Users of the Fedora Core distribution (or any other distribution, for that
matter) are well advised to understand its security update policies.
Fedora does not backport security fixes into the version of the affected
program which was originally shipped with the distribution; instead, the
application is simply updated to the current version. Security updates are
made for approximately one year, after which the Fedora project moves on to
supporting its newer versions. Sometimes the support period is shorter;
Fedora Core 2, which was released on May 18, 2004, is currently scheduled
to become unsupported on March 21.
It is worth noting that, for as long as it lasts, the Fedora Project's
security support is excellent. Updates are released quickly, and are
easily tracked using yum, up2date, or apt.
When Fedora stops supporting a release, it "transfers" that release to the
Fedora Legacy project. Fedora
Legacy is not part of Fedora itself; it is, instead, a separate,
community-based effort dedicated to making security updates available to
older Fedora Core and Red Hat Linux releases. The project's policy, as
stated in the FAQ, is
to support old Fedora Core releases for two release cycles after the
transfer.
When Fedora Legacy is working well, it is a highly useful service. With a
simple tweak to a yum configuration file, it is possible to keep
an older system current with almost no effort.
Unfortunately, the last update to Fedora Core 1 came out on
December 3, 2004. Any Fedora Core 1 systems which rely upon
Fedora Legacy for updates are currently vulnerable to holes in the kernel,
xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a
complete stop for over a month. We attempted to ask (via the posted
contact address) what was going on, but got no response.
A look at the project's mailing list shows that there are still signs of
life. There is an open
issues document which is still being maintained; it shows a substantial
number of packages needing updates, along with their bugzilla URLs. There
was also one message about the stoppage and
whether support for Fedora Core 1 had been dropped:
No, but a combination of lack of manpower, downtime on the build
server and the fact that we are releasing Red Hat 7.3, Red Hat 9
and Fedora Core 1 packages together means that the project is
grinding to a halt. As soon as the build server comes back I will
try and clear a lot of the backlog.
Keeping a distribution current with security patches is hard, tedious, and
often thankless work. It's the sort of work that people tend to demand to
be paid to do. Projects like Debian and Gentoo demonstrate that this job
can be done, and done well, on a volunteer basis, however. But it would
appear that the requisite effort is not there for the Fedora Legacy
project. Without the needed resources - developer time, systems to build
packages on, and testing - a project like Fedora Legacy will fail. People
who care about the security of older Fedora Core distributions - and the
long-term value of Fedora releases in general - might want to think about
what they can do to help the Fedora Legacy project get its process
restarted.
While Linux has made great strides in terms of application availability in
recent years, one area where Linux is still quite weak is accounting
software. More than a few open source diehards still turn to Quicken,
QuickBooks and/or TurboTax when it comes time to do the counting up.
When the GPL'ed version of Quasar
Accounting was announced
last week by Linux Canada, Inc., we decided it was time to take a look to
see if Quasar could give Linux users the features they need to do their
accounting solely on Linux. We also interviewed Linux Canada's Phil
Tonnellier about the application, and the decision to release parts of the
application under the GPL.
The GPL'ed components of Quasar include its client and server accounting
software. The point-of-sale components are not available under the GPL and
require a commercial license. Still, the accounting software components provide
all the features necessary for users who need to use Quasar for small
business accounting.
Tonnellier said that the company chose to release Quasar under the GPL for
several reasons. First, he said that the company "wanted to give
something back" since the company had been using Linux for retail
systems since 1995. He also said that there is a bit of pride in the
product as well:
We believe in our product. We believe in the quality of the source code,
and we believe that FOSS is the future of software. We feel that Quasar in
GPL can be the leading FOSS accounting system for the world. There is a
desire to get more eyes on the code and more testers to make Quasar a
better product.
In addition, Tonnellier said that making the source code available was part
of trying to build a strong reseller network for Quasar. As for keeping
part of the code closed, Tonnellier said that the company's revenues have
been primarily derived from sales to retail businesses, and that
"most retailers requiring point-of-sale can easily afford the Quasar
license fees, and indeed they may feel better knowing we have an income
stream and will remain strong for them in the future."
Quasar requires a database backend, either PostgreSQL, Firebird or
Sybase. Since MySQL is also extremely popular with the open source
community, we asked Tonnellier why Quasar didn't support MySQL as
well. According to Tonnellier, they didn't feel MySQL was quite ready in
2000 when Quasar development started:
We felt that MySQL did not meet all of our requirements for handling
referential integrity and PostgreSQL actually failed some tests. Thus we
chose Firebird and Sybase to work with. Since then PostgreSQL and MySQL
have come a long way in features and reliability. But to be honest, we have
been so busy working on features that we did not revisit the use of
PostgreSQL and MySQL. With the release to open source, we did take another
look at PostgreSQL and created the interface. One day we want to do the
same for MySQL, but just have not had the time.
Since Quasar has long been a closed-source application, we asked what kind
of preparation Linux Canada had to do in order to release the code under
the GPL. Tonnellier said that it was more complicated than just throwing
the source out into the wild:
There is a tremendous amount of work to prepare for open source. Especially
when you consider that the work has to be done in addition to running your
regular business to maintain a revenue stream. We needed to make sure that
the code is presentable and easy to build. We needed to remove any third
party dependencies. We needed to figure out a way to earn a living after
open source. We needed to define all of our new support packages. We needed
to prepare the web site and all of the manuals. We needed to set up proper
mailing lists and support forums. We needed to ensure our Internet server
could handle the traffic and was properly configured.
How does Quasar compare with QuickBooks? Tonnellier noted that Quasar is
missing QuickBooks' payroll component, but that Quasar "has very
powerful inventory control, including auto ordering and merchandise cost
landing." A list of Quasar's features can be found on the Linux
Canada website.
This reporter downloaded the Quasar packages for SUSE Linux 9.2 and took
Quasar for a test drive. Linux Canada has provided source code and packages
for Fedora Core, Mandrake, Red Hat, Slackware, and SUSE. We tested Quasar
with the PostgreSQL backend, which was a bit tricky to set up initially,
but once we got it working it was smooth sailing.
For Linux users who want an accounting package for individual use, Quasar
is probably overkill. However, the package has plenty of features that make
it attractive to small businesses that have to manage invoices, inventory,
purchase orders, vendor payments and so forth.
The interface was fairly intuitive, even though this reporter is decidedly
not well-versed in accounting. Quasar also includes an extensive online
help system so that almost every window and dialog has an associated help
file that explains the current operation. We did run into the occasional
glitch, such as the Item Lookup dialog. When searching for a Department for
an item, clicking on "New" brings up a "Department Master" dialog that
refuses to accept user input until the Item Lookup window is
closed. However, we didn't find many glitches of this nature.
Overall, Quasar is a decent accounting application that seems to have most
of the features that a small business would need, excepting the payroll
functions that Tonnellier alluded to. This is, of course, a feature that
many businesses will still need to have, and will probably keep many
businesses from turning to Quasar.
Despite the rough edges, we'd recommend that users evaluate Quasar to see
if it would suit their needs. Since Quasar is now licensed under the GPL, the Linux community
can help Linux Canada add the features and polish it needs to be
competitive with proprietary accounting applications. Given the number of
users and organizations that would benefit from, and have been looking for,
an open source accounting software system, Quasar shouldn't have any
shortage of developers willing to take it to the next level.
The state of California has long been known for innovative public policies
and laws. Sometimes, the state can be truly visionary in its policies,
and, sometimes...
Senator Kevin Murray, from Los Angeles, has put forward a
proposed law which would attack the dreaded scourge of peer-to-peer
file sharing networks. In particular, the proposed law reads:
Any person or entity that sells, offers for sale, advertises,
distributes, disseminates, provides, or otherwise makes available
peer-to-peer file sharing software that enables its user to
electronically disseminate commercial recordings or audiovisual
works via the Internet or any other digital network, and who fails
to exercise reasonable care in preventing use of that software to
commit an unlawful act with respect to a commercial recording or
audiovisual work... is punishable, in addition to any other penalty or
fine imposed, by a fine not exceeding two thousand five hundred
dollars ($2,500), imprisonment in a county jail for a period not to
exceed one year, or by both that fine and imprisonment.
Of course, "peer-to-peer file sharing software" is a vague term, so
Sen. Murray makes it even more so:
As used in this section, "peer-to-peer file sharing software" means
software that once installed and launched, enables the user to
connect his or her computer to a network of other computers on
which the users of these computers have made available recording or
audiovisual works for electronic dissemination to other users who
are connected to the network.
It does not require a particularly expansive reading of that language to
conclude that, say, a Linux distribution with an FTP client or web browser
meets that definition. The law does not address what "reasonable care"
means, but, presumably, "no attempt whatsoever to prevent the distribution
of proprietary materials" would not make the grade. The paranoid among us
might well see an attempt to outlaw free software here... except for the
little problem that this law would be equally applicable
to any general-purpose, proprietary operating system.
This bill will most probably encounter a rough road, and, with luck, will
not be passed. It is, however, another result of a view which is being
encouraged by the entertainment industry (and others): software is an inherently
dangerous tool which must be heavily regulated. Manufacturers and
distributors of cooking knives, hand guns, gasoline, automobiles, etc. are
not required to design their products in such a way as to prevent the
commission of the obvious crimes which those products enable. But software
is a riskier item, and cannot be trusted.
The free software community values the freedom it has: if we have a
particular need, the only thing that stands between us and satisfying that
need is the requisite hacking time. Increasingly, however, we are hearing
that our code is illegal in some part of the world or other, regardless of
its intent or legitimate uses. This problem is only likely to get worse as
the Powers That Be try to get a handle on the strong, but relatively
uncontrolled free software world.
Page editor: Jonathan Corbet
Security
2004 was another busy year for those concerned with the security of their
systems. The LWN security database shows that the top-tier distributors
issued 1660 updates in 2004 in response to 396 vulnerabilities. Once
again, the kernel leads the list for the sheer number of vulnerabilities:
19 of them last year. Apache comes in second with 12 vulnerabilities -
though that figure mixes versions 1 and 2 which, arguably, should be kept
separate.
For the curious, here's the beginning of our table showing vulnerabilities
and resulting alerts for 2004:
For the full table, in its bandwidth- and browser-busting glory, see this page over here.
When viewing this table, please keep in mind one fundamental limitation it
has: we have no way of marking when a given distribution is not affected by
a vulnerability. So, if no alerts show for a specific combination of
distributor and vulnerability, it means either (1) the distributor did
not bother to issue an update, or (2) that distribution was not
vulnerable. Someday we hope to get to where we can distinguish between
those two situations.
Brief items
The Register reports that Verizon has come up with a novel way of reducing
spam delivered to its customers: blocking all email from Europe. "Verizon's
three million DSL customers waiting for emails from Europe were advised to
use alternative forms of communication. 'If it's really important you might
want to make a phone call...'"
New vulnerabilities
apache: temporary file vulnerability
| Package(s): | apache |
| CVE #(s): | |
| Created: | January 19, 2005 |
| Updated: | January 19, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the Apache 1.3 "check_forensic" script created temporary files in an insecure manner. |
| Alerts: | |
chbg: buffer overflow
| Package(s): | chbg |
| CVE #(s): | CAN-2004-1264 |
| Created: | January 18, 2005 |
| Updated: | February 2, 2005 |
| Description: | Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine. |
| Alerts: | |
gatos: buffer overflow
| Package(s): | gatos |
| CVE #(s): | CAN-2005-0016 |
| Created: | January 17, 2005 |
| Updated: | January 17, 2005 |
| Description: | Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in the gatos package, that is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware. |
| Alerts: | |
gopher: multiple vulnerabilities
| Package(s): | gopher |
| CVE #(s): | CAN-2004-0560, CAN-2004-0561 |
| Created: | January 13, 2005 |
| Updated: | January 17, 2005 |
| Description: | Gopher's gopherd has an integer overflow vulnerability and the gopher log routine has a format string vulnerability. |
| Alerts: | |
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
| CVE #(s): | CAN-2005-0001 |
| Created: | January 14, 2005 |
| Updated: | February 25, 2005 |
| Description: | Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details. |
| Alerts: | |
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited, allowing an attacker to execute arbitrary code. |
| Alerts: | |
mozilla: buffer overflow
| Package(s): | mozilla |
| CVE #(s): | CAN-2004-1316 |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. |
| Alerts: | |
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
| CVE #(s): | CAN-2005-0004 |
| Created: | January 18, 2005 |
| Updated: | March 25, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
playmidi: buffer overflow
| Package(s): | playmidi |
| CVE #(s): | CAN-2005-0020 |
| Created: | January 17, 2005 |
| Updated: | January 20, 2005 |
| Description: | Erik Sjölund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker. |
| Alerts: | |
queue: buffer overflows
| Package(s): | queue |
| CVE #(s): | CAN-2004-0555 |
| Created: | January 18, 2005 |
| Updated: | January 19, 2005 |
| Description: | "jaguar" of the Debian Security Audit Project has discovered several buffer overflows in queue, a transparent load balancing system. |
| Alerts: | |
Squid: multiple vulnerabilities
| Package(s): | squid |
| CVE #(s): | CAN-2005-0094, CAN-2005-0095 |
| Created: | January 17, 2005 |
| Updated: | February 2, 2005 |
| Description: | Squid contains a vulnerability in the gopherToHTML function and incorrectly checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages. Furthermore, the NTLM code contains two errors: a memory leak in the fakeauth_auth helper and a NULL pointer dereference error. |
| Alerts: | |
tnftp: arbitrary file overwriting
| Package(s): | tnftp |
| CVE #(s): | CAN-2004-1294 |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | According to this advisory, the 'mget' function in cmds.c lacks validation of the filenames that are supplied by the server. An attacker running an FTP server could supply clients with malicious filenames, potentially allowing the overwriting of arbitrary files with the permission of the connected user. |
| Alerts: | |
twiki: arbitrary shell command execution
| Package(s): | twiki |
| CVE #(s): | |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | A vulnerability in twiki was found where a remote attacker could exploit it to run arbitrary shell commands on the server. For further information, see this announcement. |
| Alerts: | |
vim: symbolic link attack
| Package(s): | vim |
| CVE #(s): | CAN-2005-0069 |
| Created: | January 18, 2005 |
| Updated: | February 18, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the auxiliary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim). |
| Alerts: | |
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
bmv: insecure temporary file
| Package(s): | bmv |
| CVE #(s): | CAN-2003-0014 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: | Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for SVGAlib, discovered that temporary files are created in an insecure fashion. A malicious local user could cause arbitrary files to be overwritten by a symlink attack. |
| Alerts: | |
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
cups: multiple vulnerabilities
| Package(s): | cups |
| CVE #(s): | CAN-2004-1267, CAN-2004-1268, CAN-2004-1269, CAN-2004-1270 |
| Created: | December 17, 2004 |
| Updated: | February 9, 2005 |
| Description: | cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter. |
| Alerts: | |
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
dillo: format string vulnerability
| Package(s): | dillo |
| CVE #(s): | CAN-2005-0012 |
| Created: | January 10, 2005 |
| Updated: | January 12, 2005 |
| Description: | Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg(). An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo. |
| Alerts: | |
ethereal: multiple vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2004-1139, CAN-2004-1140, CAN-2004-1141, CAN-2004-1142 |
| Created: | December 20, 2004 |
| Updated: | January 13, 2005 |
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.8, including: (1) a bug in DICOM dissection discovered by Bing could make Ethereal crash (CAN-2004-1139); (2) an invalid RTP timestamp could make Ethereal hang and create a large temporary file (CAN-2004-1140); (3) the HTTP dissector could access previously-freed memory (CAN-2004-1141); (4) Brian Caswell discovered that an improperly formatted SMB could make Ethereal hang (CAN-2004-1142). |
| Alerts: | |
exim: buffer overflows
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: | |
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0891 |
| Created: | October 25, 2004 |
| Updated: | February 11, 2005 |
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. |
| Alerts: | |
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
| CVE #(s): | CAN-2004-1106 |
| Created: | November 8, 2004 |
| Updated: | January 17, 2005 |
| Description: | Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery. |
| Alerts: | |
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: | |
groff: insecure temp file
| Package(s): | groff |
| CVE #(s): | CAN-2004-1296 |
| Created: | December 20, 2004 |
| Updated: | January 17, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered that the auxiliary scripts "eqn2graph" and "pic2graph" created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
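The apache check_forensic, mysqlaccess, vim (tcltags, vimspell.sh), bmv, gettext, glibc catchsegv and groff (eqn2graph, pic2graph, groffer) entries on this page are all the same bug class: a script opens a temporary file whose name can be guessed in advance, in a directory anyone can write to, so a pre-planted symbolic link redirects the write to a file of the attacker's choosing. The Python below is an added example, not code from the page or from any of those projects; the `/tmp/<tool>.<pid>` naming pattern and the scenario `demo()` builds are constructed for illustration. It shows the fix the advisories imply (an unpredictable name opened with `O_CREAT|O_EXCL`, mode 0600, via `tempfile.mkstemp`), a hardened `open_exclusive()` that refuses to follow a link even at a known path, and an audit check a defender can run over a script's output files.

```python
import os
import stat
import tempfile


def predictable_temp_path(tool, tmpdir=None):
    """The shape the advisories warn about: a name in a world-writable
    directory that anyone can guess ahead of time (assumed pattern such as
    /tmp/vimspell.1234; not copied from any affected script)."""
    tmpdir = tmpdir or tempfile.gettempdir()
    return os.path.join(tmpdir, "%s.%d" % (tool, os.getpid()))


def open_exclusive(path):
    """Create `path` only if nothing is there yet.  O_CREAT|O_EXCL fails on
    any existing entry, symlinks included (even dangling ones); O_NOFOLLOW
    is added where the platform has it so a link is never followed.
    Returns a descriptor or raises OSError (EEXIST / ELOOP)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_temp_safely(tool, data, tmpdir=None):
    """mkstemp() picks an unpredictable name and opens it with
    O_CREAT|O_EXCL and mode 0600, which is what the fixed scripts need;
    the shell equivalent is mktemp(1)."""
    fd, path = tempfile.mkstemp(prefix=tool + ".", dir=tmpdir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def temp_file_is_safe(path):
    """Audit check: a regular file (lstat, so a link is not looked through)
    with no group/other permission bits set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo(tmpdir=None):
    """Constructed scenario: a symlink already occupies the guessable name
    and points at a file the script must not touch.  Returns what happened
    so the outcome can be checked rather than just printed."""
    tmpdir = tempfile.mkdtemp(prefix="tmpfile-demo.", dir=tmpdir)
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original\n")
    guessed = predictable_temp_path("vimspell", tmpdir)
    os.symlink(victim, guessed)  # constructed: the pre-planted link

    # A naive open(guessed, "w") would follow the link and clobber victim;
    # the hardened open refuses instead.
    try:
        os.close(open_exclusive(guessed))
        refused = False
    except OSError:
        refused = True

    safe = write_temp_safely("vimspell", b"scratch\n", tmpdir)
    with open(victim) as f:
        intact = f.read() == "original\n"
    result = {
        "refused": refused,
        "victim_intact": intact,
        "safe_file_ok": temp_file_is_safe(safe),
        "name_differs": safe != guessed,
    }
    for p in (safe, guessed, victim):
        os.unlink(p)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(demo())
```

`temp_file_is_safe()` uses `lstat`, not `stat`, on purpose: checking through a link reports the permissions of the target, which is exactly what a symlink attack wants you to look at. The same idea in a shell script is `tmp=$(mktemp) || exit 1` instead of `tmp=/tmp/name.$$`.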
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
hylafax: weak hostname and username validation
| Package(s): | hylafax |
| CVE #(s): | CAN-2004-1182 |
| Created: | January 11, 2005 |
| Updated: | January 13, 2005 |
| Description: | Patrice Fournier discovered a vulnerability in the authorization subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system. Fixed in HylaFAX 4.2.1. |
| Alerts: | |
imlib: buffer overflows in image decoding
| Package(s): | imlib |
| CVE #(s): | CAN-2004-1026 |
| Created: | December 6, 2004 |
| Updated: | January 13, 2005 |
| Description: | Pavel Kankovsky discovered that several overflows found in the libXpm library also applied to imlib. He also fixed a number of other potential flaws. A remote attacker could entice a user to view a carefully-crafted image file, which would potentially lead to execution of arbitrary code with the rights of the user viewing the image. This affects any program that makes use of the imlib library. |
| Alerts: | |
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
iptables: missing initialization
| Package(s): | iptables |
| CVE #(s): | CAN-2004-0986 |
| Created: | November 1, 2004 |
| Updated: | February 11, 2005 |
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. |
| Alerts: | |
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 |
| CVE #(s): | CAN-2004-1189 |
| Created: | December 21, 2004 |
| Updated: | February 15, 2005 |
| Description: |
There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to execute
arbitrary code on a Key Distribution Center (KDC) server. |
| Alerts: | |
Comments (none posted)
kernel: race condition, privilege escalation
| Package(s): | kernel |
| CVE #(s): | CAN-2004-1235, CAN-2004-1337 |
| Created: | January 10, 2005 |
| Updated: | January 19, 2005 |
| Description: |
Paul Starzetz discovered a race condition in the ELF library and a.out
binary format loaders, which can be locally exploited in several
different ways to gain root privileges. (CAN-2004-1235)
Liang Bin found a design flaw in the capability module. After this
module was loaded on demand in a running system, all unprivileged user
space processes got all kernel capabilities (thus essentially root
privileges). (CAN-2004-1337) |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
Konqueror: Java sandbox vulnerabilities
| Package(s): | konqueror |
| CVE #(s): | CAN-2004-1145 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: |
According to this KDE Security Advisory, two flaws in the Konqueror web
browser make it possible to bypass the sandbox environment which is used
to run Java applets. All versions of KDE up to KDE 3.3.1 inclusive are
affected. KDE 3.3.2 is not affected. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: | |
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
| CVE #(s): | CAN-2004-0687, CAN-2004-0688 |
| Created: | September 16, 2004 |
| Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: | |
Comments (none posted)
lintian: insecure temporary directory
| Package(s): | lintian |
| CVE #(s): | CAN-2004-1000 |
| Created: | January 10, 2005 |
| Updated: | January 12, 2005 |
| Description: |
Jeroen van Wolffelaar discovered a problem in lintian, the Debian
package checker. The program removes the working directory even if it
wasn't created at program start, removing an unrelated file or
directory a malicious user inserted via a symlink attack. |
| Alerts: | |
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
| CVE #(s): | CAN-2004-0972 |
| Created: | November 1, 2004 |
| Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: | |
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
| CVE #(s): | CAN-2004-1177 |
| Created: | January 10, 2005 |
| Updated: | March 22, 2005 |
| Description: |
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: | |
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
| CVE #(s): | CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908 |
| Created: | September 20, 2004 |
| Updated: | January 13, 2005 |
| Description: |
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0835, CAN-2004-0836, CAN-2004-0837 |
| Created: | October 11, 2004 |
| Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: | |
Comments (none posted)
namazu2: cross-site scripting vulnerability
| Package(s): | namazu2 |
| CVE #(s): | CAN-2004-1318 |
| Created: | January 6, 2005 |
| Updated: | January 12, 2005 |
| Description: |
The namazu2 full text search engine has a cross-site scripting vulnerability
that may allow an attacker to display arbitrarily crafted text
by the use of specially crafted input information. |
| Alerts: | |
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
| CVE #(s): | CAN-2004-1287 |
| Created: | December 20, 2004 |
| Updated: | May 4, 2005 |
| Description: |
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code. |
| Alerts: | |
Comments (4 posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
| CVE #(s): | CAN-2004-0911 |
| Created: | October 4, 2004 |
| Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: | |
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-1014 |
| Created: | December 1, 2004 |
| Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: | |
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-0946 |
| Created: | January 11, 2005 |
| Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
o3read: buffer overflow during file conversion
| Package(s): | o3read |
| CVE #(s): | CAN-2004-1288 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: |
Wiktor Kopec discovered that the parse_html function in o3read.c copies
any number of bytes into a 1024-byte array. |
| Alerts: | |
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
| CVE #(s): | CAN-2004-0975 |
| Created: | November 11, 2004 |
| Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: | |
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
phpgroupware: information disclosure vulnerability
| Package(s): | phpgroupware |
| CVE #(s): | |
| Created: | January 6, 2005 |
| Updated: | January 12, 2005 |
| Description: |
phpgroupware has multiple vulnerabilities that may
be exploited for the purpose of information disclosure
or a remote compromise. |
| Alerts: | |
Comments (none posted)
poppassd_pam: unauthorized password changing
| Package(s): | poppassd_pam |
| CVE #(s): | CAN-2005-0002 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: |
Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did
not check that the old password was valid before changing passwords.
Subsequent investigation revealed that poppassd_pam did not call
pam_authenticate before calling pam_chauthtok. |
| Alerts: | |
Comments (none posted)
ProZilla: Multiple vulnerabilities
| Package(s): | ProZilla |
| CVE #(s): | CAN-2004-1120 |
| Created: | November 23, 2004 |
| Updated: | February 1, 2005 |
| Description: |
ProZilla contains several exploitable buffer overflows in the code handling
the network protocols. A remote attacker could set up a malicious server
and entice a user to retrieve files from that server using ProZilla. This
could lead to the execution of arbitrary code with the rights of the user
running ProZilla. |
| Alerts: | |
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
| CVE #(s): | CAN-2004-0691, CAN-2004-0692, CAN-2004-0693 |
| Created: | August 19, 2004 |
| Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: | |
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
| CVE #(s): | CAN-2004-0564 |
| Created: | October 4, 2004 |
| Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: | |
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
| CVE #(s): | CAN-2004-0983 |
| Created: | November 8, 2004 |
| Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles. |
| Alerts: | |
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
| CVE #(s): | CAN-2004-1154 |
| Created: | December 16, 2004 |
| Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: | |
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
| CVE #(s): | CAN-2004-1772 |
| Created: | October 1, 2004 |
| Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: | |
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
| CVE #(s): | CAN-2004-0557 |
| Created: | July 28, 2004 |
| Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: | |
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
| CVE #(s): | CAN-2004-0796 |
| Created: | August 9, 2004 |
| Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: | |
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0413 |
| Created: | June 11, 2004 |
| Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
| CVE #(s): | CAN-2004-1051 |
| Created: | November 17, 2004 |
| Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
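As an added example (not code from GNU tar, unzip, or the advisory), the kind of member-name check an extractor can apply before writing anything to disk, with a constructed sample listing: it rejects absolute names and any ".." component, which is the conservative choice.

```c
#include <stdbool.h>
#include <string.h>

/* Return true when an archive member name can only resolve inside the
 * extraction directory: non-empty, relative, and with no ".." component.
 * Any ".." is rejected, even "a/../b", to keep the rule simple. */
bool archive_member_is_safe(const char *name)
{
    const char *p;

    if (name == NULL || *name == '\0' || *name == '/')
        return false;
    for (p = name; *p != '\0'; ) {
        size_t seg = strcspn(p, "/");          /* length of this component */
        if (seg == 2 && p[0] == '.' && p[1] == '.')
            return false;                      /* ".." climbs out */
        p += seg;
        if (*p == '/')
            p++;
    }
    return true;
}

/* Constructed sample listing, as an extractor would read it from a header. */
static const char *const sample_members[] = {
    "etc/passwd",             /* ok: relative, stays inside */
    "../../etc/passwd",       /* rejected: climbs out */
    "/etc/passwd",            /* rejected: absolute */
    "docs/..hidden/notes",    /* ok: "..hidden" is not ".." */
    "build/../../../.bashrc", /* rejected */
    NULL,
};

/* Count how many members of the sample listing would be skipped. */
int count_rejected_members(void)
{
    int rejected = 0;
    const char *const *m;

    for (m = sample_members; *m != NULL; m++)
        if (!archive_member_is_safe(*m))
            rejected++;
    return rejected;
}
```

This covers only the "../" case the entry describes; a member that is a symbolic link pointing outside the tree needs a separate check at extraction time.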
tiff: buffer overflows
| Package(s): | tiff |
| CVE #(s): | CAN-2004-0803 |
| Created: | October 13, 2004 |
| Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
TikiWiki: arbitrary command execution
| Package(s): | TikiWiki |
| CVE #(s): | |
| Created: | January 10, 2005 |
| Updated: | January 31, 2005 |
| Description: |
TikiWiki lacks a check on uploaded images in the Wiki edit page. A
malicious user could run arbitrary commands on the server by uploading and
calling a PHP script. |
| Alerts: | |
Comments (none posted)
unarj: buffer overflow vulnerability
| Package(s): | unarj |
| CVE #(s): | CAN-2004-0947 |
| Created: | November 11, 2004 |
| Updated: | February 2, 2005 |
| Description: |
The unarj uncompression utility has a buffer overflow vulnerability
from handling long file names in an archive. An attacker can
cause unarj to crash or execute arbitrary code. |
| Alerts: | |
Comments (none posted)
UnRTF: Buffer overflow
| Package(s): | unrtf |
| CVE #(s): | |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: |
An unchecked strcat() in unrtf may overflow the bounds of a static buffer.
Using a specially crafted file, possibly delivered by e-mail or over the
web, an attacker may execute arbitrary code with the permissions of the
user running UnRTF. |
| Alerts: | |
Comments (1 posted)
vilistextum: buffer overflow vulnerability
| Package(s): | vilistextum |
| CVE #(s): | CAN-2004-1299 |
| Created: | January 6, 2005 |
| Updated: | January 12, 2005 |
| Description: |
Vilistextum has a buffer overflow vulnerability that allows an attacker
to execute arbitrary code via a maliciously created web page. |
| Alerts: | |
Comments (none posted)
vim: modeline problems
| Package(s): | vim |
| CVE #(s): | CAN-2004-1138 |
| Created: | December 15, 2004 |
| Updated: | February 24, 2005 |
| Description: |
A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user. |
| Alerts: | |
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
| CVE #(s): | CAN-2004-0645 |
| Created: | July 14, 2004 |
| Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: | |
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal (which is disabled by default), and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: | |
Comments (none posted)
xine-lib: arbitrary code execution
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1187, CAN-2004-1188, CAN-2004-1300 |
| Created: | December 21, 2004 |
| Updated: | January 25, 2005 |
| Description: |
Several buffer overflows have been discovered in xine-lib, the video/audio
codec library for Xine frontends (xine-ui, totem-xine, kaffeine, and
others). If an attacker tricked a user into loading a malicious RTSP stream
or a stream with specially crafted AIFF audio or PNM image data, they could
exploit this to execute arbitrary code with the privileges of the user
opening the audio/video file. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: | |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: | |
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
| CVE #(s): | CAN-2004-0914 |
| Created: | November 18, 2004 |
| Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2004-1125 |
| Created: | December 23, 2004 |
| Updated: | April 1, 2005 |
| Description: |
xpdf has a potential buffer overflow problem caused by insufficient input
validation. A specially crafted PDF file can allow an attacker to execute
code with privileges of the xpdf user. |
| Alerts: | |
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf kpdf cupsys |
| CVE #(s): | CAN-2004-0888, CAN-2004-0889 |
| Created: | October 21, 2004 |
| Updated: | February 18, 2005 |
| Description: |
Several xpdf integer overflow vulnerabilities can be exploited via a
malformed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys which share code. Additional information can be found in this KDE security advisory. |
| Alerts: | |
Comments (none posted)
xzgv integer overflows
| Package(s): | xzgv |
| CVE #(s): | CAN-2004-0994 |
| Created: | December 21, 2004 |
| Updated: | January 12, 2005 |
| Description: |
Luke "infamous41md" discovered multiple vulnerabilities in xzgv, a picture
viewer for X11 with a thumbnail-based selector. Remote exploitation of an
integer overflow vulnerability could allow the execution of arbitrary
code. |
| Alerts: | |
Comments (none posted)
zip: arbitrary code execution
| Package(s): | zip |
| CVE #(s): | CAN-2004-1010 |
| Created: | November 5, 2004 |
| Updated: | February 2, 2005 |
| Description: |
HexView discovered a buffer overflow in the zip package. The overflow is
triggered by creating a ZIP archive of files with very long path
names. This vulnerability might result in execution of arbitrary code with
the privileges of the user who calls zip. This flaw may lead to privilege
escalation on systems which automatically create ZIP archives of user
supplied files, like backup systems or web applications. |
| Alerts: | |
Comments (1 posted)
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: | |
Comments (none posted)
Events
The Central Pennsylvania Linux Users Group will be holding a security
conference near Harrisburg on March 5. Speakers include Russell
Coker, Brandon Hale, and Ed Reed; click below for the details.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.11-rc1.
Linus's BitKeeper repository contains, as of this writing,
some networking updates, an ALSA update (to version 1.0.8), some
enhancements to the "circular pipe buffers" code introduced in -rc1 (see
below), the ioctl() method rework (see below), in-inode extended
attributes for ext3, and various fixes.
The current prepatch from Andrew Morton is 2.6.11-rc1-mm1. Recent additions to -mm
include the Linux Trace Toolkit
(LTT), relayfs, ext3 in-inode extended
attributes (subsequently merged), the filesystems in user space (FUSE) patch set, an
update to the random driver, and a copy of Dave Jones's "post-halloween"
document (in the hope that somebody will be motivated to update it).
Andrew added LTT and relayfs with the explanation: "This is a
discussion which needs to be had." The discussion has indeed been
lively. Many developers see the value in this code, but object to the
implementation. As a result, LTT and relayfs are likely to be slimmed down
significantly, with more of the work shifted to user space or a separate
loadable module. We may also see the Linux Kernel State Tracer patch
submitted to -mm for comparison before the discussion is over.
The current 2.4 kernel is 2.4.29, released by Marcelo on January 19. One
change was made since -rc3: the removal of one patch which was causing
trouble. The changes since 2.4.28 are mostly bug fixes and driver updates;
2.4 is past the point of getting much in the way of new features.
Comments (none posted)
Kernel development news
Given that base 2.6 kernels are shipped by Linus with known unfixed
security holes anyone trying to use them really should be doing some
careful thinking. In truth no 2.6 released kernel is suitable for
anything but beta testing until you add a few patches anyway....
I still think the 2.6 model works well because it's making very good
progress and then others are doing testing and quality management on it.
Linus is doing the stuff he is good at and other people are doing the
stuff he doesn't.
--
Alan Cox
Comments (11 posted)
The
ioctl() system call has long been out of favor among the
kernel developers, who see it as a completely uncontrolled entry point into
the kernel. Given the vast number of applications which expect
ioctl() to be present, however, it will not go away
anytime soon. So it is worth the trouble to ensure that
ioctl()
calls are performed quickly and correctly - and that they do not
unnecessarily impact the rest of the system.
ioctl() is one of the remaining parts of the kernel which runs
under the Big Kernel Lock (BKL). In the past, the usage of the BKL has
made it possible for long-running ioctl() methods to create long
latencies for unrelated processes. Recent changes, which have made
BKL-covered code preemptible, have mitigated that problem somewhat. Even
so, the desire to eventually get rid of the BKL altogether suggests that
ioctl() should move out from under its protection.
Simply removing the lock_kernel() call before calling
ioctl() methods is not an option, however. Each one of those
methods must first be audited to see what other locking may be necessary
for it to run safely outside of the BKL. That is a huge job, one which
would be hard to do in a single "flag day" operation. So a migration path
must be provided. As of 2.6.11, that path will exist.
The patch (by Michael S. Tsirkin) adds a
new member to the file_operations structure:
    long (*unlocked_ioctl) (struct file *filp, unsigned int cmd,
                            unsigned long arg);
If a driver or filesystem provides an unlocked_ioctl() method, it
will be called in preference to the older ioctl(). The
differences are that the inode argument is not provided (it's
available as filp->f_dentry->d_inode) and the BKL is not taken
prior to the call. All new code should be written with its own locking,
and should use unlocked_ioctl(). Old code should be converted as
time allows. For code which must run on multiple kernels, there is a new
HAVE_UNLOCKED_IOCTL macro which can be tested to see if the newer
method is available or not.
Michael's patch adds one other operation:
    long (*compat_ioctl) (struct file *filp, unsigned int cmd,
                          unsigned long arg);
If this method exists, it will be called (without the BKL) whenever a
32-bit process calls ioctl() on a 64-bit system. It should then
do whatever is required to convert the argument to native data types and
carry out the request. If compat_ioctl() is not provided, the
older conversion mechanism will be used, as before. The HAVE_COMPAT_IOCTL
macro can be tested to see if this mechanism is available on any given
kernel.
The compat_ioctl() method will probably filter down into a few
subsystems. Andi Kleen has posted patches adding new
compat_ioctl() methods to the block_device_operations and
scsi_host_template structures, for example, though those patches
have not been merged as of this writing.
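To make the dispatch order concrete, here is an added user-space model of the three entry points, written for this page rather than taken from the kernel: the struct and method names follow the article, while the dispatcher, the BKL counter, the toy device and its two commands are constructed stand-ins for the real VFS code.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the kernel types (constructed, not <linux/fs.h>). */
struct inode { int ino; };
struct file  { struct inode *f_inode; int is_32bit_caller; };

/* The three ioctl entry points the article describes. */
struct file_operations {
    int  (*ioctl)(struct inode *, struct file *, unsigned int, unsigned long);
    long (*unlocked_ioctl)(struct file *, unsigned int, unsigned long);
    long (*compat_ioctl)(struct file *, unsigned int, unsigned long);
};

/* Model of the Big Kernel Lock: just count how often a dispatch took it. */
static int bkl_acquisitions;
static void lock_kernel(void)   { bkl_acquisitions++; }
static void unlock_kernel(void) { }
#define ENOTTY 25

/* Dispatcher: compat_ioctl() for 32-bit callers; unlocked_ioctl() without
 * the BKL when present; otherwise the old ioctl() bracketed by the BKL. */
long model_vfs_ioctl(struct file *filp, const struct file_operations *fops,
                     unsigned int cmd, unsigned long arg)
{
    long ret = -ENOTTY;

    if (filp->is_32bit_caller)
        return fops->compat_ioctl ? fops->compat_ioctl(filp, cmd, arg) : -ENOTTY;
    if (fops->unlocked_ioctl)
        return fops->unlocked_ioctl(filp, cmd, arg);
    if (fops->ioctl) {
        lock_kernel();
        ret = fops->ioctl(filp->f_inode, filp, cmd, arg);
        unlock_kernel();
    }
    return ret;
}

/* A toy device with one value and two commands (constructed). */
#define DEMO_SET 1u
#define DEMO_GET 2u
static unsigned long demo_value;

/* New-style handler: no BKL, so it must do its own locking (omitted here). */
static long demo_unlocked_ioctl(struct file *filp, unsigned int cmd,
                                unsigned long arg)
{
    (void)filp;
    switch (cmd) {
    case DEMO_SET: demo_value = arg; return 0;
    case DEMO_GET: return (long)demo_value;
    default:       return -ENOTTY;
    }
}

/* 32-bit callers pass a 32-bit argument: widen it, then share the handler. */
static long demo_compat_ioctl(struct file *filp, unsigned int cmd,
                              unsigned long arg)
{
    return demo_unlocked_ioctl(filp, cmd, (unsigned long)(uint32_t)arg);
}

/* Legacy handler: relies on the BKL that the dispatcher takes around it. */
static int legacy_ioctl(struct inode *inode, struct file *filp,
                        unsigned int cmd, unsigned long arg)
{
    (void)inode;
    return (int)demo_unlocked_ioctl(filp, cmd, arg);
}

static const struct file_operations legacy_fops = { .ioctl = legacy_ioctl };
static const struct file_operations new_fops = {
    .unlocked_ioctl = demo_unlocked_ioctl,
    .compat_ioctl   = demo_compat_ioctl,
};

/* Issue a SET and a GET through fops; return how often the BKL was taken. */
int bkl_count_for(const struct file_operations *fops, int is_32bit)
{
    struct inode ino = { 1 };
    struct file f = { &ino, is_32bit };

    bkl_acquisitions = 0;
    model_vfs_ioctl(&f, fops, DEMO_SET, 42);
    model_vfs_ioctl(&f, fops, DEMO_GET, 0);
    return bkl_acquisitions;
}

/* SET through the compat path, then GET natively: shows the widening. */
long value_after_compat_set(unsigned long arg)
{
    struct inode ino = { 1 };
    struct file f = { &ino, 1 };

    model_vfs_ioctl(&f, &new_fops, DEMO_SET, arg);
    f.is_32bit_caller = 0;
    return model_vfs_ioctl(&f, &new_fops, DEMO_GET, 0);
}
```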
Comments (1 posted)
Last week, this page looked
at the new circular buffer structure used to implement Unix pipes in
2.6.11-rc1, and noted that the plan was to evolve that structure into
something more general. Since then, Linus has taken a couple more steps;
it must be time to catch up.
One change which has already been merged is the addition of a set of
operations for pipe buffers:
    struct pipe_buf_operations {
        int can_merge;
        void *(*map)(struct file *, struct pipe_inode_info *,
                     struct pipe_buffer *);
        void (*unmap)(struct pipe_inode_info *, struct pipe_buffer *);
        void (*release)(struct pipe_inode_info *, struct pipe_buffer *);
    };
The can_merge flag addresses one of the issues raised last week:
coalescing of writes into existing pages in the buffer. If
can_merge is non-zero, coalescing will be performed. Otherwise,
each write to a pipe buffer will result in the creation of a new circular
buffer entry, and, by default, the allocation of a new page.
The map() and unmap() methods are charged with
controlling the visibility of pipe buffer pages in the kernel's virtual
address space. The default map() operation for buffers
implementing Unix pipes is quite simple:
static void *anon_pipe_buf_map(struct file *file,
                               struct pipe_inode_info *info,
                               struct pipe_buffer *buf)
{
    return kmap(buf->page);
}
Since the mapping operation has been abstracted out, there are now fewer
assumptions regarding how data is really stored within a pipe buffer. This
opens the door to different pipe implementations, such as pipes which
implement a direct window into device memory.
The release() method should clean things up when the pipe buffer
is no longer needed.
Linus has also created an initial
implementation of a splice() system call, though this work is
clearly not ready for merging at this point. This system call looks like:
long sys_splice(int fdin, int fdout, size_t len, unsigned long flags);
fdin and fdout are two file descriptors, one of which is expected to be
a pipe; a call to sys_splice() will result in up to len bytes
being copied from fdin to fdout.
The flags argument is not currently used by the sample
implementation.
To make sys_splice() work, Linus added two new methods to the
ever-expanding file_operations structure:
ssize_t (*splice_write)(struct inode *in_pipe, struct file *out,
                        size_t len, unsigned long flags);
ssize_t (*splice_read)(struct file *in, struct inode *out_pipe,
                       size_t len, unsigned long flags);
The patch includes a generic splice_read() implementation suitable
for filesystem-backed file descriptors. It simply populates the page cache
with some pages from the file, then loads those pages into the pipe buffer
represented by out_pipe. Like ordinary read() and
write() methods, the splice variants can transfer fewer bytes than
requested. Linus's version will stop at the maximum capacity of a pipe
buffer - 16 pages, currently.
As Linus acknowledges, there are a number of shortcomings to the current
implementation - it is incomplete, the interfaces are ugly, and it will
oops the system if anything goes wrong. It is, however, an indication of
where he expects this work will lead. Stay tuned.
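The following user-space C model is an added example, not Linus's code. It keeps the shape of the pipe_buf_operations structure shown above (dropping the struct file argument to map(), which the model has no use for), implements the 16-slot ring with coalescing decided by can_merge, and adds a hypothetical second buffer type whose page is a window of device memory, to show what the map()/unmap()/release() abstraction buys. The device_mem array, pipe_splice_window(), and returning -EAGAIN on a full ring (a real pipe sleeps) are the model's own assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define PIPE_PAGE_SIZE 4096
#define PIPE_BUFFERS   16      /* the 16-page pipe capacity mentioned above */

struct pipe_inode_info; struct pipe_buffer;

/* The kernel's pipe_buf_operations, minus map()'s struct file argument. */
struct pipe_buf_operations {
    int can_merge;
    void *(*map)(struct pipe_inode_info *, struct pipe_buffer *);
    void (*unmap)(struct pipe_inode_info *, struct pipe_buffer *);
    void (*release)(struct pipe_inode_info *, struct pipe_buffer *);
};

struct pipe_buffer {
    void *page;                  /* a heap page, or a device window */
    unsigned int offset, len;    /* unread data lives at page+offset */
    const struct pipe_buf_operations *ops;
};

struct pipe_inode_info {
    unsigned int curbuf, nrbufs; /* ring: first slot in use, slots in use */
    struct pipe_buffer bufs[PIPE_BUFFERS];
};

/* Ordinary pipe buffers: malloc()'d pages stand in for kmap()'d ones. */
static void *anon_map(struct pipe_inode_info *p, struct pipe_buffer *b) { (void)p; return b->page; }
static void anon_unmap(struct pipe_inode_info *p, struct pipe_buffer *b) { (void)p; (void)b; }
static void anon_release(struct pipe_inode_info *p, struct pipe_buffer *b) { (void)p; free(b->page); b->page = NULL; }
static const struct pipe_buf_operations anon_pipe_buf_ops = { 1, anon_map, anon_unmap, anon_release };

/* Hypothetical device-window buffers: the page belongs to a device, so can_merge
 * is 0 (writers must not scribble into it) and release() must not free it.
 * device_mem is a constructed stand-in for device memory. */
static unsigned char device_mem[PIPE_PAGE_SIZE];
static void devwin_release(struct pipe_inode_info *p, struct pipe_buffer *b) { (void)p; b->page = NULL; }
static const struct pipe_buf_operations devwin_pipe_buf_ops = { 0, anon_map, anon_unmap, devwin_release };

/* Take the next free ring slot; NULL when all PIPE_BUFFERS slots are in use. */
static struct pipe_buffer *pipe_alloc_slot(struct pipe_inode_info *pipe, void *page,
                                           unsigned int len, const struct pipe_buf_operations *ops)
{
    struct pipe_buffer *buf;
    if (pipe->nrbufs == PIPE_BUFFERS)
        return NULL;
    buf = &pipe->bufs[(pipe->curbuf + pipe->nrbufs) % PIPE_BUFFERS];
    buf->page = page; buf->offset = 0; buf->len = len; buf->ops = ops;
    pipe->nrbufs++;
    return buf;
}

/* Write: coalesce into the tail buffer only if its ops allow it; the rest
 * goes into fresh pages.  Returns bytes stored, or -EAGAIN when the ring is
 * already full (a real pipe would sleep instead). */
static long pipe_write(struct pipe_inode_info *pipe, const void *data, size_t len)
{
    const unsigned char *src = data;
    size_t done = 0;

    if (pipe->nrbufs) {
        struct pipe_buffer *buf = &pipe->bufs[(pipe->curbuf + pipe->nrbufs - 1) % PIPE_BUFFERS];
        unsigned int used = buf->offset + buf->len;
        if (buf->ops->can_merge && used < PIPE_PAGE_SIZE) {
            size_t n = len < PIPE_PAGE_SIZE - used ? len : PIPE_PAGE_SIZE - used;
            memcpy((unsigned char *)buf->ops->map(pipe, buf) + used, src, n);
            buf->ops->unmap(pipe, buf);
            buf->len += n;
            done = n;
        }
    }
    while (done < len) {
        size_t n = len - done < PIPE_PAGE_SIZE ? len - done : PIPE_PAGE_SIZE;
        struct pipe_buffer *buf; void *page;
        if (pipe->nrbufs == PIPE_BUFFERS)
            return done ? (long)done : -EAGAIN;
        if (!(page = malloc(PIPE_PAGE_SIZE)))
            return done ? (long)done : -ENOMEM;
        buf = pipe_alloc_slot(pipe, page, n, &anon_pipe_buf_ops);
        memcpy(buf->ops->map(pipe, buf), src + done, n);
        buf->ops->unmap(pipe, buf);
        done += n;
    }
    return (long)done;
}

/* Read: drain from the head, releasing each buffer as it empties. */
static long pipe_read(struct pipe_inode_info *pipe, void *out, size_t len)
{
    unsigned char *dst = out;
    size_t done = 0;
    while (done < len && pipe->nrbufs) {
        struct pipe_buffer *buf = &pipe->bufs[pipe->curbuf];
        size_t n = len - done < buf->len ? len - done : buf->len;
        memcpy(dst + done, (unsigned char *)buf->ops->map(pipe, buf) + buf->offset, n);
        buf->ops->unmap(pipe, buf);
        buf->offset += n; buf->len -= n; done += n;
        if (buf->len == 0) {
            buf->ops->release(pipe, buf);
            pipe->curbuf = (pipe->curbuf + 1) % PIPE_BUFFERS;
            pipe->nrbufs--;
        }
    }
    return (long)done;
}

/* Attach a window of device memory to the pipe without copying it: the
 * payoff of hiding page access behind map()/unmap()/release(). */
static int pipe_splice_window(struct pipe_inode_info *pipe, void *window, unsigned int len)
{
    if (len > PIPE_PAGE_SIZE)
        return -EINVAL;
    return pipe_alloc_slot(pipe, window, len, &devwin_pipe_buf_ops) ? 0 : -EAGAIN;
}
```

Two small writes to a pipe whose tail buffer is an anonymous page land in one slot; a write after a device window starts a new slot, because can_merge is 0 for that buffer type; reading back yields the bytes in order without the device data ever having been copied into a pipe page. Filling all 16 slots and writing again returns -EAGAIN, the model's stand-in for the capacity limit at which the real pipe would block.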
The 2.6 kernel development series differs from its predecessors in that
much larger and potentially destabilizing changes are being incorporated
into each release. Among these changes are modifications to the internal
programming interfaces for the kernel, with the result that kernel
developers must work harder to stay on top of a continually-shifting API.
There has never been a guarantee of internal API stability within the
kernel - even in a stable development series - but the rate of change is
higher now.
This article will be updated to keep track of the internal changes for each
2.6 kernel release. Its permanent location is:
http://lwn.net/Articles/2.6-kernel-api/
This page will, doubtless, remain incomplete for a while. If you see an
omission, please let us know by sending a note to kernel@lwn.net rather than by posting
comments here. The chances of a prompt update are higher, the article will
not become cluttered with redundant comments, and we'll be more than happy
to credit you here.
If you are a Linux Device Drivers, Third Edition reader looking for
information on changes since the book was published: LDD3 covers version
2.6.10 of the kernel, so only the changes starting with 2.6.11 are
relevant.
Last update: January 5, 2006
2.6.15 (January 2, 2006)
- The nested class device
patch was merged, allowing class_device structures to
have other class_devices as parents. This patch is a hack to
make the input subsystem work with sysfs. This code will change again
in the future; see Greg
Kroah-Hartman's article for more information on what is planned.
- The prototypes for the driver model class "interface" methods
add() and remove() have changed; there is now a new
parameter pointing to the relevant interface structure.
- A new platform_driver structure has been added to describe
drivers for devices built into the core "platform."
- The prototypes for the suspend() and resume()
methods in struct device_driver have changed. They are also
only called once per event, rather than three times as in previous
kernels.
- Two new fields have been added to the device_pm_info which
control how drivers should act on hardware-created wakeup events; see
this article for
details.
- There is a notification mechanism which lets interested modules know
when a USB device is added to (or removed from) the system. This
system is used by some core code; drivers do not normally need to hook
in to it.
- The gfp_t type
is now used throughout the kernel. If you have a function which takes
memory allocation flags, it should probably be using this type.
- Code using reader/writer semaphores can now use
rwsem_is_locked() to test the (read) state of the semaphore
without blocking.
- The new vmalloc_node() function allocates memory on a
specific NUMA node.
- The "reserved" bit for memory pages has, for all practical purposes,
been removed.
- vm_insert_page()
has been added to make it easier for drivers to remap RAM into user
space VMAs.
- There is a new kthread_stop_sem() function which can be used
to stop a kernel thread which might be currently blocked on a specific
semaphore.
- RapidIO bus support has
been merged into the mainline.
- The netlink connector
mechanism makes netlink code easier to write. Independently, a
type-safe netlink interface has been added and is used in parts of the
networking subsystem.
- These kernel symbols have been unexported and are no longer available
to modules: clear_page_dirty_for_io,
console_unblank, cpu_core_id,
hugetlb_total_pages, idle_cpu,
nr_swap_pages, phys_proc_id,
reprogram_timer, swapper_space,
sysctl_overcommit_memory, sysctl_overcommit_ratio,
sysctl_max_map_count, total_swap_pages,
user_get_super, uts_sem, vm_acct_memory,
and vm_committed_space.
- Version 1 of the Video4Linux API is now officially scheduled for
removal in July, 2006.
- The owner field has been removed from the pci_driver
structure.
- A number of SCSI subsystem typedefs (Scsi_Device,
Scsi_Pointer, and Scsi_Host_Template) have been
removed.
- The DMA32 memory zone has been added to the x86-64
architecture; its purpose is to make it easy to allocate memory below
the 4GB barrier (with the new GFP_DMA32 flag).
- A call to rcu_barrier() will block the calling process until
all current RCU callbacks have completed.
2.6.14 (October 27, 2005)
- A new PHY abstraction layer has been added for network drivers.
- The sk_buff structure has changed again; the changes will
force a recompile but shouldn't otherwise be a problem.
- Version 19 of the
wireless extensions has been merged. Among other things, this version
deprecates the get_wireless_stats() method in the
net_device structure.
- The klist API has
changed. The order of the parameters has been reversed for
klist_add_head() and klist_add_tail(). It is now
necessary to provide a pair of reference counting functions when
setting up a list with klist_init().
- The relayfs virtual filesystem, which enables high-rate data transfers
between the kernel and user space, has been merged.
- kzalloc() has
been added as a way of obtaining pre-zeroed memory.
- Two new versions of
schedule_timeout() have been added.
- The new TASK_INTERACTIVE state flag tells the scheduler not
to perform the usual accounting on sleeping processes.
- SKB's which are expected to be cloned can be efficiently allocated
with alloc_skb_fclone().
- A few new helper functions for mapping block I/O requests have been
added; see this article
for details.
- Securityfs, a virtual
filesystem intended for use with security modules, has been merged.
2.6.13 (August 28, 2005)
- The HZ constant is now configurable at kernel build time.
- The timer API now includes try_to_del_timer_sync(), which
makes a best effort to delete the timer; it is safe to call in atomic
context.
- The block_device_operations structure now has an
unlocked_ioctl() member.
- The return value from netif_rx() has changed; it now will
return one of only two values: NETIF_RX_SUCCESS or
NETIF_RX_DROP.
- pci_dma_burst_advice can be used by PCI drivers to learn the
optimal way of bursting DMA transfers.
- The text searching API has been
added.
- A new memory allocation function, kzalloc(), has been added.
2.6.12 (June 17, 2005)
- cancel_rearming_delayed_work()
was added to the workqueue API.
- The timeout value passed to usb_bulk_msg() and
usb_control_msg() is now expressed in milliseconds instead of
jiffies.
- An interrupt-disabling spinlock is used in the rwsem implementation.
It was never correct to call one of the variants of
down_read() or down_write() with interrupts
disabled, but it is even less correct now.
- The fields in the net_device structure have been rearranged,
which will break binary-only drivers.
- kref_put() now returns an int value: nonzero if the
kref was actually released.
- kobject_add() and kobject_del() no longer generate
hotplug events. If you need these events, you must call
kobject_hotplug() explicitly. The wrapper functions
kobject_register() and kobject_unregister() do still
generate hotplug events.
- kobj_map() no longer takes a subsystem argument; instead, it
needs a pointer to a semaphore which it can use for mutual exclusion.
- A new function, sysfs_chmod_file(), allows permissions to be
changed on existing sysfs attributes.
- There is a new generic
sort() function which should be used in preference to
creating yet another implementation.
- A new attribute (__nocast) is being used with sparse
to disable a number of implicit casts and find probable bugs.
- io_remap_page_range() is now deprecated; use
io_remap_pfn_range() instead.
- A set of functions has
been added to work with big-endian I/O memory.
- synchronize_kernel() is deprecated. Callers
should instead use either synchronize_sched() (to verify that
all processors have quiesced) or synchronize_rcu() (to verify
that all processors have exited RCU critical sections).
- The flag argument to blk_queue_ordered() has changed
to indicate how ordered writes are handled by the device. Possible
values are QUEUE_ORDERED_NONE (ordering is not possible),
QUEUE_ORDERED_TAG (ordering is forced with request tags), and
QUEUE_ORDERED_FLUSH (ordering is done with explicit flush
commands). For the last case, the request queue has two new methods,
prepare_flush_fn() and end_flush_fn(), which are
called before and after a barrier request.
- A new function, valid_signal(), can (and should) be used to
test whether signal numbers from user space are valid.
- The Developers Certificate of Origin, the document acknowledged by all
those "Signed-off-by:" headers, has changed. The new
version adds a clause noting that contributions - and the information
that goes with them - are public information which can be
redistributed.
2.6.11 (March 2, 2005)
2.6.10 (December 24, 2004)
- Calling pci_enable_device() is required to get interrupt
routing to work. [GKH]
- A new function, pci_dev_present(), can be used to determine
whether a specific device is present or not. [GKH]
- The prototypes to pci_save_state() and
pci_restore_state() have changed: the buffer
argument is no longer needed (the space has been allocated in
struct pci_dev instead). [GKH]
- The kernel build system was tweaked; the preferred name for kernel
makefiles is now Kbuild. The change is meant to highlight
the fact that kernel makefiles are rather different than the
user-space variety, but very few, if any makefiles have been renamed.
- add_timer_on(), sys_lseek(), and a number of other
kernel functions are no longer exported to modules. Most of the
driver core functions have been changed to GPL-only exports.
- I/O space
write barriers are now supported.
- The prototype of kunmap_atomic() has changed. This change should not
affect properly-written code, but should generate warnings when a
struct page pointer is (erroneously) passed to that
function.
- atomic_inc_return() was added as a way to increment the value
of an atomic_t variable and get the new value.
- The little-used "BIO walking" helper functions
(process_that_request_first()) have been removed.
- The venerable remap_page_range() function has been changed to
remap_pfn_range(); the new function uses a page frame number
for the physical address, rather than the actual address.
remap_page_range() is still supported - for now.
- wake_up_all_sync(), unused in the mainline tree, was
removed.
- A simple, stream-oriented circular buffer
implementation was added.
- The kernel event
mechanism was merged, making it possible to notify user space of
relevant kernel events.
- vfs_permission() was replaced by
generic_permission(), which has an optional callback for ACL
checking. [MS]
2.6.9 (October 18, 2004)
- Kprobes
was merged, making another debugging technique available.
- Spinlocks are implemented completely out of line now. This change
should not affect any code.
- wait_event_timeout() was added.
- Kobjects now use the kref type to handle reference counting.
Most code should be unaffected by this change.
- A new set of functions for accessing I/O
memory was introduced. The new functions are cleaner and
type-safe, and should be used in preference to readb() and
friends. The new ioport_map() function makes it possible to
treat I/O ports as if they were I/O memory.
- The NETIF_F_LLTX feature for
net_devices tells the
networking subsystem that the driver code performs its own locking and
does not require that the xmit_lock be taken before
hard_start_xmit() can be called.
- dma_declare_coherent_memory() was added to allow the DMA
functions to hand out memory located on a specific device.
- msleep_interruptible() was added.
- The prototype of kref_put() changed; a pointer to the
release() function is now required.
2.6.8 (August 13, 2004)
- The fcntl() method in the file_operations structure,
just added in 2.6.6, was removed. It has been
replaced by two new methods: check_flags() and
dir_notify().
- nonseekable_open() was
added as a way of indicating that a given file is not seekable.
- wait_event_interruptible_exclusive() was added.
- dma_get_required_mask()
was added as a way for drivers to determine the optimal DMA mask.
- Module section information was added under
/sys/module, making it easier to use symbolic debuggers with
modules.
- The VFS follow_link() method saw
some (compatible) changes. Filesystems should use the new symlink
lookup method so that the kernel can, eventually, support a greater
link depth. [MS]
(We are still in the process of filling in the earlier API changes - stay
tuned).
Acknowledgements
Thanks to the following people who have helped keep this page current:
| [GKH] | Greg Kroah-Hartman |
| | Michael Hayes |
| [MS] | Miklos Szeredi |
Page editor: Jonathan Corbet
Distributions
News and Editorials
Xandros Corporation released a new version of its flagship product, Xandros
Desktop, shortly before Christmas last year. This was in line with the
company's previous two releases, coming out in roughly annual intervals and
targeting mostly home and business users who are interested in migrating
to Linux, but would prefer not to have to learn bash. There are two
editions of Xandros Desktop 3 - a $50 Standard edition and a $90 Deluxe
edition, with the main difference between the two being the inclusion of
CrossOver Office in the Deluxe edition. As the previous two Xandros
releases received highly positive reviews by the Linux media, we expected
the same high quality, attention to detail, and intuitive, user-friendly
desktop as in the company's previous releases, and we weren't disappointed.
Xandros Desktop 3 Deluxe came in a standard software box with two CDs
(installation and application CDs), a 9-page Getting Started Guide, and a
hefty, 350-page User Guide. The User Guide turned out to be a pleasant
surprise and a valuable resource for users just starting to explore a
Linux-based operating system. The guide is still based on the old Corel
Linux manual, but it is much more comprehensive with screenshots,
illustrations, tips, and step-by-step instructions for completing tasks.
Xandros has to be applauded for making an honest effort to provide solid
printed documentation; nowadays, even those few distribution makers that
still ship their products in traditional software boxes rarely include good
printed documentation (with SUSE LINUX possibly the only exception to the
rule).
After examining the content of the box, we proceeded with installing the
brand new Xandros Desktop on a test computer with the following
specifications: Intel Pentium 4 1.4 GHz, ASUS P4T mainboard with Intel 850
chipset, 384 MB RDRAM, Matrox Millennium G450 graphics card, two 7200RPM
hard disks (120 GB Maxtor and 80 GB Western Digital), PlexWriter CD-RW
drive, Realtek 8139too (on board) network card, and Lemel TF700 17 inch LCD
monitor.
Surprisingly, things didn't go well - the installation media would hang
during the hardware detection stage. Upon closer examination it turned out
that the installer was trying to check all 18 partitions on the first hard
disk (that's what the test computer of somebody who tests distributions for a
living looks like) and would not go any further after the 15th partition.
This was due to what seemed like a bug in Xandros' boot sequence (there
was no problem booting Xandros 1.0 or 2.0 on the same system). We had to
physically disconnect the first hard disk before we could complete the
installation of Xandros Desktop on the second hard disk, which didn't have
as many partitions. We decided not to hold this against Xandros since no
user in their target spectrum is likely to have more than 15 partitions on
their hard disk; probably much fewer than that.
There is not much to say about the installer except that it worked as
expected. Xandros has produced what surely is one of the best installers of
any distribution - simple enough without it being dumbed down
Linspire-style, but still powerful enough if one chooses the custom install
option. Hardware detection was almost perfect, with only the screen
resolution requiring a minor adjustment after the installation. The system,
running on top of the kernel 2.6.9, boots into graphical environment with
KDE 3.3.0, but the default applications for various tasks are not always
KDE packages; as an example, the default browser and mail applications are
Mozilla (with pre-configured Flash and RealPlayer plugins) and Mozilla
Mail. Neither Firefox, nor Thunderbird are installed, although Firefox is
available for download through Xandros Networks. There is an Updates applet
in the system tray to alert the user to the fact that a security or bug fix
patch has been released. All the other best-loved features of Xandros
Desktop, such as the desktop switching utility or the Xandros File Manager
are also present.
What are the most important new features in Xandros Desktop 3? One of them
is the ability to encrypt home directories of users on the system. This
option can be selected from the "User Manager" module in the KDE Control
Center where the system administrator can choose one of the 12 available
cryptographic algorithms and two (fast or slow) creation methods. The only
downside of this feature is that, depending on the selected options, it can
take up to several hours to complete the encryption process. Once a home
directory of a user has been encrypted, no other user, not even the
superuser, can see what is inside that directory; it will simply appear to
them as an empty directory. (Of course, the superuser could always install
a modified kernel to capture plain text or the encryption key). Needless
to say, it is not possible to delete
an encrypted directory.
Xandros Desktop 3 also comes with a new firewall wizard which, designed in
the usual Xandros-style user-friendly manner, allows even non-technical
users to setup and run an effective firewall on their computers connected
to the Internet. As an example, the user can simply tick the "Peer to Peer
file-sharing server" checkbox in the wizard to enable BitTorrent traffic,
which is so much more intuitive than the usual "punch a hole through ports
6881-6999", often found in FAQs or online documentation. The firewall can
be turned on and off from the main menu, with an option to start it at boot
time. The firewall is definitely a useful addition; we were surprised to
see quite a few services running by default on a stock Xandros system
(including Samba and ProFTPd), but turning unneeded services off was not
nearly as intuitive as setting up the Xandros Firewall.
The Xandros-specific application that allows drag-and-drop CD burning from
within its file manager has been further enhanced by the addition of a DVD
burning tool. No matter how excellent K3b is for this purpose, it is always
a pleasure to open a file manager, then simply drag files from a hard disk
folder and drop them into the CD or DVD drive. This action then launches a
pop-up wizard that guides the user through creating a new data or media
project. And while on the subject of dragging and dropping files around the
Xandros File Manager, this feature is available not just for mounted
devices, such as USB drives or NTFS partitions (read only), but also remote
file systems, like NFS, Samba or FTP - all automatically set up and ready
to use.
Packages in Xandros are managed through Xandros Networks. This is
essentially a web browser with a hierarchical folder structure listing
applications in the left pane. Besides providing security and bug-fix
updates for the product, Xandros Networks also lists a number of packages
that are not on the installation CD, but are available for download. As an
example, there is a whole lot of development tools and server software that
can be downloaded and installed with a single mouse click, but these are
not deemed essential for most users so they are not installed by default.
Some might be surprised to see that GIMP or Evolution are not installed
either, but this might be due to the fact that the Deluxe edition comes
with CrossOver Office, which supports Adobe Photoshop and Microsoft Office.
Xandros Networks also includes an online store, which contains a curious
mix of free and commercial applications. Some of these are available for
free after registration (e.g. GnuCash), others require that a user become a
Premium member of Xandros Networks at a cost of $39 per year (e.g. several
game demos), and still others require cash payments (e.g. StarOffice,
CrossOver Office, Xandros Desktop User Guide in PDF format).
Other new features include a newly added VPN client (konnectvpn), a VoIP
application for Internet Telephony (KPhone), a scanner application (Kooka),
better support for wireless networking, ISDN connections, web cams,
software modems, and Palm Pilot. However, support for proprietary media
formats is still missing and so is playback of encrypted DVDs.
Interestingly, although Xandros is based on Debian, which has yet to follow
most other distributions and migrate from XFree86 to X.Org as its preferred
X window system, Xandros Desktop 3 comes with X.Org (version 6.7.0).
There is not much wrong with Xandros Desktop 3. The developers have created
a fine product that can be safely recommended to users wishing to try out
an alternative operating system without having to go through a steep
learning curve. And although we didn't care much for CrossOver Office,
those users who cannot be without Photoshop, or have complex macros and VBA
code in their MS Office files, will find the application invaluable. For
the rest of us, the $50 Standard edition is a fair price for a product that
has matured to become one of the best, if not the best, Linux distribution
for novice and non-technical computer users.
Distribution News
A tentative schedule and plan for the Fedora Core 4 release has been
posted; the first test release is due on February 21. The plans
include the possible incorporation of GCC 4, GNOME 2.10,
KDE 3.4, Xen, an SELinux "targeted" policy with more targets, better
Java support (including Eclipse), and more.
The Fedora Steering Committee has proposed to transfer Fedora Core 2 to the
Fedora Legacy Project at the point Fedora Core 4 Test 2 is released. This
is currently scheduled for March 21, 2005.
Gervase Markham, the Mozilla Foundation representative charged with
negotiating an agreement with Debian over the use of Mozilla's trademarks,
has posted
a new proposal to
that end. Mozilla would retain control over trademark use, but would no
longer be able to exercise that control after a package is frozen for a
stable release.
Here's a
call for papers and registrations
for Debian Miniconf, which will take place in Canberra, Australia on April
18 and 19, 2005.
There is also a call for papers for the
Asia Debian Mini-Conf 2005, which takes place February 28 and March 1, 2005
in Beijing, China.
Bits from the dpkg maintainer looks at the
stable version which is in a state of freeze and a new experimental
version.
The Final
Report on the 5th Debian Conference is now available.
The Ubuntu Linux Community Council meeting on January 11, 2005 covered a
number of issues, two of which are particularly
noteworthy: new Local Community Teams and getting community members
involved in contributing to and maintaining pieces of Universe. Both a
summary
and a
full
log are available.
FC3:
gpdf (update to 2.8.2),
w3m (fixed a duplicated w3mimgdisplay),
gimp (major version upgrade from 2.0.x to
2.2.x),
NetworkManager (update to latest
CVS),
gimp-help (new version 2-0.6),
gimp (clip thumbnail quality at 75),
dovecot (bug fix update for the Dovecot IMAP
server),
dhcpv6 (adds Relay Agent support,
fixes bugs),
dhcp (updates DHCP and
DHCLIENT packages),
bind (updates),
vixie-cron (updates),
sysklogd (updates and bug fixes),
gpdf (minor security patch).
FC2: gpdf (update to 2.8.2), system-config-kickstart (rebuilt 2.5.19 for
FC2 to fix bug #143946), dovecot (bug fix
update for the Dovecot IMAP server), gpdf
(minor security patch).
Slackware has a few changes noted
in the
slackware-current changelog. Upgrades include cups-1.1.23, udev-050,
glib2-2.6.1, gtk+2-2.6.1, libtiff-3.7.1, gnupg-1.2.7, stunnel-4.07,
gimp-2.2.1, sane-backends-1.0.15, xine-lib-1.0. Gnupg-1.4.0 is in
testing.
TSL has a bug fix advisory for glibc, iproute, setup and tsl-utils.
Distribution Newsletters
The Debian Weekly News for January 18, 2005 is out. This issue covers the
Call for Papers for the Asia Debian Mini-Conf, a list of packages in
contrib which should be forced into the testing stage of contrib, ten ways
to give back to the Free Software community, the final DebConf 4 report,
and more.
The Gentoo Weekly Newsletter for January 17, 2005 looks at Gentoo name and
logo usage guidelines, and other topics.
The
DistroWatch
Weekly for January 17, 2005 is out. "Welcome to this year's 3rd
edition of DistroWatch Weekly! Lots of new releases over the weekend,
especially for gaming enthusiasts, with new versions of Linux Live Game
Project and Hikarunix. Also in this issue - a comment on the recent
distribution comparison feature in Linux Format, news about the upcoming
Fedora Core 4 and Beyond Linux From Scratch 6.0, as well as a review of
DistroWatch by NewsForge. Happy reading!"
Newsletters and articles of interest
NewsForge
reviews
the web site Distrowatch.com. "Distrowatch is one of the best
resources for people who want to choose a Linux distro they'd find
suitable. The site also raises awareness for smaller distributions. It has
a large database with just about every Linux distribution currently
available, along with useful information about each one that will help
Linux searchers find the best one for them."
Dru Lavigne
examines some of the common command differences a Linux user might
encounter on a FreeBSD system. "One of the minor irritations that
comes with using another operating system is the change in the
environment. Some of the first things many Linux users discover about a
default FreeBSD installation are that it doesn't include bash and doesn't
colorize the output of ls. Fortunately, if you've become accustomed to
these features, it only takes a moment or so to integrate them into
FreeBSD."
Distribution reviews
NewsForge
covers Debian From Scratch installation. "DFS started last
summer when John Goerzen, a long-time Debian developer and author of
several books on Debian and Linux, found himself faced with two problems at
the same time. He wanted an installer for Debian's AMD64 port, and a rescue
CD that would support filesystems like Reiser4 that are not available in
the standard Debian rescue set. (The new Debian-Installer has since made
DFS's AMD64 installer unnecessary.) A bootable CD, he decided, would solve
both problems. Modifying an existing bootable CD such as Knoppix seemed too
complex, so he developed his own."
eWeek
reviews
Novell Linux Desktop. "eWEEK Labs tested Novell Linux Desktop 9, the
first specifically Novell-branded Linux operating system to ship since the
company began flying its penguin flag, and we found the product to be as
capable and well-made as any desktop Linux distribution we've seen
yet."
Alan Dipert
lists
his reasons for choosing NetBSD, on NewsForge. "On the NetBSD Web
site, you'll find that the NetBSD team prides itself on NetBSD's "clean
design," and with good reason. As a Slackware Linux refugee, I could
appreciate the BSD rc initialization and configuration scripts. I was also
happy with the relatively low amount of software that comes with a default
install. I've had trouble in the past paring down Linux distributions to
installations of software I actually require. It's my philosophy, and
apparently NetBSD's, to start with software sets of absolutely essential
programs and libraries, then let users add what they require after the
system has booted on its own. Though NetBSD installs with X11 by default,
the environment is sparse to say the least. There are no automatic setup or
configuration scripts, graphical or otherwise. After my installation was
all said and done, NetBSD consumed less than 300MB of space on my machine,
including XFree86."
Page editor: Rebecca Sobol
Development
Version 8.0.0 of the
PostgreSQL database
was announced this week.
In addition to significant improvements in scalability, features, and
performance, PostgreSQL 8.0 demonstrates the unparalleled development speed
of open source. More than a dozen companies, including Red Hat, Fujitsu,
Afilias, Software Research Associates, Inc., 2nd Quadrant, and Command Prompt
Inc., as well as hundreds of individual developers, contributed to add more
major features to 8.0 than have been seen in any previous version.
The primary
new features
of this release include:
- Savepoints for saving partially entered transaction data.
- Point-In-Time Recovery supported by continuous server data backups.
- Tablespaces for allowing fine-grained control of storage over multiple filesystems.
- An Improved Buffer Management Strategy for improved server performance.
- New support for changing column types using ALTER TABLE.
- A new Perl Server-Side Language version with enhanced features.
- COPY support for Comma-Separated-Value (csv) files.
- Native Win32 Support, faster server operation without emulators.
Furthermore:
"In addition to the many features bundled with the release, PostgreSQL has been
enhanced by accelerated development of add-ons and optional components over
the last year. The Slony-I replication tool and the pgPool connection
pooling/brokering utility are both already being used for high-availability
server pools. Several stored procedure languages have been added or greatly
expanded, including PL/Java, PL/J, PL/PHP and PL/Perl, while the Npgsql and
PGsqlClient .NET data providers have been enhanced to support the many new
Windows users."
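As an added illustration of two of the features listed above, savepoints and in-place column type changes, here is a short PostgreSQL session written for this page; it is not code from the PostgreSQL announcement or project. The tables, rows and the failed-transfer scenario are constructed for illustration, and the statements use the syntax available as of 8.0 (one row per INSERT, no multi-row VALUES). The point it shows: before savepoints, a single failed statement aborted the whole transaction, so an audit row written before the failure was lost along with everything else; with a savepoint, only the failed part is discarded and the record of the attempt survives.

```sql
-- Added example (not from the PostgreSQL 8.0 announcement). Schema and data
-- are constructed for illustration.
CREATE TABLE accounts (
    id      integer PRIMARY KEY,
    balance numeric(12,2) NOT NULL CHECK (balance >= 0)
);

CREATE TABLE audit_log (
    id     serial PRIMARY KEY,
    event  text NOT NULL,
    logged timestamptz NOT NULL DEFAULT now()
);

INSERT INTO accounts VALUES (1, 100.00);
INSERT INTO accounts VALUES (2, 50.00);

BEGIN;

-- Record the attempt first, so the audit trail exists whether or not the
-- transfer itself succeeds.
INSERT INTO audit_log (event) VALUES ('transfer of 150.00 from 1 to 2 attempted');

-- Mark the point we can return to if the transfer is rejected.
SAVEPOINT before_transfer;

-- This violates CHECK (balance >= 0): account 1 only holds 100.00, so the
-- statement fails and the transaction enters the aborted state.
UPDATE accounts SET balance = balance - 150.00 WHERE id = 1;
UPDATE accounts SET balance = balance + 150.00 WHERE id = 2;

-- Without savepoints the only option here would be ROLLBACK, losing the
-- audit row too. ROLLBACK TO SAVEPOINT discards just the work done since
-- the savepoint and leaves the transaction usable again.
ROLLBACK TO SAVEPOINT before_transfer;

INSERT INTO audit_log (event)
    VALUES ('transfer of 150.00 from 1 to 2 rejected: insufficient funds');

COMMIT;

-- Balances are unchanged; both audit rows were kept.
SELECT id, balance FROM accounts ORDER BY id;
SELECT event FROM audit_log ORDER BY id;

-- 8.0 also lets a column's type be changed in place rather than by
-- recreating the table; an implicit cast from text suffices here.
ALTER TABLE audit_log ALTER COLUMN event TYPE varchar(200);
```

Run the block in psql; psql keeps sending statements after the failed UPDATE, which is what lets the ROLLBACK TO SAVEPOINT line take effect. A driver that stops at the first error would need to issue the ROLLBACK TO SAVEPOINT from its error handler instead.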
PostgreSQL continues to hold a position at the forefront of open-source
development projects; its rapid evolution proves that the development
model works well for large-scale projects.
The native Win32 support is likely to bring more widespread
use of PostgreSQL; it may also bring new development talent to
the project.
We expect to have a more detailed look at the 8.0 release next week.
Comments (none posted)
System Applications
Audio Projects
The list of
applications using jack,
the Jack Audio Connection Kit, has been updated with a number of interesting
audio applications.
Comments (none posted)
The
latest changes from the
Planet CCRMA audio utility packaging project include
test packages for the ALSA 1.0.8 audio driver, and a new version of Hyperspec.
Comments (none posted)
Interoperability
The Samba news site
mentions the availability of a new paper on integration of
Samba 3 and 4.
"
The paper explores past attempts at merges between the current production Samba 3.0 release and the Samba4 development branch. The paper moves through an overview of existing interfaces in Samba 3.0 and Samba4 and examines the possibilities for future integration between the two code bases and their vastly different interface designs."
Comments (none posted)
Mail Software
Version 8.13.3 of the Sendmail mail transfer agent
has been released.
"
It contains fixes for a regression that was introduced in 8.13.2. Moreover, sendmail now keeps proper track of closed connections and will not reuse them erroneously."
Comments (none posted)
Web Site Development
Version 4.0.10 of AOLserver, a multithreaded web server for large
web sites,
has been announced.
"
This release adds two enhancements and one API change. The major enhancement is the adding of configurable transparent gzip compression of HTTP responses from ADP pages."
Comments (none posted)
Version 2.7.4 of the Zope web development platform
has been released with several bug fixes.
Comments (none posted)
Web Services
Rich Salz
discusses
the state of secure web services standards on O'Reilly.
"
I've recently spent a bit more time than usual talking to analysts and reporters. Almost all of these discussions end up circling around this question: what standards do we need for secure web services, and are they ready? The answer is yes, they basically are, and we'll review them below. But more importantly, I'll show that, for the most part, the web services community should stop working on new versions of fundamental standards."
Comments (none posted)
Miscellaneous
Once upon a time, the
distributed computing
environment (DCE) was going to be
the future of enterprise computing. DCE is back in the news: The Open
Group has just announced that DCE is
being released under the LGPL; click below for the details. It appears
that there is not, yet, a release available for downloading.
Full Story (comments: 6)
Desktop Applications
CAD
Development release 21 of PythonCAD is available.
"
The twenty-first release of PythonCAD adds the ability to save
the visibility and locked status of entities when saving a drawing.
This release also includes improved code for handling the undo/redo
operations by simplifying various routines as well as making
similar routines in various modules consistent. Like all previous
releases, numerous bug fixes and code improvements have been applied."
Full Story (comments: none)
Desktop Environments
Version 4.2.0 of
Xfce, a lightweight
desktop environment, is available.
"
The new Xfce desktop, while still being lightweight and easy to install, offers several new and awaited features in comparison with its previous 4.0 stable release like a brand new session manager, keyboard shortcuts, a graphical desktop menu editor, multihead support (Xinerama and Multi-Screen mode), Kiosk Mode support (to lock down Xfce in cooperative environments), optional support for icons in the desktop menu, a desktop menu plugin for the panel, CUPS and BSD-LPR printing support, a new icon theme, and various other small enhancements."
Comments (none posted)
GnomeDesktop has published another
Around the Planet
article; take a look for pointers to a wide variety of
recent GNOME developments.
Comments (none posted)
GnomeDesktop has
an announcement
for development release 2.9.4 of GNOME.
The
change log has more information.
"
This release is a snapshot of development code. Although it is buildable and
usable, it is primarily intended for testing and hacking purposes."
Comments (none posted)
The following new GNOME software has been announced in the last week:
Comments (none posted)
GnomeDesktop
reports that
Davyd Madeley has created a
sneak preview of GNOME
2.10, with a look at new features, new programs and screenshots.
Comments (1 posted)
The January 14, 2005 edition of the
KDE CVS-Digest
is online with the latest KDE news. Here's the content summary:
"
KDevelop implements KScript interface. KStars adds more device support, scripting and Observing lists. Digikam adds Superimpose Template. KDM adds sessreg support. KDE PIM adds support for custom pages in the incidence editors. KNotes implements search. Kontact adds ability to select default startup part. Kexi adds database forms with record navigation."
Comments (none posted)
KDE.News has
the announcement
for the first beta release of KDE 3.4.
"
A lot of development has happened since KDE 3.4 Alpha, so we are now happy to publish KDE 3.4 Beta 1 code named Krokodile."
Comments (none posted)
The following new KDE software has been announced in the last week:
Comments (none posted)
Financial Applications
Linux Canada has announced that it is releasing its Quasar accounting
package under the GPL; it can be downloaded from the
Linux Canada web site. From a brief
look, Quasar appears to be a reasonably capable accounting package with a
KDE interface. The company's retail and point of sale applications remain
proprietary.
Full Story (comments: 14)
Games
Version 2.0.0 of the game BZFlag
has been announced.
"
BZFlag 2 introduces a slew of
major new features making this probably the "biggest" release in BZFlag's
history in terms of development time put into it and features being added
since the last publicly released version. Major new features include support
for vastly more complex worlds, physics drivers, graphics improvements,
weather (rain, snow, frogs), tank treads and tracks, animations, record and
playback, new flags, new commands, optimizations and much more."
Comments (none posted)
Interoperability
Version 20050111 of Wine (Wine Is Not an Emulator)
has been announced.
Changes include OLE bug fixes, MSI dll work, support for update regions,
initial typelib generation support, code cleanup, and bug fixes.
Comments (none posted)
Multimedia
Chris Adamson
works with QuickTime streaming media in an O'Reilly article.
"
Realtime multicast streaming came to QuickTime in version 5, but now, years
later, it's not widely realized that it can be called from QuickTime for
Java. Chris Adamson, author of QuickTime for Java: A Developer's Notebook,
shows how it works."
Comments (none posted)
Music Applications
Version 0.7.1 of
MusE,
an audio and MIDI sequencer application, is out.
"
This release is mainly a bugfix release, though a number of new features have been added. All users are encouraged to upgrade."
Comments (none posted)
Office Applications
Version 4.2.0 of HylaFAX, a Fax modem package,
has been announced.
Changes include a security fix, support for GCC 3.3, support
for fax batching, and more.
Comments (none posted)
Office Suites
KDE.News
takes a look at
KOffice. "
The functionality KOffice has already reached in its short
life is significant. And still, KOffice has good performance and is fully
usable on low-end hardware, which makes it suited for organizations and
individuals. This could even save costs when upgrading or migrating the
office software and old hardware can be reused."
Comments (8 posted)
Video Applications
Version 2.0.36 of
Avidemux,
a graphical video editing tool, is out with bug fixes and lots of
new features.
Comments (none posted)
Web Browsers
Version 1.8 Alpha 6 of the Mozilla browser
has been announced.
"
This latest alpha version of the
Mozilla Application Suite features around 450 bug fixes."
See the
Release Notes
for more information.
Comments (none posted)
A new web-based Mozilla.org feedback mechanism
has been announced.
"
Gervase Markham has introduced a new feedback webtool for mozilla.org. Dubbed
Hendrix, the new tool is a simple Web form for people who want to leave
feedback but cannot be bothered to wrestle with Bugzilla. Comments submitted
using Hendrix are posted to a newsgroup, where they can be accessed by
Mozilla contributors."
Comments (none posted)
Three new versions of the Bugzilla bug tracking software
have been announced.
"
Bugzilla 2.18 features more
improvements than we could possibly mention. See the Bugzilla 2.18 Release
Notes for more information.
The team have also released two other Bugzilla versions. Bugzilla 2.16.8
fixes security and other bugs in version 2.16.7 and is aimed at those who
want or need to stick with the 2.16 codebase. More details in the Bugzilla
2.16.8 Release Notes and security advisory (the security issues also affect
versions 2.18rc3 and 2.19.1).
Finally, Bugzilla 2.19.2, the latest development snapshot, has been released."
Comments (none posted)
Word Processors
Version 2.2.3 of the AbiWord word processor
has been announced.
"
This release
contains a great many bug fixes and improvements over the previous
release. This is especially true for the MacOSX platform."
Comments (none posted)
Miscellaneous
Version 0.1 of JChassis TermUI
has been announced.
"
JChassis TermUI v. 0.1 has just been released and is available for download.
TermUI is an API for simple GUI-like user interfaces on ANSI/VT100-compliant
terminals and terminal emulators, such as
Linux virtual terminals, Gnome
Terminal and KDE Konsole. The intent is similar to that of the ncurses
library, but done in pure Java. Several commonly used widgets are available."
Comments (none posted)
Version 0.70 of the
Nvu web authoring system
has been announced.
"
Apart from usual enhancements and bug fixes (the changelog is also on my blog), this is major milestone since it's the first one to be based on Firefox 1.0's code. So the extensions and themes managers are now fully functional and the first extensions are already here!"
Comments (none posted)
Version 3.0.0 of Track+, a Java-based artifact tracking system,
has been announced.
"
Release 3.0.0 adds many new features like overview diagrams, Gantt charts, Unicode attachment file names, a report query language, extended access control and much more."
Comments (none posted)
Languages and Tools
C
The January 17, 2005 edition of the
GCC Newsletter
is online. Its main contributor has moved on, and volunteers are needed.
"
I thank Mr. Lacage for beginning GCCNews and for his excellent work on it. It is to be hoped he will have time to contribute to it occasionally, as I try to build on his efforts.
I don't think I'll be able to match Mathieu's fine quality thus far, but I will try my best. I would welcome any help."
Comments (none posted)
Caml
The January 18, 2005 edition of the Caml Weekly News is online
with the week's Caml language articles and discussions.
Full Story (comments: none)
Java
Lu Jian
works with EasyMock to assist in the unit testing of Java.
"
Unit testing your code against a service or process that's either too
expensive (commercial databases) or just not done yet is something you can
deal with by simulating the other piece with a mock object. EasyMock can
suffice in some cases, but it can only create mock objects for interfaces.
Mocquer, based on the Dunamis project, can create mocks for classes, too."
Comments (none posted)
Perl
The January 3-11, 2005 edition of
This Week in Perl 6 is available with the latest Perl 6 language
discussions.
Comments (none posted)
Python
Reg. Charney
writes about Code Complexity Metrics under Python in a LinuxJournal
article.
"
For the rest of us, I decided to write an open-source program to produce metrics that end users can compute and modify. The program is written in Python and currently is limited to analyzing Python--thus the name PyMetrics--but the principles can be extended to any language. By writing the code in Python, you should be able to understand the program better than if I had written it in almost any other language."
Comments (none posted)
The January 15, 2005 edition of Dr. Dobb's Python-URL!
is out with the week's Python language articles.
Full Story (comments: none)
Tcl/Tk
The January 15, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Andrew Glover
introduces Cheetah in an O'Reilly article.
"
It's true; XSLT isn't the be-all, end-all of templating and transformation
systems. If you use Python, consider instead Cheetah, a template engine
based on Python. Andrew Glover demonstrates its simplicity and power for
producing text in all kinds of formats."
Comments (none posted)
Deepak Vohra
shows how to parse XML documents with XPath on O'Reilly.
"
Pulling just a single node value or attribute from an XML document can be
inefficient if you have to parse over a whole list of nodes you don't want,
just to get to one you do. XPath can be much more efficient, by letting you
specify the path to the desired node up front. J2SE adds XPath support, and
the JDOM API also offers support through an XPath class."
Comments (none posted)
Version 0.66 of XQEngine
has been announced.
"
XQEngine is a Java component for searching collections of XML documents that uses an XQuery front end. This release fixes several bugs, including a namespace-related bug reported by Danny Ayers, adds a dozen new junit tests, and implements XQuery if-then-else functionality, among others."
Comments (none posted)
Editors
GnomeDesktop
covers
the release of
Bluefish
1.0, a GUI-based HTML editor.
"
Bluefish 1.0 has a new, very extended manual, has better gnome and kde integration, much improved bookmarks functionality, many performance improvements, many new and improved highlighting patterns (if you are upgrading: reset them to the new defaults in the preferences panel), better encoding detection, and many minor bugfixes."
Comments (1 posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Robin Bloor
looks forward to 2005 in this IT-Director article. "
The successful growth of Open Source in any market puts price pressure on the dominant proprietary vendors and we expect this pressure to show in the database market in the coming year with customers adopting Open Source database products for some applications and using this as a lever to negotiate the price of Oracle, DB2 and SQL Server downwards. In our view few companies will think to migrate their mission critical applications to Open Source database products, but we are already hearing of some companies that intend to do just that."
Comments (8 posted)
Companies
Business Week
sees
IBM's release of 500 patents as a move against Microsoft. "
It's
striking how different IBM's strategy is from Microsoft's. Microsoft, which
declined to comment, is building a legal team to enforce
intellectual-property claims. In so doing, it hopes to protect its
monopoly: When makers sell PCs and servers loaded with Windows, Microsoft
has the best shot at selling an array of applications. IBM has a different
tack. In a strategy it calls 'collaborative innovation,' it shares some of
its intellectual property, hoping to bolster open-source alternatives to
Windows, such as Linux."
Comments (1 posted)
News.com
reports
that HP plans to release OpenVMS 8.2. "
OpenVMS for Itanium will come
with many of the abilities of the Alpha version--in particular a famed
reliability feature called clustering that links separate machines into a
tightly knit group. One machine in a cluster can fill in for another that's
taken down for equipment failure or an upgrade, for example."
Comments (31 posted)
ZDNet
looks at
the history and future plans for Red Hat's Fedora Core project.
"
Three versions of Fedora have been released so far, and the company is happy with how users have helped RHEL. But the community effort has fallen short at a time when students and open-source enthusiasts have plenty of other channels for their cooperative energies.
"One of the mistakes we made early on when we made the split between RHEL and Fedora was we told everybody that Fedora was public, come help us out," said Greg Dekoenigsberg, Red Hat's community relations manager. "We got lots of people responding," but Red Hat couldn't accept much beyond simple bug reports."
Comments (2 posted)
News.com
reports that the Open Source Initiative has blessed Sun's new CDDL. "
Sun won't comment on whether the CDDL will govern Solaris, but sources familiar with the situation say it will. Sun has said it will release Solaris under an OSI-approved open-source license by the end of January."
Comments (42 posted)
Linux Adoption
Silicon.com
reports
that EduLinux will be used in 600 schools in Chile. "
EduLinux was
evaluated in 25 establishments during 2004, according to El Mercurio. This
study concluded that Linux would let schools make the best use of old
computers with limited processing power."
Comments (none posted)
Interviews
LinuxTimes
interviews George Staikos, the KDE North American Representative.
Q:
"What is the one area of KDE that needs the most work, or, What is the first priority for the KDE project at the present moment?"
A:
"Actually due to the timing, KDE's priority at the moment is KDE 4 - porting to Qt 4 and fixing architectural issues in KDE. This will be the main focus for 2005, and it should make a huge difference for KDE overall. Qt4 promises much better performance and the ability to take advantage of more advanced technologies and cleaner designs. As a part of this, there will be a focus on sharing more specifications and interoperating with other desktop software (GNOME, OpenOffice, Mozilla), and an effort to choose and integrate with a new multimedia framework."
Comments (7 posted)
News.com has published
an interview with Mitch Kapor.
"
The great thing that's happened of late is to see the early, huge momentum of Firefox, attracting millions of users and beginning to grow its market share appreciably. That represents proof that a well-done, well-wrought open-source product can have global impact as an application--and I consider a Web browser to be one of those everyday products."
Comments (1 posted)
Resources
Dru Lavigne
discusses
the differences between FreeBSD and Linux in an O'Reilly article.
"
Today's article examines some of the common command differences a Linux user might encounter on a FreeBSD system.
One of the minor irritations that comes with using another operating system is the change in the environment. Some of the first things many Linux users discover about a default FreeBSD installation are that it doesn't include bash and doesn't colorize the output of ls." Of course,
several of your LWN editors
de-colorize ls and vim at the earliest
opportunity after installing a new version of Linux.
Comments (none posted)
A new publication entitled
Free Software Magazine
has launched its first issue; it is available for download.
Here's a
sample article:
"
Free software, not just Linux, is a major problem for Microsoft. It's a big mistake thinking they don't understand free software, or its mechanics.
They understand it all too well, and they don't like it - not one little bit!
The problem Microsoft have with free software is that it benefits the customer directly, not the software IP holders."
Comments (11 posted)
Here's
a Linux Journal article looking at interesting MIDI software.
"
Improv controls real-time MIDI communication between a host computer and an external synthesizer. In a typical program, the computer receives MIDI input from the synthesizer, immediately alters that input in some preprogrammed manner and sends the altered data stream to the specified MIDI output port. Some Improv examples have the computer produce a MIDI output stream that can be altered by the external keyboard, creating interesting possibilities for a musical 'dialog' with the program."
Comments (1 posted)
Carla Schroder
details the process of making cross-platform printing work on
O'Reilly.
"
The combination of Samba and CUPS makes network printing on a mixed Linux/Windows LAN easier than ever. You can share Linux printers with Windows clients, and Windows printers with Linux clients. A Linux/Samba/CUPS printer server is reliable and reasonably simple to set up and maintain."
Comments (none posted)
Reviews
NewsForge
reviews the web site zazzybob.com. "
What's a zazzybob? I don't
know, but zazzybob.com is a Linux site that has a "particular lean" toward
scripting, with a full repository of Linux and Unix scripts free for the
taking under the terms of the GNU GPL. The scripts perform all sort of
useful and automatic functions, like adding a user, clearing the screen,
opening a bash xterm, or converting a decimal number to hex (or vice
versa)."
Comments (2 posted)
Linux Planet
looks at
KMail. "
KMail has long been my Linux email client of choice for
a number of reasons: nice clean interface, easily customizable and
configurable, stable, and more features than you can shake a stick
at. Today we'll dig into migrating from other email clients, encrypting
messages and key signing, and configuring multiple accounts and
identities." (Found on
KDE.News)
Comments (8 posted)
O'Reilly's OSDir has
an article
by George Staikos about the new RSS/RDF/Atom Aggregator that is
included in KDE 3.4 beta. "
Recently a new addition was made to the
code that will become KDE 3.4. The application known as aKregator was
imported. aKregator is a feed reader for KDE that supports RSS/RDF and Atom
feeds. Many news sites offer this technology as a means to access the
headlines and brief story summaries without loading the full content of the
pages."
Comments (none posted)
Miscellaneous
MozillaZine
covers a Netcraft report that finds Mozilla Firefox to be the
third most popular RSS reader.
"
The data comes from RSS/Atom feed post-processing service FeedBurner,
who analysed the readers accessing their 800 most popular feeds. Firefox's
Live Bookmarks feature came in third behind the Web-based Bloglines and the
Mac OS X client NetNewsWire. As the figures came from users of just one
service and have a lot of potential caveats, we'd be careful about trusting
them."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
CE Linux Forum has
announced
that it was officially established as a California non-profit corporation
on January 1 of this year. CELF's headquarters will be located in San Jose,
Calif., and Scott Smyers, who had been the chair of the organization's
steering committee, will serve as the chair of the CELF Board of Directors.
Comments (none posted)
The Open Source Development Labs has
announced that Samba hacker Andrew Tridgell ("tridge") has joined as the lab's second "Fellow."
Comments (none posted)
LinuxMedNews
mentions the posting of an RFP for the PhoenixPM project.
"
The purpose of the PhoenixPM project is to develop an Open Source Practice
management Software solution for a network of small safety net clinics in
Northern California."
Volunteer help is needed.
Comments (none posted)
Commercial announcements
Fervent Software has announced the availability of their Linux-based
commercial Studio to Go! live CD.
"
Studio to Go! is an integrated Live CD of score, MIDI and audio software
and one of the most sophisticated combinations of music software anywhere
in a single value-for-money package."
Full Story (comments: none)
FineArch Inc. has announced the development of a Sound Decoder chip
with support for the Ogg Vorbis sound compression format.
"
The existing playing process of Ogg Vorbis with multipurpose CPU software
required running of the CPU with a high-clock frequency; external RAM such
as SRAM was necessary as a working space for the software. FS-500,
however, will allow the running of Ogg Vorbis Stereo Sound Processing with
an internal LSI SRAM with an 8 MHz system running frequency."
Full Story (comments: 1)
LynuxWorks has
announced a PowerPC version of User-Mode Linux (UML) based on the
latest Linux 2.6 kernel and available for the Apple PowerPC G5. LynuxWorks
has also
announced a new embedded Linux point-of-sale (POS) solution using
BlueCat Linux.
Comments (none posted)
XenSource, a company formed around the
Xen virtual machine, has
announced the receipt of $6 million in venture capital. Evidently there really is money in Linux virtualization technology.
Comments (8 posted)
Laminar Research has announced version 8.03 of their commercial
X-Plane flight simulator
application.
A Linux compatible partially functional test version can be downloaded
for free.
Thanks to M. Jones.
Comments (none posted)
Xybernaut has
announced
that it will co-chair an international consortium focused on
next-generation applications for Linux. "
The overarching mission of
the consortium, called the Open Systems Competency Center (OSCC), is to
address scientific research on the practical applications in industry for
LINUX and Xybernaut will be providing extensive perspective and
experience in mobile, wireless and wearable computing to the group and its
efforts. Dr. Edwin Vogt, European Director for Xybernaut will co-chair the
consortium on behalf of Xybernaut."
Comments (none posted)
New Books
No Starch Press has published
The Book of Postfix
by Ralf Hildebrandt and Patrick Koetter.
Full Story (comments: none)
Resources
OSoft has
announced the availability of the Apache 2.0 web server documentation
in the ThoutReader Format.
"
The ThoutReader is an open source documentation platform that
allows software developers to browse, search, bookmark, and append all
their open source documentation as well as favorite reference books in
one standard format, at the same time -- even off-line."
Comments (none posted)
The January 19, 2005 edition of the Linux Documentation Project Weekly News
is online with the latest new documentation releases.
Full Story (comments: none)
Contests and Awards
Canonical is sponsoring the Ubuntu Website Look'n'Feel Contest to give the
Plone 2 based
Ubuntu website a new
look. There is a US$1000 first prize for the winning design. Click below
for details.
Full Story (comments: 11)
Surveys
Evans Data has
done another survey; this one is about database management systems. "
FireBird is
the most used open source database for Enterprise applications, more
database developers use FireBird for single purpose applications and
FireBird is tied for the most used database for workgroup
applications. Further, MySQL and FireBird are locked in a virtual tie
in the open source database space with each being used by just over
half of database developers who use open source databases."
Comments (14 posted)
Upcoming Events
The Syrian GNU/Linux Users Group has announced the
Free and Open Source Software Workshop, to be held in
Damascus, Syria on March 2-4, 2005.
Full Story (comments: none)
The SELinux Symposium has
announced their keynote speaker: Daniel G.
Wolf, director of the Information Assurance Directorate at the
National Security Agency (NSA).
The event will be held from March 2-4, 2005 in Silver Spring, MD.
Comments (none posted)
The Southern California Linux Expo will be held on
February 12 and 13, 2005 at the Los Angeles conference center.
Full Story (comments: none)
| Date | Event | Location |
| January 28 - February 4, 2005 | Asia Source | (Visthar training venue) Bangalore, India |
| January 31 - February 2, 2005 | OSDL Enterprise Linux Summit | (Hyatt Hotel) Burlingame, California |
| February 2 - 3, 2005 | Solutions Linux 2004 | (CNIT, Paris la Défense) Paris, France |
| February 4 - 6, 2005 | ShmooCon 2005 | (Wardman Park Marriott Hotel) Washington, DC |
| February 7 - 11, 2005 | GlobusWORLD | (Sheraton Boston Hotel) Boston, MA |
| February 9 - 11, 2005 | German Perl-Workshop 2005 | Dresden, Germany |
| February 9 - 11, 2005 | Third-Annual Desktop Linux Summit | (Del Mar Fairgrounds) San Diego, CA |
| February 9, 2005 | OOo RegiCon North America | (Del Mar Fairgrounds) San Diego, CA |
| February 11 - 13, 2005 | CodeCon 2005 | San Francisco, CA |
| February 12 - 13, 2005 | Southern California Linux Expo 2005 (SCALE) | (Los Angeles Convention Center) Los Angeles, CA |
| February 14 - 17, 2005 | Linux World Conference and Expo | (Hynes Convention Center) Boston, MA |
| February 24 - 25, 2005 | UKUUG LISA/Winter Conference | Birmingham, UK |
| February 25, 2005 | Dutch Perl Workshop | Amsterdam, the Netherlands |
| February 26 - 27, 2005 | Free and Open Source Developers' European Meeting (FOSDEM 2005) | Brussels, Belgium |
| February 28 - March 3, 2005 | EclipseCon 2005 | (Hyatt Regency) Burlingame, CA |
| February 28 - March 1, 2005 | Asia Debian Mini-Conf 2005 | Beijing, China |
| March 1 - 2, 2005 | JBoss World 2005 User Conference | (Omni/CNN Center) Atlanta, GA |
| March 2 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland |
| March 2 - 3, 2005 | Asia CodeFest 2005 | Beijing, China |
| March 2 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China |
| March 2 - 4, 2005 | The Free and Open Source Software Workshop | (Al Assad National Library) Damascus, Syria |
| March 12, 2005 | Gentoo UK 2005 | (University of Salford) Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) | (Westin Horton Plaza) San Diego, CA |
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Leon Brooks <leon-olc-AT-cyberknights.com.au> |
| To: | Ingrid Marson via Mailroom <mailroomuk-AT-zdnet.com> |
| Subject: | The early ThunderBird adopters are not techies |
| Date: | Thu, 13 Jan 2005 17:36:12 +0800 |
| Cc: | James Governor <jgovernor-AT-redmonk.com>, Ingrid Marson <Ingrid.Marson-AT-zdnet.co.uk>, LWN Letters <letters-AT-lwn.net> |
> "I do think it [Thunderbird] will benefit from this groundswell
> around Firefox, but we shouldn't get too carried away by that
> groundswell," said Governor. "For all the momentum Firefox has
> enjoyed, it still only has a small, technically savvy, user
> base."
My own experience has been exactly the opposite. The power users get tied into
specific Outlook features or ways of doing things and like the mythical
monkeys holding the nuts inside the bottles won't release their grip to adopt
a safer system - sometimes even if there are major specific advantages beyond
the obviously better safety and lowered spam/virus irritation.
The stereotyped "dumb blonde secretaries" are the ones happiest to use FireFox
and ThunderBird, for the very simple and obvious reasons that the software
does everything they need and more, and is much safer to use. The non-techies
can then stop flinching every time they click on a new, dangerous-looking
link or piece of email.
They're even happier about Konqueror and Kontact under Linux. Some things are
an extra click or two to do, but it's much harder to accidentally destroy
stuff, much more consistent, much easier to figure out what's going on, and
the main-line stuff like copy and paste is much faster 'coz it's one click
each, no keyboarding, no mucking about in menus. The only obvious thing they
lack is the occasional browser plugin (e.g. Director), a field which is
filling in fast.
Linux has the added advantage of not suffering "bit-rot", so again and again
they're pleasantly surprised when six months later everyone's workstation
still does what it was doing when it was first installed. Meanwhile the
techies are muttering into their beers about not being able to play Halo in
the office.
Everyone keeps waiting for Linux to hit the mainstream, but in real life it
already has. It's all good. Let the techies catch up later if they must.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Vice President, Perth Linux User Group
http://osia.net.au/ Member, Open Source Industry Australia
http://slpwa.asn.au/ Member, Linux Professionals WA
http://linux.org.au/ Member, Linux Australia
From: Leon Brooks <leon-AT-cyberknights.com.au>
To: Liam Lahey <echannelline-AT-integratedmar.com>, Alec Taylor <webmaster-AT-microsoft.com>
Subject: eChannelLine article on Linux: Alec Taylor's comments
Date: Wed, 19 Jan 2005 10:43:31 +0800
Cc: letters-AT-lwn.net
Please forward as appropriate.
From http://www.integratedmar.com/ECL.cfm?item=DLY011705-4 - Quoting Alec
Taylor, Microsoft's "Canada (MFST) [sic] platform strategy spokesperson in
Mississauga," Ontario:
> "One COO of a major financial institution commented to me recently he'd
> be hard-pressed to introduce open source into his bank's systems knowing
> there's a possibility his 13-year-old son may have contributed to the
> code."
That article's a sad commentary on the COO's respect for his son's abilities.
If he's more concerned about the son's age than the quality of the son's
work, what blunders of similar style must he be making with millions of
dollars of other people's money?
It's also typical and unfair of Microsoft to focus on a _potential_ random
13-year-old (regardless of his or her actual talents) and ignore the many
_existing_ battle-seasoned veteran programmers and engineers out there
writing Open Source applications. It's also typical of Alec, who late last
year claimed that OpenOffice didn't offer alternatives for a misspelling - a
feature which had long been in OO at the time - and regularly denies that
insecurity is independent of popularity.
The Open nature of Linux really bugs Alec. It seems to disturb him that code
is out there, flapping in the breeze for any random Internet user to stare
at, and he seems entirely uncomfortable with the idea that said code could be
safe because it was designed right and works, rather than because its
deficiencies are hidden and simply haven't been discovered yet. Yet two
thirds of the world's web servers and almost all of the world's exposed email
servers work like that and they are NOT the ones that give us the CodeRed
deluges of wild and alien traffic (and I note with a sigh that there's a new
MS IIS attack popping up in my logs as I type) or ship our private documents
to random net denizens mentioned in our address books.
The internal IT management at two Australian banks have told my book-keepers
that they'd much rather we used FireFox for their web interface than MS IE,
and one of them is already switching staff over internally. Another
Australian bank's tech support staff told me personally that they would much
rather that their banking application were used with WINE on Linux than under
WinME because it causes far fewer problems for them. So reports from the front
lines hint that Alec's finance COO has his head in the sand.
> "You can take a Microsoft solution, pop it into your environment, and
> away you go. Whereas in the open source world ... there are gaps in
> that solution stack and you have to ask yourself, 'who is going to
> fill those gaps?'" he said.
It's also a sad commentary on the state of Microsoft's application stack that
it only plays nicely as an invariant monocultural block, it's so lip-service
disrespectful of real standards that evidently stepping outside their own
application stack is a bit of a chore.
Worse, if a slice of that stack develops a problem - such as the recent
catastrophic vulnerabilities in Internet Explorer which have been known and
not fixed for months - the whole stack comes thundering down for lack of a
compatible alternative to bridge the gap.
Picture having all of your eggs in a tall, thin, wobbly tower of baskets and
you won't be too far from the truth. Open Source (including Linux) could be
modelled as a well-adapted and steady group of stacks, with scores of spare
baskets ready to slot in should anything begin to creak or twang.
Now think about the observation that the phrase "the recent catastrophic
vulnerabilities in Internet Explorer" is pretty much constantly applicable
and you can begin to understand what a terrifying house of cards a Microsoft
adoptee is really living in.
> right now open source is attempting to approximate what we already have
> with innovative integration
Inasmuch as "innovative integration" is in practice newspeak for vendor
lock-in, that's just plain not true. PHP, with its many integrated features
and flourishing community of third-party libraries, is one of the _many_
mutually interoperable technologies eating Microsoft's web application lunch
from the bottom up. It runs on many different web servers, from the
command-line or in a GUI framework.
We (Open Source developers) are putting considerably more effort into avoiding
Microsoft's mistakes than copying them. And since the developers are also the
users, the Open Source solutions are being built by the people who actually
use the stuff. You can't buy better customisation than that.
Mozilla FireFox, for example, provides many powerful security and convenience
features today that Microsoft is only just beginning to strap onto their own
browser, and because it's not hobbled with dependencies on vendor-specific
technologies you can use the same browser on Macintosh, Linux, Solaris,
anywhere. XUL and similar technologies in FireFox provide levels of seamless
integration which others can only dream about (or mimic with security
nightmares like ActiveX).
KDE's Konqueror browser is another example. It already encompasses a level of
smooth integration only dreamed of by proprietary competitors and is rapidly
getting even better. Files, archives, web pages, shell accounts, music CDs,
FTP servers, they're all one and the same. Dragging a selection of tracks
from my CD and dropping them onto a remote server results in the tracks being
ripped, named, converted (to Ogg, MP3, Shorten or whatever) and securely
uploaded. I don't have to start any media players, I don't have to know
anything about the remote server, not even what protocol I'm using to fetch
or send stuff, it all Just Works. If passwords are needed either I'm asked or
they're fetched from KWallet. And if there's a misspelling anywhere, yes, I
_am_ offered alternate words.
This level of integration extends throughout KDE, and it doesn't come with
IE's constant security burden. Anything that requires a database has a sheaf
of them to choose from, it's not hobbled to a single piece of software, never
vulnerable to an MS-Blaster worm of any sort. Microsoft is culturally unable
to offer any of this.
As if to rub salt into the wound, Microsoft's web site is as I type unable to
offer me any form of electronic feedback ("This Service is Currently Not
Available") or any way to contact Alec Taylor on line to include him in the
conversation. That's pretty pathetic for such a large and capable company,
especially one whose founder advised everyone (in his book "The Road Ahead")
to use more email. Such frustrating opacity is happily very rare in Open
Source communities.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Vice President, Perth Linux User Group
http://osia.net.au/ Member, Open Source Industry Australia
http://slpwa.asn.au/ Member, Linux Professionals WA
http://linux.org.au/ Member, Linux Australia
Page editor: Jonathan Corbet