DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Distributions and security updates
One of the main Linux stories of the past week was the security vulnerability affecting a considerable range of Linux kernels. The vmsplice() system call, introduced into the kernel in version 2.6.17 (and further expanded in versions 2.6.23 and 2.6.24, which resulted in two additional vulnerabilities), was responsible for the problem. As a result of this code, an unprivileged user logged in to any system running a vulnerable kernel could easily obtain root privileges by executing certain code (this is known as a "privilege escalation exploit"). Millions of machines were affected.
The vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day and a new kernel, version 188.8.131.52, was made available on February 11th. The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to the code that was capable of exploiting the vmsplice() vulnerability. Although it was rated as "less critical" (or 2 out of 5 on the severity barometer) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was vulnerable, and the chances of a successful system compromise increased dramatically. Even single-user desktop machines could be compromised through an unrelated code execution exploit.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories, only Gentoo Linux has failed to publish one; although the vmsplice() issue has already been reported in Gentoo's Bugzilla, no security fix has been made available at the time of writing. (Update: Apparently Gentoo does not issue security advisories for the Linux kernel; however, the vmsplice() vulnerability was fixed and an announcement was published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but looking at its current directory, all their kernel packages have a time stamp of 11 or 12 February - presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution comes with an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even if PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not making update information available to their users in a clear manner.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 184.108.40.206 kernel (correction: Arch Linux released a fix on February 10th). Users of Sabayon Linux have been left completely to their own devices - the project provides no security advisories or package updates. And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether or not they have provided a patch for the vulnerability or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling, Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for x86 and x86_64 architecture. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2 that integrates many new features and bug fixes. Along with the basic Xfce desktop environment, Thunar file manager and a comprehensive set of plugins and additional Xfce utilities like Xarchiver archive manager and Orage calendar application is included. All available languages in Fedora has also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent). Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).
VectorLinux 5.9 "Light" edition running the default JWM desktop
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
Released Last Week
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin" and based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.
LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.
Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.
SLAX 6.0 - the default desktop
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with ability to view WML syntax, GIMP 2.4, AbiWord, Xfmedia player, Firefox, Pidgin and gFTP (to send files over Internet). On the CD there are also binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16) and Wesnoth 1.2.8 source code. Also Poedit is here for Windows, Mac OS X and Ubuntu. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is a remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.