
LWN.net Weekly Edition for July 21, 2005

Debconf5: Structural Evolution

Debconf5, the sixth annual Debian Conference, recently descended upon the Helsinki University of Technology (HUT) in Espoo, Finland. LWN reporter Rebecca Sobol was privileged to attend this year's event.

Hundreds of Debian developers, maintainers, translators, users and fans joined together for an overflowing week's worth of talks, BOFs, hacking and partying. Debian GNU/Linux is the largest distribution project in many ways: lots of developers (around 200 Debian Developers plus scores of package maintainers, documentation authors and translators), support for more architectures, lots of packages (nearly 15,000 binary packages are available), more derived distributions using it as a base, and soon even a choice between Linux and Hurd kernels. The Debian community is massive and scattered around the globe.

During the year these people keep in touch through a variety of mailing lists and IRC channels, but the annual Debconf provides people with a chance to meet face to face to talk about their favorite operating system. Each year Debconf meets in a different part of the world to make it more accessible to some portion of its global community. This year's conference in Finland brought out over ninety Finns, followed by a full gross of people from Germany, the United Kingdom, the United States, Sweden, Spain and Norway. It was also accessible to a handful of people from the Russian Federation and other parts of Eastern Europe. A few traveled greater distances to come from South America, New Zealand and Fiji. All told, there were people from over thirty countries at this year's event.

Debian is large, and it is all volunteer. A few people have found or created jobs for themselves where they can be paid to work on Debian, at least part of the time, but they are in the minority. The organization is guided by a social contract and maintains a strong commitment to software freedom.

Bdale Garbee, longtime Debian developer and former Debian Project Leader, gave a talk on Debian's Structural Evolution, subtitled Musings on Debian, Today and Tomorrow. He has serious concerns that Debian has grown too large for its infrastructure. For example, each year Debian developers elect a Project Leader. For nine weeks each year a few prominent Debian developers cease working as a team to compete for a job that has grown too complex for a single person. Only Debian developers are allowed to vote, leaving hundreds, or more likely thousands, of Debian volunteers and users with no say whatsoever.

Some of Debian's infrastructure is ably provided by Software in the Public Interest (SPI). However, too few Debian developers are involved in SPI, which oversees many other projects. Also, it is not in SPI's mandate to provide technical guidance; that is the role of the Technical Committee. Bdale finds that the committee, as currently defined, is not particularly satisfying. The committee could use a periodic review and refresh, which is currently not happening.

The current DPL, Branden Robinson, started Project SCUD as an attempt to address some of these issues while working within the constraints of the Debian constitution. However, Bdale (a member of SCUD) finds that the relationship between the DPL and the project is not clear. The team is self-selected and does not include a representative sampling of Debian project participants.

Perhaps it is time to replace the DPL and Technical Committee with an elected leadership board. Candidates would be motivated to campaign on their teamwork skills and more people would be willing to be involved in Debian's leadership. Perhaps a way could be found to allow the greater Debian community a voice in this process. Perhaps this would make Debian even stronger.


Delays in security updates

July 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

There are a number of reasons that users choose Linux, but security is one of the most often-cited reasons. While Linux distributions certainly see their fair share of security issues, updates are usually issued in a timely fashion.

However, there are times when the process gets bogged down. Security updates for Debian, for example, were not going out in a timely fashion for some time. As reported in Branden Robinson's Debian Project Leader Report for July, security updates were interrupted for some time. This has also been reported in the mainstream press, though members of the Debian team take issue with the actual reporting.

Looking at the security advisories for 2005, one thing that is clear is that no security updates were issued through most of June. There are no updates from June 4 through June 29. Updates resumed on June 30, and there has been a steady stream of updates since then. We e-mailed Martin Schulze about the Debian security delays, and he confirmed the time period.

That is quite a delay for some of the updates. The sudo vulnerability, for example, was addressed in Debian on July 1 for Woody and Sarge. The Fedora Core team released an update for this vulnerability for Fedora Core 3 and Fedora Core 4 on June 21, and Ubuntu released an update on June 21st for Hoary (5.04) and Warty (4.10). Updates for Gaim's recent vulnerabilities were issued on June 16 for FC3 and FC4, and June 10 and June 15 by the Ubuntu team, respectively -- but not for Debian until July 5.

In an e-mail, Schulze said that he didn't know all of the details of the problems that delayed updates, but explained the way the process is supposed to work:

When a new release happens the old release, formerly known as "stable", becomes "oldstable" and "testing" becomes "stable."

This change needs to be done on the ftp-master, on the security host and on the wanna-build database (the database behind the buildd network).

In addition to that, on all buildd hosts that are supposed to build packages for "oldstable" as well (not all buildds do), the old "stable" build chroot needs to be renamed to "oldstable" and "oldstable" needs to be enabled in the configuration.

Additionally, on all buildd hosts the "stable" build chroot needs to be updated to the current "stable," or the old "testing" chroot renamed. These are used by the security builds as well.

All this should be done synchronously, but wasn't. On July 7th I wrote in my logbook that the buildd network seems to be finally fixed. Actually it was fixed two days before that article. Before that, one part or another was missing or not fixed totally.

In the Project Leader Report, Robinson points out that there was a failure in infrastructure and communication:

I suspect, given what I know from conversation with some of the principals close to the infrastructure involved in getting our stable security updates out, that that's what we're dealing with. There have been technical failures and communication failures, with the former greatly exacerbated by the latter.

I have asked Andreas Barth to look into this situation and establish as clear a factual record as he can. Using this report, we should be able to attack the areas of weakness. One thing I'd like to see is better documentation of the internal workings of the security update process, perhaps in the Debian Developers' Reference. With a broader understanding of security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful.

Robinson has also proposed making the security team DPL delegates, and points out that now would be a good time to add new members to the security team roster. Whether that has happened or not, however, remains up in the air. Schulze said that adding new members would be "discussed inside the security team." Robinson has not replied to e-mails asking about the security delays.

Schulze also said that the backlog of security updates that built up through June should be cleared out by now.

Around the same time, the Fedora Legacy project's security updates also seem to have been bottled up. The Fedora Legacy project has a gap for updates between June 5 and July 9, for all Red Hat and Fedora distributions supported by the Fedora Legacy project: Red Hat 7.3 and 9.0, and Fedora Core 1 and Fedora Core 2.

Some of the updates that were released in July by Fedora Legacy were rather tardy indeed. For example, the GNU Mailman advisory (CAN-2005-0202) was fixed by other distributions back in February. The PHP advisory on July 10 from Fedora Legacy was addressed back in April by Gentoo, Mandriva and others. (Debian's fix for this bug came out in May.) This post on the Fedora Legacy mailing list from Jesse Keating acknowledges that the legacy project has longer lead times on security updates.

It would seem that Debian's infrastructure problems have been solved, at least for now. However, the gap in updates is somewhat alarming. As a rule, Debian has often been one of the first distributions to issue security updates and advisories, and has developed a well-deserved reputation for being quick to respond to security issues. We hope that the delay in updates while the project was transitioning from Woody to Sarge is a one-time issue, and that the transition from Sarge to Etch, whenever that happens, will happen more smoothly.

The importance of speedy security releases can't be emphasized enough. Aside from the obvious PR problems when a distribution is behind in updates, Linux users need to be able to depend on updates as soon as they can be made available so that they are not subject to exploits any longer than is absolutely necessary.


Page editor: Rebecca Sobol

Security

Brief items

Debconf5: Securing the Testing Distribution

This part of our Debconf5 coverage was inspired by a talk titled Securing the Testing Distribution given by Joey Hess.

Debian has several branches, including two currently supported stable branches, Woody and Sarge, and the unstable branch, also known as sid. Though usually fairly stable, sid is in constant flux and provides a faster paced target for those who like to run the latest and greatest software. The testing branch, on the other hand, provides a look at the next stable version still in development, in this case etch. Testing was first used when woody was in development. Once Woody was released as Debian 3.0, testing became synonymous with sarge. So now that Sarge has been released as Debian 3.1, testing has become etch, which will someday be the next stable version.

The supported stable version(s) (support for Woody will end before we will see an etch release) have a security team providing security updates. Often security fixes are backported to the stable packages. Packages in sid are usually upgraded to a new version of the package in which the problem has been fixed. Up to now there has been no mechanism to provide security updates for testing.

Some of the security issues in stable will have already been fixed in testing's newer packages, but for the most part security fixes have lagged behind stable and unstable. Packages fixed in unstable can automatically migrate to testing, if certain criteria are met, but that comes with a built-in delay. Unrelated release critical bugs in unstable packages could block the security updates from reaching testing. Ironically, those very users most interested in the shape of the next stable version are also those likely to be put off by the lack of security updates.

Those days have come to an end. Now there is a security team for testing, with five to six team members and twice that on the mailing list. Some team members are Debian Developers (DDs), but that's not required. The team now proactively looks for holes, checking Debian testing packages against CVE entries, bugs in the Bug Tracking System (BTS), and watching other security lists.

DDs and package maintainers were asked to document all security issues, including the CVE number in open bug reports. Change log entries and closed bugs should include a CVE number and indicate when security issues are fixed. Tracking and fixing security bugs in etch will make it far more appealing to potential testers, and may even help Debian achieve a more predictable release cycle.
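A sketch of the kind of check that CVE-tagged changelogs make possible, as an added example (not code from Debian or the testing security team): it reads Debian-changelog-style text, collects the CVE/CAN identifiers each version mentions, and lists tracked identifiers that no entry mentions. The package name, changelog text, bug number and identifiers are constructed placeholders.

```python
import re

# Matches both the candidate ("CAN-") and assigned ("CVE-") spellings of an id.
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b", re.IGNORECASE)

# First line of a changelog entry: "package (version) distribution(s); urgency=..."
HEADER_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dists>[^;]+);"
)

# Constructed sample input: placeholder package, bug number and identifiers.
SAMPLE_CHANGELOG = """\
examplepkg (1.2-3) unstable; urgency=high

  * Fix insecure temporary file creation in contrib script
    (CAN-0000-0001). Closes: #000001
  * Escape shell metacharacters in filenames [CVE-0000-0002].

 -- Example Maintainer <maint@example.org>  Mon, 18 Jul 2005 10:00:00 +0200

examplepkg (1.2-2) unstable; urgency=low

  * Update translations.

 -- Example Maintainer <maint@example.org>  Fri, 01 Jul 2005 10:00:00 +0200
"""


def normalize(ident):
    """Treat CAN-YYYY-NNNN and CVE-YYYY-NNNN as the same identifier."""
    return "CVE-" + ident.upper().split("-", 1)[1]


def fixes_by_version(changelog_text):
    """Return [(version, sorted ids)] in changelog order (newest entry first)."""
    entries = []
    current = None
    for line in changelog_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = (header.group("ver"), set())
            entries.append(current)
        elif current is not None and line.startswith("  "):
            # Change lines are indented by two or more spaces; the " -- "
            # trailer line has a single leading space and is skipped.
            current[1].update(normalize(i) for i in CVE_RE.findall(line))
    return [(ver, sorted(ids)) for ver, ids in entries]


def untracked(tracked_ids, changelog_text):
    """Tracked identifiers that no changelog entry mentions."""
    mentioned = {i for _, ids in fixes_by_version(changelog_text) for i in ids}
    return sorted({normalize(i) for i in tracked_ids} - mentioned)


if __name__ == "__main__":
    for version, ids in fixes_by_version(SAMPLE_CHANGELOG):
        print(version, ", ".join(ids) or "(no security ids)")
    print("not mentioned:", untracked(["CAN-0000-0001", "CAN-0000-0003"],
                                      SAMPLE_CHANGELOG))
```

An identifier that no entry mentions is not proof that the package is vulnerable, only that the changelog cannot answer the question, which is the gap the request to maintainers is meant to close.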


New vulnerabilities

affix: two remote vulnerabilities

Package(s):affix CVE #(s):CAN-2005-2250 CAN-2005-2277
Created:July 19, 2005 Updated:September 2, 2005
Description: A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Also remote attackers may execute arbitrary commands via shell metacharacters in the filename argument of a PUT command.
Alerts:
Debian DSA-762-1 2005-07-19


bugzilla: information disclosure

Package(s):bugzilla CVE #(s):CAN-2005-2173 CAN-2005-2174
Created:July 14, 2005 Updated:July 19, 2005
Description: Bugzilla has a vulnerability that may allow a remote attacker to modify flags of arbitrary bugs, triggering a return email to the attacker as well as a race condition.
Alerts:
Gentoo 200507-12 2005-07-13


ekg: multiple vulnerabilities

Package(s):ekg CVE #(s):CAN-2005-1850 CAN-2005-1851 CAN-2005-1916
Created:July 18, 2005 Updated:August 8, 2005
Description: Several vulnerabilities have been discovered in the ekg contributed scripts. These include an insecure temporary file creation problem, a potential shell command injection problem, and an arbitrary command execution problem.
Alerts:
Ubuntu USN-162-1 2005-08-08
Debian DSA-760-1 2005-07-18


heartbeat: insecure temporary files

Package(s):heartbeat CVE #(s):CAN-2005-2231
Created:July 19, 2005 Updated:August 15, 2005
Description: Eric Romang discovered several insecure temporary file creations in the High Availability Linux Project Heartbeat 1.2.3.
Alerts:
Debian DSA-761-2 2005-08-15
Ubuntu USN-165-1 2005-08-11
Mandriva MDKSA-2005:132 2005-08-09
Gentoo 200508-05 2005-08-07
Debian DSA-761-1 2005-07-19


kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19


mediawiki: JavaScript code injection

Package(s):mediawiki CVE #(s):
Created:July 20, 2005 Updated:July 20, 2005
Description: MediaWiki has a vulnerability caused by failing to correctly escape a parameter in the page move template. Remote attackers can use this to inject and execute JavaScript code with the permission of the user's browser session.
Alerts:
Gentoo 200507-18 2005-07-20


mozilla-firefox: multiple vulnerabilities

Package(s):mozilla-firefox CVE #(s):
Created:July 14, 2005 Updated:July 22, 2005
Description: A dozen security vulnerabilities that have been fixed in Firefox 1.0.5 and Mozilla 1.7.9 have been back-ported to older versions.
Alerts:
Gentoo 200507-14 2005-07-15
Mandriva MDKSA-2005:120 2005-07-13


mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20


pam_ldap: plain text authentication leak

Package(s):pam_ldap CVE #(s):CAN-2005-2069
Created:July 14, 2005 Updated:October 17, 2005
Description: pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an attacker to sniff unencrypted passwords and other information.
Alerts:
Red Hat RHSA-2005:767-01 2005-10-17
Red Hat RHSA-2005:751-01 2005-10-17
SuSE SUSE-SR:2005:020 2005-09-12
Ubuntu USN-152-1 2005-07-21
Mandriva MDKSA-2005:121 2005-07-18
Gentoo 200507-13 2005-07-14


phppgadmin: directory traversal vulnerability

Package(s):phppgadmin CVE #(s):CAN-2005-2256
Created:July 18, 2005 Updated:July 19, 2005
Description: A missing input sanitization vulnerability has been discovered in the phppgadmin PHP scripts; sensitive information may be disclosed.
Alerts:
Debian DSA-759-1 2005-07-18


thunderbird mozilla firefox: multiple vulnerabilities

Package(s):thunderbird firefox mozilla CVE #(s):CAN-2005-0989 CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270
Created:July 20, 2005 Updated:September 1, 2005
Description: Multiple vulnerabilities have been found in the Mozilla Thunderbird email client, as well as the Mozilla Suite, Firefox and other Mozilla-based browsers. Bugs include an anonymous function handling bug, a JavaScript validation problem, privileged UI code handling DOM nodes, a JavaScript privilege escalation, a problem with JavaScript in XBL controls, improper handling of child frames, a DOM name code execution vulnerability, and a base object clone problem.
Alerts:
Debian DSA-779-2 2005-09-01
Mandriva MDKSA-2005:127-1 2005-08-26
Debian DSA-781-1 2005-08-23
Debian DSA-779-1 2005-08-20
SuSE SUSE-SA:2005:045 2005-08-11
Ubuntu USN-157-2 2005-08-02
Ubuntu USN-157-1 2005-08-01
Mandriva MDKSA-2005:127 2005-07-28
Ubuntu USN-149-3 2005-07-28
Ubuntu USN-155-1 2005-07-26
Gentoo 200507-24 2005-07-26
Ubuntu USN-149-2 2005-07-25
Mandriva MDKSA-2005:120-1 2005-07-22
Slackware SSA:2005-203-01 2005-07-22
Red Hat RHSA-2005:587-01 2005-07-22
Fedora FEDORA-2005-622 2005-07-22
Fedora FEDORA-2005-621 2005-07-22
Fedora FEDORA-2005-618 2005-07-22
Fedora FEDORA-2005-620 2005-07-22
Fedora FEDORA-2005-617 2005-07-22
Fedora FEDORA-2005-619 2005-07-22
Fedora FEDORA-2005-616 2005-07-22
Red Hat RHSA-2005:601-01 2005-07-21
Red Hat RHSA-2005:586-01 2005-07-21
Ubuntu USN-149-1 2005-07-21
Fedora FEDORA-2005-606 2005-07-20
Fedora FEDORA-2005-604 2005-07-20
Fedora FEDORA-2005-605 2005-07-20
Fedora FEDORA-2005-603 2005-07-20


Updated vulnerabilities

CUPS: multiple vulnerabilities

Package(s):CUPS CVE #(s):CAN-2004-2154
Created:July 14, 2005 Updated:September 20, 2005
Description: The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to print to a protected queue.
Alerts:
Mandriva MDKSA-2005:165 2005-09-15
Ubuntu USN-185-1 2005-09-20
Fedora-Legacy FLSA:163274 2005-09-14
Red Hat RHSA-2005:571-01 2005-07-14


cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2004-1342 CAN-2004-1343
Created:July 19, 2005 Updated:July 19, 2005
Description: The cvs pserver access method in connection with the Debian repouid can allow an attacker to bypass the password authentication and gain unauthorized access to the repository. Also, a problem with the cvs-repouids file can allow a remote user to crash the cvs server and cause a denial of service.
Alerts:
Debian DSA-715-1 2005-04-27


a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25


acroread: arbitrary code execution

Package(s):acroread CVE #(s):CAN-2005-1625 CAN-2005-1841
Created:July 8, 2005 Updated:July 14, 2005
Description: Adobe Acrobat Reader (acroread) has a buffer overflow vulnerability. If a user is tricked into opening a specially crafted PDF file, arbitrary code can be executed.
Alerts:
SuSE SUSE-SA:2005:042 2005-07-14
Gentoo 200507-09 2005-07-11
Red Hat RHSA-2005:575-01 2005-07-08


bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17


cacti: SQL injection and PHP file inclusion

Package(s):cacti CVE #(s):
Created:June 22, 2005 Updated:July 21, 2005
Description: Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files.
Alerts:
Debian DSA-764-1 2005-07-21
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo 200506-20:02 2005-06-22
Gentoo 200506-20 2005-06-22


centericq: temporary file vulnerability

Package(s):centericq CVE #(s):CAN-2005-1914
Created:July 13, 2005 Updated:July 13, 2005
Description: The centericq messaging client suffers from a classic temporary file vulnerability which could, conceivably, be exploited by a local user to overwrite files.
Alerts:
Debian DSA-754-1 2005-07-13


cpio: file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02


cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file; this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20


cURL: buffer overflow

Package(s):curl CVE #(s):CAN-2005-0490
Created:February 28, 2005 Updated:July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28


cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2005-0753
Created:April 18, 2005 Updated:July 13, 2005
Description: CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Alerts:
Debian DSA-742-1 2005-07-07
Fedora-Legacy FLSA:155508 2005-05-12
Ubuntu USN-117-1 2005-05-04
Red Hat RHSA-2005:387-01 2005-04-25
Gentoo 200504-16:02 2005-04-18
Slackware SSA:2005-111-01 2005-04-22
Trustix TSLSA-2005-0013 2005-04-20
Mandriva MDKSA-2005:073 2005-04-20
Fedora FEDORA-2005-330 2005-04-20
Gentoo 200504-16 2005-04-18
SuSE SUSE-SA:2005:024 2005-04-18


cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23


dbus: information disclosure

Package(s):dbus CVE #(s):CAN-2005-0201
Created:June 8, 2005 Updated:August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08


dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04


dhcpcd: denial of service

Package(s):dhcpcd CVE #(s):CAN-2005-1848
Created:July 13, 2005 Updated:September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 2005-09-13
Red Hat RHSA-2005:603-01 2005-07-27
Gentoo 200507-16 2005-07-15
Mandriva MDKSA-2005:117 2005-07-12
Debian DSA-750-1 2005-07-11


Dnsmasq: poisoning and DoS

Package(s):dnsmasq CVE #(s):
Created:April 4, 2005 Updated:July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease file parsing.
Alerts:
Slackware SSA:2005-201-01 2005-07-21
Gentoo 200504-03 2005-04-04


emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07


enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21


ettercap: format string vulnerability

Package(s):ettercap CVE #(s):CAN-2005-1796
Created:June 13, 2005 Updated:July 13, 2005
Description: The Ettercap suite of networking tools has a format string vulnerability that can be exploited by a remote attacker for the execution of arbitrary code.
Alerts:
Debian DSA-749-1 2005-07-10
Gentoo 200506-07 2005-06-11


evolution: message crash vulnerability

Package(s):evolution CVE #(s):CAN-2005-0806
Created:March 17, 2005 Updated:August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16


Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20


FUSE: information disclosure

Package(s):fuse CVE #(s):CAN-2005-1858
Created:July 13, 2005 Updated:July 13, 2005
Description: The filesystems in user space (FUSE) subsystem (not yet part of the mainline kernel) has an information disclosure vulnerability exploitable by local users.
Alerts:
Debian DSA-744-1 2005-07-08


gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s):gftp CVE #(s):CAN-2005-0372 CAN-2004-1376
Created:February 17, 2005 Updated:July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gxine: format string vulnerability

Package(s):gxine CVE #(s):CAN-2005-1692
Created:May 26, 2005 Updated:July 23, 2005
Description: The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code.
Alerts:
Slackware SSA:2005-203-04 2005-07-23
Gentoo 200505-19 2005-05-26

Comments (none posted)

gzip: race condition and directory traversal

Package(s):gzip CVE #(s):CAN-2005-0988 CAN-2005-1228
Created:May 4, 2005 Updated:July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Alerts:
Debian DSA-752-1 2005-07-11
Red Hat RHSA-2005:357-01 2005-06-13
OpenPKG OpenPKG-SA-2005.010 2005-06-10
OpenPKG OpenPKG-SA-2005.009 2005-06-10
Mandriva MDKSA-2005:092 2005-05-18
Gentoo 200505-05 2005-05-09
Trustix TSLSA-2005-0018 2005-05-06
Ubuntu USN-116-1 2005-05-04

Comments (none posted)

Heimdal: buffer overflow vulnerabilities

Package(s):heimdal CVE #(s):CAN-2005-2040
Created:June 29, 2005 Updated:July 18, 2005
Description: It has been reported that the "getterminaltype" function of Heimdal's (before 0.6.5) telnetd server is vulnerable to buffer overflows. An attacker could exploit this vulnerability to execute arbitrary code with the permission of the telnetd server program.
Alerts:
Debian DSA-758-1 2005-07-18
SuSE SUSE-SA:2005:040 2005-07-06
Gentoo 200506-24 2005-06-29

Comments (none posted)

ht: arbitrary code execution

Package(s):ht CVE #(s):CAN-2005-1545 CAN-2005-1546
Created:July 8, 2005 Updated:July 13, 2005
Description: The utility ht, an executable file viewer, editor and analyzer, has buffer and integer overflows that can be exploited for the purpose of executing arbitrary code.
Alerts:
Debian DSA-743-1 2005-07-08

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

ImageMagick: xwd coder denial of service

Package(s):ImageMagick CVE #(s):CAN-2005-1739
Created:May 26, 2005 Updated:July 19, 2005
Description: The xwd coder in ImageMagick has a vulnerability that can be triggered by processing a maliciously created image. A denial of service can result.
Alerts:
Fedora-Legacy FLSA:152777 2005-07-12
Mandriva MDKSA-2005:107 2005-06-28
Red Hat RHSA-2005:480-01 2005-06-02
Fedora FEDORA-2005-395 2005-05-26

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

infozip: privilege escalation, directory-traversal

Package(s):infozip CVE #(s):CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created:May 2, 2005 Updated:August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Alerts:
Ubuntu USN-159-1 2005-08-01
Slackware SSA:2005-121-01 2005-05-02

Comments (1 posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kernel: ELF loader core dump vulnerability

Package(s):kernel CVE #(s):CAN-2005-1263
Created:May 11, 2005 Updated:August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 2005-08-25
Red Hat RHSA-2005:420-01 2005-06-08
Red Hat RHSA-2005:472-01 2005-05-25
Fedora FEDORA-2005-392 2005-05-23
Ubuntu USN-131-1 2005-05-23
Trustix TSLSA-2005-0022 2005-05-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1913 CAN-2005-1761
Created:July 1, 2005 Updated:September 9, 2005
Description: Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and an ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
Alerts:
Ubuntu USN-178-1 2005-09-09
Red Hat RHSA-2005:551-01 2005-08-25
SuSE SUSE-SA:2005:044 2005-08-04
Fedora FEDORA-2005-510 2005-07-01

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kimgio input validation errors

Package(s):kimgio CVE #(s):CAN-2005-1046
Created:April 22, 2005 Updated:July 19, 2005
Description: KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to and including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code.
Alerts:
Ubuntu USN-114-2 2005-05-27
Red Hat RHSA-2005:393-01 2005-05-17
Mandriva MDKSA-2005:085 2005-05-12
Ubuntu USN-114-1 2005-05-03
Fedora FEDORA-2005-350 2005-05-02
Debian DSA-714-1 2005-04-26
Gentoo 200504-22 2005-04-22

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service, and an information disclosure may be caused by a malicious telnet server. See this report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

leafnode: fetchnews vulnerabilities

Package(s):leafnode CVE #(s):CAN-2004-2068 CAN-2005-1453 CAN-2005-1911
Created:July 12, 2005 Updated:July 13, 2005
Description: The fetchnews program from the leafnode NNTP server has a number of vulnerabilities involving corruption of data from the upstream server. The system can hang indefinitely or crash.
Alerts:
Mandriva MDKSA-2005:114 2005-07-11

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

mailman: path traversal

Package(s):mailman CVE #(s):CAN-2005-0202
Created:February 9, 2005 Updated:July 13, 2005
Description: The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.

This vulnerability was used to compromise the Full-Disclosure list.

Alerts:
Fedora-Legacy FLSA:152895 2005-07-10
Ubuntu USN-78-2 2005-02-17
Debian DSA-674-3 2005-02-21
Mandrake MDKSA-2005:037 2005-02-14
Red Hat RHSA-2005:137-01 2005-02-15
SuSE SUSE-SA:2005:007 2005-02-14
Debian DSA-674-2 2005-02-11
Red Hat RHSA-2005:136-01 2005-02-10
Gentoo 200502-11 2005-02-10
Fedora FEDORA-2005-132 2005-02-10
Fedora FEDORA-2005-131 2005-02-10
Ubuntu USN-78-1 2005-02-09

Comments (none posted)

mc: buffer overflow

Package(s):mc CVE #(s):CAN-2005-0763
Created:March 29, 2005 Updated:August 11, 2005
Description: An unfixed buffer overflow has been discovered by Andrew V. Samoilov in mc, the midnight commander, a file browser and manager.
Alerts:
Fedora-Legacy FLSA:152889 2005-08-10
Red Hat RHSA-2005:512-01 2005-06-16
Debian DSA-698-1 2005-03-29

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to access objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

Mozilla Firefox, Mozilla Suite: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2005-0989
Created:April 19, 2005 Updated:July 18, 2005
Description: The following vulnerabilities were found and fixed in the Mozilla Suite and Mozilla Firefox:
  • Vladimir V. Perepelitsa reported a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989).
  • moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM nodes from the content window, allowing privilege escalation via DOM property overrides.
  • Michael Krax reported a possibility to run JavaScript code with elevated privileges through the use of javascript: favicons.
  • Michael Krax also discovered that malicious Search plugins could run JavaScript in the context of the displayed page or stealthily replace existing search plugins.
  • shutdown discovered a technique to pollute the global scope of a window in a way that persists from page to page.
  • Doron Rosenberg discovered a possibility to run JavaScript with elevated privileges when the user asks to "Show" a blocked popup that contains a JavaScript URL.
  • Finally, Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects.
The following Firefox-specific vulnerabilities have also been discovered:
  • Kohei Yoshino discovered a new way to abuse the sidebar panel to execute JavaScript with elevated privileges.
  • Omar Khan reported that the Plugin Finder Service can be tricked into opening javascript: URLs with elevated privileges.
Alerts:
Gentoo 200507-17 2005-07-18
Fedora-Legacy FLSA:152883 2005-05-18
Red Hat RHSA-2005:384-01 2005-04-28
SuSE SUSE-SA:2005:028 2005-04-27
Red Hat RHSA-2005:386-01 2005-04-26
Slackware SSA:2005-111-04 2005-04-22
Red Hat RHSA-2005:383-01 2005-04-21
Gentoo 200504-18 2005-04-19

Comments (none posted)

mozilla firefox: javascript vulnerabilities

Package(s):mozilla firefox CVE #(s):CAN-2005-1531 CAN-2005-1532
Created:June 9, 2005 Updated:July 19, 2005
Description: Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript.

Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CAN-2005-1160.

Alerts:
Fedora-Legacy FLSA:158149 2005-07-15
SuSE SUSE-SA:2005:030 2005-06-09

Comments (1 posted)

MySQL: input validation and temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Created:March 16, 2005 Updated:July 19, 2005
Description: MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
Alerts:
Fedora-Legacy FLSA:152925 2005-07-15
OpenPKG OpenPKG-SA-2005.006 2005-04-20
Debian DSA-707-1 2005-04-13
Fedora FEDORA-2005-305 2005-04-05
Fedora FEDORA-2005-304 2005-04-05
Red Hat RHSA-2005:348-01 2005-04-05
Conectiva CLA-2005:946 2005-04-04
Red Hat RHSA-2005:334-01 2005-03-28
SuSE SUSE-SA:2005:019 2005-03-24
Mandrake MDKSA-2005:060 2005-03-21
Trustix TSLSA-2005-0009 2005-03-21
Ubuntu USN-96-1 2005-03-16
Gentoo 200503-19 2005-03-16

Comments (none posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

Net-SNMP: fixproc insecure temporary file creation

Package(s):net-snmp CVE #(s):CAN-2005-1740
Created:May 23, 2005 Updated:July 13, 2005
Description: The fixproc application of Net-SNMP creates temporary files with predictable filenames.
Alerts:
Fedora FEDORA-2005-561 2005-07-13
Fedora FEDORA-2005-562 2005-07-13
Gentoo 200505-18 2005-05-23

Comments (1 posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

openssh: directory traversal

Package(s):openssh CVE #(s):CAN-2004-0175
Created:May 18, 2005 Updated:July 13, 2005
Description: The OpenSSH scp client can, when connected to a hostile server, be instructed to overwrite arbitrary files.
Alerts:
Fedora-Legacy FLSA:123014 2005-07-11
Mandriva MDKSA-2005:100 2005-06-14
Red Hat RHSA-2005:495-01 2005-06-13
Red Hat RHSA-2005:165-01 2005-06-08
Red Hat RHSA-2005:481-01 2005-06-02
Red Hat RHSA-2005:106-01 2005-05-18
Red Hat RHSA-2005:074-01 2005-05-18

Comments (1 posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

OpenSSL: information leak

Package(s):openssl CVE #(s):CAN-2005-0109
Created:May 23, 2005 Updated:October 11, 2005
Description: Hyper-Threading technology, as used in FreeBSD and other operating systems and implemented on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. See this LWN article for more information.
Alerts:
Trustix TSLSA-2005-0028 2005-06-13
Mandriva MDKSA-2005:096 2005-06-06
Red Hat RHSA-2005:476-01 2005-06-01
Fedora FEDORA-2005-390 2005-05-23
Fedora FEDORA-2005-389 2005-05-23

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

php4: integer overflow and denial of service

Package(s):php4 CVE #(s):CAN-2005-1042 CAN-2005-1043
Created:April 14, 2005 Updated:July 13, 2005
Description: The php4 EXIF module has two vulnerabilities. An integer overflow in the exif_process_IFD_TAG() function can be exploited to cause a buffer overflow for the purpose of arbitrary code execution. EXIF headers with a large IFD nesting level can be used to cause a denial of service. Remote exploits are possible.
Alerts:
Fedora-Legacy FLSA:155505 2005-07-10
Red Hat RHSA-2005:406-01 2005-05-04
Red Hat RHSA-2005:405-01 2005-04-28
Mandriva MDKSA-2005:072 2005-04-18
Ubuntu USN-112-1 2005-04-14

Comments (none posted)

php-pear: remote code execution

Package(s):php-pear CVE #(s):CAN-2005-1921
Created:July 1, 2005 Updated:July 29, 2005
Description: The PEAR XMLRPC implementation has a vulnerability that can be exploited for remote code execution. See this report from GulfTech Security Research. This vulnerability affects a large number of PHP web applications.
Alerts:
Fedora-Legacy FLSA:163559 2005-07-28
Conectiva CLA-2005:980 2005-07-14
Gentoo 200507-15 2005-07-15
Debian DSA-746-1 2005-07-13
Slackware SSA:2005-192-02 2005-07-12
Slackware SSA:2005-192-01 2005-07-12
Gentoo 200507-08 2005-07-10
Debian DSA-747-1 2005-07-10
Gentoo 200507-07 2005-07-10
Debian DSA-745-1 2005-07-10
SuSE SUSE-SA:2005:041 2005-07-08
Red Hat RHSA-2005:564-01 2005-07-07
Gentoo 200507-06 2005-07-06
Ubuntu USN-147-2 2005-07-06
Ubuntu USN-147-1 2005-07-05
Fedora FEDORA-2005-518 2005-07-05
Fedora FEDORA-2005-517 2005-07-05
Gentoo 200507-01 2005-07-03
Mandriva MDKSA-2005:109 2005-06-30

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: EXECUTE privilege vulnerability

Package(s):postgresql CVE #(s):CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247
Created:February 10, 2005 Updated:July 19, 2005
Description: postgresql has a vulnerability in which the EXECUTE privilege may not be checked on custom functions. This may allow any database user to circumvent the EXECUTE restriction on functions.
Alerts:
Fedora-Legacy FLSA:152844 2005-07-16
Trustix TSLSA-2005-0015 2005-04-25
SuSE SUSE-SA:2005:027 2005-04-20
SuSE SUSE-SR:2005:008 2005-03-18
SuSE SUSE-SR:2005:006 2005-02-25
Fedora FEDORA-2005-158 2005-02-22
Fedora FEDORA-2005-157 2005-02-22
Mandrake MDKSA-2005:040 2005-02-17
Red Hat RHSA-2005:150-01 2005-02-16
Debian DSA-683-1 2005-02-15
Red Hat RHSA-2005:138-01 2005-02-15
Gentoo 200502-19 2005-02-14
Ubuntu USN-79-1 2005-02-10

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on XMLRPC servers.
Alerts:
Gentoo 200510-05 2005-10-06
Red Hat RHSA-2005:543-01 2005-08-05
Mandriva MDKSA-2005:118 2005-07-12
Gentoo 200507-10 2005-07-11
Debian DSA-748-1 2005-07-10
Ubuntu USN-146-1 2005-06-29
Fedora FEDORA-2005-475 2005-06-22
Fedora FEDORA-2005-474 2005-06-22

Comments (none posted)

samba: integer overflow vulnerability

Package(s):samba CVE #(s):CAN-2004-1154
Created:December 16, 2004 Updated:July 19, 2005
Description: Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server.
Alerts:
Fedora-Legacy FLSA:152874 2005-07-15
Debian DSA-701-2 2005-04-21
Debian DSA-701-1 2005-03-31
Conectiva CLA-2005:913 2005-01-06
Red Hat RHSA-2005:020-01 2005-01-05
Mandrake MDKSA-2004:158 2004-12-27
SuSE SUSE-SA:2004:045 2004-12-22
Red Hat RHSA-2004:681-01 2004-12-21
Fedora FEDORA-2004-562 2004-12-20
Fedora FEDORA-2004-561 2004-12-20
Gentoo 200412-13 2004-12-17
Ubuntu USN-41-1 2004-12-17
OpenPKG OpenPKG-SA-2004.054 2004-12-17
Red Hat RHSA-2004:670-01 2004-12-16

Comments (none posted)

sharutils: temporary file vulnerability

Package(s):sharutils CVE #(s):CAN-2005-0990
Created:July 13, 2005 Updated:July 13, 2005
Description: Sharutils (and unshar in particular) creates temporary files in an unsafe way, making local file overwrite attacks possible.
Alerts:
Fedora-Legacy FLSA:154991 2005-07-10

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

SpamAssassin: denial of service

Package(s):spamassassin CVE #(s):CAN-2005-1266
Created:June 17, 2005 Updated:July 28, 2005
Description: SpamAssassin 3.0.4 was released to fix a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain mis-formatted long message headers to cause spam checking to take a very long time.
Alerts:
OpenPKG OpenPKG-SA-2005.015 2005-07-28
Debian DSA-736-2 2005-07-07
Gentoo 200506-17:02 2005-06-21
Debian DSA 736-1 2005-07-01
Mandriva MDKSA-2005:106 2005-06-28
Red Hat RHSA-2005:498-01 2005-06-23
SuSE SUSE-SA:2005:033 2005-06-22
Gentoo 200506-17 2005-06-21
Fedora FEDORA-2005-428 2005-06-16
Fedora FEDORA-2005-427 2005-06-16

Comments (none posted)

squid: DNS spoofing

Package(s):squid CVE #(s):CAN-2005-1519
Created:May 18, 2005 Updated:July 13, 2005
Description: The squid proxy server performs DNS lookups in a way which is susceptible to answers injected by a hostile user, and, thus, DNS spoofing attacks.
Alerts:
Debian DSA-751-1 2005-07-11
Mandriva MDKSA-2005:104 2005-06-24
Red Hat RHSA-2005:415-01 2005-06-14
Red Hat RHSA-2005:489-01 2005-06-13
Ubuntu USN-129-1 2005-05-18
Fedora FEDORA-2005-373 2005-05-17

Comments (none posted)

SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28

Comments (none posted)

SquirrelMail: several XSS vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-1769
Created:June 21, 2005 Updated:September 16, 2005
Description: Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.
Alerts:
Fedora-Legacy FLSA:163047 2005-09-14
Fedora FEDORA-2005-780 2005-08-22
Fedora FEDORA-2005-779 2005-08-22
Red Hat RHSA-2005:595-02 2005-08-05
Red Hat RHSA-2005:595-01 2005-08-03
Debian DSA-756-1 2005-07-13
Mandriva MDKSA-2005:108 2005-06-30
Gentoo 200506-19 2005-06-21

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: denial of service

Package(s):tcpdump CVE #(s):CAN-2005-1267
Created:June 9, 2005 Updated:October 10, 2005
Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops.
Alerts:
Debian DSA-854-1 2005-10-09
Slackware SSA:2005-195-10 2005-07-15
Ubuntu USN-141-1 2005-06-21
Mandriva MDKSA-2005:101 2005-06-15
Fedora FEDORA-2005-407 2005-06-16
Gentoo 200505-06:02 2005-05-09
Red Hat RHSA-2005:505-01 2005-06-13
Fedora FEDORA-2005-406 2005-06-09

Comments (none posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

telnet: buffer overflows

Package(s):telnet CVE #(s):CAN-2005-0468 CAN-2005-0469
Created:March 28, 2005 Updated:August 1, 2005
Description: Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
Alerts:
Slackware SSA:2005-210-01 2005-08-01
Debian DSA-765-1 2005-07-22
Fedora-Legacy FLSA:154276 2005-07-24
Fedora-Legacy FLSA:152583 2005-07-11
Debian DSA-731-1 2005-06-02
Gentoo 200504-28 2005-04-28
Gentoo 200504-04 2005-04-06
Debian DSA-703-1 2005-04-01
Gentoo 200504-01 2005-04-01
Gentoo 200503-36 2005-03-31
Red Hat RHSA-2005:330-01 2005-03-30
Mandrake MDKSA-2005:061 2005-03-29
Fedora FEDORA-2005-274 2005-03-30
Fedora FEDORA-2005-277 2005-03-30
Fedora FEDORA-2005-270 2005-03-29
Fedora FEDORA-2005-269 2005-03-29
SuSE SUSE-SR:2005:009 2005-03-29
Debian DSA-699-1 2005-03-29
Debian DSA-697-1 2005-03-29
Red Hat RHSA-2005:327-01 2005-03-28

Comments (none posted)

Tor: information disclosure

Package(s):tor CVE #(s):
Created:June 21, 2005 Updated:August 25, 2005
Description: A bug in Tor allows attackers to view arbitrary memory contents from an exit server's process space. A remote attacker could exploit the memory disclosure to gain sensitive information and possibly even private keys.
Alerts:
Gentoo 200508-16 2005-08-25
Gentoo 200506-18 2005-06-21

Comments (none posted)

vixie-cron: crontab allows any user to read another user's crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

wget: file overwrites and arbitrary code execution

Package(s):wget CVE #(s):CAN-2004-1487 CAN-2004-1488
Created:June 9, 2005 Updated:September 27, 2005
Description: wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.

wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.

Alerts:
Red Hat RHSA-2005:771-01 2005-09-27
Ubuntu USN-145-2 2005-09-06
Ubuntu USN-145-1 2005-06-28
Mandriva MDKSA-2005:098 2005-06-09

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

XV: multiple vulnerabilities

Package(s):xv CVE #(s):
Created:April 19, 2005 Updated:July 19, 2005
Description: Greg Roelofs has reported multiple input validation errors in XV image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has reported insufficient validation in the PDS (Planetary Data System) image decoder, format string vulnerabilities in the TIFF and PDS decoders, and insufficient protection from shell meta-characters in malformed filenames. Successful exploitation would require a victim to view a specially created image file using XV, potentially resulting in the execution of arbitrary code.
Alerts:
Slackware SSA:2005-195-02 2005-07-15
Gentoo 200504-17 2005-04-19

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-2096
Created:July 6, 2005 Updated:October 27, 2005
Description: zlib has a buffer overflow vulnerability that can be exploited by inflation of corrupted files; this can be used to crash zlib or possibly remotely execute code.
Alerts:
Mandriva MDKSA-2005:196 2005-10-26
Debian DSA-797-2 2005-09-28
Fedora FEDORA-2005-565 2005-07-13
Slackware SSA:2005-189-01 2005-07-10
Trustix TSLSA-2005-0034 2005-07-08
Mandriva MDKSA-2005:112 2005-07-06
Fedora FEDORA-2005-523 2005-07-07
Fedora FEDORA-2005-524 2005-07-07
OpenPKG OpenPKG-SA-2005.013 2005-07-07
Ubuntu USN-148-1 2005-07-06
SuSE SUSE-SA:2005:039 2005-07-06
Red Hat RHSA-2005:569-01 2005-07-06
Gentoo 200507-05 2005-07-06
Debian DSA-740-1 2005-07-06

Comments (6 posted)

Page editor: Rebecca Sobol

Kernel development

Brief items

Kernel release status

The current stable 2.6 kernel is 2.6.12.3, which was announced on July 15.

The current 2.6 prepatch remains 2.6.13-rc3; a small number of fixes have accumulated in Linus's git repository since -rc3 came out. Since Linus and many key developers are in Ottawa for the kernel summit (see below) and the Ottawa Linux Symposium, activity has been relatively subdued.

The current -mm kernel is 2.6.13-rc3-mm1. Recent changes to -mm include the addition of the class-based kernel resource management (CKRM) patches, a number of fixes, and a set of patches marked "Futz with header files, waste much time."

Since your editor is in Ottawa as well, the Kernel Page will be relatively small this week. It will return to normal next week. Meanwhile, the slides from the "2.6 Kernel Roadmap" OLS talk have been posted for the curious.

Comments (2 posted)

Kernel development news

Quote of the week

Jiffies are here to stay, and they are here to stay for some very very fundamental reasons. If you hear somebody arguing for removing jiffies, you should piss in their general direction, and realize that they don't know what they are talking about.
-- Linus Torvalds

Comments (3 posted)

The 2005 Linux Kernel Developers' Summit

The 2005 version of the invitation-only Linux Kernel Developers' Summit was held on July 18 and 19 in Ottawa. The following are LWN editor Jonathan Corbet's notes from the discussion.

July 18 sessions:

  • The processor panel, being a discussion between the kernel developers and processor architects from AMD, IBM, and Intel.

  • I/O Buses, and I/O memory management units in particular.

  • Virtual memory topics, including fragmentation, response to memory pressure, and scalability.

  • ExecShield; Red Hat's security patches which have only partially been merged into the mainline.

  • Virtualization, and how the kernel can better support it.

  • The virtual filesystem, and various topics related to the VFS.

July 19 (Tuesday) sessions:

  • The hardware vendors' panel, on the impedance mismatch between the kernel development community and manufacturers.

  • Report from the networking summit which was held before the kernel event.

  • The convergence of storage and network paths; how do you ensure safe operation when the distinction between the networking and block subsystems blurs?

  • Clustering: a brief report from the clustering summit held two weeks before in Germany.

  • RAS tools, being mostly a discussion of the recently merged kexec and kdump capabilities.

  • Realtime capabilities, a look at the various proposals for implementing realtime response with Linux.

  • The kernel and the Linux desktop; a report from the Desktop Developers' Conference.

  • A report from the power management summit, contributed by Pat Mochel. Pat also led the session at the Kernel Summit on power management. The one thing that session added which is not in Pat's report: Linus took the power management developers to task for focusing on suspend-to-disk capabilities, when, he says, what everybody wants is suspend-to-RAM. The latter is complicated, however, by the usual video adapter difficulties.

  • The kernel development process, with an emphasis on how the community could produce kernels with fewer bugs.

[Kernel summit group]

The group photo is available in medium resolution (1024 pixels) and full resolution (3072 pixels) formats.

Comments (11 posted)

Page editor: Forrest Cook

Distributions

News and Editorials

An early look at FreeBSD 6

July 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

FreeBSD 6 is on its way. The announcement went out on Friday for FreeBSD 6 Beta1. The FreeBSD announcement indicates that FreeBSD 6 will be "a much less dramatic step from the FreeBSD 5 branch than the FreeBSD 5 branch was from FreeBSD 4." Still, there are a number of improvements and new features in FreeBSD 6 that are worth looking into.

One thing that hasn't changed greatly is the FreeBSD installation process. It's still the same no-frills menu-based installer that FreeBSD has used for some time. (Slackware Linux users will find it quite familiar.) We downloaded the FreeBSD 6 ISOs (though it turned out we only needed disc 1 for the install) and installed FreeBSD in about 20 minutes on a 1.6 GHz Celeron laptop with 512 MB of RAM. For the most part, there's not a great deal of difference from the user's perspective with this release.

Most of the packages included with FreeBSD 6 Beta1, or its Ports tree, are the same versions as what you'd find in FreeBSD 5.4. DistroWatch has a table listing the versions of the most popular open source packages found in FreeBSD 6 and earlier versions. A quick glance shows that the FreeBSD 6 Beta1 doesn't vary a great deal from FreeBSD Stable or the FreeBSD 5.4 release.

There have been a fair number of changes behind the scenes, however. As the release announcement points out, there are improvements to the UFS/VFS filesystem layer, improvements to ACPI power management and other goodies. The ACPI features may still need a little improvement, however. We noted that using acpiconf on the test Toshiba laptop resulted in a power-down of the system rather than just putting it to sleep. Of course, the issue may lie with Toshiba's ACPI implementation rather than any problem with the FreeBSD code.

Wireless users may be happy to know that there are a number of changes to the wlan framework, which includes support for Wi-Fi Protected Access (WPA). There is also increased support for wireless chipsets in FreeBSD 6.

The cross-pollination between BSDs continues in this release. This release includes OpenBSD's dhclient. Brooks Davis announced the switch in June, and noted that this provides privilege separation and support for WPA.

One feature that isn't in FreeBSD 6, at least not yet, is UFS Journaling. It is, however, one of the Summer of Code projects sponsored by Google. FreeBSD developer Scott Long says that it should be ready for FreeBSD 7, and possibly available as a patch for later 6.x releases. If FreeBSD 7 sounds too distant, it's worth noting that the FreeBSD project is already working on FreeBSD 7.

The open issues page lists a few show stoppers and other open issues that must be corrected for FreeBSD 6.0. The release schedule calls for 6.0-RELEASE sometime in mid-August.

For those using FreeBSD 5.x, there is still development there as well. Scott Long writes that there will be a 5.5 release in the fall and quite possibly a 5.6 release after that. According to Long, the 5.x series will continue to be supported until at least late 2007, so there's still plenty of life left in the 5.x series. Long also says that users should feel comfortable deploying FreeBSD 5.x and FreeBSD 6.x side-by-side.

6.x is really just an evolutionary step from 5.x, not the life-altering revolutionary step that 4.x->5.x was. It should be quite easy to deploy and maintain 5.x and 6.x machines side-by-side and migrate them as the need arises. We don't want people to be stranded on RELENG_5 like they were with RELENG_4. 6.x offers everything of 5.x, but with better performance and (hopefully) better stability.

Users who are thinking about upgrading to FreeBSD 6.0 directly from a FreeBSD 5.4 install might find this post by Dru Lavigne useful. From our limited testing of FreeBSD 6.0 Beta1, it looks to be fairly stable and nearly ready for production use.

FreeBSD 6.0 Beta1 is available for x86, AMD64, Alpha, and IA64. Users who want the PowerPC version, however, may need to wait as there are some issues with the release on PowerPC.

There are, of course, far too many changes to cover here. Interested users should read through the release notes to see all of the changes in this release. Overall, it looks like FreeBSD 6 is shaping up to be a very solid OS.

Comments (none posted)

Distribution News

The Fedora BugZappers Triage Team launched

The Fedora Project has launched the Fedora BugZappers Triage Team. "The BugZappers are the official triage team of the Fedora Project. The main goal of the team is to triage, or do a first pass, of bugs in Bugzilla and ensure that a number of parameters are satisfactorily met. Basically what that means is that the BugZappers will go through bugs as they come in and try and make sure the bugs are valid (i.e. not a duplicate), sane and contain enough information to be escalated to developers."

Full Story (comments: none)

Debian GNU/Linux news

The release team is seeking new release assistants. "the development cycle for etch just started off. We would like to bring new people into the loop for etch now to better distribute the workload, and look out for new release assistants."

Bits from the Debian GNU/Hurd porters provides a status update for the Debian GNU/Hurd port. "While the port was limping along for a couple of years, it has picked up speed again. The current state is still far from being on par with Debian's established Linux ports, but it is mostly up to date and reasonably usable."

Version tracking has been added to the bug tracking system. "A frequently requested feature for the bug tracking system in recent years has been the ability to track which bugs apply to which distributions, so that, eg, maintainers and others can tell which bugs that have been fixed in unstable still apply to packages in testing or stable. This has now been implemented."

Joachim Breitner has announced the formation of the Utnubu team and a newly formatted repository of Ubuntu patches.

The Quality Assurance group is holding a Debian-QA-MiniConf at the Technical University of Darmstadt, Germany, from September 9 - 11, 2005.

Here are some reminders on the procedure for updating a lib package for a C++ ABI change. "Also, for those who aren't aware, the new xorg packages now in unstable are also implicated in the C++ transition, because libGLU is implemented in C++. Particularly if you have packages that are involved in other transitions that are happening right now, it may not necessarily be a good idea to rebuild against xorg just yet unless you're already part of the C++ transition."

Comments (none posted)

Distribution Newsletters

Fedora Weekly News

The fifth issue of the Fedora Weekly News has articles such as 'Join Fedora at LinuxWorld in San Francisco', 'Regarding Recent Kernel Update on FC4', 'ATrpms for FC4/i386 and FC4/x86_64', 'Creating a Fedora Core 4 LiveCD', 'Thomas Guide: RealPlayer', 'Review: Fedora Core 4', 'Firefox 1.0.5 Released', 'FUDCon in London?' and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of July 18, 2005 is out. This issue covers the possibility that the Gentoo kernel maintainers will discontinue the gentoo-sources-2.4 kernel series, new hardware donations, an IA64 LiveCD planned for release with Gentoo 2005.1, a bugzilla upgrade, developer of the week Sven Wegener, and several other topics.

Comments (none posted)

Package updates

Fedora Core updates

Fedora Core 4 updates: openssh-4.1p1-3.1 (upgrade to 4.1p1 for bug fixes), pam-0.79-9.1 (fix a regression in XAUTHORITY handling), logwatch-6.1.2-1.fc4 (upgrade to 6.1.2 for bug fixes), kernel-2.6.12-1.1398_FC4 (include a number of patches likely to show up in 2.6.12.3), system-config-bind-4.0.0-18_FC4 (bug fixes), selinux-policy-targeted-1.25.2-4 (bug fixes and isakmp port added), system-config-bind-4.0.0-19_FC4 (no info), java-1.4.2-gcj-compat-1.4.2.0-40jpp_31rh.FC4.1 (cope with impending libgcj and eclipse-ecj updates), diskdumputils-1.1.7-4 (update source package to 1.1.7), radvd-0.8-1.FC4 (upgrade to upstream version 0.8), bind-9.3.1-8.FC4 (fix named.init script bugs), radvd-0.8-2.FC4 (no info), freeradius-1.0.4-1.FC4.1 (fix missing ldap plugin).

Fedora Core 3 updates: octave-2.1.57-7.fc3 (fix several bugs and dependencies), kernel-2.6.12-1.1372_FC3 (include some patches likely to show up in 2.6.12.3), system-config-bind-4.0.0-18 (bug fixes), system-config-bind-4.0.0-19 (no info), diskdumputils-1.1.7-3 (update source package to 1.1.7), radvd-0.8-1.FC3 (upgrade to upstream version 0.8), bind-9.2.5-3 (fix named.init script bugs), radvd-0.8-2.FC3 (no info).

Comments (none posted)

Slackware updates

Slackware has new GCC 3.4.4 packages in testing, along with some Linux 2.6.12.2 kernel packages, and more. See the slackware-current changelog for complete details.

Full Story (comments: none)

Trustix TSL-2005-0035 - multi

Trustix Secure Linux has a bug fix advisory for cyrus-imapd, glibc, samba, sqlgrey, squid and tcpdump.

Full Story (comments: none)

Distribution reviews

Review: Fedora Core 4 (NewsForge)

Here's a review of Fedora Core 4, on NewsForge. "Fedora Core 4 gets low marks for multimedia. I encountered an overwhelming number of bugs in this area. There is no support for proprietary formats such as Windows Media, DVD, and MP3, though having used past Red Hat/Fedora releases, I would expect nothing more. Previously, enabling these multimedia types was not a hard task, but this time, it's daunting."

Comments (none posted)

Reviewer heaps praise on SuSE Linux 9.3 Pro (Desktop Linux)

Desktop Linux has a review of SuSE Linux 9.3 Pro. "[This] is a distribution for someone who wants to push the limits of what you can do with a Linux desktop today. In short, if you're a developer, a power user's power user, or someone who needs to see what 2006's corporate Linux desktop is going to look like, this is the distribution for you."

Comments (none posted)

Run GNU/Linux from a USB pen drive (NewsForge)

NewsForge reviews the Slax distribution, which can be installed on a USB pen drive. "Slax is a powerful and complete bootable distro based on Slackware, equipped with kernel 2.6, ALSA sound drivers, Wi-Fi card support, X11-6.8.2 with support for many GFX cards and wheel mice, and KDE 3.4. Slax uses the Unification File System (also known as unionfs), which enables you to write whatever you want into the pen drive. Bundled software includes KDE, the KOffice office suite, GAIM for chat, the Thunderbird email client, and the Firefox Web browser."

Comments (2 posted)

Page editor: Rebecca Sobol

Development

Visualize Chemistry with GAMGI

GAMGI, the General Atomistic Modelling Graphic Interface, is a tool for visualizing atomic structures. The project is supported by the Instituto Superior Técnico in Lisbon, Portugal, and is being developed by José Carlos Pereira and others. The software has been released under the GPL, BSD, and GFDL licenses.

The project's scientific goals state:

GAMGI aims to be useful for: 1) the scientific community working in Atomistic Modelling, that needs a graphic interface to build input data and to view and analyse output data, calculated with Ab-Initio and Molecular Mechanics programs; 2) the scientific community at large, studying Chemistry, Physics, Materials Science, Geology, etc., that needs a graphic interface to view and analyse atomic structural information and to prepare images for presentations in classes and seminars; 3) teaching chemistry and physics in secondary schools and universities, even inviting students to install and run GAMGI at home; 4) science promotion, in schools, exhibitions and science museums.

GAMGI can plot the following list of objects: "Text, Orbital, Bond, Atom, Direction, Plane, Group, Molecule, Cluster, Cell, Arrow, Shape, Graph, Assembly, Light, Layer and Window."

The GAMGI screen shots give a view of the user interface as well as a wide variety of chemical plots performed by GAMGI.

The technical mission discusses the GAMGI design philosophy and covers some of the system requirements and dependencies: "A really useful package must be easy to obtain, to compile, to use and to change, giving users and developers as much control as possible."

Version 0.11.2 of GAMGI was released this week; changes include: "Crystallographic planes can now be represented by polygons, for all volumes, with minor restrictions. The Cell orientation in a Spherical volume is now the same as for Conventional, Primitive, Wigner-Seitz cell volumes."

The change log file has more details and previews some upcoming features.

The GAMGI source code and packages for Debian and SUSE are available here.

Comments (1 posted)

System Applications

Libraries

libannodex 0.7.1 Release

Version 0.7.1 of libannodex, a library which provides an interface for reading and writing Annodex media, is available. Changes include a new anx_importer_find() API call and more.

Full Story (comments: none)

libfishsound 0.7.0 Released

Version 0.7.0 of libfishsound, a library with utilities for decoding and encoding the Vorbis and Speex audio formats, is out. Changes include several backported features from the development trunk.

Full Story (comments: none)

Web Site Development

FCKeditor 2.0 released (SourceForge)

Version 2.0 of FCKeditor, an online DHTML text editor, has been announced. "It's XHTML compliant and works with Firefox, Mozilla, Netscape and IE. After a long and delicate development path, this is the final release of version 2.0. Now the editor is even more stable. Lots of key bugs have been fixed and a few and exciting new features has been added like native Flash support."

Comments (none posted)

Five 1.1b released

Version 1.1b of Five, a Zope 2 product that allows you to integrate Zope 3 technologies into Zope 2, has been announced. Changes include Zope 3-style i18n, Zope 3 to Zope 2 interface bridging, and more standard ZCML directives.

Comments (none posted)

MediaWiki 1.4.7 released (SourceForge)

Version 1.4.7 of MediaWiki, the collaborative editing software that runs the Wikipedia online encyclopedia, is available with bug fixes.

Comments (none posted)

Midgard 1.7rc2 released

Version 1.7 rc 2 of Midgard, a web content management system, is out with several new features.

Full Story (comments: none)

Wicket 1.0.1 released (SourceForge)

Version 1.0.1 of Wicket is out with bug fixes and other improvements. "Wicket is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favourite technology."

Comments (none posted)

Desktop Applications

Audio Applications

gtkpod V0.94.0 Released (SourceForge)

Version 0.94.0 of gtkpod, a graphical front-end for the iPod that uses GTK2, is available. "New features include the stable sorting of displayed tracks (click several headers in order and have the view sorted accordingly) and the sort-ignore-lists (ignore the 'the' at the start of albums...). If you speak Hebrew, you will probably welcome the new Hebrew translation catalog. More important for some users may be the support for iTunes 4.9 and firmware 3.1 released by Apple at the end of last month. Podcasts are still not supported, however."

Comments (none posted)

iPodder 2.0 for linux released (SourceForge)

Version 2.0 of iPodder has been announced. "iPodder is a media aggregator which automatically downloads files to your computer or portable device, leaving you 'one-click-away' from latest media feeds. Based on the iPodder idea of Adam Curry. Thanks to much effort by Scott Grayban, the iPodder 'Lemon Edition' team is pleased to announce the release of iPodder 2.0 for Linux." See the release notes for change information.

Comments (none posted)

QjackCtl 0.2.18 released

Version 0.2.18 of QjackCtl, a GUI control interface to the Jack Audio Connection Kit (JACK), is out with bug fixes.

Full Story (comments: none)

CAD

BRL-CAD 7.4.0 released (SourceForge)

Version 7.4.0 of BRL-CAD, a constructive geometry solid modeling system, has been announced. "This release of BRL-CAD includes, among many new and improved features, the following enhancements since the last announcement (7.4.0 and 7.2.6 enhancements): the addition of an impressive high-performance triangle path-tracer, a completely rewritten rtarea tool for computing exposed and presented surface areas, benchmark suite enhancements, installation of a benchmark tool, and the inclusion of example geometry in the installation."

Comments (1 posted)

Data Visualization

PyX 0.8 released

Version 0.8 of the Python graphics package PyX is available. "PyX now supports PDF output and also the generation of multi-page PS/PDF documents. The internals of the path system have been cleaned up and the external interface has been streamlined. The axis data handling of the graph component has undergone a major revision. Many other improvements and bug fixes are included in this release."

Comments (none posted)

Desktop Environments

GNOME 2.11.5 Development Release

Development Release 2.11.5 of the GNOME desktop is available for testing. "This is the first actual 2.11 release, (and it's late. The release team apologizes), though garnome and ubuntu breezy (without GTK+ 2.7) have been shipping previous versions. So it's even more important now that people test this as much as possible."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week:

Comments (none posted)

This Month in SVN (KDE.News)

KDE.News has announced the July 2005 edition of This Month in SVN. "New features include recursive functions in KTurtle, aesthetic enhancements in Kalzium, the eye-candy that is SuperKaramba and Konqueror's improved search box."

Comments (none posted)

Desktop Publishing

LyX 1.3.6 is released

Version 1.3.6 of LyX, a GUI front-end for the TeX typesetting application, is out with bug fixes and newly added native support for Windows.

Full Story (comments: none)

Scribus 1.3.0 released

Scribus 1.3.0 has been released. This version is called a "technology preview," but is said to be "stable and usable." Enhancements include a new undo system, table-of-contents generation, a "pre-flight verifier" for printing and PDF exports, facing page support, ports to your favorite proprietary platform, and more; click below for the full announcement.

Full Story (comments: none)

Electronics

Signs version 0.5.0 released

Version 0.5.0 of Signs is available. "Signs is a logic synthesis tool and gate level simulator for circuit descriptions in VHDL and other hardware description languages. Besides that, Signs contains modern fault simulators and automatic test pattern generators for computer aided testing of integrated circuits."

Comments (none posted)

XCircuit 3.3.25 released

Version 3.3.25 of XCircuit, an electronic schematic drawing package, is out. This release adds patches from the SourceForge repository.

Comments (none posted)

Financial Applications

SQL_Ledger version 2.4.14 is out

Version 2.4.14 of SQL_Ledger, a web-based accounting system, is out. Changes include new keyboard access keys for POS, new focus capabilities, bug fixes, and more.

Comments (none posted)

Games

Auctioneer 3.0.10 has been released (SourceForge)

Version 3.0.10 of the game Auctioneer has been announced; it features bug fixes and performance improvements. "Auctioneer is an interface addon to the World of Warcraft (TM) game. Auctioneer enhances the WoW interface by adding additional information to the tooltips in the game that allow you to see additional information on the value of items in the game."

Comments (none posted)

Pioneers 0.9 released (SourceForge)

Version 0.9 of Pioneers is available. "Pioneers is a clone of the board game The Settlers of Catan. The new version includes a map editor, a stronger computer player and new maps."

Comments (none posted)

The return of PyGame

The PyGame (Python Game) project has re-emerged. There are several new games available, a PyWeek Game Programming Challenge, and more.

Comments (none posted)

Mail Clients

Mozilla Thunderbird 1.0.5 Released (MozillaZine)

Version 1.0.5 of the Mozilla Thunderbird email client has been announced. "This latest release is a minor update to the standalone mail and news program that fixes some security issues and improves stability. It is recommended for all 1.0.x users as an essential upgrade and can be downloaded from the Thunderbird product page or the 1.0.5 directory on ftp.mozilla.org."

Comments (none posted)

Mozilla Thunderbird 1.0.6 Released (MozillaZine)

Version 1.0.6 of the Mozilla Thunderbird email client has been announced. "This latest version should resolve the extension problems that were accidentally introduced in Thunderbird 1.0.5. In particular, the popular Enigmail PGP add-on should now work correctly."

Comments (none posted)

Mozilla Thunderbird 1.1 Alpha 2 Released (MozillaZine)

The Alpha 2 release of Mozilla Thunderbird, an email client, is available for testing. "Alpha 2 contains many bug fixes and improvements to the new features which were introduced in the first alpha including the ability to create message filter actions for forwarding and replying (with a template), exporting RSS feeds, handling .eml files, and a new software update system (currently disabled)."

Comments (none posted)

Music Applications

E-Radium V0.61b

Version 0.61b of E-Radium, a midi music editor that runs under the E-Uae Amiga emulator, is out. "This version of E-Uae is a hacked version of 0.28cvs, which runs with realtime priority to get accurate timing and supports alsa-seq to access midi. It does not hog the cpu as much as e-uae does either so it can be used together with various sound synthesis software running simultaneously in linux."

Full Story (comments: none)

NoteEdit 2.8.0 Final released

Version 2.8.0 Final of NoteEdit, a music score editor, is available. "The NoteEdit team is glad to announce the first major-version since its new beginning!" A long list of changes is included.

Full Story (comments: none)

Office Suites

OpenOffice.org 1.1.5 Release Candidate Is Here

The first release candidate of OpenOffice.org 1.1.5 is available for testing. "What's important about 1.1.5rc? It includes numerous bug fixes but just as important includes a filter for OpenDocument files, which is the type that OpenOffice.org 2.0 and the 1.9.x releases create."

Full Story (comments: none)

OpenOffice.org build 1.9.116 is out

Build 1.9.116 of OpenOffice.org has been released. Numerous changes are included; click below for the details.

Full Story (comments: none)

Web Browsers

Firefox 1.0.6 Candidate Builds Available (MozillaZine)

MozillaZine has announced the availability of Firefox 1.0.6 candidate builds. "Marcia Knous writes: 'The Mozilla Quality Assurance team is requesting help from the community to test the 1.0.6 builds. Please visit the post in the QA blog to get more information regarding the testing.'"

Comments (none posted)

Mozilla Firefox 1.0.6 Released (MozillaZine)

MozillaZine has an announcement for the release of Mozilla Firefox 1.0.6. "As we reported previously, API changes in last week's Firefox 1.0.5 broke some extensions. This version should resolve the problems."

Comments (none posted)

Mozilla 1.7.9 Release Candidates Available (MozillaZine)

MozillaZine has announced the availability of Mozilla 1.7.9 release candidates. "Mozilla 1.7.9 is a minor update to the Mozilla Application Suite with fixes for some security issues."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the July 11, 2005 Mozilla.org staff meeting have been announced. "Issues discussed include Mozilla Firefox 1.0.5, Deer Park Alpha 2, the new application update system, 1.1 Beta 1 planning, server transitions, international domain names (IDN), hiring new employees and the news server."

Comments (none posted)

Languages and Tools

C

GCC 4.1 stage 2 has been closed

Stage 2 of the GNU Compiler Collection version 4.1 has been closed. "The following projects were contributed during stage 1 and stage 2: New C Parser, LibAda GNATTools Branch, Code Sinking, Improved phi-opt, Structure Aliasing, Autovectorization Enhancements, Hot and Cold Partitioning, SMS Improvements, Integrated Immediate Uses, Tree Optimizer Cleanups, Variable-argument Optimization, Redesigned VEC API, IPA Infrastructure, Altivec Rewrite Warning Message Control, New SSA Operand Cache Implementation, Safe Builtins, Reimplementation of IBM Pro Police Stack Detector, New DECL hierarchy."

Comments (none posted)

Caml

Caml Weekly News

The July 19, 2005 edition of the Caml Weekly News is online with new Caml language articles. Topics include: pftdbns 0.2.6, AS/Xcaml status, Pattern Matching Papers, OMake 0.9.6 and Idea for another type safe PostgreSQL interface.

Full Story (comments: none)

Java

GNU Classpath 0.17 released

Developer snapshot version 0.17 of GNU Classpath, a set of free essential libraries for Java, is out. "This is mainly a bug fix release for issues found with eclipse 3.1 and Free Swing applications just after our 0.16 release. But it also includes some exciting new features."

Full Story (comments: none)

Taking JUnit Out of the Box (O'ReillyNet)

Amir Shevat looks at JUnit in an O'Reilly article. "There are many tools designed to help us test, analyze, and debug programs. One of the most well-known tools is JUnit, a framework that helps software and QA engineers test units of code. Almost everyone that encounters JUnit has a strong feeling about it: either they like it or they don't. One of the main complaints about JUnit is that it lacks the ability to test complex scenarios."

Comments (none posted)

Perl

This Week in Perl 6 (O'Reilly)

The July 14, 2005 edition of This Week in Perl 6 is out with the latest Perl 6 language news.

Comments (none posted)

PHP

PHP 5.1 Beta 3 Available

Version 5.1 Beta 3 of PHP has been announced. New features include the addition of PHP Data Objects, better language performance, version 5.0 of the PCRE extension, bug fixes, and more.

Comments (none posted)

PHP Weekly Summary for July 11, 2005

The PHP Weekly Summary for July 11, 2005 is out. Topics include: Reference counting bug in libxml2; namespace proposal; date/timezone classes; signal blocking proposal; gone to Siberia; column length in PDO_MYSQL; a mad week in CVS; and safemode permissions patch.

Comments (none posted)

PHP Weekly Summary for July 18, 2005

The PHP Weekly Summary for July 18, 2005 is out. Topics include: Date/timezone classes (continued); PHP 4.4.0 released; PHP 4.0 escaped; struct ordering?; PHP-GTK 1.0.2 released; politics and the BC break in PHP 4.4; PHP 5.1.0 beta 3 released; dropping support for Win 98/NT/ME?; Ilia's week; and another safemode patch.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The July 13, 2005 edition of Dr. Dobb's Python-URL! is online with lots of new articles about the Python language.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The July 20, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python language articles.

Full Story (comments: none)

XML

DocBook XSL 1.69.0 released (SourceForge)

Version 1.69.0 of DocBook XSL has been released. "The release includes major feature changes, particularly in the manpages stylesheets, as well as a large number of bug fixes. This project is the home for the DocBook XSLT stylesheets and DSSSL stylesheets and more."

Comments (none posted)

Version Control

monotone 0.21 released

Version 0.21 of monotone, a version control system, is available. Changes include several new command line options, new capabilities and bug fixes.

Full Story (comments: none)

Miscellaneous

Algol 68 Genie Mark 8 released

The Mark 8 release of the Algol 68 Genie interpreter is available. Changes include new networking procedures, a number of new keywords, and more.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Firefox marketing site hacked (News.com)

News.com reports that the SpreadFirefox.com site was compromised. "The exploited flaw was a vulnerability in PHP, the language in which Drupal, the content management system that Spread Firefox uses, is written."

Comments (15 posted)

Linux in Government: Outside the US, People Get It (Linux Journal)

Linux Journal looks at the spread of Linux around the world. "Interestingly, the US government appears to favor a company it deemed a monopoly over Linux and open-source software. While technically educated Linux and open-source work forces have grown in Germany, China, Brazil, India and Hungary since 2001, the US government has done nothing to keep pace with the rest of the world. Only a decade ago, the US held a technological edge over Europe and Asia in all areas of IT. Today, the once burgeoning IT industry in the US has given way to its competitors, especially China and India."

Comments (5 posted)

Trade Shows and Conferences

O'Reilly Where 2.0 Conference Wrap-Up

O'Reilly has released a Where 2.0 Conference Wrap-Up. "Where 2.0, a new O'Reilly conference that took place June 29-30 in San Francisco, honed in on the new tech sector coalescing around these location-related technologies that promise to transform and personalize the way we all engage the Web and the world around us."

Full Story (comments: none)

The SCO Problem

The Michael Davidson Email - SCO v. IBM (Groklaw)

Here's a fun one: Groklaw has a message from Michael Davidson, thanks to the unsealing of various exhibits in SCO v. IBM. This message, from 2002 (i.e. before the suit was filed), summarizes his attempt to find copyright infringements in Linux; it was sent to Reg Broughton, and thence to Darl McBride. "The hope was that we would find a 'smoking gun' somewhere in code that was being used by Red Hat and/or the other Linux companies that would give us some leverage.... At the end, we had found absolutely *nothing*. ie no evidence of any copyright infringement whatsoever." SCO decided to sue anyway.

Comments (16 posted)

The Davidson Email, Red Hat, and the Lanham Act (Groklaw)

Groklaw takes a look at Red Hat and the Lanham Act. "Let's go back and take a look at what Red Hat is claiming in its lawsuit against The SCO Group. I think it will help you to understand why SCO is trying to spin, spin, spin so hard and what they are probably really afraid of. At least, I'd be scared, if I were them."

Comments (8 posted)

Sandeep Gupta's Redacted Declaration of July 2004 (Groklaw)

Groklaw examines the recently unsealed Redacted Declaration in Support of SCO's Opposition to IBM's Cross-Motion for Partial Summary Judgment by Sandeep Gupta. "It's quite a performance by Mr. Gupta. So much is redacted, it's hard for us to know what he said in detail, but Dr. Brian Kernighan, IBM's expert, did get to read it all, and he answers Mr. Gupta point-by-point in scathing terms in the recently unsealed Declaration of Brian W. Kernighan. In fact, unless I have misunderstood, he as much as says that Mr. Gupta improperly (may I even conclude he implies dishonestly or is it just incompetence being alleged?) cobbled bits and pieces of code from all over the place to make it look like a block of similar code".

Comments (none posted)

Companies

HP to announce restructuring Tuesday (News.com)

News.com reports that HP has announced restructuring and job cuts. "[CEO Mark] Hurd is expected to announce sweeping cuts to HP's workforce as part of a plan to bring the company's costs more in line with its competitors. About 15,000 employees could lose their jobs, with HP's IT, sales and service divisions among the areas particularly hard hit, according to a source close to the company."

Comments (none posted)

Intel to cut Linux out of the content market (Inquirer)

Over the years, your editor has seen several "platform X will lock Linux out of the market" stories. Here's the latest installment: a lengthy Inquirer article on how Intel is handing the digital video market to Microsoft. "The vehicle to do this is called East Fork, the upcoming and regrettable Intel digital media 'platform'. The funny part is that the scheme is already a failure, but it will hurt you as it thrashes before it dies. Be afraid, be very afraid."

Comments (26 posted)

Sun to open-source single sign-on code (News.com)

News.com looks at Sun's plans to release parts of its Java Access Manager single sign-on product as open-source code. "Web single sign-on makes it easier for users to log into multiple Web applications with one set of credentials and simplifies password management for organizations. The code Sun is releasing is meant to enable single sign-on only inside a single organization; it does not support federation across organizations."

Comments (2 posted)

Linux Adoption

Schools ink deal for open source (Stuff)

A New Zealand publication called Stuff looks at the use of Novell/SUSE Linux by the New Zealand Education Ministry. "The Education Ministry has signed an 18-month software licensing deal with Novell New Zealand, the ministry's first deal to provide open source software to schools. It includes Novell's SUSE distribution of the Linux desktop operating system. The Novell deal lets schools buy software for the same cost as Microsoft products, about $99 per product per server for a year-long licence. The ministry's senior ICT consultant, Douglas Harre, says it is meant to equalise prices of Microsoft and Novell products."

Comments (none posted)

Linux at Work

Linux trounces Windows Mobile in smartphone shipments (Linux Devices)

Linux Devices looks into the rise of Linux in the mobile phone market. "Embedded Linux powered 14 percent of smartphones shipped worldwide in Q1 of 2005, up 412 percent from 3.4 percent in Q1-04, according to Gartner. Windows Mobile Smartphone shipments also grew, rising 50 percent from a 2.9 share in 1Q-04 to 4.5 percent in 1Q-05, Gartner says."

Comments (4 posted)

Legal

Grokking Grokster (O'ReillyNet)

Quinn Norton analyzes the MGM v. Grokster case on O'Reilly. "Fred Von Lohmann of the EFF, who represented Grokster in district and circuit court, pointed out that Sony also openly advertised dubious uses of its Betamax, some of which were ruled a fair use, like time shifting. But 'Librarying [building up a library of aired works for repeat viewing] was never ruled a fair use.' So, what makes Sony OK and Grokster not?"

Comments (none posted)

Interviews

Interview: Greg Wallace on the future of embedded Linux (NewsForge)

NewsForge talks to Emu Software's Greg Wallace about the C3 Expo panel on embedded Linux. "I think that this market is really exploding in complexity, size, and in innovation. Embedded Linux intelligence is making its way into devices as diverse as network equipment to digital cameras. I think the entrepreneurs, developers and investors that gain an understanding of what is driving this market will be extremely well positioned to gain from its growth."

Comments (none posted)

Mozilla: From obscurity to opportunity (ZDNet UK)

ZDNet UK has published a set of articles and interviews about the Mozilla Foundation. "The non-profit Mozilla Foundation has gone from zero to hero over the last two years thanks to the increasing popularity of the Firefox browser. ZDNet UK visited the company's HQ in Mountain View, California, to find out how a small band of open source enthusiasts have started to challenge Microsoft's hold on the browser market." (Found on MozillaZine.)

Comments (none posted)

Resources

What New Users Need to Know About OpenOffice.org (Linux Journal)

Linux Journal's Bruce Byfield looks at some pitfalls that new users of OpenOffice.org are likely to encounter. "The question is worth asking. Any large piece of software has its own ways of doing things, and OpenOffice.org is no exception. In fact, because of its history and its design assumption that users are at least as interested in designing documents as in writing them, OpenOffice.org needs more orientation than most. OOo is not difficult to learn, but if you approach it expecting it to behave exactly like another office suite, especially MS Office, you are setting yourself up for frustration."

Comments (none posted)

At the Sounding Edge: FreeWheeling (Linux Journal)

Dave Phillips plays with audio looping software for the Linux Journal. "I'm often asked whether Linux audio software includes anything similar to Acid. I freely confess that Linux audio development has yet to come up with an Acid competitor, although Ardour might be warped into service. However, Linux-based musicians do have access to some impressive loop-based music software, and so we come at last to FreeWheeling."

Comments (none posted)

Linux Audio Musings

Dave Phillips has updated his Linux audio musings column for July/August 2005. Take a look to see what's new in the world of audio software.

Comments (none posted)

Creating a community Linux event (NewsForge)

Matthew Revell discusses the process of organizing a community Linux event in a NewsForge article. "My fellow LugRadio presenters and I decided that we'd try to fill the gap for a U.K. community-oriented Linux event. Last month, roughly 250 open source fans attended LugRadio Live, a mix of talks, exhibition, LAN gaming, paintball, beer, and curry. Central to our event was the idea that everyone is a member of the same community and so everyone should be able to come."

Reviews

Device Profile: Aeronix Zipit instant messenger appliance (Linux Devices)

Linux Devices reviews the Aeronix Zipit, an inexpensive instant messenger appliance that runs an embedded Linux operating system. "The Zipit is marketed under brandnames that include ZipitWireless and K-Byte, and is currently available at Target and TigerDirect, priced at $99, in colors that include white, silver, blue, red, and pink. It includes an 802.11b WiFi radio, 16-color greyscale LCD with QVGA (320x240) resolution, and a thumb keyboard with rubber buttons. Also included is a stereo DAC (digital audio converter) connected to a speaker and headphone jack."

Miscellaneous

OSDL's Linux Initiatives (O'ReillyNet)

There is a rather uncritical article on O'ReillyNet describing OSDL's specification efforts. "The intent of the group is to create a list of the capabilities that a desktop system must have to successfully address each of the usage models. Once the group understands and clearly documents the required capabilities, it then becomes possible to identify key inhibitors that are preventing successful adoption, as well as specific technologies that either are not present or have some deficiencies when applied to enterprise environments. Working with Linux distributors and existing open source development communities, and, if necessary, creating new development communities by way of OSDL SIGs, the group hopes to accelerate Linux development in the specific areas that will facilitate its adoption on the enterprise desktop."

Coding misstep forces new Firefox release (News.com)

News.com follows the story behind recent and upcoming releases of Mozilla Firefox and Thunderbird. "The open-source Firefox browser and Thunderbird e-mail client will be updated for the second time in a week because of code changes that have unintentionally stopped some third-party extensions from functioning correctly. The updates will take Firefox and Thunderbird to version 1.0.6, while the Mozilla Suite will be updated to version 1.7.10 ..."

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Bluescreen welcomes Jettisoned / Old / Unused PCs

Tuomas Santakallio represents a company called Bluescreen, a student project that aims to create solutions on Debian for educational and SME environments. "In practice, we export refurbished PCs installed with Debian or Ubuntu into Kenya, where the PCs will be used in schools, churches, healthcare centres, libraries, internet cafés, etc. Some computers are bought for private use."

The Gimp needs more friends

An effort is underway to increase the public awareness of the Gimp, a full-featured image manipulation application. "There is a simple solution to end the deep unawareness of the Gimp. The Gimp needs more advertising to gain more users, developers and professional friends. The Gimp needs something like "spread firefox" or "get firefox", but in the more intelligent way."

IDABC unveils draft software licence

IDABC has announced the unveiling of a new draft software licence. "At the annual LinuxTag fair and conference, IDABC presented a draft version of a software license that it hopes will encourage public administrations to release software applications developed by them. The proposal, which has been given the working title EU public licence (EUPL), was written on behalf of IDABC by the University of Namur following an in-depth study on existing licenses."

Rafael Ebron New Head of Mozilla Update (MozillaZine)

MozillaZine has announced the new head of the Mozilla Update project, Rafael Ebron. "Rafael's appointment comes after concerns from long-time Mozilla Update contributor Alan J Star that development of Mozilla Update is progressing too slowly and that there's not enough detailed planning for Mozilla Update 2.0, a complete rewrite of the site."

RWJ Foundation: Information Links Grants (LinuxMedNews)

LinuxMedNews looks into a grant program from the Robert Wood Johnson Foundation for: Connecting Public Health with Health Information Exchanges.

Commercial announcements

ActiveGrid Closes $10 Million in Series B Financing

ActiveGrid, Inc. has announced that it has closed a $10 million Series B round in financing, led by Worldview Technology Partners. "ActiveGrid plans to use the funds to accelerate and extend the development of its Enterprise LAMP product offering to leverage the growing popularity of the LAMP (Linux, Apache, MySQL, PHP/Python/Perl) software stack. Irwin Gross, general partner of Worldview Technology Partners, will join the company's board of directors."

Mandriva settles Hearst litigation

Mandriva (formerly Mandrakesoft) has settled the litigation it had with Hearst Publications and Kingfisher Syndicate. This litigation concerned the "Mandrake The Magician" character and had been going on since 2000.

Mandriva Certifies BitDefender Linux Security Solutions

BitDefender Linux Security Solutions has announced its certification by the Mandriva Linux distribution. "Mandriva Linux distribution developers issued BitDefender security vendors with certificates stating full compatibility between BitDefender for Samba Linux File Servers, BitDefender Mail Protection for Small Business and Mandriva Linux Corporate Server 3.0."

Open-Xchange Inc. Bundles Novell's SUSE LINUX Enterprise Server

Open-Xchange Inc. has announced an agreement with Novell to bundle SUSE Linux Enterprise Server with its Open-Xchange (OX) Server. "Open-Xchange also enters Novell's Technology Partner Program and will receive selling, marketing and development support."

Open-Xchange Announces Agreement With Red Hat

Open-Xchange Inc. has announced a software partner agreement with Red Hat. "According to the agreement, Open-Xchange Server is now certified for the Red Hat Enterprise Server and Red Hat Application Server platform. Red Hat will provide Open-Xchange Inc. with open source technology and services as part of the Software Partner Agreement for distribution with Open-Xchange products. Open-Xchange Inc. will offer bundles for new customers and upgrade bundles for customers who want to migrate from SUSE LINUX Openexchange Server to the Red Hat platform."

Rackspace Taps Novell to Manage Multiple Linux Operating Systems in Enterprise Hosting Environment

Novell, Inc. has announced that Rackspace Managed Hosting has selected Novell(R) ZENworks(R) Linux Management software to administer its new enterprise Linux hosting solution. "Additionally, with the launch of Rackspace Red Label, the company now offers its enterprise hosting solution on SUSE LINUX Enterprise Server, among other Linux distributions."

Bill Joy Joins SpikeSource Board of Directors

SpikeSource has announced the appointment of Bill Joy to its board of directors. "Bill Joy has joined the company's board of directors and that it has hired two new executives to oversee core business areas. Joaquin Ruiz has joined as vice president of product marketing and Anders Tjernlund as vice president of support services."

New Books

Perl Best Practices - O'Reilly's Latest Release

O'Reilly has published the book Perl Best Practices by Damian Conway.

Prentice Hall publishes "A Practical Guide to Linux Commands, Editors, and Shell Programming"

Prentice Hall has published A Practical Guide to Linux Commands, Editors, and Shell Programming by Mark Sobell.

Resources

July 14 EDRI-gram newsletter

The EDRI-gram newsletter for July 14 is out, with the usual collection of news items on digital rights issues in Europe. The second piece - on a new European Commission proposal which would turn many "intellectual property rights" violations into criminal offenses with a four-year prison term - is especially worth a look. "As with the 2004 IPR directive, the definition of 'commercial scale' is highly ambivalent. It doesn't require financial benefit, profit, or motive.... Free/Open source software development could be seriously jeopardised as well as generic drug production, by strong-armed legal hassle instead of civil proceedings."

Realtimepublishers Releases 'The Developer Shortcut Guide to SUSE LINUX'

Realtimepublishers has published the online book The Developer Shortcut Guide to SUSE LINUX by John Featherly. "Written for experienced developers who are looking to get a quick start on writing open source-based enterprise applications, this guide offers the most up-to-date information on the capabilities of SUSE LINUX as a development environment for enterprise .NET and Java applications."

Education and Certification

New POSIX Certification Addresses Predictability for Realtime

The Open Group and IEEE have announced a new POSIX certification program. "The certification is based on the criteria for bounded response times in Application Profile PSE54, which is part of the IEEE 1003.13(TM)-2003 standard, and complements the existing certification program for the base POSIX 1003.1(TM) standard."

Upcoming Events

Australian Open Source Developers' Conference

The 2nd Australian Open Source Developers' Conference will be held in Melbourne, Australia on December 5-7, 2005. "OSDC is a great opportunity for open source devotees to attend an affordable conference where the main focus is software development. Companies and other organisations will find the conference an ideal avenue for providing professional development for staff, identifying trends and partners and promoting their services."

CFP: Open Source Developers Conference - Melbourne

The 2005 Open Source Developers Conference will be held in Melbourne, Australia on December 5-7. A call for papers has been issued.

CFP: 1st European Conference on Computer Network Defence

The 1st European Conference on Computer Network Defence (EC2ND) will be held at the University of Glamorgan in Pontypridd, UK on December 15 and 16, 2005. A call for papers has been issued; materials are due by September 30.

Registration Opens for the First O'Reilly EuroOSCON

Registration is open for the O'Reilly EuroOSCON; the event will take place in Amsterdam, The Netherlands on October 17-20, 2005.

14th USENIX Security Symposium Announced

The USENIX Association has announced the 14th Annual USENIX Security Symposium. The event will take place in Baltimore, Maryland on July 31-August 5, 2005.

Events: July 21 - September 15, 2005

| Date | Event | Location |
|---|---|---|
| July 21 - 23, 2005 | Ottawa Linux Symposium (OLS 2005) | Ottawa, Canada |
| July 21 - 22, 2005 | ApacheCon Europe 2005 | Stuttgart, Germany |
| July 21 - 22, 2005 | North American Plone Symposium (The Astro Crowne Plaza) | New Orleans, Louisiana |
| July 21 - 22, 2005 | PostgreSQL Bootcamp (Big Nerd Ranch) | Atlanta, GA |
| July 26, 2005 | 2nd European LISP and Scheme Workshop | Glasgow, Scotland |
| July 27 - 28, 2005 | Black Hat Briefings USA 2005 | Las Vegas, NV |
| July 29 - 31, 2005 | DefCon 13 (Alexis Park) | Las Vegas, Nevada |
| July 31 - August 4, 2005 | 2005 SIGGRAPH Computer Animation Festival | Los Angeles, CA |
| July 31 - August 5, 2005 | USENIX Security Symposium | Baltimore, MD |
| August 1 - 5, 2005 | O'Reilly Open Source Convention (Oregon Convention Center) | Portland, Oregon |
| August 1 - 5, 2005 | CIFS 2005 Conference and Plugfest (Doubletree Hotel) | San Jose, CA |
| August 4, 2005 | Penguincon 2005 | Israel |
| August 4 - 7, 2005 | Linux 2005 (University of Wales) | Swansea, UK |
| August 8 - 11, 2005 | LinuxWorld Conference and Expo (Moscone Center) | San Francisco, CA |
| August 20, 2005 | Free Audio and Video Event (FAVE) (Trinity Community and Arts Centre) | Bristol, UK |
| August 27 - September 4, 2005 | aKademy 2005 (University of Málaga) | Málaga, Spain |
| August 31 - September 2, 2005 | YAPC::EU::2005 (University of Minho) | Braga, Portugal |
| September 1 - 2, 2005 | Symposium on Security for Asia Network (SyScAN'05) (The Dusit Thani Hotel) | Bangkok, Thailand |
| September 5 - 9, 2005 | International Computer Music Conference (ICMC 2005) | Barcelona, Spain |
| September 14 - 16, 2005 | php\|works (Holiday Inn Yorkdale) | Toronto, Canada |

Mailing Lists

Ubuntu artwork

Ubuntu has set up a new Artwork Team to handle all the pretty pictures in the Ubuntu project. This will include things like icons, splash screens, wallpapers, the calendar and much more. If you're interested in getting involved, the best way to start is to join the new artwork mailing list.

Audio and Video programs

New episode of LUGRadio out (GnomeDesktop)

GnomeDesktop mentions the availability of a new audio program from LUGRadio. "The incredible crew at LUGRadio have put out another entertaining show featuring some discussion about GStreamer and Jono Bacon's newfound intimate relationship with it. Also being interviewed is Edward Hervey, maintainer of PiTiVi the GStreamer based non-linear video editor. Also interviewed is Sarah Ewen from Sony, talking about Linux on current and future Playstation's and Sony's plan for World Domination."

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds