DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Join us at irc.freenode.net #distrowatch
Distributions and security updates
One of the main Linux stories of the past week was the security vulnerability affecting a considerable range of Linux kernels. The vmsplice() system call, introduced into the kernel in version 2.6.17 (and extended in versions 2.6.23 and 2.6.24, which brought two additional vulnerabilities), was the source of the problem. A bug in this code allowed any unprivileged user with a local login on a system running a vulnerable kernel to obtain root privileges simply by running a small program (a local privilege escalation exploit). Millions of machines were affected.
The vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day, and a new kernel, version 2.6.24.2, was made available on February 11th. The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to working exploit code for the vmsplice() vulnerability. Although rated as "less critical" (or 2 out of 5 on the severity barometer) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was wide open, and with a reliable exploit circulating in public the chances of a successful compromise increased dramatically. Even a single-user desktop could be fully taken over: an attacker who first gained unprivileged code execution through an unrelated bug (in a browser or other network-facing application, say) could then run the vmsplice() exploit to escalate to root.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories only Gentoo Linux has failed to publish one; although the vmsplice() issue has already been reported in Gentoo's Bugzilla, no security fix has been made available at the time of writing. (Update: Apparently Gentoo does not issue security advisories for the Linux kernel; however the vmsplice() vulnerability was fixed and announcement published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but looking at its current directory, all their kernel packages have a time stamp of 11 or 12 February - presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution comes with an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even if PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not making update information available to their users in a clear manner.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists a 2.6.24.1 kernel, apparently the vulnerable version (correction: Arch Linux released a fix on February 10th). Users of Sabayon Linux have been left completely to their own devices - the project provides no security advisories or package updates. And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether or not they have provided a patch for the vulnerability or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
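The Arch Linux correction above illustrates the trap: a package still labelled 2.6.24.1 had already been patched, so the upstream version number alone cannot tell you whether a distribution kernel is fixed. The script below is an added example, not code from the original article or from any distribution's tooling. It parses a `uname -r` string (dropping distribution suffixes such as `-1-686` or `-53.1.13.el5`), places the upstream version against the window the article describes (vmsplice() introduced in 2.6.17, fixed upstream in 2.6.24.2), and, for anything inside that window, reports that only the distribution's advisory or package changelog can settle the question. The sample release strings are constructed for illustration; the verdict names are this example's own.

```python
"""Rough triage for the vmsplice() kernel bug: is the running kernel inside the
upstream window, and can the version number alone settle the question?"""
import platform
import re
from typing import Optional, Tuple

# Upstream window taken from the article: vmsplice() appeared in 2.6.17 and the
# upstream fix shipped in 2.6.24.2. Anything older than 2.6.17 does not have the
# system call at all; anything at or after 2.6.24.2 carries the fix.
FIRST_AFFECTED = (2, 6, 17, 0)
FIRST_FIXED = (2, 6, 24, 2)

# Matches the leading upstream version of a `uname -r` string and ignores the
# distribution suffix ("-1-686", "-53.1.13.el5", "-ARCH", "-generic", ...).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, sublevel) from a kernel release string,
    or None if it does not start with a dotted version number."""
    m = _VERSION_RE.match(release.strip())
    if m is None:
        return None
    major, minor, patch, sublevel = m.groups()
    return (int(major), int(minor), int(patch), int(sublevel) if sublevel else 0)


def classify(release: str) -> str:
    """Classify a kernel release string against the upstream window.

    'not-affected'   - predates vmsplice(), nothing to fix
    'fixed-upstream' - 2.6.24.2 or later, the fix is in the upstream version
    'check-advisory' - inside the window; distributions backport fixes without
                       changing the upstream number, so only the vendor's
                       advisory (or the package changelog) can settle it
    'unknown'        - not a recognisable version string
    """
    version = parse_kernel_release(release)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "not-affected"
    if version >= FIRST_FIXED:
        return "fixed-upstream"
    return "check-advisory"


def triage(releases):
    """Classify several release strings at once; returns {release: verdict}."""
    return {r: classify(r) for r in releases}


# Constructed sample inputs in the shapes distributions actually use.
SAMPLE_RELEASES = [
    "2.6.16.60-0.21-default",  # older than 2.6.17: no vmsplice() at all
    "2.6.18-53.1.13.el5",       # in the window: RHEL-style, possibly backported
    "2.6.22-14-generic",        # in the window: Ubuntu-style, possibly backported
    "2.6.24.1-ARCH",            # in the window: the number alone misleads
    "2.6.24.2",                 # carries the upstream fix
    "not-a-kernel",             # garbage in
]

if __name__ == "__main__":
    for rel, verdict in triage(SAMPLE_RELEASES).items():
        print(f"{rel:28s} {verdict}")
    here = platform.release()  # the running kernel, same string as `uname -r`
    print(f"{'this host (' + here + ')':28s} {classify(here)}")
```

Run it on the machine in question and treat "check-advisory" as a prompt to read the vendor's advisory for the kernel package, not as a verdict either way; a distribution kernel reporting 2.6.18 or 2.6.22 may well carry the backported fix.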
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for the x86 and x86_64 architectures. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2, that integrates many new features and bug fixes. Along with the basic Xfce desktop environment, the Thunar file manager and a comprehensive set of plugins and additional Xfce utilities like the Xarchiver archive manager and the Orage calendar application are included. All available languages in Fedora have also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent). Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).
VectorLinux 5.9 "Light" edition running the default JWM desktop
(full image size: 603kB, screen resolution: 1280x1024 pixels)
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
Released Last Week
LinuxTLE 9.0 "Hua-Hin"
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin", based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and the DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.
LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers
(full image size: 799kB, screen resolution: 1280x1024 pixels)
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.
Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool
(full image size: 486kB, screen resolution: 1280x1024 pixels)
SLAX 6.0.0
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use the root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.
SLAX 6.0 - the default desktop
(full image size: 621kB, screen resolution: 1280x1024 pixels)
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend immediately removing any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with ability to view WML syntax, GIMP 2.4, AbiWord, Xfmedia player, Firefox, Pidgin and gFTP (to send files over Internet). On the CD there are also binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16) and Wesnoth 1.2.8 source code. Also Poedit is here for Windows, Mac OS X and Ubuntu. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is a remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.