DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Distributions and security updates
One of the main Linux stories of the past week was a security vulnerability affecting a considerable range of Linux kernels. The problem lay in the vmsplice() system call, introduced in kernel 2.6.17; the code added to it in versions 2.6.23 and 2.6.24 brought two further vulnerabilities of the same kind. In each case the kernel failed to verify that the addresses handed to it by the caller pointed into user-space memory. Because of these bugs, an unprivileged user logged in to a system running a vulnerable kernel could easily obtain root privileges by running a small program (a "privilege escalation exploit"). Millions of machines were affected.
The vulnerabilities were first made public on February 8th. According to the Linux kernel changelog the fix went in the same day, and a new stable kernel containing it, version 2.6.24.2, was made available on February 11th. (The three issues were assigned CVE-2008-0009, CVE-2008-0010 and CVE-2008-0600; the last of these, the one targeted by the published exploit, affects every kernel from 2.6.17 up to and including 2.6.24.1.) The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to the exploit code. Although rated as "less critical" (2 out of 5 on its severity scale) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was open to every local user, and with a working exploit in circulation the chances of a successful compromise rose dramatically. Even single-user desktop machines were at risk: any unrelated code execution flaw in a network-facing application, combined with this exploit, yields root.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories, only Gentoo Linux had failed to publish one at the time of writing; although the vmsplice() issue had been reported in Gentoo's Bugzilla, no security fix had been made available. (Update: Gentoo does not issue security advisories for the Linux kernel; the vmsplice() vulnerability was, however, fixed and an announcement published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table of security advisories. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but a look at its current package directory shows that all of its kernel packages carry a time stamp of 11 or 12 February, presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution ships an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even though PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not telling their users clearly what was fixed and when; a package time stamp is no substitute for an advisory.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution, since its "rolling" package update mechanism delivers new packages continuously. But a quick look at their core tree revealed that, six days after the vmsplice() vulnerability was published, it still only listed the vulnerable kernel (correction: Arch Linux released a fix on February 10th, which rather illustrates the point: without an advisory, a fixed package is hard to tell apart from a vulnerable one). Users of Sabayon Linux have been left completely to their own devices: the project provides neither security advisories nor package updates. And although Zenwalk Linux does have a security section in its forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether they have provided a patch for the vulnerability, or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling, Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for x86 and x86_64 architecture. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2 that integrates many new features and bug fixes. Along with the basic Xfce desktop environment, the Thunar file manager, a comprehensive set of plugins and additional Xfce utilities like the Xarchiver archive manager and the Orage calendar application are included. All available languages in Fedora have also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent). Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).
VectorLinux 5.9 "Light" edition running the default JWM desktop
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
Released Last Week
LinuxTLE 9.0 "Hua-Hin"
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin" and based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.
LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.
Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool
SLAX 6.0.0
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.
SLAX 6.0 - the default desktop
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend immediately removing any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with the ability to view WML syntax, GIMP 2.4, AbiWord, the Xfmedia player, Firefox, Pidgin and gFTP (to send files over the Internet). The CD also carries binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16), the Wesnoth 1.2.8 source code, and Poedit builds for Windows, Mac OS X and Ubuntu. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is a remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.