Welcome to LWN.net

Headlines for July 9, 2008

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
[Security] Posted Jul 8, 2008 20:07 UTC (Tue) by jake

Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning, as an article at Securosis.com details. This has led to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediate reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong; time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.

Comments (8 posted)

GNU/Linux free software tools to preserve your online privacy, anonymity and security (FSM)
[Press] Posted Jul 8, 2008 17:53 UTC (Tue) by ris

Free Software Magazine looks at some free software tools to protect freedom. "Whether you are online or offline, freedom matters. Like good health you never think about it or miss it until it is under threat or actually gone. If you love freedom, you probably love free software and it has given us some terrific tools with which to defend freedom. In this article I will give an overview of some of the available resources (Freenet, Wikileaks and Tor) to protect dissident opinion, facilitate whistle blowing and promote the safe and anonymous development of free software."

Comments (4 posted)

Security updates for Tuesday
[Security] Posted Jul 8, 2008 17:52 UTC (Tue) by ris

Debian has updated bind9 (DNS cache poisoning), bind8 (DNS cache poisoning).

Gentoo has updated pcre (buffer overflow).

SUSE has updated the kernel (multiple vulnerabilities).

Comments (1 posted)

[$] The current development kernel is...linux-next?
[Kernel] Posted Jul 8, 2008 16:24 UTC (Tue) by corbet

Linux kernel developers are being encouraged to see the linux-next tree as the kernel they should use as their development base. But the unique nature of linux-next makes it difficult to use in that way. This article (from this week's Kernel Page, subscribers only) examines the evolving role of linux-next; click below for the full text.

Full Story (comments: 6)

Google releases Protocol Buffers
[Development] Posted Jul 8, 2008 14:31 UTC (Tue) by corbet

Google has announced the release of its "Protocol Buffers" code under the Apache license. "Protocol Buffers allow you to define simple data structures in a special definition language, then compile them to produce classes to represent those structures in the language of your choice. These classes come complete with heavily-optimized code to parse and serialize your message in an extremely compact format." In other words, it's another XDR/RPC/pickle implementation, but tuned to Google's performance needs.

Comments (17 posted)

Reiser leads police to wife's body (MercuryNews)
[Press] Posted Jul 8, 2008 13:31 UTC (Tue) by corbet

This MercuryNews article would appear to bring an end to the speculation on whether Hans Reiser was really guilty. "Accompanied by heavily armed Oakland police, software programmer Hans Reiser on Monday led authorities to the body of his missing wife, buried in a shallow grave in the Oakland hills."

Comments (15 posted)

Mozilla Foundation developing a model for a security metric (heise online)
[Security] Posted Jul 7, 2008 20:53 UTC (Mon) by jake

An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."

Comments (none posted)

Monday's security advisories
[Security] Posted Jul 7, 2008 19:23 UTC (Mon) by jake

CentOS has updated firefox, devhelp, xulrunner, yelp (multiple vulnerabilities).

Debian has updated pcre3 (arbitrary code execution).

Fedora has updated pcre (F8, F9: arbitrary code execution), jetty (F8, F9: multiple vulnerabilities). Fedora 8 has updated firefox (multiple vulnerabilities) which directly causes all of the following updates: devhelp, gtkmozembedmm, yelp, gnome-web-photo, kazehakase, epiphany, liferea, epiphany-extensions, openvrml, galeon, ruby-gnome2, chmsee, Miro, gnome-python2-extras, blam.

Mandriva has updated phpMyAdmin (multiple vulnerabilities), gnome-screensaver (authentication bypass), sympa (denial of service), squid (denial of service), gnome-screensaver (clipboard contents disclosure).

Comments (none posted)

Move Your Business from Windows to Linux (PC World)
[Press] Posted Jul 7, 2008 14:53 UTC (Mon) by jake

It often seems that the mainstream technical press focuses on various "problems" with Linux, either technical or otherwise, which is what makes this PC World article stand out. It is a basic introduction to Linux for businesses that might be looking to switch from Windows, especially for the cost savings. "If that feels like a waste of your small business's precious IT budget, and you're still looking for an alternative to Windows Vista, look no further than Linux. The latest distributions are free, easy to install, and highly customizable; they harness your existing hardware without overtaxing it; and they include a wealth of productivity applications and utilities. You may already have a closet Linux expert on staff, but if you don't, paid support is usually available at rates far less than Microsoft's."

Comments (2 posted)

Stormy Peters becomes the GNOME Executive Director
[Front] Posted Jul 7, 2008 14:12 UTC (Mon) by corbet

The GNOME Foundation has announced that its long search for an executive director is over: Stormy Peters has accepted the job. "The past year there has seen tremendous growth in the number of devices that ship with GNOME- mass-market laptops, phones, and even GPS devices. Hiring Stormy as executive director will help GNOME capitalize on this momentum, exactly at a time when more of the world is realizing the value of combining free and open source software with great user experiences, while also helping GNOME consolidate its traditional strengths in enterprise and other large-scale deployments."

Comments (1 posted)

Gentoo Linux 2008.0 released
[Distributions] Posted Jul 6, 2008 13:33 UTC (Sun) by corbet

Gentoo Linux 2008.0 is out. "Code-named 'It's got what plants crave,' this release contains numerous new features including an updated installer, improved hardware support, a complete rework of profiles, and a move to Xfce instead of GNOME on the LiveCD."

Full Story (comments: 4)

One more 2.6.26 prepatch
[Kernel] Posted Jul 6, 2008 2:06 UTC (Sun) by corbet

The 2.6.26-rc9 kernel prepatch is out. "Enough changes that we needed another -rc, and the regression list isn't emptying fast enough either (probably because a number of people, including reporters, are vacationing)." Along with the fixes there's a new driver for cameras which implement the standard USB video class spec. The long-format changelog has the details.

Comments (none posted)

KDE 4.1 Beta 2: Two Steps Forward, One Step Back (Datamation)
[Press] Posted Jul 5, 2008 16:56 UTC (Sat) by corbet

Datamation reviews the second KDE 4.1 beta. "However, if the second beta of 4.1 is any indication, it will be only partly successful in quieting user dissent. On the one hand, KDE 4.1 includes the first 4.x versions of several major KDE applications, which goes a long way toward improving the user experience. And, in both other programs as well as the desktop, the second beta sports countless improvements in functionality and design. On the other hand, not only are many of the interface changes that people complain about still there, but the new Folder View raises a whole new set of issues about how users organize their desktops."

Comments (11 posted)

KOffice 2 Alpha 8 Reviewed (TechWorld)
[Press] Posted Jul 4, 2008 18:11 UTC (Fri) by ris

TechWorld takes a look at KOffice 2.0 Alpha 8. "KOffice 2.0 Alpha 8 ships as a suite of applications. In addition to the familiar word processor (KWord), spreadsheet (Kspread) and charting (Kchart), and presentation applications (KPresenter), KOffice has a wealth of tools for content design, manipulation and display. For the creative professional, there's Krita a fully-fledged graphic design and image manipulation tool, Karbon14 a Scalable Vector Graphics editor, and Kivio for flowcharts and diagrams. Also included is Kexi for database development (touted as "Microsoft Access for Linux"), and KPlato for project management. Other tools are KnetAttach, a network folder wizard, Kformula for mathematical formula editing, and a thesaurus." (Found on KDE.News)

Comments (none posted)

Security advisories for Friday
[Security] Posted Jul 4, 2008 18:11 UTC (Fri) by ris

SUSE has updated sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 (various issues).

Mandriva has updated php (multiple vulnerabilities: 2007.1, Corporate 4.0, 2008.0, 2008.1, Corporate 3.0, Multi Network Firewall 2.0, Corporate 4.0).

Fedora 8 has updated ruby (multiple vulnerabilities).

Debian has updated wordpress (several vulnerabilities).

Comments (none posted)

[$] Notes on the Viacom ruling
[Front] Posted Jul 4, 2008 17:29 UTC (Fri) by corbet

Google's purchase of YouTube always seemed questionable to some observers: it looked as if Google were buying itself a whole new source of copyright lawsuits. One of the benefits of that purchase came through on July 2, when a U.S. District Court ordered Google to hand over its complete set of YouTube traffic logs, containing information about every video viewed on the service. See Groklaw for the full text of the order. If this order stands, millions of users worldwide will have their viewing data handed over to a litigious entertainment industry company. There are a couple of important implications to draw from this turn of events, so LWN will venture a little far afield and take a look.

Full Story (comments: 24)

Ubuntu 8.04.1 LTS released
[Distributions] Posted Jul 4, 2008 13:42 UTC (Fri) by corbet

The first maintenance release to the Ubuntu "Hardy" release is available. They've fixed a number of issues, but not all of them... "While we have fixed a number of audio-related issues, including a scheduler problem that caused audio stuttering under load, other audio playback problems may still exist, because so far we have been unable to verify a targeted fix that does not cause regressions for other users."

Full Story (comments: 15)

Acer's Linpus Linux Lite (Fedora) ultra portable laptop piles the pressure on Microsoft (FSM)
[Press] Posted Jul 3, 2008 22:46 UTC (Thu) by cook

Free Software Magazine reviews the Acer Linpus Linux Lite ultra portable laptop. "It is due to launch here in the UK in early July with the GNU/Linux version with a price tag of £199. (Yes, surprise, surprise, they’re offering Windows XP too.) Given the specification (Intel atom N270 chip, 8.9 inch screen, webcam, 1024 x 600 resolution, 8GB SSD, three USB ports, VGA, and two SD card slots, two mini PCI slots (one for the WiFi and one for upcoming Wimax or HSDPA), Ethernet port, touchpad, 802.11b/g WiFi and a default 512MB of memory with a spare slot to add more) the Aspire One represents stonking good value for money."

Comments (23 posted)

Purple Labs acquires mobile browser business from Openwave
[Commerce] Posted Jul 3, 2008 17:59 UTC (Thu) by cook

Purple Labs has announced the acquisition of Openwave Systems. "Purple Labs, a French developer of Linux-based mobile software, today announced that it has completed its acquisition of the mobile client software business of California-based Openwave Systems, in an asset sale valued at more than $32 million. The browser and messaging products acquired in the deal are among the best-selling mobile applications in the world, having already shipped in more than 1.5 billion mobile phones. Following the acquisition, Purple Labs now supplies mobile browser software to all of the top 5 phone manufacturers, which together produce over 80% of the world’s mobile phones."

Comments (none posted)

Thursday Security Updates
[Security] Posted Jul 3, 2008 17:59 UTC (Thu) by cook

CentOS has updated seamonkey (multiple vulnerabilities) and firefox (multiple vulnerabilities).

Fedora 8 has updated glib2 (buffer overflow), openldap (denial of service) and linuxdcpp (denial of service).

Fedora 9 has updated glib2 (buffer overflow), openldap (denial of service), linuxdcpp (denial of service), ruby (multiple vulnerabilities) and squid (denial of service).

rPath has updated mercurial (unauthorized access) and tshark/wireshark (multiple vulnerabilities).

Comments (none posted)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.