Your editor has finally acted to bring an end to an annual embarrassment.
Each year, at the Kernel Summit, the entire group is brought together for a
photograph. Most digital cameras can do a reasonable job of taking a
portrait, but getting a reasonable image of some 70 people all together is
another story. Your editor, possessing a camera of the "other story"
variety, has been forced to post grainy, second-rate pictures of a
first-rate crowd, only to be upstaged by attendees with far superior
equipment. To be absolutely sure that he will not be shamed this year,
your editor went and picked up a shiny new Sony DSC-V3
camera. If his writing in LWN has seemed distracted recently, blame the
new toy.
In the classic days of Linux, one would expect to spend a full, painful day
making a new device work with Linux. In this century, however, people have
this irrational expectation that their hardware will "just work." Linux
has gotten good at living up to that expectation in a number of ways; see
the advances in printer configuration, for example. Your editor set out to
determine if support for digital cameras has made the same sort of
progress.
It turns out that there are very few free applications which are aimed
specifically at interfacing with digital cameras. And the big ones,
reviewed below, are all based on the libgphoto2 library. So
this review did not take as long as some of the others in this series.
gtkam
Gtkam is "the official GTK2
GUI" for libgphoto2. On many distributions, it is the default digital
camera interface application. Your editor tried version 0.1.12 on Fedora
and Ubuntu systems.
The initial gtkam window is mostly blank. The "camera" item on the tool
bar leads to the obvious "add camera" dialog, which, in turn, contains a
pulldown menu for
the camera model. In theory, the user need only select the right model
from this list, and all will be well. Unfortunately, this menu contains
over 500 entries, making the camera selection process unwieldy at best.
Even more unfortunately, your editor's camera - on the market since June of
last year - was not on the list. Obviously, your editor should have
checked first and bought a supported camera; somehow, however, the idea of
showing up at the Kernel Summit with a Barbie camera lacks appeal.
There is also a "detect" button next to the model pulldown; it failed to
find your editor's camera, however.
Now, the DSC-V3 has two ways of dealing with the USB bus. In its default
configuration, the camera appears to be a USB mass storage device. The
camera can also be instructed to use the "picture transport protocol" (PTP)
mode, which is an older, specialized way of talking to cameras. When your
editor put the camera into the PTP mode, and after tweaking some
permissions under /proc/bus/usb, gtkam was able to detect it - as
a Sony DSC-F707V. The model was wrong, but everything worked.
When it is talking to a camera it knows about, gtkam presents a simple
browsing interface. The left pane is the directory hierarchy as exported
by the camera, while the right shows thumbnails of any images stored in the
currently-selected directory. Many of the obvious things are not possible;
you cannot ask gtkam to display a full-resolution image, for example, and
it will not let you drag images into file browsers or other applications.
There are, in fact, exactly two things you can do: download images, and
delete them.
The download window is somewhat awkward to work with, mostly because it
seems to want to provide for several possible actions. It can save the
pictures themselves, or just the thumbnails or metadata. It can feed the
images to an external application. Or it can rename the pictures, adding
an incrementing number to a user-supplied base filename. Once you get the
hang of the window, things work reasonably well, but it can take a couple
of tries at the outset.
digikam
The KDE digital camera application is digikam.
Your editor used version 0.7; that version is a bit old (there is a 0.7.2 beta out), but attempts to build
something more recent were a dismal failure. Digikam, it turns out, is not
a straightforward application to build.
The initial digikam window resembles gtkam's, in that there is not much to
be seen. The "Camera" toolbar item has an "add camera" option, which is a
nice enhancement over previous versions of digikam, which required the user
to wander into the "configure digikam" dialogs.
The camera dialog looks very much like gtkam's, and it
behaves in a very similar way. Since the same library is doing the work
underneath it all, this resemblance is not entirely coincidental. There is
one interesting addition to the digikam dialog, however: the user who
remains awake after having scrolled through some 500 possibilities will see
"USB mass storage" as a camera type. The user must provide the directory
where the camera will be mounted - and arrange for it to be actually
mounted there. With that work done, however, digikam was able to talk to
your editor's camera in its native mode. The PTP mode also works, as it
did with gtkam.
Actually, the PTP mode almost works. It will happily detect the camera
(once again calling it a DSC-F707V) and work with it - for one session.
Once the camera has been disconnected and plugged back in, however, digikam
is unable to work with it. Removing the camera from the configuration and
asking digikam to detect it from the beginning worked. It would seem that
the camera pops up with a different address under /proc/bus/usb
each time; gtkam is able to handle that change, but digikam is not.
Digikam provides the same basic operations as gtkam: download images from
the camera, and delete images from the camera. There is much more to
digikam than that, however: while gtkam forgets about images once they have
been extracted from the camera, digikam is a full image management and
manipulation framework. It implements albums, performs simple image
editing, and provides a large set of gimp-style plugins (which seem to be
mostly front ends to tools from the ImageMagick package).
gthumb
![[The gthumb import dialog]](/images/ns/grumpy/gthumb-import-sm.png)
Your editor reviewed gthumb almost one year ago in this article on image
viewers and editors. This application is not often presented as being
a tool for working with digital cameras, but the attentive user will notice
an "import images" item on gthumb's "file" menu. Selecting that option
yields the dia digital camera
interface.
It is, perhaps, the best of them all. There is no need to tell gthumb to
configure a camera; it simply goes out and talks to whatever it finds.
It found your editor's new camera without trouble (in PTP mode only), but
had to be instructed
on where to look for the old one, which is of the painful serial port
variety. The dialog has a blank marked "film," which would appear to be
the name of a subdirectory to create for the images.
Once that has been
figured out, it is simply a matter of deciding where the images should go,
whether they should be deleted from the camera, and hitting the "import"
button.
Summary
So which is the preferred interface for a grumpy editor? Of the three
programs discussed above, gthumb has the most straightforward interface,
with a minimum of bureaucracy required before work can be done. That would
be your editor's pick.
The truth of the matter is this, however: your editor thinks the best
approach is to get a modern camera which implements the USB mass storage
protocol. Then you can simply mount the camera as a disk, move the image
files across, and be done with it. It's fast, easy, and for those who
prefer not to use the mv command, setting up hotplug scripts to
launch a file manager is relatively straightforward. There should be no
need for separate, specialized applications to interface with a digital
camera.
On the other hand, the management of images once they have been
pried from a camera's clutches is an interesting problem. Tools like
digikam and gthumb have been written with that task in mind; there are
several others out there as well. And that is likely to be your editor's
next (and rather more ambitious) exercise: a review of image management
tools. Stay tuned.
The Open Source Development Labs has, just in time for LinuxWorld,
announced the availability of the "Desktop Linux
Capabilities" specification. This document is available in PDF format.
One of OSDL's most controversial functions is the creation of
specifications for Linux in particular environments. The Carrier Grade
Linux and Data Center Linux documents might indeed be an accurate
reflection of the features desired by commercial interests in those
sectors. But those documents also appear, to the developers who actually
create Linux, as an attempt to tell them what they should be working on.
In that regard, the introduction from the desktop Linux document is likely
to rub some developers the wrong way:
An important decision taken by the OSDL Desktop Linux Working Group is
that the Linux operating system will be developed independently. We
will not attempt to emulate other existing desktop systems. We feel
that the system should interoperate with existing systems, but we do
not strive for complete compatibility.
The people at OSDL know quite well that any attempt to "decide" that
desktop Linux would not be developed independently would fail. They
do not yet seem to know how to keep that sort of language out of their
documents, however.
The introduction continues:
Variety and choice, two of Linux's greatest strengths, are also its
Achilles heel. ISVs and large corporations do not have the resources
(or ability, in some cases) to ensure all applications work in all
current graphical environments and windowing managers available in
each distribution.
OSDL goes on from there to say that there should be a single desktop Linux
standard. Furthermore, this standard must be chosen from one of the
existing desktop environments; any attempt to combine them was regarded as
not feasible. The authors are clearly not complete masochists, however:
they stopped short of saying which environment they think should be chosen,
or even naming a subset from which the choice should be made.
The document identifies four types of desktop deployment, ranging from
"fixed function" (locked-down kiosks of one form or another) through to
"technical workstation" and "basic office". The existence of a "general
purpose" usage category is recognized, but not really addressed in the
document.
The bulk of the document follows: it is a tiresome series of tables
describing the capabilities the authors think desktop Linux should have.
Many of them are obvious, and already present: x86 processor support, USB
support, IPv4, and so on. Some will be controversial: DVD playback support
(which "will require licenses") and implementation of digital restrictions
management schemes. Some make sense, and are in the works: persistent
device naming, good IPSec support, etc. And some things are strange in
their absence: instant messaging, Microsoft document format support,
electronic mail, internationalization, and so on.
And a few things are bizarre. It would appear that all desktop users, even
those with "fixed function" systems, have an urgent need for a Linux
installer which uses their preferred desktop environment. Installations
must be checkpointed so that they can be restarted in the middle. Desktop
users should, it is said, be able to do things like update their kernel
without needing root access to the machine. Numerous pages are devoted to
various aspects of the installation process - despite the fact that, in a
world of widespread Linux desktop deployments, most desktop users should
never do their own installations.
If Linux is to achieve desktop World Domination, quite a bit of work will
have to be done. Even the most ardent desktop Linux supporter will not (or
should not) say that all of the necessary pieces are in place now. When
OSDL set out to create its desktop capabilities document, it had an
opportunity to identify the missing pieces, the features which, were they
present, would make Linux more attractive in more desktop situations. That
opportunity was lost in what must have been a series of tiresome meetings
creating checklists of features Linux has had for years. Meanwhile the
development community continues to improve Linux (for all environments) at
a staggering rate - no specification required.
The CentOS (Community ENTerprise Operating System) project has been thrust into the spotlight recently as a result of
contact from Red Hat's lawyers regarding the use of trademarks. In reality, that's something of a non-story, since Red Hat is only asking the project to comply with Red Hat's
trademark guidelines. Red Hat has
enforced its trademarks before without destroying the GPL or stopping the distribution of Red Hat derivatives.
The CentOS team makes it very clear that the trademark issue is not a major obstacle, and is no threat to the future development of CentOS. But the brief flurry of press did bring our attention to the cAos (community assembled operating systems) Foundation and its CentOS and cAos Linux distributions. This writer has run into several admins who've chosen to go with CentOS as an alternative to Red Hat Enterprise Linux.
The CentOS distribution is compiled from source packages from "a Prominent North American Enterprise Linux Vendor." CentOS-3 is built from Red Hat Enterprise Linux (RHEL) 3 sources, and CentOS-2 is built from RHEL 2. The project is working on CentOS 4 as well, but it is still in beta at the moment.
Installing and using CentOS is much (almost exactly) like using RHEL. There are some cosmetic differences: the CentOS logo and name replace Red Hat's in most places -- though Red Hat is still given due credit in copyrights and so on -- and there are some changes in non-free packages. For the most part, though, CentOS seems to be an acceptable drop-in replacement for RHEL.
We also tested installing binary packages compiled for RHEL 3 on CentOS 3. We didn't run into any issues with packages compiled for RHEL 3 on CentOS 3 -- so CentOS seems to be suitable for users and organizations that want to use commercial products that support RHEL 3.
Support for CentOS is offered through forums, mailing lists, IRC channels and commercial organizations. We didn't approach any of the commercial organizations, but the CentOS community seems to be very helpful and responsive. The mailing lists, in particular, are fairly active. The February archive for CentOS 3 has 318 messages already, though some of the traffic is directly tied to the trademark issue.
Updates for CentOS are available via Yum repositories, which are a suitable replacement for the Red Hat Network as far as this writer is concerned. We did a little checking to see if the packages available from CentOS were up to date. After running "yum update" on CentOS 3 to get the latest packages, we checked against the Red Hat FTP repository for updates to RHEL 3. In each instance, we found that the CentOS packages were current, or at least as current as the packages on Red Hat's site.
The cAos Foundation is also distributing cAos Linux, not based on Red Hat's sources. The cAos Linux distribution is also RPM-based, but features its own Cinch installer, and a different design philosophy than CentOS. We did not spend much time with this distribution, but it does look like an interesting project for users who are looking for a community-driven RPM distribution with a long shelf-life. (The cAos page promises a 3-5 year life cycle, which is a bit more attractive for many users than the rapid development cycle for Fedora Core.)
Red Hat may have been better off leaving the trademark issue alone, since it seems that the project has garnered some attention it might not have received otherwise. After spending some time with CentOS, this writer sees little difference between Red Hat's official offerings and the CentOS offerings that are community-supported. Official support directly from Red Hat may be necessary for some organizations, but if that's not a requirement, the CentOS distribution may be a better choice.
Page editor: Jonathan Corbet
Security
Members of the Full Disclosure mailing list recently got a little more
disclosure than they had been looking for. It turns out that a bug in the
mailman list manager enabled a
suitably clever attacker to pull arbitrary files from the server. In
particular, the list of mailman accounts and passwords was taken from the
Full Disclosure server. Since people tend to use username and password
combinations in more than one place, it is entirely possible that the
information obtained could be used to attack user accounts elsewhere.
The bug was in this bit of code:
def true_path(path):
    "Ensure that the path is safe by removing .."
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]
At first glance, it would appear that the above checks would remove any
directory traversal attempts. If, however, the URL contains a string like
".../....///", the string replacements performed will leave a
simple "../" in the path.
In retrospect, there is an obvious error here. The checks in the function
above perform some transformations to the input string, but never actually
verify that the resulting string does not violate the constraints they are
supposed to be enforcing. Such
code will likely always be exploitable in one way or another. The
short-term fix changes the above logic by splitting the path into
components and dealing with each component separately.
The bigger error, however, and one which is not addressed by the short-term
fix, is to allow the request to proceed at all if undesirable elements are
found. Assuming the code is reasonably well done, it should not generate
URLs which later need to be fixed up by the input validation routines. So
if something comes through which looks like a directory traversal attempt,
the more prudent action would be to reject the request outright. Hostile
input suggests hostile intent; it should be responded to accordingly.
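The following Python sketch is an added illustration, not code from Mailman or from its fix. It runs the flawed true_path() quoted above on the string the article mentions, then contrasts it with a validator that splits the path into components, rejects the request outright, and verifies the final result. The names strict_path, escapes_base, RejectedPath and BASE_DIR, and the sample request paths, are assumptions made for the example.

```python
import os

# Hypothetical archive root; the directory does not need to exist.
BASE_DIR = "/srv/archives/private"

# Constructed request paths. CRAFTED uses the string quoted in the article.
BENIGN = "/somelist/2005-February/000123.html"
PLAIN = "/../outside.txt"
CRAFTED = "/.../....///outside.txt"


def true_path(path):
    "The flawed routine from the article: it rewrites, but never validates."
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]


def escapes_base(base_dir, relative):
    """True if base_dir/relative resolves to somewhere outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    return os.path.commonpath([base, target]) != base


class RejectedPath(ValueError):
    """Request refused by validation (hypothetical exception name)."""


def strict_path(path, base_dir=BASE_DIR):
    """Validate, do not repair: refuse anything our own URLs never contain.

    Returns the absolute file path on success, raises RejectedPath otherwise.
    """
    if not path.startswith('/') or '\x00' in path or '\\' in path:
        raise RejectedPath("malformed path")
    parts = path[1:].split('/')
    for part in parts:
        # Empty ('//'), '.', '..' and dot-only runs like '...' are all refused.
        if part.strip('.') == '':
            raise RejectedPath("suspicious component %r" % part)
    # Check the constraint on the final result instead of trusting the
    # per-component test: the resolved file must still be under base_dir.
    if escapes_base(base_dir, os.path.join(*parts)):
        raise RejectedPath("path leaves the archive directory")
    return os.path.join(os.path.realpath(base_dir), *parts)


def compare(path):
    """Return (true_path output, whether it escapes BASE_DIR, strict verdict)."""
    old = true_path(path)
    try:
        verdict = strict_path(path)
    except RejectedPath as exc:
        verdict = "rejected: %s" % exc
    return old, escapes_base(BASE_DIR, old), verdict


if __name__ == "__main__":
    for sample in (BENIGN, PLAIN, CRAFTED):
        print(sample, "->", compare(sample))
```

The plain "../" request is neutralized by the old routine, which is why the bug is easy to miss in testing; only the nested form survives the two replace() passes.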
Security reports
The Mozilla Foundation has issued a short-term response to Mozilla's
vulnerability to a homograph spoofing attack using international domain
names (IDNs). "In the forthcoming Mozilla Firefox 1.0.1 and Mozilla 1.8
Beta releases, IDN support will be disabled (bug 282270). For those users
that need it, an XPI will be released to turn IDN support back on (bug
282269)." Gervase Markham has also provided some clarification and possible
long-term solutions on his web log.
New vulnerabilities
alsa-lib: disabled stack execution protection
| Package(s): | alsa-lib | CVE #(s): | CAN-2005-0087 |
| Created: | February 15, 2005 | Updated: | February 16, 2005 |
| Description: | A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. |
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 | Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
hztty: local utmp exploit
| Package(s): | hztty | CVE #(s): | CAN-2005-0019 |
| Created: | February 10, 2005 | Updated: | February 14, 2005 |
| Description: | hztty has a vulnerability in which local users can execute arbitrary commands with group utmp privileges. |
lighttpd: script source disclosure
| Package(s): | lighttpd | CVE #(s): | |
| Created: | February 15, 2005 | Updated: | February 16, 2005 |
| Description: | lighttpd uses file extensions to determine which elements are programs that should be executed and which are static pages that should be sent as-is. By appending %00 to the filename, you can evade the extension detection mechanism while still accessing the file. A remote attacker could send specific queries and access the source of scripts that should have been executed as CGI or FastCGI applications. |
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 | CVE #(s): | CAN-2005-0176 CAN-2005-0177 CAN-2005-0178 |
| Created: | February 15, 2005 | Updated: | March 15, 2005 |
| Description: | Michael Kerrisk noticed insufficient permission checking in the shmctl() function. Any process was permitted to lock/unlock any System V shared memory segment that fell within the RLIMIT_MEMLOCK limit (that is the maximum size of shared memory that unprivileged users can acquire). This allowed an unprivileged user process to unlock locked memory of other processes, thereby allowing them to be swapped out. Usually locked shared memory is used to store passphrases and other sensitive content which must not be written to the swap space (where it could be read out even after a reboot). (CAN-2005-0176) OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly set to 128 instead of 256. This caused a buffer overflow in some cases which could be exploited to crash the kernel. (CAN-2005-0177) A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-0178) |
mod_python: remote access vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2005-0088 |
| Created: | February 10, 2005 | Updated: | April 10, 2006 |
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. |
netkit-rwho: missing input validation
| Package(s): | netkit-rwho | CVE #(s): | CAN-2004-1180 |
| Created: | February 11, 2005 | Updated: | February 17, 2005 |
| Description: | "Vlad902" discovered a vulnerability in the rwhod program that can be used to crash the listening process. The broadcasting one is unaffected. This vulnerability only affects little endian architectures (i.e. on Debian: alpha, arm, alpha, ia64, i386, mipsel and s390). |
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql | CVE #(s): | CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247 |
| Created: | February 10, 2005 | Updated: | July 19, 2005 |
| Description: | postgresql has a vulnerability in which the EXECUTE privilege may not be checked on custom functions. This may allow any database user to circumvent the EXECUTE restriction on functions. |
PowerDNS: denial of service
| Package(s): | pdns | CVE #(s): | |
| Created: | February 14, 2005 | Updated: | February 14, 2005 |
| Description: | A vulnerability has been reported in the DNSPacket::expand method of dnspacket.cc. An attacker could cause a temporary Denial of Service by sending a random stream of bytes to the PowerDNS Daemon. |
sympa: arbitrary code execution
| Package(s): | sympa | CVE #(s): | CAN-2005-0073 |
| Created: | February 11, 2005 | Updated: | February 14, 2005 |
| Description: | Erik Sjölund discovered that a support script of sympa, a mailing list manager, is running setuid sympa and vulnerable to a buffer overflow. This could potentially lead to the execution of arbitrary code under the sympa user id. |
synaesthesia: privilege escalation
| Package(s): | synaesthesia | CVE #(s): | CAN-2005-0070 |
| Created: | February 14, 2005 | Updated: | February 14, 2005 |
| Description: | Erik Sjölund and Devin Carraway discovered that synaesthesia, a program for representing sounds visually, accesses user-controlled configuration and mixer files with elevated privileges. Thus, it is possible to read arbitrary files. |
thunderbird: cookie handling bug
| Package(s): | thunderbird | CVE #(s): | CAN-2005-0149 |
| Created: | February 15, 2005 | Updated: | February 16, 2005 |
| Description: | A bug was found in the way Thunderbird handled cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. |
toolchain-source: insecure temporary files
| Package(s): | toolchain-source | CVE #(s): | CAN-2005-0159 |
| Created: | February 14, 2005 | Updated: | February 14, 2005 |
| Description: | Sean Finney discovered several insecure temporary file uses in toolchain-source, the GNU binutils and GCC source code and scripts. These bugs can lead a local attacker with minimal knowledge to trick the admin into overwriting arbitrary files via a symlink attack. The problems exist inside the Debian-specific tpkg-* scripts. |
vmware: untrusted library search path
| Package(s): | vmware | CVE #(s): | |
| Created: | February 14, 2005 | Updated: | February 16, 2005 |
| Description: | VMware may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code. |
Webmin: Information leak in Gentoo binary package
| Package(s): | webmin | CVE #(s): | |
| Created: | February 11, 2005 | Updated: | February 14, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that the Webmin ebuild contains a design flaw. It imports the encrypted local root password into the miniserv.users file before building binary packages that include this file. A remote attacker could retrieve Portage-built Webmin binary packages and recover the encrypted root password from the build host. |
xpcd: buffer overflow in pcdsvgaview
| Package(s): | xpcd | CVE #(s): | CAN-2005-0074 |
| Created: | February 11, 2005 | Updated: | February 14, 2005 |
| Description: | Erik Sjölund discovered a buffer overflow in pcdsvgaview, an SVGA PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display graphics on the Linux console for which root permissions are required. A malicious user could overflow a fixed-size buffer and may cause the program to execute arbitrary code with elevated privileges. |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 |
| Created: | November 26, 2004 | Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
AWStats: remote code execution
| Package(s): | awstats | CVE #(s): | CAN-2005-0116 CAN-2005-0362 CAN-2005-0363 |
| Created: | January 25, 2005 | Updated: | February 15, 2005 |
| Description: | When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server. |
cdrecord: failure to drop privilege
| Package(s): | cdrecord | CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 | Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
ClamAV: multiple issues
| Package(s): | clamav | CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 | Updated: | March 3, 2005 |
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. |
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 | Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270 |
| Created: | December 17, 2004 | Updated: | February 9, 2005 |
| Description: | cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter. |
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 | Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 | Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 | Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 |
| Created: | January 21, 2005 | Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
ethereal: multiple vulnerabilities
evolution: arbitrary code execution
| Package(s): | evolution | CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 | Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
exim: buffer overflows
f2c: insecure temp files
| Package(s): | f2c | CVE #(s): | CAN-2005-0017 CAN-2005-0018 |
| Created: | January 27, 2005 | Updated: | April 20, 2005 |
| Description: | The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
CVE #(s): | CAN-2004-0891
|
| Created: | October 25, 2004 |
Updated: | February 11, 2005 |
| Description: |
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer. |
| Alerts: |
|
Comments (none posted)
Gallery: cross-site scripting vulnerability
| Package(s): | gallery |
CVE #(s): | |
| Created: | January 31, 2005 |
Updated: | February 10, 2005 |
| Description: |
Rafel Ivgi has discovered a cross-site scripting vulnerability where
the 'username' parameter is not properly sanitized in 'login.php'. See
this Gallery
announcement for the release of 1.4.4-pl5 for more information. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2005-0005
|
| Created: | January 18, 2005 |
Updated: | March 23, 2005 |
| Description: |
According to this iDEFENSE advisory,
ImageMagick is vulnerable to a heap overflow when decoding .psd image
files. This could be remotely exploited allowing an attacker to execute
arbitrary code. |
| Alerts: |
|
Comments (1 posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iptables: missing initialization
| Package(s): | iptables |
CVE #(s): | CAN-2004-0986
|
| Created: | November 1, 2004 |
Updated: | February 11, 2005 |
| Description: |
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least. |
| Alerts: |
|
Comments (none posted)
kdeedu: buffer overflow in fliccd
| Package(s): | kdeedu kstars |
CVE #(s): | CAN-2005-0011
|
| Created: | February 16, 2005 |
Updated: | February 18, 2005 |
| Description: |
Erik Sjolund discovered a buffer overflow in fliccd which is part of
kdeedu, edutainment applications for KDE. An attacker could exploit this
vulnerability to execute code with elevated privileges. If fliccd does not
run as a daemon, remote exploitation of this vulnerability is not possible. |
| Alerts: |
|
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 |
CVE #(s): | CAN-2004-1189
|
| Created: | December 21, 2004 |
Updated: | February 15, 2005 |
| Description: |
There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to execute
arbitrary code on a Key Distribution Center (KDC) server. |
| Alerts: |
|
Comments (none posted)
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
CVE #(s): | CAN-2005-0001
|
| Created: | January 14, 2005 |
Updated: | February 25, 2005 |
| Description: |
Paul Starzetz found an exploitable hole in the x86 SMP page fault handler
which could lead to privilege escalation. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2004-1308
|
| Created: | December 22, 2004 |
Updated: | May 19, 2005 |
| Description: |
The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
CVE #(s): | CAN-2004-0687
CAN-2004-0688
|
| Created: | September 16, 2004 |
Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
CVE #(s): | CAN-2004-1177
|
| Created: | January 10, 2005 |
Updated: | March 22, 2005 |
| Description: |
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page. |
| Alerts: |
|
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
CVE #(s): | CAN-2005-0202
|
| Created: | February 9, 2005 |
Updated: | July 13, 2005 |
| Description: |
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
|
| Created: | October 11, 2004 |
Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: |
|
Comments (none posted)
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
CVE #(s): | CAN-2005-0004
|
| Created: | January 18, 2005 |
Updated: | March 25, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program. |
| Alerts: |
|
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
CVE #(s): | CAN-2004-1287
|
| Created: | December 20, 2004 |
Updated: | May 4, 2005 |
| Description: |
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code. |
| Alerts: |
|
Comments (4 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
CVE #(s): | CAN-2004-0911
|
| Created: | October 4, 2004 |
Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: |
|
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-1014
|
| Created: | December 1, 2004 |
Updated: | May 15, 2005 |
| Description: |
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | June 22, 2005 |
| Description: |
Opera contains several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
postfix: error in IPv6 handling
| Package(s): | postfix |
CVE #(s): | CAN-2005-0337
|
| Created: | February 4, 2005 |
Updated: | March 16, 2005 |
| Description: |
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i.e. erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address. |
| Alerts: |
|
Comments (1 posted)
python: illegal function internals access
| Package(s): | python |
CVE #(s): | CAN-2005-0089
|
| Created: | February 3, 2005 |
Updated: | April 22, 2005 |
| Description: |
Python versions 2.2 and 2.3 have a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
CVE #(s): | CAN-2004-0983
|
| Created: | November 8, 2004 |
Updated: | May 15, 2005 |
| Description: |
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles. |
| Alerts: |
|
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-1154
|
| Created: | December 16, 2004 |
Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: |
|
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
CVE #(s): | CAN-2004-1772
|
| Created: | October 1, 2004 |
Updated: | April 26, 2005 |
| Description: |
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs. |
| Alerts: |
|
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: multiple vulnerabilities
| Package(s): | squid |
CVE #(s): | CAN-2005-0173
CAN-2005-0175
CAN-2005-0194
CAN-2005-0211
|
| Created: | February 4, 2005 |
Updated: | March 8, 2005 |
| Description: |
Several vulnerabilities have been discovered in Squid, including cache
pollution/poisoning via HTTP response splitting, a buffer overflow
triggered by a larger than normal WCCP packet, and more. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-0075
CAN-2005-0103
CAN-2005-0104
|
| Created: | January 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
CVE #(s): | CAN-2004-1051
|
| Created: | November 17, 2004 |
Updated: | May 15, 2005 |
| Description: |
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tiff: buffer overflows
| Package(s): | tiff |
CVE #(s): | CAN-2004-0803
|
| Created: | October 13, 2004 |
Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
typespeed: format string vulnerability
| Package(s): | typespeed |
CVE #(s): | CAN-2005-0105
|
| Created: | February 16, 2005 |
Updated: | February 16, 2005 |
| Description: |
Ulf Härnhammar from the Debian Security Audit Project discovered a
problem in typespeed, a touch-typist trainer disguised as a game. This
could lead to a local attacker executing arbitrary code as group
games. |
| Alerts: |
|
Comments (none posted)
uw-imap: authentication bypass
| Package(s): | uw-imap imap |
CVE #(s): | CAN-2005-0198
|
| Created: | February 2, 2005 |
Updated: | March 1, 2005 |
| Description: |
The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions. |
| Alerts: |
|
Comments (1 posted)
vim: modeline problems
| Package(s): | vim |
CVE #(s): | CAN-2004-1138
|
| Created: | December 15, 2004 |
Updated: | February 24, 2005 |
| Description: |
A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user. |
| Alerts: |
|
Comments (none posted)
vim: symbolic link attack
| Package(s): | vim |
CVE #(s): | CAN-2005-0069
|
| Created: | January 18, 2005 |
Updated: | February 18, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim). |
| Alerts: |
|
Comments (none posted)
wpa_supplicant: buffer overflow
| Package(s): | wpa_supplicant |
CVE #(s): | |
| Created: | February 16, 2005 |
Updated: | February 16, 2005 |
| Description: |
wpa_supplicant contains a possible buffer overflow due to missing
validation of received EAPOL-Key frames. An attacker could crash
wpa_supplicant using a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2004-1125
|
| Created: | December 23, 2004 |
Updated: | April 1, 2005 |
| Description: |
xpdf has a
potential buffer overflow problem caused by insufficient input validation.
A specially crafted PDF file can allow an
attacker to execute code with privileges of the xpdf user. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: integer overflows
| Package(s): | xpdf kpdf cupsys |
CVE #(s): | CAN-2004-0888
CAN-2004-0889
|
| Created: | October 21, 2004 |
Updated: | February 18, 2005 |
| Description: |
Several xpdf integer overflow vulnerabilities can be exploited via a
malformed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys, which share code. Additional information can be found in this KDE security advisory. |
| Alerts: |
|
Comments (none posted)
xview: buffer overflows
| Package(s): | xview |
CVE #(s): | CAN-2005-0076
|
| Created: | February 9, 2005 |
Updated: | February 9, 2005 |
| Description: |
The xview library suffers from a number of buffer overflow vulnerabilities. |
| Alerts: |
|
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Resources
The Google Hack Honeypot (GHH) is a reaction to a new type of malicious web
traffic: search engine hackers. GHH is designed to provide reconnaissance
against attackers that use search engines as a hacking tool against your
resources. GHH implements honeypot theory to provide additional security
to your web presence. Coded in PHP and released under the GNU General
Public License - GHH is Free Open Source Software.
Full Story (comments: 1)
Events
The Symposium on Security and Asia Networking 2005 will be held in
Singapore on August 18 and 19. "SyScAN intends to be a non-product,
non-vendor biased security conference. It is the aspiration of SyScAN to
congregate, in Singapore, the best security experts in their various
fields, to share their research, discovery and experience with all
security enthusiasts in Asia." The call for papers is out; submissions
are due by May 8.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.11-rc4,
released by Linus on February 12. This
prepatch, intended to be the last before 2.6.11 is released, is dominated
by small fixes; it also contains some architecture updates, a serial ATA
blacklist (for poorly-behaved drives), some extra checking for read() and
write() calls (covered in last week's Kernel Page), a largish Radeon
framebuffer update, and an IDE update. The long-format changelog has the
details.
Linus's BitKeeper repository contains a handful of fixes, including a patch
for a few memset() calls in the S/390 code which had the arguments
reversed - and somehow seemed to work anyway.
The current -mm prepatch is 2.6.11-rc3-mm2. Recent changes to -mm include
the addition of the realtime Linux security module, an NFS update, and
various fixes.
The current 2.4 prepatch is 2.4.30-pre1, released by Marcelo on
February 10. As would be expected for a kernel in deep maintenance
mode, this prepatch contains a relatively small set of fixes and a couple
of driver updates.
Comments (1 posted)
Kernel development news
However, then when I start looking at n_tty_receive_room() and
n_tty_receive_buf(), my stomach gets a bit queasy. I have this
horrid feeling that I had something to do with the mess, but I'm
going to lash out and blame somebody else, like tytso, for most of
it....
I'd love for somebody to try to take a look at where n_tty goes wrong, but
I think that for now I'll just make the fix be the cheezy "limit tty
chunks to 2kB". It's worked for a decade, it can work for a bit longer ;)
-- Linus Torvalds finds a problem and "fixes" it
Comments (none posted)
The 2.4 kernel is now in a deep maintenance mode; all of the exciting
activity is happening in 2.6 instead. As a result, several months can pass
between 2.4 releases. That delay should not normally be a problem, but
it can be an issue for users who get bitten by a bug, or who need an
important security fix. There are still quite a few systems running 2.4
kernels, after all, and not everybody wants to wait for months for a fix to
a show-stopper bug.
It does not appear that the 2.4 process will speed up, however. Instead,
Willy Tarreau, working with Marcelo, has created a new 2.4 "hotfix" tree;
the first (announced) release is 2.4.29-hf2. This tree is created entirely by
cherry-picking patches out of the 2.4 BitKeeper repository; as such, it
contains only patches which will be part of the next official 2.4 kernel.
The tree contains a few security fixes (none of which appear particularly
urgent), one "critical fix" (for a panic in LVM), and various other bug
fixes.
The latest -hf patches will always be available on Willy's site.
Comments (2 posted)
With the recent announcement of hotplug-ng, a replacement written in C for
the existing Linux Hotplug script project, attention has been renewed as
to how the whole Linux hotplug process works. This article is an attempt
to explain this process, describing the history of how we got here, and
pointing out the directions in which things will probably be changing.
The /sbin/hotplug userspace interface for the kernel was created late in
the 2.3 kernel development process (yes, way back then). It was intended
to be used to notify userspace that the kernel had discovered a new
device. This was done so that userspace could then go and try to load a
module for this new device, or do any other type of initialization and
setup that might be needed. For a very good explanation of how userspace
could determine what driver was needed for what device, and some examples
of some very simple /sbin/hotplug implementations, see this paper from the
2001 Ottawa Linux Symposium.
With this humble beginning, the linux-hotplug project started, and over
time, a nice collection of shell scripts was created by a number of
developers, led primarily by David Brownell. These scripts are installed
by almost all Linux distributions, and enable USB, SCSI, Firewire, PCI,
and a number of other types of drivers to be loaded automatically when a
device is inserted into the system. Thanks to these scripts, Linux
accomplished a very good "it just works" feeling for a lot of users of the
2.4 and 2.6 kernels.
As time went on, more and more projects wanted to be notified by the kernel
that something had happened so that they could try to do things
automatically for the user. Things like:
- start up and shut down networking interfaces automatically
- mount storage devices and show an icon on the desktop
So different hooks were patched into the linux-hotplug scripts for these
projects, and everyone was happy.
Things got complex
Then along came udev and the 2.6 kernel, and the frailty of the existing
hotplug scripts was really felt. The 2.6 kernel changed the way hotplug
events were created by the kernel. Instead of only emitting an event for a
limited set of devices, everything that had a kobject registered in sysfs
created a hotplug event. Due to the driver model conversion of all the
different busses in the kernel, hotplug events were now being created for
many more things than the linux-hotplug scripts cared about. People
realized that this was going to cause a big mess, and a new type of
/sbin/hotplug program was proposed and created.
If you look at the current version of /sbin/hotplug, it is now a very
simple bash script:
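DIR="/etc/hotplug.d"

# Run every executable *.hotplug handler: first those registered for this
# event type ($1), then those registered for all events (default/).
for I in "${DIR}/$1/"*.hotplug "${DIR}/"default/*.hotplug ; do
    if [ -f "$I" ]; then
        test -x "$I" && "$I" "$1"
    fi
done
exit 1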
What this script now does is allow any program to be called for hotplug
events from the kernel. Every time a hotplug event is created by the
kernel, the script passes execution on to any program listed in the
/etc/hotplug.d/ subdirectories. If a program wants to be notified of all
hotplug events, it adds itself to the /etc/hotplug.d/default/ directory.
If it only cares about a single type of bus event, it places itself in the
proper /etc/hotplug.d/BUSNAME/ directory. The program name must end with
.hotplug in order to make package managers' lives simpler.
So, for example, if you want to be notified of all USB hotplug events, put
a symlink to your program, with a name that ends in .hotplug, in the
/etc/hotplug.d/usb/ directory. A typical /etc/hotplug.d tree on one of my
Gentoo-based systems looks like the following:
/etc/hotplug.d/
`-- default
    |-- 10-udev.hotplug -> ../../../sbin/udevsend
    |-- 20-hal.hotplug -> /usr/libexec/hal.hotplug
    `-- default.hotplug
This arrangement means that udevsend is called first for any hotplug event,
followed by HAL, and then finally, the default linux-hotplug scripts.
The recent hotplug-ng announcement merely replaces the existing
/sbin/hotplug bash script with a tiny executable program that does the
exact same thing. This is useful for machines that have limited memory
available, or that generate a very high number of hotplug events.
Another noted goal of the hotplug-ng project was to replace the
existing linux-hotplug bash scripts for loading modules for new devices
with small executable programs. It shipped 3 examples of this, one each
for USB, PCI and SCSI devices. Soon after the announcement, an IEEE1394
program was submitted for inclusion in the package.
How a module is found
When the kernel finds a new device and registers it with sysfs, a hotplug
event is generated that describes the new device in a bus specific manner
through a number of different environment variables. For example, a USB
device creates the following variables when it is found:
PRODUCT=idVendor/idProduct/bcdDevice
TYPE=bDeviceClass/bDeviceSubClass/bDeviceProtocol
INTERFACE=bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol
| Variable | Format | Description |
| PRODUCT | value/value/value | idVendor/idProduct/bcdDevice, from the USB device descriptor. Numbers are hexadecimal, without leading '0x' or zeros. |
| TYPE | value/value/value | bDeviceClass/bDeviceSubClass/bDeviceProtocol, from device descriptor. When 0/*/* is seen, a variable of type INTERFACE is also provided. Numbers are decimal. |
| INTERFACE | value/value/value | bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol, only for device class zero. Linux 2.6 gives each interface its own hotplug event, and /sys/$DEVPATH/bInterfaceNumber tells them apart. Earlier kernels only reported the first interface. Numbers are decimal. |
The hotplug scripts then split those environment variables apart into
individual numbers, and then search the
/lib/modules/KERNEL_VERSION/modules.*map files for the proper matching
module for this device. The modules.*map files are created by the depmod
program in the module-init-tools package by picking out all of the
MODULE_DEVICE_TABLE() information from the individual drivers. See the
previously mentioned OLS article for more information about this process.
This scanning of the modules.*map files by shell scripts has been found to
take a relatively long time. The hotplug-ng project tries to solve this by
bypassing these files completely, and relying on the fact that the
modprobe program can use module aliases to determine what module to load.
If you look at the output of the modinfo program on a module from a 2.6
kernel, you will notice a lot of alias entries:
$ modinfo tulip
filename: /lib/modules/2.6.11-rc4/kernel/drivers/net/tulip/tulip.ko
author: The Linux Kernel Team
description: Digital 21*4* Tulip ethernet driver
license: GPL
version: 1.1.13
parmtype: tulip_debug:int
parmtype: max_interrupt_work:int
parmtype: rx_copybreak:int
parmtype: csr0:int
parmtype: options:array of int
parmtype: full_duplex:array of int
vermagic: 2.6.11-rc4 SMP PENTIUM4 gcc-3.4
depends:
alias: pci:v00001011d00000009sv*sd*bc*sc*i*
alias: pci:v00001011d00000019sv*sd*bc*sc*i*
alias: pci:v000011ADd00000002sv*sd*bc*sc*i*
alias: pci:v000010D9d00000512sv*sd*bc*sc*i*
alias: pci:v000010D9d00000531sv*sd*bc*sc*i*
alias: pci:v0000125Bd00001400sv*sd*bc*sc*i*
alias: pci:v000011ADd0000C115sv*sd*bc*sc*i*
alias: pci:v00001317d00000981sv*sd*bc*sc*i*
alias: pci:v00001317d00000985sv*sd*bc*sc*i*
alias: pci:v00001317d00001985sv*sd*bc*sc*i*
alias: pci:v00001317d00009511sv*sd*bc*sc*i*
alias: pci:v000013D1d0000AB02sv*sd*bc*sc*i*
alias: pci:v000013D1d0000AB03sv*sd*bc*sc*i*
alias: pci:v000013D1d0000AB08sv*sd*bc*sc*i*
alias: pci:v0000104Ad00000981sv*sd*bc*sc*i*
alias: pci:v0000104Ad00002774sv*sd*bc*sc*i*
alias: pci:v00001259d0000A120sv*sd*bc*sc*i*
alias: pci:v000011F6d00009881sv*sd*bc*sc*i*
alias: pci:v00008086d00000039sv*sd*bc*sc*i*
alias: pci:v00001282d00009100sv*sd*bc*sc*i*
alias: pci:v00001282d00009102sv*sd*bc*sc*i*
alias: pci:v00001113d00001216sv*sd*bc*sc*i*
alias: pci:v00001113d00001217sv*sd*bc*sc*i*
alias: pci:v00001113d00009511sv*sd*bc*sc*i*
alias: pci:v00001186d00001541sv*sd*bc*sc*i*
alias: pci:v00001186d00001561sv*sd*bc*sc*i*
alias: pci:v00001186d00001591sv*sd*bc*sc*i*
alias: pci:v000014F1d00001803sv*sd*bc*sc*i*
alias: pci:v00001626d00008410sv*sd*bc*sc*i*
alias: pci:v00001737d0000AB09sv*sd*bc*sc*i*
alias: pci:v00001737d0000AB08sv*sd*bc*sc*i*
alias: pci:v000017B3d0000AB08sv*sd*bc*sc*i*
alias: pci:v000010B9d00005261sv*sd*bc*sc*i*
alias: pci:v000010B9d00005263sv*sd*bc*sc*i*
alias: pci:v000010B7d00009300sv*sd*bc*sc*i*
srcversion: 2B43BFCB982491A0D0794EC
Those module alias values are created directly from the
MODULE_DEVICE_TABLE() values in the driver, and match the information in
the modules.*map files. So, the hotplug-ng programs build up the module
alias based on the environment variables passed to them, and then invoke
the modprobe program directly. This greatly speeds up the whole module
loading process. On this author's slow laptop, it went from 2 seconds to
load a USB module for a newly seen device, to less than 1 with the
hotplug-ng programs.
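The alias construction described above, sketched for the PCI case as an added example (this is not hotplug-ng's own code). It assumes the kernel passes PCI_ID, PCI_SUBSYS_ID and PCI_CLASS in the hotplug environment (names not given in this article) and uses the alias layout visible in the modinfo output; every field is checked as bounded hexadecimal, because the resulting string ends up as a modprobe argument.

```c
/* Added example: build a PCI module alias from hotplug environment
 * variables and match it against alias patterns, validating every field.
 * Assumptions: the variable names PCI_ID, PCI_SUBSYS_ID and PCI_CLASS and
 * the fallback sample values in main() are not taken from the article. */
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse 1..max_digits hex digits that must be followed by `term`
 * (':' or '\0'). Returns a pointer past the field, or NULL if the input
 * is missing, empty, too long, or contains any other character. */
static const char *hex_field(const char *s, int max_digits, char term,
                             unsigned long *out)
{
    unsigned long v = 0;
    int n = 0;

    if (s == NULL)
        return NULL;
    while (isxdigit((unsigned char)s[n])) {
        int c = tolower((unsigned char)s[n]);
        if (n == max_digits)
            return NULL;
        v = v * 16 + (unsigned long)(c <= '9' ? c - '0' : c - 'a' + 10);
        n++;
    }
    if (n == 0 || s[n] != term)
        return NULL;
    *out = v;
    return term ? s + n + 1 : s + n;
}

/* Build "pci:v........d........sv........sd........bc..sc..i.." from
 * id="vendor:device", subsys="vendor:device" and cls=24-bit class code.
 * Returns 0 on success, -1 if any field fails validation or buf is small. */
static int build_pci_alias(const char *id, const char *subsys,
                           const char *cls, char *buf, size_t len)
{
    unsigned long ven = 0, dev = 0, sven = 0, sdev = 0, cc = 0;
    int n;

    if (!hex_field(hex_field(id, 4, ':', &ven), 4, '\0', &dev) ||
        !hex_field(hex_field(subsys, 4, ':', &sven), 4, '\0', &sdev) ||
        !hex_field(cls, 6, '\0', &cc))
        return -1;
    n = snprintf(buf, len,
                 "pci:v%08lXd%08lXsv%08lXsd%08lXbc%02lXsc%02lXi%02lX",
                 ven, dev, sven, sdev,
                 (cc >> 16) & 0xff, (cc >> 8) & 0xff, cc & 0xff);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* A few alias patterns copied from the modinfo output for tulip. */
static const struct { const char *pattern, *module; } alias_table[] = {
    { "pci:v00001011d00000009sv*sd*bc*sc*i*", "tulip" },
    { "pci:v00001011d00000019sv*sd*bc*sc*i*", "tulip" },
    { "pci:v00001317d00000985sv*sd*bc*sc*i*", "tulip" },
};

/* Return the module whose pattern matches alias, or NULL if none does. */
static const char *match_module(const char *alias)
{
    size_t i;

    for (i = 0; i < sizeof alias_table / sizeof alias_table[0]; i++)
        if (fnmatch(alias_table[i].pattern, alias, 0) == 0)
            return alias_table[i].module;
    return NULL;
}

/* Use the environment value if set, else a constructed sample value. */
static const char *env_or(const char *name, const char *sample)
{
    const char *v = getenv(name);
    return v ? v : sample;
}

int main(void)
{
    char alias[64];
    const char *mod;

    if (build_pci_alias(env_or("PCI_ID", "1011:0009"),
                        env_or("PCI_SUBSYS_ID", "1385:F004"),
                        env_or("PCI_CLASS", "20000"),
                        alias, sizeof alias) != 0) {
        fprintf(stderr, "rejecting malformed hotplug environment\n");
        return 1;
    }
    mod = match_module(alias);
    /* A real handler would exec modprobe with the alias as a single argv
     * element (no shell involved); here the decision is only printed. */
    printf("%s -> %s\n", alias, mod ? mod : "(no module)");
    return 0;
}
```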
Disruption in the force
This was all well and good, until Roman Kagan made the very obvious
observation that this whole process of creating environment variables, and
then splitting them apart, was incredibly stupid. Why not have the kernel
itself just create the module alias string in the first place and add that
to the hotplug call? That way the whole userspace process could be made
incredibly simple. Sometimes the developers that are closest to the
problem miss obvious issues like this as they forget to step back and view
the whole picture properly. This revelation was received very well, and it
will be added to the kernel after 2.6.11 is released, allowing the
hotplug-ng programs to be made even smaller.
But what about udev?
One wrinkle on the whole hotplug process is the udev program. Originally,
udev only wanted to pay attention to the hotplug events of devices that
had a driver already loaded and wanted a node created in the /dev
directory. But, in order to do this properly, it needed to listen to all
events, sort them in the proper order, and then operate on them. This
placement of everything in a sequential order by event generation made Kay
Sievers (one of the main udev developers) realize that he could just make
udev operate as the main /sbin/hotplug process.
With the 050 release of udev, if /sbin/udevsend is the kernel hotplug
program (it can be changed by modifying the value of the
/proc/sys/kernel/hotplug file), then it operates like the original
/etc/hotplug.d multiplexer program as well as handling all of the udev
device node generation. This ensures that the /etc/hotplug.d/ invocations
happen in the proper order, and in sequence for the same device. Gentoo
Linux already supports this mode of operation.
However, not every user wants to use udev. Because of that, the hotplug-ng
project is continuing, even if it seems like the two are competing against
each other in implementing the same functionality. As the same developers
are doing the work in both programs, all users of Linux benefit with a
faster module loading process, and further advancements in hotplug
functionality.
Comments (15 posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
In December last year we set out to write a series of articles evaluating
Linux distributions that provide 64-bit editions of their products. We
looked at the semi-official Debian Sid port, Fedora Core 3, Gentoo Linux
2004.3, Mandrakelinux 10.1, SUSE LINUX 9.2, and a development version of
Ubuntu Linux "Hoary" to see how ready they were for their roles as
graphical development
workstations. It was an interesting journey to the world of leading edge
computing. There is little doubt that the AMD64 3500+ processor we used for
testing is an incredibly powerful and fast chip that is capable of
completing many tasks a lot faster than any of the current 32-bit
processors. And while many of the popular distributions were quick in
embracing the new platform, they have done it with different degrees of
success. What follows is the summary of our observations.
First, let's make one thing clear right from the start: just because you
have bought or downloaded a Linux distribution designed for 64-bit
processors, it does not mean that it is entirely 64-bit. In fact, the
default installs of Fedora, Mandrakelinux, SUSE and Ubuntu are heavy
hybrids of 32-bit and 64-bit applications and libraries. Debian provides a
"pure" 64-bit system, but it also makes available a 32-bit compatibility
layer for installing 32-bit applications. Gentoo is, ultimately, the most
customizable of all distributions, so it's natural that one can choose
between a pure 64-bit system or a mix of the two - again, through a
compatibility layer.
Why is the 32-bit compatibility layer still needed? There are three reasons.
Firstly, the current stable version of OpenOffice.org (1.1.x) does not
compile on 64-bit processors. With its superior document conversion filters
to and from MS Office, OpenOffice.org is an essential application on any
workstation. And although it is expected that OpenOffice.org 2.0 will
compile on 64-bit platforms, the early betas still do not, or at least,
nobody has been able to build one successfully. Secondly, there are several
other open source applications that do not work on 64-bit platforms; many
of these are multimedia players and proprietary codecs. While these are not
considered essential, the fact that they are missing from many
distributions has probably contributed to the slow migration of mainstream
users to Linux. Finally, there are non-free binary-only applications that
many users and developers consider useful to have around: NVIDIA and ATI
graphics card drivers, Acrobat Reader, Opera, Real Player, Macromedia Flash
Player and perhaps a few other pieces of software. Of these, only NVIDIA
and ATI have made an effort to build 64-bit editions of their drivers (the
ATI driver is currently in beta testing).
Therefore, the challenge for distributions that provide 64-bit products is
two-fold: they not only have to compile the Linux kernel, libraries and
open source applications for the new platform (some of which might need
modifications in the source code before they compile successfully), they
also need to integrate 32-bit software into the system. As we've mentioned
already, most distributions solve the latter challenge by providing two
sets of libraries and link each application to the appropriate library.
This results in substantially increased hard disk and memory requirements -
not a big deal on a modern computer, but still a considerable overhead
compared to any 32-bit system.
Interestingly, Debian has come up with a different approach. According to
their documentation, a second system representing a minimal 32-bit Debian
can be installed into a chroot-ed folder, together with all the necessary
32-bit applications. With a few scripts or aliases, the 32-bit subsystem
can be integrated transparently into the main 64-bit system. We had great
success with this approach. As an example, web developers will find it easy
to install Opera and Flash Player into the chroot-ed subsystem and use
Opera for viewing Flash-enabled web sites. Another peculiar aspect of
Debian is the availability of two 64-bit branches, called "pure64" and
"gcc34". The applications in the "gcc34" branch are actually compiled with
a current cvs version of GCC, which will eventually become GCC 4.0 and
which is said to be able to build better-optimized 64-bit binaries. We
tried both branches, but we found the "gcc34" branch too unstable, with
frequent crashes of XFree86.
Of the distributions we tested, the current versions of SUSE LINUX and
Fedora Core turned out to be the most stable and bug-free products.
Especially SUSE was a pleasant surprise in that there is a large number of
third party repositories with 64-bit applications for it, and after
installing apt-get, it is very easy to install just about any software one
might desire. Also, the developers of SUSE have found a way to integrate
the Flash plugin with Konqueror through the DCOP communication layer
between the browser and the plugin. This option, however, does not work
with any of the Gecko-based browsers or Opera. As for Fedora Core, it also
turned out to be a very trouble-free distribution. However, we were
surprised to see that third-party repositories were not as well-populated
with 64-bit applications as those for SUSE. Also, between Fedora's two
advanced package managers, we had good success with yum, but were unable to
make apt-get work correctly.
We found both Gentoo Linux 2004.3 and the FTP edition of Mandrakelinux 10.1
more buggy than either SUSE or Fedora. This is surprising since, unlike
Debian which is officially still beta, both of them were "stable releases".
With Gentoo, several applications failed to compile, while Mandrakelinux
had an unpolished installer with many obvious errors in it, and we had much
trouble setting up sources for keeping the distribution up-to-date.
Nevertheless, none of these problems were critical, and once overcome, both
Gentoo and Mandrakelinux were solid and perfectly usable products. It is
interesting to note that of all the 64-bit distributions on the market
(besides the high-end enterprise-level offerings from Red Hat and Novell),
MandrakeSoft is the only one that does not provide freely downloadable ISO
images; those can be obtained either by joining the €120/year
Mandrakeclub or by buying it from Mandrakestore, where it sells for
€120 + shipping and handling.
As one would expect, 64-bit Linux live CDs have also started to emerge
recently. Ubuntu has done a lot of work to build a fully supported live CD
for 64-bit processors which will officially launch with the release of
Ubuntu Linux 5.04 "Hoary", expected in April this year (beta versions are
already available for download and testing). The developers of Gnoppix have also been working on a
Ubuntu-based live CD for 64-bit processors and have produced several beta
releases. If you prefer the KDE desktop, then the Knoppix-based KANOTIX project has recently produced a very
interesting live CD for 64-bit processors with some bleeding-edge hardware
detection modules. There is also Knoppix64, but this
project has been dormant since its first official release last June.
Interestingly, there are, as yet, no RPM-based live CDs for 64-bit
platforms.
Finally, if you are in the market for a new computer, should you get one
with a 64-bit processor? And once you have it, should you install a 32-bit
or a 64-bit distribution? The answer to the first question is a resounding
"yes" - AMD64 is a great processor with a large range of excellent
inexpensive motherboards now available for it. As for the second question,
the answer is a "maybe", but probably closer to a "no" for most users.
Let's be honest about it, the speed difference between a 32-bit and 64-bit
operating system is marginal at best, but all of the current 64-bit Linux
distributions add a layer of complexity by having to provide compatibility
mechanisms for those applications that have not been ported to 64-bit
systems. This extra complexity is probably not worth the hassle. That said,
there are cases where the 64-bit processor has considerable advantages: on
systems with large databases that require enormous amounts of memory, on
machines used frequently for encoding huge media files, or those designed
for heavy web serving with data compression or other intensive tasks.
And of course, there are those of us who simply can't resist the temptation
to be on the bleeding edge of hardware and software development, and who
feel that running a 32-bit operating system on a 64-bit processor is just
plain silly....
Comments (20 posted)
Distribution News
Red Hat has announced global availability of Red Hat Enterprise Linux v.4.
"This release of Red Hat Enterprise Linux is a defining milestone in the
evolution of Linux as the backbone of the enterprise," said Paul Cormier,
Executive Vice President of Engineering at Red Hat. "Red Hat Enterprise
Linux in 2002 marked the entrance of Linux in the enterprise. The second
version one year later put us at par with Unix in terms of reliability, and
ahead in terms of value. Red Hat Enterprise Linux v.4 has the performance,
scalability, security, and application portfolio needed to make Linux the
sensible choice for every deployment, from servers connected to client and
desktop systems. This methodical delivery of innovation is helping create
unprecedented value for the customer."
Comments (17 posted)
Activa Sistemas has announced (click below) a new version of ASLinux
Desktop. ASLinux Desktop 2.0 is a Linux distribution aimed at desktop PCs,
either workstations, corporate clients or home computers. It is available
for 32-bit Intel and AMD CPUs.
Full Story (comments: none)
The YES Linux Release Team has announced the immediate availability of YES
Linux 2.1 Final. This release of YES Linux features over 30 changes from
Builds 0, 1, and 2. Some of the most significant changes are the ability
to manage website virtual hosts from the administration application,
ability to have statistics for all websites including virtual hosts and
email server from the administration application, ability to purchase
domain names from either the introduction or from the administration
application, ability to modify the internal firewall from the
administration application, and the introduction of a dynamic message bus
to yes configuration. Click below for more details.
Full Story (comments: none)
Xandros has announced the version 3 release of the Open Circulation Edition
of its Linux desktop operating system (OS). The new release provides
Firefox web browsing, Skype Internet calling, and Thunderbird e-mailing.
The Xandros Open Circulation Edition is available for download at no
charge from the
Xandros web site.
Full Story (comments: none)
TimeSys Corporation has
announced that its OSDL Carrier Grade Linux (CGL) 2.0 reference
distribution for PowerPC has received LSB 1.3 certification.
Comments (none posted)
Footnotes introduces GSB, a GNOME distribution for Slackware Linux. "This
is the first release and packages are available for GNOME-2.9.91. There is
also an iso available to make installation easier." Here is the GSB
website.
Comments (none posted)
Joerg Jaspert provides some Bits from the DAMs, including the introduction
of a new DAM member, IRC-channel, DAM-rules, Emeritus (ex-developer)
handling, handling of MiA-maintainers. "For a short summary: DAM is now
constantly working, approving people, giving out accounts, simply doing
stuff. We are always trying to get better, so expect another "Bits of the
DAMs" mail somewhere between now and the end of the World."
Here's an update on the Debian Project
Leader Elections. Nominations are still open, Helen Faulkner and Martin
F. Krafft have agreed to take over the stewardship of the DPL debates, plus
schedules and information for prospective candidates.
In RFC: graph of Debian package cycle
Martin F. Krafft points to a graph of the life cycle of a Debian package.
Comments (none posted)
It's time for Ubuntu Love Day. "Starting this Thursday, 17th February,
Ubuntu Love Day is dedicated to the growth and encouragement of new Ubuntu
contributors. Whether it's filing, triaging or fixing bugs, learning how
to make packages, becoming a Master of the Universe, or any of the
countless things you can do to contribute or get involved, Ubuntu Love Day
is for you!"
Full Story (comments: none)
New Distributions
KDE.News introduces the Klax live CD. ""Klax" is an i486 GNU/Linux Live-CD
based on Slackware 10.1 with a patched Qt 3.3.4 and a complete KDE 3.4
Beta 2. Additionally it also contains KOffice 1.3.5 and k3b 0.11.20."
Comments (none posted)
Distribution Newsletters
The Debian Weekly News for February 15, 2005 is out. This week you can
read about legal professionals in Australia who have developed a new
judicial information system based on Free Software and Debian, Chris Halls'
preliminary packages for OpenOffice.org 1.9.73 built with Sun's JDK, the
Debian-Installer featured in c't magazine, a look at maintainer scripts,
the DebConf5 call for papers, understanding udev, and other topics.
Full Story (comments: 4)
The Gentoo Weekly Newsletter for the week of February 14, 2005 is out. This week's topics include the new hardware and software for Gentoo Forums, Gentoo evangelists at various conferences, Gentoo security practices, and more.
Full Story (comments: none)
The Mandrakelinux Community Newsletter for February 10, 2005 is out.
Topics in this issue include the release of Corporate Server 3.0 and
Desktop, the start of the Mandrakelinux 10.2 Beta process, a new
U.S. partner program, HP and Mandrakelinux, and keeping Mandrakelinux up to
date.
Full Story (comments: none)
Ubuntu Traffic #21 looks at IRC and mailing list activity through
January 14, 2005. Topics include Handling Metapackages, Installing From
Live CDs, Supporting Autorun, Experimental Hoary Live CD, ISDN Support,
Interactive Upgrade Hooks, Community Council Meeting, Documentation Team
Happenings, and Ubuntu Security Notifications.
Comments (none posted)
Ubuntu Traffic #22 covers IRC and mailing list activity through January
21, 2005. Topics in this issue include Python Minimal Test Suite, Live CD
Update, Yelp and Documentation Target Formats, Rsyncable Live CDs, Live CD
Autoconfiguration, OpenOffice 2.0, New Planet Ubuntu, Ubuntu Website Look
and Feel Contest, Array CD 3, Documentation Team Happenings, and Ubuntu
Security Notifications.
Comments (none posted)
Package updates
Fedora Core 3 updates:
openoffice.org (bug
fixes),
kernel (updates to 2.6.10-ac12 with
some backported fixes).
Fedora Core 2 updates: kernel (updates to
2.6.10-ac12 with some backported fixes).
Comments (none posted)
Mandrakelinux has updated drakxtools packages available that fix several
bugs.
Full Story (comments: none)
Trustix has fixed various bugs in cyrus-imapd, fcron, hwdata, kernel,
tftp-hpa.
Full Story (comments: none)
Newsletters and articles of interest
O'Reilly's LinuxDevCenter shows how to use Feather Linux as a firewall.
"Feather Linux makes it easy to create and configure a firewall. When
would you do this? Consider setting up an ad hoc network for a LAN party
or a trade show, where you want a good connection to the internet but
don't want to expose everything on the local network to the world at
large. Having a customizable, bootable LiveCD makes it easy to turn any
single machine into the firewall."
Comments (none posted)
LinuxMedNews takes a look at OpenVistA VivA FOIA Gold, a Knoppix 3.7 based
live CD with OpenVistA.
Comments (none posted)
Open for Business covers the process of keeping a FreeBSD system
up-to-date. "One of the major selling points with FreeBSD is security. How
silly it would be if we didn't do the minimum necessary to insure it stays
secure."
Comments (none posted)
Michael L. Love Ph.D has an autobiographical account of the origins of
GNU-Darwin. "Predictably, the work of the GNU-Darwin project has attracted
the attention of many scientists at universities and pharmaceutical
companies around the world, so that our usership is small but extremely
helpful and influential. In addition, we also got some early assistance
from Apple, and they provided software updates, as well as a connection to
some first year funding. As a result, we were able to obtain a G4 computer
for development purposes, and I made the trip to Apple's World Wide
Developer's conference in 2001, where I learned all about the inner
workings of Apple computers."
Comments (none posted)
Distribution reviews
LinuxTimes reviews Gentoo Linux. "Gentoo is a one-of-a-kind distribution,
simple yet powerful. The only drawback is that it can take very long to
compile software (I would love to test Gentoo on a AMD64), but the results
made me forget that."
Comments (none posted)
NewsForge has an article written by a Mandrakelinux fan. "For ease of use,
Mandrake can't [be] beat. The Mandrake Control Center is cleanly laid out
and is probably the most intuitive on the market. Setting up one's box is a
snap. Mandrake's hardware recognition is simply superb. And I have never
had Mandrake choke on my machines. It has always recognized and set up my
hardware with little input needed from me. Mandrakelinux just keeps getting
better with every release."
Comments (none posted)
NewsForge takes Red Hat Enterprise Linux 4 for a test drive. "Red Hat's
main advantage over its competition is its diversity. Red Hat Enterprise
Linux comes in four varieties: Advanced Server, Enterprise Server,
Workstation, and Desktop. Each is customized for specialized purposes, but
all are based on the same core. This ensures that customers have a variety
of tools for a variety of tasks, rather than try to make one software
solution fit all uses and machines."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The MythTV project by Isaac Richards is an effort to create a homebrew
Personal Video Recorder (PVR).
MythTV is a homebrew PVR project that I've been working on in my spare time. It's been under heavy development for two years, and is now quite useable and featureful.
The project was started in April 2002; the Background
document details the early history and motivation for the creation of
MythTV.
The introduction section from the Installing and using MythTV document explains the project in
more detail.
"MythTV is a suite of programs that allow you to build the mythical home media convergence box on your own using Open Source software and operating systems."
Some of the main features of MythTV include:
- Capabilities to pause, fast-forward and rewind live TV.
- The ability to record video to a hard drive.
- Support for multiple capture cards and cards with multiple inputs.
- A client/server model with support for diskless clients.
- Support for multiple servers.
- The ability to record multiple programs simultaneously.
- Support for capture of analog, MPEG-2, MJPEG, DVB, and HDTV streams.
- Ability to control set-top boxes.
- Support for North American program guide data from Zap2It.com.
- Modules for viewing images, the web, RSS feeds, and weather.
- Modules for playing MP3 files and DVDs.
- Support for web-based control.
- Support for multiple themes.
A large collection of screenshots shows many of the display and user interface features.
Custom mini-distributions of MythTV are available for the
Knoppix and Fedora Core Linux distributions and the
XBox and VIA EPIA M hardware platforms.
MythTV has also been built on Debian and Mandrake systems.
To set up MythTV, new users should read the
Checking prerequisites and
System Configuration Requirements documents.
MythTV version 0.17 was released this week;
changes include native OS X support, a timestretch function, interface
support improvements, a new firewire capture method, and wide screen/HDTV
support in the user interface. See the
UnderDevelopment document for details.
MythTV would make a good platform for home use; it could also be
envisioned as a platform for a commercial video product.
Comments (5 posted)
System Applications
Database Software
Stable version 2.0.9 of Bond has been announced.
"BOND (building object network databases) is a rapid application development tool which allows you to develop GUI front ends to PostgreSQL databases. It uses XML to define widget layout and how to obtain information from databases. This project is designed to simplify the process of developing database applications for GTK."
Comments (none posted)
Version 1.2.0 of Gentle.NET, a database independent object persistence framework written in
C# for .NET and Mono, is available.
"This release adds an advanced caching subsystem and a provider for SQL Server CE. There have been major improvements to the configuration subsystem, error reporting, and a number of other components. A bug affecting the use of multiple brokers has been fixed. MySQL users should upgrade due to critical bugs in the MySQL library shipped with previous versions."
Comments (none posted)
Stevan Little uses Perl to test databases on O'Reilly.
"This code kata introduces an alternate approach to testing database code, that of using mock-objects, and specifically of using the DBD::Mock mock DBI driver."
Comments (none posted)
The February 11, 2005 edition of the PostgreSQL Weekly News
is online with the week's PostgreSQL database articles.
Full Story (comments: none)
Interoperability
Stable release 1.1.23 of Samba Console is available.
"Samba Console is a web management console for Samba domain controllers. The goal is to give a better experience to the new Linux administrators that need to manage a production Samba server from anywhere using a simple web browser."
Full Story (comments: none)
Libraries
Version 3.6.0 of FreeImage, a library with support for the
PNG, BMP, JPEG, TIFF and other image formats, is out.
"FreeImage 3.6.0 brings many internal improvements with better toolkit functions (rotate, rescale), better support for the metadata API from other languages, better compression for the GIF plugin, and also an updated Delphi wrapper."
Comments (none posted)
Version 0.9.0 of liboggz, a C library for accessing Ogg Vorbis compressed
audio data, is out with code cleanup, bug fixes, and more.
Full Story (comments: none)
Networking Tools
Version 1.3.0 of iptables, a packet filtering implementation, is out.
"The final 1.3.0 version contains some minor bugfixes and is otherwise
identical to the 1.3.0rc1 release candidate.
1.3.x is a major update to 1.2.11. Apart from fixing numerous bugs (see
changelog), it contains the much-hyped libiptc rewrite."
Full Story (comments: none)
Web Site Development
The initial release of Wiki for phpWebSite has been announced.
"Wiki for phpWebSite finally brings the power and convenience of a wiki to phpWebSite. This module requires phpWebSite version 0.10.0 or later. phpWebSite provides a complete web site content management system (CMS). All client output is XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements."
Comments (none posted)
Version 3.2.9 of mnoGoSearch-php, a PHP frontend to the
mnoGoSearch web site search engine,
is available; it features one bug fix.
Comments (none posted)
Version 0.6.0 of libannodex, a C library for reading
and writing Annodex media, is out with new features and bug fixes.
"Annodex is an open standards based technology that
extends the World Wide Web's hyperlinking, searching, and compositing
infrastructure to time-continuous data, enabling video surfing, searching for
clips of audio and video files using ordinary Web search engines, and
on-the-fly composition of a video on a Web server from previously annodexed
clips."
Full Story (comments: none)
Version 0.2.0 of mod_annodex has been released.
"mod_annodex is a module for Apache httpd, and provides
server-side support for annodex media. Parallel versions are available
for Apache versions 1.3 and 2.0."
Full Story (comments: none)
Versions 3.1.4 and 2.7.11 of
mod_python
have been released with a security fix. See the
release notes
for details.
Comments (none posted)
Chris Josephes illustrates the use of PHP for managing Apache logs on O'Reilly.
"In Profiling LAMP Applications with Apache's Blackbox Logs, I discussed using Apache's built-in logging directives to record server performance metrics. By recording performance metrics, web server administrators can have a historical record of how the server handled incoming HTTP requests. This article expands on that concept by adding a couple of logging directives and recording the logging data directly in a MySQL database."
Comments (none posted)
Miscellaneous
Version 0.8 of Bootchart, a tool for performance analysis and
visualization of the GNU/Linux boot process, is available.
"Version 0.8 greatly improves the boot logger. External tools (such as top and iostat) are no longer used, as all data are collected from the proc file system directly. The installation procedure was also streamlined."
Comments (none posted)
GnomeDesktop covers the launch of the Hula project.
"Nat wrote: Today we are thrilled to be launching Hula, a new project to
build an open source mail and calendar server. Hula is a really exciting
project already in part because we think that we can fill a
hitherto-unclaimed spot in the stack of open source applications and in part
because we've "primed the pump" by basing it on an existing, functioning
codebase: a Novell product called NetMail."
Comments (none posted)
Desktop Applications
Audio Applications
Version 0.2.15a of QjackCtl, a GUI frontend to the Jack Audio Connection
Kit, is out with an important bug fix.
Full Story (comments: none)
Desktop Environments
The following new GNOME software has been announced this week:
Comments (none posted)
The following new KDE software has been announced this week:
Comments (none posted)
The February 11, 2005 edition of the
KDE CVS-Digest is online; here's the content summary:
"Win32 tools and build support added to kdelibs. Digikam adds undo support for image editing. Kipi adds EPS image file format. KPDF begins work to support annotations. KDE now sports a new logo. Plus many bug fixes in preparation for the release."
Comments (none posted)
Aaron J. Seigo chats with several KDE usability experts on KDE.News.
"Recently, our very own Fabrice Mous asked if I might write an article about usability and KDE development. At first I was hesitant, and not just because I have a lot more hacking to get done before KDE 3.4 is released (which is soon). I often get asked about usability and the Open Source process, and even I sometimes get tired of having the same old conversations over and over. I thought that this time it would be refreshing to ask someone else these questions and see what they had to say. So I arranged to meet up with several people on IRC who are involved in software usability and the KDE project. Here's what ensued..."
Comments (3 posted)
Electronics
Version 3.3.9 of XCircuit, an electronic schematic drawing package, is available. This version
features changes to the selection mechanism.
Comments (none posted)
Games
Version 0.1.0 of Equator has been announced for the WorldForge game project.
"Equator is a world builder client and general purpose editor. The aim is to create a single tool that has all the facilities required to build a game using WorldForge.
This is the first alpha release of equator, and many features are not yet implemented, or do not work well."
Comments (none posted)
Graphics
Version 0.41 of the cross-platform Inkscape SVG drawing tool is out.
"The primary focus of 0.41 has been bug fixing. With over 100 bugs fixed
since the 0.40 release, this significantly strengthened Inkscape on
Windows and for international users. We owe deep thanks to the many
users who have worked patiently with us to report the problems and
validate these fixes. Several serious crashes, memory leaks and
mis-features are now corrected and certain areas are noticeably snappier
thanks to user submitted bug reports.
A couple new features also found their way in."
Full Story (comments: none)
GnomeDesktop covers the release of OSGEdit 0.6.0, a 3D scene editor and composer
that works with OpenSceneGraph.
"This new
version has big improvements in the interactivity, by using auto-commit of
changes instead of deferred application. Other changes include support for
editing particle systems, visual arrangement of properties into tabs, sync
with OpenSceneGraph 0.9.8, port to MacOSX, and lots of usability/bug fixes."
Comments (none posted)
Interoperability
Release 20050211 of Wine has been announced.
Changes include work on the MSI dll, OLE work, and bug fixes.
Comments (none posted)
Music Applications
Version 1.0 of Rosegarden 4, an audio
and MIDI sequencer, has been released.
"Rosegarden is one of the most comprehensive Linux music software
projects, and is the only Linux application to offer full composition
and recording capabilities to musicians who prefer to use classical
notation."
Full Story (comments: none)
Version 0.4.13 of SWH Plugins, a set of audio effect plugins, has
been announced. The project home page has more change information:
"Changes include removal of denormals from the SC4 and SC4 mono plugins, and the fast lookahead limiter. These changes are especially important for people running JAMin on Pentium 4's. There are also some mild quality improvements to the tape delay and FAD delay, but more needs to be done there."
Full Story (comments: none)
Office Suites
Build 1.9.78 of OpenOffice.org has been announced.
"This package contains Desktop integration work for
OpenOffice.org, several back-ported features & speedups, and a much
simplified build wrapper, making an OO.o build / install possible for
the common man. It is a staging ground for up-streaming patches to
stock OO.o."
Full Story (comments: none)
Science
Version 1.6.6 of Chemtool is available with a new bug fix.
"Chemtool is a small program for drawing chemical structures on Linux and Unix systems using the GTK toolkit under X11."
Comments (none posted)
Web Browsers
The minutes are available from the following Mozilla meetings:
Also, Mitchell Baker has posted
A blog discussion
about the differences between mozilla.org staff and Mozilla
Foundation Employees.
Comments (none posted)
Languages and Tools
Caml
The February 8-15, 2005 edition of the Caml Weekly News is online.
Take a look for new Caml language articles.
Full Story (comments: 2)
Groovy
Andrew Glover uses Groovy for MVC programming on IBM developerWorks.
"Views are an integral part of MVC programming, which is itself a ubiquitous component of enterprise application development. In this installment of Practically Groovy, Andrew Glover shows how Groovy's template engine framework can simplify view programming and make your code more maintainable over time."
Comments (none posted)
Java
O'Reilly has published an excerpt from the book
Java 1.5 Tiger: A Developer's Notebook by
Brett McLaughlin and David Flanagan.
"In this excerpt from Chapter 5 of the book, Brett and David cover how to create and iterate over variable-length argument lists (better known as varargs), which will have you writing better, cleaner, more flexible code in no time."
Comments (1 posted)
John Zukowski works with panes and Tiger on IBM developerWorks.
"How many times have you written code with frame.getContentPane().add(), or forgotten to get the content pane before calling add() and ended up with an Error thrown at runtime? As consultant John Zukowski shows you in this Taming Tiger tip, these problems are a thing of the past."
Comments (none posted)
Perl
The February 1-8, 2005 edition of This Week in Perl 6 is out
with the latest Perl 6 development news.
Comments (none posted)
Python
The February 15, 2005 edition of Dr. Dobb's Python-URL!
is out with the latest Python articles and resources.
Full Story (comments: none)
Ruby
The February 13, 2005 edition of the
Ruby Weekly News is available with the latest news and discussion from the
ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The February 14, 2005 edition of Dr. Dobb's Tcl-URL!
is online with the latest Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Drew McLellan discusses dynamic web interfaces on O'Reilly.
"One of the classic drawbacks to building a web application interface is that once a page has been downloaded to the client, the connection to the server is severed. Any attempt at a dynamic interface involves a full roundtrip of the whole page back to the server for a rebuild--a process which tends to make your web app feel inelegant and unresponsive. In this article, I'll be exploring how this problem can be tackled with the use of JavaScript and the XMLHttpRequest object."
Comments (none posted)
Uche Ogbuji has assembled a list of web resources for XML schemata and Web services
on IBM developerWorks.
"It's not always easy to find XML schemata and Web services that meet your exact needs. This tip shows you how to comb through the enormous variety of Internet resources to find schemata and Web services using common search criteria."
Comments (none posted)
IDEs
Emmanuel Proulx discusses Eclipse plugins on O'Reilly.
"Many developers use Eclipse out of the box as an IDE, never investigating its
powerful extensibility. But as Emmanuel Proulx shows in this first
installment of a new series, Eclipse's modular system of plugins allows you to
customize it to suit your development needs."
Comments (none posted)
Miscellaneous
Peter Xiaochuan Huang has announced his Luban programming language.
"Happy new year of rooster to
everybody! And we announce the birth of a new
programming language: Luban. Luban is a component
oriented scripting language created by
Xiaochuan(Peter) Huang in New Jersey, USA.
Peter Huang created Luban because he always wants
better tools. He always wants something easier when
using Java, and he always misses name space and
interface when doing scripting. He eventually went out
and created Luban: a scripting language with a simple
and robust component model tailored for scripting. You
may say Luban is positioned somewhere between Perl and
Java."
Full Story (comments: none)
Howard Fosdick has put together a list of open-source tools
and interpreters for the Rexx language.
"Rexx's distinguishing characteristic is that it combines power
with ease of use. The language is as easy as PHP or Basic but
packs the power required to drive mainframes. It is a
general-purpose language with a strong international standard
that is used for both applications development and systems
administration."
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
A theme that is emerging from the ongoing LinuxWorld conference is
the consolidation of open-source licenses. News.com covers the issue.
"The Open Source Initiative, an influential open-source organization, is devising ways to cut down on the rising number of open-source licenses attached to software.
The issue was on the front burner at this week's LinuxWorld conference here. Open-source software makers are concerned that a proliferation of licenses could hurt the spread of open source by creating compatibility problems and complicating potential sales."
Comments (4 posted)
Linux Journal looks at using Linux, OpenOffice.org, Scribus and The GIMP for getting a book
into publication. "In December of 2004, Clinton Nixon published his
role-playing game, The Shadow of Yesterday. The content of the book was
nothing shocking, nor was the fact that he published the book
himself. Independent authors have been writing role-playing games for as
long as there have been role-playing games. Likewise, self-publication is
not a new phenomenon. The revolutionary thing in Clinton's case is the fact
that only open-source tools were used, from authorship to artwork to page
layout."
Comments (26 posted)
Trade Shows and Conferences
ZDNet covers comments about software patents made by HP's Martin Fink.
"Martin Fink, HP's vice president of Linux, said in Boston at the LinuxWorld Conference and Expo: "At the end of the day, software patents are a way of life. To ignore them is a little bit naive." It's fine to object to software patents, but it's foolhardy not to try to acquire them, he said."
Comments (5 posted)
NewsForge looks at some of the new hardware on display at LinuxWorld.
"Cray had the most impressive computer at LWCE: the XD1. It was a 3U behemoth that howled with cooling fans and sucked air in so hard that it snatched a business card right out of our hand. The heart of the Cray XD1 was modularized into six nodes of dual Opterons, providing a decent amount of processing power."
Comments (none posted)
NewsForge covers the Week of Digital Freedoms, an event that was held at
Rome's Linux Club Italia.
"The Week of Digital Freedoms was a four-day parade of seminars, workshop, movies, concerts, and talks. The program was really a good summary of the Italian activities in the fields of Free Software, unrestricted knowledge, and relationships between IT and ethics."
Comments (none posted)
The SCO Problem
News.com talks with some lawyers about the ruling on the SCO v. IBM motions.
"'Based on the scathing language of the ruling, it appears that SCO just barely dodged a possible knockout punch in this round,' said Carr & Ferrell attorney John Ferrell. 'There's very little that can be more disastrous to your case than an angry federal judge.'"
Comments (2 posted)
Groklaw looks again at the SCO v. IBM ruling and concludes that Judge Kimball plans to resolve the copyright ownership issue in that case - not in the Novell case.
"In addition to announcing that SCO must prove copyright ownership and infringement in the IBM case, he also said it appears likely SCO will lose both of those issues, discussing at some length -- and with some pointed displeasure -- SCO's failure to come forward with any admissible evidence on either element of the copyright claim, as required by summary judgment procedures. He also specifically rejected SCO's request to delay consideration of IBM's copyright counterclaims, so seems bent on deciding the copyright issues first in the IBM case."
Comments (3 posted)
Linux Adoption
The Register covers the increasing use of open-source software across South America.
"Brazil, with 170 million or so citizens and by far the largest South American economy (the economy of Sao Paolo on its own is roughly as big as the economy of Mexico), is leading the way. Brazil's President, Luiz Inacio da Silva, is keen to bridge what he perceives to be a huge technology gap between Brazil and more advanced economies, and sees Open Source as an important means of doing so. He appointed Sergio Amadeu, a former economics professor and Open Source enthusiast, to head Brazil's National Information Technology Institute, after taking office last year."
Comments (1 posted)
Legal
Groklaw reports that software patents have been removed from the EU Commission's agenda,
then points to an article in Silicon Insider entitled "R.I.P. Microsoft?"
"Why put the two stories together on Groklaw? Because I see a
connection. I see widespread distrust of Microsoft and disgust at their
business practices. They may have been largely successful in pulling out the
teeth of the US antitrust ruling, but they are feeling now the effects of
being found guilty of antitrust violations both here and in Europe
nonetheless. If there is one thing money can't buy, it's a good
reputation. Maybe you really do reap what you sow after all."
Comments (8 posted)
Reuters reports that software patents are off the European Council's agenda again, for now.
"EU ministers were expected to endorse the bill without debate next
Thursday and send it for a second reading in the European Parliament, but
the bloc's current president Luxembourg has taken the issue off the
meeting's agenda. 'The Commission regrets very much that the software
patent will not be on the agenda. It has been removed,' Commission
spokesman Olivier Drewes told a news conference. He said the legislation
had run into new problems but declined to give details."
Comments (none posted)
Interviews
With FOSDEM 2005 coming up on February 26-27, 2005 in Brussels, Belgium, it
is time once again for interviews with FOSDEM speakers. There are three
interviews available now:
Alexander Larsson (Nautilus Maintainer),
Matthias Ettrich (Creator of KDE, and Lyx), and
Oliver Fourdan (Creator of XFCE).
Comments (none posted)
KDE.News continues its FOSDEM speaker interview series with part two.
"In the second in our series of interviews with speakers in the FOSDEM KDE developers room Scribus developers Craig Bradney and Peter Linnell talk about the state of desktop publishing on Unix and its acceptance in the commercial DTP World."
Comments (none posted)
KDE.News covers a third set of FOSDEM interviews,
featuring some speakers from the developer tools track.
"Alexander Dymo and Harald Fernengel talk about KDevelop
including Umbrello integration and what might be in store for KDevelop 4.
Benoit Minisini answers questions on Gambas discussing how it compares to
other IDEs and how programming is like a music composer writing a symphony."
Comments (1 posted)
O'Reilly interviews Stewart Butterfield from Flickr.
"At the O'Reilly Emerging Tech Conference in 2004, a startup called Flickr introduced a funny little social networking app that let you upload digital photos into chatroom and IM conversations. While the original launch met with rave reviews from attendees, the Flickr team kept adding features and evolving the service. By July 2004, they had achieved a critical mass of features, and Flickr was becoming the hottest thing on the net."
Comments (none posted)
ZDNet interviews Novell CEO Jack Messman.
"The Novell CEO began an ambitious Linux overhaul of his company in 2003, acquiring SuSE Linux to provide an alternative to the fading NetWare operating system. Since then, the company has released a major new Linux edition, revamped sales, dropped its No. 2 executive and prepared a new version of NetWare: Open Enterprise Server, which comes with Linux built in."
Comments (none posted)
Resources
NewsForge covers a security benchmark package from the Center for Internet Security (CIS).
"Because the CIS has limited resources, its current Linux Benchmark
is designed for only Red Hat Enterprise Linux 2.1 and 3.0 and Fedora Core
1, 2, and 3. Although CIS suggests that derivatives of these distributions
may also be able to run the Benchmark, for now its usefulness is
limited. However, even if the Benchmark itself won't run with a particular
distribution, the information in the accompanying PDF file can be adapted
to most distributions with a minimum of effort and expertise."
Comments (2 posted)
developerWorks looks at the anatomy of the Linux boot process.
"This installment of
"Migrating from x86 to PowerPC" discusses detailed similarities and
differences between booting Linux on an x86-based platform (typically a
PC-compatible SBC) and a custom embedded platform based around PowerPC,
ARM, and others. It discusses suggested hardware and software designs and
highlights the tradeoffs of each. It also describes important design
pitfalls and best practices."
Comments (9 posted)
Reviews
NewsForge has a review of GNOME Photo Printer.
"For the past couple of years, I've used the GIMP whenever I've needed to print photos. It's not really designed for that purpose, but I could size and place the photos where I needed them on the page. One drawback was that multiple passes were required to put multiple photos on a page. Now I've found something much more efficient: the GNOME Photo Printer, written by Sebastian "fogman" Vorkõper. It's just the thing for my printing chores."
Comments (2 posted)
Linux Journal reviews Hardening
Linux, by John Terpstra, Paul Love, Ronald P. Reck and Tim Scanlon.
"Hardening Linux sets out to show average users how to secure a Linux
server or desktop in a step-by-step manner. From the outset the book
assumes you have installed a Red Hat or SuSE Linux server product. Users of
other flavors of Linux need not fret, though; they still can implement the
security suggestions in the book."
Comments (none posted)
KDE.News has a review of KBear.
"This month in our series "Application of the Month" we show you the alternative FTP client, KBear. As usual we have an interview with the author and a description of this powerful but easy to use program."
Comments (none posted)
NewsForge takes a look at an open source RBX1600 personal music server from StreetFire
Sound Labs.
""The open source community is the ultimate marketing
focus group," says entrepreneur Stephen Street, whose latest venture,
StreetFire Sound Labs, is taking on traditional stereo equipment
manufacturers in the "living room war" over home media
equipment. StreetFire's first product, the fully open source RBX1600
personal music server, debuted in the fourth quarter of 2004. The big
difference between StreetFire's $750 server and proprietary systems: "We
want people to hack our box," says Street. "You know the people hacking
their Tivos and running Linux on their Xboxes? We love those guys!""
Comments (none posted)
Daniel McCarthy reviews XAMPP on LinuxJournal.
"XAMPP is a collection of free software for installing and using the Apache Web server. Basically, it is an Apache distribution that includes the Apache Web server, MySQL, PHP, Perl, an FTP server and phpMyAdmin. XAMPP is available for Linux, Solaris and Windows. According to the Apache Friends Web site, "The philosophy behind XAMPP is to build an easy-to-install distribution for developers to get into the world of Apache.""
Comments (none posted)
Miscellaneous
Mozilla Firefox has been downloaded over 25 million times, according to
this article on MozillaZine.
"By the end of
yesterday, 99 days after the release of Firefox 1.0, the browser had been
downloaded 25,105,560 times. In the Mozilla Foundation press release about
the 25 million milestone, Mitchell Baker says, "Firefox is being rapidly
adopted by the mainstream, with this audience embracing Firefox as a more
user-friendly web browsing solution.""
Comments (12 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Here's an FFII release stating that the Dutch parliament has voted - narrowly - for a motion asking the Dutch government to oppose the adoption of the European patent directive next week.
"Dutch Minister for Foreign Trade Van Gennip has confirmed she will execute the motion as intended. It is now the Commission's turn to act."
Comments (4 posted)
LinuxMedNews mentions the release of a new FreeB API specification draft.
"Following up on the recent news release regarding Uversa's position as the
new project maintainer of FreeBilling (FreeB) we are now releasing a draft
API specification of version 2.0 for public comment and review. Read on for
details and how to comment."
Comments (none posted)
The Free Software Foundation (FSF) has announced the appointment of Peter
T. Brown as its new Executive Director. The appointment follows the
departure of Bradley M. Kuhn, who is taking up the post of Chief Technology
Officer at the newly created Software Freedom Law Center (SFLC).
Full Story (comments: none)
The Free Software Foundation Europe sent out a press release
about a recent ruling by the EU Commissioner
concerning software interfaces.
"Software interfaces determine how computers communicate with each other
to exchange information. This information is important for several Free
Software projects. One of these is SAMBA, which connects the UNIX and
GNU/Linux world with Microsoft's operating system and works against the
monopoly that Microsoft has established on the operating system market.
Without access to the software interface information, SAMBA will have a
hard time keeping up."
Full Story (comments: none)
The GNOME-UK group has announced their existence.
"GNOME-UK is about organising and promoting GNOME awareness in the United
Kingdom. This includes, among other things, organising stands and Linux
Events, such as the Linux Expos in London."
Full Story (comments: none)
The Linux Users' Group of Davis (LUGOD) has announced another
Linux Installfest. The event will be held on February 20 in
Davis, California.
Full Story (comments: none)
use Perl has posted an update on the funding of the Perl Foundation.
"Allison writes "Thanks to amazingly generous members of the Perl community The Perl Foundation was able to fund Damian Conway, Larry Wall, and Dan Sugalski in 2002-2003. In 2005-2006 we hope to repeat this pattern and fund Larry Wall, Patrick Michaud, Leopold Tötsch, and a second Parrot developer.""
Comments (none posted)
The January 26, 2005 edition of the
SourceForge.Net Update is online.
Topics include a Java programming challenge,
the project of the month, site statistics, the top 25 projects,
and more.
Comments (none posted)
Commercial announcements
Version 2.0 of Interactive SQL, a database utility
for building, executing and processing PostgreSQL queries,
is available for evaluation.
Full Story (comments: none)
Version 4.2.4 of InterMapper, a commercial network mapping utility,
is available.
"This version makes
it easier to install the WISPerMapper version of the program, improves paging
support on Unix computers, and fixes many bugs."
Full Story (comments: none)
ActiveState has released Komodo 3.1, the newest version of the integrated
development environment (IDE). Komodo 3.1 now offers cross-platform
developers a GTK2+ based user interface, improved Linux desktop
integration, faster debugging with Python, support for Subversion, improved
UTF-8 and PHP5 support, and increased performance on Linux.
Full Story (comments: none)
Mandrakesoft has announced the release of a Linux system capable of
real-time computing on Itanium® 2 based parallel computing platforms
(Symmetric Multiprocessing and cluster computing). Developed for the
"ITEA-HYADES" research project which is intended to adapt standard
technology for applications that require real-time response, associated
with heavy, parallel computations, the new system has already shown its
capabilities in two innovative research applications.
Microsoft Corp. has sent out a
press release, citing research from IDC and Forrester Research
that confirms the strong intellectual property protection customers
receive from Microsoft. The release includes testimony from customers
who chose Windows over Linux.
"According to Stephen Graham, group vice president of Global Software
Business Strategies at IDC, "Recent media focus on industry intellectual
property disputes has brought the issue of indemnification to the forefront,
and all signs point to this issue continuing to grow in significance. End
users would be well advised to carefully review all software contracts to
assess potential exposure, including the extent of coverage provided by
vendors for legal costs and damages and the specific criteria for engaging
this protection.""
ModViz, Inc. has
announced the release of version 1.0 of its Virtual Graphics
Platform:
"a leading standards-based software
solution that virtualizes 3D graphics intensive applications across
clusters of commodity-based computers."
MontaVista Software has
announced the launch of their Mobilinux Open Framework.
"The Mobilinux program encourages leading
semiconductor, mobile software, and phone integrators to create
reference architectures for handset vendors and mobile operators
looking to build Linux handsets."
Novell, Inc. has
announced a joint promotion with IBM.
"Novell and IBM have
launched a joint promotion to encourage software developers to build their
applications for Novell's SUSE(R) LINUX Enterprise Server on IBM POWER
platforms. SUSE LINUX Enterprise Server 9, with the scalability and
performance enhancements of the 2.6 Linux kernel, combined with the processing
capabilities of IBM POWER5 processor-based servers, including IBM eServer
OpenPower, IBM eServer BladeCenter JS20, IBM eServer pSeries and IBM eServer
iSeries, provides a strong foundation for a full range of applications."
Novell has made several announcements this morning. Here are just a few:
The Open Source Development Labs has announced the availability of Desktop
Linux Capabilities, version 1.0, a document created with the participation
of key industry vendors, large end user customers and leaders in the
development community that defines a target for what will make Linux
desktops successful in the enterprise.
php|architect has announced the
php|symphony training series, starting on February 23.
"php|symphony series is a series of great talks designed to dramatically improve your knowledge of PHP by introducing you to new ideas presented by some of the very best speakers and authors in the PHP world.
Each talk is delivered through our exclusive online training system, designed to work with practically any operating system capable of running Macromedia Flash, including Windows, MacOS and Linux, over a 28.8kbps or faster Internet connection."
Red Hat, Inc. has
announced that it will present at the NCInvest 2005 Third
Annual Regional Investor Conference in Chapel Hill, North Carolina
on February 16, 2005. A replay of the presentation will be made
available online.
Turbolinux, Inc. has
announced that it has achieved profitability in two Asian offices.
"Turbolinux, Inc. announced
today that its Japan office and Chinese subsidiary have achieved
substantial profits both in gross sales and net income for the year
2004".
The flood of press releases for the LinuxWorld Conference & Expo
has begun; here is the first round:
LinuxWorld started today in Boston, bringing with it the usual flood of
press releases and articles. Here are just a few:
- Novell announced
it has contributed portions of Novell eDirectory to the FreeRADIUS and
Samba projects.
- Novell announced
the availability of Novell(R) Security Manager powered by Astaro.
- SGI announced
the latest version of its SGI ProPack(TM) software performance suite is
now fully supported on SUSE(R) LINUX Enterprise Server 9.
- KDE.News covers the
KDE exhibit.
- AMD, in collaboration with XenSource announced
that it will port Xen to AMD64 technology.
- Oracle announced
the creation of a dedicated Linux Test Lab.
- PathScale and Sun announced
the results of standardized performance tests on PathScale's EKOPath
Compiler Suite.
- Trolltech announced
that over 50 vendors are designing, building or shipping devices based on
Qtopia(R) and related Trolltech software for embedded Linux.
- News.com has some photos available.
Here are the LinuxWorld announcements for Wednesday, February 16, 2005:
- Arkeia and SGI
are offering a High-Performance Backup Solution.
- HP
has opened the European Open Source Utility Performance Center.
- IDG World Expo
announced the winners of its Product Excellence Awards.
- MySQL
has launched the MySQL Network for Corporate Enterprises.
- Palmida
has released a system for controlling software IP assets.
- PathScale
has announced the addition of 15 new members to its PathScale FastPath reseller program.
- Rocketcalc has announced
new Opteron-Based Cluster Appliances.
- Scalix
announced support for the IBM eServer zSeries platform.
- TimeSys
has launched a Carrier Grade Linux 2.0 Upgrade Program for Telecom Manufacturers.
- Unisys
will hold the TuxMasters Invitational student programming contest.
- Xandros
has announced the launch of Xandros Surfside Linux.
Contests and Awards
KDE.News has announced a digiKam photo management application artwork contest.
"Photo management application digiKam and KDE-Look.org are teaming up to have a contest for the best new Superimpose Templates which will be included in digiKam's next release. The prizes are a digital memory card and kde-look t-shirt."
Upcoming Events
The Big Nerd Ranch will be holding another PostgreSQL Bootcamp on
April 18-22, 2005 near Atlanta, GA.
The San Francisco techCongress
has been announced. The event will be held in Palo Alto, CA
on April 19-20, 2005.
"The San Francisco techCongress will examine the common best
practices across industries and frank discussions of and pitfalls to
those solutions, advantages and benefits."
GNOME.conf.au will be held in Canberra, Australia on April 19, 2005
as part of the Linux.Conf.Au conference.
Also, the UbuntuDownUnder conference will take place from April 25-30,
2005.
The Free Audio and Video Event will be held in Bristol, UK on
August 13, 2005.
"We are putting on a Free Audio/Video Event which will cover a range
of things including Audio Software for Music and Radio Production, Video
Editing, Visuals and 'Creative Commons' Type licencing. This is a user
event focusing on what is possible with Free, Open source and FLOSS
Software."
| Date | Event | Location |
|---|---|---|
| February 17, 2005 | Linux World Conference and Expo | (Hynes Convention Center) Boston, MA |
| February 18, 2005 | Fedora Users and Developers Conference (FUDcon1) | (Massachusetts Institute of Technology) Boston, Massachusetts |
| February 24 - 25, 2005 | UKUUG LISA/Winter Conference | Birmingham, UK |
| February 25, 2005 | Dutch Perl Workshop | Amsterdam, the Netherlands |
| February 26 - 27, 2005 | Free and Open Source Developers' European Meeting (FOSDEM 2005) | Brussels, Belgium |
| February 28 - March 3, 2005 | EclipseCon 2005 | (Hyatt Regency) Burlingame, CA |
| February 28 - March 1, 2005 | Asia Debian Mini-Conf 2005 | Beijing, China |
| March 1 - 2, 2005 | JBoss World 2005 User Conference | (Omni/CNN Center) Atlanta, GA |
| March 2 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland |
| March 2 - 3, 2005 | Asia CodeFest 2005 | Beijing, China |
| March 2 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China |
| March 2 - 4, 2005 | The Free and Open Source Software Workshop | (Al Assad National Library) Damascus, Syria |
| March 4, 2005 | LPA AGM | Rivonia Sandton, South Africa |
| March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany |
| March 12, 2005 | Gentoo UK 2005 | (University of Salford) Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) | (Westin Horton Plaza) San Diego, CA |
| March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 | (Hotel Borobudur) Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop | (Caribe Royale All Suites Resort & Convention Center) Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 | (GWU Cafritz Conference Center) Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec | (Crowne Plaza Hotel) Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |
| April 5 - 6, 2005 | Open Source Business Conference (OSBC) | (Westin St. Francis) San Francisco, CA |
| April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore |
| April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA |
| April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 | (Westin Hotel) Seattle, WA |
Miscellaneous
O'Reilly has announced the publication of a new magazine called
MAKE.
"The urge to make things is primal and unstoppable. In
service of that universal urge, humans grab the tools and materials at
hand--while a previous generation picked up a saw and bullnose rabbet
plane, today's makers are likely to reach for a soldering iron and Cat 5
cable. MAKE, a new magazine from O'Reilly Media, celebrates and inspires
those who are driven to make cool and unusual things with technology, for
the pure fun of it."
Page editor: Forrest Cook