LWN.net Weekly Edition for June 9, 2005

A tale of two distributions

If the net seems slow over the next week or so, it may well be due to the near-simultaneous releases from two major distributions. The long-awaited release of Debian GNU/Linux 3.1 (also known as "sarge") was announced on June 6. As it happens, Fedora Core 4 was due on the same day, but has been pushed back one week to June 13. This delay was not due to any particular technical problems; instead, it seems, the lawyers were a little slow to sign off on the code name for this release.

A comparison of a few key packages in these two distributions can be instructive:

Package       Debian 3.1         Fedora Core 4
Kernel        2.4.27, 2.6.8      2.6.11
GNOME         2.8                2.10
KDE           3.3                3.4
X             XFree86 4.3.0      Xorg 6.8.2
gcc           3.3.5              4.0
postgresql    7.4.7              8.0.2
MySQL         4.0.24/4.1.11a     4.1.11

These numbers will come as little surprise to most; it is in the nature of Debian releases to be slow in coming and mildly obsolete when they arrive, while Fedora releases run closer to the bleeding edge. The two distributions have different goals: Debian seeks to produce a highly stable distribution for its users; Fedora, instead, is a rapidly updated distribution providing current software to users and a real-world test bed for Red Hat.

The table listed above is not entirely fair; many packages in Debian sarge (including important ones, like Firefox) are at or near their current versions. Then, there is this table, which provides a different view:

Package       Debian 3.1         Fedora Core 4
xine-ui       0.99.3             --
monotone      0.18               --
gforge        3.1                --
shorewall     2.2.3              --
GNUStep       3                  --
xfce          4.0.5              --

This table could be made much longer, but the point should be clear: few distributions can offer the sheer variety of packages found in Debian. In all fairness, one should note that the Fedora Extras repository fills in some of the gaps on the Fedora side. Fedora Extras works reasonably well, but it remains a "second class citizen" repository without any commitment to future updates or security support. Debian also supports a much wider range of architectures than Fedora.

As these milestones are reached, both distributions are considering where they want to go in the future. On the Debian side, there is a general desire to improve the release process so that the next major release ("etch") comes a little more quickly. There is some planning happening for a painful gcc upgrade and a PostgreSQL transition, among other things. There is a continual low-level rumble on how Debian and derivatives (Ubuntu in particular) should work with each other. The "how many architectures should Debian support?" question still lacks a definitive answer. It also seems, however, that the Debian developers are taking a well-deserved break and deferring much of the "what now?" discussion until Debconf5, happening in mid-July. (As luck would have it, the conference has offered to fly LWN Distributions Page editor Rebecca Sobol to the event, so LWN will have coverage from Debconf5).

On the Fedora side, a deliberate effort was made to start a discussion on what should be in Fedora Core 5. A few goals were suggested: more security features and faster booting, for example. Most of the discussion, however, has centered around a suggestion to increase the length of the development cycle somewhat (to nine months or so). The current six-month cycle allows for a maximum of about two or three months before the stabilization efforts set in, and some developers are finding it difficult to get their changes in within that window. The suggestion has not been particularly well received by the powers that be within Red Hat, however.

In theory, opposition from Red Hat should matter less in the future. At the recently-concluded Red Hat Summit, the company announced that it planned to set Fedora free, and to put it under the control of an independent foundation. There have been no communications from the company on this subject outside of the conference, so details are scarce. Nothing has been said on how this foundation will be formed, funded, or governed. It remains to be seen whether Red Hat is truly willing to give up enough control to allow Fedora to pick its own directions. A truly independent Fedora, however, has the potential to combine a strong base distribution with a larger, more enthusiastic developer community; it could be a force to be reckoned with.

Debian and Fedora are two very different distributions. Debian is a huge, community-driven project with a "when it's ready" release policy. Fedora is, for now, a company-controlled, smaller distribution with scheduled releases. In many ways, however, they appear to be converging. Debian is facing the size issue (by considering which packages and architectures truly belong in the core distribution), release cycles, and, via efforts like Ubuntu, commercial appeal. Fedora, meanwhile, aims for a stronger community orientation and is debating package policies and release cycle issues of its own. Both distributions will remain part of our community for a long time - and we are richer for having both of them. But they are responding to many of the same pressures, so it would not be entirely surprising to see them look more alike in the future.

A sneak peek at Firefox and Thunderbird 1.1

June 8, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The Mozilla project recently released alpha builds of Firefox 1.1 and Thunderbird 1.1. In addition to bugfixes and performance enhancements, there are several new features in Firefox and Thunderbird that look interesting. So, what's slated for Firefox 1.1 and Thunderbird 1.1? Let's start by looking at the "Deer Park" alpha build of Firefox 1.1.

Firefox 1.1

Firefox 1.1 is the first major milestone on the way to Firefox 2.0. Firefox 1.5, planned for sometime in 2006, is the second milestone, with 2.0 being the final milestone. Overall, the 1.1 release isn't a radical change from 1.0, but there are some pleasant new features to look forward to, and a few user interface changes as well.

[deer park]

The "Preferences" dialog has been modified quite a bit, which may throw users at first, but the overall layout seems a bit more logical. Some of the finer-grained controls have gone away, which may or may not be seen as a good thing. For example, in Firefox 1.0, users can disable specific JavaScript features such as "Move or resize existing windows," "Hide the status bar," and so forth. Firefox 1.1 gives users the option to enable JavaScript and then the option to "disable common annoyances." Firefox 1.1 also adds a "Tabs" dialog dealing with all of the tab functions in Firefox. The new Preferences dialog, and the new Thunderbird dialog, are very similar in layout to the Preferences dialog of Apple's Safari browser.

There is a new tool to quickly remove information from Firefox, called "Sanitize." One can choose to clear browsing history, saved form information, download history, cache, cookies and saved passwords with a hotkey or by choosing the "Sanitize" option from the tools menu. Sanitize is configurable, so one can choose to erase download history, cache and browsing history, for example, without erasing saved passwords or cookies. Users also have the option of erasing these items each time Firefox is shut down. This is a very useful option for those who share computers with other family members, roommates and co-workers.

Firefox 1.1 also improves the handling of pages in the cache, so browsing forward and backward seems much faster than in Firefox 1.0. Granted, Firefox 1.0 isn't terribly slow, but even a few seconds improves the user experience drastically.

Users will also be able to report "broken" websites using Firefox 1.1. The release includes a "Report a Broken Web Site" wizard which provides the URL, a list of possible problems ("Browser not supported," "Can't log in," "Plugin not showing," and so forth) and a field to describe the problem in full. According to the Privacy Policy page for the feature, the Mozilla team will use this feature to work with webmasters to correct interoperability problems with Firefox. Whether the feature will actually encourage webmasters to fix the problems is another story.

The "Cookies" dialog has changed somewhat. Cookies are now organized in folders by site, and users can search to find the cookies that they're looking for rather than scrolling through the list, which can be handy if one has accumulated a long list of cookies.

Despite its alpha status, we didn't run into any serious glitches, crashes or other nastiness using Firefox 1.1. This writer plans to continue using Firefox 1.1 alpha as his primary browser, since it has proven to be stable (at least over the past three days) and offers some modest improvements over the 1.0 release.

Thunderbird

As with Firefox 1.1, there are no drastic interface changes or radical feature changes slated for Thunderbird 1.1, but there are a number of interesting improvements and new features that will make the upgrade worthwhile.

One spiffy new feature slated for 1.1, and working fine in the alpha release, is the "inline" spelling checker that underlines misspelled words (or words not yet in Thunderbird's dictionary) while you type. Thunderbird 1.0 does have spell checking, but not as you type. Thunderbird also allows the user to add a word to the dictionary, or ignore it, on the fly by right-clicking on the word.

[Thunderbird prefs]

The Preferences dialog for Thunderbird has also been reworked, and is similar to the new Preferences dialog for Firefox. Users can now get to the "about:config" interface for Thunderbird easily, by going to the "Advanced" tab and selecting "Config editor." Several of the features in 1.1 seem to be inspired by Thunderbird extensions. The RSS features and the "about:config" access are both available for Thunderbird 1.0 as extensions, for example. It will be interesting to see if the Mozilla developers manage to keep Thunderbird and Firefox free of the kitchen-sink syndrome that plagued the Mozilla suite. We're not suggesting these should only be available as extensions, but we do hope the Mozilla team will resist adding in popular functionality from extensions in order to keep Firefox and Thunderbird lean and allow users to pick and choose the extensions they desire.

Users who wish to use Thunderbird as an RSS reader will like the OPML import capability in Thunderbird 1.1. We tested Thunderbird with an OPML file exported from Bloglines with more than 130 feeds. Thunderbird handled it gracefully, and imported all the feeds with no apparent problems. There should be an "export" capability in the final 1.1 release, but it is not in the current release.

Thunderbird 1.1 will also come with features to help users avoid being scammed by phishing attacks. We didn't actually get any phishing scams to test this out with Thunderbird, but the client is supposed to display a warning message if a message looks like a phishing attack.

Again, as with Firefox's alpha, the Thunderbird alpha handled well enough that this writer will probably employ it for day-to-day use -- while making regular backups of mail, just in case.

The Firefox roadmap calls for a second alpha release in June, and a beta and final 1.1 release sometime later this year. The Thunderbird roadmap calls for a final 1.1 release in June, but that may need to be pushed back since the alpha release is only a few days old.

The CDT takes on infringement

The Center for Democracy & Technology has long been "working for democratic values in a digital age." CDT has taken on many issues, including encryption, freedom of speech, privacy, and more. So the new copyright policy paper [PDF] from CDT seemed worth a look. Unfortunately, the CDT appears to have lost track of some important goals in its desire to compromise.

The stated goal of the paper is:

... to outline a general framework for protecting copyright in a manner that is consistent with the open architecture of the Internet and with the interests of creators, consumers, and technology innovators.

Most of us, probably, can agree with the goal of "protecting copyright." The whole structure of free software licensing, after all, is based on copyright law. Without copyright, there could be no General Public License. Free software could still exist in such a world, but the rules would be different.

So how do we "protect copyright"? The CDT offers a three-pronged approach, the first of which is "punishing bad actors." The authors, it seems, are enthusiastic supporters of actions like mass lawsuits against file traders. Also big on their list is "secondary liability" for people who encourage file sharing - Grokster, for example. There is a token mention of how secondary liability should only target "bad activity" without "chilling the development of new technologies or the provision of online services," but no discussion of how the two can be separated. There is no mention of any situation where "secondary liability" has gone too far, leaving the reader with the impression that the CDT is entirely happy with the enforcement activities which have happened to this point.

Well, not entirely happy; the CDT would like to see more laws passed to get the Federal government more heavily involved in copyright enforcement. They would also like to see:

Cooperation between content owners and ISPs on a voluntary basis to find practical and appropriate ways to pass crucial information on to specific individuals while protecting their anonymity (and while steering well clear of putting ISPs in the role of tracking and policing subscribers' behavior) could be a positive step.

How this "positive step" would actually work is not discussed.

The core of the CDT paper, however, relates to the creation of "consumer-friendly" DRM schemes. Given a suitable "open market," the CDT believes that DRM can "enable" the flow of digital content we all hunger for in our souls without making life overly frustrating for us "consumers." The CDT does argue against specific mandates by government (but the group appears to favor broadcast flag regulations which provide "reasonable balance") and in favor of preserving consumer privacy. But, as a whole, DRM schemes are clearly seen as a good thing.

The final step advocated by the CDT is "public education." The paper tells us:

It is particularly important to send the message to younger consumers that infringement is unlawful and unethical. This effort cannot be pursued by industry alone...

"Younger consumers" (and older ones too) could certainly benefit from a better understanding of copyright law. It is probably true that educating these "consumers" about fair use, ever-lengthening copyright periods, the starvation of the public domain, etc. is not something that we can expect industry to accomplish on its own. But, of course, the CDT shows no particular interest in helping industry out on that score; it's mostly interested in the infringement problem.

Remember that the CDT is supposed to be an advocate for democracy, civil rights, and the consumer. But this group has, perhaps out of fear of even worse alternatives, entirely given in to the demands of the entertainment industry in the name of making content available to "consumers." The CDT has sold out entirely on this issue.

There are numerous things the CDT could have addressed, were it truly interested in the wider debate. Perhaps a little mention of the DMCA would have been nice; seeing programmers arrested in the defense of DRM schemes might just have a "chilling effect" or two. An examination of just how well the market has done in producing "consumer-friendly" DRM so far might have been in order. And it might have been nice to see at least a passing mention of the public domain, the source of many of the ideas which have been incorporated into current, eternally-copyrighted content.

But there are two larger failures here. The first is the firm distinction between "producers" and "industry" on one side, and "consumers" on the other. We are, it seems, supposed to go off, be good little consumers, and not worry our pretty little heads about how the "producers," out there somewhere, will protect their content in a "friendly" manner. When your editor was young, it was often noted that freedom of the press is great if you happen to own a press. Now that your editor is no longer so young, we all own presses. We are no longer to be called "consumers," told to enjoy the products from "industry" in some business-friendly way. We, too, are producers, and we have a stake in this game. The CDT has not yet figured that out.

One of the most dramatic ways in which we are producers can be seen in the free software community. LWN readers are not "consumers" of Linux; they are its producers. And we have produced a world where many copyright infringement issues are no longer relevant. But, to the CDT, we do not exist. Any balanced look at DRM must include this fact: free software and DRM are absolutely incompatible with each other. When "consumers" actually have control over their computers (and DRM-capable devices are computers), they need not accept externally-imposed restrictions on what those computers can do. The CDT's "consumer-friendly" DRM vision, almost by definition, cannot include free software.

Certainly, we wish to live in a world where producers can make a living from their work. We are all producers now, remember? Besides, how else will we ever get to see the final three Star Wars movies we were promised back in the 1970's? The CDT's answer to this problem, however, does not describe a world that many of us would want to live in. Some of us, evidently, have a different idea of what constitutes "democratic values."

Page editor: Jonathan Corbet

Security

Intel processors and DRM

There has been a persistent round of rumors stating that upcoming Intel processors come with an additional, unwelcome feature: hardware digital restrictions management (DRM) capabilities. According to some, this built-in DRM is the motivating force behind Apple's just-announced switch to Intel processors. If Intel is to be believed, the reality of the situation is not as bad as one might fear.

According to Donald Whiteside, an Intel VP, there is no secret DRM in Intel's chips:

The rights management technology referred to in the article was not a secret DRM from Intel, but the DTCP-IP technology publicly offered by the 5C Entity, of which Intel is a Founder. Intel believes that the DTCP-IP technology is an important element in enabling protected transport of compressed content within the home network, and we continue to promote DTCP-IP for this application which enables greater consumer flexibility & use of premium entertainment content.

The DTCP web site has some information on this technology - though one must pay significant money and sign some highly restrictive documents to get the full scoop. Essentially, DTCP is a way for devices to talk over local links - an IEEE1394 connection or home wireless network, for example - without creating fears that somebody's Valuable Intellectual Property will leak out into the world and bring an end to civilization. It's a fairly straightforward combination of encryption and remote attestation protocols.

Essentially, a DTCP-enabled device has, buried within it, a signed certificate identifying it as being approved by the powers that be. When two such devices communicate, they send challenges and check certificates to ensure that they are both approved; if the authentication step fails, no content will be exchanged. Assuming the authentication succeeds, encrypted content can be sent in one direction or the other; this content includes a set of flags specifying the rules which are to apply to the copying of that content. Anybody who makes an approved device must, of course, promise to implement those rules.

The DTCP designers have not left things to chance; each device includes within it a "revoked certificates" list. When somebody's gadget is shown to be insufficiently attentive to the restrictions applied to Valuable Intellectual Property, its certificate can be added to that list. Every device, and every piece of content as well, carries a copy of the list, and devices will update their list when a newer version comes along. So your compromised video player may well make copies for a while, until you bring in a disk with a new revocation list; after that, none of your other gadgets will talk to it any more.
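The certificate check, challenge-response and revocation-list ("SRM") update described above, modelled as an added Go example. This is not Intel's, the 5C Entity's or DTCP's real code or wire format: the authority key, the signed-byte layout, the device IDs and the SRM version numbers are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate binds a device ID to its public key under the authority's signature;
// SRM is the versioned revocation list that devices and content carry. Both are
// constructed stand-ins for the real DTCP formats.
type Certificate struct {
	ID  uint32
	Pub ed25519.PublicKey
	Sig []byte
}
type SRM struct {
	Version uint32
	Revoked []uint32
	Sig     []byte
}

// Signed bytes carry a type prefix so a certificate cannot be replayed as an SRM.
func (c Certificate) tbs() []byte { return []byte(fmt.Sprintf("cert:%d:%x", c.ID, c.Pub)) }
func (s SRM) tbs() []byte         { return []byte(fmt.Sprintf("srm:%d:%v", s.Version, s.Revoked)) }

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Authority models the licensing body that approves devices and revokes them.
type Authority struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewAuthority() *Authority { pub, priv := keypair(); return &Authority{pub, priv} }
func (a *Authority) IssueCert(id uint32, pub ed25519.PublicKey) Certificate {
	c := Certificate{ID: id, Pub: pub}
	c.Sig = ed25519.Sign(a.priv, c.tbs())
	return c
}
func (a *Authority) IssueSRM(version uint32, revoked ...uint32) SRM {
	s := SRM{Version: version, Revoked: revoked}
	s.Sig = ed25519.Sign(a.priv, s.tbs())
	return s
}

// Device holds its approved certificate, its private key and its current SRM.
type Device struct {
	Cert      Certificate
	priv      ed25519.PrivateKey
	srm       SRM
	authority ed25519.PublicKey
}
func NewDevice(a *Authority, id uint32, srm SRM) *Device {
	pub, priv := keypair()
	return &Device{Cert: a.IssueCert(id, pub), priv: priv, srm: srm, authority: a.Pub}
}

// ConsiderSRM adopts a list offered by a peer or carried on content, but only
// if it is authority-signed and newer than the one the device already holds.
func (d *Device) ConsiderSRM(s SRM) bool {
	if s.Version <= d.srm.Version || !ed25519.Verify(d.authority, s.tbs(), s.Sig) {
		return false
	}
	d.srm = s
	return true
}

// Authenticate runs the mutual exchange: SRMs are offered both ways, each side
// checks the other's certificate against the authority key and its own SRM, then
// each proves it holds the certified key by signing a fresh random challenge.
// Content may flow only when this returns nil.
func Authenticate(a, b *Device) error {
	a.ConsiderSRM(b.srm)
	b.ConsiderSRM(a.srm)
	for _, p := range [][2]*Device{{a, b}, {b, a}} {
		v, peer := p[0], p[1].Cert
		if !ed25519.Verify(v.authority, peer.tbs(), peer.Sig) {
			return fmt.Errorf("device %d: certificate %d is not from the authority", v.Cert.ID, peer.ID)
		}
		for _, id := range v.srm.Revoked {
			if id == peer.ID {
				return fmt.Errorf("device %d: device %d is on SRM v%d", v.Cert.ID, id, v.srm.Version)
			}
		}
		nonce := make([]byte, 16)
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		challenge := append([]byte("challenge:"), nonce...) // domain-separated like tbs
		if !ed25519.Verify(peer.Pub, challenge, ed25519.Sign(p[1].priv, challenge)) {
			return fmt.Errorf("device %d failed the challenge", peer.ID)
		}
	}
	return nil
}

func main() {
	auth := NewAuthority()
	a, b := NewDevice(auth, 7, auth.IssueSRM(1)), NewDevice(auth, 9, auth.IssueSRM(2, 7))
	fmt.Println(Authenticate(a, b)) // b's newer list revokes device 7, so this is an error
}
```

Note that device 7 also picks up SRM v2 from its peer during the failed exchange, which is the "bring in a new revocation list and the old gadget is shut out everywhere" behaviour the article describes.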

It is still not clear what features Intel has added to its chips to support DTCP. It is unlikely to be anything which will be useful to Linux users. But, at least, it does not appear to be a system to lock "unauthorized" operating systems out of the processor. And certainly none of us expected any sort of free multimedia software to get a stamp of approval from the entertainment industry anyway.

Security news

Schneier: Attack Trends: 2004 and 2005

Bruce Schneier has posted some predictions on the types of security problems we'll see in the near future. "Targeted worms are another trend we're starting to see. Recently there have been worms that use third-party information-gathering techniques, such as Google, for advanced reconnaissance. This leads to a more intelligent propagation methodology; instead of propagating scattershot, these worms are focusing on specific targets. By identifying targets through third-party information gathering, the worms reduce the noise they would normally make when randomly selecting targets, thus increasing the window of opportunity between release and first detection."

New vulnerabilities

dbus: information disclosure

Package(s): dbus    CVE #(s): CAN-2005-0201
Created: June 8, 2005    Updated: August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08

Dzip: directory traversal

Package(s): dzip    CVE #(s):
Created: June 6, 2005    Updated: June 8, 2005
Description: Dzip is vulnerable to a directory traversal attack when extracting archives. An attacker could exploit this vulnerability by creating a specially crafted archive to extract files to arbitrary locations.
Alerts:
Gentoo 200506-03 2005-06-06

kdbg: command injection vulnerability

Package(s): kdbg    CVE #(s): CAN-2003-0644
Created: June 2, 2005    Updated: June 8, 2005
Description: Versions of the kdbg debugger from 1.1.0 through 1.2.8 have a problem with permission checking in the .kdbgrc run command file. A local user may use this to inject malicious commands in the file.
Alerts:
Red Hat RHSA-2005:416-01 2005-06-02

kernel: local denial of service, possible compromise

Package(s): kernel    CVE #(s): CAN-2005-0756 CAN-2005-1265
Created: June 8, 2005    Updated: June 9, 2005
Description: The mmap() system call does not perform proper checking of its parameters, leading to a possible kernel crash and possible code execution.

The ptrace() system call does not perform proper checking of addresses (on the x86-64 platform only), leading to a possible kernel crash.

Alerts:
SuSE SUSE-SA:2005:029 2005-06-09
Ubuntu USN-137-1 2005-06-08

Mailutils: SQL injection

Package(s): mailutils    CVE #(s): CAN-2005-1824
Created: June 6, 2005    Updated: June 8, 2005
Description: When GNU Mailutils is built with the "mysql" or "postgres" USE flag, the sql_escape_string function of the authentication module fails to properly escape the "\" character, rendering it vulnerable to a SQL command injection. A malicious remote user could exploit this vulnerability to inject SQL commands to the underlying database.
Alerts:
Gentoo 200506-02 2005-06-06

Wordpress: multiple vulnerabilities

Package(s): wordpress    CVE #(s):
Created: June 6, 2005    Updated: July 4, 2005
Description: Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore, the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
Alerts:
Gentoo 200507-02 2005-07-04
Gentoo 200506-04 2005-06-06

Updated vulnerabilities

a2ps: input validation error

Package(s): a2ps    CVE #(s): CAN-2004-1170 CAN-2004-1377
Created: November 26, 2004    Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

apache-utils: htpasswd buffer overflow

Package(s): apache-utils    CVE #(s):
Created: May 26, 2005    Updated: June 1, 2005
Description: The htpasswd utility has a buffer overflow vulnerability. Web sites that use an unchecked public interface to htpasswd can be used to execute arbitrary code with the privileges of the user who runs htpasswd.
Alerts:
Ubuntu USN-133-1 2005-05-26

bzip2: race condition and infinite loop

Package(s): bzip2    CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005    Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes the output file's permissions only after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

cpio: file permissions error

Package(s): cpio    CVE #(s): CAN-1999-1572
Created: February 2, 2005    Updated: July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

cURL: buffer overflow

Package(s): curl    CVE #(s): CAN-2005-0490
Created: February 28, 2005    Updated: July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

cvs: multiple vulnerabilities

Package(s): cvs    CVE #(s): CAN-2005-0753
Created: April 18, 2005    Updated: July 13, 2005
Description: CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Alerts:
Debian DSA-742-1 2005-07-07
Fedora-Legacy FLSA:155508 2005-05-12
Ubuntu USN-117-1 2005-05-04
Red Hat RHSA-2005:387-01 2005-04-25
Gentoo 200504-16:02 2005-04-18
Slackware SSA:2005-111-01 2005-04-22
Trustix TSLSA-2005-0013 2005-04-20
Mandriva MDKSA-2005:073 2005-04-20
Fedora FEDORA-2005-330 2005-04-20
Gentoo 200504-16 2005-04-18
SuSE SUSE-SA:2005:024 2005-04-18

cyrus-imapd: buffer overflows

Package(s): cyrus-imapd    CVE #(s): CAN-2005-0546
Created: February 23, 2005    Updated: April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

dhcp: format string vulnerability

Package(s): dhcp    CVE #(s): CAN-2004-1006
Created: November 4, 2004    Updated: July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Dnsmasq: poisoning and DoS

Package(s): dnsmasq    CVE #(s):
Created: April 4, 2005    Updated: July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash the parsing of DHCP lease files.
Alerts:
Slackware SSA:2005-201-01 2005-07-21
Gentoo 200504-03 2005-04-04

emacs21: format string vulnerability in "movemail"

Package(s): emacs21    CVE #(s): CAN-2005-0100
Created: February 7, 2005    Updated: May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

enscript: arbitrary code execution

Package(s): enscript    CVE #(s): CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created: January 21, 2005    Updated: May 27, 2006
Description: Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames, a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

Ethereal: numerous vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-1456 CAN-2005-1457 CAN-2005-1458 CAN-2005-1459 CAN-2005-1460 CAN-2005-1461 CAN-2005-1462 CAN-2005-1463 CAN-2005-1464 CAN-2005-1465 CAN-2005-1466 CAN-2005-1467 CAN-2005-1468 CAN-2005-1469 CAN-2005-1470
Created:May 6, 2005 Updated:June 7, 2005
Description: There are numerous vulnerabilities in Ethereal versions 0.8.14 to 0.10.10, according to this advisory.
Alerts:
SuSE SUSE-SR:2005:014 2005-06-07
Red Hat RHSA-2005:427-01 2005-05-24
Mandriva MDKSA-2005:083 2005-05-10
Gentoo 200505-03 2005-05-06

Comments (none posted)

evolution: message crash vulnerability

Package(s):evolution CVE #(s):CAN-2005-0806
Created:March 17, 2005 Updated:August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: buffer overflow and SQL injection

Package(s):freeradius CVE #(s):CAN-2005-1454 CAN-2005-1455
Created:May 17, 2005 Updated:June 23, 2005
Description: Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS 1.0.2 and earlier may be vulnerable to a buffer overflow. He also discovered that FreeRADIUS fails to sanitize user input before using it in a SQL query, possibly allowing SQL command injection.
Alerts:
Red Hat RHSA-2005:524-01 2005-06-23
Gentoo 200505-13:02 2005-05-17
Gentoo 200505-13 2005-05-17

Comments (1 posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s):gftp CVE #(s):CAN-2005-0372 CAN-2004-1376
Created:February 17, 2005 Updated:July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

GnuTLS: Denial of Service vulnerability

Package(s):gnutls CVE #(s):CAN-2005-1431
Created:May 9, 2005 Updated:June 1, 2005
Description: GnuTLS 1.2.3 and 1.0.25 have been released, fixing a denial of service problem.
Alerts:
Red Hat RHSA-2005:430-01 2005-06-01
Ubuntu USN-126-1 2005-05-13
Mandriva MDKSA-2005:084 2005-05-12
Fedora FEDORA-2005-362 2005-05-05
Gentoo 200505-04 2005-05-09

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gxine: format string vulnerability

Package(s):gxine CVE #(s):CAN-2005-1692
Created:May 26, 2005 Updated:July 23, 2005
Description: The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code.
Alerts:
Slackware SSA:2005-203-04 2005-07-23
Gentoo 200505-19 2005-05-26

Comments (none posted)

gzip: race condition and directory traversal

Package(s):gzip CVE #(s):CAN-2005-0988 CAN-2005-1228
Created:May 4, 2005 Updated:July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Alerts:
Debian DSA-752-1 2005-07-11
Red Hat RHSA-2005:357-01 2005-06-13
OpenPKG OpenPKG-SA-2005.010 2005-06-10
OpenPKG OpenPKG-SA-2005.009 2005-06-10
Mandriva MDKSA-2005:092 2005-05-18
Gentoo 200505-05 2005-05-09
Trustix TSLSA-2005-0018 2005-05-06
Ubuntu USN-116-1 2005-05-04

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

ImageMagick: xwd coder denial of service

Package(s):ImageMagick CVE #(s):CAN-2005-1739
Created:May 26, 2005 Updated:July 19, 2005
Description: The xwd coder in ImageMagick has a vulnerability that can be triggered by processing a maliciously created image. A denial of service can result.
Alerts:
Fedora-Legacy FLSA:152777 2005-07-12
Mandriva MDKSA-2005:107 2005-06-28
Red Hat RHSA-2005:480-01 2005-06-02
Fedora FEDORA-2005-395 2005-05-26

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if a victim connected to it, could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

infozip: privilege escalation, directory-traversal

Package(s):infozip CVE #(s):CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created:May 2, 2005 Updated:August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Alerts:
Ubuntu USN-159-1 2005-08-01
Slackware SSA:2005-121-01 2005-05-02

Comments (1 posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839
Created:April 1, 2005 Updated:July 1, 2005
Description: More kernel vulnerabilities have been discovered, including:
  • Mathieu Lafon discovered an information leak in the ext2 file system driver. (CAN-2005-0400)
  • Yichen Xie discovered a Denial of Service vulnerability in the ELF loader. (CAN-2005-0749)
  • Ilja van Sprundel discovered that the bluez_sock_create() function did not check its "protocol" argument for negative values. (CAN-2005-0750)
  • Michal Zalewski discovered that the iso9660 file system driver fails to check ranges properly in several cases. (CAN-2005-0815)
  • Previous kernels did not restrict the use of the N_MOUSE line discipline in the serial driver. (CAN-2005-0839)
Alerts:
Mandriva MDKSA-2005:110 2005-06-30
Mandriva MDKSA-2005:111 2005-06-30
Fedora-Legacy FLSA:152532 2005-06-04
Conectiva CLA-2005:952 2005-05-02
Red Hat RHSA-2005:284-01 2005-04-28
Red Hat RHSA-2005:283-01 2005-04-28
Red Hat RHSA-2005:293-01 2005-04-22
Fedora FEDORA-2005-313 2005-04-11
Trustix TSLSA-2005-0011 2005-04-05
SuSE SUSE-SA:2005:021 2005-04-04
Ubuntu USN-103-1 2005-04-01

Comments (1 posted)

kernel: ELF loader core dump vulnerability

Package(s):kernel CVE #(s):CAN-2005-1263
Created:May 11, 2005 Updated:August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 2005-08-25
Red Hat RHSA-2005:420-01 2005-06-08
Red Hat RHSA-2005:472-01 2005-05-25
Fedora FEDORA-2005-392 2005-05-23
Ubuntu USN-131-1 2005-05-23
Trustix TSLSA-2005-0022 2005-05-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kimgio: input validation errors

Package(s):kimgio CVE #(s):CAN-2005-1046
Created:April 22, 2005 Updated:July 19, 2005
Description: KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to and including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code.
Alerts:
Ubuntu USN-114-2 2005-05-27
Red Hat RHSA-2005:393-01 2005-05-17
Mandriva MDKSA-2005:085 2005-05-12
Ubuntu USN-114-1 2005-05-03
Fedora FEDORA-2005-350 2005-05-02
Debian DSA-714-1 2005-04-26
Gentoo 200504-22 2005-04-22

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15