| DistroWatch Weekly
|DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Join us at irc.freenode.net #distrowatch
Distributions and security updates
One of the main Linux stories of the past week was the security vulnerability affecting a considerable range of Linux kernels. The vmsplice() system call, introduced into the kernel in version 2.6.17 (and further expanded in versions 2.6.23 and 2.6.24, which resulted in two additional vulnerabilities) was responsible for the problem. As a result of this code, an unprivileged user logged in to any of the systems running the vulnerable kernel could easily obtain root privileges by executing certain code (this is known as "privilege escalation exploit"). Millions of machines were affected.
The vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day and a new kernel, version 184.108.40.206, was made available on February 11th. The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to the code that was capable of exploiting the vmsplice() vulnerability. Although rated as "less critical" (or 2 out of 5 on the severity barometer) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was vulnerable, while chances of a successful system compromise also increased dramatically. Even single-user desktop machines could be compromised through an unrelated code execution exploit.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories only Gentoo Linux has failed to publish one; although the vmsplice() issue has already been reported in Gentoo's Bugzilla, no security fix has been made available at the time of writing. (Update: Apparently Gentoo does not issue security advisories for the Linux kernel; however the vmsplice() vulnerability was fixed and announcement published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but looking at its current directory, all their kernel packages have a time stamp of 11 or 12 February - presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution comes with an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even if PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not making update information available to their users in a clear manner.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 220.127.116.11 kernel (correction: Arch Linux released a fix on February 10th). Users of Sabayon Linux have been left completely to their own devices - the project provides no security advisories or package updates. And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether or not they have provided a patch for the vulnerability or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling, Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for x86 and x86_64 architecture. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2 that integrates many new features and bug fixes. Along with the basic Xfce desktop environment, Thunar file manager and a comprehensive set of plugins and additional Xfce utilities like Xarchiver archive manager and Orage calendar application is included. All available languages in Fedora has also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent). Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).
VectorLinux 5.9 "Light" edition running the default JWM desktop
(full image size: 603kB, screen resolution: 1280x1024 pixels)
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
|Released Last Week
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin" and based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.
LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers
(full image size: 799kB, screen resolution: 1280x1024 pixels)
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.
Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool
(full image size: 486kB, screen resolution: 1280x1024 pixels)
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.
SLAX 6.0 - the default desktop
(full image size: 621kB, screen resolution: 1280x1024 pixels)
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with ability to view WML syntax, GIMP 2.4, AbiWord, Xfmedia player, Firefox, Pidgin and gFTP (to send files over Internet). On the CD there are also binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16) and Wesnoth 1.2.8 source code. Also Poedit is here for Windows, Mac OS X and Ubuntu. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
|Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is an remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.
|• Issue 662 (2016-05-23): Clonezilla Live, new Fedora community repository, DragonFlyBSD runs Wayland, a live edition of Slackware and kernel components|
|• Issue 661 (2016-05-16): FreeBSD 10.3, OpenMandriva adopts Clang, Debian adds ZFS packages, PCLinuxOS drops 32-bit and comparing CentOS with RHEL|
|• Issue 660 (2016-05-09): Ubuntu MATE 16.04, Mint's xapps, FreeBSD Quarterly Report, Debian updates 32-bit support, addressing GPL violations|
|• Issue 659 (2016-05-02): Ubuntu 16.04, compiling custom kernels, Cinnamon 3.0, Sabayon launches ARM build, Devuan ships Beta release|
|• Issue 658 (2016-04-25): Kali Linux 2016.1, elementary OS 0.3.2, Debian elects Project Leader, Fedora 24 feature preview, Nard reaches 1.0|
|• Issue 657 (2016-04-18): Redox, Linux Mint improves update manager, planned Fedora 24 features, Ubuntu 16.04 getting Snappy packages|
|• Issue 656 (2016-04-11): Qubes OS 3.1, Whonix offers bug bounties, Puppy's family tree, setting up disk partitions and running bash on Windows|
|• Issue 655 (2016-04-04): Parsix 8.5, Sabayon's Community repository, Red Hat offers free subscriptions, Ubuntu tablets, command line tips|
|• Issue 654 (2016-03-28): PCLinuxOS 2016.03, Using signatures to create a web of trust, Arch Linux rolls out Pacman update, GuixSD packages GNOME|
|• Issue 653 (2016-03-21): Antergos 2016.02.21, Debian prepares for election, a Unix-like OS written in Rust, watching Netflix on FreeBSD|
|• Issue 652 (2016-03-14): ReactOS 0.4.0, Debian swaps Iceweasel for Firefox, Fedora moving forward with Wayland, Verifying ISO files|
|• Issue 651 (2016-03-07): Korora 23, Linux Mint improves security, Ubuntu MATE on Raspberry Pi 3 computers, trying different file systems|
|• Issue 650 (2016-02-29): Haiku in 2016, running Android apps on GNU/Linux, 30 years of MINIX, Fedora plans Atomic Workstation|
|• Issue 649 (2016-02-22): Zorin OS 11, openSUSE launches new editions, Linux Mint website compromised, sandboxing applications using Firejail|
|• Issue 648 (2016-02-15): XStream Desktop 153, Raspbian unveils OpenGL feature, free hardware, Ikey Doherty talks desktop design|
|• Issue 647 (2016-02-08): Tails 2.0, KDE project launches Neon, Manjaro unveils ARM support, FreeBSD's quarterly report|
|• Issue 646 (2016-02-01): deepin 15, Mint plans X-Apps, FreeBSD to support boot environments, logging into the desktop as root|
|• Issue 645 (2016-01-25): Linux Mint 17.3 "Xfce", Chromixium changes its name, Ubuntu tablets coming soon, Linux vs BSD comparision|
|• Issue 644 (2016-01-18): Kwort 4.3, Sabayon tests ARM images, Slackware adopts PulseAudio, running Linux without GNU software|
|• Issue 643 (2016-01-11): Solus 1.0, Mint provide upgrade path to 17.3, Fedora developers work on stability, running the LXQt desktop|
|• Issue 642 (2016-01-04): paldo GNU/Linux, vetting distro repositories, Fedora plans to adopt GCC 6, Ian Murdock passes|
|• Issue 641 (2015-12-21): Arch Linux, Qubes OS to ship on Librem laptops, ALT offers start kit images, the spread of systemd and launchd|
|• Issue 640 (2015-12-14): Chakra GNU/Linux 2015.11, removing meta-data from files, Ubuntu to remove on-line dash searches|
|• Issue 639 (2015-12-07): OpenBSD 5.8, openSUSE gathers Summer of Code proposals, running WINE on a live disc, Enlightenment adds Wayland support|
|• Issue 638 (2015-11-30): Qubes OS 3.0, KaOS with Plasma, NetBSD 7.0, Fedora seeks Wayland testers, scheduling tasks|
|• Issue 637 (2015-11-23): NixOS 15.09, Antergos introduces ZFS support, MINIX shares new features, copying an OS to a new computer|
|• Issue 636 (2015-11-16): openSUSE 42.1, Fedora uses Wayland by default, Debian replaces live CD project, Steam consoles launch|
|• Issue 635 (2015-11-09): Fedora 23, Cinnamon 2.8 released, a Fedora KDE packager quits, Red Hat signs deal with Microsoft|
|• Issue 634 (2015-11-02): Ubuntu 15.10, Chakra upgrades to Plasma 5, OpenMandriva plans new editions, MINIX plans conference|
|• Issue 633 (2015-10-26): GhostBSD 10.1, Bodhi Linux to get new settings panel, Fedora 23 delayed, creating live image of existing OS|
|• Issue 632 (2015-10-19): Linux Lite 2.6, 32-bit build of CentOS, OpenBSD turns 20, Bodhi Linux releases AppPack|
|• Issue 631 (2015-10-12): Parsix 8.0, Manjaro seeks new artwork, sending commands to multiple servers, Debian drops LSB support|
|• Issue 630 (2015-10-05): Android-x86 4.4-r3, Ubuntu's new installer, Raspbian defaults to GUI interface, cleaning out dot files|
|• Issue 629 (2015-09-28): Open source desktops and touch interfaces, locking down user accounts, OpenMandriva opens gaming documentation|
|• Issue 628 (2015-09-21): Neptune 4.4, changes to pfSense, Pinguy OS releases updated ISO images, accessing hard disk images|
|• Issue 627 (2015-09-14): Mageia 5, Snappy co-exists with Debian packages, creating PDF/A documents, Antergos previews Poodle|
|• Issue 626 (2015-09-07): Status of Wayland and Mir, Cinnamon improvements, an OpenBSD hypervisor, HAMMER2 gets deduplication|
|• Issue 625 (2015-08-31): OpenELEC 5.0.8, Fedora's new Wayland features, Tails releases update, the LILO boot loader|
|• Issue 624 (2015-08-24): Zorin OS 10, Sabayon's new features, Solus seeks funding, Debian turns 22, new PC-BSD repository|
|• Issue 623 (2015-08-17): VectorLinux 7.1, Ubuntu One source released, Moksha Desktop ships in Bodhi, Fedora developers debate Chromium|
|• Issue 622 (2015-08-10): antiX 15, Fedora tests kdbus, Debian tracks UEFI issues, word processors for the CLI|
|• Issue 621 (2015-08-03): Point Linux 3.0, Debian drops Sparc, Fedora package stats, VirtualBox 5.0|
|• Issue 620 (2015-07-27): Debian GNU/Hurd 2015, Linux Bible, Ubuntu MATE gets new Welcome app, Telegram on Fedora, Plasma Mobile|
|• Issue 619 (2015-07-20): SolydXK 201506, Tanglu's new bug tracker, FSF and Canonical negotiate licensing, Haiku unveils new init system|
|• Issue 618 (2015-07-13): Semplice Linux 7, openSUSE derivatives, Debian adopts GCC 5, Docker ported to FreeBSD|
|• Issue 617 (2015-07-06): Alpine linux 3.2.0, Fedora on MIPS CPUs, Solus offers daily builds, Ubuntu migrating to Snappy|
|• Issue 616 (2015-06-29): MidnightBSD 0.6, openSUSE's "42", encryption added to the ext4 file system, FreeBSD on a Raspberry Pi|
|• Issue 615 (2015-06-22): Raspbian 2015, Fedora works around Intel driver issue, openSUSE adopts GCC 5, frozen desktop while copying files|
|• Issue 614 (2015-06-15): Chromixium OS 1.0, Debian 8.1 released, OpenBSD running in the cloud, sudo myths|
|• Issue 613 (2015-06-08): Fedora 22, Cinnamon 2.6 released, FreeBSD's history, working around Secure Boot|
|• Issue 612 (2015-06-01): Manjaro OpenRC, Debian, Devuan and systemd, Fedora 22 released, Mandriva closes its doors|
|• Issue 611 (2015-05-25): Kubuntu 15.04, openSUSE adopts Plasma 5, Ubuntu's Snappy, words from Debian's Neil McGovern|
|• Full list of all issues|
NEW! Cyber Threat!
NEW! An in-depth examination of the very real cyber security risks facing all facets of government and industry
FREE 224-page eBook