
LWN.net Weekly Edition for July 14, 2005

The European software patent vote

Just as last week's LWN Weekly Edition was being finalized, the word came out that the European software patent directive had, after years of strange maneuvers, lobbying, and politics, been rejected by the European Parliament. And this was not any ordinary rejection: the final vote was 648 to 14. That is quite an outcome, considering that, not particularly long ago, a good result in the final parliamentary vote was seen as a long shot at best.

This vote is not a result of a sudden general understanding that software patents are a bad idea. In the end, most parties went against the directive because (1) it had been amended to the point that nobody liked it anymore, and (2) the parliament was not pleased with how it had been treated by the European Council. So the vote should not be seen as a definitive statement from Europe on software patents; it also should not be seen as the end of the debate.

For now, the software patent situation in Europe remains unchanged. In theory, such patents are not legal, but the European Patent Office (EPO) has issued quite a few software patents anyway. Some European member states are more friendly to software patents than others. So the situation remains muddled, and is likely to stay that way for a while. Court battles to determine the legitimacy of EPO-issued software patents seem almost certain. So software patents are still a threat, at some level, for European free software developers and users. Even if a software patent issued by the EPO is eventually thrown out of court, it's still no fun to be the one in court trying to make that happen.

In other words, this outcome is very much a mixed result. It is far superior to a directive which would have enshrined software patents in European Union law; the rejection of that language is an unambiguous victory. But it would have been far nicer to pass a version of the directive which clearly disallowed patents on software. It would have been nicer to put an end to this problem - in Europe, at least.

Because this debate certainly is not over. The European Council once said that, if the directive were to fail to pass the Parliament, there would be no further attempts. For those who truly believe that: we have some nice ocean-front property in Luxembourg we'd be willing to sell you. This sort of issue, backed as it is by interests with lots of money in the bank and even more in their eyes, almost never goes away. Software patents in Europe will be back, at the EU and member state levels.

For now, though, the free software community can celebrate an important victory. There is still no global software patent regime in place, and there is a far higher awareness of the issue than there was a few years ago. All the effort put in by so many people working to fight this directive has paid off. Great congratulations are due to each and every person who contributed to this fight, whether that contribution took the form of massive organizing or a quick letter to a member of parliament. You have shown that you can influence policy, even on an obscure technical issue, and even in the face of well-funded opposition. Well done!

Comments (1 posted)

The Xandros Business Desktop

July 13, 2005

This article was contributed by Ladislav Bodnar

Ever since the launch of Xandros Corporation four years ago, the company has settled into a regular release cycle. New versions of Xandros Desktop OS for home users ("Standard" and "Deluxe" editions) have come out towards the end of each calendar year, followed by high-end "Business" editions some six months later. Continuing in this practice, Xandros Desktop OS 3 Business was unveiled last month when it became available to customers from the company's online store for $129.

As the name suggests, the "Business" edition is designed as a desktop system for small and medium-size businesses. This product should appeal to those production environments that have been evaluating the possibility of moving their desktops to Linux, but have not found a suitable replacement for their Windows systems - either because many of the popular Linux distributions lack certain required functionality or because their existing infrastructure is overly dependent on Microsoft Windows and Office, and possibly even SQL Server, migration of which would be a costly and tedious task.

Xandros Business Desktop was specifically designed for the latter group. The company claims that these businesses can keep their current Windows server infrastructure, MS Office files, and even run many of the Windows applications they depend on, but can still migrate their desktop computers from a virus- and spyware-prone operating system with less than a stellar security reputation to a more secure and less maintenance-intensive Linux-based system. Although the initial migration will certainly cost some capital, Xandros argues, the overall long-term savings should be considerable.

Xandros is walking a tightrope here. On one hand, businesses that consider migrating their desktop systems to Linux have likely started experimenting with Linux already, probably with one of the freely available distributions, such as Fedora, Mandriva or Ubuntu. If these fit their requirements, they would almost certainly prefer one of them over a $129-per-seat Xandros Desktop OS. If they haven't found a suitable replacement, Xandros might still be a viable option, but it doesn't take a genius to figure out that a business with a few dozen computers will end up having to pay license fees that are not much lower than those for Windows. If this is the case, why bother with a costly migration to Linux?

Probably the best reason is to save on system maintenance. As we know, keeping Windows boxes free of viruses, spyware, worms and other Internet malware is a costly and time-consuming exercise, so replacing Windows with Linux, wherever possible, would certainly eliminate most of this expense.

The next question is: why Xandros? If you have never installed and used this distribution, you will be forgiven for asking; those who have will know that Xandros remains our firm favorite as the best and most user-friendly desktop Linux distribution there is. From the moment you insert the installation CD into your CD-ROM drive until you finally boot into your new desktop, you will see true usability features not found in any other distribution. Xandros has not built an operating system just by integrating individual pieces of freely available software from the Internet; it has also developed many utilities that conform to the definitions of software usability better than most other distributions.

Besides all the well-established features of Xandros Desktop, such as the Xandros File Manager, Xandros Networks (for downloading and installing software and security updates), the integrated drag-and-drop CD/DVD-burning application, enhanced KDE Control Center, CrossOver Office (with support for MS Office, Adobe Photoshop and other Windows applications), file system encryption and excellent hardware detection, the Business edition adds further incentives. Among them, Windows networking features are probably the biggest selling point of Xandros Business Desktop - especially when considering its ability to authenticate to both Windows NT and Active Directory domains, to browse NFS shares, and to perform drag-and-drop operations on network shares, as well as FTP servers.

This edition of Xandros Desktop OS comes with an extra Application CD, an excellent 350-page User Guide, and a 9-page Getting Started Guide. Inserting the CD immediately brings up a software installer dialog, providing an opportunity to browse through the available packages. Among the more interesting applications included on the CD are OpenOffice.org 1.1.2 and StarOffice 7 with various dictionaries, together with a number of development packages and database servers, as well as Citrix and SAP clients. The manual is identical to the one available with the Deluxe edition and Xandros deserves praise for making an effort to put together a really useful guide.

Despite developing a superb package, Xandros might still have a hard time selling the product in desirable quantities. It seems that most of the migration efforts we get to hear about these days tend to revolve around one of the free distributions (the current migrations to Linux by the municipalities of Munich and Vienna are good examples), customized to their needs. Also, we haven't heard of any success stories involving Xandros Business Desktop, an event that would surely result in a self-congratulatory press release by the company. As good as Xandros Desktop is, it still remains a largely proprietary system, not particularly cheap, and with the potential of another vendor lock-in, which is a trap that many businesses would rather avoid.

This brings up the next question: is the company's current business strategy of selling boxed products, as opposed to giving the products away and charging for services, a sustainable business model? If the history of open source software companies is anything to go by, selling services tends to result in sustainable growth, while selling software boxes is likely to lead towards stagnation at best, and bankruptcy at worst. There are far too many examples of the latter to ignore the danger!

Comments (9 posted)

Next week: OLS + KS/DDC

Next week is the annual pilgrimage to the Ottawa Linux Symposium, one of the key Linux development events worldwide. The schedule has been posted for those who are interested; it looks like the usual collection of great talks. LWN editor Jonathan Corbet will be giving an updated version of the "2.6 Kernel Roadmap" talk at 10:00 on Wednesday.

The Desktop Developers' Conference is happening the two days prior to the opening of OLS. We would love to be able to report from that event, but your editor will, instead, be downstairs at the annual kernel summit. Look for our coverage from that event early in the week. There will be reports from OLS as well, though your editor has learned, from experience, to rest well before the famous closing party. See you in Ottawa.

Comments (1 posted)

Page editor: Jonathan Corbet

Security

The Personal Data Privacy and Security Act

July 13, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The good news is that the U.S. Congress is turning its attention to identity theft. The bad news is that Congress is unlikely to produce truly effective legislation. The Personal Data Privacy and Security Act of 2005 is one bill that attempts to address ID theft and misuse of personal information. It was introduced at the end of June by Senators Arlen Specter and Patrick Leahy. Text of the bill is available from thomas.loc.gov.

The bill's summary sounds good:

To prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

The bill does have some sensible provisions. It would specifically prevent companies from selling social security numbers, for example, without explicit consent of the individual. The bill would also require notification to individuals that their personal information had been compromised, and would require "data collectors" to disclose information being collected upon request. The bill would also beef up penalties for identity theft, and for concealing security breaches.

While there is a lot to like about the bill, it has more than its share of flaws. Section 422 of the act requires "any business entity or agency engaged in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of personally identifiable information" to provide written notification of an information compromise or, if the address is unknown, notification by phone. The problem with requiring a written notice or phone call is that many sites that would be required to comply with the law do not necessarily collect addresses or phone numbers. Forcing them to start gathering that information would be burdensome, intrusive on the privacy of the people who are allegedly being protected, and would add to the amount of data that can be stolen in the event of a successful attack.

The act also provides for a posting on the affected site, if more than 1,000 residents of the U.S. have been affected, and notice to "major media outlets serving that State or jurisdiction" if more than 5,000 residents of a state or jurisdiction are affected. However, these seem to be aggregate requirements: if a company has been affected, it appears that it must notify all individuals by phone or mail, and post a notice, and send notice to "major media outlets."

There are a few flaws of omission in the bill as well. For example, as Jon Oltsik points out, there's no provision for monitoring compliance with the bill. While the bill prescribes heavy penalties for failing to comply, the only way that non-compliance will come to light, in the bill's present form, is once it's too late and a breach has occurred. This is of little comfort to those who have already had their information stolen and misused. Penalties for misuse and theft of data are fine, but prevention would be much better.

While the bill requires data collectors to disclose information upon request, it does not require any notification of collection. It's unlikely that the average person even knows what organizations are collecting data in the first place. To really "ensure privacy" the bill should prevent unauthorized data collection altogether.

Also, the bill protects social security numbers, which in and of itself is a good thing, but too specific. To be truly effective, now and in the future, the bill should cover any government-issued IDs. For example, it would be prudent to include IDs that fall under the Real ID Act.

It would be nice to see a national data security law that would provide notifications to individuals in the event that their information has been stolen, and give additional control to individuals over the aggregation and dissemination of personal data such as social security numbers. The proposed Personal Data Privacy and Security Act of 2005 takes some tentative steps in the right direction; hopefully its weaker points will be addressed as the bill moves forward.

Comments (6 posted)

New vulnerabilities

acroread: arbitrary code execution

Package(s): acroread
CVE #(s): CAN-2005-1625 CAN-2005-1841
Created: July 8, 2005
Updated: July 14, 2005
Description: Adobe Acrobat Reader (acroread) has a buffer overflow vulnerability. If a user is tricked into opening a specially crafted PDF file, arbitrary code can be executed.
Alerts:
SuSE SUSE-SA:2005:042 2005-07-14
Gentoo 200507-09 2005-07-11
Red Hat RHSA-2005:575-01 2005-07-08

Comments (none posted)

centericq: temporary file vulnerability

Package(s): centericq
CVE #(s): CAN-2005-1914
Created: July 13, 2005
Updated: July 13, 2005
Description: The centericq messaging client suffers from a classic temporary file vulnerability which could, conceivably, be exploited by a local user to overwrite files.
Alerts:
Debian DSA-754-1 2005-07-13

Comments (none posted)

dhcpcd: denial of service

Package(s): dhcpcd
CVE #(s): CAN-2005-1848
Created: July 13, 2005
Updated: September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 2005-09-13
Red Hat RHSA-2005:603-01 2005-07-27
Gentoo 200507-16 2005-07-15
Mandriva MDKSA-2005:117 2005-07-12
Debian DSA-750-1 2005-07-11

Comments (none posted)

FUSE: information disclosure

Package(s): fuse
CVE #(s): CAN-2005-1858
Created: July 13, 2005
Updated: July 13, 2005
Description: The Filesystem in Userspace (FUSE) subsystem (not yet part of the mainline kernel) has an information disclosure vulnerability exploitable by local users.
Alerts:
Debian DSA-744-1 2005-07-08

Comments (none posted)

ht: arbitrary code execution

Package(s): ht
CVE #(s): CAN-2005-1545 CAN-2005-1546
Created: July 8, 2005
Updated: July 13, 2005
Description: The utility ht, an executable file viewer, editor and analyzer, has buffer and integer overflows that can be exploited for the purpose of executing arbitrary code.
Alerts:
Debian DSA-743-1 2005-07-08

Comments (none posted)

krb5: double-free flaw

Package(s): krb5
CVE #(s): CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created: July 12, 2005
Updated: December 6, 2005
Description: The krb5 authentication system has a double-free flaw which may be triggered by a remote, unauthenticated attacker. Also, a single-byte heap overflow in the krb5_unparse_name() function can lead to a denial of service, and a malicious telnet server can cause an information disclosure. See this report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

leafnode: fetchnews vulnerabilities

Package(s): leafnode
CVE #(s): CAN-2004-2068 CAN-2005-1453 CAN-2005-1911
Created: July 12, 2005
Updated: July 13, 2005
Description: The fetchnews program from the leafnode NNTP server has a number of vulnerabilities involving corruption of data from the upstream server. The system can hang indefinitely or crash.
Alerts:
Mandriva MDKSA-2005:114 2005-07-11

Comments (none posted)

sharutils: temporary file vulnerability

Package(s): sharutils
CVE #(s): CAN-2005-0990
Created: July 13, 2005
Updated: July 13, 2005
Description: Sharutils (and unshar in particular) creates temporary files in an unsafe way, making local file overwrite attacks possible.
Alerts:
Fedora-Legacy FLSA:154991 2005-07-10

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s): a2ps
CVE #(s): CAN-2004-1170 CAN-2004-1377
Created: November 26, 2004
Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

bzip2: race condition and infinite loop

Package(s): bzip2
CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files: bzip2 changes the permissions of the output file only after decompression is complete, so a local user who replaces that file with a hard link while it is being decompressed can have the permission change applied to a file of their choosing. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
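The race the bzip2 entry describes, as an added example that is not bzip2's own source: the "write the output, then chmod() it by name" pattern next to the standard hardening for this class of bug, applying the mode through the still-open descriptor with fchmod(). The hook, the file names and the /tmp scratch directory are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook invoked between "output written" and "mode applied". In the demo it
 * stands in for the local user who wins the race; real code has no hook,
 * only a scheduling gap that the other party races against. */
typedef void (*race_hook)(void *ctx);

/* Vulnerable pattern: write, close, then chmod() the *name*. Whatever the
 * name refers to at that instant receives the new mode. */
int finish_by_path(const char *out, const char *data, mode_t mode,
                   race_hook hook, void *ctx) {
    int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    if (n < 0) return -1;
    if (hook) hook(ctx);                 /* the race window */
    return chmod(out, mode);             /* follows the name, not the inode */
}

/* Hardened pattern: keep the descriptor open and set the mode with fchmod()
 * on the inode we actually wrote. Renaming or relinking the name no longer
 * matters, and O_EXCL refuses a name that was planted before we started. */
int finish_by_fd(const char *out, const char *data, mode_t mode,
                 race_hook hook, void *ctx) {
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, strlen(data)) < 0) { close(fd); return -1; }
    if (hook) hook(ctx);                 /* same window, now harmless */
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Permission bits of a path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Constructed race winner: swap the output name for a hard link to the
 * victim file, exactly the move the entry describes. */
struct swap { const char *out; const char *victim; };
static void swap_in_victim(void *ctx) {
    struct swap *s = ctx;
    unlink(s->out);
    link(s->victim, s->out);
}

/* Run one scenario in a fresh directory under /tmp and return the victim
 * file's final permission bits (-1 on setup failure). The victim starts
 * at 0600; the "decompressor" wants to give its output 0666. */
int run_scenario(int hardened) {
    char dir[] = "/tmp/bz2race.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char out[64], victim[64];
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0) return -1;
    fchmod(vfd, 0600);                   /* umask-independent starting mode */
    close(vfd);

    struct swap s = { out, victim };
    int rc = hardened
        ? finish_by_fd(out, "payload", 0666, swap_in_victim, &s)
        : finish_by_path(out, "payload", 0666, swap_in_victim, &s);
    int mode = (rc == 0) ? file_mode(victim) : -1;

    unlink(out); unlink(victim); rmdir(dir);
    return mode;
}

int main(void) {
    printf("chmod() by name:  victim mode is now %04o\n", run_scenario(0));
    printf("fchmod() on fd:   victim mode is now %04o\n", run_scenario(1));
    return 0;
}
```

The same reasoning applies to chown() versus fchown(): any attribute applied by path after the file is closed inherits the race, so apply it to the descriptor before closing.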
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cacti: SQL injection and PHP file inclusion

Package(s): cacti
CVE #(s):
Created: June 22, 2005
Updated: July 21, 2005
Description: Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files.
Alerts:
Debian DSA-764-1 2005-07-21
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo 200506-20:02 2005-06-22
Gentoo 200506-20 2005-06-22

Comments (none posted)

ClamAV: denial of service

Package(s): clamav
CVE #(s): CAN-2005-2056 CAN-2005-2070
Created: June 27, 2005
Updated: July 12, 2005
Description: Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's Quantum archive decompressor renders Clam AntiVirus vulnerable to a Denial of Service attack. A remote attacker could exploit this vulnerability to cause a Denial of Service by sending a specially crafted Quantum archive to the server.
Alerts:
Mandriva MDKSA-2005:113 2005-07-11
Debian DSA-737-1 2005-07-05
SuSE SUSE-SA:2005:038 2005-06-29
Gentoo 200506-23 2005-06-27

Comments (none posted)

cpio: file permissions error

Package(s): cpio
CVE #(s): CAN-1999-1572
Created: February 2, 2005
Updated: July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cpio: directory traversal

Package(s): cpio
CVE #(s): CAN-2005-1111
Created: June 20, 2005
Updated: December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice: cpio extracts to the path specified in the cpio file, and this path can be absolute.
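An added example, not cpio's code, of the check an extractor needs against the absolute and traversing member names the cpio entry describes: leading slashes are stripped so the name lands under the chosen root, and any ".." component is refused. The function names and the sample member names are constructed here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 4096

/* Normalise an archive member name before extraction. Writes a relative
 * path to out and returns 1 if the name is acceptable, 0 if it must be
 * rejected. Leading '/' is dropped so an absolute name is extracted under
 * the root; "." and empty components are dropped; any ".." component is
 * refused outright, since "a/../../x" escapes as surely as "../x" does. */
int sanitize_member_path(const char *name, char *out, size_t outlen) {
    size_t pos = 0;
    const char *p = name;
    while (*p == '/') p++;                          /* absolute -> relative */
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;   /* traversal */
        if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (pos + len + 2 > outlen) return 0;               /* no room */
            if (pos) out[pos++] = '/';
            memcpy(out + pos, p, len);
            pos += len;
        }
        p = end ? end + 1 : p + len;
    }
    if (pos == 0) return 0;                         /* nothing left to extract */
    out[pos] = '\0';
    return 1;
}

/* Final target path: root + "/" + sanitized name. Returns 1 on success,
 * 0 if the member was rejected or the result does not fit. */
int extraction_target(const char *root, const char *name,
                      char *out, size_t outlen) {
    char rel[MAX_PATH_LEN];
    if (!sanitize_member_path(name, rel, sizeof rel)) return 0;
    int n = snprintf(out, outlen, "%s/%s", root, rel);
    return n > 0 && (size_t)n < outlen;
}

/* Helpers returning 1 when name sanitizes to expected, or is rejected when
 * expected is NULL. */
int check_member(const char *name, const char *expected) {
    char buf[MAX_PATH_LEN];
    int ok = sanitize_member_path(name, buf, sizeof buf);
    if (!expected) return ok == 0;
    return ok == 1 && strcmp(buf, expected) == 0;
}

int check_target(const char *root, const char *name, const char *expected) {
    char buf[MAX_PATH_LEN];
    int ok = extraction_target(root, name, buf, sizeof buf);
    if (!expected) return ok == 0;
    return ok == 1 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed member names, including the absolute path the entry warns about. */
    const char *names[] = { "/etc/passwd", "../../etc/passwd", "data/../../x",
                            "./docs//readme.txt", "/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[MAX_PATH_LEN];
        if (extraction_target("/var/tmp/unpack", names[i], buf, sizeof buf))
            printf("%-20s -> %s\n", names[i], buf);
        else
            printf("%-20s -> rejected\n", names[i]);
    }
    return 0;
}
```

Name checks alone do not cover a member that is a symbolic link pointing outside the tree and is then written through by a later member; an extractor has to handle that case separately.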
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

crip: insecure temporary files

Package(s): crip
CVE #(s): CAN-2005-0393
Created: June 30, 2005
Updated: July 6, 2005
Description: Justin Rye discovered that crip, a terminal-based ripper, encoder and tagger tool, utilizes temporary files in an insecure fashion in its helper scripts.
Alerts:
Debian DSA-733-1 2005-06-30

Comments (none posted)

cURL: buffer overflow

Package(s): curl
CVE #(s): CAN-2005-0490
Created: February 28, 2005
Updated: July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

Comments (none posted)

cvs: multiple vulnerabilities

Package(s): cvs
CVE #(s): CAN-2005-0753
Created: April 18, 2005
Updated: July 13, 2005
Description: CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereference. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Alerts:
Debian DSA-742-1 2005-07-07
Fedora-Legacy FLSA:155508 2005-05-12
Ubuntu USN-117-1 2005-05-04
Red Hat RHSA-2005:387-01 2005-04-25
Gentoo 200504-16:02 2005-04-18
Slackware SSA:2005-111-01 2005-04-22
Trustix TSLSA-2005-0013 2005-04-20
Mandriva MDKSA-2005:073 2005-04-20
Fedora FEDORA-2005-330 2005-04-20
Gentoo 200504-16 2005-04-18
SuSE SUSE-SA:2005:024 2005-04-18

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s): cyrus-imapd
CVE #(s): CAN-2005-0546
Created: February 23, 2005
Updated: April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dbus: information disclosure

Package(s): dbus
CVE #(s): CAN-2005-0201
Created: June 8, 2005
Updated: August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08

Comments (none posted)

dhcp: format string vulnerability

Package(s): dhcp
CVE #(s): CAN-2004-1006
Created: November 4, 2004
Updated: July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

Dnsmasq: poisoning and DoS

Package(s): dnsmasq
CVE #(s):
Created: April 4, 2005
Updated: July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash the parsing of DHCP lease files.
Alerts:
Slackware SSA:2005-201-01 2005-07-21
Gentoo 200504-03 2005-04-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s): emacs21
CVE #(s): CAN-2005-0100
Created: February 7, 2005
Updated: May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s): enscript
CVE #(s): CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created: January 21, 2005
Updated: May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ettercap: format string vulnerability

Package(s): ettercap
CVE #(s): CAN-2005-1796
Created: June 13, 2005
Updated: July 13, 2005
Description: The Ettercap suite of networking tools has a format string vulnerability that can be exploited by a remote attacker for the execution of arbitrary code.
Alerts:
Debian DSA-749-1 2005-07-10
Gentoo 200506-07 2005-06-11

Comments (none posted)

evolution: message crash vulnerability

Package(s): evolution
CVE #(s): CAN-2005-0806
Created: March 17, 2005
Updated: August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gdb: multiple vulnerabilities

Package(s): gdb
CVE #(s): CAN-2005-1704 CAN-2005-1705
Created: May 20, 2005
Updated: August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf, gtk2: denial of service

Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2005-0891
Created: March 30, 2005
Updated: December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s): gedit
CVE #(s): CAN-2005-1686
Created: June 9, 2005
Updated: February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s): gettext
CVE #(s): CAN-2004-0966
Created: October 11, 2004
Updated: March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s):gftp CVE #(s):CAN-2005-0372 CAN-2004-1376
Created:February 17, 2005 Updated:July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gxine: format string vulnerability

Package(s):gxine CVE #(s):CAN-2005-1692
Created:May 26, 2005 Updated:July 23, 2005
Description: The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file could cause arbitrary code to be executed with the privileges of the user running gxine.
Alerts:
Slackware SSA:2005-203-04 2005-07-23
Gentoo 200505-19 2005-05-26

Comments (none posted)
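
The gedit and gxine entries above describe the same class of bug: untrusted text (a file name, a decoded hostname) ends up as the format argument of a printf-style call. The following is an added example, not code from gedit, gxine or any of the advisories; build_message() is a hypothetical message helper of the kind a GUI program uses to assemble a title or dialog string, and the sample file names are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A hypothetical message helper (assumption of this example) of the kind a
 * GUI program uses to build a dialog text or window title. Being variadic is
 * what makes passing untrusted text as `fmt` dangerous: every '%' is acted on. */
static void build_message(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the file name itself is used as the format string.
 * A name like "%x%x%x" would leak stack words into the title, and "%n" would
 * write the number of bytes emitted so far to an attacker-chosen address. */
void title_vulnerable(const char *filename, char *out, size_t n)
{
    build_message(out, n, filename);
}

/* Fixed: the format is a literal; the untrusted string is only ever an argument. */
void title_fixed(const char *filename, char *out, size_t n)
{
    build_message(out, n, "%s", filename);
}

/* Renders `filename` through either path into a static buffer. Only "%%" is
 * used as a probe here: it is harmless to evaluate yet still shows the name
 * being interpreted rather than copied. Never feed "%n" to the vulnerable path. */
const char *render_title(int fixed, const char *filename)
{
    static char buf[256];
    if (fixed)
        title_fixed(filename, buf, sizeof buf);
    else
        title_vulnerable(filename, buf, sizeof buf);
    return buf;
}

/* 1 if the two renderings differ, i.e. the name contained live directives. */
int name_was_interpreted(const char *filename)
{
    char a[256], b[256];
    title_vulnerable(filename, a, sizeof a);
    title_fixed(filename, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample names; the second carries a literal percent sign. */
    const char *names[] = { "notes.txt", "report 100%%.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-18s vulnerable=\"%s\"", names[i], render_title(0, names[i]));
        printf("  fixed=\"%s\"  interpreted=%d\n",
               render_title(1, names[i]), name_was_interpreted(names[i]));
    }
    return 0;
}
```

The practical check is to mark helpers like build_message() with __attribute__((format(printf, 3, 4))) and build with -Wformat -Wformat-security (or -Werror=format-security); the compiler then flags every call that passes a non-literal format with no arguments, which is exactly the title_vulnerable() pattern.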

gzip: race condition and directory traversal

Package(s):gzip CVE #(s):CAN-2005-0988 CAN-2005-1228
Created:May 4, 2005 Updated:July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Alerts:
Debian DSA-752-1 2005-07-11
Red Hat RHSA-2005:357-01 2005-06-13
OpenPKG OpenPKG-SA-2005.010 2005-06-10
OpenPKG OpenPKG-SA-2005.009 2005-06-10
Mandriva MDKSA-2005:092 2005-05-18
Gentoo 200505-05 2005-05-09
Trustix TSLSA-2005-0018 2005-05-06
Ubuntu USN-116-1 2005-05-04

Comments (none posted)

Heimdal: buffer overflow vulnerabilities

Package(s):heimdal CVE #(s):CAN-2005-2040
Created:June 29, 2005 Updated:July 18, 2005
Description: It has been reported that the "getterminaltype" function of Heimdal's (before 0.6.5) telnetd server is vulnerable to buffer overflows. An attacker could exploit this vulnerability to execute arbitrary code with the permission of the telnetd server program.
Alerts:
Debian DSA-758-1 2005-07-18
SuSE SUSE-SA:2005:040 2005-07-06
Gentoo 200506-24 2005-06-29

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

ImageMagick: xwd coder denial of service

Package(s):ImageMagick CVE #(s):CAN-2005-1739
Created:May 26, 2005 Updated:July 19, 2005
Description: The xwd coder in ImageMagick has a vulnerability that can be triggered by processing a maliciously crafted image, resulting in a denial of service.
Alerts:
Fedora-Legacy FLSA:152777 2005-07-12
Mandriva MDKSA-2005:107 2005-06-28
Red Hat RHSA-2005:480-01 2005-06-02
Fedora FEDORA-2005-395 2005-05-26

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

infozip: privilege escalation, directory-traversal

Package(s):infozip CVE #(s):CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created:May 2, 2005 Updated:August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Alerts:
Ubuntu USN-159-1 2005-08-01
Slackware SSA:2005-121-01 2005-05-02

Comments (1 posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kernel: ELF loader core dump vulnerability

Package(s):kernel CVE #(s):CAN-2005-1263
Created:May 11, 2005 Updated:August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 2005-08-25
Red Hat RHSA-2005:420-01 2005-06-08
Red Hat RHSA-2005:472-01 2005-05-25
Fedora FEDORA-2005-392 2005-05-23
Ubuntu USN-131-1 2005-05-23
Trustix TSLSA-2005-0022 2005-05-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1913 CAN-2005-1761
Created:July 1, 2005 Updated:September 9, 2005
Description: Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and a ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
Alerts:
Ubuntu USN-178-1 2005-09-09
Red Hat RHSA-2005:551-01 2005-08-25
SuSE SUSE-SA:2005:044 2005-08-04
Fedora FEDORA-2005-510 2005-07-01

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kimgio: input validation errors

Package(s):kimgio CVE #(s):CAN-2005-1046
Created:April 22, 2005 Updated:July 19, 2005
Description: KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to and including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code.
Alerts:
Ubuntu USN-114-2 2005-05-27
Red Hat RHSA-2005:393-01 2005-05-17
Mandriva MDKSA-2005:085 2005-05-12
Ubuntu USN-114-1 2005-05-03
Fedora FEDORA-2005-350 2005-05-02
Debian DSA-714-1 2005-04-26
Gentoo 200504-22 2005-04-22

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the user running the affected parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a user passes it a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

mailman: path traversal

Package(s):mailman CVE #(s):CAN-2005-0202
Created:February 9, 2005 Updated:July 13, 2005
Description: The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.

This vulnerability was used to compromise the Full-Disclosure list.

Alerts:
Fedora-Legacy FLSA:152895 2005-07-10
Ubuntu USN-78-2 2005-02-17
Debian DSA-674-3 2005-02-21
Mandrake MDKSA-2005:037 2005-02-14
Red Hat RHSA-2005:137-01 2005-02-15
SuSE SUSE-SA:2005:007 2005-02-14
Debian DSA-674-2 2005-02-11
Red Hat RHSA-2005:136-01 2005-02-10
Gentoo 200502-11 2005-02-10
Fedora FEDORA-2005-132 2005-02-10
Fedora FEDORA-2005-131 2005-02-10
Ubuntu USN-78-1 2005-02-09

Comments (none posted)

mc: buffer overflow

Package(s):mc CVE #(s):CAN-2005-0763
Created:March 29, 2005 Updated:August 11, 2005
Description: An unfixed buffer overflow has been discovered by Andrew V. Samoilov in mc, the midnight commander, a file browser and manager.
Alerts:
Fedora-Legacy FLSA:152889 2005-08-10
Red Hat RHSA-2005:512-01 2005-06-16
Debian DSA-698-1 2005-03-29

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to gain access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

Mozilla Firefox, Mozilla Suite: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2005-0989
Created:April 19, 2005 Updated:July 18, 2005
Description: The following vulnerabilities were found and fixed in the Mozilla Suite and Mozilla Firefox:
  • Vladimir V. Perepelitsa reported a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989).
  • moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM nodes from the content window, allowing privilege escalation via DOM property overrides.
  • Michael Krax reported a possibility to run JavaScript code with elevated privileges through the use of javascript: favicons.
  • Michael Krax also discovered that malicious Search plugins could run JavaScript in the context of the displayed page or stealthily replace existing search plugins.
  • shutdown discovered a technique to pollute the global scope of a window in a way that persists from page to page.
  • Doron Rosenberg discovered a possibility to run JavaScript with elevated privileges when the user asks to "Show" a blocked popup that contains a JavaScript URL.
  • Finally, Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects.
The following Firefox-specific vulnerabilities have also been discovered:
  • Kohei Yoshino discovered a new way to abuse the sidebar panel to execute JavaScript with elevated privileges.
  • Omar Khan reported that the Plugin Finder Service can be tricked to open javascript: URLs with elevated privileges.
Alerts:
Gentoo 200507-17 2005-07-18
Fedora-Legacy FLSA:152883 2005-05-18
Red Hat RHSA-2005:384-01 2005-04-28
SuSE SUSE-SA:2005:028 2005-04-27
Red Hat RHSA-2005:386-01 2005-04-26
Slackware SSA:2005-111-04 2005-04-22
Red Hat RHSA-2005:383-01 2005-04-21
Gentoo 200504-18 2005-04-19

Comments (none posted)

mozilla firefox: javascript vulnerabilities

Package(s):mozilla firefox CVE #(s):CAN-2005-1531 CAN-2005-1532
Created:June 9, 2005 Updated:July 19, 2005
Description: Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly implement certain security checks for script injection, which allows remote attackers to execute script via "wrapped" javascript.

Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit the privileges of JavaScript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CAN-2005-1160.

Alerts:
Fedora-Legacy FLSA:158149 2005-07-15
SuSE SUSE-SA:2005:030 2005-06-09

Comments (1 posted)

MPlayer: heap overflows

Package(s):mplayer CVE #(s):
Created:April 20, 2005 Updated:July 12, 2005
Description: Heap overflows have been found in the code handling RealMedia RTSP and Microsoft Media Services streams over TCP (MMST). By setting up a malicious server and enticing a user to use its streaming data, a remote attacker could possibly execute arbitrary code on the client computer with the permissions of the user running MPlayer.
Alerts:
Mandriva MDKSA-2005:115 2005-07-11
Gentoo 200504-19 2005-04-20

Comments (none posted)

MySQL: input validation and temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Created:March 16, 2005 Updated:July 19, 2005
Description: MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
Alerts:
Fedora-Legacy FLSA:152925 2005-07-15
OpenPKG OpenPKG-SA-2005.006 2005-04-20
Debian DSA-707-1 2005-04-13
Fedora FEDORA-2005-305 2005-04-05
Fedora FEDORA-2005-304 2005-04-05
Red Hat RHSA-2005:348-01 2005-04-05
Conectiva CLA-2005:946 2005-04-04
Red Hat RHSA-2005:334-01 2005-03-28
SuSE SUSE-SA:2005:019 2005-03-24
Mandrake MDKSA-2005:060 2005-03-21
Trustix TSLSA-2005-0009 2005-03-21
Ubuntu USN-96-1 2005-03-16
Gentoo 200503-19 2005-03-16

Comments (none posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

Net-SNMP: fixproc insecure temporary file creation

Package(s):net-snmp CVE #(s):CAN-2005-1740
Created:May 23, 2005 Updated:July 13, 2005
Description: The fixproc application of Net-SNMP creates temporary files with predictable filenames.
Alerts:
Fedora FEDORA-2005-561 2005-07-13
Fedora FEDORA-2005-562 2005-07-13
Gentoo 200505-18 2005-05-23

Comments (1 posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures, where an improper integer conversion can lead to the overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

openssh: directory traversal

Package(s):openssh CVE #(s):CAN-2004-0175
Created:May 18, 2005 Updated:July 13, 2005
Description: The OpenSSH scp client can, when connected to a hostile server, be instructed to overwrite arbitrary files.
Alerts:
Fedora-Legacy FLSA:123014 2005-07-11
Mandriva MDKSA-2005:100 2005-06-14
Red Hat RHSA-2005:495-01 2005-06-13
Red Hat RHSA-2005:165-01 2005-06-08
Red Hat RHSA-2005:481-01 2005-06-02
Red Hat RHSA-2005:106-01 2005-05-18
Red Hat RHSA-2005:074-01 2005-05-18

Comments (1 posted)
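
The gftp, gzip -N, UnZip and scp entries above are all the same failure: a name supplied by the remote side (a server, or a file header) is used as a local path without checking that it stays inside the destination directory. The following is an added example of the checks a client should apply; it is not code from any of those projects or from their fixes, it handles Unix '/' separators only, and the sample names in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Accept only names that stay inside the destination directory: non-empty,
 * relative (no leading '/'), and with no ".." path component. The check is
 * done component by component, so "..hidden" and "foo.." are allowed while
 * "a/../../b" is rejected. Unix separators only (assumption of this example). */
int is_safe_relative_path(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!slash)
            return 1;
        p = slash + 1;
    }
}

/* The stricter rule for a single-file transfer, or for gzip -N style name
 * restoration: discard every directory component and keep the base name.
 * An empty result (name ended in '/') must be treated as invalid by the caller. */
const char *basename_only(const char *name)
{
    const char *slash = strrchr(name, '/');
    return slash ? slash + 1 : name;
}

/* For a client that asked for one specific file (the scp case): the name the
 * server announces must be exactly the base name that was requested. */
int server_name_matches_request(const char *requested, const char *announced)
{
    return strcmp(basename_only(requested), announced) == 0;
}

int main(void)
{
    /* Constructed sample names of the kind a hostile server or archive could send. */
    const char *names[] = { "docs/readme.txt", "../../.ssh/authorized_keys",
                            "/etc/passwd", "a/../../b", "..hidden/file" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-30s safe=%d basename=%s\n", names[i],
               is_safe_relative_path(names[i]), basename_only(names[i]));
    printf("scp asked for 'notes.txt', server sent '.bashrc': match=%d\n",
           server_name_matches_request("notes.txt", ".bashrc"));
    return 0;
}
```

The component-wise check is the one to use for recursive transfers and archive extraction; for a single requested file the base-name comparison is simpler and stricter, and refusing anything else is the right default.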

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)
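
The gettext entry above spells out the mechanism behind this and the other temporary-file entries on this page (the ghostscript scripts, glibc's catchsegv, groffer, lvmcreate_initrd, libdbi-perl, Net-SNMP's fixproc and openssl's der_chop): a predictable name in a world-writable directory, a symlink planted there by a local user, and a truncating open that follows it. The following is an added example that plays the attack out against a throwaway directory and shows the two fixes; it is not code from any of those packages. The program name "prog", the pid-based temporary name and the sandbox under /tmp are assumptions of the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern, as used by the scripts listed above (a fixed
 * $TMPDIR/prog.$$ name opened with a plain truncating open). fopen(..., "w")
 * follows a symlink, so a link planted at that name redirects the write to
 * whatever file the attacker chose. */
static int write_truncating(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Fail-closed variant for code that must keep a fixed name: O_CREAT|O_EXCL
 * refuses if anything, including a symlink, already exists there, and
 * O_NOFOLLOW refuses to follow a symlink. The program stops instead of
 * clobbering the target; EEXIST here is worth logging as an attack. */
static int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t r = write(fd, data, strlen(data));
    close(fd);
    return r < 0 ? -1 : 0;
}

/* Preferred fix: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, so there is no name for the attacker to plant in advance. */
static int write_mkstemp(char *tmpl, const char *data)
{
    int fd = mkstemp(tmpl);               /* tmpl must end in "XXXXXX" */
    if (fd < 0)
        return -1;
    ssize_t r = write(fd, data, strlen(data));
    close(fd);
    return r < 0 ? -1 : 0;
}

/* Plays the attack out in a sandbox directory. mode: 0 = truncating open,
 * 1 = O_EXCL|O_NOFOLLOW on the fixed name, 2 = mkstemp. Returns 1 if the
 * victim file was overwritten, 0 if it survived, -1 on setup failure. */
int symlink_attack_succeeds(int mode)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* sandbox, constructed here */
    if (!mkdtemp(dir))
        return -1;

    char victim[4096], planted[4096], tmpl[4096], buf[64] = "";
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    /* The predictable name: pid-based, exactly what a local attacker can guess. */
    snprintf(planted, sizeof planted, "%s/prog.%d", dir, (int)getpid());
    snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);

    if (write_truncating(victim, "original contents\n") < 0 ||
        symlink(victim, planted) < 0)         /* the attacker gets there first */
        return -1;

    if (mode == 0)
        write_truncating(planted, "attacker-chosen contents\n");
    else if (mode == 1)
        write_exclusive(planted, "attacker-chosen contents\n");  /* fails: EEXIST */
    else if (write_mkstemp(tmpl, "attacker-chosen contents\n") == 0)
        unlink(tmpl);

    FILE *f = fopen(victim, "r");
    if (f) {
        if (!fgets(buf, sizeof buf, f))
            buf[0] = '\0';
        fclose(f);
    }
    int clobbered = strcmp(buf, "original contents\n") != 0;

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("truncating open:   victim overwritten = %d\n", symlink_attack_succeeds(0));
    printf("O_EXCL|O_NOFOLLOW: victim overwritten = %d\n", symlink_attack_succeeds(1));
    printf("mkstemp:           victim overwritten = %d\n", symlink_attack_succeeds(2));
    return 0;
}
```

For shell scripts, the equivalent of the mkstemp() path is mktemp(1) (or mktemp -d for a working directory); the O_EXCL variant only stops the overwrite, it does not stop a local attacker from making the program fail on demand.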

OpenSSL: information leak

Package(s):openssl CVE #(s):CAN-2005-0109
Created:May 23, 2005 Updated:October 11, 2005
Description: Hyper-Threading technology, as used in FreeBSD and other operating systems and implemented on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. See this LWN article for more information.
Alerts:
Trustix TSLSA-2005-0028 2005-06-13
Mandriva MDKSA-2005:096 2005-06-06
Red Hat RHSA-2005:476-01 2005-06-01
Fedora FEDORA-2005-390 2005-05-23
Fedora FEDORA-2005-389 2005-05-23

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

php4: integer overflow and denial of service

Package(s):php4 CVE #(s):CAN-2005-1042 CAN-2005-1043
Created:April 14, 2005 Updated:July 13, 2005
Description: The php4 EXIF module has two vulnerabilities. An integer overflow in the exif_process_IFD_TAG() function can be exploited to cause a buffer overflow for the purpose of arbitrary code execution. EXIF headers with a large IFD nesting level can be used to cause a denial of service. Remote exploits are possible.
Alerts:
Fedora-Legacy FLSA:155505 2005-07-10
Red Hat RHSA-2005:406-01 2005-05-04
Red Hat RHSA-2005:405-01 2005-04-28
Mandriva MDKSA-2005:072 2005-04-18
Ubuntu USN-112-1 2005-04-14

Comments (none posted)

phpbb: arbitrary command execution

Package(s):phpbb CVE #(s):
Created:July 4, 2005 Updated:July 6, 2005
Description: Ron van Daal discovered a vulnerability in the phpBB highlighting code that can allow an attacker to execute arbitrary code with the privileges of the web server.
Alerts:
Gentoo 200507-03 2005-07-04

Comments (none posted)

php-pear: remote code execution

Package(s):php-pear CVE #(s):CAN-2005-1921
Created:July 1, 2005 Updated:July 29, 2005
Description: The PEAR XMLRPC implementation has a vulnerability that can be exploited for remote code execution. See this report from GulfTech Security Research. This vulnerability affects a large number of PHP web applications.
Alerts:
Fedora-Legacy FLSA:163559 2005-07-28
Conectiva CLA-2005:980 2005-07-14
Gentoo 200507-15 2005-07-15
Debian DSA-746-1 2005-07-13
Slackware SSA:2005-192-02 2005-07-12
Slackware SSA:2005-192-01 2005-07-12
Gentoo 200507-08 2005-07-10
Debian DSA-747-1 2005-07-10
Gentoo 200507-07 2005-07-10
Debian DSA-745-1 2005-07-10
SuSE SUSE-SA:2005:041 2005-07-08
Red Hat RHSA-2005:564-01 2005-07-07
Gentoo 200507-06 2005-07-06
Ubuntu USN-147-2 2005-07-06
Ubuntu USN-147-1 2005-07-05
Fedora FEDORA-2005-518 2005-07-05
Fedora FEDORA-2005-517 2005-07-05
Gentoo 200507-01 2005-07-03
Mandriva MDKSA-2005:109 2005-06-30

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: EXECUTE privilege vulnerability

Package(s):postgresql CVE #(s):CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247
Created:February 10, 2005 Updated:July 19, 2005
Description: postgresql has a vulnerability in which the EXECUTE privilege may not be checked on custom functions. This may allow any database user to circumvent the EXECUTE restriction on functions.
Alerts:
Fedora-Legacy FLSA:152844 2005-07-16
Trustix TSLSA-2005-0015 2005-04-25
SuSE SUSE-SA:2005:027 2005-04-20
SuSE SUSE-SR:2005:008 2005-03-18
SuSE SUSE-SR:2005:006 2005-02-25
Fedora FEDORA-2005-158 2005-02-22
Fedora FEDORA-2005-157 2005-02-22
Mandrake MDKSA-2005:040 2005-02-17
Red Hat RHSA-2005:150-01 2005-02-16
Debian DSA-683-1 2005-02-15
Red Hat RHSA-2005:138-01 2005-02-15
Gentoo 200502-19 2005-02-14
Ubuntu USN-79-1 2005-02-10

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

razor-agents: denial of service

Package(s):razor-agents CVE #(s):
Created:June 23, 2005 Updated:July 6, 2005
Description: The Vipul's Razor spam-detection framework has multiple vulnerabilities: processing of malformed messages can send the software into an infinite loop, allowing a remote denial of service.
Alerts:
Debian DSA-738-1 2005-07-05
SuSE SUSE-SA:2005:035 2005-06-23

Comments (none posted)

RealPlayer HelixPlayer arbitrary code execution

Package(s):RealPlayer HelixPlayer CVE #(s):CAN-2005-1766 CAN-2005-1277
Created:June 27, 2005 Updated:July 6, 2005
Description: RealNetworks has fixed vulnerabilities in RealPlayer and HelixPlayer which could allow an attacker to run arbitrary code on a user's machine; the company reports no known compromises resulting from them.
Alerts:
Gentoo 200507-04 2005-07-06
Red Hat RHSA-2005:523-02 2005-07-05
SuSE SUSE-SA:2005:037 2005-06-27
Fedora FEDORA-2005-484 2005-06-25
Fedora FEDORA-2005-483 2005-06-25

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the Roaring Penguin PPP-over-Ethernet client. When the program is installed setuid root (which is not the case in a default Debian installation), a local attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) ships an XML-RPC server library which a remote client can make execute arbitrary commands by sending a crafted request; any XML-RPC server built on it is affected.
Alerts:
Gentoo 200510-05 2005-10-06
Red Hat RHSA-2005:543-01 2005-08-05
Mandriva MDKSA-2005:118 2005-07-12
Gentoo 200507-10 2005-07-11
Debian DSA-748-1 2005-07-10
Ubuntu USN-146-1 2005-06-29
Fedora FEDORA-2005-475 2005-06-22
Fedora FEDORA-2005-474 2005-06-22

Comments (none posted)

samba: integer overflow vulnerability

Package(s):samba CVE #(s):CAN-2004-1154
Created:December 16, 2004 Updated:July 19, 2005
Description: Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server.
Alerts:
Fedora-Legacy FLSA:152874 2005-07-15
Debian DSA-701-2 2005-04-21
Debian DSA-701-1 2005-03-31
Conectiva CLA-2005:913 2005-01-06
Red Hat RHSA-2005:020-01 2005-01-05
Mandrake MDKSA-2004:158 2004-12-27
SuSE SUSE-SA:2004:045 2004-12-22
Red Hat RHSA-2004:681-01 2004-12-21
Fedora FEDORA-2004-562 2004-12-20
Fedora FEDORA-2004-561 2004-12-20
Gentoo 200412-13 2004-12-17
Ubuntu USN-41-1 2004-12-17
OpenPKG OpenPKG-SA-2004.054 2004-12-17
Red Hat RHSA-2004:670-01 2004-12-16

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified vulnerability which allows an attacker to deny service to the SpamAssassin daemon by sending it a specially crafted message.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

SpamAssassin: denial of service

Package(s):spamassassin CVE #(s):CAN-2005-1266
Created:June 17, 2005 Updated:July 28, 2005
Description: SpamAssassin 3.0.4 was released to fix a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain mis-formatted long message headers to cause spam checking to take a very long time.
Alerts:
OpenPKG OpenPKG-SA-2005.015 2005-07-28
Debian DSA-736-2 2005-07-07
Gentoo 200506-17:02 2005-06-21
Debian DSA 736-1 2005-07-01
Mandriva MDKSA-2005:106 2005-06-28
Red Hat RHSA-2005:498-01 2005-06-23
SuSE SUSE-SA:2005:033 2005-06-22
Gentoo 200506-17 2005-06-21
Fedora FEDORA-2005-428 2005-06-16
Fedora FEDORA-2005-427 2005-06-16

Comments (none posted)

squid: DNS spoofing

Package(s):squid CVE #(s):CAN-2005-1519
Created:May 18, 2005 Updated:July 13, 2005
Description: The squid proxy server performs DNS lookups in a way which is susceptible to answers injected by a hostile user, and, thus, DNS spoofing attacks.
Alerts:
Debian DSA-751-1 2005-07-11
Mandriva MDKSA-2005:104 2005-06-24
Red Hat RHSA-2005:415-01 2005-06-14
Red Hat RHSA-2005:489-01 2005-06-13
Ubuntu USN-129-1 2005-05-18
Fedora FEDORA-2005-373 2005-05-17

Comments (none posted)

SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28

Comments (none posted)

SquirrelMail: several XSS vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-1769
Created:June 21, 2005 Updated:September 16, 2005
Description: Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.
Alerts:
Fedora-Legacy FLSA:163047 2005-09-14
Fedora FEDORA-2005-780 2005-08-22
Fedora FEDORA-2005-779 2005-08-22
Red Hat RHSA-2005:595-02 2005-08-05
Red Hat RHSA-2005:595-01 2005-08-03
Debian DSA-756-1 2005-07-13
Mandriva MDKSA-2005:108 2005-06-30
Gentoo 200506-19 2005-06-21

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: denial of service

Package(s):tcpdump CVE #(s):CAN-2005-1267
Created:June 9, 2005 Updated:October 10, 2005
Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops.
Alerts:
Debian DSA-854-1 2005-10-09
Slackware SSA:2005-195-10 2005-07-15
Ubuntu USN-141-1 2005-06-21
Mandriva MDKSA-2005:101 2005-06-15
Fedora FEDORA-2005-407 2005-06-16
Gentoo 200505-06:02 2005-05-09
Red Hat RHSA-2005:505-01 2005-06-13
Fedora FEDORA-2005-406 2005-06-09

Comments (none posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

telnet: buffer overflows

Package(s):telnet CVE #(s):CAN-2005-0468 CAN-2005-0469
Created:March 28, 2005 Updated:August 1, 2005
Description: Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
Alerts:
Slackware SSA:2005-210-01 2005-08-01
Debian DSA-765-1 2005-07-22
Fedora-Legacy FLSA:154276 2005-07-24
Fedora-Legacy FLSA:152583 2005-07-11
Debian DSA-731-1 2005-06-02
Gentoo 200504-28 2005-04-28
Gentoo 200504-04 2005-04-06
Debian DSA-703-1 2005-04-01
Gentoo 200504-01 2005-04-01
Gentoo 200503-36 2005-03-31
Red Hat RHSA-2005:330-01 2005-03-30
Mandrake MDKSA-2005:061 2005-03-29
Fedora FEDORA-2005-274 2005-03-30
Fedora FEDORA-2005-277 2005-03-30
Fedora FEDORA-2005-270 2005-03-29
Fedora FEDORA-2005-269 2005-03-29
SuSE SUSE-SR:2005:009 2005-03-29
Debian DSA-699-1 2005-03-29
Debian DSA-697-1 2005-03-29
Red Hat RHSA-2005:327-01 2005-03-28

Comments (none posted)

Tor: information disclosure

Package(s):tor CVE #(s):
Created:June 21, 2005 Updated:August 25, 2005
Description: A bug in Tor allows attackers to view arbitrary memory contents from an exit server's process space. A remote attacker could exploit the memory disclosure to gain sensitive information and possibly even private keys.
Alerts:
Gentoo 200508-16 2005-08-25
Gentoo 200506-18 2005-06-21

Comments (none posted)

trac: file upload vulnerability

Package(s):trac CVE #(s):
Created:June 22, 2005 Updated:July 6, 2005
Description: Versions of trac prior to 0.8.4 suffer from an input validation error which can lead to the uploading of files to undesired locations on the host system.
Alerts:
Debian DSA-739-1 2005-07-06
Gentoo 200506-21 2005-06-22

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

wget: file overwrites and arbitrary code execution

Package(s):wget CVE #(s):CAN-2004-1487 CAN-2004-1488
Created:June 9, 2005 Updated:September 27, 2005
Description: wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.

wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.

Alerts:
Red Hat RHSA-2005:771-01 2005-09-27
Ubuntu USN-145-2 2005-09-06
Ubuntu USN-145-1 2005-06-28
Mandriva MDKSA-2005:098 2005-06-09

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: The SOCKS 5 proxy code in XChat 2.0.x is vulnerable to a stack overflow. Exploitation requires the user to be running XChat through a SOCKS 5 server with SOCKS 5 traversal enabled (it is disabled by default) and to connect to an attacker's custom proxy server; a successful attack may allow the attacker to run arbitrary code with the privileges of the user running the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities; an attacker can craft XPM images which execute malicious code when they are loaded.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

XV: multiple vulnerabilities

Package(s):xv CVE #(s):
Created:April 19, 2005 Updated:July 19, 2005
Description: Greg Roelofs has reported multiple input validation errors in XV image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has reported insufficient validation in the PDS (Planetary Data System) image decoder, format string vulnerabilities in the TIFF and PDS decoders, and insufficient protection from shell meta-characters in malformed filenames. Successful exploitation would require a victim to view a specially created image file using XV, potentially resulting in the execution of arbitrary code.
Alerts:
Slackware SSA:2005-195-02 2005-07-15
Gentoo 200504-17 2005-04-19

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-2096
Created:July 6, 2005 Updated:October 27, 2005
Description: zlib's inflate code contains a buffer overflow which can be triggered by decompressing a corrupted stream. Any program linked against zlib can be crashed, and possibly made to execute arbitrary code, by feeding it such data; where the data arrives over the network, the attack is remote.
Alerts:
Mandriva MDKSA-2005:196 2005-10-26
Debian DSA-797-2 2005-09-28
Fedora FEDORA-2005-565 2005-07-13
Slackware SSA:2005-189-01 2005-07-10
Trustix TSLSA-2005-0034 2005-07-08
Mandriva MDKSA-2005:112 2005-07-06
Fedora FEDORA-2005-523 2005-07-07
Fedora FEDORA-2005-524 2005-07-07
OpenPKG OpenPKG-SA-2005.013 2005-07-07
Ubuntu USN-148-1 2005-07-06
SuSE SUSE-SA:2005:039 2005-07-06
Red Hat RHSA-2005:569-01 2005-07-06
Gentoo 200507-05 2005-07-06
Debian DSA-740-1 2005-07-06

Comments (6 posted)

Events

USENIX Security Symposium

The USENIX Security Symposium is happening starting July 31 in Baltimore. Click below for the details.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.13-rc3, released by Linus on July 12. Changes this time around include a new DES (crypto) implementation with better performance, multi-block operation support in the crypto layer, "almost-skas" mode support for user-mode Linux, a big memory technology device (MTD) update, user-space I/O initiation for InfiniBand, and the long-awaited inotify patch. "There's a bit more changes here than I would like, but I'm putting my foot down now. Not only are a lot of people going to be gone next week for LKS and OLS, but we've gotten enough stuff for 2.6.13, and we need to calm down." See the long-format changelog for the details.

Linus's git repository contains a small number of fixes added after the -rc3 release.

The current -mm tree is 2.6.13-rc2-mm2. Recent changes to -mm include a set of swapper fixes, a big InfiniBand update, and lots of fixes. The class-based kernel resource management patches have since been added for (presumably) 2.6.13-rc3-mm1.

Comments (none posted)

Kernel development news

Some 2.6.13 API changes

The flood of patches going into the mainline 2.6.13 brings with it the usual assortment of changes to the internal kernel API. Here's a subset of those changes.

The configurable HZ patch has been merged. If there is, somehow, code which has survived this far with assumptions about the value of HZ, it should probably be fixed sometime soon.

There is a new timer function:

    int try_to_del_timer_sync(struct timer_list *timer);

This function will make a best effort to delete the timer. Should the timer function actually be running at the time, however, this version will not wait for it to complete; it will return -1 immediately. It can thus be used in interrupt handlers and other contexts where waiting for a timer function to finish is not an option.

The block_device_operations structure has a new member:

    long (*unlocked_ioctl) (struct file *filp, unsigned cmd, 
                            unsigned long arg);

If an unlocked_ioctl() method exists, it will be called (in preference to ioctl()), and the big kernel lock will not be held. Drivers which perform their own locking (which should be all of them, really) can use the new method to avoid the overhead of the BKL.

The netif_rx() function, used by network drivers (when not in NAPI mode) to feed packets into the kernel, has traditionally returned one of several values indicating how congested the system was. The idea was that drivers could use this information to reduce load on the kernel as congestion increases. No drivers do this, however; instead, NAPI is used for high-traffic situations. So netif_rx() now will return one of two values: NETIF_RX_SUCCESS if all is well, or NETIF_RX_DROP if the packet was dropped.

It's also worth noting that the sk_buff structure has changed again, leading to the usual troubles with binary-only drivers.

Authors of PCI drivers who want to squeeze out every bit of DMA performance from their hardware can use a new function to determine the optimal DMA burst size:

    void pci_dma_burst_advice(struct pci_dev *pdev,
                              enum pci_dma_burst_strategy *strat,
                              unsigned long *param);

On return, strat will tell which strategy works best on the current platform. PCI_DMA_BURST_INFINITY says that bursts should simply be made as large as possible; in this case, param contains no information. PCI_DMA_BURST_BOUNDARY tells the driver to not burst across memory boundaries which are a multiple of the value returned in param. And PCI_DMA_BURST_MULTIPLE sets a maximum size (returned in param) on each individual burst.
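As an added illustration, not code from the kernel or from this article, the userspace C function below shows what a driver would do with the advice: it breaks a transfer into bursts under each of the three strategies, stopping short of the boundary for PCI_DMA_BURST_BOUNDARY and capping each burst for PCI_DMA_BURST_MULTIPLE. Only the three strategy names come from the kernel API; the enum's numeric values and the plan_dma_bursts() name are the example's own.

```c
#include <stddef.h>

/* Hypothetical numeric values; only the three names come from the kernel API. */
enum pci_dma_burst_strategy {
    PCI_DMA_BURST_INFINITY,
    PCI_DMA_BURST_BOUNDARY,
    PCI_DMA_BURST_MULTIPLE,
};

/*
 * Turn the advice into a burst plan for a transfer covering
 * [addr, addr + len): the length of each burst is written to out[].
 * Returns the number of bursts, or 0 when param is unusable for the
 * strategy or more than max_out bursts would be needed.
 */
size_t plan_dma_bursts(enum pci_dma_burst_strategy strat, unsigned long param,
                       unsigned long addr, unsigned long len,
                       unsigned long *out, size_t max_out)
{
    size_t n = 0;

    while (len > 0) {
        unsigned long burst;

        switch (strat) {
        case PCI_DMA_BURST_INFINITY:      /* one burst, as large as possible */
            burst = len;
            break;
        case PCI_DMA_BURST_BOUNDARY:      /* stop short of the next multiple of param */
            if (param == 0)
                return 0;
            burst = param - (addr % param);
            break;
        case PCI_DMA_BURST_MULTIPLE:      /* every burst at most param bytes */
            if (param == 0)
                return 0;
            burst = param;
            break;
        default:
            return 0;
        }
        if (burst > len)
            burst = len;
        if (n == max_out)
            return 0;                     /* caller's plan array is too small */
        out[n++] = burst;
        addr += burst;
        len -= burst;
    }
    return n;
}
```

A transfer starting at 0x110 with a 256-byte boundary advice, for instance, gets a first burst of 240 bytes so that the second starts exactly on the boundary; with the "multiple" strategy the alignment of addr is irrelevant and only the cap matters.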

Thomas Graf has contributed a generic text searching mechanism for the kernel. It can handle searching through non-contiguous data, and is designed to work with pluggable searching algorithms. A couple of search modules have been provided: a straight Knuth/Morris/Pratt string matcher and a finite state machine version which provides a limited regular expression mechanism. The initial application for this library is for flexible packet classification in the networking traffic control code, but other uses are possible.

Performing a search requires first setting up a configuration:

    struct ts_config *textsearch_prepare(const char *algorithm,
                                         const void *pattern,
                                         unsigned int patlen,
                                         int gfp_mask, int flags);

Here, algorithm is the searching algorithm to use; "kmp" will get Knuth/Morris/Pratt. pattern is the actual pattern to search for; patlen is its length. The usual memory allocation flags are provided in gfp_mask, and flags is for search-specific flags. Currently, the only flag is TS_AUTOLOAD, which allows the kernel to load a module implementing the desired search algorithm, if necessary. The return value is a pointer to a configuration structure to be used with the other functions, or an error value (as determined by IS_ERR()).

A ts_config structure, once initialized, can be reused as many times as desired. It contains no per-search state, so it can be used in parallel searches as well. When the structure is no longer needed, it should be returned with a call to textsearch_destroy().

If the data to be searched is a single, contiguous block, then searching is a matter of calling:

    unsigned int textsearch_find_continuous(struct ts_config *config,
                                            struct ts_state *state,
                                            const void *data,
                                            unsigned int datalen);
    unsigned int textsearch_next(struct ts_config *config,
                                 struct ts_state *state);

For these calls, config is a configuration returned from textsearch_prepare(), and state is a local state variable. A call to textsearch_find_continuous() must come first; it will initialize state for a search through the given data array. Both functions will return the offset of the beginning of the match, or UINT_MAX if no (further) match is found.

If the data to be searched is not contiguous in memory, things get a little more complicated. The caller must provide a method which can obtain a pointer to a block of data:

    unsigned int (*get_next_block)(unsigned int consumed,
                                   const u8 **dst,
                                   struct ts_config *config,
                                   struct ts_state *state);

This function will be called by the textsearch code when it needs more data to look through. It should locate the first byte beyond consumed and store its address in *dst. The config pointer will not normally be used; state->cb is a 40-byte "control buffer" which can be used to store data between calls to get_next_block(). The return value is the length of the block, or zero if there is no more data.

Another method:

    void (*finish)(struct ts_config *config, struct ts_state *state);

will be called after each search completes. Note that there can be several get_next_block() calls for each call to finish().

Both of these methods are stored in the ts_config structure; they should be set there after the call to textsearch_prepare(). The first search is performed with:

    unsigned int textsearch_find(struct ts_config *config,
                                 struct ts_state *state);

Subsequent searches can be performed with textsearch_next().
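As an added example, not the kernel's own code, here is a compact userspace C model of the interface described above: a Knuth/Morris/Pratt matcher behind textsearch_prepare(), textsearch_find() and textsearch_next(), with a get_next_block() callback that serves data from a list of fragments, the way a packet spread over several buffers would be. The point it shows is that the matcher's partial-match state is carried across get_next_block() calls, so a pattern that straddles a fragment boundary is still found, and that finish() runs once per search however many blocks were fetched. The fragment list, the constructed HTTP request, the omission of gfp_mask and flags, and the NULL return in place of ERR_PTR() are all simplifications made for the example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char u8;
struct ts_state {
    unsigned int offset;   /* bytes consumed; textsearch_next() resumes here */
    u8 cb[40];             /* control buffer owned by get_next_block() */
};
struct ts_config {
    const u8 *pattern;
    unsigned int patlen, *prefix_tbl;   /* prefix_tbl: KMP failure function */
    unsigned int (*get_next_block)(unsigned int consumed, const u8 **dst,
                                   struct ts_config *conf, struct ts_state *st);
    void (*finish)(struct ts_config *conf, struct ts_state *st);
};

/* Only "kmp" is modelled; NULL stands in for the kernel's ERR_PTR() return. */
struct ts_config *textsearch_prepare(const char *algorithm, const void *pattern,
                                     unsigned int patlen)
{
    struct ts_config *conf;
    unsigned int k = 0, q;
    if (strcmp(algorithm, "kmp") != 0 || patlen == 0)
        return NULL;
    conf = calloc(1, sizeof(*conf));
    conf->prefix_tbl = calloc(patlen, sizeof(unsigned int));
    conf->pattern = pattern; conf->patlen = patlen;
    for (q = 1; q < patlen; q++) {            /* standard KMP table build */
        while (k > 0 && conf->pattern[k] != conf->pattern[q])
            k = conf->prefix_tbl[k - 1];
        if (conf->pattern[k] == conf->pattern[q])
            k++;
        conf->prefix_tbl[q] = k;
    }
    return conf;
}
void textsearch_destroy(struct ts_config *c) { free(c->prefix_tbl); free(c); }

/* Search from st->offset; the KMP state q survives block boundaries. */
unsigned int textsearch_next(struct ts_config *conf, struct ts_state *st)
{
    unsigned int consumed = st->offset, q = 0, i, len, ret = UINT_MAX;
    const u8 *text = NULL;
    while (ret == UINT_MAX &&
           (len = conf->get_next_block(consumed, &text, conf, st)) != 0) {
        for (i = 0; i < len; i++) {
            while (q > 0 && conf->pattern[q] != text[i])
                q = conf->prefix_tbl[q - 1];
            if (conf->pattern[q] == text[i])
                q++;
            if (q == conf->patlen) {          /* match ends at this byte */
                st->offset = consumed + i + 1;
                ret = st->offset - conf->patlen;
                break;
            }
        }
        consumed += len;
    }
    if (conf->finish)
        conf->finish(conf, st);               /* once per search, not per block */
    return ret;
}
unsigned int textsearch_find(struct ts_config *c, struct ts_state *s) { s->offset = 0; return textsearch_next(c, s); }

/* get_next_block() for fragmented data; st->cb holds a pointer to a fragment
 * array terminated by an entry whose data pointer is NULL. */
struct frag { const u8 *data; unsigned int len; };
static unsigned int frag_block(unsigned int consumed, const u8 **dst,
                               struct ts_config *conf, struct ts_state *st)
{
    const struct frag *f; unsigned int start = 0;
    (void)conf; memcpy(&f, st->cb, sizeof(f));
    for (; f->data != NULL; start += (f++)->len)
        if (consumed < start + f->len) {      /* first byte beyond consumed */
            *dst = f->data + (consumed - start);
            return start + f->len - consumed;
        }
    return 0;   /* past the last fragment: no more data */
}

/* Constructed sample: an HTTP request split so that "Host:" straddles the
 * fragment boundary.  Returns the offset of the nth (0-based) match, or UINT_MAX. */
unsigned int find_in_sample_request(const char *pattern, unsigned int nth)
{
    static const u8 a[] = "GET /index.html HTTP/1.1\r\nHo";
    static const u8 b[] = "st: example.org\r\n\r\n";
    const struct frag frags[] = { { a, sizeof a - 1 }, { b, sizeof b - 1 }, { NULL, 0 } };
    const struct frag *fp = frags;
    struct ts_config *conf = textsearch_prepare("kmp", pattern, strlen(pattern));
    struct ts_state st; unsigned int pos;
    if (!conf)
        return UINT_MAX;
    memcpy(st.cb, &fp, sizeof(fp));
    conf->get_next_block = frag_block; conf->finish = NULL;
    for (pos = textsearch_find(conf, &st); nth > 0 && pos != UINT_MAX; nth--)
        pos = textsearch_next(conf, &st);
    textsearch_destroy(conf);
    return pos;
}
```

Note that, as in the kernel's matcher, q is reset to zero at the start of each textsearch_next() call, so matches that overlap a previous match are not reported; a caller walking all occurrences of a self-overlapping pattern has to take that into account.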

Comments (none posted)

PCI error recovery

The PCI bus is the interconnect of choice for the bulk of the architectures supported by Linux. Most peripherals on such systems - including disk, network, and USB controllers - communicate with the CPU via this bus. Linux device drivers (regardless of the bus used) must be written with the idea that the device being controlled can fail. Most drivers, however, assume that the bus used to communicate with the device will work flawlessly. This assumption exists because (1) it tends to be true, and (2) the Linux kernel has never provided an infrastructure which enables drivers to detect (and respond to) PCI errors. Work is under way to provide that infrastructure, however; there are currently two entirely different interfaces being proposed for this role.

The first approach, posted by Linas Vepstas, works by way of callbacks. It enhances the pci_driver structure by adding a new set of methods:

struct pci_error_handlers
{
    enum pci_channel_state error_state;
    int (*error_detected)(struct pci_dev *dev, 
                          enum pci_channel_state error);
    int (*mmio_enabled)(struct pci_dev *dev);
    int (*link_reset)(struct pci_dev *dev);
    int (*slot_reset)(struct pci_dev *dev);
    void (*resume)(struct pci_dev *dev);
};

A PCI driver is not required to supply any of these callbacks. Any driver which will perform PCI error recovery must provide at least error_detected(), however. That method will be called sometime after the PCI subsystem detects an error on the bus; the error parameter will be set to one of these values:

enum pci_channel_state {
    pci_channel_io_normal = 0, /* I/O channel is in normal state */
    pci_channel_io_frozen = 1, /* I/O to channel is blocked */
    pci_channel_io_perm_failure, /* pci card is dead */
};

The error_detected() method should shut down any ongoing I/O operations, but should not attempt to communicate with the adapter itself. This method can take locks and sleep; it is called from process context. The return value tells the error recovery subsystem how to proceed; it can be PCIERR_RESULT_CAN_RECOVER (the driver thinks it will be able to recover just by talking to the adapter), PCIERR_RESULT_NEED_RESET (a hard reset of the adapter will be required), or PCIERR_RESULT_DISCONNECT (the situation is hopeless, and the adapter should be considered permanently dead).

If all drivers on an affected PCI segment think they can recover from the problem, the next step is to turn memory-mapped I/O back on and let the drivers try. To this end, each driver's mmio_enabled() callback will be invoked. This callback should do whatever port banging is required to get the adapter back into a reasonable state, then return one of PCIERR_RESULT_RECOVERED (it worked), PCIERR_RESULT_NEED_RESET (it failed, try resetting), or PCIERR_RESULT_DISCONNECT (it failed, abandon all hope). Regardless of the outcome, the driver should not restart I/O from this callback.

The link_reset() method is similar to mmio_enabled(), but it is only applicable for PCI-Express adapters which might be fixable via a link reset operation. The return codes are the same as for mmio_enabled().

If a reset is called for, the PCI subsystem will perform the reset, then call slot_reset() to let the driver know. The driver should attempt to bring the adapter back to a working state, re-download firmware, etc., then return a status code indicating whether things worked or not. If reinitialization fails, it is possible that slot_reset() could be called more than once as the PCI subsystem employs an increasingly large hammer.

Finally, if all seems to be well, the driver's resume() callback will be called; this is the point where I/O operations can be restarted.
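As an added example, not code from either patch, the following userspace C model shows the sequence the core would drive a segment's drivers through, with a hypothetical NIC driver whose firmware download fails on the first slot reset so that slot_reset() is called twice. The numeric values of the PCIERR_RESULT_* codes (chosen so that the worst verdict is the largest), the max_resets bound, the tiny pci_dev stand-in, and the assumption that a driver without an mmio_enabled() method needs a reset are all the example's own.

```c
#include <stddef.h>

struct pci_dev {                 /* stand-in with only the fields this model needs */
    const char *name;
    int io_running, firmware_loaded, resets_seen;
};

enum pci_channel_state {
    pci_channel_io_normal = 0,   /* I/O channel is in normal state */
    pci_channel_io_frozen = 1,   /* I/O to channel is blocked */
    pci_channel_io_perm_failure, /* pci card is dead */
};

/* Hypothetical numeric values, ordered so the worst verdict is the largest. */
enum pcierr_result { PCIERR_RESULT_RECOVERED = 1, PCIERR_RESULT_CAN_RECOVER,
                     PCIERR_RESULT_NEED_RESET, PCIERR_RESULT_DISCONNECT };

struct pci_error_handlers {
    enum pci_channel_state error_state;
    int (*error_detected)(struct pci_dev *dev, enum pci_channel_state error);
    int (*mmio_enabled)(struct pci_dev *dev);
    int (*link_reset)(struct pci_dev *dev);
    int (*slot_reset)(struct pci_dev *dev);
    void (*resume)(struct pci_dev *dev);
};

static int worst(int a, int b) { return a > b ? a : b; }

/* Model of the core's side for one PCI segment: every driver is asked at each
 * step and the worst answer decides for all.  max_resets bounds the retries. */
int pci_recover_segment(struct pci_dev **dev, const struct pci_error_handlers **h,
                        size_t n, enum pci_channel_state err, int max_resets)
{
    int verdict = PCIERR_RESULT_CAN_RECOVER, tries = 0;
    size_t i;

    for (i = 0; i < n; i++)                   /* 1: stop I/O, no device access */
        verdict = worst(verdict, h[i]->error_detected(dev[i], err));

    if (verdict == PCIERR_RESULT_CAN_RECOVER) {   /* 2: MMIO back on, let them try */
        verdict = PCIERR_RESULT_RECOVERED;
        for (i = 0; i < n; i++)               /* no mmio_enabled(): assume a reset is needed */
            verdict = worst(verdict, h[i]->mmio_enabled ?
                            h[i]->mmio_enabled(dev[i]) : PCIERR_RESULT_NEED_RESET);
    }
    while (verdict == PCIERR_RESULT_NEED_RESET && tries++ < max_resets) {
        verdict = PCIERR_RESULT_RECOVERED;    /* 3: reset the slot, then slot_reset() */
        for (i = 0; i < n; i++) {
            dev[i]->resets_seen++;            /* stands in for the bus-level reset */
            dev[i]->firmware_loaded = 0;
            verdict = worst(verdict, h[i]->slot_reset ?
                            h[i]->slot_reset(dev[i]) : PCIERR_RESULT_DISCONNECT);
        }
    }
    if (verdict != PCIERR_RESULT_RECOVERED)
        return PCIERR_RESULT_DISCONNECT;      /* out of options: adapter is dead */
    for (i = 0; i < n; i++)                   /* 4: all well, restart I/O */
        if (h[i]->resume)
            h[i]->resume(dev[i]);
    return PCIERR_RESULT_RECOVERED;
}

/* Hypothetical NIC driver: a frozen channel needs a slot reset, and the
 * firmware download after the first reset fails. */
static int nic_error_detected(struct pci_dev *dev, enum pci_channel_state err)
{
    dev->io_running = 0;                      /* quiesce; do not touch the adapter */
    return err == pci_channel_io_perm_failure ? PCIERR_RESULT_DISCONNECT
                                              : PCIERR_RESULT_CAN_RECOVER;
}
static int nic_mmio_enabled(struct pci_dev *dev)
{
    (void)dev;                                /* a status read would show it wedged */
    return PCIERR_RESULT_NEED_RESET;
}
static int nic_slot_reset(struct pci_dev *dev)
{
    dev->firmware_loaded = dev->resets_seen >= 2;   /* first download fails */
    return dev->firmware_loaded ? PCIERR_RESULT_RECOVERED : PCIERR_RESULT_NEED_RESET;
}
static void nic_resume(struct pci_dev *dev) { dev->io_running = 1; }

static const struct pci_error_handlers nic_err_handlers = {
    .error_detected = nic_error_detected, .mmio_enabled = nic_mmio_enabled,
    .slot_reset = nic_slot_reset, .resume = nic_resume,
};

/* Run the sample NIC through a recovery; its final state is copied to *out. */
int recover_sample_nic(enum pci_channel_state err, int max_resets, struct pci_dev *out)
{
    struct pci_dev nic = { "nic0", 1, 1, 0 };
    struct pci_dev *devs[] = { &nic };
    const struct pci_error_handlers *hs[] = { &nic_err_handlers };
    int verdict = pci_recover_segment(devs, hs, 1, err, max_resets);
    if (out)
        *out = nic;
    return verdict;
}
```

With three resets allowed the NIC comes back after the second slot_reset() and resume() restarts I/O; with only one it is declared dead and I/O stays stopped, which is the behaviour a driver author should expect to have to test for.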

A very different approach is taken by the IOCHK interface posted by Hidetoshi Seto. This patch expects drivers to perform more of their own error checking, but gives more control over the timing of recovery operations.

The IOCHK patch works by defining a new opaque type called iocookie. A driver which is about to engage in a conversation with one of its devices would initialize one of these cookies with:

    void iochk_clear(iocookie *cookie, struct pci_dev *dev);

The driver then performs its device operations, reading and writing memory-mapped I/O registers as necessary. At any point, the driver can check to see whether an error has occurred with:

    int iochk_read(iocookie *cookie);

A non-zero return indicates trouble; should that happen, the driver can respond by resetting the device, disconnecting it, or going into hysterics. There is no core support for operations like resetting adapters.

The obvious question which has been raised is why two interfaces are needed. It seems that some situations are better handled by an asynchronous notification mechanism (such as implemented by Linas's patch), while others are better suited to a synchronous approach. So it may well be that, at some point in the future, the kernel will go from no PCI error handling interfaces to two of them. Before that happens, however, one assumes that some work will be done to unify the underlying support code and to make the two interfaces appear more like parts of a single API.

Comments (none posted)

Manual driver binding and unbinding

July 12, 2005

This article was contributed by Greg Kroah-Hartman.

One new feature in the 2.6.13-rc3 kernel release is the ability to bind and unbind drivers from devices manually from user space. Previously, the only way to disconnect a driver from a device was usually to unload the whole driver from memory, using rmmod.

In the sysfs tree, every driver now has bind and unbind files associated with it:

    $ tree /sys/bus/usb/drivers/ub/
    /sys/bus/usb/drivers/ub/
    |-- 1-1:1.0 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb1/1-1/1-1:1.0
    |-- bind
    |-- module -> ../../../../module/ub
    `-- unbind

In order to unbind a device from a driver, simply write the bus id of the device to the unbind file:

    echo -n "1-1:1.0" > /sys/bus/usb/drivers/ub/unbind

and the device will no longer be bound to the driver:

    $ tree /sys/bus/usb/drivers/ub/
    /sys/bus/usb/drivers/ub/
    |-- bind
    |-- module -> ../../../../module/ub
    `-- unbind

To bind a device to a driver, the device must first not be controlled by any other driver. To ensure this, look for the "driver" symlink in the device directory:

    $ tree /sys/bus/usb/devices/1-1:1.0
    /sys/bus/usb/devices/1-1:1.0
    |-- bAlternateSetting
    |-- bInterfaceClass
    |-- bInterfaceNumber
    |-- bInterfaceProtocol
    |-- bInterfaceSubClass
    |-- bNumEndpoints
    |-- bus -> ../../../../../../bus/usb
    |-- modalias
    `-- power
        `-- state

Then, simply write the bus id of the device you wish to bind into the bind file for that driver:

    echo -n "1-1:1.0" > /sys/bus/usb/drivers/usb-storage/bind

And check that the binding was successful:

    $ tree /sys/bus/usb/devices/1-1:1.0
    /sys/bus/usb/devices/1-1:1.0
    |-- bAlternateSetting
    |-- bInterfaceClass
    |-- bInterfaceNumber
    |-- bInterfaceProtocol
    |-- bInterfaceSubClass
    |-- bNumEndpoints
    |-- bus -> ../../../../../../bus/usb
    |-- driver -> ../../../../../../bus/usb/drivers/usb-storage
    |-- host2
    |   `-- power
    |       `-- state
    |-- modalias
    `-- power
        `-- state

As the example above shows, this capability is very useful for switching devices between drivers which handle the same type of device (both the ub and usb-storage drivers handle USB mass storage devices, like flash drives.)

A number of "enterprise" Linux distributions offer multiple drivers of different version levels in their kernel packages. This manual binding feature will allow configuration tools to pick and choose which devices should be bound to which drivers, allowing users to upgrade only specific devices if they wish to.

In order for a device to bind successfully with a driver, that driver must already support that device. This is why you cannot just arbitrarily bind any device to any driver. To help with the issue of adding support for new devices to drivers after they are built, the PCI system offers a dynamic_id file in sysfs so that user space can write in new device ids that the driver should bind to. In the future, this ability to add new driver IDs to a running kernel will be moved into the driver core to make it available for all buses.
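The unbind/check/bind sequence shown above, written as a small program that verifies each step through the device's driver symlink before going on (added example for this article, not part of the kernel or of any distribution's tooling). The sysfs paths follow the trees shown above; `current_driver()`, `write_bus_id()` and `rebind()` are names assumed here. It must run as root to write to the bind and unbind files, and it refuses to touch a device that is bound to some driver other than the one named.

```c
/* Added example: move a device between two drivers via sysfs, checking the
 * device's "driver" symlink at each step. Function names are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SYSFS_BUS "/sys/bus"   /* layout as in the article's tree listings */

/* Reads devdir/driver. Returns 1 and fills name with the driver's basename
 * when the device is bound, 0 when there is no driver symlink, -1 on error. */
int current_driver(const char *devdir, char *name, size_t len)
{
    char link[PATH_MAX], target[PATH_MAX];
    snprintf(link, sizeof link, "%s/driver", devdir);
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0)
        return errno == ENOENT ? 0 : -1;
    target[n] = '\0';
    const char *base = strrchr(target, '/');
    snprintf(name, len, "%s", base ? base + 1 : target);
    return 1;
}

/* Writes a bus id to a bind or unbind file with no trailing newline, which is
 * what the article's "echo -n" does. Requires root. */
int write_bus_id(const char *path, const char *bus_id)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, bus_id, strlen(bus_id));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(bus_id) ? 0 : -1;
}

/* Moves bus_id from driver `from` to driver `to`, verifying every step. */
int rebind(const char *bus, const char *bus_id, const char *from, const char *to)
{
    char devdir[PATH_MAX], ctl[PATH_MAX], drv[NAME_MAX + 1];
    snprintf(devdir, sizeof devdir, "%s/%s/devices/%s", SYSFS_BUS, bus, bus_id);
    if (access(devdir, F_OK) != 0)
        return -1;                       /* no such device on this bus */

    int bound = current_driver(devdir, drv, sizeof drv);
    if (bound < 0)
        return -1;
    if (bound && strcmp(drv, from) != 0) {
        fprintf(stderr, "%s is bound to %s, not %s; refusing\n", bus_id, drv, from);
        return -1;
    }
    if (bound) {
        snprintf(ctl, sizeof ctl, "%s/%s/drivers/%s/unbind", SYSFS_BUS, bus, from);
        if (write_bus_id(ctl, bus_id) < 0)
            return -1;
        if (current_driver(devdir, drv, sizeof drv) != 0)
            return -1;                   /* driver symlink should be gone now */
    }
    snprintf(ctl, sizeof ctl, "%s/%s/drivers/%s/bind", SYSFS_BUS, bus, to);
    if (write_bus_id(ctl, bus_id) < 0)
        return -1;                       /* fails if `to` does not support this device */
    if (current_driver(devdir, drv, sizeof drv) != 1 || strcmp(drv, to) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s bus bus_id from_driver to_driver\n", argv[0]);
        return 2;
    }
    if (rebind(argv[1], argv[2], argv[3], argv[4]) < 0) {
        perror("rebind");
        return 1;
    }
    printf("%s is now bound to %s\n", argv[2], argv[4]);
    return 0;
}
```

The article's own example corresponds to `rebind usb 1-1:1.0 ub usb-storage`. The check after the bind write is the important one: the write can succeed at the file level while the driver declines the device, and only the driver symlink tells you which driver actually owns it.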

Comments (3 posted)

CFQ v3

Jens Axboe's completely fair queueing (CFQ) I/O scheduler has been regarded by many as the best available in the 2.6 kernel for a while. Said scheduler has just been through another major upgrade which should implement a higher degree of fairness while providing "excellent" throughput for the system as a whole.

One of the big additions this time around is time sharing: processes now get time slices during which they are able to dispatch I/O requests. The scheduler will allow a drive to go idle - briefly - during a process's time slice to give that process an opportunity to generate more I/O requests. In this way, it behaves similarly to the anticipatory scheduler; it allows the process to get the most out of its slice while, hopefully, taking advantage of the locality of that process's requests. If, however, a process's requests end up causing too much seeking, that process will temporarily lose its right to hold the disk idle.

Tied in with the time sharing implementation is the notion of I/O priorities. Each process has its own I/O priority, which, by default, is derived from its CPU priority. Processes with higher priorities will preempt lower-priority processes, while sharing the drive in a round-robin fashion with equal-priority processes. There is also a realtime priority level which does not do round-robin sharing, and an "idle" level which is only allowed to dispatch requests when the drive has been idle for a sufficiently long period.

There is a temporary priority boosting mechanism designed to avoid priority inversion problems when a low-priority process holds important resources.

Two new system calls have been added for working with I/O priorities:

    int ioprio_set(int which, int who, int priority);
    int ioprio_get(int which, int who);

Here, which controls whether the call applies to a single process, process group, or user, and who is the appropriate ID (usually the process ID). A call to ioprio_set() will apply the new priority (subject to the usual permissions checks) while ioprio_get() returns the current value.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

  • Marco Costalba: qgit-0.7. (July 12, 2005)

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Benchmarks and bugs

Miscellaneous

Page editor: Jonathan Corbet

Distributions

Debconf 5 - Debian Derivatives and Custom Debian Distributions

This week your editor had the opportunity to travel to Helsinki, Finland for Debconf5 - thanks to the conference organizers for making this possible! The following article is based on a round table discussion at Debconf5 on Debian Derivatives, led by Benjamin "Mako" Hill, and a talk by Andreas Tille titled 'CDD - Custom Debian Distributions'.

Fledgling distribution projects often use a larger, more established project as a base for beginning development. These days Debian is the most popular distribution to use as a base for creating a new distribution. DistroWatch lists one hundred twenty-nine projects based on Debian. The LWN Distribution list identifies nearly one hundred distributions with roots in Debian.

Some are derived distributions, some are custom Debian distributions (CDDs). What's the difference? CDDs are part of the Debian Project and appear on the Debian CDD website. Anything else can be considered a derivative.

Why is Debian such a popular starting point for CDDs and derivatives? One reason is the large number of packages in the Debian archive, something for almost every special interest. Why create a custom distribution? Most often it's to get a subset of packages to focus on a particular interest, or for a particular language. Whether it's a Chinese desktop or a live CD with a good selection of security tools, many people want more focus from their distribution.

Businesses don't want their employees to have access to thousands of packages, but they may want non-free applications or customized configurations. Many users are overwhelmed by the size and complexity of Debian and they appreciate a smaller distribution focused on their interests. Specialized distributions provide preconfigured, easy to install (or live CD) versions of the software they want, without the clutter of thousands of packages that may not be well described, or not described in a language they understand.

Some packages might be highly inappropriate for some users; for example, the parents of the young children using Debian Jr. might not want them to have access to hot babe. Desktop users in China will appreciate a system where the default interface is in a language they can read. Someone who wants forensic tools on a live CD probably doesn't want a lot of games taking up space on that CD.

From Debian-Med to Skolelinux; Quantian to DeMuDi; smaller and more focused is better. One notable exception to that rule is Ubuntu, which aims for a wide variety of packages for a general purpose audience, though with fewer available platforms and above all a predictable release cycle.

Meanwhile, Debian continues to grow, with more packages available, more maintainers to care for those packages, and support for more architectures. As Debian grows so grows the number of users, the number of derivatives, and, so it seems, the time between releases. Debian's infrastructure is strained with the growth. Some fear a decline in the quality that has made Debian a first class distribution. Derived distributions take some of the strain off, but at a cost.

Even those working on the CDD projects have complained that their patches don't always make it back into the main Debian archive. Certainly while there was a Sarge freeze there were times when patches couldn't be included immediately, but even without that constraint, a common complaint of derived distribution developers was that their patches were often ignored by the package maintainer. In other cases the derivative developers were fixing bugs, improving translations, adding features and making changes without a word to Debian or any other project. All in all there has been considerable duplication of effort between the many projects using Debian, and not nearly enough collaboration.

We have reported previously on Canonical's suite of tools designed to make collaboration easier. Progeny and HP are two more companies that will provide customized Debian distributions, and both companies have been working on tool kits to make that job easier. Better tool kits are only part of the solution.

Everyone agrees that there needs to be better communications between Debian developers and the developers of Debian derivatives. There needs to be better documentation of what changes are made and why these changes were deemed necessary. Generally there needs to be better collaboration between Debian and its offshoots. The Debian Derivers Council has been formed to help with communications and better collaboration. We look forward to seeing some positive results from the various tool kits and the actions of the Council.

This is Rebecca Sobol in Helsinki, Finland.

Comments (none posted)

New Releases

AGNULA/DeMuDi 1.2.1 is out

Version 1.2.1 of the AGNULA/DeMuDi audio distribution has been announced. "This release is the second of the 1.2.x series, and sports a complete integration with Debian, using the Sarge Debian Installer and the CDD (Custom Debian Distributions) concept."

Full Story (comments: none)

Distribution News

Debian Project Leader report for 2005-07-07

Branden Robinson has posted his third report as Debian Project Leader. This report covers the Sarge release, the status of security support, delegation activities, the need for a new hosting site and new hardware, and more.

Full Story (comments: none)

Debian Security Support in Place

The Debian Project's security support system has been fixed. "The Debian project confirms that the security infrastructure for both the current release Debian GNU/Linux 3.1 (alias sarge) and the former release 3.0 (alias woody) is working again. The security team is now able to provide updates on a regular basis again."

Full Story (comments: none)

Bits from the CD team: plans for debian-cd v3.0

Steve McIntyre has sent out an update regarding the Debian-cd effort. "At Debconf we've had a couple of very good discussion sessions about changes that are wanted/needed in debian-cd. Firstly we had several members of the debian-cd team thrash out what we wanted to do for the next version, then a second chat with some more of the debian-cd users to see what they would like us to do for them. I came to Debconf with some ideas of my own for discussion, and several of these other people have thrown extra things into the pot. Here's a summary of what we came up with; I'll follow up to debian-cd with more details."

Full Story (comments: none)

Slackware Changelog Notice

The latest Slackware Changelog Notice is out for July 9, 2005 with coverage of the latest modifications to Slackware.

Full Story (comments: none)

Announcing Launch of ($10m) Ubuntu Foundation

Mark Shuttleworth and Canonical have launched the Ubuntu Foundation, with an initial funding of $10m. "The Ubuntu Foundation will employ core Ubuntu community members to ensure that Ubuntu (www.ubuntu.com) will remain fully supported for an extended period of time, and continue to produce new releases of the distribution. As a first step, the Foundation announces that Ubuntu version 6.04, due for release in April 2006, will be supported for three years on the desktop and five years on the server."

Full Story (comments: 1)

Distribution Newsletters

Debian Weekly News - July 12th, 2005

The July 12, 2005 issue of the Debian Weekly News is online, here's the content summary: "Bill Allombert called for arm porters to support the ARM port of Debian. As this year's Debian conference is taking place now, Debian Planet carries a lot of content from the attending developers."

Full Story (comments: none)

Fedora Weekly News #4

The fourth issue of the Fedora Weekly News is out. This week's topics include an installer crash workaround, Fedora Core 4 books, the preliminary FC5 schedule, and several others.

Comments (none posted)

Gentoo Weekly Newsletter

The July 11, 2005 Gentoo Weekly Newsletter is online.

Full Story (comments: none)

Mandriva Linux Community Newsletter #105

The July 8, 2005 edition of the Mandriva Linux Community Newsletter is online. Topics include: Mandriva acquires Lycoris, Multi Network Firewall 2 released, New Club site beta available to members, Limited Edition 2005 reviewed at playREACTION, and Mandriva Updates.

Full Story (comments: none)

Package updates

Fedora updates

Fedora Core 4 updates system-config-nfs (several fixes), grep (bug fix), kernel (bug fixes, I2C drivers), kdegraphics (bug fix), audit (new interpretive mode, bug fixes), libxml2 (bug fixes), dhcp (bug fixes), lam (bug fixes), vixie-cron (bug fixes), procps (bug fixes), libwnck (new feature), metacity (new feature), gaim (bug fixes), net-snmp (security update), bind (bug fixes), selinux-policy-targeted (policy change). There is also a new set of kernel modules for clustering: GFS-kernel, dlm-kernel, gnbd-kernel, and cman-kernel.

Fedora Core 3 updates dhcp (bug fixes), lam (bug fixes), vixie-cron (bug fixes), procps (bug fixes), gaim (bug fixes), bind (bug fixes).

Comments (none posted)

Mandriva updates drakxtools packages

Mandriva has issued an update advisory for the drakxtools packages; three bugs have been fixed.

Full Story (comments: none)

Slackware Changelog Notice for PHP

Slackware has issued a Changelog Notice that addresses a security issue with the PHP pear-xml_rpc vulnerability.

Full Story (comments: none)

Trustix updates initscripts, php, php4 and pango

Trustix Secure Linux has released a Bugfix Advisory for initscripts, php, php4 and pango.

Full Story (comments: none)

Newsletters and articles of interest

SPI 2005 Annual Report Available

The annual meeting of Software in the Public Interest was held on July 1, 2005. The report covers SPI's finances, elections, board members, committees, member projects, and other significant changes throughout the year.

Full Story (comments: none)

Page editor: Rebecca Sobol

Development

Edit audio file tags with EasyTAG

EasyTAG is a tag editor which supports a variety of audio file types:

EasyTAG is a utility for viewing and editing tags for MP3, MP2, FLAC, Ogg Vorbis, MusePack and Monkey's Audio files. Its simple and nice GTK+ interface makes tagging easier under GNU/Linux.

Tag info is metadata that is embedded in an audio file. Tag fields include the track title, artist, date, genre, album, comments, copyright, URL, Encoder name and even an attached photo.

A condensed feature list of the latest version follows:

  • Supports a wide variety of audio formats.
  • Auto-tagging information can be derived from the song's filename and directory.
  • Supports renaming of files from tag information.
  • Supports global field setting across multiple files.
  • Has one level of undo/redo.
  • Can run batch processes on field data.
  • Can run an external application on a directory or file.
  • Can retrieve CDDB information from Freedb servers.
  • The GUI has windows for browsing selections, generating playlists, and searching files.
  • Features translations for numerous languages.

The software was written in C and uses a GTK-based user interface; it has been licensed under the GNU General Public License. Installation of an older version on a Fedora Core 3 system was fairly easy: it involved locating and installing rpms for the id3lib and flac libraries and installing the EasyTAG rpm files from the project download site (there is also a package in Fedora extras). Packages are available for Debian, Fedora, Mandriva, Slackware, SUSE, NetBSD and MacOSX. Source code can be compiled for other platforms and distributions.

Development version 1.99.7 of EasyTAG was released this week; it features a lot of bug fixes and translation improvements.

Operation of the basic features was easy and obvious; editing tag information on mp3 and ogg files was trivial. The tag information on a test mp3 file showed up on both the mpg123 and mpg321 players with no troubles. EasyTAG will definitely go into this editor's collection of useful audio utilities.

Comments (9 posted)

System Applications

Database Software

ZODB 3.2.9 final released

Version 3.2.9 final of ZODB, the Zope Object Database, is out. "In addition to minor bugfixes, there is one critical bugfix in 3.2.9, concerning data consistency after a subtransaction commit. This was discovered by code inspection, and a test case showing the problem was constructed from that analysis."

Full Story (comments: none)

Interoperability

Samba 3.0.20 pre2 Available

Preview release 2 of Samba 3.0.20 has been announced. "There has been a substantial amount of development since the 3.0.14a stable release (and since the 3.0.20pre1 release as well). We would like to ask the Samba community for help in testing these changes as we work towards the next official, production Samba 3.0 release. This is the last anticipated preX release before moving onto the Release Candidate state of testing."

Full Story (comments: none)

LDAP Software

LAT 0.6 Released

Version 0.6 of LAT, the LDAP Administration Tool, is out. It features Active Directory support, initial Samba support, GNOME Keyring support, bug fixes, and more.

Full Story (comments: none)

Networking Tools

iptables 1.3.2 released

Version 1.3.2 of the iptables network filtering system has been announced. "The final 1.3.2 version contains accumulated bugfixes to the last 1.3.1 version. No new targets/matches have been added."

Full Story (comments: none)

Web Site Development

Custom-Compiling Apache and Subversion (O'ReillyNet)

Manni Wood looks at the use of Subversion with Apache on O'Reilly. "Subversion is a useful, powerful, and modern revision-control system that builds on well-understood and powerful tools including Apache. This layering has many benefits--and drawbacks, if the defaults aren't quite right for you. You can compile them yourself, though; Manni Wood demonstrates how."

Comments (none posted)

MediaWiki 1.4.6, 1.5beta3 released (SourceForge)

Versions 1.4.6 and 1.5 beta 3 of MediaWiki have been released; they address a security issue. "Incorrect escaping of a parameter in the page move template could be used to inject JavaScript code by getting a victim to visit a maliciously constructed URL. Users of vulnerable releases are recommended to upgrade to this release."

Comments (none posted)

Desktop Applications

Audio Applications

liboggz 0.9.2 Released

Version 0.9.2 of liboggz, an interface and command-line tool set for reading and writing Ogg files and streams, is out. Changes include improved examples, build improvements, and bug fixes.

Full Story (comments: none)

Desktop Environments

Dropline GNOME 2.10.2 is here! (GnomeDesktop)

Version 2.10.2 of dropline GNOME has been announced. "The wait is over! We're proud to announce dropline GNOME 2.10.2, the third in the series of our "All Roads Lead to GNOME" releases. This release incorporates several updates for the GNOME 2.10 desktop and development platform, as well as several months of refinement, to produce our best release to date."

Comments (none posted)

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE Commit Digest for July 8, 2005 (KDE.News)

KDE.News has announced the July 8, 2005 edition of the KDE Commit-Digest. Here is the table of contents: "KPDF can now open PS files. Kexi form designer supports drag and drop of database fields to create forms. Krita now has a pixelize filter, bumpmapping and watercolor painting. KRDC now has KWallet support. KRecipes improves printing. Also bug fixes and speedups in khtml."

Comments (1 posted)

KDE Software Announcements

The following new KDE software has been announced this week:

Comments (none posted)

Desktop Publishing

Announce Scribus 1.2.2.1

Version 1.2.2.1 of the Scribus desktop publishing application is out. "The Scribus team urges all users and distros to use this latest release. We have replaced our 1.2.2 release with this release to fix one issue and update some documentation."

Full Story (comments: none)

Electronics

Kicad release 2005-07-04

Release 2005-07-04 of Kicad, an electronic schematic capture and printed circuit CAD application, is available. It features bug fixes.

Comments (none posted)

Financial Applications

SQL-Ledger version 2.4.13 released

Version 2.4.13 of SQL-Ledger, a web-based accounting system, has been released. It features new point of sale buttons, bug fixes, translation work, and more.

Comments (none posted)

Fonts and Images

Open Clip Art Library Release 0.15 Announcement (GnomeDesktop)

GnomeDesktop.org covers the latest release of the Open Clip Art Library. "Release 0.15 of the Open Clip Art Library is now on-line for download as an individual package consisting of 4336 images submitted by over 430 artists from around the world. The amount of high quality clip art has increased much with the inclusion of Nicu Buculei's Playing Cards collection and Gerald Ganson's package submission."

Comments (none posted)

Graphics

Coin3D 2.4.3 released

Version 2.4.3 of Coin3D, a 3D graphics library with SGI Open Inventor compatibility, has been released. "Yesterday's Coin 2.4.2 release contained a couple of ugly regressions. They are now fixed, and here is the new 2.4.3 patchlevel release."

Comments (none posted)

Medical Applications

FreeB2 Standalone Released (LinuxMedNews)

LinuxMedNews covers the release of the standalone version of FreeB, a Medical Billing engine. "FreeB supports X12 837p and CMS(HCFA) 1500 formats. FreeB is a standalone engine, it can interface with any practice management system or EMR to provide medical billing capabilities to that system. FreeB is the sister project of ClearHealth."

Comments (none posted)

Multimedia

libannodex 0.7.0 Released

Version 0.7.0 of libannodex, a C library that supports the reading and writing of Annodex media, is out. Changes include CMML 2.1 support, build fixes, and more.

Full Story (comments: none)

Web Browsers

Firefox 1.0.5 is out

Mozilla Firefox 1.0.5 is available. This release contains a number of security fixes and general bug fixes; an upgrade is recommended. See the release notes for details and downloads.

Comments (8 posted)

Google Releases Toolbar and Extensions for Mozilla Firefox (MozillaZine)

MozillaZine looks at a new Google Toolbar for the Firefox browser. "Search engine giant Google today improved its offerings for Mozilla Firefox, launching a beta version of its Google Toolbar for Firefox and also two experimental Google Firefox extensions. Previously, the Google Toolbar — a browser add-on that offers easy access to Google's search and other features — has only been available to users of Microsoft Internet Explorer."

Comments (none posted)

Deer Park Alpha 2 Candidate Builds Available (MozillaZine)

The alpha 2 candidate builds of Deer Park, the Mozilla Firefox 1.1 testing release, have been announced. "As previously reported, Deer Park is the codename for Mozilla Firefox 1.1 and is being used by the Mozilla Foundation to refer to the 1.1 alpha releases in an attempt to dissuade end-users from downloading them. In addition to testers of the program itself, Deer Park Alpha 2 is intended to be used by extension, theme and Web application developers for compatibility and feature testing." More information is available here.

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

MozillaZine has announced the minutes from the June 27, 2005 mozilla.org staff meeting. "Issues discussed include releases and the QA planning meeting."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the July 6, 2005 mozilla.org staff meeting have been announced. "Issues discussed include releases, server transition and marketing."

Comments (none posted)

Miscellaneous

G11NToolKit 1.2.0 (SourceForge)

Version 1.2.0 of the G11NToolKit is out with changes to the package naming conventions. "The G11NToolKit is a set of Java classes that can be used to aid in extracting and preparing source code strings for translation. The classes are designed to work together to accomplish the tasks desired. The tool kit is intended to be used in a defined process in conjunction with other translation tools."

Comments (none posted)

Languages and Tools

C

GCC 4.0.1 released

Version 4.0.1 of GCC, the GNU Compiler Collection, has been released. The change log details the fixed bugs.

Comments (none posted)

Caml

Caml Weekly News

The July 12, 2005 edition of the Caml Weekly News is online. Take a look for the latest Caml articles. Topics include: Sparse structure, LablGtkSourceView, Line printer daemon, Polymorphic map and OO syntax extension, LablPCRE - a PCRE binding for Objective Caml and Wyrd 1.0.0.

Full Story (comments: none)

Groovy

Programming Tools: Java Scripting Languages (Linux Journal)

Reg. Charney introduces Jython and Groovy in a Linux Journal article. "I recently returned from JavaOne 2005 in San Francisco. The show was impressive for a number of reasons. The attendance seemed to be about 30% larger than last year's. The same could be said for the number of tutorials, sessions and BOFs. For example, there were enough BOFs to run until 11:00pm at night. Many of the sessions were filled to capacity, with over 600 attendees each technical presentation. Given my strong background in C++, I am used to a more amorphous attitude toward languages. Therefore, I was surprised to see that there still is a vibrancy to Java that I do not see with C++."

Comments (1 posted)

Perl

This Week in Perl 6 (O'Reilly)

The June 29-July 5, 2005 edition of This Week in Perl 6 is online with the latest Perl 6 development news.

Comments (none posted)

PHP

PHP 4.4.0 Released

PHP version 4.4.0 has been released. "This is a maintenance release that addresses a serious memory corruption problem within PHP concerning references. If references were used in a wrong way, PHP would often create memory corruptions which would not always surface and be visible. In other cases it can cause variables and objects to change type or class. If you encountered strange behavior like this, this release might fix it." See the change log for more details.

Comments (none posted)

Python

python-dev Summary

The June 15-30, 2005 edition of the python-dev Summary is online with coverage of activity on the python-dev mailing list.

Full Story (comments: none)

Ruby

Ruby Weekly News

The July 10th, 2005 edition of the Ruby Weekly News summarizes the latest discussions on the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The July 12, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk news and resources.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The BBC seeks escape from patent minefield (InfoWorld)

Here's an InfoWorld article on the BBC's efforts to create an open-source, patent-free multimedia codec. "The obvious losers in that kind of deal are open source projects, which often are but loosely knit groups of individuals in no position to pay any kind of fee, no matter how 'reasonable.' But potential users of those projects lose, as well. Consider the growing number of people in the developing world who rely on open source for all their computing needs, and you'll see how patent-encumbered technologies do not pose a long-term solution for a media organization with a mission similar to the BBC's."

Comments (11 posted)

Vendors Team on Debian-Based Enterprise Linux (eWeek)

eWeek looks at plans for a new collaborative distribution effort that will be based on Debian. "Sources close to Mandriva, Progeny and Turbolinux say the trio of companies will be announcing a new enterprise Linux distribution based on Debian Linux at the LinuxWorld event in San Francisco in August. This new enterprise distribution, which may include other companies as well, will be built on the foundation of the Debian 3.1 "Sarge" Linux distribution."

Comments (12 posted)

Spammers Most Likely Users Of E-Mail Authentication (TechWeb)

TechWeb reports that, as expected by many, email authentication schemes have done little for the spam problem. "MX Logic tracked a sampling of 17.7 million messages that passed through its servers from June 19 through June 25, and found that of the 9 percent from domains with published SPF records, 84 percent was spam. Of the even smaller number of messages from domains with published Sender ID records (just 0.14 percent), 83 percent were spam."

Comments (23 posted)

The SCO Problem

New trial date in IBM-SCO case (News.com)

News.com covers the new trial date in the IBM vs. SCO case. "U.S. District Court Judge Dale Kimball reset the trial date to Feb. 26, 2007, in SCO's lengthy and contentious legal battle against IBM, which focuses on allegations that the computer maker infringed on SCO's intellectual property. Previously, the trial was scheduled to begin on Nov. 1."

Comments (9 posted)

Companies

LimeWire: Open source brings commercial success (NewsForge)

NewsForge looks at the business behind LimeWire, an open source Gnutella client. "On the development side, LimeWire LLC engages open source developers by paying bounties for features. Small bounties, listed as being 'good for beginners,' pay $50; medium bounties, 'good for learning the intricacies of the code,' pay $200; and large bounties, for projects that are 'difficult, but very useful,' pay $500."

Comments (6 posted)

Microsoft Surprises with Linux 'Hands-On Lab' (eWeek)

eWeek reports on a hands-on Linux lab conducted by Microsoft at its annual worldwide partner show. "Titled "Linux and Open Source: Understanding the Competitive Challenge," and run by Don Johnson, an electrical engineer from Techstream Inc., the lab let attendees, many of whom were not familiar with Linux, experiment with KDE (K Desktop Environment) as well as see the Apache Web server in action. In addition, Johnson, who has been a system administrator and is familiar with both Microsoft and open-source solutions, gave them an overview of some Linux concepts and what he believed were the key tradeoffs between Windows and Linux. However, it was clear that his bias lay firmly on the Windows side for the most part."

Comments (8 posted)

Business

Database vendors eye open-source effect (News.com)

News.com examines the effect of open source offerings on the database market. "But the effects of open-source pricing and products are already being felt, according to Noel Yuhanna, an analyst at Forrester Research. 'The pressure is on and is starting to build up,' Yuhanna said. Established database vendors 'will be lowering prices in large deals, probably offering more discounts just from the pressure of open source.'"

Comments (4 posted)

Legal

Re-grokking Grokster (Linux Journal)

Linux Journal's Doc Searls examines the effect of the MGM v. Grokster ruling on the spread of new technology. "Mark Cuban, for example, is an exceptionally innovative American individual who works on both sides of the Entertainment/Technology fence. From Broadcast.com to the Dallas Mavericks to HDnet to his own TV show, Mark knows how the games are played and has played them all very well. He's smart, shrewd and nobody's fool.* At the Web 2.0 conference last fall, he said, "When you're sitting around a table at a tough negotiation, you need to look around and see who the sucker is. If you don't find one, it's you.""

Comments (4 posted)

The coming Web security woes (News.com)

Here's a News.com article (from last week) on a proposed new U.S. data security law. "Anyone who runs a Web site with registered users and receives income from it (Blogads and Google Ads count) should be concerned. The Specter-Leahy bill says that if that site's list of user IDs or e-mail addresses is compromised, each registered user must be notified via U.S. mail or telephone. Refusal to do so can be punished with $55,000-a-day fines and prison time of up to five years." How many such sites even have postal mail addresses or phone numbers for their users?

Comments (47 posted)

Interviews

Ian Murdock on the Debian Core Consortium and Ubuntu Foundation (ZDNet)

ZDNet talks with Ian Murdock about the Debian Core Consortium and Ubuntu. "Debian is increasingly just another upstream source for [Ubuntu]. Personally, I think this is a huge mistake on their part - sure, they have lots of momentum, but that's largely because Debian seemed to be faltering for a little while. But now that sarge is out there, the real momentum is behind Debian again, though Ubuntu still has momentum on the desktop side. If I were them, I'd continue focusing on that. I certainly wouldn't be so eager to unhook from the Debian train just yet."

Comments (26 posted)

Cornelius Schumacher on KConfig XT (KDE.News)

KDE.News interviews Cornelius Schumacher about KConfig XT. "C.S.: While KConfig is a powerful and efficient way to handle configuration settings it doesn't address two things: Type safety and GUI. KConfig is great as backend, but to address these two areas we had to put another layer on top of it. That's what KConfig XT is. The key feature of KConfig XT is that it provides a machine-readable description of the configuration settings, so that we can do all kind of fancy stuff like generating type-safe code to access the settings, associate the settings with a GUI or provide tools like Zack's KConfigEditor with the ability to give the user the needed context for editing configuration files."

Comments (none posted)

Resources

Apache's eXtended Server Side Includes (O'ReillyNet)

Kostas Pentikousis explores Apache SSI on O'Reilly. "In the early days of web publishing, SSI was an easy way to include dynamic content in pages. Though large server-side application frameworks have more popularity, SSI lives on--especially in Apache XSSI. Kostas Pentikousis demonstrates how XSSI makes it possible to build powerful, clean, maintainable, and fast web sites."

Comments (none posted)

The Daemon, the GNU and the Penguin - Ch. 15, by Dr. Peter Salus (Groklaw)

Groklaw has published chapter 15 of Peter Salus's The Daemon, the GNU and the Penguin. This chapter covers Commercial UNIXes and BSDI.

Comments (none posted)

Command-line animations using ImageMagick (NewsForge)

Shashank Sharma shows how to create animations with ImageMagick in a NewsForge article. "If the success of the "Shrek," "Toy Story," "Stuart Little," "The Incredibles," and many other Hollywood hits is any indication, animations add glitz to the mundane. While animation in the movies still requires professional animation packages like Blender, you can make simple animations using the command-line wizardry of ImageMagick."

Comments (none posted)

Linux in the Classroom: a Look Back (Linux Journal)

Last April Dr. Mike LeVan designed a course in Linux system administration. Now Linux Journal has a follow-up article. "Although we did not have a live Webcast, plenty of people went to the Web site to download the assignments and notes to try to keep up with the material. Several people also started discussions in our social forum to try to make the class more of a community. In a sense, it was a typical global community that you find with Linux. We had people from Argentina, Lebanon, Canada, Singapore, Austria, Finland and many other countries. It really turned into a good experience for my students, and I hope it was for those who signed up to follow the class on-line."

Comments (none posted)

Reviews

db.* proves it's a database survivor (NewsForge)

NewsForge looks at the history of db.*, a proprietary database turned open-source. "db.* has been in the market for more than 20 years. Originally, it was a proprietary product called dbVista developed by a company called Raima. During the dot-com boom, it was acquired by a company called Centura and released into open source under a modified Mozilla license. Centura spent millions of dollars to bring the code base up to standards, including overhauling the documentation. However, in 2001, Centura dot-bombed and went belly up, leaving db.* orphaned. Unlike an orphaned proprietary product though, another company could -- and did -- step in."

Comments (2 posted)

Fundable.org helps open source projects find support (NewsForge)

NewsForge examines the use of the Fundable.org project for fueling open-source development. "Fundable.org is a new service that allows people who need funds to connect with those who are willing to contribute. Co-founder John Pratt isn't sure where the idea came from, but he and partner Louis Helm have been working on it day and night since the inspiration hit them in January, 2005. The concept, while unique, is quite simple. Anyone who has a product or service to sell, or needs monetary support for a charitable cause, or who wants to organize a group purchase, posts their requirement on Fundable.org."

Comments (none posted)

Google map API transforms the Web (ZDNet)

ZDNet looks at new applications for the recently released Google Maps API. "We are getting a great demonstration right now of open source power, as applications using the Google Maps API begin to appear. Mapquest, owned by AOL, has been around for many years, but it's a proprietary offering. Yahoo Maps has been around for years, but it has been late to this party. It's Google, using the open source process, that has blown the field apart. The code has only been out a few weeks but already we're seeing several really great applications."

Comments (3 posted)

MythTV: Easy personal video recording with Linux (NewsForge)

NewsForge reviews MythTV, a video recording/time shifting system. "After trying MythTV on SUSE 9.1 Professional client, I found an even easier way to get everything running in less time. If you want to use your box exclusively as a media center, try KnoppMyth, a Linux distro based on Knoppix, aimed solely at providing an out-of-the-box system optimized for MythTV. The installation, although not graphical, is a no-brainer, and doesn't take much time. When it finishes, KnoppMyth helps you configure most of the options for MythTV to get it up and running".

Comments (none posted)

Miscellaneous

Windows tipped for EDA standard (Electronics Weekly)

Electronics Weekly covers comments by John Tanner, CEO of Tanner EDA, on the future of EDA (Electronic Design Automation) applications. "Windows will become the de facto standard operating system for EDA applications, in the same way as the PC has superseded dedicated Unix boxes, and EDA firms currently migrating their software to Linux are running up a blind alley." Thanks to John Rigg.

Comments (25 posted)

Black Duck - But No SCO (IT-Director)

Robin Bloor looks at Black Duck and other topics on IT-Director. "What the technology does is analyze source code and 'finger print' it. (To be precise, it maps the pattern of the code, but it's easier to think of it as a fingerprint). It can then look at code and determine its origin, with some degree of certainty. Even code that is not identical or partly rewritten can be identified. This is a useful capability because companies can 'black duck' the applications they've written and make sure that no code has been pilfered from SourceForge and added in, in violation of some Open Source license. (Black Duck has some customers that have had to do a little recoding because they discovered such chunks of code)."

Comments (6 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

European Parliament says no to software patents, yes to innovation

The FFII congratulates the European Parliament on its clear "no" to bad legislative proposals and procedures in this press release (click below).

Full Story (comments: none)

OSDL Appoints New Director to Lead Efforts in Europe

Open Source Development Labs has appointed Claude Beullens as director for Europe, the Middle East and Africa. "Beullens brings nearly 30 years of experience in enterprise computing, sales and marketing to lead OSDL's efforts and initiatives throughout the region."

Comments (none posted)

Open Source NHIN RFP Set-Aside (LinuxMedNews)

LinuxMedNews reports on a funding source for open-source software development by the U.S. Health and Human Services Department (HHS). "HHS, in a July 1 amendment to its request for proposals for the NHIN, said it will set aside one unrestricted award for open-source software which meets the following criteria: free redistribution, inclusion of source code, permission for modifications and non-specific licensing."

Comments (none posted)

Software Freedom Law Center Announces Plone as Newest Client

The Software Freedom Law Center has announced its newest client, the Plone Foundation. "The Software Freedom Law Center (SFLC), provider of pro-bono legal services to protect and advance Free and Open Source Software (FOSS), today announced it will represent the Plone Foundation. The Foundation, based in Houston, Texas, supports the development and promotion of the open source content management system, Plone, and its developer community."

Full Story (comments: none)

Commercial announcements

Excel Software Updates Linux Development Tools

Excel Software has announced the availability of new Linux development tools. "QuickUML 1.1.1 and QuickBugs 1.0.4 include an updated installer and many user interface enhancements. QuickBugs now has the ability to associate files or a zipped archive of files to bug reports, shortcuts for navigating or processing each bug and additions to the scriptable report generator. QuickCRC is a software design tool for discovering objects and related information for an object-oriented software development project."

Full Story (comments: none)

Fujitsu and Novell Deliver Linux for High-Performance Servers

Novell, Inc. has announced an agreement with Fujitsu to provide Linux-based server support. "As part of the agreement, Fujitsu will offer support services for Novell's SUSE(TM) LINUX Enterprise Server, which will soon be available worldwide on Fujitsu's mission-critical PRIMEQUEST(TM) and PRIMERGY(TM) servers."

Comments (none posted)

Mathematica 5.2 adds 64-Bit Support

Wolfram Research has announced the release of Mathematica 5.2, a mathematical simulation package. "Hot on the heels of Mathematica 5.1, itself released just eight months ago, 5.2 brings 64-bit technology to all supported platforms - an industry first. More than 4.3GB of memory (the 32-bit address limit) can now be addressed, and high-precision or large numbers are processed in 64-bit rather than 32-bit digit chunks for faster computation."

Comments (none posted)

OpenLogic Launches BlueGlue 3.2 management suite

OpenLogic has launched version 3.2 of its BlueGlue management suite. "At JavaOne, OpenLogic introduced BlueGlue 3.2, an Open Source management suite that can tie together, in any combination, 120 of the most popular Open Source software applications available today. Developers can get a stack working in minutes and BlueGlue will test, update and validate the project constantly."

Full Story (comments: none)

Opera technical preview adds BitTorrent support

Opera Software has announced a technical preview of the Opera browser with support for the BitTorrent file-downloading technology. "With BitTorrent, Opera hopes to make it easier for users to download the large amount of legal material available, such as Linux software and computer game demos. The Opera browser will also be offered for download as a torrent file."

Full Story (comments: none)

PloneLive 1.0 Released

Version 1.0 of PloneLive, an online book describing the Plone content management system, has been announced. "PloneLive 1.0 is a "live" book, meaning that it is updated every month with new material and corrections. Over the next year, we will be updating the book 12 times, tracking the changes and newest trends in Plone and covering new, as yet unreleased versions of Plone. The subscription cost is 29.95; this will get you access to an online repository of the full book and any of its more recent updates."

Comments (none posted)

Systemax Releases Custom-Build PCs with Linux

Linspire, Inc. and Systemax, Inc. have announced a customizable Systemax desktop PC pre-installed with Linspire Linux. "The Systemax Venture L335 System is outfitted with top-quality components, including an Intel Celeron D processor, 40GB hard drive, CD-ROM and 256MB of RAM, plus keyboard, speakers and mouse. The Systemax Venture L335 is available for $299.99 direct to consumers at TigerDirect.com and GlobalComputer.com."

Comments (none posted)

Zend Core for IBM Released

IBM and Zend have announced the Zend Core project. "IBM and Zend today announced the availability of Zend Core for IBM, the industry's first integrated solution specifically designed to help developers deploy database applications and services based on the popular PHP Web language. IBM and Zend also announced that they are jointly working on furthering PHP technology to include improved high-level database integration frameworks and enhanced PHP Web services standards."

Full Story (comments: none)

New Books

Advanced Perl Programming, Second Edition - O'Reilly's Latest Release

O'Reilly has published the book Advanced Perl Programming, Second Edition by Simon Cozens.

Full Story (comments: none)

"Talk is Cheap" - O'Reilly's Latest Release

O'Reilly has published the book Talk is Cheap by James E. Gaskin.

Full Story (comments: none)

Resources

FSF Europe Newsletter

The July 8, 2005 edition of the Free Software Foundation Europe Newsletter is online with the latest FSFE news.

Full Story (comments: none)

Linux Gazette #116

The Linux Gazette for July 2005 is out. In addition to the usual features this issue has articles on Automatic creation of an Impress presentation from a series of images, Booting Knoppix from a USB Pendrive via Floppy, Introduction to Shell Scripting, part 6, User-Centered Design, and more.

Comments (none posted)

Contests and Awards

Bug 300000 Sweepstake Results Announced (MozillaZine)

MozillaZine has announced the winner of the Bug 300000 Sweepstake. "Gervase Markham has announced the results of the Bug 300000 Sweepstake. Gerv writes: "bugzilla.mozilla.org bug 300,000 was filed on 2005-07-07 at 13:54 ZST by long-time Mozilla contributor 'timeless'. Of all the entrants in the 300,000 bug sweepstake, the person who guessed closest was Takeshi Nishimura, who guessed 2005-07-07 07:06 - over a period of nearly 4 months, he was only 6 hours, 48 minutes out!""

Comments (none posted)

Upcoming Events

GUADEC 2006 Slated For Barcelona

The initial press release for GUADEC 2006 has been posted. The event will take place in Barcelona, Spain in May 2006.

Comments (none posted)

Linux Bangalore Planning

A planning announcement has gone out for the next Linux Bangalore event. There is a request for: "More suggestions from you, more recommendations, more comments."

Full Story (comments: none)

linux.conf.au 2006 - Call For Papers

A call for papers has gone out for the 2006 linux.conf.au event. The conference will be held in Dunedin, New Zealand in January, 2006. Papers are due by September 5, 2005.

Full Story (comments: none)

Linux Installfest workshops in Davis - Saturday, July 16th

The Linux Users' Group of Davis will hold another Linux Installfest workshop in Davis, California on July 16, 2005.

Full Story (comments: none)

ToorCon 2005 Call for Papers

A Call for Papers has gone out for ToorCon 2005, a hacker convention that will be held in San Diego on September 15-18, 2005. Papers are due by August 15.

Full Story (comments: none)

Events: July 14 - September 8, 2005

Date | Event | Location
July 14 - 18, 2005 | Debconf 5 | Helsinki, Finland
July 14 - 15, 2005 | First International Conference on Open Source Systems (OSS2005) | Genova, Italy
July 14, 2005 | GOTO10 workshop | OKNO, Brussels, Belgium
July 14 - 15, 2005 | IEEE International Conference on Web Services (ICWS 2005) | Orlando, Florida
July 14 - 15, 2005 | Free Libre Open Source Software in Education Conference (FLOSSIE) | Bolton Technology Innovation Centre, Bolton, UK
July 17 - 19, 2005 | Desktop Developer's Conference | Ottawa Congress Centre, Ottawa, Ontario, Canada
July 18 - 22, 2005 | ApacheCon Europe 2005 | Stuttgart, Germany
July 18 - 22, 2005 | PostgreSQL Bootcamp | Big Nerd Ranch, Atlanta, GA
July 20 - 23, 2005 | Ottawa Linux Symposium (OLS 2005) | Ottawa, Canada
July 20 - 22, 2005 | North American Plone Symposium | The Astro Crowne Plaza, New Orleans, Louisiana
July 26, 2005 | 2nd European LISP and Scheme Workshop | Glasgow, Scotland
July 27 - 28, 2005 | Black Hat Briefings USA 2005 | Las Vegas, NV
July 29 - 31, 2005 | DefCon 13 | Alexis Park, Las Vegas, Nevada
July 31 - August 4, 2005 | 2005 SIGGRAPH Computer Animation Festival | Los Angeles, CA
August 1 - 5, 2005 | O'Reilly Open Source Convention | Oregon Convention Center, Portland, Oregon
August 1 - 5, 2005 | CIFS 2005 Conference and Plugfest | Doubletree Hotel, San Jose, CA
August 4, 2005 | Penguincon 2005 | Israel
August 4 - 7, 2005 | Linux 2005 | University of Wales, Swansea, UK
August 8 - 11, 2005 | LinuxWorld Conference and Expo | Moscone Center, San Francisco, CA
August 20, 2005 | Free Audio and Video Event (FAVE) | Trinity Community and Arts Centre, Bristol, UK
August 27 - September 4, 2005 | aKademy 2005 | University of Málaga, Málaga, Spain
August 31 - September 2, 2005 | YAPC::EU::2005 | University of Minho, Braga, Portugal
September 1 - 2, 2005 | Symposium on Security for Asia Network (SyScAN'05) | The Dusit Thani Hotel, Bangkok, Thailand
September 5 - 9, 2005 | International Computer Music Conference (ICMC 2005) | Barcelona, Spain

Comments (none posted)

Web sites

Social Bookmarking for Linux and Open Source

LinuxQuestions.org has announced a new LQ Bookmarks site. "LQ Bookmarks allows you to bookmark, tag, annotate and share links to Open Source and Linux related sites. It also allows you to access your bookmarks from any browser on any machine. The ability to share and see what others are sharing is called social bookmarking."

Full Story (comments: none)

Audio and Video programs

LQ Radio Show - Episode #2

Episode number 20 of the LQ Radio Show is available. "The show is hosted by jeremy and includes a panel of LQ moderators. Topics include Linux on the desktop, beagle, Apple moving to Intel, blogging, Linux appliances, broadcom, Google's Linux app, the Vienna Linux migration and much much more."

Full Story (comments: none)

Miscellaneous

Another fun DMCA case

Attorney William Patry's weblog looks at a new DMCA case, which, at its core, is claiming that a failure to heed a web site's robots.txt file is a circumvention of a technical copyright protection measure. "Those who decry the DMCA as an (attempted) tool of oppression will find more than ample support in this effort."

Comments (33 posted)

Page editor: Forrest Cook

Letters to the editor

European rejection of software patents is a victory for open source

From:  "Eric S. Raymond" <esr-AT-snark.thyrsus.com>
To:  wire-service-AT-snark.thyrsus.com
Subject:  European rejection of software patents is a victory for open source
Date:  Wed, 6 Jul 2005 16:53:12 -0400

The Open Source Initiative welcomes the news that European Parliament
voted overwhelmingly today (6 July 2005) to reject a proposal that would
have permitted American-style software patents in Europe.
 
In theory, a healthy software-patent system might reward innovators
and promote the worthy objective of the advancement of knowledge and
the useful arts. In practice, American-style software-patent systems
have serious flaws, including weak patentability filters and failure
to systematically check submissions against important bodies of prior
art such as Internet open-source repositories. Their effect is to
actually suppress innovation. Real-world evidence of this suppression
is in "An Empirical Look at Software Patents"
<http://www.researchoninnovation.org/swpat.pdf>.
 
The institution of American-style software patents in Europe would
undoubtedly lead to the same abuses we have seen in the U.S., where
patents are routinely deployed to prevent healthy competition in the
software industry -- and aimed, especially, at the suppression of open
source. Europe's "reform" seemed to us to be headed towards exactly
the same unhappy result, inflicting great harm on software consumers,
open-source programmers, and all independent developers.
 
We are pleased to see that the European citizenry understand that they
have an interest in protecting their right to innovate. We are pleased
that they have exercised their democratic prerogative to make their
voices heard. We are pleased that numerous companies, small and large,
European and American-based, have realized that software monopolies tilt
against their interest. And we are pleased that Europe's elected
legislators duly voted both the will of the people and good common
sense. And while the battle is not yet won, we are hopeful that the
decisiveness of this vote proves to be a catalyst not only for
programming freedom and continued software innovation in Europe, but for
the reform of obsolete and broken patent systems worldwide.
--
                 Eric S. Raymond for the Board of OSI

Comments (14 posted)

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds