The region of Italy known as Trentino-Alto Adige or South Tyrol has an
interesting history. It became part of Italy as a spoil of World
War 1, and many of its residents have never been entirely comfortable with
Italian control. It is a breathtakingly beautiful region, where German is
heard more than Italian. The unique nature of this area has resulted in it
being given a great deal of autonomy; Trentino-Alto Adige often does things
its own way.
Bolzano, a provincial capital in Trentino-Alto Adige, has just broken some
new ground with this announcement that the area's Italian schools
have switched to Linux. Your editor was able to discuss the project
with three of its principals: Antonio J. Russo, Paolo Zilotti, and
Christopher Gabriel. They deserve thanks for helping to fill in the
details, and for putting up with your editor's Italian.
This project goes by the name "FUSS",
for "Free Upgrade South Tyrol's Schools." Over the course of two months,
the entire computing infrastructure for the region's Italian-language
schools was converted over to a customized version of the Debian
distribution. This effort involved installing Linux on 2640 computers over
the course of 23 days; an installation
party photo gallery has been posted for those who are interested. The
project has also developed a live CD which will be handed out to students
when school opens (September 12) so that they may all run the same
software at home. The students of these schools will be able to do all of
their schoolwork using free software.
And freedom is an important issue in this project; the introduction
page starts out this way:
The decision to use free software in the schools is indeed, beyond
the economic and technical reasons, an ethical and political
choice. It is the choice of remaking oneself, both in the use
and teaching of computing, with the values of freedom and sharing,
and not just in the use of software which is efficient, stable, and
secure, which runs on older machines, and which is not subject to
licensing costs.
(The linked page, like most in this article, is in Italian; translations by
the editor).
To achieve its goals, the FUSS project decided early on that only free
software could be used. All of the usual reasons apply for this choice:
ethics, the ability to give the software to students, ability to modify the
software, etc. Given this constraint, it is not surprising that FUSS
decided to base its effort on Debian.
The 100% free nature of the distribution, combined with its quality, vast
array of packages, and adaptability are given as the reasons for this
choice. The project
developed its own version of Debian, which it calls "FUSS Soledad
GNU/Linux," or just "Soledad."
Soledad is based upon the Sarge release, but the FUSS developers have made
a number of changes. The installer and default configuration have been
adapted to the schools' needs, and a special GNOME-based desktop has been
put together. The mix of packages has carefully selected for the target
audience, with a strong bias toward educational software. The package
list for the desktop
configuration is available; there is also a version of Soledad for
server deployments. ISO images of Soledad are available from the FUSS download page.
Many of us who have dealt with the public school systems in their countries
have often wondered why there is not more free software in use. But
anybody who has tried to convince a school system to change knows what kind
of inertia exists there. So how did the FUSS project supporters get the
approval for a change of this magnitude?
There are a few factors at play here. The Italian schools in Bolzano are
(unlike those in much of Italy) organized around a central purchasing
structure for information technology. Even better, the relationship
between the schools and the central IT folks is good.
This structure made it easier to
convert the entire school system at once. The initial supporters of FUSS
came from within the school administration, and thus had the advantage of
pushing for change from the inside. Even so, the FUSS supporters had to
work for years, and had
to "assemble a fair amount of paper" before getting the project approved.
Mr. Russo adds:
I don't think that there is a formula for bringing this sort of
project to conclusion; the only thing I can say is that, in
Bolzano, people active in the spread of free software have worked
hard for many years, organizing events, conferences, installation
parties, but, most of all, meeting people and explaining to them
the benefits of free software and how their work could be improved
and made more pleasant with the use of cooperatively-developed
tools.
The FUSS developers add that the autonomous nature of Bolzano helped, since
decisions are made locally. But the importance of laying the groundwork is
clear: spend enough time educating people about the benefits of free
software, and they will eventually come around and support it.
2460 Linux installations may seem like a lot, but it is only a beginning.
This deployment only covers Bolzano's Italian-language schools; the region
also runs a great many German-language schools, and a rather smaller number
based on Ladin.
The FUSS developers have made offers of help to their German-speaking
counterparts, but, so far, have received little response. School systems
in various other regions of Italy are said to be interested, however, and
are watching to see how it all turns out.
The acid test will start on September 12, when 16,000 students return to
school. It is hard to imagine that there would be no startup glitches on a
project of this magnitude. How quickly they are ironed out, and how
quickly students and teachers become comfortable with the new systems will
have a big influence on whether other parts of Italy will make the jump to
free software. The odds are in the project's favor: school systems have
few needs which cannot be met nicely by currently-available free software.
The hard part of this project is done; congratulations are due to the many
people who have worked for years to make FUSS a reality.
Comments (8 posted)
Courts in various parts of the world have handed down decisions which, in
one way or another, can affect users and developers of free software.
These decisions are not particularly friendly to our community. Here is a
quick overview of what the courts have said.
ACRA v. Lexmark
We have encountered Lexmark before; that company has attempted to use the
DMCA to shut down alternative manufacturers of alternative ink cartridges
for its printers. That attempt failed, but the company appears to have
found another, stronger way of protecting itself from competition: the
shrink-wrap patent license.
In this case, the Arizona Cartridge Remanufacturers Association (ACRA) took
Lexmark to court, challenging Lexmark's "prebate" offering. This marketing
scheme involves "reduced price" cartridges which are explicitly marked, on
the box, as being "single use only." Customers are supposed to return
empty cartridges to Lexmark, and they are prohibited from giving the
cartridges to other remanufacturers. ACRA alleged that the labeling on the
box was deceptive, since it was not actually binding upon customers. ACRA
failed to convinced the US 9th Circuit Court of Appeals, however; on
August 30, it reaffirmed
a lower-court decision [PDF] in Lexmark's favor.
The two things which come out of this ruling are: (1) patents can be
used to impose post-sale restrictions on customers, and (2) labeling
on a package can be a valid shrink-wrap patent license. So anybody who
disposes of a used Lexmark cartridge in a non-approved manner becomes a
patent infringer - and remanufacturers which accept those cartridges are
inducing infringement.
It is not hard to see where this sort of logic can go. If a product
contains technology subject to a patent, that patent can be used to impose
no end of post-sale conditions. In the current climate, obtaining a patent
which can cover any given product will not be an especially challenging
task. Those patents could be used in interesting new ways. It is already
annoying to buy a laptop with a "designed for Windows" sticker attached to
the case with 1000-year glue. How fun would it be if the sticker read
"designed for Windows only" - and have it be enforceable?
Many of us use free software because it gives us greater control over our
systems. The growing power granted to those who hold intellectual property
rights threatens to take the control away. Increasingly, we do not truly
own the hardware we thought we had purchased; we simply hold a set of
limited rights to use that hardware in specific ways which do not threaten
the manufacturers' interests. That does not seem like the path to freedom.
Universal Music Australia Pty Ltd v Sharman License Holdings Ltd
In Australia, a large number of media companies took Sharman License
Holdings to court, alleging several copyright-related violations.
Sharman, the distributor of Kazaa, does not have entirely clean hands -
nobody disputes that many people use Kazaa to engage in copyright
infringement. In its defense, Sharman argued that it had no control over
the behavior of Kazaa users, that it had warned them about infringing
copyrights, and that the license agreement for the software prohibited its
use to make unauthorized copies of copyrighted materials.
The judge actually bought that argument - to an extent. The ruling
in this case clears the defendants of many charges of copyright
infringement. The judge did find, however, that the defendants had
"authorized" users to infringe copyrights, and that this act violated
Australian copyright law.
The defendants will now have to pay damages. Kazaa will be allowed to
continue to exist, but a new version must be released within two months
with filters designed to block infringing uses. In particular, the
software will have to accept a list (provided by publishers) of claimed
works, and block attempts to trade files which match entries in the lists.
It is not hard to imagine that file traders will respond to the keyword
matching in the same way spammers have; expect to see some creative
spellings attached to music files in the near future.
The judge seemed to have a real interest in not shutting down peer-to-peer
communications altogether, and mandated that the filtering be imposed
"... without unnecessarily intruding on others' freedom of speech and
communication." The fact is, however, that this is yet another
ruling holding software developers responsible for the acts of certain of
their users. Manufacturers of cutlery, automobiles, and firearms are not
held to such standards, but people who innovate in the software area do so
at their own risk. Thus far, most of the legal firepower has been
aimed at commercial file sharing operations, but that does not mean that
pure free software projects are immune to this sort of attack.
Blizzard v. bnetd
One free software project which has been subject to this sort of attack is
bnetd, last mentioned here two
weeks ago. The Eighth Circuit Court of Appeals has now issued its ruling in
this case [PDF], and the news is not good: bnetd lost on all counts.
The logic remains unchanged from the prior court's ruling; for example:
The bnetd.org emulator had limited commercial purpose because its
sole purpose was to avoid the limitations of Battle.net. There is
no genuine issue of material fact that Appellants designed and
developed the bnetd.org server and emulator for the purpose of
circumventing Blizzard's technological measures controlling access
to Battle.net and the Blizzard games. Summary was properly granted
in favor of Blizzard and Vivendi on the anti-trafficking
violations.
The idea that free software has fewer rights because it has "limited
commercial purpose" is chilling, to say the least. In any case, the
interoperability exception to the DMCA has been shown to mean little, once
again.
Comments (15 posted)
The
UserLinux project was founded by
Bruce Perens in 2003 with this mission:
Provide businesses with freely available, high quality Linux
operating systems accompanied by certifications, service, and
support options designed to encourage productivity and security
while reducing overall costs.
More informally, Bruce was disappointed with the currently-available
"enterprise" Linux offerings, which he sees as taking much of the freedom
out of free software. His goal was to create a new distribution (based on
Debian) which would be 100% free, aimed at the needs of smaller businesses,
and supported by a wide network of independent companies. UserLinux would
thus fill in the gap between the unsupported "development" distributions
and the expensive, restrictive packages offered by Red Hat and Novell.
A small community coalesced around the idea and got busy with peripheral
tasks: creating a web site (carrying the unfortunate tag line "Linux for
Business" once used by Caldera), designing a logo, writing a trademark
policy, and so on. But UserLinux never really got around to building a
distribution. This was partly by design: UserLinux was intended to be a
version of Debian Sarge with only minimal changes. A few metapackages
would be put together, and the package mix as a whole would be greatly
thinned down. But UserLinux never intended to create a new distribution;
it was more of a repackaging effort with an attempt to build a support
network around it.
The UserLinux experience carries a warning for future efforts: any business
or development plan which has a step reading like this:
- Wait for the next Debian stable release to come out.
is more than usually likely to encounter delays. UserLinux got to that
step, and found itself waiting for the Sarge release. For a long time.
This wait killed any momentum UserLinux may have had.
Nonetheless, the Debian Sarge release happened in June. Three months
later, nothing has been heard from UserLinux. So, finally, an interested
observer asked what was going on. Bruce responded that UserLinux was, indeed, still
alive, but, unfortunately, everything was waiting on him personally.
Essentially, the customer who was going to pay me to work on this
evaporated, and some time later I started running out of money to
support the project. I subsequently took a job with Sourcelabs. I
have 50% of my work time to work on whatever Open Source I choose
(courtesy of Sourcelabs) but so far have been pulled in a lot of
directions and thus not much has gotten done on UL of late.
Bruce may indeed succeed in getting others interested in doing some of the
lifting to make UserLinux 1.0 a reality. But a distribution which can
be stalled because one person gets busy is not going to be particularly
appealing to businesses looking for an alternative to the current support
offerings. UserLinux, in other words, appears to have little chance of
achieving its initial goals, even if it does get a release out.
The slow release of Sarge is one thing which happened to UserLinux, but
there is another unexpected event which came along as well: Ubuntu. In
many ways, Ubuntu is what UserLinux intended to be: a 100% free,
Debian-based distribution with relatively long support periods and
available commercial support offerings. Ubuntu seems to have beat out
UserLinux by virtue of not waiting for a stable Debian release, putting a
great deal of attention into ease of use and making things "just work," and
the small advantages that come from having a few tens of millions of
dollars of seed money in the bank. As a result, Ubuntu has a real
distribution, with a large and enthusiastic user community.
Not everybody is comfortable with Ubuntu, despite the fact that the
company's models appear to have put their clothes back on. Bruce's message
puts it this way:
I think the project continues to have value and I don't believe
that basing on the work of any one company, even Ubuntu which may
be more of a rich man's hobby project than a company, is the
solution for support of Linux distributions.
The creation of the
Ubuntu Foundation may help to ease the concerns about the distribution
being controlled by a single company. Meanwhile, Ubuntu has been building
a distributed support network along the lines of the one envisioned by
UserLinux, and a certification scheme is in the works. The 6.04 release,
due next year, will be supported for five years (for server use) - if the
Ubuntu Foundation lasts that long.
In other words, it seems that the distribution UserLinux wanted to create
has come to be - it just didn't happen quite the way they had intended.
Anybody who wants to carry the UserLinux banner forward as a separate
project should first be able to tell the world what they will do that
existing distributors are not doing, and how they will turn UserLinux into
a viable organization that businesses will trust. Without answers to those
questions, UserLinux will remain a project with a nice logo, but with no
software or users.
Comments (9 posted)
Page editor: Jonathan Corbet
Security
It is often said that, while free software suffers from security flaws just
like the proprietary variety does, fixes for those flaws come out much more
quickly. For most users, however, security patches do not arrive until
packaged by their distributor. So, every now and then, it is worthwhile to
take a look at how quickly various distributors manage to get the fixes
out. The following table lists a subset of recent vulnerabilities and the
number of days required for each distributor to issue an update. For the
purposes of this table, the clock starts when a vulnerability is disclosed,
or when the first distributor alert is issued, whichever comes first.
The above table lists a subset of relatively important vulnerabilities
disclosed since July, 2005. Distributions marked "n/a" do not ship the
vulnerable package; a marking of "--" means that the update has not, yet,
been released. Missing updates can mean one of two things: (1) the
distributor simply has not gotten around to releasing an update yet, or
(2) the relevant package is of the second class citizen variety, such
as those found in Fedora Extras or Ubuntu's Universe.
Even though the set of vulnerabilities above is relatively small, some
patterns emerge. Some distributors (Fedora, Gentoo, Debian, Red Hat) have
managed to close most of the listed vulnerabilities. A couple of others
have fallen seriously behind, however, leaving users running vulnerable
software. Some distributors tend to be quite fast in getting updates out;
others are slower. Perhaps the biggest surprise is the current lag time on
Debian's updates; Debian used to be one of the faster distributions to get
updates out.
It is worth noting, as well, that the increasingly popular "non-core"
package repositories can be a hazard for administrators who are not paying
attention. Clamav is used as a virus filter on many sites, and the recent
vulnerability is real and exploitable. An administrator who relies upon a
distribution's update mechanism may not have noticed that, when she used
yum or apt-get to install clamav, it came from Fedora
Extras or Ubuntu Universe. As a second class citizen package, clamav will
not be updated by the distributor, and will remain vulnerable for an
unknown period of time. Any security-conscious site which uses such
packages should have a mechanism in place to note and respond to security
problems in those packages.
Comments (12 posted)
New vulnerabilities
affix: remote command execution
| Package(s): | affix |
CVE #(s): | CAN-2005-2716
|
| Created: | September 2, 2005 |
Updated: | September 6, 2005 |
| Description: |
Kevin Finisterre reports that affix, a package used to manage
bluetooth sessions under Linux, uses the popen call in an unsafe
fashion. A remote attacker can exploit this vulnerability to execute
arbitrary commands on a vulnerable system. |
| Alerts: |
|
Comments (none posted)
apache information disclosure if modssl=yes
| Package(s): | apache |
CVE #(s): | CAN-2005-2700
|
| Created: | September 2, 2005 |
Updated: | November 10, 2005 |
| Description: |
An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
|
| Alerts: |
|
Comments (none posted)
courier: missing input sanitizing
| Package(s): | courier |
CVE #(s): | CAN-2005-2724
|
| Created: | September 1, 2005 |
Updated: | September 6, 2005 |
| Description: |
The courier sqwebmail application has an input sanitizing
vulnerability that can be exploited by a remote attacker for
the purpose of causing a script insertion attack. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
mplayer: heap overflow
| Package(s): | mplayer |
CVE #(s): | CAN-2005-2718
|
| Created: | September 1, 2005 |
Updated: | September 7, 2005 |
| Description: |
mplayer's ad_pcm.c code has a heap overflow vulnerability.
The faulty code handles the strf chunk of PCM audio streams.
A maliciously created audio or video file could be created,
allowing code to be executed with the privileges of the
user who is running mplayer. |
| Alerts: |
|
Comments (none posted)
net-SNMP: packaging flaw
| Package(s): | net-snmp |
CVE #(s): | |
| Created: | September 6, 2005 |
Updated: | September 6, 2005 |
| Description: |
James Cloos reported that Perl modules from the Net-SNMP package look
for libraries in an untrusted location. This is due to a flaw in the
Gentoo package, and not the Net-SNMP suite. |
| Alerts: |
|
Comments (none posted)
openssh: privilege escalation
| Package(s): | openssh |
CVE #(s): | |
| Created: | September 6, 2005 |
Updated: | September 6, 2005 |
| Description: |
A security bug introduced in OpenSSH version 4.0 caused gateway ports (SSH client command line option "-o 'GatewayPorts yes'") to be accidentally activated for dynamic port forwardings (SSH client command line option "-D [address:]port") when the listen address was not explicitly specified. As a result, the SSH client performed a wildcard bind for the listening socket on the SSH client machine instead of a bind to just "localhost". This way the dynamic port forwardings can be accessed also from outside the SSH client machine. |
| Alerts: |
|
Comments (none posted)
openssh: GSSAPI credential disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2005-2798
|
| Created: | September 7, 2005 |
Updated: | February 3, 2006 |
| Description: |
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
|
| Alerts: |
|
Comments (none posted)
OpenTTD: remote execution of arbitrary code
| Package(s): | OpenTTD |
CVE #(s): | CAN-2005-2763
|
| Created: | September 5, 2005 |
Updated: | September 6, 2005 |
| Description: |
Alexey Dobriyan discovered several format string vulnerabilities in
OpenTTD. A remote attacker could exploit these vulnerabilities to crash the
OpenTTD server or client and possibly execute arbitrary code with the
rights of the user running OpenTTD.
|
| Alerts: |
|
Comments (none posted)
polygen: denial of service
| Package(s): | polygen |
CVE #(s): | CAN-2005-2656
|
| Created: | September 1, 2005 |
Updated: | September 6, 2005 |
| Description: |
polygen has a vulnerability in which precompiled grammar objects
are created with world write permissions.
A local attacker can use this to fill up a local filesystem
and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
smb4k: temporary file vulnerability
| Package(s): | smb4k |
CVE #(s): | CVE-2005-2851
|
| Created: | September 7, 2005 |
Updated: | December 7, 2005 |
| Description: |
Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
|
| Alerts: |
|
Comments (none posted)
squid: DoS issues
| Package(s): | squid |
CVE #(s): | CAN-2005-2794
CAN-2005-2796
|
| Created: | September 6, 2005 |
Updated: | November 7, 2005 |
| Description: |
Squid-2.5.10-r2 and earlier has three Denial of Service issues. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
affix: two remote vulnerabilities
| Package(s): | affix |
CVE #(s): | CAN-2005-2250
CAN-2005-2277
|
| Created: | July 19, 2005 |
Updated: | September 2, 2005 |
| Description: |
A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2
and 3.2.0 allows remote attackers to execute arbitrary code via a long
filename in an OBEX file share. Also remote attackers may execute
arbitrary commands via shell metacharacters in the filename argument of a
PUT command. |
| Alerts: |
|
Comments (none posted)
apache2: CGI script denial of service
| Package(s): | apache2 |
CVE #(s): | |
| Created: | August 25, 2005 |
Updated: | August 31, 2005 |
| Description: |
Apache 2 has a vulnerability in which a remote attacker can
access certain CGI scripts, causing exhaustion of all
RAM and a denial of service. |
| Alerts: |
|
Comments (none posted)
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
CVE #(s): | CAN-2005-1268
CAN-2005-2088
|
| Created: | July 25, 2005 |
Updated: | November 7, 2005 |
| Description: |
Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL). |
| Alerts: |
|
Comments (none posted)
awstats: command injection vulnerability
| Package(s): | awstats |
CVE #(s): | CAN-2005-1527
|
| Created: | August 11, 2005 |
Updated: | November 10, 2005 |
| Description: |
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server. |
| Alerts: |
|
Comments (2 posted)
backup-manager: insecure permissions and tempfile
| Package(s): | backup-manager |
CVE #(s): | CAN-2005-1855
CAN-2005-1856
|
| Created: | August 26, 2005 |
Updated: | August 31, 2005 |
| Description: |
Two bugs have been found in backup-manager: backup files are created with
default permissions making them world readable, even though they may
contain sensitive information and the optional CD-burning feature of
backup-manager uses a hardcoded filename in a world-writable directory for
logging. This can be subject to a symlink attack. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
courier: DNS failure vulnerability
| Package(s): | courier |
CVE #(s): | CAN-2005-2151
|
| Created: | August 25, 2005 |
Updated: | August 31, 2005 |
| Description: |
The Courier mail server has a problem with DNS failures
and Sender Policy Framework (SPF) records.
Remote attackers can use this to corrupt memory
and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
CVE #(s): | CAN-2005-1111
|
| Created: | June 20, 2005 |
Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute. |
| Alerts: |
|
Comments (1 posted)
CUPS: multiple vulnerabilities
| Package(s): | CUPS |
CVE #(s): | CAN-2004-2154
|
| Created: | July 14, 2005 |
Updated: | September 20, 2005 |
| Description: |
The CUPS printing system has a problem with queue name
case-sensitivity matching that can cause a security policy override. An
unauthorized user can use this to gain print to a protected queue. |
| Alerts: |
|
Comments (none posted)
cvs: insecure temp file
| Package(s): | cvs |
CVE #(s): | CAN-2005-2693
|
| Created: | August 23, 2005 |
Updated: | September 9, 2005 |
| Description: |
Insecure temporary file usage was found in the cvsbug program. It is possible that a malicious user could use this to execute arbitrary
instructions as the user running cvsbug. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dhcpcd: denial of service
| Package(s): | dhcpcd |
CVE #(s): | CAN-2005-1848
|
| Created: | July 13, 2005 |
Updated: | September 13, 2005 |
| Description: |
The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
|
| Alerts: |
|
Comments (none posted)
elm: buffer overflow
| Package(s): | elm |
CVE #(s): | CAN-2005-2665
|
| Created: | August 23, 2005 |
Updated: | November 11, 2005 |
| Description: |
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
ethereal: dissector vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu |
CVE #(s): | CAN-2005-2101
|
| Created: | August 15, 2005 |
Updated: | September 22, 2005 |
| Description: |
Ben Burton notified the KDE security team about several tempfile
handling related vulnerabilities in langen2kvtml, a conversion
script for kvoctrain. The script must be manually invoked. The
script uses known filenames in /tmp which allow an local
attacker to overwrite files writeable by the user invoking the
conversion script. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-1913
CAN-2005-1761
|
| Created: | July 1, 2005 |
Updated: | September 9, 2005 |
| Description: |
Several vulnerabilities in the 2.6 kernel have been
fixed, including a subthread exec problem (CAN-2005-1913)
and a ia64 ptrace + sigrestore_context problem (CAN-2005-1761). |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-2098
CAN-2005-2099
CAN-2005-2456
CAN-2005-2457
CAN-2005-2458
CAN-2005-2459
CAN-2005-2548
CAN-2005-2555
|
| Created: | August 19, 2005 |
Updated: | September 19, 2005 |
| Description: |
David Howells discovered a local Denial of Service vulnerability in
the key session joining function. Under certain user-triggerable
conditions, a semaphore was not released properly, which caused
processes which also attempted to join a key session to hang forever.
(CAN-2005-2098)
David Howells discovered a local Denial of Service vulnerability in
the keyring allocator. A local attacker could exploit this to crash
the kernel by attempting to add a specially crafted invalid keyring.
(CAN-2005-2099)
Balazs Scheidler discovered a local Denial of Service vulnerability in
the xfrm_compile_policy() function. By calling setsockopt() with an
invalid xfrm_user policy message, a local attacker could cause the
kernel to write to an array beyond its boundaries, thus causing a
kernel crash. (CAN-2005-2456)
Tim Yamin discovered that the driver for compressed ISO file systems
did not sufficiently validate the input data. By tricking an user into
mounting a malicious CD-ROM with a specially crafted compressed ISO
file system, he could cause a kernel crash. (CAN-2005-2457)
It was discovered that the kernel's embedded zlib compression library
was still vulnerable to two old vulnerabilities of the standalone zlib
library. This library is used by various drivers and can also be used
by third party modules, so the impact varies. (CAN-2005-2458,
CAN-2005-2459)
Peter Sandstrom discovered a remote Denial of Service vulnerability in
the SNMP handler. Certain UDP packages lead to a function call with
the wrong argument, which resulted in a crash of the network stack.
(CAN-2005-2548)
Herbert Xu discovered that the setsockopt() function was not
restricted to privileged users. This allowed a local attacker to
bypass intended IPSec policies, set invalid policies to exploit flaws
like CAN-2005-2456, or cause a Denial of Service by adding policies
until kernel memory is exhausted. Now the call is restricted to
processes with the CAP_NET_ADMIN capability. (CAN-2005-2555) |
| Alerts: |
|
Comments (3 posted)
kernel: multiple vulnerabilities
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0175
CAN-2005-0488
CAN-2005-1175
CAN-2005-1689
|
| Created: | July 12, 2005 |
Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information. |
| Alerts: |
|
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
lm-sensors: insecure temp files
| Package(s): | lm-sensors |
CVE #(s): | CAN-2005-2672
|
| Created: | August 23, 2005 |
Updated: | November 10, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the pwmconfig script created
temporary files in an insecure manner. This could allow a symlink attack to
create or overwrite arbitrary files with full root privileges since
pwmconfig is usually executed by root. |
| Alerts: |
|
Comments (1 posted)
maildrop: missing privilege release
| Package(s): | maildrop |
CVE #(s): | CAN-2005-2655
|
| Created: | August 30, 2005 |
Updated: | August 31, 2005 |
| Description: |
Max Vozeler discovered that the lockmail program from maildrop, a
simple mail delivery agent with filtering abilities, does not drop
group privileges before executing commands given on the commandline,
allowing an attacker to execute arbitrary commands under with group
mail privileges. |
| Alerts: |
|
Comments (none posted)
mantis: missing input sanitizing
| Package(s): | mantis |
CVE #(s): | CAN-2005-2556
CAN-2005-2557
|
| Created: | August 19, 2005 |
Updated: | September 26, 2005 |
| Description: |
Two security related problems have been discovered in Mantis, a
web-based bug tracking system. A remote attacker could insert arbitrary
SQL code into SQL statements and a remote attacker was able to insert
arbitrary HTML code bug reports, hence, cross site scripting. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
Mozilla: frame injection spoofing
| Package(s): | mozilla firefox |
CVE #(s): | CAN-2004-0718
CAN-2005-1937
|
| Created: | August 15, 2005 |
Updated: | September 19, 2005 |
| Description: |
A vulnerability has been discovered in Mozilla and Mozilla Firefox
that allows remote attackers to inject arbitrary Javascript from one
page into the frameset of another site. Thunderbird is not affected
by this. |
| Alerts: |
|
Comments (none posted)
mysql: low-impact security fix
| Package(s): | mysql |
CVE #(s): | CAN-2005-1636
|
| Created: | July 20, 2005 |
Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689). |
| Alerts: |
|
Comments (1 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
OpenSSL: information leak
| Package(s): | openssl |
CVE #(s): | CAN-2005-0109
|
| Created: | May 23, 2005 |
Updated: | October 11, 2005 |
| Description: |
Hyper-Threading technology, as used in FreeBSD other operating systems and
implemented on Intel Pentium and other processors, allows local users to
use a malicious thread to create covert channels, monitor the execution of
other threads, and obtain sensitive information such as cryptographic keys,
via a timing attack on memory cache misses. See this LWN article for more information. |
| Alerts: |
|
Comments (none posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
openvpn: multiple vulnerabilities
| Package(s): | openvpn |
CVE #(s): | CAN-2005-2531
CAN-2005-2532
CAN-2005-2533
CAN-2005-2534
|
| Created: | August 23, 2005 |
Updated: | October 10, 2005 |
| Description: |
A number of vulnerabilities were discovered in OpenVPN that were fixed in
the 2.0.1 release:
A DoS attack against the server when run with "verb 0" and without
"tls-auth" when a client connection to the server fails certificate
verification, the OpenSSL error queue is not properly flushed. This could
result in another unrelated client instance on the server seeing the error
and responding to it, resulting in a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client that sends a
packet which fails to decrypt on the server, the OpenSSL error queue was
not properly flushed. This could result in another unrelated client
instance on the server seeing the error and responding to it, resulting in
a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client is possible in
"dev tap" ethernet bridging mode where a malicious client could
theoretically flood the server with packets appearing to come from hundreds
of thousands of different MAC addresses, resulting in the OpenVPN process
exhausting system virtual memory.
If two or more client machines tried to connect to the server at the same
time via TCP, using the same client certificate, a race condition could
crash the server if --duplicate-cn is not enabled on the server. |
| Alerts: |
|
Comments (none posted)
pam_ldap: plain text authentication leak
| Package(s): | pam_ldap |
CVE #(s): | CAN-2005-2069
|
| Created: | July 14, 2005 |
Updated: | October 17, 2005 |
| Description: |
pam_ldap
and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an
attacker to sniff unencrypted passwords and other information. |
| Alerts: |
|
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
CVE #(s): | CAN-2005-2491
|
| Created: | August 23, 2005 |
Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in the PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: |
|
Comments (none posted)
php: arbitrary code execution
| Package(s): | php |
CVE #(s): | CAN-2005-2498
|
| Created: | August 19, 2005 |
Updated: | October 4, 2005 |
| Description: |
A bug was discovered in the PEAR XML-RPC Server package included in PHP. If
a PHP script is used which implements an XML-RPC Server using the PEAR
XML-RPC package, then it is possible for a remote attacker to construct an
XML-RPC request which can cause PHP to execute arbitrary PHP commands as
the 'apache' user. |
| Alerts: |
|
Comments (none posted)
phpldapadmin: programming error
| Package(s): | phpldapadmin |
CVE #(s): | CAN-2005-2654
|
| Created: | August 30, 2005 |
Updated: | September 6, 2005 |
| Description: |
Alexander Gerasiov discovered that phpldapadmin, a web based interface
for administering LDAP servers, allows anybody to access the LDAP
server anonymously, even if this is disabled in the configuration with
the "disable_anon_bind" statement. |
| Alerts: |
|
Comments (none posted)
phpsysinfo: cross-site-scripting
| Package(s): | phpsysinfo |
CVE #(s): | CAN-2005-0870
|
| Created: | May 18, 2005 |
Updated: | November 15, 2005 |
| Description: |
The phpsysinfo program contains several cross-site scripting vulnerabilities. |
| Alerts: |
|
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
CVE #(s): | CAN-2005-1409
CAN-2005-1410
|
| Created: | May 4, 2005 |
Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
|
| Alerts: |
|
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
CVE #(s): | CVE-2005-1391
|
| Created: | May 2, 2005 |
Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process. |
| Alerts: |
|
Comments (none posted)
ProFTPD: format string vulnerabilities
| Package(s): | proftpd |
CVE #(s): | CAN-2005-2390
|
| Created: | August 1, 2005 |
Updated: | September 6, 2005 |
| Description: |
Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow
attackers to cause a denial of service or obtain sensitive information via
certain inputs to the shutdown message from ftpshut, or the SQLShowInfo
mod_sql directive. |
| Alerts: |
|
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: arbitrary command execution
| Package(s): | ruby |
CVE #(s): | CAN-2005-1992
|
| Created: | June 21, 2005 |
Updated: | October 6, 2005 |
| Description: |
Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on
XMLRPC servers. |
| Alerts: |
|
Comments (none posted)
shorewall: rule bypass vulnerability
| Package(s): | shorewall |
CVE #(s): | CAN-2005-2317
|
| Created: | July 21, 2005 |
Updated: | October 10, 2005 |
| Description: |
Shorewall has a vulnerability in which a client that is accepted by
MAC address filtering can bypass other rules, allowing access to
all open services on the firewall. |
| Alerts: |
|
Comments (none posted)
simpleproxy: format string vulnerability
| Package(s): | simpleproxy |
CVE #(s): | CAN-2005-1857
|
| Created: | August 26, 2005 |
Updated: | August 31, 2005 |
| Description: |
Ulf Harnhammar from the Debian Security Audit Project discovered a
format string vulnerability in simpleproxy, a simple TCP proxy, that
can be exploited via replies from remote HTTP proxies. |
| Alerts: |
|
Comments (none posted)
slocate: long path bug
| Package(s): | slocate |
CVE #(s): | CAN-2005-2499
|
| Created: | August 22, 2005 |
Updated: | October 5, 2005 |
| Description: |
A bug was found in the way slocate processes very long paths. A local user
could create a carefully crafted directory structure that would prevent
updatedb from completing its file system scan, resulting in an incomplete
slocate database. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: several XSS vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-1769
|
| Created: | June 21, 2005 |
Updated: | September 16, 2005 |
| Description: |
Several cross site scripting (XSS) vulnerabilities have been
discovered in SquirrelMail versions 1.4.0 - 1.4.4. |
| Alerts: |
|
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
CVE #(s): | CAN-2005-1993
|
| Created: | June 21, 2005 |
Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time. |
| Alerts: |
|
Comments (none posted)
sysreport: insecure temporary file
| Package(s): | sysreport |
CVE #(s): | CAN-2005-2104
|
| Created: | August 9, 2005 |
Updated: | November 11, 2005 |
| Description: |
Bill Stearns discovered a bug in the way sysreport creates temporary files.
It is possible that a local attacker could obtain sensitive information
about the system when sysreport is run. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1267
|
| Created: | June 9, 2005 |
Updated: | October 10, 2005 |
| Description: |
Several tcpdump protocol decoders contain programming errors which can
cause them to go into infinite loops. |
| Alerts: |
|
Comments (none posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
thunderbird mozilla firefox: multiple vulnerabilities
| Package(s): | thunderbird firefox mozilla |
CVE #(s): | CAN-2005-0989
CAN-2005-1159
CAN-2005-1160
CAN-2005-1532
CAN-2005-2261
CAN-2005-2265
CAN-2005-2266
CAN-2005-2269
CAN-2005-2270
|
| Created: | July 20, 2005 |
Updated: | September 1, 2005 |
| Description: |
Multiple vulnerabilities have been found in the Mozilla Thunderbird email
client, as well as the Mozilla Suite and Firefox and Mozilla based other
browsers. Bugs include an anonymous function handling bug, a JavaScript
validation problem, privileged UI code handling DOM nodes, a JavaScript
privilege escalation, a problem with Javascript in XBL controls, improper
handling of child frames, a DOM name code execution vulnerability, and
a base object clone problem.
|
| Alerts: |
|
Comments (none posted)
ucd-snmp: denial of service
| Package(s): | ucd-snmp |
CVE #(s): | CAN-2005-2177
|
| Created: | August 9, 2005 |
Updated: | January 27, 2006 |
| Description: |
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash. |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another users crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
wget: file overwrites and arbitrary code execution
| Package(s): | wget |
CVE #(s): | CAN-2004-1487
CAN-2004-1488
|
| Created: | June 9, 2005 |
Updated: | September 27, 2005 |
| Description: |
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite
certain files via a redirection URL containing a ".." that resolves to the
IP address of the malicious server, which bypasses wget's filtering for
".." sequences.
wget 1.8.x and 1.9.x does not filter or quote control characters when
displaying HTTP responses to the terminal, which may allow remote malicious
web servers to inject terminal escape sequences and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-2096
|
| Created: | July 6, 2005 |
Updated: | October 27, 2005 |
| Description: |
zlib has a buffer overflow vulnerability that can be exploited
by inflation of corrupted files, this can be used to crash zlib
or possibly remotely execute code. |
| Alerts: |
|
Comments (6 posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-1849
|
| Created: | July 21, 2005 |
Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause code that executes it to crash
if a corrupted file is opened. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 release remains 2.6.13; the first 2.6.14 prepatch
has not yet been released. According to
Andrew
Morton's September 5 kernel status report, there is quite a bit of
stuff yet to be merged, so we may not see 2.6.14-rc1 for a few more days.
That prepatch is already taking shape in Linus's git repository, however.
Merged patches include
wireless extensions v19, relayfs,
the ipw2100 and ipw2200 wireless network drivers,
the hostap driver (which allows a suitably equipped system to function as a
wireless access point), a number of swap file improvements, a new set of
sparse memory support patches (preparing the kernel for memory hotplug), a
number of kernel build system improvements, a klist API change (see below),
a large InfiniBand update (with a shared receive queue implementation), a
PHY abstraction layer for ethernet drivers, a serial ATA update, four-level
page table support for the ppc64 architecture, some sk_buff structure
shrinking patches, a big netfilter update (including netlink interface to a
number of netfilter internals and a user-space packet logging capability),
a new linked list primitive, a DCCP implementation (see last week's Kernel Page), and
more.
The current -mm release is 2.6.13-mm1. Recent changes to
-mm include a big TTY layer buffering rewrite, an IBM accelerometer driver,
and a number of architecture updates.
Comments (2 posted)
Kernel development news
The 2.6.6 kernel contained, among many other things, a patch implementing
single-page (4K) kernel stacks on the x86 architecture. Cutting the kernel
stack size in half reduces the kernel's per-process overhead and eliminates
a major consumer of multi-page allocations. So running with the smaller
stack size is good for kernel performance and robustness. The only problem
has been certain code paths in the kernel which require more stack space
than that. Overrunning the kernel stack will corrupt kernel memory and
lead to unfortunate behavior in a hurry.
Over time, however, most of these problems have been taken care of, to the
point that Adrian Bunk recently asked: is
it time to eliminate the 8K stack option entirely for x86? Some
distributors (e.g. Fedora) have been shipping kernels with 4K stacks for
some time without ill effect. What problems might result, Adrian asked, if
4K stacks became the only option for everyone?
It turns out that there are a few problems still. For example, the reiser4
filesystem
still cannot work with 4K stacks. There is, however, a patch
in the works which should take care of that particular problem.
A more complicated issue comes up in certain complex storage
configurations. If a system administrator builds a fancy set of RAID
volumes involving the device mapper, network filesystems, etc., the path
between the decision to write a block and the actual issuance of I/O can
get quite long. This situation can lead to stack overflows in strange and
unpredictable times.
What happens here is that a filesystem will decide to write a block, which
ends up creating a call to the relevant block driver's
make_request() function (or the block subsystem's generic version
of it). For stacked block devices, such as a RAID volume, that I/O request
will be transformed into a new request for a different device, resulting in
a new, recursive make_request() call. Once a few layers have been
accumulated, the call path gets deep, and the stack eventually runs out.
Neil Brown has posted a patch to resolve
this problem by serializing recursive make_request() calls. With
this patch, the kernel keeps an explicit stack of bio structures
needing submission, and only processes one at a time in any given task.
This patch will truncate the deep call paths, and should resolve the
problem.
That leaves one other problem outstanding: NDISwrapper. This code is a
glue layer which allows Windows network drivers to be loaded into a Linux
kernel; it is used by people who have network cards which are not otherwise
supported by Linux. NDIS drivers, it seems, require larger stacks. Since
they are closed-source drivers written for an operating system which makes
larger stacks available, there is little chance of fixing them. So a few
options have been discussed:
- Ignoring the problem. Since NDISwrapper is a means for loading
proprietary drivers into the kernel - and Windows drivers at that -
many kernel developers will happily refuse to support it at all. The
fact is, however, that disallowing 8K stacks would break (formerly)
working systems for many users, and there are kernel developers who do
not want to do that.
- Hack NDISwrapper to maintain its own special stack, and to switch to
that stack before calling into the Windows driver. This solution
seems possible, but it is a nontrivial bit of hacking to make it work
right.
- Move NDISwrapper into user space with some sort of mechanism for
interrupt delivery and such. These mechanisms exist, so this solution
should be entirely possible.
No consensus solution seems to have emerged as of this writing. There is
time, anyway; removing the 8K stack option is not a particularly urgent
task, and certainly will not be considered for 2.6.14.
Comments (29 posted)
Andrew Morton has stated that the OCFS2 cluster filesystem is likely to be
merged for 2.6.14. OCFS2 is not the only such filesystem under
development, however, and the developers behind the GFS2 filesystem are
wondering when it, too, might be merged - into -mm,
at least. Much work has been done on GFS to address
concerns which have
been raised previously; the developers think that it is getting close to
ready for wider exposure. The resulting discussion raised a couple of
interesting questions about the kernel development process.
The first one was asked by Andrew Morton:
"why?". Given that OCFS2 is going in, does the kernel really need another
clustered filesystem? What, in particular, does GFS bring that OCFS2
lacks? The answers took two forms: (1) Linux has traditionally hosted
a large variety of filesystems, and (2) since cluster filesystems are
relatively new, users should be able to try both and see which one
works better for them. David Teigland also posted a list of GFS features.
GFS will probably win this argument; there is a clear user community, and
filesystems tend not to have any impact on the rest of the kernel. But,
still, some developers are starting to wonder; consider, for example, this message from Suparna Bhattacharya:
And herein lies the issue where I tend to agree with Andrew on --
its really nice to have multiple filesystems innovating freely in
their niches and eventually proving themselves in practice, without
being bogged down by legacy etc. But at the same time, is there
enough thought and discussion about where the
fragmentation/diversification is really warranted, vs improving
what is already there, or say incorporating the best of one into
another, maybe over a period of time?
The other issue which came up was the creation of a user-space API for the
distributed lock manager (DLM) used by GFS. If nothing else, the two
cluster filesystem should have a common API so that applications can be
written for either one. One option for this API might be "dlmfs", a
virtual filesystem used with OCFS2. The dlmfs approach allows normal
filesystem operations to be used for lock management tasks; even shell
scripts can perform locking. Concerns with dlmfs include relatively slow
performance and a certain unease with
aspects of the interface:
Actually I think it's rather sick. Taking O_NONBLOCK and making it
a lock-manager trylock because they're
kinda-sorta-similar-sounding? Spare me. O_NONBLOCK means "open
this file in nonblocking mode", not "attempt to acquire a clustered
filesystem lock". Not even close.
(Andrew Morton).
It is not clear that better alternatives exist, however.
One could implement it all with a big set of ioctl() calls, but
nobody really wants to do that. Another approach would be to create a new
set of system calls specifically for lock management. Some have argued in
favor of system calls, but others, such as Alan Cox, are strongly opposed:
Every so often someone decides that a deeply un-unix interface with
new syscalls is a good idea. Every time history proves them totally
bonkers. There are cases for new system calls but this doesn't
seem one of them.
Alan lists a number of reasons why a file descriptor-based approach makes
sense for this sort of operation - they mostly come down to well-understood
semantics and the fact that many things just work.
This is clearly a discussion which could go on for some time. Daniel
Phillips points out that this is not
necessarily a problem. There are currently no user-space users of any DLM
API beyond a few filesystem management tools, so there is no great hurry to
merge any API. The cluster filesystems could go in without any user-space
DLM interface at all while the developers figure out what that interface
should be. And, says Daniel, perhaps there should not be one at all.
Despite the perceived elegance of having a single lock manager on the
system, having user space rely upon its own, user-space DLM is a workable
solution which could simplify the kernel side of things.
Comments (5 posted)
The klist type implements a linked list with built-in locking; it was
described here
last March.
The 2.6.14 kernel will contain a couple of API changes affecting klists.
The first is a simple change for a couple of klist
functions, which now have the following prototypes:
void klist_add_head(struct klist_node *node, struct klist *list);
void klist_add_tail(struct klist_node *node, struct klist *list);
The change is that the order of the two parameters has been switched. This
change makes the klist functions use the same ordering as the older
list_head functions, hopefully leading to a lower level of
programmer confusion.
The more complicated change has to do with reference counting. The klist
list iteration functions can hold references to objects on the list, but
the higher level code (which actually creates the objects) does not know
about those references. Somehow, the klist code must be able to tell the
next layer up about references it holds during list iteration. To that
end, klist_init() has picked up a couple of new parameters:
void klist_init(struct klist *list, void (*get)(struct klist_node *node),
void (*put)(struct klist_node *node));
The get() and put() functions are a bit of glue code
which allows the klist code to take and release references. All code using
klists must now provide these functions at initialization time.
Comments (none posted)
Patches and updates
Kernel trees
Build system
Core kernel code
Development tools
Device drivers
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
If you visit
Asianux.com, you'll find
yourself on a web site of a project with plenty of ambition. Perhaps the
best indication of it is a chart on
this page
which attempts to define the sphere of influence of the main enterprise
Linux distributions in the world, with Red Hat dominant in North America,
SUSE in Europe and -- you've guessed it -- Asianux on much of the huge (and
potentially very lucrative) Asian continent. Although the reality is a
little more complex than the chart would like to us to believe, the Asianux
project has succeeded in attracting much attention in the Linux media. With
the recent release of Asianux 2.0 we decided to download the two ISO images
for the i386 architecture (images for x86_64 and pSeries processors are
also available) and install it on a Pentium 4 box to take it for a test
drive.
Before we start, it is important to stress that Asianux is not meant to be
used as a standalone product. Although this is not clearly stated on the
project's web site, the lack of any security and errata pages makes it
obvious; in fact, since the release of Asianux 1.0 in April 2004 the
project has issued just a single service pack, rather than regular security
updates to vulnerable applications, as one would expect from an enterprise
Linux distribution. Instead, Asianux serves as a base for the three
participating Linux vendors - China's Red Flag Software, Japan's Miracle
Corporation, and Korea's Haansoft. Of the three, only Red Flag has so far
released a product based on Asianux 2.0 - a development snapshot of Red
Flag Linux 5.0 Desktop, which is available for free download from Red
Flag's web site.
Asianux 2.0 is not an independently developed distribution, but rather
obviously based on Red Hat Enterprise Linux 4. This is also true of the
Anaconda installer, which, although heavily modified and themed, offers
roughly the same steps as any recent Red Hat or Fedora installation
program. Nevertheless, there are some differences;
for example, the partitioning stage in Asianux also offers ReiserFS and XFS
formatting options, but, on the other hand, it completely omits the option
to select SELinux functionality, leaving SELinux disabled instead. The
package selection is also simplified with the only two options being a
"minimal install" and "install everything". Also unlike the Fedora/Red Hat
installation program, where some configuration takes place after the first
reboot, in Asianux, the package installation step is immediately followed
by monitor setup, while the first reboot triggers the good old Kudzu for
further hardware configuration. The step to add non-root users has been
removed from the Asianux installation program.
The system can boot into a console login prompt or KDM. The only available
desktop environment in Asianux 2.0 is KDE 3.2.1 with a "start button" and
window decorations and widgets strongly resembling Windows 98. The set of
available applications is rather limited, but this is hardly surprising
given the fact that Asianux is designed to be a base to build upon, rather
than an all-encompassing Linux distribution. As such, don't expect to find
much beyond the simplest of tools for common tasks. The only area that has
some interesting applications is system administration, which includes
several graphical front-ends for analyzing SELinux policies, a tool for
authentication configuration, Guarddog firewall configuration, and the
usual printer and network setup tools. Also present is a "Control Panel"
with several modules that are virtual copycats of their counterparts from
Microsoft Windows.
Although the name "Asianux" implies that the operating system is designed
for the large Asian continent full of diverse cultures, languages and
writing systems, the truth is that Asianux only supports four Asian
languages, or to be more precise, four Asian character sets - simplified
Chinese (used in China and Singapore), traditional Chinese (used in Taiwan
and Hong Kong), Japanese and Korean - these are often referred to as CJK
languages. It also supports English. Somewhat surprisingly, the system
locale defaults to the national language code set (e.g. Big5, GB2312) as
selected during installation, rather than Unicode (UTF8). The input of CJK
characters is offered via SCIM, an increasingly popular and intelligent
utility (originally developed by Turbolinux) for typing the complex
character sets of East Asian languages.
After spending an afternoon in Asianux 2.0 we found few reasons to complain
about the operating system. Although the application set is a little
outdated and we didn't particularly care for the Windows-like look and feel
of the default theme, we found the system solid, responsive, and with
trouble-free input of the four supported character sets. The extra
graphical utilities included in the system provided for a pleasant
surprise. A little less impressive is the Asianux web sites, which lacks
documentation and any interactive community resources, such as mailing
lists, user forums or Wikis. Also, the distribution is developed completely
behind closed doors without any public participation and without any public
development releases.
Now for the all-important question: are there any compelling reasons for an
Asian company to choose Asianux over its main competitors - the enterprise
offerings by Red Hat, Novell and even Turbolinux, which has been active on
the Chinese and Japanese markets? After all, Red Hat, SUSE and Turbolinux
have been supporting CJK languages for a long time. The latest release of
Red Hat Enterprise Linux and the upcoming release of SUSE Linux Enterprise
Server will also support a number of Indian languages, not to mention many
other languages on the continent, including those of the Middle East and
South East Asia. As such, one can argue that both Red Hat and SUSE are, in
fact, more "Asian", at least in terms of language support, than Asianux
itself.
If Asianux wants to become a leading Linux player on the continent, it needs
to do two things. Firstly, it needs to invite other main Asian Linux
players to join the development effort - Turbolinux is an obvious example
of a highly experienced and relatively successful Linux vendor with good
sales in China and Japan, but large Linux companies also operate in
Thailand, India and other countries. Secondly, the project should open up
to community participation - in a fashion similar to Fedora Foundation,
OpenSUSE or OpenSolaris. This is a trend that has already started in other
parts of the world and Asian Linux companies would be wise not to ignore
it.
Comments (none posted)
New Releases
Ubuntu has released Colony CD 4, the fourth in a series of milestone CD
images with a snapshot of the Breezy development cycle. This will be the
last Colony CD release before the Breezy preview.
Full Story (comments: none)
Novell
announces that SUSE Linux 10.0 will come out "in early October."
"
SUSE Linux 10.0 is created by the openSUSE project, a recently launched
community initiative sponsored by Novell that promotes the use of Linux
everywhere. A first for Novell, SUSE Linux 10.0 will include code changes and
bug fixes initiated with developer input from across the worldwide Linux
community."
Comments (4 posted)
Distribution News
The mirrors for download.fedora.us mirrors will completely remove FC3 and
FE3 from the apt-only fedora.us mirror network on September 10th.
"
The Fedora Project recommends that users migrate away from apt to
newer tools like yum or smartpm. Even upstream Conectiva has given up on
apt, instead worked on their new client smartpm rewritten from
scratch. Apt-rpm has bugs (virtual provides bugs like #164601) and missing
functionality (like multilib) that may never be fixed, making it impossible
to support for the Fedora Project." Also fedora.us will no longer
make security updates for RH8 Extras.
Full Story (comments: none)
MadTux/eLucis is organizing a drive to
raise funds for the Debian Project. They will donate 40% of their gross
proceeds for the week of Sept 19-Sept 24, 2005 to support Debian
development.
Full Story (comments: none)
The shadow package maintenance team has announced the release of version
4.0.12-1 of the shadow package, in experimental. "
Please test it as
much as possible by installing the new passwd and login packages. Package
maintainers who use "su" in their maintainer scripts should test them with
the new su as much as possible."
Full Story (comments: none)
Anthony Towns reports on changes to the Debian Bug Tracking System (BTS).
Click below to find out about the latest features that have been added to
the BTS.
Full Story (comments: none)
The Ubuntu Documentation Project (UDP) has announced the release of version
1.0 of the
Ubuntu
Documentation Style Guide. The Style Guide is a reference tool used by
the Ubuntu Documentation Project members and contributors.
Full Story (comments: none)
Two weeks ago we introduced
Freespire, a distribution made from
the freely available sources used by Linspire. Unfortunately Freespire
was not ready to be outed. News.com
reports
on Linspire's response, which included giving away free copies of Linspire
Five-O. Freespire will be renamed
Squiggle to avoid further confusion
with Linspire.
Comments (none posted)
New Distributions
Elive is a live CD with the
Enlightenment 17 and 16 desktop environments. It features hardware
autodetection and self-configuration, as well as wide support for different
kinds of monitors. Hard disk install is also supported. It has also the
capability of writing in a virtual system (in the live CD mode), which
allows the user to install any program through apt-get or compile it. Here
is the
list of packages
included in the new 0.3 release.
Comments (none posted)
Distribution Newsletters
The Debian Weekly News for September 6, 2005 covers a quiz to test your
knowledge of Debian, the KDE transition status, a discussion on the
license for wiki content, run levels and the Linux Standards Base, and
several other topics.
Full Story (comments: none)
The 12th issue of the
Fedora Weekly
News covers the upcoming FUDCon London, meeting minutes for the Fedora
Documentation and Fedora Marketing meetings, a Fedora Glossary, and more.
Comments (none posted)
The Gentoo Weekly Newsletter for September 5 is out. Topics this week
include the election of a new Gentoo developer council, the simultaneous
support of PHP4 and PHP5, and the question of whether Tor users should be
allowed into the Gentoo forums.
Full Story (comments: none)
Here's the latest report from the Masters of the Ubuntu Universe, with an
introduction to the newest MOTUs and look at what's new in the Universe.
Full Story (comments: none)
The
DistroWatch
Weekly for September 5, 2005 is out. "
The first full week in
September should be an exciting one for users and fans of Free Software -
GNOME 2.12, Ubuntu 5.10 Preview, and SUSE Linux 10.0 RC1 are all expected
to hit the download mirrors later this week. But before that happens we
will take a brief look at the "smart" package manager in Mandriva, check
out "SUPER", a performance-enhancing subproject of SUSE Linux, and revisit
the Linspire versus Freespire controversy. Our featured distribution of the
week is Elive, a great live CD featuring the Enlightenment window manager -
a project that is also the recipient of our US$250 August 2005
donation."
Comments (none posted)
Package updates
Updates for
Fedora Core 4:
xorg-x11
(lots of bug fixes),
evince (add
evince-0.4.0-dbus-fix.patch),
openmotif
(fix mrm initialization error),
cman-kernel
(rebuilt for kernel 2.6.12-1.1447_FC4),
gnbd-kernel (rebuilt for kernel
2.6.12-1.1447_FC4),
dlm-kernel (rebuilt for
kernel 2.6.12-1.1447_FC4),
GFS-kernel
(rebuilt for kernel 2.6.12-1.1447_FC4),
lockdev (bug fix),
perl-Compress-Zlib (update to 1.37),
termcap (rebuild),
ckermit (use baudboy.h to create per-device
lock(s) in /var/lock),
kdegraphics
(backport CVS patches),
pam (fix potential
auditing problems),
util-linux (bug fix),
tar (provide man page),
tzdata (updates for time zone changes).
Updates for Fedora Core 3: perl-Compress-Zlib (update to 1.37), perl-DBI (old and low priority security
update), tzdata (updates for time zone
changes).
Comments (none posted)
Updates for
Trustix Secure Linux 2.2 & 3.0 fix various bugs:
4suite, aspell, bind, cpplus-trustix, dmapi,
kernel, lftp, logwatch, mc, mrtg, nano, openssh, php4, php, sqlite2,
sqlite3, tsl-utils, xfsdump and
a2ps,
amanda, apache-ant, autofs, dev, gcc4, gpm, iptables, kernel, lrzsz, mc,
module-init-tools, mrtg, newt, openswan, setup, slang, sysstat,
tsl-utils.
Comments (none posted)
Distribution reviews
TuxMachines
takes a look
at Beyond Linux From Scratch. "
I had the basic LFS 6.1 install in
place and I was hoping I only needed to pick up from there. The BLFS
docbook lists such topics as security, filesystems, shells, editors,
differing networking configurations, and my main goal here: X and window
managers."
Comments (none posted)
A Windows zealot
discovers
Ubuntu, on Flexbeta. "
Ubuntu has what is, quite possibly, the
friendliest Linux user community of any distribution I've ever tried. Their
forums are home to thousands of users, many of them completely new to
Linux. Any question you could possibly have has probably already been asked
and answered there, but if you can't find your answer you can post about it
in one of their many forums. It is very rare someone won't have an answer
to your question, and if you can't find an answer you can always ask them
on IRC."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
GNOME project has
announced the release of version 2.12 of the
GNOME Desktop and Developer Platform:
The GNOME Foundation today released the
latest version of the GNOME Desktop and Developer Platform, the leading
desktop for Linux and Unix operating systems. Version 2.12 improves the
usability and power of GNOME in response to user feedback and developer
contributions, and includes thousands of changes which refine the easiest and
friendliest free software desktop.
In keeping with GNOME's "users first" philosophy, GNOME makes stable
releases every six months. This allows developers and distributors to plan
their GNOME-based products with confidence. As a result, distributions such as
Fedora, SUSE, and Ubuntu will include GNOME 2.12 in the next release of their
products, providing GNOME 2.12 to millions of users.
The
GNOME 2.12 start page
introduces the new release, and includes a link to a bootable Live CD
for those wishing to give the software a test run.
The
version 2.12 release notes is a good starting place for release information.
The changes in this release are grouped according to the needs of users,
systems administrators, and software developers. The
What's New For Users document lists the user-visible changes.
These include:
- The new ClearLooks default theme for an uncluttered screen
presentation.
- The Nautilus file manager has a new list view display option
for simplified navigation.
- Nautilus also has improved text dragging operations.
- The CD burning utility now has the ability to easily copy Audio CDs.
- The clipboard utility adds the ability to remember copied data
after the source window has been closed.
- The control panel can now be run with a vertical orientation.
- Applications can now cause their Window List entries to flash in order
to gain attention.
- The Totem video player has had a number of enhancements.
- The Sound Juicer CD ripper application has enhancements for supporting
portable music players.
- The Epiphany web browser adds a new Find Bar, better error messages,
shareable bookmarks, and support for the GNOME printing system.
- The Evolution Email and Groupware client has had improvements to the
menu layout and attachments bars, and adds support for Groupwise proxy
and IMAP accounts.
- The Control Center has a new About Me panel for
managing personal information.
- Improvements have been added to the Evince document viewer, the
GNOME image viewer, the Yelp Help Viewer, the GNOME search tool,
GNOME Dictionary, and the games.
The
What's New For Administrators document lists changes to the
administration utilities, including:
- Improvements to the Sabayon user profile manager.
- The menu system now uses the freedesktop menu specification,
a menu editor is available for customizations.
- A new Services Administration tool is available under the System Tools
configuration menu, it is used for configuring the services that run at
boot time.
- The System Log Viewer application provides a standard GUI
interface for observing system log files.
What's New For Developers introduces a number of API enhancements
to the GTK+ GUI framework, and Cross-platform development improvements.
Also, this release of GNOME adds support for the
Cairo SVG library.
The GNOME
Internationalization effort continues to increase the number
of supported languages.
For a hint at what's to come in the next release, see the
Looking to GNOME 2.14 and Beyond document.
Comments (5 posted)
System Applications
Database Software
The September 5, 2005 edition of the PostgreSQL Weekly News
covers the latest releases of the PostgreSQL database and
related software.
Full Story (comments: none)
Version 3.7 of PyGreSQL, a Python module for interfacing to a
PostgreSQL database, is out with numerous improvements.
Full Story (comments: none)
Version 3.5 final of ZODB, the Zope Object DataBase, is out.
"
ZODB 3.5 is very close to ZODB 3.4.1 in features. Subtransactions
are deprecated in 3.5 (in favor of savepoints), and 3.5 adds a simple
multi-database feature (a way to group multiple databases into a collection,
such that a connection to any database in the collection can be used to
obtain connections to the other databases in the collection)."
Full Story (comments: none)
Networking Tools
Version 1.0 of J2EP
is out and is considered ready for general use.
"
J2EP is a reverse proxy running on a Servlet 2.3 compatible engine. A reverse
proxy proxies traffic to servers and not, like a standard proxy, outgoing
traffic. A reverse proxy can be used when you want to give access to your
internal server but not open the firewall for direct connections. Then the
client can connect to the proxy and the proxy will connect to the server."
Comments (none posted)
Security
OpenSSH 4.2 is out. The changes are mostly security-oriented; they include
one which might cause interoperability problems with very old versions of
OpenSSH. Click below for the details.
Full Story (comments: none)
Web Site Development
Version 1.48 of GNU Hosting Helper, a web hosting management package,
has been announced.
"
GNU Hosting Helper now supports MyDNS name server software and a
Postfix/MySQL virtual mail system along with already having supported
standard Sendmail and Postfix installations, BIND name server software,
virtually any FTPd server software, and Apache web server."
Comments (none posted)
Desktop Applications
Audio Applications
href="http://wiki.xmms2.xmms.se/index.php/Main_Page">XMMS2, the
X(cross)platform Music Multiplexing System is an effort to
rewrite the poplular
XMMS (X Multimedia System)
music player.
Comments (none posted)
Calendar Software
MozillaZine
covers the progress on the Sunbird and the Mozilla
Calendar project.
"
Simon Paquet has written a progress report on Sunbird and the Mozilla
Calendar project. The post details the bugs that have been fixed over the
past two and a half months.
The next planned Sunbird release is 0.3alpha1."
Comments (none posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
Electronics
Version 3.3.32 of
XCircuit,
an electronic schematic drawing application, is out.
Changes include a bug fix and a new
-replace file load
option.
Comments (none posted)
Release 20050830 of the gEDA Suite CDROM, a set of electronics
applications,
has been announced.
See the
README document for details.
Comments (none posted)
Financial Applications
Version 2.4.16 of
SQL-Ledger,
a web-based accounting system, has been released.
Changes include BOM formatting for assembly items, partsgroup selection
improvements, and improved portability.
Comments (none posted)
Fonts and Images
The
STIX consortium is assembling
a royalty-free character font for mathematical typesetting purposes.
The consortium is accepting comments regarding the project's draft license.
"
Unfortunately, the license does not quite meet the free-software,
open-source, or DFSG criteria. It allows you to add glyphs to the font,
as long as you release the new font under a different name, but you cannot
modify the existing glyphs (even if you rename the font)."
Full Story (comments: none)
Games
Version 0.22 of Metal Mech
is available with bug fixes.
"
Metal Mech is a Web-based mass multiplayer game of battle between robots and
space exploration. It is a game of strategy, economics, role-playing, and
combat. Each player can handle their own war robot and battle against other
players to be the Emperor of the Universe. Players battle against each other
for resources, energy, money, buildings, and more."
Comments (none posted)
Graphics
Version 1.1.5 of
TesselSphere, an OpenGL spherical subdivision utility for plotting
particle and geodesic modules,
has been announced. Here are the changes:
"
Now links to WildMagic version 3 and STLport 5.0 2. Fixes a nasty bug on linux where some geodesic grid vertices failed to intersect with an ellipsoidal envelope. 3. Separated some of the UI classes. (UI will undergo major overhaul in the next release). 4. New base class TS_Envelope; this will eventually allow projection into all kinds of envelopes; at present it just projects into a TS_Ellipsoid. 5."
Comments (none posted)
Interoperability
Release 20050830 of Wine
has been announced.
Changes include more theming support, crypto dll improvements,
better LDAP support, a new MSXML implementation, MSHTML
improvements, bug fixes, and more.
Comments (none posted)
Web Browsers
MozillaZine
reports on plans to drop SSL version 2 in Mozilla Firefox.
"
Unfortunately, there are a number of known security flaws in SSL 2.0, which
was the first public version of the protocol (no applications shipped with
support for SSL 1.0). Therefore, the Mozilla Foundation is eager to disable
support for SSL 2.0 and have all Firefox installations use only the newer and
more secure SSL 3.0 and TLS 1.0 protocols."
Comments (none posted)
MozillaZine
reports
that a new Web-based Mozilla testing tool called Litmus is in need of
testing. "
The Mozilla quality assurance team is keen for Litmus to
get some small-scale testing now before it's promoted to a wider
audience. Mozilla Firefox and Mozilla Thunderbird testers interested in
experimenting with Litmus should follow the instructions in the weblog post
and leave feedback and comments there. Any Firefox and Thunderbird problems
discovered in the process should be posted to Litmus itself."
Comments (none posted)
Fini Alring has
written
an article introducing several Firefox extensions, including JavaScript
Console, DOM Inspector, Venkman - JavaScript Debugger, Web Developer
Extension, Greasemonkey, Platypus, ColorZilla, and more. (Found on
MozillaZine)
Comments (none posted)
The minutes from the August 22, 2005 mozilla.org staff meeting
have been announced.
"
Issues discussed include Firefox and Thunderbird 1.5, New
Newsgroups, Trademarks, DevMo and Software Update."
Comments (none posted)
The minutes from the August 29, 2005 mozilla.org staff meeting
have been announced.
"
Issues discussed include Mozilla Firefox 1.5, Mozilla
Thunderbird 1.5, newsgroups, DevMo and conferences."
Comments (none posted)
Languages and Tools
Caml
The September 6, 2005 edition of the Caml Weekly News
is online with the latest articles about the Caml language.
Full Story (comments: none)
Haskell
The August 30, 2005
edition
of the Haskell Weekly News is online with the latest Haskell news.
Topics covered this week include several new packages and discussions
about arrays and binary files.
Comments (none posted)
The September 6, 2005
edition of the Haskell
Weekly News is online with the latest Haskell news. Topics
covered this week include the announcement of the cabal-get system, h4sh
0.2, time limits on computation, and new hosting for cvs.haskell.org.
Comments (none posted)
Java
Version 0.18 of GNU Classpath, the essential libraries for java, is out.
"
This is our first release after "The Big Merge" with GCC/GCJ. GNU
Classpath can now be used as a subdirectory of libgcj inside the GCC
tree so it will be much easier to keep GCC up-to-date with the latest
GNU Classpath developer release snapshots."
Full Story (comments: none)
The August 28 - September 3, 2005 edition of
This week on harmony-dev
is online with coverage of the latest developments to the
Harmony open-source Java platform.
Full Story (comments: none)
PHP
Version 5.0.5 of
PHP
has been released.
"
This version is a maintenance release, that contains numerous bug fixes, including security fixes to vulnerabilities found in the XMLRPC package. All users of PHP 5.0 are encouraged to upgrade to this version."
Comments (1 posted)
Python
Version 3.15 of PyQt, the Python language bindings for the
Qt GUI Toolkit, is out. Changes include:
improved integration between Qt's ActiveQt framework and Python's
win32com modules, support for QScintilla v1.6
and support for Python's cyclic garbage collector.
Full Story (comments: none)
The September 5, 2005 edition of Dr. Dobb's Python-URL!
is online with the latest Python language article links.
Full Story (comments: none)
Ruby
The September 4th, 2005 edition of the
Ruby Weekly News brings you the latest discussions
from the ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The September 1, 2005 edition of Dr. Dobb's Tcl-URL!
is online with new Tcl/Tk articles and resources.
Full Story (comments: none)
The September 5, 2005 edition of Dr. Dobb's Tcl-URL!
has been published, take a look for the latest Tcl/Tk articles
and resources.
Full Story (comments: none)
Editors
Version 0.9.2.3 of RText
is available with many new features.
"
RText is a customizable programmer's text editor written in Java. Some of its
features include: syntax highlighting, editing multiple documents at once,
printing and print preview, find/replace/find in files dialogs, undo/redo,
and online help."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
InformationWeek has posted
a
lengthy article on how "anti-piracy" efforts in China are pushing the
country toward Linux. "
China in particular will see compound annual
growth rates of 25.6 percent in the number of developers in the next three
years, predicts IDC analyst Stephen Hendrick. It's a good bet that many of
them will be working on the Linux platform, especially since Linux is
already gaining traction among Chinese college students."
Comments (7 posted)
HP's Stormy Peters has
a
column in ComputerWorld urging the free software community to start
playing the software patent game for real. "
Building its own
portfolio of actual patents, not just the right to use them, enables the
open-source community to effectively defend open-source software and to use
its patents to negotiate cross-patent agreements. Open-source developers
should file for as many software patents as they can and stockpile them. By
working with the system, you can file for patents, accumulate them and use
them to protect your software rights."
Comments (8 posted)
Trade Shows and Conferences
KDE.News
reports from
aKademy. "
The 2005 KDE conference aKademy in Malaga, Spain,
ends on Sunday 4th of September. Up to now the conference has been hugely
successful with more than 250 visitors. The Users and Administrators
Conference and the Developers and Contributors Conference have both
concluded, the Coding Marathon is continuing for two more days."
Comments (none posted)
KDE.News
looks at the
presentations by the KDE-Usability group, at aKademy. "
Usability
has grown over the year since the last aKademy. During the Coding Marathon
portion of the conference, the KDE-Usability group gave several
presentations and tutorials so developers can learn more about usability,
and get live usability support while they hacked away. It was a great
success and there were a lot of great bug fixes completed during the
weekend. The following is a summary of the presentations and tutorials from
the conference."
Comments (none posted)
KDE.News provides
wrap-up coverage
of the aKademy conference.
"
The aKademy 2005 KDE Developers Conference finished yesterday with a second
day of talks to prepare for KDE 4. Topics of the day included integration
with other programming platforms, marketing KDE and accessibility. In their
keynote, David Carson and Deepika Chauhan from Nokia described the challenges
involved with porting KHTML to the series 60 platform."
Comments (none posted)
Companies
The Register
covers the IBM version of the Windows vs Linux TCO comparison.
"
IBM is kicking some total cost of ownership (TCO) dirt in Microsoft's face, releasing a numbers survey that claims Linux is cheaper to deploy and manage than Windows.
An IBM-sponsored Robert Frances Group study found it is 40 per cent cheaper to buy, implement and run an application server on an x86 server running Linux than on a similar server running Windows. Robert Frances polled IT executives at 20 mid-sized and large companies with 250 or more employees."
Comments (8 posted)
Interviews
Edd Dumbill
talks
with Axel Hecht, a member of Mozilla Europe's board of directors, and a
major contributor to the Mozilla project, on O'ReillyNet. "
ED:
Are there any recent technical changes that have helped Mozilla become a
more viable platform? AH: There is a considerable amount of energy
going into XULRunner these days. This is the platform that we will port our
applications to. We are going to start with Firefox, but there are already
people actively using the IRC client Chatzilla as an XULRunner
application. XULRunner will include Gecko and a set of other modules usable
for application creation."
Comments (6 posted)
developerWorks
talks
with Stanley Kwong, who will be giving a technical briefing about Power
Architecture in the People's Republic of China. "
Stan Kwong: I'm in
charge of the worldwide technical briefings and also a lot of the technical
events. You can kind of look at us as the evangelists for IBM, the
face-to-face evangelists. I started with developerWorks about four years
ago. Given the background of how we try to evangelize, specifically in
terms of the Web and the developer online community, IBM started feeling
that there was a major need in terms of the entire world to have
evangelists going out there to talk a lot about our technology and also
about products. So from a very small staff, we began doing technical
briefings."
Comments (3 posted)
Reviews
Linux.com
reviews Kontact, a personal information manager.
"
KDE's Kontact personal information manager acts as a centralized viewing and editing interface for email, contacts, to-do list, calendar, and notes. Kontact provides you with a Summary view of all the important information you have stored on computer. It also warns you when birthdays and anniversaries are fast approaching, and can even tell you the weather conditions in as many cities as you set it up to show. It's pretty good-looking to boot."
Comments (2 posted)
Rami Rosen
introduces Xen in a Linux Journal article.
"
The Xen VMM (virtual machine monitor) is an open-source project that is being developed in the computer laboratory of the University of Cambridge, UK. It enables us to create many virtual machines, each of which runs an instance of an operating system.
These guest operating systems can be a patched Linux kernel, version 2.4 or 2.6, or a patched NetBSD/FreeBSD kernel. User applications can run on guest OSes as they are, without any change in code. Sun also is working on a Solaris-on-Xen port."
Comments (9 posted)
Miscellaneous
Groklaw
reports on a plan to migrate all of the Massachusetts state agencies
to the OpenDocument standard by the beginning of 2007.
"
As they
themselves acknowledge, "Given the majority of Executive Department agencies
currently use office applications such as MS Office, Lotus Notes and
WordPerfect that produce documents in proprietary formats, the magnitude of
the migration effort to this new open standard is considerable."
Considerable, yes, but if your goal is interoperability, both necessary and
worth the effort, as anyone who has ever tried to interoperate in WordPerfect
with someone working in MS Office can testify."
Comments (2 posted)
This IT-Director article describes the frustrations some developers feel regarding the commercialization of free software, and comes to a strange conclusion. "
Inevitably, the pioneer spirit is eroded as commercial organisations pick, choose and adapt Open Source software to meet their own strategy. Open Source will lose its original ethos. Ultimately, Open Source software which does not make commercial sense, or at least indirectly contribute towards the commercial strategies of the software vendors and their corporate markets, is doomed to a dead end."
Comments (15 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation and FSF Europe have sent out an announcement
regarding the next phase in the process leading to version 3 of the
GPL. "
The project will bring together thousands of organisations, software
developers, and software users from around the globe during 2006, in
an effort to update the world's most popular Free Software licence. The
GPLv3 promises to be one of the largest participatory comments and
adoption efforts ever undertaken." There is a €150,000 grant
from Stichting NLnet supporting this project, but not many specifics (yet) on
what will actually be done.
Full Story (comments: 11)
Louis Suarez-Potts has sent an announcement regarding Sun's retirement
of the Sun Industry Standards Source License (SISSL).
"
How does this move affect OpenOffice.org? As most know,
OpenOffice.org code was launched under the dual banner of the SISSL
and LGPL; licensees could choose which one they wanted to use, and
nearly all have chosen the LGPL. Effective with the announcement
that Sun is retiring the SISSL, however, OpenOffice.org will in the
future only be licensed under the LGPL."
Full Story (comments: none)
Commercial announcements
Brightstar has
announced its involvement in the "One Laptop Per Child" project. "
The $100 laptop is envisioned as a Linux-based, full color, full screen
laptop enabled with both WiFi and cellular technology and produced to be able
to handle a rugged, child's environment." A little more information is available on
this Media Lab page.
Comments (10 posted)
Computer Associates has
announced that it will not assert patent infringement claims against free software projects using technology covered by any of 14 patents. The
list of patents includes one entitled "graphical display of data," among others.
Comments (8 posted)
Panda Software has announced malware certification for its
Panda SambaSecure Antivirus product.
"
Panda SambaSecure has obtained Checkmark Level 1 and 2 certification on detection and disinfection
of malware, which is a good indicator of the quality level of our products."
Full Story (comments: none)
According to
this press release, the SCO Group and MySQL AB have joined forces, with SCO shipping a commercial version of mysql on OpenServer. "
As part of the agreement,
the companies will work together on a range of joint marketing, sales,
training, business development and support programs that will benefit
customers throughout the Americas, Europe and Asia." The PR has dropped SCO's usual "owner of the Unix operating system" line as well.
Comments (11 posted)
Servertec has released its suite of Java products under the GNU
Library General Public License. A number of embedded web servers
for embedded platforms and other utilities are included.
Full Story (comments: none)
SWsoft has announced a partnership with HP relating to
its Virtuozzo server virtualization solution.
"
SWsoft, an established leader in server
automation and virtualization software, today announced complete
Virtuozzo-based server virtualization solutions on IntelR ItaniumR 2
processor-based HP Integrity servers and other HP platforms."
Full Story (comments: none)
New Books
Addison-Wesley has published the book
Beyond the C++ Standard Library: An Introduction to Boost
by Björn Karlsson.
Full Story (comments: none)
O'Reilly has published the book
Podcasting Hacks
by Jack D. Herrington.
Full Story (comments: none)
Resources
The Electronic Frontier Foundation has published
a guide to DRM in online music. "
This guide 'translates' the marketing messages by the major services, giving you the real deal rather than spin. Understanding how DRM and the DMCA pose a danger to your rights will help you to make fully informed purchasing decisions. Before buying DRM-crippled music from any service, you should consider the following examples and be sure to understand how the service might limit your ability to make lawful use of the music you purchase."
Comments (13 posted)
The FSF Europe newsletter looks at the GPLv3, a report from Karsten Gerloff
at the ATTAC Germany summer academy, the AFFS General Meeting and improving
the infrastructure.
Full Story (comments: 5)
The initial release of the InterBase and Firebird Developer Magazine
is available as a free PDF download.
"
In this issue: cover story "Inside savepoints" about internals of savepoints mechanism, interesting article "How to use temporary tables in InterBase", overview of "Embedded User Authentication in InterBase 7.5", practical guide "How to avoid 10054 errors", and so on."
Comments (none posted)
The
September Linux
Gazette is out. This edition has the usual features plus articles
such as 'Linux Analog to Digital Converter', 'Microprocessor Simulator on
Linux', 'New Use for Old Hardware: A Network Copier', 'Using The QEMU
Emulator, My Thoughts And Experiences', 'Digital Television', 'Snort Inline
Part II', and more.
Comments (none posted)
A new
FAQ about Mozilla newsgroups
has been announced.
"
The
document covers issues such as access to the new newsgroups, access to the
old newsgroups, the mailing lists and anti-spam measures. Last month, it was
announced that Mozilla newsgroups will be moved to a server hosted by Giganews."
Comments (none posted)
The latest edition of MyOSS Magazine - Edition 5 (Chronicles of FaTUX) is
available for
download. This
issue looks at Live CDs, code design, PythonCard, HackInTheBox conference
tickets and more. Click below for a more through summary, or just grab a
copy.
Full Story (comments: none)
Contests and Awards
KDE.News
covers
two KDE-Artists.org artwork challenges for
amaroK and Kontact.
"
The amaroK developers are currently working on the 1.3 release of their live CD. If you are an Open Source artist and are interested in creating the amaroK 1.3 live CD artwork then join the 7 day artwork challenge. Excellent prizes await the winner."
Comments (none posted)
GnomeDesktop
has announced
the winner of the GNOME 2.12 splash screen contest.
"
The winner of the 2.12 splash screen competition is GNOME in Silk - evolving 2 by Xilef. The new splash screen will be used in the official GNOME 2.12 release in a few days."
The image resembles a foot-shaped pill dissolving in water.
Comments (none posted)
SSC Publications, Inc. has
announced the winners of its first-annual TUX Magazine
Readers' Choice Awards. Winners include Kubuntu/Ubuntu, KDE,
Firefox, Thunderbird, Gaim, and more.
Comments (none posted)
Upcoming Events
Jeff Waugh has announced the Badger Badger Badger Tour.
"
I will be travelling for a month and a half, criss-crossing the northern
hemisphere, to bring the world of Ubuntu to your doorstep. Expect badgers,
mushrooms, schnaaaaaakes, an awful lot of Ubuntu CDs, and a healthy dose of
madcap hijinks! If you would like to catch up with me during my journey, add
your details to the wiki page, or reply to this email."
Full Story (comments: none)
The third Fedora User Conference
has been announced. The event will be held in London
on October 6, 2005.
"
The Fedora Project, a Red Hat-sponsored and community-supported open source project, today announced that the third Fedora User and Developer Conference (FUDCon) will take place on the second day of this years LinuxWorld in London on 6th October, 2005 at the Olympia Exhibition Centre. Following successful conferences of the Fedora Community in Boston in February and during Linux Tag in Karlsruhe, Germany in June this year, this third conference will further enable Fedora participants in the UK to exchange their views on various topics around the current state of the Fedora Project including infrastructure and development issues."
Comments (none posted)
| Date | Event | Location |
| September 8 - 9, 2005 | International Computer
Music Conference(ICMC 2005) | Barcelona, Spain |
| September 11 - 15, 2005 | Novell
Brainshare 2005 | (CCIB)Barcelona, Spain |
| September 12 - 15, 2005 | Embedded Systems
Conference | (Hynes Convention Center)Boston, Mass |
| September 14 - 16, 2005 | php|works | (Holiday Inn Yorkdale)Toronto,
Canada |
| September 16 - 18, 2005 | ToorCon
7 | (San Diego Convention Center)San Diego, CA |
| September 17 - 18, 2005 | Freedel | New Delhi, India |
| September 19 - 21, 2005 | Plone
Conference 2005 | (Semper Depot, Lehargasse)Vienna, Austria |
| September 20 - 23, 2005 | New Security Paradigms
Workshop(NSPW) | (UCLA Conference Center)Lake Arrowhead, California |
| September 23 - 24, 2005 | Sixth Symposium on
Trends in Functional Programming(TFP 2005) | Tallinn, Estonia |
| September 26 - 29, 2005 | Hack in the Box
Security Conference(HITBSecConf2005) | Kuala Lumpur, Malaysia |
| September 26 - 30, 2005 | IEEE International
Conference on Cluster Computing(Cluster 2005) | Boston, Massachusetts |
| September 28 - 30, 2005 | OpenOffice.org Conference
2005(OO.oCon) | Koper (Capodistria), Slovenia |
| September 30 - October 2, 2005 | Linucon | Austin, Texas |
| October 1, 2005 | Ohio LinuxFest
2005 | Columbus, OH |
| October 2 - 5, 2005 | Gelato October 2005 Meeting for
Linux on Itanium | Porto Alegre, Brazil |
| October 5 - 6, 2005 | LinuxWorld
London | Olympia, London, UK |
| October 6, 2005 | Fedora Users and
Developers Conference(FUDCon London) | (LinuxWorld Conference and Expo UK)London,
UK |
| October 7 - 9, 2005 | Indie Games Con
2005(IGC) | Eugene, Oregon |
| October 8 - 10, 2005 | GNOME Boston
Summit | (Gates Building)Cambridge, MA |
| October 8, 2005 | LinuxForum
BOF-dag | Denmark |
| October 12 - 13, 2005 | IT
Underground(ITU) | Warsaw, Poland |
| October 13 - 14, 2005 | Open Source Desktop
Workshops | San Diego, CA |
| October 14 - 15, 2005 | HackLu
2005 | (Chambre des Metiers)Kirchberg, Luxembourg |
| October 14 - 16, 2005 | Blender Conference
2005 | (De Waag)Amsterdam, the Netherland |
| October 16 - 23, 2005 | piksel05 | Bergen, Norway |
| October 17 - 20, 2005 | O'Reilly European Open Source
Convention 2005(EuroOSCON) | Amsterdam, The Netherlands |
| October 18 - 21, 2005 | Zend/PHP Conference
and Expo 2005 | (Hyatt Regency SF Airport Hotel)Burlingame, CA |
| October 18, 2005 | Dynamic
Languages Symposium 2005(DLS05) | San Diego, CA |
| October 19 - 21, 2005 | Australian
Unix Users Group Conference 2005(AUUG) | Sydney, Australia |
| October 24 - 28, 2005 | 12th Annual
Tcl/Tk Conference | (Red Lion Hotel)Portland, Oregon |
October 30, 2005 - November 11, 2005 | Ubuntu Below Zero | (downtown Holiday
Inn)Montreal, Canada |
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: |
| "David S. Miller" <davem-AT-davemloft.net> |
| To: |
| corbet-AT-lwn.net |
| Subject: |
| TOE performance |
| Date: |
| Wed, 31 Aug 2005 22:42:29 -0700 (PDT) |
| Cc: |
| jmorris-AT-namei.org, jgarzik-AT-pobox.com |
In response to: http://lwn.net/Articles/149941/
You might want to ask the Chelsio guys to provide some performance
metric other than their "land speed record" that, as Linux networking
stack maintainer, I'm frankly sick of hearing about over and over
again.
What's more interesting to me is an area I know TOE is poor in, and
that is TCP connection rates. It's all too easy to make one sole
connection pump a lot of data, but it's hard to make a web or database
server serve hundreds of thousands of connections per second. TOE
cards generally cannot do that because each connection setup/teardown
requires setting up and tearing down state on the network card, which
subsequently kills TCP connection rates.
So if you're a scientist trying to break the land speed record between
Stanford University in California and some place in the middle of
Europe on the other side of the planet, yeah TOE is probably a great
toy to play with.
TOE users are niche, always have been, and always will be. It is no
mistake that the Chelsio guys do not delve into this aspect of their
technology.
And the study they mentioned in their mail to you of course will be
full of accolades for their approach. If you read only the documents
posted on their web site, you might think that TOE is the best thing
since sliced bread.
The TOE folks are frankly between a rock and a hard place. They need
some support in upstream Linux for their solution to really be far
reaching and viable, yet the negative aspects of their technology are
such that this is likely not going to happen.
They also refuse to actively consider stateless offloads, which are
much better for long term maintainability and do not bypass the Linux
TCP networking stack we've been tuning for 10+ years. Doing so would
at least make these guys appear less anti-social and I would certainly
pay more attention to their concerns if they at least made some
efforts in this area. But they'll never do something so open minded
because their whole buisness model surrounds TOE.
With that in mind I applaud folks like Lenoid Grossman who are working
on stateless TCP receive offloads for highspeed networks on the
products they work on.
Take care.
Comments (2 posted)
Page editor: Jonathan Corbet