Comments (3 posted)

PXA255 embedded SBC breaks sub-$100 barrier

Strategic Test Corporation has announced a new Single Board Computer (SBC); here are the technical specs: "400 MHz CPU, 16 MB SDRAM, 8 MB Flash in DIMM 144 format. TRITON-ECO is priced at $99 for 1000 quantity, runs Linux".

Full Story (comments: none)

Symbio Technologies Offers Free Symbiont Workstation Manager Software

Symbio Technologies has announced that it is offering The Symbiont Workstation Manager, a Linux-based thin client management tool, as a free download and as an open source project on SourceForge.

Comments (none posted)

Turbolinux to manage Chinese package delivery

Turbolinux has announced an agreement with the China Ministry of Railways to build a Linux-based system to handle package delivery operations. "The package delivery system in China utilizes the postal service and rail transportation. To modernize the package delivery process, the Ministry of Railways selected Turbolinux to develop a consolidated digital infrastructure. The widely deployed Linux-based system will link package delivery facilities and the Ministry of Railway Systems computer network, and will process 95% of the total freight volume -- nearly 200 million parcels annually."

Comments (none posted)

New Books

Syngress Releases "Stealing the Network: How to Own a Continent"

Syngress Publishing has published the book Stealing the Network: How to Own a Continent by Ryan Russell, Kevin Mitnick, and others.

Full Story (comments: 1)

Resources

List of Active FOSS EMR/EHR's (LinuxMedNews)

LinuxMedNews has posted a summary of open source Electronic Health Record (EHR) and Electronic Medical Record (EMR) projects. "Here's about as good a summary as you can get of currently active Free and Open Source Software EHR/EMR projects courtesy of Dan Johnson, MD. Dr. Johnson is the author of the earliest known writings on Free and Open Source Software in medicine. He continues his activity in this area."

Comments (none posted)

The LDP Weekly News

The June 16, 2004 edition of the Linux Documentation Project Weekly News is online with the latest new Linux documentation releases.

Full Story (comments: none)

Contests and Awards

Nominations Open for 2004 Linux Medical News Achievement Award (LinuxMedNews)

LinuxMedNews has announced that nominations are open for the fourth annual Linux Medical News Software Achievement Award. The entry deadline is July 15; the award will be presented at the Medinfo conference on September 7-12.

Comments (none posted)

Upcoming Events

CCRMA summer workshops in Banff, Canada

The Stanford University Center for Computer Research in Music and Acoustics (CCRMA) will be holding a set of summer workshops in Banff, Canada during July and August, 2004.

Full Story (comments: none)

LAMP area at LinuxTag 2004

There will be a LAMP Area at the LinuxTag 2004 conference in Karlsruhe, Germany on June 23-26, 2004. "In over 40 presentations prominent experts and well known Apache, MySQL and PHP developers including Rasmus Lerdorf, Ken Coar, Brian Aker and Derick Rethans will be talking on the use of LAMP projects in medium and large businesses as well as the newest technological developments in the field, rounding off this year's LAMP area program."

Comments (none posted)

OSDC Australia 2004 CFP

A call for papers has gone out for the Open Source Developers Conference Australia 2004. The event will take place on December 1-3, 2004 in Melbourne.

Full Story (comments: none)

European Summary on Free Software for Multimedia Streaming over Internet

The first European seminar on Free software for multimedia streaming over the internet will be held at IRCAM in Paris, France on June 23 and 24, 2004.

Full Story (comments: none)

Events: June 17 - August 12, 2004

Date | Event | Location
June 17 - 18, 2004 | Yet Another Perl Conference (YAPC::NA::2004) (University at Buffalo) | Buffalo, NY
June 17 - 18, 2004 | 18th European Conference on Object-Oriented Programming (ECOOP-2004) (The University of Oslo) | Oslo, Norway
June 23 - 24, 2004 | Free Software for Multimedia Streaming over the Internet (Ircam) | Paris, France
June 27 - July 2, 2004 | USENIX 2004 (Boston Marriott Copley Place) | Boston, MA
June 28 - 30, 2004 | GNOME User and Developer European Conference (GUADEC) | Kristiansand, Norway
June 28 - July 1, 2004 | JavaOne (Moscone Center) | San Francisco, CA
June 29 - July 1, 2004 | Perl Workshop 6.0 (Barbara-Künkelin-Halle) | Schorndorf, Germany
July 12 - 15, 2004 | Real-time and Embedded Systems Workshop | Washington, DC
July 19 - 20, 2004 | Italian Perl Workshop (Polo Fibonacci) | Pisa, Italy
July 21 - 24, 2004 | Linux Symposium | Ottawa, Canada
July 26 - 30, 2004 | O'Reilly Open Source Software Convention 2004 (OSCON) | Portland, OR
July 26 - 30, 2004 | IBM pSeries Technical Conference | Cairns, Australia
July 31 - August 2, 2004 | Vancouver Python Workshop | Vancouver, Canada
August 2 - 5, 2004 | LinuxWorld Conference & Expo (Moscone Center) | San Francisco, California

Comments (none posted)

Mailing Lists

OpenJay Development Krew [OJDK]

The OpenJay Development Krew [OJDK] mailing list has been created to discuss open-source DJ (Disk Jockey) software.

Full Story (comments: none)

Web sites

GrokDoc launches

GrokDoc, another offshoot from Groklaw, has hit the net. "Our goal is to create a useful manual on basic tasks that new users will find simple and clear and easy to follow, using what we learn from our study."

Comments (none posted)

Technocrat.net returns

Bruce Perens has put his old news site Technocrat.net back online. Some years ago, Technocrat was a reliable source for interesting news around free software and online liberty; we welcome its return.

Comments (2 posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds