Back in April, 2003, the Mozilla Project stirred things up by announcing
a set of changes to its development model and
roadmap. Rather than continue to develop one huge suite which did
everything, the project would shift its efforts to the creation of smaller,
standalone applications. In particular, future development would go into
the browser then known as Phoenix, and the mail client called, at that
time, Minotaur. The full Mozilla suite was expected to fade away.
Over time, as the project continued to make new Mozilla releases, it seemed
that the suite might stay around for some time after all. The project made
several Mozilla 1.8 alpha releases, and one beta, leading some users
to believe, reasonably, that there might just be a Mozilla 1.8 final release
afterward. So the February 28 staff
meeting summary surprised a number of people with this brief item:
*Mozilla 1.8 final*
- To be discussed tomorrow whether we do one
The ensuing discussion was long and noisy. The suite still has a large and
dedicated user base, even if it has been somewhat overshadowed by Firefox
and Thunderbird. Some developers had been
working on Mozilla 1.8 and now wonder why. It seems that, over the
last couple of years, the big-picture plan had faded from view, and the
Mozilla Foundation didn't go out of its way to remind people of where it
was going.
That ended on March 10, when the Foundation posted its transition plan
for the Mozilla suite. According to that plan, the "alpha" and "beta"
1.8 releases were intended simply to test out the Mozilla backend code.
There will be no final, stable, supported Mozilla 1.8 release.
The Foundation does seem to recognize that not everybody will have expected
this decision:
There is no doubt that the series of 1.8 alpha and beta releases
have caused some confusion about whether there would be a 1.8
product released by the Mozilla Foundation. In addition, a set of
people have done a non-trivial amount of work on 1.8 features,
thinking this would be part of an official Mozilla Foundation
release. This has been a major error on our part.
The confusion was also clearly to be found within the project itself, as
can be seen by the fact that the question of whether a 1.8 release would
happen or not was
left as an open item for discussion at the February 28 staff meeting.
In any case, the decision has now been made. And that decision is
consistent with the project's stated long-term goals, even if people did
have reason to believe that things would happen differently. The interesting
question now is: what happens next?
What's next, it seems, is that the Mozilla suite gets a new name (almost
certainly "SeaMonkey," its longstanding name within the Mozilla Project)
and is developed and maintained by a group of volunteers. That group is
already organizing itself, and has posted a plan of sorts on the SeaMonkey home
page. The first priority will be to get a real 1.8 release out, but
the developers are already looking beyond that milestone. A
commonly-mentioned longer-term goal is moving over to XULRunner;
porting back some of the better Firefox and Thunderbird features is also on
the list.
The Mozilla Foundation claims to support this course of action. So
SeaMonkey will be able to use the Mozilla support infrastructure - CVS,
BugZilla, etc. It also appears that it will be able to use the SeaMonkey
name, though it appears that there may be a significant debate within the
new project about naming before this is all over. The Mozilla Foundation's
primary concern, it seems, is that the SeaMonkey releases cannot appear to be
an official Mozilla product.
The Mozilla Foundation's motives in making this decision are easy to
understand. The Foundation's resources are limited, so it wants to
concentrate those resources on the standalone applications which are at the
core of its stated plans - and which, it must be said, have been rather
more successful (in terms of user adoption) than the full-blown Mozilla
suite ever was. That suite is free software, however, so it can survive
abandonment by its creator as long as there are developers with the time
and interest to maintain it. The fact that the Foundation is providing the
support infrastructure (and, of course, Gecko engine and the rest of the
support code used by the Mozilla suite) is an added bonus. There is every
reason to expect that both projects will thrive; in a year or two, this
decision may be seen as a good thing by all parties involved.
Comments (12 posted)
The big news from the Debian Project this week is a proposal from the
Release Team and FTP masters that may result in several architectures being
"dropped." The Debian release team and FTP masters are
proposing some
criteria to determine which architectures will receive stable
releases after sarge:
The release team and the ftpmasters are mutually agreed that it is not
sustainable to continue making coordinated releases for as many
architectures as sarge currently contains, let alone for as many new
proposed architectures as are waiting in the wings.
The proposal would not affect the Sarge release, but would take effect for
the next stable Debian release, dubbed "Etch." The architectures that are
slated for release with Sarge will still go out the door, and will have
security support throughout Sarge's release cycle, but would not be
included in testing for the Etch release.
The proposal would relegate a number of architectures to "second class
citizen" (SCC) status, though even that does not come for free. At a
minimum, the architecture must have a functioning Debian build system
("buildd") which can run 24 hours per day without crashing.
It would also require five Debian developers who use or work on the port
to send a signed request for its addition; the port's binaries would need
to be built and signed by Debian developers from unmodified Debian source,
and the port would have to include "basic Unix functionality." Finally, the
architecture must be freely usable, and the port would require a sufficient
user base, or 10% of downloads "over a sampled set of mirrors."
To be part of the Etch release, an architecture would have to meet yet
another set of criteria. The target systems must be available for
purchase, they must be able to compile at least 98% of the distribution's
packages, there must be a working installer, and there must be a machine
under debian.org, available to developers, for testing. It would also be
necessary for the security team, the system administration team, and the
release team to sign off on accepting the architecture.
We followed up on the proposal with Steve Langasek, one of the Debian
Release Team members. Using this set of criteria, Langasek predicts that
this would reduce the candidate architectures from 11 (for Sarge) to 4 for
Etch -- x86, PowerPC, IA-64 and AMD64. The list of ports is not set in
stone. Langasek told LWN that he hopes other ports will "strive for
inclusion in the Etch release, and that their efforts will contribute to
maintaining the high quality we have today even if they don't end up being
released."
We also asked Langasek how the Release Team had picked the criteria to be
used for future releases.
One of the items in the agenda I had set for this meeting in Vancouver
(with input from the rest of the team) was to talk about setting
per-architecture criteria for etch to address some of the problems we've
seen during the sarge cycle, where we've been fighting fires involving one
architecture or another not being able to keep up -- and what we've noticed
is that it's not consistently any particular architecture, it's been spread
out across the board, so we really needed to tell people up front what we
needed from ports in order to get etch out on-schedule.
As it turns out, the ftpmasters ran with this idea in a late-night
brainstorm session even before the meeting officially began, and had some
preliminary criteria put together by Saturday morning. By Saturday
evening, we'd hammered this into something we all agreed was a good idea,
and spent the next couple of days tweaking, refining it as one thought or
another popped into someone's head.
The release team has invited comments on the plan, and it is undergoing
quite a bit of discussion over on debian-devel.
We asked Langasek if the proposal would be dropped if there was a strong
reaction against it. Langasek said that the Release Team was open to ideas,
and was "happy to tweak the specific criteria in use if there are reasons
to do so." However, Langasek said that setting basic requirements
"shouldn't be all that controversial, because the only alternative to
holding our ports to a standard that reflects the demands of the release
process really is a slow, unpredictable release." He also said there
might be tweaks for ports not deemed release candidates.
It is pretty clear based on feedback that something more than the proposed
unstable snapshot mechanism is desired for those ports that aren't going to
be "release candidates". We don't know yet what form that will take, but
there's been a lot of good discussion about what the needs are that should
be met.
One criterion for release candidates that caught our eye was the requirement
that the architecture must be "publicly available to buy new."
We wondered if that would mean dropping support for 386 and 486 chips,
something that other distributions have done for some time. According to
Langasek, processors with the 486 instruction set are still in use.
The truth is that it's still possible to buy chips implementing a 486
instruction set, and a lot of people are still doing interesting things
with them in the embedded sphere -- and it doesn't really cost us anything,
release-wise, to maintain backwards-compatibility with those chips.
There have been a few ABI changes recently that have made current software
dependent on an instruction set that's only available in 486 chips and
higher; it's possible to emulate around this, but the only implementation
currently available has security problems, so it may yet turn out that
sarge is the first release of Debian's "i386" port that doesn't actually
support true 80386 processors. We've also dropped support in sarge for the
oldest of the 32-bit Sparc processors, for similar reasons.
From where we're sitting, this looks like a reasonable proposal. It doesn't
arbitrarily drop specific architectures, but allows for ports to be dropped
from Etch's release candidates if they fail to keep up. This may not be the
"magic bullet" needed to ensure more timely releases from the Debian
Project, but it should contribute to faster releases overall.
Comments (11 posted)
One of the quieter announcements to come out of last month's RSA conference
was this release stating that Dorothy Denning had received the 2004 "Harold
F. Tipton Award" in recognition of her career in information security.
From the release:
"Over the past three decades, Dorothy Denning has been instrumental
in the battle to secure cyber infrastructure," said Tipton, who
will present the award to Dr. Denning. "She has an extensive
history of developing ways to protect highly sensitive information
for corporations and government agencies."
Ms Denning was certainly an early pioneer in this field. Her 1982
Cryptography and Data Security was, for some years, the book
on encryption, access control, and security models. A copy of it remains
on your editor's shelf. Dorothy Denning helped pave the way to where we
are now.
The release omits an important point in Ms Denning's career, however, which
would be worthwhile for the free software community to remember. Those who
were paying attention at the time will remember the encryption battles of
the 1990's, when governments (and the U.S. government in particular) tried
to control the spread of cryptographic technology. The breaking point in
that debate was the "Clipper" initiative, first proposed under Bush I,
then supported by the Clinton administration. Clipper would have required
that all encryption used in the United States implement a key escrow
mechanism which would enable the government to decrypt any communication
which caught its interest. Of course, the government promised not to abuse
this capability, honest, trust us. Strangely enough, people didn't trust
them.
Dorothy Denning was nearly unique in the cryptography community in that she
was a strong clipper supporter. Her essay, The
Future of Cryptography, remains available; it is worth reading for a
scary view on how the net should work. Here's what she was worried about:
Crypto anarchy can be viewed as the proliferation of cryptography
that provides the benefits of confidentiality protection but does
nothing about its harms. It is government-proof encryption which
denies access to the government even under a court order or other
legal order. It has no safeguards to protect users and their
organizations from accidents and abuse. It is like an automobile
with no brakes, no seat belts, no pollution controls, no license
plate, and no way of getting in after you've locked your keys in
the car.
Crypto anarchy, it was claimed, would lead to social disorder and the end
of life as we know it. But it could be prevented; all that was needed was
key escrow, and the "Skipjack" encryption algorithm, which happened to be
classified so nobody could see it. It was thought that key escrow might win
on its own merits, but this outcome was not to be left to the whim of
markets:
The manufacture, distribution, import, and export of unlicensed
encryption products would be illegal, but no particular method of
encryption would be mandated. Individuals would be allowed to
develop their own encryption systems for personal or educational
use without obtaining licenses, though they could not distribute
them to others.
It should be clear that this view of the world would not sit well with the
free software community. We want to be able to develop - and distribute -
software which satisfies our own sense of how much security we need. We
have little patience for coding in back doors for government, or for
anybody else. We do not believe in the security of government-mandated
back doors or classified encryption algorithms.
Clearly, the proponents of key escrow were not successful. There are two
reasons for this failure; the first, and perhaps strongest, of those is
economic. Somehow, the Powers That Be subscribed to the absurd notion that
there would be a worldwide market for encryption products with an explicit
back door for the U.S. government. People in the industry, however,
eventually figured out that key escrow and crypto export regulations would
destroy their business. They pushed for change, and got it.
The other reason, however, is public opposition. The debate was loud,
public, and effective. And a significant part of that debate came about as
a result of the public release of PGP, which let the strong cryptography
cat out of the bag in an irreversible way. Philip Zimmermann's courageous
act demonstrated the repressive power that was poised to swoop down on
those who sought to protect their own data; it also made any attempt to
control the spread of encryption technology moot. Without the release of
that code, the software environment as we see it today might have been
quite different.
As we fight software patents, broadcast flags, or attempts to restrict
peer-to-peer software, we should keep these lessons in mind. These battles
can be won, even when strong interests are quite determined in their
opposition. And releasing code onto the net can change the world. By
developing and distributing our systems, which are designed with
our interests in mind, we are helping to bring about a more free
future.
Comments (8 posted)
Page editor: Jonathan Corbet
Security
CIO magazine has run an article called How To Save The Internet. The core
idea is that the Internet threatens to collapse
under the load of spam, spyware, worms, etc., and that some sort of Big
Ideas must be found to save the situation. A few of the suggested ideas
merit a look...
The first is "hire a czar." The idea would seem to be that the appointment
of a high-level (U.S.) "cybersecurity" official would do something to make
our systems more secure. It looks mostly like a bully-pulpit role:
We propose a high-profile surgeon general for information security,
who reports to the secretary of DHS. Imagine labels on software
like those on cigarettes--Infosecurity General's
Warning: The use of software and hardware that is not certified
secure can harm your system and other people's systems, and you may
be held liable for those damages.
Aside from the idea of how hardware and software would be "certified
secure," one could imagine that people in the free software community could
have a lot of fun creating warning labels.
Another suggestion is giving vendors incentives to create more secure
software. Essentially, it is the return of the product liability idea.
This approach may still offer some promise, but it is hard to see how to
make it fit with the "no warranties" nature of free software.
Two related items are well described by the title applied to the first:
"Treat End Users Like the Dummies They Are." The suggestion to have ISPs
provide more filtering, detection, and response services to those who are
willing to pay for them is fine. The other one, however, is more
problematic:
Let's make all end user devices nonprogrammable.... No one can
connect to the Internet on a machine that creates code. If you want
a computer to do programming, you would have to be licensed. We
could license software companies to purchase programmable machines,
which would be completely traceable along with the code created on
them.
The idea of "traceable code" would appear to pose some technical challenges
of its own. But the idea that you could "save the Internet" by restricting
access to programmable devices is truly frightening. There are a few of us
out there who see the net as a bit more than a clothing-optional shopping
mall. We would not react well to the idea that we would have to be
licensed before getting a machine we could hack on.
There is an idea for the creation of reputation servers as an antidote to
the phishing problem (though, of course, it has to be expressed as "using
XML and meta-data to tag websites with safety, reputation, past performance
and other security ratings"). Something like that may yet be part
of a solution to certain classes of problems. More likely, however, is
that it would just become another variant of the (nearly useless) SSL
certificate mechanism.
Almost as an afterthought, the article presents a couple of relevant Big
Ideas: make a bigger effort to write error-free software, and think
carefully about what features any given program should have. Maybe an
email client really should not be able to execute code received in
messages. One wonders why nobody ever thought of that before.
See the article for the full list of "Big Ideas." For the most part, this
article can be dismissed as just another silly journalistic exercise. But
the truth of the matter is that people are actually likely to try some of
these ideas. Look for a "Code Traceability and Programmer Licensing"
initiative in a legislature near you sometime soon.
Comments (16 posted)
New vulnerabilities
Ethereal: Multiple vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2005-0699, CAN-2005-0704, CAN-2005-0705 |
| Created: | March 14, 2005 |
| Updated: | March 28, 2005 |
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.10, including: the Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows (CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC dissector could crash when the "ignore cipher bit" option is enabled (CAN-2005-0705), and there are various vulnerabilities in the IAPP, JXTA, and sFlow dissectors. |
| Alerts: | |
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
| CVE #(s): | CAN-2005-0366 |
| Created: | March 16, 2005 |
| Updated: | August 19, 2005 |
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
IPsec-Tools: denial of service
| Package(s): | ipsec-tools setkey racoon |
| CVE #(s): | CAN-2005-0398 |
| Created: | March 14, 2005 |
| Updated: | April 5, 2005 |
| Description: | The IPsec-Tools package is used to build other programs such as setkey and racoon. There is a potential denial of service vulnerability when parsing ISAKMP headers in racoon. |
| Alerts: | |
Comments (none posted)
luxman: buffer overflow
| Package(s): | luxman |
| CVE #(s): | CAN-2005-0385 |
| Created: | March 14, 2005 |
| Updated: | March 16, 2005 |
| Description: | Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based PacMan clone, that could lead to the execution of arbitrary commands as root. |
| Alerts: | |
Comments (none posted)
MySQL: input validation and temporary file vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2005-0709, CAN-2005-0710, CAN-2005-0711 |
| Created: | March 16, 2005 |
| Updated: | July 19, 2005 |
| Description: | MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability. |
| Alerts: | |
Comments (none posted)
openslp: buffer overflows
| Package(s): | openslp |
| CVE #(s): | |
| Created: | March 14, 2005 |
| Updated: | March 21, 2005 |
| Description: | The SUSE Security Team reviewed critical parts of the OpenSLP package, an open source implementation of the Service Location Protocol (SLP). During the audit, various buffer overflows and out of bounds memory access have been fixed which can be triggered by remote attackers by sending malformed SLP packets. |
| Alerts: | |
Comments (none posted)
Ringtone Tools: buffer overflow
| Package(s): | ringtonetools |
| CVE #(s): | |
| Created: | March 15, 2005 |
| Updated: | March 16, 2005 |
| Description: | Qiao Zhang has discovered a buffer overflow vulnerability in the 'parse_emelody' function in 'parse_emelody.c'. A remote attacker could entice a Ringtone Tools user to open a specially crafted eMelody file, which would potentially lead to the execution of arbitrary code with the rights of the user running the application. |
| Alerts: | |
Comments (none posted)
sylpheed: buffer overflow
| Package(s): | sylpheed |
| CVE #(s): | CAN-2005-0667 |
| Created: | March 15, 2005 |
| Updated: | April 15, 2005 |
| Description: | Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
abuse: several vulnerabilities
| Package(s): | abuse |
| CVE #(s): | CAN-2005-0098, CAN-2005-0099 |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Several vulnerabilities have been discovered in abuse, the SDL port of the Abuse action game. Erik Sjölund discovered several buffer overflows in the command line handling, which could lead to the execution of arbitrary code with elevated privileges since it is installed setuid root. Steve Kemp discovered that abuse creates some files without dropping privileges first, which may lead to the creation and overwriting of arbitrary files. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
KDE dcopidlng: insecure temporary file creation
| Package(s): | dcopidlng |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Davide Madrisan has discovered that the dcopidlng script creates temporary files in a world-writable directory with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When dcopidlng is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
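The length-validation defect in the camel-lock-helper entry above is a general pattern worth seeing in code. The following is an added illustration, not Evolution's code: the message framing (a 4-byte big-endian signed length followed by the payload), the MAX_PAYLOAD bound and all function names are assumptions made for the example.

```c
/*
 * Added illustration of the defect described in the camel-lock-helper entry:
 * a peer-supplied, signed length is used first to size a buffer and then to
 * bound the copy into it. This is not Evolution's code. The framing (a 4-byte
 * big-endian signed length followed by the payload), MAX_PAYLOAD and every
 * function name here are assumptions made for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 4096   /* assumed sane upper bound for one message */

/* Decode a big-endian 32-bit field as a signed int, as a handler that
 * declares its length variable "int" would see it. */
static int32_t read_be32_signed(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;   /* 0xFFFFFFFF becomes -1 */
}

/*
 * The VULNERABLE pattern, kept only for comparison and never called here:
 * with len == -1, (size_t)len + 1 wraps to 0, so malloc(0) returns a
 * zero-byte buffer, while (size_t)len passed to memcpy is SIZE_MAX, so the
 * copy is bounded by the sender rather than by the allocation.
 */
unsigned char *read_payload_unchecked(const unsigned char *msg)
{
    int32_t len = read_be32_signed(msg);
    unsigned char *buf = malloc((size_t)len + 1);   /* 0 bytes for len == -1 */
    if (!buf)
        return NULL;
    memcpy(buf, msg + 4, (size_t)len);              /* heap overflow */
    buf[len] = '\0';
    return buf;
}

/* Hardened: reject negative and oversized lengths before any allocation,
 * and require the framed payload to be present in what was received.
 * Returns 0 on success (*out is malloc'd, *out_len set) or -1 on a
 * malformed frame. */
int read_payload_checked(const unsigned char *msg, size_t msg_len,
                         unsigned char **out, size_t *out_len)
{
    if (msg_len < 4)
        return -1;                                   /* no complete header */
    int32_t len = read_be32_signed(msg);
    if (len < 0 || len > MAX_PAYLOAD)
        return -1;                                   /* the -1 case stops here */
    if ((size_t)len > msg_len - 4)
        return -1;                                   /* truncated frame */
    unsigned char *buf = malloc((size_t)len + 1);
    if (!buf)
        return -1;
    memcpy(buf, msg + 4, (size_t)len);
    buf[len] = '\0';
    *out = buf;
    *out_len = (size_t)len;
    return 0;
}

/* Build a frame whose header claims claimed_len bytes while carrying the
 * bytes actually sent, so honest and hostile senders can both be modelled. */
static size_t build_frame(unsigned char *dst, size_t cap, int32_t claimed_len,
                          const unsigned char *payload, size_t payload_len)
{
    if (cap < 4 + payload_len)
        return 0;
    uint32_t u = (uint32_t)claimed_len;
    dst[0] = (unsigned char)(u >> 24);
    dst[1] = (unsigned char)(u >> 16);
    dst[2] = (unsigned char)(u >> 8);
    dst[3] = (unsigned char)u;
    memcpy(dst + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Feed one constructed frame to the checked parser: 0 if accepted and the
 * payload round-tripped exactly, -1 if rejected, -2 on a parser mismatch. */
int try_frame(int32_t claimed_len, const char *payload)
{
    unsigned char frame[64];
    size_t n = build_frame(frame, sizeof frame, claimed_len,
                           (const unsigned char *)payload, strlen(payload));
    unsigned char *out = NULL;
    size_t out_len = 0;
    int rc = read_payload_checked(frame, n, &out, &out_len);
    if (rc == 0)
        rc = (out_len == strlen(payload) &&
              memcmp(out, payload, out_len) == 0) ? 0 : -2;
    free(out);
    return rc;
}

int main(void)
{
    printf("honest 5-byte frame:        %d\n", try_frame(5, "hello"));
    printf("claimed length -1:          %d\n", try_frame(-1, "hello"));
    printf("claims 10 bytes, sends 5:   %d\n", try_frame(10, "hello"));
    return 0;
}
```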
f2c: insecure temp files
| Package(s): | f2c |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |
| Description: | The f2c Fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: DoS issue in parsing malformed HTML
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0208 |
| Created: | February 25, 2005 |
| Updated: | March 14, 2005 |
| Description: | Gaim has a DoS issue in parsing malformed HTML, and a MSN related crash. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
hashcash: format string vulnerability
| Package(s): | hashcash |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the Hashcash utility that an attacker could expose by specifying a malformed reply address. Successful exploitation would permit an attacker to disrupt Hashcash users, and potentially execute arbitrary code. |
| Alerts: | |
Comments (none posted)
HelixPlayer: buffer overflows
| Package(s): | HelixPlayer |
| CVE #(s): | CAN-2005-0455, CAN-2005-0611 |
| Created: | March 3, 2005 |
| Updated: | March 9, 2005 |
| Description: | The Helix Player 1.0 media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
imagemagick: format string vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0397 |
| Created: | March 3, 2005 |
| Updated: | April 4, 2005 |
| Description: | The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
Comments (none posted)
kdenetwork: file descriptor leak
| Package(s): | kdenetwork |
| CVE #(s): | CAN-2005-0205 |
| Created: | March 3, 2005 |
| Updated: | March 16, 2005 |
| Description: | The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information. |
| Alerts: | |
Comments (none posted)
less: heap based buffer overflow
| Package(s): | less |
| CVE #(s): | CAN-2005-0086 |
| Created: | March 8, 2005 |
| Updated: | March 9, 2005 |
| Description: | Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Linux 9. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened. |
| Alerts: | |
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. |
| Alerts: | |
Comments (none posted)
libexif: improper validation
| Package(s): | libexif |
| CVE #(s): | CAN-2005-0664 |
| Created: | March 7, 2005 |
| Updated: | April 15, 2005 |
| Description: | Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user to load an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. |
| Alerts: | |
Comments (none posted)
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 |
| CVE #(s): | CAN-2005-0176, CAN-2005-0177, CAN-2005-0178 |
| Created: | February 15, 2005 |
| Updated: | March 15, 2005 |
| Description: | Michael Kerrisk noticed insufficient permission checking in the shmctl() function. Any process was permitted to lock/unlock any System V shared memory segment that fell within the RLIMIT_MEMLOCK limit (that is, the maximum size of shared memory that unprivileged users can acquire). This allowed an unprivileged user process to unlock locked memory of other processes, thereby allowing them to be swapped out. Usually locked shared memory is used to store passphrases and other sensitive content which must not be written to the swap space (where it could be read out even after a reboot). (CAN-2005-0176) OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly set to 128 instead of 256. This caused a buffer overflow in some cases which could be exploited to crash the kernel. (CAN-2005-0177) A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-0178) |
| Alerts: | |
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
| CVE #(s): | CAN-2004-0972 |
| Created: | November 1, 2004 |
| Updated: | July 25, 2005 |
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
| CVE #(s): | CAN-2004-1177 |
| Created: | January 10, 2005 |
| Updated: | March 22, 2005 |
| Description: | Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page. |
| Alerts: | |
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
| CVE #(s): | CAN-2005-0202 |
| Created: | February 9, 2005 |
| Updated: | July 13, 2005 |
| Description: | The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives. This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: | |
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
| CVE #(s): | CAN-2005-0534, CAN-2005-0535, CAN-2005-0536 |
| Created: | February 28, 2005 |
| Updated: | June 13, 2005 |
| Description: | A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mlterm: integer overflow
| Package(s): | mlterm |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | mlterm is vulnerable to an integer overflow that can be triggered by specifying a large image file as a background. This only affects users that have compiled mlterm with the 'gtk' USE flag, which enables gdk-pixbuf support. |
| Alerts: | |
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2005-0088 |
| Created: | February 10, 2005 |
| Updated: | April 10, 2006 |
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. |
| Alerts: | |
Comments (none posted)
Mozilla and Mozilla Firefox: out of memory heap corruption
| Package(s): | mozilla firefox |
| CVE #(s): | CAN-2005-0255 |
| Created: | March 1, 2005 |
| Updated: | March 16, 2005 |
| Description: | According to this iDEFENSE advisory, remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow an attacker to cause heap corruption, resulting in execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0835, CAN-2004-0836, CAN-2004-0837 |
| Created: | October 11, 2004 |
| Updated: | April 6, 2005 |
| Description: | Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: | |
Comments (none posted)
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
| CVE #(s): | CAN-2005-0004 |
| Created: | January 18, 2005 |
| Updated: | March 25, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
| CVE #(s): | CAN-2004-1287 |
| Created: | December 20, 2004 |
| Updated: | May 4, 2005 |
| Description: | Jonathan Rockway discovered that NASM-0.98.38 has an unprotected vsprintf() to an array in preproc.c. This code vulnerability may lead to a buffer overflow and potential execution of arbitrary code. |
| Alerts: | |
Comments (4 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
| CVE #(s): | CAN-2005-0013, CAN-2005-0014 |
| Created: | January 31, 2005 |
| Updated: | May 15, 2006 |
| Description: | Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). |
| Alerts: | |
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
| CVE #(s): | CAN-2004-0911 |
| Created: | October 4, 2004 |
| Updated: | March 28, 2005 |
| Description: | Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). |
| Alerts: | |
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-1014 |
| Created: | December 1, 2004 |
| Updated: | May 15, 2005 |
| Description: | The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: | |
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-0946 |
| Created: | January 11, 2005 |
| Updated: | February 27, 2006 |
| Description: | Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
| CVE #(s): | CAN-2004-0975 |
| Created: | November 11, 2004 |
| Updated: | July 19, 2005 |
| Description: | The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under. |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
| CVE #(s): | |
| Created: | February 14, 2005 |
| Updated: | June 22, 2005 |
| Description: | Opera has several vulnerabilities which could result in information disclosure and facilitate execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
| CVE #(s): | CAN-2005-0448 |
| Created: | March 9, 2005 |
| Updated: | January 30, 2006 |
| Description: | The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: | |
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpMyAdmin |
| CVE #(s): | |
| Created: | March 4, 2005 |
| Updated: | March 9, 2005 |
| Description: | phpMyAdmin contains multiple vulnerabilities that could lead to command execution, XSS issues and bypass of security restrictions. See PMASA-2005-1 and PMASA-2005-2 for details. |
| Alerts: | |
Comments (none posted)
postfix: error in IPv6 handling
| Package(s): | postfix |
| CVE #(s): | CAN-2005-0337 |
| Created: | February 4, 2005 |
| Updated: | March 16, 2005 |
| Description: | Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup" was enabled in the "smtpd_recipient_restrictions", Postfix turned into an open relay, i.e. it erroneously permitted the delivery of arbitrary mail to any MX host which has an IPv6 address. |
| Alerts: | |
Comments (1 posted)
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql |
| CVE #(s): | CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247 |
| Created: | February 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | postgresql has a vulnerability in which the EXECUTE privilege may not be checked on custom functions. This may allow any database user to circumvent the EXECUTE restriction on functions. |
| Alerts: | |
Comments (none posted)
python: illegal function internals access
| Package(s): | python |
| CVE #(s): | CAN-2005-0089 |
| Created: | February 3, 2005 |
| Updated: | April 22, 2005 |
| Description: | Python versions 2.2 and 2.3 have a vulnerability in the SimpleXMLRPCServer module which may allow remote users to read or change function internals via the im_* and func_* attributes. |
| Alerts: | |
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
| CVE #(s): | CAN-2004-0691, CAN-2004-0692, CAN-2004-0693 |
| Created: | August 19, 2004 |
| Updated: | May 15, 2005 |
| Description: | A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: | |
Comments (none posted)
RealPlayer: buffer overflows
| Package(s): | RealPlayer |
| CVE #(s): | CAN-2005-0455, CAN-2005-0611 |
| Created: | March 3, 2005 |
| Updated: | March 21, 2005 |
| Description: | The RealPlayer media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions. |
| Alerts: | |
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
| CVE #(s): | CAN-2004-0564 |
| Created: | October 4, 2004 |
| Updated: | November 15, 2005 |
| Description: | Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system. |
| Alerts: | |
Comments (none posted)
ruby: infinite loop
| Package(s): | ruby |
| CVE #(s): | CAN-2004-0983 |
| Created: | November 8, 2004 |
| Updated: | May 15, 2005 |
| Description: | The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up CPU cycles. |
| Alerts: | |
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
| CVE #(s): | CAN-2004-1154 |
| Created: | December 16, 2004 |
| Updated: | July 19, 2005 |
| Description: | Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server. |
| Alerts: | |
Comments (none posted)
sharutils: arbitrary code execution
| Package(s): | sharutils |
| CVE #(s): | CAN-2004-1772 |
| Created: | October 1, 2004 |
| Updated: | April 26, 2005 |
| Description: | sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs. |
| Alerts: | |
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
| CVE #(s): | CAN-2004-0796 |
| Created: | August 9, 2004 |
| Updated: | August 11, 2005 |
| Description: | SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service. |
| Alerts: | |
Comments (none posted)
Squid: DNS response handling
| Package(s): | squid |
| CVE #(s): | CAN-2005-0446 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |
| Description: | Handling of certain DNS responses triggers assertion failures. By returning a specially crafted DNS response an attacker could cause Squid to crash by triggering an assertion failure. |
| Alerts: | |
Comments (none posted)
squid: race condition
| Package(s): | squid |
| CVE #(s): | CAN-2005-0626 |
| Created: | March 8, 2005 |
| Updated: | March 9, 2005 |
| Description: | A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. |
| Alerts: | |
Comments (none posted)
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2005-0075, CAN-2005-0103, CAN-2005-0104 |
| Created: | January 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a. |
| Alerts: | |
Comments (none posted)
sudo: environment variable sanitizing
| Package(s): | sudo |
| CVE #(s): | CAN-2004-1051 |
| Created: | November 17, 2004 |
| Updated: | May 15, 2005 |
| Description: | Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
tiff: buffer overflows
| Package(s): | tiff |
| CVE #(s): | CAN-2004-0803 |
| Created: | October 13, 2004 |
| Updated: | April 12, 2005 |
| Description: | The tiff library contains several buffer overflows which may be exploited by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
UnAce: buffer overflow and directory traversal
| Package(s): | unace |
| CVE #(s): | CAN-2005-0160, CAN-2005-0161 |
| Created: | February 28, 2005 |
| Updated: | June 17, 2005 |
| Description: | Ulf Harnhammar discovered that UnAce suffers from buffer overflows when testing, unpacking or listing specially crafted ACE archives (CAN-2005-0160). He also found out that UnAce is vulnerable to directory traversal attacks, if an archive contains "./.." sequences or absolute filenames (CAN-2005-0161). |
| Alerts: | |
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 15, 2005 |
| Description: | XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client. |
| Alerts: | |
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 10, 2006 |
| Description: | xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: | |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
| Alerts: | |
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
| CVE #(s): | CAN-2004-0914 |
| Created: | November 18, 2004 |
| Updated: | September 12, 2005 |
| Description: | The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2004-1125 |
| Created: | December 23, 2004 |
| Updated: | April 1, 2005 |
| Description: | xpdf has a potential buffer overflow problem caused by insufficient input validation. A specially crafted PDF file can allow an attacker to execute code with privileges of the xpdf user. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Comments (1 posted)
xpdf: vulnerabilities on 64 bit platforms
| Package(s): | xpdf gpdf cups |
| CVE #(s): | CAN-2005-0206 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |
| Description: | The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. |
| Alerts: | |
Comments (none posted)
xv: filename handling vulnerability
| Package(s): | xv |
| CVE #(s): | |
| Created: | March 4, 2005 |
| Updated: | March 9, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv. Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: | Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: | |
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for March is out. Topics include the breaking of SHA-1, two-factor authentication, ChoicePoint, and Microsoft's "Ghostbuster" rootkit hunter. "This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it."
Full Story (comments: 1)
Events
The CanSecWest Security Masters Dojo is happening May 3 and 4 in Vancouver, BC, Canada. It is described as "Advanced and intermediate security training and technology enhancement for information security professionals." Click below for the course details.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current ultra-stable 2.6 kernel is 2.6.11.4, which was
released on March 15; it contains two
security fixes. Previously,
2.6.11.3 was
released on March 12 with a larger set of fixes. The form of the
2.6.11.x patches has changed slightly: they now apply directly to the
2.6.11 root, rather than to the previous .x release.
There still have been no 2.6.12 prepatches, though it looks like one
should appear soon.
When that prepatch shows up, it will include over 2000 patches currently
sitting in Linus's BitKeeper repository. These include a driver for the
"trusted computing" TPM chip (see the Trusted Computing
Group site for more information on TPM), SuperHyway bus
support, a new multi-level security implementation for SELinux, a user-mode
Linux update, support for hot-pluggable parallel ports, the "cpuset" patch
(see cpusets.txt for information on cpusets),
a new nVidia framebuffer driver, the device
mapper multipath patches, a big set of input driver patches, an ALSA
update, an IPv6 update (including a patch removing the "experimental"
designation for IPv6), a rearrangement of the net_device structure
(which will break binary-only drivers), a 21,000-line DVB whitespace
cleanup patch, a rework of the page table access functions (which is still
causing some trouble on ia-64), a patch allowing an administrator to enable
a subset of the "magic SysRq" functions,
numerous driver updates, the address space randomization patches, a new
packet classifier mechanism for the networking layer, a new workqueue API
function, a
Tiger digest algorithm implementation, the restoration of the Philips
webcam driver, some software suspend improvements, some readahead
improvements, a big block I/O barrier rewrite (which enables full barrier
support on serial ATA drives), a set of patches to shrink the kernel for
embedded use, a generic sort() function, high-resolution POSIX
CPU clock support (not the full high-resolution timers patch), a USB API
change (usb_control_msg() and usb_bulk_msg() now take a
timeout in milliseconds rather than in jiffies), and lots of fixes.
Also to be found in BitKeeper is an (almost) direct merge of the first three
2.6.11.x releases.
The current -mm patch is 2.6.11-mm4.
Recent changes to -mm include a big CFQ I/O scheduler update, a new and
smaller relayfs patch, a set of sparse memory support patches, a
performance counter API update, a reiser4 update, and various fixes.
The current 2.4 prepatch remains 2.4.30-pre3; there have been no 2.4
prepatches since March 9.
Kernel development news
This patch causes a CONFIG_PREEMPT=y, CONFIG_PREEMPT_BKL=y,
CONFIG_DEBUG_PREEMPT=y kernel on a ppc64 G5 to hang immediately after
displaying the penguins, but apparently not before having set the hardware
clock backwards 101 years.
After having carefully reviewed the above description and having decided
that these effects were not a part of the patch's design intent I have
temporarily set it aside, thanks.
-- Andrew Morton
LWN is happy to host
an online version of Linux
Device Drivers, Third Edition by Jonathan Corbet, Alessandro
Rubini, and Greg Kroah-Hartman. As of this writing, only the PDF version
of the book is available; it will eventually be released in HTML and
DocBook form as well. The book has been released under the
Creative Commons
Attribution-ShareAlike license, but you're going to want to run out and
buy a copy or three anyway.
It is a nice thing when hardware vendors provide Linux drivers for their
products. Since these drivers are written by the vendor, there is usually
no trouble getting information on how the hardware is controlled. With luck, that
hardware will "just work" for Linux users, and all will be as it should
be. In the real world, however, things are not always that simple.
Hardware companies often take interesting approaches to coding drivers,
and the people involved are not always well tied into the Linux kernel
development community. The result can be conflicts between the vendors,
who simply want to get things done, and the kernel developers, who are
increasingly unwilling to accept code which does not meet their standards.
For a current example, consider the proposed
new Neterion/S2io 10GbE network driver. This driver has been rewritten
from the beginning; it supports many of the hardware's advanced features
and provides high performance. It looks like just the thing for high-end
Linux-based networking uses.
The problem is that the driver does not deal directly with the Linux kernel
API. It is, instead, based on a "hardware abstraction layer" (HAL) which
glues the driver to the kernel. So, for example, the driver builds lists
with a structure like:
    typedef struct xge_list_t {
        struct xge_list_t* prev;
        struct xge_list_t* next;
    } xge_list_t;
Such lists are accessed with functions like xge_list_insert() and
even xge_list_for_each(). Similarly, the driver uses
xge_os_spin_lock() to acquire a lock, xge_os_malloc() to
allocate memory, and xge_os_pio_mem_read8() to read a byte from
I/O memory. This approach helps Neterion support a variety of systems with
the same core driver code, but it does not sit well with the kernel
hackers. Networking maintainer David Miller responded this way:
I totally reject this driver, HAL is unacceptable for in-tree
drivers. We've been over this a thousand times.
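To make the contrast concrete, here is an added example (neither Neterion's driver code nor the kernel's own include/linux/list.h): a minimal re-implementation of the Linux list_head idiom, with a hypothetical rx_buffer driver object, showing how an in-tree driver keeps a list without a parallel list type, a separate node allocation, or a wrapper call per element. The rx_buffer type, its constructed byte lengths, and the standard-C list_for_each_entry() that takes an explicit type argument (the kernel's version infers it with typeof) are this example's own assumptions.

```c
#include <stddef.h>

/*
 * Minimal re-implementation of the Linux list_head idiom, constructed for
 * this example (not the kernel's list.h, not Neterion's HAL). The links are
 * embedded in the driver's own object and the object is recovered from a
 * link with container_of(), so there is no parallel list implementation.
 */
struct list_head {
    struct list_head *prev, *next;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* The kernel infers 'type' with typeof(); standard C needs it spelled out. */
#define list_for_each_entry(pos, head, type, member)             \
    for (pos = container_of((head)->next, type, member);         \
         &pos->member != (head);                                 \
         pos = container_of(pos->member.next, type, member))

static inline void INIT_LIST_HEAD(struct list_head *head)
{
    head->next = head;
    head->prev = head;
}

static inline void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *last = head->prev;

    entry->next = head;
    entry->prev = last;
    last->next = entry;
    head->prev = entry;
}

static inline void list_del(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    /* Poison the unlinked entry so a stale traversal faults loudly instead
     * of silently walking freed memory (the kernel's list_del() does the
     * same with its LIST_POISON values). */
    entry->next = NULL;
    entry->prev = NULL;
}

/* Hypothetical driver object: the list linkage lives inside the object. */
struct rx_buffer {
    unsigned int id;
    size_t len;
    struct list_head node;
};

/* Total bytes queued on 'head', walked the in-tree way. */
size_t queued_bytes(struct list_head *head)
{
    struct rx_buffer *buf;
    size_t total = 0;

    list_for_each_entry(buf, head, struct rx_buffer, node)
        total += buf->len;
    return total;
}

/*
 * Queue three constructed buffers (1500 + 64 + 300 bytes), unlink the
 * middle one, and return the remaining total: 1800.
 */
size_t demo_queue(void)
{
    struct rx_buffer bufs[3] = {
        { .id = 1, .len = 1500 },
        { .id = 2, .len = 64 },
        { .id = 3, .len = 300 },
    };
    struct list_head head;
    int i;

    INIT_LIST_HEAD(&head);
    for (i = 0; i < 3; i++)
        list_add_tail(&bufs[i].node, &head);

    list_del(&bufs[1].node);
    return queued_bytes(&head);
}
```

Because the links are part of rx_buffer itself, every kernel developer who knows list_head can read queued_bytes() at a glance; the same loop written against xge_list_for_each() has to be decoded through the HAL first, which is the maintainability point made above.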
One problem with the HAL approach is that there can be a performance cost.
A 10G network adaptor can handle thousands of packets per second; at that
sort of load, even the minimal overhead of a simple wrapper function can
make a significant difference. The extra memory taken by the glue code,
parallel linked list implementation, etc. also hurts. A developer
community which is dedicated to obtaining the best possible performance
from the hardware will be unwilling to swallow even a small cost in the
name of portability.
The bigger issue, however, is in the maintainability of the driver. A
driver written for a HAL layer has its own idioms and conventions; it works
with a completely different API. It simply does not look like a Linux
driver; Linux developers will have a harder time understanding and
modifying it.
One might think that this is not a big issue, since Neterion has said that
it plans to maintain the driver, but there are a couple of problems that
come up:
- When a kernel developer changes an internal function, he or she will
usually go through and fix all of the in-tree users of that function.
So developers who are not employed by the hardware vendor will almost
certainly have to work with the driver code at some point.
- Hardware vendors have a short attention span. Product cycles
tend to be short, and the vendor will, before too long, move on to new
products requiring new and different drivers. Once a given driver no
longer applies to the products which are currently in the vendor's
catalog, the vendor will, most likely, see little reason to continue
maintaining that driver. The Linux community, however, will have an
interest in keeping that driver working for several more years.
Additionally, the vendor may resist patches which affect the HAL layer
itself, making it harder for the community to work on the driver. Overall,
the Linux kernel developers plan to maintain the kernel for many years into
the future; they tend to be concerned about taking on code which will make
that maintenance task harder in the future.
So the kernel hackers have some solid reasons for resisting HAL-based
drivers. The vendors also have good reasons for wanting to write such
drivers. To them, the resistance to HAL looks like a "Linux is the only
important system" attitude, and it forces them to incur extra costs when
writing their code. In this case, Neterion has reluctantly
said that it will produce a non-HAL driver if that is the only way to
get into the tree; other vendors may not bother.
Peter Chubb has long been working on a project to move device drivers into
user space. Getting drivers out of the kernel, he points out, would have a
number of benefits. Faults in drivers (the source of a large percentage of
kernel bugs) would be less likely to destabilize the entire system.
Drivers could be easily restarted and upgraded. And a user-space
implementation would make it possible to provide a relatively stable driver
API, which would appeal to many vendors.
Much of the support needed for user-space drivers is already in place. A
process can communicate with hardware by mapping the relevant I/O memory
directly into its address space, for example; that is how the X server
works with video adaptors. One piece, however, is missing:
user-space drivers cannot handle device interrupts. In many cases, a
proper driver cannot be written without using interrupts, so a user-space
implementation is not possible.
Peter has now posted his user-space interrupts
patch for review and possible inclusion. The mechanism that he ended
up with is simple and easy to work with, but it suffers from an important
limitation.
The mechanism is this: a process wishing to respond to interrupts opens a
new /proc file; for IRQ 10, the file would be
/proc/irq/10/irq. A read on that file will yield the number of
interrupts which have occurred since the last read. If no interrupts have
occurred, the read() call will block until the next interrupt
happens. The select() and poll() system calls are
properly supported, so it is possible to include interrupt handling as just
another thing to do in an event loop.
On the kernel side, the real interrupt handler looks like this:
    static irqreturn_t irq_proc_irq_handler(int irq, void *vidp,
                                            struct pt_regs *regs)
    {
        struct irq_proc *idp = (struct irq_proc *)vidp;

        BUG_ON(idp->irq != irq);
        disable_irq_nosync(irq);
        atomic_inc(&idp->count);
        wake_up(&idp->q);
        return IRQ_HANDLED;
    }
In other words, all it does is count the interrupt and wake up any process
that might be waiting to handle it.
The handler also disables the interrupt before returning. There is an
important reason for this action: since the
handler knows nothing of the device which is actually interrupting, it is
unable to acknowledge or turn off the interrupt. So, when the handler
returns, the device will still be signalling an interrupt. If the
interrupt were not disabled in the processor (or the APIC), the processor
would be interrupted (and the handler called) all over again, repeatedly -
at least, when level-triggered interrupts are in use. Disabling the
interrupt allows life to go on until the user-space process gets scheduled
and is able to tend to the interrupting device.
There is a problem here, however: interrupt lines are often shared between
devices. Disabling a shared interrupt shuts it off for all devices using
that line, not just the one being handled by a user-space driver. It is
entirely possible that masking that interrupt will block a device which is
needed by the user-space handler - a disk controller, perhaps. In that
case, the system may well deadlock. For this reason, the patch does not
allow user-space drivers to work with shared interrupts. This restriction
avoids problems, but it also reduces the utility of the whole thing.
One possible solution was posted by Alan
Cox. He would require user-space processes to pass a small structure into
the kernel describing the hardware's IRQ interface. It would be just
enough for the kernel to tell if a particular device is interrupting,
acknowledge that interrupt, and tell the device to shut
up. With that in place, the kernel could let user space deal with what the
device really needs while leaving the interrupt enabled. It has been pointed out that this simple scheme would not
work with some of the more complicated hardware, but it would be a step in
the right direction regardless.
Meanwhile, Michael Raymond described a
different user-space interrupt implementation (called "User Level
Interrupt" or ULI) done at SGI. This patch is significantly more
complicated. In this scheme, a user-space driver would register an
interrupt handler function directly with the kernel. When an interrupt
happens, the ULI code performs some assembly-code black magic so that its
"return from interrupt" instruction jumps directly into the user-space
handler, in user mode. Once that handler returns, the ULI library writes a
code to a magic device which causes the kernel stack and related data
structures to be restored to their pre-interrupt state. The implementation
is more complex, and it currently only works on the ia-64 architecture, but
it could conceivably offer better performance than the /proc
method.
A few more changes to the 2.6 internal kernel API have been merged since
last week's summary.
The driver model API has seen a couple of small changes.
kref_put() no longer returns void:
int kref_put(struct kref *kref, void (*release)(struct kref *kref));
The (new) return value is normally zero, but will be nonzero if the kref
was actually removed. Note that a zero return does not imply that the kref
is still valid; somebody else may have done the last kref_put()
call in the meantime.
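As an added illustration of what the new return value does and does not tell the caller (this is a user-space re-implementation of the kref pattern written for this example, not the kernel's lib/kref.c): two holders of a hypothetical refcounted widget each drop their reference; the first put returns 0, the second returns 1 and runs the release callback. The widget type, the release counter and the helper names are this example's own assumptions.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

/*
 * Stand-alone kref, constructed for this example (not lib/kref.c). The
 * refcount is manipulated atomically so that the "did my decrement hit
 * zero?" question has exactly one correct answer per put.
 */
struct kref {
    atomic_int refcount;
};

static void kref_init(struct kref *kref)
{
    atomic_init(&kref->refcount, 1);
}

static void kref_get(struct kref *kref)
{
    atomic_fetch_add(&kref->refcount, 1);
}

/*
 * Drop one reference. release() runs, and 1 is returned, only for the
 * caller whose decrement took the count to zero. A return of 0 says only
 * that someone else still held a reference at the instant of the decrement;
 * that holder may drop it on another CPU a moment later.
 */
static int kref_put(struct kref *kref, void (*release)(struct kref *kref))
{
    if (atomic_fetch_sub(&kref->refcount, 1) == 1) {
        release(kref);
        return 1;
    }
    return 0;
}

/* Hypothetical refcounted driver object. */
struct widget {
    int payload;
    struct kref ref;
};

static int widgets_released;

static void widget_release(struct kref *kref)
{
    struct widget *w = (struct widget *)((char *)kref - offsetof(struct widget, ref));

    widgets_released++;
    free(w);
}

/*
 * Holders A and B each drop their reference. Returns
 * first_put * 10 + second_put, i.e. 0 * 10 + 1 = 1, and widget_release()
 * has run exactly once by the time it returns.
 */
int demo_two_holders(void)
{
    struct widget *w = malloc(sizeof *w);
    int first, second;

    if (!w)
        return -1;
    w->payload = 42;
    kref_init(&w->ref);                       /* holder A's reference */
    kref_get(&w->ref);                        /* holder B's reference */

    first = kref_put(&w->ref, widget_release);   /* A drops: 0, B still holds */
    /*
     * From A's point of view, first == 0 does not make 'w' safe to touch:
     * A owns no reference any more and B could release at any moment. Only
     * the code still holding B's reference may read w->payload here.
     */
    second = kref_put(&w->ref, widget_release);  /* B drops: 1, object freed */
    return first * 10 + second;
}

int widgets_released_so_far(void)
{
    return widgets_released;
}
```

The return value is useful to a caller that wants to know whether its own put tore the object down (to skip further cleanup, say); treating 0 as "still alive, keep using it" is the use-after-free pattern the note above warns about.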
The kset type now has its own internal spinlock. That means that
a kset is no longer required to be part of a subsystem.
Greg Kroah-Hartman has proposed a rather wider
set of changes to the driver model class code. Essentially, he is
pushing all users over to a form of the "class_simple" interface, and
getting away from the original class implementation, which was hard to use
correctly. These changes have not yet been merged, however.
The kernel has long held a variety of special-purpose sorting functions.
These have now been replaced by a generic heap sort utility written by Matt
Mackall. Its interface is:
    void sort(void *base, size_t num, size_t size,
              int (*compare)(const void *a, const void *b),
              void (*swap)(void *a, void *b, int size));
Here, base is the array of items to sort; it contains num
items of size bytes. The compare() function returns the
integer equivalent of a-b; sort() will sort the array in
ascending order as dictated by compare(). The swap()
function is optional; it can be provided if the caller knows a faster way
to exchange two elements in the array.
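The interface above, re-implemented for this example as a user-space heap sort (not the kernel's lib/sort.c), run over a constructed int array that includes INT_MIN and INT_MAX. One caveat worth noting when writing compare(): a function that literally returns a - b overflows (undefined behaviour, and the wrong sign) when its operands are more than INT_MAX apart, so the comparator here returns the sign by comparison instead. The function and variable names are this example's own.

```c
#include <limits.h>
#include <stddef.h>

/*
 * Heap sort with the kernel's sort() interface, constructed for this
 * example (not lib/sort.c). Heap sort works in place, needs no recursion or
 * scratch memory, and is O(n log n) even on adversarial input, which is
 * what a kernel with small stacks and untrusted data wants.
 */

/* Byte-wise swap used when the caller does not supply a faster one. */
static void generic_swap(void *a, void *b, int size)
{
    unsigned char *pa = a, *pb = b, t;
    int i;

    for (i = 0; i < size; i++) {
        t = pa[i];
        pa[i] = pb[i];
        pb[i] = t;
    }
}

/* Restore the max-heap property below 'root' within the first 'end' elements. */
static void sift_down(char *base, size_t root, size_t end, size_t size,
                      int (*compare)(const void *, const void *),
                      void (*swap)(void *, void *, int))
{
    for (;;) {
        size_t child = 2 * root + 1;

        if (child >= end)
            return;
        if (child + 1 < end &&
            compare(base + child * size, base + (child + 1) * size) < 0)
            child++;                          /* take the larger child */
        if (compare(base + root * size, base + child * size) >= 0)
            return;                           /* heap property already holds */
        swap(base + root * size, base + child * size, (int)size);
        root = child;
    }
}

void sort(void *base, size_t num, size_t size,
          int (*compare)(const void *a, const void *b),
          void (*swap)(void *a, void *b, int size))
{
    char *b = base;
    size_t i;

    if (num < 2)
        return;
    if (!swap)
        swap = generic_swap;
    /* Heapify from the last interior node down to the root. */
    for (i = num / 2; i-- > 0; )
        sift_down(b, i, num, size, compare, swap);
    /* Move the current maximum to the end of the unsorted prefix, repeat. */
    for (i = num - 1; i > 0; i--) {
        swap(b, b + i * size, (int)size);
        sift_down(b, 0, i, size, compare, swap);
    }
}

/*
 * "The integer equivalent of a - b" without the overflow: returns -1, 0 or 1.
 * A literal x - y is undefined for INT_MAX - INT_MIN and yields the wrong
 * sign on wraparound, so sorting would silently misorder such values.
 */
static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;

    return (x > y) - (x < y);
}

/* Sort a constructed array spanning the full int range; 1 if the result is ascending. */
int demo_sort_ints(void)
{
    int v[] = { 5, INT_MAX, -3, 0, INT_MIN, 5, 12 };
    size_t n = sizeof v / sizeof v[0], i;

    sort(v, n, sizeof v[0], cmp_int, NULL);
    for (i = 1; i < n; i++)
        if (v[i - 1] > v[i])
            return 0;
    return v[0] == INT_MIN && v[n - 1] == INT_MAX;
}
```

Because sort() only ever sees bytes, the same routine orders an array of structs given a compare() for the key field; the optional swap() pays off there, where a typed assignment beats copying the element byte by byte.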
Patches and updates
Kernel trees
Core kernel code
Device drivers
Filesystems and block I/O
- Phillip Lougher: SquashFS. (March 14, 2005)
Janitorial
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Following the release of Red Hat Enterprise Linux (RHEL) 4 last month, the
developers of the world's most prominent Linux distribution have been freed
of the immense responsibility that goes into producing a quality
enterprise-class operating system and were once again able to experiment
with cutting edge software releases. That's because, for the Red Hat
engineers, Fedora Core 4 is the start of a new release cycle on the road to
RHEL 5. The distribution will go through the usual testing phases and
stability checks, before several interim releases (speaking from RHEL's
point of view). Then, about a year and three releases later, Fedora Core
will likely be declared a well-tested and solid base on which to build
Red Hat's flagship product. This gives us an exciting opportunity to peek
at the innovations that will be part of our every-day computing lives in
the not too distant future. Your writer was unable to resist the temptation
and decided to check out the
hot-off-the-presses
Fedora Core 4 Test1 (FC4T1).
Fedora Core 4 Test1 couldn't possibly be any more bleeding edge. Although it
is based on a stable Linux kernel 2.6.11, it includes beta or RC releases
of GNOME 2.10, KDE 3.4 and OpenOffice.org 2.0, as well as several
experimental releases of important packages, such as LVM2, RPM and yum. On
top of it, all packages have been compiled with the yet-to-be-released GCC
4.0. Other "firsts" include Java packages for developers, the Eclipse IDE
(also a development version), and support for the PPC and PPC64
architectures. All this should give much entertainment to even the most
hardcore beta testers out there. We downloaded the DVD ISO image for the
x86_64 architecture and installed it on a computer built on top of an AMD64
3500+ processor (2.2GHz), K8N Neo2 (Socket939) MSI mainboard, and 2 GB of
DDR SDRAM.
If we still had any doubts about just how experimental this test release
was, they were quickly gone as soon as we completed the installation and
rebooted the system. First, we noticed a high number of Python-related
errors during the boot. Then, instead of the usual configuration dialog
("firstboot"), we were dropped straight into a GDM login screen (at 800x600
pixel resolution), with the only available account being the root account
created earlier. Those Python errors came to haunt us soon afterward, as
we were unable to launch many applications (including most of Red Hat's
configuration dialogs) and could not connect to Red Hat Networks to check
for updates. Evolution crashed during account configuration and
OpenOffice.org wouldn't start at all. To add insult to injury, opening
Firefox greeted us with: "There ought to be release notes for Fedora Core
3.90 here, but there aren't. In the meantime, we bring you this ASCII art
hat."
To sum it up, the x86_64 edition of Fedora Core 4 Test1 is broken. It is not
completely unusable, because the GNOME desktop came up nicely and Nautilus
also worked (and, as one of the testers on the Fedora Test mailing list
remarked, "the console was very fast"). But surely, there is more to
personal computing than file management! In a desperate attempt to improve
the experience and to find something positive to write about, we tried a
few things, such as "yum update" (which failed too, reporting several unmet
dependencies), and visited the mailing list to see whether other testers
had fared better. But apart from further bug reports about grub-install,
which insists on installing GRUB into the Master Boot Record, and the usual
failed media check during installation, we were unable to find a panacea
for the half-broken operating system.
Nevertheless, some of the individual yum updates turned out to be
improvements. The Python problem was solved by 'yum update gnome-python2',
which meant that the Red Hat utilities, including Red Hat Networks, were
working again. A new version of Nautilus was also available - this one was
slightly better because we were able to complete the initial account setup,
although it still crashed shortly afterward. But no amount of package
updates was able to bring OpenOffice.org to life; it stubbornly refused
to start without giving away any clues as to the reason for its behavior.
Of course, the rawhide tree is undergoing a large amount of updates daily,
so a fix might be available by the time you read this. But it became rather
clear during our brief experimenting that, as development releases go,
FC4T1 is more like a very early alpha, with many broken or non-functional
packages and unusually sluggish desktops, both GNOME and KDE.
One group of people who are likely to be excited about the new features in
FC4 are Java developers. Included in this release are the Ant "make"
facility (version 1.6.2), GCJ GNU compiler for Java, Tomcat (5.0.30), the
Apache Struts Web Application Framework (1.1) and even the Eclipse
Integrated Development Environment (version 3.1.0) with several popular
plugins. This comes at the expense of a number of long-standing open source
applications that were "relegated" to Fedora Extras and will
no longer be part of the core system. AbiWord, Gnumeric, KOffice, Exim,
Sylpheed, Tuxracer and XEmacs are among the affected packages, so users who
need them will need to get them from the "extras" repository from now on.
Fedora Core 4 is undoubtedly the most ambitious Fedora release to date. The
developers are going through similar pains as they experienced during the
first test release of Fedora Core 2 over a year ago, which introduced
kernel 2.6 and SELinux functionality into the distribution. That release
was also barely usable and even the final product wasn't the most bug-free
distribution in the world. It took another 8 months of solid debugging
before a much improved and stable Fedora Core 3 was released. I suspect
that we will see a similar pattern here. If you are a tinkerer who takes
pleasure in navigating Bugzillas, and who routinely builds RPM packages
from CVS sources, then you will likely enjoy this release. As for the rest
of you, save your blank CDs and DVDs for FC4 Test2, or for another
distribution.
New Releases
The folks at Ubuntu have made available a preview version of the "Hoary
Hedgehog" release. There is no end of good stuff in this release; click
below for the details.
Full Story (comments: 14)
GnomeDesktop takes a look at the release of an accessibility-focused
version of the Ubuntu LiveCD.
This is the second testing/proof of concept release of an accessible
derivative of the Hoary Live CD, based on the recently released Ubuntu
preview. This CD aims to give blind/vision impaired Linux users a chance to
use the Gnopernicus screen reader, and explore the many features and
applications of the GNOME and Ubuntu desktop.
The first test release in the Fedora Core 4 development cycle is now
available for i386, x86_64, and PPC/PPC64. This release has gcc 4.0, GNOME
2.10.0 Beta 2, and more. Click below for more information.
Full Story (comments: 39)
Terra Soft Solutions has announced the release of Y-HPC for Yellow Dog
Linux v4.0.1, featuring a rebuild against the 2.6.10 kernel. "Y-HPC is
Terra Soft's 64-bit PowerPC Linux operating system and cluster
construction/management suite. In use by the Department of Energy,
Department of Defense, University labs, and corporations nation-wide, Y-HPC
offers a full 64-bit code development foundation and an advanced, rapid
cluster construction and management suite."
Full Story (comments: none)
Novell, Inc. has announced that Novell(R) Open Enterprise Server is now
available to customers worldwide. Open Enterprise Server combines
NetWare(R) and SUSE(R) LINUX Enterprise Server.
Distribution News
A codename has been chosen for Ubuntu 5.10, the Breezy Badger. Work will
begin on the Breezy Badger in April, once the Hoary Hedgehog reaches a
final, stable release. A stable Breezy Badger is expected in October 2005.
Also found in this announcement (click below) is the Breezy Badger Mascot
Competition. "The Breezy Badger is an extremely rare South American
breed, not a friend of colder climates. ;-) Obviously, submissions should
depict a badger!" The competition closes on April 25, 2005.
Full Story (comments: none)
SUSE has sent out a press release announcing the April availability of
SUSE Linux Professional 9.3. "SUSE LINUX Professional includes a stable
and reliable Linux operating system plus a complete set of desktop
applications -- office suite, Web browser, e-mail and instant messaging
clients, multimedia viewers, photo organizers, and other popular open
source applications. It also features the latest tools for setting up a
secure home network, running a Web server, developing applications and
more. SUSE LINUX 9.3 also provides a sneak peek into upcoming server-based
Linux, including the XEN virtualization environment and intuitive search
engines."
The Debian Project release team has proposed that most architectures (all
but i386, amd64, PowerPC, and ia-64) be dropped from the main distribution
after the sarge release. "The release team and the ftpmasters are mutually
agreed that it is not sustainable to continue making coordinated releases
for as many architectures as sarge currently contains, let alone for as
many new proposed architectures as are waiting in the wings." Debian ports
to the dropped architectures would remain (via a new "second class
citizen" mechanism) as long as people continue to maintain them, but they
would not be part of the core Debian distribution. Click below for the
full announcement.
Full Story (comments: 21)
Finding a time to get all six candidates for Debian Project Leader together
for a debate was not an easy task. Now a date and time has been set. The
2005 DPL IRC Debate will be held on Wednesday March 16, at 06:00 UTC.
Click below for details.
Full Story (comments: none)
Bits from the CD team (2005-03-16): "We're increasing the amount of space
available for CD and DVD ISO images on cdimage.debian.org so we can host
full images for both woody and sarge for a period after the release. A
newly donated RAID array is on the way from HP (thanks!) to accommodate
this. This should hopefully be in place and serving images within the next
week."
Bits from the Testing Security team. Contents of this message:
- What the Testing Security Team has been up to
- How can I leverage my powerful brain to aid you?
- Let the games begin!
- This is fun, how else can I help?
More bits from SPI: covers a SPI board
meeting held March 15, 2005. Topics include date and time of the next
meeting, tax filing, accounting update, purcel, old resolutions, and more.
LinuxQuestions.org has added a forum for Ubuntu Linux. "'We are very
excited to have an Ubuntu section at LinuxQuestions, it will be a great
additional resource for current and new Ubuntu users', said Ryan Troy,
Admin of ubuntuforums.org."
Full Story (comments: none)
New Distributions
Xline is a European distribution of
Linux, an advanced operating system based on the GNU/Linux core with many
additional packages. It is compatible with the architectures x86
(including Pentium and Athlon), amd64 (including Opteron, Athlon 64 and
EM64T), Alpha/AXP, IA-64, PC-98, UltraSPARC and PowerPC. Development is
open to everyone; developers, testers, translators, etc. GNOME is the
default desktop, at least in the initial development of Xline.
Full Story (comments: none)
Foresight Desktop Linux is a distribution which showcases some of the
latest and greatest from GNOME, including things that may not be mature
enough for some of the other distros. It's got Mono, beagle, f-spot, howl,
the latest hal, Conary for package management, and more. (Found on
GnomeDesktop)
Distribution Newsletters
The Debian Weekly News for March 15, 2005 is available. This issue covers an upload of the first version of the dbconfig-common package which implements a general database maintenance interface, the DebConf 5 Call for Papers is closed, the Debian logo license, automatic integration of USB storage, a license for documentation, key management on a USB stick, proper etiquette for election discussions, Sarge release status, post-Sarge release plans, and more.
Full Story (comments: none)
The Gentoo Weekly Newsletter for the week of March 14, 2005 is out, with a look at the launch of Planet Gentoo, the Gentoo UK Conference, and several other topics.
Full Story (comments: none)
The DistroWatch Weekly for March 14, 2005 is out. "It is 'CeBIT' time
again, which means lots of interesting news and announcements. It seems
that the CeBIT edition of KNOPPIX 3.8 is a runaway success and there is a
lot to look forward to next month when SUSE LINUX 9.3 starts shipping.
Plenty of excitement on the desktop front too, with the brand new GNOME
2.10 freshly out of the oven and KDE 3.4 following shortly. Also, don't
miss our much improved distribution search engine with several new
features added within the last few days! Enjoy!"
Minor distribution updates
Dyne:bolic GNU/Linux version 1.4.1 has been released. This release
implements important stability fixes, concluding the development of the
1.x series of dyne:bolic.
Full Story (comments: none)
Lineox has released Lineox Enterprise Linux 4.0 for x86_64. Lineox has
also released two Always Current x86_64 versions of Lineox Enterprise Linux
4.0 to synchronize it with the x86 version.
Full Story (comments: none)
Linspire has announced the availability of the latest version of its
distribution which, perhaps in honor of bad 1970's TV, is called "Linspire
Five-0". "Highlights include a completely revised and streamlined graphical
interface, improved laptop and hardware support, significant Internet
optimization, and dozens of enhanced software applications to provide a
complete user experience." Book it, Danno!
White Box Enterprise Linux 3.0 Respin 2 is now available. This release
is purely a maintenance release to pick up the accumulated errata since
Respin 1 in June '04. "It includes all errata issued from upstream through
the end of Feb 05, with the exception of the kernel. The kernel is the
older one issued with Red Hat, Inc.'s Update 4 so that binary driver discs
made available by 3rd party hardware vendors should be compatible with
this rebuild release."
Full Story (comments: none)
The YES Linux Release Team has announced the immediate availability of YES
Linux 2.2 Build 1. This is the second build of YES Linux 2.2, with lots of
updated packages, and a few new ones. This release features updates to
bind-utils, php, openssh, sudo, and mod_security (IDS).
Full Story (comments: none)
Package updates
Updates for Fedora Core 3: hwbrowser-0.20-0.fc3.1 (fix deprecation
warnings), bind-9.2.5-1 (upgrade to ISC BIND 9.2.5 final),
openoffice.org-1.1.3-9.5.0.fc3 (bug fixes), NetworkManager-0.3.4-1.1.0.fc3
(many bug fixes), at-3.1.8-68_FC3 (bug fixes), koffice-1.3.5-0.FC3.2 (bug
fixes), qt-3.3.4-0.fc3.0 (upgrade to v3.3.4), ImageMagick-6.0.7.1-5.fc3
(bug fixes), system-config-samba-1.2.28-0.fc3.1 (bug fixes),
kdenetwork-3.3.1-3 (CVS backport with bug fixes), udev-039-10.FC3.7 (some
start_udev fixes).
Updates for Fedora Core 2: openoffice.org-1.1.3-9.4.0.fc2 (updates and bug
fixes).
A bug in the lvm2 packages (in Mandrakelinux v10.1) caused it to recurse
symlinked directories indefinitely which caused lvm commands to be really
slow or timeout. A patch has been applied to correct this problem.
Full Story (comments: none)
Newsletters and articles of interest
KDE.News takes a look at a new KDE-centric live CD that comes with a fully
functional amaroK music player. "The KDE-centric PCLinuxOS LiveCD distro
was used as a base to create this really cool Live CD. amaroK Live is not
so much a Live CD distro as it is a demonstration of a really cool music
player. It is a stripped down Live CD (only 289MB including the music)
with a fully functional amaroK music player bundled with the tracks
commissioned last year by Wired Magazine, which are distributed under the
Creative Commons Sampling Licenses. It includes - among other major
artists - tracks by the Beastie Boys and David Byrne."
NewsForge turns old hardware into a firewall using floppyfw and Coyote
Linux. Floppyfw takes a minimalist approach that requires you to understand
iptables in order to customize it. Its lack of remote administration could
be seen as an advantage for both resource-constrained and
security-conscious users. Running SSH or a Web server takes up memory and
processor resources that could be used to support more users. It is also
one less source of potential vulnerabilities. Those familiar with Linux and
command-line administration will feel right at home with floppyfw.
Coyote Linux shines when it comes to ease of use. The disk creation program
is easy to install on both Linux and Windows. The Web-based administration
interface makes changing firewall settings a breeze. Add-on packages are
also easy to install; in most cases, you just copy the file to the diskette
and reboot. If you do not have much Linux experience, or if you just prefer
graphical administration, Coyote Linux makes more sense for you.
Netcraft reports that Fedora is the fastest growing Linux distribution in
the web server survey. "Based on distribution names contained in the
server banner, Fedora has outpaced all its rivals over the last six
months, growing fastest both in absolute numbers and in relative terms."
Distribution reviews
eWeek reviews Red Hat Enterprise Linux 4. "Red Hat's enterprise-targeted
Linux distribution delivers an open-source platform that's up-to-date,
well-tested and ready to serve a diverse set of IT services. Version 4
marks the debut of the Linux 2.6 kernel in RHEL, allowing the operating
system to scale much better than previous versions on multiprocessor
systems. Sporting the latest productivity applications for Linux, RHEL
fits well on corporate desktops as well."
NewsForge has a mini review of Linspire. "Built on a Debian Linux core,
Linspire is designed for simplicity of use, and it delivers this in
spades. Linspire eliminates the need for me to be technically proficient
in the nuances of Linux to successfully operate and enjoy the OS. This
includes loading software, staying updated, and never seeing a
command-line interface. It makes it very easy to just get on with what I
have to do and not worry about the technicalities of using a Linux-based
system."
Page editor: Rebecca Sobol
Development
SSL-Explorer is a cross-platform open-source SSL-based (Secure Sockets
Layer) VPN (Virtual Private Network) solution that has been released by
3SP. SSL-Explorer is mainly aimed at organizations that are running a
Windows environment, although some Linux-specific support is also
included.
The product description states:
SSL-Explorer is the world's first open-source SSL VPN solution of its kind. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.
SSL-based VPNs have become a hot topic in recent years. The benefits to productivity and the low maintenance overhead that comes with browser-based VPN solutions are something that cannot be overlooked by most businesses, though implementation costs can often be prohibitive.
The 3SP
Product Vision document clarifies the company's stance on making
money:
Like all corporate open source ventures, driving forward the development of SSL-Explorer there is a full-time development team assigned to the production and delivery of the features outlined in these pages. Of course, we require capital to invest into the continued development of SSL-Explorer.
In order for us to continue to provide cutting edge solutions to the open source community, a range of enterprise features will be marketed that will extend further upon the foundation provided by the GPL product. The GPL SSL-Explorer product is aimed at smaller businesses and the more tech-savvy personal users, while the enterprise modules will cater for larger companies that will require dedicated support, full endpoint security and other advanced features.
Features of SSL-Explorer include:
- 128-bit SSL encryption of connections.
- Microsoft Active Directory Authentication support.
- Client-less Filesystem Access for browsing filesystems remotely.
- Support for access to Extranet and Intranet resources.
- Java Application Deployment for sending out applications.
- Support for remote Systems Management.
- An unlimited number of simultaneous users.
- A web-based Microsoft filesystem browser.
- Web forwarding support for accessing internal information.
- Active Directory account database integration.
- Support for multiple access profiles.
- Access is via a zero-footprint VPN client.
- Works with any SSL-enabled browser.
- Provides transparent access to all web-based applications.
- Officially supports Microsoft Windows XP/2000/2003 and Red Hat Linux 8.0 operating systems.
The SSL-Explorer SourceForge page lists some additional project details.
SSL-Explorer is written in Java; it runs under Linux, BSD and other POSIX
systems, and numerous varieties of Windows. SSL-Explorer has been released
under the GNU General Public License (GPL).
Version 0.18 of SSL-Explorer
was announced this week.
"This release includes many new features, most importantly the support for role based access control and the proxying of Outlook Web Access over the VPN. Several new improvements have also been made to the secure application deployment feature. The 0.1.8 release also contains a number of important security enhancements, general bugfixes and performance enhancements."
The project roadmap shows where the design of the system is headed; a long
list of new features is planned. Those of you who work in cross-platform
environments should find SSL-Explorer to be a tool that is worth
examining; the software is available for download here.
System Applications
Clusters and Grids
Jeff Mausolf reviews Condor on IBM developerWorks. "Condor is an open
source tool that can manage a cluster of dedicated compute nodes and
effectively harness otherwise wasted cycles from idle desktop
workstations. This article will provide a high-level overview of Condor
and introduce some of its unique features."
Database Software
Stable version 4.0.24 of the MySQL database has been released. "This is a
bugfix release for the recent production version. It also includes fixes
for recently reported potential security vulnerabilities in the creation
of temporary table file names and the handling of User Defined Functions
(UDFs)."
Version 4.1.10a of the MySQL database has been released. "This MySQL
4.1.10a release just includes the additional patches for recently reported
potential security vulnerabilities in the creation of temporary table file
names and the handling of User Defined Functions (UDFs)."
The March 13, 2005 edition of the PostgreSQL Weekly News
is online with the week's PostgreSQL database information.
Teodor Zlatanov embeds Perl in a database table on IBM developerWorks. "In
this installment, Ted looks at Perl and databases. Specifically, he works
with the Class::DBI CPAN module and MySQL to introduce you to embedding
Perl in database tables."
Interoperability
Release Candidate 1 for Samba 3.0.12 is out. "This is a release candidate
of the Samba 3.0.12 code base and is provided for testing only. While
close to the final stable release, this snapshot is *not* intended for
production servers. If all goes well, this version (or something very
similar) will become the final 3.0.12 stable release."
Web Site Development
Version 2.0a5 of
Quixote, a Python-based web development platform, is out. See the
Changes document for details.
Miscellaneous
Bryan Clark works with Xen on IBM developerWorks. "Xen is a
paravirtualization technology available for the Linux kernel that lets you
enclose and test new upgrades as if running them in the existing
environment but without the worries of disturbing the original system.
This article shows you how to install a Xen system that will give
administrators a valuable sandbox for testing system upgrades (as well as
a playground for running multiple virtual machines on the same Linux box).
Take a look at virtualization on Linux and see the benefits that come from
using Xen in that space."
Desktop Applications
Audio Applications
Version 0.9 beta 28 of Ardour, a multi-track audio recording application,
is out. Changes include numerous bug fixes and more.
Version 2.4.0 of Ecasound, a multi-track audio processing application,
has been released. The changes include: "An annoying bug with handling
filenames with whitespace has been fixed. Integration with libsamplerate
and other resamplers has received a lot of attention and many bugs have
been fixed. Error reporting has been improved when loading invalid
chainsetups. A new sum-mixdown mode has been added to the engine. Some
minor cosmetic changes have been made to the output produced by the
console ecasound interface. A log message history mechanism has been added
to the engine to help ECI app and script development."
Business Applications
Version 1.5.0 of OpenWFE, an open source Java workflow engine, is out.
"OpenWFE 1.5.0 is a major step in this open source workflow engine
development: the workflow instantiation mechanism has been completely
revised, making the OpenWFE process definition language even more
expressive and powerful. Along with this change, functions in the process
definition language have been heavily enhanced."
Calendar Software
The first independent release of SchoolBell, a calendaring server for
groups and organizations, has been announced. "For this release, we have
managed to move most, but not all, of SchoolBell functionality to the
Zope3 framework. It is now a Zope 3 component that can be instantiated
via the ZMI, a stand alone calendaring server and a bunch of useful
libraries for anyone interested in developing calendars in Zope 3."
Desktop Environments
KDE 3.4 has been released. There's a lot of new stuff in this release;
highlights include much improved accessibility (especially built-in
text-to-speech capability), DBUS/HAL support, a new RSS aggregator, KHTML
improvements, and much more; the release announcement has the details.
The March edition of
The GNOME
Journal is out. This month's articles look at the 2.10 release,
art.gnome.org, CD burning, Evolution 2.2, and Ubuntu Hoary package
management.
The following new GNOME software has been announced this week:
The March 11, 2005 edition of the KDE CVS-Digest is online with the
following content summary: "Kttsd adds support for Kiswahili, Zulu, and
Ibibio Festival languages. Digikam adds undo/redo operation for the image
editor. KCharts now can flip row and column data. Kexi scripting can now
pass signals, slots and Q_PROPERTY's between C++ and scripting languages.
Kalzium (periodic table) adds family view."
The following new KDE software has been announced this week:
Electronics
Version 0.2.1 of QOscC, a software oscilloscope application with spectrum
analysis capabilities, is out. Changes include support for Serial
Multimeters, datafile export, and improved documentation.
Version 3.3.11 of XCircuit, an electronic schematic drawing package, has
been released. Changes include a fix for a bug that can cause a crash.
Financial Applications
Version 2.4.10 of SQL-Ledger, a web-based accounting system, is available.
Changes include inventory movement in the transaction report, a new UTF-8
option to bypass text formatting, and more.
Interoperability
Release 20050310 of Wine has been announced. Changes include an initial
implementation of a true Richedit control, a shell extension for browsing
Unix directories, MSI work, PBuffer support in OpenGL, and bug fixes.
Mail Clients
Release Candidate build 1.0.1 of Mozilla Thunderbird has been announced.
"Like last month's Mozilla Firefox 1.0.1, this new version will just fix a
few security and stability bugs; it's not a major update."
Office Applications
Version 1.4.3 of Gnumeric, a spreadsheet application, is available. "This
is a bug fix release for 1.4.x with various minor patches. The main point
of interest is that Ivan Wong has fixed Gtk+'s large window handling on
Win32 and the 1.4.3 package for that platform is now considered ready for
general usage. There are still missing pieces (printing and registry
connections) but the core application can display smoothly now."
Office Suites
Build 1.9.79.2 of the OpenOffice.org office suite is available
with numerous bug fixes, documentation work, and a NovellTeam easter egg.
Web Browsers
MozillaZine covers an ongoing debate over the Mozilla Application Suite.
"The Mozilla Foundation is expected to make a formal announcement on the
future of the Mozilla Application Suite soon. Debate about the future of
the suite, often known as Mozilla 1.x or by its SeaMonkey codename, has
raged over the last few days following Saturday's publication of the
minutes of the mozilla.org staff meeting held on Monday 28th February
2005. In reference to Mozilla 1.8 final, the minutes state that it was "To
be discussed tomorrow [Tuesday 1st March] whether we do one". This led to
dozens of replies about the fate of the suite from a wide variety of
contributors and onlookers."
MozillaZine has the news: there will be no Mozilla 1.8 release. The plan,
instead, calls for a shift to the standalone Firefox and Thunderbird
clients. "However, the Mozilla Foundation will offer infrastructure
support to a community effort to continue development of the Mozilla
Application Suite, probably under a different name." See the article for
various links to more information.
MozillaZine has announced the availability of the minutes from the March
7, 2005 mozilla.org staff meeting. "Issues discussed include Mozilla
Firefox 1.0.1 rollout, Mozilla Thunderbird 1.0.1, Mozilla 1.7.6, Mozilla
1.8b2, Mozilla Firefox 1.1, Mozilla Thunderbird 1.1 and update.mozilla.org
load."
Version 0.1b of Mozilla for GroupWise has been announced. "MozNGW, as it's
known, is a cross-platform client for the Novell GroupWise corporate
communication and collaboration solution. MozNGW installs as a Mozilla
Firefox extension and completely replaces the standard GroupWise client.
The software is compatible with GroupWise 6.02 and above, though it will
"probably" work with version 5.5 Enhancement Pack."
MozillaZine reports on the first meeting of the new community-driven
SeaMonkey project. "Chaired by Alex "WeirdAl" Vincent, the hour-long
meeting took place in #seamonkey on irc.mozilla.org and focussed on
various project management issues, with several volunteers appointed to
leadership roles."
Languages and Tools
Caml
The March 8-15, 2005 edition of the Caml Weekly News
is out. Take a look for the latest Caml Language information.
Groovy
Andrew Glover explores Groovy frameworks on IBM developerWorks. "The
Groovlet and GroovyServer Pages (GSP) frameworks are built on the
shoulders of the Java Servlet API. Unlike Struts and JSF, however,
Groovy's server-side implementation isn't meant for all occasions. Rather,
it's a simplified alternative for developing server-side applications
quickly and easily. Follow along with Groovy advocate Andrew Glover as he
introduces these frameworks and demonstrates their use."
Java
Bill Siggelkow explores chains under Jakarta Struts in part two of an
O'Reilly series. "In part one of this two-part series, Bill Siggelkow
showed Java programmers how certain design patterns help Commons Chain to
define and execute sequential sets of steps. In part two, Bill shows how
Struts uses Chain to add custom behavior to request processing."
Perl
The Feb. 23 - March 7, 2005 edition of
This Fortnight in Perl 6 is online with the latest Perl 6 development
news.
Python
Release Candidate 1 of Python 2.4.1 has been announced. "According to the
release notes, several dozen bugs have been fixed, including a fix for the
SimpleXMLRPCServer security issue (PSF-2005-001)."
Ruby
The March 13, 2005 edition of the
Ruby Weekly News is available with the latest news and discussion
from the ruby-talk mailing list.
Tcl/Tk
The March 15, 2005 edition of Dr. Dobb's Tcl-URL!
is online with the week's Tcl/Tk articles and resources.
XML
Uche Ogbuji discusses semantic transparency and XML on IBM developerWorks.
"The running theme of the column has been semantic transparency: the
ability to correctly interpret the contents of XML documents. Semantic
transparency might be the most important aspect of XML modeling. This is
first in a series of articles that review the many different approaches to
semantic transparency and discuss what they mean to developers using XML."
J. David Eisenberg compares XSLT and XQuery on O'Reilly. "XSLT has been
the main XML technology for transformations for some time now, but it's
not the only player in the game. Although XQuery is designed for
retrieving and interpreting information, it is also, according to the
specification, flexible enough to query a broad spectrum of XML
information sources, including both databases and documents."
Micah Dubinko writes about Unicode and XML on O'Reilly. "Yet, one topic is
sacrosanct: that one of the smartest and best design decisions underlying
XML was to define it on the foundation of characters, specifically the
Universal Character Set and Unicode. As such, a working knowledge of
Unicode is not optional. Practitioners of XML need to be, at a minimum,
conversant in the basics of Unicode as described in the first few sections
of Mike J. Brown's excellent write-up."
Editors
Version 0.90 of Nvu, an HTML editor, has been announced. "This latest
version of the standalone Linspire-backed Mozilla-based Web page editor
includes an improved Link dialogue, a new default theme and printing
fixes. There's also performance improvements (switching between the HTML
Source view and Normal Edit Mode should now be much faster), better
support for PHP code and HTML comments and several minor bug fixes."
IDEs
Version 0.5.2 of FLDev has been announced. "FLDev is an IDE designed for
older systems and small C/C++ Applications and is based on the Editor
described in the FLTK Manual."
Miscellaneous
Version 1.15.1 of GNU Tar has been announced. "This version fixes an
important flaw introduced with the previous version. The bug caused tar to
refuse unpacking archives piped from standard input." (Thanks to Dan
Stromberg.)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The Guardian reports on the software patent fight. "But this time, things
may be different. The European Commission has gone out of its way to
thwart the European parliament, disregarding the wishes of various elected
bodies by its insistence that bureaucracy trumps democracy, and that fiats
beat votes. A time was bound to come when there would be a power struggle
over who really runs Europe: the commission or parliament. Maybe an
apparently obscure battle over software patents will not only go down in
computing history, but also be counted as a decisive moment in shaping the
21st century's political landscape, too."
The New Zealand Herald looks at software patents. "Patent 525484, accepted
by the [New Zealand Intellectual Property] office and now open for
objections until the end of May, says Microsoft invented and owns the
process whereby a word-processing document stored in a single XML file may
be manipulated by applications that understand XML."
Trade Shows and Conferences
NewsForge covers some business aspects of open-source software at the
InnoTech conference. "PORTLAND, Ore. -- Far away from the usual open
source software industry focus on code, freedom, and evangelism, the
InnoTech conference and expo held here this week centered on the business
of open source for business' sake. Sure there was talk about the
advantages of Linux and open source technology, the ability to impact
operating system-level functionality, and fighting unwarranted fears of a
different model, but the heart of the conference was the beat of business
-- cutting costs, driving value, and saving time and grief."
Chris Adamson covers the recent JBoss World 2005 conference on O'Reilly.
""Welcome to a new world." This was the theme of the JBoss World 2005
conference, held from March 1-2 at the CNN Center in Atlanta. This new
world centers around "professional open source:" open source software
backed up by paid support and consulting. In other words, the company
provides the "professional," and the software delivers on the "open
source" promise."
The SCO Problem
News.com reports that the Canopy wars have been resolved. "Under the terms
of the settlement, [Ralph] Yarro will receive all of Canopy's SCO shares,
SCO said. In addition, Canopy paid Yarro, Mott and another former Canopy
employee, Brent Christensen, an undisclosed amount of money. Yarro, Mott
and Christensen have resigned from all roles at Canopy or companies Canopy
invested in." In other words, the Canopy Group, under its new management,
has shoved SCO out the door and left Mr. Yarro to deal with his own mess.
A new SCO case summary page has been announced on Groklaw. "I have just
quickly put together a permanent page called Summary in the list of links
on the left of the page, summarizing the SCO v. IBM litigation to date."
Interviews
Techworld has a strange interview with Nelson Pratt, the "marketing
director" for OSDL. "We see Linux going further into the enterprise but
one of the big inhibitors is licensing. We know from talking open source
customers that licensing on a large scale is too labour-intensive. The
typical open source licensing granting process was set up with the view of
protecting developer/hacker."
KDE.News interviews Josef Spillner about KDE's Get Hot New Stuff
framework. "The GHNS concept describes a way to let users share their
digital creations. For example, user A is using a spreadsheet application
and modifies a template which comes with it. This template can then be
uploaded to a server, and eventually be downloaded by user B by checking
the contents of the "Get Hot New Stuff" download dialogue. In the context
of companies, documents can be distributed to all employees, and in the
context of the internet, a community sharing framework is built on top of
all this."
Nuxeo Blogs features an interview with Philipp von Weitershausen, author
of the book Web Component Development with Zope 3. "Zope X3.0 is out
there. It's stable, it's used in production, it can be used by you today!
Don't be scared by the X. It originally suggested something like
eXperimental which in no way means that X3.0 is experimental software.
Thanks to heavy automatic testing, X3.0 is from a quality assurance point
of view probably better tested than Zope 2 ever will be. Nowadays, you can
see the X as a reminder that Zope X3.0 is not just a new version of Zope
2, but actually a completely redesigned product that was rewritten from
scratch."
Resources
Troubleshooters.com takes a look at Grub. "Grub is a world-class boot
loader with insufficient documentation. In many ways it blows the doors
of LILO. For instance, it's MUCH easier to use Knoppix to rebuild a grub
boot loader than to rebuild a LILO boot loader. However, until you're
comfortable with grub, it might seem just the opposite. All too often grub
dumps you at a grub> prompt with no hint of what you should do. You might
have heard that a successful reboot is just three commands away, but which
commands? The state of grub's documentation is such that you can't figure
it out unless you already know grub."
Linux Journal covers the use of fields for editing and content management
in OpenOffice.org. "Many of the fields on the Functions tab can take time
to set up. For a document that is printed once, they probably are not
worth bothering about. It is when you are building templates that many of
these fields come into their own. With a bit of planning, you can have
your templates serve multiple purposes, making them even more useful than
they already are."
Reviews
NewsForge reviews amaroK 1.2. "The keystone of any audio player is the
database it keeps of your collection. AmaroK allows you to create file
trees using artist, album, year, or genre in any order. So to find, say,
all the albums that were released in a particular year, sort by year first
and then by album, and a file tree opens that lists all the years in the
first level, and all the albums in the second. There's also a simple
search filter to find something particular. I have four different
versions of The Left Banke's "Walk Away Renee," and I can quickly find
them all by typing that song title in the search box. The ability to
structure the file tree in a number of different ways and to search it
easily is amaroK's single most important usability feature."
The Register looks at the Asterisk phone system. "However, cost isn't the
only reason why a company might wish to switch to Asterisk, [creator Mark
Spencer] says. It's an open source system, so anyone has access to the
code and can do what they want with it. 'If you bought a PBX from a major
vendor, and you wanted the features to behave differently, you don't have
the ability to make that change,' says Spencer."
NewsForge looks at JPGraph. "JPGraph is a set of programs written in PHP
that plots data into a wide range of graphs and formats the results.
Licensed under the Trolltech QPL License, JPGraph is now at Version 1.17.
Whatever your data, JPGraph can help you to view it graphically, letting
you see relations more clearly."
Dave Phillips reviews KeyKit on Linux Journal. "KeyKit is a powerful MIDI
composition and processing environment that includes an abundance of
features and tools designed for conventional MIDI music-making--for
example, MIDI sequencers and virtual drum machines--as well as for
unconventional MIDI music-making. Indeed, for the Linux musician who wants
to explore some exotic and unusual ways of composing with MIDI, KeyKit is
required software."
Linux Devices covers a camera from Sony Ericsson that can be controlled
via Bluetooth. "The ROB-1 is powered by a 200MHz Freescale Dragonball
processor with an ARM9 core. It has a user memory size of 2MB, according
to Sony-Ericsson, and runs a Linux operating system. According to
Sony-Ericsson, the ROB-1 is compatible with "any phone that has a Java
platform with Bluetooth API JSR-82," including most Sony-Ericsson
Bluetooth phones. Such phones can maneuver the ROB-1 using a joystick
interface."
NewsForge reviews SmoothWall Express 2.0. "In these days of always-on
Internet connections, a firewall that protects your network from
unauthorized access is indispensable. Though most home routers have some
sort of basic firewall capabilities, their rules for incoming and outgoing
traffic are often basic and arbitrary. An alternative is to run a
Linux-based firewall on old hardware, but configuring this sort of setup
is generally not easy. An exception is SmoothWall, a free application you
can install on any old machine to convert it to a dedicated hardware
firewall. SmoothWall has a friendly interface and more configuration
options than standard hardware firewalls."
Linux Journal begins a new series focusing on the best desktop candidates
with a look at Xandros Business Edition. "You also may consider the
Xandros desktop to be suitable for use by people wanting a modern and
trouble-free Linux system. Xandros uses KDE as its windowing environment
instead of GNOME. Fortunately, applications such as Evolution and the
GNOME infrastructure are available as updates to the system, as are
traditional GTK applications, such as FireFox and The GIMP."
Miscellaneous
Danny O'Brien's March "To Evil!" column is up on OSDir. "Old school packet
driver hacker Russ Nelson replaced Eric S. Raymond as
President-In-Charge-Of-Controversialism at the Open Source Initiative on
February 1st. The presidency of the OSI is one of the highest positions
one can hold in the open source world. Unfortunately, that doesn't count
for much. I think it means you're allowed to refer to everyone else as
'your tribe', and have editorials run on Newsforge whenever you want.
Twenty-two days later, Nelson resigned, it seems as a result of public
pressure over a blog posting he made on February 7th, titled 'Blacks Are
Lazy'."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The FFII has posted a set of hard questions for the European Council on
the March 7 software patent vote. "Q13: (a) If the Presidency alone cannot
deny a B item request, how did a majority of the Council vote against
removing the item from the agenda? (b) Article 8(1)(b) states that the
outcome of voting must be 'indicated by visual means', but no such
indication was seen on the public video. Did we miss it, or was no vote
called?" It will be interesting to see if they get any answers.
GnomeDesktop.org is looking for new project talent. "With the release of
Gnome 2.10, now is a perfect time to get involved with Gnome. You can meet
new friends, learn new skills, and make Gnome rock even harder. There are
many ways to get involved including several tasks that do not require
coding skills. For aspiring coders, though, a new report has been created
to list bugs in bugzilla that have been marked as tasks appropriate for
new developers."
The gpl-violations.org project is handing out an open warning letter to
thirteen vendors of commercial software and appliance products present at
CeBIT who are alleged to be misusing GPL licensed software. ""While the
Free and Open Source community is very happy to see more and more vendors
adopt Linux and other GPL-licensed software, it is of great importance
that those vendors comply with the respective license conditions, just
like with any other software" states Mr. [Harald] Welte. "The warning
notice gives them a chance to fix their products, before someone might get
them into legal troubles", he continues."
Commercial announcements
A number of new database applications for PostgreSQL have been announced.
"We are pleased to announce new versions of EMS PostgreSQL Data Pump, DB
Comparer and Extract. You can download the newest versions from our
web-site: http://www.sqlmanager.net/. Today all of these utilities support
PostgreSQL 8. They became more stable and good-looking."
Fortress Systems Ltd. has launched an open-source email gateway package.
"Earlier this month, Fortress Systems Ltd. (www.fsl.com) released
SMGateway, an open source e-mail/security application. SMGateway has all
of the functionality provided by MailScanner and SpamAssassin plus
extensions and enhancements to provide a simple web based interface for
users and administrators."
The publication Free Software Magazine is now available at the
reduced price of $4.95 per month.
IBM has announced the release of their 2005 Software Evaluation Kit. "This
is the easiest way to get all of the fresh releases of IBM middleware for
Linux."
Infrae and Nuxeo are partnering to work on application technologies for
the Zope 3 web content management system. "Through this cooperation, with
our expertise in content management, internet communication, semantic web,
user interfaces, content repositories, and XML technologies, we intend to
advance the state of the art for our software and our customers, as well
as the broader development community."
Another of Novell's CeBIT announcements is the introduction of Novell ZENworks 7 Linux Management, an integrated management system for centralized control of Linux desktops and servers. The management capabilities of ZENworks 7 Linux Management are integrated with Novell Linux Desktop and SUSE LINUX Enterprise Server 9 (part of Novell Open Enterprise Server).
Novell and IBM have announced an initiative to help ISVs accelerate the
development and certification of new applications for Novell's SUSE LINUX
on IBM eServer and middleware platforms.
Red Hat, Inc. has announced that it will be holding its Fourth Quarter and FY2005 Earnings Conference Call on March 31, 2005.
SugarCRM Inc. has announced the new SugarForge.org site. "SugarCRM Inc. is proud to announce the establishment of SugarForge.org, the premiere destination for community collaboration on Sugar Suite extensions, modules, language packs and themes."
Version 2.0.2 of Wing IDE, a commercial interactive development environment for Python, is available. "This release adds easier-to-use Zope/Plone integration, extension of the IDE with Python scripts, CVS integration, code templates / snippets, expanded text encoding support, speed optimizations, and more than 70 other improvements."
New Books
JotSpot ("the first application wiki company") has announced that it will be hosting a collaborative project to update Lawrence Lessig's classic Code and Other Laws of Cyberspace. The book has been posted on a wiki-like system, and updates are being solicited from the community; the result will be published as a printed edition later this year.
MozillaZine has an announcement for a new book by Marcia Knous. "The 304 page book, titled Firefox and Thunderbird Garage, will be published by Prentice Hall PTR on Friday 15th April. As well as acting as a manual for the Firefox browser and Thunderbird mail and newsgroups client, the thirteen chapter book will also introduce the concept of open source development."
O'Reilly has published the book IPv6 Network Administration by Niall Richard Murphy and David Malone.
Resources
Version 7.0 of Adobe Acrobat Reader, a PDF file viewer, was announced in January. The software is now available in tar and rpm formats. Thanks to Jens Stavnstrup.
Contests and Awards
IBM has announced the Linux on POWER Open Source Developer Contest, starting March 15, 2005, with entries due by July 15, 2005.
Upcoming Events
Proposals may be submitted for the next
desktop developer's conference meeting in Ottawa.
The event will be held on July 17-19, 2005.
PostNewsweek Tech Media has announced the FOSE 2005 exposition. The event will be held from April 5-7 at the Washington D.C. Convention Center. "The Linux Solutions Government program at FOSE 2005 will consist of a dedicated demonstration area, the Linux Pavilion & Theater on the tradeshow floor; a robust one-day Linux Solutions Government Conference in the Linux Pavilion Theater; and as a precursor to FOSE, the Linux Solutions Government Guide in the April issue of Linux Magazine."
The sixth annual GNOME User and Developer European Conference (GUADEC) has been announced. The event will take place in Stuttgart, Germany on May 29-31, 2005. "The high-level conference has lined up a roster of industry-leading analysts, developers and thought leaders, as well as top government and business IT officials. The conference is a unique forum for highlighting the capabilities and direction of GNOME, the user environment for desktops, networked servers and portable Internet devices. GUADEC will also feature meaningful discussions of the future direction of open source projects, including the Open Office suite."
PyCon 2005 will be held in Washington DC on March 23-25, 2005. "The organizers of PyCon 2005 have announced that Greg Stein, an engineering manager at Google working with the Blogger team, will be giving a keynote presentation on Google's use of Python for internal projects."
The 2005 O'Reilly Where 2.0 Conference will be held on June 29 and 30, 2005 in San Francisco, California. "Location-aware technologies like GPS, RFID, WLAN, cellular networks and networked sensors are enabling an ever-growing array of capabilities, from local search, mapping, and business analytics to enterprise integration, commercial applications, and software infrastructure. The first O'Reilly Where 2.0 Conference has been created to explore the emerging consumer and enterprise ecosystems around location technologies--ecosystems that can radically change the way we work and play."
A Call for Papers has gone out for the UKUUG Linux 2005 event. "This summer's UKUUG Linux conference will be held in Swansea with tutorials all day Thursday 4th August and the conference all day Friday 5th and ending lunchtime on Sunday 7th." Abstracts are due by March 25.
| Date | Event | Location |
| --- | --- | --- |
| March 17, 2005 | Emerging Technology Conference (ETech) | Westin Horton Plaza, San Diego, CA |
| March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 | Hotel Borobudur, Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop | Caribe Royale All Suites Resort & Convention Center, Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 | GWU Cafritz Conference Center, Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec | Crowne Plaza Hotel, Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |
| April 1 - 3, 2005 | Twisted Sprint | Hobart, Tasmania |
| April 5 - 6, 2005 | Open Source Business Conference (OSBC) | Westin St. Francis, San Francisco, CA |
| April 5 - 7, 2005 | FOSE 2005 | Washington D.C. Convention Center, Washington, D.C. |
| April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore |
| April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA |
| April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 | Westin Hotel, Seattle, WA |
| April 15 - 17, 2005 | Debian Edu/Skolelinux workshop | Nafplion, Athens, Greece |
| April 18 - 23, 2005 | linux.conf.au 2005 | Australian National University, Canberra, Australia |
| April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 | Santa Clara Convention Center, Santa Clara, CA |
| April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 | Metro Toronto Convention Centre, Toronto, ON |
| April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia |
| April 19 - 20, 2005 | San Francisco techCongress | Rickey's Hyatt, Palo Alto, CA |
| April 20 - 23, 2005 | ACCU Conference 2005 | Randolph Hotel, Oxford, England |
| April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) | Center for Art and Media (ZKM), Karlsruhe, Germany |
| April 21 - 23, 2005 | WebTech 2005 | Sofia, Bulgaria |
| April 23 - 24, 2005 | LayerOne Technology Conference | Pasadena Hilton, Pasadena, CA |
| April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia |
| May 2 - 7, 2005 | DallasCon 2005 | Richardson Hotel, Dallas, TX |
| May 2 - 4, 2005 | Samba eXPerience 2005 | Hotel Freizeit, Göttingen, Germany |
| May 4 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C. |
| May 11 - 15, 2005 | php\|tropics 2005 | Moon Palace Resort, Cancun, Mexico |
Miscellaneous
LinuxMedNews is offering various items with their logo attached. "You can FINALLY buy cheesy Linux Medical News stuff (shirts, hats, buttons, mugs, etc.) at the Linux Medical News FOSS store!"
Page editor: Forrest Cook