The Fedora hackers have a small problem: the current Fedora Core 4
distribution, as it sits in rawhide, is about 300MB too big to fit onto
four CDs. For various reasons, the project is not interested in adding a
fifth disk at this time. So that means that something has to come out and,
presumably, be relegated to the "extras" repository. The project has taken
the somewhat unusual step of coming out and asking its users: what would
you remove?
The leading candidate, at the moment, would appear to be Java support,
especially Eclipse. The Java packages are huge; getting rid of them would
solve the space problems easily. They are also relatively easy to remove
because they were not shipped in prior versions of Fedora. The
distribution's users, one assumes, will complain less about losing something
they didn't have in the first place.
People are complaining, however. Many developers feel that, if Linux is to
have a hope of long-term success in large enterprises, it has to offer
top-quality Java support. But, if the distributors do not support free
Java implementations now, work on free Java stands a good chance of dying
from neglect. Few people want to see a future where Linux is, at best, a
platform for proprietary Java implementations. To avoid that future, the
distributors should support free Java now.
Other possibilities raised include:
- Getting rid of the games. Certainly games are not at the top
of the list for many commercial environments, but games do serve as a
gentle introduction to Linux for many people.
- Dropping either emacs or xemacs (but not both).
- Dropping exim and postfix. Except, of course, many people think that
the distribution should drop sendmail instead.
- Removing abiword and gnumeric, since, in theory, OpenOffice.org
provides the same functions.
- Removing KDE. Or removing GNOME. Neither of those looks feasible, but
it's possible that XFce will go.
- Moving epiphany to extras. Or firefox.
- Going to GCC4, which will cut some redundancy. It appears that this
change might just happen for FC4.
Various other ideas have gone around as well, but none of them are pleasing
to everybody. It appears that the Fedora
Project, which has to come up with an answer to this question in the near
future, is almost certain to upset somebody, at least in the short term.
For future Fedora Core releases, there are plans to make the installer
smarter so that it can transparently grab packages from multiple
repositories. With a bit more infrastructure work, perhaps Fedora could
take a cue from Ubuntu, and drop back to a single installation CD. In the
end, it really should not be necessary to download every possible package
(in ISO form) just to get a base system installed. For now, however, the
project seems stuck with the need to remove packages that some of its users
truly want.
Update: a list of removed packages
has been posted. Victims include abiword, balsa, exim, gnumeric, koffice,
octave, sylpheed, xemacs, and xfce. The Java packages appear to have
survived. Second update: it seems
that Fedora Core 4 will also be a five-CD distribution; that's how
they kept the Java packages.
Comments (61 posted)
Your editor returned to the LinuxWorld Conference & Expo last week for
the first time in five years. LinuxWorld has been an important conference
since it began; there may be no better place to see what is going on on the
business side of Linux. But the development-oriented conferences are much
more fun. Still, LinuxWorld proved to be an interesting experience.
Attendance at the Boston LinuxWorld was on the order of 7,000 people. The
east-coast version of the event is clearly quite a bit smaller than the San
Francisco edition, but that is still a significant crowd. Attendees were
heard to say that the show felt smaller than last year's event in New
York. The organizers seem happy with the turnout, however, and plan to
move to a larger conference center (still in Boston) next year.
There were some 140 exhibitors on the busy trade show floor. Of these, 24
were in the .Org area. By a conservative count, close to one third of the
exhibitors were pushing some sort of proprietary software for Linux; backup
software, configuration management, and databases all seem to be highly
active areas. Security too, as could be seen by all of the attendees who
were willing to accept - and wear - "virus free" stickers from one of the
more in-your-face booths.
The design of the conference center caused the exhibit floor to be divided
into two rooms. The conference organizers made use of that division to
great effect: they separated the two communities in attendance at
LinuxWorld. The larger room was dedicated to commerce; that's where all
the large booths from the usual suspects (Red Hat, Novell, IBM, Sun, etc.)
were to be found. The displays were flashy, the speakers charismatic, and
"solutions" were flying by at high speed. But the community which creates
the software that makes all this possible was nowhere in evidence. In
early LinuxWorld conferences, it was common to find developers hanging out
in their employers' booths. In 2005, those developers have found somewhere
else to be.
[Photo: Jim Gettys]
The interesting thing is that a fair number of developers could, indeed, be
found at LinuxWorld. They tended to prefer the other room, however, where
the ".Org pavilion" was located. That side of the hall was far less
flashy, but much more fun. The people who create Linux do still wander by
LinuxWorld; you just have to know where to find them.
The early LinuxWorld conferences included a reasonable program of talks
along with the exhibit floor. At the first LinuxWorld, your editor complained that talks by Jon
'maddog' Hall, Larry Wall, Jeremy Allison, and Miguel de Icaza had all been
scheduled simultaneously. There are few such problems in 2005. Though the
conference did offer some interesting speakers (among others: Jeremy
Allison, Matt Domsch, Chris Wright, Jay Beale, and, inevitably, maddog),
the conference program was fit into a mere three slots per day. The talks
are clearly not the main attraction at LinuxWorld.
Your editor got a chance to try out booth duty, giving a talk from the
O'Reilly booth. For the morbidly curious, O'Reilly's Greg Corrin has posted
a picture of the event.
![Bruce Perens](/images/ns/lweb2005/perens-sm.jpg)
The only talk your editor attended was, interestingly, not on the
conference program. Bruce Perens gave his "state of open source" talk,
instead, in a press conference format - complete with free food. The core
of the talk was concerned with software patents - in Europe, and in the
U.S. The community has, says Bruce, no defense against patent suits, and
free software developers cannot count on assistance from large corporations
when an infringement suit comes around. He was apparently recruited to be
an expert witness for "the defining Linux patent infringement case," only
to be dropped when the (anonymous) party realized that Bruce would not
testify in a patent holder's favor. According to Bruce, the solution to
the software patent problem can only lie in "clean-up" legislation at the
Federal level.
Bruce also touched on Sun's situation (from which the company has "no good
exit"), the SCO suit (interesting things may come from the turmoil at
Canopy), and the need to emphasize the "free" part of free software. A
focus on freedom will help the community to occupy a moral high ground
which will help when trying to obtain friendly legislation. Bruce has
posted his
speaking notes for those who are interested.
One notable absence this time around was any mention of BSD. The BSD
branch of Unix was well represented at early LinuxWorld shows; the booth
staff tended to stand out in the crowd of Linux folks. BSD remains an
important part of the free software world, but its distance from Linux
appears, sometimes, to be growing.
LinuxWorld reflects the commercial side of Linux; that side is an important
part of the greater Linux ecosystem. This conference is also where new
users tend to start. So it is an important event. It's important that the
community be there; we can help guide users toward the heart of the free
software movement.
Comments (7 posted)
The number of open source licenses in use today would be a good example of
"too much of a good thing." Taken individually, each open source license
represents the freedom to use, modify and redistribute code. However, many
of the licenses are incompatible, and present a hurdle for open source
projects that may want to incorporate code from other projects.
At LinuxWorld last week the Open Source Initiative (OSI) board made it
known that they are looking at ways to reduce the number of open source
licenses in use. We invited Russ Nelson, president of OSI, to respond to
questions about reducing the number of open source licenses in use.
LWN: What's so bad about license proliferation?
Two problems:
- A company reasonably should take a good look at the license before they
modify a piece of open source software, even for internal use. "A good
look" means a legal analysis. Every new open source license makes it that
much more expensive. Some companies want to do this even if they only *use*
open source software (but no open source license restricts use in any way).
- What happens when you want to combine software from two different
packages, but they're licensed under software with conflicting terms?
LWN: Realistically, what can be done about the problem? How can OSI "trim"
the number of licenses, or influence companies and developers that use
one-off licenses or less popular licenses that are incompatible with the
"main" open source licenses such as the GPL or BSD license?
Say "no" more often. But it's not enough for us to say "no". We have to
have community support for saying "no", so that the community won't use
software that isn't OSI Certified.
LWN: OSI has approved quite a few licenses - how many of those licenses are
one-offs or used by a handful of projects?
The vast majority. Before we can address license proliferation, we need to
understand the problem better. How many companies think they need to study
a license before they can use open source? How many before they make
internal modifications? How many before they publish modifications? We
need to understand how many licenses are actually being used, and how
widely. Lots of study needed before we take action.
LWN: Is there any consideration being given to changing the Open Source
Definition - for example, to disallow licenses that are specifically
tailored not to be compatible with the GPL?
We would have to discern intent to do that. But yes, we've changed the OSD
in the past; we may do it again.
LWN: It's been well-publicized that version 3 of the GPL is in the works.
(Well, has been for some time, but much noise has been made about it being
ready this year.) What needs to be in version 3?
Depends on what your goal is. If you went into a code tree to refactor it,
there are always changes you would make. If you want to add features, you
would make different changes. I expect that some community members would
like the GPL to be a contract rather than a copyright license. I expect
that others would like to see copyright provisions address "public
performance"; that is, web services.
LWN: In one story, Sam Greenblatt was quoted as saying "there should be
three licenses: the GPL, a commercial version of the GPL and...the BSD."
What would a "commercial version of the GPL" look like?
CDDL. Or more properly, the MPL, since it already has traction in the
community (clearly, since Sun wrote the CDDL based on the MPL). A lot of
licenses are derived from the MPL. If we can figure out why they derived
the MPL rather than using it, we can fix the problem in the MPL that caused
them to do that.
LWN: Thanks, Russ.
Comments (5 posted)
Page editor: Jonathan Corbet
Security
Here at LWN security headquarters, we have received hundreds of messages
from readers with one crucial security question on their minds: how was
Paris Hilton's T-Mobile account cracked?
Well...OK...maybe we haven't received quite that many messages. But we're
sure people will want to know. Turns out that OSDir has the answer.
Apparently T-Mobile's site has a "secret answer" mechanism for people who
forget their passwords. Ms Hilton's "secret answer" was her dog's name.
Bitten again.
Wherever there is a potential security problem, there is inevitably a
Bruce Schneier column warning about it. In this case, Bruce notes:
Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is
just one manifestation of that fact.
Passwords may well be heading toward the end of their useful life, but
"secret answers" are not necessarily a demonstration of that fact. Many
web sites (or other interfaces requiring confirmation) go out of their way
to prevent the use of insecure passwords. Some site developers put
considerable effort into creating novel rules for passwords. Then they add a "secret
answer" mechanism which bypasses all of that.
The real issue here, perhaps, is that an authentication interface should
actually control access to the resources it protects. Back doors are never
good for the security of a system, and a "secret answer" scheme is really
just a form of back door. If you provide a way around your password
interface, you should not be surprised if attackers use it.
Comments (17 posted)
Brief items
MozillaZine reports that IDN support will not be disabled. The details of
the new short-term solution are available:
"Darin Fisher, network supremo, has pulled it out of the bag and come up
with a less drastic short-term solution to the IDN problem. It has just
been checked in for all three upcoming releases. Read about it over in bug
282270, but basically IDN will still work, but all occurrences of IDN
domains in the browser UI (URL bar, security info etc.) will be the
punycode form. There is a pref to re-enable full IDN - set
"network.IDN_show_punycode" to false. As with the previous plan, this
preference will be set to true in all official builds."
Meanwhile the search for a long-term solution continues.
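To see what the punycode display makes visible, here is an added Python example (not Mozilla's code) that renders a hostname the way the patched URL bar does with network.IDN_show_punycode set to true, and additionally flags labels that mix scripts; that mixed-script check is this example's own addition, not part of the Mozilla change, and the sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames: a plain ASCII name, a genuine IDN, and a
# look-alike whose second letter is CYRILLIC SMALL LETTER A (U+0430).
SAMPLES = ["paypal.com", "bücher.example", "p\u0430ypal.com"]


def to_punycode(host: str) -> str:
    """Render a hostname as the browser UI does with IDN display disabled:
    every non-ASCII label becomes its xn-- (punycode) form."""
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Return the scripts used by the letters of one label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are script-neutral
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(host: str) -> bool:
    """True when any label mixes letters from different scripts, the pattern
    behind look-alike (homograph) domain names."""
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


def display_form(host: str, show_punycode: bool = True) -> str:
    """Mimic the preference: with show_punycode true the punycode form is
    shown. With it false the Unicode form is shown, except that this example
    still falls back to punycode for mixed-script names (its own extra check)."""
    if show_punycode or is_mixed_script(host):
        return to_punycode(host)
    return host


if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:24} -> {display_form(h):24} mixed={is_mixed_script(h)}")
```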
Comments (23 posted)
New vulnerabilities
bidwatcher: format string vulnerability
| Package(s): | bidwatcher |
| --- | --- |
| CVE #(s): | CAN-2005-0158 |
| Created: | February 18, 2005 |
| Updated: | March 3, 2005 |
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. This problem can be triggered remotely by a web server of eBay, or someone pretending to be eBay, sending certain data back. As of version 1.3.17 the program uses cURL and is not vulnerable anymore. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| --- | --- |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| --- | --- |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
GProFTPD: gprostats format string vulnerability
| Package(s): | gproftpd |
| --- | --- |
| CVE #(s): | |
| Created: | February 18, 2005 |
| Updated: | February 23, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a format string vulnerability in the gprostats utility. An attacker could exploit the vulnerability by performing a specially crafted FTP transfer; the resulting ProFTPD transfer log could potentially trigger the execution of arbitrary code when parsed by GProFTPD. |
| Alerts: | |
Comments (none posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| --- | --- |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| --- | --- |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
mc: multiple vulnerabilities
| Package(s): | mc |
| --- | --- |
| CVE #(s): | CAN-2004-1004, CAN-2004-1005, CAN-2004-1092, CAN-2004-1176 |
| Created: | February 17, 2005 |
| Updated: | March 4, 2005 |
| Description: | Midnight Commander has multiple vulnerabilities including format string vulnerabilities, buffer overflows, a buffer underflow, and a memory deallocation error. An attacker can use these to run arbitrary code with the permissions of the user. |
| Alerts: | |
Comments (none posted)
PuTTY: remote code execution
| Package(s): | putty |
| --- | --- |
| CVE #(s): | CAN-2005-0467 |
| Created: | February 21, 2005 |
| Updated: | March 2, 2005 |
| Description: | Two vulnerabilities have been discovered in the PSCP and PSFTP clients, which can be triggered by the SFTP server itself. See this iDEFENSE advisory for details. |
| Alerts: | |
Comments (none posted)
Squid: DNS response handling
| Package(s): | squid |
| --- | --- |
| CVE #(s): | CAN-2005-0446 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |
| Description: | Handling of certain DNS responses triggers assertion failures. By returning a specially crafted DNS response, an attacker could cause Squid to crash by triggering an assertion failure. |
| Alerts: | |
Comments (none posted)
xpdf: vulnerabilities on 64 bit platforms
| Package(s): | xpdf gpdf cups |
| --- | --- |
| CVE #(s): | CAN-2005-0206 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |
| Description: | The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| --- | --- |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
alsa-lib: disabled stack execution protection
| Package(s): | alsa-lib |
| --- | --- |
| CVE #(s): | CAN-2005-0087 |
| Created: | February 15, 2005 |
| Updated: | February 16, 2005 |
| Description: | A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. |
| Alerts: | |
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| --- | --- |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
Comments (none posted)
ClamAV: multiple issues
| Package(s): | clamav |
| --- | --- |
| CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 |
| Updated: | March 3, 2005 |
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| --- | --- |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| --- | --- |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a buffer overflow vulnerability in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| --- | --- |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | dhcp 2.x has a format string vulnerability in its log functions that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| --- | --- |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| --- | --- |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| --- | --- |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
f2c: insecure temp files
| Package(s): | f2c |
| --- | --- |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |
| Description: | The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| --- | --- |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| --- | --- |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| --- | --- |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| --- | --- |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| --- | --- |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| --- | --- |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| --- | --- |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| --- | --- |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| --- | --- |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| --- | --- |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| --- | --- |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| --- | --- |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
kdeedu: buffer overflow in fliccd
| Package(s): | kdeedu kstars |
| --- | --- |
| CVE #(s): | CAN-2005-0011 |
| Created: | February 16, 2005 |
| Updated: | February 18, 2005 |
| Description: | Erik Sjölund discovered a buffer overflow in fliccd, which is part of kdeedu, edutainment applications for KDE. An attacker could exploit this vulnerability to execute code with elevated privileges. If fliccd does not run as a daemon, remote exploitation of this vulnerability is not possible. |
| Alerts: | |
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
| --- | --- |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
Comments (none posted)
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
| --- | --- |
| CVE #(s): | CAN-2005-0001 |
| Created: | January 14, 2005 |
| Updated: | February 25, 2005 |
| Description: | Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details. |
| Alerts: | |
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| --- | --- |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| --- | --- |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| --- | --- |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| --- | --- |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Alerts:
Comments (none posted)
lighttpd: script source disclosure
Package(s): lighttpd
CVE #(s):
Created: February 15, 2005
Updated: February 16, 2005
Description:
lighttpd uses file extensions to determine which elements are programs
that should be executed and which are static pages that should be sent
as-is. By appending %00 to the filename, you can evade the extension
detection mechanism while still accessing the file. A remote attacker
could send specific queries and access the source of scripts that should
have been executed as CGI or FastCGI applications.
Alerts:
Comments (none posted)
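The lighttpd entry above describes a mismatch between two views of one string: the extension check sees the full decoded request (including a NUL byte decoded from %00), while the file is later opened through a NUL-terminated C string that stops at that byte. The following C program is an added example, not lighttpd's own code; the function names (`classify_vulnerable`, `classify_hardened`, `url_decode`) and the ".php" rule are constructed for illustration. It models both the defective check and the hardened one, which simply refuses any decoded path containing a NUL byte so that both views agree.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of classifying a decoded request path. */
enum handling { HANDLE_STATIC = 0, HANDLE_CGI = 1, HANDLE_REJECT = 2 };

/* 1 if the decoded path (len bytes, may contain NUL) ends in ".php". */
static int ends_with_php(const char *path, size_t len)
{
    static const char ext[] = ".php";
    size_t n = sizeof(ext) - 1;
    return len >= n && memcmp(path + len - n, ext, n) == 0;
}

/* Defective pattern: the extension test uses the full decoded length, so a
 * trailing NUL makes ".php\0" look like a static file, while the file that
 * open(2) later receives is the C string cut at that NUL. */
enum handling classify_vulnerable(const char *path, size_t len)
{
    return ends_with_php(path, len) ? HANDLE_CGI : HANDLE_STATIC;
}

/* The name a NUL-terminated open(2) would actually see: up to the first NUL. */
size_t effective_name_len(const char *path, size_t len)
{
    const char *nul = memchr(path, '\0', len);
    return nul ? (size_t)(nul - path) : len;
}

/* Hardened: a decoded path with an embedded NUL cannot be a real file name,
 * so reject it outright; then the checked string and the opened string are
 * guaranteed to be identical. */
enum handling classify_hardened(const char *path, size_t len)
{
    if (memchr(path, '\0', len) != NULL)
        return HANDLE_REJECT;
    return ends_with_php(path, len) ? HANDLE_CGI : HANDLE_STATIC;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes into out and return the decoded byte count. The result
 * is deliberately not NUL-terminated: "%00" becomes a real NUL byte inside
 * the buffer, which is exactly the case the classifier has to handle. */
size_t url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n < outsz; in++) {
        if (in[0] == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[n++] = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    return n;
}
```

The general rule the hardened version applies is broader than this one bug: any time a length-counted buffer is later handed to a NUL-terminated API, either reject embedded NULs at the boundary or carry the length all the way through.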
linux-source-2.6.8.1: multiple vulnerabilities
Package(s): linux-source-2.6.8.1
CVE #(s): CAN-2005-0176
CAN-2005-0177
CAN-2005-0178
Created: February 15, 2005
Updated: March 15, 2005
Description:
Michael Kerrisk noticed insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the RLIMIT_MEMLOCK limit (that is the
maximum size of shared memory that unprivileged users can acquire). This
allowed an unprivileged user process to unlock locked memory of other
processes, thereby allowing them to be swapped out. Usually locked shared
memory is used to store passphrases and other sensitive content which must
not be written to the swap space (where it could be read out even after a
reboot). (CAN-2005-0176)
OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly
set to 128 instead of 256. This caused a buffer overflow in some cases
which could be exploited to crash the kernel. (CAN-2005-0177)
A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-0178)
Alerts:
Comments (none posted)
lvm10: creates insecure temporary directory
Package(s): lvm10
CVE #(s): CAN-2004-0972
Created: November 1, 2004
Updated: July 25, 2005
Description:
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Alerts:
Comments (none posted)
mailman: cross-site scripting
Package(s): mailman
CVE #(s): CAN-2004-1177
Created: January 10, 2005
Updated: March 22, 2005
Description:
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.
Alerts:
Comments (none posted)
mailman: path traversal
Package(s): mailman
CVE #(s): CAN-2005-0202
Created: February 9, 2005
Updated: July 13, 2005
Description:
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list.
Alerts:
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Alerts:
Comments (none posted)
mod_python: remote access vulnerability
Package(s): mod_python
CVE #(s): CAN-2005-0088
Created: February 10, 2005
Updated: April 10, 2006
Description:
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
Alerts:
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
mysql: several vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
Created: October 11, 2004
Updated: April 6, 2005
Description:
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Comments (none posted)
mysql-dfsg: insecure temporary files
Package(s): mysql-dfsg
CVE #(s): CAN-2005-0004
Created: January 18, 2005
Updated: March 25, 2005
Description:
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program.
Alerts:
Comments (none posted)
nasm: Buffer overflow vulnerability
Package(s): nasm
CVE #(s): CAN-2004-1287
Created: December 20, 2004
Updated: May 4, 2005
Description:
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code.
Alerts:
Comments (4 posted)
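The mpg321 entry (user data passed to printf(3) as the format) and the nasm entry just above (an unbounded vsprintf() into a fixed array) are two faces of the same printf-family hazard. The C below is an added example, not code from either project; the function names `show_title_safe` and `bounded_format` and the "Title:" prefix are constructed for illustration. It shows the hardened forms: user data is always passed as an argument to a fixed format string, and every write into a fixed array goes through vsnprintf with the array size and reports truncation rather than overrunning.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the mpg321-style defect. The vulnerable shape was
 * printf(title), which lets %n, %s and %x in attacker-supplied text drive the
 * formatter. Here the title is only ever an argument, so "%x%x%n" in the
 * input is copied as plain characters. Returns the snprintf result. */
int show_title_safe(char *out, size_t outsz, const char *title)
{
    /* was (vulnerable): printf(title); */
    return snprintf(out, outsz, "Title: %s", title);
}

/* Hardened replacement for the nasm-style defect. The vulnerable shape was
 * vsprintf(array, fmt, ap) with no bound; this version passes the size and
 * returns -1 if the output did not fit (dst is still NUL-terminated and
 * holds the truncated prefix), 0 on success. */
int bounded_format(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                 /* encoding error */
    if ((size_t)n >= dstsz)
        return -1;                 /* would have overflowed: report, do not write past end */
    return 0;
}
```

The snprintf return value is the key to the second function: it reports how many bytes the full output would have needed, so a caller can detect truncation without ever writing past the buffer. Compilers flag the original printf(user) shape with -Wformat-security, which is worth enabling as an error in any code that formats untrusted text.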
ncpfs: multiple vulnerabilities
Package(s): ncpfs
CVE #(s): CAN-2005-0013
CAN-2005-0014
Created: January 31, 2005
Updated: May 15, 2006
Description:
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Alerts:
Comments (none posted)
netkit-rwho: missing input validation
Package(s): netkit-rwho
CVE #(s): CAN-2004-1180
Created: February 11, 2005
Updated: February 17, 2005
Description:
"Vlad902" discovered a vulnerability in the rwhod program that can be
used to crash the listening process. The broadcasting one is
unaffected. This vulnerability only affects little endian
architectures (i.e. on Debian: alpha, arm, ia64, i386, mipsel
and s390).
Alerts:
Comments (none posted)
netkit-telnet: invalid free pointer
Package(s): netkit-telnet
CVE #(s): CAN-2004-0911
Created: October 4, 2004
Updated: March 28, 2005
Description:
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
Alerts:
Comments (none posted)
nfs-utils: denial of service
Package(s): nfs-utils
CVE #(s): CAN-2004-1014
Created: December 1, 2004
Updated: May 15, 2005
Description:
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Alerts:
Comments (none posted)
nfs-utils: arbitrary code execution
Package(s): nfs-utils
CVE #(s): CAN-2004-0946
Created: January 11, 2005
Updated: February 27, 2006
Description:
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
Alerts:
Comments (none posted)
openssl: der_chop script temp file vulnerability
Package(s): openssl
CVE #(s): CAN-2004-0975
Created: November 11, 2004
Updated: July 19, 2005
Description:
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Alerts:
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
Package(s): opera
CVE #(s):
Created: February 14, 2005
Updated: June 22, 2005
Description:
Opera has several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code.
Alerts:
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155
CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
php4: multiple vulnerabilities
Package(s): php4
CVE #(s):
Created: February 20, 2005
Updated: February 21, 2005
Description:
A vulnerability was reported in PHP in the cURL functions. A script can bypass the 'open_basedir' directory setting. See this SecurityTracker Alert for more information.
Alerts:
Comments (2 posted)
postfix: error in IPv6 handling
Package(s): postfix
CVE #(s): CAN-2005-0337
Created: February 4, 2005
Updated: March 16, 2005
Description:
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i.e., it erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address.
Alerts:
Comments (1 posted)
postgresql: EXECUTE privilege vulnerability
Package(s): postgresql
CVE #(s): CAN-2005-0244
CAN-2005-0245
CAN-2005-0246
CAN-2005-0247
Created: February 10, 2005
Updated: July 19, 2005
Description:
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
Alerts:
Comments (none posted)
python: illegal function internals access
Package(s): python
CVE #(s): CAN-2005-0089
Created: February 3, 2005
Updated: April 22, 2005
Description:
Python versions 2.2 and 2.3 have a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes.
Alerts:
Comments (none posted)
qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
Package(s): rp-pppoe, pppoe
CVE #(s): CAN-2004-0564
Created: October 4, 2004
Updated: November 15, 2005
Description:
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Alerts:
Comments (none posted)
ruby: infinite loop
Package(s): ruby
CVE #(s): CAN-2004-0983
Created: November 8, 2004
Updated: May 15, 2005
Description:
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles.
Alerts:
Comments (none posted)
samba: integer overflow vulnerability
Package(s): samba
CVE #(s): CAN-2004-1154
Created: December 16, 2004
Updated: July 19, 2005
Description:
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server.
Alerts:
Comments (none posted)
sharutils: arbitrary code execution
Package(s): sharutils
CVE #(s): CAN-2004-1772
Created: October 1, 2004
Updated: April 26, 2005
Description:
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
Alerts:
Comments (none posted)
sox: buffer overflow
Package(s): sox
CVE #(s): CAN-2004-0557
Created: July 28, 2004
Updated: February 21, 2005
Description:
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description:
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Alerts:
Comments (none posted)
squid: multiple vulnerabilities
Package(s): squid
CVE #(s): CAN-2005-0173
CAN-2005-0175
CAN-2005-0194
CAN-2005-0211
Created: February 4, 2005
Updated: March 8, 2005
Description:
Several vulnerabilities have been discovered in Squid, including cache
pollution/poisoning via HTTP response splitting, a larger-than-normal WCCP
packet that could overflow a buffer, and more.
Alerts:
Comments (none posted)
SquirrelMail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2005-0075
CAN-2005-0103
CAN-2005-0104
Created: January 28, 2005
Updated: July 19, 2005
Description:
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a.
Alerts:
Comments (none posted)
Subversion: Remote heap overflow
Package(s): subversion
CVE #(s): CAN-2004-0413
Created: June 11, 2004
Updated: March 7, 2005
Description:
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
Alerts:
Comments (none posted)
sudo: environment variable sanitizing
Package(s): sudo
CVE #(s): CAN-2004-1051
Created: November 17, 2004
Updated: May 15, 2005
Description:
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
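The tar/unzip entry above and the earlier mailman "private" module entry (path names not sanitized adequately) are both path traversal: a name supplied by an untrusted party is joined onto a trusted base directory without checking that it stays inside. The C below is an added example, not code from tar, unzip or mailman; the functions `archive_name_is_safe` and `build_extract_path` are constructed for illustration. The policy it implements is the conservative one an extractor should apply before touching the filesystem: reject absolute names and any name with a ".." component, even one that would lexically cancel out, and build the destination path only after the check passes.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` (an archive member name or similar untrusted path) is
 * safe to create beneath a destination directory, 0 otherwise.
 *
 * Lexical policy: reject empty and absolute names, and reject any name with
 * a ".." path component, including "a/../b", which stays inside but is
 * never needed in a well-formed archive. Names such as "..hidden" are fine
 * because the component is not exactly "..". Symlinks already present in
 * the destination are a separate, runtime concern this check does not cover. */
int archive_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Join `name` under `dest` into `out`, but only after the name passes the
 * safety check. Returns 0 on success, -1 if the name is unsafe or the
 * result would not fit (in which case `out` must not be used). */
int build_extract_path(const char *dest, const char *name,
                       char *out, size_t outsz)
{
    if (!archive_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}
```

Rejecting rather than rewriting ("stripping" the leading "../" as some old extractors did) is deliberate: a rewritten name still comes from the attacker, and stripping rules are easy to get wrong, whereas refusing the member makes the hostile archive visibly fail.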
thunderbird: cookie handling bug
Package(s): thunderbird
CVE #(s): CAN-2005-0149
Created: February 15, 2005
Updated: February 16, 2005
Description:
A bug was found in the way Thunderbird handled cookies when loading content
over HTTP regardless of the user's preference. It is possible that a
particular user could be tracked through the use of malicious mail messages
which load content over HTTP.
Alerts:
Comments (none posted)
tiff: buffer overflows
Package(s): tiff
CVE #(s): CAN-2004-0803
Created: October 13, 2004
Updated: April 12, 2005
Description:
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
Alerts:
Comments (none posted)
typespeed: format string vulnerability
Package(s): typespeed
CVE #(s): CAN-2005-0105
Created: February 16, 2005
Updated: February 16, 2005
Description:
Ulf Härnhammar from the Debian Security Audit Project discovered a
problem in typespeed, a touch-typist trainer disguised as a game. This
could lead to a local attacker executing arbitrary code as group
games.
Alerts:
Comments (none posted)
uw-imap: authentication bypass
Package(s): uw-imap imap
CVE #(s): CAN-2005-0198
Created: February 2, 2005
Updated: March 1, 2005
Description:
The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions.
Alerts:
Comments (1 posted)
vim: modeline problems
Package(s): vim
CVE #(s): CAN-2004-1138
Created: December 15, 2004
Updated: February 24, 2005
Description:
A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user.
Alerts:
Comments (none posted)
vim: symbolic link attack
Package(s): vim
CVE #(s): CAN-2005-0069
Created: January 18, 2005
Updated: February 18, 2005
Description:
Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim).
Alerts:
Comments (none posted)
vmware: untrusted library search path
Package(s): vmware
CVE #(s):
Created: February 14, 2005
Updated: February 16, 2005
Description:
VMware may load shared libraries from an untrusted, world-writable
directory, resulting in the execution of arbitrary code.
Alerts:
Comments (none posted)
wpa_supplicant: buffer overflow
Package(s): wpa_supplicant
CVE #(s):
Created: February 16, 2005
Updated: February 16, 2005
Description:
wpa_supplicant contains a possible buffer overflow due to missing
validation of received EAPOL-Key frames. An attacker could cause the crash
of wpa_supplicant using a specially crafted packet.
Alerts:
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Alerts:
Comments (none posted)
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description:
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Alerts:
Comments (none posted)
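Six entries on this page describe one bug class: libdbi-perl, lvm10's lvmcreate_initrd, mysql-dfsg's mysqlaccess, openssl's der_chop, vim's tcltags/vimspell.sh and this xine-ui script all create a temporary file or directory under a predictable name, so that a local attacker who pre-places a symlink at that name redirects the write to any file the victim may write. The C program below is an added example, not code from any of those packages; the functions `open_temp_predictable`, `open_temp_noclobber`, `create_temp_securely` and `demo_symlink_refused`, and the directory names it uses, are constructed for illustration. It contrasts the defective open(2) flags with the two standard fixes (O_EXCL|O_NOFOLLOW, or letting mkstemp/mkdtemp pick an unpredictable name and create it atomically) and checks the behaviour in a private directory of its own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The defective pattern: a predictable name, O_CREAT without O_EXCL. If the
 * name already exists as a symlink, open follows it and truncates the
 * target. Kept only as the "before" picture. */
int open_temp_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix 1: O_CREAT|O_EXCL fails with EEXIST if anything (a symlink included)
 * already sits at the name; O_NOFOLLOW additionally refuses to follow a
 * symlink in the final component. Returns the fd or -1. */
int open_temp_noclobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2 (preferred): let mkstemp choose an unpredictable name and create
 * it atomically with O_EXCL, then pin the mode explicitly. `tmpl_path`
 * must end in "XXXXXX" and is rewritten in place with the chosen name. */
int create_temp_securely(char *tmpl_path)
{
    int fd = mkstemp(tmpl_path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        unlink(tmpl_path);
        return -1;
    }
    return fd;
}

/* Self-check in a private directory: plant a symlink where a naive program
 * would write and confirm that the predictable open follows it while the
 * hardened open refuses. Returns 1 when both behave as described. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";        /* mkdtemp creates it 0700 */
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[256], linkpath[256], tmpl[256];
    snprintf(target, sizeof target, "%s/victim", dir);     /* stands in for a file the attacker wants clobbered */
    snprintf(linkpath, sizeof linkpath, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);

    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0) return 0;
    close(t);
    if (symlink(target, linkpath) < 0) return 0;

    int naive = open_temp_predictable(linkpath);      /* follows the link: succeeds */
    int hardened = open_temp_noclobber(linkpath);     /* refuses the pre-placed name */
    int refused = hardened < 0 && (errno == EEXIST || errno == ELOOP);
    if (naive >= 0) close(naive);
    if (hardened >= 0) close(hardened);

    int fd = create_temp_securely(tmpl);
    int created = fd >= 0;
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return naive >= 0 && refused && created;
}
```

For scripts (the shell and Perl cases on this page) the same two fixes apply through mktemp(1) and mktemp -d, or File::Temp in Perl; the common thread is that the name must be unguessable and the create must be atomic, and fixing only one of the two leaves the race in place.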
xorg-x11: integer overflows
Package(s): xorg-x11
CVE #(s): CAN-2004-0914
Created: November 18, 2004
Updated: September 12, 2005
Description:
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code.
Alerts:
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2004-1125
Created: December 23, 2004
Updated: April 1, 2005
Description:
xpdf has a
potential buffer overflow problem caused by insufficient input validation.
A specially crafted PDF file can allow an
attacker to execute code with privileges of the xpdf user.
Alerts:
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Comments (1 posted)
xpdf: integer overflows
Package(s): xpdf kpdf cupsys
CVE #(s): CAN-2004-0888
CAN-2004-0889
Created: October 21, 2004
Updated: February 18, 2005
Description:
Several xpdf integer overflow vulnerabilities can be exploited via a
malformed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys which share code. Additional information can be found in this KDE security advisory.
Alerts:
Comments (none posted)
zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
Comments (none posted)
Resources
iDEFENSE Labs has announced the launch of a
community site. This site serves as a
repository for sharing research and development with the security
community, including the release of free software tools.
Full Story (comments: none)
Events
The Call for Papers has been announced for the RECON conference. RECON is
a security conference taking place in downtown Montreal June 17 - 19.
Papers must be submitted by April 15, 2005.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.11-rc4. The slow trickle of
fixes into Linus's BitKeeper repository continues, with the final 2.6.11
release likely to happen before too long.
The current -mm prepatch is 2.6.11-rc4-mm1. Recent changes to -mm include
device mapper multipath support (see below), the cpushare
"secure computing" patch, a SCSI changer driver, a new set of BIO
support functions, some performance counter updates, and various fixes.
The current 2.4 prepatch is 2.4.30-pre2, released by Marcelo on
February 23. This prepatch adds a new set of fixes (mostly in the networking
subsystem) and a few filesystem and driver updates.
Comments (3 posted)
Kernel development news
Martin Hicks recently posted a patch which adds a new degree of user-space
control over memory management policy. In particular, it creates a new
/proc entry:
/proc/sys/vm/toss_page_cache_nodes
If a suitably privileged process writes one or more NUMA node numbers to
that file, all pages belonging to that node which are found in the page
cache will be flushed out. Essentially, this operation causes a node to
forget about all locally-cached pages from files in the filesystem.
Clearing the page cache in this way would normally be bad for performance.
The page cache exists to allow the filesystem to satisfy common filesystem
requests without going to the disk; clearing the cache defeats that
functionality and would normally be undesirable. There are exceptions to
everything, however. This patch is aimed at large-scale high-performance
computing tasks running in a cluster environment. Such jobs typically do
best if they can start with a clean system; they have no real use for
whatever may have been cached for the previous user. More to the point, a
full page cache can cause memory allocations to be satisfied with non-local
(slower) memory, resulting in significantly worse performance. By clearing
the cache before starting a new job, a system administrator can ensure that
local memory is available for that job.
Not everybody likes the patch. Ingo Molnar thinks that this capability will create
confusion and make the debugging of memory problems even harder.
How are we supposed to debug VM problems where one player
periodically flushes the whole pagecache? ... Providing APIs to
flush system caches, sysctl or syscall, is the road to VM madness.
Andrew Morton, instead, sees the value of the patch for some users, but doesn't like the implementation. He would
like to see this capability made useful for other classes of users, such as
kernel developers who want to put the system into a known state before
running tests. He also doesn't like the /proc interface, and
argues for a new system call instead. His suggestion was:
sys_free_node_memory(long node_id, long pages_to_make_free,
long what_to_free);
This form of the call would allow the clearing of something less than the
entire page cache, making the tool a bit less crude. The
what_to_free argument would be a bitmask specifying which types of
memory to free; beyond the page cache, this call could cause the kernel to
reclaim anonymous memory or slab caches.
The system call approach would seem to make sense; there is one remaining
glitch, however: SUSE already shipped the /proc interface in
SLES9. That revelation drew a complaint
from Andrew:
This is why you should target kernel.org kernels first. Now we
risk ending up with poor old suse carrying an obsolete interface
and application developers have to be able to cater for both
interfaces.
An explicit purpose behind the 2.6 development model is to get patches into
the mainline quickly so that their form can be stabilized before
distributors ship them. As the developers become used to this mode of
operation, this sort of issue should become relatively rare.
Comments (3 posted)
Multipath connectivity is a feature of high-end storage systems. A storage box
packed with disks will be connected to multiple transport paths, any one
of which can be used to submit I/O requests. A computer will be connected
to more than one of these transport interconnects, and can choose among
them when it has an I/O request for the storage server. This sort of
arrangement is expensive, but it provides for higher reliability (things
continue to work if an interconnect fails) and better performance.
Support for multipath in Linux has traditionally been spotty, at best.
Some low-level block drivers have included support for their specific
devices, but support at that level leads to duplicated functionality and
difficulties for administrators. Some thought has gone into how multipath
is best supported: does that logic belong at the driver layer, the SCSI
mid-layer, the block layer, or somewhere else? The conclusion that was
reached at last year's Kernel Summit was that the device mapper was the
best place for multipath support.
That support has now been coded up and posted for review; it was added to the
2.6.11-rc4-mm1 kernel. When used with the user-space multipath tools distribution,
the device mapper can now provide proper multipath support - for some
hardware, at least.
Internally, the multipath code creates a data structure, attached to a
device mapper target, which looks like this:
When time comes to transfer blocks to or from a device mapper target
representing a multipath device, the code goes to the first priority group
in the list. Each group represents a set of paths to the device, each of
which is considered equal to the others; the preferred paths (being the
fastest and/or most reliable) should be contained in the first group in the
list. Priority groups include a path selector - a function which
determines which path should be used for each I/O request. The current
patches include a round-robin selector
which simply rotates through the paths to balance the load across them.
Should situations arise which require more complicated policies, it should
not be tremendously difficult to create an appropriate path selector.
If a given path starts to generate errors, it is marked as failed and the
path selector will pass over it. Should all paths in a priority group
fail, the next group in the list (if it exists) will be used. The
multipath tools include a management daemon which is informed of failed
paths; its job is to scream for help and retry the failed paths. If a path
starts to work again, the daemon will inform the device mapper, which will
resume using that path.
There may be times when no paths are available; this can happen, for
example, when a new priority group has been selected and is in the process
of initializing itself. In this situation, the multipath target will
maintain a queue of pending BIO structures. Once a path becomes available,
a special worker thread works through the pending I/O list and sees to it
that all requests are executed.
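The three paragraphs above describe the selection logic in prose: walk the priority groups in order, use a path selector within a group (round-robin in the current patches), skip failed paths, fall through to the next group when a whole group has failed, and queue the I/O when nothing is available. The C below is an added example that models that logic in user space; it is not the device mapper multipath code, and the structure and function names (`struct multipath`, `multipath_select`, `multipath_fail_path`, `multipath_reinstate_path`) and the sample path names are constructed for illustration. A NULL return from `multipath_select` corresponds to the "no paths available, queue the BIO" case.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PATHS  4
#define MAX_GROUPS 2

struct mp_path { const char *name; int failed; };

/* One priority group: a set of equivalent paths plus the round-robin
 * selector's cursor. */
struct priority_group { struct mp_path paths[MAX_PATHS]; int npaths; int next; };

/* A multipath target: groups in preference order, best first. */
struct multipath { struct priority_group groups[MAX_GROUPS]; int ngroups; };

/* Round-robin path selector for one group: start at the cursor and take the
 * first path that has not been marked failed, advancing the cursor past it.
 * Returns NULL if every path in the group has failed. */
static struct mp_path *rr_select(struct priority_group *pg)
{
    for (int i = 0; i < pg->npaths; i++) {
        int idx = (pg->next + i) % pg->npaths;
        if (!pg->paths[idx].failed) {
            pg->next = (idx + 1) % pg->npaths;
            return &pg->paths[idx];
        }
    }
    return NULL;
}

/* Pick a path for the next request: the first group with a live path wins.
 * NULL means no path at all; a real target would queue the request until
 * the daemon reinstates a path. */
struct mp_path *multipath_select(struct multipath *mp)
{
    for (int g = 0; g < mp->ngroups; g++) {
        struct mp_path *p = rr_select(&mp->groups[g]);
        if (p)
            return p;
    }
    return NULL;
}

static void set_failed(struct multipath *mp, const char *name, int failed)
{
    for (int g = 0; g < mp->ngroups; g++)
        for (int i = 0; i < mp->groups[g].npaths; i++)
            if (strcmp(mp->groups[g].paths[i].name, name) == 0)
                mp->groups[g].paths[i].failed = failed;
}

/* Called when a path starts generating errors. */
void multipath_fail_path(struct multipath *mp, const char *name)
{
    set_failed(mp, name, 1);
}

/* Called by the management daemon once a retried path works again. */
void multipath_reinstate_path(struct multipath *mp, const char *name)
{
    set_failed(mp, name, 0);
}

/* Constructed sample topology: two preferred paths, two fallback paths. */
struct multipath sample_multipath(void)
{
    struct multipath mp = { .ngroups = 2 };
    mp.groups[0].npaths = 2;
    mp.groups[0].paths[0].name = "sda";
    mp.groups[0].paths[1].name = "sdb";
    mp.groups[1].npaths = 2;
    mp.groups[1].paths[0].name = "sdc";
    mp.groups[1].paths[1].name = "sdd";
    return mp;
}
```

The per-group cursor is what makes the selector pluggable: a weighted or latency-aware selector would replace `rr_select` and keep its own state in the group, while the group walk, failure marking and reinstatement stay the same.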
At the lower level, the multipath code includes a set of hardware hooks for dealing with
hardware-specific events. These hooks include a status function, an
initialization function, and an error handler. The patch set includes a hardware handler for EMC CLARiiON devices.
Comments on the patches have been relatively few, and have dealt mostly
with trivial issues. The multipath patches are unintrusive; they add new
functionality, but do not make significant changes to existing code. So
chances are good that they could find their way into the 2.6.12 kernel.
The FUTEX code implements lightweight mutual exclusion primitives for user
space. It is intended to be used in situations - such as multi-threaded
programs - where mutual exclusion is needed, but where the implementation must be fast.
Olof Johansson recently stumbled across a case where the FUTEX code can
deadlock the system (thus failing the "fast" test), which shows how hard it
can be to get concurrency issues right.
One of the many locking primitives provided by the kernel is the
reader-writer semaphore, or "rwsem". An rwsem can be obtained for either
read or write access. Any number of readers will be allowed to hold the
semaphore concurrently. Any thread which must change the protected data
structures must, however, obtain the semaphore for write access. Only one
writer is allowed at any given time, and no readers may be in the critical
section while the writer is at work.
If a thread tries to obtain an rwsem for write access, and that semaphore
is currently held (by somebody else) for read access, the writer will be
put to sleep. Once
the writer gets in line, however, no more readers will be allowed in. Once
the existing readers have gotten out of the way, the writer will be allowed
to proceed. The queued readers will only wake up after the writer is
done. This implementation makes rwsems fair, in that readers cannot starve
writers indefinitely. It also makes certain types of subtle faults
possible, however.
If a process might have to wait on a FUTEX, the kernel must obtain that
process's memory map semaphore (mmap_sem). This semaphore, which
is an rwsem, controls access to the internal FUTEX data structures; it is
taken for read access. The kernel must also query the value of the FUTEX
itself, which is done through a call to get_user(). Should that
access generate a page fault, the fault handler will obtain
mmap_sem for read access a second time. This double access works
just fine; the second down_read() call simply looks like another
reader, which can run concurrently with the first.
Life gets complicated, however, when other processes share the same address
space. Since the FUTEX mechanism is aimed at threads, this is a situation
which comes about frequently. Consider the following series of events:
| Thread 1                              | Thread 2                               |
| Call sys_futex()                      |                                        |
| down_read(&current->mm->mmap_sem);    |                                        |
|                                       | call mmap()                            |
|                                       | down_write(&current->mm->mmap_sem);    |
|                                       | (goes to sleep)                        |
| call get_user()                       |                                        |
| (everything comes to a halt)          |                                        |
When the second process calls mmap(), it must obtain
mmap_sem for write access. Since the first process is already a
reader, the down_write() call is queued and the process is put to
sleep. When the first process makes its get_user() call, it tries
to obtain the rwsem for read access for the second time. Since there is
now a writer waiting, however, the first process also is put to sleep.
Since the first process is the one holding the initial read lock, this
situation will never resolve itself; it is a deadlock. This particular
type of deadlock is nasty in that it requires a race condition to become
visible; things usually just work.
Several possible solutions have been proposed. The rwsem "lock depth"
could be explicitly tracked so that a
second attempt to obtain read access simply implements a counter and does
not sleep. Processes holding mmap_sem could be marked with a
special PF_MMAP_SEM flag; the page fault code would see that flag,
realize that the semaphore is already held, and not take it again. Olof's
initial report included a patch which tries to explicitly fault in the page
before taking the semaphore so that the get_user() call would not
generate a fault.
The solution which will eventually be adopted will likely take a different
approach, however. Conventional wisdom has long said that functions like
get_user() cannot be called in atomic context (in an interrupt
handler or when a spinlock is held), since they might sleep. In fact, if
the user-space access functions generate a page fault in atomic context,
the fault handler simply refuses to bring in the page and the function
returns an error code. So the solution, first suggested by Linus, is to put the process into
an atomic mode (by calling inc_preempt_count()) just before the
get_user() call. If get_user() fails, the page must be
faulted in. So the mmap_sem is dropped, the page is explicitly
faulted, and the whole process starts over again.
As often happens, the full solution turned out to be a bit more complicated
than initially thought. So Olof put together a
patch implementing a new user-space access function:
int get_user_inatomic(value, user_pointer);
This function is atomic; it may succeed or fail, but it will always return
without sleeping. Like get_user(), it is implemented as a macro
which tries to do the right thing regardless of the data type of the value
to be fetched. That implementation drew a
complaint from one developer, who would rather see new interfaces done
in a more strongly-typed manner. So the details of the patch that eventually
gets merged (presumably after 2.6.11) may change, but it will likely follow
this approach.
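The deadlock, and why dropping the lock before faulting fixes it, can be
replayed with a small model of a fair rwsem. The following is an added
example written for this article and is a simplification, not kernel code:
FairRwsem applies the one rule that matters here (a queued writer blocks
every new down_read(), even from a thread that already holds the lock for
read), and race() walks through the interleaving from the table above with
the classic get_user() path and with the get_user_inatomic()-style retry
loop. The names FairRwsem, race and run_queued_writer, and the "page not
present" flag, are the editor's own.

```python
"""Model of the mmap_sem / FUTEX deadlock and of the inatomic fix.
Added example; a simplified model of the rules described in the text,
not the kernel's rwsem implementation."""


class FairRwsem:
    """A reader-writer semaphore that is fair in the kernel's sense."""

    def __init__(self):
        self.readers = 0           # active read holders
        self.writer = False        # a writer currently holds the lock
        self.writers_waiting = 0   # writers queued behind current readers

    def down_read(self):
        """Return True if read access is granted, False if the caller would sleep."""
        # Fairness rule: once a writer is queued, no new readers get in,
        # including a thread that is already one of the readers.
        if self.writer or self.writers_waiting:
            return False
        self.readers += 1
        return True

    def up_read(self):
        self.readers -= 1

    def down_write(self):
        """Return True if write access is granted, else queue and return False."""
        if self.readers == 0 and not self.writer:
            self.writer = True
            return True
        self.writers_waiting += 1
        return False

    def up_write(self):
        self.writer = False

    def run_queued_writer(self):
        """Scheduler step: a queued writer gets in once the readers are gone."""
        if self.writers_waiting and self.readers == 0 and not self.writer:
            self.writers_waiting -= 1
            self.writer = True
            self.up_write()        # mmap() completes immediately in this model
            return True
        return False


def race(use_inatomic):
    """Replay the two-thread interleaving. Returns "ok" if thread 1 gets to
    read the futex word, "deadlock" if it would sleep on mmap_sem while
    already holding it for read."""
    sem = FairRwsem()
    page_present = False           # constructed: the futex word is not faulted in

    sem.down_read()                # thread 1: sys_futex() takes mmap_sem
    sem.down_write()               # thread 2: mmap() queues behind the reader

    if not use_inatomic:
        # Classic get_user(): the page fault handler wants mmap_sem again.
        if not page_present and not sem.down_read():
            return "deadlock"      # thread 1 sleeps holding what thread 2 waits for
        return "ok"

    # Fixed path: the atomic fetch fails instead of faulting, so thread 1
    # drops the lock, faults the page in explicitly and starts over.
    while not page_present:
        sem.up_read()              # drop mmap_sem ...
        sem.run_queued_writer()    # ... which lets the queued mmap() finish
        page_present = True        # explicit fault-in with no lock held
        if not sem.down_read():    # retake the lock and retry the access
            return "deadlock"
    return "ok"


if __name__ == "__main__":
    print("classic get_user():", race(False))
    print("inatomic + retry:  ", race(True))
```

The model makes the two facts the text relies on explicit: a second
down_read() from the same thread is not a recursive lock, just another reader
that fairness will block, and the fix works because the lock is not held at
the moment the page is faulted in.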
Page editor: Jonathan Corbet
Distributions
News and Editorials
When it comes to hosting a company or a personal web site, there are more
choices than ever. Not only is there a plethora of web hosting providers
all lining up for our business, we also have a choice of many excellent
operating systems, most of which are free - in both senses of the word. In
fact, after having spent some time investigating the possibilities, this
author concluded that the majority of hosting companies in operation today
seem to have standardized on offering Fedora Core, Debian GNU/Linux and
FreeBSD as their preferred operating systems. This is hardly surprising;
all three of them are not only free of cost, but also well-established and
trusted as web serving platforms. For the purpose of this two-part article
we will look at and compare the features and security aspects of Debian
GNU/Linux with those of FreeBSD, both of which the author has had the
pleasure to use and administer in recent years.
Despite some crucial differences with respect to their kernels and base
system, the two operating systems, as considered from the point of view of
included applications, are rather similar. Both Debian and FreeBSD provide
the Apache web server, several scripting languages (PHP, Perl, Python, Ruby
or any other tool one might employ for the purpose of developing
interactive web pages), integration with MySQL and PostgreSQL databases,
SSL features and anything else that we've come to expect from a system
designed for web serving. All commonly used UNIX tools, such as man pages
and shells, are also provided.
But under the surface, there are more profound differences, especially in
the design and philosophy of the two operating systems. FreeBSD has a much
faster release cycle - production-ready releases are made roughly every 6
months, whereas the Debian developers only make a new stable release "when
ready", which can take years. In fact, the current stable release - Debian
Woody - is now 31 months old. This means that those administrators and web
developers who would like to make use of new features in any of the
applications they deploy will probably be better off with FreeBSD. As an
example, during the time when this author administered a Debian server he
found himself in need of upgrading PHP to take advantage of some newly
introduced functions, as well as Postfix and SpamAssassin, the new versions
of which offered much improved spam-fighting techniques. But with Debian's
slow release cycle, the only way to upgrade the above-mentioned packages
(other than compiling them from source) was to get them from Backports.org.
Although very good and highly up-to-date, Backports.org is a third-party
repository, not officially sanctioned by the Debian Project and not
supported by the Debian Security Team.
This is in sharp contrast with FreeBSD, where only the base system, often
referred to as kernel and userland, is kept in a constant state (with the
only exception being security updates), while the included applications, or
ports in FreeBSD's language, are continuously updated. This being so, a
system administrator can choose to keep upgrading all important ports to
their current stable versions and take advantage of any new features in
them. This is a very pleasant aspect of FreeBSD - instead of the endless
wait one might endure before a new stable Debian release, the administrator
running FreeBSD can upgrade all installed ports to their latest versions at
any time, independently of the base system.
While most system administrators would deploy Debian as a binary
distribution, i.e. they would install and use its pre-compiled binary
packages, FreeBSD's ports are mostly meant to be compiled directly from
source on the user's system. As always, the proponents of each approach
could engage in endless debates about their respective merits; here we'll
just say that both ways of doing things have their advantages and
disadvantages. As an example, compiling Apache with a worker.c module (for
a busy web server) under FreeBSD is as simple as modifying a parameter in a
Makefile, then running "make install". On a Debian system, achieving the
same would entail downloading the source code, looking through the source
files to find the relevant place, modifying it, then creating a new Debian
package with "apt-build" - not a particularly tedious task, but not as
elegant as on FreeBSD. On the other hand, compiling ports directly from
source code always brings in a risk of a port failing to compile, which can
be frustrating.
The ability to upgrade the operating system painlessly to a newer version is
one area where Debian enjoys a considerable advantage. Since its early
days, Debian has always provided a simple and elegant upgrade path between
two stable releases, which is probably a feature that has attracted Debian
many supporters. Unfortunately, FreeBSD does not have the same policy.
While upgrading FreeBSD to a new minor version (e.g. from 4.10 to 4.11) is
relatively easy and mostly trouble-free, the same cannot be said of
upgrading between major versions (e.g. from 4.10 to 5.3). In fact, the
FreeBSD project does not recommend upgrading from 4.x to 5.x at all; not
only is this path untested, it would also mean loss of functionality due to
incompatible file systems in the two major FreeBSD versions. This could be
an important consideration for those users who do not have physical access
to the server - while upgrading Debian to a newer version is as simple as
executing a couple of commands, with FreeBSD one would need the direct
assistance of somebody at the web hosting company.
There is one interesting feature of FreeBSD that does not exist in Debian
(at least not in its default configuration) - two reports, the "Daily Run"
and the "Security Run", which are emailed to the system administrator on a
daily basis. They represent a collection of routine tasks performed by
several cron jobs. The "Daily Run" output provides information about the
state of the system, uptime, mail in the mail queue, and the state of the
disk partitions and network interfaces. It also backs up and reports
changes (if any) in the /etc/passwd and /etc/group files. The "Security
Run" is even more useful, with information about setuid files and devices,
passwordless user accounts, SSH login failures, and refused connections. It
even informs the administrator about current vulnerabilities in any of the
installed ports (provided that a certain port is installed on the system,
but we'll get to that in the second part of this article).
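The checks the "Security Run" performs (passwordless accounts, changes in
the setuid file list, SSH login failures and refused connections) are easy to
approximate on a Debian host that lacks such a report. The following is an
added example written for this article, not FreeBSD's own periodic scripts:
the shadow entries, auth.log lines and setuid snapshots are constructed and
embedded inline so it runs offline, and the function names (security_run,
passwordless_accounts, ssh_failures, setuid_changes) are the editor's own. On
a real system the inputs would come from /etc/shadow (read as root),
/var/log/auth.log and a nightly "find / -perm -4000" listing.

```python
"""A minimal "Security Run"-style daily report for a Debian-type host.
Added example; the sample inputs below are constructed, not real data."""
import re
from collections import Counter

# Constructed /etc/shadow lines (name:hash:...). An empty hash field means
# the account can log in with no password at all.
SHADOW_SAMPLE = """root:$6$abc$xyz:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
guest::16000:0:99999:7:::
www-data:!:16000:0:99999:7:::
ops::16000:0:99999:7:::
"""

# Constructed sshd lines in /var/log/auth.log format.
AUTH_LOG_SAMPLE = """Feb 22 03:14:01 web1 sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Feb 22 03:14:05 web1 sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Feb 22 03:15:09 web1 sshd[4107]: Failed password for root from 198.51.100.7 port 40010 ssh2
Feb 22 03:20:44 web1 sshd[4120]: Accepted publickey for deploy from 203.0.113.5 port 50022 ssh2
Feb 22 03:22:10 web1 sshd[4131]: refused connect from 198.51.100.7 (198.51.100.7)
"""

# Constructed setuid-file snapshots from yesterday's and today's run.
SETUID_YESTERDAY = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}
SETUID_TODAY = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo", "/tmp/.x/helper"}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")


def passwordless_accounts(shadow_text):
    """Accounts whose shadow hash field is empty."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            found.append(fields[0])
    return found


def ssh_failures(log_text):
    """Failed password attempts per (user, source) and refused connects per source."""
    failed = Counter()
    refused = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[(m.group(1), m.group(2))] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group(1)] += 1
    return failed, refused


def setuid_changes(before, after):
    """Setuid files that appeared and disappeared since the previous snapshot."""
    return sorted(after - before), sorted(before - after)


def security_run(shadow_text=SHADOW_SAMPLE, log_text=AUTH_LOG_SAMPLE,
                 setuid_before=SETUID_YESTERDAY, setuid_after=SETUID_TODAY):
    """Assemble the report as a list of lines, ready to be mailed to root."""
    report = []
    for name in passwordless_accounts(shadow_text):
        report.append(f"passwordless account: {name}")
    failed, refused = ssh_failures(log_text)
    for (user, src), n in sorted(failed.items()):
        report.append(f"ssh failed password: {user} from {src} x{n}")
    for src, n in sorted(refused.items()):
        report.append(f"ssh refused connect: {src} x{n}")
    added, removed = setuid_changes(setuid_before, setuid_after)
    for path in added:
        report.append(f"new setuid file: {path}")
    for path in removed:
        report.append(f"setuid file removed: {path}")
    return report


if __name__ == "__main__":
    print("\n".join(security_run()))
```

The report only lists what changed or what looks wrong, which is the property
that makes the FreeBSD mails readable day after day; a new setuid binary in an
unexpected location, as in the constructed snapshot, is exactly the kind of
line an administrator wants to notice.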
There is perhaps one other FreeBSD advantage worth mentioning - it boots
much faster than Debian. True, this is not a terribly exciting
characteristic of an operating system that is meant to be running 24 hours
a day, but it is still good to know that if the system needs to be rebooted
(perhaps after a security-related kernel upgrade), it won't be down for
more than a minute on any reasonably recent hardware. Booting Debian takes
at least twice as long.
In part 2 of the article, coming up next week, we will compare the ways
security updates are handled by the two operating systems, and briefly
consider some migration issues.
Distribution News
Turbolinux, Inc. has
announced the availability of a technical preview version of
"Turbolinux 10 for AMD64/EM64T".
Slack/390, the Slackware port for
s/390, has
announced the
release of Slack/390 10.0. The company Sine Nomine Associates has
announced a commercial support
package for Slack/390.
Ubuntu Linux has released the
fifth in a series of milestone CD images on the path to a stable Hoary
Hedgehog. Array CD 5 is available for
download.
The Debian Project will be at
several
conferences worldwide during late February and March. These include
CONSOL 2005 in Mexico City, Mexico, FOSDEM in Brussels, Belgium, 5th Asia
Open Source Software Symposium in Beijing, China, 7th Chemnitzer Linux-Tage
in Chemnitz, Germany, CeBIT in Hannover, Germany, and IT/Linux Days in
Lörrach, Germany.
Here's an update from the Debian Project Secretary on the Debian Project Leader Elections. The
campaigning period begins February 28, 2005.
Here's a release update covering the debian-installer, upload targets, kernels, and
infrastructure.
Matthew Garrett has posted
a writeup demystifying the roles and responsibilities of the FTPmaster
team. (Found on DebianPlanet)
Also found on DebianPlanet, Roberto
C. Sanchez has written an Automatic
Debian Package Repository HOWTO.
For those of you waiting for the first Fedora Core 4 test release: the
expected date has been pushed back to March 14. The main reason for
the delay is to fit better with the GCC schedule; the current hope is that
it will be possible to include GCC 4 in Fedora Core 4.
New Distributions
T2 is a flexible System Development Environment or Distribution Build Kit.
T2 allows the creation of custom distributions with bleeding edge
technology. Currently the Linux kernel is normally used, but there are
plans to expand to Hurd, OpenDarwin, OpenBSD and more. T2 started as a
community driven fork from the ROCK Linux Project with the aim of creating
a decentralized development and a clean framework for spin-off projects and
customized distributions. T2 2.1.0-beta3 "serpentine" was released
February 18, 2005.
Xorcom Rapid is a Debian/Asterisk
distribution program that features an auto-install for Debian Linux and
pre-configured Asterisk. It quickly and effortlessly converts any PC to a
functioning Asterisk PBX. Version 1.0 is currently available for
download.
Distribution Newsletters
The Debian Weekly News for February 22, 2005 is out. This issue covers Debian Project Leader elections, the LSB has been submitted to the ISO/IEEE to achieve international standards recognition, an update on translations, Moria may be back, the roles and responsibilities of the FTPmaster Team, broken dependencies in unstable, and more.
Here's the Gentoo Weekly Newsletter for the week of February 21, 2005.
This issue has an Après-Show report from Boston Linux World Expo, a last
call for FOSDEM 2005, sponsorships for the Gentoo UK conference, Gentoo RSS
feeds, a Gentooified Kuro-Box, and other topics.
The DistroWatch Weekly for February 21, 2005 is out. "Welcome to this
year's 8th issue of DistroWatch Weekly! In it, we take a brief look at two
popular distributions, new versions of which were released over the
weekend: PCLinuxOS and VectorLinux. We also reveal our brand new
distribution database, which, while far from complete, should make it
easier to search for a desired distribution based on various criteria. And
if you have much time on your hands, we introduce you to no fewer than 7
new Linux distributions that were added to the waiting list last week.
Happy reading!"
Minor distribution updates
Lineox has released the first release candidate of Lineox Enterprise Linux
4.0, built from the source packages for Red Hat Enterprise Linux 4.0.
VectorLinux has announced the release of v5.0 SOHO, based on Slackware
10.1. "Some of the bundled applications are: KDE 3.3.2 and iceWM 1.2.13 as
window managers. For a complete web experience you will find Firefox 1.0
with pre-configured Mplayer, Flash, and Java plugins, plus Gaim 1.1.2,
gFtp, Kasablanca, and Sylpheed."
Xwoaf (X Windows
On A Floppy) has moved to a new web site, and now has new release. The X
applications available in version 0.1.4a are: edx text editor, retawq text
only web browser, txplor dual-pane tree/filelist filemanager, OXElmo email
client, bcalc 4 function calculator and a popup calendar with
day/date/time. Also includes jwm window manager and all modules for NICs,
block devices and file systems.
Package updates
Fedora Core 3 updates:
selinux-policy-targeted-1.17.30-2.80 (bug
fixes),
policycoreutils-1.18.1-2.9 (fix
restorecon segfault on unlabeled file systems),
gamin-0.0.24-1.FC3 (many annoying bugs have
been fixed),
pcmcia-cs-3.2.7-2.2 (fix
double fclose in parse_cis()),
openssh-3.9p1-8.0.1 (change default ssh client
configuration so the trusted X11 forwarding is enabled).
Mandrakelinux has new KDE packages that fix various bugs.
Trustix has bug fixes available for
cyrus-imapd, kernel, kudzu, php, postfix,
and squid. There are some additional packaging fixes for
postfix.
Newsletters and articles of interest
Dru Lavigne presents a few tips and tricks for FreeBSD on O'ReillyNet. "At
least once a year, I like to comb through the files on my FreeBSD system to
see if there are any new docs, scripts, or manpages that I've missed. I
started my search in /usr/share/examples, and the first thing that caught
my eye was a subdirectory called BSD_daemon:"
Government Computer News reports that Novell's SUSE Linux Enterprise Server
9 running on IBM eServers has been awarded Level 4 Common Criteria
certification. "The certification should put Novell and IBM "on top of the
list when it comes to projects the government wants to do," said Novell CEO
Jack Messman at the LinuxWorld Conference and Expo, held this week in
Boston."
Distribution reviews
Here's a brief look at Arch Linux, on NewsForge. "The philosophy of Arch is
to let people have as much control over their system as possible. Nothing
is on unless you turn it on. This means that a base install of Arch is very
fast. On top of that the boot scripts are very simple, making them easy to
edit. The philosophy is evident in Arch's hardware detection tool, hwd. The
tool gives information that lets users set up their computers manually, but
does not change the system configuration."
Information Week has a quick review of Red Hat Enterprise Linux 4. "RHEL 4
uses the Ext3 file system and has added enhancements surrounding file
access and synchronization. Also included in this release is LVM2 (Logical
Volume Manager 2), which lets you manipulate files systems. I tested this
feature using the CLI (command-line interface) and found it effective and
easy to use. For example, I used lvreduce within LVM2 to decrease the size
of LogVol01 from 1.94 GB to 1.84 GB with a single command. Next, I used
lvextend to bring it back to its original size."
Linux Times.Net reviews Vidalinux version 1.1. "Vidalinux is a Gentoo based
desktop OS from our friends in Puerto Rico. In this article, I will review
Vidalinux 1.1 with a special comparison to Gentoo. Vidalinux isn't all that
old: version 1.0 was released in August 2004. This original release was
followed up by 1.1 late 2004 (Christmas Day actually). I spoke with
Vidalinux developers and they were more than happy to provide me with a
copy of the Premium Edition."
Page editor: Rebecca Sobol
Development
February 23, 2005
This article was contributed by Frank Pohlmann
Late 19th century paintings of croquet-playing ladies are a somewhat unusual visual advertisement for a multi-user software design environment. But if we were to express
OpenCroquet's qualities in a few words, it would be
"a true collaborative internet-enabled three dimensional
design environment".
And the collaboration should be as smooth and unhurried as a game of,
well, croquet.
OpenCroquet is planned to become such an environment. Based on Squeak, a
Smalltalk-80-based multimedia design studio, it continues the Xerox-PARC
tradition of building software environments that enhance the human ability
to think while avoiding machine-based constraints. Squeak and OpenCroquet
are led by some of the original Xerox-PARC crew, first and foremost Alan
Kay.
Although OpenCroquet is billed as an extension of the more mature Squeak
environment - Squeak reached version 3.7 in December - OpenCroquet is far
more than a plug-in or a software module. The currently downloadable
version has the rather dispiriting version number 0.1; for the moment it
relies on Squeak 3.6, not 3.7, and the OpenCroquet installation installs
its own Squeak environment.
Also known as the
"Jasmine" release,
it is accompanied by the usual health warnings, but anyone with a smattering of Smalltalk or
Slang
and a broadband connection would find it easy to muck around with the
code and run most of the environment without too many problems.
Squeak is a fully object-oriented programming and authoring environment,
and anyone familiar with it will find many of the graphical primitives and some of the GUI features available under OpenCroquet.
Squeak permits both scripted and purely GUI-led creation of new objects.
Changes to the runtime environment during object creation will not interrupt the underlying Squeak virtual machine. This is mostly due to the storage allocation algorithm and the realtime garbage collector working within the VM.
OpenCroquet does not only take advantage of Squeak; it is the result of a
comprehensive re-architecting of the very idea of internet-enabled
collaborative environments. Web interfaces and classic IP-based protocols
allow for some collaboration, but collaborative interfaces are usually
document-based, or rely too much on analogues to phone messaging.
OpenCroquet is emphatically 3-dimensional, and it employs peer-to-peer
networking that is not compromised by the existence of a central server to
simplify the updating of object hierarchies. It is also uncompromisingly
object-oriented, taking messages between objects as the main communication
and update mechanism. Smalltalk and some operating systems have taken this
approach very seriously, but in a 3-D environment where the very interface
is just another object whose behaviours can be changed by programmers at
any time, the very size and content of messages broadcast from object to
object carry substantial implications.
All objects are accessible to other users and all users participating in a particular shared space can modify all objects present in that shared space.
All objects are replicated across the shared space, thereby making it simple for all users to work in the same interactive 3-D space.
Objects are always versioned, something that is achieved by embedding a timebase in the communication protocol used by OpenCroquet.
TeaTime
The central ideas behind OpenCroquet object communication are contained within its multi-user communication architecture, also known as
TeaTime.
What is important here is the fact that it isn't just data that are replicated across the OpenCroquet system, but also computations.
This is why synchronization protocols are extremely important.
OpenCroquet needs to complete all visible (and audible) I/O-based effects before all messages are communicated to all collaborating objects within the shared space. For instance, all screens show identical interfaces, even though the perspectives might be different. How the computations are executed is entirely the responsibility of the individual object. How the computations propagate to every instance is due to the protocol being used. But it isn't usually a problem to propagate the messages to replicated objects, since they are likely to encounter an object state identical to the one the previous object was in before the computation was initiated.
But the object state update happens in two stages, not one. First, the behaviors of all objects participating in an event or action are computed, and all objects have to wait for the computations to end by a certain deadline. Then all behaviors are committed atomically. This point is re-iterated in the excellent documentation available on the OpenCroquet website and it should be taken into account when new OpenCroquet applications are coded.
If the object behaviors (or methods, to stay in OO terminology) do not meet the deadline, all calculations executed by objects resident in the shared space are stopped and discarded.
There is another benefit to the historical data kept by the object. Distributed 3D environments suffer from risks caused by possible network disruptions or unpredictable user behavior. This might lead to objects or users being cut off from the shared space. The historical data are supposed to enable individual objects to recover from disruptions to the environment. This can be due to a number of factors; given that software and hardware underlying any OpenCroquet shared space is likely to be heterogeneous and that networks can be volatile, distributed object protocols have to have recovery mechanisms built in.
Any 3D distributed programming environment has to be easily intelligible to non-graphics programmers.
3D designers using tools like
Blender
should be comfortable creating collaborative objects for, say, electronic learning environments. OpenCroquet components are collected in the so-called Teapot suite; they provide access to the OpenGL rendering engine, event handlers and simulation objects that are part of the TeaTime architecture.
The graphics methods provide the user interface elements; since we are talking about a 3D environment, all rendering behavior that is included in a rendering frame has to include far more information than other user interfaces would usually require, including the user's and the object's position within the shared 3D space. The so-called Tframe class gives complete access to the OpenGL
library.
Events are communicated by something that is analogous to a user camera ("TuserCamera"), while objects are tracked via a 3D analogue of a mouse pointer. Keystrokes can be mapped onto both 3D objects and embedded
2D objects. The graphics engine has been implemented in Squeak, which is somewhat surprising given the typical graphics programmer's predilection for C and C++. Its speed is not impaired by this choice in any way.
Simulations manage fairly complex behaviors, and are coded separately to avoid imposing too much rendering overhead.
The outcome of methods is calculated continuously;
once an individual calculation is completed, a message is sent to be received by the object at some time in the future.
This may sound like time travel, but is just good policy to avoid the
constant rendering overhead enforced by recalculating present object state by referring to past object history.
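The two-stage update (compute by a deadline, then commit atomically or
discard everything) and the scheduling of messages for delivery at a future
time can be seen in a toy simulation. The following is an added example
written for this article; it is the editor's own simplification of the ideas
described above, not OpenCroquet or TeaTime code. Two replicas of one object
receive the same timestamped messages in the same order; the per-replica
compute cost, the deadline and the names Replica, TeaTimeModel and demo are
all constructed for the illustration.

```python
"""Toy model of replicated, deadline-bounded two-phase updates with
future-scheduled messages. Added example, not OpenCroquet's own code."""
import heapq


class Replica:
    """One copy of a replicated object; holds committed state plus history."""

    def __init__(self, name):
        self.name = name
        self.x = 0                 # committed value
        self.history = []          # (logical time, value) after each commit
        self.staged = None         # phase-1 result not yet committed

    def compute(self, message, cost):
        """Phase 1: run the method against committed state; return the time it took."""
        method, arg = message
        if method == "add":
            self.staged = self.x + arg
        elif method == "set":
            self.staged = arg
        else:
            raise ValueError(method)
        return cost

    def commit(self, time):
        """Phase 2: the staged result becomes the real state."""
        self.x = self.staged
        self.history.append((time, self.x))
        self.staged = None

    def discard(self):
        self.staged = None

    def snapshot(self):
        return (self.x, tuple(self.history))


class TeaTimeModel:
    def __init__(self, replicas, deadline):
        self.replicas = replicas
        self.deadline = deadline   # maximum compute time allowed per step
        self.queue = []            # (deliver_at, seq, message, cost_by_replica)
        self.seq = 0               # tie-breaker keeps delivery order total
        self.now = 0

    def send(self, message, cost_by_replica, delay=0):
        """Queue a message for delivery at now + delay (delay 0 = as soon as possible)."""
        heapq.heappush(self.queue,
                       (self.now + delay, self.seq, message, cost_by_replica))
        self.seq += 1

    def step(self):
        """Deliver the next message to every replica in the same order."""
        deliver_at, _, message, cost = heapq.heappop(self.queue)
        self.now = deliver_at
        # Phase 1: every replica computes; hosts are heterogeneous, so each
        # has its own (constructed) cost for the same method.
        times = [r.compute(message, cost[r.name]) for r in self.replicas]
        if max(times) <= self.deadline:
            for r in self.replicas:          # phase 2: commit everywhere
                r.commit(self.now)
            return "committed"
        for r in self.replicas:              # one straggler: discard everywhere
            r.discard()
        return "discarded"


def demo():
    """Constructed run: one fast step, one that misses the deadline, one future message."""
    a, b = Replica("a"), Replica("b")
    model = TeaTimeModel([a, b], deadline=10)
    model.send(("add", 5), {"a": 3, "b": 4})             # both finish in time
    model.send(("set", 99), {"a": 2, "b": 12})           # b misses the deadline
    model.send(("add", 1), {"a": 1, "b": 1}, delay=7)    # delivered at t = 7
    outcomes = [model.step() for _ in range(3)]
    return outcomes, a.snapshot(), b.snapshot()


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the discarded step leaves no trace on
either replica, so both copies end with the same value and the same
timestamped history even though one host was slower than the other.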
3D collaborative environments tend to have fairly straightforward applications, from collaborative engineering projects to multi-user
learning environments that go beyond grading and the use of spreadsheets. Of course, previous 2D interfaces are not completely ignored; Mozilla runs quite happily inside OpenCroquet. But as soon as object libraries and networking bandwidth are available, a wide variety of
new uses can be implemented.
System Applications
Audio Projects
The
latest changes from the
Planet CCRMA audio utility packaging project include
new versions of Audacity, amSynth, and XMMS Jack.
Database Software
Version 0.7.3-test2 of the knoda database frontend is available; here is
the change information: "The scripting API improved a lot. Handling the
tab-order in forms works also for subforms, a runtime version of knoda
(knoda-rt) has been added, the performance is better and many bugs are
fixed."
Version 7.6 beta of the MaxDB database has been announced. "This release is
a beta version, preparing for the production version release, which will
take place in Q2 2005."
The February 19, 2005 edition of the PostgreSQL Weekly News
is out with the week's PostgreSQL database news and resources.
The PostgreSQL database developers have announced phpPgAdmin 3.5.2 with bug
fixes (mostly for the Windows version) and PGCluster-1.3.0, "a Synchronous
Multi-Master replication system for PostgreSQL 8".
Interoperability
A set of Samba Roadmap Slides are available from samba.org in pdf format.
"Samba Team member and 3.0.x release manager Gerald "Jerry" Carter gave a
talk on "The State of Samba" at LinuxWorld Boston this week. The talk serves
as an overview of recent activity on Samba, as well as an overview of where
Samba is headed. The slides from the talk are available online and serve as
an excellent guide to the planned roadmaps for both Samba 3.0 and Samba4."
Networking Tools
Version 0.2.2 of xprobe2 is out with several new features. "Xprobe2 is a
remote active operating system fingerprinting tool which uses advanced
techniques, some of which were first introduced with Xprobe2, such as the
usage of statistical analysis ('fuzzy logic') to match between probe
response(s) to its signature database and others, in order to provide
accurate results regarding the underlying operating system of a probed
element(s)."
Package Management
Ethan McCallum automates Linux package management on O'Reilly. "My two
previous articles explained how to use Kickstart to automate OS installs
and upgrades. This article demonstrates some techniques for the third piece
of the system maintenance cycle: keeping your machines up to date."
Printing
Version 8.15 rc 2 of ESP Ghostscript has been announced. "ESP Ghostscript
8.15rc2 is the second release candidate based on GPL Ghostscript 8.15 and
includes an enhanced configure script, the CUPS raster driver, many GPL
drivers, support for dynamically loaded drivers (currently implemented for
the X11 driver), and several GPL Ghostscript bug fixes. The new release
also fixes all of the reported STRs from ESP Ghostscript 7.07.x."
Web Site Development
Version 0.5.0 of Leonardo, a Python-based blog/wiki/CMS package,
has been announced. Bug fixes and new features are included.
Version 3.2.31 of
mnoGoSearch,
a web site search engine, is out with bug fixes.
See the
change history
document for details.
Version 2.0.12 of phpBB, a cross-platform open-source bulletin board
system, is out. "This release addresses a couple of potential exploits and
fixes a number of issues involving path disclosures, etc. It also
introduces a new ACP based version check (language package maintainers
please note the additional localisation required for this)."
Full Story (comments: none)
Version 1.2 of the Silva content management system has been released.
"This release contains three major new features: expanded version management for XML documents, subscription functionality for all versioned content, and an internationalized Silva user interface, including Dutch and German translations. Infrae is actively seeking volunteers to translate Silva into other languages."
Full Story (comments: none)
Version 0.3.6 of UnCommon Web, a web application development framework written in Common Lisp, is out.
"This version adds an HTML FORM component collection, a new component dependency protocol, new components, improved documentation, improved support for the Allegroserve and mod_lisp backends, a new Araneida backend, and more."
Full Story (comments: none)
Miscellaneous
Version 2.0 of the Ganymede metadirectory system is in progress.
"We don't have a release date yet, but right now we believe that we've hit most of the technical goals we are targeting with the 2.0 release, and we're primarily lagging in documentation and some external support code infrastructure that will be required to make the most of some of the new features.
I just wanted to let folks know that the project is alive, that we are working on it, and that we are very excited about the changes we have in store for the next release."
Full Story (comments: 1)
Desktop Applications
Audio Applications
Version 0.9 beta 25 of Ardour, a multi-track audio recorder, is out. The project status page lists the changes:
"Major changes to crossfades and disk buffer handling (among other fixes) require another unplanned beta."
Comments (none posted)
Desktop Environments
The latest stable release of the GNOME Desktop and developer platform,
version 2.8.3 is now available. This is the third and last maintenance
release of the stable 2.8.x series of GNOME and it contains a huge amount
of bugfixes and other improvements. Click below for a detailed list of
changes.
Full Story (comments: none)
GnomeDesktop mentions a new blog entry from Seth Nickell on the Sabayon project.
"So what about sysadmins? Sabayon is GNOME's first major design targeted at improving the user experience for people who administer GNOME systems, and hopefully the start of an initiative toward designing for this important group of users."
Comments (none posted)
The following new GNOME software has been announced this week:
Comments (none posted)
The following new KDE software has been announced this week:
Comments (none posted)
The February 18, 2005 edition of the KDE CVS-Digest is online; here's the content summary:
"In this week's KDE CVS-Digest (all on one page): Kttsd adds support for Italian Festival voices. Umbrello improves import from ArtisanSW, Visio, ArgoUML, Fujaba and NSUML. KSpread has a new insert calendar plugin. Konqueror loses its Cut/Copy/Paste buttons. KDE begins move to Subversion and discusses future roadmap."
Comments (none posted)
Philip Rodrigues writes about the KDE bug reporting system.
"With bug number 100,000 reported, the hard-working KDE bug tracking system reached a milestone today. However, not everyone knows what goes on behind the scenes and how to help. In this article, I take a short look at using the bug reporting system, and how you can help KDE improve."
Comments (none posted)
Electronics
The latest releases from the gEDA project include new versions of Confluence, a language for synchronous reactive system design, and Icarus Verilog, an electronic simulation language compiler.
Comments (none posted)
Version 1.0.1 of gerbv, a utility for viewing Gerber files used for printed circuit CAD images, is out. The announcement on the Open Collector site says:
"This time it is just a bunch of minor bugfixes. They include: * Allocating one too few strings caused very strange effects. Found and solved by Mario and primorec. * Had forgotten to initialize some GCs when drawing some aperture macro primitives."
Comments (none posted)
Financial Applications
Version 2.4.9 of SQL-Ledger, a double entry accounting system, is available. The changes include a price matrix rounding change, updated translations, and a fixed reconciliation summary.
Comments (none posted)
Graphics
KDE.News looks at the KToon project.
"KToon is a new 2D animation toolkit created by Toonka Films and now made available as a free GPL'ed option to the 2D animation industry."
Comments (none posted)
Medical Applications
LinuxMedNews covers the latest release of OpenEMR, an open-source medical billing system.
"The latest development is an object oriented application developed using Java. The new billing feature includes several enhancements over the existing HCFA entry and printing capabilities. The new software includes both the tools to create the forms, and a web interface to edit and override the system generated information."
Comments (none posted)
Music Applications
Version 5.0.1 of libDSP, a C++ library of digital signal processing
functions, is available with new optimizations, code cleanup, and
bug fixes.
Full Story (comments: none)
Video Applications
Version 0.5.1 of Dirac, a cross-platform video codec, has been announced.
"This is a minor release with several algorithmic improvements and bug fixes."
Comments (none posted)
Web Browsers
MozillaZine has announced the availability of the minutes for the February 14, 2005 mozilla.org staff meeting.
"Issues discussed include Mozilla 1.8 Beta, Mozilla Firefox 1.0.1, update.mozilla.org, the international domain name Punycode spoofing issue, the Personal Security Manager and emphasising security."
Comments (none posted)
Word Processors
Version 2.2.4 of the AbiWord word processor has been announced.
"This release is mostly a bugfix release, with some additional features."
Comments (none posted)
Miscellaneous
O'Reilly has published part one in an excerpt series on internationalization.
"Writing software that is truly multilingual is not an easy task. In this excerpt from Chapter 8 of Java Examples in a Nutshell, 3rd Edition, author David Flanagan offers programming examples for the three steps to internationalization in Java: using Unicode character encoding, handling local customs, and localizing user-visible messages."
Comments (none posted)
Languages and Tools
Caml
The February 15-22, 2005 edition of the Caml Weekly News is out
with coverage of the latest Caml language developments.
Full Story (comments: none)
The Caml Hump site lists a number of new Caml language applications including OCaml-Packrat, OCaml-CGI, Camlusb, OCaml-event, GikiWiki, Felix, Iom, and ocaml-ssl.
Comments (none posted)
Java
Amir Shevat covers scalability issues and MantaRay on O'Reilly.
"It's difficult, maybe impossible, to know up front how much or in what ways your application will need to scale. But by decoupling parts of the application, you can at least ensure that the scaling process can be kept modular. Amir Shevat shows how some sharable pieces of the MantaRay messaging system can allow your app to grow beyond one box."
Comments (none posted)
Version 1.0 of xavax has been announced.
"xavax is an XML / Java Framework to develop J2EE business applications rapidly and easily. It is based on business components defined with XML. Feature rich and flexible, since it has been used for years to create real business applications."
Comments (none posted)
Stephen B. Morris works with the Java Dynamic Management Kit to manage legacy SNMP-based equipment.
"Java Dynamic Management Kit (JDMK) is a framework for the creation of Java-based management software and legacy SNMP-based systems. It extends Java Management Extensions (JMX), which allows instrumented applications to remotely monitor resources throughout the network."
Comments (none posted)
LinuxMedNews covers a new open-source semantic cache for Java.
"University Health Network has released a beta version of 'chisel', an open-source semantic cache for Java. It was developed to cache HL7 query results in a semi-virtual EHR, but will run against any Java method that encapsulates a conjunctive query."
Comments (none posted)
Brian Goetz discusses benchmark shortcomings on IBM developerWorks.
"Software engineers are notoriously obsessed, sometimes excessively, with performance. While sometimes performance is the most important requirement in a software project, as it might be when developing protocol routing software for a high-speed switch, most of the time performance needs to be balanced against other requirements, such as functionality, reliability, maintainability, extensibility, time to market, and other business and engineering considerations. In this month's Java theory and practice, columnist Brian Goetz explores why it is so much harder to measure the performance of Java language constructs than it looks."
Comments (3 posted)
Perl
Geoff Broadwell continues his O'Reilly series on Perl for 3D visualization with part three.
"Later in this article, I'll discuss movement of the view position, continue the refactoring work by cleaning up draw_view, and begin to improve the look of our scene using OpenGL lighting and materials. Before I cover that, your feedback to the previous articles has included a couple of common requests: screenshots and help with porting issues."
Comments (none posted)
Ruby
The February 20, 2005 edition of the
Ruby Weekly News is available with the latest news and discussion
from the ruby-talk mailing list.
Comments (none posted)
Scheme
Issue #4 of the Schemer's Gazette is online with the latest
Scheme language development news.
Full Story (comments: none)
Tcl/Tk
The February 21, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk news and resources.
Full Story (comments: none)
XML
Micah Dubinko considers the issues involved in defining XML 2.0 on O'Reilly.
"How much of a clean break would a transit to XML 2.0 need? What parts should stay, and what parts should go? According to xml-dev participants, the two hot-button issues are DTDs and human readability."
Comments (none posted)
Andre Tost works with web services and SOAP headers on IBM developerWorks.
"You can define SOAP headers in a WSDL definition using what are commonly called explicit and implicit headers. Learn the difference between these two styles and how these differences might impact you when developing with JAX-RPC."
Comments (none posted)
Eric Gropp works with REST and web services to produce paper output from XML in an O'Reilly article.
"Producing paper reports is a fundamental requirement of many applications. As more systems are exposed as services, REST, XSLT, and the mighty URI can create a reporting approach that has a number of advantages over traditional, database-direct reporting engines."
Comments (none posted)
Editors
KDE.News looks at the latest release of Yzis.
"The Yzis team is glad to announce the Milestone 3 release of Yzis, the fast moving vi-compatible editor from the authors of KVim. A lot has happened since the M2 release in August 2004: many new features have been added and bugs fixed, getting us closer to the full Vim feature set."
Comments (none posted)
IDEs
Version 3.10.8 of DrPython, an IDE for the Python language, is out. The change log lists bug fixes and other improvements.
Comments (none posted)
Version Control
Tom Copeland analyzes and graphs CVS statistics on IBM developerWorks.
"StatCVS is a handy utility for creating charts of a Concurrent Versions System (CVS) repository's activity. In this article, developer Tom Copeland explains how to install and run StatCVS, gives an overview of the reports generated, then explores generating reports for multiple repositories, StatCVS internals and limitations, and more."
Comments (none posted)
Miscellaneous
Version 1.0.3 of bzip2, a file compression utility, is out.
"1.0.3 fixes some minor issues from the last version, but does not bring any new functionality."
Full Story (comments: none)
Garrett Rooney discusses backward compatibility issues on O'Reilly.
"In order to better prepare you, the average open source hacker, for dealing with this problem, I'd like to share some of the experiences we've had with backward compatibility in the Subversion project. With luck, you'll be able to apply some of the lessons we've learned to your own projects."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
NewsForge looks at Eben Moglen's plans for the Software Freedom Law Center.
"Yet behind the facts of the news release is a larger story. In helping to create the organization, Center director Eben Moglen, the framer of the GNU General Public License, is not just looking for a way to defend the FOSS communities against legal threats. Yet he is also looking beyond this potential need. By 2010, he hopes to see the SFLC become the center of a web of associations that will link FOSS projects, tech-savvy lawyers, and corporations, to everyone's mutual benefit."
Comments (2 posted)
Trade Shows and Conferences
Jeffrey Bianchine covers day one of LinuxWorld for Linux Journal.
"The exhibition hall here at LinuxWorld has two discrete sides, one dominated by the big name players and the other populated by distribution and project communities bordering businesses--some of them well known--that invested in individual booths. After a morning spent listening to suits, I spent the afternoon working this side of the exhibition hall. It is a pleasure to report that the general buzz on this side of the exhibition hall is positive. It also is encouraging that so many of the business booths here are a mix of first-time exhibitors and new businesses."
Comments (none posted)
Jeffrey Bianchine continues his Linux Journal coverage of the LinuxWorld Expo with a look at the events from day two.
"On Tuesday, Novell, IBM, Oracle and Red Hat--giants bestriding their markets--were the press area headliners. Yesterday, the press announcements were being made by considerably smaller companies, eager to make an impact. This is not a surprise, as the opening day of any event of this sort traditionally is when the major players make their big statements."
Comments (none posted)
Linux Journal wraps up its LinuxWorld coverage.
"Given that LinuxWorld Expo has such an overwhelming business tradeshow ethos, where does that leave the communities and dot orgs that fostered Linux and open source in gaining the 'moral high ground' Bruce Perens mentioned yesterday? At this show, it left them on the other side of a literal great wall."
Comments (2 posted)
The lead editor of OSDir discusses the most significant event he saw at LinuxWorld.
"Redhat's VP of open source affairs Michael Tiemann stepped up to the plate and said in not so few words, that the company messed up. It messed up big time, is sorry, and is trying to make amends. Where they messed up was abandoning their 'freebie' Redhat version two years ago to focus exclusively on their enterprise 'pay up big time' version."
Comments (none posted)
This NewsForge article covers the Celebrity Challenge at LinuxWorld.
"The game was not unfamiliar to me: Unreal Tournament 2004, which was released last spring and works wonderfully on GNU/Linux, Windows, and Mac OS X. Although I missed my home setup -- the 64-bit edition of UT2004 running over 64-bit Gentoo on my Athlon 64 system -- all the players were on a level playing field, as we were all equally disadvantaged. But the stakes were high and dozens of people were watching us prove that GNU/Linux is not just for servers and workstations."
Comments (none posted)
Linux Journal covers the third Southern California Linux Exposition (SCALE 3X).
"Track A was oriented to the experienced Linux user, covering the most technically sophisticated topics, including the kernel, embedded issues and remastering Knoppix. Tracks B and C were somewhat less technically oriented and included talks about application development and availability, a variety of implementation issues and relevant social issues. Track D was oriented to the Linux beginner and included tutorials on such topics as distributions, networking, content management and Samba. The VoIP panel discussion that closed the conference tracks was well attended and included a spirited Q & A session."
Comments (none posted)
News.com reports from FUDCon.
"The problem came in recent years when Red Hat threw its energies into a stable product called Red Hat Enterprise Linux. RHEL let the company grow from a small market of technically savvy customers to the large market of mainstream customers. But in the process, Red Hat left those 'early adopters' behind, said Michael Tiemann, vice president of open-source affairs."
Comments (9 posted)
Information Week reports from LinuxWorld.
"As Linux matures, some key differences are emerging between the market's primary suppliers: Novell and Red Hat. As Novell chairman and CEO Jack Messman pointed out last week during a LinuxWorld press conference, his company's similarity to Red Hat begins and ends with the basic Linux kernel."
Comments (10 posted)
The SCO Problem
The Salt Lake Tribune notes that the SCO Group is far behind on the filing of its annual report with the SEC.
"And SCO's missed deadlines did not go unnoticed in Manhattan, where Nasdaq officials confirmed they likely will consider actions that could lead to delisting the company's stock."
Comments (2 posted)
Groklaw follows IBM's latest move in the SCO case: the company will provide the AIX and Dynix code.
"Sometimes it's easier to comply with an order than to argue about it, if it's not essential. We now see, by the decision IBM made about what to make an issue of, that IBM doesn't believe that SCO will find a thing in that code, onerous as the task is for IBM to produce it."
Comments (none posted)
Companies
News.com reports that IBM will invest $100 million in support of Linux desktop applications.
"IBM said the decision stemmed from the increasing popularity of Linux among its customers. According to the company, the number of customers opting for the Linux platform for applications such as WebSphere Portal, instant messaging and Web-based document sharing saw high double-digit growth in 2004."
Comments (17 posted)
The Register reports that Sun has laid off some of its operating system staff.
"Sources have informed The Register that a larger number of staffers in Sun's operating platforms group have been shown the door. Many of these workers had been cranking away on new versions of Solaris and the Java Desktop System - Sun's version of Linux. With that work mostly completed, the staffers became expendable to Sun. This looks like the tail-end of a long round of layoffs, which started last year and claimed more than 3,000 jobs."
Comments (4 posted)
Legal
The Register reports that Lexmark has lost its DMCA case against Static Control Components yet again.
"Barring the intervention of the US Supreme Court, Lexmark's hopes of using the DMCA against Static Control Components have been dashed."
Comments (15 posted)
News.com covers the broadcast flag hearing in U.S. Federal appeals court.
"'You're out there in the whole world, regulating. Are washing machines next?' asked Judge Harry Edwards." This issue is relevant because the broadcast flag will make it difficult to create free digital TV systems.
Comments (none posted)
Interviews
KDE.News has an interview with Simon Edwards, part of the FOSDEM 2005 series.
"Simon Edwards will be talking about KDE application development using Python in the FOSDEM KDE Developer's Room. In the interview below he talks about the advantages of Python, how it compares to other languages and whether KDE should be rewritten in Python."
Comments (none posted)
The last set of interviews with speakers at the Free and Open Source Developers' European Meeting (Brussels, February 26 and 27) has been posted. These are: Stuart Winter (Slackware), Ethan Galstad (Nagios), Marius Mauch (Gentoo), Gerald Combs (Ethereal), Olle Mulmo (Globus), Jimmy "Jimbo" Wales (Wikipedia), and kernel hacker Alan Cox.
Comments (none posted)
LugRadio has a new interview with Miguel de Icaza in Ogg format.
"The latest episode of LugRadio is Monobrow (season 2, episode 9)! Interview with Miguel de Icaza, letters, why your kernel needs compiling, and much, much more!
LugRadio now fully supports podcasting! You too can now get LugRadio on the move!"
(found on GnomeDesktop.)
Comments (5 posted)
NewsForge interviews several open-source project leaders to discuss project management issues.
"Leaders from three separate but related -- and incredibly successful -- free/open source projects agree: If you want the project to move to the next level, let go and let the community take over. We asked Larry Wall, creator of Perl; Brian Behlendorf, the Apache Project leader; and Linus Torvalds, creator of Linux, for their thoughts on why this happens and how they and their projects have fared as a result."
Comments (none posted)
Resources
KDE.News mentions a new article by Chris Howells on KWifiManager.
"It introduces KWifiManager, tells you how to find and connect to wireless networks and how to use it for monitoring your wireless connection." The article is available as a PDF file.
Comments (none posted)
The Linux Journal OpenOffice.org article series continues with this look at cross referencing.
"Frankly, cross-references are a disappointment in OpenOffice.org Writer. Several posters to the OpenOffice.org mailing lists have referred to them as glorified bookmarks, and they're not far off. Compared to other software designed for writing long documents, Writer's cross-referencing tools are lacking."
Comments (none posted)
Reviews
ZDNet takes a look at IBM's new Chiphopper.
"Chiphopper -- a package of free technologies and services that IBM released at LinuxWorld -- is exactly what it says it is. It takes the expertise that went into making Red Hat and SuSE's distributions of Linux portable to IBM's mainframe (z Series) and Unix servers (p Series) and bottles it up into a turnkey porting tool that commercial software developers can use to painlessly port their apps from the x86 version of Linux to IBM's big iron systems (thus 'hopping chips')."
Comments (1 posted)
Linux Times.Net takes a look at some of the lighter weight window managers.
"One of the most popular window managers is the very simple Fluxbox, derived from the even more basic Blackbox. The developers of Fluxbox have added handy features such as window tabs, key bindings, KDE and partial Gnome support."
Comments (7 posted)
NewsForge has a review of GnomeMeeting.
"GnomeMeeting is now at the 1.2 release, and is available in distribution-specific binaries for Debian, Fedora Core 2, Slackware, Mandrake, and SUSE. The source code is available as well, if your distro isn't included in that list."
Comments (7 posted)
OS News reviews KDE 3.4 beta 2.
"It seems that KDE is becoming much more concerned with look and feel of late, which I think is a very good thing. I believe KDE is a first-rate desktop environment, and to stay that way, it needs to be aesthetically appealing. Along those lines, some new eyecandy has been added."
Comments (none posted)
KDE.News looks at Amarok 1.2, a media player for KDE with new Audioscrobbler capabilities.
"Audioscrobbler allows users to share music tastes with friends on the Internet, making use of automatically submitted song statistics. amaroK goes a step further than other media players and allows users to receive music recommendations from the site."
Comments (none posted)
NewsForge introduces OmegaT, a free translation system.
"Before you begin exploring OmegaT yourself, you should understand how it, or any CAT tool, works. OmegaT is a so-called translation memory application; that is, it doesn't translate texts for you. Instead, it stores pieces of text (called 'segments') and their corresponding translations in a file called 'translation memory.'"
Comments (none posted)
Miscellaneous
NewsForge reports on the first Italian Open Source Contest.
"Any software project could participate, as long as it was original (no localizations), available under an OSI certified license and counted, as of January 1, 2004, at least one Italian citizen in the development team. There were six categories, each with a first prize of €1,500. The first four were Most Innovative Software, Best User Interaction, Best Community, and Multimedia. Security, Networking, and Communication constituted another single class, while Business Software included database, office, and system integration tools."
Comments (none posted)
Time for another strange Dvorak article in PC Magazine. This one concerns a sure-fire Microsoft plan to kill Linux.
"That means tearing away the entire top of Linux from the driver layer -- and that would be MS-Linux. Users who needed to add the driver layers would be offered the standard Linux driver package, which would be attached with a utility program. The utility would sew the drivers back into Linux, resulting in an OS that would be more or less the same as everyone else's.
Or the user could pay for the Windows drivers and attach those to MS-Linux, resulting in an OS that had the PnP benefits of Windows."
Comments (28 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
A large group of prominent free software and related personalities (Perens, Stallman, Lessig, O'Reilly, Moglen, Kapor, van Rossum, Raymond, Behlendorf, etc.) has signed a letter calling for resistance to the patent-friendly policy adopted by OASIS, a consortium for electronic business standards.
"We ask you to stand with us in opposition to the OASIS patent policy. Do not implement OASIS standards that aren't open. Demand that OASIS revise its policies. If you are an OASIS member, do not participate in any working group that allows encumbered standards that cannot be implemented in open source and free software." Click below for the full text.
Full Story (comments: 12)
The NoSoftwarePatents site reports that the German Bundestag has voted unanimously in favor of a restart of the patent directive process in Europe. An English translation of the resolution is available in PDF format.
Comments (1 posted)
The EFF has put out an advisory on some of the worst terms often found in software end user license agreements.
"Many people treat EULAs with the same reverence they do the tags on mattresses that say, 'Do not remove this tag under penalty of law.' They scoff at the idea that anyone could enforce such a bizarre rule. Increasingly, however, we are seeing consumers and software developers threatened with lawsuits for engaging in the digital equivalent of ripping tags off a mattress."
Comments (15 posted)
The UK Association for Free Software has announced the availability of new grants.
"A new grants fund is available to free software projects in the UK from money raised by the UK Free Software Network (UKFSN), the free software Internet Service Provider set up by Jason Clifford in 2003, and donations to UK's Association for Free Software (AFFS), a national membership organisation for supporters of free software.
The total amount available in the first round is 1,500 GBP."
Full Story (comments: none)
Commercial announcements
Arabella Software has announced that it will offer Linux support and a
free Linux reference design for the Embedded Planet EP885 and EP8248
processor boards.
Full Story (comments: none)
The Go Daddy Group, Inc. has announced that it will issue its Turbo SSL Certificate to bona-fide open source software projects at no cost.
"The Turbo SSL certificates which Go Daddy will issue to open source projects -- a $29.95 value -- are issued within minutes, have 99% browser recognition, and provide 128-bit Web server security -- the highest level of encryption available on the market today."
Comments (9 posted)
IBM has announced the opening of new development centers.
"IBM today announced it will open more than a dozen new development centers in China, Brazil and Russia in an effort to accelerate innovation around the adoption of open standards based solutions in emerging markets."
Comments (none posted)
Mandrakesoft has announced its first quarter results for the period of October-December, 2004. Here are the numbers:
"A consolidated revenue of 1.44MEUR (1.88MUSD), an operating income of 0.31MEUR (0.41MUSD) and a net income of 1.03MEUR (1.35MUSD)."
Full Story (comments: none)
New Mexico Software, Inc. has announced a partnership with NextDay Network.
"Dick Govatski, CEO of New Mexico Software, said, 'NextDay Network is a major national retailer of software products that makes innovative use of online Internet marketing and distribution tools. We are delighted that they will be selling our products.'"
Comments (none posted)
Software developers at the University of Michigan have received backing
from PolyServe, Inc. to help create an industry-standard implementation of
Network File System Version 4 (NFSv4) for Linux.
Full Story (comments: none)
Novell has announced its first quarter results.
"During the first fiscal quarter 2005, Novell recognized revenue of $15 million associated with its SUSE LINUX business, including $7 million of recognized revenue from subscriptions to SUSE LINUX Enterprise Server. Sales of subscriptions to SUSE LINUX Enterprise Server totaled 21,000 units in the quarter."
Comments (3 posted)
The SCO Group has put out a press release informing the world that it is being kicked out of the NASDAQ market for failure to comply with the reporting requirements. SCO is appealing the decision.
"The Company has been unable to file its Form 10-K for the fiscal year ended October 31, 2004 because it continues to examine certain matters related to the issuance of shares of the Company's common stock pursuant to its equity compensation plans. The Company is working to resolve these matters as soon as possible and expects to file its Form 10-K upon completion of its analysis."
Comments (11 posted)
VA Linux Systems Japan K.K. has issued a manifesto that clarifies the company's stance on open-source software and its relation to the community.
"This manifesto, entitled 'VA Linux: Statement of Our Commitments on Open Source Software', states how the company views Open Source and how it is going to take part in it."
Full Story (comments: none)
Here are the LinuxWorld announcements for Thursday, February 17, 2005:
- ActiveState Komodo 3.1 has won a LinuxWorld Product Excellence Award.
- Akibia has expanded their portfolio of Linux services.
- Chadwick Martin Bailey and InfoWorld Media Group have announced an updated version of the Linux Vendor Brand Positioning Survey results.
- DataSynapse has achieved Novell's YES certification for its GridServer software.
- Fujitsu has announced support for Red Hat Enterprise Linux 4 on its PRIMERGY servers.
- Lionbridge has announced that its VeriTest division has been YES Certified by Novell.
- MBX and Emu are partnering to deliver Linux-based servers.
- Novell has won some product excellence awards for its security and management solutions.
- Parasoft has released Insure++ 7.0 for Novell/SUSE Linux ES 9.
- Veritas teams with IBM and Avnet to deliver solution bundles.
- Voltaire is integrating Xen server virtualization software in its InfiniBand interconnect system.
- Win4Lin has announced Win4Lin Pro, which allows Windows applications to run on Linux.
- The Xandros Open Circulation Edition has been announced.
Comments (none posted)
Resources
A new article on LADSPA plugins is available on linuxaudio.org.
"A new PDF article on the work of Steve Harris is now available, covering in particular LADSPA plugins and Jamin."
Full Story (comments: none)
The February 23, 2005 edition of the Linux Documentation Project Weekly News is online with lots of new documentation releases.
Full Story (comments: none)
Contests and Awards
KDE.News has announced the winner of the KDE-Look T-Shirt Contest.
"The community has spoken and the winner of the First Annual KDE-Look T-Shirt Contest with 24 out of 81 votes is Nenad Grujicic with his entry Green."
Comments (none posted)
LWN readers have, doubtless, been sitting on the edge of their chairs
waiting to hear who would be the winner of the OOo splash screen
competition. The envelope has been opened, and the victor is Brendan
Whelan; his entry can be seen
over here,
along with an interview.
Full Story (comments: 12)
Upcoming Events
The FOSDEM organization has offered the developers of various projects
around GNU Classpath the opportunity to meet face to face in their own
developer room. A schedule is available via the link below.
Full Story (comments: none)
MozillaZine
announces the Mozilla project coverage at FOSDEM 2005.
"Talks will cover
topics such as Mozilla Europe, Mozilla 2.0, XulRunner, Bugzilla, Camino and
localisation. Speakers include Axel Hecht, Gervase Markham, Hisham El-Emam,
Robert Kaiser, Ludovic Hirlimann and Tristan Nitot."
Comments (none posted)
GnomeDesktop has
the announcement
for GUADEC-es 2005.
"The second edition of the GUADEC-es (International conference for Spanish speaking GNOME users and developers) will be held this year in A Corunha (Galicia, north-west of Spain), on 19-21 May. The conference, organized by the Gnome Hispano association, was placed strategically close in time to the VI Guadec in Stuttgart, trying to make it easy for Spanish speaking people coming from outside Europe to attend both events."
Comments (none posted)
The LPA has announced its next AGM gathering.
"The Linux Professionals' Association (LPA) will be having its AGM on
Friday 4 March 2005. The LPA is a South African organisation which has
traditionally championed OSS, specifically in the business sphere.
Formed in 1996 by what was then the majority of Linux/OSS based
businesses in Johannesburg, the Association has come a long way."
Full Story (comments: none)
March 10 has been declared
Python Meetup Day.
"7:00pm on the second Thursday of each month is the default time for Python meetup groups all over the world. That's March 10 for next month. I suppose it's supposed to make you feel warm and fuzzy, knowing that there are little groups of true believers congregating at the same time, all over the world."
Comments (none posted)
| Date | Event | Location |
| February 24 - 25, 2005 | UKUUG LISA/Winter Conference | Birmingham, UK |
| February 25, 2005 | Dutch Perl Workshop | Amsterdam, the Netherlands |
| February 26 - 27, 2005 | Free and Open Source Developers' European Meeting (FOSDEM 2005) | Brussels, Belgium |
| February 28 - March 3, 2005 | EclipseCon 2005 | Hyatt Regency, Burlingame, CA |
| February 28 - March 1, 2005 | Asia Debian Mini-Conf 2005 | Beijing, China |
| March 1 - 2, 2005 | JBoss World 2005 User Conference | Omni/CNN Center, Atlanta, GA |
| March 2 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland |
| March 2 - 3, 2005 | Asia CodeFest 2005 | Beijing, China |
| March 2 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China |
| March 2 - 4, 2005 | The Free and Open Source Software Workshop | Al Assad National Library, Damascus, Syria |
| March 4, 2005 | LPA AGM | Rivonia Sandton, South Africa |
| March 4 - 5, 2005 | Linuxforum 2005 | Copenhagen, Denmark |
| March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany |
| March 12, 2005 | Gentoo UK 2005 | University of Salford, Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) | Westin Horton Plaza, San Diego, CA |
| March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 | Hotel Borobudur, Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop | Caribe Royale All Suites Resort & Convention Center, Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 | GWU Cafritz Conference Center, Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec | Crowne Plaza Hotel, Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |
| April 5 - 6, 2005 | Open Source Business Conference (OSBC) | Westin St. Francis, San Francisco, CA |
| April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore |
| April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA |
| April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 | Westin Hotel, Seattle, WA |
| April 18 - 23, 2005 | Linux.Conf.Au 2005 | Australian National University, Canberra, Australia |
| April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 | Santa Clara Convention Center, Santa Clara, CA |
| April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 | Metro Toronto Convention Centre, Toronto, ON |
| April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia |
| April 19 - 20, 2005 | San Francisco techCongress | Rickey's Hyatt, Palo Alto, CA |
| April 20 - 23, 2005 | ACCU Conference 2005 | Randolph Hotel, Oxford, England |
| April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) | Center for Art and Media (ZKM), Karlsruhe, Germany |
Comments (none posted)
Web sites
TuxScout is a new job site dedicated to
the Linux and Open Source community. Besides a fully featured search
engine for both job seekers and employers, the site offers a forum section
for discussing job hunting issues and a resources section with articles on resume
writing, interviewing, and more.
Full Story (comments: none)
Page editor: Forrest Cook
Letters to the editor
| From: |
| Sitaram Chamarty <sitaramc-AT-gmail.com> |
| To: |
| mattcmp-AT-sonic.net |
| Subject: |
| Common sense takes a holiday: buying the Enderle FUD |
| Date: |
| Wed, 23 Feb 2005 17:47:16 +0530 |
| Cc: |
| letters-AT-lwn.net, trichardson-AT-theregister.co.uk |
Dear Mr McKenzie,
I obtained your email address from http://www.linuxpipeline.com/contact.jhtml
I write with reference to an article by Rob Enderle, at
http://www.linuxpipeline.com/60401613 , titled "Reality Takes A
Holiday: Buying The Firefox Hype".
In the interests of brevity I will not go into Mr Enderle's past
record at objective analysis of open source issues, (who can forget
his role in getting SCO and BayStar together and his speech at SCO
Forum, among many other highlights). I will, therefore, restrict
myself to commenting on the points he had made in this article.
Yes, Firefox is at version 1.0. However, what Mr Enderle will not
acknowledge, even though I'm sure he knows, is that 1.0 in the open
source world means it has already been through a huge amount of
testing already. Open source does not have the commercial pressures
of getting something out the door by a certain date, so when an open
source project says "1.0", it means "quite ready for public
consumption, thank you very much".
Automatic patch delivery is certainly important, and in theory
Microsoft has it. However, does Mr Enderle know of any large
organisation that allows auto-updates for all their machines, without
some internal testing to make sure the patch does not mess up critical
applications? So why is this an issue?
Ben Goodger moving to Google is no more significant than Linus
Torvalds working for Transmeta for many years. Linux did not stop
dead while he was working for Transmeta, and neither will Firefox just
because Ben Goodger is at Google. Even if that were to happen, the
beauty of the open source world is that there are others who can step
in if needed.
I have no idea how he can say Firefox breaks on banking and e-commerce
sites. The only app for which I still need to borrow someone's
Windows machine to use IE is, sadly, an inhouse application.
[Naturally, I cannot tell you who I work for :-)] It is well known
that corporate applications are able to get away with more stringent
demands on users ("you must have IE to use our intranet portal") while
banks and other sites meant to be accessed by the general public need
to be more careful.
Anyway, you get the drift. I'll stop here. I'm sure you'll hear from
others about this.
With best wishes,
Sitaram Chamarty
--
sitaramc@gmail.com
Comments (9 posted)
Page editor: Jonathan Corbet