LWN.net Weekly Edition for September 12, 2002

Spam avoidance techniques

It is said that most free software comes about as the result of some developer scratching a personal itch. It's also said that very little innovative free software development is done; free software projects spend their time "chasing taillights" - catching up to the features offered by proprietary code. The field of spam filtering may well confirm one of those stereotypes while refuting the other. After all, if there is anything that truly itches, it's spam. But some of the free software being developed to combat spam is truly innovative.

Most spam filtering work has involved two techniques: testing mail against patterns indicative of spam and blocking mail from known sources of spam (and other likely sources, such as ISP dialup lines). Source-based blocking can be effective, but it also tends to block a fair amount of legitimate mail along with the spam. For example, some blacklists cause the blocking of mail from kernel.org, despite the fact that no spam originates there. Source-based blocking is unreliable enough that quite a few sites are unwilling to use it, despite a strong desire to be rid of spam.

Pattern matching has shown more promise. Early spam filtering was done with complex procmail scripts, but the current champion of pattern-based spam filtering can only be SpamAssassin. Using a detailed set of rules, SpamAssassin cleans out the trash to great effect. LWN has been using it for some months, and it has made life much easier - lwn@lwn.net gets a lot of spam. SpamAssassin has given much of our time back to us to work on LWN, and it keeps us from accidentally deleting mail from readers that tended to get buried in the spam.

One thing that SpamAssassin users tend to notice, however, is that its effectiveness decreases over time. Each new update blocks more spam - a recent upgrade freed us from a whole unpleasant class of Nigeria spam, for example. But pattern-based matching only works as well as its patterns, and they tend to go stale as spammers move on to new tricks. Keeping SpamAssassin effective requires a number of highly dedicated people to actually read all that spam and come up with new rules. Most SpamAssassin users are unlikely to be able (or willing) to write new rules themselves.

Recently, a new approach to spam filtering has attracted a lot of attention, thanks mostly to Paul Graham's paper A Plan for Spam. Rather than try to come up with an endless stream of clever patterns to detect spam, why not just look at the words spammers use? Each word can be assigned a probability that any message that contains it is spam; the probabilities for the words in any specific message are then combined using a Bayesian filter, yielding an overall probability estimate. If that estimate is high enough, the message is classified as spam.
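The word-probability scheme just described, as an added example that is not part of this article and is not bogofilter's or spambayes' code: a small Python classifier in the spirit of Graham's paper. The token regex, the 0.4 score for never-seen tokens, the doubled weight given to ham counts, the 0.01/0.99 clamp, the choice of the 15 most "interesting" tokens and the 0.9 threshold are all choices modelled on that paper rather than taken from this page, and the training messages are constructed.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real lwn@lwn.net mail).
SPAM_SAMPLES = [
    "buy cheap viagra online now free offer",
    "free money lottery winner claim your prize now",
    "cheap mortgage rates act now limited offer",
    "hot stocks alert buy now free report",
]
HAM_SAMPLES = [
    "the kernel patch fixes the devfs race in the dcache code",
    "please review the attached patch for the scheduler",
    "meeting tomorrow about the kernel release schedule",
    "the filesystem code needs another review before merge",
]

TOKEN_RE = re.compile(r"[A-Za-z$][A-Za-z0-9$'-]*")


def tokenize(text):
    """Lower-cased set of word-like tokens; each token counts once per message."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


class BayesFilter:
    def __init__(self, unknown=0.4, top_n=15):
        self.spam_docs = 0            # number of spam messages trained on
        self.ham_docs = 0             # number of ham messages trained on
        self.spam_tokens = Counter()  # token -> number of spam messages containing it
        self.ham_tokens = Counter()   # token -> number of ham messages containing it
        self.unknown = unknown        # probability assigned to never-seen tokens (assumption)
        self.top_n = top_n            # how many "interesting" tokens to combine (assumption)

    def train(self, text, is_spam):
        """The 'this is spam' / 'this is ham' key: feed one sorted message."""
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def token_prob(self, token):
        """P(spam | token) from per-corpus document frequencies, clamped to [0.01, 0.99]."""
        b = self.spam_tokens[token]
        g = self.ham_tokens[token]
        if b + g == 0:
            return self.unknown
        spam_rate = min(1.0, b / max(self.spam_docs, 1))
        # ham counted double, which biases the filter against false positives
        ham_rate = min(1.0, 2 * g / max(self.ham_docs, 1))
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def classify(self, text):
        """Combine the most interesting token probabilities into one spam probability."""
        probs = sorted((self.token_prob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[: self.top_n]
        if not probs:
            return 0.5
        # prod(p) / (prod(p) + prod(1 - p)), evaluated in log space to avoid underflow
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.classify(text) > threshold


def build_demo_filter():
    """A filter trained on the constructed corpus above."""
    f = BayesFilter()
    for msg in SPAM_SAMPLES:
        f.train(msg, is_spam=True)
    for msg in HAM_SAMPLES:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("free offer buy now", "please review the kernel patch"):
        print("%.3f  %s" % (f.classify(msg), msg))
```

A message made entirely of unseen words scores below 0.5 and is left alone; feeding that same message back through train() with is_spam=True is the "this is spam" key, after which the filter classifies it correctly. That is the whole mechanism by which the rule base follows shifting spam without anyone writing a regular expression.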

At a first glance, going up against a tool as good as SpamAssassin with such a simple technique seems like a losing battle, but this approach has a number of advantages:

  • Development of the word-based rules can be automated - it is just a matter of feeding the filter enough spam and "ham" (legitimate mail) and letting it work out a probability factor for each word.

  • The filter can be made to follow shifting patterns in spam by passing it each message that it misclassifies. Users cannot be expected to master regular expressions and write patterns, but they can be asked to hit a "this is spam" key in their mailer.

  • Each user's spam filter comes to reflect the mail that the user receives. Spam seems like the ultimate in indiscriminate marketing, but the fact is that different people can receive very different spam. An individually derived rule base should prove more effective than a "one size fits all" set of patterns.

  • Classification of mail with a Bayesian filter can be done relatively quickly.

All of the above is irrelevant, however, if the Bayesian approach does not succeed in actually filtering spam. To get a sense for the state of the art, we took 3000 messages received at lwn@lwn.net - a little under two weeks worth. 295 of those messages were real mail, and 2705 were spam. If one were to believe the bulk of our mail, one would conclude that about every part of our anatomy (even those we don't possess) is the wrong size, that we are so honest that people want to extract money from Africa via our bank account, that we're missing out on numerous hot stocks, that we have a strange attraction to domesticated animals, and that the purchase of something called the "TushyClean" would greatly improve our lives. Trust us, this exercise has not been fun, but no sacrifice is too great for our readers.

Once the messages were sorted, we fed them all to SpamAssassin and to bogofilter, a new Bayesian filter written by Eric Raymond. Bogofilter was tested twice: once after training with 15% of the 3000 messages, and once after being trained with the whole set. Then we ran both filters on 5000 recent postings from the linux-kernel list, twelve of which were spam (devfs flames were not counted). The results were:

Filter                 False positives   False negatives   Run time (seconds)
-- 3000 lwn@lwn.net messages --
SpamAssassin                  2               250              11,900
Bogofilter (15%)              0               517                 108
Bogofilter (100%)             0                94                 134
-- 5000 linux-kernel messages --
SpamAssassin                  0                 6              19,600
Bogofilter                    0                 4                 251

False positives are legitimate mail classified as spam. These, of course, are bad news, since they can cause the loss of real mail. False negatives are spam that slip through - an annoyance. It is appropriate that spam filters tend to err toward false negatives, and both filters shown here do exactly that.

The results indicate that bogofilter requires a substantial amount of training before it reaches the level of effectiveness achieved by SpamAssassin. This training is best done with each individual user's mail, but most users are unlikely to have a few thousand nicely sorted messages sitting around to train their filters with. So bogofilter is likely to be frustrating for many users to adopt - it won't work well until the user has run "about one thousand" (according to Eric Raymond) messages through it.

That said, bogofilter is surprisingly effective for a tool that is so new and very much still in development. And the run time relative to SpamAssassin speaks for itself. Much of the difference there will be explained by the fact that bogofilter is coded in C, while SpamAssassin is in Perl. But bogofilter also owes its speed to a much faster algorithm.

The Bayesian filter idea is not new - see this 1998 paper on the Microsoft site, for example. But recently a great deal of effort has gone into expressing this approach in free software. Bogofilter is one example; another is the spambayes project, which has been set up as a testbed for variants on the Bayesian filter idea. It will be interesting to see where these projects go; they seem to be off to an interesting start. Taking on a tool as effective as SpamAssassin is a difficult challenge, but the free software world likes challenges.

Where free software should be required by law

RISKS 22.24 includes a detailed article by Rebecca Mercuri on the latest fun with the new voting systems in Florida. That state, of course, was the source of (ongoing) uncertainty in the 2000 U.S. presidential election, due, in part, to its ancient voting equipment. Since then, the voting machines have been upgraded to new, computer-based systems with touchscreen interfaces.

These systems are based on closed source code. There is no external audit trail, no way of verifying that they are recording votes as they were actually cast. Trade secret law forbids the inspection of the code in the systems. One just has to trust the vendor that the results are correct.

A primary election held there recently turned up a whole set of problems, ranging from basic usability issues to outright failure.

There has been a lot of interest recently in laws requiring governments to use free software in many or all situations. It remains unclear, to some people anyway, whether such laws are really in the best interest of government, the governed, or the free software community. But, in the case of voting systems, the answer seems clear: no part of the system that elects people into positions of power should be opaque. The creation of a free, transparent, verifiable electronic voting system should not be that hard a task for governments or the free software community. There is no excuse for using anything else.

Page editor: Jonathan Corbet

Security

Brief items

Multics security, thirty years later

Worth a read: Paul Karger and Roger Schell have released a new paper (available in PDF format) entitled "Thirty Years Later: Lessons from the Multics Security Evaluation." It includes the analysis of the security of the Multics operating system written by the same two authors and published in 1974, along with a new foreword describing how things have changed in the meantime. Their assessment of the current state of computer security is harsh:

The unpleasant conclusion is that although few, if any, fundamentally new vulnerabilities are evident today, today's products generally do not even include many of the Multics security techniques, let alone the enhancement identified as essential.

That essential enhancement is the creation of a verifiable "security kernel" around which the rest of the system could be built. In 2002, very few systems built around such kernels exist, and the authors are not very enthusiastic about those which do:

...the ring 0 supervisor of Multics of 1973 occupied about 628K bytes of executable code and read-only data. This was considered to be a very large system. By comparison, the size of the SELinux module with the example policy code and read-only data has been estimated to be 1767K bytes. This means that just the example security policy of SELinux is more than 2.5 times bigger than the entire 1973 Multics kernel and that doesn't count the size of the Linux kernel itself. Given that complexity is the biggest single enemy of security, this suggests that the complexity of SELinux needs to be seriously examined.

Or, to put things in more general terms:

Given the understanding of system vulnerabilities that existed nearly thirty years ago, today's "security enhanced" or "trusted" systems would not be considered suitable for processing even in the benign closed environment.

So how do we make things better? The paper does not provide a whole lot of new suggestions. The authors talk some about the tools that are used; for example, Multics was mostly free of buffer overflow vulnerabilities, thanks to the use of PL/I as the implementation language. PL/I required an explicit declaration of the length of all strings.

The net result is that a PL/I programmer would have to work very hard to program a buffer overflow error, while a C programmer has to work very hard to avoid programming a buffer overflow error.

Beyond that, one gets the sense that the authors feel they said what needed to be said thirty years ago, and they are still waiting for the message to get across. Their prediction:

It is unthinkable that another thirty years will go by without one of two occurrences: either there will be horrific cyber disasters that will deprive society of much of the value computers can provide, or the available technology will be delivered, and hopefully enhanced, in products that provide effective security.

The authors hope for the latter scenario; so do we.

Security reports

AFD 1.2.14 multiple local root compromises

AFD ("automatic file distributor") suffers from buffer overflow vulnerabilities which can lead to a local root compromise. Version 1.2.15 of AFD contains fixes for the problems.

A couple of KDE security advisories

The KDE project has issued a couple of security advisories:
  • This one describes a cross-site scripting vulnerability in Konqueror (and any other application which uses the KHTML renderer). Javascript code running in one frame can access other frames which should be inaccessible. This problem is fixed in kdelibs 3.0.3a.

  • The second is for a secure cookie problem in Konqueror. The "secure" flag in cookies is not recognized, with the result that "secure" cookies can be transmitted over unencrypted connections. KDE 3.0.3 fixes the problem.

We will, of course, pass on distributor updates as we receive them.
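The check that the second advisory says was missing, as an added illustration that is not KDE's code: a minimal Python cookie store that records the Secure attribute when a cookie is set and withholds such cookies from any request made over plain http. The Set-Cookie values and hostnames below are constructed; Path matching, expiry and public-suffix rules are left out to keep the point visible.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure or
    HttpOnly map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Minimal client-side cookie store that honours the Secure attribute."""

    def __init__(self):
        self.cookies = {}  # (domain, name) -> {"value": ..., "secure": bool}

    def store(self, response_host, header):
        """Record a cookie set by a response from response_host."""
        name, value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if not isinstance(domain, str) or not domain:
            domain = response_host  # no Domain attribute: host-only cookie
        domain = domain.lstrip(".").lower()
        self.cookies[(domain, name)] = {"value": value, "secure": "secure" in attrs}

    def cookie_header(self, url):
        """Build the Cookie header for a request to url, sending nothing marked Secure over http."""
        parts = urlsplit(url)
        over_tls = parts.scheme.lower() == "https"
        host = (parts.hostname or "").lower()
        pairs = []
        for (domain, name), cookie in self.cookies.items():
            if host != domain and not host.endswith("." + domain):
                continue  # cookie belongs to another domain
            if cookie["secure"] and not over_tls:
                continue  # the check the advisory says Konqueror lacked
            pairs.append("%s=%s" % (name, cookie["value"]))
        return "; ".join(pairs)


if __name__ == "__main__":
    jar = CookieJar()
    jar.store("www.example.com", "session=abc123; Path=/; Secure")  # constructed
    jar.store("www.example.com", "theme=dark; Path=/")               # constructed
    print("https:", jar.cookie_header("https://www.example.com/"))
    print("http: ", jar.cookie_header("http://www.example.com/"))
```

Without the Secure test in cookie_header(), the session cookie would be attached to the http request as well, which is exactly the leak the advisory describes: an attacker watching the unencrypted connection sees a credential the site thought it had confined to HTTPS.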

A security update to XFree86

The XFree86 project has released XFree86 4.2.1, which fixes a few security problems. The most urgent problem is a vulnerability in the internationalization code which can allow an attacker to cause a privileged X client to load and execute arbitrary code. This vulnerability only exists in XFree86 4.2.0; earlier releases are not vulnerable.

No distributor updates have been received as of this writing, though Slackware has updated its XFree86 packages.

New vulnerabilities

Denial of service vulnerability in amavis

Package(s): amavis    CVE #(s):
Created: September 11, 2002    Updated: September 11, 2002
Description: AMaViS is vulnerable to a denial of service attack via maliciously crafted input. Patches exist for AMaViS, but the recommended solution is to upgrade to the (actively developed) amavis-perl tool. See this advisory for details.
Alerts:
Gentoo amavis-20020905 2002-09-05

Input validation vulnerability in cacti

Package(s): cacti    CVE #(s):
Created: September 11, 2002    Updated: September 11, 2002
Description: Cacti is a PHP front end to rrdtool; it assists in the creation of plots from a MySQL database. This tool does not properly validate all input, leading to a remote code execution vulnerability in certain, limited conditions. See this Bugtraq posting for details.
Alerts:
Debian DSA-164-1 2002-09-10

Cross-site scripting vulnerability in mhonarc

Package(s): mhonarc    CVE #(s): CAN-2002-0738 CAN-2002-1307 CAN-2002-1388
Created: September 11, 2002    Updated: January 3, 2003
Description: Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
Alerts:
Debian DSA-221-1 2003-01-03
Debian DSA-199-1 2002-11-19
Debian DSA-163-1 2002-09-09

Multiple vulnerabilities in wordtrans

Package(s): wordtrans    CVE #(s): CAN-2002-0837
Created: September 11, 2002    Updated: February 4, 2003
Description: The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
Alerts:
Red Hat RHSA-2002:188-08 2002-09-05

Updated vulnerabilities

Heap corruption vulnerability in at

Package(s): at at, sudo, xchat    CVE #(s): CAN-2002-0004
Created: May 21, 2002    Updated: May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2001-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind glibc    CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002    Updated: October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Potential unauthorized root access vulnerability in dietlibc

Package(s): dietlibc    CVE #(s): CAN-2002-0391
Created: August 14, 2002    Updated: December 5, 2002
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
SCO Group CSSA-2002-055.0 2002-12-04
Debian DSA-146-2 2002-08-08
Debian DSA-146-1 2002-08-08

Ethereal 0.9.6 fixes potential remote code execution vulnerability

Package(s): ethereal    CVE #(s): CAN-2002-0834 CAN-2002-0821 CAN-2002-0822
Created: September 4, 2002    Updated: September 11, 2002
Description: Ethereal 0.9.6 was released on August 20, 2002 fixing a serious buffer overflow vulnerability in the ISIS protocol dissector in Ethereal 0.9.5 and earlier versions.
It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems.

Ethereal 0.9.4 has multiple buffer overflow and other vulnerabilities that are best dealt with by upgrading to 0.9.6. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code.

Updating now, rather than later, is recommended.

Alerts:
Debian DSA-162-1 2002-09-06
Eridani ERISA-2002:040 2002-09-03
Gentoo ethereal-20020830 2002-08-30
Red Hat RHSA-2002:169-13 2002-08-28

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s): ethereal    CVE #(s): CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created: June 12, 2002    Updated: October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
SCO Group CSSA-2002-037.0 2002-10-24
Conectiva CLA-2002:505 2002-07-04
Yellow Dog YDU-20020606-7 2002-06-06
Red Hat RHSA-2002:088-06 2002-06-04
Eridani ERISA-2002:023 2002-06-06

Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

GNU fileutils race condition

Package(s): fileutils ucdsnmp    CVE #(s): CAN-2002-0435
Created: May 21, 2002    Updated: May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13

Buffer overflow vulnerability in the Jabber plug-in module for gaim

Package(s): gaim    CVE #(s): CAN-2002-0384 CAN-2002-0377
Created: August 14, 2002    Updated: September 11, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59 which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Mandrake MDKSA-2002:054-1 2002-09-05
Yellow Dog YDU-20020810-4 2002-08-10
Red Hat RHSA-2002:107-11 2002-08-05

Remote arbitrary code execution vulnerability in gaim

Package(s): gaim    CVE #(s):
Created: August 28, 2002    Updated: September 4, 2002
Description: gaim versions prior to 0.59.1 contained an arbitrary code execution vulnerability in the hyperlink handling code.

The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the user's machine. Unfortunately, gaim doesn't display the hyperlink before the user clicks on it. Users who use other built-in browser commands aren't vulnerable.

The problem is fixed in gaim 0.59.1 which is available here. Versions prior to 0.58 also contained a buffer overflow in the Jabber plug-in module which, of course, is still fixed in 0.59.1. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
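The hyperlink-handler flaw above is a plain command injection: a URL received over the network is spliced into a shell command line. As an added example, not gaim's code, the Python function below shows the defensive pattern: split the user's browser template once with shell rules, insert the untrusted URL as a single argv element that no shell ever re-parses, and refuse URL schemes that are not web links. The '%s' placeholder convention and the allowed-scheme list are assumptions made for this example; the URLs are constructed.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Schemes a chat client has any business handing to a web browser (assumption).
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def build_browser_argv(template, url):
    """Turn a user-configured browser template into an argv list.

    The template (for example "mozilla -remote 'openURL(%s)'") is split once
    with shell quoting rules; the untrusted URL is then placed into a single
    argv element, so characters such as ';', '|' or '`' inside it are data
    for the browser rather than syntax for a shell.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing to open non-web URL: %r" % url)
    argv = []
    substituted = False
    for word in shlex.split(template):
        if "%s" in word:
            argv.append(word.replace("%s", url))
            substituted = True
        else:
            argv.append(word)
    if not substituted:
        argv.append(url)  # no placeholder: URL becomes the last argument
    return argv


def open_url(template, url):
    """Launch the browser without a shell: Popen receives argv, not a command string."""
    return subprocess.Popen(build_browser_argv(template, url))


if __name__ == "__main__":
    print(build_browser_argv("mozilla -remote 'openURL(%s)'", "http://example.com/a;b"))
```

The two properties worth checking in review are visible in the test: a URL carrying shell metacharacters survives as one argument, and anything that is not an http, https or ftp URL is rejected before a browser is ever started. Passing a command string with shell=True, or building one with string formatting as the vulnerable code did, loses the first property no matter how the URL is quoted.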

Alerts:
Conectiva CLA-2002:521 2002-08-30
Mandrake MDKSA-2002:054 2002-08-01
Gentoo gaim-20020827 2002-08-27
Debian DSA-158-1 2002-08-27

Potential remote root exploit in glibc

Package(s): glibc    CVE #(s): CAN-2002-0391
Created: August 14, 2002    Updated: June 30, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Buffer overflow in groff

Package(s): groff    CVE #(s): CAN-2002-0003
Created: May 21, 2002    Updated: December 9, 2002
Description: The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.
Alerts:
SCO Group CSSA-2002-057.0 2002-12-06
Gentoo groff-20021019 2002-10-19
Yellow Dog YDU-20020127-11 2002-01-27
Trustix 2002-0020 2002-01-18
Red Hat RHSA-2002:004-06 2002-01-14
Mandrake MDKSA-2002:012 2002-02-07

HylaFAX 4.1.3 fixes multiple vulnerabilities

Package(s): hylafax    CVE #(s): CAN-2001-1034
Created: July 30, 2002    Updated: October 9, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
SuSE SuSE-SA:2002:035 2002-10-04
Mandrake MDKSA-2002:055 2002-08-28
Debian DSA-148-1 2002-08-12

UW imapd remotely exploitable buffer overflow

Package(s): imap    CVE #(s): CAN-2002-0379
Created: June 5, 2002    Updated: December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SuSE SuSE-SA:2002:048 2002-12-20
Trustix 2002-0054 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Yellow Dog YDU-20020606-1 2002-06-06
Red Hat RHSA-2002:092-11 2002-05-22
Mandrake MDKSA-2002:034 2002-05-27
Eridani ERISA-2002:018 2002-05-25
Conectiva CLA-2002:487 2002-05-24
SCO Group CSSA-2002-021.0 2002-05-15

KDE 3.0.3 fixes X.509 certificate check vulnerability

Package(s): kde    CVE #(s):
Created: September 4, 2002    Updated: September 11, 2002
Description: The SSL implementation used by previous versions of KDE accepted, without alerting the user, any X.509 certificate signed by any entity under specific conditions. This bug allows "for undetected MITM attacks ("man in the middle"), which could compromise an encrypted HTTPS session."
Alerts:
Mandrake MDKSA-2002:058 2002-09-09
Conectiva CLA-2002:519 2002-08-29

Kernel update for RedHat 7.3 i810 video

Package(s): kernel    CVE #(s):
Created: August 28, 2002    Updated: September 4, 2002
Description: Red Hat has issued a kernel update that fixes an "i810 video oops". "Updated kernel packages are now available which fix an oops in the i810 3D kernel code. This kernel update also fixes a difficult to trigger race in the dcache (filesystem cache) code, as well as some potential security holes, although we are not currently aware of any exploits."
Alerts:
Red Hat RHSA-2002:158-09 2002-08-20

Kerberos 5 unauthorized root access to KDC host vulnerability

Package(s): krb5    CVE #(s):
Created: August 14, 2002    Updated: October 29, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Gentoo 200210-011 2002-10-28
Conectiva CLA-2002:515 2002-08-07
Debian DSA-143-1 2002-08-05

LPRng accepts jobs from any host.

Package(s): LPRng    CVE #(s): CAN-2002-0378
Created: June 12, 2002    Updated: October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for administrators with systems exposed to the general public.

Alerts:
SuSE SuSE-SA:2002:040 2002-10-31
Mandrake MDKSA-2002:042 2002-07-04
Red Hat RHSA-2002:089-07 2002-06-09

Mailman 2.0.12 closes cross-site scripting vulnerability

Package(s): mailman    CVE #(s): CAN-2002-0855
Created: August 28, 2002    Updated: September 4, 2002
Description: Mailman 2.0.12, released on July 2nd, closed a minor cross-site scripting vulnerability and implemented "a guard against some reply loops and 'bot subscription attacks." Upgrading to Mailman 2.0.13, which also fixes some Python 1.5.2 incompatibilities, is recommended.
Alerts:
Conectiva CLA-2002:522 2002-09-03
Red Hat RHSA-2002:176-06 2002-08-22

Multiple vulnerabilities in mantis

Package(s): mantis    CVE #(s):
Created: August 20, 2002    Updated: September 4, 2002
Description: The Mantis project has reported a number of bugs in the Mantis bug tracking system, including: Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
Debian DSA-161-1 2002-09-04
Debian DSA-153-2 2002-08-20

PHP Remote Compromise/DOS Vulnerability

Package(s): mod_php4    CVE #(s):
Created: July 22, 2002    Updated: February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Mozilla XMLHttpRequest file disclosure vulnerability

Package(s): mozilla    CVE #(s): CAN-2002-0354
Created: May 21, 2002    Updated: October 18, 2002
Description: This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).
Alerts:
Red Hat RHSA-2002:192-13 2002-10-09
Red Hat RHSA-2002:079-13 2002-05-13
Conectiva CLA-2002:490 2002-05-29

String format bug in pam_ldap logging

Package(s): nss_ldap    CVE #(s): CAN-2002-0374
Created: June 5, 2002    Updated: October 29, 2002
Description: The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism.
Alerts:
SCO Group CSSA-2002-041.0 2002-10-28
Yellow Dog YDU-20020606-2 2002-06-06
Red Hat RHSA-2002:084-17 2002-05-26
Eridani ERISA-2002:019 2002-05-28

OpenSSL remotely-exploitable buffer overflow vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created:July 30, 2002 Updated:September 24, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27 Apache/mod_ssl Worm.

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

If you haven't already, applying an update is a very good thing to do today.

Mitel Networks has an update available which closes this vulnerability for their SME Server software.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Alerts:
SuSE SuSE-SA:2002:033 2002-09-19
Debian DSA-136-2 2002-09-15
Yellow Dog YDU-20020810-1 2002-08-10
Conectiva CLA-2002:516 2002-08-08
EnGarde ESA-20020807-020 2002-08-07
Mandrake MDKSA-2002:046-1 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Eridani ERISA-2002:034 2002-08-06
Yellow Dog YDU-20020801-3 2002-08-01
SCO Group CSSA-2002-033.0 2002-07-31
Gentoo openssl-20020730 2002-07-30
Eridani ERISA-2002:033 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Mandrake MDKSA-2002:046 2002-07-30
Conectiva CLA-2002:513 2002-07-31
Red Hat RHSA-2002:155-11 2002-07-29
Trustix 2002-0063 2002-07-29
OpenPKG OpenPKG-SA-2002.008 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
Debian DSA-136-1 2002-07-30

Comments (none posted)

Safemode vulnerability in PHP

Package(s):PHP CVE #(s):CAN-2001-1246
Created:August 20, 2002 Updated:October 9, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Alerts:
SuSE SuSE-SA:2002:036 2002-10-04
Debian DSA-168-1 2002-09-18
Mandrake MDKSA-2002:059 2002-09-10
Red Hat RHSA-2002:102-26 2002-08-19

Comments (none posted)

Remotely exploitable vulnerability in pine

Package(s):pine CVE #(s):CAN-2002-0014
Created:May 21, 2002 Updated:November 27, 2002
Description: Pine has an unpleasant vulnerability in URL handling which can lead to command execution by remote attackers. (First LWN report: January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

Alerts:
SuSE SuSE-SA:2002:046 2002-11-25
Yellow Dog YDU-20020127-8 2002-01-27
Slackware sl-1010936849 2002-01-13
Red Hat RHSA-2002:009-06 2002-01-14
EnGarde ESA-20020114-002 2002-01-14
Conectiva CLA-2002:460 2002-01-31

Comments (none posted)

Buffer overflow vulnerabilities in PostgreSQL

Package(s):PostgreSQL CVE #(s):
Created:August 21, 2002 Updated:January 27, 2003
Description: PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited."

Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions.

Alerts:
Yellow Dog YDU-20030127-5 2003-01-27
Red Hat RHSA-2003:001-16 2003-01-14
Red Hat RHSA-2003:010-10 2003-01-14
SuSE SuSE-SA:2002:038 2002-10-21
Trustix 2002-0071 2002-10-17
Mandrake MDKSA-2002:062 2002-10-01
Conectiva CLA-2002:524 2002-09-19
Debian DSA-165-1 2002-09-12
Gentoo postgresql-20020826 2002-08-26

Comments (none posted)

PXE server denial of service vulnerability

Package(s):pxe CVE #(s):CAN-2002-0835
Created:September 4, 2002 Updated:November 11, 2002
Description: The PXE server can be crashed using DHCP packets from some Voice Over IP (VOIP) phones. Maliciously formed DHCP packets could be used by a remote attacker to effect a denial of service attack.

The PXE package contains the PXE (Preboot eXecution Environment) server and code needed for Linux to boot from a boot disk image on a Linux PXE server.
Alerts:
SCO Group CSSA-2002-044.0 2002-11-11
Eridani ERISA-2002:041 2002-09-03
Red Hat RHSA-2002:162-12 2002-08-30

Comments (none posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Scrollkeeper temporary file vulnerability

Package(s):scrollkeeper CVE #(s):CAN-2002-0662
Created:September 4, 2002 Updated:September 4, 2002
Description: There is a tempfile vulnerability in ScrollKeeper versions between 0.3 and 0.3.11.

The scrollkeeper-get-cl command generates temporary files with predictable names and follows symbolic links. "These files are created when a user logs in to a GNOME session and are created as the user who logged in. This means an attacker with local access can easily create and overwrite files as another user." For more information see this security advisory from Spybreak.

ScrollKeeper is a cataloging system for documentation on open systems. It manages documentation metadata (as specified by the Open Source Metadata Framework(OMF)) and provides a simple API to allow help browsers to find, sort, and search the document catalog.
Alerts:
Gentoo scrollkeeper-20020904 2002-09-04
Debian DSA-160-1 2002-09-03
Red Hat RHSA-2002:186-07 2002-08-28

Comments (none posted)

Sharutils potential privilege escalation using uudecode

Package(s):sharutils CVE #(s):CAN-2002-0178
Created:May 21, 2002 Updated:October 31, 2002
Description: According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
Alerts:
Gentoo 200210-012 2002-10-30
SCO Group CSSA-2002-040.0 2002-10-28
Mandrake MDKSA-2002:052 2002-08-14
Yellow Dog YDU-20020522-4 2002-05-22
Red Hat RHSA-2002:065-13 2002-05-14
Eridani ERISA-2002:014 2002-05-16

Comments (none posted)

Multiple vulnerabilities fixed in Squid-2.4.STABLE7

Package(s):squid CVE #(s):
Created:July 8, 2002 Updated:November 15, 2002
Description: Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7. Several of the bugs are believed to allow remote code execution.

The security advisory lists the following changes:

  • Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus.
  • Security fixes in how Squid parses FTP directory listings into HTML
  • FTP data channels are now sanity checked to match the address of the requested FTP server. This to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired.
  • The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper.
  • A security issue in how Squid forwards proxy authentication credentials has been fixed
Alerts:
SCO Group CSSA-2002-046.0 2002-11-14
Eridani ERISA-2002:031 2002-07-26
Mandrake MDKSA-2002:044 2002-07-17
Trustix 2002-0062 2002-07-15
SuSE SuSE-SA:2002:025 2002-07-09
Conectiva CLA-2002:506 2002-07-05

Comments (none posted)

Tcl/Tk local root vulnerability

Package(s):tcltk expect CVE #(s):CAN-2001-1374 CAN-2001-1375
Created:August 14, 2002 Updated:September 24, 2002
Description: Tcl/Tk searches for its libraries in the current working directory before other directories. A local user could execute arbitrary code by inserting a Trojan horse library in the current working directory.

Versions of the expect application prior to 5.32 search for their libraries in /var/tmp before searching in other directories. A local user could gain root privileges by inserting a Trojan horse library in /var/tmp and then getting the root user to run mkpasswd.

Alerts:
Mandrake MDKSA-2002:060 2002-09-23
Eridani ERISA-2002:037 2002-08-14
Red Hat RHSA-2002:148-06 2002-08-12

Comments (none posted)

Malformed NFS packet buffer overflow vulnerability in tcpdump

Package(s):tcpdump CVE #(s):CAN-2002-0380
Created:June 5, 2002 Updated:October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Alerts:
Red Hat RHSA-2002:094-16 2002-10-04
Yellow Dog YDU-20020606-3 2002-06-06
Trustix 2002-0055 2002-06-05
SCO Group CSSA-2002-025.0 2002-06-04
Conectiva CLA-2002:491 2002-06-05
Red Hat RHSA-2002:094-08 2002-05-29
Eridani ERISA-2002:020 2002-05-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

Multiple vulnerabilities in SNMP implementations

Package(s):ucdsnmp ucd-snmp CVE #(s):CAN-2002-0012 CAN-2002-0013
Created:May 21, 2002 Updated:September 17, 2002
Description: Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).
Alerts:
Red Hat RHSA-2002:036-26 2002-09-12
Yellow Dog YDU-20020211-1 2002-02-11
Red Hat RHSA-2001:163-20 2002-02-12
Mandrake MDKSA-2002:014 2002-02-15
Debian DSA-111-2 2002-02-28
Debian DSA-111-1 2002-02-14
Conectiva CLA-2002:462 2002-02-14
SCO Group CSSA-2002-004.0 2002-01-22

Comments (none posted)

Local root vulnerability in chfn

Package(s):util-linux CVE #(s):CAN-2002-0638
Created:July 30, 2002 Updated:October 31, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the Bindview Advisory.

Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.

CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Alerts:
SCO Group CSSA-2002-043.0 2002-10-29
Conectiva CLA-2002:523 2002-09-12
Mandrake MDKSA-2002:047 2002-08-08
Yellow Dog YDU-20020801-4 2002-08-01
Trustix 2002-0064 2002-07-30
Red Hat RHSA-2002:132-14 2002-07-29
Eridani ERISA-2002:032 2002-07-29

Comments (none posted)

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 21, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
Alerts:
Yellow Dog YDU-20030127-4 2003-01-27
Red Hat RHSA-2002:254-05 2002-12-04
SCO Group CSSA-2002-036.0 2002-10-22
EnGarde ESA-20020423-009 2002-04-23
Conectiva CLA-2002:476 2002-04-26

Comments (none posted)

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
SCO Group CSSA-2003-002.0 2003-01-09
Yellow Dog YDU-20020522-7 2002-05-22
Mandrake MDKSA-2002:033 2002-05-21

Comments (1 posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th the advice was to disable libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Comments (1 posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818
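A defensive check for the wwwoffle failure mode above, added here as an example rather than taken from wwwoffle's code: a Content-Length value run through a signed conversion wraps to a huge unsigned size once it reaches a read or allocation, so the strict parser accepts only plain digits within a cap. The 64 MiB limit and the function names are this example's own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed policy limit for this example: refuse bodies larger than 64 MiB. */
#define MAX_BODY ((size_t)64 * 1024 * 1024)

/* The failure mode: a signed parse of the header and an unsigned consumer.
 * "-1" becomes SIZE_MAX once it is used as a read()/malloc()-style size. */
size_t naive_body_size(const char *value)
{
    return (size_t)atol(value);
}

/* Strict parser: ASCII digits only, optional surrounding whitespace, bounded
 * by MAX_BODY. Returns 0 and stores the length, or -1 for anything else
 * (sign, hex prefix, embedded space, empty value, overflow). */
int parse_content_length(const char *value, size_t *out)
{
    const char *end;
    size_t v = 0;

    if (value == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;
    end = value + strlen(value);
    while (end > value && strchr(" \t\r\n", end[-1]) != NULL)
        end--;
    if (end == value)
        return -1;
    for (; value < end; value++) {
        unsigned d;
        if (!isdigit((unsigned char)*value))
            return -1;
        d = (unsigned)(*value - '0');
        if (v > (MAX_BODY - d) / 10)      /* v * 10 + d would exceed MAX_BODY */
            return -1;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Convenience for a whole header line such as "Content-Length: 123\r\n":
 * returns the length, or -1 if the line is not an acceptable Content-Length. */
long checked_content_length(const char *line)
{
    static const char name[] = "Content-Length:";
    size_t n;

    if (line == NULL || strncasecmp(line, name, sizeof name - 1) != 0)
        return -1;
    if (parse_content_length(line + sizeof name - 1, &n) != 0)
        return -1;
    return (long)n;
}
```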

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xchat IRC server based dns query vulnerability

Package(s):xchat CVE #(s):CAN-2002-0382
Created:June 5, 2002 Updated:September 24, 2002
Description: A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable.
Alerts:
Conectiva CLA-2002:526 2002-09-23
Mandrake MDKSA-2002:051 2002-08-14
Yellow Dog YDU-20020606-5 2002-06-06
Eridani ERISA-2002:021 2002-06-05
Red Hat RHSA-2002:097-08 2002-06-04

Comments (none posted)

Denial of service vulnerability in xinetd

Package(s):xinetd CVE #(s):
Created:August 14, 2002 Updated:December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by programs it starts, to crash xinetd. Xinetd is a replacement for the BSD derived inetd.
Alerts:
Red Hat RHSA-2002:196-19 2002-12-02
Red Hat RHSA-2002:196-09 2002-10-14
Mandrake MDKSA-2002:053 2002-08-26
Gentoo xinetd-20020814 2002-08-14
Debian DSA-151-1 2002-08-13

Comments (none posted)

Resources

The IP Security Protocol (Linux Journal)

This Linux Journal article explains IPSec, different levels of security and how to be safe sending and receiving packets over the network. "Several different solutions exist that allow us to cope with this problem, each operating at a different level of abstraction. In this article, we will discuss the differences between and purposes of application-level security, socket-level security and network-level security."

This article continues with part 2 which moves on to encapsulating security payloads and key exchange mechanisms.

Comments (none posted)

This week's Linux Advisory Watch and Security Week

The Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

"Know Your Enemy: Honeynets" paper updated

The Honeynet Project has announced an update to its "Know Your Enemy: Honeynets" paper. "This update includes far greater detail in explaining how to deploy 1st and 2nd generation Honeynets. Even more exciting, we have released a significant amount of new code, especially for GenII (2nd generation) Honeynets! This should make deploying these technologies much easier, with different options and different operating systems."

Full Story (comments: none)

Events

Security events calendar

September 19 - 20, 2002: SEcurity of Communications on the Internet 2002 (SECI'02), Tunis, Tunisia
September 23 - 26, 2002: New Security Paradigms Workshop 2002 (The Chamberlain Hotel), Hampton, Virginia, USA
September 23 - 25, 2002: University of Idaho Workshop on Computer Forensics (University of Idaho), Moscow, Idaho, USA
September 26 - 27, 2002: HiverCon 2002 (Hilton Hotel), Dublin, Ireland
September 27 - 29, 2002: ToorCon 2002 (San Diego Concourse), San Diego, CA, USA
October 16 - 18, 2002: Recent Advances in Intrusion Detection 2002 (RAID 2002), Zurich, Switzerland

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.5.34, released by Linus on September 9. People who had trouble with 2.5.33 may want to give this one a try; it has some important per-CPU fixes, and the floppy driver is said to really work this time. Also included is a bunch of block I/O work from Al Viro, memory management work from Andrew Morton, a JFS update, and quite a few other fixes and updates. The long-format changelog is available, as usual. Note that this kernel has a bug which can cause IDE partitions to disappear.

Linus's BitKeeper tree, which may be 2.5.35 by the time you read this, contains a large set of patches including a new sys_exit_group() system call (more thread work by Ingo Molnar), a major merge of IDE code from the 2.4-ac tree (which, according to Alan Cox, works "better than expected," but one should still be careful), yet more VM changes via Andrew Morton (see below), and a number of other fixes and updates.

The current 2.5 status summary from Guillaume Boissiere came out on September 10.

The current stable kernel is 2.4.19. Marcelo released 2.4.20-pre6 on September 10; it adds a number of updates and a couple of bugs which make it fail to compile or boot for a number of users.

Alan Cox's current prepatch is 2.4.20-pre5-ac5, which is given over mostly to new IDE code. "You can now load ide pci drivers at boot time or as modules. Don't try unloading the modules yet"

Comments (none posted)

Kernel development news

Linus gets spam filtering

People sending mail to Linus may want to cut back on their LINES OF YELLING, keep an eye on vulgar words in their code comments, and so on. It seems that Linus has started using SpamAssassin, and it is causing him to lose a few patches due to false positives. The number of false positives is small enough that he intends to continue using the filter. And, in the end, most developers probably agree that kernel development benefits if Linus spends less time wading through spam.

Comments (2 posted)

Speeding up reverse mapping

Ever since Rik van Riel's reverse mapping VM implementation was merged into the kernel, people have wondered how it could be made to work more quickly. The rmap code accelerates many memory management operations, but slows down others. It would be nice to get to the point where the performance regressions have been mitigated (or eliminated) while keeping the benefits of the rmap code. Linus's current BitKeeper tree contains one patch from Andrew Morton which is a big step in that direction.

As described here last January, the rmap code works by keeping track of which page tables reference every physical page on the system. This is done by adding a linked list of rmap entries to the page structure; each entry in the list points to one page table entry referencing the page. The maintenance of this list is the source of the bulk of the rmap code's overhead. The many thousands of these pte_chain structures require a lot of processing to keep current, are inefficient (the structure contains two pointers; the one which points to the next pte_chain entry is pure overhead), and put lots of pressure on the memory allocation subsystem.

Andrew's solution to this problem is simply to expand the pte_chain structures to hold multiple page table pointers. Anywhere between seven and 31 PTE pointers can be stored in a single pte_chain entry, depending on the architecture. The chain overhead is reduced accordingly, and the system's cache behavior is improved. This change, it is claimed, takes 10% off that all-important kernel compile time - at least on Andrew's wimpy little 16-processor NUMA system.

One other optimization, which has been in the kernel for a while, is to eliminate the PTE chain entirely for pages which are only mapped into a single process - of which there are many on a typical system. In that case, a flag is set in the page structure, and the pointer for the PTE chain points, instead, directly at the page table entry of interest.

The rmap code still has its performance costs, especially in the fork system call. But those costs are shrinking - as are inefficiencies throughout the kernel.
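The pte_chain layout described above, as a user-space C model added here (not kernel code): each chain block carries NRPTE PTE pointers behind a single next pointer, and a page with exactly one mapping keeps a direct pointer under a PG_direct flag instead of any chain at all. The block size of 7, the 16-block static pool and the names page_mapcount and rmap_model are this example's own assumptions.

```c
#include <string.h>

typedef unsigned long pte_t;   /* stand-in for a page table entry */
#define NRPTE 7                /* PTE pointers per block (assumed; the kernel uses 7..31) */
#define PG_direct 0x1UL        /* page has exactly one mapping: pte.direct is that PTE */
#define POOL_BLOCKS 16         /* static pool standing in for the slab allocator */

/* One block of the reverse-map chain: a single next pointer of pure overhead
 * is amortised over NRPTE PTE pointers instead of being paid per entry. */
struct pte_chain {
    struct pte_chain *next;
    pte_t *ptes[NRPTE];
};

struct page {
    unsigned long flags;
    union {
        pte_t *direct;             /* valid when PG_direct is set */
        struct pte_chain *chain;   /* otherwise the chain head, NULL when unmapped */
    } pte;
};

static struct pte_chain pool[POOL_BLOCKS];
static int pool_used;

static struct pte_chain *pte_chain_alloc(void) {
    if (pool_used >= POOL_BLOCKS)
        return NULL;
    memset(&pool[pool_used], 0, sizeof pool[0]);
    return &pool[pool_used++];
}

/* Record that the PTE at ptep maps this page; returns 0, or -1 if out of blocks. */
int page_add_rmap(struct page *page, pte_t *ptep) {
    struct pte_chain *pc;
    int i;
    if (!(page->flags & PG_direct) && page->pte.chain == NULL) {
        page->flags |= PG_direct;     /* first mapping: no chain block at all */
        page->pte.direct = ptep;
        return 0;
    }
    if (page->flags & PG_direct) {    /* second mapping: direct pointer becomes a chain */
        if ((pc = pte_chain_alloc()) == NULL)
            return -1;
        pc->ptes[0] = page->pte.direct;
        page->flags &= ~PG_direct;
        page->pte.chain = pc;
    }
    pc = page->pte.chain;             /* fill a free slot before taking a new block */
    for (i = 0; i < NRPTE; i++)
        if (pc->ptes[i] == NULL) {
            pc->ptes[i] = ptep;
            return 0;
        }
    if ((pc = pte_chain_alloc()) == NULL)
        return -1;
    pc->ptes[0] = ptep;
    pc->next = page->pte.chain;
    page->pte.chain = pc;
    return 0;
}

/* Walk the page's reverse map: *blocks gets the chain block count (0 while
 * direct) and the return value is the number of PTEs mapping the page. */
int page_mapcount(const struct page *page, int *blocks) {
    const struct pte_chain *pc;
    int i, n = 0, b = 0;
    if (page->flags & PG_direct) {
        *blocks = 0;
        return 1;
    }
    for (pc = page->pte.chain; pc != NULL; pc = pc->next, b++)
        for (i = 0; i < NRPTE; i++)
            n += pc->ptes[i] != NULL;
    *blocks = b;
    return n;
}

/* Map nmaps distinct PTEs into one page and report what 0 = mapcount,
 * 1 = chain blocks used, 2 = whether the direct (chain-less) form is in use. */
int rmap_model(int nmaps, int what) {
    static pte_t ptes[64];
    struct page pg;
    int i, blocks, count;
    if (nmaps < 0 || nmaps > 64)
        return -1;
    memset(&pg, 0, sizeof pg);
    pool_used = 0;                    /* fresh pool for each run of the model */
    for (i = 0; i < nmaps; i++)
        if (page_add_rmap(&pg, &ptes[i]) != 0)
            return -1;
    count = page_mapcount(&pg, &blocks);
    return what == 1 ? blocks : what == 2 ? (pg.flags & PG_direct) != 0 : count;
}
```

With NRPTE set to 7, the eighth mapping of a page is the first one that costs a second block, and a page mapped once costs no block at all.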

Comments (none posted)

Other memory management work

Lest one think that tweaking rmap is all that is happening in the memory management world: a great deal of code is currently circulating which makes big changes, and it has been finding its way into Linus's kernel.

For example, 2.5.34 includes Patricia Gaughen's discontiguous memory patch, which is aimed at the needs of large, NUMA systems. On such systems, you no longer just have a simple array of memory; instead, the system's RAM is broken up into zones, each of which is attached to a particular NUMA node. Memory accesses within a node are faster than cross-node references, so the kernel needs to know where any given page resides. Memory on these systems can also have address holes between each node's zone.

The discontiguous memory patch does away with the classic mem_map array, which contained one struct page structure for each page on the system. The memory map is now split into separate, per-node maps, and all references to mem_map in the kernel have been changed. Rather than dealing with simple indexes into mem_map, the kernel now works with page frame numbers; an old reference to mem_map+i is now pfn_to_page(i). For the most part, code which did not access mem_map directly will likely require no changes in response to the discontiguous memory patches. But there will be exceptions...

Andrew Morton's "-mm" patches have become the staging area for memory management changes. The current patch as of this writing (2.5.34-mm1) contains a long list of other changes, including:

  • Directory indexes for the ext3 filesystem (by Daniel Phillips). Calling this one "memory management" is a bit of a stretch, of course, but it is a definite performance improver when large directories are used.

  • A patch by William Lee Irwin which lets the i386 architecture maintain page tables in high memory.

  • A change to the readv and writev system calls (by Janet Morgan) which submits all segments for I/O in parallel; this patch greatly speeds up direct disk I/O operations.

  • Rohit Seth's large page patch for the i386 architecture (covered here last month).

  • A patch which allows copy_from_user and copy_to_user to be called in atomic (non-blocking) situations. If the copy operation encounters a page fault, it simply fails.

  • ...and many other changes.

One interesting side result from work like the atomic copy_*_user functions and the preemptible kernel is a formalization of just when the kernel is performing an atomic operation. Code in the 2.4 (and prior) kernel could check for certain situations where atomic operation was required, such as when servicing an interrupt. In 2.5, other atomic situations (e.g. holding a spinlock) are tracked, and it is easy for code with a need to say "don't interrupt me or sleep now." The result should be more explicit code and fewer bugs.

Comments (2 posted)

Too much attention on large systems?

Paolo Ciarrocchi recently posted an article giving some benchmark results on his laptop; these results generally show that 2.5.33 performs a little more slowly than the 2.4 kernels. Given that much of the work in 2.5 has been oriented around performance, what is happening here? Daniel Phillips summarized things as follows:

I suspect the overall performance loss on the laptop has more to do with several months of focussing exclusively on the needs of 4-way and higher smp machines.

The fear that large systems performance work would slow things down on the hardware that most of us actually use has been present for years. Could it be that the big iron is finally taking over the kernel?

The answer, for now, is probably "no." 2.5 development efforts have indeed emphasized large systems performance so far. The small-systems performance has not been impaired so much as simply passed over for now. As Andrew Morton put it:

It's on the larger machines where 2.4 has problems. Fixing them up makes the kernel broader, more general purpose. We're seeing 50-100% gains in some areas there. Giving away a few percent on smaller machines at this stage is OK. But yup, we need to go and get that back later

Small-systems tuning, of course, is work that can mostly happen after next month's feature freeze. Expect some serious efforts in that direction - small and embedded systems, after all, are a huge part of the Linux user base. It wouldn't do to leave them out in the cold.

Comments (none posted)

Patches and updates

Kernel trees

Build system

Core kernel code

  • Andrew Morton: readv/writev rework. "This is Janet Morgan's patch which converts the readv/writev code to submit all segments for IO before waiting on them, rather than submitting each segment separately." (September 11, 2002)

Development tools

Device drivers

  • Jens Axboe: 2.5.34 IDE. "I've updated 2.5 IDE code to match what is currently in 2.4.20-pre5-ac4, since is much nicer and better structured." (September 11, 2002)

Filesystems and block I/O

Memory management

  • Ed Tomlinson: slabnow. (September 10, 2002)

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

Distribution News

Debian Weekly News - September 10th, 2002

This week's Debian Weekly News tells us, "The most interesting news for this week probably is the removal of Qmail from Debian's list server. Thanks to the admin and listmaster team, the server now happily runs Postfix." Of course there are several other topics as well.

Full Story (comments: none)

Libranet GNU/Linux 2.7

Libranet GNU/Linux 2.7 has been released. "Libranet is based on Debian's stable woody release with upgrades to major packages like KDE and the addition of Libranet's custom installer, Libranet Adminmenu, desktop configuration and the excellent OpenOffice suite."

Comments (1 posted)

Mandrake Linux

MandrakeSoft announced the second Release Candidate of the upcoming Mandrake Linux 9.0. This RC2 is the last chance to influence 9.0's development by contributing reports and suggestions.

The Mandrake Linux Community Newsletter -- Issue #58 contains information about the 9.0 Release Candidate and much more.

Open for Business interviews Mandrake co-founder Gaël Duval about the company's past, present, and future. "...I think the commercial dynamics around Mandrake Linux, and the creation of MandrakeSoft, have been key factors for its development and long-term success. But as you know, Mandrake is much like a Free Software project that is financed by a commercial company. This approach makes great difference when compared to other Linux distributions!"

Last week's update to cdrecord had a few problems. In some situations, notably with xcdroast, the mkisofs utility creates pseudo-empty filesystems. The filesystem is the proper size, but the contents of the filesystem are not available. New xcdroast packages are available that are compatible with this version of cdrecord.

Comments (none posted)

Slackware Linux

Several changes were made to the Slackware current tree this week. There is a security fix, and numerous bug fixes in Xfree86. Other packages have bug fixes as well. Click on Full Story to see the changes for this week, or go to the changelog for complete details.

Full Story (comments: none)

New Distributions

DebianEdu

The DebianEdu subproject is a new project aimed at making Debian the best distribution available for educational use. Still in its early stages, this subproject is actively looking for volunteers.

Full Story (comments: none)

OpenZaurus

The OpenZaurus project aims to build a kernel and filesystem for the Sharp SL-5000d and SL-5500 which will retain binary compatibility with the existing Sharp system. OpenZaurus will not use proprietary packages, but instead will emphasize GPL licensed packages, such as replacing the Opera browser with Konqueror/Embedded. The ultimate goal is to have a Sharp PDA with enhanced usability, particularly for developers and power users.

Comments (none posted)

Simply GNUstep

Simply GNUstep is a Linux/GNU distribution aimed at providing an OpenStep feeling from bootup on. This is a stripped down distribution for ease of use. (Think OS X for x86). Version 1 is now available. This release is the first version that installs to the hard disk. It is recommended for installation on a dedicated machine or a virtual machine. Configuration is not complete; the user must manually configure X11 and networking.

Comments (none posted)

Minor distribution updates

herbix

herbix has released v1.0-36. This release has been rewritten from scratch and has major bug fixes.

Comments (none posted)

uClinux

uClinux has released v2.5.34-uc0 with major feature enhancements.

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Jabberwocky IDE for LISP

The first beta release of the new Jabberwocky integrated development environment for LISP has been announced. Jabberwocky supports CLISP versions 2.27 and 2.28 and CMUCL versions 18c and 18d. Support for SBCL and GCL is planned. Jabberwocky works under Linux 2.4 and Windows, and has been released under the GNU GPL.

Jabberwocky's list of features includes:

  • A lisp-aware editor with syntax coloring and code completion.
  • An interaction pane for display of the LISP process.
  • A browser for viewing source code, functions, and macros.
  • A source level debugger.

For more information on Jabberwocky, see the following documentation:

As time marches on, the list of IDEs for Linux continues to grow; Jabberwocky looks to be a useful addition to the Lisp developer's toolbox.

Thanks to author Marc Mertens.

Comments (none posted)

System Applications

Audio Projects

Ogg Traffic

The September 5, 2002 edition of Ogg Traffic covers the latest developments in the Ogg Vorbis audio compression project.

Comments (none posted)

Education

Linux in Education Report

Issue #78 of the Linux in Education Report covers a K-12 educational panel at an upcoming conference, the open-sourcing of the e-education course management system by Jones Knowledge Inc., a Linux documentation CD from Belize, the Rapla resource management and scheduling system, and more.

Comments (none posted)

Electronics

Icarus Verilog 20020907

A new version of the Icarus Verilog electronic simulation language compiler has been released. See the release notes for a list of new features and bugs that have been fixed.

Comments (none posted)

Embedded Systems

Two-Axis, Real-Time Camera Control (Dr. Dobb's)

Cort Dougan shows how he used RTLinux/Pro to write an embedded Linux cat-watching camera panning device. "In this article, I'll present software for viewing live images and controlling a servo-motor-driven, dual-axis mounted camera via a web page. I built this system to watch Kepler, my sick cat, while I was at the office".

Comments (none posted)

Networking Tools

Installing Nagios (O'Reilly)

Oktay Altunergil shows how to install Nagios, a network monitoring system. "'Nagios is a system and network monitoring application. It watches hosts and services that you specify, alerting you when things go bad and when they get better' (from nagios.org). This is the same tool that used to be called NetSaint until recently. Although the NetSaint site is still up, all future development will be done on Nagios."

Comments (none posted)

Printing

AFPL Ghostscript 7.30 developer release

A new developer release of AFPL Ghostscript has been announced. "The major new code here is the DeviceN implementation, recently merged into the main development tree. People interested in DeviceN should take a look and help us iron out the remaining issues."

Comments (none posted)

Web Site Development

Zope Members News

The latest Zope Members News items include Persistent Translation Service 0.1, a Forms4ZPT preview, ReplaceSupport 1.0.0, ZopeTestCase 0.5.2, MonZope 1.0, the first public alpha of Z Message Queue, ZShell v1.50, and more.

Comments (none posted)

mnoGoSearch-php-3.2.0.beta6 released

mnoGoSearch-php-3.2.0.beta6, the PHP frontend to the mnoGoSearch web site search engine, has been released. MnoGoSearch-php-extension-1.65 is also available.

Comments (none posted)

Connecting middleware to Apache 2.0 (IBM developerWorks)

Uche Ogbuji introduces Apache 2.0 filter modules on IBM's developerWorks. "Apache became the most popular Web server in part because of the rich availability of third-party extensions for the server, and because its open architecture made it quite easy to roll your own extensions. Of course, nothing is ever just easy enough, so in developing Apache 2.0, one of the main goals was to improve the Apache API to make it even easier to develop extensions."

Comments (none posted)

Miscellaneous

Conexant HSF softmodem driver

A new experimental version of the Conexant HSF (softmodem) driver for Linux has been released. The internal HP Omnibook xe4500 series laptop modems are now supported.

Full Story (comments: none)

Open source satellite control (IBM developerWorks)

Cameron Laird writes about a multi-language satellite control system at JPL. "How do you harness a satellite control system written in three languages, on four development platforms, and deployed to multiple client environments? With open source, naturally. When one wrong move can cost millions, rely on teamwork, smart design, and open standards to keep the project -- if not the satellite -- from going down in flames."

Comments (none posted)

Desktop Applications

Audio Applications

WaveSurfer 1.4.4 released.

Version 1.4.4 of the WaveSurfer sound visualization and manipulation tool has been released. Changes include a new video plugin, bug fixes, and minor improvements.

Comments (none posted)

Ardour development continues

Progress continues on the Ardour multi-track audio system. New features include plugin parameter automation, GUI usability tweaks, drag-n-drop redirect re-ordering, on the fly computation of peakfiles, and a "verbose" mouse cursor.

Comments (none posted)

Desktop Environments

FootNotes

The latest additions to the FootNotes site include Sodipodi 0.25, libGDA, libGnomeDB, Mergeant 0.8.193, the GNOME 2.0.2 Desktop Release Candidate 1, GNOME System Tools, Beast/BSE 0.4.1, GEP, and more.

Comments (none posted)

Games

The Chopping Block

The August-September 2002 edition of the Chopping Block is out with the latest WorldForge game development news. Topics include Lagrangian Mechanics, Debian packaging, Kai's pirate tale, the Cronos Project, and more.

Comments (none posted)

Pygame-1.5.3 released

Version 1.5.3 of the Pygame game modules for Python has been released. The WhatsNew document lists new CD utilities, movie rendering capabilities, and bug fixes.

Comments (none posted)

Interoperability

Wine Weekly News

Issue #134 of the Wine Weekly News is out. Topics include the new Wine-20020904, the Quartz multimedia DLL, Native vs. Builtin DLL's, Windows Printer Drivers, Character Sets, Splitting Up Unit Tests, Mono / Winforms + Winelib, and more.

Comments (none posted)

Multimedia

Blender Foundation Newsletter

The Blender Foundation Newsletter for September 10, 2002 is out. News includes the successful purchase of the Blender code from the previous owner, which will allow Blender to be released under the GPL, and the project plan for Open Blender.

Full Story (comments: none)

Office Applications

Open Office 1.0.1 Alpha Software Development Kit released.

The OpenOffice.org 1.0.1 Alpha Software Development Kit (SDK), has been released.

Comments (none posted)

AbiWord Weekly News

Issue #107 and Issue #108 of the AbiWord Weekly News are out, with the latest developments on the AbiWord word processor project.

Comments (none posted)

KDE Ships KOffice 1.2

KDE.News has an announcement for version 1.2 of KOffice. "What with a truly great new (English-only) thesaurus, enhanced scriptability of suite components, WYSIWYG on-screen display, bi-di text, KWord mail-merge and footnotes, KSpread database connectivity, enhanced printing and new sorting functionality, who's to argue?"

Comments (1 posted)

Web Browsers

Mozilla 1.0.1 released

Version 1.0.1 of the Mozilla web browser has been released. The release notes state: "Mozilla 1.0.1 contains over 650 bugfixes including approximately 25 security fixes, and over 130 stability and dataloss fixes. In addition to these important security and crash fixes, 1.0.1 has many more fixes for standards support, UI correctness and polish, performance, and site compatibility."

Comments (none posted)

Mozilla Independent Status Reports

The Mozilla Independent Status Reports for September 6, 2002 are out. Updated packages include XULmine, CaScadeS, Securita, and Beonex.

Comments (none posted)

Miscellaneous

Xft/Fontconfig release 2.0

Version 2.0 of Fontconfig, a library for configuring and customizing font access, has been released.

Full Story (comments: none)

Quanta 3 Picks Up Steam, 3.0 PR2 Released

KDE.News covers the release of version 3.0 PR2 of the Quanta Plus web site development tool for KDE, and other Quanta developments. "So what's new with Quanta? Well, we've released 3.0 PR2, so you're encouraged to check it out for yourself! You'll find auto-completion for HTML and tag attributes, PHP built-in function auto-completion, a revised document structure tree that recurses PHP structures and embedded HTML, and more. One exciting bit of work in progress is the ability to set different DTDs as well as offer tagging functionality in the form of pseudo DTDs to script languages."

Comments (none posted)

Languages and Tools

Caml

The Caml Hump

Check out The Caml Hump for this week's Caml-based software developments. New additions include the O'Caml X Game library, Syndex, the Zen toolkit, the Baire data structure library, and enhanced OCaml documentation.

Comments (none posted)

Java

Kaffe Weekly News

The September 7 edition of the Kaffe Weekly News is out with news from the Kaffe open-source Java community.

Comments (none posted)

Introducing Nonblocking Sockets (O'Reilly)

Giuseppe Naccarato illustrates the use of nonblocking sockets in Java 2 Standard Edition 1.4. "As of Java 1.4, a programmer can use a brand-new set of APIs for I/O operations. This is the result of JSR 51, which started in January 2000 and has been available to programmers since Java 1.4 beta. Some of the most important new features in Java 1.4 deal with subjects such as high performance read/write operations on both files and sockets, regular expressions, decoding/encoding character sets, in-memory mapping, and locking files. In this article, I will discuss one particular new concept -- the new I/O API: nonblocking sockets."

Comments (none posted)

EJB Inheritance, Part 1 (O'Reilly)

Emmanuel Proulx discusses EJB inheritance in part 1 of a series on O'Reilly. "Entity beans are objects that represent data coming from a persistent store, such as a database. The key word here is objects. Entity beans encapsulate the data and business logic. But what about the two other principles, inheritance and polymorphism? The bad news is that entity beans do not easily enable the use of these principles. The good news is that if you follow certain restrictions and tricks, it can be done. This series of articles describes some techniques to put inheritance and polymorphism back into entity beans."

Comments (none posted)

Lisp

CLISP Oracle Interface Beta

The first Beta version of the CLISP Oracle Interface, a GNU CLISP module for accessing Oracle databases, has been released.

Comments (1 posted)

LambdaTensor 1.0.0 released

The first public version of LambdaTensor, a Common Lisp library for symbolic and numeric Lie algebra and Lie group calculations, has been released under the LGPL.

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The September 2-8, 2002 Perl5 Porters Digest covers the CLONE method, v-strings, pseudo-hashes, and more Perl topics.

Comments (none posted)

This week on Perl 6 (O'Reilly)

The September 1-8, 2002 edition of This Week on Perl 6 looks at Parrot 0.0.8, approximate string matching in regexes, regex stack manipulations, ARGDIR, making Parrot non-Perl centric, implementing Scheme pairs, class aliasing, and much more.

Comments (none posted)

Going Up? (O'Reilly)

Sam Tregar covers thread programming with Perl on O'Reilly. "Perl 5.8.0 is the first version of Perl with a stable threading implementation. Threading has the potential to change the way we program in Perl, and even the way we think about programming. This article explores Perl's new threading support through a simple toy application - an elevator simulator."

Comments (none posted)

PHP

PHP 4.2.3 Released

PHP 4.2.3 has been released. This version is a bug-fixing maintenance release; see the ChangeLog for all of the details.

Comments (none posted)

PHP Weekly Summary

Issue #102 of the PHP Weekly Summary is out. Here's the quick summary of topics: "PHP 4.2.3 is out, Win32 ZE2 preview, PHP.net e-mail, ext/sysvmsg, Ext/audio?, "User-agent:" built-in, Not one, but two conferences, Ext/pcre, ./configure --enable-all, Internals - zend_stack, Ext/overload, Mysql_db_query() (continued)."

Comments (none posted)

Introducing Smarty: A PHP Template Engine (O'Reilly)

Joao Prado Maia introduces Smarty on O'Reilly's OnLamp site. "Smarty is a somewhat new development in the PHP world, and it brings several new and unique features. One of these unique features is that Smarty 'compiles' the parsed templates into PHP scripts, and then reuses the compiled template when appropriate. Obviously, this brings a huge performance improvement over other template solutions, as the main PHP script doesn't need to parse and output the same template on every request."

Comments (none posted)

Python

Python-dev summary

After a long absence, the Python-dev summary has returned with Brett Cannon as the author. This issue looks at type categories, lessons from the tempfile.py rewrite, and a number of other topics.

Full Story (comments: none)

Dr. Dobb's Python-URL! - weekly Python news and links (Sep 9)

Here is this week's Python-URL, with news and links for the Python community.

Full Story (comments: none)

Daily Python-URL (Pythonware)

This week, the Pythonware Daily Python-URL looks at SemanText 0.72.1, Building an RSS Newsreader, Straw 0.8, SiPy: a small discrete event simulation package for Python, secure protocols and data encryption, shell utilities, and more.

Comments (none posted)

Ruby

The Ruby Garden

This week's Ruby Garden shows how to allow *array expansion anywhere in a list.

Comments (none posted)

Ruby Weekly News

Topics on this week's Ruby Weekly News include RJudy-0.1: Judy Arrays for Ruby, a new home for the Ruby/Tk demos, GridFlow 0.6.1: a multi-dimensional dataflow processing library, Ruby-GNOME and Ruby-GTK 0.30, the YAML.rb 0.40 structured data format, ZenWeb 2.13.1, RDE 0.9.7.0, RubyCocoa 0.2.7, the FreeRIDE IDE, and more.

Comments (none posted)

Scheme

Scheme Weekly News

The September 9, 2002 edition of the Scheme Weekly News covers a number of new versions of several Scheme-based projects.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's TCL-URL!

The September 9, 2002 edition of Dr. Dobb's Tcl-URL! is out with the latest Tcl news.

Full Story (comments: none)

XML

Get ready for XForms (IBM developerWorks)

Joel Rivera and Len Taing introduce XForms on IBM's developerWorks. "Traditional HTML forms violate many of the tenets of good markup language design, frequently mixing presentation and data. In this article, Joel Rivera and Len Taing introduce you to XForms, an extension of XHTML that represents the next generation of Web forms. Though XForms is still in an embryonic state, it holds great promise: For instance, a form written with XForms can be written once and displayed in optimal ways on several different platforms."

Comments (none posted)

Controlling the DOCTYPE and XML Declaration (O'Reilly)

Bob DuCharme explains XML declarations on O'Reilly. "The XML declaration at the beginning of an XML document is not necessary, but it's the best way to say 'this is definitely an XML document and here's the release of XML it conforms to.'"

Comments (none posted)

Debuggers

GNUstep Weekly Editorial

The GNUstep Weekly Editorial for September 8, 2002 is out with the latest GNUstep development news.

Full Story (comments: none)

GDB 5.3 branch created

A new 5.3 branch has been created for the GDB debugger.

Comments (none posted)

Miscellaneous

Taking Kylix 3 for a test drive (LinuxWorld)

Joe Barr writes a small application using Kylix 3 Open Edition (K3OE). "This week, I'll be describing my experiences actually using K3OE, particularly its brand-spanking-new C++ IDE. Previous versions of Kylix have been for Delphi only. I know, I know — true Linux geeks never use RAD tools, or even IDEs. Not unless you consider Emacs to be an IDE, that is. For the rest of the world, RADs and IDEs are very handy tools that provide real productivity gains. Management likes that."

Comments (2 posted)

Page editor: Forrest Cook

Linux in Business

Business News

Winners of the Australian Open Source Awards Announced

The Australian UNIX and Open Systems User Group (AUUG, Inc.) announced the winners of the inaugural Australian Open Source Awards. The awards encourage and recognise the excellence and dedication of Australians contributing in the Open Source arena.

Full Story (comments: none)

Sun to Offer Alternative to Microsoft Desktop

This newspaper article mentions Sun's plans for using StarOffice and Linux to challenge Microsoft's desktop dominance. "Sun intends to combine its own software such as StarOffice with the free open-source operating system Linux to offer business-users a cost-effective alternative to Microsoft Office, which recently became more expensive. It is also likely that Sun will expand its Linux server offering to compete with Microsoft." More detailed announcements will come out during Sun's annual network event on September 18-20, 2002.

Comments (none posted)

Trustix Newsletter September 2002

The Trustix Newsletter for September 2002 looks at what the company has been doing in the past month.

Full Story (comments: none)

Press Releases

Open Source Announcements

Distributions and Bundled Products

Software for Linux

Products and Services Using Linux

Hardware with Linux support

Linux at Work

Java Products

Books and Documentation

Trade Shows and Conferences

Partnerships

Financial Results

Miscellaneous

Page editor: Rebecca Sobol

Linux in the news

Recommended Reading

Corporate Paws Grab for Desktop (Wired)

Wired takes a look at how bills like the Digital Millennium Copyright Act have caused some PC manufacturers to build PCs with hardwired copyright protection. "Today, manufacturers seem more likely to produce computers that operate more like VCRs or DVD players than the PCs people are accustomed to. These machines have copy-protection embedded in the hardware, much like home recorders that keep people from making copies of videos they have purchased."

Comments (2 posted)

Red Hat's founder joins the circus (News.com)

News.com covers Red Hat founder Bob Young's latest venture, the Lulu Tech Circus. "'Attendees that go to trade shows feel somewhat used...like so much cattle fodder for the vendors,' Young said. The Circus is about 'empowering consumers. It's about knowledge and understanding.' Unlike other trade shows, which focus on a common--and often times narrow--theme, Lulu Tech Circus will be a menagerie of all things technology, Young said. The conference is structured around five tracks, called 'experiences,' which will each have a specific focus."

Comments (1 posted)

Yahoo, ISPs enter Net privacy fray (News.com)

News.com examines subtle details of the DMCA that allow a copyright owner to subpoena subscriber information from an ISP when a copyright violation is suspected. "'What the RIAA is really seeking, at the end of the day, is to shift the burden of copyright enforcement from its own members--who apparently would prefer not to alienate potential customers by suing them outright--to an ISP that does nothing more than provide an Internet connection to the customer,' the brief says."

Comments (1 posted)

University to challenge copyright laws (News.com)

News.com reports that the law school at Duke University has received a $1 million grant to be used for challenging recent expansions of the U.S. copyright laws. "The school, which plans to announce the gift at a conference in Washington on Thursday, is using the money to fund a center focused on finding 'the correct balance' between intellectual property rights and material that should be in the public domain. James Boyle, a Duke law professor and co-director of the school's Center for the Study of the Public Domain, says that the center is likely to look skeptically at recent laws like the Digital Millennium Copyright Act (DMCA) and a measure that extended duration of copyrights by 20 years."

Comments (none posted)

Companies

BEA Pushes Java VM Advantage On Windows, Linux (TechWeb)

TechWeb reports on the release of the JRockit 7.0 Java VM from BEA Systems, which is targeted at Linux and Windows. "The problem, said Stahl, is that those three vendors have bigger priorities than optimizing Intel platforms for Java. Microsoft is pushing its own .NET framework, Sun focuses on Solaris, and IBM has a slew of legacy platforms to support (though it arguably has done much to advance Java on Linux and Windows)."

Comments (none posted)

There's more to Dell's cluster success than meets the eye (ZDNet)

ZDNet looks at bigger issues behind Dell's sale of a Linux-based cluster to SUNY. "This is yet another episode in the continuing saga of the fall from grace of proprietary technologies, the commoditization of processing power, and the difference between the must-haves and the nice-to-haves in budget-constrained times. It's also a signal that the high-end technical computing space is no longer a sanctuary for vendors of premium-priced boutique systems."

Comments (none posted)

Open-source stalwart leaves HP (News.com)

News.com covers Bruce Perens' departure from HP. "He has worked with HP to broaden its Linux and open-source efforts, but has also occasionally come into conflict with the company. Perens had planned to show attendees at a midsummer open-source convention how to circumvent controls on DVD players, but backed off under pressure from HP."

Comments (none posted)

Balancing Linux and Microsoft (NY Times)

The NY Times covers Bruce Perens' departure from HP. "After the merger with Compaq, Hewlett also became the largest vendor of Linux-based server computers, ahead of Dell Computer and I.B.M. Yet Hewlett's bet on Linux still pales compared with its reliance on Microsoft. And after the merger, it was mainly former Compaq executives who took senior positions overseeing the Linux business." (Registration required.) Thanks to Jim Turley.

Comments (none posted)

Philips sees new life for Linux (ZDNet)

ZDNet looks at a new project by Intel and Philips: The Pronto++ reference platform. "The platform runs on Intel's PXA250 processor, which uses ARM-based XScale technology. A representative said that the platform will initially use a third-party embedded Linux distribution, although the vendor has not been named."

Comments (none posted)

Is that a Mac in a penguin suit? (News.com)

News.com covers dual boot computers from QliTech Linux Computers. "The company is offering Macs, with standard Apple warranties, pre-loaded with Linux software from SuSE, Mandrake, Debian or Gentoo, with Mac OS X installed on a separate partition. The machines are sold at Apple's typical retail prices."

Comments (none posted)

SGI raises the Itanic (Register)

This article from the Register covers the recent use of Linux by SGI. "Earlier this summer, SGI launched a tour to reassure customers that its heart and soul remained with MIPS and Irix. Today it touted impressive memory benchmarks for its Itanium2 hardware, due to be launched next year, and it's running Linux."

Comments (none posted)

Business

An Alternative to Microsoft Gains Support in High Places (NY Times)

Several readers have pointed out this NY Times article which introduces open source software, and Linux, as an alternative to Microsoft. "As open source software, especially Linux, has spread, countries in other regions have also come to regard it as both a model of software development and perhaps an engine of economic growth. The government proposals and projects are efforts to position their nations to exploit a promising trend in technology." [The NY Times is a registration required site]

Comments (none posted)

Lindows.com and Microtel to Offer $199 PCs (San Diego Union-Tribune)

The San Diego Union-Tribune reports on a partnership between Lindows.com and Microtel Computer Systems; the companies will be assembling ultra-inexpensive PCs that will be sold at Wal-Mart stores. "How can a new computer be so inexpensive? For one thing, it doesn't come with the Microsoft Windows operating system, which sells for about $199 itself. Instead, the computers are based on the Linux computing platform and use the Lindows operating system. They are being sold on Walmart.com, the Web site of the Wal-Mart discount store chain. They also don't come with monitors, which sell separately for as little as $75."

Comments (none posted)

What baseball--and you--could learn from the Web (ZDNet)

ZDNet has a baseball analogy for the open source model, involving a recent issue with Major League Baseball (MLB) logos on the web. "MLB may not understand the Web model. But if it wants to recruit new followers (as well as win back those it has already lost), it needs to think of its intellectual property in the same way as the W3C. Unlike Disney, for which visuals are its main selling proposition, logos are not MLB's main product."

Comments (none posted)

IT managers cite security and competition when choosing a Linux system (International Herald Tribune)

The International Herald Tribune examines why businesses are choosing Linux. "Where governments deal with issues of open-source culture and monopoly-busting, small companies indicate three main reasons for taking the plunge: reliability, security and cost." Thanks to Martijn Dekkers.

Comments (none posted)

Interviews

Larry Wall On Perl, Religion, and... (Slashdot)

Larry Wall answers Perl questions on Slashdot. "Not only did Larry Wall answer your questions, but he said they were excellent questions. You've got to love Larry Wall, not just because he's a nice guy and created Perl, but also because he is the first Slashdot interview guest ever to send his answers preformatted in squeaky-clean HTML."

Comments (none posted)

Looking Back, Looking Forward: Gaël Duval on Mandrake (Open for Business)

OfB interviews Mandrake co-founder Gaël Duval about the company's past, present, and future. "...I think the commercial dynamics around Mandrake Linux, and the creation of MandrakeSoft, have been key factors for its development and long-term success. But as you know, Mandrake is much like a Free Software project that is financed by a commercial company. This approach makes great difference when compared to other Linux distributions!"

Comments (none posted)

Resources

Embedded Linux Newsletter

The September 5, 2002 edition of the LinuxDevices Embedded Linux Newsletter is out with the latest embedded Linux news.

Full Story (comments: none)

In-Memory Database Systems (Linux Journal)

Here's a Linux Journal article on the use of in-memory database systems (IMDS) in embedded products. "In-memory databases have emerged specifically to meet the performance needs and resource availability in embedded systems. As the name implies, IMDSes reside entirely in memory--they never go to disk."

Comments (none posted)

Xbox Linux project releases SuSE 8.0 howto (Register)

For those not scared off by the preceding article, the Register provides a tutorial on installing SuSE 8.0 on an Xbox. "First you need a mod chip, the XBE bootloader and patched SuSE kernel downloaded from the Project, a SuSE nforce driver from the nVidia site, the correct USB adapter for the Xbox and (easy-peasy this bit) a USB keyboard. Oh, and a SuSE 8.0 compatible PC."

Comments (1 posted)

Xbox Live to target hackers? (News.com)

News.com reports that Microsoft may backtrack on an earlier pledge not to use its Xbox Live online gaming service to crack down on "mod chips". "The 14-page user agreement and privacy notice included with the first Xbox Live kits sent to beta testers specifies that Microsoft reserves the right to revoke Xbox Live privileges for anyone with a hacked Xbox and to scan consoles on the network to enforce its rights."

Comments (none posted)

Open source satellite control (IBM developerWorks)

IBM developerWorks shows how the open source model helps satellite engineers with the Jet Propulsion Laboratory (JPL). "How do you harness a satellite control system written in three languages, on four development platforms, and deployed to multiple client environments? With open source, naturally. When one wrong move can cost millions, rely on teamwork, smart design, and open standards to keep the project -- if not the satellite -- from going down in flames."

Comments (none posted)

Reviews

Intel embeds Linux in home digital media adapter (LinuxDevices)

LinuxDevices.com looks at Intel's new "Digital Media Adaptor". "The device, which is based on an XScale microarchitecture PCA210 'applications processor' and runs an embedded Linux operating system, receives digital media from the PC via 802.11 wireless networking and UpnP technologies, and connects to TVs and stereos using standard audio/video cables -- much like a DVD player."

Comments (none posted)

Book Review: Linux Administration Handbook (Linux Journal)

Linux Journal reviews the Linux Administration Handbook by Evi Nemeth, Garth Snyder and Trent R. Hein. "So many of the available books about Linux are either too generic to be of much use for doing serious systems administration or so specific that they are useful only for one version of one Linux distribution. This book is an exception. First, it is heavy on concept, so you actually learn how things work instead of learning how to be a technician. The specifics are then addressed by showing what you do on Red Hat 7.2, SuSE 7.3 and Debian 3.0."

Comments (none posted)

Book Review: Linux Routers - A Primer for Network Administrators, 2nd Ed. (Linux Journal)

Linux Journal reviews Linux Routers - A Primer for Network Administrators, 2nd Edition. "Each chapter on router configuration begins with an introduction of what tasks the router needs to accomplish, followed by the specific kernel options or software packages required for that task. Any hardware needed for the router also is introduced. Next come step-by-step instructions for configuring the Linux kernel and discussions of troubleshooting procedures. Illustrations and tables are provided to clarify the material presented. There is also information on utilities or diagnostic applications useful in specific situations."

Comments (none posted)

Sony gadget picks TV shows for you (News.com)

News.com reviews Sony's new Cocoon, a hard disk video recording device that runs Linux. "Sony on Wednesday gave a fresh peek into its strategy for linking consumer electronics to the Web, unveiling a Net-connected video recorder that can seek out and record TV programs it thinks its owner would like. The device, which uses a hard-disk drive to record, instead of optical discs or magnetic tapes, will be the first of Sony's 'Cocoon' line of products that aim to become an alternative to the PC for accessing Internet content."

Comments (2 posted)

Miscellaneous

True Freedom of Choice (Linux Journal)

Linux Journal has an article that describes a Windows user's experience with the switch to Linux. "Did I want to switch because I longed for the good old days when you knew, or at least could have a good idea about, what making a change to your computer would cause that computer to do? Was it because I suspected some better operating system was out there? Was I concerned, after reading my End User License Agreement, that use of the operating system implied a right for the vendor to gain access to my machine and apply unnecessary or unwanted updates? In a nutshell, the answer to all these questions was yes."

Comments (none posted)

Library invests in Free Software (GNU-Friends)

GNU-Friends reports on the use of the Koha library system by a library in Ohio. "Nelsonville Public Library, in Athens County, Ohio has recently decided to migrate to Koha, a free software integrated library system. While reviewing it, they decided that they felt that it needed three additional features to meet their needs. Instead of dropping it from consideration, they decided to take the money that they would otherwise spend on licensing fees and pay someone to implement these features."

Comments (1 posted)

Page editor: Forrest Cook

Announcements

Resources

GNU manuals available in printed form.

Several GNU manuals are now available in printed form. Available titles include the GNU Scientific Library Reference Manual, the GNU Octave Manual, and An Introduction to R.

archLSB for Itanium Architecture

The Linux Standards Base has announced the public review of the Itanium Architecture "archLSB-IA64" ABI specification. The public review begins Friday Sept. 6th, 2002 and will end Friday Sept. 27, 2002. Your reviews, opinions, and contributions are welcome.

Upcoming Events

Singapore Linux Conference needs sponsors

The Singapore Linux Conference, currently scheduled for October 14 - 16, 2002, is looking for sponsors to help pay speakers.

PHPCon 2002

PHPCon 2002, a conference on the PHP web scripting language, will be held in Millbrae, California on October 24 and 25, 2002.

The Python UK Conference 2003

Early planning is in the works for the Python UK Conference, 2003, to be held on April 2 and 3, 2003 in England.

Registration is open for the Ruby Conference 2002

Registration is now open for the Ruby Conference 2002, to be held in Seattle, WA on September 1-3, 2002.

Penguin Breeding at Gnomedex (Linux Journal)

Doc Searls has written a review of the Gnomedex conference.

Perl 'Meetup' (use Perl)

Use Perl has an announcement for the first Perl Meetup, to be held in London, England on September 19, 2002.

Events: September 12 - November 7, 2002

September 12 - 13, 2002: Open source GIS - GRASS users conference 2002 (GRASS), Centro Servizi Culturali S. Chiara, Trento, Italy
September 12 - 13, 2002: Perl 6 Mini::Conference, ETF, E1, ETH Zurich, Zurich, Switzerland
September 16 - 20, 2002: 9th Annual Tcl/Tk Conference, Vancouver, BC, Canada
September 18 - 20, 2002: Yet Another Perl Conference Europe 2002 (YAPC::Europe 2002), Munich, Germany
September 25 - 27, 2002: The Second Open Source Content Management Conference (OSCOM), Lawrence Hall of Science, University of California, Berkeley, CA
September 27 - 29, 2002: Lulu Tech Circus, State Fairgrounds Complex, Raleigh, North Carolina, USA
October 11 - 13, 2002: V Congreso Hispalinux, San Sebastian-Donostia, Spain
October 14 - 16, 2002: The Singapore Linux Conference 2002, Le Meridien Singapore, Singapore
October 14 - 15, 2002: The Open Group Conference, Hotel Martinez Palace, Cannes, France
October 17 - 18, 2002: Open Source for E-Government, Washington, DC
October 24 - 25, 2002: PHPCon 2002, The Clarion Hotel SFO, Millbrae, California
October 28 - 31, 2002: International Lisp Conference 2002 - The Art of Lisp, San Francisco, CA
October 30 - 31, 2002: Think-Linux, The Solutions Show, The Pinnacle, Toledo, OH
November 1 - 3, 2002: 2nd Annual Ruby Conference (RubyConf 2002), Washington State Trade and Convention Center, Seattle, Washington
November 3 - 6, 2002: International PHP 2002 conference, Frankfurt, Germany
November 3 - 8, 2002: 16th System Administration Conference (Lisa '02), Philadelphia, PA

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Page editor: Forrest Cook

Letters to the editor

Releasing old software into public domain.

From:  Pavel Roskin <proski@gnu.org>
To:  gnu@gnu.org
Subject:  Releasing old software into public domain.
Date:  Thu, 5 Sep 2002 18:42:56 -0400 (EDT)
Cc:  letters@lwn.net

Hello!
 
Reading recent discussions in the online media, it is clear that many
people have an issue with the copyright laws that make copyrights remain
in force for many decades.
 
I believe that the Free Software Foundation should release into the public
domain all the software currently under GPL, that is at least 15 years
old, and for which FSF is the sole copyright holder.
 
GPL is a great license because it uses the copyright law to make software
free. However, 15 years should be enough for software to enjoy copyright
protection. Even when our goals are noble, we should not be using the
copyright law beyond the fair limit that we would like it to have.
 
In my opinion, FSF could make a good point by releasing its old software
into the public domain. That would be an example for other copyright
holders, even those who produce non-free software.
 
Possible damage to free software would be negligible. I cannot
imagine software companies craving for Emacs or gcc sources from 1987.
In fact, I could not even find gcc that old on the GNU FTP site - the
oldest version is dated 1988.
 
You see, 15 years is like eternity for software. One cannot make money
from 15-year-old software without twisting the law and doing immoral
things. I cannot imagine the Free Software Foundation suing somebody for
embedding 15-year-old software into proprietary applications. Then let's
make it clear to everyone that we won't ever do it.
 
I really hope that FSF will use this opportunity to influence copyright
law and set a good precedent for other software copyright holders.
 
--
Best regards,
Pavel Roskin,
free software developer

[new] Koha for libraries and ??? for ABA and ??? for HMOs

From:  Tres Melton <class5@pacbell.net>
To:  letters@lwn.net
Subject:  [new] Koha for libraries and ??? for ABA and ??? for HMOs
Date:  Fri, 06 Sep 2002 03:59:45 -0700

Dear LWN readers,
 
I recently posted this to gnu-friend.org in response to a link
(http://lwn.net/Articles/9255/) that I followed from LWN and thought
that a wider audience might be more appropriate. The following is my
comment:
----------------------------------------------------------------------
 
This is an awesome thing to do. I'm glad that a single library took the
plunge but it might have been easier and cheaper for a number of them to
invest together.
 
What would be cool is if the American Bar Association, a huge consumer
of office software, were to spearhead the development of a free software
word processor. They could start with Abiword or one of the many other
packages available. They could then fund the addition of features like
citing legal information, legal templates, a spell checker that
understood the Latin terms that are used in legal briefs, etc. If this
took off then most legal firms (not that they are my favorite entities
in the world) could save millions of dollars on office packages. Further,
all of the legal papers that get filed are in the public domain (unless
a judge seals them), so why not use a public format for the documents so
that the public can truly access them? This would certainly make it
easier for non-lawyers to get information that they may need.
 
This idea could also be used for the entire health care industry. If
congress wanted to cut costs in the health care industry imagine how far
they could go by making the forms standardized for all parts of the
industry. Insurance should like this as well. If the entire industry
used the same software then all of the documents would be in the same
format - both from the disk storage point of view and from the page
layout point of view. This would make it easier for anyone in the
industry to process information since common fields would always be in
the same place in the document. Everyone in the industry would have
access to the software for free and could thus save millions. The
documents could be exchanged between pharmacies, hospitals, doctors,
patients, insurance companies, Social Security, Medicare, Medicaid, etc.
without the need to reformat or re-enter the information. There are
literally thousands of different forms that are required by different
insurance carriers and all but one could be eliminated.
 
These are just two examples where free software could benefit entire
industries. Both of these projects are too big to be taken on by a
single lawyer or doctor, but the Bar Association is big enough to handle
the legal word processor and any of the government agencies that I
mentioned could take care of the medical one. Further, the government is
large enough that if they mandated that all reports that are submitted
to them be in the new format, everyone else would just kinda fall in
line.
 
The real place that Free Software would be of value is if it simply
eliminated the need for proprietary software in most of the industries
that don't really need it. Obviously I'm not advocating running a
radiation machine on Free Software, but the reports that it generates
could certainly be in a common format. Almost all industries could start
to develop their own software: banking, investment houses, accountants,
etc. Some software could be used across many industries. Take
scheduling for example: you make appointments at the doctor's office
just like you do to get your hair cut. I think that there would be a
business model in a software development company getting a bunch of
companies from the same industry together and saying "Software is an
expense to you. For some upfront money now we can eliminate a large
portion of your software spending in the future." Companies that do not
write software to sell but to run their business on do not compete with
their software (for the most part), so why not level that part of their
playing field so that they can focus their energies in areas where they
do compete?
 
Construction companies and architects are another one that comes to
mind. Let them compete on the price and style of the homes that they
build and eliminate the cost of software. There are many programming
libraries that will run equally well on Winblows as they will on Linux.
We can't expect them to ditch what they are familiar with until we can
prove that everything that they need to run their business will run on a
free OS: GNU/Linux.
 
Best Regards,
 
Tres Melton
class5 (at) pacbell.net
 

Make BAD Patents costly

From:  "Anand Srivastava" <Anand.Srivastava@ascom.ch>
To:  letters@lwn.net
Subject:  Make BAD Patents costly
Date:  Thu, 5 Sep 2002 14:13:45 +0200

Hi,
 
Today, I realized what is wrong with the Patent system. There are not
enough balances. It doesn't penalize people who create bad patents. We
can't expect the Patent Office to know whether a given Patent is about a real
breakthrough. So we should modify the Patent Law in such a way that
creating bad patents would be costly. Basically, make it so expensive to
create non-defendable patents that it becomes profitable to challenge bad
patents in court.
 
If a holder loses in court, not only does he/she/it lose the ability to use
it but also has to pay for the expenditure of the court case. Since Patents
are used for making money, it must be deemed that the Patent holder was
benefitting illegally, so must be told to pay an amount which depends on
the income of the holder for the duration the patent was in effect. This
must be reduced by the number of patents the holder has. This fine must be
increased if the patent was done in bad faith. Also, the patent should be
made invalid if any point in the patent is found to be invalid. This will
force applicants to make their patents as narrow as necessary.
 
Of course there will need to be some balances to this as well. If a holder
loses on the basis of prior art, then the holder should be required to only
pay the case fees, not the fines, if the holder can prove that he/she/it
had no idea that the solution already existed. Also, if the holder wins then
the loser must pay the holder the case fees. This will act as a deterrent
to suing without much reason.
 
Also, Patent lifetime must be short for software; something like 5 years should
be fine.
 
-anandsr

Page editor: Jonathan Corbet

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds