LWN.net Logo

LWN.net Weekly Edition for July 28, 2005

An OLS wrapup

The seventh annual Ottawa Linux Symposium has come to an end. Your editor, who has attended six of the seven OLS events, finds the conference in good [Ottawa art shot] health. OLS was larger this year - some 700 people - but it has handled its growth well. OLS remains one of the premier Linux development gatherings worldwide.

A look at the schedule reveals some clear themes for this event. Virtualization is obviously at the top of the list for many OLS attendees; the largest room was dedicated to the topic for a full day. This was perhaps the most kernel-oriented schedule yet from an already kernel-dominated event; there was hardly enough non-kernel content to fill even a single track. Those who are interested in the user space side of free software may find themselves drifting toward other events; but kernel people will find plenty of interest at OLS.

OLS is an increasingly professional event; the proportion of students and part-time hackers attending the event appears to have dropped over the years. Registration fees can be as high as C$750. A surprising number of the attendees are mostly concerned with what their customers want from Linux; these are people who are making their living in a way which at least involves Linux and free software.

As always, there was no trade show floor at OLS; nobody is trying to sell anything to the attendees. OLS is very much about technology and development communities, and little about hype.

Your editor, rather than trying to provide exhaustive coverage of the event, attended some of the more interesting sessions. The resulting articles have been posted over the last week; for convenience, they are:

  • A challenge for developers. Jim Gettys thinks that free software developers have to get past the "mantra of one," build the multiuser, cooperative systems of the future, and take the lead for the next generation of computing.

  • Linux and trusted computing. IBM engineers Emily Ratliff and Tom Lendacky discuss the current state of Linux support for the "trusted platform module" (TPM) chip and some of the good things that it can do for us. Trusted computing does not have to be an evil thing.

  • Xen and UML. Lead developers from the two most prominent Linux paravirtualization projects discuss where those projects are and what's coming next.

There was much more than the above at OLS this year; your editor, in particular, appreciated Keith Packard's discussion of the TWIN window system (designed for very small devices), Michael Austin Halcrow's description of the eCryptfs filesystem (hopefully to be written up in the future), Rusty Russell's discussion of nfsim, and Pat Mochel's sysfs talk. The Wednesday reception featured talks by Doug Fisher of Intel (who nearly got booed off the stage when it became clear that his talk was being run from a Windows system) and Art Cannon from IBM. Art's talk, a buzzword-loaded presentation on how to talk to business people about open source, was well received but hard to follow due to the poor acoustics and high noise level in the room. If you gather several hundred people (many of whom have not seen each other over the past year) into a room and give them all the beer they want, it can be hard to get them to sit down, be quiet, and listen to somebody talk about business stuff.

[Dave Jones and Andrew Morton] Dave Jones's ending keynote, instead, got everybody's full attention. Dave, who, among other things, is the current maintainer of Red Hat's kernels, is concerned with the number of regressions and other bugs seen in recent kernels. The quality of our kernels, says Dave, is going down as a result of regressions, and driver regressions in particular.

There's a lot of reasons for the problems. They date back, perhaps, to the adoption of BitKeeper. With BK, Linus could quickly pull in a large set of patches from a subsystem maintainer without really looking at them all. So BitKeeper increased the velocity of patches through the system, with some cost as to the quality. The real problem, however, is one of testing. The only way to really find kernel bugs is to have the kernel tested by a wide variety of users. This is particularly true for driver bugs; nobody, not even the driver maintainer, can possibly have all of the hardware needed to perform even remotely comprehensive testing. It takes a large community of users to do that.

When testing does happen, we need to make it easier for users to report bugs. Requiring a user to create a BugZilla account and fill in vast amounts of information for a (possibly) tiny bug is counterproductive; many bug reporters will simply give up and go away. Bug reporting should be a simple and quick operation.

There are, in any case, quite a few challenges involved in dealing with bug reporters; this was Dave's opportunity to complain a little about the frustrations of his job. Bug reporters tend to always see their bug as the most important one (so, he says, bug reporting systems should not allow reporters to set the severity of the bug); they will continue to mess with the system while others are trying to fix the bug, making confirmation of fixes difficult; some of them file a bug and disappear, not responding to requests for important information; they will lie about the configuration of their systems (and the presence of binary-only modules in particular); and so on. The receiving end of a major distribution's bug tracking system can be a difficult place to be.

The question of the proper place to report bugs came up. Many bugs seen by end users are really bugs in the upstream package, not in a particular distribution's version of it. Those bugs should be reported to the real, upstream maintainer. Some distributions (Debian, for example) see this reporting as their responsibility; others would like bug reporters to go directly upstream. Dave, in particular, notes that quite a few kernel bugs show up only in the Red Hat BugZilla system; they never make it to the (not universally used) kernel BugZilla. How many other distributors, he wonders, have kernel bugs sitting in their bug trackers which should really be reported to the community? In the future, it would be nice if BugZilla installations could talk to each other so that bugs could be forwarded to the right place; however, each BugZilla evidently has its own schema, making that sort of communication difficult.

Dave noted that the kernel has gotten significantly more complicated over the time he has been working on it. Coming up to speed and really understanding what is happening inside the kernel is a challenging task. Kernel developers need to recognize this and take advantage of all the techniques and tools which are available to them to produce better releases.

Next year's keynote speaker will be Greg Kroah-Hartman.

The final event of OLS is the infamous Black Thorn party; it is the ideal way to unwind after an intense week of conferencing. The Black Thorn is getting a little small, however; one of the OLS organizers was asking people to put their backpacks aside so there would be room for everybody to stand. If OLS continues to grow, the final event may have to happen somewhere else.

Comments (11 posted)

Git approaches 1.0

On April 5, 2005, it was announced that BitMover would "focus exclusively" on its commercial BitKeeper offering and withdraw the free-beer client used by a number of free software developers. This was a nervous moment; BitKeeper had become an integral part of the Linux kernel development process. Nobody wanted to go back to the old days - when no source code management system was used at all - but there was no clear successor to BitKeeper on offer.

And where might such a successor have been expected to come from? We had been told many times that the development of BitKeeper required numerous person-years of work and millions of dollars of funding. The free software community was simply not up to the task of creating a tool with that sort of capabilities - especially not in a hurry. The kernel development community, having lost a tool it relied upon heavily, appeared doomed to a long painful period of adjustment.

Two full days later, Linus announced the first release of a tool called "git." It was, he said, "_really_ nasty," but it was a starting point. On April 20, fifteen days after the withdrawal of BitKeeper, the 2.6.12-rc3 kernel prepatch, done entirely with git, was released. The git tool, in those days, was clearly suitable only for early adopters, but, even then, it was also clearly going somewhere.

Git brings with it some truly innovative concepts; it is not a clone of any other source code management system. Indeed, at its core, it is not really an SCM at all. What git offers is a content-addressable object filesystem. If you store a file in git, it does not really have a name; instead, it can be looked up using its contents (as represented by an SHA hash). A hierarchical grouping of files - a particular kernel release, for example - is represented by a separate "tree" object listing which files are part of the group and where they are to be found. Files do not have any history - they simply exist or not, and two versions of the same file are only linked by virtue of being in the same place in two different tree objects.

This way of organizing things is hard to grasp, initially, but it makes some interesting things possible. One of the harder problems in many SCM systems - handling the renaming of files - requires no special care with git. A single git repository can hold any number of branches or parallel trees without confusion. File integrity checking is built into the basic lookup mechanism, so that corruption will be detected automatically, and, if desired, kernel releases can be cryptographically signed easily. Perhaps most importantly, however: git made certain options, such as the merging of patches, very fast.

It's worth noting that git is not a clone of BitKeeper, or of any other SCM. Certainly it incorporates lessons learned from years of use of BitKeeper and other tools; it supports changesets, for example, and is designed to be used in a distributed mode. But git is something new, it brings a unique approach to the problem.

Watching the git development process snowball over the last few months has been fascinating. A large and active development community coalesced around git in short order; interestingly, relatively few of the core git developers were significant kernel contributors. In a short period of time, git has acquired most of the features expected from an SCM, its rough edges have been smoothed, it has picked up a variety of graphical interfaces, and it is widely used in the kernel development community. Git is clearly a success.

The git developers are now working toward a 1.0 release. As part of that process, Linus has now handed git over to a new maintainer: Junio Hamano. Junio has been an active git developer for some time; he will now attempt to take the project forward as its leader. He will have plenty of work ahead of him as git moves into a more stable (though still fast-moving) phase.

Git is an example of how well the free software process can work. Linus has shown us, once again, that he knows how to get a successful free software project started: put out a minimal (but well thought out) core that begins to solve a problem, then let the community run with it. The result is a vibrant, living project which incorporates the best of what has been learned before while simultaneously breaking new ground. The creator of the Linux kernel appears to have launched another winner.

But, then, some things still seem to surprise even Linus:

August 25, 1991July 26, 2005
"I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." "...this thing ended up being a bit bigger and more professional than I originally even envisioned."

Let this be a lesson to all free software developers out there: the humblest of projects can, with the right ideas and participation, become far more "big and professional" than one might ever imagine.

Comments (6 posted)

A Firefox roadmap update

July 27, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The Mozilla Foundation is shaking up its roadmap a little -- though not "scrapping" the 1.1 release as had been reported in some outlets. The 1.1 release was originally planned for this month, but that has been changed to a 1.5 release planned for September. Chris Hofmann, Mozilla's director of engineering, talked to us about the change in the roadmap, and what's ahead for Firefox and Thunderbird.

Hofmann said that the version number change was made for a number of reasons:

[The change] is partly technical, one of the features that is going into this next release is a software updating feature, so we were able to do a better job of testing incremental updates with this software update feature. As we move up the numbering scale, and make sure that all of that detection and ability to deal with numbering changes works with part of the software update system and more importantly, recognizes the progress that we've made in the last six months getting a number of features into the product that we hadn't expected to be there and this far along.

Firefox developer Asa Dotzler also wrote about the change:

One major consideration in this decision was the sheer volume of changes in the Firefox core (Gecko) made a minor .1 increment seem misleading. While it may not be obvious by looking simply at release dates, today's Gecko core of Firefox has seen nearly 16 months worth of changes compared to what shipped in Firefox 1.0. This is because we created our Gecko 1.7 branch (the branch from which Firefox 1.0 shipped) back in April of 2004. At that time, Gecko development on the trunk continued and very little of that work was carried over to the 1.7 branch to be included in Firefox 1.0.

Indeed, there are quite a few new features and other changes in Firefox 1.5, many of which we covered on LWN with the first Deer Park Alpha release. The 1.5 release should have improvements in pop-up blocking, tab reordering, Scalable Vector Graphics (SVG) support and ECMAScript for XML (E4X) support.

One of the improvements that Hofmann highlighted for 1.5 is Firefox's extensions system. According to Hofmann, the 1.5 release will handle versioning information of extensions and "ability for the browser to recognize extensions that might be incompatible with specific releases." Hofmann also said that this release would allow the user to turn extensions on and off, something that the Firefox 1.0 does not allow -- though some extensions, like Greasemonkey do provide that feature directly.

The 1.0 to 1.5 jump will also bring about some changes to the Firefox API, which may affect extensions that work with the current interface.

There's a pretty big shift in the API set for applications and extensions that are moving from 1.0 to 1.5, most of the extension authors have taken the work to make extensions that are going to be compatible with 1.5. There might be a few more changes we make in the next few weeks of the development cycle, but by the time we get to 1.5 release, the goal is to have a very large percentage of the extensions available be compatible with that release.

Thunderbird is also being shifted from a 1.1 release to a 1.5 release around the same time frame as Firefox. Hofmann said that the version bump for Thunderbird was, in part, because development had been moving along nicely for Thunderbird as well -- but also because the Mozilla Foundation is trying to keep version numbers for both applications in sync. He noted that Thunderbird 1.5 would have improvements in spam detection and for detecting phishing attacks, in-line spell checking and improved RSS features. Thunderbird 1.5 will also feature improvements for updates, and users should be able to do updates from Thunderbird directly.

Though the feature sets are sketchy at this point, the Mozilla Foundation's roadmap calls for a Firefox 2.0 release in early 2006 and a Firefox 3.0 by the end of 2006. One feature that Hofmann talked about for future releases is Xul Runner. According to Hofmann, Xul Runner will allow Firefox, Thunderbird and other applications "to share core components of technology." According to Hofmann, any one of the Mozilla applications would include the core features, and then users would only need to download "a thin layer" for additional applications.

Hofmann said that the first instance of Xul Runner would be available "around the time we ship Firefox 1.5," and that the next versions of Firefox and Thunderbird would be built on top of Xul Runner and "allow sharing of common code" that both applications use.

Given the amount of time 1.5 has been in development (Firefox 1.0 was released in November, 2004) it seems a bit ambitious to plan the 2.0 and 3.0 releases in 2006. However, anything is possible. Meanwhile, the Firefox 1.5 Beta is scheduled for August, and a second alpha release is available now for brave souls who can't wait for new features, or who are eager to help in testing.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

Greasemonkey gets into trouble

July 27, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The ability to add extensions to Firefox has proven to be a popular feature. One of the most popular extensions for Firefox, inspiring countless user scripts, is the Greasemonkey extension, which allows users change the behavior of web sites.

A serious vulnerability was found in Greasemonkey last week by Mark Pilgrim, author of the upcoming book "Greasemonkey Hacks," and Dive Into Greasemonkey. Pilgrim discovered that a combination of two flaws in Greasemonkey could allow user data to be transmitted to virtually any site.

We spoke to Pilgrim about the vulnerabilities, and the security of Greasemonkey in general. According to Pilgrim, Greasemonkey's first flaw would allow a web page access to the APIs to call remote pages. A page with an exploit for this vulnerability would allow the exploit to call code from other sites without the user being aware of it. This could include posting data to another site.

The second exploit allowed pages to access file URLs, which could allow a remote site to browse the content of a user's hard drive. In conjunction with the first vulnerability, "remote pages could access any file on your system... [they could] recurse through the entire hard drive and post it anywhere in the world, really. And that's bad."

These vulnerabilities are fixed in the 3.5 version of Greasemonkey, though it is a "neutered" version that lacks the Greasemonkey APIs. Pilgrim said that a beta had been released that should retain functionality and clear up the security holes that he had found.

The new version disables file URLs altogether for that API function, so even user scripts are not allowed to do that anymore, and second of all, closes the hole that allows remote page you're browsing to trap the API call. The pages you browse now no longer have access to any of the Greasemonkey internals. User scripts can still use it... but the page you're browsing can't steal access to those pages.

Even though the vulnerability has been closed in the latest versions of Greasemonkey, Pilgrim said that users could still be vulnerable to malicious user scripts. "Greasemonkey is very powerful, and people need to be aware what they're installing." Indeed, there does seem to be a level of concern that the problems with Greasemonkey are in its features, not its vulnerabilities. The concept of allowing users to run scripts in the browser developed by third parties, who may not have the users' best interests in mind, opens up some scary possibilities.

Since Firefox and Greasemonkey are becoming increasingly popular with less technical users, we asked Pilgrim how those users could verify that the scripts they install were safe, and if there was any way for the Greasemonkey team to protect those users.

Basically, there's no technical solution to that, Greasemonkey allows you so much power, that you can't stop people from writing malicious scripts...without making Greasemonkey useless.

We also asked Chris Hofmann, director of engineering for Mozilla, about the Greasemonkey vulnerability and whether the Mozilla developers could do anything to make extensions safer for users. Hofmann also said that much of the responsibility lies with the user to verify the source and function of extensions. "Users should take caution for any extensions they download, and to authenticate the source of the extension." He also explained that the default operation of the browser was to warn users before installing any software, to prevent any extensions or scripts from being installed without the user's knowledge.

It's worth noting that Firefox is not unique in allowing extensions or add-ons like Greasemonkey. Pilgrim noted that Turnabout for Internet Explorer performed the same function for IE, by allowing users to run scripts to change the function of websites. Just as with Firefox, Turnabout users could easily run malicious scripts if they're not careful about where they acquire them.

There's really nothing unique about the Greasemonkey situation, though. Spyware and adware have propagated in large part because users have been willing to download and install software without questioning the source of the software or any possible side-effects. The best that the Greasemonkey team can do is ensure that their software is not subject to vulnerabilities like the two that Pilgrim discovered. Beyond that, the responsibility will remain with the user to verify that extensions, scripts and other software is suitable for use.

Comments (4 posted)

New vulnerabilities

ClamAntiVirus: integer overflows

Package(s):clamav CVE #(s):CAN-2005-2450
Created:July 26, 2005 Updated:August 16, 2005
Description: Clam AntiVirus versions < 0.86.2 is vulnerable to integer overflows when handling the TNEF, CHM and FSG file formats. By sending a specially-crafted file an attacker could execute arbitrary code with the permissions of the user running Clam AntiVirus.
Alerts:
Debian DSA-776-1 2005-08-16
Mandriva MDKSA-2005:125 2005-07-27
Gentoo 200507-25 2005-07-26

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2005-2335
Created:July 21, 2005 Updated:August 12, 2005
Description: The fetchmail POP3 client has an arbitrary code execution vulnerability that may be triggered by a malicious POP server. See this advisory for more information.
Alerts:
Debian DSA-774-1 2005-08-12
Mandriva MDKSA-2005:126 2005-07-28
OpenPKG OpenPKG-SA-2005.016 2005-07-28
Ubuntu USN-153-1 2005-07-26
Gentoo 200507-21 2005-07-25
Red Hat RHSA-2005:640-01 2005-07-25
Slackware SSA:2005-203-05 2005-07-23
Fedora FEDORA-2005-614 2005-07-21
Fedora FEDORA-2005-613 2005-07-21

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)

libgadu: integer overflows

Package(s):libgadu CVE #(s):CAN-2005-1852
Created:July 22, 2005 Updated:July 27, 2005
Description: libgadu, a library implementing the Gadu messaging protocol, suffers from a set of integer overflow vulnerabilities. This vulnerability affects a number of other packages; see, for example, this KDE advisory for kdenetwork and Kopete.
Alerts:
Gentoo 200507-26 2005-07-27
Debian DSA-767-1 2005-07-27
Gentoo 200507-23 2005-07-25
Slackware SSA:2005-203-02 2005-07-22
Fedora FEDORA-2005-623 2005-07-22
Fedora FEDORA-2005-624 2005-07-22
Red Hat RHSA-2005:639-01 2005-07-21

Comments (none posted)

movemail: arbitrary code execution

Package(s):movemail CVE #(s):
Created:July 21, 2005 Updated:July 27, 2005
Description: The emacs movemail POP utility has an arbitrary code execution vulnerability that can be activated by connecting to a malicious POP server.
Alerts:
Slackware SSA:2005-201-02 2005-07-21

Comments (none posted)

phpbb2: cross-site scripting

Package(s):phpbb2 CVE #(s):CAN-2005-2161
Created:July 27, 2005 Updated:July 27, 2005
Description: The phpbb2 package suffers from a cross-site scripting vulnerability.
Alerts:
Debian DSA-768-1 2005-07-27

Comments (none posted)

sandbox: insecure temporary file handling

Package(s):sandbox CVE #(s):
Created:July 25, 2005 Updated:July 27, 2005
Description: The Gentoo Linux Security Audit Team discovered that the sandbox utility was vulnerable to multiple TOCTOU (Time of Check, Time of Use) file creation race conditions. Local users may be able to create or overwrite arbitrary files with the permissions of the root user.
Alerts:
Gentoo 200507-22 2005-07-25

Comments (none posted)

shorewall: rule bypass vulnerability

Package(s):shorewall CVE #(s):CAN-2005-2317
Created:July 21, 2005 Updated:October 10, 2005
Description: Shorewall has a vulnerability in which a client that is accepted by MAC address filtering can bypass other rules, allowing access to all open services on the firewall.
Alerts:
Ubuntu USN-197-1 2005-10-10
Debian DSA-849-1 2005-10-08
Gentoo 200507-20:02 2005-07-22
Gentoo 200507-20 2005-07-22
Mandriva MDKSA-2005:123 2005-07-20

Comments (none posted)

vim: arbitrary command execution

Package(s):vim CVE #(s):CAN-2005-2368
Created:July 26, 2005 Updated:August 23, 2005
Description: Georgi Guninski discovered that it was possible to construct Vim 6.3 modelines that execute arbitrary shell commands by wrapping them in glob() or expand() function calls. If an attacker tricked an user to open a file with a specially crafted modeline, he could exploit this to execute arbitrary commands with the user's privileges.
Alerts:
Mandriva MDKSA-2005:148 2005-08-22
Red Hat RHSA-2005:745-01 2005-08-22
Fedora FEDORA-2005-741 2005-08-15
Fedora FEDORA-2005-738 2005-08-10
Fedora FEDORA-2005-737 2005-08-10
Ubuntu USN-154-1 2005-07-26

Comments (1 posted)

webcalendar: information disclosure

Package(s):webcalendar CVE #(s):CAN-2005-2320
Created:July 27, 2005 Updated:July 27, 2005
Description: The webcalendar utility suffers from an information disclosure vulnerability.
Alerts:
Debian DSA-766-1 2005-07-26

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-1849
Created:July 21, 2005 Updated:April 11, 2006
Description: zlib has a vulnerability that can cause code that executes it to crash if a corrupted file is opened.
Alerts:
Mandriva MDKSA-2006:070 2006-04-10
Debian DSA-1026-1 2006-04-06
Gentoo 200603-18 2006-03-21
Ubuntu USN-151-4 2005-11-09
Ubuntu USN-151-3 2005-10-28
Fedora-Legacy FLSA:162680 2005-09-14
Debian DSA-797-1 2005-09-01
Gentoo 200508-01 2005-08-01
Gentoo 200507-28 2005-07-30
SuSE SUSE-SA:2005:043 2005-07-28
OpenPKG OpenPKG-SA-2005.014 2005-07-28
Mandriva MDKSA-2005:124 2005-07-22
Slackware SSA:2005-203-03 2005-07-23
Ubuntu USN-151-2 2005-07-22
Fedora FEDORA-2005-626 2005-07-22
Fedora FEDORA-2005-625 2005-07-22
Gentoo 200507-19 2005-07-22
Red Hat RHSA-2005:584-01 2005-07-21
Ubuntu USN-151-1 2005-07-21
Debian DSA-763-1 2005-07-20

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

affix: two remote vulnerabilities

Package(s):affix CVE #(s):CAN-2005-2250 CAN-2005-2277
Created:July 19, 2005 Updated:September 2, 2005
Description: A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Also remote attackers may execute arbitrary commands via shell metacharacters in the filename argument of a PUT command.
Alerts:
Debian DSA-762-1 2005-07-19

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cacti: SQL injection and PHP file inclusion

Package(s):cacti CVE #(s):
Created:June 22, 2005 Updated:July 21, 2005
Description: Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files.
Alerts:
Debian DSA-764-1 2005-07-21
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo 200506-20:02 2005-06-22
Gentoo 200506-20 2005-06-22

Comments (none posted)

cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

CUPS: multiple vulnerabilities

Package(s):CUPS CVE #(s):CAN-2004-2154
Created:July 14, 2005 Updated:September 20, 2005
Description: The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain print to a protected queue.
Alerts:
Mandriva MDKSA-2005:165 2005-09-15
Ubuntu USN-185-1 2005-09-20
Fedora-Legacy FLSA:163274 2005-09-14
Red Hat RHSA-2005:571-01 2005-07-14

Comments (none posted)

cURL: buffer overflow

Package(s):curl CVE #(s):CAN-2005-0490
Created:February 28, 2005 Updated:July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dbus: information disclosure

Package(s):dbus CVE #(s):CAN-2005-0201
Created:June 8, 2005 Updated:August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08

Comments (none posted)

dhcpcd: denial of service

Package(s):dhcpcd CVE #(s):CAN-2005-1848
Created:July 13, 2005 Updated:September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 2005-09-13
Red Hat RHSA-2005:603-01 2005-07-27
Gentoo 200507-16 2005-07-15
Mandriva MDKSA-2005:117 2005-07-12
Debian DSA-750-1 2005-07-11

Comments (none posted)

Dnsmasq: poisoning and DoS

Package(s):dnsmasq CVE #(s):
Created:April 4, 2005 Updated:July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing.
Alerts:
Slackware SSA:2005-201-01 2005-07-21
Gentoo 200504-03 2005-04-04

Comments (none posted)

ekg: multiple vulnerabilities

Package(s):ekg CVE #(s):CAN-2005-1850 CAN-2005-1851 CAN-2005-1916
Created:July 18, 2005 Updated:August 8, 2005
Description: Several vulnerabilities have been discovered in the ekg contributed scripts. These include an insecure temporary file creation problem, a potential shell command injection problem, and an arbitrary command execution problem.
Alerts:
Ubuntu USN-162-1 2005-08-08
Debian DSA-760-1 2005-07-18

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

evolution: message crash vulnerability

Package(s):evolution CVE #(s):CAN-2005-0806
Created:March 17, 2005 Updated:August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gxine: format string vulnerability

Package(s):gxine CVE #(s):CAN-2005-1692
Created:May 26, 2005 Updated:July 23, 2005
Description: The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code.
Alerts:
Slackware SSA:2005-203-04 2005-07-23
Gentoo 200505-19 2005-05-26

Comments (none posted)

heartbeat: insecure temporary files

Package(s):heartbeat CVE #(s):CAN-2005-2231
Created:July 19, 2005 Updated:August 15, 2005
Description: Eric Romang discovered several insecure temporary file creations in the High Availability Linux Project Heartbeat 1.2.3.
Alerts:
Debian DSA-761-2 2005-08-15
Ubuntu USN-165-1 2005-08-11
Mandriva MDKSA-2005:132 2005-08-09
Gentoo 200508-05 2005-08-07
Debian DSA-761-1 2005-07-19

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

infozip: privilege escalation, directory-traversal

Package(s):infozip CVE #(s):CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created:May 2, 2005 Updated:August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Alerts:
Ubuntu USN-159-1 2005-08-01
Slackware SSA:2005-121-01 2005-05-02

Comments (1 posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: unsanitzied input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: ELF loader core dump vulnerability

Package(s):kernel CVE #(s):CAN-2005-1263
Created:May 11, 2005 Updated:August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 2005-08-25
Red Hat RHSA-2005:420-01 2005-06-08
Red Hat RHSA-2005:472-01 2005-05-25
Fedora FEDORA-2005-392 2005-05-23
Ubuntu USN-131-1 2005-05-23
Trustix TSLSA-2005-0022 2005-05-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1913 CAN-2005-1761
Created:July 1, 2005 Updated:September 9, 2005
Description: Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and a ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
Alerts:
Ubuntu USN-178-1 2005-09-09
Red Hat RHSA-2005:551-01 2005-08-25
SuSE SUSE-SA:2005:044 2005-08-04
Fedora FEDORA-2005-510 2005-07-01

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s):lvm10 CVE #(s):CAN-2004-0972
Created:November 1, 2004 Updated:July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:152842 2005-07-24
Mandrake MDKSA-2004:144 2004-12-06
Gentoo 200411-22 2004-11-11
Debian DSA-583-1 2004-11-03
Ubuntu USN-15-1 2004-11-01

Comments (none posted)

mc: buffer overflow

Package(s):mc CVE #(s):CAN-2005-0763
Created:March 29, 2005 Updated:August 11, 2005
Description: An unfixed buffer overflow has been discovered by Andrew V. Samoilov in mc, the midnight commander, a file browser and manager.
Alerts:
Fedora-Legacy FLSA:152889 2005-08-10
Red Hat RHSA-2005:512-01 2005-06-16
Debian DSA-698-1 2005-03-29

Comments (none posted)

mediawiki: JavaScript code injection

Package(s):mediawiki CVE #(s):
Created:July 20, 2005 Updated:July 20, 2005
Description: MediaWiki has a vulnerability caused by failing to correctly escape a parameter in the page move template. Remote attackers can use this to inject and execute JavaScript code with the permission of the user's browser session.
Alerts:
Gentoo 200507-18 2005-07-20

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

mozilla firefox: javascript vulnerabilities

Package(s):mozilla firefox CVE #(s):CAN-2005-1531 CAN-2005-1532
Created:June 9, 2005 Updated:July 19, 2005
Description: Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript.

Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CAN-2005-1160.

Alerts:
Fedora-Legacy FLSA:158149 2005-07-15
SuSE SUSE-SA:2005:030 2005-06-09

Comments (1 posted)

mozilla-firefox: multiple vulnerabilities

Package(s):mozilla-firefox CVE #(s):
Created:July 14, 2005 Updated:July 22, 2005
Description: A dozen security vulnerabilities that have been fixed in Firefox 1.0.5 and Mozilla 1.7.9 have been back-ported to older versions.
Alerts:
Gentoo 200507-14 2005-07-15
Mandriva MDKSA-2005:120 2005-07-13

Comments (none posted)

MySQL: input validation and temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Created:March 16, 2005 Updated:July 19, 2005
Description: MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
Alerts:
Fedora-Legacy FLSA:152925 2005-07-15
OpenPKG OpenPKG-SA-2005.006 2005-04-20
Debian DSA-707-1 2005-04-13
Fedora FEDORA-2005-305 2005-04-05
Fedora FEDORA-2005-304 2005-04-05
Red Hat RHSA-2005:348-01 2005-04-05
Conectiva CLA-2005:946 2005-04-04
Red Hat RHSA-2005:334-01 2005-03-28
SuSE SUSE-SA:2005:019 2005-03-24
Mandrake MDKSA-2005:060 2005-03-21
Trustix TSLSA-2005-0009 2005-03-21
Ubuntu USN-96-1 2005-03-16
Gentoo 200503-19 2005-03-16

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

openssl: der_chop script temp file vulnerability

Package(s):openssl CVE #(s):CAN-2004-0975
Created:November 11, 2004 Updated:July 19, 2005
Description: The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under.
Alerts:
Fedora-Legacy FLSA:152841 2005-07-15
Mandrake MDKSA-2004:147 2004-12-06
Debian DSA-603-1 2004-12-01
Ubuntu USN-24-1 2004-11-11

Comments (1 posted)

OpenSSL: information leak

Package(s):openssl CVE #(s):CAN-2005-0109
Created:May 23, 2005 Updated:October 11, 2005
Description: Hyper-Threading technology, as used in FreeBSD other operating systems and implemented on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. See this LWN article for more information.
Alerts:
Trustix TSLSA-2005-0028 2005-06-13
Mandriva MDKSA-2005:096 2005-06-06
Red Hat RHSA-2005:476-01 2005-06-01
Fedora FEDORA-2005-390 2005-05-23
Fedora FEDORA-2005-389 2005-05-23

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pam_ldap: plain text authentication leak

Package(s):pam_ldap CVE #(s):CAN-2005-2069
Created:July 14, 2005 Updated:October 17, 2005
Description: pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an attacker to sniff unencrypted passwords and other information.
Alerts:
Red Hat RHSA-2005:767-01 2005-10-17
Red Hat RHSA-2005:751-01 2005-10-17
SuSE SUSE-SR:2005:020 2005-09-12
Ubuntu USN-152-1 2005-07-21
Mandriva MDKSA-2005:121 2005-07-18
Gentoo 200507-13 2005-07-14

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

php-pear: remote code execution

Package(s):php-pear CVE #(s):CAN-2005-1921
Created:July 1, 2005 Updated:July 29, 2005
Description: The PEAR XMLRPC implementation has a vulnerability that can be exploited for remote code execution. See this report from GulfTech Security Research. This vulnerability affects a large number of PHP web applications.
Alerts:
Fedora-Legacy FLSA:163559 2005-07-28
Conectiva CLA-2005:980 2005-07-14
Gentoo 200507-15 2005-07-15
Debian DSA-746-1 2005-07-13
Slackware SSA:2005-192-02 2005-07-12
Slackware SSA:2005-192-01 2005-07-12
Gentoo 200507-08 2005-07-10
Debian DSA-747-1 2005-07-10
Gentoo 200507-07 2005-07-10
Debian DSA-745-1 2005-07-10
SuSE SUSE-SA:2005:041 2005-07-08
Red Hat RHSA-2005:564-01 2005-07-07
Gentoo 200507-06 2005-07-06
Ubuntu USN-147-2 2005-07-06
Ubuntu USN-147-1 2005-07-05
Fedora FEDORA-2005-518 2005-07-05
Fedora FEDORA-2005-517 2005-07-05
Gentoo 200507-01 2005-07-03
Mandriva MDKSA-2005:109 2005-06-30

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: EXECUTE privilege vulnerability

Package(s):postgresql CVE #(s):CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247
Created:February 10, 2005 Updated:July 19, 2005
Description: postgresql has a vulnerability in which the EXECUTE privilege may not be checked on custom functions. This may allow any database user to circumvent the EXECUTE restriction on functions.
Alerts:
Fedora-Legacy FLSA:152844 2005-07-16
Trustix TSLSA-2005-0015 2005-04-25
SuSE SUSE-SA:2005:027 2005-04-20
SuSE SUSE-SR:2005:008 2005-03-18
SuSE SUSE-SR:2005:006 2005-02-25
Fedora FEDORA-2005-158 2005-02-22
Fedora FEDORA-2005-157 2005-02-22
Mandrake MDKSA-2005:040 2005-02-17
Red Hat RHSA-2005:150-01 2005-02-16
Debian DSA-683-1 2005-02-15
Red Hat RHSA-2005:138-01 2005-02-15
Gentoo 200502-19 2005-02-14
Ubuntu USN-79-1 2005-02-10

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on XMLRPC servers.
Alerts:
Gentoo 200510-05 2005-10-06
Red Hat RHSA-2005:543-01 2005-08-05
Mandriva MDKSA-2005:118 2005-07-12
Gentoo 200507-10 2005-07-11
Debian DSA-748-1 2005-07-10
Ubuntu USN-146-1 2005-06-29
Fedora FEDORA-2005-475 2005-06-22
Fedora FEDORA-2005-474 2005-06-22

Comments (none posted)

samba: integer overflow vulnerability

Package(s):samba CVE #(s):CAN-2004-1154
Created:December 16, 2004 Updated:July 19, 2005
Description: Samba has an integer overflow vulnerability that may allow an authenticated remote user to execute arbitrary code on the Samba server.
Alerts:
Fedora-Legacy FLSA:152874 2005-07-15
Debian DSA-701-2 2005-04-21
Debian DSA-701-1 2005-03-31
Conectiva CLA-2005:913 2005-01-06
Red Hat RHSA-2005:020-01 2005-01-05
Mandrake MDKSA-2004:158 2004-12-27
SuSE SUSE-SA:2004:045 2004-12-22
Red Hat RHSA-2004:681-01 2004-12-21
Fedora FEDORA-2004-562 2004-12-20
Fedora FEDORA-2004-561 2004-12-20
Gentoo 200412-13 2004-12-17
Ubuntu USN-41-1 2004-12-17
OpenPKG OpenPKG-SA-2004.054 2004-12-17
Red Hat RHSA-2004:670-01 2004-12-16

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

SpamAssassin: denial of service

Package(s):spamassassin CVE #(s):CAN-2005-1266
Created:June 17, 2005 Updated:July 28, 2005
Description: SpamAssassin 3.0.4 was released to fix a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain mis-formatted long message headers to cause spam checking to take a very long time.
Alerts:
OpenPKG OpenPKG-SA-2005.015 2005-07-28
Debian DSA-736-2 2005-07-07
Gentoo 200506-17:02 2005-06-21
Debian DSA 736-1 2005-07-01
Mandriva MDKSA-2005:106 2005-06-28
Red Hat RHSA-2005:498-01 2005-06-23
SuSE SUSE-SA:2005:033 2005-06-22
Gentoo 200506-17 2005-06-21
Fedora FEDORA-2005-428 2005-06-16
Fedora FEDORA-2005-427 2005-06-16

Comments (none posted)

SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28

Comments (none posted)

SquirrelMail: several XSS vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-1769
Created:June 21, 2005 Updated:September 16, 2005
Description: Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.
Alerts:
Fedora-Legacy FLSA:163047 2005-09-14
Fedora FEDORA-2005-780 2005-08-22
Fedora FEDORA-2005-779 2005-08-22
Red Hat RHSA-2005:595-02 2005-08-05
Red Hat RHSA-2005:595-01 2005-08-03
Debian DSA-756-1 2005-07-13
Mandriva MDKSA-2005:108 2005-06-30
Gentoo 200506-19 2005-06-21

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: denial of service

Package(s):tcpdump CVE #(s):CAN-2005-1267
Created:June 9, 2005 Updated:October 10, 2005
Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops.
Alerts:
Debian DSA-854-1 2005-10-09
Slackware SSA:2005-195-10 2005-07-15
Ubuntu USN-141-1 2005-06-21
Mandriva MDKSA-2005:101 2005-06-15
Fedora FEDORA-2005-407 2005-06-16
Gentoo 200505-06:02 2005-05-09
Red Hat RHSA-2005:505-01 2005-06-13
Fedora FEDORA-2005-406 2005-06-09

Comments (none posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

telnet: buffer overflows

Package(s):telnet CVE #(s):CAN-2005-0468 CAN-2005-0469
Created:March 28, 2005 Updated:August 1, 2005
Description: Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server.
Alerts:
Slackware SSA:2005-210-01 2005-08-01
Debian DSA-765-1 2005-07-22
Fedora-Legacy FLSA:154276 2005-07-24
Fedora-Legacy FLSA:152583 2005-07-11
Debian DSA-731-1 2005-06-02
Gentoo 200504-28 2005-04-28
Gentoo 200504-04 2005-04-06
Debian DSA-703-1 2005-04-01
Gentoo 200504-01 2005-04-01
Gentoo 200503-36 2005-03-31
Red Hat RHSA-2005:330-01 2005-03-30
Mandrake MDKSA-2005:061 2005-03-29
Fedora FEDORA-2005-274 2005-03-30
Fedora FEDORA-2005-277 2005-03-30
Fedora FEDORA-2005-270 2005-03-29
Fedora FEDORA-2005-269 2005-03-29
SuSE SUSE-SR:2005:009 2005-03-29
Debian DSA-699-1 2005-03-29
Debian DSA-697-1 2005-03-29
Red Hat RHSA-2005:327-01 2005-03-28

Comments (none posted)

thunderbird mozilla firefox: multiple vulnerabilities

Package(s):thunderbird firefox mozilla CVE #(s):CAN-2005-0989 CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270
Created:July 20, 2005 Updated:September 1, 2005
Description: Multiple vulnerabilities have been found in the Mozilla Thunderbird email client, as well as the Mozilla Suite and Firefox and Mozilla based other browsers. Bugs include an anonymous function handling bug, a JavaScript validation problem, privileged UI code handling DOM nodes, a JavaScript privilege escalation, a problem with Javascript in XBL controls, improper handling of child frames, a DOM name code execution vulnerability, and a base object clone problem.
Alerts:
Debian DSA-779-2 2005-09-01
Mandriva MDKSA-2005:127-1 2005-08-26
Debian DSA-781-1 2005-08-23
Debian DSA-779-1 2005-08-20
SuSE SUSE-SA:2005:045 2005-08-11
Ubuntu USN-157-2 2005-08-02
Ubuntu USN-157-1 2005-08-01
Mandriva MDKSA-2005:127 2005-07-28
Ubuntu USN-149-3 2005-07-28
Ubuntu USN-155-1 2005-07-26
Gentoo 200507-24 2005-07-26
Ubuntu USN-149-2 2005-07-25
Mandriva MDKSA-2005:120-1 2005-07-22
Slackware SSA:2005-203-01 2005-07-22
Red Hat RHSA-2005:587-01 2005-07-22
Fedora FEDORA-2005-622 2005-07-22
Fedora FEDORA-2005-621 2005-07-22
Fedora FEDORA-2005-618 2005-07-22
Fedora FEDORA-2005-620 2005-07-22
Fedora FEDORA-2005-617 2005-07-22
Fedora FEDORA-2005-619 2005-07-22
Fedora FEDORA-2005-616 2005-07-22
Red Hat RHSA-2005:601-01 2005-07-21
Red Hat RHSA-2005:586-01 2005-07-21
Ubuntu USN-149-1 2005-07-21
Fedora FEDORA-2005-606 2005-07-20
Fedora FEDORA-2005-604 2005-07-20
Fedora FEDORA-2005-605 2005-07-20
Fedora FEDORA-2005-603 2005-07-20

Comments (none posted)

Tor: information disclosure

Package(s):tor CVE #(s):
Created:June 21, 2005 Updated:August 25, 2005
Description: A bug in Tor allows attackers to view arbitrary memory contents from an exit server's process space. A remote attacker could exploit the memory disclosure to gain sensitive information and possibly even private keys.
Alerts:
Gentoo 200508-16 2005-08-25
Gentoo 200506-18 2005-06-21

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

wget: file overwrites and arbitrary code execution

Package(s):wget CVE #(s):CAN-2004-1487 CAN-2004-1488
Created:June 9, 2005 Updated:September 27, 2005
Description: wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.

wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.

Alerts:
Red Hat RHSA-2005:771-01 2005-09-27
Ubuntu USN-145-2 2005-09-06
Ubuntu USN-145-1 2005-06-28
Mandriva MDKSA-2005:098 2005-06-09

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: integer overflows

Package(s):xorg-x11 CVE #(s):CAN-2004-0914
Created:November 18, 2004 Updated:September 12, 2005
Description: The X.Org libXpm library has several integer overflow vulnerabilities An attacker can modify XPM images to execute malicious code.
Alerts:
Ubuntu USN-83-2 2005-09-12
Fedora-Legacy FLSA:152804 2005-05-12
Ubuntu USN-83-1 2005-02-16
Gentoo 200502-07 2005-02-07
Gentoo 200502-06 2005-02-06
Red Hat RHSA-2004:612-01 2004-12-20
Red Hat RHSA-2004:610-01 2004-12-20
Debian DSA-607-1 2004-12-10
Mandrake MDKSA-2004:137-1 2004-11-29
Mandrake MDKSA-2004:137 2004-11-22
Mandrake MDKSA-2004:138 2004-11-22
Gentoo 200411-28 2004-11-19
Fedora FEDORA-2004-434 2004-11-17
Fedora FEDORA-2004-433 2004-11-17
SuSE SUSE-SA:2004:041 2004-11-17

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-2096
Created:July 6, 2005 Updated:October 27, 2005
Description: zlib has a buffer overflow vulnerability that can be exploited by inflation of corrupted files, this can be used to crash zlib or possibly remotely execute code.
Alerts:
Mandriva MDKSA-2005:196 2005-10-26
Debian DSA-797-2 2005-09-28
Fedora FEDORA-2005-565 2005-07-13
Slackware SSA:2005-189-01 2005-07-10
Trustix TSLSA-2005-0034 2005-07-08
Mandriva MDKSA-2005:112 2005-07-06
Fedora FEDORA-2005-523 2005-07-07
Fedora FEDORA-2005-524 2005-07-07
OpenPKG OpenPKG-SA-2005.013 2005-07-07
Ubuntu USN-148-1 2005-07-06
SuSE SUSE-SA:2005:039 2005-07-06
Red Hat RHSA-2005:569-01 2005-07-06
Gentoo 200507-05 2005-07-06
Debian DSA-740-1 2005-07-06

Comments (6 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.13-rc3. Linus's git repository continues to accumulate patches; most of them are fixes, but there is also a set of SCSI updates and a set of cleanups for the system shutdown and reboot code.

The current -mm tree is 2.6.13-rc3-mm2. Quite a few patches have been added to -mm recently, but they are almost exclusively fixes for various problems. Andrew estimates there are over 100 patches in -mm which need to go straight into 2.6.13.

The current 2.4 prepatch is 2.4.32-pre2, released by Marcelo on July 27. It includes a small number of fixes, including one which closes a security hole.

Comments (none posted)

Kernel development news

A pair of suspend2 patches

One of the outcomes from the power management summit held on July 17 was a decision to move toward merging Nigel Cunningham's suspend2 patches - at least, those which appear to make sense to the wider community. Suspend2 is an out-of-tree implementation of the suspend-to-disk and suspend-to-ram features which are so nice to have on laptop systems. The suspend2 implementation offers a number of features not found in the mainline version, including nice displays, progress bars, interruptible operation, and, it is said, greater reliability. Getting the better parts of suspend2 into the mainline seems like a clearly desirable goal. Since the summit, Nigel has posted a pair of patches which provide some clues as to what is coming, and how it will be received.

A big part of the software suspend problem is getting the system into a quiescent state before putting it on ice. To that end, processes are put into the "refrigerator," a special sort of suspended animation. When suspend time comes around, every process on the system is sent a special signal telling it that refrigeration time has come; each process, once it gets to a good stopping point, checks itself into the fridge and does not run again until after the system has been resumed.

The problem that this scheme runs into is that some processes are dependent on others. If a process which, for example, is involved with getting data written to disk is refrigerated too early in the process, it may never be possible to get the system to a state where it can be suspended. So the software suspend patches try to figure out which processes must be allowed to continue running while the system is being quiesced. It has always been a bit of a hit-and-miss business. The current suspend2 patches try to clean up that process a bit.

Many of the processes which should not be refrigerated are associated with various driver workqueues. So the mainline suspend code marks every workqueue process with the special PF_NOFREEZE flag, keeping it out of the clutches of the refrigerator. But most of those processes can be refrigerated just fine with no ill effect, and they should be. Having unneeded processes running when the system is trying to suspend itself can only serve to destabilize the entire situation.

Previous versions of the suspend2 patches changed the workqueue API so that every creator of a workqueue had to explicitly state whether it should be refrigerated or not. That approach worked, but it broke every create_workqueue() call. The current patch, instead, leaves the existing calls alone, but extends the API with a couple of new calls:

    struct workqueue_struct *create_nofreeze_workqueue(const char *name);
    struct workqueue_struct *create_nofreeze_singlethread_workqueue(const char *name);

As an aside, one notes that kernel namespace is starting to acquire some very long function names. One might almost wish for the good old days, when only the first six characters of a function name were used.

Seriously, however, these functions show how refrigeration is now handled with workqueues. By default, worker tasks associated with workqueues will be put on ice when the system is suspended. Anybody wishing to create a workqueue which does not behave that way must call one of the new functions.

This change has been propagated down to the generic kernel threads layer, which also picked up a new function:

    struct task_struct *kthread_nofreeze_create(int (fn)(void *data),
                                                void *data,
						const char *namefmt, ...);

This patch seems likely to be merged with, at most, minor tweaks. Nigel's second patch, however, got a somewhat less friendly reception. It creates a new process flag called PF_SYNCTHREAD. Any process which is actively trying to flush data to disk is marked with this flag; the end result is that it will be passed over by the refrigerator during the early part of the suspend process. In this way, processes which are creating dirty pages can be put on hold prior to those which are trying to clean those pages up. This patch is not popular, however; it has been criticized for being overly intrusive when simply flushing all pages to disk prior to beginning the suspend process would do the trick. So, unless things change, this patch will not go in.

In any case, these patches are just preparatory work for a larger event: the merging of a new refrigerator implementation. That code has not (recently) been posted; stay tuned.

Comments (7 posted)

Kernel testing and regressions: an example

Kernel testing, or the lack thereof, is considered to be a significant part of the kernel quality problem. Recent kernels, while quite good in many regards, contain more bugs than they should because people have not gotten around to testing them before the final release. Many regressions are in device drivers, which present special testing problems: drivers can only be tested by people who have the relevant hardware. Core kernel code, however, is hardware independent and should be easier to test. But bugs can slip through in that code as well.

Consider, for example, the realtime rlimits feature, which can be used to enable otherwise unprivileged users to run processes with elevated priority. Andreas Steinmetz recently noticed that this feature does not work in the 2.6.13-rc3 kernel. This would seem to be just the sort of feedback the process needs: a user, testing a feature in a -rc kernel, found a bug and provided a patch to fix it. As a result, that particular bug will not be present in 2.6.13.

The only problem is that, as confirmed by Ingo Molnar, the bug is a little older than that. In fact, the realtime resource limit feature does not work at all in the stable 2.6.12 kernel, and nobody noticed until now. This is a feature which can be tested by just about anybody, but that work clearly had not been done. Given that nobody appears to be using this feature, Ingo is not confident that the fix can go into a 2.6.12 stable release; this one will have to wait for 2.6.13.

It should be said that testing realtime resource limits is not an entirely straightforward operation; setting that limit requires changes to the PAM library, C library, and the shells as well. Very few distributions - and no major ones - are shipping those changes at this time. Even so, unprivileged realtime scheduling is a feature that a number of people had been asking for. It is a little surprising that none of those people noticed that it failed to work in a major kernel release. Getting comprehensive testing coverage for the kernel is clearly still a problem - even before drivers are taken into account.

Comments (8 posted)

Is CKRM worth it?

Anytime your editor gives a talk on kernel development efforts, there seems to be one project which inspires scattered boos and hisses from the audience. The lucky project this year was Class-based Kernel Resource Management (CKRM). The CKRM patches have been under development for some time, and the developers involved have been pushing for inclusion. The future of the CKRM patches seems uncertain, however; there is significant opposition to them being merged.

The idea behind CKRM is to give system administrators a high degree of control over how the resources on a system are used. To that end, it puts every process into a "class," then applies rules specifying which resources are available to each class. On the classification side, CKRM includes a rule-based classification engine which can pigeonhole processes in a number of ways: its user or group IDs, the command it is running, which ports it is listening to, etc. Classification engines are pluggable, however, so a site with specific needs could write its own. It is also possible for an administrator to directly shove a process into a given class by way of a virtual filesystem interface.

The controlling side regulates how much of the system each class can use. Maximum limits can be applied, in a way similar to the resource limits built into the kernel now. There is also a mechanism for specifying a "guarantee," a minimum amount of resource which will be allocated to a class. So an administrator can set things up such that the web server will not take more than half the CPU, or that the X server will always get at least 20% if it needs it.

That leads to another component of CKRM: controllers. Each controller manages the allocation of one specific resource in the system. CPU usage is regulated by the CPU controller; as it happens, the CKRM patches in the -mm tree do not currently include that controller. The CPU controller extends its fingers fairly deeply into the Linux scheduler, and the developers do not feel that it is ready for inclusion quite yet. In fact, the only controllers currently in -mm handle the total number of tasks and the rate at which processes can fork. Many other controllers are in development, handling resources like main memory, disk I/O bandwidth, network bandwidth, and more.

The CKRM patches are large - over 14,000 lines in -mm. They also must place hooks into many sensitive parts of the kernel in order to be able to monitor process transitions and enforce resource limits and guarantees. Any patch which digs into parts of the core kernel in this way is going to see a fair amount of scrutiny, and CKRM is no exception. In this case, many developers see CKRM as an overly complex subsystem which is aimed at the needs of the customers of one specific vendor. Most Linux users simply do not need to have such fine-grained control over resource usage on their systems.

CKRM looks like a bit of a long-term maintenance headache as well. Every subsystem which requires distributing hooks around the kernel (think of the Linux security modules, the audit subsystem, or inotify as other subsystems of this type) is essentially overlaying a new structure on top of the base kernel. Any changes to the kernel must be done carefully so that none of the overlaid structures will break. So each one of these structures makes kernel programming a little harder; it is one more thing a developer must keep in mind when making changes. Mix in the fact that most kernel developers (and testers, for that matter) will not have CKRM configured into their kernels, and it becomes clear that a subsystem like CKRM could turn out to be relatively fragile.

Supporters of CKRM see it as a useful tool for the management of larger systems (they see applications for smaller systems as well). In particular, it can be used with virtualization systems (Xen or UML, for example) to consolidate servers onto a smaller hardware base while providing appropriate resource guarantees for the guest servers. Thus, says Gerrit Huizenga, CKRM can be thought of as part of the "eco-computing movement." CKRM imposes no overhead on the system if it is configured out, and almost no overhead if it is built in but not used. Since CKRM is useful for some users, and stays out of the way for the rest, it is worth adding to the kernel.

For now, CKRM is in -mm for people to play with; Andrew Morton has noted that it is not, yet, on a path toward inclusion in the near future. He wants to see a real debate, however, and not a simple, offhand rejection:

But there's been a lot of work put into this and if we're to flatly reject the feature then the developers are owed a much better reason than "eww yuk".

So far, that reason has not been provided in any definitive way. So expect to see this topic come up again as the developers try to get a real answer on whether CKRM is headed for the mainline or not.

Comments (3 posted)

Older kernel history in git format

Linus has announced the availability of a git repository containing all of the kernel development history back to the beginning of the BitKeeper era. Using the new "pack" format, the entire history fits in less than 200MB of disk space - less than a single, uncompressed kernel source tree. This history does not currently tie into the current mainline, though there are ways to stitch it all together. Note that this history is obtained by way of the CVS repository; some information is lost by taking this path, but potential disputes over the use of the BitKeeper metadata are avoided.

Linus's note does not say where the repository can be found; it will be on your favorite kernel.org mirror under /pub/scm/linux/kernel/git/torvalds/old-2.6-bkcvs.git.

Comments (11 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Slamd64: Slackware Linux for AMD64

July 27, 2005

This article was contributed by Ladislav Bodnar

One of the main disadvantages of Slackware Linux is the fact that, unlike most other major distributions, its developers have so far ignored any non-x86 platforms, including the increasingly popular AMD64 processor. The good news is that, because Slackware development is completely open and transparent, it is often just a matter of time before an itch is scratched and a new project is born. This is the case of Slamd64, a port of Slackware Linux to the AMD64 processor.

Developed by a UK-based college student named Fred Emmott, the first stable version of Slamd64 was released in June 2005 as version 10.1, following a long series of alpha releases and four release candidates. We installed it on a machine with the following specifications: AMD64 3500+ processor (2.2GHz), K8N Neo2 (Socket939) mainboard from Micro-Star International, 2 GB of DDR SDRAM, 2 x 120 GB Maxtor hard disks, Plextor PX-712A DVD/CD rewritable drive, and NVIDIA GeForce4 Ti 4600 graphics card. The monitor was a standard 19 inch LCD from Mozo International.

Before booting the installation CD, we noted a few differences between Slackware Linux and Slamd64. Firstly, Slamd64 is an unofficial port without any endorsement from the Slackware project. Unlike Slackware 10.1 and its current branch, both of which still default to the 2.4 kernel series, Slamd64 10.1 comes with kernel 2.6.10.11, inclusive of support for SATA drives. KDE, the distribution's default desktop, is present in the same version as in Slackware 10.1, but more recent KDE 3.4.1 packages are also provided on download mirrors. GNOME is not included, although contributed Freerock GNOME packages, compiled for x86_64, are available from a third-party source. And despite its name, Slamd64 will also work on Intel's EM64T chips.

The installation program differs very little from the one in standard Slackware. The curses-based, menu-driven process has not changed much in years, providing a simple, but well-tested and reliable installer. Why, then, did it suddenly collapse with a segmentation fault, right after setting up the swap partition? A quick trip to the project's online forum provided an answer - this is a known issue that occurs on certain system configurations. Our workaround was simply to skip setting up the swap partition; we added it to /etc/fstab later, once we booted into the newly installed system. Luckily, this was the only bump on the otherwise neat and smooth road.

The first boot took us to a console boot prompt. As is the case with any Slackware installation, a fair amount of manual work awaits a user who intends to set up the system as a graphical workstation - we had to make some changes to the network configuration file, set up xorg.conf and create new users. We also downloaded the most recent version of NVIDIA binary graphics driver, which installed and worked flawlessly at first try. Once done, we were able to launch KDM and login to the KDE desktop.

Compared to other major Linux distributions, Slackware is a lean system. It is slightly on the conservative side, especially when it comes to the selection of packages included with the distribution, often favoring well-established packages over newer and more progressive ones (don't expect to find GRUB or Postfix among the included packages). It goes without saying that Slamd64 is still leaner. There is no OpenOffice.org or Firefox, and besides KDE, the only other available desktop environments are Fluxbox and XFce. Since Slackware 10.1 was released some 5 months ago, most of these packages are now somewhat outdated. Of course, there is nothing wrong with running KDE 3.3.2, but since the distribution maintainers have been kind enough to provide binary packages for KDE 3.4.1, we decided to take advantage of the offer. The installation with pkgtool went without a hitch.

Next, we started looking for some other applications to install. We visited LinuxPackages.net, a web site providing the largest collection of contributed packages for Slackware Linux. To out delight, we found a section listing x86_64 packages, and although it wasn't nearly as well-populated as the i386 section, we were able to locate a few dozens of useful packages, including Audacity, Firefox, Postfix, Snort, and Subversion, just to name a few. Some of the packages already present in Slamd64 were available in newer versions - such was the case with The GIMP and K3b. Many packages were fresh - Firefox 1.0.6 for Slamd64 was released within days after its source code became available upstream. GNOME 2.10.1 was also listed. Although we discovered that the number of Slackware packages for the x86_64 architecture were nowhere near the numbers one might find in third-party repositories for Fedora, Mandriva or SUSE, there clearly is an ongoing effort to build 64-bit Slackware packages and provide them to the community.

Like other major distributions, Slamd64 ships with compatibility libraries for running 32-bit applications. We were able to install and use several 32-bit binary packages, such as OpenOffice.org 1.1.4 or Opera 8.01. According to Fred Emmott, many other 32-bit binary packages will work, although they are not officially supported. As is the case with Fedora or SUSE, the 32-bit libraries are stored in /lib, while the 64-bit ones are placed in /lib64.

Our overall impressions of Slamd64 were positive. Although we came across a minor installation glitch, once the system was installed, we found it blazingly fast. The 32-bit OpenOffice.org Writer and Calc launched in under 3 seconds, while the native 64-bit applications felt still more responsive. Like its parent, Slamd64 is a clean, robust system which is a pleasure to work with. Users who prefer a package manager with a dependency resolution feature can easily install slapt-get, which reportedly works well on Slamd64. We didn't expect to find a large number of third-party 64-bit binary packages for Slackware on the Internet, but were pleased to see a reasonably active developer community making an effort at building some of the more important ones. And although the Slamd64 web site provides little in terms of documentation, it does have a fairly active user forum and mailing list. Frequent updates in the "current" directory are a further testament that the developers of this young project are serious about building a solid Slackware-based distribution for the x86_64 platform

Comments (5 posted)

New Releases

Mandriva Linux 2006 Beta officially out

The first beta for Mandriva Linux 2006 is now available. "If you already have a Mandriva system installed you can simply perform an update with urpmi: the file trees for i586 processors or 64 bit x86_64 compatible processors are on the /devel/2006.0/ subdirectory of the mirrors. You will also find ISO images for 3 CDs, also available for both architectures. Mini ISO files contain the minimum needed to perform an installation and allow to add extra package sources from FTP mirrors during the installation."

Full Story (comments: none)

MEPIS SoHoServer Test01

MEPIS has begun formal testing of the MEPIS SoHoServer. "SoHoServer is a general purpose SoHo solution based on the recent release of Debian "sarge". The preinstalled and configured server software includes Apache2, PHP4, Perl, Mysql, Proftpd, Bind, DHCPd, Postfix, Dovecot, Shorewall, Squid, DansGuardian, Webmin, and Usermin."

Full Story (comments: none)

Whax v.3.0 Live CD released

The public release of WHAX v.3.0 has been announced. "WHAX is the natural evolution of WHoppix - a live cd, standalone penetration testing toolkit. There are some major new features in WHAX which add huge functionality compared Whoppix, and may change the way we use live distributions."

Full Story (comments: none)

Distribution News

Debian GNU/Linux announcements

The sixth annual Debian Developers' Conference (Debconf5) has been declared a success. "More than 300 people attended this year's Debian Conference, which took place from July 9th to 17th at the University of Helsinki, Finland. The conference has been supported by more than 20 sponsors and featured a lot of talks, workshops, demonstrations, coding marathons and round table discussions on various aspects of the Debian project."

Henrique de Moraes Holschuh looks at a new Alioth project to host the planning, design work, any documentation and eventual reference implementation and deployment coordination for new initscript engines in Debian.

Pascal Hakim reports that it is now possible to subscribe and unsubscribe from individual bugs in the Bug Tracking System.

Enrico Zini provides a status report on the merging of Debtags data into the Packages file.

Comments (none posted)

Unofficial FAQ Updated For Fedora Core 4

The Unofficial Fedora FAQ has been updated for Fedora Core 4. "One of the major updates in the Fedora Core 4 FAQ is an entirely new, super-simple method of configuring yum."

Full Story (comments: none)

Fedora Bug Day Event - Pick Your Poison

The Fedora BugZappers Triage Team is holding a Bug Day on July 29, 2005. "The theme for our first bug day will be 'Pick Your Poison.' Anything in bugzilla is fair game! The goal will be to try and triage as many bugs as possible, close out duplicates as well as linking to upstream bug trackers. Additionally, we have the special honor of trying to file and close out as many Documentation Bugs as possible."

Full Story (comments: none)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for July 26 is out; this week's topics include graylisting, the multi-architecture proposal, CPU frequency policy, and more.

Full Story (comments: none)

Fedora Weekly News #6

This issue of the Fedora Weekly News includes articles on Red Hat Magazine - July 2005, Fedora BugZappers Triage Team, FUDCon London, 2005, Introducing Deer Park, Rev'ing up Your Backups, Thomas Guide: Remote Desktop, Current Status of Nrpms.net, Firefox 1.0.6 Released, mplayerplug-in 3.01 Released, Safe way to remove old kernels, and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of July 25, 2005 is out. This week's edition marks Bug #100,000 since the Gentoo Bugzilla was started in 2002, plus another look at keeping gentoo-sources-2.4, and other topics.

Comments (none posted)

DistroWatch Weekly, Issue 110

The DistroWatch Weekly for July 25, 2005 is out. "It is 'shoulder season' in the distribution land. Apart from several minor distribution releases, it was a slow week, with only the launch of the Utnubu initiative and a new beta release from Mandriva providing some excitement. Prompted by a satisfied user, we have taken a closer look at StartCom MultiMedia Edition, an interesting distribution based on Red Hat Enterprise Linux. Apart from these topics, we have all the usual columns, complemented by a quick tip for using digital cameras, mobile phones and music players under Linux."

Comments (none posted)

Package updates

Fedora Core updates

Fedora Core 4 updates: freeradius-1.0.4-1.FC4.1 (new version 1.0.4), ypserv-2.13-7 (crash with ypxfr), setarch-1.8-1.FC4 (fix possible segfault), openoffice.org-1.9.117-3.1.0.fc4 (add patch to avoid missing FormWizard spam on save), pvm-3.4.5-5_FC4 (bug fixes), subversion-1.2.1-2.1 (update to 1.2.1), module-init-tools-3.1-4 (fix depmod segfault), system-config-netboot-0.1.22-1_FC4 (bug fixes), setools-2.1.1-2 (upgrade to 2.1.1-2), nfs-utils-1.0.7-10 (add patches), libsepol-1.5.10-1.1 (fix reset booleans warning message again), gnbd-kernel-2.6.11.2-20050420.133124.FC4.43, dlm-kernel-2.6.11.5-20050601.152643.FC4.10, cman-kernel-2.6.11.5-20050601.152643.FC4.9, GFS-kernel-2.6.11.8-20050601.152643.FC4.9, gnome-panel-2.10.1-10.2 (backport fix for recent-files memory leak), system-config-printer-0.6.131.3-1 (fix an unwanted interaction with SELinux), tar-1.15.1-7.FC4 (bug fixes, clean up), util-linux-2.12p-9.7 (bug fixes), gcc-4.0.1-4.fc4 (fixes, updated from CVS, rebuilt for FC4), libtool-1.5.16.multilib2-2 (needed for gcc-4.0.1 update), system-config-bind-4.0.0-20_FC4 (bug fixes), mgetty-1.1.33-3_FC4 (bug fixes), apr-0.9.6-3.1 (updated libtool script), audit-0.9.19-2.FC4 (minor fixes).

Fedora Core 3 updates: pvm-3.4.5-5_FC3 (bug fixes), mgetty-1.1.31-3_FC3 (bug fixes), system-config-netboot-0.1.22-1_FC3 (bug fixes), util-linux-2.12a-24.4 (add support for OCFS2), tar-1.14-5.FC3 (bug fixes, clean up), gcc-3.4.4-2.fc3 (updates and fixes), system-config-bind-4.0.0-20 (bug fixes), mgetty-1.1.31-4_FC3 (bug fixes).

Comments (none posted)

Mandriva Linux

Mandriva Linux update MDKA-2005:035 provides updated clamav packages for versions 10.1, 10.2, and Corporate 3.0.

Full Story (comments: none)

Slackware updates

This week some glibc packages have been rebuilt and recompiled, there's a switch to udev-058 (older but more stable), linux-2.6.12.3 packages in testing, and upgrades to emacs-21.4a, mysql-4.1.13, zlib-1.2.3, fetchmail-6.2.5.2, gxine-0.4.6, abiword-2.2.8, fluxbox-0.9.13, firefox-1.0.6, mozilla-1.7.10, thunderbird-1.0.6, nail-11.24, ppp-2.4.3 and radiusclient-0.3.2, libxml-2.6.20, cyrus-sasl-2.1.21, iproute2-2.6.11-050330, lftp-3.2.1, sendmail-8.13.4, wireless_tools.27, guile-1.6.7, links-2.1pre17, and much more. See the slackware-current changelog for complete details.

Comments (none posted)

Distribution reviews

Life Is Good When You're a Slacker (Mad Penguin)

Mad Penguin reviews Slackware Linux version 10.1. "Performance of the Slackware desktop itself is superb. I've not found a desktop yet that outperforms it on my systems (save for VectorLinux, which is a Slackware variant designed to perform well on older hardware). Gentoo, and consequently VidaLinux , come close but Slackware rocks them all."

Comments (none posted)

My workstation OS: ELX Biz Desktop 4.0 (NewsForge)

NewsForge looks at ELX Biz Desktop. "When I installed ELX I was pleasantly surprised. All the applications functioned properly, the multimedia applications worked immediately upon installation, the interface was intuitive and easy to configure, and I could find almost no bugs. It appears to be a very mature product."

Comments (none posted)

Page editor: Rebecca Sobol

Development

GnuPG: The GNU Privacy Guard

The Gnu Privacy Guard (GnuPG) is an open-source encryption, key management, and decryption application that is available under the GNU General Public License (GPL). GnuPG is intended to be used for securing digital communications and data storage.

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.

[GnuPG] The main GnuPG features include:

  • Is a full replacement for PGP.
  • No (known) patented algorithms are used.
  • Functions in a command-line mode and as a UNIX filter.
  • Fully implements the OpenPGP specification.
  • Is compatible with PGP versions 5-7.
  • Supports the following encryption methods: ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER.
  • Allows expiration dates for keys and signatures.
  • Has translation support for many languages.
  • Has an online help system.
  • Can use keys stored on removable smart-cards.
  • Supports the HKP keyservers.
  • And more..

A wide variety of front-end applicaions are available for GnuPG, they include GUI interfaces, mail and chat program interfaces, and scripting interfaces.

Building GnuPG from source was a simple matter of downloading and verifying the code, unpacking, then running the usual configure, make, and make install steps. Using the code was easy, a quick pass through the GnuPG Mini-Howto document showed how to create a key, and perform simple encryption and decryption of a file.

A wealth of documentation is available online including numerous Howtos, Guides, FAQs, and online manual pages.

Stable version 1.4.2 of GnuPG was released this week. It features a number of changes to the ID card software, new command completion capabilities, improvements to the key cleaning function, and more. If you should need any encryption capabilities, from simple secure file trading to complicated security systems, GnuPG is there to help.

Comments (2 posted)

System Applications

Database Software

Firebird 2 Alpha 3 released to testers

The Alpha 3 release of the Firebird 2 database is available for testing. "Read the general notes on page 2 of the Alpha 3 release notes carefully FIRST! Particularly, try out the new international language support that has been introduced in this alpha."

Comments (1 posted)

PostgreSQL Weekly News

The July 24, 2005 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL database news.

Full Story (comments: none)

An Introduction to Test::MockDBI (O'Reilly)

Mark Leighton Fisher introduces Perl's Test::MockDBI on O'Reilly. "Test::MockDBI mocks up the entire DBI API by using Test::MockObject::Extends to substitute a Test::MockObject::Extends object in place of the DBI. A feature of this approach is that if the DBI API changes (and you use that change), you will notice during testing if you haven't upgraded Test::MockDBI, as your program will complain about missing DBI API method(s)"

Comments (none posted)

LDAP Software

LAT 0.6.1 Released

Version 0.6 of LAT, the LDAP Administration Tool, is out with new features and bug fixes.

Full Story (comments: none)

Libraries

libgdither 0.6 released

Version 0.6 of libgdither, a library for applying dithering to PCM audio sources as a noise reduction technique, is out with bug fixes.

Full Story (comments: none)

Web Site Development

aroundme 0.5.2 (alpha) released

Version 0.5.2 alpha of aroundme is available for testing. "'aroundme' is social networking and team interaction software. It has three central components: a social network, groupware, and activities and task management. It works with standard Web server configurations, and uses only about 3Mb of disk space. The amount of space each user has for image storage is configurable at installation. Features include membership and group wiki, blog, events, tasks, and polls; user multiple profiles, customisable social networking; simple publishing tools; a membership and group access control system; and an RSS feed."

Comments (none posted)

Midgard 1.7.0 released

Version 1.7.0 of Midgard, a web content management system, is out. "Midgard's 1.7 release is a major overhaul of the whole Content Management System. Besides the stable and mature Content Management features of first generation Midgard, it also ships a preview version of second generation Midgard capabilities, allowing developers to have a glimpse at the new day of Midgard2."

Full Story (comments: none)

phpBB 2.0.17 released

Version 2.0.17 of phpBB, a web-based bulletin board system, is out. "This release addresses several bugfixes and some low security issues as well as the recently seemingly wide-spread XSS issue (only affecting Internet Explorer)."

Full Story (comments: none)

Tapestry 4.0 beta released

Version 4.0 beta of Tapestry, an Apache Jakarta object-oriented web application framework, is out. "Tapestry is unlike most other frameworks in that it doesn't use code generation; instead it uses a true component object model based on JavaBeans properties and strong specifications. Tapestry applications require far less Java coding and are far more robust than equivalent applications developed with other popular frameworks." The Tapestry Support Network has also been launched.

Full Story (comments: none)

XOOPS 2.2 RC2 released (SourceForge)

Version 2.2 RC 2 of XOOPS, an Object Oriented PHP-based dynamic web content management system, has been announced. "This Release Candidate is meant for testing purposes only, and contains a number of new features that make management of XOOPS powered websites easier and more flexible. Among the major changes are the dynamic userprofile, which is now a module for easier upgrading and enhancement, an extended Private Message system (also as a module), themable administration interface, and many many smaller enhancements, fixes and features."

Comments (none posted)

Desktop Applications

Business Applications

Four 'enterprise' applications from Tiny.be

A company called Tiny has announced the availability of four "enterprise" applications, all released under the GPL. They are: Tiny Project, a project management tool; Tiny Accounting, a double-entry bookkeeping system; Tiny Marketing, a marketing campaign manager, and Tiny CRM, a customer relationship management tool. The tools are written in Python, and there are Debian packages available.

Comments (none posted)

Desktop Environments

Fisterra 2 stable release published (GnomeDesktop)

A stable release of Fisterra 2, a development framework for GNOME, has been announced. "Fisterra 2 at the moment contains: "fisterra-base": a stable and mature GNOME framework to develop sectorial applications. "fisterra-distribution": a beta implementation yet, with POS (point of sale) functionality."

Comments (none posted)

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week:

Comments (none posted)

KDE Commit Digest

The July 22, 2005 issue of the KDE Commit-Digest is available. Here is the content summary: "Umbrello adds a Ruby code generator. Kalzium now has a chemical equations solver. New recurrence code for libkcal. Kopete adds support for receiving AIM buddy icons. Kopete supports Richtext formatting in Yahoo! Messages."

Comments (none posted)

Desktop Publishing

Inkscape 0.42 released

Version 0.42 of the Inkscape SVG drawing tool is out. 0.42 is said to be "the most feature-filled release to date"; it includes flowed text (with any shape), proper text selection, a reworked gradient tool, a new set of effects, and more. Click below for the details and download information.

Full Story (comments: 5)

Electronics

Kicad 2005-07-25 released

Release 2005-07-25 of Kicad, a printed circuit CAD application, is available. Changes include cosmetic enhancements, a new mouse function, translation and documentation improvements.

Comments (none posted)

XCircuit 3.3.29 released

Version 3.3.29 of XCircuit, an electronic schematic drawing package, is out. The device auto-numbering system is being reworked.

Comments (none posted)

Games

Phil's pyGame Utilities 1.1 released

Version 1.1 of Phil's pyGame Utilities, a tile and level editor, has been announced. The Changes include: "command line interface improved considerably - use .ini files for init". Also, version 1.0 of Phil's pyGame Library is available.

Comments (none posted)

Interoperability

CYGWIN/X needs a new maintainer

Alexander Gottwald is stepping down from the position of maintainer of CYGWIN/X, a new voluneer is needed.

Full Story (comments: none)

Wine-20050725 released

Release 20050725 of Wine has been announced. Changes include early theme support in common controls, MSHTML improvements, Direct3D improvements, early LDAP support, bug fixes and more.

Comments (none posted)

Mail Clients

Sylpheed-Claws 1.9.13 unleashed (SourceForge)

Version 1.9.13 of Sylpheed-Claws is available. "Sylpheed-Claws is an extended version of Sylpheed, a GTK+ based, lightweight, and fast e-mail client. This is the GTK 2 version of Sylpheed-Claws. This release includes improved GPGME, IMAP, and printing support."

Comments (none posted)

Music Applications

E-Radium V0.61c announced

Version 0.61c of E-Radium, a midi music editor that runs under the E-Uae Amiga emulator, is out with bug fixes and performance improvements.

Full Story (comments: none)

Hydrogen 0.9.2 released

Version 0.9.2 of Hydrogen, a musical drum machine, is out with bug fixes and lots of new capabilities.

Full Story (comments: none)

kluppe 0.5.1 released

Version 0.5.1 of kluppe, a jackified loop-player for Linux, is out with the beginnings of MIDI support and bug fixes.

Full Story (comments: none)

mma beta 0.15 released

The initial beta release of mma, Musical MIDI Accompaniment is out. "MMA is a accompaniment generator -- it creates midi tracks for a soloist to perform with. User supplied files contain pattern selections, chords, and MMA directives. MMA is very versatile and generates excellent tracks. It comes with an extensive user-extendable library with a variety of patterns for various popular rhythms, an extensive user manual, and many demo songs."

Full Story (comments: none)

Office Suites

KOffice 1.4.1 with Improved OASIS Support (KDE.News)

KDE.News covers the release of KOffice 1.4.1. "Among various bugfixes and language improvements, the KOffice 1.4.1 release further improves support for the OASIS OpenDocument file format."

Comments (none posted)

KDE Plugin in the Official OpenOffice.org Packages (KDE.News)

KDE.News looks at the KDE plugin for OpenOffice.org. "A year and a half after launching the KDE.OpenOffice.org Integration Project, the KDE plugin with the Native Widget Framework as become part of the official OpenOffice.org development packages."

Comments (none posted)

OO.o build 1.9.118 announced

Build 1.9.118 of OpenOffice.org is available. It features bug fixes, build improvements and some new capabilities.

Full Story (comments: none)

Science

GeoTools 2.1.0 released (SourceForge)

Version 2.1.0 of GeoTools, an open-source Java GIS toolkit, is available. "This release features improved performance of LiteRenderer, Shapefile (now indexable), and PostGIS."

Comments (none posted)

Web Browsers

Epiphany: The Web through the eyes of GNOME (GnomeDesktop)

GnomeDesktop looks at the development of Epiphany, the default GNOME web browser. "Since the GNOME 2.12 feature freeze is in effect, it’s time to reflect on where Epiphany, GNOME’s default web browser, stands and where it’s going."

A followup article addresses some of the concerns raised in the first article.

Comments (none posted)

Mozilla 1.7.10 Released (MozillaZine)

MozillaZine reports that Mozilla 1.7.10 has been released, with a security update to the Mozilla Application Suite. "There was no Mozilla 1.7.9 release: it was cancelled after it was discovered that changes in the equivalent 1.0.5 releases of Mozilla Firefox and Mozilla Thunderbird caused some problems."

Comments (none posted)

Mozilla 1.7.11 Release Candidates Available (MozillaZine)

Release Candidates of Mozilla 1.7.11 are available. "The test builds made available today contain a fix for the folder switching issue (bug 300749) but do not feature code to correct the problem that makes cursor keys non-functional in the message composition window (bug 301917)."

Comments (none posted)

Mozilla Firefox 1.1 Delayed, Renamed to 1.5 (MozillaZine)

MozillaZine covers the release plans for Firefox 1.5. "ZDNet UK is reporting that the next major release of Mozilla Firefox has been delayed and will now be known as Firefox 1.5 rather than 1.1. The upgrade is now set for a September release."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

MozillaZine has announced the publication of the minutes from the July 18, 2005 mozilla.org staff meeting. "Issues discussed include new hires, Mozilla Firefox 1.0.5 release feedback, release management in general, the Firefox 1.0.6 API fix release, Firefox 1.1 Beta 1, Mozilla Thunderbird 1.1 Alpha 2, Spread Firefox and quality assurance."

Comments (none posted)

Word Processors

AbiWord Development snapshot 2.3.4 released (GnomeDesktop)

Development snapshot 2.3.4 of The AbiWord word processor has been announced. "The changes from 2.3.2 to 2.3.4 (2.3.3 was never any good) include a lot of bugfixes, as we are working on stablizing the 2.3 development series towards our first stable 2.4 release. No record of the exact list of changes is available for this release."

Comments (none posted)

Miscellaneous

KnowledgeTree 2.0.7 released (SourceForge)

Version 2.0.7 of KnowledgeTree is available. "KnowledgeTree is a powerful Open Source document management system. Capabilities include advanced document version control, full text search, multiple search types, extensible metadata for documents, customizable dashboard and authoring workflow. Version 2.0.7 of KnowledgeTree continues the incremental bug fixes and behind-the-scenes improvements to the Document Management System."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The July 26, 2005 edition of the Caml Weekly News is online with the latest Caml language articles.

Full Story (comments: none)

Java

JasperReports 1.0.0 released (SourceForge)

Version 1.0.0 of JasperReports has been released. "JasperReports, our July 2005 Project of the Month, is a free Java reporting library. XML report templates are used to generate ready to print documents using data from customizable data sources, including JDBC. The output can be delivered to the screen, printer, or stored in PDF, HTML, XLS, CSV and XML format".

Comments (none posted)

Lisp

GNU CLISP 2.34 feature release (SourceForge)

Version 2.34 of GNU CLISP has been announced. "GNU CLISP [2.33.2] is now available for download. CLISP is a portable ANSI Common Lisp implementation, a compiled, object-oriented, dynamic, functional, interactive programming environment. New features: MOP, weak structures, case sensitive symbols, global error handlers. New modules: matlab, rawsock, zlib, i18n, pari."

Comments (none posted)

Perl

This Week in Perl 6 (O'Reilly)

The July 13-19, 2005 edition of O'Reilly's This Week in Perl 6 is available with the latest Perl 6 news.

Comments (none posted)

Ten Essential Development Practices (O'Reilly)

Damian Conway presents ten Perl tips on O'Reilly. "The following ten tips come from Perl Best Practices, a new book of Perl coding and development guidelines by Damian Conway."

Comments (none posted)

PHP

PHP Weekly Summary for July 25, 2005

The PHP Weekly Summary for July 25, 2005 is out. Topics include: Inheriting apxs compiler flags; ext/mail?; SQLite row size; internal static properties; fread() bug; ext/standard dependencies; regression change in HEAD; preparing for 5.1.0.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The July 21, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk news and resources.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The July 26, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk articles.

Full Story (comments: none)

IDEs

Stani's Python Editor 0.7.4.a

Version 0.7.4.a of Stani's Python Editor, a Python language IDE, is available. "This is a major bugfix release for wxPython 2.6 and Mac OS X. The new features are configurable shortcuts and a realtime updating sidebar."

Comments (none posted)

Profilers

OProfile 0.9.1 has been released

Version 0.9.1 of the OProfile profiler is out. Changes include support for MIPS 24K performance counters and bug fixes.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Boot Fedora Linux Faster (Improved Source)

Here's an article that shows how one person modified a Fedora Core 4 system to make it boot faster. "As Linux has advanced it has increasingly become slower to boot. I have tested on my machine 4 Linux distributions: Linspire, Fedora 3 & 4, Suse 9.2 & 9.3, and Debian. And on average between all these distributions Linux needs around a minute to 1 and half minutes to go from boot loader to graphical login screen. So I decided to look into reducing the time it takes to boot my current setup, which is Fedora 4. In doing so I was able to reduce the boot time of my Fedora 4 installation to less than 25 seconds (just above 24 seconds on average). Below I have documented what I did, and what you can use to potentially reduce your boot up time for Linux."

Comments (27 posted)

Linux and Audio Production: Simplicity Required (O'ReillyNet)

Here's an O'ReillyNet article calling for more usability in Linux audio applications. "Don't get me wrong, there are certainly efforts going in to this area and applications such as Ardour, Wired and Rosegarden, but these tools face a number of uphill battles in winning me over. The interesting point is that the challenge is not focused so much on features but on usability and integration."

Comments (5 posted)

Linux vendors cosy up to Debian to push into enterprise (Techworld)

Techworld has an update on the Debian Core Consortium, which is set to be formally announced at LinuxWorld. "Debian's technology is highly regarded, and it is already widely used for tasks such as web hosting, but its diffuse nature has made it difficult for software and hardware vendors to put support plans into place. The DCC aims to give Debian a more predictable release cycle, and to give software and hardware vendors a single point of contact."

Comments (5 posted)

Trade Shows and Conferences

Ottawa Linux Symposium2005: first day (O'Reilly)

Andy Oram covers the first day of the 2005 Ottawa Linux Symposium on O'Reilly. "One advantage of the close examination that a conference like this one gives to its subject matter is that you see the unsavory underside. Marcel Holtmann zipped expertly through a comprehensive assessment of the state of Bluetooth on Linux (the BlueZ project) and how far each protocol had come. Martin J. Bligh reported the frustrations of making memory management robust on Linux. Even though millions of sites are comfortably and reliably running Linux, the basic operating system task of memory management has a way to go."

Comments (7 posted)

The SCO Problem

SCO Added to "New Russell Microcap Index" (Groklaw)

Groklaw does some digging into SCO's recent addition to the New Russell Microcap Index. ""If you're a busy person and don't want to play around with your investments, Russell offers opportunities to get the type of solid investment program that some of the world's largest, most sophisticated investors use. We bring together some of the world's best money managers to meet our clients' needs. We do this through industry-leading money manager research used by corporate investors like AT&T, Boeing, United Airlines, and organizations like the Bill & Melinda Gates Foundation." Well, well. What do you know? Look who just showed up. Mr. Gates. Purely coincidentally, I'm sure."

Comments (3 posted)

Companies

IBM steps into open-source Java project (News.com)

News.com examines IBM's involvement in the Harmony project, an effort to make an open-source version of the Java Platform, Standard Edition. "In the past week, IBM has dedicated an employee to working with the proposed open-source project, which is being done at the Apache Software Foundation, said Rod Smith, vice president of advanced technology at IBM. At this point, IBM's participation is limited to thoughts on design, but the company likely will contribute code to the project, Smith said. "I think you'll see some code down the road. I'm sure you will. But right now, it's getting involved in some of the ideas and design they're trying to put together," he said."

Comments (7 posted)

Microsoft Patents Emoticon (Groklaw)

Groklaw examines a recent patent application by Microsoft. "Microsoft has filed for a patent on the smiley face. No. Really. Literally, they have applied for this: "A method, comprising: selecting pixels to be used as an emoticon; assigning a character sequence to the pixels; and transmitting the character sequence to a destination to allow for reconstruction of the pixels at the destination.""

Comments (36 posted)

Linux Adoption

Healthcare Experts Question Open-Source Apps (LinuxInsider)

LinuxInsider discusses a reluctance in moving to Linux and open-source code by the health care industry. "Health-care organizations are not planning to replace their Unix or Microsoft operating systems with Linux, said Massimiliano Claps, senior research analyst at IDC Canada, adding if that's going to happen, it's going to happen first with Unix. Despite the much-touted advances open source is making in various government IT projects around the globe, it's not even on the radar when it comes to electronic health records, said panelists at the recent e-Health 2005 Conference." (Found on LinuxMedNews.)

Comments (13 posted)

Interviews

An Interview with John Markoff (O'ReillyNet)

O'Reilly has published an interview with John Markoff. "John Markoff is the author of What the Dormouse Said. In this interview, John expands on the idea he presents in his book that the counterculture shaped the evolution of the computer industry. He touches on all the players here: visionaries like Doug Engelbart and his team at SRI, John McCarthy and the people at Stanford Artificial Intelligence Laboratory), activist Fred Moore, and roleplayers like Stewart Brand and Ken Kesey."

Comments (none posted)

Information Security with Colin Percival (O'ReillyNet)

O'ReillyNet interviews Colin Percival, a FreeBSD security officer. "To the second question: you should listen to me because I have written a 12-page academic paper presenting and discussing a serious security vulnerability, and nobody has been able to refute my results. I believe that my work stands on its own; it doesn't need my name attached to give it credibility."

Comments (9 posted)

People Behind KDE: Thiago Macieira (KDE.News)

KDE.News has announced a new People Behind KDE interview with Thiago Macieira. "Thiago is a Brazilian who spends his time reading the kde-bugs-dist mailing list. Somehow he also finds time to look after the networking code in kdelibs and his dog Kayla. He also tells us why he has two clocks and includes a Unix story in Old English."

Comments (none posted)

Resources

Add vision to your robot submarine (developerWorks)

developerWorks continues with a series of articles on migrating from x86 to PowerPC. "In this episode of the ongoing Kuro Box project, learn how to add a USB camera to the machine. This article includes example Linux code to initialize and read from a USB camera through Video4Linux. Also find a brief introduction to edge detection techniques in captured images."

Comments (none posted)

What Is Business Process Modeling? (O'ReillyNet)

Mike Havey introduces Business Process Modeling in an O'Reilly article. "Business Process Modeling (BPM) is a set of technologies and standards for the design, execution, administration, and monitoring of business processes. In this article, Mike Havey, author of Essential Business Process Modeling, briefly describes the state of BPM today and the BPM standards, then builds an ideal BPM architecture using the example of a retailer process."

Comments (none posted)

Build a Wireless ISP on Linux (developerWorks)

developerWorks builds a wireless ISP (WISP). "Setting up a wireless Internet Service provider (WISP) for your office or neighborhood doesn't have to be a taxing or expensive ordeal. If you build your network from easy-to-buy equipment and use Linux, you can use the power of shell scripts to make network management easy. This article gives you the tips and scripts you need."

Comments (1 posted)

Linux in Government: You Can Use the Desktop on a Laptop Now (Linux Journal)

Linux Journal takes a look at running desktop Linux on a laptop. "I spent the better part of two days trying a variety of distributions. Before people start writing comments about how much better their distributions run than the one I chose, let me say I played no favorites. I wanted performance and I got it with Ubuntu. Contrary to what some of you might believe, it's not my favorite Linux distro. It simply performed the best in this case."

Comments (3 posted)

Best practices for portable patches (NewsForge)

NewsForge has an article on writing portable patches. "One of the things I usually take care of as a Gentoo packages maintainer is sending patches to upstream developers. If a patch is applied upstream, we can remove it from future versions of a package so we have less work to do to maintain the package. Unfortunately, it seems that other distributions and packagers don't always do the same. This is true not only for Linux distributions such as Debian, Fedora Core, and SUSE, but also for maintainers of packages in places like FreeBSD's Ports, DarwinPorts or Fink. Here are some tips for developers on making things easier for yourself and everyone who has to touch your code."

Comments (13 posted)

Live Backups of MySQL Using Replication (O'ReillyNet)

Here's an O'ReillyNet tutorial on how to set up replication with MySQL. "Typically, replication is a system configuration whereby the MySQL server, known in this context as a master server, houses the data and handles client requests, while another MySQL server (a slave server) contains a complete copy of the data and duplicates all SQL statements in which data is changed on the master server right after it happens. There are several uses for replication (e.g., load balancing), but the concern of this article has to do with using replication for data backups."

Comments (none posted)

Reviews

JLP's KDE 3.5 Previews - Part 1 (KDE.News)

Jure Repinc provides a preview of KDE 3.5. "Stability of this prebeta version is very good. I rarely encountered crashes or freezes. Speed is also about the same as with current stable version 3.4.1. The default font sizes have been reduced to 10 points, which makes a little bit more room on the screen." (Found on KDE.News)

Comments (none posted)

Desktop Publishing With Scribus 1.3.0 (Linux Magazine)

Joe 'Zonker' Brockmeier takes a look at Scribus, on Linux Magazine. "For the most part, Scribus should have all of the features most users need to create complex documents for publication. It's more than suitable for home users who might want to create nice-looking documents (expect this year's Christmas newsletters to look extra-nice), and should be able to handle a great deal of professional DTP work as well. It's apparently quite good at creating PDF forms for small businesses as well."

Comments (1 posted)

Miscellaneous

Second visit to Taiwan (RMS Blog)

Richard Stallman writes about a recent trip to Taiwan in a Blog posting. Many interesting culinary delights were sampled. "I took the opportunity presented by the visit to arrange speeches at a few other universities, and meet with hardware companies to ask them to cooperate with free software. We visited the campus of ASUS (which always made me think of Spanish "Jesús" without the J). There one person deigned to meet us, and his attitude was that the free software community was beneath their notice. On discovering this, I told him I was sorry to waste his time, and left. However, the people at VIA, Realtek, RALink and MSI showed an interest in cooperating. Some even offered to provide advance specs for free BIOS support." (Thanks to Keith Howanitz.)

Comments (8 posted)

LinuxFund names new director, schedules payouts (NewsForge)

NewsForge reports that the LinuxFund credit card program is getting back in business. "LinuxFund's new head, David Mandel, told NewsForge in an interview the funding -- $500 per month for a year to Debian, Freenode, and Wikipedia -- will be given to the projects quarterly and is part of an effort to get LinuxFund back on track. Mandel said that with help from LinuxFund's founder, Benjamin Cox, he was confident the project, and more importantly its payments to FOSS developers, would resume and possibly even grow."

Comments (none posted)

The unity of Unix (ZDNet)

This ZDNet column tries to draw attention to the set of core ideas which characterize all Unix-derived systems. "People who categorize the Unix market as splintered or fractured are generally trying to compare it unfavorably to Microsoft's Windows. That's simply wrong: Windows is a brand, Unix a set of ideas. The Windows brand has been consistently handled, but there's essentially no continuity of ideas between the 3.0, 95, NT, and Longhorn Windows generations. The Unix hardware makers, in contrast, have tried hard to differentiate their products through branding when, in reality, all of their products have been part of the same family. Oddly enough, therefore, both beliefs: that Microsoft has been consistent and that Unix hasn't, are consequences of marketing fictions."

Comments (8 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EU Public Licence: join the debate

The EU's IDABC Programme has released a draft of the EU public licence. Interested parties are invited to join the online discussions on the EUPL at the eGovernment Observatory's forum.

Full Story (comments: none)

WSIS PCT WG: WIPO should prevent software patents, shorten copyright span

The Free Software Foundation Europe has sent out a statement by the UN WSIS Patents, Copyrights and Trademarks Working Group of Civil Society concerning software patents.

Full Story (comments: none)

Commercial announcements

Levanta announces Linux management appliance

Levanta (once a high-flying company called Linuxcare) has announced the availability of "Intrepid M", a standalone box intended to help with the management of networks of Linux systems. "Through an intuitive interface, a Linux systems administrator with as little as two years of experience can use the Intrepid M to quickly deploy, rollback and migrate RPM-based Linux servers (whether running RedHat, SuSE, or Fedora distributions) from a central location -- all without the need to install the operating system or applications directly on computers."

Comments (none posted)

PostgreSQL Achieves Coverity Quality Certification

EnterpriseDB Corp has announced the receipt of a Coverity Quality Certification for the PostgreSQL-based RDBMS database. "EnterpriseDB Corporation, an enterprise-class database company, announced today that its PostgreSQL-based RDBMS was analyzed by Coverity Prevent, the world’s most advanced static software analysis tool, and found to contain only 20 defects in more than 775,000 lines of code. This is the lowest defect density (one defect per nearly 39,000 lines of code) reported by Coverity for an open source relational database."

Comments (none posted)

Open-Xchange to Appear at LinuxWorld Expo in San Francisco

Open-Xchange Inc. has announced that it will hold a demonstration of the Open-Xchange Server at the LinuxWorld Expo in San Francisco, CA on August 9-11, 2005. "Open-Xchange enables easy migration and integration to an open source environment -- allowing IT administrators to create and implement killer-apps without changing existing infrastructure components, i.e. databases, directory services, message transfer agents, e-mail servers or web-servers."

Comments (none posted)

Xandros extends Enterprise Linux Challenge

Xandros has extended its Enterprise Linux Challenge through September 30, 2005. "To date over 1,000 companies have signed up to qualify for a free copy of the Xandros replacement for Windows business desktops. This clear sign of enterprises being ready for Linux, surpassed even Xandros expectations. Challenge participants download a free trial of the new Version 3 of the Xandros Business Desktop Operating System (OS), which provides seamless compatibility with the latest Windows servers, including domain authentication support, logon scripts, and group policy profiles. Participants who fill in a detailed questionnaire to help Xandros identify future enterprise needs will be rewarded with a fully licensed boxed copy of the Xandros Business Desktop OS."

Full Story (comments: none)

New Books

C++ Books from Addison-Wesley/Prentice Hall PTR

Addison-Wesley and Prentice Hall PTR have published three new C++ books.

Full Story (comments: none)

Book: Free software for busy people

Mohammad Al-Ubaydli has written a brief book, called Free software for busy people. It serves as a quick introduction to the free software world for people who don't want to know all the details; much of the book is about OpenOffice.org and Firefox. Linux comes in toward the end. It is available online (Creative Commons noncommercial license), or can be purchased. (Seen on BoingBoing).

Comments (none posted)

Learning Perl, Fourth Edition - O'Reilly's Newest Release

O'Reilly has published the book Learning Perl, Fourth Edition by Randal L. Schwartz, Tom Phoenix, and brian d foy.

Full Story (comments: none)

Perl Testing: A Developer's Notebook - O'Reilly's Latest Release

O'Reilly has published the book Perl Testing: A Developer's Notebook by Ian Langworth and chromatic.

Full Story (comments: none)

No Starch Press publishes "Linux Made Easy"

No Starch Press has published the book Linux Made Easy: The Official Guide to Xandros 3 for Everyday Users by Rickford Grant.

Full Story (comments: none)

Upcoming Events

FAVE 2005: Open Source Creativity in Bristol, UK

The FAVE 2005 event will take place in Bristol, UK on August 20, 2005. "FAVE is a new event for people who are interested in free and open source creative software on Linux and other computer platforms."

Full Story (comments: none)

GOTO10 ASP digital sound workshop

A digital sound workshop will take place in Rotterdam, the Netherlands on September 1-4, 2005. "In a four-day workshop hosted by V2_, sound artists Frank Barknecht and Aymeric Mansoux will introduce the basics of Audio Signal Processing (ASP) in the fields of real-time music production. This workshop specifically targets people who want to develop their work in the digital sound field or those people curious about the processes involved behind the audio software they already use."

Full Story (comments: none)

IBM eServer pSeries, AIX and Linux Technical Conference

IBM will be holding two instances of its eServer pSeries and Linux technical conference. the first will be held in Orlando, FL on September 12-16, 2005 and the second will be held in Barcelona, Spain on November 7-10, 2005.

Comments (none posted)

LinuxWorld London

A LinuxWorld conference will be held in Olympia, London on October 5 and 6, 2005.

Full Story (comments: none)

OSCON public meeting

The Open Source Initiative is holding a meeting at the upcoming OSCON event. "OSI is going to be holding a public meeting at O'Reilly's OSCON the first week of August. It's to be held on Thursday evening at 7:30PM in room D135 of the conference hotel."

Full Story (comments: none)

OSDC 2005 CFP

A call for papers has gone out for the 2005 Open Source Developer's Conference. The event takes place in Melbourne, Australia on December 5-7, 2005. Proposals are due by August 19.

Comments (none posted)

The Pacific Northwest Venture Capital Symposium

Strategic Research Institute has announced the Pacific Northwest Venture Capital Symposium. The event will take place in Bellevue, Washington on September 12-13, 2005.

Comments (none posted)

Python Bootcamp Back at the Big Nerd Ranch

Mark Lutz will be holding another Python Bootcamp at the Big Nerd Ranch in Atlanta, Georgia on October 17-21, 2005.

Full Story (comments: none)

Southern California Linux Expo - Call For Papers

A Call For Papers has gone out for the Southern California Linux Expo. The event takes place near Los Angeles, CA on February 11-12, 2006. Papers are due in November.

Full Story (comments: none)

Events: July 28 - September 22, 2005

Date Event Location
July 28, 2005Black Hat Briefings USA 2005Las Vegas, NV
July 29 - 31, 2005DefCon 13(Alexis Park)Las Vegas, Nevada
July 31 - August 4, 20052005 SIGGRAPH Computer Animation FestivalLos Angeles, CA
July 31 - August 5, 2005USENIX Security SymposiumBaltimore, MD
August 1 - 5, 2005O'Reilly Open Source Convention(Oregon Convention Center)Portland, Oregon
August 1 - 5, 2005CIFS 2005 Conference and Plugfest(Doubletree Hotel)San Jose, CA
August 4, 2005Penguincon 2005Israel
August 4 - 7, 2005Linux 2005(University of Wales)Swansea, UK
August 8 - 11, 2005LinuxWorld Conference and Expo(Moscone Center)San Francisco, CA
August 20, 2005Free Audio and Video Event(FAVE)(Trinity Community and Arts Centre)Bristol, UK
August 27 - September 4, 2005aKademy 2005(University of Málaga)Málaga Spain
August 31 - September 2, 2005YAPC::EU::2005(University of Minho)Braga, Portugal
September 1 - 2, 2005Symposium on Security for Asia Network(SyScAN'05)(The Dusit Thani Hotel)Bangkok, Thailand
September 1, 2005GOTO10 ASP digital sound workshopRotterdam, the Netherlands
September 1 - 4, 2005GOTO10 ASP digital sound workshopRotterdam, the Netherlands
September 5 - 9, 2005International Computer Music Conference(ICMC 2005)Barcelona, Spain
September 14 - 16, 2005php|works(Holiday Inn Yorkdale)Toronto, Canada
September 16 - 18, 2005ToorCon 7(San Diego Convention Center)San Diego, CA
September 19 - 21, 2005Plone Conference 2005(Semper Depot, Lehargasse)Vienna, Austria
September 20 - 23, 2005New Security Paradigms Workshop(NSPW)(UCLA Conference Center)Lake Arrowhead, California

Comments (none posted)

Web sites

Samba Project and Developer Blogs

The Samba Project has announced two new Project and Developer Blogs. "This will be the permanent home of project lists, status updates and what is happening with a given project or feature. The site's success will really depend on developer interaction and whether or not the community finds the status information helpful."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds