The Linux Core Consortium is an effort by Conectiva, Mandrakesoft, Progeny
and Turbolinux to create a single, Linux Standard Base-compliant core
distribution which each distributor can then use as a base for their
products. The idea is to share some of the distribution engineering work
and, simultaneously, to create a widely distributed, standard platform
which independent software vendors can target for their products. See
this LWN article for more information on the
LCC.
Bruce Perens has recently proposed to the
Debian project that it work with the LCC. There are, according to
Bruce, a few reasons why Debian would want to do that:
The first is that we should be influencing this group to do things
the Debian way, where that is important. The second is that the
group plans to lower the overhead of hardware and application
vendor certification for all of its participants, and we could
really use that sort of support. The third is that the group would
make certification by LSB and other standards bodies easier for all
of the participants.
Ian Murdock, the founder of the Debian project, has his own reasons for encouraging Debian to
join:
How does Debian benefit from LCC? It's a route to the ISV and IHV
certifications that Debian has always lacked, and it is the lack of
these certifications that's preventing Debian from standing
alongside Red Hat and Novell/SuSE in the commercial space despite
comparable (and arguably greater) popularity. The industry simply
doesn't know how to engage us, and LCC provides them with a vehicle
for doing that.
Appealing to vendors of proprietary software has never been high on the
Debian Project's list of priorities. Ian claims that vendor support is
important, however, if Linux is to remain an open, free platform in the
increasingly commercial context in which it operates.
Working with the LCC would, essentially, require Debian to help develop,
and then distribute, a set of standard binaries used by all LCC-based
distributions. All of these distributions would use the same (binary)
kernel, the same libraries, and many of the same configuration mechanisms.
The use of identical binaries goes beyond the requirements of the LSB,
which only requires that the same binary interface (ABI) be available. Ian
claims that the LSB approach has proved to
be insufficient:
...while there are numerous LSB-certified distros, there are
exactly zero LSB-certified applications. The reason for this is
that "substantially the same" isn't good enough--ISVs want *exactly
the same*, and there's a good reason for that, as evidenced by the
fact that while Debian is technically (very nearly) LSB compliant,
there are still a lot of edge cases like file system and package
namespace differences that fall outside the LSB that vastly
complicate the "certify to an ABI, then support all distros that
implement the ABI as defined by whether or not it passes a test
kit" model.
As one might imagine, there is some resistance within the Debian Project to
distributing a set of binaries (including the kernel) provided by an
outside organization. It will be a hard sell; from your editor's reading
of the debate, the early signs are that the Debian developers aren't buying
it. Debian users like to have a great deal of control over their systems,
and the LCC looks like a way of giving up some of that control with no
immediate benefits in sight.
Comments (16 posted)
A recent debate between KDE developers raises an interesting question: Does
it help or hurt to port open source applications to closed platforms, such
as Windows? One
side argues that availability of open source applications on Windows diminishes
the chances that users will choose to migrate to Linux or *BSD. The other side argues
that open source on Windows can bridge the gap between Linux and Windows,
thus making it easier for users to (eventually) migrate.
First, there is the question of goals. While Microsoft has a coherent set
of goals, the open source community does not. Some projects are dedicated
to spreading open source as an end unto itself, others just see open source
as the best model for their specific project. If the goal is simply to
foster adoption of a specific application, like Firefox or OpenOffice.org,
then porting that application to Windows is without question the right
strategy. The vast majority of desktop users are on Windows, and it makes
little sense to ask users to switch operating systems to use one
application.
However, if the goal is to spread open source in general, then one has to
wonder whether users are likely to migrate to a new operating system if the best applications for
that system (or most of them, anyway) are also available on the closed system that
they're familiar with. The vast majority of users are motivated by factors
other than licensing.
This is not the first time the debate has been raised, nor is it likely to
be the last. However, this may be a good time to look at the
situation. Linux is acknowledged as a mainstream server operating system,
but still looked at as a fringe desktop operating system. Desktop
applications on Linux are starting to reach parity in ease-of-use and
feature sets with their Windows counterparts, thus making it a viable
platform for Windows users to migrate to, should they so choose. At the
same time, many of those applications are available on Windows, allowing
Windows users to adopt open source applications without migrating away from
Windows. If this is the final result, then most Linux users would see
porting open source applications to Windows as undesirable. As Aaron Seigo
writes:
The more software we port to Windows the more we reinforce this application
availability imbalance and strengthen the user's inertia to stay on
Windows. If users had to make a choice between Windows or Linux (or BSD)
when it came to getting access to better applications they would find they
had a motivation to switch. And switch they would.
There is, however, the possibility that users will be more likely to adopt
Linux or *BSD if they have a positive experience with some of the open
source applications on Windows. Change is scary for many users, and it may
be better to provide a means to gradually adjust to open source platforms
rather than expecting a user to plunge in headlong and learn to swim right
away. It's also worth considering that many Windows users would never be
exposed to open source applications if they are not available on
Windows. It's one thing to hear wonderful things about OpenOffice.org,
Firefox, The Gimp, Apache or KDE, but another thing entirely to actually
use those applications and become comfortable with them.
For organizations, the gradual approach may be the best way to ensure the
adoption of open source. As "pipitas" argues:
Even at the present stage there is a considerable share of IT decision
makers in enterprises and government bodies who seriously evaluate options
and costs of a switch over. For most, it now looks like "all or nothing,"
and a big jump. A too big one in many cases. So they refrain. So they sign
another 5 year contract with MS...
To chop the task into smaller pieces, to take the direction, but only a few
steps for now, to smooth the transition out over a period of time is very
difficult. And it costs. Not only do you have to train the users. You also
need to re-train the IT teams. So Microsoft is of course playing on the
card of Total Cost of Ownership (TCO), with a liiiiiittle bit of (every
marketeer's) exaggeration, but with a tiny bit of valid argument too. They
keep winning, albeit often by a small margin. And they even start losing
some rounds, lately.
Both sides make compelling arguments. There are, no doubt, users and
organizations that will adopt a handful of open source applications and
stop there. Other users and organizations will adopt Firefox,
OpenOffice.org and other open source applications and decide to go
further.
In the end, however, it's hard to argue for spreading open source by
restricting users' choice. Most Linux users resent Microsoft for
restricting their choices when using Windows, so it's somewhat hypocritical
to suggest that Windows users should have to make an "all or nothing"
choice to use Linux or *BSD to benefit from open source. While there's a
risk that users will choose to stay on Windows, it's the ability to choose
that led most of us to Linux in the first place.
Comments (27 posted)
The Ubuntu Conference was already in full swing by the time I arrived, late
last Friday. Canonical employs thirty-seven people, located in twelve
countries, and most of them are here in Mataró. For some this is their
first chance to meet and talk to fellow developers face to face. The
entire conference has been a series of workshops, BOFs and hack sessions
all revolving around Ubuntu, LaunchPad and the various components of
LaunchPad. A few visitors have joined in here and there, but only the
sessions
last Saturday were targeted to
visitors. Presentations have mostly been in English, although Saturday's
sessions were translated into Spanish and Catalan for the benefit of the
many Spanish visitors. People drift in and out, but overall attendance
averages around fifty people, and at least double that on Saturday.
The conference is located at the Hotel NH Ciutat de Mataró, also home for
most of the Canonical staff and your LWN editor. A typical day starts out
with a buffet breakfast in the hotel dining room. All Canonical staff meet
in the main conference room at 9:00 AM before breaking into smaller groups
to talk about and hack on the various projects. The hotel provides a pack
lunch so people can munch and continue working. By around 8 or 9 PM it's
time to head for dinner at one of the many restaurants in Mataró. This is
also done in smaller groups as some continue hacking until late and some go
looking for different types of food. Mataró is on the Mediterranean coast
so the weather is mild. Natives wear coats and scarves and hats, but those
of us from more northerly climes find it pleasant with no more than a light
jacket even late at night.
Canonical projects underway here at the conference include Ubuntu and the
upcoming Hoary Hedgehog release, the proposed KDE version called Kubuntu
and the application suite LaunchPad, with many a late night hack session
devoted to one of the LaunchPad applications. For more on LaunchPad and
its applications see Ubuntu Conference: The
LaunchPad workshop. Briefly, the applications so far are the
translation tool Rosetta, package manager Soyuz, version control system
Bazaar, and bug tracker Malone.
I chatted with Canonical founder Mark Shuttleworth briefly on Wednesday
over lunch and asked him how Canonical plans to make money. Ubuntu is free, and
LaunchPad will be free to use, but Canonical does aim to make some money in
support. Additionally, he hopes to get some government grants to build
localized distributions. By using the still incomplete LaunchPad suite it
will be easy to create distributions for a wide variety of the world's
subcultures.
For now he keeps costs low by limiting the number of
developers assigned to any particular project and by not having a
centralized office, and enjoys Python hacking with his staff of talented
developers. He also knows what he's willing to spend to make Canonical
self-sustaining and how long that should take (though he did not share
details with your editor). If it doesn't happen he'll
pull the plug and move on. We're hoping that it does work out and
Canonical will manage to survive, not only because Ubuntu is a nice
distribution and quite stable on this laptop, but also because if LaunchPad
can become the suite that Mark envisions, it could be as revolutionary as
Linux itself. For now LaunchPad remains largely vaporware, with the
exception of Rosetta, so it is too soon to tell if it can really live up to
its potential, but with the team that Mark has put together it stands a
good chance.
This is Rebecca Sobol reporting from Mataró Spain.
Comments (none posted)
Here at the Ubuntu Conference in Mataró Spain, Canonical developers are
meeting with each other and with representatives of the Spanish government
and other guests to talk about Ubuntu and LaunchPad, an application suite
currently in development at Canonical. This article focuses mainly on the
workshops that took place on December 11, wherein government representatives
and other guests were treated to a view of some of the LaunchPad
applications.
The workshops began with an introduction by Mark Shuttleworth (right) and
Carlos González, from the Secretaria de Telecomunicacions i Societat de la
Informació de la Generalitat de Catalunya. Attendees included other
government representatives, members of the Hispalinux community, the local
press, and your roving LWN reporter.
Carlos explained that Mataró is located in Catalunya, where Catalan is the
local language and the local Linux distribution is Càtix. Other regions in Spain
have their own language and culture, and each region wants to preserve
that language and culture, and this is reflected in a variety of local
Linux distributions customized into the various local languages.
Alfonso de Cala, of Guadalinex, was the
next speaker, leading a brainstorming session aimed at identifying the
problems and frustrations of Linux developers throughout Spain. He noted
that this diversity of cultures within Spain has led to the creation of
numerous derived Linux distributions, with little or no collaboration
between developers. Not only are distributions localized for the region,
they are also tailored for use by different types of users. This has led to
much wasted effort as developers from around the country each tackle the
same problems and independently maintain a shared code base. The end
result is more fragmentation, when what is needed is more shared code and
collaboration.
During Alfonso's presentation we learned that the second version of
Guadalinex has been released and that thousands of people use Guadalinex in
schools, at home and at work. Guadalinex offers technical and
non-technical support. Also Guadalinex shares many of the same problems
that are faced by developers around Spain and around the world. Here is a
short list of areas, as identified by the audience, in which small
distributions, particularly those derived from larger distributions, are
having problems.
- Bugs: All software projects have bugs. Many end-users don't
know how to send in a bug report or where to send their bug report.
Bug tracking is not synchronized with upstream. Users of a stable
(old) release want bugs fixed, but developers are more interested in
the newest release. If all bugs are reported to one person, that
person gets swamped, so there needs to be a better way of
determining where bugs should go. Developers want bug reports but
they don't need to wade through many reports for the same bug.
- Translations: Translations can be difficult. A user interface
might be translated many times, some translations will be better
than others, but the best translations may never be incorporated upstream.
- Support and Training: In open source software the components
of a distribution come from many sources. Who does the end user go
to for support and training?
- Hardware: Many types of hardware are supported, but a small
distribution doesn't have access to all hardware. Even a stable
Enterprise distribution needs to be able to support new hardware.
- Code Management - Branding and Configuration: Code needs to be
customized without breakage. Changes need to be compatible with
upstream. Users should be able to tweak the configuration in a way
that remains supportable.
- Standardization and Convergence: All distributions need a
standard base, a standard user interface, and standard configuration
tools. The standard needs to allow for desired diversity. It needs
to be easier for people who don't speak English to be involved and
contribute to projects.
- Certification: Companies need to run a distribution that is
certified for those third party applications (like Oracle) that they
need. Localized distributions can not get certified easily.
- Distribution creation tools: Better tools are needed.
- Release schedules: Coordinating distribution release schedules
with the schedules of the applications they include.
Once the problems were identified it was time to talk about how LaunchPad
might provide at least some of the solutions. The three LaunchPad
applications closest to release are Rosetta, Malone and Soyuz. We should
note here that while LaunchPad tools are designed to be used with open
source software, they will not themselves be released as open source, at
least not initially.
Rosetta: Due for its first release this week, Rosetta may be out by
the time you read this. This translation tool provides an easy-to-use web
interface for translators, making it easy for a non-technical translator to
provide a translation for an application. How does that work? Take any
application included in your distribution. The user interface is typically
presented in English. To localize the application you could go into the
code and change all the strings to the language of choice. Then you'll
have to recompile, deal with any introduced errors, and have a version of
code that is different from upstream. Worse, the process starts over with
each update to the application, even when the application's interface
remains the same.
Now imagine that you have translators from all over the world who use Rosetta's
interface to edit a POTemplate (or POT file) for that application. The
application needs only to be aware that POT files exist to present the end
user with an interface in their chosen language. New translations can be
added and existing translations can be improved without any change to the
code. Rosetta keeps track of translations and can export new or improved
translations back to the original application. Rosetta can also show you
your entire distribution to see what has been translated, and what still
needs to be translated.
Right now Rosetta only works with code, changing the face of the
application for the non-English speaking user. Later releases of Rosetta
will be able to handle man pages, DocBook and OpenOffice
documents, and do spell checking. Those interested in using Rosetta may
join the mailing list at rosetta-users@lists.ubuntu.com .
Malone: Another piece of LaunchPad is Malone, an extraordinary bug
tracking tool. Malone is for developers, not for end users to fill with
their bug reports. It will coordinate with other tools such as Bugzilla,
tracking bugs both upstream and between distributions. A developer using
Malone will be able to see if a bug has been fixed, and where it was fixed
so that the fixes can be incorporated into their own distribution. Expect
to hear more about Malone in early 2005.
Leading up to a brief look at Soyuz, a central tool in LaunchPad's
arsenal, Benjamin "Mako" Hill and Ismael Olea led a discussion on
collaboration and convergence. Various barriers to collaboration and
convergence were identified, some political, some practical. The more
distribution developers can work together the better it gets. When
developers can not or will not collaborate then they will duplicate each
other's work, sometimes fragmenting the code as application A in
distribution Z diverges from the same application in distribution X.
A few of the barriers to collaboration and convergence include government
secrecy, lack of communication/language barriers, geography/time zones,
different deadlines and priorities, lack of resources, infrastructure,
branding, unrealistic requirements, different hardware/architectures, and
so on. The idea of LaunchPad is to provide tools that will eliminate as
many barriers as possible, so that all Linux distributions can share more
and developers can spend less time reinventing the wheel. Soyuz is the
package tracker, helping the developer to track the packages in the
distribution, upload and build source, track bugs, keep information about
the packages and their maintainers and provide a wrapper around the version
control system. LaunchPad's version control system is called Bazaar and
it's forked from Arch. But that's a story for another article.
This is Rebecca Sobol reporting from Mataró Spain.
Comments (12 posted)
As has become our tradition, we will not publish the LWN.net Weekly Edition
the week of December 30. We'll return to the usual schedule with the
January 6, 2005 edition. The daily updates will continue to happen
over the holidays.
For various reasons, the 2004 Linux Timeline will be released a little
later than usual. Rest assured that it is in progress, and that it will be
out by the end of the year.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
The Linux kernel has seen a great deal of code auditing work. Even so,
longstanding security issues turn up regularly. Consider, for example, the
__scm_send() vulnerability recently
disclosed by Paul Starzetz. This problem, present in the 2.6.9 kernel,
is also present in 2.4; it has been there for some years.
This particular vulnerability hits the kernel socket API. Messages sent
with the sendmsg() system call can have, embedded within them,
control messages which can be used to transfer certain access rights to the
recipient of the message. The control message header is defined as:
    struct cmsghdr {
        __kernel_size_t cmsg_len;   /* data byte count, including hdr */
        int             cmsg_level; /* originating protocol */
        int             cmsg_type;  /* protocol-specific type */
    };
These control messages are passed to __scm_send() for checking.
One of the first things done with each control message is to look at the
length of the message; the 2.6.9 code which performs this check looks like
this:
    if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
        (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
                        + cmsg->cmsg_len) > msg->msg_controllen)
        goto error;
The programmer who wrote this code probably thought that all the bases were
covered: the control message length was verified to be at least the minimum
necessary, but not so large as to run past the end of the control-message
buffer that was copied in from user space.
The problem is that the cmsg_len field is of type
__kernel_size_t, which is an unsigned integer type. If a very
large value is stored in cmsg_len, the addition in this calculation
wraps around:

    ((char*)cmsg - (char*)msg->msg_control) + cmsg->cmsg_len

When that happens, the resulting sum is a small number, so cmsg_len
does not appear to be overly large to this particular test. At a later
point, however, that same length is added to a pointer in order to find the
next control message in the list. Once again the addition wraps around,
with the result that the pointer moves backward instead of forward.
The exploit created by Mr. Starzetz works by creating a message with two
embedded control messages. The second one sets cmsg_len to
-12. That length gets translated to a very large unsigned number
(0xfffffff4 on 32-bit systems); since 12 bytes is exactly the size of a
control message header on such systems, adding it to the pointer in
__scm_send() bumps the pointer backward by one header. With a header-only
first control message, the backward step lands on the first message again,
whose length then leads forward to the second. An infinite loop results.
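To make the arithmetic concrete, here is an added example (not from the article, and not kernel code) that emulates the two length checks on a 32-bit layout in user space: the 2.6.9 test quoted above, and a test of the shape the kernel's CMSG_OK() macro uses, which compares cmsg_len against the space remaining after the header rather than adding the two. The struct layout, the helper names, the iteration cap and the constructed two-message buffer are this example's own assumptions; it never touches a socket.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct cmsghdr as laid out by a 32-bit Linux kernel: 12 bytes, 4-byte aligned.
 * Offsets and lengths are uint32_t so the wraparound matches a 32-bit kernel
 * even when this program is compiled on a 64-bit host. */
struct cmsghdr32 {
    uint32_t cmsg_len;    /* data byte count, including header */
    int32_t  cmsg_level;
    int32_t  cmsg_type;
};

#define HDR_SIZE        ((uint32_t)sizeof(struct cmsghdr32))   /* 12 */
#define CMSG_ALIGN32(n) ((((uint32_t)(n)) + 3u) & ~3u)

/* Read a header out of the control buffer without relying on alignment. */
static struct cmsghdr32 hdr_at(const uint8_t *ctl, uint32_t off)
{
    struct cmsghdr32 h;
    memcpy(&h, ctl + off, sizeof h);
    return h;
}

/* The 2.6.9 length test quoted in the article, in 32-bit unsigned arithmetic.
 * Returns 1 if __scm_send() would accept the header, 0 if it would reject it. */
static int check_2_6_9(const uint8_t *ctl, uint32_t controllen, uint32_t off)
{
    struct cmsghdr32 c = hdr_at(ctl, off);
    if (c.cmsg_len < HDR_SIZE ||
        (uint32_t)(off + c.cmsg_len) > controllen)   /* off + len can wrap to 0 */
        return 0;
    return 1;
}

/* The shape of the CMSG_OK() test: compare cmsg_len with the space left after
 * the header's own offset. The subtraction cannot go below zero (off is always
 * inside the buffer), so a huge cmsg_len is caught instead of wrapping. */
static int check_cmsg_ok(const uint8_t *ctl, uint32_t controllen, uint32_t off)
{
    struct cmsghdr32 c = hdr_at(ctl, off);
    if (c.cmsg_len < HDR_SIZE || c.cmsg_len > controllen - off)
        return 0;
    return 1;
}

/* Emulates the next-header step: advance by the aligned length, then make sure
 * a whole header still fits. Returns the next offset, or UINT32_MAX at the end. */
static uint32_t next_off(const uint8_t *ctl, uint32_t controllen, uint32_t off)
{
    struct cmsghdr32 c = hdr_at(ctl, off);
    uint32_t nxt = off + CMSG_ALIGN32(c.cmsg_len);          /* wraps backward */
    if ((uint32_t)(nxt + HDR_SIZE) > controllen)
        return UINT32_MAX;
    return nxt;
}

/* Walk the control-message list the way __scm_send() does, applying `check`
 * to each header. Returns the number of headers visited, -1 if one is
 * rejected, or `cap` if the walk is still going after `cap` steps (a cycle). */
static int walk(const uint8_t *ctl, uint32_t controllen,
                int (*check)(const uint8_t *, uint32_t, uint32_t), int cap)
{
    int visited = 0;
    uint32_t off = 0;
    if (controllen < HDR_SIZE)
        return 0;
    while (off != UINT32_MAX && visited < cap) {
        if (!check(ctl, controllen, off))
            return -1;
        visited++;
        off = next_off(ctl, controllen, off);
    }
    return visited;
}

/* Constructed input: two header-only control messages, the second with the
 * given cmsg_len. (uint32_t)-12 reproduces the exploit's value 0xfffffff4.
 * Level and type are 0 because the length check never looks at them. */
static int demo(uint32_t second_len, int use_fixed_check)
{
    uint8_t buf[24];                                   /* 2 * HDR_SIZE */
    struct cmsghdr32 first  = { HDR_SIZE, 0, 0 };
    struct cmsghdr32 second = { second_len, 0, 0 };
    memcpy(buf, &first, HDR_SIZE);
    memcpy(buf + HDR_SIZE, &second, HDR_SIZE);
    return walk(buf, sizeof buf,
                use_fixed_check ? check_cmsg_ok : check_2_6_9, 100);
}

int main(void)
{
    printf("benign, 2.6.9 check:    %d headers\n", demo(HDR_SIZE, 0));
    printf("benign, CMSG_OK check:  %d headers\n", demo(HDR_SIZE, 1));
    printf("len=-12, 2.6.9 check:   %d (hit cap: cycle)\n", demo((uint32_t)-12, 0));
    printf("len=-12, CMSG_OK check: %d (rejected)\n", demo((uint32_t)-12, 1));
    return 0;
}
```

The benign buffer walks two headers under either check. With the second length set to -12, the 2.6.9 test accepts the header because 12 + 0xfffffff4 wraps to 0, the next-header step lands back at offset 0, and the walk only stops because of the cap that stands in for the kernel's unbounded loop; the CMSG_OK-style test rejects it because 0xfffffff4 is larger than the 12 bytes remaining after the second header.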
Interestingly, this particular vulnerability seems to have been found
by another researcher at about the same time. The fix was merged on
December 8; the identification of the bug is credited to Georgi
Guninski. It is, in any case, fixed, at least for 2.6.10. Some
distributors have already made updated kernels available.
Comments (none posted)
Security reports
An advisory has gone out for users of the CVS version of the "Slash" weblog
software. It seems a fairly serious vulnerability has been found in that
code; details will be released shortly. The Slash hackers are recommending
that people running sites upgrade to the current CVS version at their first
opportunity.
Full Story (comments: none)
New vulnerabilities
atari800: buffer overflows
| Package(s): | atari800 |
| CVE #(s): | CAN-2004-1076 |
| Created: | December 14, 2004 |
| Updated: | December 14, 2004 |
| Description: | Multiple buffer overflows have been found in atari800, an Atari emulator. Since this program is installed setuid root, these overflows could be exploited by a local user to gain superuser access. |
| Alerts: | |
Comments (none posted)
file: stack overflow
| Package(s): | file |
| CVE #(s): | |
| Created: | December 14, 2004 |
| Updated: | December 14, 2004 |
| Description: | The file utility has a stack overflow in its ELF header parsing code which could be exploited by an attacker to execute arbitrary code. Version 4.12 contains the fix. |
| Alerts: | |
Comments (none posted)
kernel: IGMP and scm_send vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CAN-2004-1016, CAN-2004-1137 |
| Created: | December 14, 2004 |
| Updated: | January 4, 2005 |
| Description: | Paul Starzetz has discovered a new pair of kernel vulnerabilities. The IGMP code suffers from input validation and integer overflow vulnerabilities which could be remotely exploitable, and the socket function __scm_send() has a local denial of service vulnerability. |
| Alerts: | |
Comments (none posted)
ncpfs: buffer overflow
| Package(s): | ncpfs |
| CVE #(s): | CAN-2004-1079 |
| Created: | December 15, 2004 |
| Updated: | December 22, 2004 |
| Description: | The (setuid root) ncplogin and ncpmap utilities in ncpfs (prior to version 2.2.5) contain an exploitable buffer overflow. |
| Alerts: | |
Comments (none posted)
PHProjekt: configuration modification
| Package(s): | phprojekt |
| CVE #(s): | |
| Created: | December 14, 2004 |
| Updated: | December 14, 2004 |
| Description: | Versions of PHProjekt prior to 4.2-r1 contain a setup vulnerability which can allow a non-admin remote user to change the configuration. |
| Alerts: | |
Comments (none posted)
vim: modeline problems
| Package(s): | vim |
| CVE #(s): | CAN-2004-1138 |
| Created: | December 15, 2004 |
| Updated: | February 24, 2005 |
| Description: | A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
apache: arbitrary code execution
| Package(s): | apache |
| CVE #(s): | CAN-2004-0940 |
| Created: | October 29, 2004 |
| Updated: | December 14, 2004 |
| Description: | According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error. |
| Alerts: | |
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
| Alerts: | |
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
Comments (none posted)
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress |
| CVE #(s): | CAN-2001-1413 |
| Created: | October 11, 2004 |
| Updated: | December 14, 2004 |
| Description: | compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0891 |
| Created: | October 25, 2004 |
| Updated: | February 11, 2005 |
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. |
| Alerts: | |
Comments (none posted)
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
| CVE #(s): | CAN-2004-1106 |
| Created: | November 8, 2004 |
| Updated: | January 17, 2005 |
| Description: | Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery. |
| Alerts: | |
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788
Created: September 15, 2004
Updated: February 25, 2005
Description:
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Comments (none posted)
gettext: Insecure temporary file handling
Package(s): gettext
CVE #(s): CAN-2004-0966
Created: October 11, 2004
Updated: March 1, 2006
Description:
gettext insecurely creates temporary files in world-writable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Comments (1 posted)
ghostscript: symlink vulnerabilities
Package(s): ghostscript
CVE #(s): CAN-2004-0967
Created: October 20, 2004
Updated: September 28, 2005
Description:
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Comments (none posted)
glibc: Information leak with LD_DEBUG
Package(s): glibc
CVE #(s): CAN-2004-1453
Created: August 17, 2004
Updated: May 26, 2005
Description:
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
Package(s): glibc
CVE #(s): CAN-2004-0968
Created: October 21, 2004
Updated: November 14, 2005
Description:
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
Comments (none posted)
gnome-vfs: backend script vulnerabilities
Package(s): gnome-vfs
CVE #(s): CAN-2004-0494
Created: August 4, 2004
Updated: February 21, 2005
Description:
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Comments (none posted)
groff: insecure temporary directory
Package(s): groff
CVE #(s): CAN-2004-0969
Created: November 1, 2004
Updated: February 9, 2006
Description:
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
Comments (none posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Comments (none posted)
gzip: insecure temporary files
Package(s): gzip
CVE #(s): CAN-2004-0970
Created: November 8, 2004
Updated: December 7, 2004
Description:
Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package which may allow local users
to overwrite files via a symlink attack.
Comments (none posted)
hpsockd: missing input sanitizing
Package(s): hpsockd
CVE #(s): CAN-2004-0993
Created: December 3, 2004
Updated: December 8, 2004
Description:
"infamous41md" discovered a buffer overflow condition in hpsockd, the
SOCKS server written at Hewlett-Packard. An exploit could cause the
program to crash or may have a worse effect.
Comments (none posted)
ImageMagick: EXIF buffer overflow
Package(s): ImageMagick
CVE #(s): CAN-2004-0981
Created: November 8, 2004
Updated: December 8, 2004
Description:
ImageMagick fails to do proper bounds checking when handling image
files with EXIF information. An attacker could use an image file with
specially-crafted EXIF information to cause arbitrary code execution with
the permissions of the user running ImageMagick. See this advisory for more
information.
Comments (none posted)
imlib: buffer overflows in image decoding
Package(s): imlib
CVE #(s): CAN-2004-1026
Created: December 6, 2004
Updated: January 13, 2005
Description:
Pavel Kankovsky discovered that several overflows found in the libXpm
library also applied to imlib. He also fixed a number of other potential
flaws. A remote attacker could entice a user to view a carefully-crafted
image file, which would potentially lead to execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that makes use of the imlib library.
Comments (none posted)
imlib2: buffer overflows
Package(s): imlib2
CVE #(s): CAN-2004-0802, CAN-2004-0817
Created: September 8, 2004
Updated: October 26, 2005
Description:
The imlib2 library contains buffer overflows in the BMP handling code.
Comments (none posted)
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description:
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Comments (none posted)
iptables: missing initialization
Package(s): iptables
CVE #(s): CAN-2004-0986
Created: November 1, 2004
Updated: February 11, 2005
Description:
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least.
Comments (none posted)
kernel: vulnerabilities in the smb file system
Comments (1 posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
Comments (none posted)
libgd2: buffer overflows in PNG handling
Package(s): libgd2
CVE #(s): CAN-2004-0990, CAN-2004-0941
Created: October 29, 2004
Updated: June 28, 2006
Description:
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Comments (none posted)
libxpm4: stack and integer overflows
Package(s): libxpm4
CVE #(s): CAN-2004-0687, CAN-2004-0688
Created: September 16, 2004
Updated: February 14, 2005
Description:
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service.
Comments (none posted)
logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description:
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Comments (none posted)
lvm10: creates insecure temporary directory
Package(s): lvm10
CVE #(s): CAN-2004-0972
Created: November 1, 2004
Updated: July 25, 2005
Description:
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
Package(s): mc
CVE #(s): CAN-2004-0494
Created: September 2, 2004
Updated: January 5, 2005
Description:
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts.
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Comments (none posted)
mirrorselect: insecure temporary file creation
Package(s): mirrorselect
CVE #(s): (none listed)
Created: December 7, 2004
Updated: December 8, 2004
Description:
Ervin Nemeth discovered that mirrorselect creates temporary files in
world-writable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When mirrorselect is executed, this would
result in the file being overwritten with the rights of the user running
the utility, which could be the root user.
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
Package(s): mozilla firefox thunderbird
CVE #(s): CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908
Created: September 20, 2004
Updated: January 13, 2005
Description:
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
Comments (none posted)
mpg123: buffer overflow bug
Package(s): mpg123
CVE #(s): CAN-2004-0805
Created: September 16, 2004
Updated: January 11, 2005
Description:
The mpg123 audio playing utility has a buffer overflow
bug that may allow arbitrary execution of code.
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Comments (none posted)
mysql: several vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0835, CAN-2004-0836, CAN-2004-0837
Created: October 11, 2004
Updated: April 6, 2005
Description:
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Comments (none posted)
netkit-telnet: invalid free pointer
Package(s): netkit-telnet
CVE #(s): CAN-2004-0911
Created: October 4, 2004
Updated: March 28, 2005
Description:
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Comments (1 posted)
nfs-utils: denial of service
Package(s): nfs-utils
CVE #(s): CAN-2004-1014
Created: December 1, 2004
Updated: May 15, 2005
Description:
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Comments (none posted)
openssl: der_chop script temp file vulnerability
Package(s): openssl
CVE #(s): CAN-2004-0975
Created: November 11, 2004
Updated: July 19, 2005
Description:
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
php: remotely exploitable memory errors
Package(s): php
CVE #(s): CAN-2004-0594
Created: July 14, 2004
Updated: February 7, 2005
Description:
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
Comments (none posted)
PostgreSQL: Insecure temporary file use in make_oidjoins_check
Package(s): PostgreSQL
CVE #(s): CAN-2004-0977
Created: October 18, 2004
Updated: December 20, 2004
Description:
The make_oidjoins_check script insecurely creates temporary files in
world-writable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When make_oidjoins_check is called, this
would result in file overwrite with the rights of the user running the
utility, which could be the root user.
Comments (none posted)
ProZilla: Multiple vulnerabilities
Package(s): ProZilla
CVE #(s): CAN-2004-1120
Created: November 23, 2004
Updated: February 1, 2005
Description:
ProZilla contains several exploitable buffer overflows in the code handling
the network protocols. A remote attacker could set up a malicious server
and entice a user to retrieve files from that server using ProZilla. This
could lead to the execution of arbitrary code with the rights of the user
running ProZilla.
Comments (none posted)
qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
Package(s): rp-pppoe, pppoe
CVE #(s): CAN-2004-0564
Created: October 4, 2004
Updated: November 15, 2005
Description:
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Comments (none posted)
rssh, scponly: unrestricted command execution
Package(s): rssh, scponly
CVE #(s): (none listed)
Created: December 3, 2004
Updated: December 8, 2004
Description:
Jason Wies discovered that when receiving an authorized command from an
authorized user, rssh and scponly do not filter command-line options
that can be used to execute any command on the target host. Using a
malicious command, it is possible for a remote authenticated user to
execute any command (or upload and execute any file) on the target machine
with user rights, effectively bypassing any restriction of scponly or
rssh. See this Bugtraq post for more details.
Comments (none posted)
ruby: infinite loop
Package(s): ruby
CVE #(s): CAN-2004-0983
Created: November 8, 2004
Updated: May 15, 2005
Description:
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles.
Comments (none posted)
sharutils: arbitrary code execution
Package(s): sharutils
CVE #(s): CAN-2004-1772
Created: October 1, 2004
Updated: April 26, 2005
Description:
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
Comments (none posted)
sox: buffer overflow
Package(s): sox
CVE #(s): CAN-2004-0557
Created: July 28, 2004
Updated: February 21, 2005
Description:
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description:
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Comments (none posted)
SquirrelMail: cross-site scripting
Package(s): squirrelmail
CVE #(s): CAN-2004-1036
Created: November 17, 2004
Updated: December 23, 2004
Description:
Squirrelmail (through version 1.4.3a-r2) suffers from yet another cross-site scripting vulnerability.
Comments (none posted)
Subversion: Remote heap overflow
Package(s): subversion
CVE #(s): CAN-2004-0413
Created: June 11, 2004
Updated: March 7, 2005
Description:
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
Comments (none posted)
sudo: environment variable sanitizing
Package(s): sudo
CVE #(s): CAN-2004-1051
Created: November 17, 2004
Updated: May 15, 2005
Description:
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Comments (1 posted)
tiff: buffer overflows
Package(s): tiff
CVE #(s): CAN-2004-0803
Created: October 13, 2004
Updated: April 12, 2005
Description:
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
Comments (none posted)
unarj: buffer overflow vulnerability
Package(s): unarj
CVE #(s): CAN-2004-0947
Created: November 11, 2004
Updated: February 2, 2005
Description:
The unarj uncompression utility has a buffer overflow vulnerability
from handling long file names in an archive. An attacker can
cause unarj to crash or execute arbitrary code.
Comments (none posted)
viewcvs settings not honored
Package(s): viewcvs
CVE #(s): CAN-2004-0915
Created: December 6, 2004
Updated: December 28, 2004
Description:
Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP. When exporting
a repository as a tar archive the hide_cvsroot and forbidden settings
were not honored.
Comments (none posted)
WordPress: HTTP response splitting and XSS vulnerabilities
Package(s): wordpress
CVE #(s): (none listed)
Created: October 14, 2004
Updated: December 20, 2004
Description:
WordPress is vulnerable to HTTP response splitting and cross-site scripting
attacks, due to the lack of input validation in the administration panel
scripts. A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.
Comments (none posted)
wv: buffer overflow
Package(s): wv
CVE #(s): CAN-2004-0645
Created: July 14, 2004
Updated: February 10, 2005
Description:
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal (which is disabled by default) and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Comments (none posted)
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description:
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Comments (none posted)
xorg-x11: integer overflows
Package(s): xorg-x11
CVE #(s): CAN-2004-0914
Created: November 18, 2004
Updated: September 12, 2005
Description:
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code.
Comments (none posted)
xpdf: integer overflows
Package(s): xpdf kpdf cupsys
CVE #(s): CAN-2004-0888, CAN-2004-0889
Created: October 21, 2004
Updated: February 18, 2005
Description:
Several xpdf integer overflow vulnerabilities can be exploited via a
malformed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys, which share code. Additional information can be found in this KDE security advisory.
Comments (none posted)
zgv: multiple buffer overflows
Package(s): zgv
CVE #(s): (none listed)
Created: November 8, 2004
Updated: December 14, 2004
Description:
Multiple arithmetic overflows have been detected in the image
processing code of zgv. An attacker could entice a user to open a
specially-crafted image file, potentially resulting in execution of
arbitrary code with the rights of the user running zgv. See this BugTraq advisory
for more information.
Comments (none posted)
zip: arbitrary code execution
Package(s): zip
CVE #(s): CAN-2004-1010
Created: November 5, 2004
Updated: February 2, 2005
Description:
HexView discovered a buffer overflow in the zip package. The overflow is
triggered by creating a ZIP archive of files with very long path
names. This vulnerability might result in execution of arbitrary code with
the privileges of the user who calls zip. This flaw may lead to privilege
escalation on systems which automatically create ZIP archives of
user-supplied files, like backup systems or web applications.
Comments (1 posted)
zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for December is out. Topics
include behavioral profiling, Google's desktop search, EPIC, and safe
personal computing. "I am regularly asked what average Internet
users can do to ensure their security. My first answer is usually,
'Nothing--you're screwed.' But that's not true, and the reality is more
complicated. You're screwed if you do nothing to protect yourself, but
there are many things you can do to increase your security on the Internet."
Full Story (comments: 1)
Thomas C. Greene has announced a set of data wipe tools for Unix-like
systems. They'll go and overwrite any old, sensitive data which may have
accumulated in the swap area and in free areas of the disk; click below for
the details.
Full Story (comments: 1)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.10-rc3.
The trickle of patches into Linus's BitKeeper repository continues;
currently merged patches include a CIFS update, an IDE update, some
networking fixes (including a fix for the IGMP
vulnerabilities),
a DVB update and various other fixes.
The current patch from Andrew Morton is 2.6.10-rc3-mm1. Recent additions to -mm
include a reworking of the VFS readahead code, parts of the page fault handler scalability patch set,
hooks needed for the merging of the Xen architecture, a big set of
user-mode Linux patches, in-inode extended
attribute support for ext3, unlocked ioctl() support (see
below), a set of SELinux patches, and lots of fixes.
The current 2.4 prepatch remains 2.4.29-pre1; Marcelo has released
no prepatches since November 25.
Comments (2 posted)
Kernel development news
Nothing like changing the byte order of structure fields to really
drive the "out-of-tree" driver writers crazy. I like it :)
-- Greg Kroah-Hartman
Comments (40 posted)
Kernel hackers often need to be able to export debugging information to
user space. This information is not needed for the regular operation of
the system, but it can be highly useful for a developer who is trying to
figure out why things are behaving strangely. Sometimes putting in a few
printk() calls is sufficient, but, often, that is not the best way
to go. The debugging information may only be useful occasionally, but the
printed output clogs up the logs all the time. Using
printk()
also does not help if the developer wishes to be able to change values from
user space.
A common way of making debugging information available only when needed
(and possibly for write access) is
to create one or more files in a virtual filesystem. There are a few ways
in which that can be done:
- Creating files in /proc. This approach works, but there is
little more enthusiasm for creating more files in /proc at
this point, and the /proc filesystem functions can be a bit
of a pain to work with.
- 2.6 kernels have the /sys (sysfs) filesystem. In many cases,
debugging information can be put there, but sysfs is meant for
information used in administering the system, and the rules for sysfs
require that each file contain a single value. For that reason, it is
not even possible to use the seq_file
interface with sysfs. The result is that sysfs is relatively
consistent, but it is unwieldy for a developer who wishes to dump out
a complicated data structure.
- Creating an entirely new filesystem with libfs. This approach is highly flexible;
a developer who creates a new filesystem can write the rules that go
with it. The libfs interface makes things relatively simple, but the
task of creating a new filesystem is more than most people want to
take on just to make some debugging information available - especially
since that filesystem will require some debugging of its own.
As a way of making life easier for developers, Greg Kroah-Hartman has
created debugfs, a virtual filesystem
devoted to debugging information. Debugfs is intended to be a relatively
easy and lightweight subsystem which gracefully disappears when configured
out of the kernel.
A developer wishing to use debugfs starts by creating a directory within
the filesystem:
struct dentry *debugfs_create_dir(const char *name,
                                  struct dentry *parent);
The parent argument will usually be NULL, causing the
directory to be created in the debugfs root. If debugfs is not configured
into the system, the return value is -ENODEV; a NULL
return, instead, indicates some other sort of error.
The general-purpose function for creating a file in debugfs is:
struct dentry *debugfs_create_file(const char *name, mode_t mode,
                                   struct dentry *parent, void *data,
                                   struct file_operations *fops);
The structure pointed to by fops should, of course, contain
pointers to the functions which implement the actual operations on the
file. In many cases, most of those functions can be the helpers provided
by seq_file, making the task of exporting a file easy.
Some additional helpers have been provided to make exporting a single value
as easy as possible:
struct dentry *debugfs_create_u8(const char *name, mode_t mode,
                                 struct dentry *parent, u8 *value);
struct dentry *debugfs_create_u16(const char *name, mode_t mode,
                                  struct dentry *parent, u16 *value);
struct dentry *debugfs_create_u32(const char *name, mode_t mode,
                                  struct dentry *parent, u32 *value);
struct dentry *debugfs_create_bool(const char *name, mode_t mode,
                                   struct dentry *parent, u32 *value);
Debugfs does not automatically clean up files when a module shuts down, so,
for every file or directory created with the above functions, there must be
a call to:
void debugfs_remove(struct dentry *dentry);
The debugfs interface is quite new, and it may well see changes before
finding its way into the mainline kernel. In particular, Greg has considered adding a kobject parameter to the
creation calls; the kobject would then provide the name for the resulting
files.
Comments (8 posted)
The timer interrupt is the kernel's way of keeping track of the passage of
time. Every so often, a programmable timer interrupts the kernel, which
responds by updating its internal time value, performing various
housekeeping tasks, and executing any delayed kernel work whose time has
come. In the 2.6 kernel, on the x86 architecture, by default, the timer
interrupt comes 1000 times per second; other architectures and
configurations can vary.
Playing with the timer tick frequency is almost as old as the kernel
itself. The frequency with which the hardware timer interrupts the
processor is well parameterized into a single compile-time variable
(HZ); running the system with a nonstandard clock frequency is
simply a matter of changing the definition of HZ (within
reasonable bounds) and building a new kernel.
There are legitimate reasons for playing with the timer frequency. A
faster clock can allow the system to perform more precise delays, and to
respond to events more quickly. Systems running at a higher clock
frequency should have lower latencies in many situations. There is an
overhead associated with the timer interrupt, however; a higher-frequency
interrupt will take more CPU time. So, for server loads (where latency is
less important), the overhead of a higher timer frequency is not worth it.
On laptops, the default 1KHz timer can also defeat the CPU's power management
features and significantly reduce battery life.
In other words, there is no single value for the timer frequency which
works for all users. Changing the frequency is still relatively hard,
however; some people are more comfortable with building new kernels than
others. Wouldn't it be nice if the frequency could be made into a
boot-time parameter, so that it could be changed from one boot to the next
without a kernel rebuild?
As it turns out, Andrea Arcangeli has a
patch which does exactly that. It's not even a new patch: SUSE has
been shipping 2.4 kernels with boot-time timer frequency selection for some
time. Andrea is now interested in merging this patch into the mainline,
should the other developers be willing.
The patch is relatively intrusive - it touches 143 files around the tree.
The core change is the transformation of HZ from a constant value
into a variable. Much of the kernel does not notice the change at all; a
call like:
schedule_timeout(HZ/10);
will still set up a wakeup for 100ms in the future. There is some new overhead
associated with fetching the value of HZ and performing the
division at run time, but Andrea states that it is not really measurable.
There are places in the kernel which require further changes, however.
Compile-time initializations which depend on a constant HZ value
will no longer work; those initializations must be moved to run time, or
recast in terms of a known constant value. There are also places where
values in timer-tick units are provided by user space. The kernel tries to
hide its internal clock frequency from user space, but there are still
places where it leaks through. A number of boot-time parameters are
expressed in ticks, and some device drivers take parameters in ticks as
well.
To address these problems, Andrea's patch expands the use of a symbol called
USER_HZ. It is a constant value, though its actual definition is
architecture dependent, varying from 32 to 1200 - though most architectures
set it to 100. All remaining compile-time initializations, and all values
obtained from user space, are interpreted as being in USER_HZ and
must be translated to internal values before being used. To that end, some
new macros have been provided:
jiffies_to_clock_t(internal_hz);
user_to_kernel_hz(user_hz);
With these in place, it's just a matter of keeping track of which type of
clock value is being used where. Andrea's patch renames variables
containing user-space tick values (it prepends "__" to the name)
as a way of indicating that a special value is contained there.
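The tick translation described above, as an added user-space model that is not Andrea's patch or kernel code: HZ is modelled as a run-time variable, USER_HZ is fixed at 100, and the two conversion names follow the article, while their bodies, the saturation check on user-supplied tick counts, and the simplified msecs_to_jiffies() are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>

/* USER_HZ: the tick rate user space sees; 100 on most architectures. */
#define USER_HZ 100UL

/* With the patch HZ stops being a compile-time constant. Modelled here as
 * a plain global so the conversions can be exercised at several rates
 * (assumption for this user-space demonstration). */
static unsigned long hz = 1000;

void set_hz(unsigned long new_hz) { hz = new_hz; }
unsigned long get_hz(void) { return hz; }

/* Kernel ticks -> USER_HZ ticks, the units reported to user space.
 * Same name as the macro in the article; this body is the example's own. */
unsigned long jiffies_to_clock_t(unsigned long jiffies)
{
    if (hz % USER_HZ == 0)
        return jiffies / (hz / USER_HZ);
    /* HZ not a multiple of USER_HZ (e.g. 250): scale in 64 bits so the
     * intermediate product cannot overflow. */
    return (unsigned long)(((uint64_t)jiffies * USER_HZ) / hz);
}

/* USER_HZ ticks supplied by user space (a boot parameter, a driver
 * parameter) -> kernel ticks. Saturates instead of wrapping, so a huge
 * value can never silently become a tiny timeout. */
unsigned long user_to_kernel_hz(unsigned long user_ticks)
{
    if (hz % USER_HZ == 0) {
        unsigned long mult = hz / USER_HZ;
        if (user_ticks >= ULONG_MAX / mult)
            return ULONG_MAX;
        return user_ticks * mult;
    }
    if (user_ticks >= ULONG_MAX / hz)
        return ULONG_MAX;
    return (unsigned long)(((uint64_t)user_ticks * hz) / USER_HZ);
}

/* Milliseconds -> kernel ticks, rounded up: a delay must never be shorter
 * than requested, whatever HZ the kernel booted with. This is the run-time
 * arithmetic behind a call such as schedule_timeout(HZ/10). */
unsigned long msecs_to_jiffies(unsigned int msecs)
{
    return (unsigned long)(((uint64_t)msecs * hz + 999) / 1000);
}
```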
Andrew Morton has said that some form of
this patch is likely to be merged:
So I guess we're going to have to do this sometime - I don't think
there's any other solution apart from going fully tickless, which
would be considerably more intrusive.
Before the patch can be merged, however, a few details must be dealt with -
porting it from 2.4 to 2.6, for example. So it's unlikely to go in
immediately. Given time, however, it seems likely to be merged in some
form.
Comments (2 posted)
Despite efforts to remove the big kernel lock (BKL) from the 2.6 kernel, it
still covers large amounts of code. Much of that code is implementations
of the
ioctl() method in device drivers and filesystems throughout
the kernel. A poorly-implemented
ioctl() method can block other
processors for some time, wasting CPU time and creating high latencies.
Fixing
ioctl()'s BKL use has been on the "to do" list for some
time, but nobody has dived in to get the job done.
Mike Werner has recently taken a step in that direction, however, with this patch which aims to make it easy to wean
driver ioctl() methods off the BKL one at a time. To that end, it
creates a new method in the file_operations structure:
int (*unlocked_ioctl) (struct inode *inode, struct file *file,
                       unsigned int cmd, unsigned long arg);
This method behaves just like one would expect: if it is non-NULL,
it will be called in preference to the regular ioctl() method, and
the BKL will not be taken for that call. New drivers can be written to use this method,
and the ioctl() methods of old drivers can be shifted over once
they are known to be safe to call without the BKL.
This is a different approach than was taken to get the BKL out of
lseek() methods. In that case, the interface was changed by
decree, and lseek() was called without the BKL. First, however,
every in-tree lseek() method was enhanced with an explicit
lock_kernel() call of its own. As a result, those methods still
executed with the BKL held, but the taking of the BKL was made explicit and
put into a place where it could be removed when it was no longer needed.
A typical ioctl() method can be more complicated than most
lseek() methods, however, so the creation of a new method must
seem like the easier approach this time around.
One commenter has suggested that the new method should not include the
inode argument, since it is trivially obtained from the
file structure anyway. The version of this patch which was merged
into 2.6.10-rc3-mm1 retains that argument, however.
Meanwhile, Michael Tsirkin has posted a
different ioctl() patch which, while it provides a non-BKL
migration path for that method, also solves another problem. One of the
biggest challenges in writing portable ioctl() methods is dealing
with 32-bit compatibility on 64-bit systems. When user space is running in
32-bit mode, it will have a different view of any structures passed into
ioctl(), and the kernel must translate the 32-bit versions into
something it can work with.
The kernel provides some help with this translation in the form of a function called
register_ioctl32_conversion():
typedef int (*ioctl_trans_handler_t)(unsigned int, unsigned int,
                                     unsigned long, struct file *);
int register_ioctl32_conversion(unsigned int cmd,
                                ioctl_trans_handler_t handler);
After this call, any 32-bit ioctl() call using the given
cmd will be passed to the handler function, which,
presumably, knows how to deal with it. This mechanism works, but it has a
few shortcomings. It relies on a global space for ioctl() command
codes, for example. Every command is supposed to be unique, but
things do not always happen that way - especially with out-of-tree
drivers. The use of a hash table to look up handler functions slows things
down a bit. And, as Andi Kleen pointed
out recently, the current mechanism suffers from race conditions which appear to
be unfixable without changing the interface.
But, if you're going to change the interface, you might as well do it
right. So Michael's patch adds two new ioctl() methods to the
file_operations structure. The ioctl_native() method
handles calls made from user-space processes which are using the same
architecture model as the kernel, while ioctl_compat() is called
in cases where the two differ. With this approach, the global table of
commands can be eliminated, and its problems go away as well. Since the
new ioctl_compat() method is invoked directly from the
file_operations structure, it is easy to manage the module
reference count to avoid unload races.
Oh, and the kernel does not acquire the big kernel lock before calling
either of the new methods; they are expected to be implemented with proper
locking from the beginning.
Michael's patch seems to solve all of the problems addressed by the
unlocked_ioctl() approach, plus a few more. The debate has not
yet begun, but it would not be surprising to see the two new methods win
out in the end.
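The 32-bit compatibility problem described above, as an added example that is not from Michael's patch or any real driver: a constructed request structure in its native and 32-bit layouts, a compat path that widens each field explicitly and reuses the native validation, and a size check for bytes that arrive in the wrong layout. Every name here (foo_req, foo_ioctl_native, foo_ioctl_compat, FOO_MAX_LEN) is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed driver request (hypothetical). On an LP64 kernel 'len' and
 * 'buf' are 8 bytes each and the struct pads out to 24 bytes; a 32-bit
 * process lays the same fields out as three 4-byte words (12 bytes). */
struct foo_req {
    unsigned long len;
    void *buf;
    uint32_t flags;
};

/* The 32-bit process's view of the same request, spelled out with fixed
 * widths so the kernel can read it unambiguously. */
struct foo_req_compat {
    uint32_t len;
    uint32_t buf;      /* a 32-bit user pointer */
    uint32_t flags;
};

#define FOO_MAX_LEN    4096UL
#define FOO_FLAG_VALID 0x1u

/* Native path: validate the request as the kernel itself sees it.
 * Returns 0 and the accepted length, or a negative errno. */
int foo_ioctl_native(const struct foo_req *req, unsigned long *accepted)
{
    if (req->flags & ~FOO_FLAG_VALID)
        return -EINVAL;            /* unknown flag bits */
    if (req->len == 0 || req->len > FOO_MAX_LEN)
        return -EINVAL;
    if (req->buf == NULL)
        return -EFAULT;
    *accepted = req->len;
    return 0;
}

/* Compat path: copy the 32-bit layout into a zeroed native struct, widening
 * each field explicitly, then reuse the native logic so both entry points
 * share one set of checks. */
int foo_ioctl_compat(const struct foo_req_compat *creq, unsigned long *accepted)
{
    struct foo_req req;

    memset(&req, 0, sizeof req);              /* no uninitialised padding */
    req.len = creq->len;
    req.buf = (void *)(uintptr_t)creq->buf;   /* zero-extend the user pointer */
    req.flags = creq->flags;
    return foo_ioctl_native(&req, accepted);
}

/* What a driver without a compat method would do: reinterpret the user
 * bytes as the native struct. Refuse a buffer whose size does not match the
 * native layout rather than misreading its fields or reading past it. */
int foo_decode_native_bytes(const void *bytes, size_t n, struct foo_req *out)
{
    if (n != sizeof *out)
        return -EINVAL;
    memcpy(out, bytes, n);
    return 0;
}
```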
Comments (1 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
After having installed (and been sufficiently impressed by) the AMD64 ports
of both Debian Sid and Fedora Core 3 (see
Debian on AMD64 and
Fedora Core 3 on AMD64), we
expected the same from our third victim -
Gentoo Linux. Not only is Gentoo a
distribution designed to be compiled locally and optimized for the system
it is being installed on, Gentoo's AMD64 port has had plenty of time to
mature - version 2004.3 was, in fact, the distribution's third stable
release for this architecture. And although the road to a complete AMD64
Gentoo system had a lot more potholes than its Debian or Fedora
counterparts, further intercepted by frequent side trips to the Gentoo
forums and mailing lists, the end result was equally good - a powerful and
incredibly fast high-end workstation.
But let's start from the beginning. We installed the latest version of
Gentoo on a system with the following specifications: AMD64 3500+ processor
(2.2GHz), K8N Neo2 (Socket939) mainboard from Micro-Star International, 2
GB of DDR SDRAM, 2 x 120 GB Maxtor hard disks, Plextor PX-712A DVD/CD
Rewritable Drive, and NVIDIA GeForce4 Ti 4600 graphics card. Those who are
following the series might have noticed that we have doubled the amount
of RAM since the last time - that's because we noticed that even with 1 GB
of RAM, the system was still making use of the swap partition, especially
when compiling Gentoo packages in the background, while running a KDE
desktop, several KDE and GNOME applications, and a web server.
We launched the Gentoo installation program from a 52.3 MB minimal live CD
(version 2004.3-r1) and followed the instructions in the Gentoo
Handbook. If you haven't installed any recent Gentoo release, you
should know that, despite some talk about automating parts of the Gentoo
installer, the installation is still as manual (read "tedious") as ever.
This is of course due to Gentoo's policy of making sure that users
installing the distribution learn the basics of a Linux-based operating
system early, rather than flood the mailing lists and forums with
elementary questions later. While this attitude is understandable, even
commendable, those of us who frequently install various distributions for
testing purposes or for large-scale deployment would certainly welcome a
more automated installation procedure.
We decided to perform a full installation from "stage1". This would seem
like a waste of time and effort on an AMD64 system - on traditional x86
architectures we could further optimize the build process to target our
chip, whether that be a Pentium 4, an Athlon XP, or even a 486, but what do
we optimize for on an AMD64 system? The Gentoo installation handbook
doesn't deal with this issue either, but based on the information found in
the GCC manual
we decided to set CHOST to "x86_64-pc-linux-gnu" and CFLAGS to "-march=k8
-O2". We also defined some USE variables to indicate what type of system we
are building before configuring the kernel and starting the long
compilation process.
Unfortunately, things didn't go all that well. While the base system
compiled and installed without a hitch, we ran into problems when trying to
compile ttmkfdir (a utility to create a fonts.scale file from a set of
TrueType fonts), xterm and ncurses. These were relatively easy to solve
compared to a later problem with ScrollKeeper - for some reason all
ScrollKeeper executable files had been prefixed with the name of the
architecture, so other applications trying to execute "scrollkeeper" were
unable to find it. A trip to Gentoo forums revealed that several other
users had suffered from the same issue, until a helpful soul came along and
offered a workable solution: unmask and upgrade gcc-config, then remove the
CTARGET line from /etc/env.d/05gcc (despite a stern warning not to touch
the file!).
The above is just an example of some of the potential setbacks facing users
who attempt to compile hundreds of packages on Gentoo Linux. Since the
version of Gentoo we attempted to install was a stable release (as opposed
to a beta or development release), we expected things to go smoothly, but
it wasn't the case. One of the solutions that we learned early to solve a
compilation problem was to "unmask" a package (by placing its name in
the /etc/portage/package.keywords file) and attempt to run emerge again.
This often worked - for example, we weren't able to compile the "stable"
mozilla-1.7.3 ebuild, but once we unmasked it, the emerge command went on
to fetch and compile successfully a "testing" mozilla-1.7.3-r3 ebuild. On a
positive note, we had no problems emerging KDE, and once we solved the
Scrollkeeper and Mozilla issues, the remainder of the GNOME packages also
compiled fine.
For those who are wondering about the speed of compiling applications on
this AMD64 system, here is an indication of the processor's power: emerging
the xorg-x11 package (in its default configuration) took about 25 minutes.
In contrast, emerging the same package on a 1.4 GHz Pentium 4 system took
about 40 minutes.
Mixing 32-bit and 64-bit applications on a Gentoo installation is achieved
in a similar fashion as on Debian. The relevant libraries are stored in
separate directories - /lib64 is a symbolic link to /lib
and /lib32 is a symbolic link to
/emul/linux/x86/lib. OpenOffice.org is only available in a
32-bit binary format and so are Opera, Flash Player, Acrobat Reader, and
other binary-only applications. One nice thing about Gentoo (compared to
Fedora Core) is that most of these applications are available from within
the portage infrastructure (e.g. a simple "emerge corefonts" downloads and
installs Microsoft TrueType fonts, "emerge nvidia-kernel" downloads and
installs the NVIDIA binary driver), so there is no need to configure a
third-party repository to be able to take advantage of some of the popular,
but non-free software.
Despite some bugs in the installation setup and the necessity to peruse
Gentoo's community resources to solve several problems, the overall
experience of installing and using Gentoo Linux on the AMD64 system wasn't
overly negative. Sure, we cursed profusely every time the compile process
came to a sudden halt with a loud error message, but luckily, none of the
problems were showstoppers. Thanks to them, we had the opportunity to
appreciate the quality of Gentoo's documentation and the helpfulness of
users on the distribution's forums. When all was said and done, we ended up
with a complete, fast and powerful graphical workstation, just as we did
with Debian or Fedora. And while the effort required to achieve that goal
was far greater than with the other two distributions, there is little
doubt that Gentoo Linux is an elegant operating system with powerful
package management and truly superb documentation.
Comments (3 posted)
Distribution News
NetBSD 2.0 is out. The list of improvements in this release is quite
large; see
the
announcement for the details.
Comments (21 posted)
The Debian
Release-critical Bugreport for December 10
and the
December 10 Work-needing packages report
are available.
Comments (none posted)
A version of Fedora Core 3 for the PowerPC platform has been released for
testing. Click below for details, open issues with this release, and
mailing list information.
Full Story (comments: none)
Fedora Core 3 updates:
libpng10 (latest version),
libpng (latest version),
glib2 (bug fixes),
gtk2 (bug fixes),
postgresql-odbc (64 bit fixes),
shadow-utils (bug fixes),
MyODBC (locale setting bug fix),
grep (UTF-8 performance improvement),
gstreamer (multilib support),
mikmod (packaging change)
Fedora Core 2 updates:
libpng (bug fixes),
libpng10 (latest version),
glib2 (bug fixes),
gtk2 (bug fixes),
postgresql-odbc (64 bit fixes),
postgresql (synchronize with FC3),
shadow-utils (bug fixes),
MyODBC (locale setting bug fix)
Comments (none posted)
An update of the Unofficial Fedora FAQ dated December 13, 2004 is
available. Changes include several new translations, and
various topic improvements.
Full Story (comments: none)
Mandrakelinux updates:
evolution (bug fixes),
mdkonline (bug fixes and windowless capability),
libpng (invalid zlib header problem).
Comments (none posted)
Trustix Secure Linux updates:
multiple packages.
Comments (none posted)
Chua Wen Kiat has put together
an
unofficial starter guide for the Ubuntu "warty" release. It is a
wide-ranging document in the FAQ style which may become a required bookmark
for anybody working with the Ubuntu distribution.
Comments (none posted)
The Ubuntu distribution has announced a new
community work page.
"Please update this page with projects/initiatives that you have/are
undertaking, so everyone can read what's happening all over the world in sharing Ubuntu."
Full Story (comments: none)
Distribution Newsletters
The December 13 issue of the Gentoo Weekly Newsletter is out; this week's
issue looks at the new Chinese forum, virtualization techniques, and more.
Full Story (comments: none)
Distribution reviews
LinuxTimes.Net
reviews
BeatrIX GNU/Linux, an Ubuntu/Knoppix-based live CD distribution.
"BeatrIX is a functional, easy to use and easy to set up desktop
system for the average user. Power users will find the lack of utilities in
the default install annoying, but it may be worth the trade for a more
custom environment and a smaller download."
Comments (1 posted)
Michael Stibane
reviews Slackware 10 in a NewsForge article.
"Working as a freelance Linux trainer and writer for a few German Linux magazines, I have to test a lot of software. If it's bleeding edge and packaged as RPM or DEB it usually causes major problems when I install the software on Debian or RPM-based distros. It's a pain to bring Debian package management back to a normal state once it's out of sync after a dpkg -i --force-things command. By contrast, there is nothing like Slackware's tgz packaging without dependency checks (except compiling from source). Install the package, run it from a terminal, and see which libraries are not found. Install those too and usually everything is fine. Slackware also takes RPM packages without questions if you supply the --nodeps switch."
Comments (2 posted)
Page editor: Forrest Cook
Development
With last week's article on the
HP Linux Imaging and Printing System,
December is turning into printer utility month on the LWN developer page.
XPP, the X Printing Panel
is a GUI printer control utility that is connected with the
CUPS print spooler project.
Its primary author is Till Kamppeter and the project dates back to
the summer of year 2000.
The XPP project is covered by the GNU General Public License (GPL).
In true Unix/Linux fashion, XPP supports a full set of command line
control capabilities along with its GUI features.
The project is aimed at filling a long needed niche in Unix printing:
Did you envy the people working under Windows or MacOS choosing their printers
and doing the nicest stuff on them with a few mouse clicks? And you as Unix user
have to enter cryptic command lines or to start scripts written by a system
administrator or yourself to do things as double sided printing, taking paper from
the lower tray, adjusting colours, and so on? Or were these features of your printers
even not available for you?
XPP differs from similar printing utilities in that it aims
to be a lightweight program:
Currently there are KDE Print, GtkLP, and others, but they are based on big,
memory-consuming desktop systems and GUI libraries. XPP uses the lightweight
library FLTK and therefore does not need a lot of resources and can be easily
installed on machines without the big desktops.
A few of the primary XPP features include:
- The capability of displaying the status of all local and
networked printers.
- Command line capability featuring CUPS, lpr, and lp command
line options compatibility.
- A GUI print feature selection capability.
- A built-in previewer for selecting images and text for printing.
- Support for printer duplexers, alternate paper trays, and
other specialized printer features.
- Support for all printer options defined by the
Foomatic printer database.
- Support for multiple queues on a single printer.
- Control over printer color alignment, print head alignment,
and margin settings.
- Setting of color gamma correction and brightness.
- Job control settings for page labels and banner pages.
To see XPP in action, take a look at some
screen shots.
The XPP
README
document lists the project dependencies, which include
CUPS and
FLTK.
It also shows which Linux distributions XPP has been used with,
details the installation process, and has some command line and
GUI usage information.
Version 1.5 of XPP was released this week. The
Change Log
has details on what's new in this version.
XPP looks to be a convenient way to access the many
features available in a modern printer; it is exactly the kind
of application that Linux needs in order to gain ground on the
desktop.
Comments (5 posted)
System Applications
Backup Software
Access control list support has been added to the dump/restore utilities.
"Support of ACLs is a feature requested by many for a long time and I
finally got the time to implement it. Since on Linux ACLs are only
a particular case of EAs (Extended Attributes), I implemented full
EA support, meaning that even security labels set (for example) by
SELinux will be backuped."
Full Story (comments: 1)
Database Software
Sleepycat Software has
announced the availability of Berkeley DB XML 2.0. "The major new release
includes support for XQuery 1.0, the emerging standard for XML data access, as
well as significant performance and usability enhancements."
The release lacks a download pointer; the software is available
over here.
Comments (none posted)
Version 1.5.2 RC 5 of the
Firebird database
has been released.
See the
release notes for details.
Comments (none posted)
MySQL has
announced the availability of a pair of graphical query browsing and database administration utilities which have been released under the GPL.
Comments (3 posted)
New stable releases of Knoda (Version 0.7.2) and hk_classes are available.
Changes include SQLite3 support, view support, improvements,
and bug fixes.
Full Story (comments: none)
Version 3.5.1 of phpPgAdmin, a web-based database administration tool,
has been announced.
It features several critical bug fixes.
Comments (none posted)
The December 7, 2004 edition of the PostgreSQL Weekly News is
available with the week's PostgreSQL database development news
and events.
Full Story (comments: none)
The December 14, 2004 edition of the PostgreSQL Weekly News is
out with a new collection of PostgreSQL database articles and
events.
Full Story (comments: none)
Manni Wood
shows how to automate PostgreSQL tasks in an O'Reilly article.
"Databases aren't just create-once, ignore forever sinkholes for data. You'll
likely spend time maintaining them, if not generating reports. Save your
tender wrists and automate some of those routine tasks. Manni Wood
demonstrates how to combine Perl, the shell, and the psql command-line
utility to do repetitive jobs for you."
Comments (none posted)
Libraries
Development version 1.13 of the libxklavier keyboard handling library
has been released.
"It contains mostly bugfixes (related to the
build process - the previous release was broken for people having X
headers in /usr/include/X11). Also, it is possible to see now which
backends are activated (at the end of the configure script) - and if
none, the script fails. xmodmap support is on by default, from now."
Full Story (comments: none)
Networking Tools
Version 1.0.1 of Firestarter, a visual firewall tool for GNOME, is out
with lots of changes and bug fixes.
Full Story (comments: none)
Version 0.2.12 of
TwistedSNMP,
a set of SNMP protocol implementations for Python's Twisted Matrix
networking framework, is out with numerous bug fixes.
Comments (none posted)
Peer to Peer
Ed Felten has
released tinyp2p,
a peer-to-peer system which requires all of 15 lines of code (it looks like
an entry for an obfuscated Python contest). "I wrote TinyP2P to
illustrate the difficulty of regulating peer-to-peer
applications. Peer-to-peer apps can be very simple, and any moderately
skilled programmer can write one, so attempts to ban their creation would
be fruitless."
Comments (13 posted)
Web Site Development
Version 1.4 beta 2 of MediaWiki, an open source wiki engine,
is out.
"MediaWiki 1.4beta2 is an experimental release, to help flush out remaining
major problems in the code prior to a final public 1.4.0 release. It is not
recommended to use this beta on a public site unless you're familiar with
MediaWiki innards and are willing and able to help diagnose and fix problems
that come up. All beta1 users should upgrade as soon as possible."
Comments (none posted)
Version 3.2.27 of
mnoGoSearch,
a web site search engine, has been released with a security fix.
See the
Change History document for details.
Comments (none posted)
Version 2.0a3 of Quixote, a web development platform,
is available. Changes include updated documentation, static directory
representation as html, work on the demos, and bug fixes.
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 1.2-beta2 of the amaroK audio player is available with lots of
new features. Changes include an improved DCOP interface, a new
cross-fade capability, improvements to the PlaylistLoader,
CSS support for the ContextBrowser, bug fixes, and more.
"amaroK is a soundsystem-independent audio-player for *nix.
Its interface uses a powerful "browser" metaphor that allows you to
create playlists that make the most of your music collection."
Full Story (comments: none)
Business Applications
Development version 1.1.RC3 of
Achievo,
a web-based free project management tool for small to medium businesses,
has been announced.
"Reported issues from the previous release candidate have been fixed."
Comments (none posted)
Data Visualization
The first alpha release of
the Python Computer Graphics Kit version 2.0.0 is out.
"The Python Computer Graphics Kit is a generic 3D package written in
C++ and Python that can be used for a variety of domains such as
scientific visualization, photorealistic rendering, Virtual Reality or
even games. The package contains a number of generic modules that can
be useful for any application that processes 3D data. This includes
new types such as vectors, matrices and quaternions."
Full Story (comments: none)
Desktop Environments
Version 2.8.2 of the GNOME Desktop and Developer platform is out. This is
a maintenance release; click below for the details.
An updated version of the GARNOME distribution
is available as well.
Full Story (comments: none)
Stable version 2.8.2 of GARNOME is available.
"This release incorporates the GNOME 2.8.2 Desktop & Developer
Platform, as well as plenty of new third-party package updates and
funkey new features."
Full Story (comments: none)
Development version 2.9.2.1 of GARNOME, the leading-edge GNOME distribution,
is out with a number of build fixes that showed up in version 2.9.2.
Full Story (comments: none)
The December 10, 2004 edition of the
KDE CVS-Digest is online with the following content summary:
"mDNSResponder libraries moved to kdelibs. Krdc and Krbc now use DNS-SD. khtml improves CSS compliance. KNewStuff support for wallpapers."
Comments (none posted)
KDE.News
covers the progress of
KDE 3.4.
"For those who can't live without a bleeding edge KDE, but don't dare to run CVS, we have packaged KDE 3.4 Alpha 1. As you can read on the KDE 3.4 release schedule, this is only the start of the fun, so please hammer on it over the end of year holidays and add your contributions. We welcome code patches, translations, documentation, great icons, detailed bug reports - any kind of help."
Comments (none posted)
Release candidate 2 of the
Xfce lightweight desktop environment is out.
"The second Release Candidate, which provides several bugfixes over the first Release Candidate, is a lightweight desktop environment with several features not found in the Xfce 4.0 series, including a brand new session manager, keyboard shortcut and desktop menu graphical editors, multihead support, "kiosk mode" support, a desktop menu plugin for the panel, CUPS and BSD-LPR printing support, and a new icon theme."
Comments (none posted)
Electronics
Version 20041210 of Covered, a Verilog code coverage utility,
has been released.
Here is the change summary:
"
Lots of GUI improvements as well as support in the GUI for toggle and combinational logic coverage information (summary and detailed). GUI Help manual, scoring optimizations, bug fixes included."
Comments (none posted)
The
latest releases
from the
gEDA project include
new versions of the Spice GUI frontend gspiceui and the
InFormal FNF and PSL verification processor.
Comments (none posted)
Version 3.3.3 of
XCircuit,
an electronic schematic drawing application, is out with several bug fixes.
Comments (none posted)
Financial Applications
After a relatively long development period, GnuCash 1.8.10 is out. This
release contains a fair number of small improvements, but little that is
truly earth shaking; click below for the details.
Full Story (comments: 7)
Graphics
Version 1.2.2 of KolourPaint, a paint program for KDE, is out.
"
KolourPaint 1.2.2 fixes several longstanding bugs, improves
performance and for the first time in history, includes translations
to 32 languages."
Full Story (comments: none)
GUI Packages
Revision 15 of the
FLTK 2.0.0 reference documentation
has been announced on
FLTK.net:
"
www.FLTK.net now has better FLTK reference documentation with built-in search engine, graphs that show dependencies between header files, new style sheet etc."
Comments (none posted)
Mail Clients
Unstable release 2.1.1 of the Evolution mail client is available
with a few new features and some bugs that need tracking down.
Full Story (comments: none)
Version 0.3.0 of Gyrus, an IMAP/Cyrus client for GNOME,
is available. Changes include new mailbox creation/deletion modules,
GUI improvements, and more.
Full Story (comments: none)
Medical Applications
LinuxMedNews has
an
announcement for version 0.7.2 of FreeMED, an
Electronic Medical Record and Practice Management system.
"
It is recommended that all users of previous versions upgrade. This is the
last major release before version 0.8.0. More information and download links are
available in the main story.
This new release contains many bug fixes and new features."
Comments (none posted)
Multimedia
GnomeMeeting 1.2 is out; see
the announcement for details. "
GnomeMeeting 1.2 has many new features, including the ability to share your contacts between GnomeMeeting and Novell Evolution 2.00. Another big new feature is the possibility to do PC-To-Phone calls at interesting rates using only your soundcard, no extra hardware is required."
Comments (none posted)
A call for developers has gone out for the Orkid Media Engine,
a cross-platform framework for building multimedia applications.
According to the author:
"
My primary development platform is windows (just because msvc
.net is the easiest development environment for me to use, since I use
it at my day job). That said, there are visual slickedit for linux
and Xcode for OSX projects also included. So I'm targeting cross
platform - and I want feature parity on all platforms. So I need a
linux developer or two to help keep the linux build going, because
I can't support 4 platforms by myself (win32/linux/osx/ps2dev)."
Full Story (comments: none)
RSS Software
Uche Ogbuji
works with the Universal Feed Parser on IBM developerWorks.
"
RSS is supposed to be based on XML (or XML/RDF) standards. Unfortunately, the famous wild west community behind RSS has many renegade elements producing feeds that are not even well-formed XML. Mark Pilgrim's excellent Universal Feed Parser is a great tool for parsing even ill-formed feeds, and this tip demonstrates how to use it to extract feed data from RSS."
Comments (none posted)
Streaming Media
The first public preview of MediaFrame
has been announced.
"
MediaFrame is an Open Source streaming media platform in Java which provides
a fast, easy to implement and extremely small applet that enables over 97% of
web users to view audio/video content without having to rely on external
player applications or bulky plug-ins. MediaFrame does not require special
servers, software or programming knowledge."
Comments (none posted)
Miscellaneous
Version 2.3.10 of Bakery, a C++ Framework for creating document-based
GNOME applications, has been released.
"
App_WithDoc::on_document_load() now returns a bool so that
the application (as well as the document class) also has
a chance to say whether the loaded document is OK."
Full Story (comments: none)
Version 0.5 of Gnome Screen Ruler, a customizable screen ruler for Gnome
is out.
"
This release simplifies the preference dialog by removing the ruler size options.
Now, the ruler can be resized by dragging the ruler window border.
The second (vertical) ruler has been removed, and the single ruler can
be toggled between horizontal/vertical."
Full Story (comments: none)
Version 0.6.7 of Gourmet Recipe Manager, a gtk-based recipe
manager application,
has been released.
"
Version 0.6.7 brings improvements in the handling of encodings of
mealmaster files and works around buggy, slow behavior for some pygtk2.5 users."
Comments (none posted)
The first public release (version 0.2.0) of KTTS, the
KDE Text-to-Speech System, is available.
"
KTTS is a subsystem within the KDE desktop for conversion of text to audible
speech. KTTS is currently under development and aims to become the standard
subsystem for all KDE applications to provide speech output."
Full Story (comments: none)
Languages and Tools
Caml
The December 7-14, 2004 edition of the Caml Weekly News is
online; take a look for some new Caml language discussion.
Full Story (comments: none)
Groovy
Andrew Glover
uses Ant and Groovy for code building on IBM DeveloperWorks.
"
Both Ant and Maven rule the world of build processing, but XML is occasionally a less-than-expressive configuration format. In this second installment in his new series on the practical applications of Groovy, Andrew Glover introduces Groovy's builder utility, which makes it especially easy to combine Groovy with Ant and Maven for more expressive and controllable builds."
Comments (none posted)
Java
Amir Shevat
introduces MantaRay on O'Reilly.
"
This article describes a unique distributed messaging solution and a JMS provider called MantaRay, and how it transformed a traditionally centralized and broker-based concept like JMS to a fully distributed system. It also shows what happens behind the scenes in a distributed system when performing JMS operations."
Comments (none posted)
O'Reilly has published
an excerpt from the book
Java Network Programming by
Elliotte Rusty Harold.
"
One of the challenges faced by the designers of the Web was dealing with the differences between operating systems. These differences can cause problems with URLs: for example, some operating systems allow spaces in filenames; some don't. Most operating systems won't complain about a # sign in a filename; but in a URL, a # sign indicates that the filename has ended, and a fragment identifier follows. Other special characters, nonalphanumeric characters, and so on, all of which may have a special meaning inside a URL or on another operating system, present similar problems."
Comments (none posted)
Perl
The December 1-6, 2004 edition of
This Fortnight in Perl 6 is online.
"
When someone says "I want a programming language in which I need only say what I wish done," give him a lollipop. -- Alan J. Perlis"
Comments (none posted)
PHP
Version 5.0.3 RC2 of
PHP
has been released.
"
This is the second release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."
Comments (none posted)
Luis Yordano Cruz
demonstrates the separation of data storage, manipulation, and display
in PHP 5 applications, in an O'Reilly article.
"
This article will demonstrate the power of three-tier development in PHP 5, using PEAR::DB_DataObject for the business logic and Smarty for display logic. I assume that you have some familiarity with HTML, Smarty, PEAR::DB_DataObject, MySQL, and PHP 5."
Comments (none posted)
PostScript
Version 8.50 of AFPL Ghostscript, a PostScript renderer,
has been announced.
"
Artifex Software, Inc. and artofcode LLC are pleased to announce a new major release of Ghostscript, the first in the 8.5x stable series. More than a year in the making, this is our most comprehensive version to date. We recommend upgrading for all our users.
In addition to numerous bug fixes, the release has several major new features, in particular improved font handling and rasterization, and support for new PDF 1.5 features, including JPEG 2000 images."
Comments (none posted)
Python
The December 10, 2004 edition of Dr. Dobb's Python-URL!
is available with the week's collection of Python articles and
resources.
Full Story (comments: none)
The Python Software Foundation has announced a new
licensing FAQ.
"
The Python Software Foundation (PSF) board recently wrote up a licensing
FAQ that we hope will help to clear up some of the confusion that has
surrounded the PSF License. There are quite a few projects out there (on
Source Forge and otherwise) that misuse this license in ways potentially
detrimental to those projects."
Full Story (comments: none)
Tcl/Tk
The December 10, 2004 edition of Dr. Dobb's Tcl-URL!
is online with lots of Tcl/Tk article links and resources.
Full Story (comments: none)
The December 13, 2004 edition of Dr. Dobb's Tcl-URL! is
out with a second set of Tcl/Tk articles for this week.
Full Story (comments: none)
XML
Uche Ogbuji
further explores the Gnosis Utilities on O'Reilly.
"
I covered the data binding feature of David Mertz's Gnosis Utilities in my earlier article, "XML Data Bindings in Python, Part 2". As I mentioned, Gnosis Utilities is a Python package with a variety of utility classes for data management and especially for XML processing. Another useful module in Gnosis is the indexer, which creates full-text XPath indices of XML documents."
Comments (none posted)
Edd Dumbill
discusses XML-Aware programming languages on O'Reilly.
"
In this week's column, I'd like to indulge in some gentle fun at the expense of pundits and pronouncers. While XML is as rich a field as any for crackpots and timewasters, we must be careful not to pour cold water on experimentation and innovation. The topics of XML-oriented programming languages and the Semantic Web have been targets of mockery in their time, so this week I'm asking whether the true believers might be right."
Comments (none posted)
Neil Graham and Elena Litani
continue their IBM developerWorks series on JAXP 1.3.
"
In this article, the authors follow up on their overview of JAXP 1.3 in Part 1. They touch on utilities that add support for concepts defined in the Namespaces in XML specification, and describe changes to the javax.xml.transform package. They also discuss the new Java types defined and how these allow for the completion of native Java language support for W3C XML Schema datatypes. They conclude by giving details on JAXP's data model- and vendor-neutral XPath API."
Comments (none posted)
IDEs
Version 3.7.5 of
DrPython,
a cross-platform Python IDE that has been implemented in wxPython,
is available. See the
Change Log
for a description of the new features and fixed bugs.
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ComputerWorld has
gotten
an early start on predictions for 2005. Number nine: "
Linux will
be adopted in greater numbers by IT, but desktop Linux will not. Linux is
already a mainstream server solution for many IT shops. That success won't
travel over to the desktop, however. Too much fragmentation, combined with
a lack of critical desktop applications and increasing dependence on the
Windows platform, will prevent desktop Linux adoption from increasing
significantly."
Comments (15 posted)
Tom Adelstein
looks at
the effects of Microsoft domination in US universities.
"
Check the curriculum at the University of South Florida, and you find a campus offering mainly Microsoft technology courses. As with the vast majority of the nation's universities and schools of higher education, you can learn how to use the Excel spreadsheet program, but you cannot find much about Linux kernel internals. Although many schools claim to have embraced open source, don't you believe it.
One of the issues I consider when visiting a university campus is the loss of technology leadership. As a nation, the US had failed to continue the tradition of sparking innovation on the campus."
Comments (8 posted)
Resources
NewsForge has posted
a detailed introduction to apt-get. "
If you know how Debian's archive system works, and how to choose the sources that apt-get uses, and use a few precautions in your upgrades, then the chances are that dependency problems will never bedevil you."
Comments (6 posted)
O'ReillyNet
presents excerpts from
Linux Cookbook by Carla Schroder.
"
Whether you want tips on installing a program for easy uninstall,
killing user processes, or better logins without passwords, Carla poses the
problems and offers solutions. Too bad not all recipes can be this clear,
quick, and painless. Join us again in a couple of weeks when Carla shares
tips on running different window managers simultaneously with Xnest and
hosting multiple domains with Apache."
Comments (5 posted)
LinuxJournal has published
part three
in a series about Linux MIDI applications by Dave Phillips.
This edition covers:
"
An introduction to several Linux MIDI utilities, including JSynthLib, Midirgui and SynthEd."
Comments (none posted)
O'ReillyNet has posted
a detailed OpenOffice tutorial. "
This article describes how to create and use a letterhead with OpenOffice.org. Along the way you'll learn how to use a wizard, templates, styles, and even a field or two. The principles described apply to many other documents as well, so even if you don't need a letterhead, you should find this exercise useful."
Comments (none posted)
Reviews
Joe Barr
reviews the game Blob Wars.
"
The holiday season is hard upon us. The stress of shopping for loved ones,
making travel plans, or preparing for holiday guests is building. If you're
starting to feel like you might need a gun to take and to hold a parking
place, it might be time for a stress-buster. That's where Blob Wars comes in.
No, it's not a new diet. It's a free, fun, frenzied chance to gun down the
bad guys and rescue fair maidens. It's also an SDL-based game which runs well
on Linux. And the 1.0 release might be here before the new year."
Comments (none posted)
EEDesign
reviews the gEDA project, an open-source suite of electronic CAD tools.
"
Adherents say the biggest attraction is not so much that the gEDA tools are free but that they provide an open design system, with files that will always be readable, source code that's always available and no licensing hassles. But EDA vendors are quick to point out that open-source tools are unsupported and lack many of the features of commercial packages."
Thanks to Ales Hvezda.
Comments (2 posted)
Popular Mechanics
checks
out desktop Linux. "
I wanted to find out just what all the fuss
was about and if my geek friends were telling the truth--that Linux truly
is a consumer alternative to the Windows behemoth. So I installed Linux on
an IBM ThinkPad previously running Windows 98 and took it for a test
drive. And after a few weeks playing around with Linux, I'm
convinced. Linux measures up." (Thanks to Jay R. Ashworth).
Comments (12 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Firefox browser has passed the 10 million download mark, according to
this announcement.
"
In little more than a month, Firefox has been downloaded more than 10 million times.
Take a moment and think about that.
If you remember, it took us 10 days to reach 2 million downloads of the Firefox Preview Release. This time, in only 32 days, we quintupled that number."
Comments (none posted)
Sun Microsystems, Inc. has
announced growth in the Global Education and Learning Community,
which promotes open-source educational tools.
"
Sun Microsystems, Inc. today announced that the Global Education
and Learning Community (GELC) is thriving, growing to more than 1330
members with more than 177 projects in less than eight months.
Sun convened the first advisory board meeting in September 2004 to gather
the key influencers in technology and education to focus on developing
the technology community's collaborative open standards-based projects
and tools for teaching and learning."
Comments (none posted)
Commercial announcements
Arkeia Corp has announced a new plug-in for performing hot backups on
PostgreSQL databases.
"
The new hot backup plug-in is compatible with the company's flagship product Arkeia Network
Backup, as well as Arkeia Server Backup. It allows Arkeia backup solutions to protect the database
without interrupting PostgreSQL services."
Full Story (comments: none)
Bull has
announced that it will be building a 60-teraflop cluster for the French Nuclear Power agency. The system will have 544 nodes, each of which will hold eight dual-core Itanium processors; it will, says Bull, be the most powerful computer in Europe. Yes, it will run Linux.
Comments (none posted)
Coverity is the company which was formed on the work of the "Stanford
checker" group; it is selling static code analysis tools. The checker has
found large numbers of kernel bugs in the past. Coverity has now put out a
press release (click below for the full text) stating that, by their
statistics, the kernel has 985 bugs, or 0.17 bugs per thousand lines of
code. "
Commercial software typically has 20 to 30 bugs for every thousand lines of
code, according to Carnegie Mellon University's CyLab Sustainable Computing
Consortium. This is equivalent to 114,000 to 171,000 bugs in 5.7 million
lines of code."
Full Story (comments: 14)
Cybersource has published
a
new total cost of ownership study (PDF) comparing Windows and Linux
deployments. Despite having given several advantages to Windows, the study
concludes that switching to Linux is 36% cheaper if existing hardware is
used, and 26% cheaper if new hardware is part of the switch. The savings
are less (but still significant) if the Red Hat Enterprise products (and
associated support contracts) are purchased.
Comments (none posted)
The Linux Professional Institute has announced the signing of new
affiliates, the Agence Universitaire de la Francophonie (AUF) and
OpenForum Europe (OFE).
Full Story (comments: none)
OSDL has announced the results of a Linux market survey conducted by IDC.
The bottom line: in 2008, the Linux market will be $36 billion, of
which $14 billion will be "packaged applications and infrastructure
software running on Linux." A PowerPoint-style version of the study is available
in PDF format.
Full Story (comments: none)
Here's
a lawyergram from Pillsbury Winthrop LLP on free software and patents; the clue level is higher than one might expect. "
The suggestion that users of OS software
are more likely to be sued for patent infringement than those that use
proprietary software, like Microsoft's does not appear supported by actual
experience. It is interesting to note that while Microsoft has had several
dozen patent infringement lawsuits filed against it in the past few years,
none have been reported against Linux, the most popular of all [open source] programs."
Comments (3 posted)
MozSource
has launched
an email support service for Firefox, Thunderbird and Mozilla
at a rate of $4.99 per incident.
"
MozSource, the independent company that operates the Mozilla Store and the Netscape Store, today announced the launch of its new high-quality, affordable technical support service for Mozilla Firefox, Thunderbird and Mozilla 1.7.
Available from http://support.mozsource.com, end-user email support for the Firefox web browser, the Thunderbird email client and the Mozilla 1.7 Internet suite will be provided by an experienced team of support professionals who have years of experience with Mozilla-based products."
Comments (11 posted)
Red Hat and IBM have
announced a joint Linux ISV Certification Support Program in
Europe.
"
The programme -
fulfilled by the IBM Innovation Centres for Business Partners in
Hursley (UK), Moscow (Russia), Paris (France) and Stuttgart (Germany)
- provides support for Independent Software Vendors (ISVs) who wish to
certify applications on Red Hat Enterprise Linux running on IBM
hardware and IBM middleware."
Comments (none posted)
Walmart.com and Amazon.com will be selling a series of Microtel PCs
loaded with the Xandros distribution, starting at around $200.
Full Story (comments: none)
New Books
O'Reilly has published the book
Jakarta Commons Cookbook
by Timothy M. O'Brien.
Full Story (comments: none)
No Starch Press will publish the book
Silence on the Wire by
Michal Zalewski.
Full Story (comments: none)
Resources
Downloadable ISO images of the ALT Linux free!music CD are available.
"
This CD contains Ogg Vorbis encoded music from 30 groups and
individual performers in quite different styles (rock, traditional
etc). According to FREE!MUSIC declaration all tracks can be copied,
sold, reused in movies etc. -- whatever you like, but you always have
to keep name of the authors and their contacts information, so that
anyone can mail or phone them and suggest a contract or a gig etc :)"
Full Story (comments: none)
Contests and Awards
KDE's Konqueror browser
has been awarded a MozillaQuest Magazine Editor's Choice award.
"
The KDE Konqueror browser seems to take less memory than do the Firefox, Mozilla, and Netscape browsers. Konqueror seems faster too. Moreover, Konqueror has a very good, open source, rendering engine. In our opinion, Konqueror is more efficient than the Firefox, Mozilla, and Netscape browsers."
Comments (24 posted)
Upcoming Events
An EPlugin hackfest will be held online.
"
On Thursday Dec. 16th, 2004 the Evolution Team is going to have an
EPlugin Hackfest on irc in #evolution on gimp net. We want everyone to
see just how cool EPlugin is, to help shake out bugs and implement those
niggly little features you've always wanted. It should start around 10am
Perth Australia time and go as long as we can!"
Full Story (comments: none)
Papers and proposals for CodeCon 4.0 are due in by December 15, 2004.
The event will be held in San Francisco CA on February 11-13, 2005.
Full Story (comments: none)
The Linux Users' Group of Davis has announced another Linux Installfest.
The event will take place on December 19, 2004 in Davis, California.
Full Story (comments: none)
The EclipseCon gold level sponsors have been announced.
"
Six leading technology companies,
Accelerated Technology, Inc. a Mentor Graphics Division, Actuate
Corporation, Agitar Software, Borland Software Corporation, HP and IBM will
be the key sponsors of the conference."
Full Story (comments: none)
A Call for Papers has gone out for the FOSDEM2005 Lightning Talks.
"
A Lightning Talk is a very short presentation of a software project in
15 minutes maximum. So the presentation should be very sharp, small and
clear. Presentations only about free software projects will be accepted.
The presentation should be presented in English."
Proposals should be submitted by February 25, 2005.
Full Story (comments: none)
A
call for papers has gone out for the UK Python Conference.
The event will take place on April 20-23, 2005 in Oxford, England.
Comments (none posted)
Red Hat has sent out
a press release announcing that the first annual "Red Hat Summit" will happen June 1 to 3 in New Orleans. "
The Red Hat Summit will blend different views and content into a
program useful for attendees building and enabling open source
architectures. General sessions will be held each morning of the
three-day Summit followed by in-depth sessions grouped into three main
tracks for attendees to choose from. Tracks include the Practical,
Technical, and Business and Current Issues Tracks."
Comments (none posted)
IDG World Expo has
announced a Mexican LinuxWorld Conference & Expo.
"
LinuxWorld Conference &
Expo in Mexico will be co-located with E.J. Krause's EXPO COMM MEXICO,
the most important international telecommunications and IT business
forum in Mexico. LinuxWorld Mexico is scheduled for February 2006 in
Mexico City at Centro Banamex." Preceding the event, the
LinuxWorld Mexico Summit will be held on June 9-10, 2005.
Comments (none posted)
| Date | Event | Location |
| December 16 - 18, 2004 | Ubuntu Conference | Mataró, Spain |
| December 16 - 17, 2004 | JavaPolis 2004 | MetroPolis, Antwerp, Belgium |
| December 16 - 22, 2004 | UMeet Virtual Conference | On the Net |
| December 27 - 29, 2004 | Chaos Communication Congress (21C3) | Berliner Congress Center, Berlin, Germany |
| January 14, 2005 | PHP West Web Services conference | HR MacMillan Space Centre, Vancouver, BC, Canada |
| January 28 - February 4, 2005 | Asia Source | Visthar training venue, Bangalore, India |
| January 31 - February 2, 2005 | OSDL Enterprise Linux Summit | Hyatt Hotel, Burlingame, California |
| February 2 - 3, 2005 | Solutions Linux 2004 | CNIT, Paris la Défense, Paris, France |
| February 7 - 11, 2005 | GlobusWORLD | Sheraton Boston Hotel, Boston, MA |
| February 9 - 11, 2005 | German Perl-Workshop 2005 | Dresden, Germany |
| February 9 - 11, 2005 | Third-Annual Desktop Linux Summit | Del Mar Fairgrounds, San Diego, CA |
| February 9, 2005 | OOo RegiCon North America | Del Mar Fairgrounds, San Diego, CA |
Comments (none posted)
Mailing Lists
A new KDE Graphics Programming mailing list
has been announced.
"
The list is developer oriented and will be the central place
for all eye-candy development within KDE. Developers and researchers from the
computer graphics field are welcomed and strongly encouraged to subscribe.
Everything computer graphics related will be on topic - that includes
developments within the X.org community, uses of OpenGL within a desktop
environment or simply sharing your latest computer graphics research findings
with others."
Comments (none posted)
Miscellaneous
The Yankee Group has concluded that now would be a good time to put out
a scary press release on the dangers of using Linux without indemnification. "
A corporate Linux or open source user that lacks
indemnification and product warranty will expend its own time, money
and resources fighting legal action. In addition to the potential
monetary costs associated with protracted litigation, a corporation
risks incalculable loss to its reputation, which could deter existing
and prospective customers from signing on new business."
Comments (17 posted)
Page editor: Forrest Cook
Letters to the editor
| From: | paul-AT-pksings.com |
| To: | letters-AT-lwn.net |
| Subject: | Gnome Backgrounds, workspace specific |
| Date: | Wed, 8 Dec 2004 17:35:22 -0800 (PST) |
I'm a bit of a long-time Linux user and have come to really like Gnome
because it is clean, fast and just plain looks and works well. There is
one feature in it that I personally really would like to see however,
workspace specific backgrounds instead of the one background for all
workspaces.
In researching how to do it I find that it apparently can not be done.
Nautilus, which handles the backgrounds, does not have that capability.
There probably is some technical reason, bloat, difficulty or something as
to why it can't. And I'd really like to know what it is.
And how many people really would like this feature.
For me it has resulted in probably 40 hours of my life searching for a way
to make it happen as it is the only thing I don't like about Gnome. Yes, I
tried KDE, which by the way, can do this, but to me it's just not as clean
and nice. Yes, I probably could spend the hours learning to customize it
and make it that way as it is pretty much infinitely customizable, but
quite frankly, I have no desire to spend more hours learning about and
customizing KDE to look like Gnome, which is what I would be trying to
accomplish. What I really want is Gnome to do this.
I am willing to spend money to make this happen. I am wondering if we the
users who would like this can make it happen. I would like to propose that
we who want this functionality each send $5.00 US to the developer who, or
developers who provide it for us. I'm sure that there are at least 1000
users willing to provide 5 dollars each to get this functionality,
probably more. I personally will send $20. It is definitely worth that to
me, actually it's worth more but I think if enough of us are willing to
send a small amount it will add up to a large sum and somebody will do it
for us.
As a side effect, it will change the development model slightly; it will
set a precedent of how a group of users can influence a project to satisfy
a need.
Comments, suggestions?
PK
pksings@gmail.com
Comments (10 posted)
Page editor: Jonathan Corbet