| DistroWatch Weekly
|DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Join us at irc.freenode.net #distrowatch
Distributions and security updates
One of the main Linux stories of the past week was the security vulnerability affecting a considerable range of Linux kernels. The vmsplice() system call, introduced into the kernel in version 2.6.17 (and further expanded in versions 2.6.23 and 2.6.24, which resulted in two additional vulnerabilities) was responsible for the problem. As a result of this code, an unprivileged user logged in to any of the systems running the vulnerable kernel could easily obtain root privileges by executing certain code (this is known as "privilege escalation exploit"). Millions of machines were affected.
The vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day and a new kernel, version 22.214.171.124, was made available on February 11th. The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to the code that was capable of exploiting the vmsplice() vulnerability. Although rated as "less critical" (or 2 out of 5 on the severity barometer) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was vulnerable, while chances of a successful system compromise also increased dramatically. Even single-user desktop machines could be compromised through an unrelated code execution exploit.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories only Gentoo Linux has failed to publish one; although the vmsplice() issue has already been reported in Gentoo's Bugzilla, no security fix has been made available at the time of writing. (Update: Apparently Gentoo does not issue security advisories for the Linux kernel; however the vmsplice() vulnerability was fixed and announcement published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but looking at its current directory, all their kernel packages have a time stamp of 11 or 12 February - presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution comes with an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even if PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not making update information available to their users in a clear manner.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 126.96.36.199 kernel (correction: Arch Linux released a fix on February 10th). Users of Sabayon Linux have been left completely to their own devices - the project provides no security advisories or package updates. And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether or not they have provided a patch for the vulnerability or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling, Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for x86 and x86_64 architecture. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2 that integrates many new features and bug fixes. Along with the basic Xfce desktop environment, Thunar file manager and a comprehensive set of plugins and additional Xfce utilities like Xarchiver archive manager and Orage calendar application is included. All available languages in Fedora has also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent). Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).
VectorLinux 5.9 "Light" edition running the default JWM desktop
(full image size: 603kB, screen resolution: 1280x1024 pixels)
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
|Released Last Week
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin" and based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.
LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers
(full image size: 799kB, screen resolution: 1280x1024 pixels)
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.
Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool
(full image size: 486kB, screen resolution: 1280x1024 pixels)
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.
SLAX 6.0 - the default desktop
(full image size: 621kB, screen resolution: 1280x1024 pixels)
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with ability to view WML syntax, GIMP 2.4, AbiWord, Xfmedia player, Firefox, Pidgin and gFTP (to send files over Internet). On the CD there are also binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16) and Wesnoth 1.2.8 source code. Also Poedit is here for Windows, Mac OS X and Ubuntu. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
|Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is an remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.
|Linux Foundation Training
|• Issue 797 (2019-01-14): Reborn OS 2018.11.28, TinyPaw-Linux 1.3, dealing with processes which make the desktop unresponsive, Debian testing Secure Boot support|
|• Issue 796 (2019-01-07): FreeBSD 12.0, Peppermint releases ISO update, picking the best distro of 2018, roundtable interview with Debian, Fedora and elementary developers|
|• Issue 795 (2018-12-24): Running a Pinebook, interview with Bedrock founder, Alpine being ported to RISC-V, Librem 5 dev-kits shipped|
|• Issue 794 (2018-12-17): Void 20181111, avoiding software bloat, improvements to HAMMER2, getting application overview in GNOME Shell|
|• Issue 793 (2018-12-10): openSUSE Tumbleweed, finding non-free packages, Debian migrates to usrmerge, Hyperbola gets FSF approval|
|• Issue 792 (2018-1203): GhostBSD 18.10, when to use swap space, DragonFly BSD's wireless support, Fedora planning to pause development schedule|
|• Issue 791 (2018-11-26): Haiku R1 Beta1, default passwords on live media, Slax and Kodachi update their media, dual booting DragonFly BSD on EFI|
|• Issue 790 (2018-11-19): NetBSD 8.0, Bash tips and short-cuts, Fedora's networking benchmarked with FreeBSD, Ubuntu 18.04 to get ten years of support|
|• Issue 789 (2018-11-12): Fedora 29 Workstation and Silverblue, Haiku recovering from server outage, Fedora turns 15, Debian publishes updated media|
|• Issue 788 (2018-11-05): Clu Linux Live 6.0, examining RAM consumpion, finding support for older CPUs, more Steam support for running Windows games on Linux, update from Solus team|
|• Issue 787 (2018-10-29): Lubuntu 18.10, limiting application access to specific users, Haiku hardware compatibility list, IBM purchasing Red Hat|
|• Issue 786 (2018-10-22): elementary OS 5.0, why init keeps running, DragonFly BSD enables virtual machine memory resizing, KDE neon plans to drop older base|
|• Issue 785 (2018-10-15): Reborn OS 2018.09, Nitrux 1.0.15, swapping hard drives between computers, feren OS tries KDE spin, power savings coming to Linux|
|• Issue 784 (2018-10-08): Hamara 2.1, improving manual pages, UBports gets VoIP app, Fedora testing power saving feature|
|• Issue 783 (2018-10-01): Quirky 8.6, setting up dual booting with Ubuntu and FreeBSD, Lubuntu switching to LXQt, Mint works on performance improvements|
|• Issue 782 (2018-09-24): Bodhi Linux 5.0.0, Elive 3.0.0, Solus publishes ISO refresh, UBports invites feedback, Linux Torvalds plans temporary vacation|
|• Issue 781 (2018-09-17): Linux Mint 3 "Debian Edition", file systems for SSDs, MX makes installing Flatpaks easier, Arch team answers questions, Mageia reaches EOL|
|• Issue 780 (2018-09-10): Netrunner 2018.08 Rolling, Fedora improves language support, how to customize Kali Linux, finding the right video drivers|
|• Issue 779 (2018-09-03): Redcore 1806, keeping ISO downloads safe from tampering, Lubuntu makes Calamares more flexible, Ubuntu improves GNOME performance|
|• Issue 778 (2018-08-27): GuixSD 0.15.0, ReactOS 0.4.9, Steam supports Windows games on Linux, Haiku plans for beta, merging disk partitions|
|• Issue 777 (2018-08-20): YunoHost 188.8.131.52, limiting process resource usage, converting file systems on Fedora, Debian turns 25, Lubuntu migrating to Wayland|
|• Issue 776 (2018-08-13): NomadBSD 1.1, Maximum storage limits on Linux, openSUSE extends life for 42.3, updates to the Librem 5 phone interface|
|• Issue 775 (2018-08-06): Secure-K OS 18.5, Linux is about choice, Korora tests community spin, elementary OS hires developer, ReactOS boots on Btrfs|
|• Issue 774 (2018-07-30): Ubuntu MATE & Ubuntu Budgie 18.04, upgrading software from source, Lubuntu shifts focus, NetBSD changes support policy|
|• Issue 773 (2018-07-23): Peppermint OS 9, types of security used by different projects, Mint reacts to bugs in core packages, Slackware turns 25|
|• Issue 772 (2018-07-16): Hyperbola GNU/Linux-libre 0.2.4, UBports running desktop applications, OpenBSD auto-joins wi-fi networks, boot environments and zedenv|
|• Issue 771 (2018-07-09): Linux Lite 4.0, checking CPUs for bugs, configuring GRUB, Mint upgrade instructions, SUSE acquired by EQT|
|• Issue 770 (2018-07-02): Linux Mint 19, Solus polishes desktop experience, MintBox Mini 2, changes to Fedora's installer|
|• Issue 769 (2018-06-25): BunsenLabs Helium, counting Ubuntu users, UBports upgrading to 16.04, Fedora CoreOS, FreeBSD turns 25|
|• Issue 768 (2018-06-18): Devuan 2.0.0, using pkgsrc to manage software, the NOVA filesystem, OpenBSD handles successful cron output|
|• Issue 767 (2018-06-11): Android-x86 7.1-r1, transferring files over OpenSSH with pipes, LFS with Debian package management, Haiku ports LibreOffice|
|• Issue 766 (2018-06-04): openSUSE 15, overview of file system links, Manjaro updates Pamac, ReactOS builds itself, Bodhi closes forums|
|• Issue 765 (2018-05-28): Pop!_OS 18.04, gathering system information, Haiku unifying ARM builds, Solus resumes control of Budgie|
|• Issue 764 (2018-05-21): DragonFly BSD 5.2.0, Tails works on persistent packages, Ubuntu plans new features, finding services affected by an update|
|• Issue 763 (2018-05-14): Fedora 28, Debian compatibility coming to Chrome OS, malware found in some Snaps, Debian's many flavours|
|• Issue 762 (2018-05-07): TrueOS 18.03, live upgrading Raspbian, Mint plans future releases, HardenedBSD to switch back to OpenSSL|
|• Issue 761 (2018-04-30): Ubuntu 18.04, accessing ZFS snapshots, UBports to run on Librem 5 phones, Slackware makes PulseAudio optional|
|• Issue 760 (2018-04-23): Chakra 2017.10, using systemd to hide files, Netrunner's ARM edition, Debian 10 roadmap, Microsoft develops Linux-based OS|
|• Issue 759 (2018-04-16): Neptune 5.0, building containers with Red Hat, antiX introduces Sid edition, fixing filenames on the command line|
|• Issue 758 (2018-04-09): Sortix 1.0, openSUSE's Transactional Updates, Fedora phasing out Python 2, locating portable packages|
|• Issue 757 (2018-04-02): Gatter Linux 0.8, the UNIX and Linux System Administration Handbook, Red Hat turns 25, super long term support kernels|
|• Issue 756 (2018-03-26): NuTyX 10.0, Neptune supplies Debian users with Plasma 5.12, SolydXK on a Raspberry Pi, SysV init development|
|• Issue 755 (2018-03-19): Learning with ArchMerge and Linux Academy, Librem 5 runs Plasma Mobile, Cinnamon gets performance boost|
|• Issue 754 (2018-03-12): Reviewing Sabayon and Antergos, the growing Linux kernel, BSDs getting CPU bug fixes, Manjaro builds for ARM devices|
|• Issue 753 (2018-03-05): Enso OS 0.2, KDE Plasma 5.12 features, MX Linux prepares new features, interview with MidnightBSD's founder|
|• Issue 752 (2018-02-26): OviOS 2.31, performing off-line upgrades, elementary OS's new installer, UBports gets test devices, Redcore team improves security|
|• Issue 751 (2018-02-19): DietPi 6.1, testing KDE's Plasma Mobile, Nitrux packages AppImage in default install, Solus experiments with Wayland|
|• Issue 750 (2018-02-12): Solus 3, getting Deb packages upstream to Debian, NetBSD security update, elementary OS explores AppCentre changes|
|• Issue 749 (2018-02-05): Freespire 3 and Linspire 7.0, misunderstandings about Wayland, Xorg and Mir, Korora slows release schedule, Red Hat purchases CoreOS|
|• Issue 748 (2018-01-29): siduction 2018.1.0, SolydXK 32-bit editions, building an Ubuntu robot, desktop-friendly Debian options|
|• Issue 747 (2018-01-22): Ubuntu MATE 17.10, recovering open files, creating a new distribution, KDE focusing on Wayland features|
|• Issue 746 (2018-01-15): deepin 15.5, openSUSE's YaST improvements, new Ubuntu 17.10 media, details on Spectre and Meltdown bugs|
|• Full list of all issues|
|Random Distribution |
N-iX Desktop Linux
N-iX Destkop Linux was a Linux Distribution based on Fedora Core. You can download the ISO images and just have a N-iX customised version of Fedora with some additional stuff, like Java, Flash, Adobe Acrobat Reader, K3B and other software working right from the box. You don't need to search and install those programs. But if you also want to run N-iX tools, like XPlat Messenger Client, Cross Network Client you should buy a licence for N-iX Desktop Linux.
|Tips, Tricks, Myths and Q&As |
|Tips and tricks: Running openSUSE "Factory"|
|Questions and answers: Alternatives to GNOME 3|
|Tips and tricks: Command line weather, ionice, rename files, video preview snapshot, calednar, ls colour settings|
|Questions and answers: Switching file systems on the fly|
|Questions and answers: When to use swap space|
|Tips and tricks: Fix filenames, manage networks from the command line and more command line tips|
|Myths and misunderstandings: The spread of systemd and launchd|
|Tips and tricks: Waking up your computer remotely|
|Questions and answers: Open-source applications for live streaming, difference between desktop environments and window managers|
|Tips and tricks: Check free disk space, wait for a process, command line spell-check, shutdown PC when CPU gets hot|
|More Tips & Tricks and Questions & Answers|