
LWN.net Weekly Edition for September 29, 2005

The Grumpy Editor's Guide to Personal Finance Managers, Part 2

Personal finance managers are complex applications, though it is only recently that finance applications available under free licenses have reached anything near the capabilities of the proprietary alternatives. In the first part of this series, your editor introduced the three packages under review (GnuCash, Grisbi, and KMyMoney) and covered the basic tasks of setting up accounts and entering transactions. A good personal finance manager can do more than that, however. So this article, the second and final part of this series, looks at a few advanced features.

Reports

Any spreadsheet can compute the balance of a banking account and let you know just when that account became overdrawn. One of the useful things a personal finance manager can do is to generate reports which provide a more complete picture of what is happening with one's money. Such reports can prove most useful at those animated dinner-table discussions on why the accounts are overdrawn yet again. The financial situation may be disastrous, but at least you have a nice pie chart explaining the situation.

For those who do need pie charts, GnuCash is currently the only viable option. This program offers a wide set of reports in both tabular and [Piechart] graphical formats, with a high degree of configurability. Unlike account registers, reports are displayed in the GnuCash main window, so only one can be viewed at once. Reports are persistent across sessions, so one need not worry about having to repeat a lengthy series of customizations.

GnuCash can export reports to HTML files, nice for posting a group's finances on the web. HTML export only seems to work for the tabular reports, however; the others yield a blank page. There is a "stylesheet" feature which affects both on-screen and exported reports. Two stylesheets are provided: "ugly" and "ugly with brighter colors" (the GnuCash developers used less informative names).

[KMyMoney report] KMyMoney 0.8 does not provide graphical reports, but it does have a wide variety of tables. The display is readable, and highly configurable. Reports are persistent, but the mechanism takes a little getting used to. When a report is created, it is represented by a tab in the top of the report frame. The next time KMyMoney is started, that tab will be missing, but the report (if customized) will appear in the tree-oriented list of options. KMyMoney reports can be exported in HTML and CSV formats.

[Grisbi report] Grisbi, too, only offers tabular reports. There is an unbelievable number of configuration options, obtained by navigating through two layers of tabbed windows. The output has the requisite information, but is, in your editor's opinion, relatively hard to read. While both GnuCash and KMyMoney can create reports on investments, balances, and net worth (along with transactions), Grisbi is limited to transactions only.

None of the packages reviewed offers a useful report seen in some proprietary offerings: a projection of an account's balance into the future taking scheduled transactions into account. Such reports are necessarily inaccurate, but they can give a useful indication of whether trouble is approaching in the near future or not.

GnuCash's graphical reports set it apart (for now - KMyMoney 0.9 will have charts as well), but the truth of the matter is that the tabular reports are the truly useful ones. Unless your dinner-table budget discussions require using OpenOffice to present the situation, pie charts and the like are not often helpful for real decision making. KMyMoney's tabular reports are as good as GnuCash's, and arguably easier to read. Grisbi's narrower range of reports detracts from its usefulness here.

Scheduled transactions

Any worthwhile personal finance manager will have the ability to handle transactions scheduled for the future. This feature can be useful for future cash flow planning, speeding up the transaction entry process, or for simply getting a reminder to send off that car payment before the repo man shows up with a tow truck. Scheduled transactions can also be used to handle loan repayment and to help track loan balances.

GnuCash has a well-developed transaction scheduler, currently the best of the three packages reviewed here. The usual parameters can be set: amount, begin date, number of occurrences, payment frequency, accounts to use, etc. GnuCash has the widest selection of frequencies, and is the only one [Scheduler screenshot] which can handle semi-monthly events. Since semi-monthly paychecks can be common - at least in the US - its omission in the other finance managers is an annoyance. An existing transaction can be used as a template for a scheduled transaction, which is a nice time saver.

Scheduled transactions can be entered automatically into the relevant ledgers, or they can wait for a manual action by the user. Another feature unique to GnuCash is a popup reminder of due transactions when the program starts up; those transactions can be edited and entered immediately, or that work can be postponed for later. The main window for scheduled transactions offers both a list view and a six- or twelve-month calendar showing when events will occur.

The GnuCash scheduled transaction code does appear to be a work in progress in spots. Different graphical conventions in parts make it look like something bolted on late in the development process. There is a mention of variables which can be used in transactions, but no apparent way to use the capability. Your editor was also able to crash GnuCash by playing with the scheduler windows.

KMyMoney offers many of the features needed in a transaction scheduler, but this feature needs a bit of work yet. Your editor succeeded in crashing the scheduler when attempting to create an event from an existing [Schedule editor] transaction; let it be said that crashes in a program intended to be managing one's money can be disconcerting. That said, KMyMoney's scheduler is close to what it needs to be.

The transaction editor contains the usual information. There is no provision, however, for split transactions, and no reminder options. The list of available frequencies does not include semi-monthly. It does offer both "fortnightly" and "every other week," however, leading the user to wonder just what the difference is. "Quarterly" and "every three months" are also distinct options.

The main scheduler window comes up in a list view, sorted by transaction type. There is also a single-month calendar view which is far less useful than the multi-month calendar provided by GnuCash. The single-month calendar has space to put actual information - payee and amount, for example - on the screen, but KMyMoney, instead, just puts in a large, red number showing only how many transactions fall due that day. The list and calendar views cannot be seen at the same time. One might think that double-clicking on an event in the list view would allow editing that event, but, instead, it switches to the calendar view. There appears to be no way to get KMyMoney to step through transactions which have fallen due; instead, they must be selected and entered, one at a time, from the list view.

[Grisbi scheduler] Grisbi's scheduler is the least featureful and hardest to work with of the set. A number of features, such as creating a scheduled transaction from an existing register entry, do not appear to actually work. The editor is awkward to use, and makes poor use of the screen space. There is no useful calendar view. The list of available frequencies is quite small. If you are a Grisbi user, you'll be able to create and work with basic scheduled transactions, but it will be harder than it needs to be.

As mentioned above, none of the packages reviewed here is able to perform any sort of future cash flow projection based on scheduled transactions. Another missing feature, found in some proprietary packages, is the ability to detect manual entry of (what appears to be) a regular transaction and offer to create a schedule; this is not a feature that all users will miss, however.

Both GnuCash and KMyMoney have nice utilities for dealing with loan payments. A series of dialogs collects the relevant information and sets up an appropriate scheduled transaction. GnuCash displays a repayment table when the loan is set up, but there appears to be no way to ever get that table back later on. GnuCash also neglects to initialize the loan account to the starting balance; the user must do that separately or the loan balance will not be properly accounted. Both packages can handle interest calculations and various add-on payments. Grisbi, instead, has no functionality for dealing with loans.

Investing support

No modern personal finance manager would be complete without providing the ability to watch as one's money vanishes into the stock market. Both GnuCash and KMyMoney have investment tracking capabilities, with similar features. Grisbi, instead, lacks any sort of investment handling.

GnuCash and KMyMoney both treat stocks and mutual funds in a way similar to their treatment of currencies: they are commodities which, at any given time, can be exchanged for money at a particular price. Both of them can go to online sites to update their idea of what stocks and funds are worth, making it easy to get a snapshot of the value of a portfolio at any time.

[Commodity editor] The GnuCash way of dealing with stocks is borderline painful. The user must create a "commodity" entry describing the stock, providing information like the ticker symbol and where to get online updates. Then it becomes possible to create a new account associated with that stock. Only then can purchases and sales be entered. Sales are particularly obnoxious: one might think that entering the number of shares sold in the "sell" column would do the trick, but the Wrong Thing happens. One must, instead, enter a negative number of shares. It is not clear why there are separate columns, given this behavior.

KMyMoney is a little more straightforward, providing a set of dialogs which hold the user's hand through the process of setting up a new investment. [KMyMoney investment screen] The creation of individual accounts for each stock or fund is not required (or, at least, is hidden from the user). "Buy" and "sell" operations are easy to enter correctly. KMyMoney also has handling for brokerage fees; GnuCash can do the same through split transactions, but the user must take explicit action to make that happen.

KMyMoney has an explicit "dividend reinvest" operation, while GnuCash forces the user to figure out how to get the same effect via the register. GnuCash, instead, has an operation for dealing with stock splits. KMyMoney makes do with "add shares" and "remove shares" operations, which causes shares to arrive from (or disappear into) the void.

Both programs can generate reports showing the value of an investment portfolio and return over a period of time. Neither, however, can handle capital gains calculations - something that US users, at least, would appreciate. Neither program can plot the value of a portfolio over time. It does not appear to be possible to set up scheduled investment transactions in either program.

Other notes and conclusion

Your editor imported one year's worth of financial transactions into all three programs, and was able to make a couple of other observations. First of all, the size of the resulting files varied considerably:

Package     File size (KB)
GnuCash     1700
Grisbi      410
KMyMoney    54

The interesting thing is that all three packages use (different) XML-based file formats. KMyMoney compresses the file, however; when uncompressed, the file weighs in at 725KB. Grisbi gains its space savings by using a great many single-letter attributes.

The other observation is that KMyMoney is far slower to start up than the other two packages.

As mentioned in the first part of this report, GnuCash has a whole set of business-related features not found in the other two packages. These include a database of customers, vendors, and employees, and the ability to generate and track invoices. Job tracking is built in, and there is some capability for dealing with tax tables. The business features have a bit of an unfinished feel to them, however, and your editor suspects that very few businesses are actually using them.

GnuCash also has a poorly-maintained ability to operate with PostgreSQL as a back end. Sadly, this backend is unable to deal with business objects, making it unusable by the group which would be most likely to want that capability.

So which program would a grumpy editor recommend? One can start by eliminating Grisbi. This application has reached a level of functionality which, only a few years ago, would have placed it among the best available in the free software community. At this point, however, it lacks too much in the way of features, usability, and charm to be seriously considered by most users.

Among the other two, GnuCash still comes out on top with regard to both features and usability. Your editor hesitates to recommend GnuCash without reservation, however. One of the most important things to do when evaluating a free package is to come to a conclusion regarding the health of the development community. Unless you plan to take over maintenance and addition of new features yourself, it is nice to know that there is a strong community behind the software.

The GnuCash development community appears, from the outside, to be stuck in some sort of low point. The port to GNOME 2 has been ongoing for years, but there still is little idea of when it will be complete; as a result, distributors are considering dropping GnuCash because the pain of maintaining GNOME 1, now used almost exclusively by GnuCash, is getting to be too much. Discussion on the development mailing list is muted, and releases are increasingly scarce. GnuCash is at a bit of a crisis point. If its developers do not resolve the GNOME 2 issue and get development moving again in the near future, this outstanding application could be facing the end of its active life.

KMyMoney, instead, is on a roll. The development community is active and happy, features are being added at an impressive pace, and that 1.0 release appears to be getting closer. At current rates, it will be a matter of months, at most, before KMyMoney surpasses GnuCash in every area which matters to most users - and keeps on going. For this reason, along with the fact that KMyMoney 0.80 is nearly good enough already, your editor would have to recommend KMyMoney to anybody looking for a free personal finance manager at this time.


The Authors' Guild and Google Print

September 28, 2005

By Pamela Jones, Editor of Groklaw

Lawyers, like the rest of us, are reacting with great interest and some passion to the Author's Guild's copyright infringement lawsuit against Google over its new Google Print Library Project, by which Google plans to scan books from the libraries of Harvard, Stanford, Oxford, the University of Michigan, and the New York Public Library and make them searchable by keyword. Google describes the project's goals like this:

The Library Project's aim is simple: make it easier to find relevant books. We hope to guide users to books — specifically books they might not be able to find any other way — all while carefully respecting authors' and publishers' copyrights. Our ultimate goal is to work with publishers and libraries to create a comprehensive, searchable, next-generation card catalog of all books in all languages that helps users discover new books and publishers find new readers.

The Author's Guild describes it differently. To them, it's massive copyright infringement, pure and simple. The lawyers are trying to figure out who is right and which side is more likely to prevail, to the extent anyone can predict a fair use case, but there are bigger issues raised by this litigation. Here's the complaint [PDF] and Google's public statement in response. If you'd like to follow the lawyers' discussions, here are some places where you can do so: Susan Crawford's blog, William Patry's The Patry Copyright Blog, and Eric Goldman's Technology and Marketing Law Blog, and here's Andrew Raff's excellent collection of attorney reactions on IPTAblog. You might enjoy reading Tim O'Reilly's thoughtful take on the lawsuit, looking at it from a publisher's point of view.

How Google Print Library Works

What exactly is Google doing with Google Print? First, what *isn't* it doing? It isn't making copyrighted books available cover to cover against anyone's will. There are three parts to Google Print. One, Google makes books available in their entirety only when the books are in the public domain, like Project Gutenberg has done for years. Second, when publishers or authors agree, it makes sections available, the page the keyword appears on and a few pages on either side, but that is a separate facet of the project, the Google Print Publisher Program. The one the Author's Guild is fighting over is the third part, Google's Print Library Program, and for that Google will show only a few sentences on both sides of the keyword searched for, and not necessarily complete sentences. You never see a full page, let alone an entire book. You will also find bibliographic information and where you can find related information on the web. In all cases, you will also be directed to nearby libraries and bookstores where the book is available for purchase or loan, including second-hand bookstores for out-of-print books.

Screenshots of the three different offerings can be viewed here. And Google's Common Questions about the Google Print Library Project says that Google Print is "designed to help you discover books, not read them from start to finish. It's like going to a bookstore and browsing – only with a Google twist."

Google's Side

On the Google side, the clearest arguments are presented by EFF's Jason Schultz, who explains the four fair use tests; Jonathan Band's paper, "The Google Print Library Project: A Copyright Analysis" [PDF]; and Susan Crawford on her blog, all of whom essentially say that copying entire books in order to make a digital keyword-based catalog is transformative and is fair use. Google isn't copying more than is necessary, they argue, because you can't search for keywords unless you have the whole book available. And anyway, where's the harm to the market? They cite the Kelly v. Arriba Soft case [PDF], in which the defendant made thumbnails of other people's photos available online in response to search requests, with links to the original works, if anyone wanted to purchase them. Arriba's use was ruled fair use, despite the fact that not only was an entire copy of the original made, a smaller version of it, in its entirety, was made available to the public. Google is only showing a sentence or two, not the entire book, for works where the author hasn't given approval to show more. If Arriba is fair use, why isn't Google Print's Library Project also?

If you wrote an article for a magazine and quoted a sentence or two, likely no one would complain, because it's so obviously fair use, so why is it a problem for Google to do the same thing with books? And what is the difference between Google collecting the world's content made available on the Internet so as to make it searchable and collecting keywords from the world's books? Copyright holders can opt out. If Google Print violates copyright law, why doesn't Google, period?

A common theme on both sides of the argument goes like this: Google has had a fantastic idea, one that can benefit the human race, and almost everyone hopes there is a way for them to do this. It's just a question of how to do it right. Google is shouldering the expense and effort of making a library card catalogue, so to speak, of the world's knowledge and offering it free to the world. Can anyone *not* want that to happen?

Authors should want to be included so they can be found. The world does its research now predominantly online, and authors, particularly authors whose works aren't selling like hot cakes, have everything to gain from being included in Google Print.

Author's Guild's Side

On the Author's Guild side is the argument that authors have the right to decide when others may or may not copy their works. This case differs from Google indexing the web's content, because a license can be inferred when someone puts content on the web and doesn't take steps to ban Google and other search engines with a robots.txt file. There is no equivalent implied permission from the authors of these books.

Copyright law gives copyright holders the right to make copies, period, and no one else can do so without permission. Libraries don't own the copyrights to these works, so they can't give permission, it is argued. Google will violate copyright law, no matter how little it shows the world, because it will make copies and store them on its servers. The onus is on Google to contact all the authors and publishers and get permissions, one by one, they say. If that is so onerous and costly that Google Print Library can't happen, so be it. The law is the law. This side cites the MP3 decision [PDF].

We might wish it could happen, some on that side say, but copyright law is what it is, so it can't. Some even predict that this litigation will shut down search engines like Google's. A few hope that happens. Some of the complaints about Google Print seem more emotional than based on fact. One comment on Boing Boing by a publisher is particularly interesting:

Google Print for Libraries has two pretty major flaws. One being giving a digital copy of all of our works to the participating libraries where they will then most likely be used in e-course reserves without any compensation to either author or publisher. University Libraries have an awful track record at compensating for e-course reserves and post our content frequently without any restrictions or security.

The second being Google will be profiting (through GoogleAds) on this content again without compensating the authors or publishers. Fair use should exclude commercial use. Even Creative Commons licenses (which I grant to my Flickr account) give you that option.

If we expect the production of good scholarship to be viable, it has to be paid for somehow.

A little more accurate information may help calm these fears. First, fair use doesn't exclude commercial use. I can write a parody, for example, of your book, even if you don't want me to, and I can sell my parody. Second, take a look at the terms of the Google-University of Michigan agreement [PDF], which is available on the university's web site, and you will see that Google has bound the University, and any of its partners, to limitations on access and use. Further, should there ever be a dispute between an author and Google about including a work, the work can be removed by Google, and the University must then follow suit. Authors can always opt out.

What about the allegation that Google will make money from this project from ads? Google says there won't be any ads on the books scanned from a library. This is important, because the Complaint specifically alleges that Google will be profiting by ads: "4. Google has announced plans to reproduce the Works for use on its website in order to attract visitors to its web site and generate advertising revenue thereby." As for the links to bookstores, Google says that the links they will provide will not be "paid for by those sites, nor does Google or any library benefit if you buy something from one of these retailers." Clause 4.3 of the agreement says that the service will be provided "at no direct cost to end users".

While the Author's Guild makes much of Google allegedly profiting off of its members' work, a strong argument can be made that it's the other way around, since Google is providing a new way for readers to discover their members' books, even those on the deep, deep backlist, as you can see in this example.

Are There Problems with the Complaint?

Then there are some attorneys already pointing out flaws, procedural defects they believe they see in the Author's Guild complaint. It is supposedly a class action, but some see a problem with class certification. The complaint defines the class as all persons or entities that hold the copyright to a literary work that is contained in the library of the University of Michigan. Class action lawsuits are supposed to represent the group the few who are named allegedly represent, but Lawrence Solum, who is an author, a member of the plaintiff class in the sense that he has several works in the University of Michigan's library, opposes the lawsuit and says he will be harmed if the Author's Guild prevails:

I have a very strong objective interest in Google Print succeeding -- because as a scholar, I benefit from the dissemination of my works and because reaching agreement with Google will be costly to me and Google, essentially killing the project. A substantial intraclass conflict of interest destroys "adequacy of representation," making class certification inappropriate, both under the federal rules of civil procedure and under the due process clause of the fifth amendment of the U.S. Constitution. . . . Pro-bono representation for intervenors opposing certification, anyone?

Is it Copying That Causes Harm, or Distribution?

Think about brick and mortar libraries. Suppose I were a librarian. I want to catalogue every book in my library and do it by keyword, so readers can come to the library and look up information by keywords on index cards that I laboriously file alphabetically in file cabinets. Each keyword will show you where in that library you can find a book that uses that keyword, with the page given, and additionally tells you where, in nearby bookstores, you can buy the book.

Would my painstaking work be a copyright offense? It's laughable to even think of it. Now, suppose I take all my index cards, and I laboriously hand type them into a computer. I have a computer database now, listing every keyword. Now have I violated copyright? Again, it doesn't pass the laugh test, does it?

But what if I realize that instead of the hand method, all I have to do is scan in the whole book and then pick out keywords by algorithm. Now am I a copyright infringer? If so, why? On the technicality that I had to scan in the whole book, thus making a copy, in order to break it down into keywords for my card catalogue of my library's contents? Purists for the law will say "Yes. You are an infringer," because you made a copy.

And they are right. You did. But exactly who is harmed by this scenario? The end result is exactly the same, whether I do the work by hand or by computer, except that Google deliberately limits how much I can see, whereas in the library, the keyword would lead me to the entire book, which presumably I could borrow, take home and scan or Xerox myself, if I don't care about copyright. If the copy merely stays on Google's servers, used only for making a digital card catalogue, in what way is the author or the publisher harmed? Have they lost any sales? Google isn't displaying the works in their entirety on its website, as the Author's Guild seems to imagine. It isn't selling the books or offering them for download. It is offering a tool to search books. Where is the harm to the market? Libraries have special rights under Copyright Law. Why shouldn't this project?

The Big Picture Questions

For those of us who are not lawyers, our dominant reaction to this lawsuit is probably that if Google Print Library violates copyright law, somebody needs to change the law. This litigation raises some important questions: What is a library in the digital age? What is a book? Is Google Print going to do away with books as containers of knowledge, replaced by searchable databases? What about this litigation's effect on copyright law in the US? Is it possible, as one comment on the Conglomerate blog suggests, that if it wins, "Google may be planting the seeds of the destruction of copyright as we know it"?

Computers are, under current law, the ultimate infringers, in the sense that you can't read anything on a computer without making a copy in RAM. There is, in short, no way to avoid making a copy, if you access at all. It's the gotcha of copyright law in the digital age, and at some point, some say, we need to think about that issue and decide what to do about it. If you want the hairs on your head to stand straight up, note the lack of comprehension of the tech involved in using a computer by reading the MAI SYSTEMS CORP. v. PEAK COMPUTER, INC., 991 F.2d 511 (9th Cir. 1993) decision: "After reviewing the record, we find no specific facts . . . which indicate that the copy created in the RAM is not fixed."

Susan Crawford explains:

All computers do is copy. Copyright law has this idea of strict liability -- no matter what your intent is, if you make a copy without authorization, you're an infringer. So computers are natural-born automatic infringers. Copyright law and computers are always running into conflict -- we really need to rewrite copyright law.

Ernest Miller and Joan Feigenbaum, in their very interesting paper "Taking the Copy out of Copyright" [PDF], suggest that we drop the copy from copyright law and focus on distribution instead. After all, it's distribution that harms authors and publishers, not copies on a Google server no one can see or access but Google.

We watched Napster get hogtied, killed, cremated and scattered to the winds, and most of us were sad that the law was trying to snuff out a great new idea because the courts seemed not to grasp the tech and the real potential for businesses founded on this new technology. But the world's books? Should the law block a new way to research and find books on any topic any human has ever written about, broken down and searchable by keyword, a way to find specific books by keyword in the finest libraries in the world, without having to travel there physically?

Larry Lessig puts it like this:

Google Print could be the most important contribution to the spread of knowledge since Jefferson dreamed of national libraries. It is an astonishing opportunity to revive our cultural past, and make it accessible. . . . Google wants to do nothing more to 20,000,000 books than it does to the Internet: it wants to index them, and it offers anyone in the index the right to opt out. If it is illegal to do that with 20,000,000 books, then why is it legal to do it with the Internet? The "authors'" claims, if true, mean Google itself is illegal. Common sense, or better, commons sense, revolts at the idea. And so too should you.

The Author's Guild has only 8,000 members. I say "only" because Groklaw has more members than that. The value to the public of Google's Print Library collection so far outweighs the value of one book to one author or even 8,000 books to 8,000 authors, that it is hard to comprehend how any law could be permitted that could allow such a result as shutting down Google on the demand of those 8,000 authors.

Copyright law is designed to protect authors, yes, but it is supposed to do so in a balance with the public good. Copyright law's purpose is to further the public good by promoting more works of authorship, so as to make knowledge available. When did that part of the law's purpose get forgotten? Protecting authors' rights is a means to the end of making knowledge more freely available, which is exactly what Google is trying to do. If the Author's Guild succeeds in blocking this project, it will have managed to turn copyright into a means for restricting the spread of ideas and reducing the public good.

Comments (25 posted)

An LWN status update

The LWN subscription experiment is now three years old. One might well conclude that it is no longer an "experiment"; it is simply the way LWN works. This anniversary is as good a time as any to look at how well it is working, and where we think things might go from here.

LWN currently has just over 3100 active subscribers; approximately 1000 more read LWN by way of group subscriptions. We are pleased that Red Hat Inc. has recently signed up as a corporate subscriber, as have a few other, smaller groups. This subscription level is nice to have, but it is very similar to what we had last year - especially on the individual side. For the time being, at least, our subscriber level is essentially flat.

Money from subscriptions goes to pay three full-time editors, one very part-time bookkeeper, health insurance, travel costs, bandwidth, computers, lawyers (not too often, fortunately), credit card processing fees, and all the other incidental costs of running a business. LWN currently pays for no office space, and plans for the procurement of a corporate yacht remain stalled (which is just as well, considering that a yacht is of limited use in Colorado). We are pleased that Rackspace.com continues to donate bandwidth for the main server, that TrustCommerce covers their part of our credit card fees, and that various sponsors have made it possible for LWN staff to attend conferences and meetings in distant parts of the world.

The end result, however, is that the current subscription level is not sufficient for sustainable operation even with the current staff. And LWN in its current form will not be truly sustainable without at least one additional staff member. So we must find a way to bring in more revenue to fund that staff member, raise our payments for outside authors to a more competitive level, attend (and report on) important free software events, deal with the long list of site improvement ideas, broaden our coverage, cope with the next inevitable horrifying health insurance cost increase, and, just maybe, give a long-delayed raise to the current staff. That might just make the grumpy editor feel a little better about the world.

We have a long list of ideas on how we might bring about that increase. Most of them are oriented toward making LWN a more valuable resource and trying to actively sell LWN subscriptions. One short-term idea (which we would like feedback on) is increasing the lockout time on subscription-only content to two weeks, or possibly more. We value our free readers, and we live for those "I finally decided to subscribe" notes, but we also have to strike a balance which respects those who are actually paying for LWN's existence. In the longer term, we may seek some sort of financing to help grow LWN into a truly sustainable business.

One thing we do not intend to change is our commitment to providing the net's most comprehensive, accurate, and well-written coverage of the Linux and free software development communities. That is what LWN set out to do back in 1997, and we've never seen any reason to try for anything else. The years in between have been a wild ride, with amazing ups and downs. But, during that time, Linux has gotten stronger, and we have built up the best group of readers we could have hoped for. We expect that the coming years will be just as interesting - and just as successful.

Comments (101 posted)

Page editor: Jonathan Corbet

Security

Rule set based access control

SELinux has become, to many, the mechanism for high-security Linux deployments. The SELinux framework is considered sufficiently powerful, flexible, and universal that some developers have contemplated removing the Linux security module (LSM) interface altogether. When SELinux does everything, why have hooks for anything else? The fact of the matter, however, is that SELinux is not the only high-security approach out there. On September 27, version 1.2.5 of the Rule Set Based Access Control (RSBAC) patch was released. RSBAC has been around for several years, but it has never quite achieved the prominence of SELinux.

Like SELinux, RSBAC inserts hooks throughout the kernel source. RSBAC does not use the LSM framework, however. This page explains why; in short, the RSBAC developer (Amon Ott) does not like how LSM exposes kernel internals to security modules, and the LSM hooks are not nearly extensive enough for RSBAC. In fact, RSBAC adds hooks in many places (individual device drivers, for example) where LSM does not tread. RSBAC hooks can also change system state in ways not allowed with the LSM framework.

With the hooks in place, RSBAC allows for several different access control regimes, all of which can be mixed and matched as desired. Available options include:

  • Authenticated user: essentially a list of user IDs which may be assumed by each process on the system. This module is required by most other RSBAC security schemes.

  • User management: a replacement for the PAM and shadow mechanisms which moves most of the user and group management tasks into the kernel.

  • Role compatibility: assigns roles to users and programs, and ensures that they match at run time.

  • Access control lists: a variant of file ACLs which can take additional RSBAC features (such as roles) into account.

  • Mandatory access control: assigns security levels to processes and objects, and prevents access between different levels.

  • Dazuko: a specialized interface for virus scanning applications. Dazuko creates a special purpose device which can be used to intercept file accesses; malware scans can then be performed before the access is allowed to succeed. There is a ClamAV interface to Dazuko.

There are several other models available; see the RSBAC models page for the full list. One thing that should be clear is that the RSBAC framework has been used to implement a wide variety of access control mechanisms. The project's long history suggests a stable user base, and RSBAC has been adopted by some distributions (including the Adamantix (formerly "Trusted Debian") and Hardened Gentoo projects). The non-LSM approach seems likely to keep RSBAC out of the mainline kernel indefinitely (nobody is even proposing merging it), but RSBAC appears to be a viable option regardless.
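As an added illustration, not code from RSBAC or from this article, the Python below shows the decision logic behind the mandatory access control model in the list above, in its classic Bell-LaPadula form: a subject may read an object only if the subject's label dominates the object's (no read up), and may write only if the object's label dominates the subject's (no write down). Note that the classic rules do permit reading down and writing up; "prevents access between different levels" is the informal summary. The level names, compartments, and the subjects and objects in demo() are constructed for the example, and nothing here reproduces how RSBAC stores or numbers its own levels.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Ordered sensitivity levels; constructed for this example, not RSBAC's own.
LEVELS: Dict[str, int] = {
    "unclassified": 0,
    "confidential": 1,
    "secret": 2,
    "top_secret": 3,
}


@dataclass(frozen=True)
class Label:
    """A security label: one level plus a set of compartments (categories)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND a superset of the
        # other label's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A subject may only write to objects that
    dominate it, so data never flows to a lower or disjoint label."""
    return obj.dominates(subject)


def may_access(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for one access request."""
    if mode == "read":
        return may_read(subject, obj)
    if mode == "write":
        return may_write(subject, obj)
    if mode == "rw":
        # Reading and writing the same object is only possible when the
        # two labels are equal.
        return may_read(subject, obj) and may_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


def demo() -> Dict[str, bool]:
    """Decisions for a handful of constructed subjects and objects."""
    analyst = Label("secret", frozenset({"crypto"}))
    public_log = Label("unclassified")
    ts_report = Label("top_secret", frozenset({"crypto"}))
    nuclear_memo = Label("secret", frozenset({"nuclear"}))
    return {
        "read public log": may_access(analyst, public_log, "read"),      # allowed
        "write public log": may_access(analyst, public_log, "write"),    # no write down
        "read ts report": may_access(analyst, ts_report, "read"),        # no read up
        "append to ts report": may_access(analyst, ts_report, "write"),  # write up is fine
        "read nuclear memo": may_access(analyst, nuclear_memo, "read"),  # missing compartment
        "edit own-level file": may_access(analyst, analyst, "rw"),       # equal labels
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:22s} {'ALLOW' if allowed else 'DENY'}")
```

The compartment check is what makes two objects at the same level ("secret/crypto" and "secret/nuclear") mutually inaccessible; without it, a level-only model degenerates into a simple ladder.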

Comments (2 posted)

Brief items

RHEL 5 going for Common Criteria EAL 4 rating

Red Hat (along with IBM and Trusted Computer Solutions) has announced that the upcoming release of Red Hat Enterprise Linux is being evaluated for Common Criteria EAL 4 certification. "This CCEVS evaluation means Red Hat Enterprise Linux will reach a level of security previously achieved by only a handful of trusted operating systems. Red Hat Enterprise Linux is now positioned to provide best-of-breed security capabilities for commercial operating systems, offering the government, as well as businesses, unprecedented choice for security applications."

Comments (19 posted)

PwnZilla 5 Exploits IDN Link Buffer Overflow (MozillaZine)

MozillaZine reports that an exploit for the Firefox IDN link buffer overflow vulnerability has been developed. "The PwnZilla 5 code takes advantage of the international domain name (IDN) link buffer overflow flaw, details of which were published earlier this month. The weblog post says that the exploit code "could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser". Previous public exploits for the vulnerability have been basic proof-of-concepts that simply crash the browser."

Comments (2 posted)

New vulnerabilities

courier: missing input sanitizing

Package(s):courier CVE #(s):CAN-2005-2820
Created:September 26, 2005 Updated:October 11, 2005
Description: Jakob Balle discovered that with "Conditional Comments" in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer.
Alerts:
Ubuntu USN-201-1 2005-10-11
Debian DSA-820-1 2005-09-24

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CAN-2005-2874
Created:September 22, 2005 Updated:September 28, 2005
Description: CUPS has a vulnerability that can be triggered by processing corrupted HTTP requests. A remote user can use this to cause a denial of service.
Alerts:
Red Hat RHSA-2005:772-01 2005-09-27
Fedora FEDORA-2005-908 2005-09-22

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

HelixPlayer: arbitrary code execution

Package(s):HelixPlayer CVE #(s):CAN-2005-2710
Created:September 27, 2005 Updated:October 10, 2005
Description: A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer.
Alerts:
SuSE SUSE-SA:2005:059 2005-10-10
Gentoo 200510-07 2005-10-07
Debian DSA-826-1 2005-09-29
Fedora FEDORA-2005-941 2005-09-27
Fedora FEDORA-2005-940 2005-09-27
Red Hat RHSA-2005:762-02 2005-09-27
Red Hat RHSA-2005:788-01 2005-09-27

Comments (none posted)

kernel: buffer overflow

Package(s):kernel CVE #(s):CAN-2005-2490 CAN-2005-2492
Created:September 22, 2005 Updated:October 5, 2005
Description: The Linux kernel has a stack-based buffer overflow problem in the sendmsg function. Local users may use this to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:514-01 2005-10-05
Mandriva MDKSA-2005:171 2005-10-03
Fedora FEDORA-2005-906 2005-09-22
Fedora FEDORA-2005-905 2005-09-22

Comments (none posted)

kernel: DoS vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1767 CAN-2005-3044
Created:September 26, 2005 Updated:September 28, 2005
Description: A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767)

Vasiliy Averin discovered a Denial of Service vulnerability in the "tiocgdev" ioctl call and in the "routing_ioctl" function. By calling fget() and fput() in special ways, a local attacker could exploit this to destroy file descriptor structures and crash the kernel. (CAN-2005-3044)

Alerts:
Red Hat RHSA-2005:663-01 2005-09-28
Ubuntu USN-187-1 2005-09-25

Comments (none posted)

opera: script insertion attacks

Package(s):opera CVE #(s):CAN-2005-3006 CAN-2005-3007
Created:September 26, 2005 Updated:September 28, 2005
Description: Attached files are opened without any warnings directly from the user's cache directory. This can be exploited to execute arbitrary JavaScript in the context of "file://". Normally, filename extensions are determined by the "Content-Type" in Opera Mail. However, by appending an additional '.' to the end of a filename, an HTML file could be spoofed as, for example, "image.jpg.". These two vulnerabilities combined may be exploited to conduct script insertion attacks if the user chooses to view an attachment named in that way, resulting, for example, in disclosure of local files. These are fixed in Opera 8.50.
Alerts:
SuSE SUSE-SA:2005:057 2005-09-26

Comments (none posted)

qt: buffer overflow in zlib

Package(s):qt CVE #(s):
Created:September 26, 2005 Updated:September 28, 2005
Description: Qt links to a bundled vulnerable version of zlib when emerged with the zlib USE-flag disabled. This may lead to a buffer overflow. By creating a specially crafted compressed data stream, attackers can overwrite data structures for applications that use Qt, resulting in a Denial of Service or potentially arbitrary code execution.
Alerts:
Gentoo 200509-18 2005-09-26

Comments (none posted)

webmin, usermin: remote code execution through PAM authentication

Package(s):webmin usermin CVE #(s):CAN-2005-3042
Created:September 26, 2005 Updated:October 7, 2005
Description: Keigo Yamazaki discovered that the miniserv.pl webserver, used in both Webmin and Usermin, does not properly validate authentication credentials before sending them to the PAM (Pluggable Authentication Modules) authentication process. The default configuration shipped with Gentoo does not enable the "full PAM conversations" option and is therefore unaffected by this flaw.
Alerts:
Mandriva MDKSA-2005:176 2005-10-07
Gentoo 200509-17 2005-09-24

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

apache information disclosure if modssl=yes

Package(s):apache CVE #(s):CAN-2005-2700
Created:September 2, 2005 Updated:November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
Fedora-Legacy FLSA:166941 2005-11-09
Gentoo 200509-12 2005-09-19
SuSE SUSE-SA:2005:052 2005-09-12
Red Hat RHSA-2005:773-01 2005-09-15
Slackware SSA:2005-251-03 2005-09-14
Debian DSA-807-1 2005-09-12
Slackware SSA:2005-251-02 2005-09-09
Fedora FEDORA-2005-849 2005-09-07
Mandriva MDKSA-2005:161 2005-09-08
Fedora FEDORA-2005-848 2005-09-07
Debian DSA-805-1 2005-09-08
Ubuntu USN-177-1 2005-09-07
Red Hat RHSA-2005:608-01 2005-09-06
OpenPKG OpenPKG-SA-2005.017 2005-09-02

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)
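The request smuggling half of the httpd entry above turns on a request that carries both framing headers. As an added example, not Apache's code nor the fix shipped in these updates, the Python below parses a request head and applies the defensive rule a proxy or origin server can use: refuse any request in which Transfer-Encoding and Content-Length both appear, in which Content-Length is repeated with differing values, or in which Transfer-Encoding does not end in chunked. The sample requests are constructed, not captured traffic.

```python
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw HTTP/1.1 request into its request line and a header map.

    Header names are lower-cased; repeated headers keep every value so that
    duplicates (a second Content-Length, say) stay visible to the check."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Headers = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        # "Transfer-Encoding : chunked" is a classic way to make one hop see
        # the header and another ignore it; refuse whitespace before the colon.
        if name != name.rstrip():
            raise ValueError(f"whitespace before colon: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return request_line, headers


def framing_verdict(headers: Headers) -> str:
    """Decide how the message body is delimited, rejecting ambiguous cases.

    Returns a string starting with "ok:" or "reject:"."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        # The ambiguity behind CAN-2005-2088: two hops may pick different
        # body lengths and desynchronise. Refuse rather than guess.
        return "reject: Transfer-Encoding and Content-Length both present"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return "reject: Transfer-Encoding without final chunked coding"
        return "ok: chunked body"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return "reject: conflicting or non-numeric Content-Length"
        return f"ok: {cl[0]}-byte body"
    return "ok: no body"


# Constructed sample requests. The first is the CL.TE shape from the entry:
# the Content-Length covers the whole body, so a hop honouring it forwards
# everything, while a hop honouring chunked stops at "0" and treats the
# remainder as the start of a second request.
SMUGGLING_ATTEMPT = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: proxy.example.test\r\n"
    b"Content-Length: 43\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
)
DUPLICATE_LENGTH = (
    b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello"
)
CLEAN_REQUEST = b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"


def demo() -> Dict[str, str]:
    samples = {
        "smuggling attempt": SMUGGLING_ATTEMPT,
        "duplicate length": DUPLICATE_LENGTH,
        "clean request": CLEAN_REQUEST,
    }
    return {name: framing_verdict(parse_request_head(raw)[1])
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Rejecting outright is stricter than the "Transfer-Encoding wins" precedence rule of the HTTP/1.1 specification; the stricter rule is the one worth applying at a proxy, because the point of the attack is that the next hop may not agree on precedence.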

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Debian DSA-892-1 2005-11-10
Gentoo 200508-07 2005-08-16
Ubuntu USN-167-1 2005-08-11

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files: bzip2 changes the permissions of the output file only after decompression is complete, so an attacker who replaces that file with a hard link while it is being decompressed can have those permissions applied to the linked file. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CAN-2005-2919 CAN-2005-2920
Created:September 19, 2005 Updated:September 29, 2005
Description: The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables.
Alerts:
Debian DSA-824-1 2005-09-29
SuSE SUSE-SA:2005:055 2005-09-26
Trustix TSLSA-2005-0051 2005-09-23
Debian-Testing DTSA-19-1 2005-09-22
Mandriva MDKSA-2005:166 2005-09-20
Gentoo 200509-13 2005-09-19

Comments (none posted)

common-lisp-controller: design error

Package(s):common-lisp-controller CVE #(s):CAN-2005-2657
Created:September 14, 2005 Updated:November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
Debian DSA-811-2 2005-11-21
Debian DSA-811-1 2005-09-14

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio archive to extract files into an arbitrary directory of the attacker's choice: cpio extracts to the path stored in the archive, and that path may be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)
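The cpio entry above is the archive-extraction form of path traversal. As an added example, not cpio's code nor any distribution's patch, the Python below shows the check an extractor should apply to every member name before writing: refuse absolute names, refuse names that still begin with ".." after normalisation, and resolve the final target through realpath so that a symlink planted under the destination by an earlier member cannot redirect a later one outside it. The member names in demo() are constructed, not taken from a real archive.

```python
import os
import posixpath
from typing import Dict


def safe_extraction_path(dest: str, member: str) -> str:
    """Return the absolute path under dest where archive member `member`
    may be written, or raise ValueError if writing it would escape dest.

    Member names are treated as POSIX paths, as cpio stores them."""
    if not member or "\0" in member:
        raise ValueError("empty or NUL-containing member name")
    norm = posixpath.normpath(member)
    # Reject absolute names (the cpio case in this entry) and any name that
    # still starts with ".." after normalisation.
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        raise ValueError(f"member escapes destination: {member!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *norm.split("/")))
    # realpath follows symlinks that already exist under dest, which catches
    # the second classic escape: an earlier member that created a link
    # pointing outside, followed by a member written through it.
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"member resolves outside destination: {member!r}")
    return target


def is_safe_member(dest: str, member: str) -> bool:
    """Boolean wrapper around safe_extraction_path."""
    try:
        safe_extraction_path(dest, member)
        return True
    except ValueError:
        return False


def demo(dest: str = "/tmp/extract") -> Dict[str, bool]:
    """Verdicts for constructed member names (dest need not exist)."""
    members = [
        "etc/motd",              # ordinary relative name
        "./lib/a/../b.so",       # dot segments that stay inside dest
        "/etc/passwd",           # absolute name: the cpio flaw
        "../../etc/passwd",      # parent traversal
        "lib/../../etc/passwd",  # traversal hidden behind a real component
    ]
    return {m: is_safe_member(dest, m) for m in members}


if __name__ == "__main__":
    for member, ok in demo().items():
        print(f"{'ok    ' if ok else 'REJECT'} {member}")
```

The realpath step is the part most ad hoc checks omit; a string-prefix comparison on the unresolved path passes "lib/../../etc/passwd" style names only because of the earlier normalisation, and passes symlinked members not at all.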

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

elm: buffer overflow

Package(s):elm CVE #(s):CAN-2005-2665
Created:August 23, 2005 Updated:November 11, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
Alerts:
Slackware SSA:2005-311-01 2005-11-08
Red Hat RHSA-2005:755-01 2005-08-23

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: dissector vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366
Created:July 28, 2005 Updated:October 10, 2005
Description: The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues.
Alerts:
Debian DSA-853-1 2005-10-09
Red Hat RHSA-2005:687-01 2005-08-10
Mandriva MDKSA-2005:131 2005-08-04
Fedora FEDORA-2005-655 2005-07-29
Fedora FEDORA-2005-651 2005-07-28
Gentoo 200507-27 2005-07-28

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdeedu: tempfile handling vulnerabilities

Package(s):kdeedu CVE #(s):CAN-2005-2101
Created:August 15, 2005 Updated:September 22, 2005
Description: Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp, which allows a local attacker to overwrite files writable by the user invoking the conversion script.
Alerts:
Debian DSA-818-1 2005-09-22
Mandriva MDKSA-2005:159 2005-09-06
Fedora FEDORA-2005-744 2005-08-16
Fedora FEDORA-2005-745 2005-08-15

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, create a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)
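The Kate backup bug is a permission leak rather than a memory bug, and the fix is a few lines of careful file handling. The following Python example is added here for illustration; it is not KDE's code and does not reproduce Kate's actual implementation. It writes a backup of a 0600 file two ways: the naive way (open the backup for writing and let the process umask decide its mode, which is what the advisory describes) and a mode-preserving way that reads the original's permission bits, creates the backup with O_EXCL so an existing name or planted symlink is never clobbered, and fchmod()s the result so the umask cannot widen or narrow it. The 0600 file, the 022 umask and the scratch directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def naive_backup(path):
    # What the advisory describes: the backup is opened for writing with the
    # process' default creation mode (0666 masked by umask), so a 0600
    # original ends up as 0644 with the usual 022 umask, readable by every
    # local user.
    backup = path + "~"
    with open(path, "rb") as src, open(backup, "wb") as dst:
        dst.write(src.read())
    return backup


def mode_preserving_backup(path):
    # Read the original's permission bits, create the backup atomically with
    # O_EXCL (fails if the name already exists, including as a symlink) and
    # that mode, then fchmod() so the umask cannot strip bits the original had.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    backup = path + "~"
    fd = os.open(backup, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.fchmod(fd, mode)
    with os.fdopen(fd, "wb") as dst, open(path, "rb") as src:
        dst.write(src.read())
    return backup


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    # Constructed scenario: a private 0600 file and a 022 umask.  Returns, for
    # each strategy, the permission bits of the original and of its backup.
    old_umask = os.umask(0o022)
    try:
        results = {}
        strategies = (("naive", naive_backup), ("preserving", mode_preserving_backup))
        for label, backup_fn in strategies:
            with tempfile.TemporaryDirectory() as workdir:
                secret = os.path.join(workdir, "notes.txt")
                fd = os.open(secret, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "wb") as fh:
                    fh.write(b"private\n")
                backup = backup_fn(secret)
                results[label] = (mode_of(secret), mode_of(backup))
        return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for label, (orig_mode, backup_mode) in demo().items():
        print("%-10s original %04o  backup %04o" % (label, orig_mode, backup_mode))
```

The same pattern (stat first, create with O_EXCL and the original mode, fchmod, then copy) applies to any editor, package tool or configuration script that writes a sibling copy of a file it did not create itself.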

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication system has a double-free flaw which may be triggered by a remote, unauthenticated attacker. Also, a single-byte heap overflow in the krb5_unparse_name() function can lead to a denial of service, and an information disclosure may be caused by a malicious telnet server. See this report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the user running code that uses the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu-Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it leads to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, fails to authenticate users correctly against an LDAP server that is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes it a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lm-sensors: insecure temp files

Package(s):lm-sensors CVE #(s):CAN-2005-2672
Created:August 23, 2005 Updated:November 10, 2005
Description: Javier Fernández-Sanguino Peña noticed that the pwmconfig script created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with full root privileges since pwmconfig is usually executed by root.
Alerts:
Red Hat RHSA-2005:825-01 2005-11-10
Fedora FEDORA-2005-1054 2005-11-07
Fedora FEDORA-2005-1053 2005-11-07
Debian-Testing DTSA-17-1 2005-09-15
Debian DSA-814-1 2005-09-15
Gentoo 200508-19 2005-08-30
Mandriva MDKSA-2005:149 2005-08-25
Ubuntu USN-172-1 2005-08-23

Comments (1 posted)
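The groff (groffer), kdeedu (langen2kvtml), libdbi-perl and lm-sensors (pwmconfig) entries above are all the same bug: a script or library creates a file under a predictable name in a world-writable directory, and a local attacker who creates that name first, as a symlink, gets the victim to truncate and overwrite whatever the link points to, with the victim's privileges (root, in the pwmconfig case). The Python example below is added here for illustration and is not code from any of those projects. It stages the attack in a private scratch directory standing in for /tmp, with a constructed predictable name and a constructed victim file, and shows the vulnerable write beside two fixes: opening the fixed name with O_CREAT|O_EXCL|O_NOFOLLOW, which refuses if anything already exists there, and tempfile.mkstemp(), which picks an unpredictable name and creates it atomically with mode 0600.

```python
import os
import stat
import tempfile

# Constructed stand-in for a fixed name such as /tmp/pwmconfig.<something>.
PREDICTABLE = "pwmconfig.tmp"


def attacker_plants_symlink(sandbox, victim):
    # The attacker wins the race by creating the name before the privileged
    # script does, pointing it at a file the script will then clobber.
    os.symlink(victim, os.path.join(sandbox, PREDICTABLE))


def vulnerable_write(sandbox, data):
    # open(..., "w") follows the symlink and truncates whatever it points to.
    path = os.path.join(sandbox, PREDICTABLE)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def hardened_write_fixed_name(sandbox, data):
    # O_EXCL: fail if the name exists at all (a symlink counts, wherever it
    # points).  O_NOFOLLOW: belt and braces, never follow a link here.
    path = os.path.join(sandbox, PREDICTABLE)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def hardened_write_mkstemp(sandbox, data):
    # Unpredictable name, created atomically with O_EXCL and mode 0600; the
    # attacker cannot pre-create a name they cannot guess.
    fd, path = tempfile.mkstemp(prefix="pwmconfig.", dir=sandbox)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    # Runs each writer against a freshly planted symlink and reports what
    # happened: whether the write went through or was refused, what the
    # victim file contains afterwards, and the mode of the file actually
    # created (None if nothing new was created).
    results = {}
    writers = (
        ("vulnerable", vulnerable_write),
        ("o_excl", hardened_write_fixed_name),
        ("mkstemp", hardened_write_mkstemp),
    )
    for label, writer in writers:
        with tempfile.TemporaryDirectory() as sandbox:
            victim = os.path.join(sandbox, "victim.conf")
            with open(victim, "w") as fh:
                fh.write("original\n")
            attacker_plants_symlink(sandbox, victim)
            try:
                written = writer(sandbox, "attacker-chosen\n")
                outcome = "wrote"
            except FileExistsError:
                written, outcome = None, "refused"
            with open(victim) as fh:
                victim_content = fh.read()
            mode = None
            if written is not None and not os.path.islink(written):
                mode = stat.S_IMODE(os.stat(written).st_mode)
            results[label] = (outcome, victim_content, mode)
    return results


if __name__ == "__main__":
    for label, (outcome, content, mode) in demo().items():
        shown = "n/a" if mode is None else "%04o" % mode
        print("%-10s %-7s victim=%r mode=%s" % (label, outcome, content.strip(), shown))
```

In shell scripts the equivalent of the mkstemp() variant is `mktemp` (or `mktemp -d` for a directory, the groffer case); the O_EXCL variant has no portable shell equivalent, which is one reason the distribution fixes for these scripts all switched to mktemp.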

Mailutils: format string vulnerability in imap4d

Package(s):mailutils CVE #(s):CAN-2005-2878
Created:September 19, 2005 Updated:October 13, 2005
Description: The imap4d server contains a format string bug in the handling of IMAP SEARCH requests.
Alerts:
Debian-Testing DTSA-20-1 2005-10-13
Debian DSA-841-1 2005-10-04
Gentoo 200509-10 2005-09-17

Comments (none posted)

mantis: missing input sanitizing

Package(s):mantis CVE #(s):CAN-2005-2556 CAN-2005-2557
Created:August 19, 2005 Updated:September 26, 2005
Description: Two security related problems have been discovered in Mantis, a web-based bug tracking system: a remote attacker could insert arbitrary SQL code into SQL statements (SQL injection), and a remote attacker could insert arbitrary HTML code into bug reports (cross-site scripting).
Alerts:
Gentoo 200509-16 2005-09-24
Debian DSA-778-1 2005-08-19

Comments (none posted)

masqmail: input sanitizing and symlink vulnerabilities

Package(s):masqmail CVE #(s):CAN-2005-2662 CAN-2005-2663
Created:September 21, 2005 Updated:October 10, 2005
Description: Masqmail fails to properly sanitize addresses when sending failed mail, allowing a local attacker to run arbitrary commands as the mail user. There is also a symlink vulnerability which can be exploited to overwrite files.
Alerts:
Debian DSA-848-1 2005-10-08
Mandriva MDKSA-2005:168 2005-09-20

Comments (none posted)
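The gzip (zgrep) entry above and the masqmail entry just above describe the same defect: untrusted text, a file name in one case and a mail address in the other, is spliced into a command string that is then handed to the shell, so metacharacters in it become pipes, redirections and command separators. The Python example below is added here for illustration and is not code from gzip, masqmail or LWN. It reproduces the zgrep case in a scratch directory with a constructed hostile file name and shows the two fixes: quoting every untrusted word with shlex.quote() before the shell sees it (the approach a shell pipeline like zgrep's has to take), and not using a shell at all. `cat` stands in for `gzip -dc` so the demo runs without gzip; the file name and the `marker` file it tries to create are constructed for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed attacker-controlled file name: a plausible prefix followed by
# shell metacharacters.  Interpolated unquoted, the shell sees a pipeline
# ("cat -- notes.gz | echo pwned > marker"), not a single file name.
EVIL_NAME = "notes.gz|echo pwned>marker"


def populate(workdir):
    # The file genuinely exists under the hostile name, with harmless content,
    # as it would in an untrusted directory on a shared machine.
    with open(os.path.join(workdir, EVIL_NAME), "w") as fh:
        fh.write("hello\n")


def zgrep_vulnerable(workdir, name):
    # Mirrors the pre-1.3.5 zgrep pattern: the name is pasted into a command
    # string and /bin/sh parses the result.
    cmd = "cat -- " + name
    proc = subprocess.run(cmd, shell=True, cwd=workdir, capture_output=True, text=True)
    return proc.stdout


def zgrep_quoted(workdir, name):
    # Fix 1: every untrusted word is shell-quoted, so metacharacters in the
    # name are literal characters again.  Needed when a pipeline is unavoidable.
    cmd = "cat -- " + shlex.quote(name)
    proc = subprocess.run(cmd, shell=True, cwd=workdir, capture_output=True, text=True)
    return proc.stdout


def zgrep_no_shell(workdir, name):
    # Fix 2: no shell at all; the argv list goes straight to execve(), and
    # "--" stops a name beginning with "-" from being read as an option.
    proc = subprocess.run(["cat", "--", name], cwd=workdir, capture_output=True, text=True)
    return proc.stdout


def demo():
    # Runs each variant in its own scratch directory and reports the command's
    # stdout and whether the injected "echo pwned>marker" actually ran.
    results = {}
    variants = (("vulnerable", zgrep_vulnerable), ("quoted", zgrep_quoted), ("argv", zgrep_no_shell))
    for label, fn in variants:
        with tempfile.TemporaryDirectory() as workdir:
            populate(workdir)
            out = fn(workdir, EVIL_NAME)
            injected = os.path.exists(os.path.join(workdir, "marker"))
            results[label] = (out, injected)
    return results


if __name__ == "__main__":
    for label, (out, injected) in demo().items():
        print("%-10s output=%r injected_command_ran=%s" % (label, out, injected))
```

The vulnerable variant prints nothing useful (the file it was asked for does not exist under the truncated name) and leaves the marker behind; both fixes read the real file and run nothing else. For masqmail the untrusted word is the address rather than the file name, but the quoting discipline is identical.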

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

mozilla: buffer overflow

Package(s):mozilla CVE #(s):CAN-2005-2871
Created:September 12, 2005 Updated:October 20, 2005
Description: The Mozilla browser, Firefox and Thunderbird have a buffer overflow vulnerability. A user can be tricked into clicking a URL that causes the application to crash and possibly execute arbitrary code. See this article for more information.
Alerts:
Debian DSA-868-1 2005-10-20
Debian DSA-866-1 2005-10-20
Red Hat RHSA-2005:791-01 2005-10-06
Slackware SSA:2005-278-01 2005-10-06
Debian DSA-837-1 2005-10-02
Fedora FEDORA-2005-963 2005-09-30
Fedora FEDORA-2005-962 2005-09-30
Gentoo 200509-11 2005-09-18
Ubuntu USN-181-1 2005-09-12
Red Hat RHSA-2005:769-01 2005-09-09
Red Hat RHSA-2005:768-01 2005-09-09
Fedora FEDORA-2005-873 2005-09-10
Fedora FEDORA-2005-874 2005-09-10
Fedora FEDORA-2005-871 2005-09-10
Fedora FEDORA-2005-872 2005-09-10

Comments (none posted)

mysql: buffer overflow

Package(s):mysql CVE #(s):CAN-2005-2558
Created:September 12, 2005 Updated:January 12, 2006
Description: MySQL's CREATE FUNCTION statement can be used to trigger a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server.
Alerts:
Fedora-Legacy FLSA:167803 2006-01-10
Ubuntu USN-180-2 2005-12-05
OpenPKG OpenPKG-SA-2005.024 2005-12-03
Debian DSA-833-2 2005-10-04
Debian DSA-833-1 2005-10-01
Debian DSA-831-1 2005-09-30
Debian DSA-829-1 2005-09-30
Mandriva MDKSA-2005:163 2005-09-12
Ubuntu USN-180-1 2005-09-12

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures: an improper integer conversion leads to the overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When xntpd is started with the -u option and the group is specified by name rather than as a numeric gid, the daemon uses the gid of the user instead of the gid of the named group. This problem is fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openssh: GSSAPI credential disclosure

Package(s):openssh CVE #(s):CAN-2005-2798
Created:September 7, 2005 Updated:February 3, 2006
Description: OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Alerts:
SuSE SUSE-SR:2006:003 2006-02-03
Ubuntu USN-209-1 2005-10-17
Mandriva MDKSA-2005:172 2005-10-06
Red Hat RHSA-2005:527-01 2005-10-05
Fedora FEDORA-2005-860 2005-09-12
Trustix TSLSA-2005-0047 2005-09-09
Fedora FEDORA-2005-858 2005-09-07

Comments (none posted)

OpenSSL: information leak

Package(s):openssl CVE #(s):CAN-2005-0109
Created:May 23, 2005 Updated:October 11, 2005
Description: Hyper-Threading technology, as used in FreeBSD and other operating systems and implemented on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. See this LWN article for more information.
Alerts:
Trustix TSLSA-2005-0028 2005-06-13
Mandriva MDKSA-2005:096 2005-06-06
Red Hat RHSA-2005:476-01 2005-06-01
Fedora FEDORA-2005-390 2005-05-23
Fedora FEDORA-2005-389 2005-05-23

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

openvpn: multiple vulnerabilities

Package(s):openvpn CVE #(s):CAN-2005-2531 CAN-2005-2532 CAN-2005-2533 CAN-2005-2534
Created:August 23, 2005 Updated:October 10, 2005
Description: A number of vulnerabilities were discovered in OpenVPN that were fixed in the 2.0.1 release:

A DoS attack against the server when run with "verb 0" and without "tls-auth": when a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed. Another, unrelated client instance on the server could then see the error and respond to it, resulting in the disconnection of the unrelated client.

A DoS attack against the server by an authenticated client: when the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is likewise not properly flushed. Another, unrelated client instance on the server could then see the error and respond to it, resulting in the disconnection of the unrelated client.

A DoS attack against the server by an authenticated client is possible in "dev tap" ethernet bridging mode where a malicious client could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, resulting in the OpenVPN process exhausting system virtual memory.

If two or more client machines tried to connect to the server at the same time via TCP, using the same client certificate, a race condition could crash the server if --duplicate-cn is not enabled on the server.

Alerts:
Debian DSA-851-1 2005-10-09
Mandriva MDKSA-2005:145 2005-08-22

Comments (none posted)

pam_ldap: plain text authentication leak

Package(s):pam_ldap CVE #(s):CAN-2005-2069
Created:July 14, 2005 Updated:October 17, 2005
Description: pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an attacker to sniff unencrypted passwords and other information.
Alerts:
Red Hat RHSA-2005:767-01 2005-10-17
Red Hat RHSA-2005:751-01 2005-10-17
SuSE SUSE-SR:2005:020 2005-09-12
Ubuntu USN-152-1 2005-07-21
Mandriva MDKSA-2005:121 2005-07-18
Gentoo 200507-13 2005-07-14

Comments (none posted)

pcre3: arbitrary code execution

Package(s):pcre3 CVE #(s):CAN-2005-2491
Created:August 23, 2005 Updated:March 10, 2006
Description: A buffer overflow has been discovered in PCRE, a widely used library that provides Perl-compatible regular expressions. Specially crafted regular expressions trigger the overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library.
Alerts:
Red Hat RHSA-2006:0197-01 2006-03-09
Fedora-Legacy FLSA:168516 2006-03-07
Debian DSA-821-1 2005-09-28
Debian DSA-819-1 2005-09-23
Debian DSA-817-1 2005-09-22
Gentoo 200509-08 2005-09-12
Red Hat RHSA-2005:358-01 2005-09-08
Red Hat RHSA-2005:761-02 2005-09-08
Trustix TSLSA-2005-0045 2005-08-26
OpenPKG OpenPKG-SA-2005.018 2005-09-05
SuSE SUSE-SA:2005:051 2005-09-05
Gentoo 200509-02 2005-09-03
Debian DSA-800-1 2005-09-02
Ubuntu USN-173-4 2005-08-31
Slackware SSA:2005-242-01 2005-08-31
SuSE SUSE-SA:2005:049 2005-08-30
SuSE SUSE-SA:2005:048 2005-08-30
Ubuntu USN-173-3 2005-08-30
Mandriva MDKSA-2005:155 2005-08-29
Mandriva MDKSA-2005:154 2005-08-26
Mandriva MDKSA-2005:153 2005-08-26
Mandriva MDKSA-2005:151 2005-08-25
Mandriva MDKSA-2005:152 2005-08-25
Gentoo 200508-17 2005-08-25
Ubuntu USN-173-2 2005-08-24
Fedora FEDORA-2005-803 2005-08-24
Fedora FEDORA-2005-802 2005-08-24
Ubuntu USN-173-1 2005-08-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CAN-2005-2498
Created:August 19, 2005 Updated:October 4, 2005
Description: A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user.
Alerts:
Debian DSA-842-1 2005-10-04
Debian DSA-840-1 2005-10-04
Gentoo 200509-19 2005-09-27
Debian-Testing DTSA-15-1 2005-09-13
Slackware SSA:2005-251-04 2005-09-09
Debian DSA-798-1 2005-09-02
Slackware SSA:2005-242-02 2005-08-31
Gentoo 200508-21 2005-08-31
Gentoo 200508-20 2005-08-30
Debian DSA-789-1 2005-08-29
Gentoo 200508-18 2005-08-26
Fedora FEDORA-2005-810 2005-08-25
Fedora FEDORA-2005-809 2005-08-25
Gentoo 200508-14 2005-08-24
Gentoo 200508-13 2005-08-24
Mandriva MDKSA-2005:146 2005-08-22
Ubuntu USN-171-1 2005-08-20
Red Hat RHSA-2005:748-01 2005-08-19

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
Alerts:
Debian DSA-1021-1 2006-03-28
Debian DSA-792-1 2005-08-31
Red Hat RHSA-2005:743-01 2005-08-22
Fedora FEDORA-2005-728 2005-08-17
Fedora FEDORA-2005-727 2005-08-17
Ubuntu USN-164-1 2005-08-11
Mandriva MDKSA-2005:133 2005-08-09
Gentoo 200508-04 2005-08-05
Gentoo 200507-29 2005-07-31

Comments (2 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)
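The Py2Play problem is worth seeing concretely, because a pickle is not a passive data format: a pickle stream can name any importable callable and instruct the receiving pickle.load() to call it. The Python example below is added here for illustration and is not Py2Play's code. A constructed Move class stands in for a legitimate game object; a constructed Malicious class uses __reduce__ to make the receiver call exec() (the payload here merely sets a flag, where a real attacker would run a command). The unsafe receiver does what the entry describes, pickle.loads() on whatever the peer sent. The hardened receiver subclasses pickle.Unpickler and overrides find_class() with an allow-list, so any global the stream tries to reach that is not on the list, exec included, is refused before it can be called.

```python
import builtins
import io
import pickle


class Move:
    # Constructed stand-in for a legitimate game object exchanged by peers.
    def __init__(self, player, x, y):
        self.player, self.x, self.y = player, x, y


class Malicious:
    # __reduce__ tells the *receiver* what to call and with which arguments
    # while it loads the stream.  The payload only sets a flag so the demo is
    # harmless; nothing limits it to that.
    def __reduce__(self):
        return (exec, ("import builtins; builtins.PY2PLAY_PWNED = True",))


def unsafe_receive(blob):
    # What the entry describes: trust whatever the peer sent.
    return pickle.loads(blob)


# Globals a peer's pickle is allowed to reference; nothing else.
ALLOWED_GLOBALS = {(Move.__module__, "Move")}


class RestrictedUnpickler(pickle.Unpickler):
    # find_class() is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e.
    # every class or function the stream names, before it is used.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def restricted_receive(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    # Sends one honest and one malicious pickle through both receivers and
    # reports what happened.
    good = pickle.dumps(Move("alice", 3, 4))
    evil = pickle.dumps(Malicious())
    results = {}

    unsafe_receive(evil)
    results["unsafe_evil_executed"] = getattr(builtins, "PY2PLAY_PWNED", False)
    if hasattr(builtins, "PY2PLAY_PWNED"):
        del builtins.PY2PLAY_PWNED  # clean up the flag the payload set

    move = restricted_receive(good)
    results["restricted_good"] = (move.player, move.x, move.y)
    try:
        restricted_receive(evil)
        results["restricted_evil"] = "executed"
    except pickle.UnpicklingError:
        results["restricted_evil"] = "refused"
    results["restricted_evil_flag"] = getattr(builtins, "PY2PLAY_PWNED", False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The allow-list is the essential part: simply checking that the result is an instance of Move is useless, because the exec() call happens during loading, before any such check can run. For data that does not need to carry arbitrary Python objects, a format with no code-execution semantics at all (JSON, for instance) is the simpler fix.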

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on XMLRPC servers.
Alerts:
Gentoo 200510-05 2005-10-06
Red Hat RHSA-2005:543-01 2005-08-05
Mandriva MDKSA-2005:118 2005-07-12
Gentoo 200507-10 2005-07-11
Debian DSA-748-1 2005-07-10
Ubuntu USN-146-1 2005-06-29
Fedora FEDORA-2005-475 2005-06-22
Fedora FEDORA-2005-474 2005-06-22

Comments (none posted)

shorewall: rule bypass vulnerability

Package(s):shorewall CVE #(s):CAN-2005-2317
Created:July 21, 2005 Updated:October 10, 2005
Description: Shorewall has a vulnerability in which a client that is accepted by MAC address filtering can bypass other rules, allowing access to all open services on the firewall.
Alerts:
Ubuntu USN-197-1 2005-10-10
Debian DSA-849-1 2005-10-08
Gentoo 200507-20:02 2005-07-22
Gentoo 200507-20 2005-07-22
Mandriva MDKSA-2005:123 2005-07-20

Comments (none posted)

slocate: long path bug

Package(s):slocate CVE #(s):CAN-2005-2499
Created:August 22, 2005 Updated:October 5, 2005
Description: A bug was found in the way slocate processes very long paths. A local user could create a carefully crafted directory structure that would prevent updatedb from completing its file system scan, resulting in an incomplete slocate database.
Alerts:
Red Hat RHSA-2005:346-01 2005-10-05
Red Hat RHSA-2005:345-02 2005-09-28
Mandriva MDKSA-2005:147 2005-08-22
Fedora FEDORA-2005-771 2005-08-22
Fedora FEDORA-2005-770 2005-08-22
Red Hat RHSA-2005:747-02 2005-08-22

Comments (none posted)

smb4k: temporary file vulnerability

Package(s):smb4k CVE #(s):CVE-2005-2851
Created:September 7, 2005 Updated:December 7, 2005
Description: Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
Alerts:
Debian-Testing DTSA-25-1 2005-12-05
Gentoo 200511-15 2005-11-18
Mandriva MDKSA-2005:157 2005-09-06

Comments (none posted)

squid: DoS issues

Package(s): squid  CVE #(s): CAN-2005-2794 CAN-2005-2796
Created: September 6, 2005  Updated: November 7, 2005
Description: Squid-2.5.10-r2 and earlier have three denial of service issues.
Alerts:
Debian DSA-809-3 2005-11-07
Debian DSA-809-2 2005-09-30
SuSE SUSE-SA:2005:053 2005-09-16
Red Hat RHSA-2005:766-01 2005-09-15
Ubuntu USN-183-1 2005-09-13
Mandriva MDKSA-2005:162 2005-09-12
Debian DSA-809-1 2005-09-13
OpenPKG OpenPKG-SA-2005.021 2005-09-10
Gentoo 200509-06 2005-09-07
Fedora FEDORA-2005-852 2005-09-06
Fedora FEDORA-2005-851 2005-09-06

Comments (none posted)

sudo: race condition

Package(s): sudo  CVE #(s): CAN-2005-1993
Created: June 21, 2005  Updated: February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA-735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

sysreport: insecure temporary file

Package(s): sysreport  CVE #(s): CAN-2005-2104
Created: August 9, 2005  Updated: November 11, 2005
Description: Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run.
Alerts:
Fedora FEDORA-2005-1072 2005-11-10
Fedora FEDORA-2005-1071 2005-11-10
Red Hat RHSA-2005:598-01 2005-08-09

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s): tar unzip  CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002  Updated: April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: denial of service

Package(s): tcpdump  CVE #(s): CAN-2005-1267
Created: June 9, 2005  Updated: October 10, 2005
Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops.
Alerts:
Debian DSA-854-1 2005-10-09
Slackware SSA:2005-195-10 2005-07-15
Ubuntu USN-141-1 2005-06-21
Mandriva MDKSA-2005:101 2005-06-15
Fedora FEDORA-2005-407 2005-06-16
Gentoo 200505-06:02 2005-05-09
Red Hat RHSA-2005:505-01 2005-06-13
Fedora FEDORA-2005-406 2005-06-09

Comments (none posted)

tcpdump: multiple DoS issues

Package(s): tcpdump  CVE #(s): CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created: May 2, 2005  Updated: April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

turqstat: buffer overflow

Package(s): turqstat  CVE #(s): CAN-2005-2658
Created: September 15, 2005  Updated: September 21, 2005
Description: Turquoise SuperStat is a Fidonet and Usenet statistics gathering application. A malicious NNTP server can cause a buffer overflow condition.
Alerts:
Debian DSA-812-1 2005-09-15

Comments (none posted)

ucd-snmp: denial of service

Package(s): ucd-snmp  CVE #(s): CAN-2005-2177
Created: August 9, 2005  Updated: January 27, 2006
Description: A denial of service bug was found in the way ucd-snmp uses network stream protocols. A remote attacker could send a ucd-snmp agent a specially crafted packet which will cause the agent to crash.
Alerts:
Mandriva MDKSA-2006:025 2006-01-26
Ubuntu USN-190-2 2005-11-21
Debian DSA-873-1 2005-10-26
Red Hat RHSA-2005:395-01 2005-10-05
Ubuntu USN-190-1 2005-09-29
Red Hat RHSA-2005:373-01 2005-09-28
Mandriva MDKSA-2005:137 2005-08-11
Red Hat RHSA-2005:720-01 2005-08-09

Comments (none posted)

util-linux: unintentional grant of privileges by umount

Package(s): util-linux  CVE #(s): CAN-2005-2876
Created: September 13, 2005  Updated: December 19, 2005
Description: The Linux umount command, as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2, grants root privileges. See this BugTraq post for more information.
Alerts:
Fedora-Legacy FLSA:168326 2005-12-18
Red Hat RHSA-2005:782-01 2005-10-11
SuSE SUSE-SR:2005:021 2005-09-30
Debian DSA-825-1 2005-09-29
Debian DSA-823-1 2005-09-29
Mandriva MDKSA-2005:167 2005-09-20
Gentoo 200509-15 2005-09-20
Ubuntu USN-184-1 2005-09-19
Fedora FEDORA-2005-886 2005-09-14
Fedora FEDORA-2005-887 2005-09-14
Slackware SSA:2005-255-02 2005-09-13

Comments (none posted)

vixie-cron: crontab allows any user to read another user's crontabs

Package(s): vixie-cron  CVE #(s): CAN-2005-1038
Created: April 15, 2005  Updated: March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

wget: file overwrites and arbitrary code execution

Package(s): wget  CVE #(s): CAN-2004-1487 CAN-2004-1488
Created: June 9, 2005  Updated: September 27, 2005
Description: wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.

wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.

Alerts:
Red Hat RHSA-2005:771-01 2005-09-27
Ubuntu USN-145-2 2005-09-06
Ubuntu USN-145-1 2005-06-28
Mandriva MDKSA-2005:098 2005-06-09

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s): xchat  CVE #(s): CAN-2004-0409
Created: April 19, 2004  Updated: November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s): xine-lib  CVE #(s): CAN-2004-1379
Created: September 22, 2004  Updated: April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s): xine-ui  CVE #(s): CAN-2004-0372
Created: April 6, 2004  Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: heap overflow

Package(s): xorg-x11  CVE #(s): CAN-2005-2495
Created: September 12, 2005  Updated: March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow; a local user can use this to execute arbitrary code with elevated privileges.
Alerts:
Fedora-Legacy FLSA:168264-2 2006-03-07
Slackware SSA:2005-269-02 2005-09-26
SuSE SUSE-SA:2005:056 2005-09-26
Debian DSA-816-1 2005-09-19
Fedora FEDORA-2005-894 2005-09-16
Fedora FEDORA-2005-893 2005-09-16
Trustix TSLSA-2005-0049 2005-09-16
Red Hat RHSA-2005:501-01 2005-09-15
Mandriva MDKSA-2005:164 2005-09-13
Red Hat RHSA-2005:396-01 2005-09-13
Red Hat RHSA-2005:329-01 2005-09-12
Ubuntu USN-182-1 2005-09-12
Gentoo 200509-07 2005-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s): xpdf  CVE #(s): CAN-2005-0064
Created: January 19, 2005  Updated: March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: denial of service

Package(s): xpdf kpdf  CVE #(s): CAN-2005-2097
Created: August 9, 2005  Updated: August 2, 2006
Description: A flaw was discovered in Xpdf that could allow an attacker to construct a carefully crafted PDF file which, when opened, causes Xpdf to consume all available disk space in /tmp.
Alerts:
Debian DSA-1136-1 2006-08-02
Mandriva MDKSA-2005:138-1 2005-09-19
Debian DSA-780-1 2005-08-22
SuSE SUSE-SR:2005:019 2005-08-19
Fedora FEDORA-2005-732 2005-08-17
Fedora FEDORA-2005-733 2005-08-17
Gentoo 200508-08 2005-08-16
Fedora FEDORA-2005-730 2005-08-15
Fedora FEDORA-2005-729 2005-08-15
Mandriva MDKSA-2005:136 2005-08-11
Mandriva MDKSA-2005:135 2005-08-11
Mandriva MDKSA-2005:134 2005-08-11
Mandriva MDKSA-2005:138 2005-08-11
Red Hat RHSA-2005:708-01 2005-08-10
Red Hat RHSA-2005:706-01 2005-08-09
Red Hat RHSA-2005:671-01 2005-08-09
Red Hat RHSA-2005:670-01 2005-08-09
Ubuntu USN-163-1 2005-08-09

Comments (none posted)

Zebedee: Denial of Service vulnerability

Package(s): zebedee  CVE #(s):
Created: September 20, 2005  Updated: September 21, 2005
Description: Zebedee crashes when "0" is received as the port number in the protocol option header. By performing malformed requests a remote attacker could cause Zebedee to crash.
Alerts:
Gentoo 200509-14 2005-09-20

Comments (none posted)

zlib: buffer overflow

Package(s): zlib  CVE #(s): CAN-2005-2096
Created: July 6, 2005  Updated: October 27, 2005
Description: zlib has a buffer overflow vulnerability that can be exploited by inflating corrupted files; this can be used to crash zlib or possibly to execute code remotely.
Alerts:
Mandriva MDKSA-2005:196 2005-10-26
Debian DSA-797-2 2005-09-28
Fedora FEDORA-2005-565 2005-07-13
Slackware SSA:2005-189-01 2005-07-10
Trustix TSLSA-2005-0034 2005-07-08
Mandriva MDKSA-2005:112 2005-07-06
Fedora FEDORA-2005-523 2005-07-07
Fedora FEDORA-2005-524 2005-07-07
OpenPKG OpenPKG-SA-2005.013 2005-07-07
Ubuntu USN-148-1 2005-07-06
SuSE SUSE-SA:2005:039 2005-07-06
Red Hat RHSA-2005:569-01 2005-07-06
Gentoo 200507-05 2005-07-06
Debian DSA-740-1 2005-07-06

Comments (6 posted)

zlib: buffer overflow

Package(s): zlib  CVE #(s): CAN-2005-1849
Created: July 21, 2005  Updated: April 11, 2006
Description: zlib has a vulnerability that can cause programs using it to crash when a corrupted file is opened.
Alerts:
Mandriva MDKSA-2006:070 2006-04-10
Debian DSA-1026-1 2006-04-06
Gentoo 200603-18 2006-03-21
Ubuntu USN-151-4 2005-11-09
Ubuntu USN-151-3 2005-10-28
Fedora-Legacy FLSA:162680 2005-09-14
Debian DSA-797-1 2005-09-01
Gentoo 200508-01 2005-08-01
Gentoo 200507-28 2005-07-30
SuSE SUSE-SA:2005:043 2005-07-28
OpenPKG OpenPKG-SA-2005.014 2005-07-28
Mandriva MDKSA-2005:124 2005-07-22
Slackware SSA:2005-203-03 2005-07-23
Ubuntu USN-151-2 2005-07-22
Fedora FEDORA-2005-626 2005-07-22
Fedora FEDORA-2005-625 2005-07-22
Gentoo 200507-19 2005-07-22
Red Hat RHSA-2005:584-01 2005-07-21
Ubuntu USN-151-1 2005-07-21
Debian DSA-763-1 2005-07-20

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.14-rc2; no prepatches have been released over the last week.

The flow of patches into Linus's git repository has slowed; that repository currently contains some key management improvements, a SCSI update, some netfilter patches, an InfiniBand update, and lots of fixes.

The current -mm tree is 2.6.14-rc2-mm1. Recent changes to -mm include a cs5535 ALSA driver, a new device_is_registered() helper function (since merged), some network time protocol cleanups, the controversial (see thread starting here) Adaptec serial attached storage patch set, and the usual pile of fixes.

The current 2.4 prepatch is 2.4.32-rc1, released by Marcelo on September 22. This prepatch adds a small set of fixes (some backported from 2.6) to the upcoming 2.4.32 release.

Comments (none posted)

Kernel development news

User-space software suspend

Suspend-to-disk is a feature desired by many Linux users; both laptop and desktop users can benefit from being able to save the state of the system to a local drive and, after a reboot, find everything as they left it. The current in-kernel suspend mechanism works for many, but not everybody is comfortable with the large amount of invasive code required. The out-of-tree suspend2 implementation adds quite a few worthwhile features, but at the cost of expanding the software suspend implementation still further. Concern over putting some of the suspend2 features into the kernel has been one of the factors preventing its merging so far.

Pavel Machek, the maintainer of the in-kernel suspend implementation, has now complicated the picture with the swsusp3 patch, which moves some of the work of suspending the system into user space. This code is said to work; if this approach continues to show promise, it could point the way toward adding suspend2's features without growing the kernel.

The software suspend process, in very rough terms, works like this:

  1. All processes on the system (with a few exceptions) are put into a special "frozen" state.

  2. Any memory which has on-disk backing store is forced out to disk; this step essentially clears the system of all user-space pages. Any kernel memory which can be done without - caches and such - is also dropped.

  3. Any remaining memory which is not in reserved space (not part of the kernel text, for all practical purposes) is written to a suspend image on the disk. Also written is a map saying where the pages came from in the first place.

  4. The system is shut down.

When the system is resumed, these steps are reversed in the opposite order - except that user-space memory remains on disk until faulted in by the newly-restarted system.

The swsusp3 patch does not move all of the above work to user space - much of it must be done in the kernel. What does move is step 3, the writing of kernel memory to disk. This operation is handled by way of /dev/kmem; to that end, the swsusp3 patch adds a set of scary ioctl() calls to the /dev/kmem driver.

The new user-space suspend program begins by locking itself into memory. This step is required - it would not do for it to change the memory state in the middle of the process via page faults. A call to the new IOCTL_FREEZE operation on /dev/kmem performs the first two steps listed above: freezing processes and clearing memory. The IOCTL_ATOMIC_SNAPSHOT call then puts devices on hold and creates an in-kernel list of pages which must be saved.

The ioctl(/dev/kmem, IOCTL_ATOMIC_SNAPSHOT) call returns a pointer to that list of pages. The user-space program can then obtain the list (by reading it from /dev/kmem) and pass through it. Each page on the list is read from kernel memory and written to the suspend image file. Finally, the list itself is written to the suspend image. Once that is done, the system can be powered down.

The resume process writes the saved image back into kernel memory. It has the additional problem, however, of having to deal with two kernels at once. This process will be running under a freshly-booted kernel (the "resume kernel") with its own idea of the state of the world; that state will eventually be overwritten by the state from the suspended kernel, but that step must be handled carefully. The resume process cannot simply overwrite arbitrary kernel memory, since it is counting on the resume kernel to continue to function until all of the suspended kernel's memory has been read in. So the user-space resume process must be able to allocate pages in kernel space.

The answer is, of course, another ioctl() command, IOCTL_KMALLOC, which executes a get_zeroed_page() call and returns the address of the resulting page to user space. Once a full set of pages has been loaded with the suspended kernel's memory, an updated page map can be stored in the kernel, and an IOCTL_ATOMIC_RESTORE operation tells the resume kernel to finish the process.

This code is very much in an early stage; even people who do not hesitate to use software suspend may want to be careful with swsusp3 on systems they actually care about resuming. Once things settle down, however, swsusp3 could open the door to a number of features, including graphical progress displays and the ability to interrupt the suspend process, which users have been asking for.

Comments (11 posted)

Swap prefetching

It's a common occurrence: some large application runs briefly and pushes all kinds of useful memory out to swap space. Examples include large ld runs, backups, slocate, and others. Once the program is done, the Linux system is left with a great deal of free memory, and a substantial amount of useful application data stuck in swap space. When the user tries to use a running application, everything stops while it populates that free memory with its pages. Wouldn't it be nice if the system could restore swapped out pages when the memory becomes available and avoid making the user wait later on?

A number of attempts have been made at prefetching swapped data in the past. It has proved hard, however, to repopulate memory from swap in a way which does not adversely affect the performance of the system as a whole. A well-intended interactivity optimization can easily turn into a performance hit in real use. Con Kolivas has been making another try at it, however, with a series of prefetch patches based on code originally written by Thomas Schlichter. Version 11 of the swap prefetch patch was posted on September 23.

This patch creates two new data structures to track pages which have been evicted to swap. Each swapped page is represented by a swapped_entry_t structure; this structure is added to a linked list and a radix tree. The list enables the prefetch code to find the most recently swapped pages, with the idea that those pages are more likely to be useful in the near future than others which have been languishing in swap for longer. The radix tree, for its part, allows the quick removal of entries without having to search the entire (possibly very long) list to find them.

Whenever a page is pushed out to swap, it is also added to the list and radix tree. There is a limit on how many pages will be remembered; it is currently set to a relatively high value which keeps the swapped page entries from occupying more than 5% of RAM. If that limit is exceeded, an older entry will be recycled. The add_to_swapped_list() code also refuses to wait for any locks; if there is a conflict with another processor, it will simply forget a page rather than spin on the lock. The consequence of forgetting a page (it will never be prefetched) is relatively small, so holding up the swap process for contention is not worth it in this case.

The code which actually performs prefetching is even more timid; every effort has been made to make the process of swap prefetching as close to free as possible. The prefetch code only runs once every five seconds - and that gets pushed back any time there is VM activity. The number of available free pages must be substantially above the minimum desired number, or prefetching will not happen. The code also checks that no writeback is happening, that the number of dirty pages in the system is relatively small, that the number of mapped pages is not too high, that the swap cache is not too large, and that the available pages are outside of the DMA zone. When all of those conditions are met, a few pages will be read from swap into the swap cache; they remain on the swap device so that they can be immediately reclaimed should a sudden shortage of memory develop.
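A user-space model of the bookkeeping described in the preceding three paragraphs, added here as an example (it is not code from Con's patch or from the kernel): a recency list plus an index keyed by swap slot, a cap that recycles the oldest entry, an add routine that forgets the page rather than wait for a contended lock, a gate modelled on the prefetch preconditions, and a prefetch step that hands out the newest slot. The radix tree is replaced by a chained hash table, the structure and function names and the thresholds in prefetch_allowed() are constructed for illustration, and swap slots are numbered from 1 so that 0 can mean "nothing to prefetch".

```c
#include <stdlib.h>
#include <string.h>

#define SWP_HASH_BUCKETS 64  /* constructed; a chained hash stands in for the radix tree */

struct swapped_entry {
    unsigned long slot;                 /* swap slot the page was written to */
    struct swapped_entry *prev, *next;  /* recency list: head is the newest entry */
    struct swapped_entry *hash_next;    /* bucket chain, so removal needs no list walk */
};

struct swapped_tracker {
    struct swapped_entry *head, *tail;
    struct swapped_entry *buckets[SWP_HASH_BUCKETS];
    size_t count, limit;                /* limit models the "5% of RAM" cap */
    int locked;                         /* stands in for the contended spinlock */
};

static unsigned hash_slot(unsigned long slot) { return slot % SWP_HASH_BUCKETS; }
void tracker_init(struct swapped_tracker *t, size_t limit) { memset(t, 0, sizeof *t); t->limit = limit; }

static struct swapped_entry *lookup(struct swapped_tracker *t, unsigned long slot)
{
    struct swapped_entry *e = t->buckets[hash_slot(slot)];
    while (e && e->slot != slot)
        e = e->hash_next;
    return e;
}

/* Detach an entry from both structures; the caller frees or reuses it. */
static void unlink_entry(struct swapped_tracker *t, struct swapped_entry *e)
{
    struct swapped_entry **pp = &t->buckets[hash_slot(e->slot)];
    if (e->prev) e->prev->next = e->next; else t->head = e->next;
    if (e->next) e->next->prev = e->prev; else t->tail = e->prev;
    while (*pp != e)                    /* e is always present in its bucket */
        pp = &(*pp)->hash_next;
    *pp = e->hash_next;
    t->count--;
}

/* Called when a page is pushed to swap. Returns 1 if the page was remembered,
 * 0 if it was forgotten: like the kernel code, this never waits for the lock. */
int add_to_swapped_list(struct swapped_tracker *t, unsigned long slot)
{
    struct swapped_entry *e;
    if (t->locked) return 0;            /* trylock failed: forget this page */
    t->locked = 1;
    e = lookup(t, slot);
    if (e) {
        unlink_entry(t, e);             /* swapped again: move it to the front */
    } else {
        if (t->count >= t->limit && t->tail) {
            struct swapped_entry *old = t->tail;
            unlink_entry(t, old);       /* over the cap: recycle the oldest entry */
            free(old);
        }
        e = malloc(sizeof *e);
        if (!e) { t->locked = 0; return 0; }
        e->slot = slot;
    }
    e->prev = NULL;
    e->next = t->head;
    if (t->head) t->head->prev = e; else t->tail = e;
    t->head = e;
    e->hash_next = t->buckets[hash_slot(slot)];
    t->buckets[hash_slot(slot)] = e;
    t->count++;
    t->locked = 0;
    return 1;
}

/* Called when the page comes back in or its slot is freed. Returns 1 if found. */
int remove_from_swapped_list(struct swapped_tracker *t, unsigned long slot)
{
    struct swapped_entry *e = lookup(t, slot);
    if (!e) return 0;
    unlink_entry(t, e);
    free(e);
    return 1;
}

/* Gate modelled on the text's preconditions; the thresholds are constructed. */
int prefetch_allowed(unsigned long free_pages, unsigned long min_free,
                     int writeback_active, unsigned long dirty_pages)
{
    return !writeback_active && dirty_pages < 16 && free_pages > 2 * min_free;
}

/* Newest swapped slot, to be read into the swap cache; 0 when none remain. */
unsigned long prefetch_next(struct swapped_tracker *t)
{
    unsigned long slot = t->head ? t->head->slot : 0;
    if (slot)
        remove_from_swapped_list(t, slot);
    return slot;
}
```

The point to notice is the cost model: add_to_swapped_list() bails out immediately when the lock is held, so the swap-out path never stalls on the prefetch bookkeeping, and remove_from_swapped_list() goes through the index rather than the recency list, so freeing a slot costs the same whether ten or ten thousand pages are remembered.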

Con claims that the end result is worthwhile:

In testing on modern pc hardware this results in wall-clock time activation of the firefox browser to speed up 5 fold after a worst case complete swap-out of the browser on a static web page.

That seems like a benefit worth having, if the cost of the prefetch code is truly low. Discussion on the list has been limited, suggesting that developers are unconcerned about the impacts of prefetching - or simply uninterested at this point.

Comments (13 posted)

securityfs

Some observers might well believe that the kernel has accumulated plenty of special-purpose virtual filesystems. Even so, 2.6.14 will include yet another one: securityfs. This filesystem is meant to be used by security modules, some of which were otherwise creating their own filesystems; it should be mounted on /sys/kernel/security. Securityfs thus looks, from user space, like part of sysfs, but it is a distinct entity.

The API for securityfs is quite simple - it only exports three functions (defined in <linux/security.h>). The usual first step will be to create a directory specific to the security module at hand with:

    struct dentry *securityfs_create_dir(const char *name, 
                                         struct dentry *parent);

If parent is NULL, the directory will be created in the root of the filesystem.

That directory can be populated with files using:

    struct dentry *securityfs_create_file(const char *name,
                                          mode_t mode,
                                          struct dentry *parent,
                                          void *data,
                                          struct file_operations *fops);

Here, name is the name of the file, mode is the permissions the file will have, parent is the containing directory (or NULL for the filesystem root), data is a private data pointer, and fops is a file_operations structure containing the methods which actually implement the file. The calling module must provide operations which make the file behave as desired. Securityfs differs from sysfs in this regard; it makes no attempt to hide the low-level file implementation. As a result, security modules can do ill-advised things like creating highly complex files, providing ioctl() operations, and more. Most modules, however, will simply want to provide straightforward open(), read(), and (maybe) write() methods and be done with it.

All of these files and directories should be cleaned up when the module is unloaded. The same function is used for both files and directories:

    void securityfs_remove(struct dentry *dentry);

There is no automatic cleanup of files performed, so this step is mandatory.
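A minimal module that exercises the three calls above, added here as an example (it is not code from the seclvl patch or from the kernel tree): it creates /sys/kernel/security/example/level, a file readable by everyone and writable only by root, supplies the read() and write() methods itself as the text says a securityfs user must, and removes the file and then the directory on unload. The module name, the file name and the "level" value it exposes are constructed for illustration; the bad_dentry() helper covers both the NULL return of the 2.6.14-era API and the ERR_PTR() return of later kernels, and simple_strtol() is used because kernels of that era had nothing better.

```c
#include <linux/module.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/err.h>
#include <linux/security.h>
#include <asm/uaccess.h>

/* Hypothetical module state exported through securityfs (constructed). */
static int example_level = 1;
static struct dentry *example_dir, *example_file;

/* read() method: report the current level as decimal text. */
static ssize_t example_read(struct file *filp, char __user *buf,
                            size_t count, loff_t *ppos)
{
    char tmp[16];
    int len = snprintf(tmp, sizeof(tmp), "%d\n", example_level);

    return simple_read_from_buffer(buf, count, ppos, tmp, len);
}

/* write() method: accept a small integer; reject anything else. */
static ssize_t example_write(struct file *filp, const char __user *buf,
                             size_t count, loff_t *ppos)
{
    char tmp[16];
    long val;

    if (count == 0 || count >= sizeof(tmp))
        return -EINVAL;
    if (copy_from_user(tmp, buf, count))
        return -EFAULT;
    tmp[count] = '\0';
    val = simple_strtol(tmp, NULL, 10);
    if (val < 0 || val > 3)
        return -EINVAL;
    example_level = val;
    return count;
}

/* The module supplies the file semantics itself; securityfs does not. */
static struct file_operations example_fops = {
    .owner = THIS_MODULE,
    .read  = example_read,
    .write = example_write,
};

/* 2.6.14-era securityfs returns NULL on failure; later kernels return ERR_PTR(). */
static int bad_dentry(struct dentry *d)
{
    return !d || IS_ERR(d);
}

static int __init example_init(void)
{
    /* /sys/kernel/security/example/ */
    example_dir = securityfs_create_dir("example", NULL);
    if (bad_dentry(example_dir))
        return -ENOMEM;

    /* /sys/kernel/security/example/level: world-readable, root-writable */
    example_file = securityfs_create_file("level", S_IRUGO | S_IWUSR,
                                          example_dir, NULL, &example_fops);
    if (bad_dentry(example_file)) {
        securityfs_remove(example_dir);
        return -ENOMEM;
    }
    return 0;
}

static void __exit example_exit(void)
{
    /* Nothing is removed automatically: the file first, then its directory. */
    securityfs_remove(example_file);
    securityfs_remove(example_dir);
}

module_init(example_init);
module_exit(example_exit);
MODULE_LICENSE("GPL");
```

Because securityfs hands the file_operations straight through, the input checking in example_write() is the module's responsibility: the length guard and the range check are what stand between a root-only control file and a misbehaving value, which is the "ill-advised things" latitude the text describes.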

Those wanting to see an example of securityfs in action can look at this patch in 2.6.14 which causes the seclvl module to use it.

Comments (13 posted)

Patches and updates

Kernel trees

Build system

Core kernel code

Development tools

  • Marco Costalba: qgit-0.95. (September 26, 2005)

Device drivers

  • dmitry pervushin: SPI. (September 28, 2005)

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Page editor: Jonathan Corbet

Distributions

News and Editorials

A quick look at Ubuntu 5.10 Preview

The Ubuntu Linux 5.10 (Breezy Badger) Preview was released earlier this month, so we decided to take a look. The Preview is very close to what the final release will look like and it has been quite stable on my old test box so far.

Ubuntu has plenty of documentation on the wiki site, available in many different languages. For those who don't have much experience in installing Linux distributions you can find instructions for downloading the iso image, burning a CD, installing the operating system, and beyond.

The installation is straightforward and took me about one and a half hours to get to a usable desktop system. My test box is somewhat old and slow, a legacy from LWN's training days, with a few newer components. The processor is a P2-350, with 192 MB of RAM, and a 20 GB hard drive.

Upon completing installation I decided to get at least some of the updates that were available. The system told me there were some 370 updates available. I deselected some of them, based on the fact that this computer does not currently have access to a printer, speakers, or a CD burner. Those things belong to another box, and the monitor, keyboard and mouse are shared by means of a KVM switch. Once I had the system busy downloading and installing nearly 300 updates, I started getting some work done, logging on to the LWN server and firing up a couple of emacs windows over the SSH connection. These remote sessions were very responsive considering that the system was busy downloading updates.

I have not been using this release for very long, but so far I have not found any show stoppers. Ubuntu 5.10 Preview is a nice system, easy to install and easy to use.

Comments (none posted)

New Releases

Ubuntu Colony CD 5

The Ubuntu Colony CD 5 is ready. This is the fifth in a series of milestone CD images released during the Breezy development cycle, and it's likely to be the last before the stable Breezy release.

Full Story (comments: none)

Distribution News

Debian Project news

Colin Watson has announced his resignation as Debian Release Manager. "[It] became clear that a combination of my work commitments, the preparations for my wedding in August, moving house, and acquiring a new stepson were leaving me less and less time for release management work, and furthermore that each time I tried to get back on top of things I was spending too much time getting up to speed and not enough time doing useful work."

Numerous bugs have been closed recently. "Three massive closings were done within the RFP (request for package) and ITP (intent to package) WNPPs, and one more was done to the ITA (intent to adopt) ones."

A new archive has been announced for the preservation of materials (video, audio, slides, example code used, etc.) gathered, used at or derived from real life meetings.

Comments (none posted)

Mandriva Upcoming Product End of Life Notice

Here's a reminder from Mandriva that the End of Life status for some Mandriva products is approaching. Mandrakelinux 10.0 will no longer be supported as of the 30th of September, 2005. Mandrakelinux 10.1 will be entering base support at the same time.

Full Story (comments: none)

Whitebox Linux Shutdown

Whitebox Linux did shut down this week in anticipation of power outages caused by Hurricane Rita. As of this writing the server is back up.

Full Story (comments: none)

The Linux HomeDistro web site

The Linux HomeDistro web site focuses on those distributions which are suitable for home PCs. "The HomeDistro site reviews Linux distributions and ranks them for home PC use. Helpful tips and package suggestions are offered plus there is a forum to allow input."

Full Story (comments: none)

Xubuntu

The Ubuntu MOTU are working on an Xfce-flavored desktop system. "The initial participants are the MOTU Xfce team and various other people who have expressed interest in xfce+ubuntu in the past months (you know who you are) but everybody else's contributions are welcomed. We intend to release as close to breezy as possible so in the coming weeks there's going to be plenty of work to be done."

Full Story (comments: none)

Distribution Newsletters

Debian Weekly News

The September 27 issue of the Debian Weekly News is out; this week's topics include GL library duplication, whether libc5 should still be supported (seven years after libc6 came out), a possible Debian OpenSolaris port, and more.

Full Story (comments: none)

Fedora Weekly News #15

This week's Fedora Weekly News looks at Mozilla Firefox 1.0.7, Xorg package update problems, news for ASUS K8N-DL owners, the Fedora FAQ merger effort, meeting minutes for Fedora Documentation and Fedora Marketing, a review, The Present and Future with Fedora Core 4, and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of September 26, 2005 is out. This edition covers a new IRC channel for ebuilders, a reminder for the European Gentoo developer conference call for papers, and several other topics.

Comments (none posted)

Package updates

Fedora updates

Fedora Core 4 updates: xorg-x11 (several bug fixes), shadow-utils (rebuild), system-config-netboot (bug fixes), squid (update to STABLE11), selinux-policy-targeted (fixes from rawhide), system-config-bind (bug fixes and updated translations), x86info (update to 1.15), xinitrc (bug fix), audit (bug fixes, update man page), openobex (added `OBEX_ServerAccept' to the exported symbols), selinux-policy-targeted (put back in role sysadm_r unconfined_t), ruby (new upstream release), shadow-utils (useradd -l option returns), policycoreutils (update to rawhide version).

Fedora Core 3 updates: system-config-netboot (bug fixes), xorg-x11 (several bug fixes), squid (update to STABLE11), ruby (new upstream release).

Comments (none posted)

Trustix Secure Linux TSL-2005-0050

Trustix has fixed a variety of bugs in anaconda, cvs, initscripts, mod_security, mrtg, php, quagga and setup.

Full Story (comments: none)

Newsletters and articles of interest

ISP-Server Setup - Ubuntu 5.0.4 "The Hoary Hedgehog" (HowtoForge)

HowtoForge demonstrates how to set up a server on Ubuntu 5.04 "the Hoary Hedgehog". "This is a detailed description about the steps to be taken to setup a Ubuntu based server (Ubuntu 5.0.4 - The Hoary Hedgehog) that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/POP3s/IMAP/IMAPs, Quota, Firewall, etc.)."

Comments (none posted)

Distribution reviews

Auditor: The security tool collection (Linux.com)

Linux.com takes a look at the security tools in the live CD Auditor. "Let's say you've been called in to examine a possible compromised server, and until the integrity of the server has been established you are not allowed to install any forensic software or even take the server offline. You can take your Auditor CD and start running the chkrootkit utility to see if any known rootkits are installed on the server. If you find any suspicious activity, you can take a disk image with the dd command and examine it for any possible rootkits or strange processes."

Comments (none posted)

Asianux 2.0 (Linux.com)

Linux.com looks at Asianux 2.0. "Despite its ostentatious goal of becoming "the" Asian Linux, Asianux enters an Asian Linux market that is already extremely competitive, with Novell SUSE, Turbolinux, Red Hat Enterprise Linux, and The Sun Wah Linux Distribution, which are all jostling for a piece of Asia's Linux market. The three Asianux companies have plans to expand the distro's reach and introduce Malaysian and Indian companies to its fold. If they can successfully execute this strategy, Asianux will expand to a larger portion of Asia. If the companies build on Asianux as a common platform, and localize it, it will provide a definite edge to the distribution over other Asian distributions. In the current climate in Asia, where piracy is rampant, Asianux won't take market share away from Windows, since to Windows users, Asianux looks no different than their current operating system, and both come at the same price."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The GNU Classpath distro DevJam - Europe

September 28, 2005

This article was contributed by Mark Wielaard

The latest releases of GCJ, GNU Classpath, Kaffe and various other free software projects have made it possible for the various GNU/Linux distributions to package non-trivial applications and libraries written in the Java programming language. To coordinate and advance the state of the packages, the Debian packagers suggested having a DevJam during the Oldenburg Linux Developers Meeting, which was held from September 21 to 25. They invited various packagers from other distributions, as well as upstream developers.

The Oldenburg Linux Developers Meeting is set up in a way that makes participation as easy and inexpensive as possible. There is no entrance fee, but donations are welcome. There are several large rooms at the University of Oldenburg where people can install their computers, use the network and possibly sleep when they get tired of hacking. During the whole event a 'continuous breakfast' is provided (with lots of coffee). There are no formal presentations, but people break away from time to time in separate rooms for informal discussions. All this makes the Oldenburg meeting a really intense and productive meeting, although most participants have severe sleep deprivation at the end.

In total there were around 60 hackers present in Oldenburg, mostly working on various kernel porting efforts. Also, several Debian groups such as the Installer and Security teams were present. The GNU Classpath distro DevJam group consisted of around 14 people. Attendees included several packagers from Debian, Gentoo, Fedora, OpenEmbedded and SUSE, and some developers from the GNU Classpath, GCJ, Kaffe and Cacao projects. The participants seemed to agree on the goals (a mature Free Software packaging and development toolchain), which kept the discussions largely free of politics, and focused on technical issues.

The main subjects discussed were the completeness of the free toolchains, common packager frustrations with upstream packages written in the Java programming language, and how to combine and integrate GCJ ahead-of-time compilation with a traditional Java environment.

Completeness of the toolchain

Stuart Ballard maintains japitools, a tool that can show binary compatibility issues between libraries. On kaffe.org he maintains an overview of the binary compatibility between the free and proprietary core library implementations. GNU Classpath recently reached more than 90% API coverage when compared with the proprietary 1.4 JDK library. There is still a lot to do on the correctness, robustness and performance of the library. Some parts, such as printing, have 100% interface coverage according to japi, but no back-end implementation yet. But the recent progress has been amazing. For most of the missing parts, there are already people working on their completion. Also, a special development branch has been started to provide new 1.5 library work based on generics and other language extensions. These new language extensions are supported by GCJX, a new compiler developed by Tom Tromey. In the future, GCJX will replace the current GCJ compiler in GCC.

For the distributions a lot of the focus is not on completeness (filling that last 10%), but on making real world applications work. The interaction between the packagers and the upstream developers seems to be tight, and working out nicely. The programs that are packaged by the distributions seem to work well now, but for people wanting a full free replacement for the Java platform, a lot of work is still needed. The main worry at the moment is that there is no plan yet for a complete security audit of the full stack. This prevents distributions from packaging applet viewers and interesting applications that make use of the permission-based security framework using signed jar files.

Common packaging headaches

There were several talks about the ways Gentoo, Fedora and Debian package software. All of the distributions face one common problem: in the traditional Java world, there is no strong versioning system. Small updates to libraries often break source or binary compatibility. A lot of projects written in the Java language "package the world", meaning that they often just include all of the projects they depend on. Inclusions are done as binary jar blobs, probably to guard against the weak versioning of traditional jars. Luckily the JPackage project has been collecting dependency information and splitting up programs and their library dependencies into separate packages. Fedora has been trying to base all of their packages on JPackage. The other distros would also try to push any improvements (at least the versioning and dependency information) to JPackage so they can easily be shared between the various packagers.

GCJ and ahead of time compilation

With GCJ 4 it is easy to mix and match traditional Java byte code with ahead-of-time compiled shared libraries. Ahead-of-time compilation reduces startup time and can reduce resource usage since several processes can use the same shared library. One of the tools for this is gcj-dbtool, written by Andrew Haley. gcj-dbtool allows for setting up a system-wide database mapping classes to pre-compiled shared objects. Using the MD5 sum of a class as the key in this database, a program that loads a class or jar file will automatically map in the correct ahead-of-time compiled shared library without needing to interpret or just-in-time compile the byte code. This process can be made almost completely transparent to the program, developer and packager using aot-compile. This is a new tool written by Gary Benson for automagically finding, extracting and pre-compiling all classes found in a package with gcj, then storing them in the correct gcj-dbtool database. Together with gcj-java-compat, by Thomas Fitzsimmons, it provides a traditional-looking Java platform that automatically uses ahead-of-time compiled code whenever possible without the user or developer having to set up anything special. The aot-compile tool is currently somewhat RPM specific, but will be made generic enough so that it can be adopted by the other packaging systems.

Future developments

Debian has been moving a large set of packages from contrib to main using the above tools. More than 50 packages that used to depend on a proprietary Java toolchain can now be freely used. For some packages, like Eclipse, gcj ahead-of-time compilation is being added. Fedora has rolled out Fedora Core 4, which included some native-compiled applications like Eclipse and the OpenOffice.org 2 plugins written in Java. All of those were precompiled with gcj. For Fedora Core 5, they want to add some major applications like the Jonas application server. For a list of potential packages that might pop up in future releases of the various distributions, look at the free section of jpackage.org. The meeting seems to have been such a success that there are already plans for a DevJam++ meeting.

Comments (1 posted)

System Applications

Clusters and Grids

Release 2.0.2 of Linux-HA is now available

Release 2.0.2 of Linux-HA, the Linux High Availability project, has been announced. "This release has been restricted to a small number of important bug fixes."

Full Story (comments: none)

Database Software

The first MySQL 5.0 release candidate

The first release candidate for MySQL 5.0 is out. The announcement (click below) calls 5.0 "certainly the most important release in MySQL's history." Changes include many new SQL standard features (views, triggers, and stored procedures, for example), some new storage engines, and more.

Full Story (comments: none)

PostgreSQL Weekly News

The September 25, 2005 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL database articles.

Full Story (comments: none)

Proboscis 0.1 Released

Proboscis version 0.1 has been released. "This is the first release announcement for Proboscis[1], the PQueue based Green Trunk implementation. It is a PostgreSQL driver/interface for Python. Another one? Well, yes and no. Proboscis is not libpq based, nor does it primarily produce a DB-API 2.0 interface(0.2 may include a layer for DB-API 2.0 users)."

Comments (none posted)

PyODB version 0.5 released

Version 0.5 of PyODB, a Python unixODBC API binding, has been announced. "This release contains improvements to the mapping between the SQL and Python datatypes and a re-write of the data retrieval code. Also some changes to the reference counting."

Comments (none posted)

ZODB 3.5.1 final released

Version 3.5.1 final of ZODB, the Zope Object Database, is out. "ZODB 3.5.1 contains (just) a few bugfixes relative to 3.5.0, involving Zope 3's zeoctl and mkzeoinst scripts, and the ZopeUndo.Prefix class."

Full Story (comments: none)

Mail Software

bogofilter 0.96.2 released

Version 0.96.2 of bogofilter, an email spam/ham classifier, has been released. Click below for the release notes.

Full Story (comments: none)

Networking Tools

Release of libnfnetlink, libnfnetlink_conntrack and conntrack

The netfilter project has released three new applications: libnfnetlink - a low-level userspace library for nfnetlink-based communication, libnfnetlink_conntrack - a library for userspace access to the in-kernel connection tracking table, and conntrack - a command line program for listing, querying, deleting, and updating entries in the connection tracking table.

Full Story (comments: none)

Telecom

Bayonne 2 1.0 release candidate (SourceForge)

The first release candidate for GNU Bayonne 2, a business-oriented telephony application server, has been announced. "GNU Bayonne 2 1.0 is composed of a subset of those services and features found in the recently introduced, and very rapidly advancing GNU Bayonne 2 development effort. Features were chosen for introduction in this release candidate that were already stable and effective for production use and supportable under GNU/Linux and other platforms."

Comments (none posted)

Web Site Development

Gallery 1.5.1 Release (SourceForge)

Version 1.5.1 of Gallery, a web-based photo gallery application, has been released. "This release is primarily a bugfix release but includes several new features that should make this worth the upgrade."

Comments (none posted)

mnoGoSearch 3.2.34 released

Version 3.2.34 of the mnoGoSearch web site search engine has been released. See the change history for release details.

Comments (none posted)

Quixote 2.2 released

Version 2.2 of Quixote, a Python-based web development platform, is out with numerous improvements.

Full Story (comments: none)

Desktop Applications

Business Applications

JFreeReport 0.8.6 released (SourceForge)

Version 0.8.6 of JFreeReport, an embedded report generator written in Java, has been announced. "JFreeReport 0.8.6 adds the ability to distribute wide pages over multiple physical pages, much like spreadsheet applications like Excel print overly large tables. The new StackedLayoutManager simplifies the usage of dynamic elements and improvements in the XML parser implementations allow the definition of global stylesheets for all available report definition formats."

Comments (none posted)

Tina POS 0.0.10 released (SourceForge)

Version 0.0.10 of Tina POS, a point of sales application with a touch screen interface, has been announced. "This version adds new functionality: reservations management for restaurants, and an inventory diary report. A new Italian translation. The sales chart changed, now is a jasperreports report. Bugs fixed: reports can be exported to PDF format and graphics are printed, not the black rectangle. And a new picture of Tina."

Comments (none posted)

Calendar Software

Initial Lightning Roadmap Published (MozillaZine)

MozillaZine has announced the publication of a project roadmap for the Lightning calendar project. "An initial roadmap for the Lightning calendar project has been created by Dan Mosedale. The document, which is currently rather sparse, sets out the basic plan for the Mozilla Thunderbird calendaring and scheduling add-on, specifying the aims for Lightning 0.1 (targeted for November this year), Lightning 0.2 and the future."

Comments (none posted)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

GNOME 2.14 schedule is up

The GNOME 2.14 schedule has been announced.

Full Story (comments: none)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Accessibility

Accessibility Cooperation

The Gnome and KDE Accessibility Projects together with the Free Standards Group Accessibility Work group (FSG Accessibility) have issued a Statement On Desktop Accessibility Development. "We wish to allay any concern that our standardization efforts might be focused on any one particular toolkit or desktop technology to the exclusion of other toolkits and desktops. We believe it is imperative to preserve choice and to maximize available options for users. Therefore we are developing an accessibility standard based on functional performance criteria implemented in messaging protocols fully independent of any particular toolkit or desktop technology. We believe users who are persons with disabilities should be empowered to choose technologies from any and all environments which provide accessibility just as other desktop users today routinely use a mix of technologies from different desktop environments. Our goal is seamless interoperability." (Found on KDE.News and GnomeDesktop)

Comments (none posted)

Games

Statfink 0.6 is released (SourceForge)

Version 0.6 of Statfink, a Football (US style) statistics tracker and live scorer, has been announced. "Version 0.6 fixes a bunch of things and adds a bunch of things, check the changelog for details. Trust me, you want it. It automatically grabs all your league's team data for your Yahoo fantasy football leagues and calculates your entire league's scores, live as the games happen! Don't pay for this functionality when you can host this program and provide it to your entire league!"

Comments (none posted)

GUI Packages

wxWidgets 2.6.2 has been released

Version 2.6.2 of wxWidgets, a cross-platform GUI framework, is available. "This is a bug fix release."

Comments (none posted)

Imaging Applications

GIMP 2.3.4 announced (GnomeDesktop)

Unstable version 2.3.4 of the GIMP, an image manipulation program, has been announced. "GIMP 2.3.4 has lots of changes all over the place, with the focus on usability. Most notable change is that plug-in dialogs are now transient to the image window and that the menus are being reorganized. This is an ongoing effort and you are invited to participate."

Comments (none posted)

Videos of KimDaBa in Action (KDE.News)

KDE.News mentions the availability of training videos for KimDaBa, the KDE Image Database. "For those of you who do not understand how to use KimDaBa, there is now no reason not to use it. KimDaBa is the first KDE application to offer small flash videos with voice-overs describing how to use it. See the tutorials at KimDaBa's video page or read on below for Jesper's description of how and why to make video tutorials of applications."

Comments (none posted)

Interoperability

Wine Traffic

The September 23, 2005 edition of Wine Traffic has been published. Topics include: Summer of Code Wrapup, Docs Needed, FreeDCE & Wine, WineD3D and DirectX7, Wine & WindowsCE, Finding Memory Leaks, Printing & Acrobat Reader and Running Wine From Source Tree.

Comments (none posted)

Mail Clients

Mozilla Thunderbird 1.0.7 Release Candidates Available (MozillaZine)

Release candidate builds of Mozilla Thunderbird version 1.0.7 have been announced. "Thunderbird 1.0.7 is a minor update that will fix a few bugs, including a return receipt regression introduced in version 1.0.2 (bug 289091) and the Linux command line URL parsing security flaw (bug 307185)."

Comments (none posted)

Multimedia

GStreamer newsletter and release roadmap (GnomeDesktop)

GnomeDesktop.org has announced the availability of a new GStreamer newsletter. "The new[s]letter covers recent developments and changes and is meant to become a regular feature. Andy also sent out a mail proposing a roadmap for doing GStreamer 0.10 placing the 0.10 release in early December."

Comments (none posted)

Music Applications

ALSA MIDI Kommander launched

The ALSA MIDI Kommander project has been launched. "ALSA MIDI Kommander is a DCOP interface exposing many ALSA Sequencer features for shell scripts, Kommander scripts, or KDE programs requiring MIDI Sequencer services. A few MIDI utilities have been developed with this tool, which can be used both as programming examples and as real work tools."

Full Story (comments: none)

KMidimon 0.4.1 released

Version 0.4.1 of KMidimon is out with multiple improvements. "KMidimon is an application to monitor MIDI events coming from a MIDI external port or application via the ALSA sequencer. It is especially useful if you want to debug MIDI software or your MIDI setup."

Full Story (comments: none)

Om 0.2.0 announced

Version 0.2.0 of Om is out with bug fixes and other improvements. "Om is a realtime OSC controlled modular synthesizer (effects processor, etc, etc) for Jack systems with LADSPA and/or DSSI plugins."

Full Story (comments: none)

Office Applications

Two new ooo-build releases

The ooo-build project has announced two new releases: 1.3.16 and 1.9.129. Both add bug fixes and a small number of new features.

Comments (none posted)

Science

BKchem 0.11.0 pre2 is out

Version 0.11.0 pre2 of BKchem, a chemical drawing application, has been announced. "The second preview release of the 0.11 branch is out. This release focuses on improving the InChI reading capabilities. BKchem can now successfully read 98.5% of InChIs generated from the NCI database (about 120 000 compounds)."

Comments (none posted)

Web Browsers

Mozilla 1.7.12 Released (MozillaZine)

Mozilla version 1.7.12 has been announced. "Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.7.x security updates have been resolved. If this description sounds like our article on Mozilla Firefox 1.0.7, that's because most of the fixes included in the two releases are the same."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the September 19, 2005 mozilla.org staff meeting have been announced. "Issues discussed include releases and the Mozilla Foundation."

Comments (none posted)

Miscellaneous

QFE 0.4.3 released. (SourceForge)

Version 0.4.3 of QFE is available. "QFE is a full-featured FTN message editor with a graphical interface. It is written in C++/Qt and does not depend on either KDE or Gnome. This is a minor release with minor enhancements and bugfixes. See Changelog for full details about changes and improvements."

Comments (none posted)

Languages and Tools

C#

SharpMimeTools 0.3 beta released (SourceForge)

Version 0.3 of SharpMimeTools has been announced. "SharpMimeTools is an open source MIME parser/decoder assembly that is written in C#. It fully works under .NET and Mono. We have reached 0.3 milestone. So here is a new beta (0.3b). It has new features, some improvements and fixes."

Comments (none posted)

Caml

Caml Weekly News

The September 27, 2005 edition of the Caml Weekly News is online with the weekly roundup of Caml language articles.

Full Story (comments: none)

Java

This week on harmony-dev

The September 18-24, 2005 edition of This week on harmony-dev covers the latest developments from the Harmony open-source Java project.

Full Story (comments: none)

What Is Hibernate (O'ReillyNet)

James Elliott introduces Hibernate on O'Reilly. "Hibernate is a free open source Java package that makes it easy to work with relational databases. James Elliott describes the "enlightened laziness" that resulted in the development of Hibernate, how it works, and when it makes good sense to use it in your projects."

Comments (none posted)

Lisp

SBCL 0.9.5 released

Version 0.9.5 of SBCL (Steel Bank Common Lisp) is out. "This version adds support for several additional external formats, new timers, a byte rotation optimization, and fixes several bugs."

Full Story (comments: none)

PostScript

ESP Ghostscript 8.15.1 released

Version 8.15.1 of ESP Ghostscript has been released. "ESP Ghostscript 8.15.1 is the first stable release based on GPL Ghostscript 8.15 and includes an enhanced configure script, the CUPS raster driver, many GPL drivers, support for dynamically loaded drivers (currently implemented for the X11 driver), and several GPL Ghostscript bug fixes. The new release also fixes all of the reported STRs from ESP Ghostscript 7.07.x."

Comments (none posted)

Python

Python 2.4.2 (final) released

The final version 2.4.2 of Python has been released; it features over 60 bug fixes.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The September 26, 2005 edition of Dr. Dobb's Python-URL! is out with the latest Python language discussions.

Full Story (comments: none)

Ruby

Ruby Weekly News

The September 25th, 2005 edition of the Ruby Weekly News looks at the latest discussions from the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The September 28, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk articles.

Full Story (comments: none)

Editors

PyPE 2.2 released

Version 2.2 of PyPE, the Python Programmers Editor, is available. Here are the changes: "Fixes a few minor functionality bugs and adds a handful of useful features: the ability to spawn external applications via an embedded shell, selection of search results from find in files selects the actual result, and encodings support during opening and saving."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

It's Final - MA Goes With Open Document (Groklaw)

Groklaw reports the Commonwealth of Massachusetts has posted its final decision to use only formats that conform to the Open Document format for office productivity applications. "The bottom line is this: whose documents are they? Do the people of Massachusetts have the right to control their own documents? Does a governmental agency have the right to decide what software it wishes to use, particularly if it believes it can save money? If it does, then all the hue and cry is pointless. And the real issue, as Kriss pointed out, is the issue of sovereignty, and the very important issues of access and control not only now but also in the distant future."

Comments (11 posted)

Google's Summer of Code concludes (NewsForge)

NewsForge reports on the completion of Google's Summer of Code program. "The original program called for 200 students. However, after an announcement on Slashdot, interest was so high that Google doubled the number of applications it would accept. In the end, DiBona said the Summer of Code received 8,744 applications and accepted more than 400 projects, with 41 FOSS projects participating. Major beneficiaries included the Apache Software Foundation with 38, KDE with 24, and FreeBSD with 20. Smaller and more specialized projects also benefited, with WINE, Samba, and Mambo each receiving six."

Comments (1 posted)

Free the Cell Phone! (Wired)

Wired reports on the latest example of DMCA abuse: preventing the unlocking of cellular phones. "But CellPhoneCo isn't asserting that Unlocko's program copies any copyright-protected software or content. Its claim is more subtle. Unlocko's software reprograms your mobile phone so it bypasses the 'secret handshake' CellPhoneCo's locking software requires before the phone will operate. After 'circumventing' the handshake requirement, the phone -- like virtually any modern piece of electronics -- runs software installed on its internal chip. Therefore, CellPhoneCo claims, Unlocko's program unlawfully circumvents a technological measure controlling access to the phone's copyright-protected software." Incidentally, your editor was discouraged to see an increasing number of locked phones for sale in Italy this summer; this is no longer just a U.S. issue.

Comments (29 posted)

Companies

IBM's Power-style promotion of Cell (IT Manager's Journal)

IT Manager's Journal looks at IBM's efforts to promote the Cell processor. "With nine processor cores, 234 million integrated transistors, clock speeds topping 4GHz, and support for multiple operating systems, including Linux and real-time operating systems suited for home media devices, Cell may be most effective with the latest and greatest in embedded applications and consumer electronics, according to Hofstee. The Cell engineer said that similar to the Power processor, Cell will be ideal for the Linux operating system, and IBM will look to leverage the new chip's Linux likeability."

Comments (none posted)

Linux Adoption

Open-Source Success Roiling Software Field (Investors.com)

Investors.com covers the increasing acceptance of the open-source development model by the business world. "For every multimillion-dollar software program being sold, there's a good chance that at least one free alternative can do the same thing, at a fraction of the cost. If that's good news for tech buyers, it's downright chilling for tech investors. "There is an open-source application that is maturing in every software category that exists," said Pete Kronowitt, a strategic planner for Intel (INTC) who helps manage the chipmaker's dealings with open-source firms. "Open-source is poised to commoditize those segments. We're already seeing it." Few open-source programs claim to be as complex or full featured as their commercial counterparts. But for many customers, they're more than adequate."

Comments (none posted)

Open Source Goes Corporate (InformationWeek)

InformationWeek looks at Linux deployments in several large companies. "From ABN Amro Bank NV in the financial industry to Yahoo Inc. on the Web, billion-dollar companies are expanding their embrace of the Linux operating system and other open-source components for a wide range of purposes. The Linux penguin has hit the big time. If you missed the announcement of this industry-changing development, that's because it never went out. The deployment of open-source software is happening a project at a time, and many of them are never publicly discussed. So InformationWeek set out to find out just how large corporations are using the stuff, conducting interviews with 10 big companies that are beyond the dabbling stage."

Comments (2 posted)

Legal

Debian trademark policy under question (News.com)

News.com covers possible changes to the Debian trademark policy. "The leader of the Debian Linux distribution has called for changes to be made to the open-source project's trademark policy, to ensure it has the appropriate level of protection against legal challenges. Debian's current trademark policy states that businesses can use the Debian trademark if they make a CD of the Debian version of Linux, but cannot use Debian in the name of their business. Branden Robinson, Debian's project leader, said on Tuesday that this policy needs an update."

Comments (1 posted)

What has Microsoft done for Massachusetts lately? (NewsForge)

Sam Hiser analyzes an open letter from Microsoft's Alan Yates regarding the adoption of the OpenDocument standard by Massachusetts. "Alan Yates' public letter reveals many chinks in Microsoft's armor and shows his company's lack of fitness, and unwillingness, to compete on a level pitch. This is a letter of arrogance and deliberate misdirection. In it, Yates expresses his warm concern for the citizens of The Commonwealth, his grave misgivings about the appropriate use of their tax dollars, and his fond hopes for their future felicity with office software -- his Office software."

Comments (none posted)

Peru Passes Free Software Law - That's Free as in Free Speech (Groklaw)

Groklaw reports that Peru has passed its law encouraging procurement of Free Software by the government.
The law defines free software and proprietary software by means of the licenses, as per my own translation:

1. Free Software: is software whose license guarantees the following: unrestricted use of the program for any use; unrestricted right to study the code and figure out how the program works; to make and distribute copies of the program; to modify the program and freely distribute the modifications under the same free conditions as the original program.

2. Proprietary software: is software whose license does not permit you to do all or any of the things listed in the above definition.

Comments (9 posted)

Interviews

RMS: The GNU GPL Is Here to Stay (O'ReillyNet)

O'Reilly's OnLAMP talks with Richard Stallman about the GPL v3. "RMS: The GNU GPL is designed to achieve the goals of the Free Software Movement; specifically, to ensure that every user of a program gets the essential freedoms--to run it, to study and change the source code, to redistribute copies, and to publish modified versions. The GPL does that job very well; most other free software licenses don't try."

Comments (45 posted)

Janet Theobroma (People Behind KDE)

The People Behind KDE interview Janet Theobroma, a graphic artist. "In what ways do you make a contribution to KDE? I organize art related KDE contests, created and maintain the new KDE-Artists.org website and the Kollaboration Forums." (Found on KDE.News)

Comments (none posted)

Aaron Seigo on the Upcoming OSDW in San Diego

Wade Olson interviews Aaron Seigo for the upcoming Open Source Desktop Workshop in San Diego. "WO: What's the primary message to people who are considering attending? Who are you targeting? AS: Well, for these developers, number one, the Open Source desktop is something that is worth looking at from a developer's perspective. We've got an amazing technology stack as far as application development goes. There are opportunities within the projects as well as in the commercial economy around the Open Source desktops. So that's really what the message is, to help developers feel confident to roll out applications for the Open Source desktop, whether for KDE or GNOME or whatever."

Comments (none posted)

Resources

Protecting Linux against automated attackers (Linux.com)

Ryan Twomey presents some useful security tips on Linux.com. "As many systems administrators will tell you, attacks from automated login scripts specifically targeting common account names with weak passwords have become a substantial threat to system security, especially via SSH (a popular program that allows remote users to log in to a Linux computer and execute commands locally). Here are some common-sense rules to follow that can greatly improve security, as well as several scripts to cut down on the computing resources wasted by these attacks."

Comments (none posted)

Peter van der Linden's Guide to Linux: A Lesson in Encryption, Part 2 (Linux Journal)

Linux Journal continues its book excerpt series on encryption with part two. "To cope with the uncertainties, or at least express them, the GPG program has the concept of levels of trust in keys. A key that someone leaves on a CD on your desk may have a low level of trust. Perhaps someone switched or copied the CD. A key that you yourself generated a moment ago can be trusted absolutely. You might notice that the output when we generated a key included the text "key marked as ultimately trusted.""

Comments (none posted)

Peter van der Linden's Guide to Linux: A Lesson in Encryption, Part 3 (Linux Journal)

Linux Journal presents an excerpt from chapter 11, "Keeping Your Data Private", of Peter van der Linden's Guide to Linux. "People often sign files or e-mail that they encrypt. That way, only the intended recipient can read it, and the recipient knows that you are definitely the person who sent it, too. Computerized signatures based on encryption are far more reliable than written signatures that are forged on a daily basis by people with criminal intent. But computerized signatures are only as good as the encryption scheme and key length you use. For GPG, that's a pretty good assurance, until you start to look at all the interfaces outside GPG that can be subverted."

Comments (none posted)

The Daemon, the GNU and the Penguin (Groklaw)

Groklaw presents chapter 19 of the online book "The Daemon, the GNU and the Penguin" by Dr. Peter Salus. This chapter is titled "Just for Fun" and covers the early history of Linux.

Comments (1 posted)

Linux LDAP authentication (Linux.com)

Dave Kline explains LDAP authentication under Linux in a Linux.com article. "When you have to administer a network of many machines, you quickly find out how much duplication of effort is involved with normal administrative tasks. Routine operations like changing passwords, canceling accounts, and modifying groups become time-consuming if repeated on many individual machines. Centralizing user and authentication information can solve these issues. The former king of centralized authentication systems was NIS, or Network Information System. NIS is a simple and well-supported technology, but it's also insecure. LDAP, short for Lightweight Directory Access Protocol, is now the preferred way of managing centralized user accounts."

Comments (1 posted)

At the Sounding Edge: A September Trio (Linux Journal)

Dave Phillips touches on several Linux audio topics in this Linux Journal column. "Toledo Hip-Hop is a cooperative project for bringing together and promoting area hip-hop artists. The group recruited artists and performers for the Reboot project and donated its production abilities toward creating a professionally polished sound. Reboot was created and produced with proprietary software, but its creators acutely are aware of the desirability of switching to Linux. As my AGNULA T-shirt says, there is no free expression without control of the tools, and the people I met at the meeting are aware of the importance of this level of control."

Comments (none posted)

Reviews

What Is Firefox (O'ReillyNet)

O'ReillyNet has a three page article on Firefox. "Firefox 1.0 was released in November 2004. Since then, there have been supplementary releases, mainly to address security and stability issues. The current official release is 1.0.7. In the meantime, however, work has been continuing on the next major release. That release was to be 1.1, but because of all the new features added, it was deemed worthy to be bumped up to a 1.5 version. Firefox 1.5 Beta 1 was released on September 8, 2005, and Firefox 1.5 final is due in November after further beta releases."

Comments (1 posted)

Inkscape review: It's all in the UI (NewsForge)

NewsForge reviews Inkscape. "One obvious interface choice in Inkscape is a reliance on keyboard and mouse button combinations rather than a straight point and click interface. This choice is a mixed blessing. On the one hand, once the combinations are learned, they are far more efficient than relying on a menu or toolbars. As much as possible, they keep your mouse on the drawing, and your hands on the keyboard. On the other hand, they mean a learning curve steep enough for a cardiovascular workout."

Comments (2 posted)

KDE 4 promises radical changes to the free desktop (NewsForge)

NewsForge looks ahead to KDE 4. "Its developers see KDE 4 as a chance to experiment and introduce new concepts and applications that do more than build on the strength of KDE's existing architecture. Just as KDE 3 brought major transformations in that architecture, developers are looking to KDE 4 to transform the desktop experience and enable a surge in third-party application development. With a KDE 4 release not likely to happen for at least another year, the developers have plenty of time to experiment."

Comments (28 posted)

Miscellaneous

In Memoriam: John R. Hall (Linux Journal)

Linux Journal notes the passing of John R. Hall. "John R. Hall, a respected programmer, writer and Linux advocate, passed away on September 17 at age 24. John studied computer science at the Georgia Institute of Technology and was the author of Programming Linux Games, which he wrote at age 19 while interning with Loki Software. He later worked at Treyarch."

Comments (none posted)

How will Linux be leveraged in next-gen supercomputers? (NewsForge)

NewsForge takes a look at the next generation of supercomputers. "[Top500 list co-founder and co-editor Erich] Strohmaier indicated that multi-core processors will be a bigger driver of performance than operating system software in the next round of faster supercomputers, but also said Linux must adapt to continue to be successful. "It's a matter of four or eight cores instead of megahertz," he said. "Which means that Linux has to put more emphasis on multi-threaded performance and parallel performance. Linux has been single-threaded, traditionally. I think that, in general, has to change, which will help the community as well.""

Comments (22 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Austin Group Status Report

The Austin Group has published a status report for September 2005. "The Austin Common Standards Revision Group (CSRG) is a joint technical working group established to consider the matter of a common revision of ISO/IEC 9945-1, ISO/IEC 9945-2, IEEE Std 1003.1, IEEE Std 1003.2 and the appropriate parts of the Single UNIX Specification."

Full Story (comments: none)

EFF: Google's Card Catalog Should Be Left Open

The Electronic Frontier Foundation (EFF) has issued a press release (click below) applauding Google's effort to create the digital equivalent of a library card catalog. The Authors Guild is less enthused, and has filed a class-action copyright infringement suit.

Full Story (comments: none)

EFF: A broadcast flag update

Danny O'Brien is writing for the EFF these days; his hand can be seen in this update on the ongoing efforts to get the broadcast flag wired into U.S. law. "Listen. Suppose our sympatico politicos carve out a bunch of Digital TV provisions that, in fact, do have something to do with government finance? Suppose they stick those provisions in the Senate Commerce Committee's reconciliations bill (due October 26th), where they're practically untouchable? But some key clauses on which these provisions depend will be omitted. Consequently, it will be vitally important that Congress passes another Digital TV bill to fill the gaps. That Digital TV bill will contain -- oh, look at that! -- the Broadcast Flag language. Oh, and the RIAA's Digital Radio Broadcast Flag, too, just for the sake of completeness."

Comments (22 posted)

Open Letter to Alan Yates of Microsoft (KDE.News)

KDE.News has published an open letter to Microsoft's Alan Yates regarding the OpenDocument format. "...on page 8 you write: "The draft policy identifies four products that support the OpenDocument format: Sun's StarOffice, OpenOffice.org, KOffice, and IBM Workplace. In reality, these products are slight variations of the same StarOffice code base, which Sun acquired from a German company in 1999. The different names are little more than unique brands applied by the vendors to the various flavors of the code base that they have developed. In essence, a commitment to the OpenDocument format is a commitment to a single product or technology. This approach to product selection by policy violates well-accepted public procurement norms." I understand your worries, but fortunately I am able to put your mind to rest: KOffice is in fact not related to StarOffice or OpenOffice."

Comments (none posted)

Xara sponsors Open Source project

Xara has announced its sponsorship of an open-source project for a universal vector graphics translator. "The Uber-converter is a universal vector graphics translator that can convert between numerous different vector formats. It is an Open Source software project produced by Scratch Computing."

Full Story (comments: none)

Commercial announcements

Codase Launches Source Code Search Service

Codase, Inc. has launched the alpha version of its advanced source code search service. "Codase is a new kind of search service for open source code. Rather than treating code as text, Codase understands programming languages, and treats code as code, the way it's supposed to be. This unique and syntax-aware approach provides the most accurate and detailed search results with fine granularity levels of controls. With Codase, developers can search functions, classes, strings, constants, macros, comments and other programming language constructs."

Full Story (comments: none)

Monarch Empro and ULB Get Latest Dual-Core AMD Opterons

Monarch Computer Systems has announced updates to its workstation line. "The Dual-Core AMD Opteron processors have the same wattage profile as their single-core processors, about 95 watts. This means that the new Empro and ULB systems with the Dual-Core AMD Opteron processor Model 880 or Model 280 offer greater performance without increasing heat or power requirements."

Comments (1 posted)

Mozilla Foundation Relocates to New Offices (MozillaZine)

MozillaZine reports that both the Mozilla Foundation and Corporation have moved. "The primary reason for this move is space: the Mozilla Foundation and the Mozilla Corporation combined now have around forty employees, most of whom are based in Mountain View. This is about four times the number of workers initially employed by the nascent Mozilla Foundation when it moved into the Villa Street offices in 2003."

Comments (none posted)

Open Source Astronomy V10 available

The Random Factory is selling version 10 of the Open Source Astronomy CDROM project. "This release updates all the packages previously included in the Linux for Astronomy V7,8 & 9, and includes many new packages."

Full Story (comments: none)

Oracle Database 10g Release 2 on Linux Sets World Record

Oracle Corporation has announced a new benchmark record. "Running atop an eight-node HP BladeSystem cluster of ProLiant BL25p server blades, each with one AMD Opteron 2.6 GHz processor and Red Hat Enterprise Linux v.4, Oracle Database 10g Release 2 and Oracle Real Application Clusters achieved record-breaking performance of 13,284.2 QphH@300GB with a price-performance ratio of $34.20/QphH@300GB. This new industry-leading result surpasses IBM DB2's best TPC-H 300 GB benchmark running on IBM hardware using half the number of processors."

Comments (none posted)

Pointsec Announces Encryption Solution for Linux

Pointsec Mobile Technologies has announced its endpoint encryption solution for Linux. "With Pointsec for Linux(TM), corporations can now employ centrally managed full-disk encryption to protect information stored on Linux laptops and desktops."

Comments (none posted)

VA and ThoughtWorks partner on CruiseControl

VA and ThoughtWorks have announced an alliance to jointly develop agile development solutions for enterprise customers. "The two companies will offer a turn-key solution that integrates VA Software’s SourceForge Enterprise Edition, the leading collaborative development platform; CruiseControl, the popular continuous integration build tool open sourced by ThoughtWorks; and ThoughtWorks’ best practices for agile and distributed agile development."

Full Story (comments: none)

New Books

Essential SNMP, Second Edition - O'Reilly's Latest Release

O'Reilly has published the book Essential SNMP, Second Edition by Douglas R. Mauro and Kevin J. Schmidt.

Full Story (comments: none)

Learning SQL - O'Reilly's Latest Release

O'Reilly has published the book Learning SQL by Alan Beaulieu.

Full Story (comments: none)

Secure Coding in C and C++

Secure Coding in C and C++ by Robert Seacord is available from Addison Wesley Professional. Click below for an excerpt from the book.

Full Story (comments: none)

Security and Usability - O'Reilly's Latest Release

O'Reilly has published the book Security and Usability by Lorrie Faith Cranor and Simson Garfinkel.

Full Story (comments: none)

No Starch Press Releases "The TCP/IP Guide"

No Starch Press has published The TCP/IP Guide by Charles M. Kozierok.

Full Story (comments: none)

Resources

The LDP Weekly News

The September 21, 2005 edition of the Linux Documentation Project Weekly News is out with the latest new documentation releases.

Comments (none posted)

Tutorial: Setting up a firewall with Debian

Matt LaPlante has put together a detailed, multi-step tutorial on creating a firewall using Debian. Basic setup, firewall rules, and several protocols are covered now, with some advanced sections (PPTP, IPSec, ...) "coming soon."

Comments (1 posted)

Contests and Awards

Florian Mueller nominated for Europeans of the Year awards

Florian Mueller has announced his nomination for the European Voice EV50 Europeans of the Year award. "Florian Mueller, the founder of the NoSoftwarePatents.com campaign, has been nominated for the most prestigious award in EU politics, the "EV50 Europeans of the Year". The campaigner, who successfully opposed an EU directive on software patents, now has the chance to become "EU Campaigner of the Year" or even the overall "European of the Year"."

Full Story (comments: none)

Surveys

ONJava 2005 Reader Survey Results, Part 1 (O'ReillyNet)

O'Reilly presents part one of the 2005 ONJava Reader Survey results. Included are some language usage statistics from the Java community: "There's some interesting volatility in the middle tier of responses to this question. C/C++ is used by 18 percent of our readers, down from 27 percent last year. Are there more Java-only developers, is there less need for JNI, or is there some other factor? Other languages are down in this year's survey, including C# (down five points to ten percent), Perl (down seven points to 17 percent), PHP (down four points to 20 percent), and Python (down eight points to 11 percent). VB and Ruby were up slightly. Of the write-ins, only JavaScript (two percent) was mentioned in significant numbers."

Comments (4 posted)

Upcoming Events

EFF Hosts 15th Anniversary Bash

The Electronic Frontier Foundation will hold a 15th Anniversary Bash on October 2, 2005 in San Francisco, CA. "Please join us for delicious Mexican food and drinks from Pancho Villa and a 3-D cake. You'll also hear a special address from our founders, John Perry Barlow and John Gilmore. Our musical guests are Gypsy Jazz from the Zegnotronic Rocket Society and DJ Ripley and Kid Kameleon."

Full Story (comments: none)

FOSS.IN 2005

The event formerly known as Linux-Bangalore has reworked itself as FOSS.IN. The conference has been expanded, and will be held from November 29 to December 2 at the Bangalore Palace. For those who wish to present there, the call for participation has gone out, with submissions due by October 8.

Comments (none posted)

Proposals for the 2006 MySQL Users Conference Now Being Accepted

A call for proposals has gone out for the 2006 MySQL Users Conference. The event takes place in Santa Clara, CA on April 24-27, 2006; presentations are due by November 7.

Full Story (comments: none)

Events: September 29 - November 24, 2005

Date | Event | Location
September 29 - 30, 2005 | OpenOffice.org Conference 2005 (OO.oCon) | Koper (Capodistria), Slovenia
September 29, 2005 | Hack in the Box Security Conference (HITBSecConf2005) | Kuala Lumpur, Malaysia
September 29 - 30, 2005 | IEEE International Conference on Cluster Computing (Cluster 2005) | Boston, Massachusetts
September 30 - October 2, 2005 | Linucon | Austin, Texas
October 1, 2005 | Ohio LinuxFest 2005 | Columbus, OH
October 2 - 5, 2005 | Gelato October 2005 Meeting for Linux on Itanium | Porto Alegre, Brazil
October 5 - 6, 2005 | LinuxWorld London | Olympia, London, UK
October 5 - 7, 2005 | Web 2.0 Conference (Argent Hotel) | San Francisco, CA
October 6, 2005 | Fedora Users and Developers Conference (FUDCon London) (LinuxWorld Conference and Expo UK) | London, UK
October 6, 2005 | Boston PHP User Group Security Meeting | Boston, Mass.
October 7 - 9, 2005 | Indie Games Con 2005 (IGC) | Eugene, Oregon
October 8 - 10, 2005 | GNOME Boston Summit (Gates Building) | Cambridge, MA
October 8, 2005 | LinuxForum BOF-dag | Denmark
October 12 - 13, 2005 | IT Underground (ITU) | Warsaw, Poland
October 13 - 14, 2005 | Open Source Desktop Workshops | San Diego, CA
October 13, 2005 | @System Security Conference | Pisa, Italy
October 14 - 15, 2005 | HackLu 2005 (Chambre des Metiers) | Kirchberg, Luxembourg
October 14 - 16, 2005 | Blender Conference 2005 (De Waag) | Amsterdam, the Netherlands
October 16 - 23, 2005 | piksel05 | Bergen, Norway
October 17 - 20, 2005 | O'Reilly European Open Source Convention (EuroOSCON) (NH Grand Hotel Krasnapolsky) | Amsterdam, the Netherlands
October 18 - 21, 2005 | Zend/PHP Conference and Expo 2005 (Hyatt Regency SF Airport Hotel) | Burlingame, CA
October 18, 2005 | Dynamic Languages Symposium 2005 (DLS05) | San Diego, CA
October 19 - 21, 2005 | Australian Unix Users Group Conference 2005 (AUUG) | Sydney, Australia
October 24 - 28, 2005 | 12th Annual Tcl/Tk Conference (Red Lion Hotel) | Portland, Oregon
October 30, 2005 | |
October 31 - November 11, 2005 | Ubuntu Below Zero (downtown Holiday Inn) | Montreal, Canada
November 6 - 9, 2005 | International PHP Conference 2005 | Frankfurt, Germany
November 7 - 9, 2005 | Open Source Database Conference 05 (NH-Hotel Frankfurt-Mörfelden) | Frankfurt, Germany
November 8 - 9, 2005 | Association Française des Utilisateurs de PHP (AFUP) | Paris, France
November 13 - 15, 2005 | Firebird Conference 2005 (Hotel Olsanka) | Prague, Czech Republic
November 15 - 18, 2005 | Embedded Technology 2005 (ET2005) | Yokohama, Japan
November 15 - 17, 2005 | LinuxWorld Germany | Frankfurt, Germany
November 18, 2005 | European Gentoo developer meeting | Schloss Kransberg, Germany
November 20 - 23, 2005 | 5tas Jornadas Regionales de Software Libre | Rosario, Santa Fe, Argentina

Comments (none posted)

Web sites

remix.linux - a CMS for linux audio users

The remix.linux site has been launched. "remix.linux provides a place for subscribers of the Linux Audio Users list to share/remix/extend/master each other's work, with the freedoms offered by Creative Commons licenses. It is inspired by ccMixter and powered by ccHost. While the emphasis is on samples and remixing, anyone who doesn't have access to a webserver to put their original songs may upload complete songs here (though you are encouraged to make the separate tracks available, too)."

Full Story (comments: none)

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds