
LWN.net Weekly Edition for February 10, 2005

Judge Kimball rules at last

SCO v. IBM has been absent from the LWN front page for some time - and there has been a striking lack of letters from readers protesting that. An important ruling has been issued, however, and so it's time for an update.

IBM's tenth counterclaim ("CC10") in this case requests a ruling from the court that IBM's Linux activities do not violate any of SCO's copyrights. IBM filed a motion requesting a summary judgment on this counterclaim, stating that there were no disputed facts that might argue against that judgment. A victory on this motion would take much of the wind from SCO's sails. The SCO Group knows this, and so filed a motion of its own requesting that the tenth counterclaim be dismissed, or at least stayed.

These motions were argued before Judge Kimball back in September. The ruling was long in coming, but it is now available (in PDF format). The ruling is not a clear victory for either side, but it suggests that SCO is facing a rough road unless it turns up something truly incriminating in the discovery process.

The first order of business was SCO's motion to dismiss or stay CC10. The Judge notes that SCO's arguments have shifted over time, ending up with the statement that CC10 is moot because SCO is not actually alleging copyright infringements on IBM's part. The Judge didn't buy it:

Notwithstanding SCO's puzzling denial in its briefing that it has not alleged a claim against IBM for copyright infringement arising out of its use, reproduction, or improvement of Linux, it clearly has alleged such a claim.

The Judge makes note of SCO's public statements on the matter, and the AutoZone suit as well. In conclusion:

The court assumes that SCO was prepared to prosecute its claim in the AutoZone case or it would not have filed suit. Indeed, in light of SCO's lawsuit against AutoZone and SCO's public statements during the last two years, which have essentially invited this claim, it is incomprehensible that SCO seeks to postpone resolution of this claim.

The motion was denied flat out, with prejudice. In other words, SCO will have to face this counterclaim, which is clearly a problem of its own making.

The Judge then moved on to IBM's request for a summary judgment, which would have resolved CC10 (in IBM's favor) immediately. Judge Kimball reviewed a number of SCO's more blatant public statements, along with IBM's claim that no evidence to back up those statements has been presented. The Judge clearly sees some merit in IBM's arguments, but is not willing to grant the judgment at this time:

Viewed against the backdrop of SCO's plethora of public statements concerning IBM's and others' infringement of SCO's purported copyrights to the UNIX software, it is astonishing that SCO has not offered any competent evidence to create a disputed fact regarding whether IBM has infringed SCO's alleged copyrights through IBM's Linux activities.

Nevertheless, despite the vast disparity between SCO's public accusations and its actual evidence - or complete lack thereof - and the resulting temptation to grant IBM's motion, the court has determined that it would be premature to grant summary judgment on IBM's Tenth Counterclaim.

The Judge reasons that SCO's contract claims could play into the final determination of the copyright issues, and that ongoing discovery could yet yield the evidence that SCO seeks. The ruling, in passing, notes that Judge Kimball is "in general agreement" with the discovery order forcing IBM to provide all of its Unix/Dynix code to SCO. The Judge also states:

Simply put, regardless of the merits, the granting of summary judgment would be very unlikely to survive an appeal when a Rule 56(f) motion has been filed and a motion to compel production of arguably relevant information remains pending.

Judges hate being reversed on appeal, for obvious reasons. So Judge Kimball is, as he should be, playing the game in such a way as to reach conclusions that will stand. The court therefore declined to rule in favor of IBM's motion now, but states that the motion can be refiled after discovery is complete.

IBM had also argued that the summary judgment on CC10 should be granted as a sanction for SCO's misbehavior in the case. Judge Kimball didn't buy it, though, and rejected that motion out of hand.

Then, IBM had filed a motion trying to strike a number of declarations filed by SCO. These declarations, by Sandeep Gupta, Chris Sontag, and John Harrop, were said (by IBM) to be inadmissible because the people who wrote them didn't know what they were talking about. The Judge accepted SCO's argument, though, that the real purpose of the declarations was to argue that more discovery was needed; he then said, however, that he made no use of the declarations in any case. So this motion, moot to begin with, was denied.

IBM has two other summary judgment motions on the table. One seeks to dispose of SCO's contract claims, while the other seeks a ruling on IBM's eighth counterclaim - the GPL violation claim. The filings on these motions are not complete, and arguments have not taken place. Judge Kimball has denied them (without prejudice) anyway, stating that they cannot be resolved until discovery is complete. In fact, no such motions can be resolved, so there is now a ban on any further dispositive motions during the discovery period.

What all this seems to mean is that there will be no shortcuts in this case. SCO does not get to squirm out of CC10, but neither does IBM get a quick resolution to its claims. SCO, it seems, will be able to conduct its fishing expedition through IBM's source repositories, though there may yet be more arguments on that point. Your editor, attempting to read between the lines of the ruling, senses a fair amount of hostility to SCO's claims and tactics. But, regardless of how the Judge sees the case now, he seems determined not to make any premature or careless decisions. This case will have to play out according to the calendar - at least, until the discovery phase is over.

Comments (3 posted)

The first public Sunbird release

February 9, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The latest addition to the Mozilla Project's offerings is Mozilla Sunbird, a calendar application based on the iCal standard. Actually, Sunbird has been in the works for some time, but the recent 0.2 release from the Sunbird team is the first "official" release. We're not really sure what makes this "official," but we thought this might be a good time to look at Sunbird to see how it's maturing.

Sunbird is far from complete, but it's much more stable than one might expect from an application at version 0.2. We used Sunbird for a couple of days without experiencing any crashes or "show stopper" bugs. There are a few glitches in Sunbird 0.2, which is to be expected. For example, copying and pasting an event from Thursday to Friday changed the start and end times of the event. There are also a few minor interface glitches, but nothing that would prevent a user from getting work done with Sunbird.

To test Sunbird's calendar import feature and handling of iCal files, we grabbed the U.S. holiday calendar from Mozilla's holiday files page and a few calendars from iCalShare. Sunbird had no problems importing the calendars, though it automatically pushed the displayed month back to the start of the calendars.

The Sunbird roadmap shows how far Sunbird has progressed so far. Sunbird lacks the ability to export to HTML, edit remote calendars, accept invitations from Outlook users, and a number of other features. Still, the list of features that are complete is larger than the list of incomplete features. The list is not entirely up to date, either. For example, the "work week view" feature is available, though the roadmap doesn't show this feature as complete. This is, in fact, one of this writer's favorite features in Sunbird. The user can specify the days of their work week, and display only those days in the calendar view. Since this writer works a decidedly non-standard work week (Thursday through Sunday) this can come in quite handy.

As a standalone calendar application, Sunbird is already on its way to being a useful project. However, many users are going to want a calendar application that integrates with a mailer and browser. To that end, there's Project Lightning. Lightning is still in the early development phase, so there's very little concrete information about it, but the general gist of the project is to provide tighter integration between Thunderbird and Sunbird. The first general-user release of Lightning is tentatively scheduled for mid-2005.

Another area where Sunbird needs help is device synchronization. Right now, the application doesn't offer any automatic method of synchronizing with a PDA, which is a feature that many users will want from a calendaring application.

Why should users care about Sunbird when we already have Evolution and KDE PIM, which are much further along than Sunbird? The primary reason is multi-platform support. While Evolution and KDE PIM have much to recommend them, wide cross-platform availability is something that neither project can offer at this time. Companies that are looking to standardize on an application will want something that runs on Windows, and possibly Mac OS X as well.

Sunbird is a promising application. Given the quality of Firefox and Thunderbird, not to mention the original Mozilla suite, we're optimistic that Sunbird will be an excellent calendaring application when it grows up.

Comments (4 posted)

Looking forward to LinuxWorld

The LinuxWorld Conference & Expo happens February 14 through 17 in Boston. LWN editor Jonathan Corbet will be wandering by the event for the first time in a few years. Among other things, he will be giving a talk in the O'Reilly booth on Wednesday at 1:30; one can only hope that there will be no rap bands or accordion players in the neighboring booth at that time. Such problems are not unheard of at LinuxWorld.

It would, of course, be a disservice to our readers if we failed to point out that Linux Device Drivers, Third Edition, by Jonathan Corbet, Alessandro Rubini, and Greg Kroah-Hartman, will be released (and available) at the show.

The first LinuxWorld event was almost six years ago now. LWN was published that week only because the kind folks at Linuxcare let us stay in the exhibit hall past closing and plug the laptop into their network hub. That conference was an eye-opener. Even for those of us who had been convinced for years that Linux World Domination was inevitable, the level of interest - and the amount of money - to be seen at LinuxWorld was shocking. The wave was clearly building, and it didn't seem that anybody had any real control over it.

The memories of the Red Hat party - or the disturbing lack thereof - will be with us forever.

Six years later, LinuxWorld is a different experience. It's all executive keynotes and expensive exhibits; the conference program almost seems like an afterthought. The more development-oriented conferences, such as OLS or Linux.conf.au (where your editor will also be speaking), are much more fun. LinuxWorld remains the preeminent commercial Linux show, however, at least in the U.S. As a place to get a sense for what the business of Linux is doing, it is hard to beat. Your editor, masochist that he is, is looking forward to having his nose rubbed in the hype for a few days, seeing where people think the money is in Linux, and meeting some LWN readers. See you there.

Comments (2 posted)

European software patents may be adopted on Feb. 17

The FFII site has a translated article from the Polish press agency stating that Poland will no longer resist the adoption of the software patent directive in the European Council. If Poland backs down - and no other country steps up in its place - the Council could adopt its version of the patent directive without regard to the restart motion which passed the legal affairs committee on February 2. And that would mean US-style software patents in Europe.

Comments (22 posted)

Page editor: Jonathan Corbet

Security

Attacks on Firefox

Linux detractors often say that, if and when Linux becomes as popular as Windows, it will attract just as many attacks - and prove just as vulnerable. The popularity of Linux exceeds that of Windows in some areas, but, so far, these attacks have not materialized. It is now beginning to look like this upsurge in attacks may not target Linux directly. Instead, the Firefox browser may become the target of choice.

Eric Johanson recently put out an advisory demonstrating how "homograph attacks" can work against Firefox (and Konqueror). These attacks take advantage of international domain names, which can be written in non-ASCII character sets. The problem is that many non-ASCII characters are rendered just like (or very nearly like) characters in the ASCII set; as a result, a visually identical domain name can actually point somewhere unexpected. An example provided by Mr. Johanson is www.pаypal.com, which your browser renders as www.pаypal.com. This technique, clearly, could be used for phishing attacks - especially when one considers that SSL certificates can contain non-ASCII characters too. It is said that a short-term workaround for this problem is to turn off the network.enableIDN parameter in the about:config screen, but this workaround does not work for all users, and it does not persist across sessions.
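A defender-side check for the look-alike names described above, written as an added example for this page (not code from the advisory, from Mozilla, or from LWN). It folds a small hand-picked set of Cyrillic look-alikes to their Latin counterparts, flags labels that mix scripts, and shows the xn-- form the resolver actually sees (via Python's built-in idna codec), so that a proxy or mail-gateway log reviewer can tell www.pаypal.com from www.paypal.com. The confusable table is a constructed subset, not the full Unicode confusables data.

```python
"""Flag IDN hostnames that may be homograph look-alikes.

Added example for this page; not code from the advisory or from Mozilla.
The CONFUSABLES table is a small hand-picked subset of Cyrillic letters
that render like Latin ones, not the full Unicode confusables list.
"""
import unicodedata

# Constructed sample: Cyrillic letters that look like Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def script_of(ch):
    """Script name taken from the Unicode character name ("LATIN",
    "CYRILLIC", "GREEK", ...) for letters; None for digits, hyphens etc."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point: treat as its own script
        return "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(script_of, label) if s}


def skeleton(label):
    """The label as a user perceives it: confusable letters folded to their
    Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def to_punycode(hostname):
    """ASCII-compatible form (xn--...) that is actually sent to the resolver.
    Raises UnicodeError for malformed names (empty or over-long labels)."""
    return hostname.encode("idna").decode("ascii")


def analyze_hostname(hostname):
    """Report on one hostname.  'suspicious' is True when a label mixes
    scripts, or when folding confusables yields a different, pure-ASCII
    name (the visible name impersonates an ASCII one)."""
    hostname = hostname.lower().rstrip(".")
    labels = hostname.split(".")
    report = {
        "input": hostname,
        "punycode": to_punycode(hostname),
        "looks_like": ".".join(skeleton(lb) for lb in labels),
        "mixed_script_labels": [lb for lb in labels if len(label_scripts(lb)) > 1],
        "suspicious": False,
    }
    impersonates_ascii = (report["looks_like"].isascii()
                          and report["looks_like"] != hostname)
    if report["mixed_script_labels"] or impersonates_ascii:
        report["suspicious"] = True
    return report


if __name__ == "__main__":
    for name in ("www.paypal.com", "www.p\u0430ypal.com", "b\u00fccher.example"):
        r = analyze_hostname(name)
        print(f"{r['input']!r:>22} -> {r['punycode']:<26} "
              f"looks like {r['looks_like']:<16} suspicious={r['suspicious']}")
```

Legitimate single-script IDNs such as bücher.example pass, while a Cyrillic-only label that folds to an ASCII word (e.g. сор.com) is still flagged even though it never mixes scripts.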

Meanwhile, "mikx" has posted a set of three different Firefox vulnerabilities. "Fireflashing" is a trick that, in conjunction with the Flash plugin, can be used to trick a Firefox user into changing configuration parameters. The "firedragging" vulnerability gets around some restrictions to possibly allow a (Windows) user to put a web-supplied executable file onto the desktop. And "firetabbing" circumvents the isolation between sites when links are dragged to different tabs. All of these vulnerabilities have been acknowledged by the Mozilla Project and fixes have been committed.

These attacks are not truly devastating. They make certain kinds of phishing and social engineering attacks easier, but, hopefully, should not fool suitably careful users. But they do show that the level of interest in Firefox vulnerabilities is on the increase.

Attacking many parts of a Linux system is hard. Security is generally reasonably good, one hopes, and techniques like privilege minimization, privilege separation and sandboxing help to contain any vulnerabilities which do exist. The sheer variety of deployed Linux systems also works against attackers; an exploit which works on one system may be useless against the next. The role of diversity in ensuring the security of Linux systems should not be underestimated.

Firefox, however, is widely deployed and quite similar on all systems. If nothing else, the project's trademark policies tend to ensure that Firefox deployments will not vary much. Firefox contains interpreters which will certainly contain exploits of the "write once, run anywhere" variety. Firefox is directly controlled by users who may have little interest in - or knowledge of - security policies. And, in many (perhaps most) cases, it talks directly to random sites all over the net. So of course Firefox is being eyed as a possible entry point to otherwise secure systems.

The Firefox browser is popular for a reason: it is a solid, highly featureful, highly useful program. It is also a huge and complex program. Regardless of the skill of the Mozilla hackers, verifying and maintaining the security of a code base that large is going to be a major challenge. Expect some interesting times over the next few years as the security claims made by the Mozilla Project - and by the free software community in general - are put to the test.

Comments (24 posted)

New vulnerabilities

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

mailman: path traversal

Package(s):mailman CVE #(s):CAN-2005-0202
Created:February 9, 2005 Updated:July 13, 2005
Description: The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.

This vulnerability was used to compromise the Full-Disclosure list.

Alerts:
Fedora-Legacy FLSA:152895 2005-07-10
Ubuntu USN-78-2 2005-02-17
Debian DSA-674-3 2005-02-21
Mandrake MDKSA-2005:037 2005-02-14
Red Hat RHSA-2005:137-01 2005-02-15
SuSE SUSE-SA:2005:007 2005-02-14
Debian DSA-674-2 2005-02-11
Red Hat RHSA-2005:136-01 2005-02-10
Gentoo 200502-11 2005-02-10
Fedora FEDORA-2005-132 2005-02-10
Fedora FEDORA-2005-131 2005-02-10
Ubuntu USN-78-1 2005-02-09

Comments (none posted)

newspost: buffer overflow vulnerability

Package(s):newspost CVE #(s):CAN-2005-0101
Created:February 3, 2005 Updated:February 8, 2005
Description: The Usenet news autoposter newspost has a buffer overflow which can be exploited remotely, causing newspost to crash or potentially execute arbitrary code.
Alerts:
Gentoo 200502-05 2005-02-03

Comments (none posted)

postfix: error in IPv6 handling

Package(s):postfix CVE #(s):CAN-2005-0337
Created:February 4, 2005 Updated:March 16, 2005
Description: Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup" was enabled in the "smtpd_recipient_restrictions", Postfix turned into an open relay, i.e. it erroneously permitted the delivery of arbitrary mail to any MX host which has an IPv6 address.
Alerts:
Red Hat RHSA-2005:152-01 2005-03-16
Ubuntu USN-74-2 2005-02-04
Ubuntu USN-74-1 2005-02-04

Comments (1 posted)

python: illegal function internals access

Package(s):python CVE #(s):CAN-2005-0089
Created:February 3, 2005 Updated:April 22, 2005
Description: Python versions 2.2 and 2.3 have a vulnerability in the SimpleXMLRPCServer module which may allow remote users to read or change function internals via the im_* and func_* attributes.
Alerts:
Slackware SSA:2005-111-02 2005-04-22
Red Hat RHSA-2005:108-01 2005-02-15
Mandrake MDKSA-2005:035 2005-02-10
Gentoo 200502-09 2005-02-08
Debian DSA-666-1 2005-02-04
Ubuntu USN-73-1 2005-02-03

Comments (none posted)

squid: multiple vulnerabilities

Package(s):squid CVE #(s):CAN-2005-0173 CAN-2005-0175 CAN-2005-0194 CAN-2005-0211
Created:February 4, 2005 Updated:March 8, 2005
Description: Several vulnerabilities have been discovered in Squid, including cache pollution/poisoning via HTTP response splitting, a buffer overflow triggered by a larger-than-normal WCCP packet, and more.
Alerts:
Conectiva CLA-2005:931 2005-03-08
Red Hat RHSA-2005:060-01 2005-02-15
Red Hat RHSA-2005:061-01 2005-02-11
Mandrake MDKSA-2005:034 2005-02-10
SuSE SUSE-SA:2005:006 2005-02-10
Ubuntu USN-77-1 2005-02-07
Debian DSA-667-1 2005-02-04

Comments (none posted)

xview: buffer overflows

Package(s):xview CVE #(s):CAN-2005-0076
Created:February 9, 2005 Updated:February 9, 2005
Description: The xview library suffers from a number of buffer overflow vulnerabilities.
Alerts:
Debian DSA-672-1 2005-02-09

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

AWStats: remote code execution

Package(s):awstats CVE #(s):CAN-2005-0116 CAN-2005-0362 CAN-2005-0363
Created:January 25, 2005 Updated:February 15, 2005
Description: When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server.
Alerts:
Debian DSA-682-1 2005-02-15
Gentoo 200501-36:03 2005-01-25
Gentoo 200501-36 2005-01-25

Comments (1 posted)

bind: validator function denial of service

Package(s):bind CVE #(s):CAN-2005-0034
Created:January 27, 2005 Updated:February 1, 2005
Description: A vulnerability was discovered in BIND version 9.3.0; an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely.
Alerts:
Mandrake MDKSA-2005:023 2005-01-26

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

chbg: buffer overflow

Package(s):chbg CVE #(s):CAN-2004-1264
Created:January 18, 2005 Updated:February 2, 2005
Description: Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.
Alerts:
Mandrake MDKSA-2005:027 2005-02-01
Debian DSA-644-1 2005-01-18

Comments (none posted)

ClamAV: multiple issues

Package(s):clamav CVE #(s):CAN-2005-0133
Created:January 31, 2005 Updated:March 3, 2005
Description: ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs.
Alerts:
Conectiva CLA-2005:928 2005-03-03
Mandrake MDKSA-2005:025 2005-01-31
Gentoo 200501-46 2005-01-31

Comments (none posted)

cpio: file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a buffer overflow vulnerability in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: dhcp 2.x has a format string vulnerability in its log functions that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-0006 CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084
Created:January 21, 2005 Updated:February 15, 2005
Description: Ethereal has released 0.10.9 to fix several vulnerabilities.
Alerts:
Red Hat RHSA-2005:037-01 2005-02-15
Red Hat RHSA-2005:011-01 2005-02-02
Fedora FEDORA-2005-069 2005-01-25
Fedora FEDORA-2005-068 2005-01-25
Mandrake MDKSA-2005:013 2005-01-24
Debian DSA-653-1 2005-01-21
Gentoo 200501-27 2005-01-20

Comments (none posted)

evolution: arbitrary code execution

Package(s):evolution CVE #(s):CAN-2005-0102
Created:January 24, 2005 Updated:May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is another buffer overflow in Exim's auth_spa_server() which is also fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06

Comments (1 posted)

f2c: insecure temp files

Package(s):f2c CVE #(s):CAN-2005-0017 CAN-2005-0018
Created:January 27, 2005 Updated:April 20, 2005
Description: The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27

Comments (none posted)

FireHOL: insecure temporary file creation

Package(s):FireHOL CVE #(s):
Created:February 1, 2005 Updated:February 1, 2005
Description: FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user.
Alerts:
Gentoo 200502-01 2005-02-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 31, 2005 Updated:February 10, 2005
Description: Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information.
Alerts:
Gentoo 200501-45:03 2005-01-30
Gentoo 200501-45 2005-01-30

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. At a minimum, this caused a failure in connection with rules provided by lokkit.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kerberos5: execution of arbitrary code by authenticated user

Package(s):kerberos5 CVE #(s):CAN-2004-1189
Created:December 21, 2004 Updated:February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21

Comments (none posted)

kernel: i386 SMP page fault handler privilege escalation

Package(s):kernel CVE #(s):CAN-2005-0001
Created:January 14, 2005 Updated:February 25, 2005
Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
Alerts:
Fedora-Legacy FLSA:2336 2005-02-24
SuSE SUSE-SA:2005:010 2005-02-25
SuSE SUSE-SA:2005:005 2005-02-04
Mandrake MDKSA-2005:022 2005-01-25
Red Hat RHSA-2005:017-01 2005-01-21
Red Hat RHSA-2005:016-01 2005-01-21
SuSE SUSE-SA:2005:003 2005-01-21
Ubuntu USN-60-0 2005-01-14
Fedora FEDORA-2005-025 2005-01-13
Fedora FEDORA-2005-026 2005-01-13

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

mailman: cross-site scripting

Package(s):mailman CVE #(s):CAN-2004-1177
Created:January 10, 2005 Updated:March 22, 2005
Description: Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.
Alerts:
Fedora FEDORA-2005-242 2005-03-22
Fedora FEDORA-2005-241 2005-03-22
Red Hat RHSA-2005:235-01 2005-03-21
Debian DSA-674-1 2005-02-10
Mandrake MDKSA-2005:015 2005-01-24
Gentoo 200501-29 2005-01-22
Ubuntu USN-59-1 2005-01-10

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

mysql-dfsg: insecure temporary files

Package(s):mysql-dfsg CVE #(s):CAN-2005-0004
Created:January 18, 2005 Updated:March 25, 2005
Description: Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:2129 2005-03-24
Mandrake MDKSA-2005:036 2005-02-10
Gentoo 200501-33 2005-01-23
Debian DSA-647-1 2005-01-19
Ubuntu USN-63-1 2005-01-18

Comments (none posted)

nasm: Buffer overflow vulnerability

Package(s):nasm CVE #(s):CAN-2004-1287
Created:December 20, 2004 Updated:May 4, 2005
Description: Jonathan Rockway discovered that NASM-0.98.38 has an unprotected vsprintf() to an array in preproc.c. This code vulnerability may lead to a buffer overflow and potential execution of arbitrary code.
Alerts:
Red Hat RHSA-2005:381-01 2005-05-04
Fedora FEDORA-2005-322 2005-04-18
Mandrake MDKSA-2005:004 2005-01-06
Debian DSA-623-1 2004-01-04
Ubuntu USN-45-1 2004-12-22
Gentoo 200412-20 2004-12-20

Comments (4 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

nfs-utils: denial of service

Package(s):nfs-utils CVE #(s):CAN-2004-1014
Created:December 1, 2004 Updated:May 15, 2005
Description: The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Alerts:
Fedora-Legacy FLSA:152871 2005-05-12
Red Hat RHSA-2004:583-01 2004-12-20
Gentoo 200412-08 2004-12-14
Trustix TSLSA-2004-0065 2004-01-09
Debian DSA-606-1 2004-12-08
Mandrake MDKSA-2004:146 2004-12-06
Ubuntu USN-36-1 2004-12-01

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

ngIRCd: buffer overflow

Package(s):ngIRCd CVE #(s):
Created:January 28, 2005 Updated:February 1, 2005
Description: Florian Westphal discovered a buffer overflow caused by an integer underflow in the Lists_MakeMask() function of lists.c. See the ngIRCd 0.8.2 release announcement for more information.
Alerts:
Gentoo 200501-40 2005-01-28

Comments (none posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

openswan: stack based buffer overflow

Package(s):openswan CVE #(s):CAN-2005-0162
Created:January 28, 2005 Updated:February 1, 2005
Description: A stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code.
Alerts:
Fedora FEDORA-2005-082 2005-01-28

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CAN-2004-1018 CAN-2004-1019 CAN-2004-1020 CAN-2004-1063 CAN-2004-1064 CAN-2004-1065
Created:December 16, 2004 Updated:March 24, 2005
Description: PHP has an out-of-bounds memory write vulnerability and an integer overflow/underflow problem. See the PHP 4.3.10 Release Announcement for details.
Alerts:
Ubuntu USN-99-2 2005-03-24
Ubuntu USN-99-1 2005-03-18
Fedora-Legacy FLSA:2344 2005-03-07
Red Hat RHSA-2005:032-01 2005-02-15
Red Hat RHSA-2005:031-01 2005-01-19
SuSE SUSE-SA:2005:002 2005-01-17
Conectiva CLA-2005:915 2005-01-13
Fedora FEDORA-2004-567 2004-12-21
Fedora FEDORA-2004-568 2004-12-21
Red Hat RHSA-2004:687-01 2004-12-21
Trustix TSLSA-2004-0066 2004-12-17
Gentoo 200412-14 2004-12-19
Mandrake MDKSA-2004:151 2004-12-17
Ubuntu USN-40-1 2004-12-16
OpenPKG OpenPKG-SA-2004.053 2004-12-16

Comments (1 posted)

postgresql: privilege escalation via LOAD

Package(s):postgresql CVE #(s):CAN-2005-0227
Created:February 1, 2005 Updated:February 7, 2005
Description: John Heasman has discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialization function was then executed with the permissions of the server.
Alerts:
Fedora FEDORA-2005-125 2005-02-07
Fedora FEDORA-2005-124 2005-02-07
Gentoo 200502-08 2005-02-07
Ubuntu USN-71-1 2005-02-01

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: infinite loop

Package(s):ruby CVE #(s):CAN-2004-0983
Created:November 8, 2004 Updated:May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up CPU cycles.
Alerts:
Fedora-Legacy FLSA:152768 2005-05-12
Red Hat RHSA-2004:635-01 2004-12-13
Gentoo 200411-23 2004-11-16
Fedora FEDORA-2004-403 2004-11-11
Fedora FEDORA-2004-402 2004-11-11
Ubuntu USN-20-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Debian DSA-586-1 2004-11-08

Comments (none posted)

samba: integer overflow vulnerability

Package(s):samba CVE #(s):CAN-2004-1154
Created:December 16, 2004 Updated:July 19, 2005
Description: Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server.
Alerts:
Fedora-Legacy FLSA:152874 2005-07-15
Debian DSA-701-2 2005-04-21
Debian DSA-701-1 2005-03-31
Conectiva CLA-2005:913 2005-01-06
Red Hat RHSA-2005:020-01 2005-01-05
Mandrake MDKSA-2004:158 2004-12-27
SuSE SUSE-SA:2004:045 2004-12-22
Red Hat RHSA-2004:681-01 2004-12-21
Fedora FEDORA-2004-562 2004-12-20
Fedora FEDORA-2004-561 2004-12-20
Gentoo 200412-13 2004-12-17
Ubuntu USN-41-1 2004-12-17
OpenPKG OpenPKG-SA-2004.054 2004-12-17
Red Hat RHSA-2004:670-01 2004-12-16

Comments (none posted)

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified denial of service vulnerability. By sending a specially crafted message, an attacker could cause a denial of service against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

Squid: multiple vulnerabilities

Package(s):squid CVE #(s):CAN-2005-0094 CAN-2005-0095
Created:January 17, 2005 Updated:February 2, 2005
Description: Squid contains a vulnerability in the gopherToHTML function and incorrectly checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages. Furthermore, the NTLM code contains two errors: one is a memory leak in the fakeauth_auth helper and the other is a NULL pointer dereference.
Alerts:
Gentoo 200502-04:02 2005-02-02
Fedora FEDORA-2005-106 2005-02-01
Fedora FEDORA-2005-105 2005-02-01
Conectiva CLA-2005:923 2005-01-26
Mandrake MDKSA-2005:014 2005-01-24
Ubuntu USN-67-1 2005-01-20
Debian DSA-651-1 2005-01-20
Gentoo 200501-25 2005-01-16

Comments (none posted)

SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released; it fixes a number of security issues found since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remotely exploitable vulnerability that may allow a denial of service or arbitrary code execution on a server running svnserve. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

sudo: environment variable sanitizing

Package(s):sudo CVE #(s):CAN-2004-1051
Created:November 17, 2004 Updated:May 15, 2005
Description: Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Alerts:
Fedora-Legacy FLSA:152856 2005-05-12
OpenPKG OpenPKG-SA-2005.002 2005-01-17
Debian DSA-596-2 2004-11-24
Debian DSA-596-1 2004-11-24
Ubuntu USN-28-1 2004-11-17
Mandrake MDKSA-2004:133 2004-11-15

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)
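A defensive check of the kind the tar/unzip entry above calls for, added here as an example rather than code from GNU tar or unzip: an archive member name is refused if it is absolute or if any '/'-separated component is "..", so that extraction cannot leave the target directory. safe_member_name() and demo_refused_count() are constructed names, and the member list is constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reject archive member names that could escape the extraction directory.
 * An absolute name or any ".." path component is refused; everything else
 * is accepted.  Illustration code for the check the text says tar lacked,
 * not code from GNU tar or unzip. */
static bool safe_member_name(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')                       /* absolute path */
        return false;

    /* Walk the name one '/'-separated component at a time. */
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                     /* "../" or a trailing ".." */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Constructed member names of the kind a hostile archive might carry;
 * three of the six must be refused. */
static const char *const sample_names[] = {
    "project/README",
    "project/src/main.c",
    "../outside.txt",
    "/tmp/absolute.txt",
    "project/../../escape.txt",
    "project/..hidden/notes.txt",
};
#define SAMPLE_COUNT (sizeof(sample_names) / sizeof(sample_names[0]))

/* Number of sample names an extractor using this check would refuse. */
static int demo_refused_count(void)
{
    int refused = 0;

    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (!safe_member_name(sample_names[i]))
            refused++;
    return refused;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-32s %s\n", sample_names[i],
               safe_member_name(sample_names[i]) ? "ok" : "REFUSED");
    printf("%d of %zu names refused\n", demo_refused_count(), SAMPLE_COUNT);
    return 0;
}
```

The check is deliberately conservative: "project/../../escape.txt" is refused even though a normalizing extractor might compute where it lands, because refusing any ".." component is simpler to reason about than path canonicalization. A name check on its own is also not the whole story for an extractor; it says nothing about a member that creates a symbolic link which a later member is then written through, so an extractor must also refuse to follow links it created itself.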

tiff: buffer overflows

Package(s):tiff CVE #(s):CAN-2004-0803
Created:October 13, 2004 Updated:April 12, 2005
Description: The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Red Hat RHSA-2005:021-01 2005-04-12
Conectiva CLA-2005:914 2005-01-06
Gentoo 200412-17 2004-12-19
Gentoo 200412-02 2004-12-05
Conectiva CLA-2004:888 2004-11-08
Slackware SSA:2004-305-02 2004-11-01
Red Hat RHSA-2004:577-01 2004-10-22
SuSE SUSE-SA:2004:038 2004-10-22
Mandrake MDKSA-2004:111 2004-10-21
Mandrake MDKSA-2004:109 2004-10-19
Debian DSA-567-1 2004-10-15
Fedora FEDORA-2004-334 2004-10-14
OpenPKG OpenPKG-SA-2004.043 2004-10-14
Gentoo 200410-11 2004-10-13

Comments (none posted)

unarj: buffer overflow vulnerability

Package(s):unarj CVE #(s):CAN-2004-0947
Created:November 11, 2004 Updated:February 2, 2005
Description: The unarj uncompression utility has a buffer overflow vulnerability in its handling of long file names in an archive. An attacker can cause unarj to crash or execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:2272 2005-02-01
Debian DSA-652-1 2005-01-21
Red Hat RHSA-2005:007-01 2005-01-12
Gentoo 200411-29 2004-11-19
Fedora FEDORA-2004-414 2004-11-11

Comments (none posted)

uw-imap: authentication bypass

Package(s):uw-imap imap CVE #(s):CAN-2005-0198
Created:February 2, 2005 Updated:March 1, 2005
Description: The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions.
Alerts:
SuSE SUSE-SA:2005:012 2005-03-01
Red Hat RHSA-2005:128-01 2005-02-23
Mandrake MDKSA-2005:026 2005-02-01
Gentoo 200502-02 2005-02-02

Comments (1 posted)

vim: modeline problems

Package(s):vim CVE #(s):CAN-2004-1138
Created:December 15, 2004 Updated:February 24, 2005
Description: A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user.
Alerts:
Fedora-Legacy FLSA:2343 2005-02-23
Mandrake MDKSA-2005:003 2005-01-06
Ubuntu USN-52-1 2004-12-23
Red Hat RHSA-2005:010-01 2005-01-05
OpenPKG OpenPKG-SA-2004.052 2004-12-15
Gentoo 200412-10 2004-12-15

Comments (none posted)

vim: symbolic link attack

Package(s):vim CVE #(s):CAN-2005-0069
Created:January 18, 2005 Updated:February 18, 2005
Description: Javier Fernández-Sanguino Peña noticed that the auxiliary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim).
Alerts:
Red Hat RHSA-2005:122-01 2005-02-18
Red Hat RHSA-2005:036-01 2005-02-15
Mandrake MDKSA-2005:029 2005-02-02
Ubuntu USN-61-1 2005-01-18

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2004-1125
Created:December 23, 2004 Updated:April 1, 2005
Description: xpdf has a potential buffer overflow problem caused by insufficient input validation. A specially crafted PDF file can allow an attacker to execute code with the privileges of the user running xpdf.
Alerts:
Red Hat RHSA-2005:354-01 2005-04-01
Red Hat RHSA-2005:018-01 2005-01-12
Gentoo 200501-17 2005-01-11
Gentoo 200501-13 2005-01-10
Fedora FEDORA-2004-585 2005-01-03
Fedora FEDORA-2004-584 2005-01-03
Debian DSA-621-1 2004-12-31
Mandrake MDKSA-2004:166 2004-12-29
Mandrake MDKSA-2004:165 2004-12-29
Mandrake MDKSA-2004:162 2004-12-29
Mandrake MDKSA-2004:164 2004-12-29
Mandrake MDKSA-2004:163 2004-12-29
Mandrake MDKSA-2004:161 2004-12-29
Debian DSA-619-1 2004-12-30
Gentoo 200412-25 2004-12-28
Gentoo 200412-24 2004-12-28
Fedora FEDORA-2004-575 2004-12-22
Fedora FEDORA-2004-574 2004-12-22
Fedora FEDORA-2004-573 2004-12-22
Fedora FEDORA-2004-572 2004-12-22
Ubuntu USN-50-1 2004-12-23
Ubuntu USN-48-1 2004-12-23

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf kpdf cupsys CVE #(s):CAN-2004-0888 CAN-2004-0889
Created:October 21, 2004 Updated:February 18, 2005
Description: Several xpdf integer overflow vulnerabilities can be exploited via a malformed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys, which share code. Additional information can be found in this KDE security advisory.
Alerts:
Fedora FEDORA-2005-138 2005-02-09
Fedora FEDORA-2005-137 2005-02-09
Fedora FEDORA-2005-133 2005-02-09
Fedora FEDORA-2005-134 2005-02-09
Fedora FEDORA-2005-136 2005-02-09
Fedora FEDORA-2005-135 2005-02-09
Fedora FEDORA-2005-123 2005-02-08
Fedora FEDORA-2005-122 2005-02-08
Debian DSA-599-1 2004-11-25
Gentoo 200411-30 2004-11-23
Conectiva CLA-2004:886 2004-11-08
Gentoo 200410-30:02 2004-10-28
Gentoo 200410-20:02 2004-10-21
Debian DSA-581-1 2004-11-02
Ubuntu USN-14-1 2004-11-01
Ubuntu USN-9-1 2004-10-27
Gentoo 200410-30 2004-10-28
Fedora FEDORA-2004-358 2004-10-28
Fedora FEDORA-2004-357 2004-10-28
Red Hat RHSA-2004:592-01 2004-10-27
Fedora FEDORA-2004-337 2004-10-26
SuSE SUSE-SA:2004:039 2004-10-26
Ubuntu USN-2-1 2004-10-22
Red Hat RHSA-2004:543-01 2004-10-22
Mandrake MDKSA-2004:115 2004-10-21
Mandrake MDKSA-2004:116 2004-10-21
Mandrake MDKSA-2004:114 2004-10-21
Mandrake MDKSA-2004:113 2004-10-21
Gentoo 200410-20 2004-10-21
Fedora FEDORA-2004-348 2004-10-21
Debian DSA-573-1 2004-10-21

Comments (none posted)

zip: arbitrary code execution

Package(s):zip CVE #(s):CAN-2004-1010
Created:November 5, 2004 Updated:February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Fedora-Legacy FLSA:2255 2005-02-01
Debian DSA-624-1 2004-01-05
Red Hat RHSA-2004:634-01 2004-12-16
Mandrake MDKSA-2004:141 2004-11-25
Gentoo 200411-16 2004-11-09
Fedora FEDORA-2004-399 2004-11-08
Fedora FEDORA-2004-400 2004-11-08
Ubuntu USN-18-1 2004-11-05

Comments (1 posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Resources

kses 0.2.2 released

kses is an HTML filter for PHP programs. If you have a PHP-based site which allows users to post content, kses can help you ensure that nothing nasty gets posted. Click below for details and download information.

Full Story (comments: none)

Events

[ISN] NSPW 2005 Call For Papers

The New Security Paradigms Workshop will be held September 20 to 23 in Lake Arrowhead, California. The call for papers has gone out; the submission deadline is March 28.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.11-rc3, released by Linus on February 2. This prepatch adds an XFS update, a set of out-of-memory killer fixes, a generic transport class mechanism (which replaces the SCSI transport code), some architecture updates, the removal of bcopy(), a fix for writable module parameters in sysfs (it never actually worked before), and various fixes. See the long-format changelog for the details.

Linus's BitKeeper repository contains a small number of patches, including some IDE updates, some additional checking in read() and write() (see below), a DMA blacklist for problematic serial ATA drives, and a handful of fixes.

The current -mm tree is 2.6.11-rc3-mm1. Recent changes to -mm include a firewire update, the address space randomization patches (covered on last week's security page), the "BIO pool" mechanism, the removal of the realtime rlimit patch (see below), and more fixes.

There still have been no 2.4.30 prepatches.

Comments (none posted)

Kernel development news

Quotes of the week

A large part of kernel history is currently practically locked into bk. bk isn't doing what I need, so naturally I'm looking for alternatives, but I don't have the freedom to take my data and try it with some other tool. Was that really part of the deal when bk was introduced that I'm denied of this freedom?
-- Roman Zippel

It's exactly the same as a file system. If you put some files into a file system does the file system creator owe you the knowledge of how those files are maintained in the file system? Since when is that part of the deal?
-- Larry McVoy

If you must follow this conversation, the thread can be found over here.

Comments (11 posted)

Audio latency goes full circle

Two weeks ago, it appeared that a solution to the problem of low-latency scheduling for audio applications had been found. Ingo Molnar's approach, which allowed unprivileged processes to use the realtime scheduling modes as long as they did not use more than an administrator-specified portion of the available CPU time, seemed like a reasonably straightforward way to go. Ingo's patch had gone into the -mm tree for further testing.

The rlimit approach keeps a rogue process from taking over the system entirely. It does not, however, prevent abuse by poorly-behaved software. If even limited access to realtime scheduling became widely available on Linux systems, it would only be a matter of time until developers figured out that they could make their programs seem faster by using the realtime mode. Proprietary applications could be particularly problematic in this regard; distributors would likely rip out unwarranted realtime scheduling calls in free software that they ship, but that cannot be done with proprietary code.

Other concerns with the rlimit approach include the need for some audio applications to get fast access to the CPU even if they require 100% of the available time, and general unease with tweaking the scheduler for this use. The end result is that the rlimit patch has come back out of -mm, and Ingo has said:

i'm not opposed to the LSM solution per se, especially given that none of the other solutions in existence are fully satisfactory (and thus acceptable for the scheduler currently). The LSM patch is clearly the least intrusive solution.

Those who have been following the discussion will remember that the whole long thing began because certain kernel developers did not feel that the realtime security module (which gives members of an administrator-specified group access to realtime scheduling) was acceptable for inclusion. So the discussion has come back to where it started, and it appears that the realtime security module will be merged (though that had not happened as of this writing). Ingo apologized for the whole thing, explaining it this way:

it is just an unfortunate situation that the issue here is _not_ clear-cut at all. It is a longstanding habit on lkml to try to solve things as cleanly and generally as possible, but there are occasional cases where this is just not possible.

One remaining problem with the realtime security module is that it gives audio users the right to monopolize the processor with any program they run, not just audio utilities. Making the audio programs run in a setgid mode might seem like a way around that issue, except for the fact that the GTK+ toolkit actively prevents things from working that way. The unfortunate result is that users must be given more privilege than they actually need. Most of the time, that should be acceptable; multi-user audio workstations are likely to be relatively rare.

Comments (12 posted)

read() and write() access checking

Long ago, when the 2.0 kernel was the state of the art, the implementation of the read() and write() system calls (and readv() and writev() too) behaved a little differently than now. Then, as now, the main purpose of the core implementation of those system calls was to pass the call on to the appropriate function in the filesystem code or device driver handling the file of interest after dealing with any relevant file locking details. In many ways, sys_read() and friends in 2.6 look very much like they did in 2.0.

The 2.0 implementation differed, however, in that it checked whether the calling process had the ability to read or write the buffer it passed into the kernel. The semantics of a read() call, say, should be the same regardless of where the data is being read from. So it made sense to check, before invoking the VFS or device driver, that the buffer passed to read() was writable by the calling process. In 2.2, that check went away, possibly as part of the big changes made to how user-space access checks were implemented. Performing those checks became entirely the responsibility of the lower-level code.

Linus recently merged a patch which restores the upper-level checks for 2.6.11. The reason given with the patch is that checks performed in lower-level code only verify the range of memory which will actually be read from or written to. If that range is smaller than the application requested (because the file is not that long, say), part of the range requested by the application will not be checked. The operation of the system is entirely correct in this case, but an opportunity to flag a bug in the calling program will have been missed.

It also doesn't hurt that placing the check at the entry point to the kernel ensures that it will be done in all situations. One less opportunity for security problems resulting from forgotten checks in lower-level code can only be a good thing. It seems almost certain that at least one such vulnerability must exist somewhere in the 2.6 kernel.

One might conclude that low-level code, such as device drivers, need no longer perform the access_ok() check, since it is now being handled at a higher level. A prudent developer, however, would probably leave that check in place. It is quite cheap on most architectures (it generally just ensures that the given buffer is not located in kernel space), and the higher-level checks went away once before. Safe is better than sorry, especially when being safe is so easy.

(For completeness, it's worth noting that Linus merged another patch which ensures that a read or write operation does not overflow the file offset.)
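The difference between checking only the range the lower-level code will actually touch and checking the whole range the application asked for, as an added example in the form of a user-space model (illustration code written for this page, not kernel code): a byte array stands in for the caller's address space, model_access_ok() plays the part of the cheap access_ok() range check, and lowlevel_read(), sys_read_old() and sys_read_new() are constructed names for the two entry-point behaviours the article describes. The offset-overflow test in sys_read_new() models the separate patch mentioned at the end of the article; the error value it returns is this example's choice.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A fixed byte array stands in for the caller's address space; offsets past
 * its end stand in for kernel memory.  model_access_ok() plays the part of
 * the cheap access_ok() range check; it is not the kernel's macro. */
#define USER_SPACE_SIZE 4096
static unsigned char user_space[USER_SPACE_SIZE];

/* Constructed "file" that is much shorter than a typical read request. */
static const char file_data[] = "hello, world\n";
#define FILE_LEN (sizeof(file_data) - 1)

/* Is the byte range [off, off + len) entirely inside the user area? */
static bool model_access_ok(size_t off, size_t len)
{
    if (len > USER_SPACE_SIZE)
        return false;
    return off <= USER_SPACE_SIZE - len;
}

/* Lower-level handler in the pre-2.6.11 style the text describes: it only
 * verifies the range it is actually going to write, which is the smaller of
 * the request and what is left of the file. */
static long lowlevel_read(size_t buf_off, size_t count, size_t *pos)
{
    size_t remaining = *pos < FILE_LEN ? FILE_LEN - *pos : 0;
    size_t n = count < remaining ? count : remaining;

    if (!model_access_ok(buf_off, n))
        return -EFAULT;
    memcpy(user_space + buf_off, file_data + *pos, n);
    *pos += n;
    return (long)n;
}

/* Entry point as it was from 2.2 through 2.6.10: no check of its own. */
static long sys_read_old(size_t buf_off, size_t count, size_t *pos)
{
    return lowlevel_read(buf_off, count, pos);
}

/* Entry point with the restored upper-level check: the whole requested range
 * is verified before any lower-level code runs.  The first test models the
 * separate file-offset overflow patch; -EINVAL is this example's choice. */
static long sys_read_new(size_t buf_off, size_t count, size_t *pos)
{
    if (count > SIZE_MAX - *pos)
        return -EINVAL;
    if (!model_access_ok(buf_off, count))
        return -EFAULT;
    return lowlevel_read(buf_off, count, pos);
}

/* The scenario from the text: a 100-byte request into a buffer with only
 * 16 bytes of user space behind it, against a 13-byte file.  Returns the
 * result of the call; the caller chooses which entry point to model. */
static long demo_short_file_read(bool with_entry_check)
{
    size_t pos = 0;
    size_t buf_off = USER_SPACE_SIZE - 16;

    return with_entry_check ? sys_read_new(buf_off, 100, &pos)
                            : sys_read_old(buf_off, 100, &pos);
}

/* A well-formed request: the extra check changes nothing. */
static long demo_normal_read(void)
{
    size_t pos = 0;

    return sys_read_new(0, 100, &pos);
}

/* A request whose end would wrap the file offset. */
static long demo_offset_overflow(void)
{
    size_t pos = SIZE_MAX - 4;

    return sys_read_new(0, 100, &pos);
}

int main(void)
{
    printf("old entry point, short file, bad buffer: %ld\n", demo_short_file_read(false));
    printf("new entry point, short file, bad buffer: %ld\n", demo_short_file_read(true));
    printf("new entry point, normal read:            %ld\n", demo_normal_read());
    printf("new entry point, offset overflow:        %ld\n", demo_offset_overflow());
    return 0;
}
```

The first two lines of output are the point: the old-style entry point returns 13 for a buffer that has room for only 16 bytes, because the short file keeps the actual copy in bounds and the application's oversized request is never examined, while the restored check returns -EFAULT for the same call. The model's check is as cheap as the article says the real one is, a comparison against the end of the user area, which is also why leaving the lower-level check in place costs nothing.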

Comments (none posted)

More hooks for kernel events

The kernel has, for a while now, been accumulating hooks for informing user space when things happen. Some of the current mechanisms include:

  • The hotplug mechanism, which invokes a user-space program (/sbin/hotplug by default) when kobjects are registered or unregistered (generally in response to the addition or removal of hardware on the system).

  • The Linux security module (LSM) hooks, which enable a loadable module to respond to (and possibly veto) dozens of actions by user-space processes. The LSM mechanism is used by, among other things, SELinux and the realtime LSM module.

  • The lightweight audit framework uses a netlink socket to pass information on kernel events to user space, with the idea that these events will be logged somewhere.

  • The kernel events mechanism, which also uses netlink, is a simple scheme for notifying user space of events which might be of interest to the user(s).

One might think that, at this point, the kernel is sufficiently well instrumented that more hooks would be unnecessary. But more are on the way.

One of those is the relay fork module, proposed by Guillaume Thouvenin. Its sole purpose is to inform interested user-space processes when a process forks; the intended user is the enhanced Linux system accounting project. Rather than use one of the existing mechanisms for conveying information to user space, the relay fork patch works by sending a signal to the interested process(es) whenever a fork occurs.

The patch works by adding a new sysfs directory (/sys/relayfork) with a couple of control attributes. The attribute signal controls which signal is sent; by default, signal 33 (which is in the realtime signal range on most architectures) is used. The other attribute (processes) contains a list of the processes receiving these signals. Registering a process for receipt of "relay fork" signals is simply a matter of writing its process ID to the processes attribute.

This patch may eventually go in, but probably not with the signal mechanism. Guillaume was encouraged to use the kernel events mechanism instead, and he has agreed that it is a workable solution.

Meanwhile, the vSecurity project is working to put together a number of hardening technologies in a form suitable for merging into the mainline. To that end, a couple of new LSM hooks have been proposed. This one adds a hook for invocations of the chroot() call, which, interestingly, has no such hook now. The purpose is not so much to control the use of chroot() as to note that it has happened and take steps, in other security hooks, to ensure that the process does not break out of its restricted subtree.

The other patch adds a hook to chmod(). This one is unlikely to be merged, since a separate hook, which is called for inode attribute changes, already exists. The vSecurity hacker (Lorenzo Hernández García-Hierro) has indicated that he has other hooks he wishes to place, but those have not yet been posted for review.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

A look at Slackware 10.1

February 9, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

You can't keep a good distribution, or maintainer, down. Despite Patrick Volkerding's "medical vacation", Slackware 10.1 has been released.

Slackware 10.1 continues the tradition of shipping well-tested and solid software rather than focusing on the cutting edge. Though the 2.6 kernel has been out for more than a year, Volkerding decided that the 2.4 kernel was more appropriate for this release of Slackware. The default is the 2.4.29 kernel, though a 2.6.10 kernel is available for those who want to use the 2.6 tree.

We installed Slackware 10.1 on a Pentium III 500 MHz system with 384 MB of RAM. We chose a full install, which took about 30 minutes. Slackware can still be installed from a single CD, but to install GNOME and other packages requires the second CD. The "full" install consumes about 3 GB of disk space.

There are few surprises with Slackware 10.1. The installer is essentially the same as 10 - a plain-text menu-based installer that offers few frills, but works well on lower-end machines. Despite the fact that Slackware doesn't offer a mouse-driven GUI installer, it's still user-friendly and easy to use.

There is plenty of desktop and server software included with 10.1. The latest release comes with several desktop options including GNOME 2.6.1 and KDE 3.3.2. This writer's favorite desktop, Xfce (version 4.2.0), is included as well. (It's interesting to note that Xfce is billed "above" GNOME in the release announcement.) What's not included might be worth noting as well. Oddly, Slackware doesn't include Mozilla Firefox, which most users might expect to find in a current distribution. Instead, Slackware comes with Mozilla 1.7.5, Netscape 7.2 and Konqueror 3.3.2 for the user's choice of browsers.

Koffice, Abiword and Gnumeric are included, but OpenOffice.org and Evolution are not. The exclusion of OpenOffice.org makes some sense, since OO.org takes up quite a bit of space, and would cut into space available on the install discs. It's easily found on the OpenOffice.org website, and shouldn't be that difficult to install for the average Slack user. Evolution, on the other hand, is a bit less fun to install from scratch.

On the server side, Slackware 10.1 comes with Apache 1.3.33, MySQL 4.0.23, PHP 4.3.10, Bind 9.3.0 and Sendmail 8.13.3. Slackware is one of the few Linux distributions to still ship with Apache 1.3.x as the default, rather than the Apache 2.0 series.

Slackware's package management has been much maligned by users of RPM and Debian-based systems, but Slack's package management has a few add-on tools that make it competitive with Yum or APT. Slackware still uses pkgtool, but Slackware 10.1 includes slackpkg, a tool similar to APT or Yum that allows Slackware users to easily update and install Slackware packages from remote repositories. This tool actually made its debut some time ago, but it's still not part of the core distribution. Users who want to try Debian-style package management will need to hunt it down in the Slackware extras. For users who want or need RPM, it is included as well.

Slackware continues to live up to its reputation as a solid, "Unix-like" Linux distribution. The only real disappointment, at least for this writer, is that Slackware doesn't have a native x86-64 port available. However, for x86 users, Slackware makes a great distribution.

We wish Pat the best of health in 2005, and are looking forward to Slackware 11.

Comments (3 posted)

Distribution News

Slackware 10.1 released

Slackware 10.1 has been released. Features in 10.1 include a 2.6.10 kernel (though 2.4.29 remains the default), X.Org X11R6.8.1, new package management tools, and much more; see the announcement for the details.

Comments (3 posted)

Mandrakelinux Corporate Server 3.0 now LSB 2.0 certified

Mandrakesoft has announced that Mandrakelinux Corporate Server 3.0 has received LSB 2.0 certification. "This certification is in line with Mandrakesoft's earlier announcement about its participation in the Linux Core Consortium (LCC): going forward, the Corporate Server line of products will be based on the LSB-compliant LCC operating system architecture." Click below for the full press release.

Full Story (comments: none)

Yellow Dog Linux v4.0.1 Supports Mac mini & iMac G5

Terra Soft Solutions has announced (click below) Yellow Dog Linux v4.0.1 with lots of updates, including the return of sleep and audio for pre-G5s; thermal support for G5s; and support for the iMac G5 and Mac mini.

Full Story (comments: 1)

New Ubuntu 'Array' Release

Ubuntu Linux has announced another Ubuntu Array release, featuring the new LiveCD. This and future releases will have synchronized LiveCD and installer CDs available.

Comments (none posted)

Guadalinex and Ubuntu

Guadalinex has announced (click below) that its 2005 release will be based on Ubuntu.

Full Story (comments: none)

Unofficial Fedora FAQ Update

The Unofficial Fedora FAQ has been updated. You'll find all new information on the new ATI drivers, an updated yum.conf to work with Fedora Extras, and more. Click below for the announcement.

Full Story (comments: none)

Debian Project Leader Elections

Nominations for Debian Project Leader are now open. All nominations should be cryptographically signed and sent to debian-vote. Nominations will be open until February 28th, after which will be a period for campaigning and an IRC debate between candidates. "Speaking of the debate, I would like to invite people to be panelists for the IRC debate (to be held on irc.oftc.net). The debate should be held on IRC after the rebuttals are posted, and before the voting starts, at the convenience of the candidates, and the panelists (which kinda puts it roughly in the ides of March, I think)."

Full Story (comments: 1)

Call For Papers for DebConf5 in Helsinki

The annual Debconf conference is the technical and social forum for Debian developers, sponsors, affiliates, and friends. It allows various groups within Debian a chance to come together and network. This is the time to submit a proposal to present a technical paper or tutorial, or to host a meeting (BoFS, or Birds of a Feather Session). Click below to find out more.

Full Story (comments: none)

Distribution Newsletters

Ubuntu Traffic #20

Benjamin Mako Hill is still getting caught up on IRC and mailing list activity. This Ubuntu Traffic covers the last week of 2004. Threads covered in this issue include Ars Technica Awards, Supporting Different Pythons, Documenting the Ubuntu Documentation Project, Ubuntu Minimum Specifications, LSB and Ubuntu, Beagle!, Security "Hardened" Kernels, Ubuntu on Servers, Encrypted Swap, Documentation Team Happenings, and Ubuntu Security Notifications.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for February 7, 2005 is out with a look at the Gentoo booth at LinuxWorld, the 2,000,000th post since the creation of Gentoo's phpBB user support forum, two new support platforms for audio/video discussions, and more.

Comments (none posted)

Debian Weekly News

The Debian Weekly News for February 9, 2005 is out. This week's news includes Elizabeth Garbee's talk at LinuxConf.au, a Debian kernel IRC meeting, uploading packages without ftp, a report from the Debian booth at Solutions Linux, Paris, running Debian on the Mac Mini, a discussion on valid file names, and more.

Full Story (comments: none)

DistroWatch Weekly, Issue 86

The DistroWatch Weekly for February 7, 2005 is available. "Welcome to this year's 6th issue of DistroWatch Weekly! In this issue we'll talk about Ubuntu's rapid surge in popularity, cover the release of Slackware Linux 10.1, reveal a much-requested page for Sun Microsystem's Solaris operating system, and bring you news about several new distributions developed in various corners around the world. Happy reading!"

Comments (none posted)

Minor distribution updates

Devil-Linux v1.2.3 released

Devil-Linux v1.2.3 has been released. "The changes include Kernel 2.4.29, addition of a tftp server, serial console support for install-on-usb, many program updates and many other changes."

Full Story (comments: none)

GNUstep Live

The GNUstep Live CD v0.9.4 has been released. "Software using GNUstep (Addresses, Agenda, AClock, Affiche, BioCocoa, Camaelon, CamelBones, Camera, Charmap, Cenon, Connect, Cynthiune, DisplayCalibrator, EasyDiff, EdenMath, Fortunate, Gridlock, Gorm, Gomoku, GNUMail, GNUstep-icons, GNUstepWrapper, GNUWash, GWorkspace, GTAMS, HelpViewer, InnerSpace, ImageViewer, LapisPuzzle, LaTeX Service, LuserNET, Mines, MPDCon, Paje, ProjectCenter, PRICE, Poe, Preferences, PlopFolio, Preview, Renaissance, RSS Reader, Scheme, Shisen, Stepulator, StepTalk, StepBill, TalkSoup, TimeMon, Terminal, TextEdit, ViewPDF, VolumeControl, Waiho, WildMenus, Zillion, Zipper)"

Full Story (comments: 1)

Specifix Linux

Specifix Linux has announced the release of Specifix 0.21 Alpha. "Every package in the entire distribution has been rebuilt. We had to rebuild everything anyway because we changed to storing all our sources in the repository (a move long planned but only recently implemented, for various trivial reasons). In addition, rebuilding means that the packages all have "trove info", including size, the source trove from which they are built, time they were built, and the version of Conary that built them (view this information with conary rq --info). Lastly, this rebuild incorporates the new LSB /srv directory for things that used to be in /var but are local information that is permanent in character."

Comments (none posted)

Package updates

Fedora Core updates

FC3 updates: kernel-2.6.10.1.760_FC3 (disable longhaul driver, fix NFSv3 oops), xpdf-3.00-10.3 (fix handling CID font encodings in freetype), kdepim-3.3.1-1.FC3.1 (apply patch to fix buffer overflow), system-config-printer-0.6.116.1.1-1 (bug fixes), hwbrowser-0.19-0.fc3.2 (fix pygtk2-libglade requirement), python-2.3.4-13.1 (fix object traversal bug).

FC2 updates: kernel-2.6.10-1-12_FC2 (disable longhaul driver, fix NFSv3 oops), hotplug-2004_04_01-1.1 (fixes updfstab in the presence of multiple USB plug/unplug events).

Comments (none posted)

Newsletters and articles of interest

Becoming a Debian developer (NewsForge)

In this NewsForge article Bruce Byfield looks at the process of becoming a Debian developer. "Martin Michlmayr, Debian Project Leader and a member of the New Maintainer Committee, strongly advises anyone interested in becoming a developer to make other contributions to Debian first. That way, they can learn what they need to know beforehand. They can also decide whether they are willing to commit the necessary time. Inactive developers are a continual problem, especially with package maintenance, and candidates who know what to expect are less likely to drop out after being accepted."

Comments (none posted)

Distribution reviews

My workstation OS: Libranet (NewsForge)

NewsForge has a brief review of Libranet. "Long-time Libranet users know that what makes Libranet unique and powerful is its Adminmenu tool. Adminmenu has a large number of utilities that not only include the basics and the required, but also the downright handy. For primary needs, there are setup utilities for sound, video, users, networking, and packages. For handiness' sake, there are utilities for configuring the time and APT sources, and scanning for SCSI and SCSI emulation devices and Zip drives. There are all kinds of shortcut applications for installing browser plug-ins and RealPlayer, changing the monitor resolution and mouse cursors, and more."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The GRASS Geographical Information System

February 9, 2005

This article was contributed by Frank Pohlmann

GRASS GIS is one of the most under-hyped open-source applications currently in existence. GRASS stands for "Geographic Resources Analysis Support System"; it represents the most complete Geographical Information System available under the GPL.

The history of GRASS

GRASS has been in existence since 1982, according to the history document. It started life as a so-called environmental planning and land management system; its function was to enable the US Army Corps of Engineers' Construction Engineering Research Laboratory (USA-CERL) to manage the Pentagon's considerable landholdings.

GRASS originated on a VAX Unix environment and was ported to various Unix flavors during the 1980s. The project leader Bill Goran and the software architect L. Van Warren initially assumed that other commercial GIS systems would be easily accessible, and that they would be able to adapt such systems to the Pentagon's needs. After some analysis, they realized that no existing GIS system would meet the Pentagon's standards; they decided to create GRASS mostly from scratch, although existing Unix libraries were used wherever possible. GRASS was released as public domain software in 1985. The project received feedback from other development groups working at federal institutions and universities.

In 1996, version 5 was in the making, but USA-CERL decided to withdraw support from the public domain version of GRASS, and collaborated with several commercial entities to create the non-free GRASSLANDS and other derivatives. In 1999 GRASS was released under the GPL while under the leadership of the University of Baylor and Markus Neteler, then at the University of Hanover. Various ports to a number of Linux flavors and non-Intel architectures have come into existence since.

These days the stable 5.4 version is available for Linux, Mac OS X, and Windows NT/2000/XP under Cygwin. It is possible to run GRASS on a number of Unix systems, but one would be well advised to compile from source, since, despite assurances to the contrary, binaries are not always available. The same advice applies to version 6.0.0; so far there are only beta and development versions available.

The GRASS Architecture

GRASS is currently undergoing a major version change, from 5.4 to 6.0.0. GRASS consists of more than 350 programs and scripts, and most can be accessed from the command line. The project is almost completely GUI-accessible now. It has been running with a Tcl/Tk interface since version 5.4; that interface was initially coded by Jacques Bouchard. The Tcl/Tk version of GRASS is known as tcltkgrass, although from version 6.0.0 forward the interface has been changed considerably. The reliance on Tcl/Tk is set to grow less and less pronounced. All modules included in the GRASS tool chain that require user interaction use a new display manager to create GUIs every time they are instantiated.

The internationalization framework for GRASS has been fully implemented, and character sets which are part of the Unicode standard can be used to implement new localization projects. The display routines now support the multi-byte character sets used in East Asian languages.

GRASS is huge: there are currently more than 1 million lines of C code. Binary versions weigh in between 30 and 150 MB, depending on the options enabled at compile time and the operating system target. C++ support is being added, although it is not clear to what extent future modules should be written in C++.

All GIS tool chains rely on databases to handle their spatial data. Internally, GRASS relies on dBase, although interfaces to external database engines like MySQL, PostgreSQL and ODBC-based database engines exist, and are well supported. Anyone writing new modules for GRASS database access will not have to pay attention to the specifics of the database engine. For users and programmers, a basic Unix-type sub-directory structure with pre-configured directory names has to be created first, since it is hard coded into the GRASS installation and configuration files.

Multiple GRASS sessions can now be started from the same installation. This is particularly useful for instances where users might want to work on different versions of the same dataset. It is even possible to start 5.4 sessions and 6.0 sessions concurrently without having to worry about version conflicts.

GRASS supports both raster-based and vector-based data management; but unlike many other GIS systems, it supports a large variety of image processing modules, the creation of maps using the PROJ.4 cartographic projections library, and data visualization. GRASS can process 2D and 3D raster data in 40 different formats, including the bmp and jpeg formats as well as the less common JDEM format. The GDAL library supports many formats, although many of the more obscure formats can only be read, not created. 3D raster (voxel) volumes have been folded into GRASS quite recently with the 5.7 development version. Routines from the scriptable NVIZ package make it easy to visualize the same 3D raster data, since it includes new 3D display routines.

Vector data handling has been the subject of a complete rewrite. GRASS 6.0.0 is now able to handle topological vector data fully, and the vector geometry engine uses a data format that can live on 32 and 64-bit processors. Internal data structures have been rewritten in such a way that vector data can be accessed much more quickly. Vector data include non-spatial attributes that are best processed by traditional SQL-driven database management systems, a factor in the decision to include external database support.

GRASS can also handle PostGIS geographical objects stored on PostgreSQL. PostGIS objects are accessed as a vector file format. They are made available through the OGR Simple Features Library, which is a part of the GDAL package.

GRASS Applications

GRASS has been used in many contexts, from academic environments to soil erosion modeling and social science simulations. Vector network analysis is a well-established technique that adds another data modeling layer to the range of information evaluation tools already available. Statistical routines are accessible via the R interface, which makes it possible to produce geostatistics.

The number of interfaces, scripting routines, visualization packages as well as its stability and scalability make GRASS a truly unique addition to the stable of Linux applications. GRASS has also become the focus around which several Linux distributions have been built, including GIS Knoppix and Quantian. Enjoy!

Comments (5 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include the addition of Qjackctl 0.2.15-1, the 2.6.10 kernel for Fedora Core 2 and 3, ZynAddSubFX 2.1.1-2, and Pd externals for Fedora Core 3.

Comments (none posted)

Database Software

PostgreSQL Security Release for versions 8.0, 7.4, 7.3, and 7.2

A security release of the PostgreSQL database has been announced. "In order to address a potential security hole recently identified with the "LOAD" option, the PostgreSQL Global Development Group is announcing the release of new versions of PostgreSQL going back to the 7.2.x version."

Comments (none posted)

PostgreSQL Weekly News

The February 4 2005 edition of the PostgreSQL Weekly News is online with the week's summary of PostgreSQL database information.

Full Story (comments: none)

Object-Relational Mapping with SQLMaps (O'ReillyNet)

Sunil Patil looks at SQLMaps on O'Reilly. "Hibernate is great--if your DBA will let you run generated database queries on his or her system. Sometimes you need to keep the option of hand-optimized queries open. Sunil Patil introduces SQLMaps, a framework that allows you to do just that."

Comments (1 posted)

MySQL-python 1.1.10

Version 1.1.10 of MySQL-python, the Python interface to the MySQL database, is out. "MySQL-3.22 through 4.1 and Python-2.3 through 2.4 are currently supported."

Comments (none posted)

MySQL Triggers Tryout (O'Reilly)

Peter Gulutzan explores MySQL triggers on O'Reilly. "MySQL 5.0, the alpha version of MySQL that's available for testing new features, has trigger support. This is no surprise, as triggers were promised in the MySQL Development Roadmap, but it's a novel experience to work with one of the big "MySQL can't do that" features and watch MySQL doing it."

Comments (none posted)

Interoperability

Samba 3.0.11 Available for Download

Stable version 3.0.11 of Samba is available for download. "This is the latest stable release of Samba. This is the version that production Samba servers should run for all current bug-fixes."

Full Story (comments: none)

Networking Tools

Nagios Plugins 1.4 released (SourceForge)

Version 1.4 of Nagios Plugins, an open source monitoring system, is available. "This release includes major enhancements. With the growth of internet enabled devices, the IPv4 addressing range will be used up soon. Jeremy T Bouse has integrated IPv6 support into our networking utilities, so you can now monitor your next generation network."

Comments (none posted)

Peer to Peer

WASTE v1.5 beta 3 Now Available (SourceForge)

WASTE "is an anonymous, secure, and encrypted collaboration tool which allows users to both share ideas through the chat interface and share data through the download system." Version 1.5 beta 3 of WASTE has been announced. "This new release features a brand new installer, a mini version for those with a low bandwidth connection (excludes documentation), and the first release of WASTE in other languages."

Comments (1 posted)

Web Site Development

ATutor 1.4.3 Released (SourceForge)

Version 1.4.3 of ATutor, a Web-based Learning Content Management System (LCMS), is available. "Current ATutor users are encouraged to upgrade their systems to take advantage of the many new features that have been added to this release."

Comments (none posted)

UnCommon Web 0.3.5 released

Version 0.3.5 of UnCommon Web, a Common Lisp-based web application development framework, is out. "This version features several changes related to components and component rendering, the TAL/YACLML template and formatting languages, backends, documentation, and more."

Full Story (comments: none)

Desktop Applications

Accessibility

The Silent Soundtrack (O'Reilly)

John E. Simpson applies XML to captioning on O'Reilly. "It's taken a while for movie producers and distributors to catch up to the closed-captioning capabilities of the hardware, but they're almost there. Yet in one important area, content is still all too often obscured from my earnest attention: computerized multimedia. From games to Flash and Shockwave animations to Quicktime and Windows Media clips, what's going on on my PC is frequently just flat-out lost on me. Computers... text... hmmm. You'd think XML might come to the rescue here. And so it does."

Comments (none posted)

Business Applications

Compiere R2.5.2 with Database Independence (SourceForge)

Version 2.5.2 of Compiere, an ERP + CRM business application, has been announced. "Compiere to date, has been available on Oracle. We are pleased to announce that it is now also available on Sybase. Several independent open source projects have ported Compiere to different databases."

Comments (none posted)

Data Visualization

Gmsh 1.59 is available

Version 1.59 of Gmsh, a three-dimensional finite element mesh generator, has been announced. "In addition to the usual bug fixes, Gmsh 1.59 adds support for discrete surfaces, introduces several new default plugins, and improves the solver interface."

Comments (none posted)

Desktop Environments

The Equinox Desktop Environment

Equinox Desktop Environment is a new lightweight desktop system that is based on FLTK, the Fast, Light ToolKit.

Equinox Desktop Environment (EDE for short) is a small desktop environment, built to be simple and fast. It is based on a modified FLTK library (called extended FLTK or just eFLTK). Compared to other desktop environments, EDE is much faster and smaller in memory space (EDE's window manager uses less memory than xterm). By the way, it is, for now, a little bit buggy :(

EDE Version 1.0.2 was announced this week; it promises stability improvements and new features.

Comments (none posted)

GNOME 2.10 Beta 1 Public Testing Release (GnomeDesktop)

GnomeDesktop has an announcement for the new GNOME 2.10 Beta 1 Public Testing Release. "Also known as 2.9.90, GNOME 2.10 Beta 1 is the first pre-release intended for wide public scrutiny before the final release in March. It is packed full of tasty GNOME goodness, so if you're itching to find out what we've been doing, and can't wait to finish building it, take a look at Davyd's Sneak Peek this release".

Comments (none posted)

GNOME Software Announcements

The following new GNOME software has been announced in the last week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced in the last week:

Comments (none posted)

KDE CVS-Digest (KDE.News)

The February 4, 2005 edition of the KDE CVS-Digest is online with the following content summary: "Digikam does black and white tonal conversion. KPDF implements history and KTTSD (screen reader) support. KMail adds graphical emoticons. KNotes implements read-only support. Konqueror shows document title and favicon in location bar autocomplete. amaroK supports the Akode engine"

Comments (none posted)

The Big Kolab Kontact Interview - Part II (KDE.News)

KDE.News continues its interview with the Kontact and Kolab developers. "KMail is the best Open Source e-mail program existing today and with KOrganizer and KAddressBook we already had two other important parts of a PIM solution. So why should we start from scratch? With KParts, XML-GUI and DCOP, KDE offers an incredibly cool framework which made it quite easy to integrate these applications without throwing away existing and well tested code, so it was clearly the way to go."

Comments (none posted)

Electronics

Open Collector Releases

The latest new electronics applications on Open Collector include QOscC 0.1.6 (software oscilloscope), SC2V 0.3 (SystemC to Verilog synthesizable subset translator), and Confluence 0.10.2 (declarative functional programming language for the design and verification of synchronous reactive systems).

Comments (none posted)

XCircuit 3.3.8 released

Version 3.3.8 of XCircuit, an electronic schematic drawing package, is available. This version features fixes for several bugs.

Comments (none posted)

Financial Applications

Eclipse Trader 0.12 Released (SourceForge)

Version 0.12 of Eclipse Trader is out. "Eclipse Trader is a set of plugins for the Eclipse RCP (Rich Client Platform) dedicated to the building of an online stock trading system. This release adds a simple alerts system that may be used to receive notifications when a stock item reaches a predefined price level, and a new plugin for the Directa Trading (Italy) service. This plugin provides realtime data and trading feature for Directa customers."

Comments (none posted)

Games

Ember 0.2.0 Released

The WorldForge game project has announced version 0.2.0 of Ember. "Ember is a 3d client for the WorldForge project. It uses the Ogre 3d graphics library for presentation and CEGUI for its GUI system. This is the first release of Ember since its fork from the Dime codebase. The focus has been on getting a working client out of the door. Games such as Mason are fully playable."

Comments (none posted)

Reviving Pygame

The PyGame site has been mysteriously quiet for a few months, now there's an explanation: "As you might have noticed, Pete has been MIA recently. A group of Pygame users (Bob Ippolito, Rene "illume" Dudfield, Joe "piman" Wreschnig, and others in #pygame) are trying to organize the 1.7 release in his absence. If you know of any bugs in Pygame 1.6.2 that haven't been fixed in CVS (if you don't know and don't know how to check, assume they aren't), please stop by #pygame on irc.freenode.net".

Comments (none posted)

Graphics

G3D 6.05 Beta 2 Released (SourceForge)

Version 6.05 beta 2 of G3D, a cross-platform 3D engine for games and other applications, has been announced. "The 6.05 beta 2 release includes new support for the 3DS file format, 2D and video rendering, optional wxWidgets integration, workarounds for bugs in old graphics cards, and major performance improvements in the networking API. It is also the first release to support the new g++ 3.4 on Linux and has a Win32 installer for easy setup."

Comments (none posted)

Instant Messaging

IRC Text to Speech with Java (O'Reilly)

Paul Mutton applies a speech synthesizer to IRC on O'Reilly. "This article will show you how to create a multi-platform IRC bot (an automated client) that uses the FreeTTS Java speech synthesizer library to convert IRC messages into audible speech."

Comments (none posted)

Interoperability

Wine Traffic

The February 4, 2005 edition of Wine Traffic is online; take a look for the latest developments in the Wine project.

Comments (none posted)

Music Applications

blepvco 0.1.0 - LADSPA minBLEP hard-syncable VCOs

Version 0.1.0 of blepvco is out. "blepvco is a LADSPA plugin library containing three anti-aliased, minBLEP-based, hard-sync-capable oscillator plugins. The oscillators are intended to be used with modular synthesis systems, such as Alsa Modular Synth (a couple example AMS patches are included)."

Full Story (comments: none)

Science

Mathomatic 12.0 released

Stable version 12.0 of Mathomatic is out. "Mathomatic is a highly portable, general purpose CAS (Computer Algebra System) written entirely in C. It is totally free software (GNU LGPL license). This is a console mode application that compiles and runs under any operating system with a C compiler. It has been under development since 1986 and now stands at 15,000 lines of code."

Comments (none posted)

Web Browsers

Mozilla 1.8 Roadmap Updates (MozillaZine)

MozillaZine covers the latest Mozilla Development Roadmap announcement. "Following on from the recent Mozilla Firefox Roadmap update, the main Mozilla Development Roadmap has also been revised. The big news is that there will be a second Mozilla 1.8 Beta release in March."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the January 24, 2005 mozilla.org staff meeting are online. The MozillaZine summary says: "Issues discussed include Mozilla 1.8 Alpha 6, Mozilla Firefox 1.0.1, Mozilla Firefox 1.1, deploying Hendrix and the broken website tool."

Comments (none posted)

Independent Status Reports (MozillaZine)

MozillaZine has announced the February 7, 2005 edition of the Mozilla independent status reports. "The latest set of independent status reports includes updates from Journal, Link Visitor, Spurlbar, biobar, cuneAform, Figaro, Research Buddy, Abacus MathML Editor, IE View, ConQuery, Launchy, viewbgplus, Searchsidebar and Flashblock."

Comments (none posted)

XForms 1.0 Beta Plugin Available for Gecko (MozillaZine)

MozillaZine reports on the availability of version 1.0 of the XForms plugin for Mozilla and Firefox. "The Mozilla Foundation today released a beta version of its XForms plugin for Gecko-based browsers. XForms 1.0 is a W3C recommendation that allows web page authors to take advantage of structured data and client-side validation when designing forms. XForms is designed to be embedded in XML documents, such as XHTML 1.0. Mozilla XForms support has been developed over the last several months by IBM, Novell, and independent contributors."

Comments (none posted)

Miscellaneous

Sunbird 0.2 Released (MozillaZine)

MozillaZine carries the announcement of the first official release of the Sunbird calendaring program from the Mozilla Project. For the curious, screenshots can be found on the Sunbird page.

Comments (9 posted)

Languages and Tools

Caml

Caml Weekly News

The February 8, 2005 edition of the Caml Weekly News is online with the week's Caml language news.

Full Story (comments: none)

Java

Bitwise Optimization in Java: Bitfields, Bitboards, and Beyond (O'ReillyNet)

Glen Pepicelli manipulates bits with Java in an O'Reilly article. "Flipping bits on and off is the lowest level of computing, and most Java developers are totally isolated from it. But maybe they shouldn't be. In this article, Glen Pepicelli introduces the idea of bitsets--ints and longs whose bitwise representation are the data you're interested in--and how they can be used with mathematical and logical operators to write faster code."

Comments (none posted)

An Introduction to TMAPI (O'Reilly)

Robert Barta and Oliver Leimig introduce TMAPI on O'Reilly. "There are several software packages for Java developers when they need to develop applications using XML Topic Maps. There are some proprietary software vendors and also open source packages like TM4j, tinyTIM, and a few others. In the Java tradition to standardize interfaces, the TMAPI project has proposed a set of Java interfaces which particular Topic Map implementations may choose to adhere to. The obvious advantage for the application developer is to use only that single set of interfaces and to choose a particular implementation on other merits."

Comments (none posted)

AOP tools comparison, Part 1 (IBM developerWorks)

Mik Kersten discusses tools for Aspect-oriented programming on IBM developerWorks. "AOP is a technology whose time has come, but how do you choose the right tool for your projects? In this first article in the new AOP@Work series, aspect-oriented programming expert Mik Kersten compares the four leading AOP tools (AspectJ, AspectWerkz, JBoss AOP, and Spring AOP) to help you decide which one is for you. In Part 1 of this two-part discussion, the author focuses on the tools' language mechanisms and the trade-offs imposed by the different approaches."

Part two of the series is also available.

Comments (none posted)

Cover your code with Hansel and Gretel (IBM developerWorks)

Dennis M. Sosnoski writes about the Hansel and Gretel code coverage tools on IBM developerWorks. "Unit tests provide a great technique for making sure that code performs to specifications. But the quality of unit tests is up to the test writer, and the results from unit tests are only as good as the quality of the tests. How can you make sure your unit tests deliver the quality you need? In the first article of this new series dedicated to classworking tools, regular developerWorks contributor Dennis Sosnoski discusses how code coverage tools provide one important quality check for your tests."

Comments (none posted)

Lisp

Parallel Computing in Lisp

A series of web log entries about parallel computing in Lisp are available. "Bill Clementson has written a new weblog entry in a series about parallel computing in Lisp. The latest entry, posted on 25 January 2005, deals with the feedback he got on the previous ones. Bill started posting weblog entries in this series in April 2004. They discuss the various approaches, dialects and tools for parallel computing in Lisp."

Full Story (comments: none)

Perl

This Fortnight in Perl 6

The January 19-31, 2005 edition of This Fortnight in Perl 6 is online with another collection of Perl 6 topics.

Comments (none posted)

Throwing Shapes (O'Reilly)

Vladi Belperchinov-Shabanski discusses Remote Procedure Calls under Perl. "In the Perl world there are several modules that offer different kinds of RPC, including RPC::Simple, RPC::XML, DCE::RPC, and more. In this article I'll explain how to use Perl-specific features to develop a compact RPC implementation that I will name Perl-centric Remote Call (PerlRC). As the name suggests, it will run only with Perl clients and servers."

Comments (none posted)

Python

Python 2.3.5 released

Python 2.3.5 - a bugfix release - is now available. Included therein is the fix for the SimpleXMLRPCServer vulnerability. This is the last planned update for Python 2.3.

Full Story (comments: none)

python-dev Summary

The python-dev Summary for December 16-31, 2004 is out with another summary of traffic from the python-dev mailing list.

Full Story (comments: none)

python-dev Summary

The python-dev Summary for January 1-15, 2005 is out with another summary of activity on the python-dev mailing list.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The February 9, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python language articles and resources.

Full Story (comments: none)

More Test-Driven Development in Python (O'ReillyNet)

Jason Diamond continues his O'Reilly series on Test-Driven Development in Python with part two. "The goal of test-driven development is not to produce tests; they're merely a helpful by-product. The real goal is to produce elegant, working code. Jason Diamond demonstrates how test-driven development can improve the design of code."

Comments (none posted)

Ruby

Ruby Weekly News

The February 6, 2005 edition of the Ruby Weekly News is available with the latest news and discussion from the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The February 8, 2005 edition of Dr. Dobb's Tcl-URL! has been published. Take a look for the latest Tcl/Tk news.

Full Story (comments: none)

XML

The XPath 2.0 Data Model (O'Reilly)

Bob DuCharme discusses the XPath 2.0 data model on O'Reilly. "As XSLT 2.0 and its companion specification XQuery 1.0 approach Recommendation status, it's time to step back and look at a more fundamental difference between 2.0 and 1.0: the underlying data models. A better understanding of the differences gives you a better understanding of what you can get out of XSLT 2.0 besides a wider selection of function calls."

Comments (none posted)

Generate SQL with XSLT 2.0 (IBM developerWorks)

Jack Herrington shows how to generate SQL with XSLT on IBM developerWorks. "Learn to use the cutting-edge features of XSLT 2.0 and generate PHP code from an abstract data model. In Part 1 of this two-part series, Jack Herrington uses a robust multilevel transform technique to show you how to take a simple model of a target database and generate the SQL for the database server."

Comments (none posted)

Version Control

Aegis 4.20 released

Version 4.20 of the Aegis version control system is available. See the change log file for details.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Part I: Corporate Desktop Linux - The Hard Truth (OSDir.com)

W. McDonald Buck, retired CTO of World Bank, looks at what it will take to put Linux on the corporate desktop, on OSDir. "I'm a Linux devotee. I'm offended by the rigged analyses that Microsoft has purchased in its "Get the Facts" campaign. But I think it is important that the open source community demonstrate fairly that open source software presents a better cost/benefit case than Windows. This case is not helped by resorting to the same kind of trickery and distortion of which Microsoft is guilty. I don't like to see obviously skewed analysis on Linux's behalf any more than I like to see it on Microsoft's behalf. No that's wrong. I have a greater dislike of pro-Linux trickery, because I expect better of us."

Comments (41 posted)

Experts Predict Spyware for Mozilla Firefox in 2005 (NewsForge)

NewsForge reports that experts are predicting that spyware creators will soon target Mozilla Firefox. "For his part, Stu Sjouwerman -- founder and COO of Counterspy maker Sunbelt Software -- agreed that Firefox spyware is likely in 2005. "I'm pretty sure you can expect one or two Firefox (spyware) exploits before the end of the year," Sjouwerman said. "The more popular a platform gets, the more likely it is to come under attack. Firefox -- which I use myself -- I don't think is going to be immune from that. If you go wide like this, you have to expect that your product will be exposed to a trial by fire.""

Comments (20 posted)

Trade Shows and Conferences

Linux leaders at open-source summit (ADT Magazine)

ADT Magazine reports on the Open Source Development Labs (OSDL) Linux Summit. "On the corollary subject of the lawsuit filed back in 2003 by The SCO Group against IBM for illegally contributing its proprietary Unix code to Linux, panel moderator Stuart Cohen saw a bright side to the legal wrangles over patent infringement in the open-source community. "The SCO lawsuit was probably the greatest thing that ever happened to acceleration of Linux and open source," he said. "If the press hadn't covered it to the extent they did, and the due diligence hadn't then been done by all of the attorneys, Linux and open source probably never would have had the rapid success that it's had over the past 18 months. Because it came through all of that with such flying colors, it became a real phenomenon.""

Comments (5 posted)

License issues lining up for Linux, open source (NewsForge)

NewsForge covers license discussions at the recent OSDL Enterprise Linux Summit. "In a presentation on open source software licensing issues, noted open source legal mind and license author Larry Rosen gave attendees a sampling of the new license applications he received via email while working for the Open Source Initiative (OSI) last year."

Comments (none posted)

The SCO Problem

How SCO's Threats Rallied Linux (Business Week)

Business Week is running a column by Stuart Cohen (CEO of OSDL) on how the SCO Group has helped Linux. "The SCO litigation and surrounding media hoopla actually helped accelerate Linux's popularity -- and its legal foundation. SCO's legal offensive was effectively a wake-up call for a community, mobilizing and uniting a large but disparate group of customers and developers around a single cause. It spurred the Linux community to get its house in order. Its response revealed to the world how large that house had become and gave Linux newfound credibility."

Comments (6 posted)

SCO's Opposition to IBM's Motion for Reconsideration/Clarification of Wells' Discovery Order (Groklaw)

For those following the details of the SCO/IBM trench warfare, Groklaw has SCO's opposition to IBM's attempt to get reconsideration of the latest discovery order. There is also a detailed discussion of why the parties are behaving as they are. "The Nazgul are also implicitly telling Judge Kimball that it is so likely Magistrate Judge Wells will reconsider or clarify her discovery ruling that the matter is not ripe for his consideration, and the effort required to come up to speed on a small mountain of briefs and evidence. By doing so, they actually compliment the magistrate judge, in effect signaling that she has overlooked dispositive factors on an important issue but they regard her as an honest, competent judge who will make the correct decision if she takes a fresh look at the issues in light of the brief that will accompany the motion for reconsideration or clarification."

Comments (10 posted)

Ray's Return (ComputerWorld)

ComputerWorld looks at the trouble at the Canopy Group. "So when [Ray Noorda] takes control of SCO's Linux litigation, we can be pretty sure one set of lawsuits will go away almost immediately: the ones aimed at corporate Linux users. At 80, Noorda may have lost a step. But he'll never be so far gone that he'll think it's a good idea to sue his own customers."

Comments (1 posted)

The Yarro Complaint (Groklaw)

For those of you following along with the self-destruction of the Canopy Group: Groklaw has Mr. Yarro's complaint in the suit. "In a nutshell, Yarro and the others who 'resigned' from Canopy say Noorda meant to give them millions and millions (and in some cases part ownership of the company) instead of to his children. You see, it was like this: Yarro was such a valuable employee that Noorda wished to keep him there, and apparently it required millions in perks to retain his services."

Comments (none posted)

Companies

MP3.com founder returns to music biz (News.com)

News.com looks at Linspire executive and MP3.com founder Michael Robertson's MP3Tunes downloadable music service. "Robertson says he will open the service next week, with "hundreds of thousands" of songs from independent and unsigned artists already available at 88 cents apiece. He'll approach the major labels for access to their music, too--but it will be a tough sell. The big labels have adamantly opposed selling any songs online that are not wrapped in digital rights management technology." A Linux-based music player appliance is also in the works.

Comments (8 posted)

Sun Responds to Criticism of CDDL (Groklaw)

Groklaw takes a look at Sun's response to criticism of the CDDL. "If Sun prefers to carve out a smaller community for itself, it is free to build its own little island, with its own big fence. The result will be, though, that Linux will continue to develop more quickly and it will bury Sun's license and its code, because the open, GPL method works better, and the GPL requirement of giving back all modifications results in rapid improvement. Sun is free to cut itself off from that, if it so chooses, but it will reap what it sows. If they imagined that the world would drop the GPL and adopt the CDDL instead, I trust by now they realize that isn't going to happen."

Comments (none posted)

Trolltech to Extend Dual Licensing to Qt for Windows (KDE.News)

KDE.News reports that Trolltech will be offering the Windows version of Qt under a dual license. "Trolltech, maker of the Qt toolkit which forms the basis for KDE, announced today that the Qt version for Microsoft Windows will be available under the GPL in addition to its current commercial license offerings for that platform. This change will take place with the release of Qt 4."

Comments (3 posted)

It's Windows vs. Windows as Microsoft battles piracy (News.com)

News.com covers a new heavy-handed approach to operating system piracy coming from Microsoft. "In its most serious bid yet to reap revenue from those who've been getting Windows without payment to Microsoft, the company plans to require computer owners to verify that their copy of Windows is properly licensed before allowing them to download software from Microsoft's site. By mid-year, the once voluntary Windows Genuine Advantage program will become mandatory." The article hints at a possible increase in Linux adoption in emerging markets as a result of the change.

Comments (18 posted)

Legal

Eiffel Tower: Repossessed (Fast Company)

It's not directly Linux-related, but this Fast Company article does show that the U.S. has no monopoly on copyright excesses. The company which maintains the Eiffel Tower, it seems, has copyrighted it. "As a result, it's no longer legal to publish current photographs of the Eiffel Tower at night without permission. Technically, this applies even to amateurs."

Comments (13 posted)

Warming up to open source (News.com)

Here's a News.com article on a change in patent policy at the Organization for the Advancement of Structured Information Standards. "But the overture to open-source developers only goes so far, making royalty-free (RF) licensing of patents in standards an option next to the existing status quo, Reasonable and Non-Discriminatory (RAND) licensing of those patents."

Comments (none posted)

Interviews

Linux kernel maintainer joins patent celebrations (ZDNet)

ZDNet UK talks with some free software developers about the (hopefully) restarted European software patent discussion. "But there is a dark cloud already looming over the celebrations of anti-patent campaigners, as the EC has not yet decided whether to agree to the EP's request for a restart. Linux developer [Alan] Cox said he is worried that the EC may ignore the EP's request. 'Unfortunately, however, it seems the Commission will not treat this as a chance to drop the entire issue but will continue pursuing software patents for the sole benefit of a tiny number of large, mostly American, companies,' said Cox. 'The battle is far from over.'"

Comments (5 posted)

FOSDEM 2005: KOffice Interview (KDE.News)

KDE.News interviews Raphael Langerhorst, who will be giving a talk at FOSDEM on "KOffice - Desktop Integration and Workflow Automation". "A big advantage of KOffice is its KDE base, which makes it more lightweight and integrated. OOo brings its own framework which makes the codebase bigger and harder to maintain, but it is necessary to be cross platform. And this is what makes OOo more suitable in mixed environments - OOo builds the bridge between Windows and Linux/Unix whereas KOffice might be a better choice in pure KDE environments. OOo is also a suitable bridge between many legacy file formats and the OASIS Open Document format."

Comments (none posted)

Resources

Cygwin: Changing the Face of Windows (Linux Journal)

Machtelt Garrels gives an overview of Cygwin in a Linux Journal article. "Cygwin does not convert your Windows machine into a UNIX-compatible one, however. Cygwin does not enable your computer to understand UNIX signals, pseudo-terminals (PTYs) and such; it only provides mappings of UNIX actions to the Windows platform. It is not a way to make native Linux applications run on Windows. If you want an application to run on your Windows workstation, and it is not yet a part of the Cygwin suite, you will have to compile the source. If the application is a graphical one, another solution is to run the application remotely by using X functionality."

Comments (4 posted)

Coasterless DVD burning (Troubleshooters)

Troubleshooters.com has put up a tutorial on DVD burning. "This document is written for a person just getting started with DVD burning. It details the pitfalls and how to avoid them. The reason is simple enough -- I'm just now learning DVD burning, and have recently fallen into those pitfalls."

Comments (2 posted)

HA-OSCAR: Five Steps to a High-Availability Linux Cluster (O'ReillyNet)

O'ReillyNet uses HA-OSCAR to set up a high availability Linux cluster. "The HA-OSCAR project's primary goal is to improve the existing OSCAR, Beowulf architecture, and cluster management technology systems (including OSCAR, ROCKS, and Scyld) while providing high-availability and scalability capabilities for Linux clusters. The OCG recognized the project as an official working group, along with the current OSCAR and Thin-OSCAR working groups. HA-OSCAR introduces several enhancements and new features to OSCAR, mainly in the areas of availability, scalability, and security. The new features in the initial release are head node redundancy and self-recovery for hardware, service, and application outages."

Comments (none posted)

Comparing MySQL performance (NewsForge)

NewsForge runs a set of MySQL benchmarks on various Linux and BSD systems. "Both Linux 2.4 and 2.6 had the strongest showing overall for these tests, dominating just about every benchmark no matter the workload. Scalability for both kernels was also excellent with addition of an extra processor. In fact, I was surprised how well 2.4 had done, as I had somewhat expected 2.6 to show at least a noticeable, if slight, increase over 2.4. Instead, they took turns besting each other from test to test -- and in scalability -- for a fairly even overall showing."

Comments (2 posted)

A Temporary Internet Lounge Revisited (Linux Journal)

Linux Journal shows how to set up an Internet lounge using Knoppix 3.7. "By default Knoppix never touches the hard drive--you don't have to install it, you simply have to tell a PC to boot from the CD-ROM drive. Because of Knoppix's excellent hardware detection system, one could, in theory at least, put together a dozen different makes and models of PCs with a dozen identical Knoppix disks, and in five minutes have all of them up, running and browsing the Internet. With Knoppix, there are in essence two filesystems on the disk--a conventional ISO 9660 system that is used while Knoppix boots and a compressed filesystem that is used after the system boots. This complicates things, but it also allows Knoppix to store significantly more than 700MB of software on a conventional 700MB CD-ROM."

Comments (none posted)

Top 15 Firefox Extensions (PC Magazine)

PC Magazine takes a look at some ways to extend your Mozilla Firefox browser. "Extensions can do loads of tasks, from blocking pop-up ads to playing card games -- and even viewing a Web page as if it were in IE -- so they can make Firefox a versatile and customizable platform for your browsing activities. But where to start? Which extensions are worth downloading and installing? We evaluated dozens of extensions and present the best 15 for your perusal. It's easy to add them; just go to the Tools | Extensions | Get More Extensions menu to get started."

Comments (12 posted)

Reviews

Linare Releases Sub-$500 Notebook (ExtremeTech)

ExtremeTech takes a look at some new Linare notebooks. "Linare's notebook includes an AMD Athlon 1800+ processor, a 40-GB hard drive, a 14.1-inch XGA TFT-LCD, 128 Mbytes of RAM, a CD-ROM, Fast Ethernet, and the Linare Linux OS. It also ships with OpenOffice, a full office suite compatible with Microsoft Office documents."

Comments (8 posted)

Miscellaneous

New site to group Aussie open source bloggers (ZDNet.au)

ZDNet Australia covers an announcement by Linux Australia about a new Planet Linux Australia site devoted to aggregating the blogs of prominent Australian Linux and open source developers. "According to the organisation, the site "is not just about aggregating feeds, it's about recognising and appreciating all the cool stuff people are doing around the country". Using RSS aggregation software popular within the blogging community, so far the site has linked 62 Australians associated with open source development, from many different fields and from around the nation."

Comments (1 posted)

Zombie trick expected to send spam sky-high (News.com)

Just when you thought you couldn't get enough of that yummy spam, News.com reports that a new surge of bogus email is soon to arrive. "According to the SpamHaus Project--a U.K.-based antispam compiler of blacklists that block 8 billion messages a day--a new piece of malicious software has been created that takes over a PC. This "zombie" computer is then used to send spam via the mail server of that PC's Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it."

Comments (12 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

FSFE writes Open Letter to International Bank of Settlements

The FSFE has sent an open letter to the International Bank of Settlements regarding software patents in Europe. "Once Basel II becomes widely used, a dramatic increase in software patent infringement lawsuits for this area is likely to occur on a global basis. Any bank or any of its customers for Basel II based software may become a target of such legal action -- the risk is incalculable and can bring about multi-billion Euro lawsuits."

Full Story (comments: none)

Commercial announcements

Command Prompt Unveils Around the Clock PostgreSQL Support

Command Prompt has announced a 24/7 support program for PostgreSQL database customers. "The program, which is an extension of the successful line of Managed Services offered by Command Prompt, allows any user of PostgreSQL to call Command Prompt, Inc. any time, any day and receive the support they need."

Full Story (comments: none)

Guardian Digital Releases Advanced Spam and Phishing Protection

Guardian Digital has announced the release of their Secure Mail Suite version 3.2. "Incorporating advanced technologies for enterprise spam and phishing protection, Secure Mail Suite v. 3.2 is the first solution of its kind to include distributed protection from these types of attacks including the latest blended threats."

Full Story (comments: none)

JBoss and Sun Microsystems Expand Collaboration on Standards

JBoss and Sun Microsystems, Inc. have announced that they have expanded their collaboration on standards through a new multi-year agreement for JBoss to support the Java 2, Enterprise Edition platform.

Comments (none posted)

JetBrains Provides Free IntelliJ IDEA Licenses

JetBrains, Inc. has announced availability of free licenses of its IntelliJ IDEA to the open-source community. "JetBrains, Inc., creators of intelligent, productivity-enhancing tools, announced today it is formalizing and expanding its practice of supporting Open Source development projects and invites developers of qualifying Open Source projects to apply for no-cost user licenses for its widely acclaimed IntelliJ IDEA integrated development environment for Java."

Comments (none posted)

Mandrakesoft to participate in IGGI supercomputer project

Mandrakesoft has announced their participation in the IGGI supercomputer project. "Mandrakesoft and partners are starting a research project in grid computing: IGGI. The consortium will develop a solution that can turn any network of desktop machines into a cluster. This project is supported by governmental funding."

Full Story (comments: none)

New specifications from OSDL

The Open Source Development Labs has announced that version 3.0 of the Carrier Grade Linux Requirements Definition is available "as a technology release for evaluation by developers." The CGL document is "a public reference blueprint for Linux distributions, major end users or Linux kernel developers to build Linux kernel features and associated libraries that are required by telecommunication carriers in their next-generation network infrastructure."

Also available is version 1.1 of the OSDL Data Center Linux Capabilities document. "The new document expands priorities published last year by the Lab around Data Center Linux in four main areas: security, hot-plug, clustering, and storage networking."

Comments (none posted)

PalmSource Completes Acquisition of China MobileSoft

PalmSource, Inc. has announced the completion of its acquisition of China MobileSoft (CMS), a Chinese mobile phone software company. "The combination of Palm OS and CMS's software products is expected to enable PalmSource to provide one of the broadest lines of mobile software in the industry, powering mobile phones at all price points in all regions of the world. Over time, PalmSource expects to leverage the work CMS has done with Linux to provide a new version of Palm OS based on Linux. The Company will continue to support the Palm OS(R) Garnet and Palm OS(R) Cobalt operating system software lines."

Comments (none posted)

Sealevel Systems Announces First Internal USB to RS-232 Serial Adapters

Sealevel Systems, Inc. has announced a series of internal USB to RS-232 serial adapters with Linux support. "These devices are intended for mounting directly to a PC's chassis, eliminating the need for external converters and providing a clean, professional installation. All models are USB bus powered, capable of data rates to 460K bps, and install inside the computer in a spare bracket location."

Comments (none posted)

SKY MobileMedia Announces SKY-MAP Support for MontaVista Linux

SKY MobileMedia, Inc. has announced their SKY-MAP mobile applications software platform on the MontaVista Linux platform. "In collaboration with MontaVista Software, the combination of SKY's fully integrated and standards-compliant SKY-MAP platform paired with MontaVista(R) Linux Consumer Electronics Edition provides phone manufacturers with a complete applications software platform for multimedia handsets and smartphones."

Comments (none posted)

Unisys ES7000 Servers Now Certified On SUSE LINUX Enterprise Server 9

Unisys has announced that its ES7000 server line is now certified on SUSE LINUX Enterprise Server 9. "Unisys is the only vendor to achieve SLES 9 certification for both 32-bit and 64-bit servers with up to 32 processors."

Comments (none posted)

Virtual Iron Software Joins Open Source Development Labs

Open Source Development Labs has announced that Virtual Iron has joined OSDL and will participate in the Lab's Data Center Linux (DCL) working group.

Virtual Iron Software, Inc. has announced it has established an advisory board founded with industry leaders for the datacenter virtualization company and named Steve Beckhardt, Dr. John Carter, Dr. Charles E. Leiserson, Billy Marshall, Richard Napolitano and Christopher M. Stone as founding members.

Comments (none posted)

New Books

GNU/Linux Application Programming published

Charles River Media has published the book GNU/Linux Application Programming by M. Tim Jones.

Full Story (comments: none)

"Home Networking Annoyances" Released by O'Reilly

O'Reilly has published the book Home Networking Annoyances by Kathy Ivens.

Full Story (comments: none)

"Internet Annoyances" Released by O'Reilly

O'Reilly has published the book Internet Annoyances by Preston Gralla.

Full Story (comments: none)

Zope 3 Developer's Handbook published

Sams has published the book Zope 3 Developer's Handbook by Stephan Richter. An online version of the book is also available.

Full Story (comments: none)

Resources

FSF Europe Newsletter

The February 7, 2005 edition of the FSF Europe Newsletter is online with the latest from the Free Software Foundation Europe.

Full Story (comments: none)

Linux Gazette #111

The February 2005 issue of Linux Gazette is out. Articles include Are Your Servers Secure???, by Blessen Cherian, Free as in Freedom: Part Two: Linux for the "Rest of Us", by Adam Engel, Compiling the Linux Kernel, by R. Krishnakumar, Introduction to Shell Scripting - The Basics, by Ben Okopnik, Songs in the Key of Tux: Recording with Audacity, by Jimmy O'Regan, and more.

Comments (none posted)

Contests and Awards

2004 LinuxQuestions.org Members Choice Award Winners

LinuxQuestions.org has announced the Members Choice Award winners for 2004. Firefox was named Browser of the Year, Slackware is the Distribution of the Year and Knoppix is the LiveCD Distribution of the Year. A full list of nominees along with detailed results can be found here.

Comments (7 posted)

LinuxWorld Conference & Expo Names Finalists for Product Excellence Awards

LinuxWorld Conference & Expo has announced the finalists for the LinuxWorld Product Excellence Awards, to be presented at LinuxWorld Conference & Expo next week. Finalists include KDE 3.3, Mambo 4.5.1a and Novell Linux Desktop 9.

Comments (none posted)

Upcoming Events

ApacheCon Europe 2005 CFP

A Call for Participation has gone out for ApacheCon Europe 2005. The event will be held from July 18-22, 2005 in Stuttgart, Germany. Submissions are due by March 4.

Comments (none posted)

CodeCon Reminder

A reminder has been sent out for the CodeCon event. "CodeCon will be held February 11-13, noon-6pm, at Club NV (525 Howard Street) in San Francisco."

Full Story (comments: none)

New Products, Services and Software to Be Featured at Desktop Linux Summit

Linspire has sent out a preview of the upcoming San Diego Desktop Summit. "The Desktop Summit today announced a preview of new products, services and software to be featured at the event, February 9-11 at the Del Mar Fairgrounds in San Diego. Several new products and services will debut at the Summit, which will also feature exhibitors from some of the most innovative open source and desktop Linux companies."

Comments (none posted)

Fedora User and Developer Conference (FUDCon)

The first FUDCon has been announced. "The Fedora Project, a Red-Hat-sponsored and community-supported open source project, today announced a packed program for their first international conference, the Fedora Users and Developers Conference. Known as "FUDcon" for short, this conference is the first to bring together Fedora users and developers. It will be held at Boston University in Boston, Massachusetts, USA on Friday, February 18th, 2005."

Comments (4 posted)

FOSDEM 2005 Press-release

A press release has gone out for FOSDEM 2005. "FOSDEM announced the preliminary program for its upcoming conference, to be held February 26-27, 2005 in Brussels, Belgium. Now in its fifth year, FOSDEM provides a forum for programmers across a wide spectrum of free and open source technologies to share ideas, and to foster collaboration between different projects. A wide range of developers gather at the annual conference to advance the adoption of open source and free software throughout Europe and the world."

Comments (none posted)

Sun Regional Delegate Program for linux.conf.au 2005

Sun has announced its Regional Delegate Program for the linux.conf.au 2005 conference. "As with previous LCAs, Sun Microsystems has kindly offered to sponsor the Regional Delegates Program (RDP) for LCA 2005. For the LCA 2005 RDP, there will be ten winners: one from each of the Australian states and territories; a national winner; and a winner representing New Zealand." The conference will be held in Canberra on April 18-23, 2005.

Full Story (comments: none)

Google, HP, Novell, and Red Hat Execs to Keynote 2005 MySQL Users Conf

The keynote speakers for the 2005 MySQL Users Conference have been announced. The event will be held in Santa Clara, California on April 18-21, 2005.

Full Story (comments: none)

PGP keysigning at LinuxWorld in Boston

A PGP keysigning session will be held on February 15 at the Boston LinuxWorld conference.

Full Story (comments: none)

NSPW 2005 Call For Papers

A Call For Papers has gone out for the 2005 New Security Paradigms Workshop. The event will be held in Lake Arrowhead, California on September 20-23, 2005.

Full Story (comments: none)

PalmSource Worldwide Mobile Summit and DevCon

PalmSource, Inc. has announced its Worldwide Mobile Summit and DevCon. The event will take place in San Jose, California on May 23-26, 2005. "PalmSource will also highlight its product roadmap for feature phones and Linux, leveraging its recent acquisition of China MobileSoft (CMS), a leading Chinese mobile phone software company."

Comments (none posted)

Call For Papers - August Penguin 2005

A Call For Papers has gone out for the Penguicon 2005 conference. The event will be held in Israel on August 4, 2005; papers are due by March 4, 2005.

Full Story (comments: none)

FlightGear to Demo Linux Based 747 Cockpit Simulator at SCALE 3x

FlightGear will demonstrate their open-source 757 flight simulator at the SCALE conference in Los Angeles. "The FlightGear team will use their open-source flight simulator to drive a full scale 747-400 simulator cockpit. The FlightGear demonstration will take place at SCALE 3x on Feb 12-13, 2005."

Full Story (comments: none)

OpenEMR at Southern California Linux Exposition (LinuxMedNews)

LinuxMedNews has announced a presentation of the OpenEMR project on February 13 at the Third Annual Southern California Linux Exposition. "Walt Pennington will discuss OpenEMR, an open source medical practice management and electronic medical record application."

Comments (none posted)

YAPC::Taipei 2005 Registration Opens (use Perl)

Use Perl has announced registration for the YAPC::Taipei 2005 Perl conference. The event will be held on March 26 and 27, 2005 in Taipei, Taiwan.

Comments (none posted)

Events: February 10 - April 7, 2005

Date | Event | Location
February 10 - 11, 2005 | German Perl-Workshop 2005 | Dresden, Germany
February 10 - 11, 2005 | Third-Annual Desktop Linux Summit (Del Mar Fairgrounds) | San Diego, CA
February 10 - 11, 2005 | GlobusWORLD (Sheraton Boston Hotel) | Boston, MA
February 11 - 13, 2005 | CodeCon 2005 | San Francisco, CA
February 12 - 13, 2005 | Southern California Linux Expo 2005 (SCALE) (Los Angeles Convention Center) | Los Angeles, CA
February 14 - 17, 2005 | Linux World Conference and Expo (Hynes Convention Center) | Boston, MA
February 18, 2005 | Fedora Users and Developers Conference (FUDcon1) (Massachusetts Institute of Technology) | Boston, Massachusetts
February 24 - 25, 2005 | UKUUG LISA/Winter Conference | Birmingham, UK
February 25, 2005 | Dutch Perl Workshop | Amsterdam, the Netherlands
February 26 - 27, 2005 | Free and Open Source Developers' European Meeting (FOSDEM 2005) | Brussels, Belgium
February 28 - March 3, 2005 | EclipseCon 2005 (Hyatt Regency) | Burlingame, CA
February 28 - March 1, 2005 | Asia Debian Mini-Conf 2005 | Beijing, China
March 1 - 2, 2005 | JBoss World 2005 User Conference (Omni/CNN Center) | Atlanta, GA
March 2 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland
March 2 - 3, 2005 | Asia CodeFest 2005 | Beijing, China
March 2 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China
March 2 - 4, 2005 | The Free and Open Source Software Workshop (Al Assad National Library) | Damascus, Syria
March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany
March 12, 2005 | Gentoo UK 2005 (University of Salford) | Manchester, UK
March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary
March 14 - 17, 2005 | Emerging Technology Conference (ETech) (Westin Horton Plaza) | San Diego, CA
March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah
March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 (Hotel Borobudur) | Jakarta, Indonesia
March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop (Caribe Royale All Suites Resort & Convention Center) | Orlando, FL
March 23 - 25, 2005 | PyCon DC 2005 (GWU Cafritz Conference Center) | Washington, DC
March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei
March 30 - April 1, 2005 | PHP Quebec (Crowne Plaza Hotel) | Montreal, Canada
March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands
April 5 - 6, 2005 | Open Source Business Conference (OSBC) (Westin St. Francis) | San Francisco, CA
April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore

Comments (none posted)

Mailing Lists

VOIPSEC mailing list formed

A new mailing list has been formed by the Voice over IP Security Alliance (VOIPSA). "The Voice over IP Security Alliance (VOIPSA) is a unique collaboration of VoIP and Information Security vendors, providers, and researchers. VOIPSA aims to help organizations understand and mitigate VoIP security risks through discussion lists, white papers, sponsorship of VoIP security research projects, and the development of tools and methodologies for public use."

Full Story (comments: none)

Web sites

CPAN::Forum (use Perl)

use Perl has an announcement for the newly created CPAN::Forum site. "Graham integrated links to the individual subforums in the search.cpan results and Randy in the Kobes' search. I hope people who are searching for modules will find it a good place to discuss them."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds