LWN.net Weekly Edition for December 2, 2004

A look at Xfce 4.2

December 1, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

As a rule, the Linux desktop discussion is dominated by the two heavyweight desktop environments -- KDE and GNOME. The term "heavyweight" applies to the respective "market share" of those desktops as well as the resources required to run either desktop. Linux users who wish to utilize a slightly slimmer desktop environment, without compromising features, may find the Xfce desktop environment an attractive alternative. With the release of the Xfce 4.2 release candidate, we decided to take a look at Xfce and provide a rundown of some of its more interesting features.

As the Xfce website states, Xfce is "a lightweight desktop environment for unix-like operating systems." Xfce started out as a Common Desktop Environment (CDE) clone, but has evolved into a unique desktop environment that's much more interesting (at least to this writer) than CDE.

The site os-cillation has GUI installers for Xfce 4.2RC1. To the best of this writer's knowledge, Xfce is the first desktop with its own GUI installer. There are four installers available: the base Xfce installer, the Gtk+ engine for Xfce installer, the Xfce Goodies installer and an installer for the Terminal terminal emulator from os-cillation. We chose to go the "kitchen sink" route, and installed everything available. However, only the base package should be required to use Xfce.

Installing Xfce with the GUI installers is a breeze, at least as long as the target system has all of the software that Xfce requires to build. We built Xfce on two systems, a SUSE 9.2 system and an Ubuntu Linux system. The SUSE build went off without a hitch after installing the packages mentioned on the installer page.

The Ubuntu build failed a few times due to missing dependencies. This was easily fixed, though it was a minor annoyance having to apt-get the required libraries and re-start the install only to have it fail a few minutes later at a different point. At start time, the GUI installer identifies a few major components that are required to proceed, but doesn't display a comprehensive list of dependencies.

After the installation, it was time to exit the session in progress and log into Xfce. The first thing one will notice about Xfce is that it's much faster to load than KDE or GNOME. For users whose systems have processors faster than 2 GHz and an abundance of RAM, this won't be a huge incentive to use Xfce. However, Xfce is a bit snappier than GNOME or KDE, and a great choice for older systems with less horsepower.

Many Linux users have probably run across GNOME and KDE applications that are written in such a way that they require services from their native desktop environments to function. For users that depend on applications that require GNOME or KDE services, Xfce can be configured to run GNOME or KDE services when it starts. This will slow down Xfce start time, but it's a handy feature for anyone who needs specific applications that won't otherwise cooperate with Xfce. Xfce's session settings, by default, do not allow Xfce to manage remote X applications.

The Xfce panel is highly configurable. By default, it includes launchers for the Xfce help system, Xfce configuration settings, Mozilla browser, Mozilla mail, XMMS, the Xfce "fast file manager" (Xffm), a graphical pager, terminal launcher and buttons to log out or lock your X session. Users can add launchers, remove launchers, change the orientation of the panel from horizontal to vertical and so on. The pager also allows the user to move windows from one desktop to another simply by dragging the window's outline in the pager to a different desktop. The Xfce Goodies package includes several useful plugins for the panel, including CPU and network monitors, a "show desktop" plugin and several others.

Xfce's file manager, Xffm, is interesting, with quite a few handy features. Xffm includes an SMB network browser, a "Book" tree to allow users to bookmark frequently-visited directories, an fstab browser and a fairly useful find utility (Xfglob4). The Xffm components can also be invoked by themselves, so a user can call just the SMB browser by running xfsamba4 or browse only the bookmarked directories with xfbook4. Xffm also makes it easy to rename files, create symlinks and even "scramble" files. The Xffm interface seems a bit clunky, but this writer doesn't often use file managers anyway.

Xfce is modular, meaning that the user can choose to drop components from the desktop if they are unwanted. Don't want to run the Xfce panel? No problem. Want to skip the GTK Theme Engine? That's an option as well. Users may also run various Xfce components under other window managers / desktop environments, if they prefer.

Does the world need yet another terminal emulator? This writer prefers to just use the venerable xterm, but others want a little more from their terminal emulator. The version of Terminal available from os-cillation for Xfce is only at version 0.1.10, but it seems stable enough for everyday use. Terminal has a few features not available in xterm, such as tabs for multiple terminal instances and transparency or a user-defined background image. Xfce also includes an xterm-like terminal called xfterm4, which is the default Xfce terminal.

Some of Xfce's features are not immediately visible. For example, Xfce supports Freedesktop.org Window Manager hints, XDND (drag and drop protocol) and several others. Xfce can also be configured in "kiosk mode" where Xfce can be locked down to prevent users making changes to the configuration of Xfce.

Another feature that this writer is particularly fond of is the ability to switch desktops by using the mouse scrollwheel. Simply hover the mouse over an "empty" space on the desktop and scroll. This feature is available in KDE as well, but it seems to have appeared in Xfce first.

In short, Xfce 4.2 seems to be ready for prime time. We used the release candidate for several days with no problems to speak of. It's an excellent desktop environment for users who want a clean, fast and attractive desktop.

The Grumpy Editor's Guide to PDF Viewers

This article is part of the LWN Grumpy Editor series.
Your editor spends a lot of time dealing with PDF files. The proliferation of "profit through litigation" business models has not helped in this regard, but, even without the legal profession's contributions, much text of interest comes in the PDF format. As a result, a great deal of your editor's time is spent working in PDF viewers. PDF viewing hassles can rival the holiday season in their ability to make an editor grumpy. There is little to be done about the latter, so it seems like a good time to review the state of the art in free PDF viewers. Maybe, in that realm, something better can be found.

In theory, PDF viewers require little in the way of features. They should present the contents of a file in a quick and readable manner, allow navigation through the file, support printing of (parts of) a PDF file, etc. So it should not be that hard to get things right. One would think. In practice, your editor has found that the quality of the available PDF viewers varies significantly, both in terms of the interface they provide and how well they simply work.

There are two base platforms upon which PDF viewers are built. Some are front ends to the ghostscript utility. Ghostscript is a large, complex, and not entirely bug-free utility (it is also a crucial part of many Linux systems); its strengths and shortcomings will be reflected in any PDF viewers built on it. Most other viewers are built on xpdf. We'll start with the ghostscript-based viewers.

GNOME Ghostview (ggv)

The GNOME PDF viewer of long standing is ggv. Interestingly, this utility seems to lack a web site, though there is an online manual available which is only slightly out of date. The most recent ggv release was in September of 2004, as part of the GNOME 2.8 package. It is a ghostscript-based viewer.

The ggv screen includes a left-hand side bar which allows instant access to any page in the document. Pages can also be marked, either directly with a mouse click or with buttons which mark all pages, or just the even or odd ones.

There is an option which can be used to print only the pages which have been marked. The "print" button in the menu bar, however, just dumps the entire file into the print subsystem without providing any opportunity for the user to redirect the job or cancel the operation entirely. Your editor, who prefers to fire up his monster duplexing laser printer for the rare large print job, gets grumpy indeed at utilities which throw output at the little inkjet printer without even asking. One should not be able to dump hundreds of pages onto a printer with a single click.

ggv does not take a whole lot of clues from the document regarding its orientation; a file which looks to be in portrait mode, but which has pages that are wider than they are tall, can be presented (and printed!) in the wrong orientation. The window size is always whatever the user used the last time around, and does not react to the orientation of the document. It is possible to ask ggv to zoom the document to fit within the window it has (a nice feature), but doing so disables the manual zoom operations (which is not). The scrollwheel may be used to move within a single page, but it will not scroll between pages, making it mostly useless.

Every now and then your editor encounters a document which ggv is unable to render. With such documents, the usual result is a blank window, which is not particularly edifying.

The visual quality of ggv's output is good; it runs ghostscript in a high-quality, antialiased mode. There is a reasonable set of configuration options for a number of aspects of ggv's operation, including how it uses ghostscript. If it were not for occasional reliability problems and a number of user interface issues, it would be a contender for this editor's favor.

kghostview

The KDE contribution in the PDF viewer arena is kghostview, shipped as part of the kdegraphics package. Like ggv, kghostview uses ghostscript as a back end; as a result, it tends to fail on the same PDF files that confuse ggv. In many ways, kghostview comes across like ggv with a KDE look; it provides many of the same features. There are some differences, however.

Like ggv, kghostview provides a navigation bar on the left side; it also allows for the marking of pages. The kghostview version is different, however, in that it includes thumbnail images of each page. These thumbnails take space, making it more likely that the user will have to scroll the navigation bar. They are, however, very nice to have when one is looking for a specific page - the beginning of a section, say, or the end of an interminable table of contents. The thumbnails, alone, make kghostview a nicer tool to use than ggv.

kghostview has a friendlier interface for printing, allowing just about any behavior to be configured. Among other things, kghostview can do 2-up or 4-up printing, which can be useful for many documents. Printing can be restricted to marked pages. And, crucially, nothing is actually sent to the printer until the user has confirmed the operation.

Scrolling through the document with the scrollwheel is supported. If the user scrolls several pages, the application does the right thing - it does not take the time to render the pages in the middle. A single keystroke will fit the rendered document into the current window without disabling the regular zoom operations. If you are currently only viewing part of a page, you can drag a box around in a special thumbnail image to move to any part of that page.

In general, the interface provided by kghostview is as nice as any PDF viewer your editor has been able to find. It is clearly a tool which has received some serious thought - and use - by its developers.

xpdf

xpdf differs from the viewers we have seen thus far in that it is not based on ghostscript; instead, it contains its own PDF interpreter and rendering engine. A couple of the immediate consequences of that difference are (1) xpdf is rather faster than the ghostscript-based viewers, and (2) xpdf can often display documents which are not viewable with the other tools. In other words, xpdf is an important tool for those of us who end up working with PDF files often.

It is worth noting that, unlike the ghostscript-based viewers, xpdf (and others built on it) cannot handle PostScript files. That is a fundamental limitation, but, perhaps, also the source of xpdf's speed and robustness.

Compared to the GNOME and KDE viewers, xpdf is a minimalist tool. There are no menu bars, no fancy configuration widgets, and no navigation side bars. A small set of buttons at the bottom of the screen allows for movement through the file, including the ability to go to an absolute page number. A small menu gives a set of zoom options, including a couple of "fit to page" modes. Your editor notes that, when "fit to page" is enabled, the application responds poorly when its window is resized; it fails to skip intervening X resize events, and thus has to render the page numerous times. If you drag the corner of an xpdf window around for a few seconds, you can end up waiting for some time before it catches up.

The apparent simplicity of the xpdf interface hides a couple of vastly useful features. One of those is a "find in text" button, cleverly disguised as a pair of binoculars. If you have ever tried to find a particular string in a PDF file, this capability is priceless. Equally useful, if you are one of those strange people who writes articles about things found in PDF files, is the ability to cut and paste text from those files. Both of these functions silently fail if the file's text is in an image format - as is the case with many scanned legal documents. But, when they work, they are highly useful.

According to its web site, xpdf has the ability to work with encrypted PDF documents. Your editor, not having any such documents sitting around, was not able to try out that capability.

Navigation through PDF files is quick and straightforward, though it would be nice to have a side bar for going directly to pages. xpdf maintains a navigation history which can be useful for bouncing back and forth between specific pages. The scrollwheel works as one would expect. Printing support is minimal, but it has the features one really needs: the ability to print a (contiguous) subset of the file, and to specify which printer is to be used.

gpdf

gpdf is a GNOME-based PDF viewer built upon xpdf. As such, it shares the robustness and speed of xpdf. The gpdf developers, however, have added some new features of their own - and left others out.

gpdf provides a rather confusing toolbar at the top of the page. It is far from clear, for example, how the buttons marked "next" and "previous" differ from those marked "forward" and "back". There are two downward-pointing arrows; experimentation shows that one brings up a file history menu, while the other contains anything which doesn't fit in the toolbar at the current window width. There is a side bar in gpdf. It looks as if, someday, it is meant to contain page thumbnails, but, with gpdf 2.8.0, it renders pages as blank white rectangles with drop shadows. For whatever reason, it uses a two-column format, requiring the user to make the side bar very wide, or to do a bunch of horizontal scrolling.

gpdf uses the GNOME printing widget, so it provides a higher degree of control over printing than xpdf. It can put multiple PDF file pages onto each printed page. Better printing support is a definite improvement over xpdf.

On the other hand, gpdf lacks xpdf's scrollwheel support. It does not provide the "find in text" and "cut and paste" capabilities, which, it seems, are unique to xpdf. It is not clear why those features are missing; one might guess that gpdf forked the xpdf code base before they were added.

kpdf

The first impression one gets of kpdf is that it looks much like kghostview. It has essentially the same icon layout, and a very similar side bar with page thumbnails. kpdf, however, is an entirely different application, built on xpdf. Like gpdf, it seems to have left out many of the unique xpdf features.

kpdf is a relatively immature work. Its rendering is poor, by far the worst of any of the PDF viewers reviewed. Somehow, kpdf does not appear to understand font information well, leading to strange spacing between letters on both Fedora and Debian platforms. kpdf is speedy, however, and many of the important features are there.

It does appear that further work is being done with kpdf, at least if one goes by some screenshots linked to by KDE.News. The images suggest that the current development version supports multiple-page displays, string searches, and more. A future kpdf could well be the best PDF viewer of them all; the current version is too unfinished to be usable, however.

Concluding notes

This review has concerned itself with free PDF viewers. No review of this application space can really get away with ignoring Adobe Reader (acroread), however. This tool is certainly not free software, but there is a free-beer version available for x86 Linux systems. It is an old version; Adobe Reader 6 is not available for Linux. Even the older version, however, has its value. Occasionally a PDF file will come along that is so strange that no free viewer can cope with it. Acroread can be counted upon to work in such situations. It is, thus, one of exactly two proprietary programs on your editor's system.

Happily, free PDF viewers have come far enough along that having to fall back to acroread is a rare event.

The free PDF viewer state of the art has advanced in recent years, which is a good thing. This is an area where, for quite some time, the free alternatives lagged far behind. Now we have a wealth of viable programs to choose from. Too many, perhaps. Your editor might like it better if the development community would come together on, say, two viewers, and cooperate on making those two the best they can be. The history of these projects suggests that will not happen, however. There are two rendering engines (ghostscript and xpdf), multiplied by two desktop systems. Crossing those lines can be hard. We are likely to have a large set of actively-developed PDF viewers for some time yet.

Debian and the hot babe problem

This Intent To Package posting was guaranteed to raise a bit of a fuss. The program involved is hot-babe, a graphical CPU utilization monitor. It works by displaying a typical Bruno Bellamy drawing of a minimally-clad, maximally-endowed woman. As the CPU gets busier ("hotter"), the woman undresses to compensate. Your editor, whose journalistic ethics required that he investigate this utility, found it to be an amusing addition to the desktop - for about five minutes, or until the children walk in, whichever comes first.

The Debian developers raised the obvious, predictable objection to the inclusion of this utility: the associated images were covered by a non-free license.

Once that little issue was cleared up (the artist made the drawings available under the Artistic License), the way was cleared for the other predictable argument: should a utility seen by some as pornographic be part of the Debian distribution? On the face of it, there would appear to be little basis for keeping it out. The Debian standards for software require that it be free; there is nothing in the software guidelines or social contract about not being offensive to anybody.

There is no doubt that inclusion of hot-babe into Debian is asking for certain kinds of trouble. The imagery involved is no worse than that found on many European billboards, but it will go against many American "community standards" and is completely out of line by the standards of many other parts of the world. Including hot-babe in Debian will render the distribution unsafe for work environments in many places, will complicate the work of those trying to deploy it in libraries and schools, and will simply offend a certain number of the distribution's users.

Then again, the same could be said of fortunes-off, the King James Bible, or the Anarchist FAQ, all of which are already part of Debian. Some people are probably offended by fsck, Doom, or the emacs Zippy quotes file. Your editor, offended by illegible text, immediately and violently disables "color ls" on every system he installs. Creating an offense-free distribution can be a hard task even for companies which adopt that goal explicitly; it's pretty much impossible for a distribution which values freedom, and which has dedicated itself to becoming the biggest collection of free software around.

Unless the Debian Project changes its social contract to allow the exclusion of packages on moral grounds, tools like hot-babe will find a home there. Debian is, increasingly, the master repository for a family of distributions; it should probably be as inclusive as possible. Most of the distributions built on top of Debian, such as Linspire, Xandros, Skolelinux, LinEx, or Ubuntu, apply some discretion in the packages they select. They are unlikely to include tools like hot-babe, and, thus, may be considered safer versions to use in situations where somebody may get offended.

Well, OK, perhaps we can't be too sure with Ubuntu.

Linux developers and distributors clearly must be sensitive to the needs and feelings of their users. The needs that come first and foremost for Debian users are freedom and quality. Applying any other sort of filter to Debian would change that distribution in a fundamental way. The nice thing about Linux is that distributions can be made for a wide variety of audiences. A safe-for-schools version of Debian can be distributed without imposing additional standards on Debian itself. Linux can be configured to meet the tastes, morals, and standards of almost any group of users, without inflicting those standards on others. That is freedom at its best, and how it should be.

Except that your editor really would like to see color ls abolished everywhere.

Page editor: Jonathan Corbet

Security

A java vulnerability

December 1, 2004

This article was contributed by Jake Edge.

A vulnerability recently reported in Sun's Java browser plugin could provide the basis for one of the first cross-platform exploits. The vulnerability allows a malicious program to break out of the Java security sandbox and perform any action that the browser user has permission to do. That could include destructive filesystem changes, network access, sending email, etc. A user with a Java enabled browser would only need to visit a website that has been crafted to exploit this vulnerability and would fall victim to whatever the malware author intended.

The Java sandbox is intended to restrict Java applets so that they can only access certain approved packages in the Java virtual machine, packages that do not access anything outside of the sandbox. The exploit works by using JavaScript to acquire a reference to packages outside of the approved list and then passing that reference to an applet, subverting the sandbox. Disabling either JavaScript or the Java plugin in the browser will protect users until they can upgrade.

The vulnerability was discovered by Jouko Pynnonen in April, was fixed by Sun in October and was announced last week. Java plugin versions 1.4.2_04 and 1.4.2_05 (and presumably earlier versions as well) were found to be vulnerable on both Linux and Windows. Sun has released version 1.4.2_06 that fixes the problem. For a company that touts the security features of its Java technology, as Sun does, 5-6 months between discovery and a fix for a critical security hole seems overly long.
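The version numbers above are the only hard data a user or administrator has for deciding whether a given plugin needs replacing. The following is an added example written for this article, not code from Sun or from the advisory: a small JavaScript comparator that parses a Sun JRE version string of the form seen here (major.minor.micro_update, e.g. 1.4.2_05) and reports whether it predates 1.4.2_06, the release the text names as carrying the fix. The 1.4.2_06 threshold comes from the article; the assumptions that any release at or above it is fixed, that a string without an _NN suffix means update 0, and that a trailing build tag such as -b03 can be ignored are mine. The sample version strings are constructed for the demonstration.

```javascript
// Added example: compare Sun JRE version strings of the 1.4-era form
// "major.minor.micro_update" (e.g. "1.4.2_05") against the release the
// article names as fixed, 1.4.2_06.
// Assumptions (not from the article): a missing "_NN" suffix means
// update 0, a trailing build tag like "-b03" is ignored, and anything at
// or above FIXED_JRE is treated as fixed.
const FIXED_JRE = "1.4.2_06";

// Parse "1.4.2_05" -> [1, 4, 2, 5]. Returns null for anything that does
// not look like a version string, so callers can treat unknown as
// "cannot tell" rather than silently assuming safe.
function parseJreVersion(s) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?(?:-.*)?$/.exec(String(s).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)];
}

// Lexicographic comparison of two parsed version tuples: -1, 0 or 1.
function compareJreVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the reported JRE predates the fix, false when it is at or
// above it, null when the string could not be parsed.
function isVulnerableJre(versionString) {
  const v = parseJreVersion(versionString);
  if (v === null) return null;
  return compareJreVersions(v, parseJreVersion(FIXED_JRE)) < 0;
}

// Constructed sample: strings as an applet's System.getProperty("java.version")
// or a browser plugin list might report them.
const SAMPLE_VERSIONS = [
  "1.4.2_04", "1.4.2_05", "1.4.2_06", "1.4.2", "1.4.1_02", "1.4.2_07-b03", "garbage",
];

// Tag each sample with its verdict; null verdicts need a manual look.
function classify(versions) {
  return versions.map((v) => ({ version: v, vulnerable: isVulnerableJre(v) }));
}

console.log(classify(SAMPLE_VERSIONS));
```

The point of returning null rather than false for an unparseable string is that an inventory script which cannot read a version should flag the host, not quietly count it as patched.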

This vulnerability is very different from others we have seen because it exploits a problem in a technology that is specifically focused on cross-platform support. The same Java Runtime Environment (JRE) code base runs on most modern operating systems and underlies the Java support in most browsers. A significant security breakdown in the JRE affects the vast majority of Java enabled browsers in the world, including Firefox, Mozilla, and Internet Explorer. According to this posting on the Full Disclosure mailing list, Opera allows access to the restricted packages in the default security configuration and no exploit is needed to subvert the sandbox.

There are additional concerns for Netscape and IE users because applets can request particular versions of the plugin and, if that version is still installed, the browser will use it. In some cases, if the version is not installed, the user will be prompted to download and install it. This could allow a malware author to ensure that his code is running on a vulnerable JRE.

Due to Sun licensing constraints, free and open source browsers and operating systems cannot bundle the JRE and cannot do an automatic security update of the JRE. Proprietary OS and browser vendors are in the same boat unless they have licensed the JRE from Sun. The end result is that most users will need to get the updated JRE from Sun directly. As many users are not particularly diligent about seeking out security upgrades, this could leave a significant number of systems unpatched and provide an opportunity for some kind of malware to exploit this hole.

Brief items

SCO.com defaced

Somebody managed to deface SCO's web site (running on Apache and Linux, incidentally) over the weekend. For those who have to see it, images have been posted at Netcraft and The Inquirer. This crack may be good for a quick smile, but attacks of this nature are not the way to defeat SCO. Look for the inevitable "see how Linux users behave" press release in the near future.

New vulnerabilities

a2ps: input validation error

Package(s): a2ps
CVE #(s): CAN-2004-1170 CAN-2004-1377
Created: November 26, 2004
Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

nfs-utils: denial of service

Package(s): nfs-utils
CVE #(s): CAN-2004-1014
Created: December 1, 2004
Updated: May 15, 2005
Description: The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Alerts:
Fedora-Legacy FLSA:152871 2005-05-12
Red Hat RHSA-2004:583-01 2004-12-20
Gentoo 200412-08 2004-12-14
Trustix TSLSA-2004-0065 2004-01-09
Debian DSA-606-1 2004-12-08
Mandrake MDKSA-2004:146 2004-12-06
Ubuntu USN-36-1 2004-12-01

Open DC Hub: remote code execution

Package(s): opendchub
CVE #(s): none
Created: November 29, 2004
Updated: December 1, 2004
Description: Donato Ferrante discovered a buffer overflow vulnerability in the RedirectAll command of the Open DC Hub. Upon exploitation, a remote user with administrative privileges can execute arbitrary code on the system running the Open DC Hub. See this advisory.
Alerts:
Gentoo 200411-37 2004-11-28

phpbb: input sanitizing

Package(s): phpbb
CVE #(s): none
Created: December 1, 2004
Updated: December 1, 2004
Description: phpBB fails to sanitize input properly; this vulnerability may be exploited by a remote attacker to execute arbitrary code. Version 2.0.11 contains the fix.
Alerts:
Gentoo 200411-32 2004-11-24

phpMyAdmin: cross-site scripting

Package(s): phpMyAdmin
CVE #(s): CAN-2004-1055
Created: November 29, 2004
Updated: December 1, 2004
Description: Cedric Cochin has discovered multiple cross-site scripting vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited through the PmaAbsoluteUri parameter, the zero_rows parameter in read_dump.php, the confirm form, or an error message generated by the internal phpMyAdmin parser. By sending a specially-crafted request, an attacker can inject and execute malicious script code, potentially compromising the victim's browser.
Alerts:
Gentoo 200411-36 2004-11-27

phpWebSite: HTTP response splitting

Package(s): phpWebSite
CVE #(s): none
Created: November 26, 2004
Updated: December 1, 2004
Description: phpWebSite is vulnerable to HTTP response splitting attacks. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks.
Alerts:
Gentoo 200411-35:02 2004-11-26

sun-jre: Java plugin vulnerability

Package(s): sun-jre
CVE #(s): CAN-2004-1029
Created: November 26, 2004
Updated: December 1, 2004
Description: Jouko Pynnonen reported a vulnerability in the plugin mechanism which allows remote attackers to bypass the Java sandbox through the use of javascript.
Alerts:
Gentoo 200411-38 2004-11-29
Conectiva CLA-2004:900 2004-11-26

TWiki: input sanitizing

Package(s): twiki
CVE #(s): CAN-2004-1037
Created: December 1, 2004
Updated: December 1, 2004
Description: The TWiki search function does not properly sanitize input, enabling a remote attacker to execute arbitrary commands.
Alerts:
Gentoo 200411-33 2004-11-24

yardradius: buffer overflow

Package(s): yardradius
CVE #(s): CAN-2004-0987
Created: November 26, 2004
Updated: December 1, 2004
Description: Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root.
Alerts:
Debian DSA-598-1 2004-11-25

Updated vulnerabilities

apache: arbitrary code execution

Package(s): apache
CVE #(s): CAN-2004-0940
Created: October 29, 2004
Updated: December 14, 2004
Description: According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error.
Alerts:
Red Hat RHSA-2004:600-01 2004-12-13
Mandrake MDKSA-2004:134 2004-11-15
Debian DSA-594-1 2004-11-17
Trustix TSLSA-2004-0056 2004-11-05
Gentoo 200411-03 2004-11-02
Slackware SSA:2004-305-01 2004-11-01
OpenPKG OpenPKG-SA-2004.047 2004-10-29

apache2: denial of service

Package(s): apache
CVE #(s): CAN-2004-0942
Created: November 10, 2004
Updated: November 26, 2004
Description: Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth.
Alerts:
Trustix TSLSA-2004-0061 2004-11-19
Mandrake MDKSA-2004:135 2004-11-15
Red Hat RHSA-2004:562-01 2004-11-12
Fedora FEDORA-2004-421 2004-11-12
Fedora FEDORA-2004-420 2004-11-12
Ubuntu USN-23-1 2004-11-11
Gentoo 200411-18 2004-11-10

aspell: bounds checking problem

Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)

BNC: Buffer overflow vulnerability

Package(s):bnc CVE #(s):
Created:November 16, 2004 Updated:December 1, 2004
Description: Leon Juranic discovered that BNC fails to do proper bounds checking when checking server responses. An attacker could exploit this to cause a denial of service and potentially execute arbitrary code with the permissions of the user running BNC.
Alerts:
Debian DSA-595-1 2004-11-24
Gentoo 200411-24 2004-11-16

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)
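
The cdrecord entry above describes the classic failure: a setuid-root program exec's a user-specified helper without first giving up root. The C program below is an added example written for this page, not cdrecord's code or any distribution's fix. It shows the order in which a setuid program should drop privileges permanently (supplementary groups, then gid, then uid, then verify) before running the helper in a child. The function names are ours and the helper command lines are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly become the user who invoked us. Order matters: supplementary
 * groups and the gid go first, while we are still root and allowed to change
 * them; the uid goes last, because after that we can change nothing else.
 * Returns 0 on success, -1 on failure (the caller must then abort, not
 * continue with whatever identity it ended up with). */
static int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Only root may clear the supplementary group list; an unprivileged
     * process cannot have acquired groups it should not hold. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)   /* real, effective and saved gid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)   /* real, effective and saved uid */
        return -1;

    /* Verify the drop is permanent: if we were ever root, getting it back
     * must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* The cdrecord-style mistake, kept for contrast and never called: the
 * user-specified program is exec'd while the setuid-root identity is still
 * in effect, so the user gets a root shell by naming /bin/sh as the helper. */
static void run_helper_vulnerable(char *const argv[])
{
    execvp(argv[0], argv);   /* BUG: still euid 0 */
    _exit(127);
}

/* Correct: fork, drop to the invoking user in the child, then exec the
 * helper. Returns the helper's exit status, or -1 on error. */
static int run_helper_as_invoking_user(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges_permanently() != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed helper command: exits 0 only if the helper's effective and
     * real uid agree, i.e. no inherited privilege survived the exec. */
    char *const check[] = { "/bin/sh", "-c", "[ \"$(id -u)\" = \"$(id -ru)\" ]", NULL };
    int rc = run_helper_as_invoking_user(check);
    printf("helper exited with status %d\n", rc);
    (void)run_helper_vulnerable;   /* present for contrast only */
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user it simply confirms that the helper's effective and real uids agree; installed setuid root, the same code drops to the invoking user before the exec. setgroups() is attempted only while the effective uid is 0, since an unprivileged process cannot call it and has nothing to clear. A failure anywhere in the drop must abort the program: continuing with a half-dropped identity is the cdrecord bug in a different shape.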

ncompress: Buffer overflow

Package(s):compress uncompress ncompress CVE #(s):CAN-2001-1413
Created:October 11, 2004 Updated:December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Red Hat RHSA-2004:536-01 2004-12-13
Gentoo 200410-08 2004-10-09

Comments (none posted)
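
The aspell entry above (words longer than 256 bytes in word-list-compress) and the ncompress entry (over-long command-line options and filenames) are the same bug: data is copied into a fixed-size buffer without consulting the buffer's size. The C below is an added example written for this page, not code from either project. It puts the unchecked pattern beside a bounded reader that rejects, rather than silently truncates, anything that does not fit, and runs it over a constructed word list containing one 300-byte word. WORD_MAX and the function names are ours; the value 256 is taken from the aspell description.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size word buffer; matches the 256-byte limit the
 * aspell entry describes. */
#define WORD_MAX 256

/* Vulnerable pattern: copy up to the delimiter with no idea how big dst is.
 * A word longer than the buffer runs straight past its end. Shown only for
 * the shape of the bug; never feed it untrusted input. */
static void read_word_unchecked(char *dst, const char *src)
{
    while (*src != '\0' && *src != '\n')
        *dst++ = *src++;            /* BUG: no bound on dst */
    *dst = '\0';
}

/* Hardened: the capacity travels with the buffer and an over-long word is
 * rejected outright rather than silently truncated, so the caller can fail
 * closed. Returns the word length, or -1 with errno = ENAMETOOLONG. In both
 * cases *consumed receives the number of input bytes to skip. */
static int read_word_checked(char *dst, size_t cap, const char *src, size_t *consumed)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) {         /* keep room for the terminating NUL */
            size_t k = n;           /* skip the rest of the offending word */
            while (src[k] != '\0' && src[k] != '\n')
                k++;
            *consumed = k + (src[k] == '\n');
            errno = ENAMETOOLONG;
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    *consumed = n + (src[n] == '\n');
    return (int)n;
}

/* Parse a newline-separated word list with the checked reader, counting
 * accepted and rejected words. Blank lines are ignored. Returns 0. */
static int parse_word_list(const char *list, int *accepted, int *rejected)
{
    char word[WORD_MAX];
    size_t used;
    *accepted = *rejected = 0;
    while (*list != '\0') {
        if (read_word_checked(word, sizeof word, list, &used) < 0)
            (*rejected)++;
        else if (word[0] != '\0')
            (*accepted)++;
        list += used;
    }
    return 0;
}

/* Constructed sample input, not taken from any real word list: three short
 * words and one 300-byte word that would overflow a 256-byte buffer. */
static const char *sample_word_list(void)
{
    static char buf[512];
    size_t off = 0;
    off += (size_t)snprintf(buf + off, sizeof buf - off, "apple\nbanana\n");
    memset(buf + off, 'A', 300);
    off += 300;
    snprintf(buf + off, sizeof buf - off, "\ncherry\n");
    return buf;
}

int main(void)
{
    int accepted, rejected;
    char word[WORD_MAX];
    read_word_unchecked(word, "short\n");   /* harmless for a short word */
    parse_word_list(sample_word_list(), &accepted, &rejected);
    printf("accepted %d word(s), rejected %d over-long word(s)\n", accepted, rejected);
    return 0;
}
```

Rejecting instead of truncating is deliberate: a silently shortened filename or option is itself a source of bugs (the wrong file gets opened), and a hard error is what a caller such as a daemon invoking uncompress can act on.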

cyrus-imap: multiple remote vulnerabilities

Package(s):cyrus-imap CVE #(s):CAN-2004-1012 CAN-2004-1013
Created:November 23, 2004 Updated:December 3, 2004
Description: Several vulnerabilities have been found in Cyrus IMAP Server <= 2.2.8 that could allow remote execution of arbitrary code.
Alerts:
SuSE SUSE-SA:2004:043 2004-12-03
Ubuntu USN-37-1 2004-12-02
Fedora FEDORA-2004-487 2004-12-01
Fedora FEDORA-2004-489 2004-12-01
Conectiva CLA-2004:904 2004-12-01
OpenPKG OpenPKG-SA-2004.051 2004-11-29
Mandrake MDKSA-2004:139 2004-11-25
Gentoo 200411-34 2004-11-25
Debian DSA-597-1 2004-11-25
Ubuntu USN-31-1 2004-11-23

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a buffer overflow in digestmd5.c which a remote attacker may be able to use to compromise the system. Separately, a local user may be able to gain privileges through the SASL_PATH environment variable, which tells the library where to load its plugins from: if a setuid or setgid program honors it, that program can be made to load attacker-supplied plugins.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: The dhcp 2.x server has a format string vulnerability in its logging functions, which may be exploited by a malicious DNS server whose responses reach those functions as a format string.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):Gallery CVE #(s):CAN-2004-1106
Created:November 8, 2004 Updated:January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery.
Alerts:
Debian DSA-642-1 2005-01-17
Gentoo 200411-10:01 2004-11-06

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc: the dynamic loader honored LD_DEBUG for setuid (SUID) binaries, where it should be ignored. This has various security implications which may be used to gain confidential information. An attacker can obtain the list of symbols a SUID application uses and their locations, and can then supply a trojaned library that takes precedence for those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)
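
The LD_DEBUG entry above and the SASL_PATH issue in the cyrus-sasl entry are two instances of one rule: a program or library that gained privilege through a setuid bit must not take configuration from environment variables its unprivileged caller controls. The C below is an added example written for this page, not glibc or cyrus-sasl code. It shows the AT_SECURE flag the loader consults, secure_getenv() as the safe lookup for a plugin path (SASL_PATH is used as the variable name to match the entry; the default directory /usr/lib/sasl2 and all function names are assumptions), and a filter that strips loader-controlling variables from an environment before it is handed to a privileged helper. The prefix list is ours and is not exhaustive.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* AT_SECURE is set by the kernel when the process gained privilege through
 * setuid/setgid bits or file capabilities. The dynamic loader checks the
 * same flag to decide whether to ignore LD_DEBUG, LD_PRELOAD and friends. */
static int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Plugin directory lookup that cannot be steered by an unprivileged caller:
 * secure_getenv() returns NULL whenever AT_SECURE is set, so a setuid
 * program always falls back to the built-in default (assumed path). */
static const char *plugin_dir(void)
{
    const char *p = secure_getenv("SASL_PATH");
    return (p != NULL && p[0] != '\0') ? p : "/usr/lib/sasl2";
}

/* Variables the loader and libc honour that must never cross a privilege
 * boundary. Entries are "NAME=value" strings as found in environ; a trailing
 * '=' in a prefix pins the whole name, no '=' matches a family of names. */
static int is_dangerous_var(const char *entry)
{
    static const char *const prefixes[] = {
        "LD_", "GCONV_PATH=", "MALLOC_", "HOSTALIASES=",
        "RESOLV_HOST_CONF=", "LOCALDOMAIN=", "IFS=", NULL
    };
    for (size_t i = 0; prefixes[i] != NULL; i++)
        if (strncmp(entry, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

static void free_env(char **env)
{
    if (env == NULL)
        return;
    for (size_t i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Build a filtered copy of a NULL-terminated environment suitable for
 * execve() into a privileged helper: everything is kept except the
 * dangerous entries. Free with free_env(). Returns NULL on allocation
 * failure. */
static char **sanitize_env(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_dangerous_var(env[i]))
            continue;
        out[k] = strdup(env[i]);
        if (out[k] == NULL) {
            free_env(out);
            return NULL;
        }
        k++;
    }
    out[k] = NULL;
    return out;
}

int main(void)
{
    printf("AT_SECURE=%d plugin_dir=%s\n", running_secure(), plugin_dir());
    return 0;
}
```

Run unprivileged, plugin_dir() follows SASL_PATH; the same binary installed setuid would ignore it, which is the behaviour the cyrus-sasl fix restored. Filtering the environment before exec is the belt-and-braces counterpart for helpers that do not use secure_getenv() themselves.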

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

gzip: insecure temporary files

Package(s):gzip CVE #(s):CAN-2004-0970
Created:November 8, 2004 Updated:December 7, 2004
Description: Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack.
Alerts:
Mandrake MDKSA-2004:142 2004-12-06
Debian DSA-588-1 2004-11-08

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process with malformed video or image files in the AVI, BMP, or DIB formats.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

ImageMagick: EXIF buffer overflow

Package(s):ImageMagick CVE #(s):CAN-2004-0981
Created:November 8, 2004 Updated:December 8, 2004
Description: ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information.
Alerts:
Red Hat RHSA-2004:636-01 2004-12-08
Mandrake MDKSA-2004:143 2004-12-06
Debian DSA-593-1 2004-11-16
Gentoo 200411-11:01 2004-11-06

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kernel: vulnerabilities in the smb file system

Package(s):kernel CVE #(s):CAN-2004-0883 CAN-2004-0949
Created:November 19, 2004 Updated:December 14, 2004
Description: During an audit of the smb file system implementation within Linux, several vulnerabilities were discovered, ranging from out-of-bounds read accesses to kernel-level buffer overflows. See these advisories: Linux kernel binfmt_elf loader vulnerabilities and Memory leak in 2.4.27 kernel for more information.
Alerts:
Red Hat RHSA-2004:504-01 2004-12-13
Red Hat RHSA-2004:505-01 2004-12-13
Red Hat RHSA-2004:549-01 2004-12-02
SuSE SUSE-SA:2004:042 2004-12-01
Ubuntu USN-30-1 2004-11-18

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images, so this vulnerability might lead to privilege escalation to the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)
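
The dhcp and mpg321 entries describe the same defect: an attacker-controlled string (a hostname from a DNS reply, text from an mp3 file) is handed to a printf-style logging function as its format argument. The C below is an added example written for this page, not code from either project; log_msg stands in for such a logging wrapper and the other names are ours. It shows the vulnerable call beside the one-token fix, and a small scanner that counts conversion specifiers in input that should contain none. Only the harmless "%%" case is fed to the vulnerable function, since exercising "%n" or "%x" on it is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A typical daemon logging wrapper: printf-style, format plus arguments.
 * This mirrors the shape of the log functions the dhcp and mpg321 entries
 * describe; the name is ours. */
static void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the untrusted string is passed as the *format*. "%x" leaks
 * stack words, "%n" writes memory. Benign input behaves identically to the
 * fixed version, which is why this bug hides in production for years. */
static void log_client_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    log_msg(out, outlen, untrusted);          /* BUG */
}

/* Fixed: the format is a literal; the untrusted string is only ever data. */
static void log_client_fixed(char *out, size_t outlen, const char *untrusted)
{
    log_msg(out, outlen, "%s", untrusted);
}

/* Detection aid: count printf conversions in a string that should contain
 * none (a hostname, a tag). "%%" is a literal percent and does not count.
 * Useful for flagging probe traffic in logs or in a fuzzing harness. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    log_client_fixed(buf, sizeof buf, "%x%x%n");
    printf("fixed:      %s\n", buf);              /* printed verbatim */
    log_client_vulnerable(buf, sizeof buf, "100%% sure");
    printf("vulnerable: %s  (the input was interpreted as a format)\n", buf);
    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

The "100%% sure" case is the safe tell-tale: the vulnerable path collapses it to "100% sure" because the input was parsed as a format, while the fixed path logs it byte for byte. Compilers flag the bug only when the wrapper carries a format attribute (gcc's -Wformat-security); a plain varargs wrapper like log_msg gets no warning, which is exactly how it slipped past in the affected code.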

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

perl: insecure temp file creation

Package(s):perl CVE #(s):CAN-2004-0976
Created:November 2, 2004 Updated:December 7, 2004
Description: Trustix Secure Linux has discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
Alerts:
Gentoo 200412-04 2004-12-07
Ubuntu USN-16-1 2004-11-02

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s):PostgreSQL CVE #(s):CAN-2004-0977
Created:October 18, 2004 Updated:December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Red Hat RHSA-2004:489-01 2004-12-20
Mandrake MDKSA-2004:149 2004-12-13
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Debian DSA-577-1 2004-10-29
Ubuntu USN-6-1 2004-10-27
Gentoo 200410-16 2004-10-18

Comments (none posted)

ProZilla: Multiple vulnerabilities

Package(s):ProZilla CVE #(s):CAN-2004-1120
Created:November 23, 2004 Updated:February 1, 2005
Description: ProZilla contains several exploitable buffer overflows in the code handling the network protocols. A remote attacker could set up a malicious server and entice a user to retrieve files from that server using ProZilla. This could lead to the execution of arbitrary code with the rights of the user running ProZilla.
Alerts:
Debian DSA-663-1 2005-02-01
Gentoo 200411-31 2004-11-23

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: infinite loop

Package(s):ruby CVE #(s):CAN-2004-0983
Created:November 8, 2004 Updated:May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up CPU cycles.
Alerts:
Fedora-Legacy FLSA:152768 2005-05-12
Red Hat RHSA-2004:635-01 2004-12-13
Gentoo 200411-23 2004-11-16
Fedora FEDORA-2004-403 2004-11-11
Fedora FEDORA-2004-402 2004-11-11
Ubuntu USN-20-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Debian DSA-586-1 2004-11-08

Comments (none posted)

samba: remote DoS vulnerability

Package(s):samba CVE #(s):CAN-2004-0930 CAN-2004-0882
Created:November 8, 2004 Updated:December 1, 2004
Description: According to this Samba advisory, a remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Versions of Samba 3.0.x up to and including 3.0.7 are vulnerable.

There is also an advisory about possible buffer overruns in smbd.

Alerts:
Fedora FEDORA-2004-459 2004-11-29
Fedora FEDORA-2004-460 2004-11-29
Conectiva CLA-2004:899 2004-11-25
Mandrake MDKSA-2004:136 2004-11-18
Ubuntu USN-29-1 2004-11-18
Red Hat RHSA-2004:632-01 2004-11-16
Trustix TSLSA-2004-0058 2004-11-15
SuSE SUSE-SA:2004:040 2004-11-15
Mandrake MDKSA-2004:131 2004-11-10
Gentoo 200411-21 2004-11-11
Ubuntu USN-22-1 2004-11-10

Comments (none posted)

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

SquirrelMail: cross-site scripting

Package(s):squirrelmail CVE #(s):CAN-2004-1036
Created:November 17, 2004 Updated:December 23, 2004
Description: Squirrelmail (through version 1.4.3a-r2) suffers from yet another cross-site scripting vulnerability.
Alerts:
Red Hat RHSA-2004:654-01 2004-12-23
Conectiva CLA-2004:905 2004-12-02
Fedora FEDORA-2004-472 2004-11-28
Fedora FEDORA-2004-471 2004-11-28
Gentoo 200411-25 2004-11-17

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remotely triggerable heap overflow which can be used for a denial of service and may allow arbitrary code execution on a server running svnserve. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

sudo: environment variable sanitizing

Package(s):sudo CVE #(s):CAN-2004-1051
Created:November 17, 2004 Updated:May 15, 2005
Description: Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Alerts:
Fedora-Legacy FLSA:152856 2005-05-12
OpenPKG OpenPKG-SA-2005.002 2005-01-17
Debian DSA-596-2 2004-11-24
Debian DSA-596-1 2004-11-24
Ubuntu USN-28-1 2004-11-17
Mandrake MDKSA-2004:133 2004-11-15

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)
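
The check that the tar and unzip versions above lacked is a small one. The following is an added example, not code from either tool: a member-name filter that rejects absolute paths, drive letters, and any ".." component that would climb above the extraction directory. Treating backslash as a separator is a conservative choice borrowed from the zip world; it is an assumption of this example, not something the page states.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true if 'name' may be extracted under the current directory:
 * no absolute path, no drive letter, and no ".." that, after resolving
 * earlier components, would reach above the extraction root. */
bool archive_member_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    /* Absolute paths (and Windows-style "C:...") write outside the tree. */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    if (name[1] == ':' && ((name[0] >= 'A' && name[0] <= 'Z') ||
                           (name[0] >= 'a' && name[0] <= 'z')))
        return false;

    int depth = 0;                 /* real components below the root so far */
    const char *p = name;
    while (*p) {
        const char *end = p;       /* find the end of this component */
        while (*end && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;      /* would escape the extraction root */
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;               /* "." and empty components are no-ops */
        }
        p = *end ? end + 1 : end;
    }
    return true;
}

int main(void)
{
    /* Constructed sample member names, as an archive might carry them. */
    const char *samples[] = { "etc/passwd.bak", "../etc/passwd",
                              "/etc/passwd", "a/../../b", "..foo/bar" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               archive_member_is_safe(samples[i]) ? "ok" : "REJECTED");
    return 0;
}
```

Note that a name filter is only half of the job: an archive can also contain a symbolic link member pointing outside the tree, followed by a regular member whose path runs through that link, so an extractor must also refuse to write through symlinks it created earlier in the same run.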

tiff: buffer overflows

Package(s):tiff CVE #(s):CAN-2004-0803
Created:October 13, 2004 Updated:April 12, 2005
Description: The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Red Hat RHSA-2005:021-01 2005-04-12
Conectiva CLA-2005:914 2005-01-06
Gentoo 200412-17 2004-12-19
Gentoo 200412-02 2004-12-05
Conectiva CLA-2004:888 2004-11-08
Slackware SSA:2004-305-02 2004-11-01
Red Hat RHSA-2004:577-01 2004-10-22
SuSE SUSE-SA:2004:038 2004-10-22
Mandrake MDKSA-2004:111 2004-10-21
Mandrake MDKSA-2004:109 2004-10-19
Debian DSA-567-1 2004-10-15
Fedora FEDORA-2004-334 2004-10-14
OpenPKG OpenPKG-SA-2004.043 2004-10-14
Gentoo 200410-11 2004-10-13

Comments (none posted)

unarj: buffer overflow vulnerability

Package(s):unarj CVE #(s):CAN-2004-0947
Created:November 11, 2004 Updated:February 2, 2005
Description: The unarj uncompression utility has a buffer overflow vulnerability from handling long file names in an archive. An attacker can cause unarj to crash or execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:2272 2005-02-01
Debian DSA-652-1 2005-01-21
Red Hat RHSA-2005:007-01 2005-01-12
Gentoo 200411-29 2004-11-19
Fedora FEDORA-2004-414 2004-11-11

Comments (none posted)

WordPress: HTTP response splitting and XSS vulnerabilities

Package(s):wordpress CVE #(s):
Created:October 14, 2004 Updated:December 20, 2004
Description: WordPress is vulnerable to HTTP response splitting and cross-site scripting attacks, due to the lack of input validation in the administration panel scripts. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.
Alerts:
Gentoo 200410-12:02 2004-10-14
Gentoo 200410-12 2004-10-14

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)
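
Three items on this page (perl, PostgreSQL's make_oidjoins_check, and xine-ui) are the same bug: a predictable name in a world-writable directory, opened without an exclusive create, so a pre-planted symlink is silently followed. The code below is an added example, not from any of those packages, showing the two safe patterns (mkstemp() for an unpredictable name, and O_CREAT|O_EXCL|O_NOFOLLOW when a fixed name is unavoidable) plus two self-checks that build a throwaway directory, plant a symlink at a predictable name, and confirm it is refused. The directory and file names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory for the demo files: $TMPDIR if set, else /tmp. */
static const char *tmp_dir(void)
{
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

/* Safe pattern: unpredictable name plus the atomic O_CREAT|O_EXCL inside
 * mkstemp(), so a pre-planted symlink is never followed. Returns an fd
 * and fills 'path' (so the caller can unlink it later), or -1 on error. */
int create_private_tempfile(char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/lwn-demo.XXXXXX", tmp_dir());
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Pin the mode (old mkstemp() used 0666 & ~umask) and confirm a plain
     * file with a single link, i.e. nothing that existed beforehand. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || fstat(fd, &st) != 0
        || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* When a fixed, predictable name cannot be avoided: refuse to reuse or
 * follow anything already there. Fails with errno == EEXIST if the name
 * is taken (a symlink included) instead of writing through it. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                S_IRUSR | S_IWUSR);
}

/* Self-check 1: the temp file is a private (0600) regular file. Returns 1. */
int tempfile_is_private(void)
{
    char path[4096];
    int fd = create_private_tempfile(path, sizeof path);
    if (fd < 0)
        return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check 2 (constructed scenario): in a fresh private directory, plant
 * a symlink at the predictable name an unsafe script would use and verify
 * that create_exclusive() refuses it and leaves the target untouched. */
int symlink_is_refused(void)
{
    char dir[4096], target[4096], lnk[4096];
    snprintf(dir, sizeof dir, "%s/lwn-demo-dir.XXXXXX", tmp_dir());
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);

    int ok = 0;
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (t >= 0 && write(t, "keep", 4) == 4 && symlink(target, lnk) == 0) {
        int fd = create_exclusive(lnk);    /* must NOT open 'victim' */
        struct stat st;
        if (fd < 0 && errno == EEXIST
            && stat(target, &st) == 0 && st.st_size == 4)
            ok = 1;                        /* refused, target still 4 bytes */
        if (fd >= 0)
            close(fd);
    }
    if (t >= 0)
        close(t);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok;
}
```

Both self-checks return 1 on success and clean up after themselves. The fstat() step after mkstemp() is deliberate: checking the descriptor you hold, rather than the path name again, avoids reintroducing the very race the exclusive create removed.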

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

Comments (none posted)

xpdf: integer overflows

Package(s):xpdf kpdf cupsys CVE #(s):CAN-2004-0888 CAN-2004-0889
Created:October 21, 2004 Updated:February 18, 2005
Description: Several xpdf integer overflow vulnerabilities can be exploited via a malformed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys, which share code. Additional information can be found in this KDE security advisory.
Alerts:
Fedora FEDORA-2005-138 2005-02-09
Fedora FEDORA-2005-137 2005-02-09
Fedora FEDORA-2005-133 2005-02-09
Fedora FEDORA-2005-134 2005-02-09
Fedora FEDORA-2005-136 2005-02-09
Fedora FEDORA-2005-135 2005-02-09
Fedora FEDORA-2005-123 2005-02-08
Fedora FEDORA-2005-122 2005-02-08
Debian DSA-599-1 2004-11-25
Gentoo 200411-30 2004-11-23
Conectiva CLA-2004:886 2004-11-08
Gentoo 200410-30:02 2004-10-28
Gentoo 200410-20:02 2004-10-21
Debian DSA-581-1 2004-11-02
Ubuntu USN-14-1 2004-11-01
Ubuntu USN-9-1 2004-10-27
Gentoo 200410-30 2004-10-28
Fedora FEDORA-2004-358 2004-10-28
Fedora FEDORA-2004-357 2004-10-28
Red Hat RHSA-2004:592-01 2004-10-27
Fedora FEDORA-2004-337 2004-10-26
SuSE SUSE-SA:2004:039 2004-10-26
Ubuntu USN-2-1 2004-10-22
Red Hat RHSA-2004:543-01 2004-10-22
Mandrake MDKSA-2004:115 2004-10-21
Mandrake MDKSA-2004:116 2004-10-21
Mandrake MDKSA-2004:114 2004-10-21
Mandrake MDKSA-2004:113 2004-10-21
Gentoo 200410-20 2004-10-21
Fedora FEDORA-2004-348 2004-10-21
Debian DSA-573-1 2004-10-21

Comments (none posted)

zgv: multiple buffer overflows

Package(s):zgv CVE #(s):
Created:November 8, 2004 Updated:December 14, 2004
Description: Multiple arithmetic overflows have been detected in the image processing code of zgv. An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. See this BugTraq advisory for more information.
Alerts:
Debian DSA-608-1 2004-12-14
Gentoo 200411-12:01 2004-11-07

Comments (none posted)

zip: arbitrary code execution

Package(s):zip CVE #(s):CAN-2004-1010
Created:November 5, 2004 Updated:February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Fedora-Legacy FLSA:2255 2005-02-01
Debian DSA-624-1 2004-01-05
Red Hat RHSA-2004:634-01 2004-12-16
Mandrake MDKSA-2004:141 2004-11-25
Gentoo 200411-16 2004-11-09
Fedora FEDORA-2004-399 2004-11-08
Fedora FEDORA-2004-400 2004-11-08
Ubuntu USN-18-1 2004-11-05

Comments (1 posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.10-rc2; Linus has released no prepatches since November 14.

Patches continue to accumulate, slowly, in Linus's BitKeeper repository. These include the un-deprecation of MODULE_PARM() (it is generating too many warnings, and the fixes will not be merged before 2.6.10), a new major number (180) for the "ub" USB storage driver, some x86 single-stepping fixes, a large number of "sparse" annotations, the token-based memory management fix, a memory technology device (and JFFS2) update, a frame buffer device update, some user-mode Linux patches, some page allocator tuning, and a few architecture updates.

The latest patch from Andrew Morton is 2.6.10-rc2-mm4. Recent changes to -mm include a new "DMA32" memory zone on the x86_64 architecture, some big architecture updates, a quiet fix for a seemingly exploitable x86_64 buffer overflow, and lots of fixes.

The current 2.4 prepatch is 2.4.29-pre1, which was released by Marcelo on November 25. The bulk of this patch consists of driver and filesystem backports from 2.6.

Comments (none posted)

Kernel development news

Experiment: archive links in quoted messages

Perhaps the longest of longstanding LWN reader requests is the provision of archive links for messages we quote from the mailing lists. This has been a hard request to satisfy, for a couple of reasons. One is that we have learned, the hard way, that it is best to host a copy of the message ourselves. Web archives can go away or reorganize and break links; then we get a lot of mail about non-functioning links on LWN. The other, larger reason, though, has always been a simple matter of time. Producing the LWN Kernel Page requires reading through a few dozen lists, some of which have a lot of traffic. Reading those lists through a web archive - or even just finding links to quoted messages - would slow down the process and result in less content being written. That has not been a tradeoff we have been willing to make.

But we never forgot the request. Of course, it helps that certain readers regularly remind us... Starting this week, we have a tentative solution. The Gmane archive makes it easy to read through archived lists and create URLs to them. Thanks to a bit of script hacking, many of the quoted messages linked to in this page now have an Archive-link header pointing to the Gmane version of the message, and to Gmane's thread view as well.

This feature should be considered experimental for now; whether it is retained depends on whether readers find it useful, and whether Gmane proves to be sufficiently reliable over time. We're curious to hear whether these links are worthwhile. With luck, an ancient item can now be scratched off the "to do" list.

Comments (5 posted)

Kernel headers and user space

The use of kernel headers in user space has long been discouraged. The kernel headers are not written with user space in mind, and they can change at any time. The proper way for user-space applications to interface with the kernel is by way of the C library, which provides its own structures and, when necessary, translates them into whatever the current kernel expects. This separation helps to keep user-space programs from breaking when the kernel changes.

Unfortunately, things do not always work that way, and some user-space programs still end up including kernel headers directly. These programs may simply be old, or they may need access to declarations which are not available in the C library include files - strange ioctl() codes, for example. So the kernel code still tries to make it possible for user space to include some header files. In these files, kernel-specific code is contained within #ifdef __KERNEL__ blocks and hidden from user space. This technique works, but it is brittle and adds extra cruft to the kernel code base. Intermixing internal kernel definitions with those needed by user space also makes it easy to break the user-space API.

The kernel developers have, for years, wanted to improve this situation. The latest attempt came in the form of this RFC from David Howells. This proposal would create some new directories in the kernel source tree: include/user and some architecture-specific variations (such as include/user-i386). When a portion of a kernel header file is found to be needed by user space, it would be placed into a separate file in one of those directories, and the new file would be included into the old one. At this point, the definitions needed by user space will have been separated out, but no visible changes will have been made; user space can still include the old file and get what it needs.

At some future point, when user space is deemed to have been fixed, all of the __KERNEL__ references could be removed from the old files. At that point, any application still including the internal header files would break.

One part of the idea which did not get very far was using standard C types (such as uint16_t and such) for the user-kernel interface. The problem with that idea is that the kernel cannot count on those types being consistently defined for all configurations, and cannot create its own definitions for the standard types. So the kernel/user interface must continue to be defined using kernel-specific types (__u16 and such).
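
To make the proposed split concrete, here is an added example using a made-up "foo" driver; it is not taken from the RFC or from the kernel tree. The first half stands for what would move into include/user/foo.h, the second for what stays in include/linux/foo.h (which would #include the first). The __demo_u16/__demo_u32 typedefs stand in for the kernel's __u16/__u32, and the ioctl number is hypothetical. The layout check at the end is the kind of thing the kernel does at compile time with BUILD_BUG_ON(); it shows why the interface is pinned to fixed-width kernel types rather than whatever the C library happens to define.

```c
#include <stddef.h>
#include <stdio.h>

/* ---- would be include/user/foo.h: everything user space may rely on ---- */
typedef unsigned short __demo_u16;    /* stands in for the kernel's __u16 */
typedef unsigned int   __demo_u32;    /* stands in for __u32 */

struct foo_stats {                    /* ioctl() argument shared with user space */
    __demo_u16 version;
    __demo_u16 flags;
    __demo_u32 packets;
};
#define FOO_IOC_GET_STATS 0x4604      /* hypothetical ioctl number */

/* ---- would be include/linux/foo.h: kernel-only part, never seen by user space ---- */
#ifdef __KERNEL__
struct foo_device {                   /* free to change between kernel versions */
    struct foo_stats stats;
    void *private_data;
};
#endif

/* The user-visible struct is part of the ABI: its size and field offsets
 * must be identical on both sides of the boundary, whatever C library the
 * application was built against. Returns 1 when the layout is as pinned. */
int foo_stats_layout_ok(void)
{
    return sizeof(struct foo_stats) == 8
        && offsetof(struct foo_stats, version) == 0
        && offsetof(struct foo_stats, flags) == 2
        && offsetof(struct foo_stats, packets) == 4;
}

int main(void)
{
    printf("struct foo_stats: %zu bytes, layout %s\n",
           sizeof(struct foo_stats), foo_stats_layout_ok() ? "ok" : "BROKEN");
    return 0;
}
```

With the split done, an old-style `#include <linux/foo.h>` from an application still compiles (the user part is pulled in transitively), which is the "no visible changes" stage of the proposal; removing the __KERNEL__ guard later is what would finally break such applications.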

Linus was not all that enthusiastic about the idea in general. To him, it looks like an exercise in rearranging things without specific goals and with the possibility of breaking things which work now:

We undeniably have existing users of kernel headers. That's just a fact. If we break them, it doesn't _matter_ how the kernel headers look, and then "existing practice" is about as good an organization as anything, and breaking things just to break things is not something I'm in the least interested in. "Beauty" comes secondary to "usefulness".

What he would like to see is more specific discussions which identify specific, problematic header files and what will be done to fix them. In the end, the header files might just get split up in the way described by Mr. Howells. It is more likely to happen as a long and slow process, however, and not as a massive, coordinated reorganization.

Comments (1 posted)

Merging swsusp2

Once upon a time, the 2.6 kernel had three software suspend implementations - two of which were in the mainline - but none which were seen to work all that well. Since then, the two mainline implementations have been merged, and the out-of-tree swsusp2 implementation has come a long way. Still, two implementations of a low-level core function seems like too many, so there is interest in bringing them together in the mainline. Swsusp2 developer Nigel Cunningham has made a new effort in that direction by posting a set of 51 patches which merge swsusp2 into the 2.6 kernel.

There is a great deal of code in these patches. Some of the more interesting pieces include:

  • A set of new exported symbols; these include fundamental things like sys_ioctl(), avenrun, and a number of low-level swap functions. These exports were poorly received; there is currently a great interest in reducing the number of symbols exported to modules. A patch which, instead, exports fundamental interfaces is bound to encounter some resistance.

    The swsusp2 code wants these symbols exported because the entire suspend mechanism can be built as a module and loaded only when the system is to be suspended. This can be a nice feature; swsusp2 is a lot of code, and it is all excess baggage anytime the system is actually being used. The costs of making swsusp2 modular may prove too high for that feature to be accepted into the mainline, however.

  • A change to the workqueue API allowing the creator of a workqueue to specify whether that queue should be left running during the suspend process. Some workqueues perform tasks which are needed during the image writeout process, and thus cannot be stopped prematurely.

  • A replacement refrigerator, the code charged with putting all processes on hold so that the system is in a quiet state before suspending. The intrusive macros which characterized the swsusp2 refrigerator some time ago are gone. The new version relies upon a PF_SYNCTHREAD task flag to keep processes (temporarily) from being frozen while they are doing some work involved with writing data to disk.

  • A complicated I/O infrastructure for writing the suspend image to disk. The new I/O code is said to be much faster, and it supports features like image compression, writing to swap files or LVM devices, etc. Future plans call for more esoteric features, such as suspending across a network. These features may be nice, but it has been pointed out that the swsusp2 I/O code alone outweighs the entire mainline software suspend code by a significant amount.

  • Various types of "nice displays" when a suspend or resume is in progress. These displays include progress bars, splash screens, and more.

Nigel offers a number of reasons for merging swsusp2. It is claimed to be much faster as a result of the use of asynchronous I/O, readahead on resume, and (for systems with slow drives) image compression. It is far more configurable; users can select the sort of display they like, image compression and/or encryption, etc. Suspending to swap files, LVM devices, and more is supported. And so on. There is little disagreement that swsusp2 offers some nice features, but there is some concern over how Nigel is trying to proceed:

I'm thus seeking to simply merge the existing code, let Pavel and others get to the point where they're ready to say "Okay, we're satisfied that suspend2 does everything swsusp does and more and better." Then we can remove swsusp.

The kernel developers are increasingly resistant to wholesale merging of large blocks of code - especially when that code duplicates functionality already found in the kernel. They would rather see a series of incremental patches, each of which takes a small, useful step in the right direction. Nigel does not want to do that; swsusp2 is vastly different, internally, from the mainline suspend code, and evolving one into the other looks like a long, painful, and pointless job. He may have to do that work, however, before any of the swsusp2 code can be merged.

A bigger obstacle, however, may be the fact that, while swsusp2 was being developed, the mainline software suspend code was progressing too. Your editor is able to reliably suspend to memory and disk with a vanilla 2.6.9 kernel. SUSE enables software suspend and calls it a feature in its 9.2 release. Since the in-kernel suspend code seems to actually work, enthusiasm for replacing it with a larger, more complex version is not as high as it might otherwise have been. The ultimate fate of swsusp2 may yet be to contribute its best improvements to the mainline, but to never be merged in its entirety.

Comments (3 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Debian on AMD64

December 1, 2004

This article was contributed by Ladislav Bodnar

These days, just about every major distribution (with the notable exception of Slackware) is offering an AMD64 port of their principal product. This is mainly in anticipation of increased popularity of the 64-bit processors in the future and to gain experience in solving challenges that exist while developing a distribution that would be not only considerably faster than its x86 counterpart, but also equally usable - both on servers and workstations. In the upcoming series we will look at how different distributions (Linux and BSDs) handle these challenges. We will try to answer a question that some readers contemplating a new computer system might be asking: is the AMD64 processor ready to satisfy our most demanding computing tasks?

We will start with Debian GNU/Linux, which has always been the most multi-platform Linux distribution on the market. Woody, the current stable release for over 2 years, and Sarge, the new upcoming stable release due out in a month or two, support no fewer than 11 architectures. Perhaps surprisingly, AMD64 is not one of them and it won't be in Sarge either. That said, Debian developers have been working on an AMD64 port for some time, and unofficial builds, including Sarge installation CDs and documentation, are already available on the Debian AMD64 Port pages. There are two unstable (=sid) branches - "pure64" and "gcc-3.4". The former is compiled with GCC 3.3 and is considered more stable, while the latter is compiled with gcc-3.4, which is said to have better support for AMD64 but is less well-tested. An AMD64 testing branch is also available, with a plan to build a full unofficial Sarge release at a later stage, but it will not enter the main Debian Sarge branch and it is not yet clear how security updates will be handled for this product.

Despite the unofficial status of the port, those who wish to run a fully-enabled 64-bit Debian distribution on an AMD64 processor can do so today. We installed it on a system with the following specifications: AMD64 3500+ processor (2.2GHz), K8N Neo2 (Socket939) mainboard from Micro-Star International, 1 GB of DDR SDRAM, 2 x 120 GB Maxtor hard disks, Plextor PX-712A DVD/CD Rewritable Drive, and NVIDIA GeForce4 Ti 4600 graphics card. If you are curious about the cost, the processor + mainboard + memory came to about $620, but anything newer than the 3500+ processor would cost dramatically more; for example the current prices for the AMD64 4000+ processor start at $715 (without the motherboard and RAM).

To initiate the installation, we downloaded the most recent Debian "netboot" ISO image (4.4 MB). This is a bootable CD that attempts to auto-configure networking before it proceeds with downloading and installing the base system. The installation was rather painless and the only non-standard place was the selection of FTP/HTTP mirrors; as was mentioned earlier, the AMD64 branch has not been included in Debian's main branch and is maintained separately on the Alioth server. Therefore your preferred download server and selected AMD64 branch have to be entered manually. Besides the main server, a handful of mirrors in Europe and Asia are also available. As soon as the installation completed and the bootloader was configured, we were prompted to reboot into our brand new Debian AMD64 system. We continued with installation of packages for a typical workstation - a full graphical desktop with GNOME 2.8 and KDE 3.3.1, as well as most other general applications. The entire experience was rather dull (in a positive sense of the word) and everything we threw at the apt-get command installed without any problems at all. Perhaps we shouldn't have been surprised - the Debian AMD64 Ports page claims that 97% of all Debian packages compile just fine for the AMD64 processor, which is, in fact, the second most complete port, after i386.

Although we were impressed by the quality of the port and the trouble-free system installation and configuration, there was little doubt that sooner or later we would run into some AMD64-specific issues. Firstly, there was the remaining 3% of applications that have yet to be ported to AMD64, with OpenOffice.org being the most glaring of the missing pieces. Secondly, what about the many useful binary-only applications, such as Acrobat Reader, Macromedia Flash Player, the NVIDIA graphics driver, Opera, RealPlayer, etc., most of which are built for i386 only (the NVIDIA graphics driver is the only notable exception)? There are two ways to solve the problem. The first is to install a set of IA32 libraries, which should allow most i386 applications to run directly on the 64-bit system; the second, which some would argue is the proper way, since mixing IA32 and AMD64 libraries is not a clean way to maintain a system, is to install a basic 32-bit Debian system into a chroot and run the 32-bit applications from there.

The second option is slightly more involved, but this HOWTO explains the procedure in simple terms. After installing the "dchroot" package, configuring it and creating a simple shell script for launching the chrooted 32-bit applications transparently from within the 64-bit environment, we were able to install and run OpenOffice.org, Acrobat Reader, Opera and RealPlayer with no problems. Thus, we ended up with a Debian system that was almost complete and very close to what we would have on an x86 workstation. There were still some missing pieces: a 64-bit process cannot load a 32-bit shared object, so a 64-bit browser cannot load the 32-bit Macromedia Flash plugin, and the only way to view Flash-enabled web sites was from within the chrooted 32-bit Opera (or any other chrooted 32-bit browser, if installed). Of course, this method of running certain applications is still a lot more cumbersome than it should be, but it will do for the time being. Eventually the Debian developers will port OpenOffice.org to the AMD64 platform and, if we scream loudly enough, we might even get the makers of the above-mentioned proprietary software to start building AMD64 ports of their applications. In the meantime, it is not too difficult to run a full 64-bit system with a handful of "forbidden" 32-bit applications in a chroot. Note that the chroot here is a compatibility mechanism, not a security boundary: the 32-bit applications run under the same user ID as everything else and, since the user's home directory has to be made visible inside the chroot for them to be of any use, they have the same access to the user's files as native applications do.
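As an added example (it is neither the article's script nor the one from the HOWTO it refers to), here is a launcher of the kind the paragraph describes, written so that it reads the ELF header of the target binary and only goes through dchroot for 32-bit executables; 64-bit ones are run natively, which keeps the wrapper from sending native AMD64 binaries into the chroot by accident. It assumes a chroot named ia32 at /var/chroot/sid-ia32 in /etc/dchroot.conf, dchroot's "-c chroot" and "-d" (keep environment) options, and a DRY_RUN variable that is invented here purely so the decision can be inspected on a machine without the chroot; all of those are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not part of the LWN article or the HOWTO it cites.
# Assumptions (not from the page): the 32-bit Debian system lives in
# /var/chroot/sid-ia32 and /etc/dchroot.conf contains the line
#     ia32 /var/chroot/sid-ia32
# with /home, /tmp and /proc bind-mounted into it from /etc/fstab, e.g.
#     /home /var/chroot/sid-ia32/home none bind 0 0
# Entering the chroot does not confine the program: it runs as the same
# user, on the same bind-mounted home directory, as a native binary would.

# Print the ELF class of a file: 32, 64, or none (not an ELF file).
# Bytes 0-3 must be the magic 7f 45 4c 46 ("\177ELF"); byte 4 is
# EI_CLASS, where 1 = ELFCLASS32 and 2 = ELFCLASS64.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo none ;;
    esac
}

# Resolve a command name to an executable file: names with a slash are
# used as given, anything else is looked up on PATH, so that the ELF
# check is done on the real binary rather than on a shell name.
resolve_prog() {
    case "$1" in
        */*) [ -x "$1" ] && printf '%s\n' "$1" ;;
        *)   command -v "$1" ;;
    esac
}

# Decide how to run a program: natively for 64-bit ELF files, through
# dchroot for 32-bit ones. With DRY_RUN set (invented for this example)
# it prints the command line instead of exec'ing it.
dispatch() {
    prog=$(resolve_prog "$1") || { echo "$1: not found" >&2; return 127; }
    shift
    case "$(elf_class "$prog")" in
        32) set -- dchroot -c ia32 -d "$prog" "$@" ;;
        64) set -- "$prog" "$@" ;;
        *)  echo "$prog: not an ELF executable" >&2; return 126 ;;
    esac
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else exec "$@"; fi
}

# Usage: install as /usr/local/bin/run32-or-64 and call it as
#     run32-or-64 /usr/bin/opera   (or: run32-or-64 acroread file.pdf)
# The top-level dispatch only runs when the script is invoked under that
# name, so the functions can also be sourced from other scripts.
case "${0##*/}" in
    run32-or-64) dispatch "$@" ;;
esac
```

Because dchroot hands the remaining arguments to a shell inside the chroot, arguments containing spaces or shell metacharacters should be quoted by the caller; the wrapper does not try to re-escape them.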

Before installing Debian on the AMD64 system, we had some worries about the ability to maintain an efficient working environment on this relatively new platform, fearing compatibility issues, maybe even instability. Luckily, this turned out not to be the case. Although still labeled as beta, Debian's AMD64 port has so far proved to be a trouble-free, high-quality distribution that is certainly ready for deployment on high-end developer workstations. The system is incredibly responsive, it boots twice as fast as the 1.4 GHz P4 box sitting next to it, and overall it has been an enormous pleasure to use. AMD64 is a great processor and the Debian developers have built an excellent product to take full advantage of its power. This experience has removed whatever doubts we had about the present state of quality 64-bit computing.

Distribution News

Debian GNU/Linux

Martin Schulze has announced a new Debian Flyer project in the CVS repository on Alioth. "This should make it easier for translators to get the translations in sync. A ``translation-check'' line has also been added to some translations so it is easier to determine what would have to be changed to get the translation back in sync."

This Sarge release status report looks at the possibility of getting GNOME 2.8 into Sarge. "After requests and a detailed proposal from the GNOME team, we accepted an upload of GNOME 2.8 into sid, and, via the usual mechanisms, into sarge. We should mention that the release team was running out of objections to GNOME 2.8 in unstable that the GNOME team hasn't satisfactorily addressed; this, and the fact that they have demonstrated good reaction times of late are the main reasons why we're approving it despite the timing."

Fedora Core

The Unofficial Fedora FAQ has been updated for Fedora Core 3. The Fedora Core 2 FAQ is still available here.

Dirk Westfal has announced a LiveCD with Fedora Core 3, KDE 3.3.1 and GNOME 2.8.

Fedora Core 3 updates: system-config-samba (add missing options), spamassassin (bug fixes from upstream), system-config-date (enable Gujarati and Tamil translations), system-config-securitylevel (fixes tracebacks introduced by the libselinux update), abiword (fixes for tempnam usages and startup geometry crashes), udev (turn off debug logging), prelink (several bug fixes), libselinux (change location of helper applications), policycoreutils (removes FixFiles.cron), alsa-lib (fix bad assertion that trips up gstreamer), man (bug fixes and enhancements), openmotif (latest Xpm patches, fixes CAN-2004-0914), openmotif21 (fixes CAN-2004-0914, CAN-2004-0687, CAN-2004-0688 and other bugs), iptables (fixed autoload problem in iptables and ip6tables (CAN-2004-0986)), postfix (bug fixes), postfix (fixes the fix), tvtime (update to 0.9.15), quagga (new upstream release, bug fixes), gtk2 (fixes some ABI breakage), gtksourceview (rebuild), gedit (rebuild), bash (cleanup), words (major upgrade), slang (corrects buffer overruns), shadow-utils (fixes bug in useradd), man-pages-pl (remove mc.1), aspell-bg (add bulgarian.kbd file), slang (fixes a very slight horizontal line artifact), brltty (don't make /etc/*.conf executable), cvs (replaced old SCCS migration script).

Fedora Core 2 updates: system-config-samba (add missing options), gaim (FC2 Update), tcpdump (fixed nfs protocol parsing for 64 bit architectures), man (bug fixes and enhancements), ppp (bug fixes), openmotif21 (fixes CAN-2004-0914, CAN-2004-0687, CAN-2004-0688 and other bugs), openmotif (fixes CAN-2004-0914, CAN-2004-0687, CAN-2004-0688 and other bugs), slang (fixes a very slight horizontal line artifact).

Mandrakelinux

Updated kdebase, kdelibs and kdepim packages fixing many bugs are available for Mandrakelinux 10.1.

Slackware Linux

The slackware-current changelog contains an update from Patrick. "I built a few updates to get my mind on happier things. Maybe I'll have time to look at the kernel sometime soon, too, but getting my health back remains the A-number-1 priority here."

kde/koffice-1.3.5-i486-1.tgz: Upgraded to koffice-1.3.5.
kdei/koffice*.tgz: Upgraded to koffice-i18n-1.3.5.

Also, Bruno H Collovini and Piter Punk in Brazil have been helping to build security updates for Slackware. You can find those updates here.

SUSE Security Summary Report SUSE-SR:2004:002

SUSE has fixed minor security issues in several packages. Click below for details.

Trustix Secure Linux

Trustix has updated the following packages: amavisd-new, anaconda, courier-imap, cyrus-imapd, cyrus-sasl, file, kernel, mkbootdisk, mysql, rpm, samba, setup and swup. Bug fixes, enhancements and a few security problems are addressed in this 'multi' update.

New Distributions

Flash Linux released (GnomeDesktop.org)

GnomeDesktop.org has an announcement for the initial release of Flash Linux. "Flash Linux is a compact distribution designed to run off 256Mb USB keys. It includes hardware detection, auto configuration, a fairly complete Gnome 2.8 desktop, and associated office tools. Ideal if you want to try out Gnome 2.8 without touching your current system with over 50Mb of storage left after installation. Note that this is a first release, it should however be pretty usable and stable."

Distribution Newsletters

Debian Weekly News

The November 23 Debian Weekly News is out; it looks at bug-squashing parties, Debian and the Linux Core Consortium, speeding the boot process, debian-installer progress, and more.

Debian Weekly News

The Debian Weekly News for November 30, 2004 is out. In this issue; a look at Debian flyers on Alioth, another woody update (3.0r4), DWN in RSS and blog formats, and more.

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of November 29, 2004 is out. This week's edition covers PegasosPPC boxes from Genesi with Gentoo preinstalled, the Gentoo script repository, some translation project news, a shift to the 2.6 kernel as the default, and more.

DistroWatch Weekly, Issue 77

The DistroWatch Weekly for November 29, 2004 is out. "This week we have a brief report on the next release of Gentoo Linux and we also introduce UHU-Linux, a Hungarian project and a major driving force behind Linux adoption in Hungary."

Minor distribution updates

Devil-Linux v1.2.1 released !

Devil-Linux v1.2.1 has been released. "The changes include Kernel 2.4.28, enabled sasl+ldap+mysql for postfix, dramatically reduced size of etc.tar.bz2, many program updates, and many other changes."

Linux Netwosix

Linux Netwosix has announced the release of v1.2 (Jinko). This release has a new setup method, a new How-to, Linux kernel 2.6.9, GCC 3.3.3 and more.

Linux Netwosix has also released an updated NEPOTE (NEtwosix POrting Tool Environment).

Newsletters and articles of interest

My workstation OS: Debian (NewsForge)

This NewsForge article advocates Debian on the desktop. "What do you want from a desktop operating system? Of course programs for everyday use (a Web browser, office tools, games, etc.), but those programs are not the main criteria, especially with GNU/Linux, since you can use almost any Linux application easily on your distribution of choice. The real criteria are stability, package management, hardware compatibility, and the people behind the software, the community. For its superiority in those areas, I made Debian my workstation OS."

Page editor: Rebecca Sobol

Development

Looking Past CVS: The Future is Distributed

November 30, 2004

This article was contributed by Mark Stosberg

The field of alternatives to CVS has exploded. Alternatives have been documented and compared, but the trends deserve further analysis.

It's truly a critical moment, as the winds of change are shifting over the landscape of source control. Major projects, such as PostgreSQL, KDE, and Emacs, are discussing dropping CVS for an alternative. Smaller projects, such as wxRuby and Rhythmbox, have already switched.

A Source Control Management (SCM) system is important because this software choice impacts a whole group of developers, and changing systems can be very disruptive to a project. The larger the project, the greater the inertia, and higher the cost to switch.

Here's my analysis of trends that will emerge:

What won't happen: No "CVS replacement" will emerge, at least not with the dominance that CVS has had. Instead, what we will see will follow the pattern of the expanding offerings of scripting languages. Although Perl has long dominated this category, other languages have dared to challenge the heavyweight, and they have prospered. Python, PHP, and Ruby are all doing well, with growing communities building up around them.

Don't expect to see one clear SCM leader, with the rest hopelessly out of sight in terms of popularity and usability. Many sufficiently capable alternatives are emerging. The diverse environment we will see will play a part in determining which projects stand out. Those projects that grasp the importance of playing well with other SCMs will see increased popularity.

The young svk project seems to understand this issue. They integrate with VCP, a framework designed for interchanging formats of various SCMs. Svk is being designed so that at maturity, you will be able to use it as a client for several other SCMs.

Consider the following situation for a typical open-source programmer: The programmer would like to contribute to one project that uses CVS, another which uses Subversion, and a third which uses Arch. Rather than learning all three, she can use svk, reduce her overhead time, and improve her overall efficiency. Currently, svk can mirror a CVS archive, but not perform a "commit through" on your changes.

As people contribute to this 'glue' project, it will be easier for participating SCMs to update their own offerings to allow better interoperability.

One important trend is the removal of the "single central server" limitation of CVS. New distributed systems allow developers to share changes in a peer-to-peer mode without going through a central server. This feature will gain prominence for two reasons. Most importantly, the centralized model is a subset of what a distributed system can do, so users don't have to pick an "either/or" solution. Also, a distributed design maps extremely well onto the organic global network of open source software development.

Developers who do not have "commit access" benefit from distributed systems because they are given a much expanded toolkit, giving them access to the same command set that the core developers have. With better tools for more developers, more time can be spent writing code instead of managing it.

Distributed SCMs should be equally beneficial to corporations, with their increasingly distributed structures. More activity can happen locally to the developers, making a fast link to a distant central server less critical for developer productivity.

I have followed two distributed SCMs in particular, Arch and Darcs. Arch currently has a larger user base, and arch repositories exist for popular projects such as the Emacs and Vim editors. Arch is also noticeably more complex to set up and use.

Darcs, which just turned 1.0, shines because of its ease of use, clear documentation, and powerful underlying unique "theory of patches". Svk is working on emulating the Darcs interface, while Arch would like to support the Darcs patch handling features.

It's not all roses for Darcs, though. While it receives praise for use on small projects, it is known to hang for hours on large trees like the Linux kernel as well as when large scale conflicts occur.

Colin Walters, an Arch hacker, shares my vision of a distributed future. He concluded recently: "The contender for the future of free software revision control is still very much up in the air."

This much is clear: If you are still using CVS, it's time to evaluate the alternatives, and think distributed.

System Applications

Database Software

Glom 0.8.9 announced

Version 0.8.9 of Glom, a database table designer GUI, is out with numerous bug fixes and translation improvements.

JabRef 1.6 released (SourceForge)

Version 1.6 of JabRef, a graphical application for managing bibliographical databases, has been announced. "Being the first version preceded by a public beta, we hope that JabRef 1.6 will be the most stable release so far. There are many new features since version 1.55, including greatly improved handling of bibtex strings, export to MODS format and facilities for detecting and handling external changes to open files. Many bugs have been fixed, and the user interface has been improved in many small ways."

PostgreSQL 8.0.0 Beta 5 Now Available

Version 8.0.0 Beta 5 of the PostgreSQL database has been announced. "It's been almost 4 weeks since Beta4. After a lot of work involving a lot of bug fixes and documentation improvements to the source tree, we have just released our 5th Beta of 8.0.0. All of our major Open Items have now been completed, and we're slowly entering the final stages, involving a lot of testing and documentation changes."

PostgreSQL Weekly News

The November 29, 2004 edition of the PostgreSQL Weekly News is available with the week's PostgreSQL database news.

Libraries

libxklavier 1.12 released

Version 1.12 of libxklavier, the X keyboard utility library, has been released. "The very first xmodmap-enabled release of libxklavier is out. The API/ABI were broken again (sure, compatibility in GNOME CVS HEAD is maintained). Really hope to keep 1.1x series API stable from this point."

Mail Software

Standalone email package 3.0 final

Version 3.0 final of the standalone email package for Python is available. "Python 2.4 final will probably be released in a few hours so this seems like a good time to release the standalone email package, version 3.0 final. Unless there's some last second snafu, this will be identical to the version released with Python 2.4."

Networking Tools

Firestarter 1.0 announced

Version 1.0 of Firestarter, a visual firewall tool for GNOME, is out. "The program features a friendly setup wizard, a real time firewall event monitor and an advanced rules based system for creating traffic policy. The program also helps you set up Internet connection sharing in just a few clicks, or port forwarding when used on a LAN." Changes include a redesigned user interface, a new security policy system, DHCP service support, a view of connections, and more.

Web Site Development

BIG SAM 1.2.02 released

Stable version 1.2.02 of BIG SAM, the Built-In Guestbook / Stand-Alone Module (written in PHP) is out.

mnoGoSearch 3.2.25 released

Version 3.2.25 of the mnoGoSearch web site search engine has been released. See the Change Log for details.

First stable version of phpPgWeb is out

The first stable release of phpPgWeb has been announced. "This PHP lgpl library is intended to make quickly a user friendly web interface to a postgresql database. It is thought to be configurable, manage automatically references between tables, has multilanguage support, and could be extended quite easily. It is not intended as admin tool (see phpPgAdmin), but as an intuitive web mask to a database."

Quixote 2.0a2 is out

Version 2.0a2 of the Quixote web platform is available with lots of changes. "We still have a lot of work to do before a stable release. The documentation needs to be updated. The mod_python publisher is broken. The Quixote 1 style publisher probably needs some more work."

Install XAMPP for easy, integrated development (IBM developerWorks)

Nils-Erik Frantzell writes about XAMPP on IBM developerWorks. "Open source stacks such as XAMPP from Apache Friends are simplifying open source development by making it easier to write and distribute applications in a stable and standardized environment. Traditionally, AMPP -- Apache, MySQL, PHP, and Perl -- have all been installed and configured as separate products. The trend of combining them into integrated middleware stacks promises to make open source development more competitive with J2EE application development, at least for low-end applications. In this article, you'll learn how to install, configure, and back up XAMPP on Mandrake Linux 10.0 and also how to configure and administer XAMPP, as well as how to install your own applications in an XAMPP environment."

Web Services

Make minor backward-compatible changes to your Web services (IBM developerWorks)

Russell Butek covers web services versioning issues on IBM developerWorks. "Web services versioning doesn't really exist. To achieve new versions of a service, you have to create a new set of WSDL/XSD files with new namespaces, essentially creating a new Web service. That's a rather drastic solution. There are some changes you can make to an existing set of WSDL and XSD files that are backward compatible so that you can evolve your service, to a limited degree, without the drastic measure of creating a new one."

Desktop Applications

Audio Applications

amaroK 1.2-beta1 Released

Version 1.2 beta 1 of amaroK, a KDE music player, is out with numerous changes.

QjackCtl 0.2.13 released

Version 0.2.13 of QjackCtl, the Qt/GUI frontend for the JACK Audio Connection Kit, has been released with minor improvements.

Data Visualization

Kst 1.0.0 Released

Kst is "a real-time data viewing and plotting tool with basic data analysis functionality." Version 1.0 of Kst has just been released; click below for the details.

MultiPlot 0.4 released

Version 0.4 of MultiPlot, an FLTK-based graph plotting utility, has been released. Here is the change summary: "new version with minor bugfixes. should now easily compile under linux and windows."

Desktop Environments

Elektrified X.org released

The Elektra Project is an attempt to rationalize Linux configuration files by bringing them all into a standard key/value pair format (apply your favorite registry analogy here). The project has just released a major proof of its concept: an "elektrified" version of the X.org server. Click below for lots of details.

KDE CVS-Digest for November 26, 2004 (KDE.News)

The November 26, 2004 edition of the KDE CVS-Digest is online. Here's the content summary: "Extended password dialog can define length and strength thresholds. Dell Laptop Buttons Plug-in for KMilo. As-you-type spellchecking with aspell. KAddressbook import/export filter GMX addressbook format. X-Face support for Kmail and KNode. New blogging resource for Korganizer."

gnome-utils 2.9.2 announced

Version 2.9.2 of gnome-utils, a collection of utilities for the GNOME desktop, is available. "The biggest change overall is that GNOME Screenshot has been moved from gnome-panel to gnome-utils."

gnome-panel 2.9.2 announced

Version 2.9.2 of gnome-panel is out. "Since gnome-panel 2.9.2, the gnome-panel uses the /apps/panel gconf directory to store its settings. The settings that were previously stored in /apps/panel/profiles will be automatically migrated."

Electronics

Open Collector Releases

The latest new electronics applications on Open Collector include new versions of annotate_gschem, gschem2xpcb, and Oregano.

Financial Applications

SQL-Ledger 2.4.5 released

Version 2.4.5 of SQL-Ledger, a web-based accounting system, has been released. Changes include a couple of bug fixes.

Games

gnome-games 2.9.2 announced

Unstable version 2.9.2 of gnome-games, a collection of games for the GNOME desktop, is out with numerous changes to individual games.

New version of 'HLA Adventure' for Linux released

A new release of HLA Adventure, a text-based adventure game, is out.

Choosing a Language for Interactive Fiction (O'Reilly)

Liza Daly introduces interactive fiction languages in an O'Reilly article. "IF languages have various structural and syntactic optimizations for writing games. Turn-based time (or even, in some cases, real time) is a built-in. It's easy to define conditions on which the game can be won or lost. An IF language already knows not only that GET HAMSTER means the player would like to perform an action called GET on an object called HAMSTER, but it also knows that PUT HAMSTER ON TABLE is an entirely different matter than PUT TABLE ON HAMSTER and that PUT NORTH ON HAMSTER is something altogether nonsensical."

Graphics

Inkscape 0.40 released

Inkscape 0.40 has been released; click below for the details. There are some major enhancements in this version, including support for layers, the ability to render text along a path, and "bitmap tracing," which turns bitmap images into vector graphics. A new set of tutorials has been added as well.

GUI Packages

Gtk2-Perl 2.9.2 announced

Unstable version 2.9.2 of Gtk2-Perl, the Perl bindings to GTK+, has been announced.

gtkmm 2.4.8 announced

Version 2.4.8 of gtkmm, the C++ interface to GTK+, is out with bug fixes and documentation improvements.

Interoperability

Wine Traffic

The November 26, 2004 edition of Wine Traffic is available with the latest Wine project news.

Multimedia

GStreamer Plugins 0.8.6 released (GnomeDesktop)

Version 0.8.6 of the GStreamer plugins has been announced. "Lots of bugs fixed in this release (44 bugzilla items closed). New polypaudio sound server plugin and support for musepack files. Another important addition to this release is support for chained ogg files, which is important for many ogg web radio streams for instance. Some important fixes to our ALSA support were also made, so people who had troubles with ALSA output with earlier releases are advised to give this one a go."

Music Applications

Hydrogen v0.9.1 is out

Stable version 0.9.1 of Hydrogen, a drum machine, has been released. Changes include a new ALSA driver, French documentation, and bug fixes.

News Readers

Liferea 0.6.4 announced

Version 0.6.4 of Liferea, the Linux Feed Reader, is available. Changes include a Polish translation, global article skimming keybindings, and bug fixes.

Office Applications

gcalctool v5.5.16 released

Version 5.5.16 of Gcalctool, the default GNOME desktop calculator, has been announced; it is considered stable. Changes include translation work.

Office Suites

OpenOffice.org 1.1.3-kde released

KDE.News has the announcement for OpenOffice.org 1.1.3-kde. This is a version of ooo-build which has been reworked to fit into the KDE environment; it uses the KDE native widget framework and features KDE icons.

KOffice 1.3.5 Released

Version 1.3.5 of KOffice has been released; this is the fifth bugfix release for this series. Changes include Breton language support, a security fix, and KPresenter fixes.

OO.o build-1.3.7 is available

Build 1.3.7 of OpenOffice.org has been announced. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to stock OO.o."

Web Browsers

Epiphany 1.4.6 released

Stable version 1.4.6 of Epiphany, the GNOME web browser, has been announced. Changes include numerous bug fixes and more.

Epiphany Extensions 1.4.3 released

Version 1.4.3 of Epiphany Extensions has been released. A security bug fix is included, upgrading is advised.

Epiphany 1.5.2 released

Unstable version 1.5.2 of Epiphany, the browser for GNOME, is out. Changes include interface improvements, bug fixes, and more.

Epiphany Extensions 1.5.2 released

Unstable version 1.5.2 of Epiphany Extensions has been announced. Changes include an important security update, bug fixes, and more.

Independent Status Reports (MozillaZine)

The November 2, 2004 edition of the Mozilla Independent Status Reports is available. Here's the content summary: "The latest set of independent status reports includes updates from mozImage, Biobar, fireFTP, Habari Xenu, Checky, citations and Linkvisitor."

Miscellaneous

Bakery 2.3.10 announced

Version 2.3.10 of Bakery, a C++ Framework for creating document-based GNOME applications, has been released. This is a bug-fix release.

gnubiff 2.0.3 is out

Version 2.0.3 of the gnubiff mail notification program is out with bug fixes and security improvements.

Languages and Tools

Caml

Caml Weekly News

The November 23-30, 2004 edition of the Caml Weekly News is online with news of the week's Caml language developments.

Java

Juggle Your Java with JDistro (O'Reilly)

Howard Wen examines the JDistro project on O'Reilly. "Appropriately enough, running multiple Java applications at once can be akin to drinking too much coffee in one sitting: You get erratic results and ultimately crash hard. But having more than one Java program running can be helpful for development. Java programmer Guillaume Desnoix wanted such a robust environment, so he created his own: JDistro."

Enhance looping in Java 5.0 with for/in (IBM developerWorks)

Brett McLaughlin looks at for/in in Java 5.0 in an IBM developerWorks article. "The for/in loop, often called either enhanced for or foreach, is largely a convenience feature in Java 5.0. It doesn't really offer any new functionality, but certainly makes several routine coding tasks simpler. In this article, you'll learn about many of those, including using for/in to iterate over arrays and collections, as well as how it can help avoid unnecessary (or just plain annoying) typecasts. You'll also learn how for/in is implemented, glean details about the new Iterable interface, and even understand how to make your own custom objects usable with this new construct."

Taming Tiger: JDK 5.0 source code licensing (IBM developerWorks)

John Zukowski examines the JDK 5.0 license on IBM developerWorks. "Sun recently released the JDK 5.0 source through the Sun Community Source License (SCSL) and Java Research License (JRL). This month, Tiger columnist John Zukowski takes a break from the details of the new release and overviews the licensing terms and what access to the source offers developers. He also provides a quick look at the surprise early access drop for Mustang, the J2SE 6.0 release."

Lisp

SBCL 0.8.17 released

Version 0.8.17 of SBCL (Steel Bank Common Lisp) is out. "The main new feature of this version is Unicode support."

Perl

Perl 5.8.6 released (use Perl)

Perl 5.8.6 has been announced. "The Perl 5 developer team is pleased to announce the Perl Release 5.8.6, the sixth maintenance release of Perl 5.8."

PHP

PHP 5.0.3RC1 released

Version 5.0.3RC1 of PHP is available. "This is the first release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."

PHP Weekly Summary for November 22, 2004

The PHP Weekly Summary for November 22, 2004 is out. Topics include: Broken pipe in fork, Overloaded class registration, CLI and go-pear in win32 installer, Binary compatibility broken, SPL's Countable, Cleanup for sprintf, libgd fonts, and Browscap.

PHP Weekly Summary for December 1, 2004

The PHP Weekly Summary for December 1, 2004 is out. Topics include: Detached processes, php_iconv_string exportable, Segfault in PHP 5, PHP 4.3.10 RC1, Additional module registration, Per-directory magic quotes, Binary compatibility and Reverted commits.

PostScript

GSview 4.61 beta release

Beta release 4.61 of GSview, a PostScript previewer, has been announced. Numerous changes are included. "Please send in bug reports before the GSview 4.7 release, scheduled for mid December 2004."

Python

Python 2.4 released

Python 2.4 is out; this is a major release which adds a number of new features to the language. Click below for the announcement, or see the Python 2.4 page for download and change information. There is also a 2.4 highlights page for those in a hurry.

ActivePython 2.4.0 build 243 is available

Build 243 of ActivePython 2.4.0, ActiveState's quality-assured binary build of Python, is out. "This is a release candidate matching the recently tagged core Python 2.4.0. Builds for Linux, Solaris and Windows are available."

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 23, 2004 edition of Dr. Dobb's Tcl-URL! is out with the week's Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Mapping and Markup, Part 1 (O'Reilly)

John E. Simpson discusses the Geography Markup Language (GML) on O'Reilly. "Geography Markup Language (GML), now at Version 3.1, is a specification of the Open Geospatial Consortium (OGC). (This standards body was formerly known as the Open GIS Consortium--GIS being an acronym for Geographic Information Systems.) If you're used to W3C-sized specs--even behemoths like XML Schema--you'd better sit down before glancing at the GML "Recommendation Paper"; it's a monster, weighing in at over 600 PDF-formatted pages, supplemented by nearly three dozen separate schemas."

Comments (none posted)

Location, Location, Location (O'Reilly)

Uche Ogbuji writes about XML locations in an O'Reilly article. "It is often useful to keep track of the location of some data in an XML file being processed. If you are parsing a file in order to perform sophisticated search and analysis tasks, you may want to know in which element or other such node a specific pattern was found (or even at what file location). XPath is the standard way to convey the location of an XML node. In the case of DOM, you might like to be able to compute an XPath expression selecting a specific node. In the case of SAX, you might want to have an XPath location for a current event, or you may want to get information on a current file location from the parser. In this article, I cover techniques for figuring out such location information. Along the way, I shall be providing some examples of marginally documented corners of Python's SAX libraries."

Comments (none posted)

Build Tools

NAnt 0.85 Release Candidate 1 available (SourceForge)

Version 0.85 Release Candidate 1 of NAnt has been announced. "NAnt is a free .NET build tool, allowing applications to be built targeting both Microsoft .NET and Mono while supporting both win32 and Linux." See the latest release notes for change information.

Comments (none posted)

Editors

gedit 2.9.2 released

Version 2.9.2 of gedit, the official text editor for GNOME, is out with lots of bug fixes and translation improvements.

Full Story (comments: none)

IDEs

DrPython 3.7.0 released (SourceForge)

Version 3.7.0 of DrPython, a cross-platform Python IDE, is available. "I added Optional Text Drag and Drop (Thanks Robin Dunn), and finally nailed the encoding bug (swedish character display). The Plugin List is now updated from the website, so version numbers do not need to be updated by developers." See the announcement for the full list of changes.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Torvalds: GPL Needs Minor Work (eWeek)

eWeek talks with Linus Torvalds about the GPL v3. "I'm a big-picture thinker when it comes to licenses, which really means that in the end, I don't care as much about the actual details as Eben [Moglen] does. So, no. My concerns about a GPL [Version] 3 aren't the same as his. My biggest concern is that licenses are something ... personal to developers, and even trivial modifications to the GPL will cause endless debates, and that can easily derail any attempts to improve it. In the end, while I certainly don't tend to agree with the FSF on all the politics, I think the fact that the FSF does control the license and [FSF founder] Richard Stallman has a lot of respect in the community means that a new license is possible."

Comments (10 posted)

Linux for Suits: Grass Roots vs. Giant Roars (Linux Journal)

Doc Searls wonders what happened with the Consumer Electronics Linux Forum (CELF). "Even if CELF eventually does produce a working distro, it reminds us in the meantime that Linux is fundamentally a grass-roots phenomenon. It's bottom-up, not top-down. I don't mean to discredit IBM, HP, Novell, Oracle or any of the other BigCos that promote Linux, support its development and fly the penguin flag. I do mean to credit the little guys who not only develop Linux, but deploy it in the marketplace. Especially the ones who deliver and not merely promise."

Comments (1 posted)

The 1994 USL-Regents of UCal Settlement Agreement (Groklaw)

Groklaw has come up with a copy of the (formerly) secret settlement agreement between Unix System Laboratories and the University of California. "Now we know why SCO keeps telling us the case is 'just a contract' case, why it has a penchant for suing only those who are, or were, their licensees, and why it sued IBM instead of Red Hat. USL preserves its rights against licensees under the license agreements. I see no expanded rights against third parties who are not licensees, just the preexisting right to try to sue them, with the same likely outcome that USL experienced when it tried to sue the University and BSDi, using the same lame copyright claims that the judge back then found so unconvincing."

Comments (4 posted)

Trade Shows and Conferences

Inside EuroBSDCon 2004 (O'ReillyNet)

O'ReillyNet reports from EuroBSDCon 2004. "Jordan kept pushing the button on innovations. Where is the alternative thinking? In the Linux world, if there is new hardware, an idea, or a project, there's always someone who stands up and starts working on it. Maybe that person will not complete what he or she started or maybe the result will be of low quality, but at least someone tried to contribute. This doesn't happen in the BSD world."

Comments (9 posted)

The SCO Problem

SCO motion to stay DaimlerChrysler denied (Groklaw)

Groklaw reports that an attempt by the SCO Group to put the DaimlerChrysler case on hold until the IBM case is decided has been denied by the judge. "I think we may be seeing the first indication of what happens when you put a cap on legal fees. Moral of the story? Pay your lawyer." The next hearing in this case (which now just relates to whether DaimlerChrysler responded quickly enough to SCO's demands) is on January 7.

Comments (1 posted)

Companies

Intel more active in desktop Linux (News.com)

News.com reports that Intel will be shipping desktop Linux installation kits along with its processors to OEMs in Asia. "The kit includes driver software, which enables use of specific hardware features; scripts to quickly install software that has been validated to work with various versions of Linux; and a program called the Application Version Compliance Tool that checks to make sure programs are compatible with those Linux versions and Intel electronics."

Comments (1 posted)

Lycos screensaver to blitz spam servers (Register)

The Register reports that Lycos has come up with a new approach to spam: distribute a "screen saver" which performs distributed denial of service attacks against spammer sites. "A spokesman for Lycos in Germany told The Register he believed that the tool could generate 3.4MB in traffic on a daily basis. When 10m screensavers are downloaded and used, the numbers quickly add up, to 33TB of 'useless' IP traffic. Seems Lycos may hurt not just spammers."

Comments (10 posted)

Linux Adoption

A Year of Victory for Linux (eWeek)

eWeek reports a good year for Linux. "Who's using Linux? Everybody. Small companies, Fortune 50 enterprises, nonprofits, governments. Everybody. Why? Because, when you cut through all of the FUD (fear, uncertainty and doubt), all of the bought and paid-for ROI (return on investment) and TCO (total cost of ownership) studies, all of the intellectual property fears, the bottom line is that Linux simply works."

Comments (8 posted)

Linux slashes costs for bank giant (ComputerWeekly)

ComputerWeekly looks at Linux use at Dresdner Kleinwort Wasserstein. "One of the biggest investment banks in Europe is using Linux for up to 70% of its new IT projects after finding that running the open source operating system on Intel-based servers cut running costs by nearly half."

Comments (6 posted)

The real cost of open source (FCW.com)

This Federal Computer Week article covers the adoption of open source software by the U.S. Marshal Service. "For the past few years, the Marshal Service has been replacing SCO Group Unix with Linux in some back-office systems. Earlier this year, officials began implementing JBoss Web application servers, another open-source package, across the agency's 94 district offices. Traditional commercial alternatives would have cost $50,000 per processor in software licenses, and 'that would have been cost-prohibitive,' Campbell said. 'JBoss is free upfront; we only have to pay for maintenance.'" (Thanks to David A. Wheeler)

Comments (15 posted)

Legal

Linus Torvalds gets software patents wrong, says attorney (Out-Law)

Out-Law.com is carrying a critical response to Linus Torvalds on European software patents. "Torvalds and his supporters lack a fundamental understanding of intellectual property rights as they seem to be unaware that copyright can only protect software code, and not software inventions. Allowing for patent protection on software inventions is a requirement of the World Trade Organisation's TRIPS agreement which states that patents must be available in all fields of technology." (Thanks to James Heald).

Comments (69 posted)

Interviews

Scott Wheeler: Perspectives on KDE Multimedia (OfB.biz)

Eduardo Sánchez interviews Scott Wheeler, KDE multimedia hacker, on Open for Business. "SW: The beginnings of the introduction of aRts into KDE took place at the KDE 2 meeting. It did indeed show quite a bit of promise. Stefan pitched it to the GNOME folks at GUADEC (Gnome Users and Developers' European Conference) one year as well. aRts continued to move along for a few years and kind of reached a high point in terms of stability in 2001 or so. But as you mentioned, it was mostly developed by Stefan Westerfeld --in fact it was almost exclusively developed by Stefan, which when he became somewhat disenchanted with it eventually led to problems. I suppose we can understand those in the context of a few things that happened --or rather didn't happen." (Found on KDE.News)

Comments (none posted)

Postfix's Wietse Venema Interviewed (Linux IT)

Linux IT talks with Postfix creator Wietse Venema. The interview is available in English and in Portuguese. "How and when did the idea of making Postfix start?
When I came to IBM research as a visiting scientist late 1996, I had a little list of projects that I wanted to work on. One of those was to build a mail system with the same quality as my TCP Wrapper software: something that just does the job without causing trouble, and that you can forget after you install it. At the time, there were four CERT/CC advisories for Sendmail each year."

Comments (1 posted)

Resources

Network and Identity Configurator for Linux (IBM AlphaWorks)

IBM AlphaWorks introduces a new configuration tool. "Network and Identity Configurator for Linux® (NICL) is a tool that enables easy changing of the system name and network address of Linux systems and IBM middleware. It employs a BASH script that can save multiple man-months in system configuration time. This tool was developed within IBM for administrating an internal block of Linux systems."

Comments (3 posted)

Wireless on the Road (Linux Journal)

Linux Journal looks for wireless connections in out of the way places. "Wireless Internet access has become easy to find in large cities. But I take vacations in more out-of-the-way places, where "the Internet" still is a new concept. Getting Internet access in most small towns isn't always a straightforward task. Here are some tips that might help you keep your Linux laptop connected on your next trip."

Comments (none posted)

Reviews

Open-Source payroll application launched (ZDNet UK)

ZDNet looks at a new payroll application. "Clockwork Software Systems launched PayThyme, an open-source payroll application, in Birmingham on Thursday. At the company's launch event in Birmingham, Clockwork business manager Jim Welch said it was initially supplying the software pre-installed on hardware, but will supply it as an individual, supported product in 2005. The source code of the product will be available for free download from the company's Web site in two weeks."

Comments (2 posted)

The sweet taste of good customer relations (NewsForge)

NewsForge takes a look at SugarCRM. "Sugar Sales should be able to satisfy most of the CRM needs of small to medium-sized businesses. As an open source product built to run on top of other open source products, Sugar Sales offers the same cost-effectiveness you find with any open source product, and it has an impressive feature set for the time it has been in development. That means we can reasonably expect it to improve quickly too."

Comments (39 posted)

The open source wiki behind Wikipedia (NewsForge)

NewsForge reviews MediaWiki. "From a user perspective, MediaWiki provides a simple, feature rich environment for editing and contributing content. Content is handled with a simple WYSIWYG editor that makes editing accessible to anyone by default even without a login. All articles also have a discussion tab that allows readers to comment on the article as well as a history tab that lets you view version history when edits have been made. Its ease of use has no doubt been a contributing factor in the growth of Wikipedia."

Comments (8 posted)

Miscellaneous

Why Install Linux on Your Mac? (O'ReillyNet)

O'ReillyNet wonders why anybody would replace OS X with Linux. "If you want some element of Linux -- access to certain tools and development environment capabilities, for example -- what you require is already built into Mac OS X. But if you wish to go further, to take maximum control of your computer, and do so on some of the best quality hardware around, Linux makes a lot of sense on a Mac. It offers the kind of low-cost, easy-to-use, properly scalable system that Apple's commercial offering just can't match."

Comments (4 posted)

VA drives open-source health records initiative (FCW.com)

Federal Computer Week looks at the reuse of code from the Department of Veterans Affairs. "Twenty-year-old software developed by the Department of Veterans Affairs could serve as the low-cost building block of a nationwide electronic health care record (EHR) system President Bush wants officials to deploy within the next decade, according to health management experts." (Thanks to David A. Wheeler)

Comments (3 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

U.S. Senate passes copyright bill

Public Knowledge has put out a release on the copyright bill that just passed in the U.S. Senate. It would seem that reason has prevailed in the end; all of the worst provisions, including silly language that might have prohibited skipping over commercials, have been removed. "We are also pleased that HR 4077 was dropped from the bill that passed. That legislation would have lowered the standard for copyright infringement. The Senate also wisely removed the PIRATE Act, which would have made the government the entertainment industry's private law firm at taxpayer expense."

Comments (6 posted)

Please participate in the 5-minute OpenOffice.org installed base survey!

The folks at OpenOffice.org are requesting your participation in a survey. "The results will be published in the December issue of the OpenOffice.org newsletter. The goal of this survey is to get a better understanding of the usage and distribution of OpenOffice.org."

Full Story (comments: none)

PEPFAR Software Inventory Report Evaluates Open Source Software (LinuxMedNews)

LinuxMedNews reports on the review of open-source medical software by the President's Emergency Plan for AIDS Relief (PEPFAR). "Open source software, including OpenEMR, is evaluated in the President's Emergency Plan for AIDS Relief ('PEPFAR') Software Inventory Report for use with HIV and AIDS. PEPFAR 'FY 2005 budget requests $2.8 billion for fighting AIDS globally, which more than triples the investment since 2001.'"

Comments (none posted)

FSFE becomes WIPO observer

The Free Software Foundation Europe has announced that it has been accepted as an observer to the World Intellectual Property Organization. "In the scope of the FSFE WIPO project team, the FSFE will work with other players to change WIPO from an organisation that is solely oriented towards monopolisation of knowledge to one that is aimed at increasing the intellectual wealth of all of humankind through a more flexible, sustainable and effective tool set."

Full Story (comments: 2)

Commercial announcements

CFS Announces Early Success for Lustre File System

Cluster File Systems, Inc. has announced the use of its Lustre file system on HP clusters. "The HP StorageWorks SFS product utilizes the Lustre file system's object-based architecture to deliver breakthrough I/O bandwidth for Linux clusters. Building on this CFS(tm) technology, HP SFS enables users to deploy a single file system image on clusters with as many as tens of thousands of CPUs that are capable of throughput in excess of tens of gigabytes per second."

Comments (none posted)

IDC's survey of the server market

IDC has put out a press release summarizing its view of the server market - which appears to be doing well. "Linux server revenues surpassed $1 billion in quarterly factory revenue for the first time in 3Q04. Linux server revenues showed 42.6% growth, while unit shipments grew 31.7%, reaching 9.2% of overall quarterly server revenue. Worldwide investment in Linux servers for both technical and commercial workloads remains strong as the platform continues to expand its presence in data centers around the world. HP maintained its number 1 spot in the Linux server market, with 26.9% market share in terms of revenue, while IBM was second with 20.5%. Dell maintained the third spot with 17.4% of Linux server spending."

Comments (none posted)

Mandrakesoft completes a profitable year

Mandrakesoft has published its shareholder newsletter for the end of the 2003/2004 fiscal year. The bottom line: an €860,000 profit - not bad for a company which was still in bankruptcy at the beginning of the year.

Comments (2 posted)

Red Flag Offers Opera to Chinese Users

Red Flag Software has announced that the newest version of the Red Flag Desktop operating system will include the Opera browser.

Full Story (comments: none)

Sourcefire Launches Snort Scholarship Program

Sourcefire, Inc. will celebrate Snort's two millionth download by awarding two $5,000 scholarships to computer science students at any college or university that uses Snort as a teaching tool or to help secure its infrastructure.

Comments (none posted)

VA Linux Announces Release of 'VA Directory'

VA Linux has announced the initial release of its 'VA Directory' product. "VA Linux Systems Japan K.K. (VA Linux), a leading provider of Linux solutions for the telecommunications and enterprise system markets, today announced it will release 'VA Directory', a new LDAP directory service server software for large-scale enterprise systems. Advance sales of the VA Directory solution will begin immediately, while delivery and full customer support for the system will be available from January, 2005."

Full Story (comments: none)

New Books

"High Performance Linux Clusters" Released by O'Reilly

O'Reilly has published the book High Performance Linux Clusters by Joseph D. Sloan.

Full Story (comments: none)

KDE-Netherlands Presents Linux Book for Newbies

KDE.News looks at a new Linux book. "During this summer while aKademy was filling our minds and consuming our time other things were cooking in the Dutch KDE community. Some people from KDE-NL, the Dutch KDE community, were offered the opportunity to write a book about Linux and KDE. This month the book 'Linux in 10 minuten' was published and officially launched by Pearson Education Benelux and KDE-NL."

Comments (none posted)

"SWT: A Developer's Notebook" Released by O'Reilly

O'Reilly has published the book SWT: A Developer's Notebook by Tim Hatton.

Full Story (comments: none)

"Head First Design Patterns" Released by O'Reilly

O'Reilly has published the book Head First Design Patterns by Eric Freeman and Elisabeth Freeman with Kathy Sierra and Bert Bates.

Full Story (comments: none)

"Unit Test Frameworks" Released by O'Reilly

O'Reilly has published the book Unit Test Frameworks by Paul Hamill.

Full Story (comments: none)

Resources

The 2004 Perl Advent Calendar

It's December, so, inevitably, the 2004 Perl Advent Calendar is out. This site features a new bit of Perl goodness each day through the 25th.

Comments (none posted)

Perl Debugger Quick Reference (O'Reilly)

O'Reilly has released a downloadable version of their Perl Debugger Quick Reference card. "Perl's debugger is powerful but somewhat esoteric. The core perldebtut tutorial is a good introduction, but who wants to skim through pages of documentation when you only need a quick refresher on the syntax of a command? Let this printable (PDF) Perl Debugger Quick Reference card, excerpted from Richard Foley's Perl Debugger Pocket Reference, be your guide instead."

Comments (none posted)

Contests and Awards

GIMP 2.2 Splash Screen Contest (GnomeDesktop)

A GIMP 2.2 Splash Screen Contest has been announced. "With the imminent release of the GIMP 2.2, the time has come to find the ideal splash screen to go with it. The GIMP website is running a splash contest for this. Now is your chance to join the ranks of the precious few who have had their artwork associated with a major release of the GIMP!"

Comments (none posted)

Upcoming Events

UMeet 2004 Virtual Conference

The UMEET virtual conference will be held from December 9-22, online. "This year UMEET reaches its fifth edition. It is a virtual conference that can be followed using WWW, mailing list and IRC. As in previous years we will have very important speakers and, as in previous editions, we are also open to your proposals and collaboration."

Full Story (comments: none)

UK Pure Data Workshops in November and December

Aymeric Mansoux and Derek Holzer will present a series of workshops and demos of open-source music software across the UK from November 30 through December 21, 2004. "While many tools exist for sound, multimedia and VJ purposes, few of them are designed with an open architecture which allows artists to configure the tools they use themselves. Fewer still are free to use, share and rebuild. This workshop introduces the software combination of Pure Data, GEM and PDP/PiDiP, running on the Linux operating system, as a platform for audio, video and multimedia artists to explore."

Full Story (comments: none)

Boston LinuxWorld Keynotes Announced

LinuxWorld Conference & Expo has announced the keynotes for the 2005 event in Boston, Mass on February 14-17, 2005. "Representatives from Novell, HP, Computer Associates (CA), Attitude LLC and MySQL AB will deliver keynote presentations detailing how companies have achieved higher profits and increased productivity by utilizing Linux."

Comments (none posted)

Dutch Perl Workshop 2005 (use Perl)

Use Perl has an announcement for the 2005 Dutch Perl Workshop. "The second Dutch Perl Workshop will take place on February 25, 2005. Nearly all talks will be in Dutch, so we target purely the large community of perl users in the Netherlands and Belgium."

Comments (none posted)

Bellua Cyber Security Asia 2005 CFP

A call for papers has gone out for the Bellua Cyber Security Asia 2005 conference. The event will take place in Jakarta, Indonesia on March 21-24, 2005.

Full Story (comments: none)

OOoRegiCon North America 2005 CFP

A Call for Papers has gone out for the OOoRegiCon North America 2005 conference. The event will take place in conjunction with the Desktop Linux Summit on February 9, 2005 in San Diego, CA. "The acceptance deadline for abstracts is December 10, 2004."

Full Story (comments: none)

LinuxWorld Conference and Expo Launches in Russia

IDG World Expo has announced the 2005 LinuxWorld Conference & Expo(R) Russia. "The show will follow the successful format of other LinuxWorld events, and will take place from 7-9 September 2005 at Moscow's premier exhibition center - Gostiny Dvor, a stone's throw from the Kremlin and in the very heart of Moscow's business and government district."

Comments (none posted)

Events: December 2, 2004 - January 27, 2005

Date | Event | Location
December 2 - 3, 2004 | Australian Open Source Developers' Conference (Monash University) | Melbourne, Australia
December 2 - 3, 2004 | Linux Bangalore 2004 (Indian Institute of Science) | Bangalore, India
December 4, 2004 | Lightweight Languages 2004 (LL4) (MIT Stata Center) | Boston, MA
December 5 - 18, 2004 | Ubuntu Conference | Mataró, Spain
December 9 - 22, 2004 | UMeet Virtual Conference | On the Net
December 13 - 17, 2004 | JavaPolis 2004 (MetroPolis Antwerp) | Antwerp, Belgium
December 27 - 29, 2004 | Chaos Communication Congress (21C3) (Berliner Congress Center) | Berlin, Germany

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds