
LWN.net Weekly Edition for February 3, 2005

Interview: OSI's new president

On January 31, the Open Source Initiative announced an expansion of its efforts and the appointment of Russ Nelson as its president. Mr. Nelson was kind enough to answer a few questions from LWN on the OSI and where he thinks it is headed. The questions, and his answers, can be found below. We thank Russ for taking the time to fill us in.

LWN: So you're the new president of OSI. Why did you take on that role, and where do you anticipate taking the OSI in the near future?

To Infinity ... and Beyond!

No, wait, that's Bruce Perens' line [Bruce worked for Pixar and is in the Toy Story credits].

Never before in history have we had a time when one person of ordinary intelligence can write a program which becomes used by half the worldwide computer-using population. This creates so many problems between countries that I really feel they have to be addressed with a treaty.

I think that the end goal is an international treaty concerning Open Source. Just to take one tiny portion of that issue: today somebody asked us for an "official Spanish version de license MIT". We can't do that. I mean, we could translate it (or more properly find a volunteer to translate it and publish it on opensource.org), but the problem is that almost certainly the author of the MIT-licensed software didn't give us permission to license his software under the Spanish-language MIT license.

In many ways, the OSI appears to have fallen from view. Until this news hit, the most recent item listed on the front page was dated October, 2001. The OSI gets called upon to put its stamp on a license occasionally; what else does the OSI do now? Is it relevant to the free software development process, and how?

When were we ever relevant to the free software development process? We've always been an education/advocacy group. If you're already convinced that open source is a good thing, what more would we say to you? Really, the only time somebody inside the open source community needs to be concerned with us is when they talk to someone outside the community. If that person needs to be whupped around a little, send 'em to us and we'll give 'em what for.

We continue to do what we've always done: talk to people about open source. Calm their fears, and renew their hopes.

The press release states that OSI will set out on "the establishment of principles of Open Source development and best practices" and "the creation of a registry of software projects that adhere to those principles." What need is driving the creation of these principles and the associated registry?

I believe that there is such a thing as an "Open Source effect". That effect requires more than just a license that complies with the Open Source Definition (OSD). We need to be more clear about that, because we sometimes have people who come along and want to create a license which complies with the letter of the OSD but not the spirit. The trouble is that the benefits come with the spirit. We need to do a better job of codifying the spirit.

When you talk about "inclusion of international perspectives and initiatives related to Open Source," what do you mean?

Working towards the end goal (as above) and adding board members from outside the US. We're starting to get some non-US, non-Europe (if you look at the map of locations of Debian developers, there are a LOT of them in Europe) countries that are signing on to open source in a BIG way. Take Brazil for example. We need better representation in those countries.

Why does the OSI need *two* legal counselors? What do they do?

Why does a computer need *two* power supplies? We felt that the job had grown to the point that one sole-proprietor lawyer (Larry Rosen) couldn't do the job anymore, and Larry's open source practice had expanded. It's possible that one law-firm lawyer could have brought in enough resources, but we wanted to share the work. In essence, Mark is inward-facing and Laura is outward-facing. She has been on the license-discuss mailing list for years now. She has also started to help with legally-oriented correspondence. Mark will help us with, among other things, registering the OSI-Certified mark, and with overhauling our bylaws.

How will the new OSI board members be selected? In general, how is the OSI kept accountable to the community it hopes to represent?

We are still a small, self-selecting board. We expect to change that in some way, but the details are still in the air. Having a larger board will take us in that direction no matter what.

How do you expect OSI to work with other free software-oriented groups, such as OSDL and the FSF? Will there be more cooperation in the future?

CAGE MATCH!! BLOOD, GORE, AND DEATH! Er, um, sorry. We had a dinner last summer with OSDL to talk about license proliferation issues. We are on cordial relations with the FSF, AND EXPECT TO TAKE THEM OVER SHORTLY! Sorry, I must apologize for all these capital letters. I don't know where they're coming from. I'll be in Boston in a couple of weeks for Linux World. I expect that I'll run into Bradley Kuhn and HE'LL DIE we'll talk about further ways in which the OSI and FSF could cooperate. I know of no reason why any animosities between us cannot be overcome AND CRUSHED LIKE A BUG.

Is there anything else which you would like to communicate to LWN readers?

Is this the point at which I add various mealy-mouthed corporate statements?

I think it's great to be President of the OSI at this point in time. We've had a strong president in Eric Raymond who took us from nothing to a highly respected member of the open source community. As corporations and governments come to be part of the community, we have to double and redouble our educational and advocacy efforts. We need to make sure that corporations know how to work with individual developers, and that governments know how to set the rules so everybody can work together. And we have to squash software patents, but that's a different interview.


GNOME and KDE priorities

February 3, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

With the KDE 3.4 and GNOME 2.10 releases on the horizon, we decided to take a look at both projects to see where both desktop teams were focusing their efforts. To get a feel for the priorities of each team, this reporter "test drove" the KDE 3.4 beta 1 using the SUSE 9.2 packages and GNOME 2.9.4 with Ubuntu's Live CD. We also spoke to KDE core developer Zack Rusin about the 3.4 release and GNOME release team member Luis Villa about GNOME's 2.10 release.

Both KDE 3.4 and GNOME 2.10 are incremental releases. That is to say, neither desktop is undergoing dramatic changes in the upcoming release and casual users may not notice many changes. Instead, there are a number of small improvements and enhancements to the current desktop that users will find in each release.

Both projects are concentrating on backward compatibility. KDE's Rusin said that the 3.x series is basically in "maintenance" mode, with the KDE team trying to add features that users want, without major changes that would compromise compatibility with older releases. He noted that one of the goals for the 3.4 release is to maintain binary compatibility with the earlier 3.x releases. GNOME's Villa said that the GTK core toolkit has a strict ABI/API compatibility policy. "If you build against GTK 2.0, you should be able to run against GTK 2.6 with no problems." He also said that other core GNOME libraries provide the same guarantee, "that's why we have Firefox and Eclipse building against us."

According to Villa, the 2.10 release will see more bugfixes than usual. He said that, depending on how you track bugs, the 2.10 release already includes between 1,000 and 5,000 closed bugs -- and that's before the final feature freezes and bug fixing before the final release. Villa did note that the GNOME team always places a high priority on quality control, but that this release seemed to have a higher than normal number of bugfixes.

Another focus for the GNOME team in 2.10 is implementation of freedesktop.org standards agreed upon by the GNOME and KDE teams. Villa noted that the GNOME team had revamped the menu structure to comply with the freedesktop.org menu specification.

The GNOME release adds a new "Places" menu to the panel that allows the user to quickly navigate between their home folder, the desktop, CD-ROM and network locations. Villa said that the GNOME team has also addressed some of the complaints about the file chooser from the last version of GNOME, and that the typeahead feature has returned.

Both desktops are increasingly friendly for users with disabilities. Villa said that the 2.10 release did not focus on improvements to accessibility because GNOME is "already far and away the leaders in accessibility."

The KDE team, on the other hand, has made accessibility a major priority in 3.4. One major new feature that users will find in 3.4 is the text-to-speech system, which will be available in many applications. Rusin said there is also a new "mono" theme for 3.4 that would be better for users who had difficulty with the high-color styles used in KDE. Rusin noted that working on accessibility was difficult because it is "such a hugely complicated area," and that the KDE team will continue to add functionality in future releases.

Multimedia has also gotten a boost in GNOME 2.10. According to Villa, the Gstreamer integration is greatly improved in GNOME 2.10. This is the first release where Totem has been integrated into the GNOME release process, and Villa also said it was the first release where the Totem team had worked more closely with the Gstreamer team. Totem had previously worked with Xine, but Villa said that Xine had "legal encumbrances" that made it more difficult for vendors to distribute. There is also a new and improved mixer applet in GNOME 2.10 that hides some of the complexity from the user, at least at first. Villa said users would still be able to get to all of the functionality of their sound card with the mixer, but wouldn't be presented with it at first glance.

Both KDE and GNOME teams have been beefing up their groupware offerings. Rusin told LWN that KDE PIM had been "hugely improved" for 3.4. Kontact has expanded its support of GroupWare servers with support for Novell GroupWise and OpenGroupware.org, and partial support for Microsoft Exchange Server 2000. Kontact also supports OpenExchange Server, eGroupWare and Kolab.

Evolution's latest release includes eplugin, a plugin architecture to allow developers to extend Evolution with new features. Some of the plugins available now include an inline audio player for Evolution, an Exchange account setup plugin and an "automatic contacts" plugin that creates address book entries when a user replies to e-mails. Evolution already includes the Exchange plugin, and Villa said that Evolution was also getting a lot of work to be compatible with Novell GroupWise.

KDE 3.4 marks the first inclusion of aKregator, a feed aggregator for KDE. This writer found aKregator very easy to use, and its integration with Konqueror and Kontact makes it a great choice for KDE users. The KDE team has also beefed up KPDF to include support for the text-to-speech features.

From talking to developers on both teams, it's clear that both desktops are trying to move towards better "enterprise" capability, and making it easier for others to develop applications for the respective desktops. From using both, it's clear to this writer that GNOME and KDE view users differently. GNOME continues to move towards a simple end-user interface, while KDE is more about adding features that users want -- even if it increases complexity.

Users who want to try out GNOME 2.10, without the hassle of compiling GNOME or installing it, should look to the Ubuntu Live CD for the upcoming Hoary Hedgehog release. Rusin said he wasn't aware of any Live CDs with KDE 3.4 beta just yet, but something might pop up on the Knoppix lists.


Grokster, the Little Engine that Could, Chugs Up One Last Hill

Grokster is the Little Engine That Could. So far, against overwhelming odds, it has successfully dodged every legal bullet a massive horde of entertainment companies - some 28 of them, representing the interests of the music recording and movie industry - have thrown at it. Now, there is one more hill, and it's the steepest of them all, a hearing before the US Supreme Court in March.

There is a lot more at stake than just the fate of a couple of peer-to-peer file sharing services. What's at stake, to quote from one of the many amici briefs filed in this high-profile case (this one by the Computer & Communications Industry Association and NetCoalition) is nothing less than this: it's a push to overturn the court's ruling in Sony Corp. of America v. Universal City Studios, 464 U.S. 417 (1984) (the "Betamax case") and replace it "with new standards that would as a practical matter give the entertainment industry a veto power over the development of innovative products and services."

[Editor's note: due to the length of this article, we have not put the whole thing inline in the Weekly Edition. The full text of PJ's Grokster article may be found on its own page.]


European software patent update

January 28, 2005

This article was contributed by Tom Chance.

On 24 September 2003, after 19 months of consideration, the European Parliament voted on the software patent directive, and made substantial amendments to exclude patents on pure software and business methods. However, regular rows between the European Council and Parliament, the Council ignoring many of the Parliament's amendments, and subterfuge tactics by the European Parliament's Committee for Legal Affairs (JURI) to try to push it through mean that pure software patents in Europe are still a scary possibility.

Restart the process?

Under the co-decision rules for European lawmaking, the European Parliament, Commission and the Council all have to agree to the text of the directive before it can come into force. However, at this stage in the legislative process (it is now at its second reading), if the European Council continues to ignore the Parliament's amendments, it will be extremely difficult for the European Parliament to keep them.

An absolute majority (two thirds of all MEPs, or at least 367 votes) is required in a second reading for each Council amendment the Parliament wishes to reject. Every MEP absent in the plenary chamber that day and every abstention vote would count in favor of the Council proposal. In 2004, the University of Duisburg-Essen released a study which showed that on average only 56.2% of Italian MEPs took part in the 4,437 roll call votes held in European Parliament between 1999 and 2003. The most diligent MEPs are from Luxembourg with a presence of 85.2%. We would, in other words, have to encourage an abnormally high turnout of MEPs for an issue that struggles to capture their imaginations.

This is even more worrying when you consider that a majority of the MEPs currently in parliament were elected in 2004 and did not even participate in the first reading of the directive. Ten new countries, with no previous say in the directive, also joined the EU in 2004. If the council position is officially announced, the Parliament will be forced to vote on the second reading within three to four months. This would give a relatively new Parliament little opportunity for discussion and consultation, and could lead to software patent loopholes if critical amendments were left out.

On the 2nd of February, JURI is set to decide whether or not to restart the procedure. This decision has only been possible because of a motion, signed by 61 members of the European Parliament, calling for a new first reading of the software patent directive. Poland has also helped significantly by repeatedly postponing the adoption of the Council's software patent agreement, but can only do this for so long before other states pressure them on issues more important to the Polish economy.

A complete restart is one of the best (and only) feasible solutions left. As there are no absolute majority requirements in first readings, it would be easier for the European Parliament to pass amendments. The Council would have to have a new first reading, canceling its current pro-software patent position and putting pressure on it to avoid adopting a similar stance so contrary to the will of Parliament. A restart would also enable new member states to have their say from the beginning, making it a more democratic directive.

What can you do?

The only reason we don't have software patents in Europe is because of the efforts of activists protesting and lobbying against them. In Europe, according to the European Patent Office, already 7% of applicants hold more than 50% of patents. If we don't want to go down a path whereby a start-up or open source company with no patents will be forced to pay whatever price larger corporations choose to impose, we must get out there and fight to stop it happening. Here are a few ideas to get you started:

  • Help spread the word about software patents by joining the Web Demo. Register your site at http://demo.ffii.org/.

  • Contact a member of JURI with your concerns about software patents and your support for a restart of the software patent directive. The JURI committee has members from many different European member states, and these MEPs are best contacted by people from their own countries, since they will be much more likely to respond and raise your concerns within JURI. Find your MEPs here.

  • Contact your local MEPs to lobby members of JURI on your behalf. If you don't have time to seriously lobby a member of JURI, get your local MEP to do it for you. MEPs are supposed to represent their constituents, so let them help you get your message across. Find out who they are here.

  • Visit European Parliament in Brussels to lobby MEPs (especially the JURI committee) about software patents. Ask for more information on this mailing list.

  • If you are too busy to do any of the above, you might consider donating to organizations like the FFII and the Electronic Frontier Foundation, who are trying to ensure that software patent legislation is compatible with small and medium enterprises as well as free or open source software. Large software companies employ people to do nothing but patent lobbying, so we need to support those people who are opposing them as much as possible.

(Edward Griffith-Jones contributed to the writing of this article).


Page editor: Jonathan Corbet

Security

Address space randomization in 2.6

Arjan van de Ven has posted a series of patches which add some address space randomization to the 2.6 kernel. With these patches applied, each process's stack will begin at a random location, and the beginning of the memory area used for mmap() (which is where shared libraries go, among other things) will be randomized as well. These patches represent an improvement in the kernel's security infrastructure, but the reception on the public lists has been surprisingly hostile.

Many buffer overflow exploits, especially those used in large-scale attacks, contain hardcoded addresses. An exploit which overflows a stack variable will place some executable code on the stack; it then overwrites the return pointer so that the broken function "returns" into the exploit code. If you look at a given distribution's shipped version of a vulnerable program, an exploit will always be able to place its payload at the same address on the stack, so it can contain that address directly. If, instead, the exploit author does not know ahead of time where the payload will end up, actually getting the computer to execute that code will be much harder.

That is why the stack randomization patch helps. When the stack location is deterministic, a relatively simple exploit can be made to work on all systems running the vulnerable distribution. If the stack moves, instead, hardcoded addresses no longer work.

Moving the mmap() area has similar benefits. One popular type of exploit prepares the stack and then "returns" into a shared library somewhere. That return can, for example, cause the application to behave as if it had intentionally called system() or a similar library function. Moving the libraries around makes these attacks harder.

One of the biggest complaints that has been raised is that the amount of randomization is insufficient. The patches, as posted, vary the stack base within a 64KB area and the mmap() base within a 1MB range. Alignment requirements prevent just any address from being used, with the result that only a relatively small number of possible base addresses exists. So a determined attacker could repeatedly run a hardcoded exploit with some assurance that, within a reasonable amount of time, the stack would land at the right place and the exploit would work. Placing a long series of no-op instructions at the beginning of the payload can also make an exploit more robust when faced with randomization.

Arjan responds that the amount of randomization is not the issue at the moment. He is trying to get the infrastructure into the kernel and tested in a minimally disruptive way; the degree of randomization can be tweaked upward later on. That amount may never get as high as some people would like, at least on 32-bit systems, because it cuts back on the available virtual address space. But it is likely to go up once the developers are convinced that things are working.

In any case, a larger randomness makes the problem harder, but does not change its fundamental nature. With the ability to keep trying, an attacker will eventually get around any degree of randomization possible on 32-bit systems (64-bit systems are a different story). Thus, says Ingo Molnar:

conclusion: stack randomisation (and other VM randomisations) are not a tool against local attacks (which are much easier and faster to brute-force) or against targeted remote attacks, but mainly a tool to degrade the economy of automated remote attacks.

Randomization is not a magic bullet which solves a wide range of security problems. It does make an attack harder, however, and that can only be a good thing.
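To check on a running system how far the stack and mmap() bases actually move, the following probe re-executes itself and reports which address bits change between runs. It is an added example, not code from the patches or from the original article. The 16-byte stack alignment and 4KB page alignment used to turn the article's 64KB and 1MB windows into bit counts are assumptions, as is the reliance on the C library serving a 1MB malloc() from the mmap() area.

```c
#define _POSIX_C_SOURCE 200809L   /* popen()/pclose() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RUNS 64   /* number of fresh exec()s to sample */

/* Address bits that took different values in at least two samples. */
uintptr_t varying_mask(const uintptr_t *s, size_t n)
{
    uintptr_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= s[i] ^ s[0];
    return mask;
}

/* Number of set bits; the samples hold at most 2^bit_count distinct values. */
int bit_count(uintptr_t v)
{
    int c = 0;
    for (; v; v >>= 1)
        c += (int)(v & 1);
    return c;
}

/* Distance between the lowest and highest sampled address. */
uintptr_t sample_span(const uintptr_t *s, size_t n)
{
    uintptr_t lo = s[0], hi = s[0];
    for (size_t i = 1; i < n; i++) {
        if (s[i] < lo) lo = s[i];
        if (s[i] > hi) hi = s[i];
    }
    return hi - lo;
}

/* Bits of randomness when a base may land on any `align` boundary
 * inside a window of `window` bytes (floor(log2(window / align))). */
int window_bits(unsigned long window, unsigned long align)
{
    int bits = 0;
    for (unsigned long slots = window / align; slots > 1; slots >>= 1)
        bits++;
    return bits;
}

/* Child mode: print one stack address and one mmap()-area address. */
static int child(void)
{
    int local = 0;
    void *big = malloc(1 << 20);   /* assumption: large requests come from mmap() */
    if (!big)
        return 1;
    printf("%lx %lx\n", (unsigned long)(uintptr_t)&local,
           (unsigned long)(uintptr_t)big);
    free(big);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0)
        return child();

    uintptr_t stack[RUNS], map[RUNS];
    char cmd[4096];
    size_t n = 0;

    /* Each popen() is a new exec(), so the kernel picks new bases.
     * Assumes argv[0] contains no single quote. */
    snprintf(cmd, sizeof cmd, "'%s' --child", argv[0]);
    for (int i = 0; i < RUNS; i++) {
        unsigned long a, b;
        FILE *p = popen(cmd, "r");
        if (!p)
            continue;
        if (fscanf(p, "%lx %lx", &a, &b) == 2) {
            stack[n] = (uintptr_t)a;
            map[n] = (uintptr_t)b;
            n++;
        }
        pclose(p);
    }
    if (n < 2) {
        fprintf(stderr, "not enough samples\n");
        return 1;
    }

    uintptr_t sm = varying_mask(stack, n), mm = varying_mask(map, n);
    printf("samples: %zu\n", n);
    printf("stack: mask %#lx, %d varying bits, span %#lx\n",
           (unsigned long)sm, bit_count(sm), (unsigned long)sample_span(stack, n));
    printf("mmap:  mask %#lx, %d varying bits, span %#lx\n",
           (unsigned long)mm, bit_count(mm), (unsigned long)sample_span(map, n));
    printf("article's windows: stack 64KB/16B = %d bits, mmap 1MB/4KB = %d bits\n",
           window_bits(64UL << 10, 16), window_bits(1UL << 20, 4096));
    return 0;
}
```

A mask of zero for either region means that base did not move at all across the sampled runs.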


New vulnerabilities

bind: validator function denial of service

Package(s):bind CVE #(s):CAN-2005-0034
Created:January 27, 2005 Updated:February 1, 2005
Description: A vulnerability was discovered in BIND version 9.3.0: an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely.
Alerts:
Mandrake MDKSA-2005:023 2005-01-26


ClamAV: multiple issues

Package(s):clamav CVE #(s):CAN-2005-0133
Created:January 31, 2005 Updated:March 3, 2005
Description: ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs.
Alerts:
Conectiva CLA-2005:928 2005-03-03
Mandrake MDKSA-2005:025 2005-01-31
Gentoo 200501-46 2005-01-31


cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02


f2c: insecure temp files

Package(s):f2c CVE #(s):CAN-2005-0017 CAN-2005-0018
Created:January 27, 2005 Updated:April 20, 2005
Description: The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27


FireHOL: insecure temporary file creation

Package(s):FireHOL CVE #(s):
Created:February 1, 2005 Updated:February 1, 2005
Description: FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user.
Alerts:
Gentoo 200502-01 2005-02-01


Gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 31, 2005 Updated:February 10, 2005
Description: Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information.
Alerts:
Gentoo 200501-45:03 2005-01-30
Gentoo 200501-45 2005-01-30


ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30


ngIRCd: buffer overflow

Package(s):ngIRCd CVE #(s):
Created:January 28, 2005 Updated:February 1, 2005
Description: Florian Westphal discovered a buffer overflow caused by an integer underflow in the Lists_MakeMask() function of lists.c. See the ngIRCd 0.8.2 release announcement for more information.
Alerts:
Gentoo 200501-40 2005-01-28


openswan: stack based buffer overflow

Package(s):openswan CVE #(s):CAN-2005-0162
Created:January 28, 2005 Updated:February 1, 2005
Description: A stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code.
Alerts:
Fedora FEDORA-2005-082 2005-01-28


perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02


postgresql: privilege escalation via LOAD

Package(s):postgresql CVE #(s):CAN-2005-0227
Created:February 1, 2005 Updated:February 7, 2005
Description: John Heasman has discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialization function was then executed with the permissions of the server.
Alerts:
Fedora FEDORA-2005-125 2005-02-07
Fedora FEDORA-2005-124 2005-02-07
Gentoo 200502-08 2005-02-07
Ubuntu USN-71-1 2005-02-01


SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28


uw-imap: authentication bypass

Package(s):uw-imap imap CVE #(s):CAN-2005-0198
Created:February 2, 2005 Updated:March 1, 2005
Description: The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions.
Alerts:
SuSE SUSE-SA:2005:012 2005-03-01
Red Hat RHSA-2005:128-01 2005-02-23
Mandrake MDKSA-2005:026 2005-02-01
Gentoo 200502-02 2005-02-02


Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25


AWStats: remote code execution

Package(s):awstats CVE #(s):CAN-2005-0116 CAN-2005-0362 CAN-2005-0363
Created:January 25, 2005 Updated:February 15, 2005
Description: When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server.
Alerts:
Debian DSA-682-1 2005-02-15
Gentoo 200501-36:03 2005-01-25
Gentoo 200501-36 2005-01-25


cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07


chbg: buffer overflow

Package(s):chbg CVE #(s):CAN-2004-1264
Created:January 18, 2005 Updated:February 2, 2005
Description: Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.
Alerts:
Mandrake MDKSA-2005:027 2005-02-01
Debian DSA-644-1 2005-01-18


cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17


cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Because filenames are not sanitized, a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-0006 CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084
Created:January 21, 2005 Updated:February 15, 2005
Description: Ethereal has released 0.10.9 to fix several vulnerabilities.
Alerts:
Red Hat RHSA-2005:037-01 2005-02-15
Red Hat RHSA-2005:011-01 2005-02-02
Fedora FEDORA-2005-069 2005-01-25
Fedora FEDORA-2005-068 2005-01-25
Mandrake MDKSA-2005:013 2005-01-24
Debian DSA-653-1 2005-01-21
Gentoo 200501-27 2005-01-20

Comments (none posted)

evolution: arbitrary code execution

Package(s):evolution CVE #(s):CAN-2005-0102
Created:January 24, 2005 Updated:May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is another buffer overflow in Exim's auth_spa_server(), which is also fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06
Fedora FEDORA-2005-001 2005-01-06

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kdebase: screen saver crash

Package(s):kdebase CVE #(s):CAN-2005-0078
Created:January 26, 2005 Updated:January 26, 2005
Description: From the Debian advisory: "Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session."
Alerts:
Debian DSA-660-1 2005-01-26

Comments (none posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs. It allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kerberos5: execution of arbitrary code by authenticated user

Package(s):kerberos5 CVE #(s):CAN-2004-1189
Created:December 21, 2004 Updated:February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21

Comments (none posted)

kernel: i386 SMP page fault handler privilege escalation

Package(s):kernel CVE #(s):CAN-2005-0001
Created:January 14, 2005 Updated:February 25, 2005
Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
Alerts:
Fedora-Legacy FLSA:2336 2005-02-24
SuSE SUSE-SA:2005:010 2005-02-25
SuSE SUSE-SA:2005:005 2005-02-04
Mandrake MDKSA-2005:022 2005-01-25
Red Hat RHSA-2005:017-01 2005-01-21
Red Hat RHSA-2005:016-01 2005-01-21
SuSE SUSE-SA:2005:003 2005-01-21
Ubuntu USN-60-0 2005-01-14
Fedora FEDORA-2005-025 2005-01-13
Fedora FEDORA-2005-026 2005-01-13

Comments (none posted)

Konversation: multiple vulnerabilities

Package(s):konversation CVE #(s):CAN-2005-0129 CAN-2005-0130 CAN-2005-0131
Created:January 24, 2005 Updated:January 26, 2005
Description: Multiple vulnerabilities have been discovered in all Konversation versions up to and including 0.15.
Alerts:
Gentoo 200501-34 2005-01-24

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-radius-auth

Package(s):libpam-radius-auth CVE #(s):CAN-2005-0108
Created:January 26, 2005 Updated:January 26, 2005
Description: The PAM RADIUS authentication module suffers from an integer overflow vulnerability.
Alerts:
Debian DSA-659-1 2005-01-26

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

mailman: cross-site scripting

Package(s):mailman CVE #(s):CAN-2004-1177
Created:January 10, 2005 Updated:March 22, 2005
Description: Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.
Alerts:
Fedora FEDORA-2005-242 2005-03-22
Fedora FEDORA-2005-241 2005-03-22
Red Hat RHSA-2005:235-01 2005-03-21
Debian DSA-674-1 2005-02-10
Mandrake MDKSA-2005:015 2005-01-24
Gentoo 200501-29 2005-01-22
Ubuntu USN-59-1 2005-01-10

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg123: frame header buffer overflow

Package(s):mpg123 CVE #(s):CAN-2004-0991
Created:January 20, 2005 Updated:January 26, 2005
Description: mpg123 has a vulnerability in which a maliciously created file could cause a buffer overflow in the frame header parsing code, allowing arbitrary code to be executed with the permission of the user.
Alerts:
Mandrake MDKSA-2005:009 2005-01-19

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

mysql-dfsg: insecure temporary files

Package(s):mysql-dfsg CVE #(s):CAN-2005-0004
Created:January 18, 2005 Updated:March 25, 2005
Description: Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:2129 2005-03-24
Mandrake MDKSA-2005:036 2005-02-10
Gentoo 200501-33 2005-01-23
Debian DSA-647-1 2005-01-19
Ubuntu USN-63-1 2005-01-18

Comments (none posted)

nasm: Buffer overflow vulnerability

Package(s):nasm CVE #(s):CAN-2004-1287
Created:December 20, 2004 Updated:May 4, 2005
Description: Jonathan Rockway discovered that NASM-0.98.38 has an unprotected vsprintf() to an array in preproc.c. This code vulnerability may lead to a buffer overflow and potential execution of arbitrary code.
Alerts:
Red Hat RHSA-2005:381-01 2005-05-04
Fedora FEDORA-2005-322 2005-04-18
Mandrake MDKSA-2005:004 2005-01-06
Debian DSA-623-1 2004-01-04
Ubuntu USN-45-1 2004-12-22
Gentoo 200412-20 2004-12-20

Comments (4 posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

nfs-utils: denial of service

Package(s):nfs-utils CVE #(s):CAN-2004-1014
Created:December 1, 2004 Updated:May 15, 2005
Description: The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Alerts:
Fedora-Legacy FLSA:152871 2005-05-12
Red Hat RHSA-2004:583-01 2004-12-20
Gentoo 200412-08 2004-12-14
Trustix TSLSA-2004-0065 2004-01-09
Debian DSA-606-1 2004-12-08
Mandrake MDKSA-2004:146 2004-12-06
Ubuntu USN-36-1 2004-12-01

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CAN-2004-1018 CAN-2004-1019 CAN-2004-1020 CAN-2004-1063 CAN-2004-1064 CAN-2004-1065
Created:December 16, 2004 Updated:March 24, 2005
Description: PHP has an out of bounds memory write access vulnerability and an integer overflow/underflow problem. See the PHP 4.3.10 Release Announcement for details.
Alerts:
Ubuntu USN-99-2 2005-03-24
Ubuntu USN-99-1 2005-03-18
Fedora-Legacy FLSA:2344 2005-03-07
Red Hat RHSA-2005:032-01 2005-02-15
Red Hat RHSA-2005:031-01 2005-01-19
SuSE SUSE-SA:2005:002 2005-01-17
Conectiva CLA-2005:915 2005-01-13
Fedora FEDORA-2004-567 2004-12-21
Fedora FEDORA-2004-568 2004-12-21
Red Hat RHSA-2004:687-01 2004-12-21
Trustix TSLSA-2004-0066 2004-12-17
Gentoo 200412-14 2004-12-19
Mandrake MDKSA-2004:151 2004-12-17
Ubuntu USN-40-1 2004-12-16
OpenPKG OpenPKG-SA-2004.053 2004-12-16

ProZilla: Multiple vulnerabilities

Package(s):ProZilla CVE #(s):CAN-2004-1120
Created:November 23, 2004 Updated:February 1, 2005
Description: ProZilla contains several exploitable buffer overflows in the code handling the network protocols. A remote attacker could set up a malicious server and entice a user to retrieve files from that server using ProZilla. This could lead to the execution of arbitrary code with the rights of the user running ProZilla.
Alerts:
Debian DSA-663-1 2005-02-01
Gentoo 200411-31 2004-11-23

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

realplayer: integer overflow

Package(s):realplayer CVE #(s):
Created:January 24, 2005 Updated:January 26, 2005
Description: A flaw in the .rm RealMovie stream handling routines allows a remote attacker to exploit an integer overflow vulnerability using a special .rm file. This might allow a remote attacker to execute code as the user running RealPlayer.
Alerts:
SuSE SUSE-SA:2005:004 2005-01-24

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

ruby: infinite loop

Package(s):ruby CVE #(s):CAN-2004-0983
Created:November 8, 2004 Updated:May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up CPU cycles.
Alerts:
Fedora-Legacy FLSA:152768 2005-05-12
Red Hat RHSA-2004:635-01 2004-12-13
Gentoo 200411-23 2004-11-16
Fedora FEDORA-2004-403 2004-11-11
Fedora FEDORA-2004-402 2004-11-11
Ubuntu USN-20-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Debian DSA-586-1 2004-11-08

samba: integer overflow vulnerability

Package(s):samba CVE #(s):CAN-2004-1154
Created:December 16, 2004 Updated:July 19, 2005
Description: Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server.
Alerts:
Fedora-Legacy FLSA:152874 2005-07-15
Debian DSA-701-2 2005-04-21
Debian DSA-701-1 2005-03-31
Conectiva CLA-2005:913 2005-01-06
Red Hat RHSA-2005:020-01 2005-01-05
Mandrake MDKSA-2004:158 2004-12-27
SuSE SUSE-SA:2004:045 2004-12-22
Red Hat RHSA-2004:681-01 2004-12-21
Fedora FEDORA-2004-562 2004-12-20
Fedora FEDORA-2004-561 2004-12-20
Gentoo 200412-13 2004-12-17
Ubuntu USN-41-1 2004-12-17
OpenPKG OpenPKG-SA-2004.054 2004-12-17
Red Hat RHSA-2004:670-01 2004-12-16

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Squid: multiple vulnerabilities

Package(s):squid CVE #(s):CAN-2005-0094 CAN-2005-0095
Created:January 17, 2005 Updated:February 2, 2005
Description: Squid contains a vulnerability in the gopherToHTML function and incorrectly checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages. Furthermore, the NTLM code contains two errors. One is a memory leak in the fakeauth_auth helper and the other is a NULL pointer dereferencing error.
Alerts:
Gentoo 200502-04:02 2005-02-02
Fedora FEDORA-2005-106 2005-02-01
Fedora FEDORA-2005-105 2005-02-01
Conectiva CLA-2005:923 2005-01-26
Mandrake MDKSA-2005:014 2005-01-24
Ubuntu USN-67-1 2005-01-20
Debian DSA-651-1 2005-01-20
Gentoo 200501-25 2005-01-16

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

sudo: environment variable sanitizing

Package(s):sudo CVE #(s):CAN-2004-1051
Created:November 17, 2004 Updated:May 15, 2005
Description: Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Alerts:
Fedora-Legacy FLSA:152856 2005-05-12
OpenPKG OpenPKG-SA-2005.002 2005-01-17
Debian DSA-596-2 2004-11-24
Debian DSA-596-1 2004-11-24
Ubuntu USN-28-1 2004-11-17
Mandrake MDKSA-2004:133 2004-11-15

sword: missing input sanitizing

Package(s):sword CVE #(s):CAN-2005-0015
Created:January 20, 2005 Updated:January 26, 2005
Description: The CGI script diatheke from sword does not properly sanitize its input, allowing arbitrary commands to be executed through a specially crafted URL.
Alerts:
Debian DSA-650-1 2005-01-20

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

tiff: buffer overflows

Package(s):tiff CVE #(s):CAN-2004-0803
Created:October 13, 2004 Updated:April 12, 2005
Description: The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Red Hat RHSA-2005:021-01 2005-04-12
Conectiva CLA-2005:914 2005-01-06
Gentoo 200412-17 2004-12-19
Gentoo 200412-02 2004-12-05
Conectiva CLA-2004:888 2004-11-08
Slackware SSA:2004-305-02 2004-11-01
Red Hat RHSA-2004:577-01 2004-10-22
SuSE SUSE-SA:2004:038 2004-10-22
Mandrake MDKSA-2004:111 2004-10-21
Mandrake MDKSA-2004:109 2004-10-19
Debian DSA-567-1 2004-10-15
Fedora FEDORA-2004-334 2004-10-14
OpenPKG OpenPKG-SA-2004.043 2004-10-14
Gentoo 200410-11 2004-10-13

TikiWiki: arbitrary command execution

Package(s):TikiWiki CVE #(s):
Created:January 10, 2005 Updated:January 31, 2005
Description: TikiWiki lacks a check on uploaded images in the Wiki edit page. A malicious user could run arbitrary commands on the server by uploading and calling a PHP script.
Alerts:
Gentoo 200501-41 2005-01-30
Gentoo 200501-12 2005-01-10

unarj: buffer overflow vulnerability

Package(s):unarj CVE #(s):CAN-2004-0947
Created:November 11, 2004 Updated:February 2, 2005
Description: The unarj uncompression utility has a buffer overflow vulnerability from handling long file names in an archive. An attacker can cause unarj to crash or execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:2272 2005-02-01
Debian DSA-652-1 2005-01-21
Red Hat RHSA-2005:007-01 2005-01-12
Gentoo 200411-29 2004-11-19
Fedora FEDORA-2004-414 2004-11-11

vdr: insecure file access

Package(s):vdr CVE #(s):CAN-2005-0071
Created:January 25, 2005 Updated:January 31, 2005
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Team has discovered that the vdr daemon, which is used for video disk recorders for DVB cards, can overwrite arbitrary files.
Alerts:
Gentoo 200501-42 2005-01-30
Debian DSA-656-1 2005-01-25

vim: modeline problems

Package(s):vim CVE #(s):CAN-2004-1138
Created:December 15, 2004 Updated:February 24, 2005
Description: A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user.
Alerts:
Fedora-Legacy FLSA:2343 2005-02-23
Mandrake MDKSA-2005:003 2005-01-06
Ubuntu USN-52-1 2004-12-23
Red Hat RHSA-2005:010-01 2005-01-05
OpenPKG OpenPKG-SA-2004.052 2004-12-15
Gentoo 200412-10 2004-12-15

vim: symbolic link attack

Package(s):vim CVE #(s):CAN-2005-0069
Created:January 18, 2005 Updated:February 18, 2005
Description: Javier Fernández-Sanguino Peña noticed that the auxiliary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim).
Alerts:
Red Hat RHSA-2005:122-01 2005-02-18
Red Hat RHSA-2005:036-01 2005-02-15
Mandrake MDKSA-2005:029 2005-02-02
Ubuntu USN-61-1 2005-01-18

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2004-1125
Created:December 23, 2004 Updated:April 1, 2005
Description: xpdf has a potential buffer overflow problem caused by insufficient input validation. A specially crafted PDF file can allow an attacker to execute code with privileges of the xpdf user.
Alerts:
Red Hat RHSA-2005:354-01 2005-04-01
Red Hat RHSA-2005:018-01 2005-01-12
Gentoo 200501-17 2005-01-11
Gentoo 200501-13 2005-01-10
Fedora FEDORA-2004-585 2005-01-03
Fedora FEDORA-2004-584 2005-01-03
Debian DSA-621-1 2004-12-31
Mandrake MDKSA-2004:166 2004-12-29
Mandrake MDKSA-2004:165 2004-12-29
Mandrake MDKSA-2004:162 2004-12-29
Mandrake MDKSA-2004:164 2004-12-29
Mandrake MDKSA-2004:163 2004-12-29
Mandrake MDKSA-2004:161 2004-12-29
Debian DSA-619-1 2004-12-30
Gentoo 200412-25 2004-12-28
Gentoo 200412-24 2004-12-28
Fedora FEDORA-2004-575 2004-12-22
Fedora FEDORA-2004-574 2004-12-22
Fedora FEDORA-2004-573 2004-12-22
Fedora FEDORA-2004-572 2004-12-22
Ubuntu USN-50-1 2004-12-23
Ubuntu USN-48-1 2004-12-23

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

xpdf: integer overflows

Package(s):xpdf kpdf cupsys CVE #(s):CAN-2004-0888 CAN-2004-0889
Created:October 21, 2004 Updated:February 18, 2005
Description: Several xpdf integer overflow vulnerabilities can be exploited via a malformed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys, which share code. Additional information can be found in this KDE security advisory.
Alerts:
Fedora FEDORA-2005-138 2005-02-09
Fedora FEDORA-2005-137 2005-02-09
Fedora FEDORA-2005-133 2005-02-09
Fedora FEDORA-2005-134 2005-02-09
Fedora FEDORA-2005-136 2005-02-09
Fedora FEDORA-2005-135 2005-02-09
Fedora FEDORA-2005-123 2005-02-08
Fedora FEDORA-2005-122 2005-02-08
Debian DSA-599-1 2004-11-25
Gentoo 200411-30 2004-11-23
Conectiva CLA-2004:886 2004-11-08
Gentoo 200410-30:02 2004-10-28
Gentoo 200410-20:02 2004-10-21
Debian DSA-581-1 2004-11-02
Ubuntu USN-14-1 2004-11-01
Ubuntu USN-9-1 2004-10-27
Gentoo 200410-30 2004-10-28
Fedora FEDORA-2004-358 2004-10-28
Fedora FEDORA-2004-357 2004-10-28
Red Hat RHSA-2004:592-01 2004-10-27
Fedora FEDORA-2004-337 2004-10-26
SuSE SUSE-SA:2004:039 2004-10-26
Ubuntu USN-2-1 2004-10-22
Red Hat RHSA-2004:543-01 2004-10-22
Mandrake MDKSA-2004:115 2004-10-21
Mandrake MDKSA-2004:116 2004-10-21
Mandrake MDKSA-2004:114 2004-10-21
Mandrake MDKSA-2004:113 2004-10-21
Gentoo 200410-20 2004-10-21
Fedora FEDORA-2004-348 2004-10-21
Debian DSA-573-1 2004-10-21

xtrlock: buffer overflow

Package(s):xtrlock CVE #(s):CAN-2005-0079
Created:January 20, 2005 Updated:January 26, 2005
Description: xtrlock has a buffer overflow that can allow a local attacker to crash the lock program and take over a user's desktop session.
Alerts:
Debian DSA-649-1 2005-01-20

zhcon: privilege escalation

Package(s):zhcon CVE #(s):CAN-2005-0072
Created:January 24, 2005 Updated:January 26, 2005
Description: Erik Sjolund discovered that zhcon accesses a user-controlled configuration file with elevated privileges which could make it possible to read arbitrary files.
Alerts:
Debian DSA-655-1 2005-01-25
Mandrake MDKSA-2005:012 2005-01-24

zip: arbitrary code execution

Package(s):zip CVE #(s):CAN-2004-1010
Created:November 5, 2004 Updated:February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Fedora-Legacy FLSA:2255 2005-02-01
Debian DSA-624-1 2004-01-05
Red Hat RHSA-2004:634-01 2004-12-16
Mandrake MDKSA-2004:141 2004-11-25
Gentoo 200411-16 2004-11-09
Fedora FEDORA-2004-399 2004-11-08
Fedora FEDORA-2004-400 2004-11-08
Ubuntu USN-18-1 2004-11-05

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.11-rc2.

Linus's BitKeeper repository, which looks like it is heading for a 2.6.11-rc3 release before too long, contains an XFS update, a set of out-of-memory killer fixes, a generic transport class mechanism (which replaces the SCSI transport code), some architecture updates, the removal of bcopy(), a fix for writable module parameters in sysfs (it never actually worked before), and various fixes.

The current -mm release is 2.6.11-rc2-mm2. Recent changes to -mm include the unexporting of register_cpu() and unregister_cpu(), an InfiniBand update, a tool for tracking page-level memory leaks (see below), the addition of the unprivileged realtime scheduling rlimit code (covered here last week; this code replaces the SCHED_ISO patch), and a fair number of fixes.

The current 2.4 kernel remains 2.4.29; the 2.4.30 process has not yet begun.

Kernel development news

Quotes of the week

We argued that the owner of a Digital Audio Workstation should be free to lock up his CPU any time he wants. But, no one would listen. We were told that we didn't really know what we needed, and were asking the wrong question. That was very discouraging. It looked like LKML was going to ignore our needs for yet another year.
-- Jack O'Quin, finding the process long and frustrating.

The Linux acceptance process is not about "whose patch sucks least", but whether it hits a subsystem-specific bar of architectural requirements or not.... We'll rather live on with one less feature for another year than with a crappy feature that is twice as hard to get rid of!
-- Ingo Molnar explains that process.

Whoever's responsible, prepare to be flamed to a crisp the likes of which has never been witnessed before by observers of solar probes, nor conceived of by the most visionary and imaginative of eschatologists.
-- William Lee Irwin. I'd stand back if I were you.

NETIF_F_LLTX and race conditions

Network drivers must provide a function (hard_start_xmit()) for the networking layer to call whenever it decides the time has come to send out a packet. Normally, calls to hard_start_xmit() are serialized with a spinlock (xmit_lock) in the net_device structure. In this way, the networking subsystem guarantees that it will not attempt to send multiple packets simultaneously on the same interface.

This method works, but it is not quite ideal, especially for high-performance network adaptors. Most drivers already implement their own internal locking, rendering xmit_lock redundant. The xmit_lock can also cause a certain amount of cache line bouncing on SMP systems with a lot of networking traffic. To work around these problems, the NETIF_F_LLTX "feature" flag was added in 2.6.9. If a driver sets NETIF_F_LLTX on its interface, it is declaring that it performs its own locking, and its hard_start_xmit() function will be called without the xmit_lock held.

All seemed well for a while, but, back in December, Roland Dreier noticed a problem. When a network driver notices that an interface's transmit buffers are too full to accept any more packets, it calls netif_stop_queue() to inform the networking layer. Its hard_start_xmit() method should then not be called until the driver (with a call to netif_wake_queue()) indicates that new packets can, once again, be accepted. Network drivers thus can count on not being asked to transmit packets when they have stopped the queue.

Unless, as it turns out, they have set NETIF_F_LLTX. The lack of transmit locking in the networking layer itself leads to a situation where hard_start_xmit() can be called simultaneously on multiple processors; hard_start_xmit() is supposed to handle that situation with its own locking. But, if one hard_start_xmit() call fills the transmit buffer and stops the queue, the second call will proceed in a state it had not expected: it has a packet to transmit but no place to put it. In most cases, this race leads to a strange error message in the system logs. In a poorly-written driver, worse things could happen.

Roland's initial problem report included a patch which silenced the log message. The networking hackers did not like that solution, however; they feared that it could hide serious (unrelated) bugs. So they set out to come up with a better solution. The result was a lengthy patch which made some significant changes to how network driver locking works. Uses of xmit_lock were changed to disable interrupts, so that lock could be used in interrupt handlers as well. Drivers could then use xmit_lock (rather than their own lock) for internal locking. The NETIF_F_LLTX flag was redefined to indicate that the transmit routine was completely lockless, a condition which only applies to certain types of software device. The end result was most of the advantages of NETIF_F_LLTX but with the race condition solved. A version of this patch was merged as part of 2.6.11-rc2.

Unfortunately, there were some difficulties. The locking changes led to deadlocks in certain situations where the driver would try to grab a lock already held by the networking code which called it. Network drivers had to be careful not to do anything (such as spin_unlock_irq()) which would enable interrupts while xmit_lock was held. dev_kfree_skb() could no longer be called in any place where xmit_lock was held, since its use is not legal when interrupts are disabled. Overall, there were enough problems with this approach that the patch was backed out after the -rc2 release, and the developers started over.

The current approach, as proposed by David Miller, is to leave things as they are and silence the log message. The patch has been tweaked a bit since first proposed by Roland in December; it now tries to distinguish the NETIF_F_LLTX race from other (more serious) calls to hard_start_xmit() with the transmit buffer full. This is done by checking to see if the queue has been stopped; if so, it is a harmless race and transmission of the packet is silently deferred. If the queue is still running, however, then something has gone wrong somewhere. This change must be made in all drivers which use NETIF_F_LLTX - a relatively small set. It's a small change, but it is a change in the rules for network drivers and worth being aware of.
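
The check described above, replayed deterministically in user space as an added example (not code from the kernel or from any driver). `struct model_dev`, `RING_SIZE`, `stack_may_send()` and the `replay_*` functions are hypothetical names, and `TX_OK`/`TX_BUSY` stand in for the kernel's transmit return codes.

```c
#include <stdbool.h>
#include <stdio.h>

#define RING_SIZE 4

/* Stand-ins for the kernel's transmit return codes (assumption of this model). */
enum tx_result { TX_OK = 0, TX_BUSY = 1 };

/* Hypothetical driver state; a real driver keeps this in its private data. */
struct model_dev {
    bool queue_stopped;    /* what netif_stop_queue()/netif_wake_queue() toggle */
    unsigned ring_used;    /* transmit descriptors currently occupied */
    unsigned bug_reports;  /* "ring full while queue awake" errors logged */
    unsigned deferred;     /* packets silently handed back (benign race) */
};

/* Networking-layer check made before calling into the driver. */
static bool stack_may_send(const struct model_dev *dev)
{
    return !dev->queue_stopped;
}

/* Model of an LLTX driver's hard_start_xmit(). In a real driver the whole
 * body runs under the driver's own transmit lock. */
enum tx_result model_hard_start_xmit(struct model_dev *dev)
{
    if (dev->ring_used >= RING_SIZE) {
        if (!dev->queue_stopped) {
            /* Queue still running with no room left: a genuine bug, log it. */
            dev->queue_stopped = true;
            dev->bug_reports++;
            fprintf(stderr, "BUG: TX ring full while queue awake\n");
        } else {
            /* Queue already stopped: we lost the LLTX race, stay quiet. */
            dev->deferred++;
        }
        return TX_BUSY;              /* caller requeues the packet */
    }
    dev->ring_used++;
    if (dev->ring_used == RING_SIZE)
        dev->queue_stopped = true;   /* models netif_stop_queue() */
    return TX_OK;
}

/* LLTX interleaving: both CPUs pass the stack's check, then CPU0 takes the
 * last ring slot. Returns what CPU1's call gets back. */
enum tx_result replay_lltx_race(struct model_dev *dev)
{
    dev->ring_used = RING_SIZE - 1;
    dev->queue_stopped = false;
    bool cpu0_go = stack_may_send(dev);
    bool cpu1_go = stack_may_send(dev);  /* checked before CPU0 transmits */
    enum tx_result r = TX_OK;
    if (cpu0_go)
        model_hard_start_xmit(dev);
    if (cpu1_go)
        r = model_hard_start_xmit(dev);
    return r;
}

/* Same traffic with check and call serialized, as xmit_lock would do.
 * Returns how many times the driver was entered. */
unsigned replay_serialized(struct model_dev *dev)
{
    unsigned calls = 0;
    dev->ring_used = RING_SIZE - 1;
    dev->queue_stopped = false;
    for (int cpu = 0; cpu < 2; cpu++) {
        if (stack_may_send(dev)) {
            model_hard_start_xmit(dev);
            calls++;
        }
    }
    return calls;
}

/* A genuine bug: the ring is full but nothing ever stopped the queue. */
enum tx_result replay_accounting_bug(struct model_dev *dev)
{
    dev->ring_used = RING_SIZE;
    dev->queue_stopped = false;
    return model_hard_start_xmit(dev);
}

int main(void)
{
    struct model_dev race = {0}, serial = {0}, bug = {0};
    replay_lltx_race(&race);
    unsigned calls = replay_serialized(&serial);
    replay_accounting_bug(&bug);
    printf("LLTX race:  deferred=%u bug_reports=%u\n", race.deferred, race.bug_reports);
    printf("serialized: driver calls=%u deferred=%u\n", calls, serial.deferred);
    printf("accounting: deferred=%u bug_reports=%u\n", bug.deferred, bug.bug_reports);
    return 0;
}
```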

Yet another approach to memory fragmentation

A number of developers have taken a stab at the problem of memory fragmentation and the allocation of large, contiguous blocks of memory in the kernel. Approaches covered on this page recently include Marcelo Tosatti's active defragmentation patch and Nick Piggin's kswapd improvements. Now Mel Gorman has jumped into the fray with a different take on the problem.

At a very high level, the kernel organizes free pages as shown in the diagram below.

[cheesy memory diagram]

The system's physical memory is split into zones; on x86 systems, the zones include the small space reachable by ISA devices (ZONE_DMA), the regular memory zone (ZONE_NORMAL), and memory not directly accessible by the kernel (ZONE_HIGHMEM). NUMA systems divide things further by creating zones for each node. Within each node, memory is split into chunks and sorted depending on its "order" - the base-2 logarithm of the size of each block. For each order, there is a linked list of available blocks of that size. So, at the bottom of the array, the order-0 list contains individual pages; the order-1 list has pairs of pages, etc., up to the maximum order handled by the system. When a request for an allocation of a given order arrives, a block is taken off the appropriate list. If no blocks of that size are available, a larger block is split. When blocks are freed, the buddy allocator tries to coalesce them with neighboring blocks to recreate higher-order chunks.

In real-life Linux systems, over time, the larger blocks tend to get split up, to the point that larger allocations can become difficult. A look at /proc/buddyinfo on a running system will tend to show quite a few zero-order pages available (one hopes), but relatively few larger blocks. For this reason, high-order allocations have a high probability of failure on a system which has been up for a while.

Mel's approach is to split memory allocations into three types, as indicated by a new set of GFP_ flags which can be provided when memory is requested. Memory allocations marked by __GFP_USERRCLM are understood to be for user space, and to be easily reclaimable. In general, all that's required to reclaim a user-space page is to write it to backing store (if it has been modified). The __GFP_KERNRCLM flag marks reclaimable kernel memory, such as that obtained from slabs and used in caches which can, when needed, be dropped. Finally, allocations not otherwise marked are considered to not be reclaimable in any easy way.

Then, the buddy allocator's data structures are expanded to look something like this:

[The Gorman approach to buddy allocators]

When the allocator is initialized, and all that nice, virgin memory is still unfragmented, the free_area_global field points to a long list of maximally-sized blocks of memory. The three free_area arrays - one for each type of allocation - are initially empty. Each allocation request, when it arrives, will be satisfied from the associated free_area array if possible; otherwise, one of the MAX_ORDER blocks from free_area_global will be split up. The portion of that block which is not allocated will be placed in the array associated with the current memory allocation type.

When memory is freed and blocks are coalesced, they remain within the type-specific array until they reach the largest size, at which point they go back onto the global array.

One immediate benefit from this organization is that the pages which are hardest to get back - those in the "kernel non-reclaimable" category - are grouped together into their own blocks. A single pinned page can prevent the coalescing of a large block, so segregating the difficult kernel pages makes the management of the rest of memory easier. Beyond that, this organization makes it possible to perform active page freeing. If a high-order request cannot be satisfied, simply start with a smaller block and free up the neighboring pages. Active freeing is not yet implemented in Mel's current patch, however.

Even without the active component, this patch helps the kernel to satisfy large allocations. Mel gives results from a memory-thrashing test he ran; with a vanilla kernel, only three out of 160 attempted order-10 allocations were successful. With a patched kernel, instead, 81 attempts succeeded. So the new allocation technique and data structures do help the situation. What happens next remains to be seen, however; there seems to be a big hurdle to overcome when trying to get high-order allocation patches merged.

Comments (3 posted)

Useful gadget: /proc/page_owner

If you look far enough into the 2.6.11-rc2-mm2 announcement, you'll find a mention of a "page owner tracking leak detector" patch. The addition of this patch was almost certainly motivated by the series of memory leak problems which have afflicted the 2.6.11 prepatches. It is a heavy-handed tool, but, for some situations, it might make the problem of finding memory leaks far easier.

Essentially, this patch causes the kernel to keep track of the call chain that leads to the allocation of every page. This information is made available via /proc/page_owner; it looks something like this:

Page allocated via order 0
[0xc0146f01] kmem_getpages+49
[0xc014846d] cache_grow+173
[0xc0148aac] cache_alloc_refill+460
[0xc0118a8f] copy_files+431
[0xc0148ff5] kmem_cache_alloc+149
[0xc011986b] copy_process+3051
[0xc01199d1] fork_idle+65
[0xc041824a] do_boot_cpu+42

Your editor's 256MB sacrificial kernel box has, after a short period of run time, over 13,000 such entries. So plowing through the raw data is probably not what most people want to do. To help out, a small program (page_owner.c) has been put into the Documentation directory (though one might argue that it should be in scripts instead). This program boils down the contents of /proc/page_owner to something which looks like this:

856 times:
Page allocated via order 0
[0xc0146572] __do_page_cache_readahead+290
[0xc0146a70] max_sane_readahead+48
[0xc0140166] filemap_nopage+790
[0xc013fe50] filemap_nopage+0
[0xc0150861] do_no_page+193
[0xc0150cc6] handle_mm_fault+246
[0xc01126cc] do_page_fault+492
[0xc0151b3c] remove_vm_struct+140

839 times:
Page allocated via order 0
[0xc0146572] __do_page_cache_readahead+290
[0xc0146a70] max_sane_readahead+48
[0xc0140166] filemap_nopage+790
[0xc013fe50] filemap_nopage+0
[0xc0150861] do_no_page+193
[0xc0150cc6] handle_mm_fault+246
[0xc01126cc] do_page_fault+492
[0xc013c207] ltt_log_event+71

With this output, finding the source of a major memory leak should be relatively straightforward. It's worth noting that this program fails if told to read directly from /proc/page_owner (it does a stat() to determine the size of its input), so you must copy the data to a regular file first. This patch is also a major memory consumer in its own right, since it must store the call chain information for every allocated page. It's thus not something most people would put onto a production system - or even on most development systems. But it can be a useful thing to have around when a page-level memory leak bites.
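An added example, not the page_owner.c from the Documentation directory: a small summarizer for the record format shown above that reads its input to end-of-file instead of sizing it with stat(), so it can be fed from a pipe. The `depth` argument (an assumption of this sketch) compares only the first few lines of each record, so call chains that differ only in their trailing frames, as the two summarized entries above do, are counted together. `SAMPLE` is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rec { const char *text; size_t klen; unsigned count; };

/* Constructed sample in the /proc/page_owner format. */
static const char SAMPLE[] =
    "Page allocated via order 0\n"
    "[0xc0146572] __do_page_cache_readahead+290\n"
    "[0xc0151b3c] remove_vm_struct+140\n"
    "\n"
    "Page allocated via order 0\n"
    "[0xc0146f01] kmem_getpages+49\n"
    "[0xc014846d] cache_grow+173\n"
    "\n"
    "Page allocated via order 0\n"
    "[0xc0146572] __do_page_cache_readahead+290\n"
    "[0xc013c207] ltt_log_event+71\n"
    "\n"
    "Page allocated via order 0\n"
    "[0xc0146572] __do_page_cache_readahead+290\n"
    "[0xc0151b3c] remove_vm_struct+140\n";

/* Length of the first max_lines lines of a record (whole record if <= 0). */
static size_t key_len(const char *p, size_t len, int max_lines)
{
    if (max_lines <= 0)
        return len;
    for (size_t i = 0; i < len; i++)
        if (p[i] == '\n' && --max_lines == 0)
            return i;
    return len;
}

static int by_count_desc(const void *a, const void *b)
{
    const struct rec *x = a, *y = b;
    return (x->count < y->count) - (x->count > y->count);
}

/* Split text into blank-line-separated records, count those whose first
 * `depth` lines match, sort by count; returns the number of distinct keys. */
size_t tally(const char *text, struct rec *recs, size_t max, int depth)
{
    size_t n = 0;
    const char *p = text;

    while (*p) {
        while (*p == '\n')               /* skip record separators */
            p++;
        if (!*p)
            break;
        const char *end = strstr(p, "\n\n");
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len && p[len - 1] == '\n') /* last record may end in a newline */
            len--;
        size_t klen = key_len(p, len, depth), i;
        for (i = 0; i < n; i++)          /* linear search keeps the sketch short */
            if (recs[i].klen == klen && !memcmp(recs[i].text, p, klen))
                break;
        if (i < n)
            recs[i].count++;
        else if (n < max)
            recs[n++] = (struct rec){ p, klen, 1 };
        p += len;
    }
    qsort(recs, n, sizeof *recs, by_count_desc);
    return n;
}

int main(int argc, char **argv)
{
    static struct rec recs[4096];
    int depth = argc > 1 ? atoi(argv[1]) : 0;
    size_t cap = 1 << 16, used = 0, got;
    char *buf = malloc(cap);

    /* Read until EOF rather than trusting a size obtained from stat(). */
    while (buf && (got = fread(buf + used, 1, cap - used - 1, stdin)) > 0) {
        used += got;
        if (used + 1 == cap)
            buf = realloc(buf, cap *= 2);
    }
    if (!buf)
        return 1;
    buf[used] = '\0';

    /* With empty input, fall back to the constructed sample. */
    size_t n = tally(used ? buf : SAMPLE, recs, 4096, depth);
    for (size_t i = 0; i < n; i++)
        printf("%u times:\n%.*s\n\n", recs[i].count,
               (int)recs[i].klen, recs[i].text);
    free(buf);
    return 0;
}
```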

Comments (none posted)

Patches and updates

Core kernel code

  • Shailabh Nagar: ckrm-e17. (January 28, 2005)

Device drivers

  • Dave Airlie: drm tree. (February 1, 2005)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Arch Linux for Power Users

February 2, 2005

This article was contributed by Ladislav Bodnar

Since its humble beginnings in early 2002 Arch Linux has been growing in popularity, occasionally even winning over users of more popular power distributions, such as Slackware or Gentoo. What are the reasons behind its success? We installed the recently released Arch Linux 0.7 on a Pentium 4 test machine to find out.

The first point where Arch Linux is ahead of both Slackware and Gentoo is the system installer. Although similar to Slackware's own installer in that it is a curses-based, menu-driven installation program with several sub-screens for fine tuning of various installation options, we were pleasantly surprised by the number of choices the installer provided. As an example, it let us choose a preferred kernel (2.4 or 2.6), X window system (XFree86 or X.Org), boot loader (GRUB or LILO), text editor (nano or vim), and it even went as far as to provide an option to compile a custom kernel prior to completing the installation. For configuring the basic system, we were dropped right into well commented configuration files in /etc/ to make any changes (e.g. to enable networking with DHCP). The availability of choice was what made an excellent first impression; contrast that to the Slackware installer where the only available bootloader is LILO, or to Gentoo, which forces you to edit text files in nano (at least until you get to the point where you can install alternative text editors).

The recommended way of installing Arch Linux is to select a base system only for initial installation, configure it, then reboot. Additional packages can be installed later - either from the installation CD (note, however, that in terms of desktop environments, the Arch Linux installation CD only provides IceWM, WindowMaker and XFce, but no GNOME or KDE), or over the network. The tool to install packages on Arch Linux is called "pacman", written in C++.

After spending some time perusing the fairly comprehensive Arch Linux Installation Guide, we concluded that pacman, in its basic form, resembles Debian's apt-get in more than one way. With a simple 'pacman -Sy' (equivalent to 'apt-get update') we retrieved the current list of available packages from the master repository, then proceeded with installation of X.Org, followed by KDE and GNOME. If the '-S' switch (short for '--sync') is specified, pacman is capable of resolving any dependencies required by the given package(s). Therefore a simple command like 'pacman -S xorg kde gnome' was all that was needed to turn a very basic Arch Linux system into a powerful workstation with both KDE and GNOME.

Next, we went on to create an xorg.conf file with 'X -configure', then updated the ~/.xinitrc file to start KDE instead of the default WindowMaker, before we found ourselves in a pristine KDE desktop. Unlike Slackware or Gentoo, Arch Linux does include some branding on the KDE splash screen and on the default wallpaper, but the KDE theme, menu items and desktop icons are left in their default states. We noticed the absence of Firefox, so we fired up a terminal and went back to pacman (there is no graphical edition of the package installation tool). Here we used pacman's search capabilities to locate available files with commands like 'pacman -Ss firefox', then installed the packages that we wanted. Besides the usual open source software applications, we also noticed the availability of some non-free packages, such as MS TrueType fonts, NVIDIA driver, Opera and Acrobat Reader. Altogether, there are over 1,800 binary packages available in the current and extra directories on Arch Linux mirrors.

Those of you who read the Ubuntu Hoary story last week will recall our disappointment on not being able to install the beta version of OpenOffice.org 2.0. Luckily, we found this package (version 1.9.74) in the Arch's unstable directory, so we invoked pacman one more time to take a look at this preview of the much anticipated release. It installed and downloaded as expected and we were soon greeted with the OpenOffice.org 2.0 splash screen. At first glance, there are no visible changes in the user interface, but this list of new features leaves little doubt about the extent of the improvements in the open source office suite. We found the package very stable, although not much speedier than the 1.1 series. The developers of Arch Linux tend to provide other experimental packages for interested users - besides OpenOffice.org 2.0, Arch binary packages of the first beta of KDE 3.4 are now also available in a third-party repository.

Comparing this distribution to Gentoo, there is another aspect of Arch Linux that will appeal to power users - the Arch Build System (ABS). ABS was designed to fulfill a role of building Arch binary packages from source code with relative ease - either for packages that do not exist in the official Arch repositories, or to rebuild packages with custom options. This is done by modifying a pre-built template in /var/abs/PKGBUILD.proto, then executing the 'makepkg' command to build an Arch Linux binary package. The resulting file can be installed with pacman. Unlike Gentoo, however, there is no easy way to rebuild the entire system or to optimize it for the processor at hand, and currently there are no plans to support architectures other than the i686.

Arch Linux is a clean, powerful distribution. Apart from the two package management utilities of pacman and pkgbuild, the developers have resisted any temptation to implement package customizations or add new utilities. As such, the system requires a fair amount of post-install tweaking to bring it to a usable level. Security updates are handled in a style of FreeBSD's ports of constantly updating packages to their latest versions. This may occasionally break the system, but problems are usually fixed in a reasonably short time. One area where Arch Linux trails behind Gentoo is documentation; except for the two man pages for pacman and pkgbuild, the installation manual and a sparse wiki, there is little else to guide novice users to configure their Arch Linux system. On the other hand, the distribution has active user forums and mailing lists, as well as several international community sites in German, Italian and Polish.

Next time you find yourself at home during a rainy weekend, give Arch Linux a try - it is one of the more interesting and powerful dark horses among Linux distributions.

Comments (5 posted)

Distribution News

Ubuntu Linux

Ubuntu has announced the creation of Local Community Teams (LoCo Teams), to promote the use, adoption, and localization of Ubuntu.

The Ubuntu development team has reached its first milestone in the production of the Live CD version of the upcoming release of Ubuntu codenamed "Hoary Hedgehog." This edition features a completely redesigned system for creating Live CDs. "While some people have tried rough previews, this is the first proper milestone for the live CD version. Anyone, especially folks who are using our previous release (4.10 "Warty Warthog"), are encouraged to try this out."

Ubuntu has issued a call for help for a new kernel team. "The Linux kernel in Ubuntu has, up until this point, been primarily maintained by a series of different individuals. As Ubuntu takes on more architectures and more users, it *needs* a solid team to help maintain this essential piece of infrastructure. Ubuntu will not be able to do this without the community's support."

Comments (none posted)

Fedora Extras available for download

The Fedora Project has announced, with apologies for the delay, that the Fedora Extras repository is now available with over 500 packages. Click below for the details.

Full Story (comments: 13)

Debian GNU/Linux

The debconf5 organization team has declared that registrations for the sixth annual Debian Conference are now open.

Another Bug Squashing Party has been proposed for February 4 - 6, 2005.

Comments (none posted)

LBA Reveals Plans For Next Linux Release

SOT Finnish Engineering Ltd has revealed plans for the next version of the Linux Business Alliance's flagship product, LBA-Linux R3. The upcoming release will include new features that focus on security and improved usability. Click below for more information.

Full Story (comments: none)

LACommunity goes gentoo...

Gentoo users looking for audio applications may be interested in Arnold Krille's gentoo-portage overlay. "Today I decided to make my little but constant gentoo-portage overlay available for the public. It contains only some apps not already in portage. Currently available are aeolus-0.3.1 with aeolus-stops-0.1.1, fmit-0.9.[89], museseq-0.7.0, tuneroid-0.9.4 and (not a linux-audio-app) ktechlab-0.1.2." Click below for more information.

Full Story (comments: none)

LNA: Linux Netwosix Virtual World Community

The first Linux Netwosix Virtual World Community is born! All Netwosix users are invited to join the community. "If you have a problem with Netwosix or you just want to talk about Linux, if you want to improve our work or if you just want to help us to grow up, join the first Linux Netwosix Virtual Community at: http://www.netwosix.org/community". Click below for additional details.

Full Story (comments: none)

The Live CD List

Looking for a Live CD? The Live CD List provides a comprehensive, easy-to-search list of Linux-based Live CDs.
Quick instructions:
*click a name to be taken to the project homepage
*click a header to sort
*click a Primary Function to show only Live CDs with that Primary Function

Comments (none posted)

Announcing The Slackware Handbook Project (MadPenguin)

MadPenguin has announced the Slackware Handbook Project. "The Slackware Handbook is a project co-ordinated and hosted by Mad Penguin in an effort to keep Slackware documentation as up-to-date as possible. This is accomplished by creating a format in which the entire Slackware community can take part in the process by being capable of adding/editing content as they see fit. All of this content is also moderated by peer review system, keeping it as accurate as possible."

Comments (none posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for February 1, 2005 looks at DebConf registration, Debian installation in expert mode, Debian at FOSDEM, dealing with missing dependencies, library packaging guideline, the transition of MySQL related packages, how to upgrade Woody to Sarge, the new 2005 Debian archive key, and several other topics.

Full Story (comments: none)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of January 31, 2005 is out. Topics in this edition include Trusted Gentoo, a request for EM64T developers, the release of a Gentoo/PPC GameCD, and more.

Full Story (comments: none)

Ubuntu Traffic

Two new issues of Ubuntu Traffic, a newsletter summarizing the goings-on in the Ubuntu community, are out. The Ubuntu Traffic #18 covers the week after the conference in Mataró. Ubuntu Traffic #19 covers the last week of 2004.

Comments (none posted)

DistroWatch Weekly, Issue 85

Here's the DistroWatch Weekly for January 31, 2005. "Welcome to this year's 5th issue of DistroWatch Weekly! In this issue we will bring you a couple of resources that can help with building a custom live CD, introduce the Debian Volatile project, and present Xandros Desktop OS 3 as our featured distribution of the week. Happy reading!"

Comments (none posted)

Package updates

Fedora Core updates

FC3: selinux-policy-targeted-1.17.30-2.73 (allow dhcpd to read random devices), procps-3.2.3-5.1 (add support for /proc/slabinfo 2.1), system-config-kickstart-2.5.19-1.fc3 (bug fixes and improvements), elinks-0.9.2-2.1 (bug fixes prevents crashes), NetworkManager-0.3.3-1.cvs20050119.2.fc3 (bug fixes), gaim-1.1.2-0.FC3 (corrects update id), openssl096b-0.9.6b-21 (adds missing fix for CAN-2004-0081), curl-7.12.3-2 (upgrade to 7.12.3), system-config-printer-0.6.116.1-1 (bug fixes), ruby-1.8.2-1.FC3.1 (backported changes from devel), rhgb-0.16.2-1.FC3 (fixes various errors), file-4.12-1.FC3.1 (upgrade and bug fixes), net-tools-1.60-37.FC3.1 (bug fixes), gimp-2.2.3-0.fc3.2 (make desktop icon theme-able), system-config-services-0.8.18-0.fc3.1 (fix off-by-one bug), mc-4.6.1-0.12.FC3 (upgrade to mc-4.6.1-pre3 and many bug fixes), dump-0.4b39-1.FC3 (fixes for unintentional writes to target partition and other bug fixes), selinux-policy-targeted-1.17.30-2.75 (contains the SELinux example policy configuration), policycoreutils-1.18.1-2.6 (merge upstream changes), dbus-0.22-10.FC3.2 (fix for CAN-2005-0201).

FC2: procps (add support for /proc/slabinfo 2.1), elinks-0.9.1-1.1 (bug fixes prevents crashes), zlib-1.2.1.2-0.fc2 (fixes 2 DoS issues), gaim-1.1.2-0.FC2 (corrects update id), openssl096b-0.9.6b-20 (adds missing fix for CAN-2004-0081), dump-0.4b39-1.FC2 (fixes related to possible data corruption, other bug fixes).

Comments (none posted)

Mandrakelinux updates

Mandrakelinux 10.1 updates: kde (bug fixes), kdebase (fix a problem with the previous update)

Mandrakelinux 10.0, 10.1, Corporate Server 3.0 updates: nut (fixes a bug in the upsd initscript), mdkonline (fixes a permissions flaw), clamav (upgrade to clamav 0.81)

Comments (none posted)

Slackware updates

Slackware has gotten many updates, upgrades and fixes in slackware-current this week. Click below for this week's slice of the changelog.

Full Story (comments: none)

Distribution reviews

A Week in the Life of an Arch Linux Newbie (OSNews)

OS News has published a review of ArchLinux. "ArchLinux quotes itself as being "an i686-optimized linux distribution targeted at competent linux users." Part of its philosophy is that by not providing you with lots of configuration utilities, you are forced to "learn the ropes" and you will benefit from the additional knowledge acquired. A sensible approach you may think, and is fine for experienced and/or fearless techies. You know that this isn't going to be the distro to recommend to your mother! But, I wouldn't say ArchLinux is elitist as some readers may fear. Sure, you will be frowned upon (to put it mildly) if you ask questions in the forums that are blatantly answered in the main documentation. However, expecting users to actually edit the appropriate config files manually isn't a bad thing in my opinion."

Comments (none posted)

Ubuntu Linux--Would You Like Some Community With That? (LinuxPlanet)

LinuxPlanet reviews Ubuntu Linux. "This review discusses both Ubuntu 4.10 (AKA "Warty Warthog") and the upcoming 5.04 (AKA "Hoary Hedgehog") release, the latter of which is currently only available in live CD form as a preview but is slated for full release in April 2005 (hence the numbering convention--2005, fourth month). I'd suggest losing the cutesy names, but no one is asking me. Both of these are available and actively supported on the x86, AMD64, and G4 and G5 PowerPC platforms."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Open Clip Art Library

The Open Clip Art Library is "An Online Massive Open Source 2d Graphics Repository", according to the project FAQ. The project was started in early 2004; it now boasts over 3,000 images. The goal of the project is simple and clear:

This project aims to create an archive of clip art that can be used for free for any use. All graphics submitted to the project should be placed into the Public Domain according to the statement by the Creative Commons.

Version 0.10 of the library was just released:

We have packaged up this month's release and our package size has gone up from a 20M package to 23M. We now have 3207 images that pass our Library tests and have the proper meta-data embedded. It's pretty amazing!

Images are stored as SVG (Scalable Vector Graphics) and PNG (Portable Network Graphics) files in a multi-level directory tree. To get an idea of the available images, the library's top level directories include:

animals,    buildings,   computer,   decorations,  education
food,       geography,   logos,      office,       people,
plants,     recreation,  shapes,     signs_and_symbols,
special,    transportation,          unsorted

See the online clip art browser for examples.

New clip art images may be created with applications such as Inkscape and Sodipodi; typical office users can then import the images into OpenOffice.org, KWord, and AbiWord, or any other application that supports the SVG or PNG formats.

The project releases are being synchronized with timely events: "Our community focused on submitting Valentines Day clip art to help everyone with the upcoming holiday. For the month of February we are trying to collect images related to 'black history month'." The project roadmap gives a good indication of where the work is being focused for future releases.

The complete version 0.10 library is available for download here (23 MB). Also, a set of Perl language tools (zip file) is available for working with the clip art archive.

If you need a selection of images for creating web pages, holiday cards, or presentations, the Open Clip Art Library is the first place to look. If you have an artistic ability, the project could surely make use of your contributions.

Comments (3 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include a cleanup of the Fedora Core repository, new kernels, and new versions of ALSA and the CMT LADSPA Plugins.

Comments (none posted)

Database Software

PostgreSQL Weekly News

The January 28, 2005 edition of the PostgreSQL Weekly News is out with a collection of the latest PostgreSQL database articles.

Full Story (comments: 1)

Interoperability

Samba 3.0.11rc1 Available for Download

Version 3.0.11rc1 of Samba has been announced. "This is a release candidate of the Samba 3.0.11 code base and is provided for testing only. While close to the final stable release, this snapshot is *not* intended for production servers. If all goes well, this version will become the final 3.0.11 stable release (with possible minor changes)."

Full Story (comments: none)

Libraries

ObjectHandler 0.1.0 released (SourceForge)

Version 0.1.0 of ObjectHandler, part of the QuantLib library for quantitative finance, has been announced. Here is the change explanation: "QuantLib (or any generic C++ library) integration into spreadsheets and other end user tools requires a standalone ObjectHandler component, a repository allowing objects to be stored, shared, updated, interrogated, and destroyed."

Comments (none posted)

Networking Tools

Release of iptables-1.3.0rc1

Release 1.3.0rc1 of iptables, a packet filtering framework, is available. "1.3.0rc1 is the first release candidate of the iptables-1.3.x branch, featuring a libiptc rewrite for major performance improvements at rule loading time. Apart from that, a surprisingly big number of small bug fixes have accumulated since the 1.2.11 release in June 2004."

Full Story (comments: none)

SSL-Explorer v0.1.7 released! (SourceForge)

Version 0.1.7 of SSL-Explorer, an open-source SSL VPN solution, has been announced. "This release includes many new features, the most important of which being the automatic installation of Java applications from our online application store as well as client-side native application execution. Also HTML-based application content may now be launched in a similar manner to provide support for Java Applets and ActiveX controls through the VPN."

Comments (none posted)

Desktop Applications

Audio Applications

Aqualung 0.9beta4 released

Version 0.9beta4 of Aqualung, a music player with gapless track changes, is available. "This new release adds many new features, including file metadata (FLAC/Vorbis/ID3) display & importing, volume calculation and playback RVA (relative volume adjustment) support."

Full Story (comments: none)

ccAudio2 Version 0.2.1 (beta) released

Beta version 0.2.1 of ccAudio2 has been announced. "'ccaudio2' is a simple, highly portable, stand-alone, C++-based framework for manipulation of audio data. It is meant to be a C++ framework that is as useful as "audiofile" or "sndfile" is for C programming, and to cover various generic and useful manipulations of audio data as well as audio file access. The package includes a stand-alone audio processing command line tool to demonstrate library functionality." See the Change Log for a description of changes in this version.

Comments (none posted)

QjackCtl 0.2.14 released!

Version 0.2.14 of QjackCtl, a Qt application for controlling the JACK sound server daemon, has been released. "No big features, only a bunch of optimizations and cleanups."

Full Story (comments: none)

jack_convolve 0.0.4 announced

Version 0.0.4 of jack_convolve, a convolution engine for jackd, has been announced. Here are the change notes: "new version. the executable is called jack_convolve again. I added libsamplerate support and support for multiple response files."

Full Story (comments: none)

CAD

Twenty-second release of PythonCAD now available

Release 22 of PythonCAD is available. "The twenty-second release contains primarily internal code enhancements in regards to the Python language. PythonCAD running under PyGTK releases after the 2.4.0 release will now utilize the gtk.ComboBox and the gtk.ColorButton widgets, while PythonCAD running under older releases will still utilize the same widgets as before. This change removes the DeprecationWarning users with the newer PyGTK release would see. A problem where restoring a deleted TextBlock entity was fixed, and a variety of other fixes and improvements are also included in this release."

Full Story (comments: none)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced in the last week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced in the last week:

Comments (none posted)

KDE CVS-Digest (KDE.News)

The January 28, 2005 edition of the KDE CVS-Digest is online. Here's the content summary: "Digikam adds an image border tool. Kopete oscar_rewrite merged into HEAD. Plus many bugfixes and improvements in Quanta and Kopete."

Comments (none posted)

Electronics

gEDA News

The latest releases from the gEDA project include new versions of PCB and gnucap.

Comments (none posted)

Games

Eris 1.3.3 Released

Version 1.3.3 of Eris, a client-side session layer for the WorldForge game project, has been released. "This is the third unstable release of the current development work that will become Eris 1.4, and is being made to coincide with the release of Ember. Minor API changes have taken place since the previous release, related to how Eris::Connection reports time-outs (they are now handled by the existing Failure signal). Various crashes related to time-outs and the meta-server query code have been resolved."

Comments (none posted)

GUI Packages

Linux GUI Testing tool - release 0.1.0

Initial release 0.1.0 of the Linux GUI Testing tool is out. "This is the first release of a testing framework for GNOME, Open Office, Firefox, and QT4 (though at this point only tested against GNOME.) Ideally it'll allow for regular automated testing of complete desktops, just like LTP allows the kernel to do. The main development so far has been done by a Novell group in bangalore, but they'd love to have more involvement from outside."

Full Story (comments: 1)

FLTK News

The latest news from the FLTK project (Fast, Light ToolKit) includes the release of version 1.0 of the FLTK training videos, fldiff 0.3, and a home site update.

Comments (none posted)

Interoperability

Wine Traffic

The January 28, 2005 edition of Wine Traffic is available with all of the latest Wine project discussions.

Comments (none posted)

Medical Applications

Future of FreeB (LinuxMedNews)

Fred Trotter posted an article on LinuxMedNews concerning the future of the FreeB medical billing system. "Yesterday I spent several hours talking to David Uhlman about a new approach to medical billing. As a result of this discussion I have decided to hand over the reins of FreeB development to him and his new company, Uversa. For a good few of you, that is really all you will care to know about this issue. FreeB development will continue, and its main goals, to be a separate biller useful to several projects will continue. Some of you will be curious as to why... so that rather lengthy technical monologue follows."

Comments (none posted)

Music Applications

liblo 0.16 announced

Version 0.16 of liblo, the Lite OSC library, is available with bug fixes. "Liblo, the Lite OSC library, is an implementation of the Open Sound Control [1] protocol for POSIX systems. It is written in ANSI C and released under the GNU General Public Licence. It is designed to make developing OSC applications as easy as possible."

Full Story (comments: none)

MIDI to CSV Utilities 1.0

Version 1.0 of the MIDI to CSV (comma separated values) Utilities has been announced. "Not a long time ago, somebody asked in Linux-audio-users mailing list for a commandline utility allowing MIDI to text conversion. I'm proud to introduce you a set of tools from John Walker, who wrote and released it into the public domain."

Full Story (comments: none)

Office Suites

ooo-build 1.3.8 Announced

Build 1.3.8 of OpenOffice.org has been announced. This version adds several new features, GCC 3.4 support, and lots of bug fixes.

Full Story (comments: none)

OpenOffice.org Newsletter - Volume 02 - Issue 7 - 01/2005

The January, 2005 edition of the OpenOffice.org Newsletter is online with a number of new articles.

Full Story (comments: none)

Hacking Open Office (O'Reilly)

Peter Sefton works with OpenOffice.org internals on O'Reilly. "In this article, I'm going to explore some of the ways that OpenOffice.org's Writer application (I'm using version 1.1.2 on Linux and 1.1.3 on Windows XP) is open to customization and configuration. I'll walk through some of the techniques I used to set up the first templates I built with the application in my quest for an interoperable, XHTML-ready system of templates and styles which will work across Microsoft Word and Writer."

Comments (none posted)

Video Applications

gephex 0.4.2 released

Version 0.4.2 of gephex, a real-time video effects platform, is available. "0.4.2 is a bugfix and stabilization release of the 0.4 branch. It also introduces minor feature enhancements."

Full Story (comments: none)

Web Browsers

Updated Schedule for Mozilla Firefox 1.1 (MozillaZine)

MozillaZine covers the latest release schedule for version 1.1 of the Firefox browser. "The final version of 1.1, previously scheduled for March, will now be released a little later than originally planned (an exact date isn't given). In addition, there will be a series of test builds issued before 1.1 final: a Developer Preview, a Preview Release and one or more release candidates. Mozilla Firefox 1.1 isn't expected to contain any major new features but will include updated versions of core components such as Gecko, which has received many improvements over the last few months."

Comments (20 posted)

Firefox Roadmap Update (MozillaZine)

MozillaZine covers the latest Firefox 2.0 Roadmap. "The update calls for a Developer Preview (Alpha) in March, a Preview Release (Beta) in April and Firefox 1.1 final release in June 2005."

Comments (none posted)

Pyphany: Epiphany Python Bindings (GnomeDesktop)

GnomeDesktop looks at the Pyphany project. "Yesterday marks the first Pyphany release. Pyphany is a set of Python bindings for Epiphany and a Python extension loader for Epiphany. You can use Pyphany to write Python extensions for the Epiphany web browser."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The Caml Weekly News for January 25 - February 1, 2005 is out with the latest Caml language articles.

Full Story (comments: none)

HTML

Nvu 0.80 Released (MozillaZine)

Version 0.80 of the Nvu web authoring system has been announced. "Also known as Nvu 1.0 Beta pre-Release 3, this latest version has experimental XHTML support, line numbers in the HTML Source view, support for editing PHP code and HTML comments and fixes for many bugs."

Comments (none posted)

Java

Internals of Java Class Loading (O'ReillyNet)

Binildas Christudas discusses Java class loading issues on O'Reilly. "When are two classes not the same? When they're loaded by different class loaders. This is just one of many curious side effects of Java's class-loading system. Binildas Christudas shows how different class loaders relate to one another and how (and why) to build your own custom class loader."

Comments (none posted)

Advanced Synth (IBM developerWorks)

Michael Abernethy looks at Synth on IBM developerWorks. "Take an in-depth look at the Synth look and feel, the newest addition to Swing introduced in Java 5.0. Synth lets developers rapidly create and deploy custom looks for an application by introducing the concept of a "skin" to Java UI programming. Software Engineer Michael Abernethy takes you through Synth concepts step-by-step to build an application with a Synth look from scratch. After reading this article, you should be able to create professional-looking UIs in no time."

Comments (none posted)

An Introduction to Service-Oriented Architecture from a Java Developer Perspective

Debu Panda works with SOA architecture applications under Java on O'Reilly. "The use of heterogeneous technologies and applications in corporations is a reality. At a time when resources are scarce, IT shops cannot just throw away their existing applications; rather, they must leverage their existing investments. Service-oriented architecture (SOA) is popular because it lets you reuse applications and it promises interoperability between heterogeneous applications and technologies. In this article, I will introduce SOA from a Java developer perspective and examine the technologies available in the Java space to build service-oriented applications."

Comments (none posted)

Lisp

CL-PPCRE 1.2.1 released

Version 1.2.1 of CL-PPCRE, a Perl-compatible, fast, portable regular expression library written in Common Lisp, is out. "These versions provide a cleaned-up build procedure, performance improvements, better Allegro CL compatibility, and a few bug fixes."

Full Story (comments: none)

SBCL 0.8.19 released

Version 0.8.19 of Steel Bank Common Lisp has been released. "This version features improvements to foreign library loading, debugging and profiling. SBCL has also been ported to native 64-bit mode on x86-64/Linux."

Full Story (comments: none)

PHP

Active Calendar 1.0.1 Released

Stable version 1.0.1 of Active Calendar, a PHP class that generates calendars as HTML tables, has been announced. "It generates calendars for 1971-2037 and can produce static calendars without any links or calendars with navigation controls, a date picker control, and linked days. Users configure the layout through CSS; JavaScript is not required."

Comments (none posted)

IBT PHP Library Release 0.9.2 Stable (SourceForge)

Stable release 0.9.2 of the IBT PHP Library, a shell of high-level PHP functionality that encases PHP content and logic, has been announced. "The 0.9.2 release of the IPL is our second release. It has been thoroughly tested and is stable. This release comes earlier than expected and has, so far, outperformed expectations. 0.9.2 holds many exciting new features such as an entire workflow engine, the ability to create action scripts, a workflow class for building custom workflow engines, a new email class to ease the tasks involved in sending email, and some added header and data manipulation functions."

Comments (none posted)

Programming eBay Web Services with PHP 5 and Services_Ebay (O'Reilly)

Adam Trachtenberg uses PHP to work with eBay web services on O'Reilly. "By using eBay's web services APIs, members of the eBay Developers Program can hook into the eBay platform using XML to integrate eBay into their own applications."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The January 28, 2005 edition of Dr. Dobb's Python-URL! is online with another week's collection of Python articles and resources.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The February 1, 2005 edition of Dr. Dobb's Python-URL! is out with new Python language articles and resources.

Full Story (comments: none)

Enhanced Interactive Python with IPython (O'ReillyNet)

Jeremy Jones looks at IPython on O'Reilly. "An interactive programming environment can be a powerful tool to assist in writing programs. Python has one as part of its standard distribution. Yet IPython, "an enhanced Interactive Python shell," is a far superior replacement."

Comments (none posted)

Ruby

Ruby Weekly News

The January 24, 2005 edition of the Ruby Weekly News is available with the latest Ruby language articles.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The December 27, 2005 edition of Dr. Dobb's Tcl-URL! is online with the week's Tcl/Tk articles.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The February 1, 2005 edition of Dr. Dobb's Tcl-URL! is online; take a look for the latest Tcl/Tk articles.

Full Story (comments: none)

Scripting a Binary Tree Using Tcl (O'ReillyNet)

Michael Norton puts Tcl to work on binary trees. "I tend to use Tcl extensively because I look at this scripting language as a big tub of Lego bricks. Who doesn't like to play with Legos? To me, Tcl is Legos for the computer programmer. It comes with lots of bricks that snap together, enabling you to build something incredible. But here's a thought that will surely make the pragmatic C programmer's head spin. I'm going to put the Tcl language to work with managing binary trees."

Comments (none posted)

XML

Formal Taxonomies for the U.S. Government (O'Reilly)

Michael Daconta explains XML taxonomies on O'Reilly. "The FEA DRM specifies three abstract layers of an organization's information: business context, information exchange, and data element description. Business context specifies the use of a taxonomy to categorize government information. One definition of a taxonomy is "a scheme that partitions a body of knowledge and defines the relationships among the pieces. It is used for classifying and understanding the body of knowledge.""

Comments (none posted)

Cross Compilers

GNU Development Chain Release 3.0

Release 3.0 of the GNU Development Chain, a set comprising a cross compiler, debugger, and other utilities for the Motorola 68HC11/68HC12 microprocessor family, is out. "It is based on Binutils 2.15, Gcc 3.3.5, Gdb 6.2 and Newlib 1.12.0."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The Future Is Open: What OpenDocument Is And Why You Should Care ~ by Daniel Carrera (Groklaw)

Groklaw looks at the OpenDocument format. "I asked Daniel Carrera, an OpenOffice.org volunteer, if he'd please explain to us the OpenDocument format. How does a format get chosen? And is OpenDocument on the list when governments like the State of Massachusetts make up such lists of acceptable formats for governmental use? If not, what can be done to change that? He graciously agreed. Because we are all concerned about proprietary formats and standards, and more and more governments are adopting policies requiring open standards, it's a very important subject."

Comments (none posted)

Group to Divide Linux Standards Base (eWeek)

eWeek covers a Free Standards Group decision to break the LSB into modules. ""We decided that rather than add everything to the LSB core, it would be better to break this up into separate parts, the first of which is on the server side. We are thus looking at making the current, ongoing server work a branch of the LSB core," Chris Maresca, a senior partner at Olliance Group, an open-source consulting company that is working with the FSG, told attendees at the OSDL (Open Source Development Labs) Enterprise Linux Summit here on Monday."

Comments (22 posted)

Rewriting GPL No Easy Task (eWeek)

eWeek covers a talk by Eben Moglen on version 3 of the GPL. "Another change to the technical paradigm that the license must address is the issue of trusted computing and the threat it poses. 'If I knew what the solution to the problem of trusted computing was, we would have a draft version of it in circulation by now,' Moglen said."

Comments (23 posted)

Trade Shows and Conferences

Hawaii now has its own open source conference (NewsForge)

NewsForge covers the Trans-Pacific Open Source Software Conference. "The first-ever Trans-Pacific Open Source Software Conference (TPOSSCON) was held at the Hawaii Convention Center January 17 - 21, 2005. In many ways, it was a "pilot project" meant to gain credibility for what organizer Scott Belford of the Hawaii Open Source Education Foundation (HOSEF) hopes will become a yearly event that attracts people not only from Pacific Islands but also from "mainland" countries on both sides of the world's largest ocean."

Comments (none posted)

13-year old to address Linux conference (ZDNet)

ZDNet Australia looks forward to Linux.Conf.Au, where Bdale Garbee's daughter is on the program. "Elizabeth will be speaking on 'Extending Tuxracer - Learning by Playing', a seminar which Chair of the 2005 organising committee Steven Handley has said will revolve around making modifications to Tuxracer (a popular open source game involving Linux's cuddly mascot) with the aim of making the game more fun. Ex-Debian Project Leader and dad Bdale will also present at the conference."

Comments (9 posted)

The SCO Problem

Bitter struggle to control company (Salt Lake Tribune)

The Salt Lake Tribune reports that things are getting ugly at Canopy. "On one side is Ralph Yarro, ousted chairman, president and chief executive of the Lindon-based Canopy, an investment firm whose extensive holdings include SCO Group, a company now widely known for its Linux-related lawsuits against IBM and others. Yarro is joined by ex-chief financial officer Darcy Mott and former corporate counsel Brent Christensen. The three are suing for at least $100 million, alleging they were illegally ousted in December by a group led by Noorda's daughter, Val Noorda Kriedel of Orange County, Calif.; longtime Canopy investment adviser Terry Peterson, and William Mustard, an independent senior executive consultant appointed CEO in Yarro's place." (As seen on Groklaw).

Comments (3 posted)

Companies

Are Microsoft's licences unfair to open-sourcerers? (Register)

The Register examines the effects of Microsoft's protocol licensing scheme on open-source development. "Carlo Piana, a partner at Milan law firm Tamos Piana & Partners, which represents FSF Europe, told eWeek: "Microsoft has proposed a licencing agreement blatantly tailored to exclude free software from accessing it." The terms of the Microsoft licence require that the holder does not distribute the source code of their implementation of the protocol, except to other licence holders." Thanks to Nigel Arnot.

Comments (22 posted)

Red Hat unveils government business unit (News.com)

Here's a brief News.com article on Red Hat's new government sales group. "Red Hat also said that it has landed a new government customer: the U.S. Department of Energy's national laboratories and technology centers. Under the seven-year agreement, Red Hat Enterprise Linux will be broadly deployed at the labs and tech centers."

Comments (3 posted)

Open-Source Foes (ComputerWorld)

Here's a ComputerWorld article on the differences between the Linux and Solaris approaches to open source. "Linux has propeller-head cachet and market credibility, along with billions of dollars in technical and marketing investment from companies such as IBM, Red Hat and Novell. OpenSolaris has one company behind it and Scott McNealy at its press conferences."

Comments (6 posted)

Sun: Patent use OK beyond Solaris project (News.com)

In this News.com article Sun claims that its recently released patents may be used for all open source projects. "The server and software company clarified its position somewhat on Monday. "Clearly we have no intention of suing open-source developers," said Tom Goguen, head of Solaris marketing. However, he added, "We haven't put together a fancy pledge on our Web site" to that effect."

Comments (17 posted)

Linux at Work

IT Powerhouse Strikes Back (IPSnews)

Here's an article on the IPS site about embedded Linux uses in India. "It is unlikely that Linus Torvalds, creator of Linux, ever intended this open-source operating system to be put to military use. But it is a mark of the robustness of this revolutionary operating system that the Indian army is reposing faith on it -- and indeed, has now completed user trials on the device. Called SATHI (short for Situational Awareness and Tactical Handheld Information and Hindi for buddy), the 875-gramme device helps soldiers coordinate with one another on the battlefield."

Comments (1 posted)

Legal

The open-source patent conundrum (News.com)

Bruce Perens examines software patents, on News.com. "The latest tactic in the software-patenting battle is the granting of patent rights to open-source developers. But are the grants really the equivalent of wolves in sheep's clothing?"

Comments (4 posted)

JURI Votes: It's Restart (Groklaw)

Groklaw carries the news that the European software patent process will be restarted from the beginning. This is good news, but it means that the lobbying effort will have to start over as well.

Comments (1 posted)

Interviews

The Big Kolab Kontact Interview - Part I (KDE.News)

KDE.News talks with some people from the Kontact and Kolab projects. "Steffen Hansen: Kolab is a Free software groupware solution. The components are the Kolab server and Kontact, which is the KDE Kolab client. There is also a Kolab web client in the works."

Comments (none posted)

The social structure of open source development (NewsForge)

Tom Chance talks with Andreas Brand about KDE's social structure, on NewsForge. "Andreas Brand is a sociologist researching ways of recruiting and organising teams of volunteers on the Internet. He has been studying KDE as an example of an open source project based upon collaboration without hierarchies. As part of his work he has conducted interviews with KDE developers, participated in several open source conferences, analysed the KDE home page, and distributed a questionnaire among volunteers. We asked him about his thoughts on the KDE development model."

Comments (2 posted)

Resources

KDE tips and tricks (NewsForge)

NewsForge explores KDE tips and tricks. "The K Desktop Environment (KDE) is incredibly popular in the world of GNU/Linux. Distributions such as SUSE and Mandrakelinux use it by default. KDE has some useful features that, while easily accessible, are less prominent. Just as a camera inexplicably makes a cell phone more fun to use, KDE's cool but unnoticed details may make it more attractive to prospective users. Read on to learn about a few such features that may help you every day."

Comments (none posted)

Reviews

Pentium-based ETX module supports Linux (Linux Devices)

Linux Devices looks at a new Linux-compatible single-board computer from Adlink. "Adlink has released an ETX form-factor single-board computer (SBC) that supports embedded Linux on Celeron and Pentium processors. Target markets for the ETX-IM333 include medical automation, instrumentation, gaming, POS, mobile computing, and transportation, according to the company. The ETX-IM333 is based on an Intel 855GME chipset and supports Pentium M processors from 1.1 GHz to 2.0 GHz, as well as Celeron M processors from 600 MHz to 1.3 GHz."

Comments (none posted)

Freevo: Freedom For Your TV (O'ReillyNet)

O'ReillyNet covers the Freevo Project. "Freevo is a media platform that brings together various applications for video recording and playback. Under its open format, the user can fully customize Freevo to suit his media viewing needs. Its main feature is its ability to schedule and record television broadcasts."

Comments (none posted)

Hacking Google (O'ReillyNet)

O'ReillyNet presents excerpts from Google Hacks, 2nd Edition. "With access to more than three million documents in over 30 languages, Google is a researcher's dream. But like any invaluable tool, knowing the insider tricks of the trade is a must to save time and needless effort. Tara Calishain and Rael Dornfest, authors of Google Hacks, 2nd Edition, have set out to educate the masses to the ins and outs of Google. In today's excerpt, they offer the inside scoop on scattersearching, cartography, Google on the go, gmail-lite, and AdSense. With over 150 million Google searches conducted every day, why be just a number?"

Comments (none posted)

GRAMPS got roots (NewsForge)

NewsForge has a review of the GRAMPS genealogical application. "GRAMPS is easy to use, produces a variety of reports, handles GED files with ease, and allows you to add notes, photos, and other data to individuals in your database. Citing its web site, "GRAMPS is a genealogical application, the name being an acronym for Genealogical Research and Analysis Management Programming System. It allows you to store, edit, and research genealogical data, with similar functionality to other genealogical programs.""

Comments (5 posted)

How Beaverton, Ore. is boosting budding open source businesses (NewsForge)

NewsForge takes a look at OSDL's new Open Technology Center. "[Executive director LaVonne] Reimer called the center the first and only place bringing together the best minds in the business to explore the benefits of open technology. She indicated the Beaverton business center would focus on and fund different aspects of business and provide space for startups, technology with which to experiment, and an executive program for open tech entrepreneurs and those who surround them."

Comments (none posted)

Miscellaneous

Steal This Show (New York Times)

The New York Times (registration required) looks at the television business model, BitTorrent, MythTV, the broadcast flag, and more. "Cecil Watson, a 32-year-old software expert in Fontana, Calif., created KnoppMyth to make the installation of MythTV as simple as possible. The MythTV movement is 'picking up steam,' Mr. Watson said, because it satisfies the way he wants to watch television today - and he doesn't have to pay rental fees for a cable box or a DVR if he chooses not to. 'It records the shows I want to watch and I now have the choice to spend the time the way I want,' he said."

Comments (15 posted)

Where is the spirit of Linux? (LinuxFocus)

LinuxFocus has an editorial on the spirit of Linux. "Linux really used to have a spirit and a small but very active community. It was almost like a little garage. Everybody was working on some part of the car. Adding tires, polishing and tuning the motor.... New people came and were amazed. Hey, this is a cool idea! How can I help? Give me that screw driver. I will fix the mirror. Next Linuxfocus came into the garage. The Linux "car" is a nice one! It is a bit difficult to drive but we like it so we will contribute by documenting how to use it. Everybody who was using the Linux "car" was also contributing to it in some way. It was very exciting." (Thanks to Mats Schneider)

Comments (10 posted)

Running Windows viruses with Wine (NewsForge)

Matt Moen has some fun playing with Windows viruses on Linux under Wine. "Out of the five Windows viruses I ran under Wine, not a single one was able to send email and propagate itself. When I went out of my way to be part of the Windows community by doing my part to propagate Windows viruses (lots of Windows users seem to think this is important, seeing as how they run random executables and use Microsoft Outlook and Internet Explorer) I discovered that it couldn't easily be done with GNU/Linux tools." Thanks to Tres Melton.

Comments (8 posted)

The Real Price of Linux Software (law.com)

Law.com has run a low-clue article on how businesses can protect themselves from the (perceived) threats of free software. "Open-source software's potential risks for intellectual property infringement litigation and the lack of warranties, indemnities and other protections mean businesses should be clamping down on open-source software. Despite the possibility of legal action by SCO, most companies have little understanding of how much open-source software they are using because they don't manage it properly and don't understand how many commercial applications have embedded open-source software."

Comments (7 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

A reorganization at the Open Source Initiative

The Open Source Initiative has put out a press release describing a fairly major organizational thrashup. Eric Raymond leaves as president, to be replaced by Russell Nelson. A number of new initiatives are in the works, including "the establishment of principles of Open Source development and best practices" and the maintenance of a registry of projects which are deemed to follow those principles.

Comments (none posted)

Organizations ask for renegotiation of the software patent directive

CCOO, Proinnova, Hispalinux, AI, Libro Blanco and Caliu have asked for renegotiation of the software patents directive in the Council and expressed their solidarity with ThankPoland.info. "In the 40 days between 2004-12-21 and today, over 40 000 citizens (over 28 000 verified signatures [1]) thanked the Polish Information Minister for his position at the Council of the EU. The signatures may be handed to the authorities this week. Poland twice delayed the formal adoption of a document for the software patents directive [2] that, without defining restrictive criteria, left the door open for software patents in the EU. In recent years, Eurolinux has gathered more than 380.000 signatures against software patents [3]." (Thanks to Xavi Drudis Ferran)

Full Story (comments: 1)

PDPC 2005 Fundraiser

The PDPC 2005 Fundraiser has been announced. "Peer-Directed Projects Center, the IRS 501(c)(03) not-for-profit org which runs the Freenode network, has begun its 2005 fundraiser. We're soliciting funds for PDPC's 2005-2006 fiscal year, which begins July 1."

Full Story (comments: none)

The PHP Security Consortium Announced

A new organization called the PHP Security Consortium has been launched. "The PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community."

Comments (none posted)

Software Freedom Law Center founded

The Software Freedom Law Center has announced its existence. This center, headed by Eben Moglen, will provide pro-bono legal services to non-profit developers of free software. "The Law Center will initially have two full-time intellectual property attorneys on staff and expects to expand to four attorneys later this year. Initial clients for the Law Center include the Free Software Foundation and the Samba Project." OSDL is putting up some of the initial cash to get it going; click below for the press release.

Full Story (comments: 1)

Commercial announcements

ActiveGrid joins OSDL

The Open Source Development Labs (OSDL) has announced that ActiveGrid, Inc. has joined OSDL and will participate in the lab's Data Center Linux (DCL) working group.

Full Story (comments: none)

Appgen releases MyBooks Professional for Linux

Appgen's accounting solutions has announced availability of MyBooks Professional. "Appgen general business and accounting applications are Linux-native, and have been since 1997."

Full Story (comments: none)

EMS PostgreSQL Manager 2.8 Released

Version 2.8 of the EMS PostgreSQL Manager, a commercial PostgreSQL database administration and development tool, has been announced. A freeware version is available for download.

Comments (none posted)

Hyundai Deploys SGI Altix Supercomputers running Linux

SGI has announced a deployment of their Altix Supercomputers by the Hyundai Motor Company. "A subsidiary of Silicon Graphics, Inc. (NYSE: SGI), SGI Korea has delivered four SGI(R) Altix(R) servers and an SGI(R) InfiniteStorage solution. These new servers, powered by a total of 148 Intel(R) Itanium(R) 2 processors and running Red Hat(R) Enterprise Linux(R) operating system, were installed in November and will be used for full car analysis, engine analysis, drag test and the prediction of airborne noise."

Comments (none posted)

IRMA to Deliver Complete Translations of Linux in 78 Languages by 2006

Linspire has announced its online IRMA translation site. "Linspire, Inc. today announced the release of a new Web-based translating application that will allow volunteers to easily translate leading Linux applications into nearly 80 different languages. Dubbed the International Resource Management Application, or IRMA, the project calls on users who speak English and another language to volunteer to translate parts of the operating system. Currently, 24 languages are supported through the system, with 54 additional languages to be added over the next few weeks."

Comments (10 posted)

Jybe Beta Released (MozillaZine)

MozillaZine covers Jybe, a Firefox extension. "Jack Mott writes: "Our company, Advanced Reality, recently released a new product as an open beta. Jybe is an extension for Firefox that allows you to link your browser together to one or more friends' browsers and allows you to chat and browse the web together. Initial features included full frames support, chat, and a powerpoint presentation system, with more to come.""

Comments (none posted)

Levanta Joins Open Source Development Labs

Open Source Development Labs has announced the latest new member, Levanta. "The Open Source Development Labs (OSDL), a global consortium dedicated to accelerating the adoption of Linux in the enterprise, today announced that Levanta, Inc., a leader in Linux configuration management, systems provisioning and software deployment, has joined OSDL and will participate in the Lab's Data Center Linux and Desktop Linux working groups."

Comments (none posted)

Maguma Workbench PHP IDE 2.2

Version 2.2 of Maguma Workbench, an IDE for PHP, has been released. "Maguma has published the newest version of Maguma Workbench. Maguma Workbench 2.2 has new features, more stability and a new pricing concept. During the same period Maguma will also publish the Maguma Workbench SDK, for more independence to create new modules for your "Workbench". For this reason Maguma has created a competition for developers, to create new plugins."

Full Story (comments: none)

Hack your Nokia phone in Python

Nokia has announced the availability of a development kit enabling applications to be written for its Series 60 phones in Python.

Comments (2 posted)

PatentCafe Launches New Open Source Software Patent Search Engine

PatentCafe has announced the opening of its Open Source Software (OSS) Patent Search Engine devoted entirely to worldwide search access to OSS patents. Click below to see the press release.

Full Story (comments: 4)

Skype 1.0 available

Skype Technologies has announced that version 1.0 of its voice-over-IP application for Linux is available for free (beer) download. "Skype for Linux 1.0 has been successfully tested on many recent distributions, including, but not limited to: SuSE 9, Gentoo 1.4, Debian 'unstable', Fedora Core 2, Sun Java Desktop System Release 2 and Xandros."

Comments (14 posted)

New TiVo Application Platform Opens Its Doors to Third Party Developers

TiVo Inc. has announced the availability of an early-access software development kit (SDK) that allows third parties to create entertainment and information applications that extend the TiVo service. "As part of the launch of the early-access SDK, TiVo is also announcing a developers contest. Developers are encouraged to submit their applications to be judged by a panel of industry luminaries that includes James Gosling, CTO of Sun Microsystems' developer products group, and Chris Anderson, Editor-in-Chief of WIRED magazine. Complete contest rules and prizes can be found online at http://www.tivo.com/challenge."

Comments (1 posted)

New Books

"Buffer Overflow Attacks: Detect, Exploit, Prevent" Released by Syngress

Syngress has published the book Buffer Overflow Attacks: Detect, Exploit, Prevent by James C. Foster.

Full Story (comments: none)

ThoughtWorks publishes Pragmatic Version Control Using Subversion

ThoughtWorks has announced the publication of the book Pragmatic Version Control Using Subversion by Mike Mason.

Comments (none posted)

"Linux Server Security" Released by O'Reilly

O'Reilly has published the book Linux Server Security by Michael D. Bauer.

Full Story (comments: none)

Resources

openEHR Foundation News (LinuxMedNews)

LinuxMedNews has published the latest openEHR Foundation News. "Thomas Beale, Chair of the openEHR ARB posts an openEHR status review and progress outlook for 2005 to the openEHR mailing lists."

Comments (none posted)

User Documentation for OpenEMR (LinuxMedNews)

LinuxMedNews mentions the availability of new documentation for OpenEMR, an open-source electronic medical records system. "The OpenEMR community received a 25 page User Documentation Manual for OpenEMR. The OpenEMR community thanks Dr. Bowen for his gracious contribution of a 25 page user manual for OpenEMR version 2.6."

Comments (none posted)

Contests and Awards

KDE Edu Applications Strike in Qt Contest (KDE.News)

KDE.News covers the QtForum.org programming contest award winners. "Today QtForum.org, a site dedicated to Qt development discussions, presented the winners of the QtForum.org programming contest award, sponsored by Trolltech. The contest selected the best educational software written with the Qt libraries, and these two programs from the KDE Edutainment Project took first and second prize, while third place was shared among two also KDE-based applications."

Comments (none posted)

OO.o Splashscreen Vote - take two

The OpenOffice.org splashscreen contest is again underway. "Voting is once again open for the OpenOffice.org 2.0 splashscreen. This screen will be seen by tens of millions. If you voted last month, please vote again; all votes cast that time were thrown out as invalid."

Full Story (comments: 1)

Upcoming Events

O'Reilly Open Source Convention CFP

O'Reilly has sent out a call for participation for the 2005 Open Source Convention (OSCON). The event will be held in Portland, Oregon on August 1-5, 2005; proposals are due by February 13.

Full Story (comments: none)

Free Linux Certification at 2005 LinuxWorld Conference and Expo

IDG World Expo has announced a free LPI certification testing program at the Boston Linux World Conference & Expo event. "Each day of the conference at 1:00 p.m., LPI will be conducting the LPI 101 exam in Room 205. The proctored exams are free to all conference delegates, and a special discounted price of $25 is also offered to all exhibitors and exhibit hall attendees."

Comments (none posted)

6th Annual Libre Software Meeting CFP (LinuxMedNews)

The 6th annual LSM 2005 Libre Software Meeting for Medicine has been announced. The event will be held on July 5-9, 2005 in Dijon, France. "LSM is the annual international meeting of experts (providers and users) on new developments in free software medical systems (open source) and their applications. An important objective of the LSM/2005 is to open contacts between people from different domains mainly IT (Information Technology) and Medicine."

Comments (none posted)

Golden Penguin Bowl at LinuxWorld Conference and Expo

IDG World Expo has announced the next Golden Penguin Bowl, an event that pits media against analysts. The bowl will take place on February 15 at 4:30 PM as part of the World Conference & Expo 2005 in Boston.

Comments (none posted)

Malaga Named as Location for 2005 KDE Conference (KDE.News)

KDE.News has announced the location selection for the 2005 KDE Conference. "After an evaluation process of several possible locations, Malaga in southern Spain has been chosen as the location of the 2005 KDE conference by the KDE e.V. membership in a recent vote. The conference will be held by KDE e.V. in cooperation with different sponsors."

Comments (none posted)

WFS 2005 - Call for Papers

The 6th International Workshop on Free Software will be held on June 1-4, 2005 in Rio Grande do Sul, Brazil. Papers are due by March 14.

Full Story (comments: none)

Events: February 3 - March 31, 2005

| Date | Event | Location |
|------|-------|----------|
| February 3, 2005 | Solutions Linux 2004 (CNIT, Paris la Défense) | Paris, France |
| February 3 - 4, 2005 | Asia Source (Visthar training venue) | Bangalore, India |
| February 4 - 6, 2005 | ShmooCon 2005 (Wardman Park Marriott Hotel) | Washington, DC |
| February 7 - 11, 2005 | GlobusWORLD (Sheraton Boston Hotel) | Boston, MA |
| February 9 - 11, 2005 | German Perl-Workshop 2005 | Dresden, Germany |
| February 9 - 11, 2005 | Third-Annual Desktop Linux Summit (Del Mar Fairgrounds) | San Diego, CA |
| February 9, 2005 | OOo RegiCon North America (Del Mar Fairgrounds) | San Diego, CA |
| February 11 - 13, 2005 | CodeCon 2005 | San Francisco, CA |
| February 12 - 13, 2005 | Southern California Linux Expo 2005 (SCALE) (Los Angeles Convention Center) | Los Angeles, CA |
| February 14 - 17, 2005 | Linux World Conference and Expo (Hynes Convention Center) | Boston, MA |
| February 18, 2005 | Fedora Users and Developers Conference (FUDcon1) (Massachusetts Institute of Technology) | Boston, Massachusetts |
| February 24 - 25, 2005 | UKUUG LISA/Winter Conference | Birmingham, UK |
| February 25, 2005 | Dutch Perl Workshop | Amsterdam, the Netherlands |
| February 26 - 27, 2005 | Free and Open Source Developers' European Meeting (FOSDEM 2005) | Brussels, Belgium |
| February 28 - March 3, 2005 | EclipseCon 2005 (Hyatt Regency) | Burlingame, CA |
| February 28 - March 1, 2005 | Asia Debian Mini-Conf 2005 | Beijing, China |
| March 1 - 2, 2005 | JBoss World 2005 User Conference (Omni/CNN Center) | Atlanta, GA |
| March 2 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland |
| March 2 - 3, 2005 | Asia CodeFest 2005 | Beijing, China |
| March 2 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China |
| March 2 - 4, 2005 | The Free and Open Source Software Workshop (Al Assad National Library) | Damascus, Syria |
| March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany |
| March 12, 2005 | Gentoo UK 2005 (University of Salford) | Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) (Westin Horton Plaza) | San Diego, CA |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 (Hotel Borobudur) | Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop (Caribe Royale All Suites Resort & Convention Center) | Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 (GWU Cafritz Conference Center) | Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec (Crowne Plaza Hotel) | Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |

Web sites

The GCC Wiki

A new Wiki Site has been launched for discussion of GCC, the GNU Compiler Collection.

The Open Skills Site

OpenSkills 2 is a new site for the discussion of various Linux issues: "Welcome to OpenSkills 2 (Beta 2), a Collaborative Knowledge Portal, an Insane Experiment of System Exposure Just Another Linux-and-More WebSite for SysAdmin". The site is also available in Italian.

Page editor: Forrest Cook

Letters to the editor

Comments re: An Early Look at Ubuntu Hoary

From:  Jeff Waugh <jeff.waugh-AT-ubuntu.com>
To:  Ladislav Bodnar <ladislav-AT-linuxfreemail.com>, LWN <lwn-AT-lwn.net>
Subject:  Comments re: An Early Look at Ubuntu Hoary
Date:  Thu, 27 Jan 2005 16:22:02 +1100

 Hi Ladislav!
   
 Another great article about Ubuntu - thank you. :) One minor correction for
 you:
   
   "We have already mentioned the Ubuntu live CDs, which represent another
   interesting aspect of this distribution. These live CDs are now built by
   the maintainers of Gnoppix, a project that was originally an attempt to
   develop a Knoppix-like distribution for GNOME users."
   
 It turns out that the reverse is true: Gnoppix is now based on Ubuntu.
   
 Our new LiveCD infrastructure uses 'Casper', a fully cross-platform LiveCD
 bootstrap system that runs on top of Ubuntu's standard installer code, and
 exactly the same kernel as installed Ubuntu systems. To do this, we've
 swapped out some of the common, ugly LiveCD kernel extensions and used
 better technologies in the standard Linux kernel, such as the devicemapper
 copy-on-write overlay.
   
 These features, in addition to much needed documentation, have granted
 third parties much greater ability to make minor modifications or entirely
 new LiveCDs. Gnoppix is now an Ubuntu derivative, Kubuntu will soon be
 producing installer and LiveCDs, and there are plans afoot in the GNOME
 Project to use a 'debranded' and customised Ubuntu LiveCD as a GNOME
 marketing tool.
   
 All this talk about LiveCDs papers over one important issue - Casper can be
 used to create any kind of bootable media... DVD, USB, firewire,
 holographic storage... Well, ok, so that one's still "coming soon". ;-)
   
 Thanks,
   
 - Jeff
 
--
GUADEC 2005: Stuttgart, Germany http://2005.guadec.org/
  
     "I guess there's part of me that's always resented it... to be an
   actor, you have to have someone else say yes to you." - Edward Norton

eWEEK, I think you've missed the point of the GPL

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  eWEEK-AT-ziffdavis.com
Subject:  eWEEK, I think you've missed the point of the GPL
Date:  Tue, 1 Feb 2005 16:36:14 +0800
Cc:  letters-AT-lwn.net

Quoting http://www.eweek.com/article2/0,1759,1754298,00.asp -
> We agree with Gates' argument that the case for "free" should not
> be oversimplified. Software costs only begin with the acquisition
> of a license, free or otherwise.
 
The reason so many South American, African and Asian countries are
falling over themselves to adopt FOSS is very simple: it gives them
back control of their countries, and their economies.
 
Anyone paying any attention to the South Americans would have noticed
how often they mention that one copy of MS-Office equals so many bags
of this or that export product. This is something that I wish my own
country (Australia) would do.
 
Simple issues like outright cost are overwhelmed by the sheer ability
FOSS grants the locals. Linux, GNOME, KDE and other major items have
already been internationalised for communities with less than one tenth
of the population of the smallest language group ever internationalised
in MS-Windows or MS-Office. Security agencies, the military and so on
can examine and change every byte of the software that their systems
run, without going cap-in-hand to a foreign business and signing their
life away. Locals can work on local projects with rudimentary equipment
and without shelling out several years' wages for any development kits
or distribution rights.
 
These advantages are only representative of the huge number of
advantages to FOSS. Microsoft can never foreseeably be "agile" enough
to meet more than a small number of these needs, or even to publicly
admit that they exist.
 
With a very few showcase exceptions, Microsoft and their customers
assume adversarial positions; with FOSS, the customers _are_ the
developers, the management and the marketing department. They don't
need anyone to ask them where they want to go today, they just go.
 
Cheers; Leon
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://osia.net.au/ Member, Open Source Industry Australia
http://slpwa.asn.au/ Member, Linux Professionals WA
http://linux.org.au/ Member, Linux Australia

Misquote/misattribution in your Mercury article?

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  John Boudreau <jboudreau-AT-mercurynews.com>
Subject:  Misquote/misattribution in your Mercury article?
Date:  Wed, 2 Feb 2005 11:19:34 +0800
Cc:  letters-AT-lwn.net

> The SCO Group says that IBM and other companies inserted its Unix
> code into versions of Linux.
 
Not exactly true. In fact, just far enough from true to get you into
legal trouble. If you'd written it in quotes it would be Mr Moglen's
problem, presuming that such an attribution is correct, but as it
stands it reads more like a misplaced rephrase of something Mr
Kusnetzky is likely to have said.
 
The SCO group does not say that any more - at least, not in any legally
binding forum.
 
What they are actually claiming in court is that IBM dealt unfairly with
them in a contract centring on Monterey. The substance of the claim is
that IBM inserted code _which_IBM_developed_ into all of TSG-owned
UNIX(R), OS/2 and later Linux. The logic to the claim is that because
the code was originally developed for TSG's UNIX(R) codebase (not
actually true), it falls under the same _contractual_ terms as UNIX(R)
proper and therefore could not have been published elsewhere by IBM.
 
It turns out that practically all of their premises are wrong, that
their predecessors-in-interest-once-removed in the contract (AT&T)
clearly didn't intend a remotely similar interpretation of the
contract, that much of their UNIX(R) code is public domain anyway so
they'd be hard pressed to claim legitimate ownership, that they
published the supposedly tainted code themselves for more than a year,
that no copyrights or patents relating to UNIX(R) were ever transferred
to them, that no UNIX(R) code exists in Linux and to cut a long list
short that they don't appear to even be able to find their own
backsides with both hands, a map, a mirror and someone coaching them.
 
The SCO Group are not pressing any copyright or patent claims against
IBM. IBM is counterclaiming (so far) seven patent violations against
The SCO Group. TSG don't even own the trademark on UNIX(R), The Open
Group does. Worse, The SCO Group appear to have included GPLed driver
code from Linux wholesale into UNIXWARE(R) without so much as an
attribution.
 
In short, Open Source generally doesn't need protection from idiots.
Idiots will attack monied interests for the very simple reason that
there's no profit in attacking individual developers, and said monied
interests will typically respond by smacking down said idiots.
 
What Open Source does need legal protection from are short-sighted,
powerful and greedy monopolists like the RIAA and Microsoft, who appear
to be willing to sacrifice almost any principle in the pursuit of
control and the ensuing profits. Open Source generally doesn't have the
concentrations of money needed to go toe-to-toe in courts and
legislatures and under tables with these organisations.
 
Cheers; Leon
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://osia.net.au/ Member, Open Source Industry Australia
http://slpwa.asn.au/ Member, Linux Professionals WA
http://linux.org.au/ Member, Linux Australia

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds