
LWN.net Weekly Edition for October 7, 2004

A busy week for the courts

Various courts in the U.S. have handed down a set of decisions in the last week which have strong implications for the free software community. Here is a quick rundown of what the courts have been saying.

bnetd

The developers of bnetd had a straightforward goal: they wanted to be able to engage in networked gameplay, using their legally-purchased Blizzard games, without dealing with Blizzard's Battle.net servers. So they reverse-engineered the protocol used by Blizzard's games to talk to the server and implemented bnetd, which provides the same functionality. bnetd is licensed under the GPL.

Blizzard did not like bnetd. The provision of alternative servers took players of Blizzard's games out of the company's control; it was no longer possible to throw advertisements at players. The Battle.net servers also check the registration key provided by the game client; if the key turns out not to be valid, or if multiple players attempt to use the same key, access to the server will be denied. The bnetd developers never quite got around to implementing the key checks; free software developers have little patience with that sort of thing, and, in any case, Blizzard provides no way for third parties to check the validity of registration keys.

Blizzard's response was to send takedown notices, then file suit with a number of copyright infringement and contract claims. On September 30, a U.S. District Court in Missouri agreed with Blizzard, finding the bnetd developers liable for breach of contract and for violating the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). The full ruling is available in PDF format.

The contracts in question are the license agreement for the games and the terms of use for Battle.net. Among other things, these contracts forbid reverse engineering of the software and running services that compete with Battle.net. The court found that the EULA and TOU were binding in all respects; in particular, a license agreement can forbid reverse engineering in all cases, and that is just fine with the court.

With regard to the DMCA charges, the court concluded that, by reverse engineering the handshake used to control access to the games' "Battle.net mode," the bnetd developers did circumvent an access control mechanism. In their defense, the developers stated that they fell within the DMCA's exemption for those trying to achieve interoperability. The court disagreed:

The Court finds that the defendants' actions constituted more than enabling interoperability. The bnetd emulator developed by the defendants always allows the Blizzard game to access Battle.net mode features even if the user does not have a valid or unique CD Key, because the bnetd emulator does not determine whether the CD Key is valid or currently in use by another player. Unauthorized copies of the Blizzard games were played on bnetd servers. Then, defendants distributed the bnetd program for free. Because the bnetd source code was freely available, others developed additional Battle.net emulators based on the bnetd source code.... Finally, the defendants did not create an independently created computer program. The bnetd program was intended as a functional alternative to the Battle.net service. Once game play starts there are no differences between Battle.net and the bnetd emulator from the standpoint of a user who is actually playing the game.

It is hard to know how to read this reasoning. Interoperability, it seems, is only a defense if the resulting program does not do anything interesting, and if it is not distributed as free software.

The court also found that the developers had violated the DMCA's provisions regarding trafficking in anti-circumvention devices:

The defendants' purpose in developing the bnetd server was to avoid the anti-circumvention restrictions of the game and to avoid the restricted access to Battle.net. Thus, the sole purpose of the bnetd emulator was not to enable interoperability. The bnetd emulator had limited commercial purpose because it was free and available to anyone who wanted to copy and use the program.

This language contradicts the court's statement of the "undisputed facts" in the first part of the ruling:

The users of the Battle.net service have occasionally experienced difficulties with the service. Blizzard has also received complaints about user profanity and users who cheated to win games by modifying Blizzard's software ("client hacks")... To address their frustrations with Battle.net, the defendants joined a group of non-profit volunteer game hobbyists, programmers, and other individuals called the "bnet project."

The above is, remember, an undisputed fact. The court chose, however, to ignore that fact and recast the purpose of bnetd to suit its reasoning. On top of that, the idea that bnetd is a circumvention device because it carries a free license is truly chilling.

The end result is that Blizzard is able to place strong restrictions on the users of its games, preventing them from communicating via any sort of alternative service. Free software developers have been restricted in the sort of code they can develop, and the value of Blizzard's games for its own customers has been reduced. There are certainly problems with the DMCA which allow this sort of thing to happen. This is, however, also a problem with proprietary software; free software users do not have to cope with restrictions of this type. Unfortunately, it may be a long time before we see free games which offer the sort of experience provided by the best of today's proprietary offerings.

Diebold

The Diebold case was the source of another important ruling (PDF). In this case, Diebold attempted to use the DMCA to shut down distribution of leaked internal messages between its employees regarding problems with Diebold's electronic voting systems. The core of the ruling was that Diebold misused the DMCA by attempting to force a takedown of material which was not copyrightable.

The purpose, character, nature of the use, and the effect of the use upon the potential market for or value of the copyrighted work all indicate that at least part of the email archive is not protected by copyright law. The email archive was posted or hyperlinked to for the purpose of informing the public about the problems associated with Diebold's electronic voting machines. It is hard to imagine a subject the discussion of which could be more in the public interest.

The Diebold ruling may not affect free software developers directly, but it should serve to put some limits on the use of DMCA takedown notices.

Kodak

A court in Rochester, NY (Kodak's home town) has found that Sun has infringed upon three of Kodak's patents. Kodak claims that Sun owes it just over $1 billion in damages. Intellectual property suits, it seems, are increasingly the strategy of choice for businesses in decline.

The patents (numbers 5,421,012, 5,226,161, and 5,206,951) all read about the same; they would appear to describe any of a number of object request brokers or remote procedure call mechanisms. If they are upheld, Kodak can be expected to begin shaking down technology companies across the U.S.; they would be unlikely to limit themselves to those working with Java.

This looks like a case with a reasonably high likelihood of being reversed on appeal. In the meantime, it serves as yet another reminder of what software patents are doing to the computing industry in the U.S. Until the U.S. patent system is reformed, these lawsuits will be a constant threat. One can only hope that the parts of the world which do not, yet, recognize software patents are paying attention.

SCO

The SCO group had a minor setback in the IBM case when Judge Kimball denied two of the company's motions regarding scheduling. The ruling is up on Groklaw. The judge had little sympathy for SCO's position:

However, there is nothing in the Amended Scheduling Order that precludes IBM from filing motions for summary judgment, and there is nothing in the Scheduling Order that relieves SCO from responding to such motions. Thus, it is puzzling that SCO seeks to "enforce" the Amended Scheduling Order when there is nothing in that Order to justify SCO's request for a significant delay in filing its responses.

The big ruling - on IBM's motion for a summary judgment on its tenth counterclaim (stating that its Linux work does not infringe SCO's copyrights) - is still pending. (What is also pending, incidentally, is the agreement with SCO's lawyers on putting a cap on SCO's legal costs. SCO may have encountered some difficulties in closing that deal.)

Comments (25 posted)

Red Hat acquiring Netscape Enterprise Solutions software

October 6, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Last week, Red Hat announced it had reached a deal to buy some of the software from the Netscape Enterprise Suite. Red Hat spokesperson Leigh Day said that the deal has not yet been finalized, but that it is expected to close in the next two weeks.

Red Hat is paying $23 million for the software, but what is it getting, and why does the company want to buy software that it could develop instead? Day said that Red Hat is getting Netscape's Directory Server, Certificate Management, messaging and calendaring software. According to Day, it was worth spending the $23 million because "Red Hat is gaining a tried and true technology that would take years to develop on its own." The company will also be taking on a team of developers from AOL/Netscape that have been working on the software. Though Netscape was acquired several years ago, the Directory Server software was still under active development. Netscape Directory Server 6.2 was released last December.

It doesn't take a marketing expert to divine Red Hat's motives for the acquisition. When going head-to-head with Microsoft or Novell, Red Hat needs a mature directory services and groupware suite. Day confirmed that Red Hat would be using its acquisition to compete directly with directory server offerings from Microsoft and Novell.

She also noted that Netscape's software is in use by a number of enterprises and government agencies. Whether Red Hat will gain those customers as part of the acquisition is another question. Day said that Red Hat has not yet announced whether the company would be taking over support for current users of Netscape Security Solutions. She also wasn't sure whether Red Hat's final product would support operating systems other than Linux. Netscape Directory Server currently runs on HP-UX, Solaris, Windows NT and 2000 and Red Hat Advanced Server.

Red Hat currently ships OpenLDAP with its enterprise products. What does Netscape Directory Server offer that OpenLDAP does not? Both implement the Lightweight Directory Access Protocol (LDAP), but a glance at the features list for Netscape Directory Server shows several features not implemented in OpenLDAP, including schema updates, server-side sorting of search results, and a number of others. Netscape's software also offers GUI administration tools and tuning tools that are probably a bit more user-friendly than OpenLDAP's tools.

In keeping with Red Hat's open source policy, Red Hat will be releasing the software under the GPL, according to Day. As with the Sistina Global File System (GFS) software, it will be between six and twelve months before the code is released. Why such a lengthy process? Day said that Red Hat would use this time to optimize the code for its products, and for a community development process. Day said that the software would also be usable with Fedora, but wasn't sure if it would be released as part of Fedora Core.

We also wondered whether any patents would be part of the deal. Netscape was issued several patents related to directory services prior to its acquisition by AOL. Patent 6,366,913 was issued to Netscape for "Centralized directory services supporting dynamic group membership," which no doubt applies to Netscape's Directory Server. Patent 6,094,485, covering a method for "SSL step-up," may apply to Netscape's Certificate Management software. Netscape was also issued patents for an automatic client configuration system, a system for schedule and task management, and others that may apply to the suite of applications Red Hat is buying. Day said that Red Hat's legal team is "probably still looking into that." One hopes that the lawyers are looking carefully, as it would not do to acquire the software while leaving AOL with the patents related to it. Red Hat may also find itself in need of a defensive patent portfolio in the future.

In the long run, this should be very good for the Linux and open source community. The addition of Netscape's directory software and groupware solutions will give Linux yet another feature that it needs to compete with Microsoft in the enterprise market.

Comments (9 posted)

Page editor: Jonathan Corbet

Security

Inside SELinux on Fedora Core 3

October 6, 2004

This article was contributed by Jake Edge.

Following up on a previous overview of Security Enhanced Linux (SELinux), this article looks more closely at the SELinux implementation in Fedora Core 3 test2 (FC3).

FC3 provides two separate SELinux policies, a default "targeted" policy and the more restrictive "strict" policy. The targeted policy focuses on a handful of specific system daemons and locks down their access while allowing the rest of the system to run using the standard Linux security mechanisms. The FC3 SELinux FAQ describes the reasoning behind the targeted policy:

Initially, when SELinux was included in Fedora Core, the NSA strict policy was enforced. For testing purposes, this helped to find hundreds of problems in the strict policy. In addition, it became obvious that applying a single strict policy to the many environments of Fedora users was not feasible. Managing a single strict policy for anything other than default installation was going to require local expertise.

There are nine daemons currently handled by the targeted policy, all network services of various sorts (httpd, named, snmpd, etc.), and more daemons will be added to the policy in the future.

The top-level configuration file (/etc/selinux/config) for SELinux on FC3 allows one to choose which of the policies to use and also what enforcement level to use. In particular, the "permissive" level is useful for finding problems in the policy for a specific installation, as it just logs a warning when the policy would have been violated rather than denying the access. Once the policy has been adjusted, the level can be set to "enforcing," which will cause SELinux to enforce the policy. In addition, the enforcement level can be set to "disabled," which effectively turns off SELinux. Changes to the configuration file take effect only after a reboot, but the enforcement level can be switched between permissive and enforcing in a running system using the setenforce command; moving to or from "disabled" still requires a reboot, and files created while SELinux was disabled carry no security context until the filesystem is relabeled.

While changing the enforcement level is painless, the same is not true for changing policies. SELinux uses the extended attributes in Linux filesystems to permanently associate a security context with each file, so when changing policies the attributes of many files in the filesystem must also be changed. The fixfiles command is available to traverse the filesystem and make the required changes based on the information provided in the file_contexts file associated with the policy. file_contexts maps a regular expression describing some subtree of the filesystem (possibly down to an individual file) to a security context; fixfiles (and the related setfiles command) parse this file and set the attributes appropriately. Each regular expression must match the whole path, and when more than one entry matches a path, the last matching entry is used, so specific entries follow general ones in the file. FC3 puts the SELinux configuration in the /etc/selinux directory and the specifics for each policy in /etc/selinux/<policyname>. For example, /etc/selinux/targeted/contexts/file_contexts provides the security context configuration for files in the targeted policy.

To support examining the security context of various entities in the SELinux system, the -Z command line parameter has been added to several standard utilities. The ls, ps, and id commands have been modified to display the security context of files, processes and users respectively and are very useful when diagnosing policy issues.
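
As an added example (this is not code from the article, from Fedora, or from the SELinux tools), the shell script below reproduces the lookup that fixfiles and setfiles perform when relabeling, run against constructed stand-ins for /etc/selinux/config and a fragment in file_contexts format so that it works on a machine without SELinux. The type names, paths and entries in the stand-ins are hypothetical but follow the FC3 layout; the format itself (regex, optional file-type field such as "--" or "-d", context) and the two matching rules implemented here (a regex is anchored to the whole path, and the last matching entry wins) are those of the real file.

```shell
#!/bin/sh
# Added example: a small re-implementation of the file_contexts lookup that
# fixfiles/setfiles perform when relabelling.  It is not Fedora's code and
# runs against constructed copies of the two files, so it needs no SELinux.

# Constructed stand-in for /etc/selinux/config on FC3.
SELINUX_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
'

# Constructed fragment in file_contexts format: <regex> [<file type>] <context>.
# The type field is optional (-- regular file, -d directory, -c char device,
# -l symlink, -s socket, ...).  Type names are hypothetical but follow the
# FC3 naming; note that the specific entries come AFTER the general ones.
FILE_CONTEXTS='/.*                       system_u:object_r:default_t
/etc(/.*)?                system_u:object_r:etc_t
/etc/ntp(/.*)?            system_u:object_r:net_conf_t
/etc/ntp/drift.*      --  system_u:object_r:ntpd_drift_t
/var/run(/.*)?            system_u:object_r:var_run_t
/var/run/ntpd\.pid    --  system_u:object_r:ntpd_var_run_t
/usr/sbin/ntpd        --  system_u:object_r:ntpd_exec_t
/dev/urandom          -c  system_u:object_r:urandom_device_t
'

# config_value KEY: value of KEY= in the config text, comments ignored.
config_value() {
    printf '%s\n' "$SELINUX_CONFIG" | sed -n "s/^$1=\(.*\)\$/\1/p" | tail -n 1
}

# file_contexts_path: where fixfiles reads the file_contexts for the policy
# selected by SELINUXTYPE, following the /etc/selinux/<policyname> layout.
file_contexts_path() {
    printf '/etc/selinux/%s/contexts/file_contexts\n' "$(config_value SELINUXTYPE)"
}

# match_context PATH KIND: the context setfiles would set on PATH, where KIND
# is the one-letter file type as shown by ls -l ("-" regular, "d" directory,
# "c" char device, ...).  Each regex is implicitly anchored to the whole
# path, and when several entries match, the last one wins.
match_context() {
    path=$1 kind=$2 result=''
    while read -r regex f2 f3; do
        if [ -z "$regex" ]; then continue; fi
        case $regex in '#'*) continue ;; esac
        # Middle field present ("--", "-d", ...) only when three fields exist.
        if [ -n "$f3" ]; then ftype=$f2 ctx=$f3; else ftype='' ctx=$f2; fi
        if [ -n "$ftype" ] && [ "${ftype#-}" != "$kind" ]; then continue; fi
        if printf '%s\n' "$path" | grep -Eq "^($regex)\$"; then
            result=$ctx
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$result"
}

# Demonstration: the same path gets different answers depending on its type,
# and /etc/ntp/drift is caught by the last (most specific) matching entry.
echo "policy file_contexts: $(file_contexts_path)"
for p in '/etc/ntp/drift -' '/etc/ntp d' '/dev/urandom c' '/dev/urandom -' \
         '/var/run/ntpd.pid -'; do
    set -- $p
    printf '%-20s %s  %s\n' "$1" "$2" "$(match_context "$1" "$2")"
done
```

On a real FC3 system the answers can be compared with what `ls -Z` reports for the same paths; a difference means the file was created or moved without a relabel, which is exactly the situation fixfiles exists to repair.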

To get a sense of what goes into the policy configuration and how complex it is, we examined the targeted policy configuration for the ntpd program. Once the selinux-policy-targeted-sources package is installed, the configuration file for ntpd can be found in /etc/selinux/targeted/src/policy/domains/program/ntpd.te. This file specifies the access that the daemon will be allowed to have and should specify all of the system entities (files, sockets, etc.) that the program needs to access for correct operation. The level of detail required in this file is rather eye-opening:

  • Types are defined for the drift file and for the network port used by ntpd
  • All of the file and directory types that are used by the daemon are also specified with what access is granted for each
  • Read access is granted for the urandom device
  • Network access is granted
  • Access to bind to the udp port that it uses and socket creation access for datagram and stream sockets is granted
  • Capabilities allowing it to use the nice() system call are granted
  • etc.
It would appear that a fair amount of work went into figuring out all of the various pieces that go into this configuration for what, at first blush, would seem a fairly simple system daemon. Multiply this level of complexity by the number of daemons in a typical system and one can see why some critics of SELinux call it too complicated to be useful. On the other hand, SELinux does provide very fine grained control over access to system resources and in certain applications, that control is very desirable.

Comments (8 posted)

New vulnerabilities

cups: information leak

Package(s):cups CVE #(s):CAN-2004-0923
Created:October 5, 2004 Updated:October 14, 2004
Description: CUPS has an information leakage problem when printing to SMB shares requiring authentication.
Alerts:
Debian DSA-566-1 2004-10-14
Gentoo 200410-06 2004-10-09
Fedora FEDORA-2004-331 2004-10-05

Comments (none posted)

freenet6: file protection problem

Package(s):freenet6 CVE #(s):CAN-2004-0563
Created:September 30, 2004 Updated:October 6, 2004
Description: freenet6 has a protection problem which allows the username and password to be read from a configuration file.
Alerts:
Debian DSA-555-1 2004-09-30

Comments (none posted)

net-acct: temporary file vulnerability

Package(s):net-acct CVE #(s):CAN-2004-0851
Created:October 6, 2004 Updated:October 6, 2004
Description: Net-acct (an IP accounting daemon) version 0.71 suffers from a temporary file vulnerability.
Alerts:
Debian DSA-559-1 2004-10-06

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

php: information disclosure and file upload vulnerabilities

Package(s):php CVE #(s):
Created:October 6, 2004 Updated:October 6, 2004
Description: Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server.
Alerts:
Gentoo 200410-04 2004-10-06

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

samba: unauthorized file access

Package(s):samba CVE #(s):CAN-2004-0815
Created:October 1, 2004 Updated:October 14, 2004
Description: A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection.

According to this errata, only Samba 3.0.x <= 3.0.2a contains the exploitable code.

Alerts:
Conectiva CLA-2004:873 2004-10-14
Fedora-Legacy FLSA:2102 2004-10-13
Debian DSA-600-1 2004-10-07
SuSE SUSE-SA:2004:035 2004-10-05
Red Hat RHSA-2004:498-01 2004-10-04
Mandrake MDKSA-2004:104 2004-10-01
Trustix TSLSA-2004-0051 2004-10-01

Comments (none posted)

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Comments (none posted)

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

apache: protected pages vulnerability

Package(s):apache CVE #(s):CAN-2004-0811
Created:September 23, 2004 Updated:September 29, 2004
Description: Apache 2.0.51 may allow the viewing of protected pages because of a problem merging the Satisfy directive.
Alerts:
Gentoo 200409-33 2004-09-24
Trustix TSLSA-2004-0049 2004-09-23

Comments (none posted)

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

cups: denial of service

Package(s):cups cupsys CVE #(s):CAN-2004-0558
Created:September 15, 2004 Updated:October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Alerts:
Conectiva CLA-2004:872 2004-10-14
Fedora FEDORA-2004-275 2004-09-28
Slackware SSA:2004-266-01 2004-09-22
Whitebox WBSA-2004:449-01 2004-09-20
Gentoo 200409-25 2004-09-20
SuSE SUSE-SA:2004:031 2004-09-15
Red Hat RHSA-2004:449-01 2004-09-15
Mandrake MDKSA-2004:097 2004-09-15
Debian DSA-545-1 2004-09-15

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

Gaim: remote code execution vulnerability

Package(s):gaim CVE #(s):CAN-2004-0500
Created:August 12, 2004 Updated:October 18, 2004
Description: The Gaim instant messaging client (versions 0.81 and prior) has a remote code execution vulnerability in its MSN protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

getmail: filesystem overwrite vulnerability

Package(s):getmail CVE #(s):CAN-2004-0880 CAN-2004-0881
Created:September 23, 2004 Updated:October 4, 2004
Description: Getmail has a vulnerability that may allow a local user to create or overwrite files in any directory on the system.
Alerts:
Slackware SSA:2004-278-01 2004-10-04
Debian DSA-553-1 2004-09-27
Gentoo 200409-32 2004-09-23

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

apache2: IPv6 denial of service

Package(s):httpd apache2 CVE #(s):CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created:September 15, 2004 Updated:October 6, 2004
Description: Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Alerts:
Debian DSA-558-1 2004-10-06
Trustix TSLSA-2004-0047 2004-09-16
Mandrake MDKSA-2004:096 2004-09-15
Gentoo 200409-21 2004-09-16
Fedora FEDORA-2004-308 2004-09-16
Fedora FEDORA-2004-307 2004-09-16
SuSE SUSE-SA:2004:032 2004-09-15
Red Hat RHSA-2004:463-01 2004-09-15

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

jabberd: remote denial of service vulnerability

Package(s):jabberd CVE #(s):
Created:September 23, 2004 Updated:September 29, 2004
Description: Jabberd's XML parsing routines have a vulnerability that may be exploited to create a remote denial of service.
Alerts:
Gentoo 200409-31 2004-09-23

Comments (none posted)

kdebase: multiple vulnerabilities

Package(s):kdebase CVE #(s):CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:August 12, 2004 Updated:October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country-specific second-level domains, so that a cookie set by one site under such a domain is sent to every other site under it.
Alerts:
Red Hat RHSA-2004:412-01 2004-10-04
Conectiva CLA-2004:864 2004-09-13
Fedora FEDORA-2004-293 2004-09-08
Fedora FEDORA-2004-292 2004-09-08
Fedora FEDORA-2004-291 2004-09-08
Fedora FEDORA-2004-290 2004-09-08
Slackware SSA:2004-247-01 2004-09-03
Mandrake MDKSA-2004:086 2004-08-20
Debian DSA-539-1 2004-08-17
Gentoo 200408-13 2004-08-12

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64- to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to read large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lha: stack-based buffer overflow

Package(s):lha CVE #(s):CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created:September 2, 2004 Updated:October 14, 2004
Description: The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive.
Alerts:
Fedora-Legacy FLSA:1833 2004-10-13
Whitebox WBSA-2004:323-01 2004-09-20
Gentoo 200409-13 2004-09-08
Fedora FEDORA-2004-295 2004-09-08
Fedora FEDORA-2004-294 2004-09-08
Red Hat RHSA-2004:323-01 2004-09-01

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix the problem, version 2.7.10 has since been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

OpenOffice: information disclosure

Package(s):openoffice.org CVE #(s):CAN-2004-0752
Created:September 15, 2004 Updated:October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Alerts:
Gentoo 200410-17 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s):putty CVE #(s):
Created:August 5, 2004 Updated:October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200410-29 2004-10-27
Gentoo 200408-04 2004-08-05

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rsync: path-sanitizing bug

Package(s):rsync CVE #(s):CAN-2004-0792
Created:August 16, 2004 Updated:November 1, 2004
Description: This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written.
Alerts:
Conectiva CLA-2004:881 2004-11-01
Slackware SSA:2004-285-01 2004-10-12
Whitebox WBSA-2004:436-01 2004-09-20
Red Hat RHSA-2004:436-01 2004-09-01
Fedora FEDORA-2004-269 2004-08-19
Fedora FEDORA-2004-268 2004-08-19
Gentoo 200408-17 2004-08-17
Mandrake MDKSA-2004:083 2004-08-17
Netwosix NW-2004-0017 2004-08-17
Trustix TSLSA-2004-0042 2004-08-17
tinysofa TSSA-2004-020-ES 2004-08-16
Debian DSA-538-1 2004-08-17
SuSE SUSE-SA:2004:026 2004-08-16
OpenPKG OpenPKG-SA-2004.037 2004-08-15

Comments (none posted)

ruby: insecure file permissions

Package(s):ruby CVE #(s):CAN-2004-0755
Created:August 16, 2004 Updated:October 14, 2004
Description: Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the web server to take over a session.
Alerts:
Fedora FEDORA-2004-264 2004-10-15
Red Hat RHSA-2004:441-01 2004-09-30
Gentoo 200409-08 2004-09-03
Debian DSA-537-1 2004-08-16

Comments (none posted)

sendmail: pre-set password

Package(s):sendmail CVE #(s):CAN-2004-0833
Created:September 27, 2004 Updated:September 29, 2004
Description: Hugo Espuny discovered a problem in sendmail, a commonly used program to deliver electronic mail. When installing "sasl-bin" to use SASL in connection with sendmail, the sendmail configuration script uses fixed user/password information to initialize the SASL database. Any spammer with knowledge of Debian systems could use such a sendmail installation to relay spam.
Alerts:
Debian DSA-554-1 2004-09-27

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified denial of service vulnerability. By sending a specially crafted message, an attacker could mount a denial of service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application; SquirrelMail does not sanitize variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion's svnserve server has a remotely triggerable heap overflow; a hostile client can crash the server and may be able to execute arbitrary code on it. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

subversion: metadata information disclosure

Package(s):subversion CVE #(s):CAN-2004-0749
Created:September 23, 2004 Updated:November 4, 2004
Description: When access control is done with mod_authz_svn, the subversion version control system does not properly restrict access to metadata (such as log entries) belonging to paths the user is not allowed to read.
Alerts:
Conectiva CLA-2004:883 2004-11-04
Gentoo 200409-35 2004-09-29
Fedora FEDORA-2004-318 2004-09-23

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
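
The check that tar and unzip were missing, as an added example (this is not code from either project): resolve every member name against the destination directory and refuse anything that lands outside it, including symlink and hardlink members whose targets point outside. The sample archive is constructed in memory for the demonstration. The same containment test applies to the rsync path-sanitizing problem listed below, where a leading slash rather than "../" was the escape.

```python
"""Reject archive members that would escape the extraction directory."""
import io
import os
import tarfile
import tempfile


def is_within(base, target):
    """True if `target`, interpreted relative to `base`, stays inside `base`.

    os.path.join discards `base` when `target` is absolute, and realpath
    collapses "../" and follows any symlink already present on disk, so
    both the "../" and the leading-slash escapes are caught here.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, target))
    return target == base or target.startswith(base + os.sep)


def classify_members(tar, dest):
    """Split a TarFile's members into (safe, rejected) lists of names.

    A symlink or hardlink whose target is outside `dest` is rejected too:
    a later member written through it would land outside the tree.
    """
    safe, rejected = [], []
    for m in tar.getmembers():
        ok = is_within(dest, m.name)
        if ok and (m.issym() or m.islnk()):
            link = m.linkname
            if m.issym():
                # a symlink target is relative to the link's own directory
                link = os.path.join(os.path.dirname(m.name), link)
            ok = is_within(dest, link)
        (safe if ok else rejected).append(m.name)
    return safe, rejected


def build_sample_tar():
    """Constructed sample: one benign file, a "../" escape, an absolute
    path, and a symlink member pointing outside the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = [
            ("readme.txt", b"hello\n"),
            ("../../.ssh/authorized_keys", b"ssh-rsa AAAA attacker\n"),
            ("/etc/cron.d/evil", b"* * * * * root /tmp/x\n"),
        ]
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


def audit(tar_bytes, dest):
    """Classify the members of an archive against `dest` without extracting."""
    with tarfile.open(fileobj=tar_bytes, mode="r") as tar:
        return classify_members(tar, dest)


def demo():
    """Audit the constructed archive against a scratch destination."""
    dest = tempfile.mkdtemp()
    try:
        return audit(build_sample_tar(), dest)
    finally:
        os.rmdir(dest)


if __name__ == "__main__":
    safe, rejected = demo()
    print("safe:", safe)
    print("rejected:", rejected)
```

Only members in the safe list should be passed to extraction; the rejected list is worth logging, since a hostile archive is evidence of an attack rather than a bug. Python 3.12 and later build this kind of check into tarfile itself via the extraction filters (extractall(..., filter="data")).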
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow in its SOCKS 5 proxy code that may allow a remote attacker to run arbitrary code. To be affected, a user must have enabled SOCKS 5 traversal (which is disabled by default) and connected to an attacker-controlled proxy server. Successful exploitation allows the attacker to run arbitrary code with the privileges of the user running the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
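
The temporary-file problems in this summary (logcheck, netpbm, sysstat, xine-ui, the OpenOffice.org disclosure and the Ruby session files) are one bug class: a predictable name in a world-writable directory, opened in a way that follows symlinks, truncates, and inherits the umask. The following added example (not code from any of those packages) reproduces the attack in a scratch directory standing in for /tmp and shows the hardened open beside it. The victim file and the planted symlink are constructed for the demonstration.

```python
"""Predictable temporary names versus O_CREAT|O_EXCL|O_NOFOLLOW with mode 0600."""
import os
import tempfile


def unsafe_open(path, data):
    """The vulnerable pattern: a guessable name opened with O_WRONLY|O_CREAT|O_TRUNC.
    It follows a symlink planted at `path` and creates the file with the umask,
    so the victim's file is overwritten, or the data is left world-readable."""
    with open(path, "w") as f:
        f.write(data)


def safe_open(path, data):
    """Hardened pattern: fail if anything already exists at `path`, never
    follow a symlink, and make the file readable only by its owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Run both patterns against a planted symlink; report what happened."""
    tmp = tempfile.mkdtemp()            # stands in for the shared /tmp
    original = "original contents\n"
    results = {}
    try:
        victim = os.path.join(tmp, "victim.conf")   # a file only the victim can write
        with open(victim, "w") as f:
            f.write(original)

        # The attacker predicts the name (here: prog.<pid>) and plants a symlink.
        planted = os.path.join(tmp, "prog.%d" % os.getpid())
        os.symlink(victim, planted)

        unsafe_open(planted, "attacker-chosen data\n")
        with open(victim) as f:
            results["unsafe_clobbered"] = f.read() != original

        # Restore the victim and try the hardened open against the same symlink.
        with open(victim, "w") as f:
            f.write(original)
        try:
            safe_open(planted, "attacker-chosen data\n")
            results["safe_raised"] = False
        except FileExistsError:
            # O_EXCL fails with EEXIST when the path is a symlink, dangling or not
            results["safe_raised"] = True
        with open(victim) as f:
            results["safe_clobbered"] = f.read() != original

        # mkstemp is the library form of the same thing: random name, O_EXCL, 0600.
        fd, scratch = tempfile.mkstemp(dir=tmp)
        os.close(fd)
        results["mkstemp_mode"] = oct(os.stat(scratch).st_mode & 0o777)
        os.unlink(scratch)
        return results
    finally:
        for name in os.listdir(tmp):
            os.unlink(os.path.join(tmp, name))   # removes the symlink, not its target
        os.rmdir(tmp)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

The shell-script variants of this bug (logcheck, xine-ui) are fixed the same way with mktemp(1) instead of a hand-built name; for session stores like Ruby's FileStore, the 0600 mode is the part that matters, since the file is meant to persist and another local user must not be able to read the session identifier out of it.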
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.9-rc3, announced by Linus on September 29. Changes this time include lots more annotations for the "sparse" checker, an NTFS update, a patch causing ICMP "source quench" messages to be ignored, the new I/O memory access functions (see the September 23 Kernel Page), a big set of input driver patches, m32r architecture support, a User-mode Linux update, the merger of the two in-kernel software suspend implementations, a tunable "max sectors" limit for block I/O requests (a latency reduction feature), and a new prctl() option allowing programs to change their name. The long-format changelog has the details.

For what it's worth, Andrew Morton estimates that 2.6.9-rc4 will be out "later this week," with the final 2.6.9 release happening about a week after that.

Linus's BitKeeper repository contains another big set of "sparse" annotations, the removal of get_cpu_ptr(), a generic, netlink-based network statistics interface, some networking fixes, and a number of architecture updates.

Also to be found in BitKeeper is a kernel management style document which Linus quietly committed as "wisdom passed down the ages on clay tablets."

This preemptive admission of incompetence might also make the people who actually do the work also think twice about whether it's worth doing or not. After all, if _they_ aren't certain whether it's a good idea, you sure as hell shouldn't encourage them by promising them that what they work on will be included. Make them at least think twice before they embark on a big endeavor.

The current prepatch from Andrew Morton is 2.6.9-rc3-mm2. Recent changes to -mm include a reworking of the IRQ subsystem, a set of ext3 online resizing fixes, a "completely fair queueing" I/O scheduler update, the switchable I/O schedulers patch, an I/O write barrier primitive, a security module for BSD secure levels, and lots of fixes.

The current 2.4 prepatch remains 2.4.28-pre3, which dates back to September 11.

Comments (none posted)

Kernel development news

Quotes of the week

And I have to warn people if they think that the churn is fast and the rate of change in the networking is high right now, you have seen absolutely nothing yet. :-)

-- David Miller

The _reality_ is that there is _no_ point in time where you and Linus allow for stabilization of the main tree prior to release. The release criteria has devolved to a point where we call it done when the stack of pancakes gets too high.

-- Jeff Garzik (among others) is concerned about the current development model.

Comments (8 posted)

The -mm development tree

Andrew Morton's -mm kernel tree now fills the role which might have once been taken by an odd-numbered development series. We don't have 2.7.x; instead, new stuff finds its way into 2.6.x-mm. So it can be interesting to step back, occasionally, and look at what patches are lurking there.

2.6.9-rc3-mm2 contains a full 1213 patches. About half of these come from trees managed by various subsystem maintainers; seeing what those are usually requires pulling a separate BitKeeper tree and looking inside. These trees hold patches which are usually (usually!) relatively small and maintenance-oriented. The external trees brought into -mm currently include those dedicated to the ACPI, AGPGART, ALSA, i2c, IDE, IEEE 1394, input, serial ATA, networking, NTFS, driver core, PCI, USB, and SCSI subsystems.

Among the other 654 patches in 2.6.9-rc3-mm2 are found:

  • A change to how rlimit settings are interpreted; they become per-process settings, rather than per-thread.

  • The sysfs backing store patches continue to languish in -mm, apparently waiting for a review from some of the core developers.

  • Ingo Molnar's "generic IRQ subsystem" work. These patches, posted on October 2, are a big reorganization of the interrupt handling code. Over the years, much of the IRQ code had been copied from one architecture to the next, leading to a lot of duplicated functions. These patches pull the generic code out of the architecture subtrees and remove some 3000 lines of code from the kernel.

  • Numerous kernel debugger (kgdb) patches continue to live in -mm; as always, they are unlikely to move into the mainline.

  • They get less attention than they used to, but there are still must-fix and should-fix lists in -mm.

  • Arjan van de Ven's patch which keeps processes from being able to overwrite kernel memory via /dev/mem. This patch has been shipped with Red Hat/Fedora kernels for a while, but is not yet in the mainline.

  • An extensive set of ext3 patches implementing block reservations. Stephen Tweedie has recently resumed working on these patches, so they may move forward in the near future. The ext3 online resizing patch set is also in -mm.

  • Mikael Pettersson's performance counters patches.

  • The -mm tree continues to be a testing ground for scheduler patches. It currently contains Peter Williams's Single Priority Array scheduler (covered briefly here last August). There is also an extensive set of scheduling domains fixes and a number of latency-reduction patches from Ingo Molnar's work.

  • Ingo Molnar's big kernel semaphore patch.

  • A set of PCMCIA patches adding driver model and hotplug support.

  • A big DVD+RW support patch, which includes CDRW packet writing support.

  • Support for in-kernel keyrings and their management.

  • The CacheFS filesystem.

  • The kexec patches, including support for using kexec as a kernel crash dump mechanism.

  • The reiser4 filesystem and a large number of fixes.

  • The modular I/O schedulers patch and the reworked "completely fair queueing" scheduler.

  • The remap_page_range() change to remap_pfn_range().

  • A security module implementing the BSD "secure levels" mechanism.

Mixed in with these big patches is the usual array of architecture updates, subsystem fixes, etc.

In other words, -mm is a big patch; it is significantly different from the mainline kernel. For some developers, it is too far removed; David Miller recently responded to a request to test networking changes in -mm this way:

Putting the net stuff into -mm makes debugging of networking changes harder, as -mm has a ton of experimental stuff in it as well. -mm frequently makes machines unbootable, and particularly this is felt on non-x86 platforms such as sparc64 which is where I do all of my work.

This kind of observation is not new; many developers continued to create their patches on the 2.4 kernel long after the 2.5 branch opened because 2.5 struck them as being too unstable. When one is trying to shake out bugs in new code, it is nice to minimize the number of other unrelated, disruptive changes. That said, -mm continues to be the main staging area for much of the code going into the mainline, and many developers target it specifically with their patches. Given the number of bugs found after patches go into -mm, people are clearly running it as well.

Comments (3 posted)

Active memory defragmentation

"High order" allocations, in the kernel, are attempts to obtain multiple, contiguous pages for an application which needs more than one page in a single, physically-contiguous block. These allocations have always been a problem for the kernel to satisfy; once the system has been running for a while, physical memory is usually fragmented to the point that very few groups of adjacent, free pages exist. Last month, this page looked at Nick Piggin's kswapd changes which attempt to mitigate this problem somewhat. There are other people working in this area, however.

One of those is Marcelo Tosatti, who posted a patch which adds active memory defragmentation to the kernel. At a high level, the algorithm used is relatively simple: to obtain a free block of order N, start with the largest free block of lower order you can find, and try to relocate the contents of the pages immediately before and after it. If enough pages can be moved, a larger block of free pages will have been created.

Naturally, this process seems rather more complicated when looked at closely. Not all pages can be relocated; those which are locked or reserved, for example, are not touchable. The patch also declines to work with pages which are currently under writeback; until the writeback I/O completes, those pages must not move. A number of more complicated cases, such as moving pages which are part of a nonlinear mapping, are not handled with the current patch.

If a page does appear to be relocatable, it must first be locked and have its contents copied to the new page. Then all page tables which reference the old page must be re-pointed to the new page. Reverse mapping information, if any, must be set correctly. If there is a copy of the page in swap, that copy must be connected with the new page. And so on. Marcelo's patch responds to many of the more complicated cases by simply refusing to move the page. Even so, Marcelo reports good results in creating large, contiguous blocks of free memory.
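The growing-outward algorithm described above, as an added user-space toy model; this is not Marcelo's patch. "Physical memory" is a constructed array of page states, and "relocating" a page means moving its tag to a free slot elsewhere, standing in for the copy, page-table update and reverse-mapping work the real patch has to do.

```c
/* Added example: a toy model of active defragmentation over an array of page states. */
#include <stdio.h>

enum page_state {
    PG_FREE = 0,
    PG_MOVABLE,   /* an ordinary mapped page whose contents can be copied elsewhere */
    PG_PINNED     /* locked, reserved or under writeback: must not be touched */
};

/* Locate the longest run of free pages in mem[0..n); returns its start, or -1 if none. */
static int longest_free_run(const enum page_state *mem, int n, int *len)
{
    int best_start = -1, best_len = 0;
    for (int i = 0; i < n; ) {
        if (mem[i] != PG_FREE) { i++; continue; }
        int j = i;
        while (j < n && mem[j] == PG_FREE)
            j++;
        if (j - i > best_len) { best_len = j - i; best_start = i; }
        i = j;
    }
    *len = best_len;
    return best_start;
}

/* Pick the free page farthest from the window [lo, hi) as the destination for a
 * relocated page, so the move does not eat a free page the window could grow into. */
static int find_free_far(const enum page_state *mem, int n, int lo, int hi)
{
    int best = -1, best_dist = -1;
    for (int i = 0; i < n; i++) {
        if (mem[i] != PG_FREE || (i >= lo && i < hi))
            continue;
        int dist = (i < lo) ? lo - i : i - hi + 1;
        if (dist > best_dist) { best_dist = dist; best = i; }
    }
    return best;
}

/* Try to build a free block of 'want' contiguous pages: start from the largest free run
 * and grow it outward, relocating movable neighbours and giving up at pinned ones.
 * Returns the block's start index, or -1 if no such block could be created. */
int defrag_alloc(enum page_state *mem, int n, int want)
{
    int len, lo = longest_free_run(mem, n, &len);
    if (lo < 0)
        return -1;
    int hi = lo + len;                      /* current free window is [lo, hi) */
    while (hi - lo < want) {
        int cand;
        if (hi < n && mem[hi] != PG_PINNED)
            cand = hi;                      /* grow to the right first ... */
        else if (lo > 0 && mem[lo - 1] != PG_PINNED)
            cand = lo - 1;                  /* ... then to the left */
        else
            return -1;                      /* boxed in by pages we may not move */
        if (mem[cand] == PG_MOVABLE) {
            /* The window being built must not serve as the destination. */
            int wlo = (cand == hi) ? lo : cand, whi = (cand == hi) ? hi + 1 : hi;
            int dst = find_free_far(mem, n, wlo, whi);
            if (dst < 0)
                return -1;                  /* nowhere to put the page: memory is full */
            mem[dst] = PG_MOVABLE;          /* copy contents, re-point page tables, fix rmap */
            mem[cand] = PG_FREE;
        }
        if (cand == hi) hi++; else lo--;    /* an adjacent free page simply joins the window */
    }
    return lo;
}

/* Count pages in a given state; lets a caller check that no movable page was lost. */
int count_state(const enum page_state *mem, int n, enum page_state s)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        c += (mem[i] == s);
    return c;
}

static void dump(const char *tag, const enum page_state *mem, int n)
{
    printf("%s: ", tag);
    for (int i = 0; i < n; i++)
        putchar(".MP"[mem[i]]);              /* . free, M movable, P pinned */
    putchar('\n');
}

int main(void)
{
    /* Constructed layout: a fragmented 16-page zone with two pinned pages. */
    enum page_state mem[16] = {
        PG_PINNED, PG_MOVABLE, PG_MOVABLE, PG_FREE, PG_FREE, PG_FREE, PG_MOVABLE, PG_FREE,
        PG_FREE, PG_MOVABLE, PG_PINNED, PG_FREE, PG_MOVABLE, PG_FREE, PG_FREE, PG_FREE
    };
    dump("before", mem, 16);
    int start = defrag_alloc(mem, 16, 8);
    dump("after ", mem, 16);
    printf("8-page block at index %d\n", start);
    return 0;
}
```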

Of course, there are a few glitches, including problems on SMP systems. But, says Marcelo, never fear:

But it works fine on UP (for a few minutes :)), and easily creates large physically contiguous areas of memory.

It was pointed out that this patch has some common features with a different effort: the drive to support hotpluggable memory. When memory is to be removed from the system, all pages currently stored in that memory must be relocated. In essence, the hotplug memory patches seek to create a large block of free memory which happens to cover a specific set of physical addresses.

Dave Hansen described two patches adding hotplug memory support - one done at IBM, and one from Fujitsu. Each apparently has its strong and weak points.

Between Marcelo's work and the hotplug patches, there is a significant amount of experience in moving pages aside to free blocks of memory. An effort to bring together those patches into a single one containing the best of each will probably be necessary before any can be merged. But the end result of that work could be an end to problems with high-order allocations.

Comments (1 posted)

When should a process be migrated?

The performance of modern computers is heavily influenced by how well they use the processor's memory cache. Going to main memory is a slow operation (from a processor's point of view); an operating system which forces main memory accesses too often will run slowly. One of the things the Linux kernel does to optimize cache use is to try to avoid moving processes between CPUs if it is likely that those processes have a fair amount of useful data in the cache. When a process moves, it leaves its cached data behind and must begin populating the new CPU's cache from the beginning. That repopulation requires memory accesses and slows things down.

The metric used by the kernel to decide whether moving a particular task is advisable is a scheduling domain parameter called cache_hot_time. If the process has run on the current processor within the "hot time," it is considered to have significant data in the cache and is not moved unnecessarily. In recent kernels, cache_hot_time for processors on non-NUMA, SMP systems is 2.5ms.

Kenneth Chen recently did some tests to see if that value makes sense. On his four-processor system, he found that workload throughput with a 2.5ms hot time was 12% below its peak level - which happens with a 10ms value. As it turns out, 10ms was once the default value for the cache hot time; Kenneth proposes that this value be restored. Others have, instead, suggested that a new tunable parameter be provided so that administrators could find and set the optimal value for their systems.

Ingo Molnar has come up with a different approach - have the computer figure out for itself what the optimal "cache hot" time is. To this end, his code performs the following steps for each pair of processors on the system:

  1. The first processor fills a large, shared buffer with data, thus populating its own cache with (some of) the contents of that buffer.

  2. The second processor fills a private buffer, filling its own cache.

  3. The second processor then overwrites the shared buffer, moving the contents of that buffer into its own cache.

The time required for the third step is, to an approximation, a worst case scenario for what it costs to move a process when it has filled the local cache with data. Ingo tested the code on a few systems and got optimal values which vary from 5ms (on a four-processor Pentium 4 system) to 87ms (for an eight-processor, semi-NUMA, Pentium 3 system). Clearly, one default value for all systems is not the right answer. This also looks like a good number for the computer to find for itself - assuming subsequent tests show that this patch (or a successor) is finding something close to the optimal value.
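The three-step measurement above, as an added user-space sketch for Linux; it is not Ingo's patch. It assumes a 64-byte cache line and CPU ids 0 and 1, and uses one thread that migrates itself with sched_setaffinity() in place of two cooperating processors, which produces the same cache effect: the shared buffer is dirty in the first CPU's cache when the second CPU overwrites it.

```c
/* Added example: measuring the cost of pulling a buffer across from another CPU's cache. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

static int pin_to_cpu(int cpu)
{
    cpu_set_t set;
    CPU_ZERO(&set);
    CPU_SET(cpu, &set);
    return sched_setaffinity(0, sizeof(set), &set);   /* pid 0: the calling thread */
}

static int64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Write one byte per 64-byte cache line so the whole buffer passes through the cache. */
static void fill(volatile unsigned char *buf, size_t len, unsigned char v)
{
    for (size_t i = 0; i < len; i += 64)
        buf[i] = v;
}

/* Time, in nanoseconds, that step 3 takes with buffers of 'bufsize' bytes; -1 if malloc
 * fails. *migrated is set to 1 when both affinity changes succeeded and 0 otherwise
 * (single-CPU machine, restricted cpuset), in which case no migration was measured. */
int64_t measure_migration_cost_ns(int cpu_a, int cpu_b, size_t bufsize, int *migrated)
{
    unsigned char *shared = malloc(bufsize);
    unsigned char *priv = malloc(bufsize);
    if (!shared || !priv) {
        free(shared);
        free(priv);
        return -1;
    }
    *migrated = 1;
    if (pin_to_cpu(cpu_a) != 0)
        *migrated = 0;
    fill(shared, bufsize, 1);              /* step 1: cpu_a's cache now holds 'shared' */
    if (pin_to_cpu(cpu_b) != 0)
        *migrated = 0;
    fill(priv, bufsize, 2);                /* step 2: cpu_b's cache is full of its own data */
    int64_t t0 = now_ns();
    fill(shared, bufsize, 3);              /* step 3: pull 'shared' across from cpu_a */
    int64_t cost = now_ns() - t0;
    free(shared);
    free(priv);
    return cost;
}

int main(void)
{
    int migrated;
    /* 4 MiB exceeds most L2 caches of the era; size it to the machine under test. */
    int64_t ns = measure_migration_cost_ns(0, 1, (size_t)4 << 20, &migrated);
    if (ns < 0)
        return 1;
    printf("step 3 took %lld ns (%s)\n", (long long)ns,
           migrated ? "after migrating cpu0 -> cpu1" : "no migration: affinity calls failed");
    return 0;
}
```

Run it a few times and take the minimum; a single sample is easily disturbed by other work on the two CPUs.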

Comments (6 posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Filesystems and block I/O

Janitorial

Memory management

Networking

Architecture-specific

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

AGNULA/DeMuDi - A Distribution for Musicians and Composers

October 6, 2004

This article was contributed by Ladislav Bodnar

When DeMuDi (Debian Multimedia Distribution) was announced in July 2001, it generated considerable interest. Back in those days, playback of many audio and video formats under Linux suffered from two common perceptions: the difficulty in getting many proprietary formats to produce sound and images on a Linux system, and the question of complying with copyright, encryption, and intellectual property laws while doing so. Although the goals of DeMuDi were much less ambitious than initiating legal fights with the powerful music and movie industry players over the rights of Linux users, the project's name and goals sounded sweet to the ears of many who missed the trouble-free playback of audio and video on their previous operating system.

It wasn't long after the initial announcement that the project was renamed to AGNULA (A GNU/Linux Audio Distribution). The term DeMuDi was still used to refer to the Debian-based distribution, which, by then, was joined by a sister sub-project - the Red Hat-based ReHMuDi (Red Hat Multimedia Distribution). This was because AGNULA had received funding worth €1.7 million over 24 months from the European Commission, and several prominent European companies and organizations, including Red Hat France and Free Software Foundation Europe, joined the AGNULA development effort. The objectives of the project also underwent a revision - instead of embracing all of what falls under the term "multimedia", its focus scaled down to cover audio only, with the goal of producing Linux-based operating systems containing software for musicians and composers.

By the time funding by the European Commission ended in April this year, the project had produced DeMuDi 1.1.0 (based on Debian Woody) and ReHMuDi 2.0 (based on Red Hat Linux 9), as well as a DeMuDi live CD for presentation purposes. Although these releases did not attract much attention in the Linux media -- perhaps due to the specialist nature of the products -- they were much appreciated by many musicians and composers. This prompted the lead developer to continue working on DeMuDi on a volunteer basis, even after funding by the European Commission dried up. Most of the development is now handled by Andrea Glorioso and Free Ekanayaka of Firenze Tecnologia in Florence, Italy.

Their continued effort resulted in AGNULA/DeMuDi 1.2.0, which was released last week. Unlike the previous version, this one is a much more up-to-date build based on Debian Sarge and complete with a recent Sarge beta installer with all its features, such as hardware autodetection and autoconfiguration, automatic boot manager setup (GRUB), and a selection of journaling file systems. Additionally, this version includes a custom dialog allowing users to choose from a list of specialist audio applications to install. The installer provides another option - a choice between Fluxbox and GNOME 2.6 desktops, recommending the fast Fluxbox for professionals and the easy-to-use GNOME for first-time Linux users.

Once the system is installed and booted, it differs little from most other Linux distributions. However, as soon as you glance under the "Multimedia" and "Audio" menus, you will quickly be reminded of the purpose of this operating system and its usefulness as a comprehensive tool designed to help creative artists. DeMuDi comes with a mind-boggling range of audio tools; here is a brief list of some of the more interesting among them:

  • BEAST/BSE is a GTK+ music composition and modular synthesis application with support for all popular audio formats, such as MIDI, WAV, MP3 and Ogg. Its many features include multitrack editing, real-time synthesis support, 32-bit audio rendering, full duplex support, multiprocessor support, precise timing down to sample granularity, and on demand loading of partial wave files, just to name a few. BEAST/BSE is a fairly complex application, but it comes with excellent help files and a demo project, which is a lot of fun in itself.

  • Cecilia is a Tcl/Tk-based graphical frontend for the sound synthesis and sound processing package Csound. Developed for musicians and sound designers, the software comes with all the traditional sound processing devices such as EQs, compressors, and delays, adapted for anything from "the simplest applications to the wildest imaginable sonic contortions."

  • JACK is a low-latency audio server designed from the ground up for professional audio work. It can connect a number of different applications to an audio device, while allowing them to share audio between themselves. Its clients can run as normal applications or as "plugins".

  • jMax is a Java-based visual programming environment (it requires the Java Virtual Machine) for building interactive real-time music and multimedia applications. It is developed by IRCAM, a research, music production, and educational center located in Paris, France.

  • TkECA is a Tcl/Tk frontend for Ecasound, a software package for multitrack audio processing. It can be used for simple tasks like audio playback, recording and format conversion, as well as for multitrack effect processing, mixing, and signal recycling. TkECA supports all of Ecasound's features in a graphical environment.

The above is just the tip of the iceberg. From DJs' music library software, through mixers, players, recorders and samplers, to specialist drumming and note editing tools - DeMuDi has them all, arranged neatly in hierarchical menus. Investigating all the different applications and trying to get creative with what is available can easily kill an entire weekend. It is hardly surprising that many of these excellent tools have been created by free-minded artists-turned-programmers and released under the GPL for free distribution and use.

DeMuDi is, essentially, the most comprehensive collection of free audio tools for Linux, running on top of a Debian base system. If you've ever thought about putting your musical talent to good use and composing a few original tunes, download the latest version and take a look at what is available. Even if your creation doesn't end up on the Top 40 music charts, DeMuDi is guaranteed to give you hours of free entertainment.

Comments (1 posted)

Distribution News

Turbolinux 10 Server released

Remember Turbolinux? The company has just sent out a press release announcing the availability of Turbolinux 10 Server, a 2.6-based distribution with, seemingly, an emphasis on security.

Comments (none posted)

SUSE Linux Professional 9.2 released

Novell has announced the November availability of SUSE Linux Professional 9.2. The usual new features are included: 2.6 kernel, KDE 3.3, GNOME 2.6, Evolution 2.0, X.org X11R6.8.1, etc. SUSE also claims improved Bluetooth support.

Comments (6 posted)

Mandrakelinux

Mandrakesoft has released the second edition of its live CD distribution, which is now called simply "Move." It is based on Mandrakelinux 10.0, and is intended to be an easy way for new users to start with Linux. "Move is also a great tool for those who want a portable Linux environment. Along the lines of Mandrakesoft's recently released GlobeTrotter, Move lets users carry around both settings and files on a USB key."

The release of Mandrakelinux 10.1 Community is the top story in the Mandrakelinux Community Newsletter Issue # 96, which also takes a look at some new projects in the cooker, support for LSB 2.0 and several other topics.

Mandrakelinux updates the kernel package for 10.0, with prism54 support added to the 2.4 kernel and more enhancements and bug fixes in the 2.6 kernel.

Comments (none posted)

Debian GNU/Linux

The Debian Weekly News for October 5 is out; it looks at the second Debian Installer testing candidate, the status of the non-US archive, Debian GNU/Hurd K7, and more.

Here's the latest update on the progress of the third revision of Debian GNU/Linux 3.0 (woody).

DebConf5 will take place in July 2005 in Helsinki, Finland. Some funding is available for Debian developers who would like to attend but can't afford to. This year the organizers are starting early to take advantage of better flight prices and special offers.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of October 4, 2004 looks at the finalists in the website redesign contest, the appearance of Bryon Roche at the international Gentoo PPC developer meeting, and several other topics.

Full Story (comments: none)

Fedora

Fedora News Updates Issue 16 is out: FC3test2 has been released, FC1 has been passed on to Fedora Legacy, new documentation for translators, and more in this edition.

Fedora Core 2 has updated the following packages due to new kernel scsi filtering: dvd+rw-tools, xcdroast, k3b, cdrdao and cdrtools.

Comments (none posted)

DistroWatch Weekly, Issue 69

The DistroWatch Weekly for October 4, 2004 looks at a newsletter for Ubuntu users, OpenBSD 3.6 CDs, Bayanihan Linux and more.

Comments (none posted)

New Distributions

GNUstep Live CD

The GNUstep Live CD contains GNUstep software. GNUstep is a free implementation of the OPENSTEP framework (which was used as the base for Cocoa in Mac OS X).

Comments (none posted)

Minor distribution updates

AGNULA/DeMuDi 1.2.0 released

Version 1.2.0 of AGNULA/DeMuDi, a Debian distribution oriented around audio applications, is out. "This release is the first in the 1.2.x series, which sports tighter integration with Debian, using the Sarge Debian Installer and the CDD (Custom Debian Distributions) framework."

Full Story (comments: none)

Aurox Linux

Aurox Linux has released Aurox 10.0 (Amber). "Changes in this release are related mainly to 'core' components of the system: kernel and hardware detection tools."

Comments (none posted)

IPCop Firewall

IPCop Firewall version 1.4.0 has been released. This version supports more hardware, uses an LFS (Linux From Scratch) build system, has a new GUI, and more.

Comments (none posted)

Lineox Enterprise Linux 2.1 Released

Lineox Enterprise Linux 2.1 has been released, built from Red Hat Enterprise Advanced Server 2.1 sources, with the Always Current version and update service for Lineox and Red Hat Enterprise Linux 2.1. Click below for more details.

Full Story (comments: none)

Trustix Secure Linux

Trustix has added support for more hardware in hwdata and upgrades mod_php4 to 4.3.9 to fix lots of bugs. Click below for details.

Full Story (comments: none)

Distribution reviews

Xandros 2.5: Linux for a Windows Crowd (PC World)

PC World takes a quick look at Xandros Linux 2.5. "Want to give Linux a try with little fuss and bewilderment? Xandros may have just what you're looking for. I took a shipping version of Xandros Desktop OS Deluxe 2.5 for a spin and was pleased to find that everything just plain worked."

Comments (none posted)

SimplyMepis 2004.01 Review (Linuxgruven)

Linuxgruven reviews SimplyMepis 2004.01. "I have been using Mepis since 2003.10.08. SimplyMepis 2004 continues the excellent user experience and manages to top out any other desktop-oriented distribution that I have used. I originally found Mepis while searching for an affordable option for our undergraduate labs at work. I had been using Xandros Desktop 2.0 since it had been released and was very happy with it. However, Xandros' license agreement was and remains very limiting. Also, I found their file manager to be significantly less flexible than KDE's Konqueror. Mepis offers a similarly straightforward desktop experience while remaining far truer to its Debian roots. In fact, at the end of the day, Mepis is pretty much just a well-configured and tested Debian desktop distribution with refreshingly little "special sauce" thrown in. Instead, Mepis distinguishes itself by preconfiguring many details, making the menus and defaults clean, and including the best tools for most tasks."

Comments (1 posted)

Page editor: Rebecca Sobol

Development

The R Project for Statistical Computing

The R project is building an open-source, GPL-licensed language for statistical computing and graphics. R has its roots in the S language, which was originally developed by AT&T's Bell Labs; see the Evolution of S document for a complete history of the language. The R project was originally started at the University of Auckland and now includes a lengthy list of contributors. R is being developed under the guidance of The R Foundation for Statistical Computing.

The What is R? document describes R:

R can be considered as a different implementation of S. There are some important differences, but much code written for S runs unaltered under R. R provides a wide variety of statistical (linear and nonlinear modelling, classical statistical tests, time-series analysis, classification, clustering, ...) and graphical techniques, and is highly extensible. The S language is often the vehicle of choice for research in statistical methodology, and R provides an Open Source route to participation in that activity.

The R environment contains an integrated set of software tools including:

  • A data storage facility.
  • A suite of matrix and array calculation operators.
  • A collection of intermediate tools for data analysis.
  • On-screen and printed graphical output for data analysis.
  • An interpreted programming language for manipulating data.

To see R in action, take a look at some of the Screen Shots. The R project's manuals are available (in PDF format) on the project documentation page. Further information is available from the R FAQ document, including a lengthy list of add-on packages.

Version 2.0.0 of R was released this week. "This new release marks more a coming of age than a radical change of the product. Since the release of 1.0.0 on February 29, 2000, R has developed steadily and settled on a release cycle with a "dot-release" two times per year."

New features available in R 2.0.0 include:

  • Support for namespaces.
  • Exception handling constructs.
  • Support for formal methods and classes.
  • Improved garbage collection.
  • Generalized I/O objects.
  • A new grid subsystem for graphics.
  • A lattice package for producing multi-frame layouts.
  • A port to Mac OSX.
  • Support for Tcl/Tk-based GUI development.
  • The bundling of widely used packages.
  • Improved configuration scripts.
  • Bug fixes.

The CHANGES document has a more detailed list of the changes in the new version.

If you are looking for an extensive set of tools for visualizing data, R is certainly worth investigating. The source code for R is available from the Comprehensive R Archive Network (CRAN).

Comments (5 posted)

System Applications

Audio Projects

FLAC 1.1.1 has been released

Version 1.1.1 of FLAC, the free, lossless audio codec, has been released. "There is a new changelog with a complete list of changes/fixes/improvements, but the main ones include: almost 2x decoding speedup on Macintosh, better Ogg FLAC support, and several new options to flac and metaflac."

Comments (1 posted)

Database Software

New test version of knoda 0.7.2-test1 released

Version 0.7.2-test1 of Knoda, a database front-end, is available. "The main new features: View support for PostgreSQL, Sqlite, and ODBC has been added. The ODBC driver has been improved a lot. Some bugs have been fixed."

Full Story (comments: none)

PostgreSQL 8.0 Beta 3 Released

Version 8.0 Beta 3 of PostgreSQL has been released. "It's been almost 4 weeks since we've released PostgreSQL 8.0 Beta2, and there have been enough improvements to the code to warrant a new Beta, to reduce the number of "already fixed" bug reports."

Comments (none posted)

PostgreSQL Weekly News

The October 5, 2004 edition of the PostgreSQL Weekly News is online with the week's PostgreSQL database development news.

Full Story (comments: none)

How to Misuse SQL's FROM Clause (O'Reilly)

Stéphane Faroult looks at common problems with the SQL FROM clause on O'Reilly. "It may seem surprising to state it so, but the FROM clause of SQL statements seems to be one of the most often misused parts of SQL queries. Misused? How is that possible? We put into the FROM clause all the tables to join together in a query, don't we? Well, well, well. Not quite. At the risk of sounding pedantic, perhaps a bit of (applied) theory would be welcome."

Comments (1 posted)

Embedded Systems

Embedded Linux Training Materials

Michael Opdenacker has announced a 500-page training document on embedded Linux systems. "It features 3 trainings (Introduction to Unix and GNU/Linux, Embedded Linux kernel and driver development, Development tools) as well as 4 presentations (Java in embedded Linux systems, Linux 2.6 new features, Introduction to uClinux, Real-time in embedded Linux systems). The 500-page materials are released under the GNU Free Documentation License".

Full Story (comments: none)

Filesystem Utilities

Announcing gnomevfs-mount 0.0.1

The initial release of gnomevfs-mount is out. "Since I saw gmailfs, I wondered why gnome does not have a way to mount gnomevfs-uris on the linux filesystem. I have taken a look into fuse and I realized it would be very easy doing the same with gnomevfs."

Full Story (comments: none)

GParted 0.0.5 released

Version 0.0.5 of GParted, the Gnome partition editor, is available. Changes include i18n support, bug fixes, and UI improvements.

Full Story (comments: none)

Libraries

libannodex 0.5.68 Released

Version 0.5.68 of libannodex has been announced. "libannodex is a C library providing a simple programming interface for reading and writing Annodex media. Annodex is an open standards based technology that extends the World Wide Web's hyperlinking, searching, and compositing infrastructure to time-continuous data, enabling video surfing, searching for clips of audio and video files using ordinary Web search engines, and on-the-fly composition of a video on a Web server from previously annodexed clips." This release features improved temporal interleaving, lookahead for the Ogg and Anx importers, improved EOS handling, and more.

Full Story (comments: none)

liboggz 0.8.5 Released

Version 0.8.5 of liboggz, a C library for working with Ogg format compressed audio streams, is out. Changes include a new oggzmerge tool, a new OggzReadPage API, improvements to the seeking behavior, a seek-stress example program, bug fixes, and more.

Full Story (comments: none)

libxklavier 1.04 released

Version 1.04 of libxklavier, the X Keyboard utility library, has been released. "This release is mostly bugfix. Some compilation problems on non-linux systems are resolved - and a small attempt to resolve some runtime problems was made (without breaking compatibility - more stuff will go into the devel branch to be started soon). Some memory leaks are cleaned up (thanks to kmaraas and valgrind). The only non-bugfix change is introduction of some simple test apps into the package - useful for debugging and as examples."

Full Story (comments: none)

Mail Software

bogofilter 0.92.7 released

Version 0.92.7 of bogofilter, a spam filter, is available. "A variety of small fixes have been made to bogofilter and bogotune and to their documentation."

Full Story (comments: none)

Reporting Application Errors by Email (O'ReillyNet)

Sean C. Sullivan shows how to send error messages via email in an O'Reilly article. "Even if your application logs an error to a local file, the developer doesn't know there's a problem until a user notices it and sends the log file back. It can be more useful for apps to email their own error messages back. And as Sean C. Sullivan explains, it's not hard to do with either log4j or java.util.logging."

Comments (none posted)

Networking Tools

Pads 1.1.3 Released (SourceForge)

Version 1.1.3 of Pads, a signature-based network asset detection engine, is available. "This version of Pads is a feature and bug fix release. It has a new feature that allows MAC addresses to be resolved into hardware vendor names along with minor bug fixes."

Comments (none posted)

Printing

Common UNIX Printing System 1.1.22rc1

Version 1.1.22rc1 of CUPS, the Common UNIX Printing System, has been released. "CUPS 1.1.22 is a bug fix release which fixes device URI logging, file descriptor and memory leaks, crashes related to printer browsing, and error handling in the browsing code. The new release also adds support for PostScript files from other Windows PostScript drivers."

Comments (none posted)

Security

Unicornscan 0.4.2 announced

Unicornscan, an information gathering and correlation engine, was launched this week. "Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network."

Full Story (comments: none)
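The announcement above describes a user-land stack that "introduces a stimulus" and "measures a response". As an added illustration of what that means at the packet level (this is example code, not Unicornscan's own), the block below builds the IPv4/TCP SYN segment such a scanner emits, computing the header checksums the kernel would otherwise fill in, and classifies the peer's reply into open, closed or filtered. Addresses, ports and sequence numbers are constructed; actually transmitting the probe needs a raw socket with IP_HDRINCL and root, which is deliberately left out.

```python
"""Added example: build a TCP SYN probe by hand and classify the reply.
Not Unicornscan's code; all addresses and ports below are constructed."""
import random
import socket
import struct
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10
PROTO_TCP = 6
TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset<<4, flags, window, csum, urg


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; re-running it over a correct header gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header for a TCP payload. A user-land stack writes this itself,
    so it also picks its own IP ID and TTL rather than inheriting the kernel's."""
    ident = random.randrange(1 << 16)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _pseudo(src: str, dst: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, PROTO_TCP, tcp_len)


def tcp_header(src: str, dst: str, sport: int, dport: int,
               seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Header-only TCP segment; the checksum covers the IPv4 pseudo-header too."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(_pseudo(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return checksum(_pseudo(src, dst, len(segment)) + segment) == 0


def syn_probe(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """The stimulus: one IPv4+TCP SYN, ready for a raw socket opened with IP_HDRINCL."""
    tcp = tcp_header(src, dst, sport, dport, seq, 0, SYN)
    return ipv4_header(src, dst, len(tcp)) + tcp


def classify_reply(reply_tcp: Optional[bytes], sent_seq: int) -> str:
    """The response side: what the peer's TCP segment, or its silence, tells us."""
    if reply_tcp is None:
        return "filtered"          # nothing within the timeout: probably dropped upstream
    _, _, _, ack, _, flags, _, _, _ = struct.unpack(TCP_FMT, reply_tcp[:20])
    if flags & RST:
        return "closed"            # RST (usually RST/ACK) from a host with no listener
    if flags & SYN and flags & ACK and ack == (sent_seq + 1) & 0xFFFFFFFF:
        return "open"              # SYN/ACK acknowledging our initial sequence number
    return "unexpected"            # wrong ACK: spoofed, stale, or not answering our probe


if __name__ == "__main__":
    pkt = syn_probe("10.0.0.1", "10.0.0.2", 40000, 80, seq=1000)
    print(len(pkt), "bytes; IPv4 checksum verifies:", checksum(pkt[:20]) == 0)
    # Sending it: socket.socket(AF_INET, SOCK_RAW, IPPROTO_RAW).sendto(pkt, (dst, 0))
```

Checking the ACK number against the sequence number we chose is what lets a scanner tell a genuine answer from unrelated traffic arriving on the same port; a stack that sends many probes in parallel typically encodes probe identity in the sequence number for exactly this reason.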

Web Site Development

MediaWiki 1.3.5 released (SourceForge)

Version 1.3.5 of MediaWiki, the collaborative editing software that runs the Wikipedia free encyclopedia, is out. "MediaWiki 1.3.5 is a security update, which contains a small fix for a potential cross-site scripting vulnerability. All MediaWiki 1.3.x users are strongly encouraged to upgrade to this latest release."

Comments (none posted)

Quixote 1.1 Released

Version 1.1 of Quixote, a Python-based web applications framework, has been released. The CHANGES file lists numerous bug fixes.

Comments (none posted)

Silva 1.1 released

Version 1.1 (final) of Silva, a browser-based CMS for creating publications for the web, paper, and other media, is available. New features include XSLT support for rendering Silva objects, an XML export/system, abbr and acronym support, a new parser for the SilvaDocument forms-based editor, and bug fixes.

Full Story (comments: none)

Whitebeam 0.9.30 Release

Version 0.9.30 of Whitebeam, an XML based web application server, has been released. "This release of Whitebeam exposes a comprehensive server-side JavaScript API to the Postgres database."

Comments (none posted)

NMS Project Needs Help (use Perl)

Use Perl has posted a plea for help with the NMS project. "The nms project is a project that provides drop-in replacements for the CGI programs provided by Matt's Script Archive. The idea is to provide users with secure and well-written alternatives to Matt Wright's scripts. Even Matt recommends them. But the project is in danger of becoming a victim of its own success. We have a large number of users which is growing daily. And although we make the programs as easy to install and use as possible, the... er... inexperience of our users means that we are getting a lot of support requests. We've also got a lot of ideas for enhancements but not enough time to implement them."

Comments (none posted)

Miscellaneous

GNOME CPU Frequency Scaling Monitor 0.3 announced

Version 0.3 of the GNOME CPU Frequency Scaling Monitor (GNOME CPUFreq Applet), is out. Changes include the ability to change the CPU frequency, new and improved governors, and more.

Full Story (comments: none)

Desktop Applications

Accessibility

ATutor 1.4.2 Released

Version 1.4.2 of ATutor, a Web-based Learning Content Management System (LCMS) designed for accessibility and adaptability, is out. New features include: "Surveys and unmarked tests, secure content, system wide searching, category based themes, new languages, and more."

Full Story (comments: none)

Business Applications

OpenWFE 1.4.4 released (SourceForge)

OpenWFE 1.4.4 is available. "OpenWFE is an open source java workflow engine. It is a complete Business Process Management suite, with 4 components : an engine, a worklist, a webclient and a reactor (host for automatic agents). It can also be used behind the scene. OpenWFE 1.4.4 introduces an important new feature in its process definition language : variable substitution. ${myvar}, when used in the attribute value of a tag gets resolved to the content of the myvar variable. Coupled to an iterator or a concurrent-iterator, it can simplify definitions dramatically."

Comments (none posted)

CAD

Seventeenth release of PythonCAD available

Release 17 of PythonCAD, a Python-based CAD package, is available. "The seventeenth release of PythonCAD can print! This release includes the ability of the program to generate a PostScript file that can either be sent to a printer or saved directly to a file. Printing support is not entirely complete however, and will be enhanced over the next several releases. This release also includes improvements in the user interface for changing existing drawing entities, especially text and dimensions."

Full Story (comments: none)

Desktop Environments

KDE CVS-Digest (KDE.News)

The October 1, 2004 edition of the KDE CVS-Digest is available. "Highlights of this week: XML autoindenter in Kate. Rendering speedups in Kolourpaint. New media:/ kioslave. Improved SQL parser in Kexi. Konversation adds support for SSL. Summary of Network-Integrated Multimedia Middleware, from the aKademy presentations."

Comments (none posted)

Xfce 4.2 BETA1 is out

The Beta 1 release of Xfce version 4.2 has been released. "This is the first release based on the 4.1 development branch of Xfce, so inevitably it may include bugs. This beta release introduces many new features in comparison with Xfce 4.0.x."

Comments (2 posted)

Desktop Publishing

LyX 1.3.5 is released

Version 1.3.5 of LyX, a document processor built on top of TeX, has been released. "This is mainly a bugfix release, with few notable user-visible improvements."

Full Story (comments: none)

Advanced XML-based typesetting and printing (NewsForge)

Jonathan Bartlett works with DSSSL, the Document Style Semantics and Specification Language, in a NewsForge article. "DSSSL is more than just a styling language like CSS. It is a full programming language, which means you can have stylesheets that are as complex and context-sensitive as you want. You can have if statements, procedures, and loops in your stylesheet, and you can custom-process XML documents yourself. DSSSL is based on the Scheme programming language."

Comments (none posted)

Electronics

Oregano 0.3.1 released

Version 0.3.1 of Oregano, a schematic capture and circuit simulation package, has been announced. "This release fixes backwards compatibility with GTK 2.2. There are some UI bugfixes, Gnome HIG fixes, and Mac OS X support. Some translations are updated, and many are out of date."

Comments (none posted)

XCircuit 3.3.0 released

Version 3.3.0 of XCircuit, an electronic schematic drawing package, is out. Changes include a new spice parser and PostScript display improvements.

Comments (none posted)

Games

Cyphesis 0.3.4 Released

Version 0.3.4 of Cyphesis has been released. "Cyphesis is a small to medium scale server for WorldForge games, with builtin AI. This version includes the demo game Mason which is currently in development. This release is intended for server administrators wishing to run a Mason server or anyone wishing to work on serverside game development."

Comments (none posted)

G3D 6.04 Released (SourceForge)

Version 6.04 of G3D has been announced. "The G3D 3D Engine powers commercial games, graphics research, university courses, and hobbyist projects. You can use it to make your own 3D programs for MSVC 6, MSVC.NET, Linux, and OS X. The 6.04 release adds a new manual and tutorial, OpenGL 2.0 support, easy-to-use access to programmable hardware, and new demos including a network game infrastructure."

Comments (none posted)

Four Cool Ways to Use Neural Networks in Games (O'Reilly)

David M. Bourg and Glenn Seeman apply Neural Networks to Game software on O'Reilly. "In our book, AI for Game Developers, we cover many different AI techniques that are used in games. Many of the techniques we cover, such as chasing and evading, pathfinding, finite state machines, and rules-based systems, among others, have obvious applications in games. However, some of the other techniques we cover, such as neural networks, genetic algorithms, and Bayesian techniques, are not as familiar and thus their applications in games may not be as obvious."

Comments (none posted)

GUI Packages

PyGTK 2.4.0 announced

Version 2.4.0 of PyGTK, the Python language bindings to GTK, is available. Changes include wrapping for objects in GTK+ 2.4.0, Enum and Flags wrapping, better constructor integration, threading improvements, bug fixes, and more.

Full Story (comments: none)

Mail Clients

Evolution 2.0.1 released

Stable version 2.0.1 of the Evolution mail client is out. "Evolution 2.0 is the stable version of the 1.5.x development series. It will upgrade your existing 1.4 install if you were not using 1.5 previously, but will not delete it until told to." Numerous bug fixes are included.

Full Story (comments: none)

Multimedia

KPlayer 0.5.2 released (SourceForge)

Version 0.5.2 of KPlayer, a KDE media player, has been released. "The new 0.5.2 version features a brand new user manual, whats-this hints throughout the user interface including configuration dialog and file properties, improved mouse wheel support, several other improvements and bug fixes, and new Hungarian and Polish translations."

Comments (none posted)

Office Applications

Gnumeric 1.3.91 is out

Version 1.3.91 of the Gnumeric spreadsheet is available. "I would have liked to characterise this as just a stabilisation release, but there is more in here than bug fixes. Yaacov Zamir and Morten cleared out lots of old code and synced the cell printing to use the same pango generation we used for display. While that was going on Emmanuel added some nice eye candy to the plots, grid lines. I was surprised by how much they add to the charts. The docs are also shaping up nicely."

Full Story (comments: none)

Office Suites

OpenOffice.org 1.1.3 is out

Stable version 1.1.3 of the OpenOffice.org office suite has been released. "OpenOffice.org 1.1.3 is ready for use by businesses, enterprises, governments and individuals, and offers near-perfect compatibility with legacy proprietary office suites such as Microsoft Office."

Full Story (comments: none)

OO.o build-1.3.5.5 released

Build 1.3.5.5 of OpenOffice.org is available. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to stock OO.o."

Full Story (comments: none)

OpenOffice.org Newsletter

The September 2004 edition of the OpenOffice.org Newsletter is online with the latest OOo office suite news.

Full Story (comments: none)

Web Browsers

Firefox 0.10.1 Released (MozillaZine)

Version 0.10.1 of the Firefox browser has been announced. "The Mozilla Foundation today released Firefox 0.10.1, which patches a security hole that was discovered this week."

Comments (1 posted)

Mozilla 1.8 Alpha 4 Released (MozillaZine)

MozillaZine has the announcement for Mozilla 1.8 Alpha 4. "New features include partial support for some new Web standards (such as CSS3), improvements to the popup blocker, keyboard shortcut improvements, virtual folders in Mail and Newsgroups (allowing one to save searches), a spellchecker included by default on Linux and, of course, too many bug fixes to mention."

Comments (none posted)

Miscellaneous

GNOME screen ruler announced

A new project, the GNOME screen ruler, has been announced. "This new app lets you measure things on the screen in pixels (inch and millimeter metrics coming soon). This type of ruler is quite popular on OSX. It's useful for graphics artists, GUI designers, maybe others."

Full Story (comments: none)

viewglob 1.0 released (SourceForge)

Version 1.0 of viewglob is out. "viewglob is a tool to increase the usability of the Unix shell by leveraging the expressiveness of graphical environments. It sits as a layer beneath an xterm and watches your bash or zsh shell activity as you type. An interactive GTK+ display shows the layout of relevant directories and highlights file selections and potential name completions. This 1.0 release makes several stability fixes and adds two useful features."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The September 28 - October 5, 2004 edition of the Caml Weekly News is available. Take a look for the latest Caml language news.

Full Story (comments: none)

Java

Reduce code bloat with XDoclet (IBM developerWorks)

Sing Li reviews XDoclet on IBM's developerWorks. "The open source XDoclet code-generation engine, an integral part of many leading Java frameworks, is often heralded as an enabler for attribute-oriented programming and continuous integration. But XDoclet also has an undeserved reputation for being difficult for beginning developers to grasp and master. In this article, the ever-popular Sing Li takes on XDoclet and reveals the simple yet elegant design at its heart, enabling you to understand the technology and put it to productive use."

Comments (none posted)

Twice as Nice (IBM developerWorks)

Andrew Glover explores Nice on IBM's developerWorks. "Nice is a JRE compatible, object-oriented language that brings tremendous expressiveness to the Java platform. Nice also lets you implement many of the cutting edge features found in Java 5 on any Java virtual machine. In this fourth installment of the alt.lang.jre series, regular contributor and all around "Nice" guy Andrew Glover walks you through some of the most exciting features of Nice."

Comments (none posted)

Lisp

SBCL 0.8.15 released

Version 0.8.15 of SBCL (Steel Bank Common Lisp) is available. "This version renames the image saving hooks, adds single-stepping of code to debugging facilities, supports saving cores with foreign code loaded, and fixes some bugs."

Full Story (comments: none)

Using Java with Lisp

Bill Clementson has assembled a set of weblog entries on the topic of using Java with Common Lisp.

Full Story (comments: 1)

PHP

Scry 1.1 Released (SourceForge)

Version 1.1 of Scry, the Simple PHP Photo Album, is available. "New features include: pagination, two URL modes, better legacy GD compatibility, easier setup, and optional exif support. Version 1.1 also corrects a number of outstanding bugs reported on SourceForge."

Comments (none posted)

Conduct Web experiments using PHP, Part 1 (IBM developerWorks)

Paul Meagher uses PHP to analyze web data on IBM's developerWorks. "This two-part article series offers Web developers a practical introduction to the design of experiments (DOE) and categorical data analysis (CDA). This first part demonstrates how to use PHP to implement an experimental protocol for measuring the effectiveness of a Web-based offer. The second part will examine analyzing the resulting data using CDA tools that we'll implement using PHP."

Comments (none posted)

Python

GnomePython 2.6.0 announced

Version 2.6.0 of GnomePython, the Python language wrappers for the GNOME 2.6 APIs, is out with lots of changes.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The October 4, 2004 edition of Dr. Dobb's Python-URL! is available. Take a look for numerous Python language articles.

Full Story (comments: none)

python-dev Summary

The latest python-dev Summary is out with coverage of the python-dev mailing list from September 1-15, 2004.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The October 5, 2004 edition of Dr. Dobb's Tcl-URL! is out with the week's Tcl/Tk article links.

Full Story (comments: none)

UML

Gaphor 0.6.0 announced

Version 0.6.0 of Gaphor, a Python-based UML modeling environment, is out. New features include a code reverse engineer plugin, a diagram layout engine, and improved plugin support.

Full Story (comments: none)

XML

Don't Be Afraid to Drop the SOAP (O'Reilly)

Sam Tregar explains some problems with SOAP on O'Reilly. "Two years ago I added a SOAP interface to the Bricolage open source content management system. I had high expectations. SOAP would give me a flexible and efficient control system, one that would be easy to develop and simple to debug. What's more, I'd be out on the leading edge of cool XML tech. Unfortunately the results haven't lived up to my hopes. The end result is fragile and a real resource hog. In this article I'll explore what went wrong and why."

Comments (2 posted)

Build Tools

iCompile Automatic C++ Build System (SourceForge)

Version 0.3 of iCompile, an automated C++ build tool, has been released. "This release contains a new manual and several new features like a --quiet option, the ability to automatically build static and dynamic libraries, and new configuration options."

Comments (none posted)

Editors

MlView 0.7.0 released

Version 0.7.0 of MlView, the GNOME XML editor, is available with a long list of improvements and bug fixes.

Full Story (comments: none)

Miscellaneous

Groovy, Java's New Scripting Language (O'ReillyNet)

Ian F. Darwin explores Groovy in an O'Reilly article. "When some Java developers hear about Groovy, their first reaction often is, as mine was, "Oh, no, not another scripting language for Java." We already have, after all, JavaScript and Rhino, Jython, Jelly, BeanShell, JRuby, Tcl/Java, Sleep, ObjectScript, Pnuts, Judoscript, the Bean Scripting Framework (BSF)--which gives access to Perl, TK/Tcl, and more--and many others. But other developers have been hoping for a scripting language with the power of Perl, Python, or Ruby but without having to re-learn everything from the ground up."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Gaim-Encryption: Simple encryption for instant messages (NewsForge)

NewsForge looks at securing chat sessions. "Gaim-Encryption uses a public/private key mechanism similar to the one that PGP uses. When you first run Gaim-Encryption, it generates a set of keys -- essentially secret codes that others can use to communicate with you. By default, the setting for automatically finding out if another Gaim user has Gaim-Encryption is enabled, so when you first IM a person who uses Gaim-Encryption, the public keys are exchanged. From then on, the conversation between the two parties is encrypted during transport; though a snooper could see you're IMing, the message contents will be encrypted."

Comments (20 posted)
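The article above describes the pattern but not the caveat a practitioner cares about: a public key that is exchanged automatically on first contact is unauthenticated, so the security of everything afterwards rests on noticing when the key you see for a peer is not the one you saw before. The block below is an added example of that pattern, not Gaim-Encryption's code: the page does not say which algorithms the plugin uses, so it swaps in finite-field Diffie-Hellman over the RFC 3526 2048-bit group for the key exchange, a trust-on-first-use key store that pins each peer's fingerprint, and a deliberately toy HMAC-based stream cipher for the transport step. Names, messages and the "im-demo-v1" label are constructed for the example.

```python
"""Added example: key pair per user, public keys swapped on first contact,
fingerprints pinned, later messages encrypted under the shared secret.
Not Gaim-Encryption's code; DH group 14 and a toy cipher stand in for
whatever the plugin actually uses."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 modulus (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def gen_keypair():
    """'When you first run it, it generates a set of keys.'"""
    priv = secrets.randbits(256) | 1          # a 256-bit exponent is ample for this group
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    return hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:32]


class KeyStore:
    """Trust-on-first-use: pin the key seen on first contact and refuse to silently
    accept a different one later. A changed key is what an interposed third party
    looks like; the fix is an out-of-band fingerprint comparison, not auto-accept."""

    def __init__(self):
        self.pins = {}

    def check(self, peer: str, pub: int) -> str:
        fp = fingerprint(pub)
        known = self.pins.get(peer)
        if known is None:
            self.pins[peer] = fp
            return "new"
        return "known" if hmac.compare_digest(known, fp) else "changed"


def shared_key(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:              # degenerate values force a predictable secret
        raise ValueError("invalid peer public key")
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(b"im-demo-v1" + s.to_bytes(256, "big")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher with encrypt-then-MAC; 16-byte nonce, never reused per key."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Alice and Bob pair up on first IM; later a different key is presented as Bob's."""
    a_priv, a_pub = gen_keypair()
    b_priv, b_pub = gen_keypair()
    alice, bob = KeyStore(), KeyStore()
    first = alice.check("bob", b_pub)         # "new": pinned, ideally confirmed out of band
    bob.check("alice", a_pub)
    ka, kb = shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)
    plain = decrypt(kb, encrypt(ka, secrets.token_bytes(16), b"meet at nine"))
    _, impostor_pub = gen_keypair()           # a third party's key, claiming to be Bob
    later = alice.check("bob", impostor_pub)  # "changed": warn the user, do not proceed
    return first, ka == kb, plain, later


if __name__ == "__main__":
    print(demo())
```

The store returns "changed" rather than quietly re-pinning; a client that re-pins on its own turns the fingerprint into decoration, since an attacker who can intercept the first exchange can intercept the second as well.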

Desktop Linux is Windows piracy aide (Silicon.com)

Silicon.com covers an interesting and somewhat unbelievable Gartner study. "PCs running Linux are growing in popularity in part because they can be loaded with a pirated copy of Windows, according to a study from analyst Gartner. The consulting firm has issued a report stating that about 40 per cent of Linux PCs will be modified to run an illegal copy of Windows, a bait-and-switch manoeuvre that lowers the cost of obtaining a Windows PC. In emerging markets, where desktop Linux enjoys wider popularity, the trend is even starker. Around 80 per cent of the time, Linux will be removed for a pirated copy of Windows."

Comments (39 posted)

OSIA to Gartner: Get A Clue over Desktop Linux

Open Source Industry Australia (OSIA) responds (click below) to a Gartner study on Desktop Linux and piracy. "If Gartner's conclusion that pre-installing Linux encourages people to steal copies of Windows were correct, then we can extend this tenuous logic by stating that pre-installing Windows in turn must clearly encourage people to pirate application-level software; if there was no Windows OS on the PC, then users couldn't pirate other products like Photoshop, Microsoft Office or Dreamweaver which need Windows in order to be used. One can quickly see how this process of thought leads to ridiculous conclusions and we are surprised that Gartner started down this path."

Full Story (comments: 3)

Trade Shows and Conferences

Linux: Millennium Momentum (LXer)

LXer provides a wrap-up of the Ohio Linux Fest. "A smashingly successful Ohio LinuxFest has just finished, and our on-the-scene (and anonymous) reporter has written an excellent (and at times hilarious) roundup of the event. Congratulations go out to the organizers of the OLF, and a special thanks to maddog for helping them with last minute needs. Well done all!"

Comments (1 posted)

The SCO Problem

SCO Asks to File Another Overlength Memo (Groklaw)

Groklaw covers the latest move in the SCO vs IBM case. "So, we get to read more legalese from the SCO team. zzzzzz First, the Ex Parte Motion. Then I will put up the order. I believe I have discerned their real strategy. Yes, it's "anywhere but here", as IBM attorney Evan Chesler put it at the September 15th hearing. But I detect a water-torture strategy as well. Drip, drip, drip, more memoranda, more motions, more words until we all wave our little white flags from the parapet and beg them to stop at any cost. One thing is for sure. They can't appeal on the grounds that they didn't get to tell the court every last thought they could possibly dream up."

Comments (none posted)

Judge Kimball Denies SCO's 2 Motions (Groklaw)

Groklaw has a ruling from Judge Kimball in SCO v. IBM regarding SCO's scheduling motions. SCO loses all the way. "However, there is nothing in the Amended Scheduling Order that precludes IBM from filing motions for summary judgment, and there is nothing in the Scheduling Order that relieves SCO from responding to such motions. Thus, it is puzzling that SCO seeks to 'enforce' the Amended Scheduling Order when there is nothing in that Order to justify SCO's request for a significant delay in filing its responses." This is a minor and expected setback for SCO; the ruling on the first of IBM's summary judgment motions is still pending.

Comments (2 posted)

Companies

Ballmer calls for horse-based attack on Star Office (Register)

Here's the latest set of Steve Ballmer quotes, courtesy of The Register. "He blamed the success of Linux in the public sector on influential academics, who favour it because universities are Unix environments, and politicians reacting to 'noisy constituents - and those Linux people are noisy.'"

Comments (24 posted)

Red Hat acquires AOL's Netscape server software (News.com)

Red Hat has purchased AOL's Netscape server software. "In a move to add more open-source arrows to its quiver, Linux seller Red Hat has acquired the Netscape server software products of AOL Time Warner, the companies plan to announce Thursday. Red Hat plans to release the Netscape Enterprise Suite as open-source software, meaning that anyone will be able to use, modify and redistribute the products, News.com has learned."

Comments (9 posted)

Sun pushes OpenOffice standard (News.com)

News.com reports that Sun Microsystems is backing European Union efforts to standardize office document formats. "In a recent letter to the European Commission, Sun President Jonathan Schwartz said he agrees with a recommendation by the EC's Interchange of Data between Administrations unit to establish the format used by OpenOffice.org, an open-source productivity suite based on Sun's StarOffice, as an international standard."

Comments (6 posted)

Linux Adoption

AT&T Tests Linux to Replace Microsoft's Windows on 70,000 PCs

Bloomberg reports that AT&T is considering deploying Linux on tens of thousands of desktops - or is, perhaps, just trying to get a lower price out of Microsoft. "A surge in virus attacks on Windows spurred AT&T to consider using Linux, [AT&T CIO Hossein] Eslambolchi said. AT&T could also save 50 percent to 60 percent on the cost of desktop software by using Linux, he said."

Comments (13 posted)

Interviews

Open source lives on Mars with rover mission extension (NewsForge)

NewsForge talks with Jeff Norris, a senior computer scientist at NASA's Jet Propulsion Laboratory who headed development of the Martian rovers' Science Activity Planner. "Norris said open source software is not necessarily onboard the Martian rovers, but is instead here on Earth controlling them and communicating with them. He explained that during development, NASA engineers were able to focus on their mission rather than those components that were going to rely on open source."

Comments (2 posted)

KOffice Interview (KDE.News)

KDE.News talks with David Faure about KOffice. "An office suite is a huge thing to develop. Work is needed in almost every part of it, and it's hard to simply follow users' demands as everyone's 'must have' feature is a different one. More specifically, I can see that the immediate future is going to be: finishing the OASIS file format implementation and working on the document converters to make them use the OASIS format, then looking at whether to rewrite our text engine (as well as KWord and KPresenter) to be based on Qt4's new text engine (dubbed 'Scribe'), which looks very promising."

Comments (none posted)

Neowin Interview : Ben Goodger, chief developer of Firefox (Neowin.net)

Neowin.net talks with Ben Goodger about the Firefox browser. "Firefox 1.0: What's new since 0.9? Lots of things - you can now read RSS feeds in Bookmarks with our new "Live Bookmarks" feature - feed links become bookmarks inside dynamic folders. We've made a lot of improvements to Find in page to make it less annoying and make the "Find as you Type" highlighting feature more discoverable. Extension Update is now up and running, you can open blocked popups, sort Bookmarks in the menu, and a number of other things."

Comments (18 posted)

Resources

Windows PCs vs. X Terminals: A Cost Comparison (Linux Journal)

Salvador Peralta compares the long term price of Windows PCs to X terminals in a Linux Journal article. Here's his conclusion: "Excluding administrative costs, the 15-year cost of 25 Linux systems in a lab environment is estimated to be $41,359 versus a 15-year cost of $100,000 to $155,000 for Windows PCs serving the same function. Although these estimates are based on rough cost estimates, the overall cost of hardware and software deployment, coupled with the shorter overall time spent on administrative tasks, yields significant cost savings over long-term deployment cycles in our work environment."

Comments (5 posted)

What to do if you're involved in code-dispute litigation (NewsForge)

NewsForge advises a calm approach to code disputes. "If you run a sloppy project, you're asking for trouble. If you don't know who contributed each piece of code, how to contact them, and when the code was contributed, then you are not properly documenting your work. In addition to having a written agreement with your contributors, you'll also want to form a committee to deal with potential infringement claims. Lastly, you should try to consolidate ownership of the entire code base for the project."

Comments (2 posted)

Reviews

Programming Tools: Eclipse 3.0.1 (Linux Journal)

Linux Journal looks at Eclipse. "Although Eclipse was written in Java and has a well-developed Java IDE, I was curious to see how it would work with languages other than Java and C++. A feature currently in beta testing, pydev, provides a Python IDE within the Eclipse platform. Given the beta nature of pydev, incorporating it into the Eclipse platform went quite well. I tested pydev on some projects I am developing, and it worked adequately. In the future, the promise of Eclipse and its rich set of features makes it a viable contender for a Python IDE."

Comments (1 posted)

The future of Linux multimedia (NewsForge)

NewsForge takes a look at multimedia on Linux. "Today the biggest Linux multimedia projects, like xine and MPlayer, are about to release full 1.0 versions, which means stable and powerful support. One of the net's biggest multimedia companies, Real Networks, has a brand new release of the ever-popular RealPlayer. Sound drivers via Advanced Linux Sound Architecture (ALSA) are well into 1.0 status, giving us fully functional surround sound and a stable API. As for visuals, The two biggest video card manufacturers, ATI and nVidia, officially support Linux."

Comments (22 posted)

SQLite 3.0.7 (Linux Journal)

Linux Journal reviews SQLite. "D. Richard Hipp's SQLite database engine has earned a well-respected place in the toolbox of many programmers. Its small size and simple distribution make it a natural choice for standalone and embedded applications. Wide support by many programming languages, including PHP, has made SQLite popular for Web applications that need persistent data storage but don't need the kind of multi-user scaling capabilities provided by server-based solutions."

Comments (4 posted)

Miscellaneous

Coders win, winners code (NewsForge)

NewsForge covers coding contests by TopCoder. "TopCoder announced on September 29 the completion of the final elimination round in the Algorithm Competition portion of its 2004 annual TopCoder Open coding contest. But the real winner may be TopCoder's open source development model, which gives programmers a chance to build enterprise applications for cash prizes."

Comments (4 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

FSFE and Microsoft vs. the EC

The Free Software Foundation Europe reports on the first part of the hearing in the appeal procedure by Microsoft vs. the EC. The Court heard from Jeremy Allison, introduced by Carlo Piana from the Milan-based Tamos & Piana law firm, on behalf of the Free Software Foundation Europe. "My name is Jeremy Allison, and I'm speaking on behalf of the FSFE who is representing the Samba Team, who have a great interest in this case. Samba is one of the few competing products to Microsoft in the Workgroup server market. It is commonly shipped with Linux, but is developed separately. I am one of the original authors of the Samba code, and with my colleague from Germany Volker Lendecke have been working on interoperating with Microsoft software for over 12 years."

Comments (5 posted)

Allianz Group will suffer because of software patents

The Free Software Foundation Europe (FSFE) has sent a letter of protest to the CEO of the Allianz Group over software patents in Europe.

Full Story (comments: none)

Gluecode Contributes BPM Engine to Apache Software Foundation

Gluecode Software has announced the contribution of Project Agila, the Apache Software Foundation's first embeddable open source business process management (BPM) engine. To ensure that it conforms to Apache Software Foundation's policies for code contributions, Agila is proceeding through the foundation's standard incubation stage. Once the incubation process is complete, Agila will become part of the Apache Jakarta Project.

Comments (20 posted)

LPI announces sponsorship by HP Education Services

The Linux Professional Institute has announced new sponsorship by Hewlett-Packard's Education Services. "Hewlett-Packard Germany was providing the sponsorship to LPI international to assist with LPI-German marketing and business development activities in Germany, Austria and Switzerland."

Full Story (comments: none)

Microsoft FAT patent overturned

The Public Patent Foundation has put out a release proclaiming its role in the US patent office's action rejecting all claims in Microsoft's patent on the FAT filesystem format. The office's action is available in PDF format for people wanting the details.

Comments (6 posted)

OpenOffice.org announces Engineering Steering Committee

A new OpenOffice.org Engineering Steering Committee has been announced. "Composed of senior developers appointed by the Community Council, the ESC represents the technical groups making up the Project. Its advice therefore will have impact both on the nature and direction of the source, as well as on the processes for code submission and review. Its creation represents a further step in making OpenOffice.org more open to developers."

Full Story (comments: none)

OSDL Names Thomas Hanrahan Head of Linux Engineering

Open Source Development Labs has announced the appointment of Thomas Hanrahan as the Lab's new director of Linux engineering. OSDL Lab director Timothy Witham has been promoted to Chief Technology Officer.

Comments (none posted)

Commercial announcements

Black Duck Names Open Source Attorney Lawrence Rosen as Senior Advisor

Black Duck Software has announced that Lawrence Rosen has joined the company as a senior advisor. Rosen, a noted attorney and computer specialist, is the author of Open Source Licensing: Software Freedom and Intellectual Property Law.

Comments (none posted)

CompTIA Linux+ Beta Exam

CompTIA is holding the CompTIA Linux+ Beta exam. "For the next eight weeks, anyone interested in demonstrating that he or she has the equivalent of six to 12 months of experience with the latest Linux applications can do so for $75 by passing the CompTIA Linux+(tm) beta exam."

Full Story (comments: none)

Cray Targets CAE Market with New Cray XD1 Supercomputer

Cray Inc. has announced the new Cray XD1 Opteron/Linux-based supercomputer. The USDA Forest Service is using the Cray XD1 to predict and track the paths of smoke plumes from wildfires.

Comments (none posted)

IBM Broadens Linux Support for Middleware Industry Solutions

IBM has announced that it is broadening its support of its Middleware Industry Solutions on Linux. "IBM's middleware solutions for various industries include technology from its five software brands (WebSphere, DB2, Tivoli, Lotus and Rational), industry-specific middleware, industry-specific services expertise from IBM and others, and industry-specific application software from IBM's network of ISV partners."

Full Story (comments: none)

Red Hat to buy back stock

Red Hat has announced a stock repurchase plan. "Red Hat ... today announced that its Board of Directors has authorized the repurchase of up to $100 million of the Company's common stock from time to time on the open market or in privately negotiated transactions. 'We believe, that based on current market prices, our stock is undervalued and that it is in the best interest of our shareholders for us to acquire shares in the open market. In addition, our repurchase program will help to offset dilution associated with our employee stock plans,' said Matthew Szulik, Chairman and Chief Executive Officer." One almost wonders if they borrowed the wording from SCO's repurchase announcement.

Comments (2 posted)

SpamHippo V2.02 - Email Spam & Virus Protection System

Pathlink Technology Corporation has released a new and improved version of the SpamHippo anti-spam and anti-virus email protection system. Available both as server software and as a commercial outsourced email service, SpamHippo captures and devours spam and virus-ridden email using its spam trapping logic (STL).

Full Story (comments: none)

Sun Ships New Version of Java Platform

Sun Microsystems, Inc. has announced the release of the Java 2 Platform Standard Edition version 5.0. "As one of the largest-scale projects developed through the Java Community Process(SM) (JCP(SM)), J2SE 5.0 involved nearly 160 expert members designing over 100 features that drive extensive developer benefits including ease of use, overall performance and scalability, system monitoring and management, and rich client desktop development." See the New Features and Enhancements document for a technical description of the new capabilities in J2SE 5.0.

Comments (10 posted)

New Books

"Java Threads, Third Edition" Released by O'Reilly

O'Reilly has published the book Java Threads, Third Edition by Scott Oaks and Henry Wong.

Full Story (comments: none)

Steal This File Sharing Book

No Starch Press has published the book Steal This File Sharing Book by Wallace Wang.

Full Story (comments: 1)

Resources

The LDP Weekly News

The October 6, 2004 edition of the Linux Documentation Project Weekly News is online with the latest documentation changes.

Full Story (comments: none)

Contests and Awards

Grand Central Communications Unveils New Developer Program

Grand Central Communications, Inc. has announced "The Golden Spike Developer Contest". The contest is open to all participants in the Early Access Program, which is also announced in the same press release. Developers can submit one or more entries in the following categories: Best Business Process, Best Use of SOAP APIs and Best Use of Rich Client.

Comments (none posted)

Event Reports

LAC 2004 recordings now online

The recordings of the Linux Audio Conference 2004 are available online.

Full Story (comments: none)

Audio for RMS talk at SANE

An audio download of Richard Stallman's talk at SANE 2004 is available. "It is a 24MB .ogg file."

Full Story (comments: none)

Upcoming Events

Boston GNOME Summit Wiki

A wiki site is online for the Boston GNOME Summit; the event will take place in Cambridge, MA on October 9-11, 2004.

Full Story (comments: none)

TCM Hosts Open Source Enterprise Solutions Conference

The Technology Council of Maryland will be hosting the "Open Source Enterprise Solutions Conference" at the University of Maryland Shady Grove Campus on October 27, 2004. "The conference will deliver insights into how organizations have released their own versions of operating systems based on open source. Representatives of leading corporations and federal agencies will discuss the impact that open source has had on their organizations."

Comments (none posted)

CfP: German Perl Workshop 2005 (use Perl)

Use Perl has published a call for papers for the 7th German Perl-Workshop. The event will be held from February 9-11, 2005 in Dresden, Germany.

Comments (none posted)

Randal L. Schwartz and the 'Learning Perl' Seminar

Hurricane Electric will be holding two commercial educational seminars on the Perl language by Randal L. Schwartz. The events will take place in Fremont, CA on October 30 and November 20, 2004.

Comments (none posted)

2005 MySQL Users Conference: Call for Participation Is Open

A Call for Participation has gone out for the 2005 MySQL Users Conference. The event will take place in Santa Clara, California on April 18-21, 2005.

Full Story (comments: none)

IBM eServer pSeries, AIX & Linux Technical Conference

IBM will be holding a technical conference on IBM eServer pSeries, AIX and Linux. The event will take place in Munich on October 26-29, 2004.

Full Story (comments: none)

Events: October 7 - December 2, 2004

October 7, 2004: LinuxWorld Conference and Expo (Olympia Exhibition Centre), London, England, UK
October 8 - 10, 2004: Linucon (Red Lion Hotel), Austin, TX
October 9, 2004: Italian Code Jam (University of Ferrara), Ferrara, Italy
October 10 - 17, 2004: MySQL Swell, across the Mediterranean
October 11 - 15, 2004: 11th Annual Tcl/Tk Conference (Bourbon Orleans Hotel), New Orleans, LA
October 21 - 22, 2004: Web.It 2004, Bari, Italy
October 21 - 22, 2004: 5. Encuentro Linux, Valparaiso, Chile
October 23 - 24, 2004: OpenFest 2004 (Inter Expo Center), Sofia, Bulgaria
October 26 - 28, 2004: LinuxWorld Conference and Expo, Frankfurt, Germany
October 26 - 29, 2004: IBM eServer, pSeries, AIX and Linux Technical Conference, Munich, Germany
October 27 - 29, 2004: Sixth International Conference on Information and Communications Security (ICICS'04), Malaga, Spain
October 27, 2004: Open Source Enterprise Solutions Conference (University of Maryland Shady Grove Campus), Rockville, MD
November 1 - 6, 2004: International Computer Music Conference (ICMC), Miami, FL
November 4 - 5, 2004: HiverCon 2004 (The Davenport Hotel), Dublin, Ireland
November 6 - 12, 2004: High Performance Computing, Networking, and Storage Conf (SCnn), Pittsburgh, PA
November 7 - 10, 2004: International PHP Conference 2004, Frankfurt, Germany
November 8 - 10, 2004: MySQL ComCon Europe (NH Hotel Frankfurt-Mörfelden), Frankfurt, Germany
November 14 - 18, 2004: COMDEX Conference and Exposition (Las Vegas Convention Center), Las Vegas, Nevada
November 14 - 17, 2004: ApacheCon 2004 US (Alexis Park Resort), Las Vegas, NV
November 14 - 19, 2004: Large Installation System Administration Conference (LISA '04) (Atlanta Marriott Marquis), Atlanta, GA
November 25 - 26, 2004: Le forum PHP 2004 (FIAP Jean Monnet), Paris, France
November 29 - 30, 2004: LinuxPro 2004 (Hotel Gromada Airport Conference Center), Warsaw, Poland
December 1 - 3, 2004: Australian Open Source Developers' Conference (Monash University), Melbourne, Australia

Comments (none posted)

Web sites

The SnakeHandlers.net Python Site

SnakeHandlers.net is: "The place to speak in tongues, juggle snakes, and ask your Python Questions!"

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

WIPO mission change effort succeeds

A couple of weeks ago, we reported on an effort, sponsored by Brazil and Argentina, to change the official mission of the World Intellectual Property Organization (WIPO). Today, Cory Doctorow reports that this effort was approved by the WIPO General Assembly. "...at the general session of the WIPO in Geneva this weekend, the Assembly [adopted] a decision to put development and the promotion of creativity front-and-center in its goals. That means that from now on, WIPO isn't an organization that blindly supports more IP no matter what, but rather one that seeks to improve the world by whatever tool is best suited to the job."

Comments (8 posted)

Page editor: Forrest Cook

Letters to the editor

Re: "I2O specification"

From:  Alan Cox <alan-AT-redhat.com>
To:  editor-AT-lwn.net
Subject:  Re: "I2O specification"
Date:  Sat, 2 Oct 2004 11:50:31 -0400

The I2O specification was kept secret until it leaked. When a copy of the
specification 1.5 accidentally got placed on their public ftp site the game
was up. Had that not happened it would probably never have been released.
I2O was also a scheme to keep hardware specifications secret, control driver
writing and place it outside the operating system.
 
As it happens I2O wasn't a threat because it was committee designed and IMHO
too busy trying to ape the mainframe to understand it.
 
Merced was very different - you only have to imagine the scenario of IA64
leaking early, AMD cloning it and releasing a clone before the real thing
came out to understand why this was done. It didn't have senior powers that
be itching to keep Linux off the machines.
 
Alan
(speaking for himself not Red Hat)

Comments (none posted)

You're talking about the same man who...

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  paul_krill-AT-infoworld.com
Subject:  You're talking about the same man who...
Date:  Sun, 3 Oct 2004 19:16:24 +0800
Cc:  letters-AT-lwn.net, linux-aus-AT-linux.org.au

...didn't even see the Internet coming, so shipped the first edition of
Windows 95 without a web browser.
 
Quoting from:
http://www.infoworld.com/article/04/10/01/HNgatestalksmus...
 
> As far as Linux goes, Microsoft has seen other potential threats to
> its dominance come and go, Gates stressed.
 
If that truly represents what Trey Gates believes, then he's stuck somewhere
between GandhiCon 1 and 2, while the rest of his company is just passing
GandhiCon 3.
 
    http://www.faqs.org/docs/jargon/G/GandhiCon.html
 
> OS/2 was supposed to kill us
 
_Microsoft_ once called OS/2 a killer product on their own (Windows, no less)
packaging. Is this doublethink? Go figure.
 
> Unix, in faltering, has lacked the advantage that Windows has had in that
> it comes from one vendor and has one set of instructions, Gates said.
 
That's true on its face for a change, and I call to witness the CodeReds,
Slammers and other symptoms of that dangerous monoculture.
 
> In the area of grid computing, Gates said not all situations are applicable
> for grid,
 
Translation: "we don't have a real product there yet." If they were actually
competitive in the field, he would sing a different tune.
 
> “The bad news is this malware [or malicious software] thing is so bad,”
> he said.
 
See above, under "monoculture" - and possibly "irony" and/or "chutzpah".
 
> phising
 
This is a grammatical error; the term is "phishing".
 
> “We ourselves are not going after the e-voting market or the nuclear
> reactor control market,” Gates said.
 
That's a relief! However, they _are_ going after the nuclear aircraft carrier
market. Oh, well, win some, lose some, I guess.
 
Paul, none of what Bill opined here was news.
 
Gartner inadvertently revealed last week that (if their figures accurately
represent real life, which is doubtful) Linux has slashed illegal software
copying by at least 20% in many Asian countries, all by itself.
 
That _is_ news - it's an approach to so-called "software piracy" which
actually works, and doesn't build resentment of the organisations
implementing it, nor cause hardship for the end-users.
 
However, the few news outlets which reported it (including InfoWorld,
http://www.infoworld.com/article/04/09/29/HNlinuxpiracy_1...) blindly
pitched it as if Linux had somehow _contributed_ to the problem.
 
Why this fascination with Microsoft and their viewpoint? Why are the
pointless, outdated and generally wrong prognostications of a rich man, or
the empty sensationalism of an attention-starved consultancy considered
newsworthy, while the real world-changing news consistently whooshes right
underneath InfoWorld's radar?
 
Pharmaceutical companies owned by Bill Gates act to block South Americans from
shipping cheap generic anti-AIDS drugs to Africa, and it's not newsworthy. On
the other hand, Linux advocates are helping those same Africans cross the
Digital Divide, claw their way towards economic independence, and it's still
not newsworthy. There's even a whole computer game on the topic
(http://home.gna.org/oomadness/en/slune/), and still silence from InfoWorld.
Yet you publish this inane "Bill's not scared" article. Hello?
 
Cheers; Leon

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds