LWN.net Logo

LWN.net Weekly Edition for November 18, 2004

Fedora: an example of community involvement

The Fedora Project, after more than one year, has not become a "community" project by any means. It is centrally controlled, and many crucial decisions seem to come from some sort of smoke-filled room in Raleigh. The long-promised publicly-available source code repository ("intended to be available by the release of Fedora Core 2") is nowhere to be seen, the governing councils have not been created, and the project's technical leader is rarely seen on the mailing lists. In many ways, Fedora looks more like an open beta testing program run by Red Hat than a true community project.

That said, a couple of things are worth pointing out. One is that the Fedora Project has clearly succeeded in creating, evolving, and supporting a top-quality distribution with bleeding-edge software and predictable release cycles. The other is that, in some ways at least, Fedora's interaction with its user community is yielding clear benefits. Simple testing and filing of bugs is probably the biggest part of it. Beyond that, however, the project does seem to listen to its users and be influenced by what they say, even if Red Hat does have the final word on important decisions. And, at times, members of the community can truly help to make the distribution better.

As an example, consider this challenge recently posted by Owen Taylor. He noted that a Linux system still takes a couple of minutes to boot, which is too much:

Ideally, system boot would involve a 3-4 second sequential read of around 100 megabytes of data from the hard disk, CPU utilization would be parallelized with that, and all queries on external systems would be asynchronous ... startup continues and once the external system responds, the system state is updated. Plausibly the user could start work under 10 seconds on this ideal system.

Owen asked for help from the community in figuring out what was slowing down the boot process. That help was all of two days in coming, when Ziga [Boot chart] Mahkovec posted some results. He had modified the kernel boot process to instrument what was going on, and produced a pretty chart showing where the time was being spent. One immediate culprit stands out from the chart: the rhgb process. That is the "Red Hat Graphical Boot" utility, which does no actual work; it simply watches over the initialization process and shows its progress on the console. It's not something which should be occupying a large part of the time required to boot. But it was responsible for over 1/3 of the time required to boot a Fedora system.

As it turns out, rhgb gets into a loop where it simply spins in the CPU, slowing down everything else. A bugzilla entry was created, the bug was fixed, and life improved. Ziga made a new chart showing an improved situation - and a boot time of 46 seconds.

Fedora users may have even more to cheer soon. Ziga made yet another chart which follows the process through a GNOME graphical login. One of the big culprits there is the obnoxious, throbbing Red Hat Network update applet. It turns out that Red Hat developers detest that applet too and tend to kill it on their systems. Now that it has been shown to be a major factor in making users wait to be able to do anything with their systems, it may just get some needed attention.

Meanwhile, the bottom line is this: Fedora may not be a community project like, for example, Debian. But neither is it a sealed product from a corporate cathedral. Fedora is clearly a better distribution as a result of its interactions with its users. Hopefully, someday, Red Hat will follow through on its promises (source code management server, community governing council) and bring the community further into the process. Fedora is blessed with a community of users who want to help; it shouldn't let the desire for corporate control keep them from being part of the project.

Comments (17 posted)

Book review: SELinux

[Cover] The NSA's Security Enhanced Linux project is controversial. To some, it is the future of Linux computing; with SELinux, many of our current security nightmares will cease to trouble us. To others, SELinux is a morass of complexity which is difficult, if not impossible, to understand well enough to get any sense of whether it is configured in a secure way or not. This whole situation is not helped by the current state of SELinux documentation. There are few resources out there for people wanting to know how SELinux works, how to manage it, or even whether to try to adopt it.

There is, however, a new book on the shelves: SELinux: NSA's Open Source Security Enhanced Linux, by Bill McCarty. At 254 pages, this book is relatively thin by contemporary technical book standards. It offers a finicky editor a fair number of things to grumble about, but those grumbles should not overshadow the important point: this book is an important step in the process of bringing SELinux to a level where software developers and system administrators can make some sense of it.

Let's get the grumbles out of the way first. The book shows some signs of having been written and produced in a hurry; as a result, it has more than the desirable number of typos and contradictions. It talks alternately about the runcon and run_con command, for example. It claims that "domain" and "type" are interchangeable terms for the same concept, then says "Recall that a general type is one not related to a specific domain." Readers are directed to the kernel source (said to be found in the deprecated /usr/src/linux directory) to associate a device name with a major number when a quick look at /proc/devices would do the job. We are told "SELinux is generally stable and free of trouble," which would, by itself, strain many readers' ability to suspend disbelief, but then the author suggests avoiding using X on SELinux systems, or, if that is impractical, learning to love GNOME to avoid problems with KDE. And so on. The reader finds these things often enough that they become a significant distraction from the real content of the book.

The book starts with a general overview of SELinux, including the obligatory set of scary statistics on the frequency of attacks. A number of approaches to security are looked at, including, of course, mandatory access control schemes. The second chapter is a quick overview of SELinux, where the important concepts (roles, types) are introduced. The two mechanisms which can cause type/domain transitions (file creation and exec() calls) are introduced. Everything is fairly vague at this point, but the discussion is enough to let some of the important ideas sink in.

The author then takes a diversion into how to install SELinux on several distributions, with special attention paid to Debian, Fedora, and Gentoo. This information will certainly be useful to some readers, but (especially in the future) most readers are likely to find SELinux on their systems already. If you are trying to figure out how to make your Fedora system work, Chapter 3 will just be a distraction. (Incidentally, the book covers Fedora Core 2).

Chapter 4 gets into high-level SELinux administration: turning enforcement on and off, installing new policies, dealing with file labels, etc. There is useful stuff here, but the presentation leaves a little to be desired. For example, loading policies requires the use of the newrole command (which will remind old-time Unix users of the obnoxious newgrp command made necessary by certain vendors' kernels which could only handle membership in one group at a time). Policy loading is covered before newrole, however, leading to a fair number of forward references in the text. Reordering the discussion would have made things easier to follow. That said, this chapter provides a reasonable start for administrators trying to find their way around their SELinux systems.

The next three chapters form the technical core of the book, with detailed descriptions of the language used to define role-based access control and type enforcement rules. There's lots of cute railroad diagrams for those who want pictures, and a detailed examination of how the policy for the ping utility is put together. If you are trying to make sense of the policy files that come with your SELinux distribution, these chapters provide the information that you will need. The book then winds down with a chapter on ancillary policy statements and one giving some pointers on how to carry out simple policy changes.

A topic which is missing entirely is how one might design a security policy from the beginning. The implicit assumption is that few, if any, readers will have such ambitious goals; they will, instead, be trying to make things work with the policy shipped by their distributor. That is probably a good assumption; designing an SELinux security policy from the beginning is not for the faint of heart. Still, as we'll explore in a companion article, there may be reasons for wanting to take on such a project.

Meanwhile, if SELinux takes off the way many people clearly expect it to, there will be a strong need for developers and administrators who truly understand how it works. For that reason, your editor predicts that this book will become required reading for a lot of people. For all of our quibbles, we must say that Mr. McCarty has succeeded in shedding some much-needed light into a dark and difficult corner of Linux systems administration.

Comments (4 posted)

Solaris 10

November 17, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

As the release date for Solaris 10 nears, Sun Microsystems has been powering up the hype machine accordingly, and trying to convince the world that Solaris 10 is the best OS ever. According to Sun, Solaris 10 will offer more than 600 new, "breakthrough" features. That's a few too many for this article, but we'll take a look at some of the most notable features that are slated for inclusion in Solaris 10.

One interesting feature is Solaris Dynamic Tracing (DTrace). DTrace is a system for troubleshooting problems in real time, by allowing admins and developers to observe and tune system behavior.

Another feature that Sun is touting is Solaris Containers. Containers are essentially virtual machines, which allow an admin to create "private execution environments" on a machine, to isolate applications from one another and essentially create multiple hosts on a single server. This is, of course, nothing new to Linux users who have already discovered User-Mode Linux or any of the other virtualization solutions available for Linux.

Solaris 10 also comes with a new file system, ZFS. This is a 128-bit file system that offers far greater capacity than the current UFS, and 64-bit checksums for data stored on the filesystem. ZFS works with "virtual storage pools," and is supposed to greatly reduce the difficulty of administering file systems. According to Sun's website:

For example, with Solaris ZFS, to add mirrored file systems for three users and then add more disks, the number of tasks is reduced from 28 to 5. And the time taken to perform this function has been reduced from 40 minutes to 10 seconds, so administrators can spend more time solving business problems, rather than managing storage.

The TCP/IP stack gets special attention in Solaris 10. Sun has rewritten its networking stack, and claims that delivers a 50-percent or better speed boost for "many networked applications." Solaris 10 also includes built-in kernel support for the Stream Control Transmission Protocol (SCTP) and Session Initiation Protocol (SIP) in an effort to make Solaris 10 attractive for VoIP deployments.

Despite the slew of new features, Sun has fallen into an unenviable position with Solaris: Having to go to customers with a emulation technology to run their existing programs. When Linux was the underdog, much was made of the ability to run Solaris and other *nix binaries on Linux, as a way to allow companies to move their existing applications to Linux. With Solaris 10, Sun is promising a Linux Application Environment (LAE) to run Linux binaries on Solaris 10 on x86 systems.

Pricing for Solaris 10 has changed as well. Sun is, literally, giving it away. Sun is giving a "right-to-use" (RTU) license and security updates for Solaris 10 at no charge. Customers who want to utilize support or have access to all Solaris 10 updates and fixes start at $120 per year for a 1-4 CPU machine.

The company is also making much of binary compatibility with Solaris 10 -- promising customers that older Solaris applications will be able to run unchanged on Solaris 10.

Perhaps the most interesting feature for Solaris 10 is the licensing, if we ever find out what it is. According to Sun's executives, Solaris 10 will be open source. However, the company has not yet announced a license, whether the license will be OSI-compliant or exactly how much of Solaris 10 will be under this open source license. Further, assuming that the license is open enough to encourage contribution, Sun hasn't set out any information about accepting contributions from the community.

A more ominous possibility exists: Sun could release its code under a license which is not only non-free, but which creates problems for any free software developers who look at that code. If Sun's fortunes continue to decline, there is a definite possibility that the company could look to litigation for its salvation. This possibility should be kept in mind by anybody who contemplates going anywhere near the Solaris code.

Obviously, Sun is trying to regain some of the ground that it has lost with Linux. It seems unlikely, at least to this writer, that Sun will make much headway in regaining lost customers with Solaris 10. While Solaris 10 offers some undeniably useful and interesting features, it's fairly obvious that most organizations do not choose operating systems on features alone.

Sun lacks the momentum that Linux has gained over the past few years. Companies that have already invested time and money into migrating to Linux are less likely to spend additional time and money evaluating Solaris 10 if Linux is meeting their needs. Companies that are already utilizing Linux are unlikely to even bother evaluating Solaris 10 unless Linux does not meet their needs.

Also, Sun's LAE won't be available in the first release of Solaris 10, meaning that organizations that are willing to consider migrating from Linux to Solaris will have to hold off until Sun releases LAE in an update to Solaris 10. This puts Sun even farther in the hole with regards to losing customers to Linux.

If the Solaris 10 license is GPL-compatible, many of Solaris 10's interesting features will no doubt find their way into Linux. It seems unlikely that Sun would choose that path. On the other hand, if Sun chooses a less friendly open source license, it will have a tough time creating a community that will drive Solaris development or adoption in the same way that the GPL has driven Linux. Either way, Sun seems set to lose with its open source ploy.

Solaris 10 looks to be a fine operating system, but it may very well be too little and too late to help Sun regain its market share.

Comments (36 posted)

Poland gets cold feet on Europatents

A press release has gone out stating that the Polish government has officially decided that it is unable to support software patents in Europe.

Consequently, the EU Council is unable to formally adopt that legislative proposal as its common position. Without the support of Poland, those countries that supported the proposal in May now fall short of a qualified majority by 16 votes.

Needless to say, this is an important development. Software patents will probably not be defeated quite this easily, but this is an important step in that direction.

Comments (none posted)

LWN comes early next week

Next week's LWN Weekly Edition will be published on November 24 - one day earlier than usual - so that the LWN staff can prepare themselves for the annual Thanksgiving feast. We'll return to the usual schedule on December 2.

Comments (none posted)

Page editor: Jonathan Corbet

Security

Civilizing SELinux

On its face, SELinux offers a number of attractive capabilities. It enables a Linux system to be partitioned into lots of little realms ("domains" or "types") with fine-grained control over the capabilities of each realm. For example, the named DNS server can be empowered to bind to the DNS ports (but no others), write to its log and cache files (but no others), and read from its configuration files (but from nowhere else). It can read random numbers, but cannot access any other device files. And so on. The end result is that, even if named falls to a remote code exploit, there is very little that exploit can actually do. A vulnerability which, on a current Linux system, could lead to a full system compromise is limited to a denial of service problem, or, at worst, the provision of bogus DNS information.

This promise is worth something. Currently, any sort of compromise of any daemon on the system has a good chance of being escalated to full control of the system itself. SELinux cannot prevent security holes in server processes, but it does have the potential to strictly limit the damage which can be done by exploiting those holes. SELinux could be the mechanism which turns Linux into the most secure widely-used operating system on the planet.

The only problem is that getting there could be a challenge, and, along the way, we risk turning Linux into a system we no longer wish to use.

Like all good kernel code, SELinux does not, itself, contain a security policy. That policy, instead, is defined by the system administrator and loaded from user space. Defining that policy, however, is not the easiest thing to do. The book SELinux: NSA's Open Source Security Enhanced Linux, just reviewed by LWN, notes that a typical set of policy files contains some 250,000 lines of code. More to the point:

The SELinux source policy is a sophisticated software system. It includes dozens of object classes, scores of defined permissions, more than 1,000 type transitions, thousands of object instances, and tens of thousands of access-vector rules.

As an aside, all of this code is written in a language which, as of this writing, probably has no more than a few dozen expert authors. So a couple of questions come immediately to mind: how is it possible for anybody to truly understand a system's security policy, and how can that policy be shown to be correct? Complexity and obscurity are enemies of security, and SELinux has large amounts of both.

There are complications. Installing a new program on a full-blown SELinux system required updating the security policy. There has been talk of a day when applications are routinely shipped with SELinux policy files, just like they currently contain makefiles. But that talk assumes that large numbers of application developers will learn the SELinux policy language well enough to write a secure policy for their code. It assumes that system administrators will understand those files well enough to decide whether they are safe to install. In an SELinux world, malicious policy files may become a required part of any self-respecting trojan horse; vigilance will be required.

Perhaps the biggest problem, though, is the assumption that a single policy file will fit into the security policies running on systems worldwide. If everybody ends up with a single, uniform security policy derived from the SELinux sample policy, that assumption might hold. But how can a single security policy make sense for all situations? The sheer difficulty of creating a radically different policy will likely keep experimentation to a minimum, but there will inevitably be pressure for different policies for different situations. In the future, we may see new offshoot distributions which differ mainly in their SELinux policies. Divergent security policies will be good for user choice, and the diversity may be good for the security of the net in general. But they will make it hard to write a portable application policy file.

SELinux depends on "labels" applied to almost all files on the system. Those labels define the type(s) of the files, and, thus, who can access them, and in which way. These labels are also a crucial part of the domain system which allows the isolation of specific daemons and utilities. Maintaining the integrity of these labels proves to be a challenge, however. Consider this warning from the SELinux book:

If you use vipw, vi, or some other means to modify /etc/passwd, /etc/group, or /etc/shadow, you'll likely remove the security context labeling [from] the file, which will make the file inaccessible.

Relabeling files is something every SELinux administrator needs to know how to do. The Fedora boot process checks for labeling problems, and, when they are found, it automatically relabels things. Relabeling is a fact of life in the SELinux world.

It turns out that the proper labels are stored in the SELinux policy; what's on the files themselves can be thought of as a sort of cached version. In other words, SELinux has imposed a new file permissions scheme which is maintained outside of the kernel. If the files are manipulated by non-aware applications, or by way of a non-SELinux kernel, those permissions will become unsynchronized. Applications installed by the administrator will have labeling problems of their own.

The end result is that SELinux could lead to systems which are too complex to administer, which have a single security policy created by the distributor, and which are highly resistant to the installation of software not provided by the distributor - or to changes in general. That is not a world which most of us would like to live in; we should think carefully before we run too quickly in that direction.

Of course, that is a worst case scenario, and the Linux community is unlikely to let things get that bad. Some steps have already been taken in the right direction. The Fedora Project's decision to fall back to a "targeted" mode, where SELinux only applies to certain system daemons, is a good start. The targeted mode reduces the complexity of the security policy and makes experimentation easier. Fedora has also introduced "policy booleans" to the mix. These booleans are runtime variables which provide (relatively) high-level control over the system's security policy. Booleans in Fedora Core 3 control whether Apache can run CGI programs or read home directories, whether yellow pages can be used, and more.

The booleans point in an important direction. Perhaps part of the real problem with SELinux is that policies must be written in the equivalent of assembly language. Most programmers do not want to worry about individual register assignments, and most system administrators would rather not deal with domain transitions and access vectors. If, in some future day, a system's security policy can be specified with, at most, a few hundred lines of high-level declarations, that policy may just be manageable. If that can be done, SELinux might just be the answer to a lot of our security worries.

(See also: this just-released, beta Fedora document which describes what is involved in using SELinux to control Apache).

Comments (20 posted)

Brief items

EFF on mailing lists and spam

The EFF has put out a a lengthy document describing its concerns with contemporary spam filtering techniques. "Blind keyword or phrase blocking is the determination that messages will not be delivered because they contain specific words or phrases. This method is imprecise and unnecessary, especially now that more sophisticated tools are available. Moreover, it can be used to block messages for political reasons. In short, there's no defensible reason to label email as spam based solely on keywords or phrases."

Comments (1 posted)

freedesktop.org site compromised

Visitors to freedesktop.org will see a message noting that the site was compromised on November 15. The project does not believe that any code on the site was tampered with, but they are rebuilding everything from the beginning anyway. More info will come as we get it. (Thanks to Thomas Kirby).

Comments (20 posted)

New vulnerabilities

BNC: Buffer overflow vulnerability

Package(s):bnc CVE #(s):
Created:November 16, 2004 Updated:December 1, 2004
Description: Leon Juranic discovered that BNC fails to do proper bounds checking when checking server response. An attacker could exploit this to cause a Denial of Service and potentially execute arbitrary code with the permissions of the user running BNC.
Alerts:
Debian DSA-595-1 2004-11-24
Gentoo 200411-24 2004-11-16

Comments (none posted)

bogofilter: denial of service

Package(s):bogofilter CVE #(s):CAN-2004-1007
Created:November 17, 2004 Updated:November 17, 2004
Description: Bogofilter has a vulnerability in its quoted-printable processing code which may be exploited to crash the process.
Alerts:
Ubuntu USN-26-1 2004-11-17

Comments (none posted)

ez-ipupdate: format string vulnerability

Package(s):ez-ipupdate CVE #(s):CAN-2004-0980
Created:November 11, 2004 Updated:November 17, 2004
Description: ez-ipupdate, a dynamic DNS file updating utility, has a format string vulnerability that can lead to the execution of arbitrary code.
Alerts:
Debian DSA-592-1 2004-11-12
Mandrake MDKSA-2004:129 2004-11-10
Gentoo 200411-20 2004-11-11

Comments (none posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

SquirrelMail: cross-site scripting

Package(s):squirrelmail CVE #(s):CAN-2004-1036
Created:November 17, 2004 Updated:December 23, 2004
Description: Squirrelmail (through version 1.4.3a-r2) suffers from yet another cross-site scripting vulnerability.
Alerts:
Red Hat RHSA-2004:654-01 2004-12-23
Conectiva CLA-2004:905 2004-12-02
Fedora FEDORA-2004-472 2004-11-28
Fedora FEDORA-2004-471 2004-11-28
Gentoo 200411-25 2004-11-17

Comments (none posted)

sudo: environment variable sanitizing

Package(s):sudo CVE #(s):CAN-2004-1051
Created:November 17, 2004 Updated:May 15, 2005
Description: Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Alerts:
Fedora-Legacy FLSA:152856 2005-05-12
OpenPKG OpenPKG-SA-2005.002 2005-01-17
Debian DSA-596-2 2004-11-24
Debian DSA-596-1 2004-11-24
Ubuntu USN-28-1 2004-11-17
Mandrake MDKSA-2004:133 2004-11-15

Comments (none posted)

unarj: buffer overflow vulnerability

Package(s):unarj CVE #(s):CAN-2004-0947
Created:November 11, 2004 Updated:February 2, 2005
Description: The unarj uncompression utility has a buffer overflow vulnerability from handling long file names in an archive. An attacker can cause unarj to crash or execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:2272 2005-02-01
Debian DSA-652-1 2005-01-21
Red Hat RHSA-2005:007-01 2005-01-12
Gentoo 200411-29 2004-11-19
Fedora FEDORA-2004-414 2004-11-11

Comments (none posted)

Updated vulnerabilities

apache: arbitrary code execution

Package(s):apache CVE #(s):CAN-2004-0940
Created:October 29, 2004 Updated:December 14, 2004
Description: According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error.
Alerts:
Red Hat RHSA-2004:600-01 2004-12-13
Mandrake MDKSA-2004:134 2004-11-15
Debian DSA-594-1 2004-11-17
Trustix TSLSA-2004-0056 2004-11-05
Gentoo 200411-03 2004-11-02
Slackware SSA:2004-305-01 2004-11-01
OpenPKG OpenPKG-SA-2004.047 2004-10-29

Comments (none posted)

apache2: denial of service

Package(s):apache CVE #(s):CAN-2004-0942
Created:November 10, 2004 Updated:November 26, 2004
Description: Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth.
Alerts:
Trustix TSLSA-2004-0061 2004-11-19
Mandrake MDKSA-2004:135 2004-11-15
Red Hat RHSA-2004:562-01 2004-11-12
Fedora FEDORA-2004-421 2004-11-12
Fedora FEDORA-2004-420 2004-11-12
Ubuntu USN-23-1 2004-11-11
Gentoo 200411-18 2004-11-10

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

ncompress: Buffer overflow

Package(s):compress uncompress ncompress CVE #(s):CAN-2001-1413
Created:October 11, 2004 Updated:December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Red Hat RHSA-2004:536-01 2004-12-13
Gentoo 200410-08 2004-10-09

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

freeamp: arbitrary code execution

Package(s):freeamp CVE #(s):CAN-2004-0964
Created:November 8, 2004 Updated:November 10, 2004
Description: Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf.
Alerts:
Debian DSA-587-1 2004-11-08

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

gaim: command execution via smiley themes

Package(s):gaim CVE #(s):CAN-2004-0784 CAN-2004-0785
Created:October 21, 2004 Updated:November 12, 2004
Description: gaim may allow arbitrary commands to be executed via shell meta characters in the the tar file name that is dragged to the smiley selector.
Alerts:
Red Hat RHSA-2004:400-01 2004-09-07
Conectiva CLA-2004:884 2004-11-04
Mandrake MDKSA-2004:110 2004-10-21

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):Gallery CVE #(s):CAN-2004-1106
Created:November 8, 2004 Updated:January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the users gallery.
Alerts:
Debian DSA-642-1 2005-01-17
Gentoo 200411-10:01 2004-11-06

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnats: format string vulnerability

Package(s):gnats CVE #(s):CAN-2004-0623
Created:November 9, 2004 Updated:November 10, 2004
Description: Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code.
Alerts:
Debian DSA-590-1 2004-11-09

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

gzip: insecure temporary files

Package(s):gzip CVE #(s):CAN-2004-0970
Created:November 8, 2004 Updated:December 7, 2004
Description: Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack.
Alerts:
Mandrake MDKSA-2004:142 2004-12-06
Debian DSA-588-1 2004-11-08

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating mal-formed video or image files in the AVI, BMP, or DIB format.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

ImageMagick: EXIF buffer overflow

Package(s):ImageMagick CVE #(s):CAN-2004-0981
Created:November 8, 2004 Updated:December 8, 2004
Description: ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information.
Alerts:
Red Hat RHSA-2004:636-01 2004-12-08
Mandrake MDKSA-2004:143 2004-12-06
Debian DSA-593-1 2004-11-16
Gentoo 200411-11:01 2004-11-06

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

Kaffeine, gxine: remotely exploitable buffer overflow

Package(s):Kaffeine gxine CVE #(s):
Created:November 8, 2004 Updated:November 11, 2004
Description: KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well. An attacker could create a specially-crafted Content-type header from a malicious HTTP server, and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code. See this SecurityTracker advisory for details.
Alerts:
Gentoo 200411-14:01 2004-11-07

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mtink: insecure tempfile handling

Package(s):mtink CVE #(s):
Created:November 9, 2004 Updated:November 10, 2004
Description: Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure permissions on temporary files. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When mtink is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200411-17 2004-11-09

Comments (none posted)

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

perl: insecure temp file creation

Package(s):perl CVE #(s):CAN-2004-0976
Created:November 2, 2004 Updated:December 7, 2004
Description: Trustix Secure Linux has discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
Alerts:
Gentoo 200412-04 2004-12-07
Ubuntu USN-16-1 2004-11-02

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s):PostgreSQL CVE #(s):CAN-2004-0977
Created:October 18, 2004 Updated:December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Red Hat RHSA-2004:489-01 2004-12-20
Mandrake MDKSA-2004:149 2004-12-13
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Debian DSA-577-1 2004-10-29
Ubuntu USN-6-1 2004-10-27
Gentoo 200410-16 2004-10-18

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: infinite loop

Package(s):ruby CVE #(s):CAN-2004-0983
Created:November 8, 2004 Updated:May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up cpu cycles.
Alerts:
Fedora-Legacy FLSA:152768 2005-05-12
Red Hat RHSA-2004:635-01 2004-12-13
Gentoo 200411-23 2004-11-16
Fedora FEDORA-2004-403 2004-11-11
Fedora FEDORA-2004-402 2004-11-11
Ubuntu USN-20-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Debian DSA-586-1 2004-11-08

Comments (none posted)

samba: remote DoS vulnerability

Package(s):samba CVE #(s):CAN-2004-0930 CAN-2004-0882
Created:November 8, 2004 Updated:December 1, 2004
Description: According to this Samba advisory a remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Versions of Samba 3.0.x up to and including 3.0.7 are vulnerable.

There is also an advisory about possible buffer overruns in smbd.

Alerts:
Fedora FEDORA-2004-459 2004-11-29
Fedora FEDORA-2004-460 2004-11-29
Conectiva CLA-2004:899 2004-11-25
Mandrake MDKSA-2004:136 2004-11-18
Ubuntu USN-29-1 2004-11-18
Red Hat RHSA-2004:632-01 2004-11-16
Trustix TSLSA-2004-0058 2004-11-15
SuSE SUSE-SA:2004:040 2004-11-15
Mandrake MDKSA-2004:131 2004-11-10
Gentoo 200411-21 2004-11-11
Ubuntu USN-22-1 2004-11-10

Comments (none posted)

shadow: unauthorized modification of account information

Package(s):shadow CVE #(s):CAN-2004-1001
Created:November 4, 2004 Updated:November 23, 2004
Description: The shadow user account utilities have a potential problem with the chfn and chsh utilities that may allow unauthorized users to modify account properties.
Alerts:
Conectiva CLA-2004:894 2004-11-23
Ubuntu USN-17-1 2004-11-04
Mandrake MDKSA-2004:126 2004-11-04
Debian DSA-585-1 2004-11-05
Gentoo 200411-09 2004-11-04

Comments (none posted)

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

Speedtouch USB driver: Privilege escalation vulnerability

Package(s):Speedtouch USB driver CVE #(s):
Created:November 2, 2004 Updated:November 11, 2004
Description: The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges.
Alerts:
Mandrake MDKSA-2004:130 2004-11-10
Gentoo 200411-04 2004-11-02

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tiff: buffer overflows

Package(s):tiff CVE #(s):CAN-2004-0803
Created:October 13, 2004 Updated:April 12, 2005
Description: The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Red Hat RHSA-2005:021-01 2005-04-12
Conectiva CLA-2005:914 2005-01-06
Gentoo 200412-17 2004-12-19
Gentoo 200412-02 2004-12-05
Conectiva CLA-2004:888 2004-11-08
Slackware SSA:2004-305-02 2004-11-01
Red Hat RHSA-2004:577-01 2004-10-22
SuSE SUSE-SA:2004:038 2004-10-22
Mandrake MDKSA-2004:111 2004-10-21
Mandrake MDKSA-2004:109 2004-10-19
Debian DSA-567-1 2004-10-15
Fedora FEDORA-2004-334 2004-10-14
OpenPKG OpenPKG-SA-2004.043 2004-10-14
Gentoo 200410-11 2004-10-13

Comments (none posted)

WordPress: HTTP response splitting and XSS vulnerabilities

Package(s):wordpress CVE #(s):
Created:October 14, 2004 Updated:December 20, 2004
Description: WordPress is vulnerable to HTTP response splitting and cross-site scripting attacks, due to the lack of input validation in the administration panel scripts. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.
Alerts:
Gentoo 200410-12:02 2004-10-14
Gentoo 200410-12 2004-10-14

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xpdf: integer overflows

Package(s):xpdf kpdf cupsys CVE #(s):CAN-2004-0888 CAN-2004-0889
Created:October 21, 2004 Updated:February 18, 2005
Description: Several xpdf integer overflow vulnerabilities can be exploited via a mal-formed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys which share code. Additional information can be found in this KDE security advisory.
Alerts:
Fedora FEDORA-2005-138 2005-02-09
Fedora FEDORA-2005-137 2005-02-09
Fedora FEDORA-2005-133 2005-02-09
Fedora FEDORA-2005-134 2005-02-09
Fedora FEDORA-2005-136 2005-02-09
Fedora FEDORA-2005-135 2005-02-09
Fedora FEDORA-2005-123 2005-02-08
Fedora FEDORA-2005-122 2005-02-08
Debian DSA-599-1 2004-11-25
Gentoo 200411-30 2004-11-23
Conectiva CLA-2004:886 2004-11-08
Gentoo 200410-30:02 2004-10-28
Gentoo 200410-20:02 2004-10-21
Debian DSA-581-1 2004-11-02
Ubuntu USN-14-1 2004-11-01
Ubuntu USN-9-1 2004-10-27
Gentoo 200410-30 2004-10-28
Fedora FEDORA-2004-358 2004-10-28
Fedora FEDORA-2004-357 2004-10-28
Red Hat RHSA-2004:592-01 2004-10-27
Fedora FEDORA-2004-337 2004-10-26
SuSE SUSE-SA:2004:039 2004-10-26
Ubuntu USN-2-1 2004-10-22
Red Hat RHSA-2004:543-01 2004-10-22
Mandrake MDKSA-2004:115 2004-10-21
Mandrake MDKSA-2004:116 2004-10-21
Mandrake MDKSA-2004:114 2004-10-21
Mandrake MDKSA-2004:113 2004-10-21
Gentoo 200410-20 2004-10-21
Fedora FEDORA-2004-348 2004-10-21
Debian DSA-573-1 2004-10-21

Comments (none posted)

zgv: multiple buffer overflows

Package(s):zgv CVE #(s):
Created:November 8, 2004 Updated:December 14, 2004
Description: Multiple arithmetic overflows have been detected in the image processing code of zgv. An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. See this BugTraq advisory for more information.
Alerts:
Debian DSA-608-1 2004-12-14
Gentoo 200411-12:01 2004-11-07

Comments (none posted)

zip: arbitrary code execution

Package(s):zip CVE #(s):CAN-2004-1010
Created:November 5, 2004 Updated:February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Fedora-Legacy FLSA:2255 2005-02-01
Debian DSA-624-1 2004-01-05
Red Hat RHSA-2004:634-01 2004-12-16
Mandrake MDKSA-2004:141 2004-11-25
Gentoo 200411-16 2004-11-09
Fedora FEDORA-2004-399 2004-11-08
Fedora FEDORA-2004-400 2004-11-08
Ubuntu USN-18-1 2004-11-05

Comments (1 posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.10-rc2, announced by Linus on November 14. Patches merged since -rc1 include fixes for the ELF loader security problems, Anubis block cypher support, an ALSA update, a number of networking updates, kprobes support for the x86-64 architecture, a frame buffer device update, a set of user-mode Linux patches, an NTFS update, version 2.0 of the USB gadget serial driver, some kernel build tweaks (the preferred name for kernel makefiles is now Kbuild), the ext3 block reservation and online resizing patches, sysfs backing store, locking behavior annotations for the "sparse" utility, a reworking of spin lock initialization, the un-exporting of add_timer_on(), sys_lseek(), and a number of other kernel functions, an x86 signal delivery optimization, an IDE update, I/O space write barrier support, a frame buffer driver update, more scheduler tweaks, some big kernel lock preemption patches, a large number of architecture updates, and lots of fixes. See the long-format changelog (600KB) for the details.

Linus has noted that now would be a good time to calm down and stick to bug fixes until 2.6.10 comes out. His BitKeeper repository shows that he is sticking to that; it contains mostly fixes. There is also a memory technology device (and JFFS2) update, a frame buffer device update, some user-mode Linux patches, some page allocator tuning, and a few architecture updates.

The current prepatch from Andrew Morton is 2.6.10-rc2-mm1. Recent changes to -mm include some kmap_atomic() changes (see below), the ability to disable a subset of "magic sysrq" features, some SELinux scalability work, enhanced I/O and memory usage accounting data collection, and an updated reiser4 filesystem.

The 2.4.28 kernel has been released; Marcelo announced its availability on November 17. The biggest change since 2.4.27, for many people, will be the serial ATA and networking improvements, but many other fixes have gone in as well.

Comments (none posted)

Kernel development news

Quote of the week

Well, yes, your base appetites have led you to the name "pud", where my refined intellect led me to "phd", with h for higher ;)

-- Hugh Dickins on the philosophy of page table naming.

Comments (none posted)

On not getting burned by kmap_atomic()

"High memory," on a Linux system is, by definition, memory which is not normally mapped into the kernel's virtual address space. It is a mechanism which enables 32-bit architectures to make use of more physical memory than would otherwise be possible. When the kernel needs to directly manipulate the contents of a high-memory page, it must explicitly create a virtual address for it. The traditional functions for creating and removing those addresses are:

    void *kmap(struct page *page);
    void kunmap(struct page *page);

These functions work as intended, but they can be expensive to use. The virtual address space they use is limited, and shared across all processors. As a result, each kmap() and kunmap() invocation requires a global TLB flush. Often, however, high memory does not need to be mapped for long periods of time, and does not need to be shared across processors. To improve performance in such situations, the notion of an "atomic kmap" was added:

    void *kmap_atomic(struct page *page, enum km_type type);
    void kunmap_atomic(void *address, enum km_type type);

Atomic kmaps use a very small set of predefined virtual "slots," which are not shared across processors. The type argument specifies which slot is to be used, with the callers taking responsibility for not stepping on each others' toes. Slots are dedicated to specific purposes - two for code called in user context, two for interrupt handlers, two for page table management, etc. In practice, it all works out; conflicts over atomic kmap slots don't happen.

Another problem has come up, however, and that has led to a small change in the prototypes of the atomic kmap functions in the -mm kernel. The regular kmap functions have a symmetrical interface in that both take a struct page * argument. kunmap_atomic(), instead, takes a void * argument - the kernel virtual address to be unmapped. It is a common mistake, however, to pass in the associated struct page pointer instead. Since the argument type is void *, the compiler does not complain, and the discovery of the problem does not come until (possibly much) later.

The solution is straightforward: redefine the function as follows:

    char *kmap_atomic(struct page *page, enum km_type type);
    void kunmap_atomic(char *address, enum km_type type);

With this change, the compiler will issue a warning whenever somebody tries to pass a struct page pointer to kunmap_atomic().

The patch has generated a surprising number of follow-on fixes, mostly to suppress warnings caused by the change. Many kunmap_atomic() calls now explicitly cast the address argument to the char * type. In the end, though, the result should be one more potential mistake which can be caught before it burns somebody - as long as programmers don't "fix" warnings by casting struct page pointers.

Comments (5 posted)

Trustees Linux

Linux currently offers a wealth of projects which are working to extend the classic Unix permissions mechanism with more flexible schemes. One recent entry is an LSM port of Trustees Linux, which has been done by Andrew Ruder. Trustees Linux starts with the idea that access control lists are overly complicated and inefficient; achieving the desired goals can require hanging ACLs on thousands of files, and keeping all of those ACLs in sync can be a challenge.

The Trustees approach, instead, is to create a separate, central database which contains filesystem permissions. This database can assign a "trustee" to a directory; this trustee provides access permissions which apply to the directory and, by default, everything below that directory. A single rule can, thus, cover a large part of the filesystem hierarchy.

The trustee rules cover the usual sorts of permissions; who can search for, read, and write files in a given subtree. The format is somewhat terse; one of the rules provided in the examples is:

    [/dev/hda1]/var/log:zavadsky:REB

This rule enables user "zavadsky" to wander around in (and under) /var/log and read files there.

Mr. Ruder's port is centered around the Linux security module inode_permission() hook; that code examines the trustees which apply to a given inode and decides whether the requested access is to be allowed or not.

It's all pretty straightforward, but there is an interesting twist to how Trustees works with file permissions: the module gives the CAP_DAC_OVERRIDE capability to every process, allowing them to override the existing Unix file permissions. The Trustees module will, in turn, apply those permissions itself much of the time, but it is possible to write rules which override them. In this sense, Trustees functions as an authoritative module, which is not how LSM modules are supposed to work. If Trustees Linux is ever proposed for merging into the mainline, that little feature could come back to haunt it.

Comments (7 posted)

Stopping unwanted OOM killer experiences

There has, in recent times, been a small increase in the number of complaints from users who have seen processes killed by the kernel in response to an out-of-memory (OOM) situation. The only problem is that the system should not have been quite that hard up for memory at the time. Even if the user is doing something which requires completely irrational amounts of memory ("yum update", say), it seems like the system should have been able to muddle along without killing low-priority processes, like the ssh server. These unwanted OOM killer experiences have driven a few developers to take a closer look at what was going on.

Marcelo Tosatti has been working on the problem for a bit; he put together a patch which tries to avoid invocations of the OOM killer if things might get better soon. The idea is that, while a full scan of a memory zone may have failed to turn up any free pages, it may have kicked I/O into motion that will, very soon, make some pages free. So the OOM killer is kept in its cage until the no-memory situation has persisted for a few seconds. Marcelo reported that this patch improved things significantly for his test cases.

It turns out, though, that the real problem was elsewhere; the token-based thrashing control patch appears to be the real culprit. This patch, remember, tries to reduce system thrashing in memory-constrained situations by exempting one process at a time from the page reclaim mechanism. That process will, in theory, make use of its sheltered time to make some real progress before the token moves on and its pages are, once again, subject to eviction. The token-based mechanism has been shown to truly improve the situation when memory is tight.

Until it gets too tight, as it turns out. A process which needs a page, but which does not hold the token, may find that all of the (otherwise) reclaimable pages belong to the process currently holding the token. The unlucky process thus finds no pages to grab, and pushes the big red OOM button. The system is not truly out of memory, however; it has simply been told that all the good pages are temporarily off limits.

Rik van Riel put his finger on the problem, and Andrew Morton put together a simple patch to fix it. Essentially, the VM subsystem will now ignore the swap token when finding reclaimable pages gets too hard. During normal operation, the token-based mechanism holds sway, but it can be set aside as a preferable alternative to killing random processes in the system. The patch appears to have solved the problems without taking away the benefits of the token-based approach.

Marcelo acknowledged that this was the right fix, grumbled that he had wasted a bunch of time, and promised "Next time I should be looking into the easy stuff before trying miraculous solutions." It was his work, however, which shone a light on the problem in the first place, and led to its eventual solution.

Comments (5 posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Janitorial

Memory management

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

SUSE Linux Enterprise Server 9

September 1, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

[Editor's note: this article was written a couple of months ago, but for various reasons we delayed publishing it. Now we are pleased to present this review of SLES 9.]

A few weeks ago, Novell released SUSE Linux Enterprise Server (SLES) 9. We decided to take the distribution for a spin, and see what it has to offer. We installed SLES 9 on an SMP system with dual 500MHz PIII Xeons with 1 GB of RAM and 40GB drive.

Installation of SLES is a breeze, though there's a lot of CD-swapping during package install. YaST2 did just fine at detecting and configuring all system hardware. The automatic disk partitioning scheme, however, was a bit odd. We chose to use the "Expert" partitioning mode, which is actually quite simple to use as long as one is familiar with Linux partitioning. SLES defaults to the Reiser Filesystem for new partitions, though users have the option of using Ext3, Ext2, JFS or XFS if they prefer.

SLES 9 ships with the 2.6.5 kernel, but doesn't seem to include a 2.4.x series kernel. This is somewhat surprising, since it seems likely that some SUSE/Novell customers may be standardized on the 2.4.x series and not quite ready to move.

One interesting feature we discovered is the ability to install a UML virtual host using YaST2. Unfortunately, and for no apparent reason, this requires a network installation source -- users who have installed from CD will have to set up an FTP or NFS installation source to make use of the UML feature in YaST, negating the convenience of the feature in the first place.

For the most part, though, SLES 9 was very easy to set up and configure. YaST2 has really matured into a nice system administration tool over the years. For example, YaST2's DNS Server module makes it very simple to set up DNS zones. YaST includes modules for administering services, hardware, software package management, user administration and much more. We're still not quite sure what a pineapple icon has to do with "Misc" settings in YaST2, though.

The default desktop is KDE 3.2.1, though GNOME is available as well as a FVWM and twm. For a "server" OS, SLES 9 also comes with a odd selection of desktop software -- though there are a few packages that are conspicuously absent. For example, OpenOffice.org does not seem to be available, nor is The Gimp. Obviously, desktop users interested in SUSE will probably want to use SUSE 9.1 instead.

Users might wonder whether they should be looking at SLES 9 or SUSE 9.1, and what SLES 9 has that you won't find in the retail package. For the most part, SUSE 9.1 Professional comes with the same features you will find in SLES 9. You will find support for Novell management tools that isn't present in SUSE 9.1 Professional, and a few YaST2 modules that aren't available in 9.1. For example, 9.1 doesn't include HA configuration or UML configuration through YaST2. The end-user experience for SLES 9 and SUSE 9.1 is pretty much the same, though and there's no steep learning curve or anything for users migrating to SLES 9 from SUSE 9.1 or older versions.

What do companies and organizations get for their extra money when buying SLES 9? Long-term support, for one thing. While the retail packages have a two-year period for updates and so on, SLES 9 will be eligible for full maintenance through August 31, 2007, and security maintenance through August 31, 2009. Companies and organizations that are considering a platform for long-term use should be looking to SLES rather than SUSE's home user offerings.

Another consideration for SLES 9, though not something we were in a position to test, is that Novell is working towards Common Criteria Evaluation Assurance Level (EAL) 4+, though it has not yet been awarded that certification yet. SLES 8 received EAL 3+. For environments where this is an issue, SLES is the obvious choice.

We reviewed SLES 9 for x86, but it bears mentioning that there are also versions available for 64-bit x86 processors, Itanium, IBM Power processors, IBM S/390 and IBM zSeries. A full list of packages for each version of SLES is available through SUSE's website.

Novell does make a "evaluation" version of SLES 9 available for download, though users who want online updates past the 30-day trial will have to buck up for a subscription. The x86 line carries a $349 price tag for one year for up to two CPUs.

In all, we were pretty happy with SLES 9. It's a robust system that's easy to use and administer. It will make a good impression on those new to Linux, and it's still a usable system for longtime Linux users as well.

Comments (1 posted)

Distribution News

Gentoo Linux 2004.3 Released

Gentoo Linux 2004.3 is out. This appears to be, mainly, a bug fix release; click below for the announcement or see the 2004.3 release information page for more information.

Full Story (comments: 9)

Lycoris SME server roadmap

Lycoris contribs.org, the new home of the SME server, has announced a roadmap for the distribution. "For our first release, we do minor touch-up to the current 6.01 contribs.org release. We have both a GPL edition for free download and a Lycoris-branded commercial release." (Thanks to Brock Frazier)

Comments (none posted)

Debian Bug squashing in Cambridge, November 27th to 28th

Debian users and developers in the Cambridge UK area are invited to a Bug Squashing on November 27-28, 2004. Click below for details.

Full Story (comments: 1)

Using Apache with SELinux on Fedora

A beta-quality document on using Apache with SELinux on Fedora Core 3 systems has been released. It will likely become required reading for Fedora administrators, but, even for people who are not Fedora users, this document is a good introduction to the complexities of making SELinux work with even a single system daemon.

Comments (4 posted)

Fedora Core

Fedora Core 3 updates: system-config-users (bug fixes), libxml2 (bug fixes), subversion (includes the latest release of Subversion 1.1), gdb (bug fixes), abiword (bug fixes), authd (upgrade to v1.4.3 fixes a segfault seen on x86_64 arches), and gaim (bug fixes).

Fedora Core 2 updates: libxml2 (bug fixes), and subversion (update to 1.0.9).

Comments (none posted)

Trustix Secure Linux

TSL 2.2 updates: many packages (bug fixes in apache automake bind console-tools courier-imap cracklib cups cyrus-imapd cyrus-sasl filesystem foomatic-filters freetype ghostscript glib glibc gzip lynx mod_perl mutt mysql netatalk ntp openldap openssh openssl openswan perl perl-convert-uulib perl-dbi perl-unicode-map php postfix postgresql proftpd python razor-agents rp-pppoe rsync spamassassin squid stunnel swup syslinux tsl-utils uw-imap vim wget words) and iptables (autoloads fewer modules)

Comments (none posted)

Slackware Linux

Patrick Volkerding has been seriously ill for some time. As a result, updates to Slackware have not been happening. You can read the gory details here. We wish Patrick well and hope he recovers from this illness.

Full Story (comments: 1)

Distribution Newsletters

Debian Weekly News

The November 16 Debian Weekly News is out. Topics this week include a release status update (getting closer), GNOME 2.8 for sarge, and several others.

Full Story (comments: none)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of November 15, 2004 is out, with a look at the Gentoo Linux 2004.3 release, a call for developers on Gentoo's X11 team, kernel housecleaning, and more.

Full Story (comments: none)

Ubuntu Traffic #11

The Ubuntu Traffic report for November 5, 2004 is out, with a look at several mailing list topics of discussion. This edition's topics include Ubuntu Book, Hoary Says: "Get Your UTF-8 On", Ubuntu Learns a Few More Languages, Ubuntu Artwork Sites, Hoary Woes, Documentation Meeting, Ubuntu Bug Reporting, Ubuntu Conference, Separating Language Packs and Hoary Status.

Full Story (comments: 2)

DistroWatch Weekly, Issue 75

The DistroWatch Weekly for November 15, 2004 is out, featuring Yggdrasil Linux, with a look at Gentoo Linux for G5 processors, and more.

Comments (none posted)

Minor distribution updates

BG-Rescue Linux

BG-Rescue Linux has released v0.4.0. "Changes: Support for USB mass storage (USB stick) devices was added. The Pocket Boy patch was applied. Support for DHCP IP address negotiation was added. An automatic tool (which runs under Unix/Linux and Windows 9x/ME/NT/2k/XP) was added to download the recent versions of BG-Rescue Linux and F-Prot and create the bootable ISO image. The Linux kernel was updated to 2.4.27. busybox was updated to 1.00, gpart to 0.1h to support ReiserFS 3.6, lilo to 22.6, mdadm to 1.7.0, ntfsprogs to 1.9.4, pcmcia-cardmgr to 3.2.8, reiserfsck to 3.6.18, smbclient to 1.9.18p8 to support pipes, and syslinux to 2.11. rzip and tphdisk were added."

Comments (none posted)

Coyote Linux

Coyote Linux has released v2.16. "Changes: This release adds muti-language support to the Web administrator. Currently English, Spanish, French, Portuguese, and Romanian translations are available."

Comments (none posted)

floppyfw

floppyfw has released development v2.9.13. "Changes: A few more images to pick from (Soekris and Flash/USB), and build scripts to make it all from scratch (in a uClibc buildroot or the floppyfw devkit). wondershaper has been added to the base."

Comments (none posted)

Hakin9 Live

Hakin9 Live has released v2.3.D. "Changes: Kernel 2.4.26 is included. WiFi cards support and xDSL support were enhanced. Cryptoloop support was added. New utilities were added."

Comments (none posted)

RUNT (ResNet USB Network Tester)

RUNT has released v4.0. "Changes: This version features scripts to make USB booting easier, the bootdisk can now be created from the pen drive, there is now keyboard layout selection by typing 'keymap' at the boot prompt. This version is based on Slackware 10.0 with kernel 2.4.26, and now has support for Nforce built-in ethernet devices."

Comments (none posted)

SLAX-Live CD

SLAX-Live CD has released v4.2.0. "Changes: This version contains KDE 3.3.1 and X.org 6.8.1. A new user called guest was added, and a new boot parameter home= was implemented."

Comments (none posted)

uClinux

uClinux has released v20041116. "Changes: This test release included Linux 2.6.9, Linux 2.4.27, Linux-2.0.39, uClibc 0.9.26, glibc 2.2.5, busybox 1.00, and much more."

Comments (none posted)

Newsletters and articles of interest

Thin client OpenLab Linux 3.2 released (Tectonic)

Tectonic covers the release of OpenLab 3.2. "AJ Venter, lead developer on the OpenLab project at DireqLearn, says "OpenLab is a different approach to the design of a GNU/Linux distribution, built on the premise of 'working out of the box'. Version 3.2 makes significant strides toward an even greater user experience. For example, OpenLab makes the set-up of a thin-client server easier than it has ever been before. All you need to do is say 'yes' when asked if you want it. No further user input is required.""

Comments (none posted)

Review: 'Knoppix Hacks' (NewsForge)

NewsForge reviews the book Knoppix Hacks. ""Knoppix Hacks" is a collection of activities that involve many of the programs and applications that make up Knoppix. These hacks can be a neat project, a set of tips and tricks, or a creative recipe that simplifies what was once a difficult task. The book starts out with simple tasks, and as the book progresses, the hacks tend to require more time, technical prowess, and resources from the reader."

Comments (none posted)

FreeBSD for Linux Users (O'ReillyNet)

O'ReillyNet looks into the differences between FreeBSD and Linux. "Most introductory Unix courses start with the differences between SysV and BSD. Students, unimpressed by this fascinating bit of theoretical trivia, tend to jot down a few notes dutifully, and then wait patiently for the hands-on portion of the class. Within the hour, though, someone will make a panicked discovery and shout out, "Where are my runlevels?" There's an inevitable and incredulous follow-up of "What do you mean there aren't any runlevels?" and "Where'd all my startup scripts go?""

Comments (none posted)

Installing Gnome 2.8 on Suse 9.1 (Tuxme.com)

Tuxme.com presents a how-to article on installing Gnome 2.8 on SUSE Linux 9.1. "To make a long story short, I now am able to run Gnome 2.8 alongside KDE 3.3.1 without any problems thanks to APT and Mr. Ogley's rpm packages. (Why do I always want to type pancakes when trying to type packages?). The process wasn't smooth as butter, there was some manual 'rpm -Uvh package', find the missing dependencies, thank god for google once more, and repeat. But if you're a little savvy and adventures, you can do it, too. You might want to make a backup of your system if you'd hate to lose anything valuable."

Comments (none posted)

Distribution reviews

Feather Linux: The Swiss Army Knife of LiveCDs (O'ReillyNet)

O'ReillyNet takes a look at Feather Linux. "To demonstrate how well Feather Linux works as a rescue CD, I'm going to pose a common administrative problem and demonstrate how to solve it with the LiveCD. Think of it like a MacGyver computer exercise, with a Feather CD as the Swiss Army knife. While doing this, we will practice the Unix Way, taking full advantage of its tools: bash, Perl, pipes, redirections, and the rest of the arcane Unix heritage."

Comments (2 posted)

gnuLinEx 2004 Launched (Linux Journal)

Linux Journal looks at gnuLinEx. "In August 2004, the new version of gnuLinEx, the operating system used by the government of the Autonomous Community of Extremadura, Spain, was released. This new release confirms that the regional government is determined to bet on free software."

Comments (3 posted)

Novell Linux Desktop reviewed: A New Linux Desktop for Enterprise Customers (LXer.com)

LXer.com has published a review of Novell's new Linux Desktop. "A tip of the hat to Novell for its commitment to open standards, Linux and its new business model. Many people should find your desktop a worthy entry into the market. You'll have some growing pains, but your product has excellent potential."

Comments (none posted)

Novell Linux Desktop 9: First Impressions (OrangeCrate.com)

OrangeCrate.com reviews Novell Linux Desktop 9. "NLD is distributed on three ISO CD images, and that represents roughly 3/5ths of the SUSE Linux 9.2 Professional edition. This means that many of the extra packages in the SUSE Linux Professional Edition are not available in NLD. This is not a bad thing however, for a business desktop doesn't need the extraneous packages that add servers, games and other things that don't add value for the business user."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Wired: a music production and creation system

The first official release (version 0.1) of Wired, a Linux-based audio and MIDI recording application, was announced this week.

Wired aims to be a professional music production and creation software running on the Linux operating system. It brings musicians a complete studio environment to compose and record music without requiring expensive hardware. Wired supports unlimited Audio/Midi tracks playback and recording, and introduces a Plugin system for instruments and effects. It can also read AKAI CDs and import 18 different Wave formats.

[Wired] Wired contrasts with Ardour, another multi-track audio recorder project that recommends the use of one of several expensive multi-track capable sound cards for best results. Also, Ardour does not include MIDI support, although it is a project goal. The Ardour project status has been stuck on the verge of the 1.0 release for a long time, we look forward to progress there.

The Wired features that have been implemented to date include:

  • Multi-track audio recording/playback.
  • Multi-track MIDI recording/playback.
  • Support for an unlimited number of Audio and MIDI tracks.
  • MIDI editing capabilities.
  • Sequencer capabilities.
  • Support for the ALSA and OSS audio drivers.
  • Preliminary support for the JACK Audio Connection Kit.
  • A plugin system that supports effects and sound sources.
  • Support for wav, Midi, and AKAI CD file formats.
  • Undo/Redo capability.
  • An online help system.
Features that are planned for future releases include:
  • A loop sampler with time-stretching capabilities.
  • A beatbox for creating drum sequences
  • A MIDI-controlled sampler.
  • High pass, low pass, and notch filters.
  • A compressor/limiter effect.
  • An audio delay effect.
Wired appears to use the window manager within a window approach for managing most of its GUI components. See the screenshots page for examples.

Wired has been released under the GNU General Public License (GPL), the source code is available for download here. Dependencies include GTK2, wxWidgets, PortAudio, SoundTouch, and libsndfile.

Comments (5 posted)

System Applications

Audio Projects

ALSA 1.0.7 released

Following several alpha releases, version 1.0.7 of the ALSA sound driver is stable and ready for download.

Comments (none posted)

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include new versions of Ecasound, Timemachine, the SWH LADSPA Plugins, and Lilypond.

Comments (none posted)

Database Software

Daffodil Software Open Sources replication tool (SourceForge)

Daffodil Software has released its Daffodil Replicator software under the GPL. "Daffodil Replicator will provide a unique option to users in certain respects. It supports heterogeneous databases including Oracle, DB2, SQL-Server, PostgreSQL, Derby and Daffodil DB. It is platform-independent by virtue of being built in Java, and supports bi-directional data replication. Now Open Source, it offers users the power to understand its architecture and code, and also modify it if required."

Comments (none posted)

phpPgAdmin 3.5 Released

Version 3.5 of phpPgAdmin has been announced. "A new major version of phpPgAdmin is now available. phpPgAdmin is a web-based administration tool for all 7.x and the new 8.0 version of PostgreSQL. Major emphasis on this release is in supporting all the new 8.0 features."

Comments (none posted)

PostgreSQL Weekly News

The November 9, 2004 edition of the PostgreSQL Weekly News is out with the week's PostgreSQL database news.

Full Story (comments: none)

PostgreSQL Weekly News

The November 15, 2004 edition of the PostgreSQL Weekly News is out with the week's collection of PostgreSQL database news.

Full Story (comments: none)

RSS Feeds from PostgreSQL with SRSSS

SRSSS is a new project that can connect an PostgreSQL database to an RSS feed, according to this announcement. "The Simple RSS Service (SRSSS) generates and serves RSS feeds through a common interface via CGI-enabled webservers. It uses modules to extract items for feeds from various sources, and has a virtual filesystem where feeds can be read by CGI-clients."

Comments (none posted)

Libraries

GLib 2.5.6 (unstable) released

Unstable version 2.5.6 of GLib, the low-level core library for GTK+ and GNOME, is out with several changes. Testing is in order.

Full Story (comments: none)

Mail Software

DSPAM 3.2.2 released

Version 3.2.2 of DSPAM, a server-side statistical anti-spam filter is out. Changes are mainly bug fixes, see the release notes for details.

Comments (none posted)

spamprobe 1.1x4 released (SourceForge)

Version 1.1x4 of spamprobe, a bayesian spam filter, has been announced. "This release adds the final missing pieces to the new parser code. MBX files and Content-Length headers are now supported. Database cleanup when signals are caught has also been improved. I would like to move 1.1 into the stable branch fairly soon so if folks would test out this release and report any problems it would be a big help!"

Comments (none posted)

Web Site Development

Analog 5.92beta1 is out

Version 5.92beta1 of Analog, a web server log file analyzer, has been released. Starting with this version, the project license has been changed to the GPL. Firebird and Firefox are now in the recognized browsers list, see the what's new document for more information.

Comments (none posted)

New mnoGoSearch releases

New versions of mnoGoSearch-php and mnoGoSearch-php-extension are available from the mnoGoSearch web site search engine project.

Comments (none posted)

Build Your Own Blogging Application, Part 2 (O'ReillyNet)

O'Reilly has published part two in Matthew Russell's series on blogging software. "In part one, Matthew Russell showed you how to build a front end for your blogging app using Tcl/Tk and some XHTML fundamentals. Here in part two, he uses two parts Perl and a sprinkle of Bash to explain how to build the back end."

Comments (none posted)

Desktop Applications

Audio Applications

New abcde version

Version 2.2.0 of abcde, a frontend to the cdparanoia CD ripper, is out. "It is a major release, with plenty of new features. See the changelog at www.hispalinux.es/~data/abcde.php".

Full Story (comments: none)

Ecasound 2.3.5 released

Version 2.3.5 of Ecasound, a multi-track audio processing utility, is out. Here are the changes: "Various Mac OS X specific build issues have been resolved. Minor changes have been made to the OSS soundcard support to avoid limitations of certain OSS drivers. Many minor updates have been made to user documentation and to build system scripts."

Full Story (comments: none)

Business Applications

Grace 0.1.1 Released (SourceForge)

Version 0.1.1 of the Grace Receipting System is out. "The Grace Receipting System allows non-profits to track their donors and contributions, and prints receipts and reports."

Comments (none posted)

SQL-Ledger Version 2.4.4

Version 2.4.4 of SQL-Ledger, a web-based accounting system, has been released. Changes include session control and cookie-based authentication, ship via search, bug fixes, and translation improvements.

Comments (none posted)

CAD

Nineteenth release of PythonCAD now available

Release 19 of PythonCAD, a Python-based CAD application, is out. "The nineteenth release of PythonCAD fixes a file saving bug found shortly after the eighteenth release was made public. The bug affected drawings that had text entities. A fix for this bug was found and tested by the bug reporter (thanks Ed Richley!) and confirmed to fix the problem."

Full Story (comments: none)

Data Visualization

Fl_2D_Gl_Contour 0.3 is out

A new release of Fl_2D_Gl_Contour and related widgets is available for FLTK. "Fl_2D_Gl_Contour, OpenGL based contour widget for Linux, it allow you to graph contour and color map of irregular data set, by now two-dimensional graphics are available but 3D graphis will be soon" See the developer's web site for more information.

Comments (none posted)

JGraphpad v5.1.0 Released (SourceForge)

Version 5.1.0 of JGraphpad, a graph component for Java, is out. "JGraphpad 5.1.0 fixes a number of minor bugs, corrects the default behaviour for various functionality and introduces several new features. Of note, the image export functionality is improved, GPUserObjects have a number of fixes and jumping to ports behaviour has been corrected."

Comments (none posted)

JUNG 1.5 released (SourceForge)

Version 1.5 of JUNG, the Java Universal Network/Graph Framework, is available. "The current distribution of JUNG includes implementations of a number of algorithms from graph theory, data mining, and social network analysis, such as routines for clustering, decomposition, optimization, random graph generation, statistical analysis, and calculation of network distances, flows, and importance measures (centrality, PageRank, HITS, etc.)."

Comments (none posted)

Desktop Environments

The Upcoming Changes of the Gnome Subsystem (GnomeDesktop)

GnomeDesktop reports that Anders Carlsson of Imendio outlines and explains the API changes that are coming with the Gnome 3.0 release in the future. "One of the most horrible parts of libgnome is GnomeProgram; the code that handles start-up and argument parsing for GNOME programs. This code also sets up the program to be more "integrated" with the rest of GNOME. For example, when your application segfaults you get this nice dialog allowing you to report a bug. When you have accessibility enabled, GnomeProgram calls the necessary hooks for that. All that is done by GnomeProgram."

Comments (1 posted)

GARNOME 2.9.1

Version 2.9.1 of Garnome, the leading-edge GNOME distribution, has been released. "This release incorporates the GNOME 2.9.1 Desktop & Developer Platform, as well the usual assortment of third-party updates to keep even the most seasoned developer frustrated beyond belief."

Full Story (comments: none)

KDE CVS-Digest (KDE.News)

The November 12, 2004 KDE CVS-Digest is online with the following content summary: "KJSEmbed QT events now work on Windows. Kdm adds themes. Media kioslave now can use HAL. Kate improves Java and Perl syntax highlighting. KWallet adds search, empty password support, and XML data import."

Comments (none posted)

Xfce 4.2 Release Candidate 1 is out

Release Candidate 1 of Xfce 4.2, a lightweight desktop environment, is available. "This first Release Candidate offers several new and awaited features in comparison with the previous 4.0 stable release, while continuing to be lightweight, including a brand new session manager, keyboard shortcut and desktop menu graphical editors, multihead support, "kiosk mode" support, a desktop menu plugin for the panel, CUPS and BSD-LPR printing support, and a new icon theme." See the Change Log file for more information.

Comments (none posted)

Desktop Publishing

Passepartout 0.6 released (GnomeDesktop)

Version 0.6 of Passepartout, a desktop publishing application for GNOME, has been announced. "Among the new features are PDF output (albeit with some limitations) and TrueType support. It also now uses FontConfig to find font files, an addition that should please and be a relief to users of previous versions."

Comments (none posted)

Writing "Learning PHP 5" (O'Reilly)

David Sklar describes the tools he used to write his latest book. "What are the tools and processes that I used to write Learning PHP 5? Each chapter (and appendix) is its own file, formatted with the Docbook Lite XML dialect. I used XEmacs to edit the files. XEmacs's xml-mode provides helpful assistance with well-formedness checking and context-sensitive tag insertion. It also works with XEmacs' font-lock mode to make tags, attributes, and other XML goodies appear in pretty colors for easier readability."

Comments (none posted)

Financial Applications

Grisbi (GnomeDesktop)

GnomeDesktop.org introduces the personal finance application Grisbi. "It's a cool financial/personnal accounting application written with Gnome and Gtk, and it is released under the GPL licence. It features budgeting, a Win32 port and GTK2 interface."

Comments (none posted)

Graphics

DiaCanvas2 0.14.2 is out

Version 0.14.2 of DiaCanvas2, a GTK+ 2 widget for working with diagrams, is available. This release features several bug fixes.

Full Story (comments: none)

GUI Packages

GTK+ 2.5.5 released

Unstable version 2.5.5 of the GTK+ GUI toolkit is available with numerous improvements and bug fixes.

Full Story (comments: none)

gtkmm 2.5.1 announced

Version 2.5.1 of gtkmm, a C++ interface to GTK+, has been released. "gtkmm 2.5 wraps new API in GTK+ 2.5, and is API/ABI-compatibile with gtkmm 2.4. The new API is unstable, until this become the API/ABI-stable gtkmm 2.6 when GTK+ 2.5 becomes the API-stable GTK+ 2.6."

Full Story (comments: none)

Imaging Applications

F-Spot 0.0.3 Released (GnomeDesktop)

Version 0.0.3 of F-Spot has been released. "After quite some time from the previous release, the Mono-based, Novell-sponsored, F-Spot, an image catalog/viewer application, reached version 0.0.3." See the changes document for details.

Comments (none posted)

Instant Messaging

Gaim 1.0.3 released (GnomeDesktop)

Version 1.0.3 of Gaim, an internet chat application, has been announced. "This is a bug-fix release."

Comments (none posted)

Multimedia

gst-python 0.8.0 announced

Stable version 0.8.0 of gst-python, a set of python bindings for the GStreamer streaming media framework, is out. "gst-python is a set of python bindings for GStreamer, it has a good coverage and is already used by several applications. The tarball contains minimalist examples, for example a video player and a command line based music player."

Full Story (comments: none)

News Readers

Liferea 0.6.2 has been announced

Version 0.6.2 of Liferea, the Linux Feed Reader, has been released. Changes include cookie support, security improvements, http authentication support, and bug fixes.

Full Story (comments: none)

Office Suites

ooo-build-1.3.6 announced

Build 1.3.6 of the ooo-build fork of OpenOffice.org is available. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to stock OO.o."

Full Story (comments: none)

Video Applications

Kino Tips: Installing from Scratch and Exporting MPEG Videos (Linux Journal)

Olexiy Tykhomyrov and Denys Tonkonog explain the process of building and installing Kino, a video editing application in an article on Linux Journal. "Kino is not a monolith program, but it does call some extra stuff and uses many libraries while running. A tree of the main dependencies is shown below in Figure 1. In order to compile Kino successfully, you have to install all the needed packages beforehand and compile them from source. Hopefully, the configuration script will help you determine the required software."

Comments (none posted)

Web Browsers

Epiphany 1.2.10 released

Stable version 1.2.10 of the Epiphany browser has been released. It fixes a tabbed browsing security vulnerability.

Full Story (comments: none)

Epiphany 1.4.5 released

Development version 1.4.5 of the Epiphany browser has been released. It fixes a tabbed browsing security vulnerability and includes many more changes.

Full Story (comments: none)

GNOME-Fx 1.0.0: "GNOME Firefox themes"

Version 1.0.0 of GNOME-Fx, the GNOME Firefox themes, has been released. "I finally got around updating the GNOME-Fx themes for Firefox 1.0. No big changes, just support for Firefox 1.0 The GNOME-Fx themes try to make Firefox look like a native GNOME application. Version 0.10.1 is a huge improvement because the themes use more native looking GTK widgets and also the help is GNOMEized."

Full Story (comments: none)

Miscellaneous

Browser Bookmarks Menu (Gnome Applet) 0.3

Version 0.3 of the GNOME Browser Bookmarks Menu applet is available. "Version 0.3 was supposed to focus on packaging and installation, but that turned out to be more complicated than I was expecting (and any help would be appreciated). So I went for features instead."

Full Story (comments: none)

Coaster 0.1.2 announced

Version 0.1.2 of Coaster, a CD burning application, is available. New features include undo/redo, icon themes and caching, and more.

Full Story (comments: none)

gperfmeter v2.0.25 released

Stable version v2.0.25 of gperfmeter, the GNOME performance meter, has been released. "This release is so that there is an official distribution tarball for the possible inclusion of gnome-perfmeter in the JDS release for Solaris 10."

Full Story (comments: none)

Languages and Tools

C

Inside memory management

Jonathan Bartlett discusses memory management on IBM developerWorks. "Get an overview of the memory management techniques that are available to Linux programmers, focusing on the C language but applicable to other languages as well. This article gives you the details of how memory management works, and then goes on to show how to manage memory manually, how to manage memory semi-manually using referencing counting or pooling, and how to manage memory automatically using garbage collection."

Comments (1 posted)

Caml

Caml Weekly News

The November 9-16, 2004 edition of the Caml Weekly News is out with the week's Caml language articles.

Full Story (comments: none)

Haskell

Haskell Communities and Activities Report

The November, 2004 edition of the Haskell Communities and Activities Report is available with Haskell language coverage. "The Haskell Communities and Activities Report was initiated at the 2001 Haskell workshop, as a status report of the Haskell community as a whole, to be updated twice a year. The purpose is twofold: (a) to establish what communities, people and projects are out there, working with or on Haskell, and what their areas of interest are; (b) to feed back summary information about ongoing activities in the diverse Haskell sub-communities and amongst Haskell users (commercial or otherwise) to the Haskell Community as a whole." Thanks to Shae Matijs Erisson.

Comments (none posted)

Java

SableVM 1.1.7 Released (SourceForge)

Version 1.1.7 of SableVM, a Java Virtual Machine, is available. "In this version, we added an experimental generational garbage collector, we imported a new GNU Classpath snapshot, we added handling of Jar/Zip files on boot classpath, we added user-friendly failure messages for bootstrap problems, we added added a profiling switch, we made sablevm-classpath install its files in standard locations, we made jikes and gcc be less verbose by default, and we made several important bugfixes and improvements."

Comments (none posted)

Extending Struts (O'ReillyNet)

Sunil Patil talks about extending struts on O'Reilly. "I have seen lot of projects where the developers implemented a proprietary MVC framework, not because they wanted to do something fundamentally different from Struts, but because they were not aware of how to extend Struts. You can get total control by developing your own MVC framework, but it also means you have to commit a lot of resources to it, something that may not be possible in projects with tight schedules."

Comments (none posted)

Memory Contention in J2EE Applications for Multiprocessor Platforms (O'Reilly)

Ramchandar Krishnamurthy and Deepak Goel look into multiprocessor J2EE memory contention issues on O'Reilly. "With the need for highly scalable J2EE applications in the enterprise environment, parallel processing of threads is required on multi-processor platforms. The memory requirements in the JVM heap for the processing of these threads and concurrent processing have caused to create performance and scalability bottlenecks in the deployment of these J2EE applications. This article explores the issue of synchronization of threads while accessing the memory within the JVM heap on a multi-processor platform for a J2EE application."

Comments (none posted)

ML

MLton 20041109 is out

Version 20041109 of MLton, the Standard ML compiler, is out. Changes include support for more platforms, MLBasis file support, dynamic libraries, new structures, and more.

Full Story (comments: none)

Perl

Perl 5.8.6 RC1 is out (use Perl)

Release Candidate 1 of Perl 5.8.6 is out. "This is a regular maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."

Comments (none posted)

Implementing Flood Control (O'Reilly)

Vladi Belperchinov-Shabanski uses perl to manage Flood Control in an O'Reilly article. "'Flood control' is a method of controlling the processing-rate of a stream of events. It can reject or postpone events until there are available resources (CPU, time, space, etc.) for them. Essentially the flood control restricts the number of events processed in a specific period of time."

Comments (none posted)

PHP

PHP Weekly Summary for November 15, 2004

The PHP Weekly Summary for November 15, 2004 is out. Topics include: BC, PostgreSQL and Boolean values, Upload progress meter cont, __get 'feature', php_fork, PDFlib versions, PDO meeting, Operator overloading, Date support, and Much ado.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The November 10, 2004 edition of Dr. Dobb's Python-URL! is online with another batch of Python article links.

Full Story (comments: none)

urwid 0.8.3 released

Version 0.8.3 of uruwid, a curses-based UI/widget library for Python, is available. Changes include support for CJK double-byte encodings, a word wrapping mode, support for regular and double width characters, and more.

Full Story (comments: none)

gnome-python 2.6.1 announced

Version 2.6.1 of gnome-python, the Python language wrappers for the GNOME APIs, is out. Changes include performance improvements, bug fixes, and more.

Full Story (comments: none)

Python 3D Software Collection

Mike C Fletcher has assembled the Python 3D Software Collection, "A small collection (51 packages) of pointers to Python software for working in three dimensions"

Comments (none posted)

PYRO: Python Robotics

Version 3.4.1 of the Python Robotics project is out. "Pyro is a library, environment, graphical user interface, and low-level drivers to explore AI and robotics using the Python language." Support has been added for the Sony Aibo robot, see the What's New document for release information.

Comments (none posted)

Ruby

One Man’s Journey of Dependency-Injected Discovery (Ruby Garden)

Jamis Buck describes the evolution of the Coopland project into Poseidon, and Ruby dependency injection issues in an article on the Ruby Garden.

Comments (none posted)

S

RPy 0.4.0 released

Version 0.4.0 of RPy is out. "RPy is a very simple, yet robust, Python interface to the R Programming Language. It can manage all kinds of R objects and can execute arbitrary R functions (including the graphic functions). All errors from the R language are converted to Python exceptions. Any module installed for the R system can be used from within Python." See the News page for release details.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 15, 2004 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk article links.

Full Story (comments: none)

UML

Gaphor 0.7.0 announced

Version 0.7.0 of Gaphor, a Python-based UML modeling environment, is out. New features include an XMI export plugin, item alignment, an undo mechanism, copy/paste operation, and more.

Full Story (comments: none)

XML

Ali 0.4 was released

Version 0.4 of Ali is out with new UTF-8 support. "Ali is a simple to use C API to parse XML data. It's scanf like approach is much easier than using SAX or DOM. A tutorial, complete reference documentation, and code examples in the download are all provided. Ali is pronounced like "Alley""

Comments (none posted)

Announcing csv2xml version 0.5 (SourceForge)

Version 0.5 of csv2xml, a csv to xml converter, is out. "Version 0.5 has just been released, it is reccomended that people do not use versions earlier than 0.5 as it fixes a memory leak. The new version provides command line options for greater flexibility. Allowing the user to customise the xml output format, depending on users needs."

Comments (none posted)

Introduction to XML Events (IBM developerWorks)

Micah Dubinko introduces XML Events on IBM developerWorks. "A number of markup technologies involve attaching behaviors to specific parts of a document. XML Events is a W3C Recommendation that allows declarative attachment of a behavior -- which can be a predefined bundle of actions defined in XML or a more general call to a scripting language -- to a specific element. This article gives an overview of how XML Events came about, what it's useful for, and how it works."

Comments (none posted)

XML, the Web, and Beyond (O'Reilly)

Edd Dumbill covers developments in the XML world in his O'Reilly column. "Welcome to this week's column, in which I'm excited to be able to tell you about changes in prospect for next year's XML Europe conference, and report on a discussion about when multiple schemas for XML documents should be used."

Comments (none posted)

Build Tools

Got Project Automation? (O'ReillyNet)

Mike Clark presents an overview of project automation techniques on O'Reilly. "In his new book, Pragmatic Project Automation, Mike Clark gives you soup-to-nuts recipes for automating your software project: creating one-step builds with Ant, scheduling continuous builds with CruiseControl, generating software releases at the push of a button, installing and deploying applications with ease, and monitoring builds and running programs via email, RSS, your cell phone, and, yes, even lava lamps."

Comments (none posted)

Cross Assemblers

An MPLAB plugin for gputils

The gputils project (GNU Pic Utilities) has announced a new plugin that supports the Microchip mplab Universal Device Programmer.

Comments (none posted)

Debuggers

Emacs Mode for GDB (Linux Journal)

Nick Roberts introduces the Emacs interface to the GDB debugger. "Graphical front ends are available for GDB, including Insight, but they require a separate editor. Until now, Emacs used a mode that originally was written by Eric Raymond in 1992. This comprised of the GUD buffer, where GDB commands were entered as though on the command line, and the source buffer, where a arrow string ("=>") pointed to the current line of program execution. In this article, I describe a new mode, which I call GDB-UI, that is a part of the next release of Emacs (21.4) and offers the GUI features of many modern debuggers. The advantage of this mode over the other debuggers is the powerful features of Emacs are available for tasks such as editing and searching to provide a truly integrated development environment."

Comments (none posted)

IDEs

Wing IDE 2.0 announced

Version 2.0 of Wing, an IDE for Python, is available. "New features in Wing IDE 2.0 include a completely redesigned customizable user interface, call tips, syntax error indicators, editor tabs and splits, multi-file wildcard and regular expression searching, integrated documentation and tutorial, a German localization, and Unicode support."

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Factory of the Future? (Newsweek)

Newsweek has published a look at Nathan Myhrvold's patent shakedown startup. "Sources familiar with Myhrvold's strategy say that he has raised $350 million from some of the largest companies in high tech: Microsoft, Intel, Sony, Nokia and Apple. Google and eBay also recently invested. With this large bankroll, the company is out buying existing patents in droves. (Myhrvold won't comment on these activities, but sources say he has already purchased about 1,000 patents.) The strategy is to set up a sort of patent marketplace. Patent owners get money upfront for the dusty ideas sitting on their shelves, the investors get the rights to use the ideas without being sued and Myhrvold gets to rent those same ideas to other companies that need them to continue creating products."

Comments (25 posted)

Dear IE, I'm leaving you for good (ZDNet)

A ZDNet columnist breaks up with his browser. "With Mozilla Firefox, at least I know where I stand. The code is open source, built from the ground up, clean--not recycled. No more hidden agendas. At least when there's a flaw in Firefox, this browser alerts me on its toolbar. It doesn't try to hide its mistakes, waiting until the second Tuesday of the month to offer me a patch for some flaw that's been out there for six months already."

Comments (26 posted)

Prelude to MS-Linux (CBS)

CBS MarketWatch is carrying a Dvorak column on Microsoft's investment in Vintela. "When these two purchases are analyzed along with other recent Microsoft actions, you have to conclude that it is about to bring out a version of Linux under its own brand name. I suspect it will simply be termed Microsoft Linux or MS-Linux."

Comments (18 posted)

The SCO Problem

Fact and fiction in the Microsoft-SCO relationship (News.com)

News.com has posted a lengthy article claiming to lay down the truth behind Microsoft's involvement in the SCO case. There is some decent research there, but some things are missing: the name "Mike Anderer" never appears, for example. "But it was Microsoft that helped ensure that SCO could mount the fight, by providing major financial help at least twice in 2003. (SCO's finances are currently being tallied for the quarter ended Oct. 31, with the results to be reported in late December.) Though it doesn't appear that Microsoft was in the driver's seat when it came to SCO's legal attack on Linux, Microsoft's financial assistance was unusual and crucial."

Comments (2 posted)

Companies

CollabNet: Bringing open source to the rest of us (Silicon.com)

Silicon.com covers CollabNet. "Five-year-old CollabNet doesn't feel ashamed to get more deeply involved in open source than just providing the tools for development. When it saw the need for an open-source version control tool to succeed the industry standard CVS (Concurrent Versions System), it spearheaded the creation of the Subversion project by hiring four employees to get the process started and build a community around it."

Comments (none posted)

Red Hat opens office in China (News.com)

Red Hat has opened a new office in China, according to this article on ZDNet. "The company said it will work with industry partners such as Hewlett-Packard, IBM, Intel and Oracle, as well as with Chinese business partners, to serve the rapidly growing Chinese software market. Red Hat's office will be located in the nation's capital, Beijing."

Comments (none posted)

Sun deputizes Versora for Microsoft attack (the Register)

The Register reports that Sun will be working with Versora in an effort to move customers off of Microsoft web servers. "Versora, a small company based in Santa Barbara, California, is the newest member of Sun's iForce partner program. The firm makes products that automatically move code from Windows IIS servers to Apache servers. Sun will be looking to shift customers onto both Apache and its own Java System Web Server."

Comments (1 posted)

Sun to set Solaris free, after a fashion (News.com)

News.com sees Open Solaris as Sun's attack on Red Hat. "The pricing strategy, to be announced at a quarterly product launch event in San Jose, Calif., is the first half of an ambitious effort to retrieve relevance that Solaris lost to Linux. The second half will arrive in 60 to 90 days as Sun releases the source code of Solaris under an open-source license, Loiacono said."

Comments (6 posted)

Business

Firefox fortune hunters (News.com)

News.com looks at businesses built around Mozilla. "One result of these and other efforts is that Mozilla developers who cut their teeth as volunteers are now finding paid work in the Mozilla-based marketplace--a trend reflected in the open-source ecosystem as a whole."

Comments (none posted)

Linux Adoption

Norway reports additional benefits from move to Linux (Desktop Linux)

Desktop Linux looks at Linux adoption in Norway. "In the midst of a migration to Linux, the city of Bergen, Norway has reportedly expanded its estimates of the cost savings and other benefits it expects to achieve in switching from Microsoft Windows technologies. In a report at ZDNet published last week, Bergen CTO Ole-Bjorn Tuftedal says he expects to save 30 percent on hardware costs alone thanks to the efficiency of Linux -- this, in addition to cost savings associated with licensing fees and other economic benefits he had expected prior to testing open source for city-wide deployment."

Comments (none posted)

Venezuelan government institutions may adopt GNU/Linux (VHeadline.com)

VHeadline.com reports that Venezuela is looking at Linux. "Venezuela's National Assembly (AN) has started a debate on a bill to implement "free software" in government institutions ... the proposal was introduced October 21 by AN deputy Luis Tascon and urges the five independent branches of Government: Executive, Legislative, Judiciary, Moral and Electoral including all official entities to adopt free software as an exclusive working platform via the GNU/Linux operative system."

Comments (none posted)

Legal

Senate May Ram Copyright Bill (Wired)

Wired examines the latest silliness before the U.S. Congress. "The bill would also permit people to use technology to skip objectionable content -- like a gory or sexually explicit scene -- in films, a right that consumers already have. However, under the proposed law, skipping any commercials or promotional announcements would be prohibited. The proposed law also includes language from the Pirate Act (S2237), which would permit the Justice Department to file civil lawsuits against alleged copyright infringers."

Comments (14 posted)

Monopolies of the mind (Economist)

The Economist has run a leader on patent problems. "Europe has not, so far, made the same blunder, but the European Parliament is considering the easing of rules for innovations incorporated in software. This might have a similarly deleterious effect as business-method patents, because many of these have been simply the application of computers to long-established practices."

There is also a (subscribers only) article on fixing the patent system. "Later this month, the European Council of Ministers will discuss draft legislation on harmonising policy on computer-implemented innovations. Many small software companies in Europe, as well as 'open-source' software developers that make non-proprietary software, oppose the initiative. They fear that it is a first step towards adopting controversial software patents, already awarded in America, which could block different implementations of the same features. Were further proof needed that this may not be an entirely positive development, look no further than the mighty software monopolist, Microsoft, whose chairman, Bill Gates, has called on employees to increase the number of patents that the company files."

Comments (2 posted)

MS and Indemnification (Groklaw)

Groklaw has taken a detailed look at Microsoft's indemnification offer. "Refund the full amount they paid for the software? How can you resist a generous offer like that? Maybe we need to look at the fine print here."

Comments (16 posted)

Interviews

Interview: OSDL chief Stuart Cohen - Part 2 (vnunet)

Vnunet is running part two of an interview with OSDL's Stuart Cohen: "There are people who think Linux is going to run Microsoft into the ground. I don't believe it for a minute. It's too smart, too well managed, too well run. [But] it'll listen to its customers. When it gets to some market share number, or some customer sets, or some customer rating, then some [Windows] applications will run on Linux. It'll try different things, probably in different geographies, to see what works."

Comments (none posted)

Novell CTO on hot Linux apps and closing gaps (Enterpriselinux)

Enterpriselinux interviews Novell CTO Alan Nugent. "Some corporate IT pros say they have a hard time finding the applications that they need for Linux. Do you think this is still valid, or do they just need to do more research?"

"Nugent: I think it is still valid in some areas. If I am at a Fortune 500 insurance company, I can't find a great claims management system that runs on Linux just yet. But, if I am in the electrical CAD business or mechanical CAD business, I can. So, it depends on the market. A year ago, that question would have been valid for a much broader segment of the market. They really couldn't find applications that would run on Linux; but it is getting better every day. Companies can now begin to use Linux much more broadly than for Web servers or firewalls. We work with dozens and dozens of companies which have either completed ports or are in the process of doing ports to Linux. Many of them are household names."

Comments (none posted)

Interview with NVIDIA Engineers (LinuxQuestions)

LinuxQuestions.org interviews some unnamed NVIDIA engineers. "Demand has continues to grow for high quality Linux drivers with each new generation of GPUs. Around 15-20% of our workstation users ship with Linux. Some industries in the workstation business are 100% Linux. We have users using our Linux OpenGL drivers for things like designing automobiles, operating medical equipment, broadcasting television, and creating the latest special effects in movies."

Comments (24 posted)

Interview with Red Hat Vice President of Open Source Affairs Michael Tiemann (LinuxQuestions.org)

LinuxQuestions.org talks with Michael Tiemann. "As a Linux distribution, Fedora shines, pure and simple. But it's hard not to: the work that the GNOME team, the Open Office team, the Evolution team, the Firefox team, the kernel team, I could go on..., are doing is simply amazing. And the Fedora community is blessed with a large number of people seriously committed to making it great. I think that Fedora does a fantastic job of showing people "the best of what works today in 100% free and open source software". I think that Fedora is the perfect balance of leading edge technologies, yet robust enough that I can give my dad 4 CDs, he can install them, and then tell me "everything worked, as expected.""

Comments (none posted)

Resources

Securing Linux, Part 2: Planning the installation (IBM developerWorks)

IBM developerWorks helps build a secure Linux system. "The first step -- before inserting your distribution's CDs and launching the installer -- is to develop a security plan: determine what services the system will provide, which hardware will be used, what software is necessary, and how the installation will be organized. By making the effort to develop such a plan before the actual installation, lots of possible security issues can be identified and eliminated at a very early stage. This is beneficial as it helps to minimize the risk of a system intrusion or outage. Furthermore, it provides a sound basis for quickly reacting in case of attack or publication of software vulnerabilities and patches."

Comments (6 posted)

FreeBSD for Linux Users (O'Reilly)

Dru Lavigne presents part one of an O'Reilly introductory article on FreeBSD. "In today's article, I'll cover some of the big-picture differences from the perspective of a Linux user being introduced to FreeBSD. In Part 2, I'll discuss command equivalents between Linux and FreeBSD."

Comments (none posted)

Reviews

What's New in Fedora Core 3 SE Linux (Linux Journal)

Linux Journal examines Security Enhanced Linux in Fedora Core 3. "The default SE Linux policy in FC3 is the targeted policy. Two types of policies are offered--targeted and strict. Targeted policy is new in FC3. Under the targeted policy, only some of the more commonly used daemons run with SE Linux restricting what they can do. These daemons include named, httpd, dhcpd, portmap, squid, nscd, syslogd, snmpd and ntpd. These daemons run in their own domains; httpd, for instance, runs in the httpd_t domain."

Comments (none posted)

Miscellaneous

TiVo hacks flourish (ZDNet)

ZDNet looks at some of the interesting modifications that are being done to the Linux-based TiVo video recorders. "TiVo hacks available for download do everything from adding a Web interface to the TiVo unit, converting programs to DVD and other formats, altering TiVo native features, expanding the unit's hard drive, transferring files back and forth from the unit to the PC, and archiving shows at smaller file sizes. "TiVo is missing some tremendous opportunities," said Riley Cassel, a programmer who last year released a popular, unauthorized extension called MFS_FTP. "There's no technical reason you couldn't watch TV across the Net...Of course, the problem is that the same software can be used to broadcast HBO or Discovery HD, so Hollywood would go nuts.""

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

An open letter to the NIH (Bioinformatics.Org)

Bioinformatics.Org has posted an open letter to the US National Institutes of Health (NIH) regarding the freedom of scientific research materials and related software issues. "We also wish to take this opportunity to address some related problems with the current publishing model. First, there is often no requirement for the availability of the software used in bioinformatics and related research for results to be published, thus preventing the necessary condition of reproducibility. Not only should the software be available in binary form, but one should also be able to obtain and/or inspect the source code of that software to ensure the accuracy of the results. It is too often the case that a non-public entity has conducted an experiment with its own, proprietary software, making it impossible to independently verify the results."

Comments (1 posted)

Commercial announcements

Absoft Announces New Cluster Builder's Kit

Absoft Corporation has announced version 2.0 of its Cluster Builder's Kit. "Absoft Corporation has announced a new Cluster Builder's Kit version 2.0 which replaces its Beowulf Tool Kit v1.0. The Cluster Builder's Kit (CBK) is used in conjunction with Absoft high performance compilers and debugging solutions and is designed to facilitate building and setting up cluster systems."

Comments (none posted)

BEA Announces Open-Source Milestones for Apache Beehive

BEA Systems, Inc. has announced milestones in the company's open-source efforts including code release milestones, updated tools and additional platform support for Apache Beehive. They'll be showcasing Apache Beehive at ApacheCon.

Comments (none posted)

Conectiva, Mandrakesoft, Progeny, and Turbolinux form consortium

Four distributors - Conectiva, Mandrakesoft, Progeny, and Turbolinux - have announced a project to build a common core distribution compliant with LSB 2.0. The newly-formed Linux Core Consortium plans to put out a release every 18 to 24 months. Click below for the press release, or see the LCC FAQ for more information, including an answer to the obvious "isn't this just another UnitedLinux?" question.

Full Story (comments: 6)

HP Drives Mainstream Adoption of Open Source Software with JBoss Deal

HP has announced an agreement with JBoss, Inc. to provide a single point of contact for JBoss support, as well as a full range of consulting services.

Comments (none posted)

McObject and MontaVista announce eXtremeDB

McObject and MontaVista Software Inc. have announced the release of eXtremeDB, an in-memory embedded database.

Full Story (comments: none)

ReelTime to Deploy Linux Operating Systems

Reeltime Rentals, Inc, a video rental outfit, has announced that it will be using Linux on its IRDS video rental servers. "According to Alex Stanczyk, CEO of Reeltime Rentals, "Using Linux as the OS on our IRDS Servers is a very exciting step for the company. Due to the robust nature of the platform coupled with its security and uptime, ReelTime will be able keep its cost infrastructure extremely low allowing the Company to greatly increase its profitability."

Comments (none posted)

Terra Soft announces new PowerPC clusters

Terra Soft Solutions, Inc has announced its new IBM PowerPC 970-based clusters.

Full Story (comments: none)

Slashmail.org announces improvements

UCE Bee has announced improvements to it's email service, Slashmail.org. "Slashmail.org is powered by Open Source technologies. Riding the wave of creativity and grassroots genius inherent with the Open Source software model, Slashmail.org is committed to supporting a simple business model: For a nominal annual charge, Slashmail.org will provide a clutter-free email service that allows you to focus on the task at hand: "personal and private communications"."

Full Story (comments: none)

Voyager Capital Becomes the First Venture Firm to Join the Open Source Development Labs

The Open Source Development Labs has announced that Voyager Capital, a Pacific Northwest information technology venture firm has become the latest member of OSDL. "Voyager will bring its network of important business contacts, its insights into developments of both software and hardware technologies, and aid in the expansion of OSDL's member consortium."

Comments (1 posted)

New Books

"Gaming Hacks" Released by O'Reilly

O'Reilly has published the book Gaming Hacks by Simon Carless.

Full Story (comments: none)

"Inside the Spam Cartel" Released by Syngress Publishing

Syngress Publishing has published the book Inside the Spam Cartel by Stu Sjouwerman and others.

Full Story (comments: none)

"Java Network Programming, Third Edition" Released by O'Reilly

O'Reilly has published the book Java Network Programming, Third Edition by Elliotte Rusty Harold.

Full Story (comments: none)

Building Applications with the Linux Standard Base

IBM Press has published the book Building Applications with the Linux Stanndard Base by the Linux Standard Base Team.

Full Story (comments: none)

"SELinux" Released by O'Reilly

O'Reilly has published the book SELinux by Bill McCarty.

Full Story (comments: none)

"Smart Home Hacks" Released by O"Reilly

O'Reilly has published the book Smart Home Hacks by Gordon Meyer.

Full Story (comments: none)

SpamAssassin : A Practical guide to Configuration, Customization and Integration

Packt Publishing has published the book SpamAssassin: A Practical guide to Configuration, Customization and Integration by Alistair McDonald.

Full Story (comments: none)

Resources

Is Open Source the new cell phone?

A survey by VA Software Corporation has revealed that while Open Source tools, technologies and techniques are used in a majority of enterprises, executive resistance to Open Source may be hindering greater adoption of Open Source development methods for internal software development.

Full Story (comments: 9)

The LDP Weekly News

The November 17, 2004 edition of the Linux Documentation Project Weekly News is online with the newest documentation releases.

Full Story (comments: none)

SSC Publishing to Launch TUX

SSC Publishing has announced the launch of a new monthly print and online publication, TUX, a magazine for new Linux users. The magazine will launch February 1, 2005.

Full Story (comments: 2)

Contests and Awards

KPDF Icon Contest Announces Winner (KDE.News)

KDE.News has announced the winner of the KPDF icon contest. ""But who won?" you might ask. Well the jury have given their scores, and it has become clear that Marco Martin has won the icon contest for another kpdf icon. Congratulations Marco!"

Comments (none posted)

Upcoming Events

GNOME Love Day (GnomeDesktop)

A new GNOME Love Day event has been announced. "Sunday, November 21st is a very special GNOME love day dedicated to spreading the love for Yelp, GNOME's own rocking help browser. Our friendly and experienced hackers will be on hand to help bring new developers up to speed."

Comments (none posted)

Bug squashing in Cambridge, November 27th to 28th

A Debian bug squashing event will be held in Cambridge, Mass on November 27 and 28, 2004.

Full Story (comments: 1)

JavaPolis 2004 announced

JavaPolis 2004 will be held in Antwerp, Belgium on December 13-17, 2004.

Full Story (comments: none)

PHP Quebec Call For Speakers

A call for speakers has gone out for the 2005 PHP Quebec conference. The event will take place in Montreal, Canada from March 30 - April 1, 2005.

Comments (none posted)

Computers, Freedom and Privacy Conference 2005 CFP

A Call for Proposals has gone out for the Computers, Freedom and Privacy Conference 2005. The event will take place in Seattle, WA on April 12-15, 2005.

Full Story (comments: none)

Events: November 18, 2004 - January 13, 2005

Date Event Location
November 18 - 19, 2004Large Installation System Administration Conference(LISA '04)(Atlanta Marriott Marquis)Atlanta, GA
November 18 - 19, 2004Forum PHP, ParisParis, France
November 25 - 26, 2004Le forum PHP 2004(FIAP Jean Monnet)Paris, France
November 29 - 30, 2004LinuxPro 2004(Hotel Gromada Airport Conference Center)Warsaw, Poland
December 1 - 3, 2004Australian Open Source Developers' Conference(Monash University)Melbourne, Australia
December 1 - 3, 2004Linux Bangalore 2004(Indian Institute of Science)Bangalore, India
December 4, 2004Lightweight Languages 2004(LL4)(MIT Stata Center)Boston, MA
December 5 - 18, 2004Ubuntu ConferenceMataró, Spain
December 13 - 17, 2004JavaPolis 2004(MetroPolis Antwerp)Antwerp, Belgium
December 27 - 29, 2004Chaos Communication Congress(21C3)(Berliner Congress Center)Berlin, Germany

Comments (none posted)

Mailing Lists

Zope 3 Users Mailing List

A new Zope 3 users' mailing list has been created: "on popular demand from a couple of people we have decided to create a new Zope 3 Users mailing list that will serve to answer your questions about Zope 3. The Zope 3 developers have made a commitment to answer your questions in a timely manner. We hope that this way the generic Zope and Zope3-Dev mailing list will be disburdened from user-related questions."

Full Story (comments: none)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

Celebrate Mozilla Firefox 1.0 with mozparty2 (MozillaZine)

A series of international mozparty2 events have been announced: "aeneas wrote in to remind us about mozparty2, a network of parties taking place around the globe to celebrate the release of Mozilla Firefox 1.0. At the time of writing, 372 parties are planned, with most taking place next weekend (19th-21st November)"

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

How Microsoft can improve Internet Explorer

From:  Leon Brooks <leon-olc-AT-cyberknights.com.au>
To:  edit-AT-zdnet.com.au
Subject:  How Microsoft can improve Internet Explorer
Date:  Mon, 15 Nov 2004 13:28:40 +0800
Cc:  letters-AT-lwn.net

> If ZDNet Australia readers have suggestions for features they would like
> to see in IE, either use the talkback below or e-mail the edit team. We
> will pass your messages on to both Ben English and Steve Vamos.
 
Can't see Ben & Steve liking this, but it's a kind of litmus test to see
whether MS really do listen to their customers, or whether their primary
focus is the same as Bill's - maximising control and so profit.
 
I for one would be delighted to see two things done for MS-WindowsUpdate, one
of them an MS-IE feature, but the important bit is the reasons for wanting
them:
 
 * A true divorce from MS-IE; ie, you can run MS-WU successfully after
   installing an alternate file manager and removing all of the
   MS-IE-related DLLs from the system; I don't really care whether
   this is done by running it through another browser or as a separate
   program; and
 
 * Never install any derivative of MS-Outlook or the "OnLine Services"
   group during an update again. Keep the MS-OL updates separate and
   only install them if MS-OL is already installed.
 
This should all be accessible at a "retail" point-and-click level. It should
be a genuine choice for Joe Half-a-clue Home User.
 
Why do I ask for these things? Because an MS-Windows system behind a
firewall is still regularly made vulnerable through - in order of
frequency - MS-OL, MS-IE and MS-Office.
 
I can remote-update one or *all* of my remote Linux installations both server
and desktop rapidly and securely from where I sit in a matter of seconds, and
rarely need to touch them more often than annually. I don't see why this
can't be true for MS-Windows.
 
There is no technical reason why MS-OL needs to be there, and no technical
reason for MS-WU to be MS-IE only either. You could bounce *any* browser
through an internal/local DLL which pre-informs the browser of exactly what
you have installed then redirects it through to the MS-WU page to select and
download appropriate updates on-line using perfectly ordinary W3C-compliant
forms and check-boxes. And any browser down to and including Lynx.
 
Consistently naming the update files date-time-serial-description.exe (e.g.
"20041116_1214_KB823980_Fix_XP_buffer_overflow.exe") would also allow even a
reasonably clueless user to click through the list in the correct order no
matter how they arrived (direct, via an intranet file server or on a CD).
 
Have MS considerd using something like URPMI or apt-get? RPM automagically
sorts out the most recent versions of whatever packages it's got to hand, and
combined with something like URPMI or yum will also discover and fetch any
needed dependencies automatically or on demand. Apt-get does the same thing
with Debian packages. You can even upgrade your entire system over the 'net
(think of going MS-Win-2k to MS-Win-XP a piece at a time) and usually with
only a few seconds' interruption to each service on the way.
 
There's nothing really to stop you from using RPM with MS-Windows, all of the
prerequisites run both natively and under CygWin and it'd be a damn sight
easier to deal with than the current arbitrary mess. URPMI is PERL, easy to
port, looks pretty enough.
 
    http://www.madpenguin.org/images/reviews/mdk10/installsw.png
    http://www.linuxbeta.com/slideshows/slideshow.php?release...
      (and click 94, 95 etc for a reasonably complete tour).
 
_Please_ eat a small serve of crow and learn about the methods that already
work for your Open Source "competitors", so the dwindling MS-Windows sector
of my customer base don't go on chewing up so much of my time and hair.
 
Finally, do have a shot at using FireFox. Hammer it, see how it goes on the
riskiest of web sites. Add this and you can even pretend to still be using
MSIE 6 on XP to do it:
 
    http://extensionroom.mozdev.org/more-info/useragentswitcher
 
LWN might like to publish this for the record, if not I'll post an HTMLized
copy on my website amongst the random downloads available there:
 
    http://cyberknights.com.au/downloads.phtml
 
Cheers; Leon
Perth, West Oz.

Comments (2 posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds