
LWN.net Weekly Edition for August 12, 2004

The value of middlemen

Creators of Linux distributions perform a number of useful functions. They go out and find useful free software for their users. They put together a nice packaging system so that all that free software can be managed without going nuts. They ensure that the programs all fit together in a coherent design of the system as a whole. They create nice CD images for the distribution of their work, and installer programs so that all that software can be loaded onto your systems. Distributors run online repositories, create security updates, and, sometimes, even answer questions from users who are having difficulties.

Users may not fully appreciate another role filled by Linux distributors, however: they serve as middlemen between the producers and consumers of free software. This work goes beyond packaging programs and feeding back bug reports; Linux distributors also serve as crucial advocates for their users. When developers fail to act in the interest of the people using their software, the distributors can come in with their advocacy and patching skills to improve the situation.

A good example of how this process works was brought to light via a long and unpleasant linux-kernel discussion involving Jörg Schilling, the maintainer of the much-used cdrecord program. For the curious, the thread starts with this message. There are several issues discussed, but much of it comes down to some fundamental disagreements between Mr. Schilling and the Linux distributors on how cdrecord should work.

For example: in the 2.6 kernel the preferred way of performing raw SCSI operations on a device (which is how CD burning is done) is to simply open the device directly and issue the right ioctl() calls. So, if your drive is /dev/hdc (or, better, /dev/cdwriter), you run cdrecord with dev=/dev/cdwriter and be done with it. Mr. Schilling swears that the only proper way to specify the output device is via SCSI bus, target, and unit numbers - despite the fact that most of these devices do not sit on a SCSI bus and have no such numbers, and despite the fact that figuring out that, say, dev=0,2,0 is the right magic sequence to type is not something many users want to do. So cdrecord issues a set of scary warnings when the "open by device" mode is used, despite the fact that it is the best way to do things.

Another example: some users have a strange idea that they might actually like to write DVDs on their DVD-capable drives. The official version of cdrecord has no such capability, and Mr. Schilling has refused to add it. Some of the more cynical observers have noted that the fact that Mr. Schilling offers a proprietary version of cdrecord with DVD support may have something to do with this refusal.

Users of cdrecord could try to address these issues directly with its author. Experience has shown, however, that this can be an unpleasant and unrewarding process.

This is where the distributors step in. A quick check in the latest Fedora source RPM for cdrtools shows a good dozen patches; these vary from small documentation tweaks through to DVD support and the removal of unnecessary, scary warnings. Other distributors have done similar things. The end result is that users get a version of cdrecord which works as they would expect, while the distributors take the heat (and there is some heat) for the changes that they make.

Mr. Schilling has given us a true gift: the cdrecord program embodies a great deal of knowledge of just what is required to make a wide variety of CD writers work on numerous operating systems. We get to make use of that knowledge because Mr. Schilling has released his work under the GPL. Before criticizing him too much, it is good to reflect on the value of that gift. But this is also a good place to appreciate the extra value added by the Linux distributors. Sometimes a middleman is just what is needed to make the whole process work.

Comments (31 posted)

Sarge is coming

August 11, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Sarge is, finally, approaching. Last week, Steve Langasek announced a proposed timeline for Sarge and that Anthony Towns had stepped down as release manager for Debian. Langasek and Colin Watson are filling the post for the Sarge release. According to Watson's follow-up on Saturday, the release target for Sarge is now September 19. Joey Hess also announced release candidate 1 of the new Debian-Installer for Sarge on Saturday.

With the release so close at hand, we decided to take a look at the state of Sarge. We touched base with Langasek on the status of the release, and also asked Towns for comment on his decision to step down. In Langasek's announcement, he alluded to "the recrimination and hostility towards some of our most dedicated developers" as a possible reason for Towns' departure from the release manager post. Towns declined to elaborate on his decision to step down from the release manager position, but said that Sarge is in good hands:

I've got complete confidence that Colin and Steve can do a better job getting sarge out than I could, and are doing so. They might think differently, but if so, the resolution to that little quandary is quite simple: they're wrong. :)

We also asked Langasek about the statement, and whether he feels that the internal conflicts in Debian have gotten worse.

For my part, I'm well aware that there's always a certain amount of off-topic digression and conflict on the mailing lists -- this is nothing new in Debian, it's part and parcel of the kind of rough-and-tumble development model that's always been in effect in this community. One thing that *has* changed recently, however, is that the General Resolution process... has become unstuck in the past year, after having been held up for quite some time by a committee charged with fixing some subtle bugs in our constitution. Suddenly, the GR process seems like a good way to address lots of problems in the project, and lots of changes are being proposed without necessarily considering the full effects in the context of Debian, or sometimes without much consideration of whether this is something that *can* be legislated in Debian.

It's also true that as the project has grown, it has tended to become more politicized as it's harder for everyone to know everyone else personally. I don't think this is inevitable, though; it's simply something we need to learn to deal with as we grow. Since Debian has essentially been growing for its entire existence, we have a fair amount of experience with learning to address growing pains.

In any case, I definitely don't think AJ's decision represents any sort of crisis in Debian. The release manager's job is a hard one even when everything seems to be going right, so it's perfectly understandable that he would decide to step down.

With that unpleasant topic behind us, we also asked Langasek about the release schedule, and whether the schedule was realistic.

The important message to bring away from the announced release schedule is that we're close enough now to being able to release that it's time for developers to change focus. The schedule may slip a few days here or there, but the truth is that's something we have to contend with no matter how aggressive our proposed schedule is. So we might as well be ambitious!

Our brief tests of the RC1 of the Debian installer were quite positive. The installer is still a text-based system, but consists of a fairly easy set of choices for the average Linux user to follow. We tested RC1 on a dual-PIII Xeon system, and tried out both the normal and "expert" installer modes. Users have the choice of installing the 2.4 or 2.6 kernel in either mode. The "expert" mode is largely unnecessary unless one wants (or needs) to dabble more directly with the kernel modules that are loaded or if one wishes to experiment with installer modules that are not part of the default installation.

The new installer also offers to partition the disk for the user, no doubt a welcome addition for many Linux users who aren't familiar with disk partitioning. The user has a choice between an all-in-one partition, a separate /home partition, or a multi-user partitioning scheme if they choose to let the installer do the work for them. Both the /home and multi-user schemes provided sane partition layouts on a 40GB disk, using the Ext3 filesystem. We might have chosen more swap space (the installer opted for 512MB on a system with 1GB of RAM), but both partition layouts were quite usable.

The hardware detection worked fine for the test system, though the system admittedly contained a sparse selection of components -- an add-on IDE controller, network card and generic video card, PS/2 keyboard and mouse, no sound card. This writer found it very nice not to have to know which module is appropriate for the system's network card while in the middle of an install.

Users have the option of choosing packages manually, or selecting from seven pre-selected groups of packages like "desktop," "Web server," and "DNS." These can be mixed and matched, so users who want a print server and desktop in one machine can choose both at install time. The desktop set of packages provided both the KDE and GNOME desktops, and a fair selection of desktop apps and games.

There were only two things we didn't like overall, and neither can rightly be considered a bug -- though there is a bug report for our first complaint. Though the machine in question is a dual-CPU machine, neither the normal nor the expert install gave the option of an SMP-enabled kernel. Though it's not at all difficult to download a suitable SMP kernel (or compile your own), it's an additional step that should be unnecessary.

Likewise, it seems to this writer that OpenSSH should be installed by default on any network-connected system. While not difficult to do after the fact, one would think that including OpenSSH is a no-brainer on almost any Linux system. It is certainly as likely to be used as wget or nano, which are installed by default.

Those are extremely minor grumbles, however. It appears that Sarge is just about ready to make its debut. The schedule is a bit ambitious, but it doesn't seem unrealistic based on our tests of the RC1 of the installer and packages now in testing. Langasek asks that users start banging on the new installer and install manual to help the process along:

Now that the first release candidate of the debian-installer is available, we also need users to help test this new installer, and to also help review the installation manual to check for omissions and accuracy.

We hope to soon have security support available for testing, at which point we will also send out a general call for users to test the upgrade path from woody to sarge.

And, of course, Langasek asks that users report bugs wherever they find them, "particularly if they're using testing or unstable." As users are trying out the new Debian installer, they might wish to read the d-i retrospective, which recounts the history of d-i and gives perspective on the work that went into the installer. Langasek says that the work has paid off:

Debian-installer stands head and shoulders above the boot-floppies system we used for woody, and we owe a lot of thanks to the developers responsible for giving us an installer that people can actually be enthusiastic about contributing to. :-)

Indeed, this writer is enthusiastic about the installer as well. Though the old installer was usable enough (as evidenced by the enormous Debian user base), the new installer is much improved. The final Sarge release should do a great deal to help Debian's popularity with newer Linux users.

Comments (11 posted)

Munich and software patents

August 11, 2004

This article was contributed by Tom Chance.

As was covered here last week, the high-profile Linux deployment in the city of Munich has been put on a temporary hold while a legal review of possible patent threats is carried out. This hold is a direct result of two motions filed recently by a Green Party alderman in the city. The motions, and their aftermath, have created a small storm, both in the city of Munich itself, and among free software advocates and anti-software patent activists. Those who oppose the transition from proprietary to free software in Munich took the opportunity to put a spanner in the works, and that prompted swift reactions from free software advocates; the events seem to have created some stress between the free software and anti-software patent communities.

The motivation behind the alderman's motions was simple: to persuade the city of Munich to put more pressure on German and European politicians to stop the EU's directive on the patentability of computer-implemented inventions. And insofar as they aimed to raise the problems associated with software patents among German politicians, they have met with some success. The city of Munich does appear to remain committed to its free software project, and despite speculation in the press, the only thing about which we can be certain is that, as LWN commented previously, the process will be slowed down while the lawyers do their thing. The latest word is that the delay may not last more than a few weeks.

So why, then, did the Free Software Foundation Europe feel compelled to issue a press release emphasizing that free software is no special case, and that the dangers posed by software patents affect all small and medium enterprises and projects, regardless of their licensing? I asked FSFE President Georg Greve whether he felt that the Green party should be condemned for its actions, and whether the FFII, which could be accused of spreading the flames with a widely-reported press release of its own, should be included in that as well. Mr. Greve described "condemnation" as "too strong a term," but it is clear that they aren't too happy, especially given that they have been actively campaigning against software patents for four years without jeopardizing free software deployments. He asked:

Why did the FFII and Green Party target the currently most prominent Free Software migration and not some proprietary software projects?

In response, the Green Party in Munich notes that it is software patents which threaten free software, and not anybody's attempts to fight the imposition of patents. Ignoring the patent directive, they say, would be far more dangerous than forcing this sort of confrontation.

As Tim Bray noted in his weblog, almost all software in the market probably infringes on some existing software patents, and the issue is one of financial resources (i.e. the ability to defend a case in court), not one of licensing. Greve claims that "[the] link is entirely artificial".

Bizarrely, part of the explanation of events lies in a mistake within the FFII. The study that lists the patents that affect the Munich project was never released as an FFII study; rather, it was a personal document on an FFII member's homepage. Hartmut Pilch, the President of the FFII, wrote that he was "surprised by the announcement of Wilhelm Hoegner and the mayor", and that he "learnt from both only through the media". Nevertheless he goes on to defend the message given out by the Green Party, if not the exact methods they used, pointing out that the city of Munich had to assess the risk caused to its project by software patents.

The fallout of all of this is difficult to predict. We can be fairly sure that, barring an extraordinary risk assessment by the city of Munich's lawyers, their Linux project will go ahead. But it's impossible to judge the impact that the news will have on the vote in European Parliament later this year, and on other government projects involving free software. However, if the EU says "no" to software patents, the free software community in Europe could be saved from, possibly, the most damaging legal framework seriously considered to date. The knock-on effect in other countries and trade areas also can't be underestimated. So if steps like those taken by the Green Party in Munich can derail software patents in Europe at the expense of delaying, or even stopping, various free software deployments in government, would it not be worth the sacrifice? In this light the Green Party's actions seem like fine political jujitsu.

An implicit assumption in that question is that the Green Party's initiative can be followed elsewhere. The only other example of a major deployment of free software in government in Europe is in Extremadura, where local politicians are already firmly against software patents. Employing this sort of technique elsewhere must be done carefully: emphasizing the software patent risk to free software could end up turning politicians against free software, rather than patents. A compromise approach, as Greve suggested, would be:

...for Free Software advocates to always raise the point that their opposition against SWPATs is not on the grounds of Free Software alone, but on the grounds of the entire local hardware and software industry.

It may be too late for effective damage control in Munich, so we will have to wait for the outcome there. But in the future, it would seem wise for anti-software patent activists to be mindful of Greve's suggestion. Free Software advocates must fight software patents, and we must recognize that they are more important than individual deployments of free software. But all the same, we mustn't unnecessarily prejudice politicians and those who make technology decisions against free software for the sake of gains in the fight against software patents.

Comments (5 posted)

Page editor: Jonathan Corbet

Security

The Information Technology Security Handbook

The World Bank InfoDev Program has set itself a goal of helping computer users in developing countries avoid security problems. To that end, it has published the Information Technology Security Handbook; it can be downloaded from the site in PDF format. It is a very introductory-level book on security threats to computers and their users; if users at that level can be convinced to read the whole thing, it may well do some good. Unfortunately, however, this book does the developing world a disservice by being strongly biased toward proprietary software.

The "Security for Individuals" section, for example, contains a couple of pages on "non-traditional and non-commercial software." Topics covered are, in this order, shareware, open source software, and pirated software. The open source discussion gives a brief overview of the "which is more secure?" debate, and informs us:

The update processes for Open Source products tend to be more difficult that [sic] those for Windows, but are in line with other Unix products and the installation procedures for the original Open Source products.

The fact of the matter, of course, is that the major distributors have all made the application of security updates into a trivially easy task, which can even be automated. The above statement might have been true some years ago; it certainly is not true now.

The discussion of free software pretty much ends there. So, for example, we get a long section on email problems; infection via email is said to be "highly likely." Six rules are given for protecting a system from email-borne malware ("Do not open an attachment from someone you do know and trust unless you are sure that they sent it deliberately"), but there is no mention of the fact that email-borne malware is, for all practical purposes, unknown outside of the Windows world.

The "security for organizations" chapter is written in an entirely different voice. It covers a wide range of topics, including regulatory compliance, wireless security, personnel threats, etc. There is a lot of useful material there for somebody who is beginning to think about security in an organizational context, but no specifics at all. There is a section on government policy which has mostly to do with bureaucratic organization and the crafting of security-related legislation.

The final and largest section is aimed at technical administrators. Interestingly, this section is mostly oriented around Unix and Unix-like systems. The coverage is strange, however; NIS netgroups warrant several pages, while PAM is breezed over in a single page. There is a long section full of rules on writing safe CGI scripts, but nothing about web server setup. The chapter contains some good stuff, but it looks like it was gathered together from several different sources.

This handbook looks like a useful resource in many ways. It falls short of what a book on security for the developing world could be, however. Like the rich world, the developing world has no need to rely on expensive and insecure proprietary software. A book on information security in developing countries really owes it to its readers to point out that, with free software, they can take greater control over their systems and not have to rely on the good intentions of a large, foreign company.

Comments (1 posted)

New vulnerabilities

Cfengine: RSA Authentication Heap Corruption

Package(s): Cfengine
CVE #(s): none listed
Created: August 10, 2004
Updated: August 11, 2004
Description: Two vulnerabilities have been found in cfservd. One is a buffer overflow in the AuthenticationDialogue function and the other is a failure to check the return value of the ReceiveTransaction function. An attacker could use the buffer overflow to execute arbitrary code with the permissions of the user running cfservd, which is usually the root user. However, before such an attack could be mounted, the IP-based ACL would have to be bypassed. The second vulnerability could be used to cause a denial of service.
Alerts:
Gentoo 200408-08 2004-08-10

Comments (none posted)

cvstrac: arbitrary code execution

Package(s): cvstrac
CVE #(s): none listed
Created: August 6, 2004
Updated: August 11, 2004
Description: Richard Ngo reported on BugTraq that a vulnerability has been discovered in the CVS repository web browsing tool CVSTrac. If properly exploited an attacker can execute arbitrary code on the CVSTrac host with the privileges of the associated web server.
Alerts:
OpenPKG OpenPKG-SA-2004.036 2004-08-06

Comments (none posted)

opera: remote filesystem read access vulnerability

Package(s): opera
CVE #(s): none listed
Created: August 5, 2004
Updated: August 11, 2004
Description: The Opera browser has a vulnerability that may allow a remote attacker to read a local filesystem.
Alerts:
Gentoo 200408-05 2004-08-05

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s): putty
CVE #(s): none listed
Created: August 5, 2004
Updated: October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200410-29 2004-10-27
Gentoo 200408-04 2004-08-05

Comments (none posted)

shorewall: temporary file exploit

Package(s): shorewall
CVE #(s): none listed
Created: August 10, 2004
Updated: August 11, 2004
Description: Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users. The complete advisory is here.
Alerts:
Mandrake MDKSA-2004:080 2004-08-09

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description: SpamAssassin contains an unspecified denial of service vulnerability. By sending a specially crafted message, an attacker could cause a denial of service against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s): apache
CVE #(s): CAN-2004-0492
Created: June 11, 2004
Updated: October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

apache2: stack-based buffer overflow in ssl_util.c

Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

apache mod_ssl format string vulnerability

Package(s): apache mod_ssl
CVE #(s): none listed
Created: July 16, 2004
Updated: August 6, 2004
Description: Triggered by a report to Packet Storm from Virulent, a format string vulnerability was found in mod_ssl, the Apache SSL/TLS interface to OpenSSL, in versions up to and including 2.8.18 for Apache 1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability could be exploitable if Apache is used as a proxy for HTTPS URLs and the attacker has set up a specially prepared DNS and origin server environment of their own.
Alerts:
Conectiva CLA-2004:857 2004-08-06
Mandrake MDKSA-2004:075 2004-07-27
Slackware SSA:2004-207-02 2004-07-25
Gentoo 200407-18 2004-07-22
OpenPKG OpenPKG-SA-2004.032 2004-07-16

Comments (none posted)

aspell: bounds checking problem

Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)
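The apache2 entry above (an over-long subject DN overrunning a fixed stack buffer in a uuencode routine) and the aspell entry (words longer than 256 bytes escaping a bounds check) are the same class of defect: data of attacker-chosen length is written into a buffer whose size was fixed in advance, without first checking that it fits. The following is an added example, not code from Apache, mod_ssl or Aspell, of the discipline that prevents it: a base64 encoder that computes the exact output size it needs and refuses to write anything if the caller's buffer is smaller. The function names and the 64-byte buffer in `main` are this example's own assumptions.

```c
/* Added example: encoding into a caller-sized buffer with an explicit
 * capacity check. Not Apache, mod_ssl or Aspell code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes required to hold the base64 encoding of n input bytes,
 * including the terminating NUL: four output chars per three input
 * bytes, with the last group padded. */
size_t b64_required(size_t n)
{
    return 4 * ((n + 2) / 3) + 1;
}

/* Encode src[0..n) into dst, which can hold dst_cap bytes.
 * Returns the number of characters written (excluding the NUL), or -1
 * if dst is too small. On -1 nothing is written: the size check comes
 * before the first store, which is the whole point. */
long b64_encode(const unsigned char *src, size_t n, char *dst, size_t dst_cap)
{
    if (dst == NULL || dst_cap < b64_required(n))
        return -1;

    size_t o = 0, i = 0;
    /* Full 3-byte groups. */
    for (; i + 2 < n; i += 3) {
        uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8) | src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = B64[v & 63];
    }
    /* Trailing 1 or 2 bytes, padded with '='. */
    size_t rem = n - i;
    if (rem == 1) {
        uint32_t v = (uint32_t)src[i] << 16;
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = '=';
        dst[o++] = '=';
    } else if (rem == 2) {
        uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8);
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* A fixed stack buffer, as a hypothetical caller might have. */
    char out[64];
    /* Constructed input: a short value fits, a 300-byte one is refused
     * rather than overrunning 'out'. */
    unsigned char big[300];
    memset(big, 'A', sizeof big);

    long r = b64_encode((const unsigned char *)"Man", 3, out, sizeof out);
    printf("short input: %ld chars -> %s\n", r, out);
    r = b64_encode(big, sizeof big, out, sizeof out);
    printf("300-byte input into 64-byte buffer: %ld (refused)\n", r);
    return 0;
}
```

The check is the single comparison against `b64_required(n)`; everything after it can then index `dst` without further tests. A caller that cannot size its buffer in advance should call `b64_required` first and allocate, rather than guess a constant.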

courier: cross-site scripting vulnerability

Package(s): courier
CVE #(s): CAN-2004-0591
Created: July 23, 2004
Updated: August 4, 2004
Description: The sqwebmail application has a cross-site scripting vulnerability. An attacker can inject and execute a web mail script via an email message.
Alerts:
Gentoo 200408-02 2004-08-04
Debian DSA-533-1 2004-07-22

Comments (none posted)

Ethereal: Multiple security problems

Package(s): ethereal
CVE #(s): CAN-2004-0633 CAN-2004-0634 CAN-2004-0635
Created: July 9, 2004
Updated: August 19, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it could cause a crash.
* A malformed or missing community string could cause the SNMP dissector to crash.
See this advisory for more information.
Alerts:
Whitebox WBSA-2004:378-01 2004-08-19
Red Hat RHSA-2004:378-01 2004-08-05
Netwosix NW-2004-0016 2004-07-23
Fedora FEDORA-2004-234 2004-07-22
Debian DSA-528-1 2004-07-17
Fedora FEDORA-2004-220 2004-07-14
Fedora FEDORA-2004-219 2004-07-14
Mandrake MDKSA-2004:067 2004-07-09
Gentoo 200407-08 2004-07-09

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s): gnome-vfs
CVE #(s): CAN-2004-0494
Created: August 4, 2004
Updated: February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s): gtkhtml
CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

Horde-IMP: improper input validation

Package(s): Horde-IMP
CVE #(s): none listed
Created: June 16, 2004
Updated: August 10, 2004
Description: An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.
Alerts:
Gentoo 200408-07 2004-08-10
Gentoo 200406-11 2004-06-16

Comments (none posted)

iproute: local denial of service

Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s): ipsec-tools racoon
CVE #(s): CAN-2004-0155
Created: April 7, 2004
Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

kdelibs: cookie disclosure

Package(s): kdelibs
CVE #(s): CAN-2003-0592
Created: March 10, 2004
Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):kernel CVE #(s):CAN-2004-0497
Created:July 2, 2004 Updated:September 27, 2004
Description: During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:
Conectiva CLA-2004:869 2004-09-27
Gentoo 200407-16 2004-07-22
Whitebox WBSA-2004:360-01 2004-07-07
Mandrake MDKSA-2004:066 2004-07-06
SuSE SUSE-SA:2004:020 2004-07-02
Fedora FEDORA-2004-206 2004-07-02
Fedora FEDORA-2004-205 2004-07-02
Red Hat RHSA-2004:354-01 2004-07-02
Red Hat RHSA-2004:360-01 2004-07-02

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that fix turned out to be incomplete, version 2.7.10 has since been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

MoinMoin Group ACL Bypass

Package(s):moinmoin CVE #(s):
Created:July 12, 2004 Updated:August 26, 2004
Description: MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this osvdb entry for additional information.
Alerts:
Gentoo 200407-09 2004-07-11

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MPlayer: GUI filename handling overflow

Package(s):mplayer CVE #(s):
Created:August 2, 2004 Updated:August 4, 2004
Description: The MPlayer GUI code contains several buffer overflow vulnerabilities, and at least one in the TranslateFilename() function is exploitable. By enticing a user to play a file with a carefully crafted filename an attacker could execute arbitrary code with the permissions of the user running MPlayer.
Alerts:
Gentoo 200408-01 2004-08-01

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

phpMyAdmin: remote PHP execution

Package(s):phpmyadmin CVE #(s):
Created:July 29, 2004 Updated:August 4, 2004
Description: phpMyAdmin has a vulnerability that allows a remote attacker to modify variables and execute PHP code. The attacker must have a valid user account.
Alerts:
Gentoo 200407-22 2004-07-29

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

samba: potential buffer overruns

Package(s):samba CVE #(s):CAN-2004-0600 CAN-2004-0686
Created:July 22, 2004 Updated:September 2, 2004
Description: According to this Samba advisory, Evgeny Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug in the Samba Web Administration Tool (SWAT) when decoding Base64 data during HTTP Basic Authentication. Samba versions 3.0.2 through 3.0.4 are affected. (CAN-2004-0600)

Another buffer overflow bug has been located in the Samba code used to support the "mangling method = hash" functionality. The default setting for this parameter is "mangling method = hash2", so Samba is not vulnerable by default. Samba versions 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. (CAN-2004-0686)

Alerts:
Fedora FEDORA-2004-285 2004-09-02
Fedora FEDORA-2004-284 2004-09-02
Whitebox WBSA-2004:259-01 2004-08-19
Conectiva CLA-2004:854 2004-07-30
Gentoo 200407-21 2004-07-29
Trustix TSLSA-2004-0039 2004-01-05
Red Hat RHSA-2004:404-01 2004-07-26
Slackware SSA:2004-207-01 2004-07-25
tinysofa TSSA-2004-014 2004-07-23
SuSE SUSE-SA:2004:022 2004-07-23
Netwosix NW-2004-0015 2004-07-23
Mandrake MDKSA-2004:071 2004-07-22
Conectiva CLA-2004:851 2004-07-22
Red Hat RHSA-2004:259-01 2004-07-22
OpenPKG OpenPKG-SA-2004.033 2004-07-22

Comments (1 posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS flaw lets an attacker inject script into pages the web application serves to other users; SquirrelMail did not sanitize variables received via the URL query string before using them.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion contains a remotely exploitable heap overflow in its svn:// protocol handling; a crafted request can crash a server running svnserve and may allow an attacker to execute arbitrary code on it. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
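The check an extractor needs before writing each member is small. The following is an added example, not code from GNU tar, unzip or any of the advisories above: it rejects absolute member names and any name containing a ".." path component, and the sample archive listing it is run over is constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Returns true when `name` may safely be unpacked relative to the
 * extraction directory: it must be non-empty, must not start with '/',
 * and must not contain a ".." component anywhere ("..foo" is fine). */
static bool archive_member_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')                     /* absolute: /etc/passwd */
        return false;

    const char *p = name;
    for (;;) {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* a/b/../../../x */
        if (sep == NULL)
            return true;
        p = sep + 1;                        /* also steps over "//" */
    }
}

/* Constructed sample listing, mixing ordinary members with the names a
 * hostile archive carries.  The "src/../src" entry has a harmless target,
 * but the check is deliberately conservative and rejects it anyway. */
static const char *const sample_members[] = {
    "project/README",
    "project/src/../src/main.c",
    "../../../home/victim/.bashrc",
    "/etc/passwd",
    "project/..hidden/notes",
};
static const size_t sample_member_count =
    sizeof sample_members / sizeof sample_members[0];

/* Counts how many members of a listing the extractor would refuse. */
static size_t count_rejected(const char *const *names, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!archive_member_is_safe(names[i]))
            rejected++;
    return rejected;
}
```

A member that is itself a symbolic link needs its link target run through the same check, since a later member written through that link would otherwise land outside the extraction tree even though its own name looked harmless.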
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: The SOCKS 5 proxy code in XChat contains a stack overflow that may allow a remote attacker to run arbitrary code. To be exposed, a user would have to be using XChat through a SOCKS 5 server, have SOCKS 5 traversal enabled (it is disabled by default) and connect to an attacker's custom proxy server. A successful exploit runs the attacker's code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.8-rc4, which was announced by Linus on August 9. There was, he says, just a little too much new stuff in there for him to have been comfortable putting it out directly as 2.6.8. That new stuff includes a replaced 586-optimized AES implementation, a new internal infrastructure for handling file positioning and seekability (see below), a sysctl API change, and some architecture updates. See the long-format changelog for the details.

Linus's BitKeeper tree contains a big Prism54 driver update and various fixes. Things are stabilizing for an official 2.6.8 release which may have happened by the time you read this.

The current prepatch from Andrew Morton is 2.6.8-rc4-mm1. Recent additions to -mm include a mechanism for gathering CPU scheduler statistics, the "mlock as user" patch (covered briefly last week), some asynchronous I/O fixes, version 17 of the wireless extensions API, some read-copy-update enhancements, resident set size ulimit support (see below), in-kernel cryptographic keyring management, a number of architecture updates, and lots of fixes. The staircase scheduler has been dropped from -mm for now ("it used up its time slice") in favor of a simpler patch which simply disables the use of the expired array. The quest for the best way to improve the scheduler continues.

The current 2.4 kernel is 2.4.27, released by Marcelo on August 7. 2.4.27 contains fixes for a handful of security problems, some new crypto algorithms, a big serial ATA update, TCP Vegas and BIC backports from 2.6, and vast numbers of fixes.

Comments (none posted)

Kernel development news

Safe seeks

The lseek() system call allows user space to move the current read/write position within a file. It is not an operation which normally attracts attention, since its full effect is, normally, to change an internal integer index. It turns out, however, that lseek() has been poorly implemented in many parts of the kernel. The recent vulnerability discovered by Paul Starzetz has highlighted the problem, with the result that the internal handling of lseek() is changing significantly for 2.6.8.

Seeking within a file is straightforward; it is just a matter of changing the current position index inside the kernel. The situation gets a little murkier, however, when dealing with things that are not regular files. Virtual files implemented by the kernel can often be seeked in a meaningful way, if it's done carefully; the same is true of a very small number of physical devices. For most devices, however, along with objects like network connections, seeking makes no sense at all.

The default behavior for lseek() is to change the internal offset pointer and return success; if the code for the underlying object (device, network connection, file, etc.) has not provided its own llseek() method, the call appears to succeed. Implementation of a non-seekable device requires an explicit action, instead, to ensure that user space is given the proper error. The traditional way of handling lseek() within a device driver is to include a simple llseek() method which looks like this:

    loff_t my_llseek(struct file *file, loff_t offset, int whence)
    {
        return -ESPIPE;    /* Not seekable */
    }

More recent kernels (2.4 and beyond) also provide a no_llseek() helper which looks like the above.

This technique works, as long as the author bothers to do things this way. In some cases, this little step gets skipped, and the resulting object appears seekable even though it is not. Even when this method is provided, however, it is not a complete solution; the pread() and pwrite() system calls, which specify a specific offset for the operation, involve seeks. Objects within the kernel do not see these calls directly; they just look like regular read() and write() calls. This works because the internal methods for these calls are always passed the offset to use.

What this means is that, for a non-seekable object, every read() or write() method should include a test like this:

    ssize_t my_read(struct file *filp, char *buf, size_t count,
                    loff_t *ppos)
    {
        /* ... */
        if (ppos != &filp->f_pos)
            return -ESPIPE;
        /* ... */
    }

This test works because, for normal read() and write() calls, the ppos pointer goes directly to the offset (f_pos) stored in the file structure. If ppos points elsewhere, it means that a pread() or pwrite() call has been made, and an error should be returned. These tests are simple, but they are bits of boilerplate code which must be added to the implementation of all non-seekable objects, and not all authors bother. After all, for most uses, the code works just fine without.

The above code also forces widespread knowledge of the contents of the file structure and how position information is passed to read() and write() methods. For sysctl methods, things are even worse: there is no position passed in, so there is no alternative to getting it from the file structure.

Finally, there are some interesting race conditions associated with the handling of file offsets. Often a device driver will test a position for validity, sleep (while waiting for device operations or user-space copies), then change the offset. But that offset could have changed in other ways during the sleep, leaving its final value in an indeterminate state.
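The two offset problems behind the Starzetz vulnerability, the 64-to-32-bit narrowing and the check-then-reuse of a position that can change, are easiest to see side by side. What follows is an added, user-space model rather than any kernel driver's code: the "device" is a 16-byte window inside a larger constructed array standing in for kernel memory, so an offset check that lets a bad position through lands on bytes the caller was never meant to read. Everything in it (the buffer contents, the function names, the use of int64_t in place of the kernel's loff_t) is an assumption of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DEV_SIZE  16
#define KMEM_SIZE 64

/* Constructed sample "kernel memory".  The device's window is the slice
 * [32, 48); the rows around it stand in for data an unprivileged reader
 * must never see. */
static unsigned char kmem[KMEM_SIZE] = {
    'S','E','C','R','E','T','-','B','E','F','O','R','E','!','!','!',
    'S','E','C','R','E','T','-','B','E','F','O','R','E','2','!','!',
    'd','e','v','i','c','e','-','d','a','t','a','-','0','1','2','3',
    'S','E','C','R','E','T','-','A','F','T','E','R','!','!','!','!',
};
static unsigned char *const dev_buf = kmem + 32;

/* The classic mistake: the 64-bit position is narrowed to an int before
 * the range check, and the check only looks for "too large".  An lseek()
 * to 0xFFFFFFF0 gives pos == -16 (gcc and clang wrap on narrowing), which
 * passes the test and indexes 16 bytes before the device window. */
static long read_truncating(int64_t *ppos, unsigned char *out, size_t count)
{
    int pos = (int)*ppos;                       /* 64 -> 32 bit narrowing */
    if (pos > DEV_SIZE)
        return 0;                               /* negative pos slips through */
    if (count > (size_t)(DEV_SIZE - pos))
        count = (size_t)(DEV_SIZE - pos);
    memcpy(out, dev_buf + pos, count);          /* reads outside the window */
    *ppos = (int64_t)pos + (int64_t)count;
    return (long)count;
}

/* The hardened form: take one 64-bit copy of the position, reject anything
 * outside [0, DEV_SIZE), and use that same copy for the bounds arithmetic,
 * the copy and the final update, so a concurrent change to the shared
 * offset cannot alter a value that has already been validated. */
static long read_checked(int64_t *ppos, unsigned char *out, size_t count)
{
    int64_t pos = *ppos;
    if (pos < 0 || pos >= DEV_SIZE)
        return 0;                               /* EOF for any bad offset */
    if (count > (size_t)(DEV_SIZE - pos))
        count = (size_t)(DEV_SIZE - pos);
    memcpy(out, dev_buf + pos, count);
    *ppos = pos + (int64_t)count;
    return (long)count;
}

/* Runs one read at `offset` through `rd` and reports whether one of the
 * constructed secret rows came back (they all begin with "SECRET"). */
static int leaks_memory(long (*rd)(int64_t *, unsigned char *, size_t),
                        int64_t offset)
{
    unsigned char out[DEV_SIZE];
    int64_t pos = offset;
    long n = rd(&pos, out, sizeof out);
    return n >= 6 && memcmp(out, "SECRET", 6) == 0;
}
```

The copy-in, validate, copy-out pattern in read_checked() is the same discipline the 2.6.8 VFS changes apply at the system call layer; a driver that keeps it locally is safe whichever way it is invoked.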

In response to all this, Linus has thrown together a set of patches changing the way seeks are handled inside the kernel. These patches have found their way into 2.6.8-rc4, but they were not posted separately on any open mailing lists first. The first patch adds a new FMODE_LSEEK bit to the file structure, so that the virtual filesystem (VFS) code knows which files are seekable and which are not. The idea is to move all tests for illegal seeks to the core VFS code. A second patch adds separate mode bits for pread() and pwrite(); as it turns out, files implemented with the seq_file interface are seekable, but do not support those two calls.

A pair of patches then followed to make use of the new tests in the VFS core. The nonseekable_open() helper was added to enable drivers (and other code) to clear the new bits and mark an object as not being seekable. It is meant to be called in the corresponding open() method. Then came changes to a large number of drivers making them use the new infrastructure; the net result was the removal of quite a bit of code.

It's worth noting that this patch represents a change in how device drivers should be written, but the actual API has not been changed in any incompatible ways. Unmodified drivers will still work - at least, as well as they did before. The sysctl change does involve an API change, however. All sysctl methods now have the offset passed in explicitly as a parameter; they should no longer go digging through the file structure for that information. Unmodified sysctl implementations will no longer compile.

The final step is to change how the read() and write() system calls are implemented. They now create a copy of the f_pos field and pass that to the appropriate methods, and copy the result back afterward. So those methods never work with f_pos directly, regardless of how they are invoked. As a result of all this work, the handling of seeking has become simpler and more robust.
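To make the difference between the two designs concrete, here is an added user-space model of both dispatch schemes (not the kernel's fs/read_write.c or any driver): an old-style read path that hands the method a pointer to f_pos itself and relies on each driver's ppos check, beside a 2.6.8-style path in which nonseekable_open() clears the mode bits and the VFS core both enforces them and passes the method only a copy of the position. The struct file layout, the FMODE_* bit values and the toy stream device are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define FMODE_LSEEK  0x04    /* bit values are assumptions for this model */
#define FMODE_PREAD  0x08
#define FMODE_PWRITE 0x10

struct file;
struct file_operations {
    long (*read)(struct file *, char *, size_t, int64_t *);
};
struct file {
    int64_t f_pos;
    unsigned int f_mode;
    const struct file_operations *f_op;
};

/* Toy stream device: every read hands out the next letters of the
 * alphabet.  Position is meaningless, so it must not be seekable. */
static char next_letter = 'a';

/* Old style: the driver itself rejects pread()/pwrite() by checking
 * where ppos points, the boilerplate test quoted earlier in the article. */
static long old_stream_read(struct file *filp, char *buf, size_t count,
                            int64_t *ppos)
{
    if (ppos != &filp->f_pos)
        return -ESPIPE;
    for (size_t i = 0; i < count; i++)
        buf[i] = next_letter++;
    *ppos += (int64_t)count;
    return (long)count;
}

/* The same device as written for the 2.6.8 scheme: no knowledge of
 * f_pos at all; seekability is the VFS core's business. */
static long new_stream_read(struct file *filp, char *buf, size_t count,
                            int64_t *ppos)
{
    (void)filp;
    for (size_t i = 0; i < count; i++)
        buf[i] = next_letter++;
    *ppos += (int64_t)count;
    return (long)count;
}

/* Pre-2.6.8 dispatch: read() passes &f_pos, pread() passes a local. */
static long vfs_read_old(struct file *f, char *buf, size_t count)
{
    return f->f_op->read(f, buf, count, &f->f_pos);
}
static long vfs_pread_old(struct file *f, char *buf, size_t count, int64_t pos)
{
    return f->f_op->read(f, buf, count, &pos);
}

/* 2.6.8-style dispatch: the mode bits decide, and the method only ever
 * sees a copy of f_pos, which is written back on success. */
static void nonseekable_open(struct file *f)
{
    f->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
}
static long vfs_read_new(struct file *f, char *buf, size_t count)
{
    int64_t pos = f->f_pos;
    long ret = f->f_op->read(f, buf, count, &pos);
    if (ret >= 0)
        f->f_pos = pos;
    return ret;
}
static long vfs_pread_new(struct file *f, char *buf, size_t count, int64_t pos)
{
    if (!(f->f_mode & FMODE_PREAD))
        return -ESPIPE;
    return f->f_op->read(f, buf, count, &pos);
}
static int64_t vfs_llseek_new(struct file *f, int64_t offset)
{
    if (!(f->f_mode & FMODE_LSEEK))
        return -ESPIPE;
    f->f_pos = offset;                  /* SEEK_SET only; enough here */
    return offset;
}

static const struct file_operations old_fops = { old_stream_read };
static const struct file_operations new_fops = { new_stream_read };

/* open() stand-ins: every file starts out seekable, and only the
 * 2.6.8-style driver's open clears the bits. */
static struct file open_old_style(void)
{
    struct file f = { 0, FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE, &old_fops };
    return f;
}
static struct file open_new_style(void)
{
    struct file f = { 0, FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE, &new_fops };
    nonseekable_open(&f);
    return f;
}
```

The instructive case is the third file in the test: a driver that forgot the ppos check, opened under the old dispatch, accepts pread() on a stream; under the new dispatch the same driver is protected because the decision no longer lives in the driver at all.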

Comments (2 posted)

Simple resident set size limits

One of the problems which can afflict any virtual memory system is a process which expands to fill all of memory. All it takes is, say, a quick OpenOffice session, and everything else running on the system finds itself shoved into a corner of memory and pushed out onto swap. Avoiding this problem is a simple matter of limiting the amount of physical memory that any given process can occupy, but Linux lacks such limits.

Rik van Riel seems to have started off on a series of relatively simple patches which address immediate VM issues. His latest patch implements resident set size limits for Linux processes. Once this patch is applied, a bit of appropriate limit setting could do a lot to keep those memory hog processes in their place.

The core of the patch comes down to two lines:

    if (mm->rss > mm->rlimit_rss)
        referenced = 0;

This code appears in the function page_referenced_one(), which tries to decide whether a process has actually made use of one of its in-core pages. If the page has not been referenced, it goes directly onto the list of pages to reclaim. All that this particular patch is doing is pretending that a process which has exceeded its maximum resident set size has not actually used any of its pages; as a result, the memory hog's pages will be the first ones to be reclaimed.

This patch applies on top of the token-based mechanism discussed last week. It modifies that code by depriving a process of the swap token once it goes over its memory limit.

Many systems in the past have chosen to implement hard resident set size limits. On such systems, a process which incurs a page fault will, if it's at its memory limit, immediately surrender one other page back to the memory management system. Rik's patch works differently, in that there are no hard limits. If there is no particular memory pressure, a process can grow to any size. The limit is only applied when the system starts looking for pages to reclaim for other users. This approach is simple, which is always good; it also allows the system to make full use of its memory when there is not a lot of contention.
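The two schemes side by side, as an added example rather than code from Rik's patch: page_referenced_one() keeps the patch's two-line check, a hard_fault() routine models the classic hard limit that evicts one of the process's own pages at the limit, and a reclaim() scan models what happens under memory pressure with the soft limit. The mm_struct and page layouts, the fault routines, the scan itself and the demo processes (demo_mms, setup_soft_demo, hard_demo) are all assumptions made for the illustration, not kernel structures.

```c
/* Model of the two limit schemes contrasted above. This is an added example,
 * not Rik van Riel's patch: page_referenced_one() keeps the patch's two lines,
 * while the mm, page and reclaim-scan structures are assumptions. */
#include <string.h>
#define NPROC  2
#define NPAGES 8
struct page { int in_core; int referenced; };
struct mm_struct {
    unsigned long rss;          /* resident pages */
    unsigned long rlimit_rss;   /* the limit the patch introduces */
    struct page pages[NPAGES];
};

/* The patched check: an over-limit process is treated as having referenced
 * none of its pages, so the reclaim scan takes them first. */
int page_referenced_one(const struct mm_struct *mm, const struct page *p)
{
    int referenced = p->referenced;
    if (mm->rss > mm->rlimit_rss)
        referenced = 0;
    return referenced;
}

/* Soft scheme (the patch): a fault just brings the page in. */
void soft_fault(struct mm_struct *mm, int idx)
{
    if (!mm->pages[idx].in_core) {
        mm->pages[idx].in_core = 1;
        mm->rss++;
    }
    mm->pages[idx].referenced = 1;
}

/* Hard scheme (the classic one): at the limit, the faulting process gives up
 * one of its own pages first. Returns the evicted index, or -1 if none. */
int hard_fault(struct mm_struct *mm, int idx)
{
    int evicted = -1;
    if (!mm->pages[idx].in_core) {
        if (mm->rss >= mm->rlimit_rss)
            for (int i = 0; i < NPAGES && evicted < 0; i++)
                if (mm->pages[i].in_core) {
                    mm->pages[i].in_core = 0;
                    mm->rss--;
                    evicted = i;
                }
        mm->pages[idx].in_core = 1;
        mm->rss++;
    }
    mm->pages[idx].referenced = 1;
    return evicted;
}

/* Reclaim under pressure: free up to `want` pages, taking those that
 * page_referenced_one() calls unreferenced and clearing the bit on the ones
 * it skips, so a second pass catches them. Returns the number freed. */
int reclaim(struct mm_struct *mms, int nproc, int want)
{
    int freed = 0;
    for (int pass = 0; pass < 2 && freed < want; pass++)
        for (int p = 0; p < nproc && freed < want; p++)
            for (int i = 0; i < NPAGES && freed < want; i++) {
                struct page *pg = &mms[p].pages[i];
                if (!pg->in_core)
                    continue;
                if (page_referenced_one(&mms[p], pg)) {
                    pg->referenced = 0;
                    continue;
                }
                pg->in_core = 0;
                mms[p].rss--;
                freed++;
            }
    return freed;
}

/* Demo state: mms[0] is a hog limited to 4 pages that touches all 8;
 * mms[1] is a well-behaved process (limit 8) that touches 4. */
static struct mm_struct demo_mms[NPROC];
unsigned long setup_soft_demo(void)
{
    memset(demo_mms, 0, sizeof demo_mms);
    demo_mms[0].rlimit_rss = 4;
    demo_mms[1].rlimit_rss = 8;
    for (int i = 0; i < NPAGES; i++)
        soft_fault(&demo_mms[0], i);
    for (int i = 0; i < 4; i++)
        soft_fault(&demo_mms[1], i);
    return demo_mms[0].rss;     /* 8: with no pressure the limit never bites */
}

/* The same hog under the hard scheme never gets past its limit. */
unsigned long hard_demo(void)
{
    struct mm_struct *mm = &demo_mms[0];
    memset(mm, 0, sizeof *mm);
    mm->rlimit_rss = 4;
    for (int i = 0; i < NPAGES; i++)
        hard_fault(mm, i);
    return mm->rss;             /* 4 */
}
```

Running the soft demo shows the point of the design: the hog grows to 8 resident pages with a limit of 4 because nothing is competing for memory, and only when reclaim() is asked for pages do its pages go first, the other process keeping all of its referenced pages. Once the hog is back at its limit its pages are judged by their reference bits like everyone else's. Under hard_fault() the same hog never holds more than 4 pages, whether or not anyone else wants the memory.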

Comments (1 posted)

Out-of-lining spinlocks

Spinlocks, as the core kernel synchronization primitive, are highly performance critical. They are implemented differently on each architecture, by way of some carefully-crafted assembly code, so that not one extra cycle is spent there, especially when the lock is not contended. They are also implemented as inline assembly, so that no function call overhead gets in the way of that fast path.

Recently, however, Zwane Mwaikambo has pulled a patch out of the -tiny tree which moves spinlocks into normal, out-of-line functions - at least, on the x86 and x86-64 architectures. The reason for doing this is to shrink the kernel; there are a lot of spinlock calls in the kernel, and the inline code gets replicated for every one of them. Moving the spinlock code out of line gets rid of that duplication, and shrinks the kernel text size by 50KB or so.

Zwane posted some benchmarks showing that there are no performance regressions. In fact, on some hardware, the improved cache utilization brought about by pulling together the spinlock code can actually improve performance by a slight amount.

The patch comes with a configuration option allowing the spinlock code to be built in either mode. Given that moving the code out of line seems to be a win, some have wondered if things shouldn't always be done that way. Linus pointed out one advantage to the inline code: it makes the sources of lock contention very clear in kernel profiles. With out-of-line spinlocks, all a profile will show is that a lot of time was spent waiting for locks; with the code inline, the function which is actually waiting for the lock shows up instead. So out-of-line locks may be best for production kernels, but developers may want to keep them inline.

Comments (2 posted)

Presentations from the cluster summit

The Minneapolis Cluster Summit, held on July 29 and 30, was a gathering of developers interested in pushing forward the state of the art in Linux clustering. The slides from the presentations have now been posted. The topics covered include high availability, OpenSSI, cluster block devices, GFS, lock management, and more.

Comments (1 posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Interview with Cobind's David Watson

August 11, 2004

This article was contributed by Joe Klemmer

Not long ago I did a review of Cobind Linux. There's more to Cobind than just a Linux distribution, though. The company is developing some very interesting tools and utilities: YUMGUI and the DiY Linux Toolkit. David Watson is listed as Cobind's Founder and CEO. He graciously took some time out of his schedule for an interview.

Joe Klemmer: Tell us a bit about who Cobind is. There's a page on your site that lists the team with mini-bios on it, but how did you guys come together? How was Cobind created?

David Watson: Bryan [Mills - Founder and President] and I have worked together doing software development since the summer of 2001. We have similar views on software design despite our differing ages and skill sets.

We wound up working together on an XML appliance product in the summer of 2003 with a startup here in Pittsburgh. We had to put together a custom Linux distribution for that product and discovered that a) it was a lot of work, b) the work was tedious and error-prone, and c) it was expensive as a result.

There are consulting firms that build custom Linux distributions, but they are very expensive owing to the sophisticated labor required. Cobind grew out of our desire to build custom Linux distributions without requiring expensive consultants. That is, a product-oriented solution that makes building custom Linux distributions accessible to a wider range of people.

We were able to launch Cobind, Inc. after we won a fellowship to fund our market research, business planning, product development, etc.

JK: There are two major products you are working on, Cobind DiY Linux Tools and Cobind Software Manager (YUMGUI). Let's talk first about YUMGUI. What was the impetus for making a GUI to run on top of YUM?

DW: a) YUM lacked a GUI and we weren't the only ones looking for one. Since we picked YUM for Cobind Desktop, it was one of the few places on the desktop where you still needed command line skills to install, update, remove, or search for packages.

b) Differentiation. There are many Linux package management systems but we believe YUM's architecture and CLI simplicity provided a solid foundation for a GUI with a similar design mantra.

c) Our skills were a good match for the application.

JK: You chose Python to develop this tool. Why use Python?

DW: YUM is written in Python. We believed that if a GUI was going to be successful with YUM, it would have to be integrated into the YUM sources and distributed with YUM. Aside from all the obvious and oft-repeated advantages to developing in Python, the decision was made for us by the YUM team.

JK: Is YUMGUI in a "production" state yet or do you still have some plans for expansion? Additional features? Interface updates?

DW: No, it's still going to go through some twists and turns before it gets to a stable state. We are working with the YUM team to integrate the code into the YUM source. This is difficult because, as with most projects, the YUM development has not stood still while YUMGUI was being developed. That means there's a bit of a branch and merge issue, where the underlying code has changed substantially, but that's a soluble problem.

Once the code is integrated into YUM, then it can evolve with the community. We won't make any concerted effort to change the features or interface substantially prior to that code integration.

JK: YUMGUI is a good little tool. I know that some businesses would keep this as a commercial product. Did you have any thoughts of keeping it as a "closed" tool or were you already set to GPL it from the beginning?

DW: We believe in the tenets of open source software and the benefits make sense in this case. It would be very difficult to build a GUI on top of YUM if YUM was not open source. So yes, we viewed YUMGUI as a GPL product from the beginning, owing to its extension of YUM.

JK: Do you think that this tool could become a standard tool for all Linux distributions based on RPM?

DW: That's an ambitious but laudable goal and we are a humble bunch. Time will tell.

There is another question embedded in this one which is whether RPM-based distributions would benefit from vendors coalescing around a single package management standard. We believe that everyone would benefit from convergence in Linux package management since that convergence implies network effects benefiting users of the standard. Whether the social forces shaping the future of Linux will allow that to happen remains to be seen.

That said, we believe that YUM, with some additional refinement such as the work being done currently in CVS, is a legitimate contender for that standard package management tool and we remain hopeful.

JK: Now let's talk about your DiY Linux Tools. The gist of the web page for DiY is that it will help in generating a custom built Linux distribution. Basically letting anyone build their own configuration and application base to, in the end, have a Linux distribution of their own. Is this what DiY is for?

DW: Yes, fundamentally that is correct. In terms of user interface, the DiY Linux Tools present screens governing brand, licensing, groups, and packages, along with wizards for deploying custom applications such as LAMP.

A big part of the value proposition here is dependency resolution. On the surface, it seems simple to add a package to a distribution, unless you've gone through dependency hell trying to rpm -ivh *.rpm on a single package with deeply nested, unresolved dependencies. The tools demonstrate their utility because you can add packages and the dependency resolver will resolve most dependencies transparently and prompt you when it can't resolve dependencies. In addition the tools have a visual display of the dependency tree which helps people to understand tacit dependencies in the system.

We see three primary markets for the tools:

1) Hardware Vendors who want to produce custom Linux distributions for their hardware (this may range from the vendor doing the configuration pre-sale to the end-use customer using the tool to build the distribution in-line with the machine purchase, similar to Dell's online hardware configurator),

2) Software Vendors who are attracted to the "software in a box" model of selling Linux-based appliances with the software pre-configured,

3) Systems Administrators and consultants who want to use the tools to streamline their Linux deployments on desktops and servers.

JK: Can you tell us something about how DiY works under the hood? Is it also based on Python?

DW: The DiY Linux Tools are comprised of a PHP front-end, Python middle tier, MySQL back-end, and Python build farm, with SOAP protocol connecting the tiers. The system defines a data model representing an abstract Linux distribution. The front-end is responsible for presenting the browser interface and doing inserts, updates, and deletes to this data model while invoking events such as build. The middle tier manages build events by queuing builds to the build farm, which scales from 1..n machines. The data model can also be transformed into an XML build descriptor which enables builds to be exported and imported between disparate build systems.

Essentially, this system defines abstractions in the UI that make it easier to build and maintain a custom Linux distribution, relative to doing it from the command line. The hard part is finding the places where those abstractions leak and trying to contain those leaks.

There's still a lot of work to be done.

JK: Do you see DiY having an effect on the major Linux distributors?

DW: No, all of the evidence suggests that we're running below their radar, with very few exceptions. They've got Point Clark Networks, Progeny, Specifix, and Terra Soft Solutions to keep them occupied. If any of these models are successful, you'll probably see some consolidation in the future though the parameters are hard to predict with confidence.

JK: DiY is, initially, going to be available only through Cobind as a service. Will there ever be an open/free version of the tools?

DW: Perhaps, there are a number of variables impacting that decision and we're not likely to conclude the discussion for some time. Obviously, an open source release of the tools could place downward price pressure on custom Linux development since a variety of the tasks associated with building a distribution are faster and cheaper with the tools, enabling more individuals and organizations to do it themselves while relying on a vendor only for those parts of the system that are not addressed fully by the tools.

JK: It seems that your plan is to have YUMGUI and Cobind Desktop Linux as your feed and use DiY as your income generator along with other services. This seems to be the preferred current model for "Open Source Companies". Is this a long term trend that you feel is going to be the basis for "Open Source" businesses for a while?

DW: With regard to our plan: Yes, we have three broad categories of products: applications, distributions, and tools. We have several applications that we've written which are probably useful beyond our offices, but we just haven't had the time to get them cleaned up for release. Additionally, we have at least one additional distribution that we're likely to introduce to provide a differentiated server offering. Like most other companies in the space, we are using service revenue to support our product development work until the tools are baked.

The short term trend for open source businesses is likely to be what you describe. However, in the long term where hardware and software are commodities and developing countries exert significant downward price pressure on labor, it's likely that the margins that companies have enjoyed as benefactors of their own reputation economy will shrink over time. Whether increased volume in open source businesses makes up for the tightening margins remains to be seen. This may be a limiting factor in investment in new open source businesses. It's certainly difficult for a small company to sustain the costs without significant seed capital, pointing toward consolidation invoking economies of scale. That is, the costs may be prohibitive for a small company such as Cobind, but are reasonable in the context of a large hardware company where strategic initiatives (software and hardware being complementary assets) justify the R&D expenditures.

JK: Thank you for taking the time to do this interview.

DW: You're welcome.

Comments (3 posted)

Distribution News

Mandrakelinux 10.1 Beta1 is available

For those of you who like being early adopters, the first beta of Mandrakelinux 10.1 has been released for testing.

Full Story (comments: none)

Debian GNU/Linux

The Debian Weekly News for August 10, 2004 is out. Topics this week include the Debian Women website, new libtiff in unstable, sarge release date, a Debian-Installer retrospective, compatibility problem with Bash 3.0, Debian-Installer Release Candidate 1, the Call for Participation: Popularity Contest, and more.

Colin Watson provides a sarge release update. All base and standard packages have been frozen, except for RC and important bugs and updated package translations.

The Debian-Installer team has announced the first release candidate of the Debian sarge installer. The installer now supports all 11 Debian architectures.

Comments (none posted)

Gentoo Weekly Newsletter -- Volume 3, Issue 32

The Gentoo Weekly Newsletter for the week of August 9, 2004 is out. This week's issue covers Gentoo at Linux World Expo, an update on the Gentoo website redesign, and more.

Full Story (comments: none)

Fedora

Fedora Core updates:
  • gimp-help: rebuilt for FC2
  • gimp: updated to version 2.0.4
  • gaim: updated FC2 to latest gaim release
  • gaim: updated FC1 to latest gaim release
  • devhelp: updated and rebuilt to pick up new Mozilla dependencies

Comments (none posted)

New Distributions

Hidden Linux

Hidden Linux is an enterprise grade Linux distribution, created to address the needs of organizations wishing to develop a secure Internet presence. It is designed for experienced Linux administrators and can be used as a mail, Web, database, FTP, print, Samba (PDC), PPTP, IPSec gateway server and client, firewall, DHCP, cache/proxy, and time server.

Comments (1 posted)

Minor distribution updates

AGNULA/DeMuDI

AGNULA/DeMuDI 1.2.0-rc2 has been released. Click below for the release announcement.

Full Story (comments: none)

BLAG Linux and GNU

BLAG Linux and GNU has released v19999.00071 with major feature enhancements. "Changes: This alpha release is based on Fedora Core 2. All Fedora updates were applied along with many new packages from Dag and freshrpms. The new packages included gift, fluxbox, inkscape, firestarter, and gstreamer-plugins-extra-*."

Comments (none posted)

Hiweed GNU/Linux

Hiweed GNU/Linux has released Hiweed Server v0.3beta1. "Changes: This version modifies the installer to enable custom installation. The user can select their favorite MTA, FTPD, or database package, and if the user chooses Webmin, the relative Webmin module will be installed."

Comments (none posted)

Lineox Enterprise Linux Grows with Application Server

Lineox has announced (click below) the Lineox Application Server and a Developer Suite, both available as updates to Lineox Enterprise Linux.

Full Story (comments: none)

OnebaseGo 'KDE 3.3 Beta2' LiveCD Released (KDE.News)

KDE.News reports the release of a new OnebaseGo 2.1 Live CD with KDE 3.3 Beta2.

Comments (none posted)

tinysofa

tinysofa has released tinysofa classic server v1.1 (Rio) and tinysofa enterprise server v2.0 (Odin).

Comments (none posted)

Whitebox Linux Errata & Vacations

White Box Linux has a status report on errata and new packages. Click below for the full report.

Full Story (comments: none)

Terra Soft Launches Yellow Dog Linux v4.0 RC1

Terra Soft Solutions has announced the release of Yellow Dog Linux 4.0 RC1. "Yellow Dog Linux v4.0 offers an incredible graphical interface with both KDE 3.2.2 and GNOME 2.6.0 desktops. Terra Soft's graphic designer Jake Fedie has prepared an all new presentation for both the Installer and post-install desktop environment. Included with v4.0 are OpenOffice 1.1.1, Rhythmbox 0.8.3, Mozilla 1.6 and development tools glibc 2.3.3 and gcc 3.3.3 built upon the 32-bit kernel 2.6.7."

Comments (5 posted)

Distribution reviews

Review: Debian-Installer Release Candidate 1 (linux.com)

Here's a review of the new Debian installer on linux.com. "Debian-Installer Release Candidate 1 (RC 1) has some ways to go in accessibility. It is still text-based, a sub-project to provide a GTK GUI having apparently suffered crib-death. In places, too, it requires system knowledge that might make the inexperienced feel a trickle of sweat. Yet compared to the labyrinthine twists and turns of the old installer, the new Debian-Installer is a stroll through a suburb whose streets are laid out on a grid. Unless you choose more control, only a minimal amount of user input is required - language, keyboard, time zone, root and user passwords - and in less than forty minutes the result is a working Debian system." (Thanks to Steven G. Johnson)

Comments (22 posted)

DragonFlyBSD 1.0A: A strong start (NewsForge)

NewsForge reviews DragonFlyBSD. "DragonFlyBSD's FreeBSD origins are quite clear -- the boot loader, boot selection screen, Ports tree, and source tree all share structural and functional similarities to FreeBSD, even if in some cases the code is totally different. The outdated FreeBSD sysinstall installation utility has been replaced by installer. It's still ncurses-based, but it's easier to navigate and use. In spite of the easy installation procedure, you have to know your way around FreeBSD in order to use DragonFly, as the manual pages are all still FreeBSD-centric and there is no handbook or guide to help you learn the system."

Comments (2 posted)

Page editor: Rebecca Sobol

Development

Interview with the GNU Directory's Janet Casey

This week, we feature an interview with Janet Casey from the FSF/UNESCO Free Software Directory site. This is a shortened version of the interview's highlights; you may want to skip directly to the complete interview.

Q: Please give us an overview of the purpose, history, and mechanics of the FSF/UNESCO Free Software Directory site.

A: The Directory was started from scratch in late 1999. It was originally funded by a grant from the Cordelia Corporation, but there was enough interest in it that the FSF has continued to fund it on an ongoing basis (our membership program is particularly valuable in this respect). UNESCO joined us in April of 2002. It is run from the FSF's offices in Boston, and accounts for between 40 and 45% of the traffic on the FSF's Web site; in a recent five day period, it had almost 2.5 million total hits. It has more than 3,400 listings, each one individually license-checked.

The scope of the Directory has broadened considerably over its lifetime: when Richard Stallman and I designed the original template for an entry, it had 30 possible fields; the current template has 47. The additional fields reflect changes in free software in general; for example, adding irc-help and irc-devel fields, and a bug-database field for packages that use (for example) bugzilla, reflects the general movement towards real-time interaction.

Q: What functions do you carry out for this site?

A: I decide which packages go into the Directory, license check them, write up entries, and update existing entries so the Directory is as accurate as possible. In the beginning I never had to chase down dead links, but now the Directory has been around long enough that packages disappear, and I have to find them. I also answer user email, both what comes to me personally and what comes in through our trouble ticket system (we use RequestTracker).

The single most important of these tasks is license-checking; it's what sets the FSD apart from other free software directories. I open each package and check the license of each source code file. Almost 90% of the packages in the Directory are under the GPL or LGPL, but we will include any package under a license we consider acceptably free (see http://www.gnu.org/licenses/license-list.html), that runs on a free OS, and that does not depend on non-free software.

Q: As one of the people in charge of The Free Software Directory, have you observed any software categories that have been particularly busy lately? Are there any other trends in the open-source software world that you have noticed?

A: I'm heartened by the growing interest in free versions of two particular programs: a free Flash, and free Java Swing. Neither project is complete, but both are under steady and active development. Anyone who spends any time on the Web knows that more and more sites these days are using Flash; a free version will be particularly valuable for the free software desktop, since it's mainly commercial and consumer sites that use Flash.

A really exciting and creative area is free software for video artists. There are packages available for real-time processing/manipulation (FreeJ, MoB, EffecTV, PiDiP, veejay), editing (LiVes), and a set of general tools and libraries (piksel).

The authors of these packages, originally developers, have moved into the artistic arena through their software. This isn't surprising; the ideals of freedom that underlie free software are the same as those that drive artistic creation. The ability to create (or hire someone to create) tools to create exactly the effect you want, without having to depend on the development whims of a software corporation, will attract video and multimedia artists, people who might not otherwise choose free software as their platform.

In general, the development of the Directory has mirrored the trends in free software. In the early days of the Directory, standard software had a command-line interface and was written in C; GUIs were just coming into vogue. Now, almost all packages have some kind of GUI interface, whether native or a front-end. In the past couple of years the Web interface has come to the fore. This reflects an increase in live/interactive communications in general, as we see in the growth of blogs and forums for both personal expression and technical support.

Q: What direction do you see the site going in? Is it expanding or stable, and are there any big changes coming?

A: The changes you'll see in the future will be refinements of the Directory as it now exists. For example, the fourth iteration of the classification system, one that reflects the growing diversification and depth of free software, will be rolled out in a few weeks.

I'd like to tweak the Directory's home page. Right now it has a listing of "most recently updated" packages; I'd like to break that into "updated" and "new" packages, and add a sidebar that regularly features a different group of software: i.e. software for video streaming, software from one research facility, even fun stuff like a list of software by French developers for the week of Bastille Day. The Directory has more than 3,400 packages; I want to use the front page to tell users about *all* of them, not just the well-known ones.

Q: In a recent LWN editorial, we pointed out some difficulties in finding current change information on new project releases. Has there been any progress in improving the access to this information?

A: We will implement, probably through a link to the changelog, a field that lets users find this information out. It looks like this will happen at the same time the new version of the classification structure goes live. Thank you for pointing this out, by the way. The FSF doesn't have the resources to do usability studies, so this kind of feedback is particularly valuable to us.

The editorial also revived an ongoing internal discussion about how to mine the deeper levels of data (possibly down to the file level) that are collected in the Directory. We've got a huge amount of data, and I know that, properly presented, it would be of great value to our users.

It's no secret, however, that documentation is not always the most important priority for free software developers. I urge developers to keep changelogs up to date. It would also be useful if a package's home page listed the changes for the most recent version, if not the changelog itself.

Q: Would you like to fill our readers in on any other issues regarding the Free Software Directory?

A: I don't want to stifle the creative anarchy that has always been a hallmark of free software, but there's a certain amount of repetition in the kinds of programs that exist. Believe me, the world does not need another window manager, and pretty soon there's going to be more image viewing packages than there are images on the Web!

Last, please pay attention to proper licensing. Put a license header with copyright date, name of copyright holder, and a statement telling what license the package is listed under in each source code file. The full text of a short license, such as the X11 license, can go right in the header. With the GPL or LGPL, please include a full copy of the license in the distribution. Since the "How To Enforce These Terms and Conditions" text is legally considered part of the GPL and LGPL, please be sure that it's in the copy of the license that you include in your software.

The more popular and economically viable free software becomes, the more it will come under attack. A trail of legal bread crumbs, in the form of a clear statement that the software you've written is free, is the best way to ensure that it remains free.

LWN: Thank you for your time.

A: Thanks for giving me this chance to talk about the Directory!

Comments (2 posted)

System Applications

Database Software

PostgreSQL 8.0.0 goes beta

The first PostgreSQL 8.0.0 beta release is out, and "is ready for some serious testing." Major changes include a native Windows port, savepoints, "point-in-time" continuous backup, "tablespaces" (a way of simplifying disk management), better buffer management, and more; see this history file for the full list.

Full Story (comments: 9)

PostgreSQL Weekly News

The August 9, 2004 PostgreSQL Weekly News is online with the latest PostgreSQL database news, including information on the new 8.0.0 beta release.

Full Story (comments: none)

Firebird 1.5.1 Release

Version 1.5.1 of the Firebird database was announced recently. "Firebird V1.5.1 is an updated version of Firebird V1.5. The V1.5 release of Firebird represented a major upgrade to the Firebird database engine, and was released earlier this year. Firebird V1.5.1 represents a commitment by the project to develop and deliver ongoing improvements to this popular open source database engine."

Comments (none posted)

Glom 0.8.8 announced

Version 0.8.8 of Glom, a database table definition GUI, is out. Changes include improvements to the Details Layout, better documentation, and bug fixes.

Full Story (comments: none)

CLSQL 3.0.0 released

Version 3.0.0 of CLSQL, a Common Lisp interface to SQL databases, is out. "This major rewrite of the system includes full backward compatibility with CommonSQL, an extensive test suite, and new backends."

Full Story (comments: none)

Interoperability

Samba 3.0.6rc2 Available for Download

A new release candidate of Samba, version 3.0.6rc2, is available. "There have been several bug fixes since the 3.0.4/5 release that we feel are important to make available to the Samba community for wider testings."

Full Story (comments: none)

Web Site Development

Nvu 0.4.0 Released (MozillaZine)

Version 0.4.0 of Nvu, a standalone Mozilla Composer, has been announced. "Based on Mozilla 1.7, this version adds horizontal and vertical rulers for mouse-driven resizing, context menus on tabs, improved toolbar customisation, a document inspector and many other bug fixes."

Comments (none posted)

phpWebSite 0.9.3-4 Stable released (SourceForge)

Version 0.9.3-4 Stable of phpWebSite, a web site content management system, is out. "Version 0.9.3-4 contains mostly bug fixes which were found in the 0.9.3-3 release, but there are some new features/enhancements."

Comments (none posted)

Desktop Applications

Audio Applications

Marlin 0.4 and 0.5 released

Version 0.4 of Marlin, a sound sample editor based on Gnome and GStreamer, is available with incremental improvements. Version 0.5 of Marlin was also released this week. It features better mono/stereo conversion, bug fixes, and more.

Full Story (comments: none)

Desktop Environments

KDE 3.3 About to Finish: Public Release Candidate 2 (KDE.News)

KDE.News covers the release of KDE 3.3 RC2, which is out and in need of testing.

Comments (2 posted)

Metacity 2.8.2 released

Version 2.8.2 of Metacity, a GNOME 2 window manager, is out. "Metacity 2.8.2 breaks with the old versioning in order to try to match the Gnome version numbering[1]. Thus while 2.8.0, 2.8.1, and 2.8.1.x are stable versions of Metacity, 2.8.2 is an unstable version. It will EAT YOUR BRANE[2]." Numerous bug fixes are included in this release.

Full Story (comments: none)

Revelation 0.3.2 released

Version 0.3.2 of Revelation, a password manager for the GNOME 2 desktop, is available. "Yesterday's release of version 0.3.1 had a brown paper bag bug, this new version doesn't attempt to load the removed druid module."

Full Story (comments: none)

Graphics

JGraphpad v5.0 released (SourceForge)

Version 5.0 of JGraphpad, a diagram editor for Java, is available. Here's the description: "A major new version with EPS export, a series of new layouts, new and extended cell views, and many major bug fixes. A Portuguese translation is also available."

Comments (none posted)

GUI Packages

Gnome-Python 2.5.90 is out

Version 2.5.90 of Gnome-Python, the Python language bindings to the GNOME platform libraries, has been released. Lots of changes are included.

Full Story (comments: none)

gtkmm 2.4.5 and glibmm 2.4.4 announced

New versions of gtkmm and glibmm are available with bug fixes.

Full Story (comments: none)

Instant Messaging

Application of the Month: Konversation (KDE.News)

KDE.News has an announcement for a new Application of the Month feature. This edition looks at the Konversation IRC client.

Comments (none posted)

Interoperability

Wine Traffic

The August 6, 2004 edition of Wine Traffic is available with the latest Wine information.

Comments (none posted)

Music Applications

Ardour 0.9beta19 released

Version 0.9beta19 of Ardour, a multi-track audio editing system, has been released. "Although this is not the "feature-complete" beta19 I was hoping for, the set of changes are large enough to warrant a new beta number." Many bug fixes and several new features are included.

Comments (none posted)

jamin 0.9.0 released

Version 0.9.0 of jamin, the JACK Audio Mastering interface, is available. Changes include improvements to the limiter, OSC control for scene changes, support for 20 scenes, GUI improvements, improved bypass controls, better translations, and bug fixes.

Full Story (comments: none)

News Readers

BLAM! 1.2.3 released

Version 1.2.3 of BLAM!, an RSS reader, is out. "this release features OPML import/export as well as rendering fixes for Gtkhtml 3.1. Also added Ctrl+] for next unread message (works as well as "."), so now it works exactly like Evolution in that respect."

Full Story (comments: none)

Web Browsers

Mozilla to implement xforms

The Mozilla Foundation has announced a new initiative, supported by Novell and IBM, to implement the XForms 1.0 recommendation. "XForms is the forms module in XHTML 2, developed by the World Wide Web Consortium (W3C), which enables developers to deliver the type of next-generation, rich, portable web-based applications desired by corporate IT."

Comments (7 posted)

Mozilla Links Newsletter

The August 7, 2004 Mozilla Links Newsletter is out with Firefox status, a review of WebMail Compose 0.3.5, and more.

Full Story (comments: none)

Galeon 1.3.17 "The one that can (x)print"

Version 1.3.17 of the Galeon browser has been announced. "This one's got quite a few goodies in it along with the usual flood of bug fixes. We've got UI support for Xprint if your mozilla supports it and Ricardo's celebrated his return by implementing vfolders for bookmarks. As in evolution, these allow you to create views of your existing bookmark hierarchy based on various criteria."

Comments (none posted)

Miscellaneous

Gnome OSD announced

A new project called Gnome OSD has been announced. "Gnome OSD is a new small project to create an OSD (On Screen Display) infrastructure, similar to XOSD. It includes a command-line client, and sample xchat and rhythmbox plugins."

Full Story (comments: none)

Languages and Tools

C

GCC Newsletter

The August 11, 2004 GCC Newsletter is out with the latest GNU Compiler Collection development news.

Comments (none posted)

Lisp

CMUCL 19a released

Version 19a of CMUCL, CMU Common Lisp, is out. "This major release includes several changes concerning performance improvements, better ANSI compliance, overflow checking, a better FFI, a basic implementation of simple streams, and many more."

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The August 2-8, 2004 edition of This Week on perl5-porters is online with the following topics: File tests on AIX, Uninitialized versus undefined, Version objects, Releases, and more.

Comments (none posted)

This Week on Perl 6 (O'Reilly)

The July 31, 2004 edition of This Week on Perl 6 is online with the latest Perl 6 language developments. "Good news! Guido is a gentleman and declined to throw a pie at Dan. Bad news! The Perl community is a bunch of savages, and they paid $520 to be able to throw pie at Dan. Good news! There are photos."

Comments (none posted)

Using advanced widgets in Perl/Tk (IBM developerWorks)

Philipp K. Janert illustrates GUI programming with Perl and Tk on IBM's developerWorks. "Perl is one of the most popular languages out there, and is used for everything from mission-critical projects to Web applications to "glue." It is not, however, often used for GUI programming and prototyping. Philipp K. Janert thinks it should be, and you probably will too -- after this look at some of the more complex widgets available for Perl/Tk."

Comments (none posted)

Perl Command-Line Options (O'Reilly)

Dave Cross works with Perl's command line options on O'Reilly. "Perl has a large number of command-line options that can help to make your programs more concise and open up many new possibilities for one-off command-line scripts using Perl. In this article we'll look at some of the most useful of these."

Comments (none posted)

PHP

Simplify Business Logic with PHP DataObjects (O'ReillyNet)

Darryl Patterson works with DataObjects in PHP in an O'Reilly article. "Are you sick of writing the same SQL over and over in your application? Would you like to simplify and unify your access to the same tables in multiple places? DataObjects may be for you."

Comments (none posted)

PHP Weekly Summary for August 9, 2004

The PHP Weekly Summary for August 9, 2004 is out. Topics include: MD5/SHA1 digest calculation patch, new inet functions, better date support, realpath() continued, win32 libxml/xsl update, PHP 5.0.1 on the way, disabling emalloc, substring writes and buffered char streams, NULL TRUE FALSE gone, and PHP-GTK 1.0.1 test roll.

Comments (none posted)

Python

Python 2.4 alpha 2 has been released

Version 2.4 alpha 2 of Python has been released for testing. "In this release we have new syntax for function decorators, a fix for failing imports so that they don't leave a broken module in sys.modules, a host of updated modules in the standard library (including optparse and doctest) and a large number of other bug fixes and improvements."

Full Story (comments: none)

Dr. Dobb's Python-URL!

The August 9, 2004 edition of Dr. Dobb's Python-URL! is out. Take a look for numerous Python language articles and resources.

Full Story (comments: none)

python-dev Summary

The July 16-31, 2004 edition of the python-dev Summary is available. Take a look to see the latest Python language developments.

Full Story (comments: none)

SQL

Hierarchical SQL (O'Reilly)

Joe Celko works with trees in SQL on O'Reilly. "There are many different ways to represent trees in SQL and this short article discusses one of them."

Comments (1 posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The August 9, 2004 edition of Dr. Dobb's Tcl-URL! is online with another week's worth of Tcl/Tk article and resource links.

Full Story (comments: none)

XML

Describe XML content with the Dublin Core Metadata Initiative (IBM developerWorks)

David Mertz introduces the Dublin Core Metadata Initiative on IBM's developerWorks. "The Dublin Core Metadata Initiative (DCMI) is a standardized vocabulary for handling information about documents. In general, the DCMI vocabulary defines a hierarchy of terms that describe the purpose, context, and origin of a document (rather than describing the document itself). David shows you how DCMI provides a set of metadata primitives that you can reuse (through namespaces) in broader XML vocabularies, such as RSS variants. Various standards, including those from ISO and NISO, have adopted parts of DCMI."

Comments (none posted)

Build Tools

Maven: Trove of Tips (O'ReillyNet)

Andreas Schaefer gives some tips on Maven. "Maven offers not just a build tool but an entire project environment, including documentation and testing features. All of which is a lot to bite off with an existing project. Andreas Schaefer made the switch to Maven and has some real-world lessons he learned from the experience."

Comments (none posted)

Debuggers

GPICD 0.3-1 released

Version 0.3-1 of GPICD, a programmer and in-circuit debugger (ICD) for Microchip PIC microcontrollers, has been released. Changes include a fully configurable hardware interface and bug fixes.

Comments (none posted)

Editors

SLIME 1.0-beta released

Version 1.0 beta of SLIME, the Superior Lisp Interaction Mode for Emacs, is out. "Changes in this version are related to autodoc mode, interactive evaluation, group customization, code indentation, setup, the modeline, and more."

Full Story (comments: none)

IDEs

DrPython 3.3.0 released (SourceForge)

Version 3.3.0 of DrPython, a cross-platform Python language IDE, has been released. "Lots of work has been done, reworked several dialogs, tweaked the interface (now shows overtype, indentation information in statusbar), and plugins (automatic install/uninstall scripts), and the toolbar (add drscripts, plugins, customize specific icons), and important bugfixes in find/replace, keyboard shortcuts, in general."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Patent problems plague Linux (ZDNet)

Dan Ravicher justifies his Linux kernel patent survey in this ZDNet column. "A study that quantifies the potential risk eliminates the guessing game by supplying users with specific information they can use to determine whether they are sufficiently prepared. Studying a threat does not create the risk; it only makes that risk easier to more accurately address. You would not accuse a weatherman of spreading fear for profit by warning of a 25 percent chance of showers and saying 'tune in later for more information.'"

Comments (27 posted)

Open Sourcing Java (IT-Director)

Robin Bloor suggests that Sun should free Java in this IT-Director article. He seems to have picked up the fragmentation fear, however. "The problem with programming languages is that they evolve. They don’t get to be commodities. They evolve because they need to evolve. However there needs to be control in this, because it would do no-one any good for Java to turn into a 'thousand tongued hydra' - it could turn into 'write anyhow run nowhere else'. Actually Java has several different versions already anyway, due to the need to fit into small footprints."

Comments (19 posted)

Trade Shows and Conferences

Adaptations (Linux Journal)

Doc Searls presents his view of the common threads from O'Reilly's OSCON and the LinuxWorld Expo. "I see two fundamental divisions. The first is between noncommercial open-source infrastructure and commercial products and services that rely on it. The second is between traditional open-source development communities and the growing population of practitioners for which the main benefit of open-source is free (as in beer) building materials, rather than the deeper concerns (for example, freedom) of the original development communities. These are not opposed divisions but, rather, symbiotic roles in a maturing and proliferating marketplace in which large new species, all dependent on open source, are coming to dominate the commercial space."

Comments (none posted)

EFF hosts 'fund- and consciousness-raising' party (NewsForge)

NewsForge attends Freedom Fest 2004. "Freedom Fest is not a new idea. EFF has held these outdoor concerts annually for the last five years. The only new thing for 2004 was that it was the first one to be held during LWE."

Comments (none posted)

More news from LinuxWorld

Here's another round of announcements, press releases, and press coverage from the LinuxWorld Expo.

Comments (none posted)

Linux for sale in San Francisco (ZDNet)

ZDNet Australia looks at LinuxWorld. "The Free Software Foundation sits in its tiny little stand like a circus freak, while IBM and HP sales executives "work" potential customers drawn into their sales trap by the dazzling lighting, like flies to one of those buzzing bug zappers in a fish and chip shop. Smiling their toothy, American smiles and dispensing their business cards from gleaming card holders, Linux is the pitch. Linux is money. Bzzzzz CRACK!"

Comments (6 posted)

Impressions of LinuxWorld August 2004 (Linux Journal)

Linux Journal provides another view of LinuxWorld. "The theme of last week's LinuxWorld Conference and Expo in San Francisco was Linux for the Enterprise, a fact made visually obvious the moment one stepped in to the exhibition hall at the Moscone Center. Full of huge booths and over 150 vendors, LinuxWorld attracted all the big names in computing. Buzz about Linux in a meaningful business sense was everywhere."

Comments (none posted)

The SCO Problem

The latest SCO/IBM documents

For those following the details of the SCO/IBM fight, Groklaw has recently put up a couple of new filings. The first is IBM's memo in opposition to SCO's "renewed" motion to compel discovery. "Renewed" is quoted in the original title; IBM portrays the whole thing as being another exercise in delay on SCO's part.

Also available is a motion to strike Chris Sontag's declaration. IBM seems to think that Mr. Sontag, the person in charge of SCOsource, is not in a position to be an expert on IBM's revision control system.

Comments (none posted)

Companies

Linspire - aka Lindows - cuts IPO price (Silicon.com)

Silicon.com reports that Linspire has lowered its expected IPO value. "The company in July had set a price range of $9 to $11 for the 4.4 million shares it planned to sell on the public market. But on Friday, Linspire lowered that range to $7 to $9 per share, according to a filing with the Securities and Exchange Commission. That means the San Diego, Calif.-based company expects to raise between $30.8m and $39.6m rather than $39.6m and $48.4m."

Comments (none posted)

Novell Planning Release Of Combination SuSE/Ximian Linux Desktop (LinuxWorld.com)

LinuxWorld.com reports that Novell plans on releasing a new corporate desktop that merges SuSE Linux and Ximian. "Novell is still deciding what software will be included. Some companies and products, like RealNetworks and its popular media player, and Mono, the open-source clone of Microsoft's .Net infrastructure, have been confirmed; while other software integration - the Mozilla browser for example - is up in the air."

Comments (none posted)

Linux Adoption

French tax office takes up open source (News.com)

News.com reports that the French internal revenue service has decided to use the JBoss open-source application server. "Jean-Marie Lapeyre, Copernic's technical director, said a "detailed evaluation" had been conducted during the tender process, and JBoss was chosen because of its reliability and performance. "The advantages of open source are already well-known: very low-cost (or free of charge) and source-code opening that guarantees the reliability, durability and security of these solutions," Lapeyre said."

Comments (none posted)

Linux at Work

Open Supercomputing Hits Big 1-0 (Wired)

Wired covers 10 years of Beowulf supercomputers. "Who's afraid of the big bad Beowulf? No one now, but 10 years ago the scientific community greeted the first Beowulf supercomputer cluster with fear and loathing. "The initial reaction of the supercomputer-oriented scientific community to the Beowulf project was very negative," says Donald Becker, co-founder of the original Beowulf project."

Comments (1 posted)

Interviews

Matthias Ettrich talks about KDE and aKademy (KDE.News)

KDE.News talks with Matthias Ettrich about the status of the KDE project, its achievements, and what he is looking forward to in aKademy. "Matthias Ettrich: Today I am very much focused on KDE's underlying technology, the Qt toolkit. This pretty much is a full-time job, so I'm no longer feeling bad about not actively contributing code to other parts of KDE anymore. When you take a step back and recognize how much the KDE team achieves in relation to its financial backup and the number of developers, you'll clearly see how important a solid foundation is. We are an insanely productive development community, and we achieve that by layering our software stack and investing into the foundation, instead of constantly reinventing the wheel."

Comments (none posted)

Nils Magnus (of LinuxTag) on Security and aKademy (KDE.News)

Here's a KDE.News interview with Nils Magnus of LinuxTag about security on the desktop. "Nils: I work with a Linux system that was set-up from an installed Knoppix with some adjustments for a more secure operation. I travel a lot, so I use computers in environments where I can not be sure about their integrity (e.g. my notebook). Important data is stored on a central, well-secured place that I can reach via an encrypted Internet connection. So any computer with a network connection is sufficient for me, because I always have a Knoppix DVD or a memory stick with me."

Comments (none posted)

Resources

Linux can save your data (NewsForge)

Chris DiBona uses Linux for data recovery in this NewsForge article. "There are a lot of reasons to use Linux. You've seen people write or heard people speak about its use in clusters, offices, Web servers, and other common uses. One thing that hasn't been talked about enough is its utility as a superior tool for recovering data from other operating systems."

Comments (9 posted)

Miscellaneous

Using Unicode to Power the World's Largest Democracy (Linux Journal)

Linux Journal looks at efforts to convert voter lists to Unicode in India. "[Professor Jitendra Shah] explains that the voter list data already is computerized and available in local languages. But there is no provision in the system for a public interface in Indian languages. He believes that Linux and free software, localized in all Indian languages, and the Unicode standard alone can provide an affordable universal interface. "It will provide access to people who wish to work with proprietary software as well as those who wish to use free software", he says."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

OSDL announces new office in Beijing

The Open Source Development Labs (OSDL) has announced plans for an office in Beijing, China.

Full Story (comments: none)

Software patents no bigger threat to Free Software than to proprietary software

The Free Software Foundation Europe has sent out a press release which reminds people that software patents affect proprietary software as well as open-source software. "In reaction to the decision by the City of Munich to re-evaluate its migration plans to Free Software, the Free Software Foundation Europe points out that software patents are equally a significant problem for both Free Software and proprietary software alike. "Without doubt, software patents are a roadblock to innovation. They will extort a high price that has to be paid by all European citizens through loss of competitiveness, and also jobs", says Georg Greve, President of the FSFE."

Full Story (comments: 15)

Commercial announcements

American Arium Delivers Linux Support for ARM and Intel XScale Processors Residing on 'Headless' Targets

American Arium has announced support for ARM and Intel XScale(R) systems running Linux. Arium provides a hardware-assisted solution that lets users debug full kernel and processes/applications simultaneously on systems that have neither serial nor network ports.

Comments (none posted)

Circuit City goes Linux

Circuit City has announced that it will be deploying Linux-based point of sale systems in over 600 stores. "By employing the IBM Retail Environment for SUSE Linux at the point of sale, Circuit City will have the flexibility and reliability of open standards, enabling Circuit City to adapt quickly to changes in the retail marketplace and to cost-effectively institute future upgrades to the platform."

Comments (10 posted)

Linuxant releases DriverLoader 2.0

Linuxant has released version 2.0 of its DriverLoader software. "DriverLoader is a revolutionary compatibility-wrapper allowing standard Windows NDIS (Network Driver Interface Specification) drivers shipped by hardware vendors to be used as-is on Linux x86 systems. RNDIS (Remote NDIS) is now also supported for USB."

Full Story (comments: none)

OpenGL 2.0 Unleashes the Power of Programmable Shaders

SGI has announced the latest version of the OpenGL(R) specification, incorporating support for the OpenGL Shading Language application programming interfaces.

Comments (3 posted)

OptimaNumerics Libraries for Intel Xeon EM64T Linux

OptimaNumerics has announced the availability of its OptimaNumerics Libraries for the Intel Xeon EM64T Linux platform. "OptimaNumerics Libraries, with linear algebra, parallel linear algebra and parallel random number generators modules, provide high performance versions of LAPACK, ScaLAPACK, SPRNG and PLFG libraries."

Full Story (comments: none)

OSoft Releases ThoutReader - A Virtual Library for Developers

OSoft has announced the initial release of the ThoutReader, an open source documentation platform that works like a virtual library so developers can quickly organize and search all of their reference documentation at once.

Comments (5 posted)

The Weather Channel switches to HP Linux servers

Intel and HP have issued a press release about the Weather Channel's switch to Linux servers. "The Weather Channel replaced 138 RISC-based processors with 42 Itanium 2 processors. The Weather Channel deployed 17 two-way HP Integrity rx2600 servers and two, four-way HP Integrity rx5670 servers running RedHat Enterprise Linux 2.1 and 3.0 and Oracle(1) 9i Real Application Clusters. The servers run applications which power corporate databases, transportation logistics, budgeting software, supply chain management, Web systems, asset management, and a file and print system. According to The Weather Channel, the Linux operating system provides increased flexibility and a better price performance ratio when compared to the RISC platform."

Comments (4 posted)

New Books

Dive Into Python published

The book Dive Into Python, an online work by Mark Pilgrim, is now available in paper form.

Full Story (comments: none)

"Upgrading to PHP 5" Released by O'Reilly

O'Reilly has published the book Upgrading to PHP 5 by Adam Trachtenberg.

Full Story (comments: none)

New Open Source Technical Books from Addison-Wesley/Prentice Hall PTR

Addison-Wesley/Prentice Hall PTR have published three new books: A Practical Guide to Red Hat Linux, Second Edition, The Design & Implementation of the FreeBSD Operating System, and Open Source Security Tools: A Practical Guide to Security Applications.

Full Story (comments: none)

Resources

FSF Europe Newsletter

The August 6, 2004 edition of the FSF Europe Newsletter is online. Take a look to see what the European branch of the Free Software Foundation is up to.

Full Story (comments: none)

New List of Linux Audio Applications

Dave Phillips has updated his list of new MIDI and audio applications for Linux. Take a look for the latest new tools and resources plus some recent conference reports.

Comments (none posted)

Contests and Awards

Desktop Integration Bounty : Check-in 2 Check it out !!!!

Another GNOME Desktop Integration Bounty contest has been announced. "GNOME Foundation is proud to announce the relaunch of the open source desktop integration bounty. The aim of the contest is to recruit new developers and to more tightly integrate the various projects that make up the desktop into a more coherent, and complete user experience. The contest consist of new set of small projects and also the unsolved old projects from the previous rounds. Complete the hack, enter the contest, and collect the prize."

Full Story (comments: none)

Ghostscript 8.50 bug bounty program

Artifex Software, Inc. has announced a bug bounty program for the Ghostscript 8.50 PostScript rendering program. "As before, each accepted patch that closes a bug marked with the bountiable keyword is worth US $500 for bugs at priority P3 and lower. New in this round are a couple of higher-priority bugs that pay double. A fix for a bug marked P2 or higher is worth $1000."

Comments (none posted)

Event Reports

2004 O'Reilly Open Source Convention Wrap-up

O'Reilly has sent out a wrap-up press release from this year's Open Source Convention.

Full Story (comments: none)

A portrait of an "analyst"

For the morbidly curious, SCO has posted the text of Rob Enderle's keynote from SCOforum. Suffice to say it gives a good picture of the sort of person we are dealing with.

Comments (29 posted)

Upcoming Events

5. Encuentro Linux

The 5. Encuentro Linux conference will be held in Valparaiso, Chile on October 21 and 22, 2004.

Full Story (comments: none)

KDE World Summit to Feature PGP Keysigning Session (KDE.News)

A PGP key signing session will be held at the KDE World Summit in Ludwigsburg, Germany on August 23. Key IDs should be submitted by August 15.

Comments (none posted)

linux.conf.au call for papers

Mark your calendars: the 2005 version of linux.conf.au will be held in Canberra, Australia, from April 18 to 23. The call for papers has gone out (click below) with a submission deadline of October 5. If you are interested in holding a miniconf, now is the time to get moving on that as well.

Full Story (comments: none)

Less than 7 weeks until OOoCon 2004!

A registration reminder has gone out for the upcoming OpenOffice.org convention. The event will take place on September 22-24, 2004 in Berlin, Germany.

Full Story (comments: none)

Ohio LinuxFest 2004

The Ohio LinuxFest 2004 will take place on October 2, 2004 at the Ohio State University in Columbus, Ohio. "This year's list of speakers includes representation from the Apache Software Foundation, Red Hat, the Samba Team, Novell (SUSE), and more." This is a free event.

Full Story (comments: none)

Linux Installfest workshop in Davis

The Linux Users' Group of Davis, California will be holding another Linux installfest on Sunday, August 15 at the John D. Kemper Hall of Engineering on the UC Davis campus.

Full Story (comments: none)

Events: August 12 - October 7, 2004

Date | Event | Location
August 21 - 29, 2004 | KDE Community World Summit 2004 (aKademy) (Filmakademie Ludwigsburg) | Ludwigsburg (Stuttgart Region), Germany
September 2 - 3, 2004 | Python for Scientific Computing (SciPy) (CalTech) | Pasadena, CA
September 2 - 4, 2004 | 2nd Swiss Unix Conference (Technopark) | Zurich, Switzerland
September 9 - 10, 2004 | Linux Expo Shanghai (Shanghai Exhibition Center) | Shanghai, China
September 13 - 16, 2004 | Embedded Systems Conference (Hynes Convention Center) | Boston, MA
September 15 - 17, 2004 | YAPC::Europe 2004 | Belfast, Northern Ireland
September 20 - 23, 2004 | New Security Paradigms Workshop (NSPW) (White Point Beach Resort) | Nova Scotia
September 20 - 22, 2004 | Plone Conference 2004 | Vienna, Austria
September 22 - 24, 2004 | OpenOffice.org Conference (OOoCon 2004) (Humboldt University) | Berlin, Germany
September 22 - 24, 2004 | php|works 2004 (Holiday Inn Yorkdale Hotel & Conference Centre) | Toronto, Canada
September 27 - October 1, 2004 | 4th International SANE Conference (SANE) (Amsterdam RAI Centre) | Amsterdam, The Netherlands
September 27 - 29, 2004 | ConSec '04 (J.J. Pickle Research Center) | Austin, Texas
September 29 - October 1, 2004 | OSCOM 4 (Swiss Federal Institute of Technology) | Zurich, Switzerland
October 2, 2004 | Ohio LinuxFest | Columbus, Ohio
October 6 - 7, 2004 | LinuxWorld Conference and Expo (Olympia Exhibition Centre) | London, England, UK

Comments (none posted)

Web sites

KDE.de Relaunched (KDE.News)

KDE.News reports that the KDE.de site has been relaunched. "The web team of KDE Germany is proud to present the German KDE website with a new layout."

Comments (none posted)

GnomeFiles.org Officially Launched

A new Gnome/GTK+ software repository, gnomefiles.org, has been launched. "Gnomefiles lists apps created for the GNOME DE and the GTK+ multi-platform toolkit. All bindings, wrappers & their apps are welcome too, so developers are invited to post their applications to the site."

Full Story (comments: none)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds