LWN.net Weekly Edition for November 11, 2004

An open source licensing white paper

The Olliance Group has announced the availability of a white paper entitled "Open Source Intellectual Property and Licensing Compliance: A Survey and Analysis of Industry Best Practices." The paper is available for free download to those willing to fill in a registration form.

The press release includes a recommendation from the president of the Free Standards Group, and the paper itself includes a foreword by OSDL head Stuart Cohen. So one might conclude that it would be a relatively high-clue work on how to interpret and comply with free software licenses. The sad truth, however, is that it appears to have been thrown together quickly (it contains a number of grammatical errors, for example), and the ultimate goals of its authors are unclear at best.

The purpose of the paper seems to be to help companies figure out how to avoid "open source risk." But that risk is not defined or justified anywhere in the paper. The closest it gets is toward the end, where we read:

The best defense against the risk of losing proprietary IP to certain open source licenses such as the GPL or Mozilla is through a sound compliance program that minimizes the risk of inadvertent commingling of open source code and proprietary code.

In other words, we have the same old "the GPL can cause you to lose your intellectual property" argument. This line has been debunked numerous times: there is nothing in the GPL which can legally force a company to loosen its death grip on its valuable IP. The GPL can subject a non-compliant company to copyright infringement suits, fines, and injunctions stopping distribution of a product. These are real risks which should be understood by any company which is considering incorporating GPL-licensed code into its products. But it is discouraging to see representatives of the Free Standards Group and OSDL putting their names on a report that brings back the "lose all your IP" scarecrow.

Oh, there is one other risk mentioned on the same page:

However, open source licenses, unlike proprietary software licenses, are generally not irrevocable--meaning that a company that has violated a license term may have its right to use the software revoked. While we do not know of any case in which this has happened, it remains a possibility that companies should be aware of.

In fact, the revocable nature of the GPL came out at the end of the KDE wars, when Richard Stallman revoked the right of the KDE developers to distribute the FSF's code, then magnanimously forgave them their sins:

More precisely, those who as of September 4, 2000 have used some FSF code in violation of the GPL solely by linking it with Qt, and thus have forfeited the right to use that code under the GPL, will once again have full GPL permissions to use that code upon switching to a GPL-covered version of Qt.

The real point, however, is that revocability is certainly not a feature which is unique to free software licenses. Consider the Windows XP EULA:

6. TERMINATION. Without prejudice to any other rights, Microsoft may cancel this EULA if you do not abide by the terms and conditions of this EULA, in which case you must destroy all copies of the Product and all of its component parts.

Almost any proprietary software license includes a term like this one. Olliance's claim that such terms are unique to free software licenses is simply false.

So what does Olliance recommend be done to address those scary free software risks? The first step is to perform an audit of every free application in use in the company. Employees are to be required to document every program they use, its version numbers, the dates over which it has been used, the reason why it is used, the manager who approved its use, and so on. A database is then to be built containing all of that information. What then is to be done with this database is not entirely clear.

Some other "best practices" include:

  • Requiring written approval by an "open source review board" before any open source application may be used.

  • Requiring a separate approval before modifying any free software.

  • Getting warranties from suppliers that they use no open source software, or that any such use is documented and indemnified.

In the midst of all this is a recommendation which actually makes sense:

Forbidding the modification of open source software or its inclusion in any product that is distributed, without further detailed analysis, and executive level management review, for companies that have significant intellectual property at risk.

OK, so maybe it doesn't make that much sense. The core of this recommendation is, however: think before you incorporate free software into your products. One could extend that to "think before you incorporate any software copyrighted by others into your products," but that would be asking a lot of the authors of this particular work.

As far as your editor can tell, the goal of this particular white paper is to stoke fears about open source licensing, and to urge companies to create a vast, grinding bureaucracy to impede the adoption of free software internally. Following its recommendations is unlikely to make many companies safer, but it will increase the apparent costs of using free software. There is a place for documentation of the real risks of using code copyrighted by others - both free and proprietary - and on how to avoid distributing products which violate free software licenses. But this paper does not fill that role.

Sendmail X

Sendmail has a difficult reputation. It is the canonical example of how large, complex programs are subject to security problems. It has a configuration file format which makes obfuscated Perl code seem highly readable by comparison. Its performance when dealing with large amounts of mail is held to be inferior. One could, of course, point out that sendmail's security problems appear to be mostly behind it, that few people ever have to look at the raw configuration file, and that sendmail was a cherished gift, once upon a time, to anybody who had ever tried to convince delivermail to route a message along a uucp bang path, by way of the Arpanet, from a CSNet node. For all of its blemishes, sendmail has been a crucial and valuable part of the network's infrastructure for many years.

After all those years, however, sendmail may just be due for a major upgrade. As it turns out, work on the next generation of sendmail, called sendmail X, has been under way for some time. Some early code has been made available; sendmail X 0.0.16 is available from this page. Do note that it is billed as "pre-alpha" code; using it on a server which handles real mail is probably not a good idea.

A lengthy design document for sendmail X is available; it gives some insight into what the next version of sendmail will look like. The first impression that comes out is that sendmail X will be so different that one wonders why the "sendmail" name is being used at all. Sendmail X is a completely new mail transfer agent, redesigned and rewritten from the beginning.

As is the norm for contemporary MTA design, sendmail X is implemented as a set of (relatively) small, cooperating processes. The system is divided in this way:

  • The queue manager is the core of sendmail X; its job is to manage messages as they move through the system, make delivery decisions, etc.

  • The SMTP server accepts incoming mail from the net and passes it to the queue manager. Actually, the queue manager is involved throughout the SMTP conversation: it is consulted on whether to accept the connection in the first place, and it may have actually delivered the mail before the message text is acknowledged.

  • The SMTP client passes mail on to other systems for delivery.

  • The address resolver is charged with understanding - and rewriting - recipient addresses. This process also handles DNS blacklisting and other types of address-based filtering.

  • The master control program gets all of the other processes going and handles termination, restarts, and crash recovery. This program is actually derived from the BSD inetd source.

In addition, there will be a collection of local delivery agents, mail filter processes, etc.

Much thought has been given to performance, to the point where some may wonder whether there is some premature optimization going on. For example, the SMTP server has been designed to use an Apache-style model, where multiple processes exist, each of which runs several server threads. This design will certainly add complexity to the server, but few sites are likely to benefit from the associated performance increase.

System administrators will be glad to know that the sendmail.cf configuration file is gone. Sendmail X will use a C-like configuration syntax, similar to that used by BIND. Configuration of real-world mail systems will, perhaps, never be an entirely simple task, but sendmail X should be easier to set up than its predecessor.

Unsurprisingly, security is said to be a core design goal. The multi-process design is clearly motivated by security concerns, though the relatively high level of interaction between these processes may complicate things. The qmail design, for example, has a far lower level of interaction and trust between its components - though that approach leads to problems of its own. There are no setuid programs in sendmail X. It is necessary to run the master control program as root; it then handles any privileged tasks that it can before starting the subsidiary processes under a different user ID. Thus, for example, it binds to the SMTP port before starting the SMTP server. Since the master control program does not actually handle mail or communicate with the outside, it should be relatively hard to compromise.

The code consists of almost 600 C files. In some ways it resembles the qmail code; it has many short files with reimplementations of many functions normally found in the C library. A special string type is used to avoid buffer overruns. A casual look suggests that the code really is being written with security in mind. That much new code is sure to have a surprise or two in it somewhere, however.

The author of sendmail X (Claus Aßmann) claims to have been running it since the beginning of the year without losing any mail. Even so, it will probably be some time before it is put forward as a viable option for production sites. What happens then will be interesting. Sendmail X will be jumping into an environment where several other options exist and are in wide use. The MTA ecosystem has, over the years, gone from being a single-program monoculture to a diverse field with several alternatives. Sendmail X will have to be significantly better than those alternatives, and much better than sendmail 8, to be widely successful in that environment.

(Thanks to Xose Vazquez Perez for drawing our attention to this project).

The state of RTAI

November 10, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

After the Approaches to realtime Linux article drew a great deal of interest, we decided to drill down and offer a closer look at one of the projects mentioned therein: The Real Time Application Interface (RTAI) project, whose developers felt that our portrayal of the project was not entirely accurate. To set things straight, we touched base with RTAI hackers Philippe Gerum and Paolo Mantegazza.

First, we learned that there are actually two ongoing projects. The first is the original RTAI project, funded by the Dipartimento di Ingegneria Aerospaziale, Politecnico di Milano (DIAPM). The other project is RTAI/Fusion, which is a different approach that merges the RTAI interfaces with the Xenomai development framework.

The RTAI project with Linux RealTime (LXRT) uses several kernel modules to gain the realtime functionality that one may need. RTAI makes changes in the Linux interrupt and scheduling policies to provide real time capabilities within the non-real time Linux environment. According to the RTAI website:

RTAI offers the same services of the Linux kernel core, adding the features of an industrial real time operating system. It consists basically of an interrupt dispatcher: RTAI mainly traps the peripherals interrupts and if necessary re-routes them to Linux. It is not an intrusive modification of the kernel; it uses the concept of HAL (hardware abstraction layer) to get information from Linux and to trap some fundamental functions. This HAL provides few dependencies to Linux Kernel. This leads to a simple adaptation in the Linux kernel, an easy RTAI port from version to version of Linux and an easier use of other operating systems instead of RTAI. RTAI considers Linux as a background task running when no real time activity occurs.

The original RTAI project was designed specifically for DIAPM projects, says Mantegazza:

The whole of RTAI, so LXRT also, was born to satisfy DIAPM needs first, it was made available much as it is in the form 'if you like it use it.' Bugs fixing apart, there is very little of RTAI that has been done to show up or to solve non DIAPM problems. However our applications are not trivial, you can bet we have_pushed/are_pushing LXRT to the extremes.

On the other hand, Xenomai was designed to allow developers to port applications from other realtime systems, and therefore it takes a different approach. Gerum describes Xenomai as a "kind of generic RTOS (Real Time Operating System) core" that enables a developer to plug in their own real-time APIs. Gerum says the idea was that most RTOS vendors offer the same functionality, but with "different API window dressings." Xenomai was designed to "provide one generic core running side-by-side with the Linux kernel" that would allow for different APIs.

The RTAI/Fusion project that is now under development works with a "vanilla" Linux kernel running on top of the Adeos (Adaptive Domain Environment for Operating Systems) nanokernel. By running the Linux kernel and Fusion under the Adeos nanokernel, Fusion cooperates with Linux and allows developers to use "any number of real-time APIs at the same time."

Given that there are a number of real time projects for Linux, not to mention the other various RTOSes, we asked whether it would be possible to come up with a "one size fits all" solution for real time operating systems. Mantegazza says yes, but Gerum is not so sure:

Since the traditional RTOS vendors did not succeed in capturing more than a half of the real-time market during the last 20 years, the rest consisting of home-grown solutions, I guess that the answer is no. This said, it should be possible to have a real-time framework which is extensible enough to allow people to build their real-time solution of choice over it. The system would simply provide a few canned interfaces in order to be usable out of the box, by people with common needs.

Simple design and straightforward code layers make the above possible. For instance, DSP-like applications do not necessarily need a full-fledged multi-tasking infrastructure; basic interrupt handlers with predictable preemption time are often enough here. On the other hand, you are not going to run a complete telecom software stack over interrupt service routines, so you need a complete RTOS core and rich utility libraries.

It's important to note that RTAI/Fusion would not replace RTAI/LXRT so much as envelop it, if successful. According to Gerum, the plan is to "refactor the original RTAI 3.x interfaces over Fusion, if this technology is successful."

What's left to implement in Fusion? Gerum says there are several things left to be done:

What remains is about porting to other CPU architectures, extending the toolset and the available canned real-time interfaces including new traditional RTOS emulations.

Fusion already provides a full-fledged event-driven simulator with a nifty GUI for debugging applications on the host system; GDB can also be used to debug the real-time threads in user-space on the target. However, LTT (Linux Trace Toolkit) support is missing, for instance.

Users who are interested in trying RTAI/Fusion can get a jump-start with Debian, which has RTAI packages in testing and unstable.

Though the Real Time market is a small niche of the Linux community, it's good to see healthy projects like RTAI/LXRT and RTAI/Fusion that will give Linux the opportunity to achieve the goal of world domination.

Page editor: Jonathan Corbet

Security

Brief items

Habeas returns

Remember Habeas? This is the company which copyrighted a bit of haiku, then restricted the right to include that "work of art" in the headers of an email message. Only non-spam messages could contain the poem without violating the license. The idea was that mail filters could look for the Habeas mark and, upon finding it, deliver the mail with confidence that it was legitimate.

The folks at Habeas were, apparently, surprised to discover that spammers are not as respectful as one might like of copyright law - or much of anything else. It did not take them all that long to start including the Habeas headers in their solicitations, especially once they figured out that filters like SpamAssassin gave a strong bonus to such messages. Rather than being a guarantee of legitimacy, the Habeas headers quickly became one of the most reliable indicators of spam. The SpamAssassin bonus came out, and Habeas disappeared from view.

The company is still there, however, and they have not given up. A new press release issued by the company celebrates the fact that SpamAssassin 3.0 once again gives a bonus to Habeas-marked mail. There is a new twist, however: Habeas now implements an online whitelist of senders whose mail is really thought to be legitimate. Strangely enough, getting onto the whitelist requires that a fee be paid to Habeas.

This new service might just work for certain kinds of commercial emailers, as long as Habeas sticks to its anti-spam standards. We may be seeing the beginning of a shift to a reputation-based mechanism for the filtering of email. Blacklists were clearly the first step in that direction, but they are limited in their scope. A scheme which can track positive reputations might, just, bring a finer degree of control to the spam filtering problem. Or it might just herald an era where purchasing yet another useless digital certificate will be required to get email delivered at all. Either way, it is a development worth watching.

Some Linux kernel security vulnerabilities

Paul Starzetz has discovered a set of security holes in the kernel ELF loader; click below for the details. Essentially, bugs in how the kernel interprets binaries could conceivably be exploited by a local attacker to obtain root privileges or leak information from the kernel. Paul discusses 2.4, but fixes for these problems have just been merged for 2.6 as well. Expect a set of distributor updates in the near future.

Full Story (comments: 14)

New vulnerabilities

apache2: denial of service

Package(s): apache    CVE #(s): CAN-2004-0942
Created: November 10, 2004    Updated: November 26, 2004
Description: Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth.
Alerts:
Trustix TSLSA-2004-0061 2004-11-19
Mandrake MDKSA-2004:135 2004-11-15
Red Hat RHSA-2004:562-01 2004-11-12
Fedora FEDORA-2004-421 2004-11-12
Fedora FEDORA-2004-420 2004-11-12
Ubuntu USN-23-1 2004-11-11
Gentoo 200411-18 2004-11-10

dhcp: format string vulnerability

Package(s): dhcp    CVE #(s): CAN-2004-1006
Created: November 4, 2004    Updated: July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

freeamp: arbitrary code execution

Package(s): freeamp    CVE #(s): CAN-2004-0964
Created: November 8, 2004    Updated: November 10, 2004
Description: Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed to zinf.
Alerts:
Debian DSA-587-1 2004-11-08

Gallery: cross-site scripting vulnerability

Package(s): Gallery    CVE #(s): CAN-2004-1106
Created: November 8, 2004    Updated: January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery.
Alerts:
Debian DSA-642-1 2005-01-17
Gentoo 200411-10:01 2004-11-06

gnats: format string vulnerability

Package(s): gnats    CVE #(s): CAN-2004-0623
Created: November 9, 2004    Updated: November 10, 2004
Description: Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code.
Alerts:
Debian DSA-590-1 2004-11-09

gzip: insecure temporary files

Package(s): gzip    CVE #(s): CAN-2004-0970
Created: November 8, 2004    Updated: December 7, 2004
Description: Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack.
Alerts:
Mandrake MDKSA-2004:142 2004-12-06
Debian DSA-588-1 2004-11-08

Kaffeine, gxine: remotely exploitable buffer overflow

Package(s): Kaffeine gxine    CVE #(s):
Created: November 8, 2004    Updated: November 11, 2004
Description: KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well. A malicious HTTP server could send a specially-crafted Content-Type header and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code. See this SecurityTracker advisory for details.
Alerts:
Gentoo 200411-14:01 2004-11-07

ImageMagick: EXIF buffer overflow

Package(s): ImageMagick    CVE #(s): CAN-2004-0981
Created: November 8, 2004    Updated: December 8, 2004
Description: ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information.
Alerts:
Red Hat RHSA-2004:636-01 2004-12-08
Mandrake MDKSA-2004:143 2004-12-06
Debian DSA-593-1 2004-11-16
Gentoo 200411-11:01 2004-11-06

mtink: insecure tempfile handling

Package(s): mtink    CVE #(s):
Created: November 9, 2004    Updated: November 10, 2004
Description: Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure permissions on temporary files. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When mtink is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200411-17 2004-11-09

ruby: infinite loop

Package(s): ruby    CVE #(s): CAN-2004-0983
Created: November 8, 2004    Updated: May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up CPU cycles.
Alerts:
Fedora-Legacy FLSA:152768 2005-05-12
Red Hat RHSA-2004:635-01 2004-12-13
Gentoo 200411-23 2004-11-16
Fedora FEDORA-2004-403 2004-11-11
Fedora FEDORA-2004-402 2004-11-11
Ubuntu USN-20-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Debian DSA-586-1 2004-11-08

samba: remote DoS vulnerability

Package(s): samba    CVE #(s): CAN-2004-0930 CAN-2004-0882
Created: November 8, 2004    Updated: December 1, 2004
Description: According to this Samba advisory, a remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Versions of Samba 3.0.x up to and including 3.0.7 are vulnerable.

There is also an advisory about possible buffer overruns in smbd.

Alerts:
Fedora FEDORA-2004-459 2004-11-29
Fedora FEDORA-2004-460 2004-11-29
Conectiva CLA-2004:899 2004-11-25
Mandrake MDKSA-2004:136 2004-11-18
Ubuntu USN-29-1 2004-11-18
Red Hat RHSA-2004:632-01 2004-11-16
Trustix TSLSA-2004-0058 2004-11-15
SuSE SUSE-SA:2004:040 2004-11-15
Mandrake MDKSA-2004:131 2004-11-10
Gentoo 200411-21 2004-11-11
Ubuntu USN-22-1 2004-11-10

shadow: unauthorized modification of account information

Package(s): shadow    CVE #(s): CAN-2004-1001
Created: November 4, 2004    Updated: November 23, 2004
Description: The shadow user account utilities have a potential problem with the chfn and chsh utilities that may allow unauthorized users to modify account properties.
Alerts:
Conectiva CLA-2004:894 2004-11-23
Ubuntu USN-17-1 2004-11-04
Mandrake MDKSA-2004:126 2004-11-04
Debian DSA-585-1 2004-11-05
Gentoo 200411-09 2004-11-04

zgv: multiple buffer overflows

Package(s): zgv    CVE #(s):
Created: November 8, 2004    Updated: December 14, 2004
Description: Multiple arithmetic overflows have been detected in the image processing code of zgv. An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. See this BugTraq advisory for more information.
Alerts:
Debian DSA-608-1 2004-12-14
Gentoo 200411-12:01 2004-11-07

zip: arbitrary code execution

Package(s): zip    CVE #(s): CAN-2004-1010
Created: November 5, 2004    Updated: February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Fedora-Legacy FLSA:2255 2005-02-01
Debian DSA-624-1 2004-01-05
Red Hat RHSA-2004:634-01 2004-12-16
Mandrake MDKSA-2004:141 2004-11-25
Gentoo 200411-16 2004-11-09
Fedora FEDORA-2004-399 2004-11-08
Fedora FEDORA-2004-400 2004-11-08
Ubuntu USN-18-1 2004-11-05

Updated vulnerabilities

apache: mod_ssl cipher negotiation problem

Package(s): apache    CVE #(s): CAN-2004-0885
Created: October 15, 2004    Updated: November 4, 2004
Description: Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite.
Alerts:
Conectiva CLA-2004:885 2004-11-04
Mandrake MDKSA-2004:122 2004-11-01
Gentoo 200410-21 2004-10-21
OpenPKG OpenPKG-SA-2004.044 2004-10-15

apache: arbitrary code execution

Package(s): apache    CVE #(s): CAN-2004-0940
Created: October 29, 2004    Updated: December 14, 2004
Description: According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error.
Alerts:
Red Hat RHSA-2004:600-01 2004-12-13
Mandrake MDKSA-2004:134 2004-11-15
Debian DSA-594-1 2004-11-17
Trustix TSLSA-2004-0056 2004-11-05
Gentoo 200411-03 2004-11-02
Slackware SSA:2004-305-01 2004-11-01
OpenPKG OpenPKG-SA-2004.047 2004-10-29

Archive::Zip: Virus detection evasion

Package(s): Archive::Zip    CVE #(s):
Created: October 29, 2004    Updated: November 3, 2004
Description: Archive::Zip can be used by email scanning software (like amavisd-new) to uncompress attachments before virus scanning. By modifying the uncompressed size of archived files in the global header of the ZIP file, it is possible to fool Archive::Zip into thinking some files inside the archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus file and evade detection on some email virus-scanning software relying on Archive::Zip for decompression.
Alerts:
Mandrake MDKSA-2004:118 2004-11-01
Gentoo 200410-31 2004-10-29

aspell: bounds checking problem

Package(s): aspell    CVE #(s): CAN-2004-0548
Created: June 17, 2004    Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

cabextract: missing directory sanitizing

Package(s): cabextract    CVE #(s): CAN-2004-0916
Created: October 28, 2004    Updated: November 3, 2004
Description: The cabinet file extraction tool cabextract may allow arbitrary files in upper directories to be overwritten.
Alerts:
Debian DSA-574-1 2004-10-28

catdoc: insecure temp file

Package(s): catdoc    CVE #(s): CAN-2003-0193
Created: October 28, 2004    Updated: November 3, 2004
Description: The xlsview utility in catdoc has a vulnerability that may allow local users to overwrite arbitrary files using a symlink attack on predictable temporary file names.
Alerts:
Debian DSA-575-1 2004-10-28

cdrecord: failure to drop privilege

Package(s): cdrecord    CVE #(s): CAN-2004-0806
Created: September 8, 2004    Updated: February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Cherokee: format string vulnerability

Package(s): cherokee    CVE #(s):
Created: November 1, 2004    Updated: November 3, 2004
Description: Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function. Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee.
Alerts:
Gentoo 200411-02 2004-11-01

ncompress: Buffer overflow

Package(s): compress uncompress ncompress    CVE #(s): CAN-2001-1413
Created: October 11, 2004    Updated: December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Red Hat RHSA-2004:536-01 2004-12-13
Gentoo 200410-08 2004-10-09

cyrus-sasl: remote buffer overflow

Package(s): cyrus-sasl    CVE #(s): CAN-2004-0884
Created: October 7, 2004    Updated: March 16, 2005
Description: cyrus-sasl contains a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. In addition, a local user may be able to exploit a separate vulnerability by way of the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The Emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

gaim: command execution via smiley themes

Package(s):gaim CVE #(s):CAN-2004-0784 CAN-2004-0785
Created:October 21, 2004 Updated:November 12, 2004
Description: gaim may allow arbitrary commands to be executed via shell metacharacters in the name of a tar file that is dragged to the smiley selector.
Alerts:
Red Hat RHSA-2004:400-01 2004-09-07
Conectiva CLA-2004:884 2004-11-04
Mandrake MDKSA-2004:110 2004-10-21

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by supplying malformed video or image files in the AVI, BMP, or DIB format.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required kernel modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup; the failure was observed at least in connection with rules provided by lokkit.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

MIME-tools: parsing bug

Package(s):MIME-tools CVE #(s):
Created:November 2, 2004 Updated:November 3, 2004
Description: According to this RoaringPenguin advisory, there is a bug in MIME-tools: it mis-parses constructs like boundary="", and apparently there is a virus in circulation that uses an empty boundary.
Alerts:
Gentoo 200411-06 2004-11-02
Mandrake MDKSA-2004:123 2004-11-01

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow execution of arbitrary code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

perl: insecure temp file creation

Package(s):perl CVE #(s):CAN-2004-0976
Created:November 2, 2004 Updated:December 7, 2004
Description: Trustix Secure Linux has discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
Alerts:
Gentoo 200412-04 2004-12-07
Ubuntu USN-16-1 2004-11-02

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s):PostgreSQL CVE #(s):CAN-2004-0977
Created:October 18, 2004 Updated:December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in a file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Red Hat RHSA-2004:489-01 2004-12-20
Mandrake MDKSA-2004:149 2004-12-13
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Debian DSA-577-1 2004-10-29
Ubuntu USN-6-1 2004-10-27
Gentoo 200410-16 2004-10-18

Comments (none posted)

ppp: denial of service

Package(s):ppp CVE #(s):
Created:October 29, 2004 Updated:November 3, 2004
Description: Improper verification of header fields lets an attacker make the pppd server access memory it is not permitted to access, and crash the server. There is no possibility of code execution, as no data is copied; only a pointer is dereferenced. It is not even entirely clear that this vulnerability can be exploited to deny service to anybody other than the attacker.

See this SecurityFocus advisory for details.

Alerts:
Gentoo 200411-01 2004-11-01
Ubuntu USN-12-1 2004-10-29

Comments (none posted)

proxytunnel: format string vulnerability

Package(s):proxytunnel CVE #(s):CAN-2004-0992
Created:November 3, 2004 Updated:November 3, 2004
Description: Versions of proxytunnel prior to 1.2.3 contain a format string vulnerability which could be exploited by a hostile remote server to execute arbitrary code.
Alerts:
Gentoo 200411-07 2004-11-03

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

Speedtouch USB driver: Privilege escalation vulnerability

Package(s):Speedtouch USB driver CVE #(s):
Created:November 2, 2004 Updated:November 11, 2004
Description: The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges.
Alerts:
Mandrake MDKSA-2004:130 2004-11-10
Gentoo 200411-04 2004-11-02

Comments (none posted)

squid: denial of service vulnerability

Package(s):squid CVE #(s):CAN-2004-0918
Created:October 7, 2004 Updated:November 8, 2004
Description: Squid has a potential denial of service vulnerability and a problem with readable passwords due to incorrect permissions on the squid.conf file.
Alerts:
Ubuntu USN-19-1 2004-11-06
Conectiva CLA-2004:882 2004-11-03
OpenPKG OpenPKG-SA-2004.048 2004-10-29
Debian DSA-576-1 2004-10-29
Mandrake MDKSA-2004:112 2004-10-21
Red Hat RHSA-2004:591-01 2004-10-20
Gentoo 200410-15 2004-10-18
Fedora FEDORA-2004-338 2004-10-13
Fedora FEDORA-2004-330 2004-10-07

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

subversion: metadata information disclosure

Package(s):subversion CVE #(s):CAN-2004-0749
Created:September 23, 2004 Updated:November 4, 2004
Description: The subversion version control system has vulnerabilities in the handling of metadata such as log file entries related to using mod_authz_svn.
Alerts:
Conectiva CLA-2004:883 2004-11-04
Gentoo 200409-35 2004-09-29
Fedora FEDORA-2004-318 2004-09-23

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)
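The "../" filtering the description above says tar and unzip lacked, as an added example written for this page (not GNU tar's or unzip's own code): a lexical member-name check, plus a scan over a constructed in-memory tar image that reads only the 100-byte name and octal size fields of each header. The ustar prefix field, GNU long-name extensions and symlink members are outside what this example covers.

```c
#include <stdlib.h>
#include <string.h>

#define TAR_BLOCK 512

/* Lexical check of an archive member name: reject absolute names and
 * any ".." component that would climb above the extraction directory.
 * "." and empty components are ignored; "a/.." cancels back to the
 * target directory and is still allowed. */
int tar_name_is_safe(const char *name)
{
    int depth = 0;
    const char *p = name;

    if (name == NULL || *name == '\0' || *name == '/')
        return 0;
    while (*p) {
        const char *start = p;
        size_t len;

        while (*p && *p != '/')
            p++;
        len = (size_t)(p - start);
        if (*p == '/')
            p++;                        /* skip the separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* "" or "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;               /* would leave the target dir */
            depth--;
        } else {
            depth++;
        }
    }
    return 1;
}

/* Walk a tar image in memory and count members whose names fail the
 * check above. The walk ends at the first zero block (the archive
 * terminator) or at the end of the buffer. */
int tar_count_unsafe(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int unsafe = 0;

    while (off + TAR_BLOCK <= len && buf[off] != '\0') {
        char name[101];
        /* size field: 11 octal digits at offset 124 of the header */
        unsigned long size = strtoul((const char *)buf + off + 124, NULL, 8);

        memcpy(name, buf + off, 100);
        name[100] = '\0';
        if (!tar_name_is_safe(name))
            unsafe++;
        /* header block plus data rounded up to whole blocks */
        off += TAR_BLOCK + ((size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
    }
    return unsafe;
}

/* Append one member (header + padded data) to a constructed archive.
 * Checksum and mode fields are left zero; the scanner ignores them. */
static size_t put_member(unsigned char *out, const char *name, const char *data)
{
    size_t dlen = strlen(data);
    size_t padded = ((dlen + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
    unsigned long v = dlen;

    memset(out, 0, TAR_BLOCK + padded);
    memcpy(out, name, strlen(name));    /* names here are under 100 bytes */
    for (int i = 10; i >= 0; i--, v >>= 3)  /* 11 octal digits, NUL follows */
        out[124 + i] = (unsigned char)('0' + (v & 7));
    memcpy(out + TAR_BLOCK, data, dlen);
    return TAR_BLOCK + padded;
}

/* Constructed sample: one benign member and three that try to escape.
 * The static buffer is zero-filled, so the two terminating zero blocks
 * are already in place. Returns 3. */
int demo_unsafe_count(void)
{
    static unsigned char archive[10 * TAR_BLOCK];
    size_t off = 0;

    off += put_member(archive + off, "docs/readme.txt", "hello");
    off += put_member(archive + off, "../../etc/passwd", "root:x:0:0:");
    off += put_member(archive + off, "/etc/shadow", "x");
    off += put_member(archive + off, "a/../../escape", "y");
    return tar_count_unsafe(archive, off + 2 * TAR_BLOCK);
}
```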

tiff: buffer overflows

Package(s):tiff CVE #(s):CAN-2004-0803
Created:October 13, 2004 Updated:April 12, 2005
Description: The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Red Hat RHSA-2005:021-01 2005-04-12
Conectiva CLA-2005:914 2005-01-06
Gentoo 200412-17 2004-12-19
Gentoo 200412-02 2004-12-05
Conectiva CLA-2004:888 2004-11-08
Slackware SSA:2004-305-02 2004-11-01
Red Hat RHSA-2004:577-01 2004-10-22
SuSE SUSE-SA:2004:038 2004-10-22
Mandrake MDKSA-2004:111 2004-10-21
Mandrake MDKSA-2004:109 2004-10-19
Debian DSA-567-1 2004-10-15
Fedora FEDORA-2004-334 2004-10-14
OpenPKG OpenPKG-SA-2004.043 2004-10-14
Gentoo 200410-11 2004-10-13

Comments (none posted)

WordPress: HTTP response splitting and XSS vulnerabilities

Package(s):wordpress CVE #(s):
Created:October 14, 2004 Updated:December 20, 2004
Description: WordPress is vulnerable to HTTP response splitting and cross-site scripting attacks, due to the lack of input validation in the administration panel scripts. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.
Alerts:
Gentoo 200410-12:02 2004-10-14
Gentoo 200410-12 2004-10-14

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xpdf: integer overflows

Package(s):xpdf kpdf cupsys CVE #(s):CAN-2004-0888 CAN-2004-0889
Created:October 21, 2004 Updated:February 18, 2005
Description: Several xpdf integer overflow vulnerabilities can be exploited via a malformed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys, which share code. Additional information can be found in this KDE security advisory.
Alerts:
Fedora FEDORA-2005-138 2005-02-09
Fedora FEDORA-2005-137 2005-02-09
Fedora FEDORA-2005-133 2005-02-09
Fedora FEDORA-2005-134 2005-02-09
Fedora FEDORA-2005-136 2005-02-09
Fedora FEDORA-2005-135 2005-02-09
Fedora FEDORA-2005-123 2005-02-08
Fedora FEDORA-2005-122 2005-02-08
Debian DSA-599-1 2004-11-25
Gentoo 200411-30 2004-11-23
Conectiva CLA-2004:886 2004-11-08
Gentoo 200410-30:02 2004-10-28
Gentoo 200410-20:02 2004-10-21
Debian DSA-581-1 2004-11-02
Ubuntu USN-14-1 2004-11-01
Ubuntu USN-9-1 2004-10-27
Gentoo 200410-30 2004-10-28
Fedora FEDORA-2004-358 2004-10-28
Fedora FEDORA-2004-357 2004-10-28
Red Hat RHSA-2004:592-01 2004-10-27
Fedora FEDORA-2004-337 2004-10-26
SuSE SUSE-SA:2004:039 2004-10-26
Ubuntu USN-2-1 2004-10-22
Red Hat RHSA-2004:543-01 2004-10-22
Mandrake MDKSA-2004:115 2004-10-21
Mandrake MDKSA-2004:116 2004-10-21
Mandrake MDKSA-2004:114 2004-10-21
Mandrake MDKSA-2004:113 2004-10-21
Gentoo 200410-20 2004-10-21
Fedora FEDORA-2004-348 2004-10-21
Debian DSA-573-1 2004-10-21

Comments (none posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.10-rc1, which came out on October 22.

Patches currently sitting in Linus's BitKeeper repository include fixes for the ELF loader security problems, kprobes support for the x86-64 architecture, a frame buffer device update, a set of user-mode Linux patches, an NTFS update, version 2.0 of the USB gadget serial driver, some kernel build tweaks (the preferred name for kernel makefiles is now Kbuild), the ext3 block reservation and online resizing patches, sysfs backing store, locking behavior annotations for the "sparse" utility, a reworking of spin lock initialization, the un-exporting of add_timer_on(), sys_lseek(), and a number of other kernel functions, an x86 signal delivery optimization, an IDE update, I/O space write barrier support, a frame buffer driver update, more scheduler tweaks, some big kernel lock preemption patches, a large number of architecture updates, and lots of fixes.

The current tree from Andrew Morton is 2.6.10-rc1-mm4. The biggest recent change in -mm, perhaps, is the inclusion of the four-level page table patch in 2.6.10-rc1-mm3 and subsequent fixes in -mm4; Andrew has stated that he expects to merge four-level page tables in the near future. Other changes include support for the FRV architecture, some scheduler tweaks, the un-exporting of cdev_get() and cdev_put(), a number of architecture updates, and the usual pile of fixes.

The current 2.4 prepatch is 2.4.28-rc2, released by Marcelo on November 7. It contains some networking updates and a patch for a (difficult to exploit) security problem; if nothing new turns up, it will become the official 2.4.28 release.

Comments (3 posted)

Kernel development news

Into the ABISS

Version 2 of the Active Block I/O Scheduling System (ABISS) was released on November 9. At a first glance, ABISS looks like yet another I/O scheduler for a kernel which already has a few of them - and that it is. But there is more to ABISS which makes it worth a look.

The goal behind ABISS is to enable applications to request (and receive) a guaranteed I/O rate to a specific file. It is implementing a sort of isochronous stream capability for the Linux block layer. The target applications might be multimedia recording and playback programs, or, perhaps, some sort of data acquisition system. Any application which needs assurance that it can transfer data to or from the filesystem at a given rate could benefit from ABISS.

For now, guaranteed data rates are only supported for read access, and only for a few filesystems. The core of the read side of ABISS is the "playout buffer." It is, for all practical purposes, a circular buffer in kernel space which is filled at the requested I/O rate. As long as the application does not exceed its requested rate for long periods of time, the data it requests should always be located in the buffer, and thus immediately available. The playout buffer is integrated with the page cache, so accessing the file via mmap() will also work - though, in that case, the application must inform ABISS of its progress through the file so that playout buffer pages can be released when no longer needed.

Setting up this buffer requires a few steps. The application uses an ioctl() call to request a guaranteed read rate; that request is then passed back to a user-space daemon for approval. The daemon is supposed to keep track of all such requests and ensure that the system actually has enough resources to implement another fixed-rate stream. Any policy decisions on which processes are allowed to request guaranteed-rate behavior - and the rates they can ask for - are also made in the user-space daemon.

If the daemon approves the request, the kernel builds an in-memory map of the location of the file's data blocks. This map is used when filling the playout buffer; its real purpose is to do the file location lookup work ahead of time and minimize unexpected I/O while the file is being processed. The operational phase consists of filling the playout buffer at the given rate while not allowing it to get too large. The idea is conceptually simple, though the actual implementation involves a number of somewhat tricky details.

ABISS differs from other I/O schedulers in that it does not just fit neatly into the block layer. Each filesystem must have ABISS support explicitly added to it. In particular, ABISS must be able to intercept ioctl() calls and build the location map. When the filesystem-level code decides to look for a specific block within the file, the ABISS code, which may already have that location in its map, needs a chance to short-circuit the usual lookup code. Finally, ABISS must be notified when a file is truncated, since it needs to adjust the location map to match the new size. Since filesystem-level changes are needed, ABISS does not support all filesystems in the Linux kernel; version 2 only works with FAT, VFAT, and ext3.

Underneath it all is a real I/O scheduler. The primary feature there is the implementation of I/O request priorities. Requests to fill the playout buffer go in at a high priority, and will be executed before most others. The ABISS I/O scheduler also implements a set of "best effort" priorities which can be used when guaranteed I/O rates are not required.

More information can be found on the ABISS project page.

Comments (4 posted)

Stackable security modules

The Linux security module framework allows the flexible loading of security modules into the kernel. These modules are allowed to hook into a large number of kernel functions and, if they deem it appropriate, block an attempted user-space operation. As a way of helping security modules, many core kernel structures include a void * "security" pointer which may be used to attach security-related information. These structures include those representing inodes, files, open sockets, processes, and more.

One shortcoming of the security module mechanism - according to some developers, at least - is that it makes life hard for people who are trying to load more than one module. There is some rudimentary support for stacking modules; essentially, any modules which request stacked loading are simply passed to the "primary" module. The primary module can refuse to accept the stacked module at all (in which case the load fails), or it can, in its own way, arrange to call the stacked module's hooks when it sees fit. So stacking a module requires that the author of the first-loaded module explicitly thought about and coded support for that mode of operation. Since that support must be added to a large number of security hooks, most security module authors conclude that they have better things to do with their time.

There is also the little matter of that void * security pointer in all those structures. If modules are to be stacked, they must come up with some way of sharing that single pointer without creating chaos.

Serge Hallyn has been trying to address the stacking problem for some time; his latest attempt was recently posted to linux-kernel with a request for comments. He certainly got a few of those.

The patch supports stacking security modules by separating them from each other to the greatest extent possible. The existing security hooks are all pointed at a set of "stacker" hooks; each one calls the associated hook provided by each stacked module, and returns a failure code if any of the modules decides to block the operation. The various void * pointers are each replaced by a static array, dimensioned to the maximum configured number of security modules (four by default). Each loaded module is given an index into the array, and is expected to work with its entry only. Thus, all security modules must be changed to work properly in the stacking mode.

The code itself has drawn a few complaints; not everybody is convinced by how the locking works, for example. Adding static arrays to heavily-used kernel data structures (such as files and inodes) will significantly increase kernel memory usage. Your editor, in his reading of the patch, can find no code which prevents loading more than the configured maximum number of modules and corrupting all of those structures. And so on.
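The composition rule described above (every stacked module's hook runs, and any denial is final) together with the registration bounds check your editor could not find, as an added user-space illustration written for this page; it is not Serge Hallyn's patch and the single hook, the module names and the policies are constructed.

```c
#include <errno.h>
#include <string.h>

#define MAX_STACKED 4   /* the patch's default maximum; constructed here */

/* A drastically reduced security_operations: one hook, a file
 * permission check. A NULL hook means the module abstains. */
struct sec_module {
    const char *name;
    int (*inode_permission)(const char *path, int want_write);
};

/* Per-object security data: one slot per stacked module replaces the
 * single void *security pointer, as in the patch. */
struct inode_sec {
    void *security[MAX_STACKED];
};

static const struct sec_module *stack[MAX_STACKED];
static int nr_stacked;

void stacker_reset(void)
{
    nr_stacked = 0;
    memset(stack, 0, sizeof stack);
}

/* Register a module and hand it its index into the per-object arrays.
 * Refusing a fifth module is what keeps every later array access,
 * such as inode_sec.security[index], inside the array. */
int stacker_register(const struct sec_module *mod)
{
    if (nr_stacked >= MAX_STACKED)
        return -ENOSPC;
    stack[nr_stacked] = mod;
    return nr_stacked++;
}

/* The stacker's own hook: run every module's hook in load order and
 * return the first denial; the operation proceeds only if all permit. */
int stacker_inode_permission(const char *path, int want_write)
{
    for (int i = 0; i < nr_stacked; i++) {
        int rc;

        if (!stack[i]->inode_permission)
            continue;
        rc = stack[i]->inode_permission(path, want_write);
        if (rc)
            return rc;
    }
    return 0;
}

/* Two constructed modules, unaware of each other, with different policies. */
static int deny_write_under_etc(const char *path, int want_write)
{
    return (want_write && strncmp(path, "/etc/", 5) == 0) ? -EACCES : 0;
}

static int deny_shadow(const char *path, int want_write)
{
    (void)want_write;
    return strcmp(path, "/etc/shadow") == 0 ? -EACCES : 0;
}

static const struct sec_module mod_a = { "etc_ro", deny_write_under_etc };
static const struct sec_module mod_b = { "no_shadow", deny_shadow };

/* Returns 1 when stacking behaves as described: either module's denial
 * is final, and both must permit for the operation to go ahead. */
int demo_stacking(void)
{
    stacker_reset();
    if (stacker_register(&mod_a) != 0 || stacker_register(&mod_b) != 1)
        return 0;
    return stacker_inode_permission("/etc/hosts", 0) == 0          /* both allow */
        && stacker_inode_permission("/etc/hosts", 1) == -EACCES    /* mod_a denies */
        && stacker_inode_permission("/etc/shadow", 0) == -EACCES;  /* mod_b denies */
}

/* Returns 1 when the registration beyond the configured maximum is
 * refused instead of indexing past the arrays. */
int demo_overflow_refused(void)
{
    stacker_reset();
    for (int i = 0; i < MAX_STACKED; i++)
        if (stacker_register(&mod_a) != i)
            return 0;
    return stacker_register(&mod_b) == -ENOSPC && nr_stacked == MAX_STACKED;
}
```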

The real issue of contention, however, is whether security module stacking makes any sense in the first place. Stacked modules operate without any awareness of each other, but could interact to produce surprising results. In the security world, surprising results tend not to be welcome. The right approach, as expressed by James Morris (and others), is to load SELinux and let it handle the loading of other security policies. SELinux was designed to do this, and it should be able to handle module interactions in a more predictable way. Whether other developers are willing to accept SELinux as the One True Base Security Module remains to be seen; it seems more likely than getting blind security module stacking into the kernel, however.

Comments (1 posted)

Partitioned loopback devices

The expanded device number type in the 2.6 kernel makes it possible, at the lowest level, to support vast numbers of partitions on every block device in the system. Unfortunately, the Linux block drivers have not caught up with this change. SCSI, in particular, is still limited to 15 partitions per device. There are a few reasons for this lag, but the largest is simple compatibility: there is no easy way to incorporate support for more partitions without breaking the existing device numbering scheme. The block layer assumes that partitions have consecutive minor numbers, so supporting more partitions means increasing the portion of the minor number which is dedicated to the partition number. But changing the interpretation of minor numbers in this way would break existing systems, and that is something the kernel developers are reluctant to do.

Carl-Daniel Hailfinger has recently posted an interesting solution to the partition limit: partitioned loopback devices. A loopback device is a kernel-implemented virtual block device which is backed up by something real - usually a disk partition or a file on a disk somewhere. Common uses for loopback devices include mounting regular files as filesystems or the creation of encrypted filesystems (though the device mapper is the preferred means for the latter application in 2.6). Loopback devices do not support partitions in their own right; they simply provide block-level access to the backing store as a single partition.

Carl-Daniel noticed, however, that adding partition support to loopback devices would be a relatively straightforward thing to do. In 2.6, partition handling is (finally) part of the block layer; all that is really required to support partitions in the loopback driver is to tell the block layer that those partitions exist. So, with a small patch, each loopback device can have up to 127 partitions. The bulk of the patch, in fact, is there to ensure continued compatibility for users of non-partitioned loopback devices.

This capability is interesting because it is a simple matter of one losetup command to create a loopback interface to a real disk drive. Thus, by using loopback devices in this mode, system administrators can get around the partition limits enforced by the real hardware drivers and divide their disks into lots of tiny little pieces. There is some small overhead associated with using the loopback device, but, for users in need of more partitions, it may well be a price worth paying.

Comments (14 posted)

Patches and updates

Kernel trees

  • Andrew Morton: 2.6.10-rc1-mm3. Includes 4-level page tables. (November 5, 2004)

Page editor: Jonathan Corbet

Distributions

News and Editorials

A First Look at Novell Linux Desktop 9

November 10, 2004

This article was contributed by Ladislav Bodnar

Early this week, Novell announced the availability of Novell Linux Desktop 9, a new $50 (per seat per year) desktop Linux distribution for the enterprise. We rushed to create a Novell profile account in order to download the 30-day evaluation edition. After all, Novell is the first well-known commercial entity undergoing a large-scale migration of its desktop computers to Linux. Also, this is the first release of what will eventually become Novell's main, fully supported Linux distribution, with SUSE LINUX reportedly being turned into a "community" project, à la Fedora Core. We were especially curious about one aspect of Novell Linux Desktop: what has been done to make the new operating system acceptable to thousands of Novell employees, most of whom are likely to be displeased with such a drastic change in their working routines?

Let's start with the installation. As expected, the system installer is YaST, somewhat automated, re-branded, and with a nice neutral-looking theme. GNOME 2.6 and KDE 3.2.1 are the only two desktop environments available and users need to make an explicit decision to install either of them, or alternatively, select both in the detailed package selection dialog. GNOME seems to be Novell's preferred desktop with more obvious customizations - icons for the Firefox browser, Novell Evolution collaboration client (the word "Ximian" has been dropped from the application), and OpenOffice.org Writer prominently displayed on the task bar. If software updates are available, a Red Carpet icon will also be around to alert the user to the fact. On the other hand, KDE has more or less the default SUSE look with Konqueror and Kontact as the preferred web browsing and mail/organizer clients.

Much thought was given to the selection of applications and their names in menus. As has been the trend with other user-friendly desktop distributions, most software packages were renamed to give a clear indication of their purpose. Names such as Gaim or K3B were replaced with "Instant Messenger" and "CD Burner". This brings up an interesting point regarding preferred applications - although K3B is a KDE application, it is the default CD burner on the GNOME desktop. This example indicates that Novell developers chose what they believed was the best application for each task, irrespective of the application's affinity in terms of development toolkits and class libraries. Overall, the Novell GNOME desktop is very nicely designed, somewhat reminiscent of that found in any recent Fedora Core release, and the users' first impressions, after booting into their new operating system for the first time, are likely to be positive.

Although Novell Linux is based on SUSE Linux Enterprise Server 9, many of the more visible applications were updated to later versions. This includes not only the above-mentioned GNOME desktop, but also OpenOffice.org (1.1.3), Evolution (2.0.1) and Firefox (0.10.0). The kernel is at version 2.6.5 and the X window system is the last pre-release of XFree86 4.4.0 before that project's infamous license change. A number of Novell-specific applications and compatibility layers with other Novell products were also included - among them iFolder, Red Carpet, Novell ZENworks and Connector for Microsoft Exchange Server deserve a special mention.

  • iFolder is a file synchronization service. All documents in the Documents/iFolder folder are regularly synchronized and backed up with an iFolder back-end server and can be retrieved from any computer with an iFolder client (they are available for both Windows and Linux), or through a web browser.

  • Red Carpet is a software management solution originally developed by Ximian. It offers software installation and removal, automated security updates, system-wide upgrades, searches, patches and history logs. Red Carpet effectively replaces YaST as the preferred software management tool on Novell Linux Desktop.

  • Novell ZENworks (not part of Novell Linux Desktop) is a system administration tool that offers centralized control over software configurations on Linux servers, workstations, laptops, and even handheld devices.

  • Connector for Microsoft Exchange Server was also originally developed by Ximian. It is a freely available GPL-ed product which turns the Evolution collaboration suite into a Microsoft Exchange client.

Also worth mentioning are the included system administration utilities. They consist of two independent modules - the system-wide YaST (called "Administrator Settings"), which requires root privileges, and a user-only control center (called "Personal Settings"), which is a collection of shortcuts to launch personal, appearance, hardware and system preferences dialogs. As for included software, all popular desktop applications are available - The GIMP and Sodipodi for graphics manipulation and vector drawing, Gaim, XChat and GnomeMeeting for instant messaging, IRC and video conferencing, Rhythmbox, Totem and RealPlayer 10 for playing multimedia files, as well as the usual array of system utilities. All these, together with the three back-bone applications (OpenOffice.org, Evolution and Firefox) provide an efficient working environment for most users.

We liked the new Novell Linux Desktop 9. It is a meticulously designed application suite, especially the GNOME desktop, with many user-friendly enhancements and a careful selection of applications. Its integration with some business-oriented solutions, such as iFolder and Connector, provides added functionality that will appeal to enterprises. There is also a lot of developer enthusiasm behind the product - see this blog by Luis Villa, or the Novell Linux Desktop Cool Solutions page with an incredible number of articles, tips and tricks, application notes, FAQs, links to user forums, and other useful information. The source code is also available. The price is reasonable and additional support options can be purchased through Novell for that extra peace of mind. All in all, a very good product indeed.

Comments (13 posted)

Distribution News

Fedora

The Fedora Project has announced the release of Fedora Core 3. See the download instructions or the torrent tracker to get your copy.

Fedora Core 2 updates: system-config-users (fixes bug #130379), wget (adds support for large files), system-config-users (fixes bugs #138093, #102637, #126756 and #131180) and openoffice.org (lots of bug fixes)

Fedora Core 3 upgrades to KDE 3.3.1, which updates the following packages: kde-i18n, kdeaddons, kdeadmin, kdeartwork, kdebase, kdebindings, kdeedu, kdegames, kdegraphics, kdelibs, kdemultimedia, kdenetwork, kdepim, kdesdk, kdetoys, kdeutils, kdevelop, kdewebdev and arts. Other Fedora Core 3 updates: udev (removes debugging code), initscripts (minor bug fixes), hotplug (load sg module), ipsec-tools (fixes the use of 'setkey'), gpdf (rebuilt for FC3), wireless-tools (fixes a memory leak), redhat-artwork (fixes issues when using redhat-artwork on 64-bit platforms), gnome-media (merge from devel), gnumeric (64bit excel {im|ex}port backport fixes), openoffice.org (lots of bug fixes) and jwhois (fixes a crash when processing a query that requires more than one redirection).

Comments (none posted)

Mandrakelinux

Mandrakelinux 10.1 for x86-64 is now available. This new version is compatible with the following 64-bit processors: AMD Athlon 64, AMD Opteron, Intel Xeon 64 and Intel EM64T.

Various packages are available that fix certain bugs in KDE-related packages in Mandrakelinux 10.1 Official edition.

Comments (none posted)

Novell Linux Desktop 9 announced

Novell has announced the availability of Novell Linux Desktop 9, its entry into the desktop arena. "Novell does not rule out general replacement of Windows and other proprietary operating systems with Novell Linux Desktop."

Comments (3 posted)

Trustix Secure Linux

Trustix Secure Linux has announced the release of TSL 2.2 (Sunchild). The announcement contains a list of new packages and major upgrades in this version of TSL.

The first set of updates for TSL 2.2 includes various bug fixes for php, postfix, kernel, sqlgrey and sqlite.

Comments (none posted)

Ubuntu

The first batch of pressed Ubuntu 4.10 "Warty Warthog" CDs is shipping. "If you or someone you know would like to order pressed Ubuntu 4.10 CDs and have not yet, you will need to place an order on or before Friday November 12, 2004. After this, all orders will not be shipped until we finish the next release of Ubuntu. Of course, with our quick release cycle, this is less than 6 months away."

X.org packages are now available for Ubuntu's Hoary Hedgehog. "For the last two weeks, Fabio Massimo Di Nitto and Daniel Stone have been locked in a room together, and we now have packages to show for it. The upgrade from XFree86 to X.Org should be perfectly smooth and seamless, and it is supported across Ubuntu's three architectures: amd64, i386, and powerpc."

A summary and log of Ubuntu's fourth community meeting is available, along with some information for those interested in getting a sponsorship for the Ubuntu conference in Spain.

Comments (none posted)

Yellow Dog Linux

Yellow Dog Linux v4.0 is now shipping from the Terra Soft Solutions on-line Store and will be available to resellers soon. Terra Soft has also announced the Yellow Dog 4.0 based Y-HPC, a complete 64-bit OS for PowerPC code development and High Performance cluster Computing.

Comments (none posted)

Debian GNU/Linux

Colin Watson provides a Sarge release update, including the news that Andreas Barth and Frank Lichtenheld are now Release Assistants, the toolchain is final with glibc 2.3.2.ds1-18 (already in testing), Sarge will release with KDE 3.2, plus a debian-installer update and much more.

There will be a Bug Squashing Party in Frankfurt, November 27-28, 2004. "The focus of this event will be to close as many RC-bugs as possible and to test some woody -> sarge upgrades. BSP coordinator and release assistant Frank Lichtenheld will be attending the meeting."

Comments (none posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for November 9, 2004 has a summary of the DebConf5 preparation meeting, debian-installer remote network tests, the search for distributable firmware, Alioth project naming conventions, installing Debian on a desktop, and more.

Full Story (comments: none)

Gentoo Weekly Newsletter 8 November 2004

The Gentoo Weekly Newsletter for the week of November 8, 2004 is out. This week's edition looks at the preliminary results of the Gentoo User Survey, and other topics.

Full Story (comments: none)

Ubuntu Traffic #10

Issue #10 of Ubuntu Traffic is available for the week of October 23-29, 2004. Here are the topics covered: Ubuntu Marketing, Wiki Update, New Documentation List, Hoary Kickoff Meeting, Community Council Meeting, Warty Live CD Released, Meet the Hoary Hedgehog, and Security Advisories.

Full Story (comments: none)

DistroWatch Weekly, Issue 74

The DistroWatch Weekly for November 8, 2004 features FreeBSD and covers several other topics.

Comments (none posted)

Minor distribution updates

blueflops

blueflops has released v2.0.8. "Changes: The kernel was updated to 2.6.9. busybox was updated to 1.0.0. There is a new pppd binary."

Comments (none posted)

DNA Linux

DNA Linux has released v0.4. "Changes: The system is now based on Slax 4.1.4. EMBOSS was updated to 2.9.0 with full PNG and X11 support for prettyplot, dotmatcher, and polydot. FinchTV 1.2, an ABI DNA raw sequence data graphical viewer was added."

Comments (none posted)

NSA Security Enhanced Linux

The NSA has released Security Enhanced Linux v2004110116. "Changes: This release is based on Linux 2.6.9, and includes significant scalability enhancements to the core SELinux code. Numerous improvements to libselinux, policycoreutils, and policy have also been merged. An updated version of setools from Tresys has been merged. Updated userland patches and SRPMS have been merged from the Fedora Core 3 development tree. This release includes the first public release of a new tool by MITRE, polgen, which attempts to generate policy for an application based on patterns in its behavior."

Comments (none posted)

Newsletters and articles of interest

Mozilla-Based Linspire Internet Suite Released (MozillaZine)

MozillaZine looks at the Mozilla-based Linspire Internet Suite. "The new program is an enhanced version of the Mozilla Application Suite with several additional features developed for Linspire by the Mozdev Group."

Comments (none posted)

Distribution reviews

In-depth Mandrakelinux 10.1 Official Edition review (Linux Tips for Free)

Linux Tips for Free takes a long look at Mandrakelinux 10.1 Official. "For this review I went out of my way and installed on all systems I could get my hands on. This should give a much better overall impression of the capabilities of the tested operating system than when it just gets tested with 1 or 2 systems. What few people realise when reading a review, is that their experience might well be different due to differences in hardware."

Comments (none posted)

Entry-level Linux: Linspire OS 4.5 (LinuxWorld.au)

LinuxWorld.au takes a quick look at Linspire OS 4.5. "The Linspire interface contains many familiar conventions that Windows users will find comforting, although Linspire (perhaps ironically, considering the lawsuits brought against it by Microsoft) doesn't seem to try as hard as some distributions to mimic the Microsoft operating system. After starting for the first time after installation, a slick multimedia tutorial starts up. As far as these types of tutorials go, it's quite a good one and well worth a watch if you can't be bothered reading the slim, full-colour manual."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Darcs Revision Control System

Darcs is a relatively new revision control system, written in Haskell by physicist David Roundy. The system is designed around a "theory of patches" which has its roots in quantum mechanics. Darcs has been released under version 2 of the GNU General Public License. The Darcs manual explains the project in more detail:

Darcs is a revision control system, along the lines of CVS or arch. That means that it keeps track of various revisions and branches of your project, allows for changes to propagate from one branch to another. Darcs is intended to be an ``advanced'' revision control system. Darcs has two particularly distinctive features which differ from other revision control systems: 1) each copy of the source is a fully functional branch, and 2) underlying darcs is a consistent and powerful theory of patches.

The manual further describes these two distinctions:

Functional Branches - "This has several advantages, since you can harness the full power of darcs in any scratch copy of your code, without committing your possibly destabilizing changes to a central repository."

The Theory of Patches - "This patch formalism means that darcs patches have a set of properties, which make possible manipulations that couldn't be done in other revision control systems. First, every patch is invertible. Secondly, sequential patches (i.e. patches that are created in sequence, one after the other) can be reordered, although this reordering can fail, which means the second patch is dependent on the first. Thirdly, patches which are in parallel (i.e. both patches were created by modifying identical trees) can be merged, and the result of a set of merges is independent of the order in which the merges are performed. This last property is critical to darcs' philosophy, as it means that a particular version of a source tree is fully defined by the list of patches that are in it, i.e. there is no issue regarding the order in which merges are performed."

Darcs differs from other revision control systems: "In the world of darcs, the source tree is not the fundamental object, but rather the patch is the fundamental object. Rather than a patch being defined in terms of the difference between two trees, a tree is defined as the result of applying a given set of patches to an empty tree. Moreover, these patches may be reordered (unless there are dependencies between the patches involved) without changing the tree. As a result, there is no need to find a common parent when performing a merge. Or, if you like, their common parent is defined by the set of common patches, and may not correspond to any version in the version history."
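The three properties quoted above (inversion, commutation that can fail when one patch depends on another, and order-independent merging) are easiest to see on a toy model. The block below is an added example written for this page; it is not darcs code and does not reproduce darcs's actual patch algebra. It models a single file as a list of lines and patches as replace-hunks, treats adjacent or overlapping hunks as dependent (a conservative simplification; the real implementation handles some adjacent cases), and implements a merge of parallel patches the way the manual describes it: by commuting the inverse of one patch with the other. The sample file and patches are constructed for the demonstration.

```python
"""Toy model of darcs-style hunk patches: apply, invert, commute, merge.
Added example; not darcs code. Single file, line-based hunks only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Text = List[str]


@dataclass(frozen=True)
class Hunk:
    """Replace the lines `old` with `new`, starting at 0-based `line`."""
    line: int
    old: Tuple[str, ...]
    new: Tuple[str, ...]

    def apply(self, text: Text) -> Text:
        end = self.line + len(self.old)
        if tuple(text[self.line:end]) != self.old:
            raise ValueError(f"hunk at line {self.line} does not apply")
        return text[:self.line] + list(self.new) + text[end:]

    def invert(self) -> "Hunk":
        # Property 1: every patch is invertible; just swap old and new.
        return Hunk(self.line, self.new, self.old)


def commute(p: Hunk, q: Hunk) -> Optional[Tuple[Hunk, Hunk]]:
    """Property 2: given the sequence "p then q", return (q', p') such that
    "q' then p'" yields the same tree. Returns None when q depends on p,
    i.e. the two hunks overlap or touch (simplification: adjacency counts
    as dependence here)."""
    p_shift = len(p.new) - len(p.old)
    q_shift = len(q.new) - len(q.old)
    if q.line > p.line + len(p.new):
        # q edits lines below p's output: undo p's line shift on q's position.
        return Hunk(q.line - p_shift, q.old, q.new), p
    if q.line + len(q.old) < p.line:
        # q edits lines above p: p moves by q's shift once q goes first.
        return q, Hunk(p.line + q_shift, p.old, p.new)
    return None


def merge(p: Hunk, q: Hunk) -> Optional[Hunk]:
    """Property 3: for parallel patches p and q (both recorded against the
    same tree), return q' that applies on top of p. The sequence
    "p^-1 then q" is valid, so commuting it gives q' first; None means
    the two patches conflict."""
    result = commute(p.invert(), q)
    return None if result is None else result[0]


def demo() -> Dict[str, object]:
    """Exercise the three properties on a constructed six-line file."""
    base = ["a", "b", "c", "d", "e", "f"]          # constructed sample file
    p = Hunk(0, (), ("X",))                        # insert a line at the top
    q = Hunk(4, ("e",), ("E",))                    # parallel edit of line 4
    # Merging in either order must give the same tree.
    via_p = merge(p, q).apply(p.apply(base))
    via_q = merge(q, p).apply(q.apply(base))
    # A patch recorded after p (so it sees "e" at line 5) can be reordered
    # before p; the reordered pair yields the same tree as the original order.
    q2 = Hunk(5, ("e",), ("E",))
    q2c, pc = commute(p, q2)
    commuted = pc.apply(q2c.apply(base))
    sequential = q2.apply(p.apply(base))
    # A patch editing the very line p introduced depends on p: reordering fails.
    dependent = commute(p, Hunk(0, ("X",), ("Y",)))
    # Two parallel patches fighting over the same spot do not merge cleanly.
    conflict = merge(p, Hunk(0, ("a",), ("A",)))
    return {"via_p": via_p, "via_q": via_q, "commuted": commuted,
            "sequential": sequential, "dependent": dependent,
            "conflict": conflict}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a practitioner should take from this is the last paragraph of the manual quote: a tree is the set of patches in it, so two repositories that have pulled the same patches in different orders end up identical, and a conflict is simply a pair of patches whose inverse-commutation fails.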

Here is a brief list of Darcs features:

  • The ability to record changes locally.
  • The ability to perform interactive record operations.
  • The ability to un-record a non-published change.
  • A full set of interactive commands.
  • Support for integrating test suites into a repository.
  • Support for multiple repository server protocols including http, ftp, and ssh.
  • User-defined repository write access.
  • Symmetric repositories: all darcs repositories are equal.
  • Support for repository browsing via a web server CGI script.
  • Cross-platform capable with support for Unix, Mac OS-X, and Windows.
  • History is preserved when files and directories are moved around.
  • Support for token replacement, allowing global variable and function name changes.
  • Per-user and per-repository default settings.

Darcs version 1.0 was released this week, and the Linux kernel is being used to test the system on a large project. "With the release of 1.0, Roundy is also making available a copy of the Linux kernel as a darcs repository. With this proving ground, darcs is expected to soon scale to perform well on the largest projects as well."

Darcs could prove to be a very useful tool for numerous open-source development projects. Project leaders should certainly consider its adoption.

Comments (9 posted)

System Applications

Database Software

Berkeley DB 4.3 released

Sleepycat has announced the availability of Berkeley DB 4.3. Many of the improvements appear to be performance related; this release also includes in-memory transaction logging. Click below for the details.

Full Story (comments: 2)

knoda 0.7.2-test3 released

Version 0.7.2-test3 of knoda, a database frontend, has been released. Changes include index support for SQLite2 and SQLite3, database preselection for the Postgres and the ODBC drivers, Tri-state TRUE/FALSE/NULL support for boolean fields, and more.

Full Story (comments: none)

MaxDB PHP extension released

The MaxDB PHP extension has been released. "Compared to the previous version that worked over php's odbc extension, the new driver offers good benefits. Firstly, the extension supports the MaxDB native interface, and thus delivers significantly better performance. Secondly the extension offers a broader feature set (which is mostly compatible to PHP's mysql and mysqli extensions) compared to the earlier driver's limited ODBC functionality. The new driver enables an easy migration of existing PHP applications or solutions to MaxDB."

Comments (none posted)

Interoperability

Samba 3.0.8 Available for Download

Samba 3.0.8 has been released with new features and several bug fixes. Included is a fix for a remote denial of service vulnerability.

Full Story (comments: none)

Libraries

libDSP 5.0.0 announced

Version 5.0.0 of libDSP has been announced. "libDSP is a C++ library of digital signal processing functions. It also contains a wrapper for C. Assembler optimizations for E3DNow!, SSE2 and x86-64 (SSE2)."

Full Story (comments: none)

libxklavier 1.11 announced

Version 1.11 of libxklavier, the X keyboard utility library, has been released. "Another development release in 1.1x series of the library is out. The most important thing is significant internal reorganization, further separation of XKB-dependent code - which eventually (soon?) would allow putting some xmodmap support in."

Full Story (comments: none)

Mail Software

Beat spam using hashcash (IBM developerWorks)

David Mertz discusses hashcash as a spam prevention method on IBM developerWorks. "Built on the widely available SHA-1 algorithm, hashcash is a clever system that requires a parameterizable amount of work on the part of a requester while staying "cheap" for an evaluator to check. In other words, the sender has to do real work to put something into your inbox. You can certainly use hashcash in preventing spam, but it has other applications as well, including keeping spam off of Wikis and speeding the work of distributed parallel applications. In this article, you'll meet David's own Python-based hashcash implementation."
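The asymmetry the article describes (expensive to mint, one hash to check) is the whole mechanism, but a receiver that only checks the hash gets no protection: a stamp can be replayed, or minted once for any address. The block below is an added example written for this page, not David Mertz's implementation or the hashcash project's code. It follows the published hashcash v1 stamp layout (version, bits, date, resource, extension, random, counter, colon-separated, SHA-1 over the whole string), but writes the counter in hex rather than base64, an assumption made to keep the code short. The verifier side checks the resource, the date window, and a seen-stamps set, since those three checks are what turn a proof of work into a proof of work for you, today, once.

```python
"""Hashcash-style proof of work: mint a stamp, then verify it cheaply.
Added example for this page; stamp layout follows hashcash v1, counter
encoding (hex) is this example's own choice."""
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest: the work a stamp proves."""
    count = 0
    for byte in digest:
        if byte:
            return count + 8 - byte.bit_length()
        count += 8
    return count


def mint(resource: str, bits: int, day: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Sender side: search for a counter that makes SHA-1(stamp) begin with
    `bits` zero bits. Expected cost is about 2**bits SHA-1 evaluations.
    `day` is yymmdd; `rand` defends against a precomputed stamp table."""
    day = day or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or secrets.token_urlsafe(12)
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{rand}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class StampVerifier:
    """Receiver side: one SHA-1 per stamp, plus the checks that make the
    proof meaningful: right resource, fresh date, never seen before."""

    def __init__(self, required_bits: int, max_age_days: int = 2) -> None:
        self.required_bits = required_bits
        self.max_age_days = max_age_days
        self.seen: Set[str] = set()   # double-spend database (in memory here)

    def check(self, stamp: str, resource: str,
              today: Optional[str] = None) -> Tuple[bool, str]:
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1":
            return False, "malformed"
        _, _, day, res, _ext, _rand, _counter = fields
        if res != resource:
            return False, "wrong resource"      # minted for someone else's inbox
        try:
            minted = datetime.strptime(day, "%y%m%d").date()
            now = (datetime.strptime(today, "%y%m%d").date() if today
                   else datetime.now(timezone.utc).date())
        except ValueError:
            return False, "bad date"
        if abs((now - minted).days) > self.max_age_days:
            return False, "expired"             # bounds the seen-set and replay window
        # Check against *our* policy, not the bits the sender wrote into the stamp.
        work = leading_zero_bits(hashlib.sha1(stamp.encode()).digest())
        if work < self.required_bits:
            return False, "insufficient work"
        if stamp in self.seen:
            return False, "double spend"        # each stamp buys exactly one delivery
        self.seen.add(stamp)
        return True, "ok"


if __name__ == "__main__":
    s = mint("alice@example.com", 16)           # constructed recipient address
    print(s, StampVerifier(16).check(s, "alice@example.com"))
```

The date window matters operationally as much as the hash check: without it the seen-set grows without bound and an attacker can mint stamps at leisure and spend them later; with it the receiver only has to remember a few days' worth of stamps.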

Comments (2 posted)

Web Site Development

Easy web publishing for GNOME users (GnomeDesktop)

GnomeDesktop.org has an announcement for GPWS, the GNOME Personal Web Sharing project. "For those unfamiliar with Mac OS X, Personal Web Sharing lets you publish web pages or share files on the internet — or on your company’s (or school’s) local area network from a folder on your hard disk. You can get your website up and running in no time. GNOME Personal Web Sharing works very similarly, a folder named website is created after you install it where you can put your web pages or any other files you want to share. All you have to do to get your own web server up is run the program."

Comments (none posted)

mnoGoSearch-php 3.2.6 is out

Version 3.2.6 of mnoGoSearch-php, the PHP frontend to the mnoGoSearch web site search engine, is available with bug fixes. See the Change Log for details.

Comments (none posted)

UnCommon Web 0.3.2 released

Version 0.3.2 of UnCommon Web, a Common Lisp web application development framework, is available. "This version features a new component class hierarchy and new components, better documentation, an interface to the SLIME inspector, an improved session.value API, and more."

Full Story (comments: none)

Zope X3 3.0.0 final released

The long-awaited final release of Zope X3 3.0.0 is out. It is a complete rewrite of the Zope application server based around a component-oriented architecture. Note that "Zope X3" is not quite the same as "Zope 3", which will include backward compatibility with Zope 2. See the Zope X3 FAQ for more information.

Full Story (comments: none)

Which Open Source Wiki Works For You? (O'Reilly)

Shlomi Fish reviews a number of Wiki implementations on O'Reilly. "The purpose of this article is to give an overview of several popular Wiki implementations and see how they fare. It is not trivial to switch from one Wiki implementation to the other, because this will usually require translating all of the pages from the old syntax to the new one. Thus, choosing a Wiki engine requires some care, taking possible future developments into account."

Comments (none posted)

Miscellaneous

Xen 2.0 released

Xen 2.0 has been released. Xen is a virtual machine monitor which allows multiple Linux and BSD instances to run on a single physical system. New features include improved virtual I/O configuration for virtual machines and "live migration" of running system images across a cluster. Click below for the announcement, or see the Xen project home page for more information.

Full Story (comments: none)

Desktop Applications

Accessibility

gok 0.11.15 is available

Version 0.11.15 of GOK, the GNOME Onscreen Keyboards Suite, is available with bug fixes and improvements to the dynamic accessibility keyboards.

Full Story (comments: none)

Business Applications

GanttProject 1.10.2 (SourceForge)

Version 1.10.2 of GanttProject is out. "It is a bugfix release which fixes several annoying bugs. Ganttproject lets you plan projects using a Gantt chart. It is written in Java. GanttProject uses an XML file format. It can export the project in HTML Web pages or PDF document (using XSLT) or image files. It supports 21 languages."

Comments (none posted)

Desktop Environments

GNOME 2.9.1 Development Release

GNOME 2.9.1, the GNOME development branch, is out. "This is the first of our 2.9 development series releases, working towards GNOME 2.10 in March 2005. There are a number of new features present in this release..."

Full Story (comments: none)

gnome-panel 2.9.1 is available

Version 2.9.1 of gnome-panel has been released. "This is the "Mieux vaux tard que jamais" release: it comes way too late for the GNOME 2.9.1 release, but we want people to be able to test this unstable release without waiting for GNOME 2.9.2."

Full Story (comments: none)

KDE CVS-Digest

The November 5, 2004 edition of the KDE CVS-Digest is online. Here's the content summary: "KDevelop adds extension support. kommander improves signal and slot editor. Kwallet is now asynchronous. Juk adds support for GStreamer 0.8. KPasswordDialog adds password strength meter."

Comments (none posted)

Electronics

gEDA News

The latest releases from the gEDA project include new versions of gspiceui, a GUI frontend to several Spice circuit simulators, and Confluence, a language for synchronous reactive system design.

Comments (none posted)

Open Collector Releases

The latest new electronics applications on Open Collector include Oregano 0.3.3 (a schematic capture and simulation application), InFormal 0.1.0 (a Verilog and PSL formal verification utility), and NuSMV 2.2 (a reimplementation and extension of SMV model checker).

Comments (none posted)

Games

Eris 1.2.1 Released

Version 1.2.1 of Eris has been released by the WorldForge game project. "Eris is a client library designed to simplify client development. This release adds support for libsigc++ 2.0.x in addition to libsigc++ 1.2.x supported by the previous release. It is only of interest for people wishing to build software against libsigc++ 2.0.x."

Comments (none posted)

GNOME War Pad 0.3.4 announced

Version 0.3.4 of GNOME War Pad, a VGA Planets client for GNOME, is out. Changes include bug fixes, a new Magallanes version, new constellations, and more.

Full Story (comments: none)

GUI Packages

FLU 2.14 released

Version 2.14 of FLU, the FLTK Utility Widgets, is available with some bug fixes and feature enhancements.

Comments (none posted)

Gtk# 1.9.0 released (GnomeDesktop)

Version 1.9.0 of Gtk#, the GNOME 2.6 bindings to .Net, is out. "Announcing release 1.9.0 of Gtk#. This is an unstable development release for the GNOME 2.6 bindings. It is parallel installable with the latest stable release, 1.0.4."

Comments (none posted)

Java-Gnome 2.8.2 and 2.9.1 announced

Two new versions, a stable and development release, of Java-Gnome are out with numerous changes. Click below for the details.

Full Story (comments: none)

Interoperability

Wine Traffic

The November 5, 2004 edition of Wine Traffic is online with the latest news from the Wine project.

Comments (none posted)

Mail Clients

Thunderbird 0.9 released

Version 0.9 of the Thunderbird mail client is out. Major new features include saved search folders, message grouping, better POP3 support, and more; see the release notes for details and download information.

Comments (5 posted)

Music Applications

DSSI 0.9 released

Version 0.9 of DSSI, an audio plugin API designed for software instruments with custom user interfaces, is available. "The main improvements in 0.9 are to the reference host implementation and sample plugins. The 0.9 API itself is binary compatible with the previous 0.4 release. A new convention for plugin-global (rather than instance-local) configuration data and a convention for setting a plugin's project working directory have been introduced, and 0.9 clarifies certain implementation points in the documentation."

Full Story (comments: none)

dssi-vst 0.3 announced

Version 0.3 of dssi-vst, a DSSI plugin wrapper for VST effects and instruments, has been released. "The main improvement since the initial 0.1 release is that dssi-vst now works correctly with plugins with complex GUIs that use back-channel information to communicate things like patch data to the audio plugin. In practical terms, this means that VSTs with test keyboard widgets, patch load and save, and other natty features in their GUIs should work properly as DSSI plugins without losing automatability for the true automatable parameters."

Full Story (comments: none)

Wired: music production and composition software for Linux (GnomeDesktop)

GnomeDesktop looks at Wired, a music production and composition system for GNOME. "Wired aims to be a professional music production and composition software running on Linux. It is using the GTK+ widget set (via wxWidgets) for better integration with the Gnome desktop. It brings musicians a complete studio environment to compose and record music without requiring expensive hardware."

Comments (none posted)

Peer to Peer

Gnomoradio 0.15 announced

Version 0.15 of Gnomoradio, a peer to peer music playing system, is available. "The release of version 0.15 makes Gnomoradio the first player to be able to import playlists based on the new XSPF file format (www.xspf.org). Other changes to 0.15 include migration to gtkmm 2.4 and a few bug fixes." Gnomoradio 0.15.1 was announced a few days later; it adds more bug fixes.

Full Story (comments: none)

Digital Photography

digikam 0.7 released

Version 0.7 of digikam, a digital photo management application for KDE, is available. This release features a metadata database backend, improved photo tagging support, a built-in image viewer with numerous plug-ins, and much more.

Full Story (comments: none)

Video Applications

avideomux 2.0.34-test1 released

Version 2.0.34-test1 of avideomux, a graphical video editing tool, has been announced. "Let's put it this way: 2.0.30 was awful. 2.0.32 was just bad. Most audio processing was broken. 2.0.34 is not average, it is good. All bugs are fixed and the version is globally good. So please drop 2.0.30 and 2.0.32 and use 2.0.34."

Comments (1 posted)

Web Browsers

Firefox 1.0 released

At last, Firefox 1.0 is out. Changes since the last release candidate consist mostly of bug fixes, but there is also an improved facility for controlling how links opened by other applications are handled. See the release notes for details and download information.

Comments (10 posted)

GNOME-Fx 0.10.1: "GNOME Firefox themes"

Version 0.10.1 of GNOME-Fx, the GNOME Firefox themes, is out. "The GNOME-Fx themes try to make Firefox look like a native GNOME application. Version 0.10.1 is a huge improvement because the themes use more native looking GTK widgets and also the help is GNOMEized."

Full Story (comments: none)

Miscellaneous

Alexandria 0.4.0 is out

Version 0.4.0 of Alexandria, a GNOME book collection management application, is available. Changes include support of several new library formats, CueCat barcode scanner support, manual editing of books, and much more.

Full Story (comments: none)

Coaster 0.1.0 announced

Version 0.1.0 of Coaster, a disc burning application for GNOME, has been released.

Full Story (comments: none)

GNOME Comics Organizer 0.5.0 is out

Version 0.5.0 of GNOME Comics Organizer, a comic book collection tracking utility, has been released. This is a major rewrite; it adds support for the latest GNOME/GTK, an XML file format, and more.

Full Story (comments: none)

Languages and Tools

C

GCC 3.4.3 Released

Version 3.4.3 of GCC, the GNU Compiler Collection, has been released. "This release is a bug-fix release, containing fixes for regressions in GCC 3.4.2 relative to previous releases of GCC." See the Changes document for details.

Comments (none posted)

gcc newsletter #14

The November 3, 2004 edition of the gcc newsletter is online. Topics include release schedules, version-specific speed regressions, language extensions, optimization tests, the Ada frontend, and more.

Comments (none posted)

Groovy

Practically Groovy: Unit test your Java code faster with Groovy (IBM developerWorks)

Andrew Glover unit tests Java with Groovy, a Java-based scripting language, on IBM developerWorks. "Not long ago, developerWorks contributor Andrew Glover penned an article introducing Groovy, a new proposed standard language for the Java platform, as part of our alt.lang.jre series. Reader response was fantastic, so we've decided to launch this column to offer a practical guide to using this hot new technology. This first installment introduces a simple strategy for unit testing Java code with Groovy and JUnit."

Comments (none posted)

Java

Using SSL with Non-Blocking IO (O'ReillyNet)

Nuno Santos shows how to use SSL with the Java 1.4 non-blocking IO package. "Previously, the IO support in Java was limited to stream-based, blocking IO, which although elegant and simple, is significantly impaired in terms of scalability, requiring one active thread for each network connection. Java NIO introduced support for IO multiplexing and non-blocking IO, which are necessary tools to build highly scalable applications."

Comments (none posted)

What's new in JAXP 1.3? (IBM developerWorks)

Neil Graham and Elena Litani review JAXP 1.3 in part one of an IBM developerWorks article. "For a mature technology, the XML space is surprisingly active. Java™ API for XML Processing (JAXP) 1.3 was recently finalized, and is the conduit through which many of the newest open standards relating to XML will enter the J2SE platform. In this installment of a two-part article describing the JAXP 1.3 API, authors Neil Graham and Elena Litani provide a brief overview of the JAXP specification, give details of the modifications to the javax.xml.parsers package, and describe a powerful schema caching and validation framework."

Comments (none posted)

Lisp

ECL 0.9d released

Version 0.9d of ECL (Embeddable Common-Lisp) is out. "This version features support for shared libraries under Windows and Mac OS X, includes a working CLX library, provides a pretty printer, and more."

Full Story (comments: none)

Perl

This Fortnight on Perl 6 (O'Reilly)

The November 4, 2004 edition of This Fortnight on Perl 6 is online. Take a look for the latest Perl 6 discussions.

Comments (none posted)

Perl 6 grammars and regular expressions (IBM developerWorks)

Teodor Zlatanov compares Perl 5 and 6 regular expressions on IBM developerWorks. "Perl 6 is finally coming within reach. In this article, Ted gives you a tour of the grammars and regular expressions of the Perl 6 language, comparing them with the currently available Parse::RecDescent module for Perl 5. Find out what will be new with Perl 6 regular expressions and how to make use of the new, powerful incarnation of the Perl scripting language."

Comments (none posted)

PHP

PHP Weekly Summary for November 8, 2004

The PHP Weekly Summary for November 8, 2004 is out. Topics include: ./configure, SuSE and the AMD64, Negative string offset continued, spl interfaces, Reflection API, PDO meeting at phpconf, isset and the new VM, localeconv not working, serialize (again), Upload progress meter, new overloading feature?, __call interceptor and static methods, MySQL win32 libraries, PostgreSQL and Boolean values, and make test and rfc1867.

Comments (none posted)

Conduct Web experiments using PHP, Part 2 (IBM developerWorks)

Paul Meagher has written part two of an IBM developerWorks series on PHP web experiments. "In Part 1 of this two-part series, Paul Meagher showed you how to improve the quality of your Web offers by developing PHP-based tools to set up and run Web experiments. In Part 2, you focus on simulating and analyzing the contingency table data arising from these Web experiments."

Comments (none posted)

Python

Python 2.4 beta 2 released

The beta 2 version of Python 2.4 has been released. "Python 2.4b2 is a beta release. We'd greatly appreciate it if you could download it, kick the tires and let us know of any problems you find, but it is probably not suitable for production usage."

Full Story (comments: none)

urwid 0.8.2 announced

Version 0.8.2 of urwid, a curses-based UI/widget library for Python, is available. "New in this release: - Re-released under GNU Lesser General Public License. Enjoy!"

Full Story (comments: none)

Python Memory Management

Evan Jones explores the issues behind Python's appetite for system memory. "Hence, the Python interpreter uses a variety of optimized memory allocation schemes. The most important one is a malloc implementation called pymalloc, designed specifically to handle large numbers of small allocations. Any object that is smaller than 256 bytes uses this allocator, while anything larger uses the system's malloc. This implementation never returns memory to the operating system. Instead, it holds on to it in case it is needed again. This is efficient when it is used again in a short time, but is wasteful if a long time passes before it is needed."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 8, 2004 edition of Dr. Dobb's Tcl-URL! is online with the week's Tcl/Tk article links.

Full Story (comments: none)

XML

Hacking iTunes (O'Reilly)

Niel Bornstein works with the iTunes music player on O'Reilly. "In this article I'll explore ways to work with the iTunes Music Library file, an XML document, for fun and education, including transforming the library into an HTML page using various technologies, and querying Amazon and Google's web services for other suggested recordings and related information."

Comments (none posted)

Editors

Conglomerate 0.7.16 Released

Version 0.7.16 of Conglomerate, an XML editor, has been released. "This is still an unstable release; there are still some known repeatable crash bugs. Please download it and test that no new bugs have been introduced!"

Full Story (comments: none)

MlView 0.7.1 released

Version 0.7.1 of MlView, a generic XML editor for GNOME, has been released. This is a bugfix release in the stable branch.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Trademarks: A threat to free software's freedom? (NewsForge)

NewsForge tackles possible conflicts between trademarks and the Debian Free Software Guidelines. "Do trademarks require a special license for software to be free? That is the question that Debian developers are currently debating. The specific concern is whether AbiWord's recent assertion of trademarks conflicts with the Debian Free Software Guidelines (DFSG), the set of principles under which the Debian distribution operates. However, the implications could affect not only Debian's use of other trademarked packages, such as Mozilla, Evolution, and OpenOffice.org, but other GNU/Linux distributions' use of them as well."

Comments (18 posted)

The Problem of Software Patents in Standards (Technocrat.net)

Bruce Perens has written an article on software patents in standards, at Technocrat.net. "Patents, originally created to stimulate innovation, may now be having the opposite effect, at least in the software industry. Plagued by an exponential growth in software patents, many of which are not valid, software vendors and developers must navigate a potential minefield to avoid patent infringement and future lawsuits. Coupled with strategies to exploit this confusion over patents, especially in standards setting organizations, it appears that software advancement will become stifled unless legal action is taken to resolve the situation. This article examines the current situation facing software developers and users, the methods employed by standards setting organizations to address these problems, and recommends strategies for resolving the problem caused by software patents."

Comments (4 posted)

Firefox maps its next moves (News.com)

News.com looks at what comes after Firefox 1.0. "Now that it has the Firefox 1.0 milestone under its belt, the Mozilla Foundation has identified three areas for future growth and development: Cell phone and small-device browsing, desktop search integration, and OEM (original equipment manufacturer) distribution."

Comments (10 posted)

Trade Shows and Conferences

Linux, x86 clusters take over top 500 supercomputer ranking (CBR)

Computer Business Review looks at the trends at SuperComputing 2004. "It wasn't all that long ago that the entire Top 500 list was measured in tens of teraflops, and when Lawrence Livermore National Laboratory takes final delivery of Blue Gene/L early next year, this behemoth will have 131,072 customized PowerPC 400 cores running at 700MHz and it will deliver over 360 teraflops of peak computing power. Blue Gene/L, as you might have guessed from the name, runs a cut down version of Linux on its compute nodes and Novell's SuSE Linux Enterprise Server 9 on its I/O and management nodes."

Comments (1 posted)

The SCO Problem

Novell's reply motion on Groklaw

Groklaw has Novell's reply in support of its motion to dismiss SCO's "slander of title" lawsuit. Among other things, Novell turned up the minutes of a 1995 board of directors meeting where it was stated that copyrights would be retained. "And there is another bombshell. Novell says that by introducing evidence outside the complaint, such as the Ed Chatlos declaration, SCO is inviting the Court to convert the motion to dismiss into a summary judgment, which they say means the Court now has the option to decide the matter once and for all and with finality right now."

Comments (3 posted)

Companies

Top Linux exec departs from Novell (News.com)

News.com reports that Chris Stone, Novell's vice chairman, has resigned from the company. "Stone had been instrumental in Novell's acquisition of two Linux companies, Ximian, in 2003, and SuSE Linux, in 2004. Stone had been in charge of technology development and alliances for Waltham, Mass.-based Novell, leaving most financial matters to Chief Executive Jack Messman."

Comments (18 posted)

PalmOne ponders OS options (News.com)

The palmtop hardware company PalmOne, which recently split off its Palm OS subsidiary PalmSource, is considering the use of Linux (and Microsoft) operating systems on its devices, according to this article on News.com. "Using the royalty-free Linux OS would enable PalmOne to reduce the costs of building its handhelds. By how much is not certain, but analysts estimate that the company currently spends anywhere from $5 to $15 per device for the Palm OS, depending on the price of the gadget."

Comments (3 posted)

Linux cluster companies attract new funds (News.com)

News.com reports on new funding for cluster computing. "San Francisco-based Penguin Computing raised $10 million, while Linux Networx in Salt Lake City received a $40 million investment. Both companies will use the funds to develop new technology and expand into new markets, they said in announcements Thursday."

Comments (none posted)

Japan Atomic Energy Research Institute Will Introduce Linux Supercomputer (Phys.Org)

Phys.Org reports on a new SGI Linux-based supercomputer to be installed at Japan's Atomic Energy Research Institute. "As a result of a competitive bidding process, Fujitsu Limited in cooperation with SGI Japan will deliver to JAERI the new SGI(R) Altix(R) 3700 Bx2 model which is based on 2,048 Intel(R) Itanium(R) 2 processors, the Linux(R) operating environment and over 13 terabytes of memory -- the world's largest memory capacity."

Comments (none posted)

Linux at Work

Police use Linux to comply with Freedom of Information (Silicon.com)

Silicon.com reports that a Scottish police force is developing a Linux-based system for ensuring it complies with the impending Freedom of Information Act legislation. "Inspector Campbell Dick, of Central Scotland police, told silicon.com the system will be rolled out across the force's 1,100 users if the three week pilot, which begins on 15 November, is successful."

Comments (none posted)

Interviews

Interview: OSDL chief Stuart Cohen - Part 1 (vnunet)

Vnunet talks with Stuart Cohen, CEO of OSDL. "What are the OSDL's main successes to date? Technical: Obviously with [Linux creator] Linus Torvalds and [kernel maintainer] Andrew Morton we're doing our fair share of code development, and the subsystem maintenance and performance testing work we do is significant. Business: some thought leadership we've been doing has been very helpful. Legal: the white papers, the legal defence fund, education, ideas around a prior art repository and work we're doing around trademark, patents, licensing and copyright is all very important [although] we haven't come out very much on that [yet]. Then there's our work in the telecoms market [with carrier grade Linux]."

Comments (none posted)

Firefox launches with a Kiwi boost (Computerworld NZ)

Computerworld NZ interviews Ben Goodger of the Firefox browser project. "Firefox wasn't the first experimental Mozilla browser. A version for Mac OS X lives on as the Camino browser, and Goodger says an even earlier version was built with .Net — which raises some intriguing possibilities. From the beginning, however, Firefox was envisaged as a browser for the masses. Open source projects are often criticised for including every feature or UI widget that some developer was motivated enough to add, but Goodger says keeping the interface simple was always a priority."

Comments (none posted)

Interview with Inkscape Founder Bryce Harrington (KDE.News)

KDE.News has an interview with Bryce Harrington, author of the Inkscape vector drawing program. "When we formed Inkscape it was important to us to communicate where the project intends to go, and what steps are needed to get there. There were several reasons for this. First, having an established plan makes it easy to figure out where to "fit" your work in. When working on projects where the overall vision is not communicated, you find your patches getting rejected for unpredictable reasons. By specifying a clear vision, it helps new developers in figuring out how to make their contributions tie into the project's goals."

Comments (none posted)

Kim Polese: Next stop--open source (ZDNet)

ZDNet interviews Kim Polese, CEO of the open-source services company SpikeSource.

"Q: Is the idea of SpikeSource to make it look like there's a commercial outfit like an IBM or Microsoft behind a set of open-source products?"

"A: Yeah. What is sort of interesting right now is that IT developers, architects and chief information officers are aggressively adopting open source. The problem has become how to manage the abundance. There are more than 85,000 different open-source projects today. All the things that IT is used to, like support documentation, reliability, road maps--none of that exists for open source when you start moving beyond a single component. When you start talking about actually integrating the components into applications, there is no sort of product management for open source. That is where we see an opportunity."

Comments (3 posted)

Koders.com: Find (open) source code fast (NewsForge)

NewsForge talks with Darren Rush of Koders.com. "Rush: Koders is essentially a search engine for source code. It was initially developed as an internal tool, for our team. We were looking for a better way to leverage all of our past project work. So we created a search engine that would allow us to easily find code snippets from our previous code and integrate them into our current projects."

Comments (none posted)

Resources

Advanced Linux Installations and Upgrades with Kickstart (O'ReillyNet)

O'ReillyNet discusses Kickstart customization, scalability, and security. "Most Kickstart experiments begin with a single ks.cfg file, though this approach is less suitable for large deployments. Even a farm of cloned hardware will require some settings unique to each host. That means you have either several one-use ks.cfgs, or one file to tweak for each Kickstart target. These methods are brittle because they bind two elements that may vary independently of one another: host-specific data (the IP address) and build-specific data (packages to install). When either one changes, the ad hoc edits to resync the two may introduce errors."
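The separation the article argues for, host-specific data on one side and build-specific data on the other, is easy to see in a small generator. The following is an added example written for this page, not code from the O'ReillyNet article or from Kickstart itself. The host records, the build profile, the hostnames and addresses and the password hash are all constructed; the Kickstart directives (`network --bootproto=static`, `rootpw --iscrypted`, `%packages`) are real Anaconda syntax, while the shape of the two data sources is an assumption of the example. It also adds the check a practitioner wants on a file that will sit on an install server: a `rootpw` value that does not look like a crypt(3) hash is refused rather than rendered as plaintext.

```python
"""Render one ks.cfg per host from two independently maintained data sources.

Added example for this page; not code from the article or from Anaconda.
All host records, the profile and the password hash are constructed.
"""

import ipaddress
import re
from typing import Dict, Iterable, List

# Build-specific data (constructed): everything a host of this class shares.
BUILD_PROFILE: Dict[str, object] = {
    "name": "webfarm",
    "packages": ["@core", "httpd", "openssh-server", "-telnet-server"],
    # Constructed, non-functional SHA-512 crypt(3)-style hash. Generate a real
    # one with `openssl passwd -6`; the plaintext never belongs in the profile.
    "rootpw_hash": "$6$examplesalt$" + "0" * 86,
}

# Host-specific data (constructed): only the facts that vary per machine.
HOSTS: List[Dict[str, str]] = [
    {"hostname": "web01.example.test", "ip": "192.0.2.11",
     "netmask": "255.255.255.0", "gateway": "192.0.2.1"},
    {"hostname": "web02.example.test", "ip": "192.0.2.12",
     "netmask": "255.255.255.0", "gateway": "192.0.2.1"},
]

# crypt(3) hashes look like $id$salt$hash; anything else is treated as plaintext.
_CRYPT_HASH = re.compile(r"^\$[^\s$]+\$[^\s]+$")


def check_rootpw_hash(value: str) -> str:
    """Refuse anything that is not a crypt(3) hash, so a plaintext password
    can never end up in a ks.cfg served over HTTP/NFS to every install client."""
    if not _CRYPT_HASH.match(value):
        raise ValueError("rootpw must be a crypt(3) hash ($id$salt$hash), not plaintext")
    return value


def network_line(host: Dict[str, str]) -> str:
    """Build the static-IP network directive after validating the addresses
    and checking that the gateway is actually on the host's subnet."""
    ip = ipaddress.IPv4Address(host["ip"])
    gw = ipaddress.IPv4Address(host["gateway"])
    mask = ipaddress.IPv4Address(host["netmask"])
    if ip not in ipaddress.IPv4Network(f"{gw}/{mask}", strict=False):
        raise ValueError(f"{host['hostname']}: gateway {gw} is not on {ip}'s subnet")
    return (f"network --bootproto=static --ip={ip} --netmask={mask} "
            f"--gateway={gw} --hostname={host['hostname']}")


def render_kickstart(host: Dict[str, str], profile: Dict[str, object]) -> str:
    """Combine one host record with one build profile into ks.cfg text."""
    lines = [
        f"# generated: profile={profile['name']} host={host['hostname']}",
        "install",
        "text",
        "lang en_US.UTF-8",
        "keyboard us",
        network_line(host),
        f"rootpw --iscrypted {check_rootpw_hash(str(profile['rootpw_hash']))}",
        "firewall --enabled --ssh",
        "bootloader --location=mbr",
        "zerombr",
        "clearpart --all --initlabel",
        "autopart",
        "reboot",
        "",
        "%packages",
        *[str(p) for p in profile["packages"]],  # type: ignore[union-attr]
        "%end",  # required by current Anaconda; older releases did not use it
        "",
    ]
    return "\n".join(lines)


def render_all(hosts: Iterable[Dict[str, str]], profile: Dict[str, object]) -> Dict[str, str]:
    """One ks.cfg per host, keyed by hostname so an install server can serve
    e.g. /ks/<hostname>.cfg based on the name DHCP/PXE handed the client."""
    return {h["hostname"]: render_kickstart(h, profile) for h in hosts}


def host_specific_lines(ks_a: str, ks_b: str) -> List[str]:
    """Lines in ks_a that are absent from ks_b. For two hosts built from the
    same profile this must be only the header comment and the network line;
    anything more means build data has leaked into the per-host layer."""
    other = set(ks_b.splitlines())
    return [line for line in ks_a.splitlines() if line not in other]


if __name__ == "__main__":
    for name, text in render_all(HOSTS, BUILD_PROFILE).items():
        print(f"--- {name} ---\n{text}")
```

When the package list changes, only `BUILD_PROFILE` is edited and every host is regenerated; when a host is re-addressed, only its record changes. `host_specific_lines` is the regression check for that contract: two hosts of the same profile should differ in exactly the header and the `network` directive.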

Comments (none posted)

The MJPEG tools (NewsForge)

NewsForge uses MJPEG tools for video processing. "The original intent of the MJPEG Tools was to provide a package which would enable Linux users to capture and play back video through a PCI card based around the Zoran ZR36067 MJPEG chip. Wrapped in the standard Audio/Video Interleaved (AVI) container format, MJPEG -- properly known as Motion JPEG -- is essentially a sequence of JPEG still images which, when played back fast enough, show as a movie."

Comments (none posted)

The Open Gaming License (O'Reilly)

Andrew M. St. Laurent examines the Open Gaming License in part three of an O'Reilly series on licenses. "This, the third and final article of the series, describes the Open Gaming License (OGL), a license designed to open source license certain parts of the Dungeons & Dragons roleplaying game, and two related documents, the d20 System Trademark License and the d20 System Trademark Guide Version 5.0."

Comments (none posted)

Reviews

Application of the Month: KAddressBook

KDE.News mentions a review of KAddressBook. "This time we take look at the underadvertised addressbook application within KDE, KAddressBook which is currently maintained and developed by Tobias Koenig."

Comments (none posted)

Novell launches an enterprise Linux desktop (NewsForge)

NewsForge takes a look at Novell's new desktop. "Novell describes NLD-9 as a complete "desktop productivity environment." It includes a complete set of the basic applications enterprise workers need: an office suite, a mail suite, and browser. Novell has tweaked OpenOffice.org to fill the office suite chores, Evolution as its mail suite, and Mozilla Firefox for the browser. That's not all that's included, of course, but those are the big three items required for basic desktop chores. It's called NLD version 9 because it is built atop SUSE Linux Enterprise Server 9. That gives it a degree of hardening, reliability, and performance that is hard for other distributions to match."

Comments (none posted)

Which Open Source Wiki Works For You? (O'ReillyNet)

O'ReillyNet looks at several wiki implementations. "The purpose of this article is to give an overview of several popular Wiki implementations and see how they fare. It is not trivial to switch from one Wiki implementation to the other, because this will usually require translating all of the pages from the old syntax to the new one. Thus, choosing a Wiki engine requires some care, taking possible future developments into account. This article will hopefully help you make that choice if the need arises."

Comments (none posted)

Komodo 3.0 Review (O'Reilly)

Jason Purdy reviews Komodo 3.0, a commercial IDE for Perl, PHP, Python, Tcl and XSLT, on O'Reilly. "I'm a GUI IDE kind of guy, and I've been through quite a few of them to find the one that best suits me as a Perl Web Developer. ActiveState's Komodo (version 3.0.1) fits the bill, though there remains room for improvement. Let's start with the positive, and then I'll address where Komodo can improve."

Comments (none posted)

Miscellaneous

To Evil! of October 2004 (O'ReillyNet)

Danny O'Brien's To Evil! column for October is out. "Despite previous polls, it appears that the Ubuntu Nude Man has sneaked ahead of Voting Machines in the final count. It seems that, in the evilness stakes this month, moral values beat the invasion of a self-electing junta of semi-sentient tabulating machines. Ubuttnaked Guy wears the Evil crown, and not much else, and invites us all back to his pad for some Twister and a toast... to evil!" (Thanks to Steve Mallett).

Comments (none posted)

PHPSurveyor Plays Key Role In US Elections (SourceForge)

SourceForge.net reports on the use of PHPSurveyor in tracking election irregularities. "PHPSurveyor, a PHP based online survey tool, is being used to gather data across the United States about all voting irregularities. In the first 10 hours of voting alone, over 13500 incidents had been recorded using the software."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

OSDL and the Service Availability Forum Jointly Support OpenAIS

Open Source Development Labs, Inc. has announced that it will be working with the Service Availability Forum on OpenAIS, an interface specification for high availability network infrastructure in the telecommunications industry.

Comments (none posted)

For the FSFE, the battle continues

The Free Software Foundation Europe has sent out an announcement concerning efforts by commercial software vendors to influence supporters of an EC antitrust case. "Microsoft has steadily been soliciting supporters of the European Commission antitrust case to withdraw their support for the Commission by offering a series of financial settlements. The agreement with Sun Microsystems to withdraw has now been joined by financial settlements with Novell and the CCIA, in which they also agreed to withdraw from the case."

Full Story (comments: none)

European Patent Process Under Review

Open Source Risk Management has announced a new study that concerns European patents. "Open Source Risk Management, the only vendor-neutral provider of Free and Open Source Software risk mitigation and management solutions, today announced the launching of a study designed to assess whether current European laws regarding technology patents achieve their stated objective of recognizing and protecting true innovation."

Comments (none posted)

Commercial announcements

From Beijing to Pittsburgh: Gelato Champions Itanium

The Gelato Federation announced the participation of its members in several recent conferences. "Representatives from more than 25 Gelato Federation member institutions and corporations met on October 11-13, 2004, at Tsinghua University in Beijing, China to review and exchange research advances for Linux on the Intel(R) Itanium(R)2 platform. Twenty-one technical presentations by top research and industry users focused on high-performance computing issues and collaborative solutions. Three weeks later, over 20 Gelato member institutions are gathering at SC2004 in Pittsburgh (November 8-11)."

Comments (none posted)

Linux Networx Secures $40 Million Equity Financing

Linux Networx has announced the receipt of $40 million in Series B funding for expediting new products and expanding the company.

Comments (none posted)

Lulu publishes free software editions

Red Hat co-founder Bob Young's latest company, Lulu, has announced that it will be providing tools for publishing and distributing independently developed software projects. "The first five software sets available on Lulu include popular open source projects OpenOffice.org (an alternative to Microsoft Office), Fedora (a version of the Linux operating system), Slash, and Bugzilla. Also available is a preparation program for the Cisco Certified Network Administrator (CCNA) test."

Comments (none posted)

Mandrakesoft revenues increase

Mandrakesoft has announced its financial results for the fiscal year ending September 30, 2004. "Mandrakesoft's revenue for fiscal year 2003-2004 has reached 5.18 million euros, representing a 33% increase over the previous year. This revenue is the highest in the company's history. The revenue growth strongly accelerated during H2 2003/2004, with a 49% year over year rise in revenues, when compared to a 21% year over year increase in H1."

Comments (10 posted)

Microsoft's protocol license agreement

Microsoft has published a protocol license agreement which can be signed to get a license from Microsoft to implement a whole set of interesting protocols. The list is at the end of the agreement; it includes AppleTalk, Bluetooth, the TCP discard protocol, DHCP, echo, FTP, HTTP, Gopher, IPSec, lpd, Firewire, ping, PPP, POP3, rlogin, Telnet, TFTP, TCP/IP (v4 and v6), and many others. Bet you didn't know Microsoft owned those... (as seen on Slashdot).

Comments (39 posted)

Microsoft's indemnification offer

Microsoft has put out a press release stating that its indemnification guarantees now apply to all users of most of its software offerings. "Microsoft's ability to offer strong protection is bolstered by the company's commitment to managing the intellectual property rights in its software. This commitment includes development process controls, inbound licensing of necessary third-party rights, cross-licensing agreements with other industry leaders, and protection of Microsoft innovations through patent and copyright."

Comments (2 posted)

Novell Settles One Antitrust Claim with Microsoft for $536 Million

Novell has announced an agreement with Microsoft to settle potential antitrust litigation related to Novell's NetWare operating system in exchange for $536 million in cash. Novell also announced that by the end of this week it will file an antitrust suit against Microsoft in the United States District Court in Utah seeking unspecified damages in connection with alleged harm to Novell's WordPerfect application software business in the mid-1990s. (Thanks to Stuart Cunningham)

Comments (11 posted)

OpenIB Alliance gets DOE grant

The U.S. Department of Energy has given a grant (of undisclosed size) to the OpenIB Alliance; its purpose is to fund further development of a free InfiniBand implementation for the Linux kernel.

Full Story (comments: none)

Platform Computing Launches Platform Rocks

Platform Computing Inc. has announced the launch of its Platform Rocks product. "Platform Computing Inc. today announced a powerful new software solution called Platform Rocks, a comprehensive cluster management toolkit that simplifies and speeds the deployment and management of small to large scale Linux clusters."

Comments (none posted)

Qtopia 2.1 released

Trolltech has announced the availability of Qtopia 2.1. Qtopia is a development platform for embedded devices; it is available under the GPL or (as with the other Trolltech products) with a commercial license. New features include touchscreen support, handwriting input, and better theme support.

There are also press releases stating that Datang Mobile has chosen Qtopia for its phone reference platform and Motorola will use it in its Linux-based E680 and A780 phones.

Comments (none posted)

SCO's new deal with its lawyers

SCO has finally nailed down a new deal with its lawyers; the full text of the agreement has been filed with the SEC. The deal calls for an immediate payment of $12.6 million, and a $2 million payment per quarter going into the future. There is still a contingency component, with the lawyers getting 33% of the first part of any take, dropping to 20% for any amount over $700 million. The same sort of payments apply if SCO is acquired. A separate $5 million escrow account must be set up to pay expert witnesses and other out-of-pocket expenses.

Comments (7 posted)

SteelEye Technology Joins MySQL Partner Program

SteelEye Technology, Inc, a provider of data and application availability management software, has announced that it has joined the MySQL Partner Program. "Through this agreement, SteelEye and MySQL have chosen to formalize this cooperation and will now work more closely together to bring greater knowledge and awareness of their joint solution to the marketplace."

Comments (none posted)

TimeSys Delivers Eclipse 3.0-based TimeStorm Development and Testing Tools

TimeSys Corporation announced its TimeStorm Linux Development Suite and TimeStorm Linux Verification Suite for the Eclipse 3.0 development platform.

Full Story (comments: none)

VA Linux expands its kernel business

It looks like something from 1998: VA Linux has put out a press release stating that it is hiring more Linux kernel hackers. In this case, however, the company involved is VA Linux Systems Japan K.K. Evidently the company's kernel-related consulting business is going well, and is set to expand; click below for the details.

Full Story (comments: none)

Highlights from Super Computing 2004

Pogo Linux announces PerformanceWare 5864, an eight processor AMD Opteron-based server (press release).

Cray Inc. has new Opteron/Linux supercomputers (press release).

Terra Soft Solutions announces Y-HPC, a complete 64-bit OS for PowerPC code development and High Performance cluster Computing (press release).

Absoft will manage, sell, and support a new High Performance Computing (HPC) Software Developers Kit (SDK) for IBM Linux on POWER clusters and servers (press release).

Linux Networx partners with Novell to create a High Performance Computing (HPC) Certification Center (press release).

Comments (1 posted)

New Books

Addison-Wesley/Prentice Hall PTR publishes "PHP 5 Power Programming"

Addison-Wesley/Prentice Hall PTR & IBM Press have published the book PHP 5 Power Programming by Gutmans, Bakken and Rethans.

Full Story (comments: none)

"Programmer's Ultimate Security DeskRef" Released by Syngress

Syngress Publishing, Inc. has published the book Programmer's Ultimate Security DeskRef by James C. Foster.

Full Story (comments: none)

"Windows to Linux Migration Toolkit" Released by Syngress Publishing

Syngress Publishing, Inc. has published the book Windows to Linux Migration Toolkit by David Allen.

Full Story (comments: none)

Resources

Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!

David A. Wheeler has published a new release of his analysis of the advantages of using open-source software. "This paper provides quantitative data that, in many cases, using open source software / free software is a reasonable or even superior approach to using their proprietary competition according to various measures. This paper’s goal is to show that you should consider using OSS/FS when acquiring software. This paper examines market share, reliability, performance, scalability, security, and total cost of ownership. It also has sections on non-quantitative issues, unnecessary fears, OSS/FS on the desktop, usage reports, governments and OSS/FS, other sites providing related information, and ends with some conclusions." Here's a blog entry on changes in the paper.

Comments (none posted)

Linux Gazette Issue #108

The November issue of Linux Gazette is out. Topics in this edition include GRUB boot diskette for Knoppix, Using a Non-Default GUI (in RHEL and kin), Preparing For My Interviews Part 1: MySQL and Perl, Advanced Features of netfilter/iptables, and more.

Comments (none posted)

FSF Europe Newsletter

The November 6, 2004 edition of the FSF Europe Newsletter is online with the latest coverage of FSFE happenings.

Full Story (comments: none)

Audio Libre column announced

Daniel James has announced a new column on Audio Libre. "I've recently started writing a column on music software for LinuxUser & Developer magazine. Unfortunately, it's not generally available on the web at the moment. The first Audio Libre column is on AGNULA/DeMuDi". The column is available for download as a pdf document.

Full Story (comments: none)

Upcoming Events

Third-Annual Desktop Linux Summit announced

The third annual Desktop Linux Summit has been announced. "Now in its third year, the annual Desktop Linux Summit has added an extra day, expanding its focus to include discussions of open source leaders Mozilla and OpenOffice.org. A two-day event in prior years, the Summit is now three days and will be held February 9-11, 2005 at the Del Mar Fairgrounds in San Diego."

Comments (none posted)

Help Support GNOME in South America (GnomeDesktop)

GnomeDesktop.org mentions the first Forum GNOME event in Brazil. It will be held on November 11 and 12, 2004.

Comments (none posted)

EclipseCon 2005 Announces Conference Keynotes

The Eclipse Foundation has announced the conference keynotes for EclipseCon 2005. Tim O'Reilly, Urs Hoelzle, and Lee Nackman will be featured. "The second annual EclipseCon conference will be held Feb. 28 through March 3, 2005, at the Hyatt Regency, Burlingame, Calif."

Comments (none posted)

The JBoss World 2005 User Conference

JBoss, Inc. has announced the JBoss World 2005 User Conference. "JBoss(R), Inc., the Professional Open Source company, today announced that registration is now open for JBoss World 2005, its first annual users conference and exhibition, at the Omni/CNN Center in Atlanta, Ga., March 1-2, 2005. The conference will be a landmark gathering field and networking opportunity for the rapidly growing number of users and partners deploying open source middleware from JBoss into production."

Comments (none posted)

GlobusWORLD Grid Event, Boston

GlobusWORLD will be held in Boston, Mass on February 7-11, 2005. "GlobusWORLD 2005 will feature a full roster of technical Grid content including: tutorials (from beginner- to advanced-level); enterprise Grid panels moderated by Network World, CIO Magazine, and Computerworld; essential Grid standards updates; and keynotes by leading Grid pioneers, vendors and end users."

Comments (none posted)

January 17-21 PostgreSQL Bootcamp at the Big Nerd Ranch

A PostgreSQL Bootcamp will be held at the Big Nerd Ranch, near Atlanta, Georgia, on January 17-21, 2005.

Full Story (comments: none)

Python Bootcamp at the Big Nerd Ranch Feb 21-25, 2005

A Python Bootcamp will be held at the Big Nerd Ranch, near Atlanta, Georgia, on February 21-25, 2005.

Full Story (comments: none)

Events: November 11, 2004 - January 6, 2005

Date                    Event                                                                                      Location
November 11 - 12, 2004  High Performance Computing, Networking, and Storage Conf (SCnn)                            Pittsburgh, PA
November 13 - 17, 2004  ApacheCon US 2004 (Alexis Park Resort)                                                     Las Vegas, NV
November 14 - 19, 2004  Large Installation System Administration Conference (LISA '04) (Atlanta Marriott Marquis)  Atlanta, GA
November 18 - 19, 2004  Forum PHP, Paris                                                                           Paris, France
November 25 - 26, 2004  Le forum PHP 2004 (FIAP Jean Monnet)                                                       Paris, France
November 29 - 30, 2004  LinuxPro 2004 (Hotel Gromada Airport Conference Center)                                    Warsaw, Poland
December 1 - 3, 2004    Australian Open Source Developers' Conference (Monash University)                          Melbourne, Australia
December 1 - 3, 2004    Linux Bangalore 2004 (Indian Institute of Science)                                         Bangalore, India
December 4, 2004        Lightweight Languages 2004 (LL4) (MIT Stata Center)                                        Boston, MA
December 5 - 18, 2004   Ubuntu Conference                                                                          Mataró, Spain
December 27 - 29, 2004  Chaos Communication Congress (21C3) (Berliner Congress Center)                             Berlin, Germany

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds