LWN.net Logo

LWN.net Weekly Edition for October 6, 2005

The broadcast flag returns

The broadcast flag is an attempt to mandate the use of digital restrictions management (DRM) technology with U.S digital television and radio broadcasts. In short, the broadcast flag regulations, as adopted by the Federal Communications Commission, would require that reception equipment honor a "do not copy" bit in a digital signal. The end result is that, among other things, free TV and radio systems would not be allowed, since they would fail the "robustness" requirement in the regulations. Happily, a federal court threw out the broadcast regulation last May, ruling that the FCC was not authorized to regulate what a piece of equipment does with a signal after reception.

The return of the broadcast flag was inevitable; the commercial interests behind this sort of regulation never give up that easily - or at all. Even so, the return of the broadcast flag has been surprisingly quick. Twenty U.S. members of Congress are now pushing for legislation which would give the FCC the regulatory authority it currently lacks. Susan Crawford has posted the proposed language:

The Federal Communications Commission (a) has authority to adopt such regulations governing digital audio broadcast transmissions and digital audio receiving devices that are appropriate to control the unauthorized copying and redistribution of digital audio content by or over digital reception devices, related equipment, and digital networks, including regulations governing permissible copying and redistribution of such audio content....

This language is quite broad - the FCC would be empowered to regulate "digital networks" in whatever ways it sees fit to keep the entertainment industry happy. It does not take much imagination to foresee heavy-handed rules which are not particularly friendly to free software. This legislation needs to be defeated; BoingBoing has a list of offending "congressjerks" and their contact information. We don't doubt that they would be delighted to hear from their constituents on this matter.

The broadcast flag looks like a U.S. problem, but the situation in Europe is similar. The EFF has just posted a report on the activities of the Digital Video Broadcasting project, a body which sets television standards for use in Europe, Australia, and even parts of Asia. The upcoming DVB standard contains some familiar provisions:

This project is called Content Protection and Copy Management (CPCM), and the DVB has put it centre-stage in its plans for DVB 3.0, the forthcoming version of the DVB standard. The scope of the U.S. broadcast flag regulation was relatively narrow -- the redistribution control flag could only be present or absent. DVB CPCM, by contrast, is specifying remarkably fine-grained and elaborate means by which broadcasters can control the detailed functionality of receiving devices. In effect, CPCM and its constituent specifications amount to a complicated, lengthy, and, at present, secret body of private law that describes rules and restrictions potentially applicable to all manufacturers of DTV devices.

The CPCM includes provisions for "proximity control" and such, regulating just how far a digital signal can be propagated. It includes a revocation feature allowing existing hardware to be disabled should the industry conclude that it has been compromised. The inevitable "robustness requirement" will make it impossible to create digital television systems with free software. The CPCM, in other words, is the broadcast flag, only worse.

A broadcast flag for Europe is not inevitable. The process which CPCM will have to follow is long: it must be adopted as a European telecommunications standard, then mandated by law in each nation. There is plenty of warning, and no end of good reasons to fight back. With effort - and luck - our ability to create free television systems can be preserved on both sides of the Atlantic.

Comments (6 posted)

The Battle for Wesnoth hits 1.0

At linux.conf.au 2005 in Canberra, kernel hacker Rusty Russell was heard to voice a complaint. It seems that he had discovered The Battle for Wesnoth, and his productivity had suffered ever since. He mentioned it again some months later in Ottawa, so one presumes that the problem had not yet gone away. Rusty is [Wesnoth screenshot] not the only developer who has been afflicted by the Wesnoth disease over the last year. If the pace of free software development appears to have slowed recently, Wesnoth may well be to blame.

Battle for Wesnoth 1.0 was released on October 2. Your editor, being a serious type, does not normally see fit to play computer games (those past episodes with DND, rogue, empire, netrek, nethack, etc. were just aberrations, honest). But a 1.0 release of a popular, GPL-licensed game calls out for investigation; journalistic ethics require it. So your editor pulled down the new release and checked it out. For a while. In fact, the LWN Weekly Edition almost did not happen this week, and it's all Wesnoth's fault.

Wesnoth is a two-dimensional swords, sorcery, and strategy game. In its most basic form, the player must lead an army of elvish fighters against the enemy (played by the computer), occupy villages, rape, pillage, and wipe out the opposing leader. There is a variety of different character types with different capabilities, and characters grow with experience. The game includes a tutorial which makes getting started easy. There is also a pleasant set of musical tracks and (sometimes less pleasant) sound effects that go with the game. Your editor did not know, previously, that ghosts would grunt when struck.

[Editor screenshot] The game was designed to be extended. An editor packaged with Wesnoth (and which is fun to work with in its own right) makes it easy to design battlefields, and tools are available for the creation of complete games. Many "campaigns" designed by users are hosted on the central Wesnoth server; they are easily downloaded from within the game and played. Wesnoth also offers multi-player operation.

It has often been said that gaming is one area where free software will never come close to the proprietary competition. The high expense and hit-oriented nature of the commercial game industry simply sets the bar too high. And, in fact, Wesnoth is still a far cry from commercial battle games available for proprietary platforms. The turn-oriented play, relatively simple animation, and hexagonal-grid landscape all look primitive compared to a high-budget commercial game.

But the gap is closing. Wesnoth as a game is engaging, challenging, and visually and aurally pleasing. Wesnoth may not be able to compete with the latest commercial blockbuster, but it does demonstrate that the free software community is getting better at creating games. In this area, as with many others, our reach is increasing.

There is another important aspect to Wesnoth's success which was also pointed out by Rusty. There is plenty of good programming in Wesnoth, but it doesn't stop there. Somebody has spent quite a bit of time designing graphics and animated effects. Others have contributed music which one is tempted to leave playing even after one has been crushed by the opposition and seen one's castles go up in flames. As free software develops, there will be more need for people who can make these kinds of contributions. Wesnoth has set an example - applicable to a much wider range of development projects - on how non-code contributors can be welcomed. For that, if nothing else, the Wesnoth 1.0 release deserves hearty congratulations.

Now your editor must go off and retry The Eastern Invasion one more time...

Comments (26 posted)

Page editor: Jonathan Corbet

Security

Complete coverage in Linux security modules

The Linux Security Module (LSM) framework is intended to allow security modules to lock down a system by inserting checks whenever the kernel is about to do something interesting. A security module hooks into those check points and, for each operation, convinces itself that the operation is allowed by the security policy currently in force. This approach can work well if checks have been placed in all of the relevant locations. A missing check could open a door allowing a user-space process to do something which the site's policy would disallow.

Kostik Belousov recently noticed this sort of problem in the 2.6 kernel: it seems that the readv() and writev() system calls ran without calling the associated LSM hook. The missing check means that a process which uses these calls (rather than read() or write()) could perform file I/O which was not subject to oversight by any security modules currently loaded in the system. The practical effect of this vulnerability is minimal: any security module worth its bits will have done its access checks when the file is opened, so the ability to do unchecked reads and writes should not open any gaping holes in the system.

The more important point is how easily this sort of opening can come about. When the security modules patch was originally merged into the kernel, it included checks on readv() and writev(). But those system calls were later rewritten, and the LSM hooks fell by the wayside. This change apparently happened around 2.5.47, but it only came to light now.

Most kernel developers are only peripherally aware of the LSM system. Very few of them know how to code an LSM call, and the rules for the insertion of LSM checks are not particularly well documented. Code which is missing an LSM call still appears to work just fine in normal testing and use. The end result of all this is that it is trivially easy to omit an important check, or to delete one by accident. Such mistakes can then go unnoticed for years.

Anybody who depends on a Linux security module (such as SELinux) is depending on comprehensive checking within the kernel. But, as has been demonstrated here, it is hard to feel sure that the LSM checks are, indeed comprehensive. There are many code paths through the kernel. When a relatively simple system call can go unprotected for so long, how secure do we feel about the more complex paths? It would seem that a thorough audit is called for. An automated audit might even be better; it may well be possible to adapt a tool like sparse to detect unchecked paths through the kernel. Some work in this area could do a lot to increase the level of trust which can be placed in LSM-based modules.

Comments (6 posted)

New vulnerabilities

abiword: buffer overflow

Package(s):abiword CVE #(s):CAN-2005-2964
Created:September 29, 2005 Updated:November 14, 2005
Description: The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user.
Alerts:
Debian DSA-894-1 2005-11-14
Gentoo 200510-17 2005-10-20
Ubuntu USN-203-1 2005-10-13
Fedora FEDORA-2005-955 2005-09-30
Gentoo 200509-20 2005-09-30
Ubuntu USN-188-1 2005-09-29

Comments (none posted)

apachetop: insecure temporary file

Package(s):apachetop CVE #(s):CAN-2005-2660
Created:October 4, 2005 Updated:October 5, 2005
Description: Eric Romang discovered an insecurely created temporary file in apachetop, a realtime monitoring tool for the Apache webserver that could be exploited with a symlink attack to overwrite arbitrary files with the user id that runs apachetop.
Alerts:
Debian DSA-839-1 2005-10-04

Comments (none posted)

arc: temporary file vulnerabilities

Package(s):arc CVE #(s):CAN-2005-2945 CAN-2005-2992
Created:October 5, 2005 Updated:October 5, 2005
Description: The arc archiver program suffers from two independent temporary file vulnerabilities.
Alerts:
Debian DSA-843-1 2005-10-05

Comments (none posted)

backupninja: insecure temporary file

Package(s):backupninja CVE #(s):
Created:September 30, 2005 Updated:October 5, 2005
Description: Moritz Muehlenhoff discovered the handler code for backupninja creates a temporary file with a predictable filename, leaving it vulnerable to a symlink attack.
Alerts:
Debian DSA-827-1 2005-09-29

Comments (none posted)

Berkeley MPEG Tools: multiple insecure temporary files

Package(s):mpeg-tools CVE #(s):CAN-2005-3115
Created:October 3, 2005 Updated:October 5, 2005
Description: Mike Frysinger of the Gentoo Security Team discovered that mpeg_encode and the conversion utilities were creating temporary files with predictable or fixed filenames. The 'test' make target of the MPEG Tools also relied on several temporary files created insecurely.
Alerts:
Gentoo 200510-02 2005-10-03

Comments (none posted)

cfengine: insecure temporary files

Package(s):cfengine CVE #(s):CAN-2005-2960
Created:October 3, 2005 Updated:October 14, 2005
Description: Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.
Alerts:
Mandriva MDKSA-2005:184 2005-10-13
Ubuntu USN-198-1 2005-10-10
Debian DSA-836-1 2005-10-01
Debian DSA-835-1 2005-10-01

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

gopher: buffer overflows

Package(s):gopher CVE #(s):CAN-2005-2772
Created:September 30, 2005 Updated:October 5, 2005
Description: Several buffer overflows have been discovered in gopher, a text-oriented client for the Gopher Distributed Hypertext protocol, that can be exploited by a malicious Gopher server.
Alerts:
Debian DSA-832-1 2005-09-30

Comments (1 posted)

gtkdiskfree: insecure temp file

Package(s):gtkdiskfree CVE #(s):CAN-2005-2918
Created:September 29, 2005 Updated:October 5, 2005
Description: The gtkdiskfree utility creates temporary files in an insecure manner.
Alerts:
Gentoo 200510-01 2005-10-03
Debian DSA-822-1 2005-09-29

Comments (none posted)

Hylafax: insecure temporary file creation in xferfaxstats

Package(s):hylafax CVE #(s):CAN-2005-3069
Created:September 30, 2005 Updated:October 13, 2005
Description: Javier Fernandez-Sanguino has discovered that xferfaxstats cron script supplied by Hylafax < 4.2.2 insecurely creates temporary files with predictable filenames.
Alerts:
Debian DSA-865-1 2005-10-13
Mandriva MDKSA-2005:177 2005-10-07
Gentoo 200509-21 2005-09-30

Comments (none posted)

mod-auth-shadow: authorization bypass

Package(s):mod-auth-shadow CVE #(s):CAN-2005-2963
Created:October 5, 2005 Updated:October 27, 2005
Description: The apache mod-auth-shadow module can, incorrectly, override other authorization mechanisms, allowing access which would otherwise be denied.
Alerts:
Mandriva MDKSA-2005:200 2005-10-27
Debian DSA-844-1 2005-10-05

Comments (none posted)

ntlmaps: wrong permissions

Package(s):ntlmaps CVE #(s):CAN-2005-2962
Created:September 30, 2005 Updated:October 5, 2005
Description: Drew Parsons noticed that the post-installation script of ntlmaps, an NTLM authorization proxy server, changes the permissions of the configuration file to be world-readable. It contains the user name and password of the Windows NT system that ntlmaps connects to and, hence, leaks them to local users.
Alerts:
Debian DSA-830-1 2005-09-30

Comments (none posted)

prozilla: arbitrary code execution

Package(s):prozilla CVE #(s):CAN-2005-2961
Created:October 3, 2005 Updated:October 5, 2005
Description: Tavis Ormandy discovered a buffer overflow in prozilla, a multi-threaded download accelerator, which may be exploited to execute arbitrary code.
Alerts:
Debian DSA-834-1 2005-10-01

Comments (none posted)

squid: authentication handling

Package(s):squid CVE #(s):CAN-2005-2917
Created:September 30, 2005 Updated:March 15, 2006
Description: Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart.
Alerts:
Red Hat RHSA-2006:0045-01 2006-03-15
Red Hat RHSA-2006:0052-01 2006-03-07
Fedora-Legacy FLSA:152809 2006-02-18
Mandriva MDKSA-2005:181 2005-10-11
Ubuntu USN-192-1 2005-09-30
Debian DSA-828-1 2005-09-30

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

uim: privilege escalation

Package(s):uim CVE #(s):CVE-2005-3149
Created:October 4, 2005 Updated:December 7, 2005
Description: Masanari Yamamoto discovered that Uim uses environment variables incorrectly. This bug causes a privilege escalation if setuid/setgid applications are linked to libuim. This bug only affects immodule-enabled Qt (if you build Qt 3.3.2 or later versions with USE="immqt" or USE="immqt-bc").
Alerts:
Debian-Testing DTSA-22-1 2005-12-05
Debian DSA-895-1 2005-11-14
Mandriva MDKSA-2005:198 2005-10-26
Gentoo 200510-03 2005-10-04

Comments (none posted)

unzip: race condition

Package(s):unzip CVE #(s):CAN-2005-2475
Created:September 29, 2005 Updated:January 12, 2006
Description: Unzip has a race condition vulnerability in the handling of output files. During file unpacking, a local attacker can modify the permissions of arbitrary files in the victim's directory.
Alerts:
Debian DSA-903-2 2006-01-12
Debian DSA-903-1 2005-11-21
Mandriva MDKSA-2005:197 2005-10-26
Trustix TSLSA-2005-0053 2005-09-30
Ubuntu USN-191-1 2005-09-29

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

apache information disclosure if modssl=yes

Package(s):apache CVE #(s):CAN-2005-2700
Created:September 2, 2005 Updated:November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
Fedora-Legacy FLSA:166941 2005-11-09
Gentoo 200509-12 2005-09-19
SuSE SUSE-SA:2005:052 2005-09-12
Red Hat RHSA-2005:773-01 2005-09-15
Slackware SSA:2005-251-03 2005-09-14
Debian DSA-807-1 2005-09-12
Slackware SSA:2005-251-02 2005-09-09
Fedora FEDORA-2005-849 2005-09-07
Mandriva MDKSA-2005:161 2005-09-08
Fedora FEDORA-2005-848 2005-09-07
Debian DSA-805-1 2005-09-08
Ubuntu USN-177-1 2005-09-07
Red Hat RHSA-2005:608-01 2005-09-06
OpenPKG OpenPKG-SA-2005.017 2005-09-02

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Debian DSA-892-1 2005-11-10
Gentoo 200508-07 2005-08-16
Ubuntu USN-167-1 2005-08-11

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CAN-2005-2919 CAN-2005-2920
Created:September 19, 2005 Updated:September 29, 2005
Description: The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables.
Alerts:
Debian DSA-824-1 2005-09-29
SuSE SUSE-SA:2005:055 2005-09-26
Trustix TSLSA-2005-0051 2005-09-23
Debian-Testing DTSA-19-1 2005-09-22
Mandriva MDKSA-2005:166 2005-09-20
Gentoo 200509-13 2005-09-19

Comments (none posted)

common-lisp-controller: design error

Package(s):common-lisp-controller CVE #(s):CAN-2005-2657
Created:September 14, 2005 Updated:November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
Debian DSA-811-2 2005-11-21
Debian DSA-811-1 2005-09-14

Comments (none posted)

courier: missing input sanitizing

Package(s):courier CVE #(s):CAN-2005-2820
Created:September 26, 2005 Updated:October 11, 2005
Description: Jakob Balle discovered that with "Conditional Comments" in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer.
Alerts:
Ubuntu USN-201-1 2005-10-11
Debian DSA-820-1 2005-09-24

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

cups: denial of service

Package(s):cups CVE #(s):CAN-2005-2874
Created:September 22, 2005 Updated:September 28, 2005
Description: CUPS has a vulnerability that can be triggered by processing corrupted HTTP requests. A remote user can use this to cause a denial of service.
Alerts:
Red Hat RHSA-2005:772-01 2005-09-27
Fedora FEDORA-2005-908 2005-09-22

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

elm: buffer overflow

Package(s):elm CVE #(s):CAN-2005-2665
Created:August 23, 2005 Updated:November 11, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
Alerts:
Slackware SSA:2005-311-01 2005-11-08
Red Hat RHSA-2005:755-01 2005-08-23

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: dissector vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366
Created:July 28, 2005 Updated:October 10, 2005
Description: The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues.
Alerts:
Debian DSA-853-1 2005-10-09
Red Hat RHSA-2005:687-01 2005-08-10
Mandriva MDKSA-2005:131 2005-08-04
Fedora FEDORA-2005-655 2005-07-29
Fedora FEDORA-2005-651 2005-07-28
Gentoo 200507-27 2005-07-28

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

HelixPlayer: arbitrary code execution

Package(s):HelixPlayer CVE #(s):CAN-2005-2710
Created:September 27, 2005 Updated:October 10, 2005
Description: A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer.
Alerts:
SuSE SUSE-SA:2005:059 2005-10-10
Gentoo 200510-07 2005-10-07
Debian DSA-826-1 2005-09-29
Fedora FEDORA-2005-941 2005-09-27
Fedora FEDORA-2005-940 2005-09-27
Red Hat RHSA-2005:762-02 2005-09-27
Red Hat RHSA-2005:788-01 2005-09-27

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: DoS vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1767 CAN-2005-3044
Created:September 26, 2005 Updated:September 28, 2005
Description: A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767)

Vasiliy Averin discovered a Denial of Service vulnerability in the "tiocgdev" ioctl call and in the "routing_ioctl" function. By calling fget() and fput() in special ways, a local attacker could exploit this to destroy file descriptor structures and crash the kernel. (CAN-2005-3044)

Alerts:
Red Hat RHSA-2005:663-01 2005-09-28
Ubuntu USN-187-1 2005-09-25

Comments (none posted)

kernel: buffer overflow

Package(s):kernel CVE #(s):CAN-2005-2490 CAN-2005-2492
Created:September 22, 2005 Updated:October 5, 2005
Description: The Linux kernel has a stack-based buffer overflow problem in the sendmsg function. Local users may use this to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:514-01 2005-10-05
Mandriva MDKSA-2005:171 2005-10-03
Fedora FEDORA-2005-906 2005-09-22
Fedora FEDORA-2005-905 2005-09-22

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lm-sensors: insecure temp files

Package(s):lm-sensors CVE #(s):CAN-2005-2672
Created:August 23, 2005 Updated:November 10, 2005
Description: Javier Fernández-Sanguino Peña noticed that the pwmconfig script created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with full root privileges since pwmconfig is usually executed by root.
Alerts:
Red Hat RHSA-2005:825-01 2005-11-10
Fedora FEDORA-2005-1054 2005-11-07
Fedora FEDORA-2005-1053 2005-11-07
Debian-Testing DTSA-17-1 2005-09-15
Debian DSA-814-1 2005-09-15
Gentoo 200508-19 2005-08-30
Mandriva MDKSA-2005:149 2005-08-25
Ubuntu USN-172-1 2005-08-23

Comments (1 posted)

Mailutils: format string vulnerability in imap4d

Package(s):mailutils CVE #(s):CAN-2005-2878
Created:September 19, 2005 Updated:October 13, 2005
Description: The imap4d server contains a format string bug in the handling of IMAP SEARCH requests.
Alerts:
Debian-Testing DTSA-20-1 2005-10-13
Debian DSA-841-1 2005-10-04
Gentoo 200509-10 2005-09-17

Comments (none posted)

masqmail: input sanitizing and symlink vulnerabilities

Package(s):masqmail CVE #(s):CAN-2005-2662 CAN-2005-2663
Created:September 21, 2005 Updated:October 10, 2005
Description: Masqmail fails to properly sanitize addresses when sending failed mail, allowing a local attacker to run arbitrary commands as the mail user. There is also a symlink vulnerability which can be exploited to overwrite files.
Alerts:
Debian DSA-848-1 2005-10-08
Mandriva MDKSA-2005:168 2005-09-20

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

mozilla: buffer overflow

Package(s):mozilla CVE #(s):CAN-2005-2871
Created:September 12, 2005 Updated:October 20, 2005
Description: The Mozilla browser, Firefox and Thunderbird have a buffer overflow vulnerability. A local user can be tricked into clicking URL that can cause the local application to crash, and possibly execute arbitrary code. See this article for more information.
Alerts:
Debian DSA-868-1 2005-10-20
Debian DSA-866-1 2005-10-20
Red Hat RHSA-2005:791-01 2005-10-06
Slackware SSA:2005-278-01 2005-10-06
Debian DSA-837-1 2005-10-02
Fedora FEDORA-2005-963 2005-09-30
Fedora FEDORA-2005-962 2005-09-30
Gentoo 200509-11 2005-09-18
Ubuntu USN-181-1 2005-09-12
Red Hat RHSA-2005:769-01 2005-09-09
Red Hat RHSA-2005:768-01 2005-09-09
Fedora FEDORA-2005-873 2005-09-10
Fedora FEDORA-2005-874 2005-09-10
Fedora FEDORA-2005-871 2005-09-10
Fedora FEDORA-2005-872 2005-09-10

Comments (none posted)

mysql: buffer overflow

Package(s):mysql CVE #(s):CAN-2005-2558
Created:September 12, 2005 Updated:January 12, 2006
Description: The mysql CREATE FUNCTION can be used to create a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server.
Alerts:
Fedora-Legacy FLSA:167803 2006-01-10
Ubuntu USN-180-2 2005-12-05
OpenPKG OpenPKG-SA-2005.024 2005-12-03
Debian DSA-833-2 2005-10-04
Debian DSA-833-1 2005-10-01
Debian DSA-831-1 2005-09-30
Debian DSA-829-1 2005-09-30
Mandriva MDKSA-2005:163 2005-09-12
Ubuntu USN-180-1 2005-09-12

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openssh: GSSAPI credential disclosure

Package(s):openssh CVE #(s):CAN-2005-2798
Created:September 7, 2005 Updated:February 3, 2006
Description: OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Alerts:
SuSE SUSE-SR:2006:003 2006-02-03
Ubuntu USN-209-1 2005-10-17
Mandriva MDKSA-2005:172 2005-10-06
Red Hat RHSA-2005:527-01 2005-10-05
Fedora FEDORA-2005-860 2005-09-12
Trustix TSLSA-2005-0047 2005-09-09
Fedora FEDORA-2005-858 2005-09-07

Comments (none posted)

OpenSSL: information leak

Package(s):openssl CVE #(s):CAN-2005-0109
Created:May 23, 2005 Updated:October 11, 2005
Description: Hyper-Threading technology, as used in FreeBSD other operating systems and implemented on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. See this LWN article for more information.
Alerts:
Trustix TSLSA-2005-0028 2005-06-13
Mandriva MDKSA-2005:096 2005-06-06
Red Hat RHSA-2005:476-01 2005-06-01
Fedora FEDORA-2005-390 2005-05-23
Fedora FEDORA-2005-389 2005-05-23

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

openvpn: multiple vulnerabilities

Package(s):openvpn CVE #(s):CAN-2005-2531 CAN-2005-2532 CAN-2005-2533 CAN-2005-2534
Created:August 23, 2005 Updated:October 10, 2005
Description: A number of vulnerabilities were discovered in OpenVPN that were fixed in the 2.0.1 release:

A DoS attack against the server when run with "verb 0" and without "tls-auth" when a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed. This could result in another unrelated client instance on the server seeing the error and responding to it, resulting in a disconnection of the unrelated client.

A DoS attack against the server by an authenticated client that sends a packet which fails to decrypt on the server, the OpenSSL error queue was not properly flushed. This could result in another unrelated client instance on the server seeing the error and responding to it, resulting in a disconnection of the unrelated client.

A DoS attack against the server by an authenticated client is possible in "dev tap" ethernet bridging mode where a malicious client could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, resulting in the OpenVPN process exhausting system virtual memory.

If two or more client machines tried to connect to the server at the same time via TCP, using the same client certificate, a race condition could crash the server if --duplicate-cn is not enabled on the server.

Alerts:
Debian DSA-851-1 2005-10-09
Mandriva MDKSA-2005:145 2005-08-22

Comments (none posted)

opera: script insertion attacks

Package(s):opera CVE #(s):CAN-2005-3006 CAN-2005-3007
Created:September 26, 2005 Updated:September 28, 2005
Description: Attached files are opened without any warnings directly from the user's cache directory. This can be exploited to execute arbitrary Javascript in context of "file://". Normally, filename extensions are determined by the "Content-Type" in Opera Mail. However, by appending an additional '.' to the end of a filename, an HTML file could be spoofed to be e.g. "image.jpg.". These two vulnerabilities combined may be exploited to conduct script insertion attacks if the user chooses to view an attachment named e.g. "image.jpg." e.g. resulting in disclosure of local files. These are fixed in Opera 8.50.
Alerts:
SuSE SUSE-SA:2005:057 2005-09-26

Comments (none posted)

pam_ldap: plain text authentication leak

Package(s):pam_ldap CVE #(s):CAN-2005-2069
Created:July 14, 2005 Updated:October 17, 2005
Description: pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an attacker to sniff unencrypted passwords and other information.
Alerts:
Red Hat RHSA-2005:767-01 2005-10-17
Red Hat RHSA-2005:751-01 2005-10-17
SuSE SUSE-SR:2005:020 2005-09-12
Ubuntu USN-152-1 2005-07-21
Mandriva MDKSA-2005:121 2005-07-18
Gentoo 200507-13 2005-07-14

Comments (none posted)

pcre3: arbitrary code execution

Package(s):pcre3 CVE #(s):CAN-2005-2491
Created:August 23, 2005 Updated:March 10, 2006
Description: A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library.
Alerts:
Red Hat RHSA-2006:0197-01 2006-03-09
Fedora-Legacy FLSA:168516 2006-03-07
Debian DSA-821-1 2005-09-28
Debian DSA-819-1 2005-09-23
Debian DSA-817-1 2005-09-22
Gentoo 200509-08 2005-09-12
Red Hat RHSA-2005:358-01 2005-09-08
Red Hat RHSA-2005:761-02 2005-09-08
Trustix TSLSA-2005-0045 2005-08-26
OpenPKG OpenPKG-SA-2005.018 2005-09-05
SuSE SUSE-SA:2005:051 2005-09-05
Gentoo 200509-02 2005-09-03
Debian DSA-800-1 2005-09-02
Ubuntu USN-173-4 2005-08-31
Slackware SSA:2005-242-01 2005-08-31
SuSE SUSE-SA:2005:049 2005-08-30
SuSE SUSE-SA:2005:048 2005-08-30
Ubuntu USN-173-3 2005-08-30
Mandriva MDKSA-2005:155 2005-08-29
Mandriva MDKSA-2005:154 2005-08-26
Mandriva MDKSA-2005:153 2005-08-26
Mandriva MDKSA-2005:151 2005-08-25
Mandriva MDKSA-2005:152 2005-08-25
Gentoo 200508-17 2005-08-25
Ubuntu USN-173-2 2005-08-24
Fedora FEDORA-2005-803 2005-08-24
Fedora FEDORA-2005-802 2005-08-24
Ubuntu USN-173-1 2005-08-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CAN-2005-2498
Created:August 19, 2005 Updated:October 4, 2005
Description: A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user.
Alerts:
Debian DSA-842-1 2005-10-04
Debian DSA-840-1 2005-10-04
Gentoo 200509-19 2005-09-27
Debian-Testing DTSA-15-1 2005-09-13
Slackware SSA:2005-251-04 2005-09-09
Debian DSA-798-1 2005-09-02
Slackware SSA:2005-242-02 2005-08-31
Gentoo 200508-21 2005-08-31
Gentoo 200508-20 2005-08-30
Debian DSA-789-1 2005-08-29
Gentoo 200508-18 2005-08-26
Fedora FEDORA-2005-810 2005-08-25
Fedora FEDORA-2005-809 2005-08-25
Gentoo 200508-14 2005-08-24
Gentoo 200508-13 2005-08-24
Mandriva MDKSA-2005:146 2005-08-22
Ubuntu USN-171-1 2005-08-20
Red Hat RHSA-2005:748-01 2005-08-19

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
Alerts:
Debian DSA-1021-1 2006-03-28
Debian DSA-792-1 2005-08-31
Red Hat RHSA-2005:743-01 2005-08-22
Fedora FEDORA-2005-728 2005-08-17
Fedora FEDORA-2005-727 2005-08-17
Ubuntu USN-164-1 2005-08-11
Mandriva MDKSA-2005:133 2005-08-09
Gentoo 200508-04 2005-08-05
Gentoo 200507-29 2005-07-31

Comments (2 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)

qt: buffer overflow in zlib

Package(s):qt CVE #(s):
Created:September 26, 2005 Updated:September 28, 2005
Description: Qt links to a bundled vulnerable version of zlib when emerged with the zlib USE-flag disabled. This may lead to a buffer overflow. By creating a specially crafted compressed data stream, attackers can overwrite data structures for applications that use Qt, resulting in a Denial of Service or potentially arbitrary code execution.
Alerts:
Gentoo 200509-18 2005-09-26

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on XMLRPC servers.
Alerts:
Gentoo 200510-05 2005-10-06
Red Hat RHSA-2005:543-01 2005-08-05
Mandriva MDKSA-2005:118 2005-07-12
Gentoo 200507-10 2005-07-11
Debian DSA-748-1 2005-07-10
Ubuntu USN-146-1 2005-06-29
Fedora FEDORA-2005-475 2005-06-22
Fedora FEDORA-2005-474 2005-06-22

Comments (none posted)

shorewall: rule bypass vulnerability

Package(s):shorewall CVE #(s):CAN-2005-2317
Created:July 21, 2005 Updated:October 10, 2005
Description: Shorewall has a vulnerability in which a client that is accepted by MAC address filtering can bypass other rules, allowing access to all open services on the firewall.
Alerts:
Ubuntu USN-197-1 2005-10-10
Debian DSA-849-1 2005-10-08
Gentoo 200507-20:02 2005-07-22
Gentoo 200507-20 2005-07-22
Mandriva MDKSA-2005:123 2005-07-20

Comments (none posted)

slocate: long path bug

Package(s):slocate CVE #(s):CAN-2005-2499
Created:August 22, 2005 Updated:October 5, 2005
Description: A bug was found in the way slocate processes very long paths. A local user could create a carefully crafted directory structure that would prevent updatedb from completing its file system scan, resulting in an incomplete slocate database.
Alerts:
Red Hat RHSA-2005:346-01 2005-10-05
Red Hat RHSA-2005:345-02 2005-09-28
Mandriva MDKSA-2005:147 2005-08-22
Fedora FEDORA-2005-771 2005-08-22
Fedora FEDORA-2005-770 2005-08-22
Red Hat RHSA-2005:747-02 2005-08-22

Comments (none posted)

smb4k: temporary file vulnerability

Package(s):smb4k CVE #(s):CVE-2005-2851
Created:September 7, 2005 Updated:December 7, 2005
Description: Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
Alerts:
Debian-Testing DTSA-25-1 2005-12-05
Gentoo 200511-15 2005-11-18
Mandriva MDKSA-2005:157 2005-09-06

Comments (none posted)

squid: DoS issues

Package(s):squid CVE #(s):CAN-2005-2794 CAN-2005-2796
Created:September 6, 2005 Updated:November 7, 2005
Description: Squid-2.5.10-r2 and earlier has three Denial of Service issues.
Alerts:
Debian DSA-809-3 2005-11-07
Debian DSA-809-2 2005-09-30
SuSE SUSE-SA:2005:053 2005-09-16
Red Hat RHSA-2005:766-01 2005-09-15
Ubuntu USN-183-1 2005-09-13
Mandriva MDKSA-2005:162 2005-09-12
Debian DSA-809-1 2005-09-13
OpenPKG OpenPKG-SA-2005.021 2005-09-10
Gentoo 200509-06 2005-09-07
Fedora FEDORA-2005-852 2005-09-06
Fedora FEDORA-2005-851 2005-09-06

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

sysreport: insecure temporary file

Package(s):sysreport CVE #(s):CAN-2005-2104
Created:August 9, 2005 Updated:November 11, 2005
Description: Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run.
Alerts:
Fedora FEDORA-2005-1072 2005-11-10
Fedora FEDORA-2005-1071 2005-11-10
Red Hat RHSA-2005:598-01 2005-08-09

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: denial of service

Package(s):tcpdump CVE #(s):CAN-2005-1267
Created:June 9, 2005 Updated:October 10, 2005
Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops.
Alerts:
Debian DSA-854-1 2005-10-09
Slackware SSA:2005-195-10 2005-07-15
Ubuntu USN-141-1 2005-06-21
Mandriva MDKSA-2005:101 2005-06-15
Fedora FEDORA-2005-407 2005-06-16
Gentoo 200505-06:02 2005-05-09
Red Hat RHSA-2005:505-01 2005-06-13
Fedora FEDORA-2005-406 2005-06-09

Comments (none posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

ucd-snmp: denial of service

Package(s):ucd-snmp CVE #(s):CAN-2005-2177
Created:August 9, 2005 Updated:January 27, 2006
Description: A denial of service bug was found in the way ucd-snmp uses network stream protocols. A remote attacker could send a ucd-snmp agent a specially crafted packet which will cause the agent to crash.
Alerts:
Mandriva MDKSA-2006:025 2006-01-26
Ubuntu USN-190-2 2005-11-21
Debian DSA-873-1 2005-10-26
Red Hat RHSA-2005:395-01 2005-10-05
Ubuntu USN-190-1 2005-09-29
Red Hat RHSA-2005:373-01 2005-09-28
Mandriva MDKSA-2005:137 2005-08-11
Red Hat RHSA-2005:720-01 2005-08-09

Comments (none posted)

util-linux: unintentional grant of privileges by umount

Package(s):util-linux CVE #(s):CAN-2005-2876
Created:September 13, 2005 Updated:December 19, 2005
Description: Linux umount command as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information.
Alerts:
Fedora-Legacy FLSA:168326 2005-12-18
Red Hat RHSA-2005:782-01 2005-10-11
SuSE SUSE-SR:2005:021 2005-09-30
Debian DSA-825-1 2005-09-29
Debian DSA-823-1 2005-09-29
Mandriva MDKSA-2005:167 2005-09-20
Gentoo 200509-15 2005-09-20
Ubuntu USN-184-1 2005-09-19
Fedora FEDORA-2005-886 2005-09-14
Fedora FEDORA-2005-887 2005-09-14
Slackware SSA:2005-255-02 2005-09-13

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

webmin, usermin: remote code execution through PAM authentication

Package(s):webmin usermin CVE #(s):CAN-2005-3042
Created:September 26, 2005 Updated:October 7, 2005
Description: Keigo Yamazaki discovered that the miniserv.pl webserver, used in both Webmin and Usermin, does not properly validate authentication credentials before sending them to the PAM (Pluggable Authentication Modules) authentication process. The default configuration shipped with Gentoo does not enable the "full PAM conversations" option and is therefore unaffected by this flaw.
Alerts:
Mandriva MDKSA-2005:176 2005-10-07
Gentoo 200509-17 2005-09-24

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xorg-x11: heap overflow

Package(s):xorg-x11 CVE #(s):CAN-2005-2495
Created:September 12, 2005 Updated:March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow, a local user can use this to execute arbitrary code with elevated privileges.
Alerts:
Fedora-Legacy FLSA:168264-2 2006-03-07
Slackware SSA:2005-269-02 2005-09-26
SuSE SUSE-SA:2005:056 2005-09-26
Debian DSA-816-1 2005-09-19
Fedora FEDORA-2005-894 2005-09-16
Fedora FEDORA-2005-893 2005-09-16
Trustix TSLSA-2005-0049 2005-09-16
Red Hat RHSA-2005:501-01 2005-09-15
Mandriva MDKSA-2005:164 2005-09-13
Red Hat RHSA-2005:396-01 2005-09-13
Red Hat RHSA-2005:329-01 2005-09-12
Ubuntu USN-182-1 2005-09-12
Gentoo 200509-07 2005-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf in that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
Alerts:
Debian DSA-1136-1 2006-08-02
Mandriva MDKSA-2005:138-1 2005-09-19
Debian DSA-780-1 2005-08-22
SuSE SUSE-SR:2005:019 2005-08-19
Fedora FEDORA-2005-732 2005-08-17
Fedora FEDORA-2005-733 2005-08-17
Gentoo 200508-08 2005-08-16
Fedora FEDORA-2005-730 2005-08-15
Fedora FEDORA-2005-729 2005-08-15
Mandriva MDKSA-2005:136 2005-08-11
Mandriva MDKSA-2005:135 2005-08-11
Mandriva MDKSA-2005:134 2005-08-11
Mandriva MDKSA-2005:138 2005-08-11
Red Hat RHSA-2005:708-01 2005-08-10
Red Hat RHSA-2005:706-01 2005-08-09
Red Hat RHSA-2005:671-01 2005-08-09
Red Hat RHSA-2005:670-01 2005-08-09
Ubuntu USN-163-1 2005-08-09

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-2096
Created:July 6, 2005 Updated:October 27, 2005
Description: zlib has a buffer overflow vulnerability that can be exploited by inflation of corrupted files, this can be used to crash zlib or possibly remotely execute code.
Alerts:
Mandriva MDKSA-2005:196 2005-10-26
Debian DSA-797-2 2005-09-28
Fedora FEDORA-2005-565 2005-07-13
Slackware SSA:2005-189-01 2005-07-10
Trustix TSLSA-2005-0034 2005-07-08
Mandriva MDKSA-2005:112 2005-07-06
Fedora FEDORA-2005-523 2005-07-07
Fedora FEDORA-2005-524 2005-07-07
OpenPKG OpenPKG-SA-2005.013 2005-07-07
Ubuntu USN-148-1 2005-07-06
SuSE SUSE-SA:2005:039 2005-07-06
Red Hat RHSA-2005:569-01 2005-07-06
Gentoo 200507-05 2005-07-06
Debian DSA-740-1 2005-07-06

Comments (6 posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-1849
Created:July 21, 2005 Updated:April 11, 2006
Description: zlib has a vulnerability that can cause code that executes it to crash if a corrupted file is opened.
Alerts:
Mandriva MDKSA-2006:070 2006-04-10
Debian DSA-1026-1 2006-04-06
Gentoo 200603-18 2006-03-21
Ubuntu USN-151-4 2005-11-09
Ubuntu USN-151-3 2005-10-28
Fedora-Legacy FLSA:162680 2005-09-14
Debian DSA-797-1 2005-09-01
Gentoo 200508-01 2005-08-01
Gentoo 200507-28 2005-07-30
SuSE SUSE-SA:2005:043 2005-07-28
OpenPKG OpenPKG-SA-2005.014 2005-07-28
Mandriva MDKSA-2005:124 2005-07-22
Slackware SSA:2005-203-03 2005-07-23
Ubuntu USN-151-2 2005-07-22
Fedora FEDORA-2005-626 2005-07-22
Fedora FEDORA-2005-625 2005-07-22
Gentoo 200507-19 2005-07-22
Red Hat RHSA-2005:584-01 2005-07-21
Ubuntu USN-151-1 2005-07-21
Debian DSA-763-1 2005-07-20

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current stable 2.6 release is 2.6.13.3, announced on October 3. It adds a handful of fixes, many in the networking subsystem.

The current 2.6 prepatch is 2.6.14-rc3, released by Linus on September 30. This prepatch is fairly large; most of the patches are small fixes, but there's also some key management improvements, a SCSI update, some netfilter patches, and an InfiniBand update. See the long-format changelog for the details.

Linus's git repository contains a relatively small number of fixes added after -rc3.

The current -mm tree is 2.6.14-rc2-mm2. Recent changes to -mm include the (temporary) dropping of a big set of PCMCIA patches, some memory management work, a workqueue change (uses per-CPU allocations now), and various fixes.

Comments (2 posted)

Kernel development news

Quotes of the week

visionary [n]: onanist with strong exhibitionist tendencies; from "visions", the source of inspiration they refer to when it becomes obvious that they have lost both sight and capacity for rational thought.
-- Al Viro

A "spec" is close to useless. I have _never_ seen a spec that was both big enough to be useful _and_ accurate.

And I have seen _lots_ of total crap work that was based on specs. It's _the_ single worst way to write software, because it by definition means that the software was written to match theory, not reality.

-- Linus Torvalds

Comments (3 posted)

Nested classes

The device model/sysfs "class" subsystem is a mechanism which allows different kernel subsystems to export device-independent interfaces to user space. With a recent kernel, a number of interesting class hierarchies can be found. For example, /sys/class/net represents all of the network interfaces in the system, /sys/class/sound shows the audio devices, and /sys/class/graphics can be used to find frame buffers.

[Network class diagram] The class API has changed little since it was documented in this LWN driver porting article. Kernel code registers a class structure to create a directory in /sys/class, then populates it with class_device objects. This API has worked for some time, but it has its limitations; it forces a two-level class->device structure which is unable to represent all of the relevant data structures in the kernel. For many class hierarchies, such as the network device class tree shown in the diagram to the right, two levels is sufficient. Other subsystems, however, have had trouble with this limitation.

[Block class diagram] Consider, for example, the block subsystem, as represented by the simplified diagram to the left. The block subsystem deals in block devices, of course, and those are represented in the second layer of the diagram. Each block device, however, can contain partitions, which are (virtual) block devices in their own right. Putting all of those partitions in the top layer of the block class hierarchy would lose the relationship between those partitions and the physical devices where they live; the deeper hierarchy truly does make sense. There are also other objects, such as the request queue, which need to be present in the class tree. The fact that the class subsystem cannot represent this structure is one of the reasons why the block layer has its own sysfs subtree, under /sys/block, even though it logically belongs under /sys/class.

This issue recently came to a head when Dmitry Torokhov reworked the input subsystem to make use of sysfs. The input class tree also fails to fit neatly into the class subsystem, though for slightly different reasons. The input layer can export multiple interfaces to the same device; a touch screen can show up as a serial device, as an event generator, or as a mouse, for example. Even a straightforward mouse can appear by itself, or as part of the multiplexed "mice" device.

As a way of representing the structure of the input subsystem, Dmitry implemented a "subclass" mechanism. Various objections to the implementation were raised, however, and Greg Kroah-Hartman went off to design a solution he liked better. His patch has now been posted for review; it is also part of the -mm tree.

Greg's solution does not involve subclasses at all; instead, the class_device structure has acquired a new parent field. The function which creates class_device structures has a new prototype:

    struct class_device *class_device_create(struct class *cls,
					     struct class_device *parent,
					     dev_t devt,
					     struct device *device, 
					     char *fmt, ...);

The parent argument is new. If it is non-NULL, the new class_device will be placed under the parent class_device in sysfs, rather than directly under the class itself. Needless to say, this change breaks all users of the class subsystem; if it goes into the mainline, all out-of-tree code using classes will have to be updated.

This interface should work reasonably well in the block case, where partitions can truly be thought of as child devices. Dmitry is less pleased with it for the input subsystem, however. He would like to be able to set up different hotplug handlers for lower-level entries, but, since those handlers are set up at the class level, an implementation without subclasses does not provide that capability. There are other objections as well; the parent mechanism makes it a little harder to set up the sort of hierarchy Dmitry would like to create, for example.

As of this writing, there has been no further discussion of the interface. There is a distinct chance that it could change before it makes its way into the mainline. In one way or another, however, support for a deeper /sys/class is likely to be merged.

Comments (none posted)

On the value of EXPORT_SYMBOL_GPL

When a loadable module is inserted, any references it makes to kernel functions and data structures must be linked to the current running kernel. The module loader does not provide access to all kernel symbols, however; only those which have been explicitly exported are available. The export requirement narrows the API seen by modules, though not by all that much: there are over 6,000 symbols exported in the 2.6.13 kernel.

Exports come in two flavors: vanilla (EXPORT_SYMBOL) and GPL-only (EXPORT_SYMBOL_GPL). The former are available to any kernel module, while the latter cannot be used by any modules which do not carry a GPL-compatible license. The module loader will enforce this distinction by denying access to GPL-only symbols if the module's declared license does not pass muster. Currently, less that 10% of the kernel's symbols are GPL-only, but the number of GPL-only symbols is growing. There is a certain amount of pressure to make new exports GPL-only in many cases.

It has often been argued that there is no practical difference between the two types of exports. Those who believe that all kernel modules are required by the kernel license to be GPL-licensed see all symbols as being implicitly GPL-only in any case. Another camp, which sees the module interface as a boundary which the GPL cannot cross, does not believe that GPL-only restrictions can be made to stick. In any case, GPL-only symbols can be easily circumvented by patching the kernel, falsely declaring a GPL-compatible license, or by inserting a shim module which provides wider access to the symbols of interest.

Linus, however, believes that GPL-only exports are significant.

I've talked to a lawyer or two, and (a) there's an absolutely _huge_ difference and (b) they liked it.

The fact is, the law isn't a blind and mindless computer that takes what you say literally. Intent matters a LOT. And using the xxx_GPL() version to show that it's an internal interface is very meaningful indeed.

One of the lawyers said that it was a much better approach than trying to make the license explain all the details - codifying the intention in the code itself is not only more flexible, but a lot less likely to be misunderstood.

He also points out that circumventing a GPL-only export requires an explicit action, making it clear that the resulting copyright infringement was a deliberate act.

Regardless of any legal significance they may have, the GPL-only exports do succeed in communicating the will of the large subset of the kernel development community which wants to restrict the use of non-free kernel modules. The outright banning of such modules may not be on the agenda anytime soon, but the functionality available to them is not likely to grow much.

Comments (27 posted)

The Linux Kernel Primer

Your editor recently received a copy of The Linux Kernel Primer, by Claudia Salzberg Rodriguez, Gordon Fischer, and Steven Smolski, published by Prentice Hall. This volume describes itself as "the definitive guide to Linux kernel programming"; it has chapters on processes, scheduling, I/O, filesystems, memory management, and the bootstrap process. It appears to be a guide to internal kernel APIs for the 2.6 kernel.

Reviewing kernel-related books is a difficult task. Your editor could easily be seen as having a conflict of interest in such cases, with any criticism viewed as an attempt to steer purchasers toward his own, possibly competing work. So, in the interests of full disclosure, let it be said: the author of this review is an author of a different, kernel-related book, and anything found here should be viewed with suspicion.

Because the simple fact is that your editor cannot recommend this book. It shows every sign of having been put together in a hurry, with basic grammatical errors being a frequent occurrence. The material is disorganized, with no clear ordering of concepts. Factual errors are not hard to find. The sample code provided is visibly buggy.

The book does not say, anywhere, which version of the kernel is covered - something any serious reader will want to know. Various hints through the text suggest that the authors were working from the 2.6.7 kernel at the latest, however, making the book somewhat obsolete before it hits the shelves. The version of struct file shown in the book is from 2.6.1; struct page comes from 2.6.4. The list of I/O schedulers does not include CFQ - added in 2.6.6.

The fundamental fault in this book, however, is this: there is no mention, anywhere, of concurrency issues. Even the few pages devoted to interrupts fail to mention race conditions or the primitives used to control interrupt delivery. Spinlocks and semaphores do not merit coverage until page 409 - and, even then, the API for working with them is not discussed. There is no way to write code for the 2.6 kernel without taking concurrency into account. Your editor cannot understand why the authors felt that this topic could be passed over.

More documentation for the kernel is a good thing. The kernel is a complex program, and kernel hackers can certainly benefit from a variety of views of how the kernel API works. In this case, however, your editor would recommend staying with the other books in this field, including Linux Kernel Development by Robert Love, and Understanding The Linux Kernel by Bovet and Cesati (third edition due in November).

Comments (4 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

A Look at EnGarde Secure Linux 3.0

October 5, 2005

This article was contributed by Ladislav Bodnar

EnGarde Secure Linux is a relatively old name in the world of Linux distributions. In development since 1999 by Guardian Digital, the product was originally based on Red Hat Linux, but reduced in size to include server-only applications and enhanced with a web-based system administration utility called "WebTool". Besides its high-end enterprise range of products, the company has also released several "Community" editions - somewhat limited in features but free for non-commercial use. EnGarde's previous versions were frequently praised by reviewers so when the company announced a new version 3.0 late last week (its first new release in over two years), we were eager to take it for a test drive.

EnGarde Secure Linux 3.0 "Community" comes on a single CD available for both the i386 and x86_64 architectures. Its default installation method starts rather unconventionally - with setting up the root password and networking, before proceeding with package installation. This might seem like an odd sequence for a "secure" distribution; given that all the necessary packages are on the CD, why would anyone want to perform a system installation with networking enabled? Soon the reason becomes apparent: the EnGarde installation CD also serves as a live CD so users can evaluate the product without having to install it to their hard disks. Since all system configuration is performed remotely through a web browser, having functional networking on the system running EnGarde is essential.

Nice idea in theory, but in practice we couldn't get it to work. While we had no trouble connecting to the EnGarde system with https://ip_address:1023, after typing in the user name ("admin") and password ("lock&%box"), we were greeted with an error message - an undefined subroutine in sysstat.pm. So much for trying to evaluate EnGarde Secure Linux in a "live CD" mode!

Next, we decided to do a full installation, hoping for better luck. Disappointingly, bugs continued to plague us here as well; although the installer detected both hard disks, it did not acknowledge the presence of any of the several Linux partitions on the first one, claiming "no partitions defined" and forcing us to create new ones. However, not wanting to repartition the first disk, we couldn't find a way to create new partitions on the second disk - the installer insisted on creating /dev/hda1, no matter which hard disk we had selected! Only after physically unplugging the power supply from the first hard disk and disabling it in the BIOS, we were finally able to install EnGarde on the second disk (/dev/hdc).

Granted, most users who intend to use EnGarde Secure Linux in a production environment are unlikely to dual boot their system so they won't face these kinds of problems. Nevertheless, if the installer has options which they don't work as advertised, then something is not quite right.

Eventually we installed the system where we wanted it. The package selection screen gave us an option to select one or more installation classes from a short list containing "Databases", "DNS", "Firewall", "Mail Services", "Network Intrusion Detections" and "Web Services", before proceeding to the network configuration part. Here, the opening screen promised support for network configuration with a static IP address, DHCP or PPPoE, but once we pressed the "next" button, we were forced to set up a static IP address, with options for DHCP or PPPoE nowhere to be seen (presumably because the machine only had one network card, which would have a static IP address in most common configurations). After this final step, we were prompted to reboot the system.

Up until this point our experiences with EnGarde Secure Linux 3.0 were mixed at best. Fortunately, things improved dramatically once the system was installed and when we finally had a chance to investigate the distribution's web-based administration interface - Guardian Digital WebTool. Written in Perl, WebTool has obviously been inspired by Webmin, although it sports a considerably different (and arguably more pleasant) user interface (see screenshots). After the first login, we were required to change the system's root password and WebTool's login password, set up IP address(es) with permissions to connect to the EnGarde system, and effect a few other configuration changes. Once completed, we had the first taste of what it feels like administering a remote system from a web browser when we rebooted the system with a single mouse click.

Shortly afterward we were once again logged into WebTool. Due to a few early bugs reported on the distribution's mailing lists (and impressively fast responses by EnGarde developers), we decided to start with updating the system. This can be done through the free and convenient Guardian Digital Secure Network (GDSN), but before we were allowed to proceed, we had to obtain an activation number and password by registering the product on the company's web site. After the update, we continued looking through the user interface and checking out all the configuration and reporting options. Although not as comprehensive as we had expected, WebTool had pages for most important server administration tasks, including a backup and restore utility, a UPS configuration module, as well as the usual pages for managing DNS, web, mail, SSH and FTP servers. Certain services had extensive configurations options (we especially enjoyed the Firewall configuration page), while others were very basic (e.g. the Apache configuration page only allowed adding, modifying and deleting Virtual Hosts).

What does the word "Secure" represent in EnGarde Secure Linux? By default, the distribution installs in "secure" mode, with SE Linux and Mandatory Access Control (MAC) enabled. It has carefully tuned file permissions of important system, configuration and log files so that they are not accessible to unprivileged users who might login to the system. There are other small enhancements, such as the unavailability of a "single user mode" and the presence of several intrusion detection and network monitoring tools, with real-time reporting facilities in WebTool. The company also maintains the very useful LinuxSecurity.com portal. On the negative side, the documentation on the distribution's web site has not been updated since version 1.5, so most new features in the latest release are not yet documented.

Overall, EnGarde Secure Linux 3.0 "Community" is a mixed bag. Obvious bugs in the installer and lack of up-to-date documentation are two big negatives. On the other hand, the developers have been very responsive to bug reports and the updated WebTool, combined with new security enhancements in the distribution, will appeal to those users who need an intuitive and easy-to-administer server system. Perhaps the product could have been much more impressive if it had been given a longer beta testing period, rather than just one rushed week between the only release candidate and the final release. With version 3.0 looking more like an unfinished and poorly tested beta release, perhaps a bug fix version won't be too far away; hopefully, by that time the developers will have also updated their documentation and completed the help files.

Comments (none posted)

Distribution News

Debian Project news

The Debian project has split the public frontend of security.debian.org. "After the release of an update to XFree86 (Debian Security Advisory 816) it became obvious that the old machine was not able to properly serve the needs of the large number of users anymore. The outgoing 100MBit/s connection was totally saturated during 70% of the day and the machine was throttling."

The release team is requalifying existing ports for etch. "To that end, I would like to invite you to join Anthony Towns and myself on IRC this Sunday, October 9 from 0000-0200 UTC in the #debian-tech channel on irc.oftc.net. The goal of this two-hour session is to come up with a "qualification declaration" for as many architectures as possible, and to further refine the architecture criteria as necessary."

Comments (none posted)

New Distributions

amaroK Live 1.3 Released with Open Music (KDE.News)

KDE.News introduces the amaroK Live CD, version 1.3. The amaroK Live CD was developed as a way to demonstrate the features of the amaroK music player, not as a complete system. "Most of the music on the CD has been provided by Magnatune, a revolutionary music label which aims to reinvent the music business, applying the lessons learned from the open source movement to the recording industry. Fair use, remix rights, and musicians actually being paid!"

Comments (none posted)

FreeMED Live CD 0.1 available (LinuxMedNews)

LinuxMedNews introduces the first release of the FreeMED Live CD, version 0.1. It is based on Kubuntu 5.04 (Hoary) with FreeMED 0.8.0 and REMITT 0.3 configured for test use.

Comments (none posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for October 4, 2005 is now available. This issue covers the rise of GNU/Linux, Debian at work in the Australian Taxation Office, the DPL Team Status Issue Tracker, changes to the release team, a report from the Darmstadt QA Team Meeting, and several other topics.

Full Story (comments: none)

Fedora Weekly News

The latest edition of the Fedora Weekly News covers the release of Mozilla Thunderbird 1.0.7, RealPlayer 10.0.6 and Helix Player 1.0.6 Security Update, /proc/acpi/sleep obsoleted and removed, an overview of Fedora based distributions, an updated Fedora Core 4 ISO for PPC and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of October 3, 2005 looks at the Python upgrade to 2.4, Gentoo/ALT revisited, the Kansai open-source conference in Japan, and several other topics.

Comments (none posted)

DistroWatch Weekly, Issue 120

The DistroWatch Weekly for October 3, 2005 is out. "We are at the start of an exciting week, with Mandriva Linux 2006, SUSE Linux 10.0 and Ubuntu Linux 5.10 RC all expected within the next few days. Fans of certain other distributions might not be so lucky, though, as last week's announcement about Libranet's "restructuring" leaves many wondering about the future of this once popular Debian-based project. Our featured distribution of the week is Puppy Linux, but we also introduce amaroK Live, a PCLinuxOS-based live CD that combines the power of the amaroK media player with Free Music."

Comments (none posted)

Package updates

Fedora updates

Fedora Core 4 updates: rp-pppoe (bug fix), nc (update from OpenBSD upstream CVS), squid (some minor fixes), system-config-users (require rhpl), kernel (big rebase, this time to 2.6.13), vino (keyboard handling fix), util-linux (bug fix), gtk2 (bug fix), unixODBC (bug fixes), pyrex (add patch to fix pyrex distutils), setools (bump for FC4), cpuspeed (use ACPI as a fallback driver), microcode_ctl (upstream 1.12 release), gnome-utils (update to gcalctool 5.6.31), ruby (fixed file list), termcap (new descriptions), policycoreutils (update to rawhide version), selinux-policy-targeted (bug fixes and merge from rawhide), selinux-policy-strict (bug fixes and merge from rawhide), system-config-users (fix variable names), postgresql (update to latest PostgreSQL community release), ncpfs (bug fixes), nfs-utils (bug fixes).

Fedora Core 3 updates: rp-pppoe (bug fixes), squid (some minor fixes), gtk2 (bug fix), ruby (fixed file list), system-config-bind (bug fixes, updated translations), ncpfs (bug fixes).

Comments (none posted)

Trustix Secure Linux Bugfix Advisory TSL-2005-0052

Trustix has fixed bugs in net-tools, php, time, xdelta and zsh.

Full Story (comments: none)

Newsletters and articles of interest

Installing Debian (O'ReillyNet)

O'ReillyNet takes a look the Debian installation. "This article walks you through the Debian installation process. If you have special requirements, it almost certainly won't cover those, but it will tell you how to cater for them."

Comments (none posted)

Mark Shuttleworth: FAQs: Why and Whither for Ubuntu?

Mark Shuttleworth talks about Ubuntu and other projects on the Ubuntu wiki site. "Why are you funding Ubuntu, instead of giving the money to Debian? I spent a lot of time thinking about how best to make a contribution to the open source world, and how best to explore the ideas I am personally interested in, such as the best ways to deploy open source on the desktop. One option was to stand for the position of DPL (I'm a DD, first maintainer of Apache in 1996 blah blah) and drive those ideas inside Debian. In the end I decided to create a parallel distribution, and invest in the infrastructure to make inter-distro collaboration a lot more efficient."

Comments (none posted)

Ubuntu carves niche in Linux landscape (News.com)

News.com covers Ubuntu and its growing pains. "There are some lumps, though. "Perhaps the worst of Ubuntu is that we are still a relatively young project, and having moved so quickly to the forefront of Linux, it's been a challenge to stay focused on our vision," [Ubuntu CTO Matt] Zimmerman said. "There is now a vast user community around Ubuntu, full of energy and excitement about a wide variety of different ideas, while realistically we can only pursue some of these at once.""

Comments (none posted)

First Linux Beta with Debian Core Arrives (eWeek)

eWeek reports that MEPIS has released the first distribution based on the Debian Common Core. "MEPISLite is an entry level version of desktop MEPIS designed for home users. It has been used successfully with as little as a 2GB hard drive and a Pentium 2 processor with 128MB of RAM. The distribution comes with a full complement of software including KDE's Koffice office suite and the Firefox Web browser."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Wine to Reach A Major Milestone

October 5, 2005

This article was contributed by Brian Vincent

In just a few weeks, Wine will be reaching a major milestone: a beta release. Until now, Wine has been one of the largest projects under development that has never seen a beta. Wine's codebase is approaching 1.5 million lines, contributed by nearly 700 individuals over the past 11 years. Two successful commercial products are based on the code, and it is used in a production environment by several large corporations. While Wine often catches flack within the open-source community for bringing Windows compatibility to Linux, there are two facts that are undeniable:
  • Windows has the largest library of software available, including a huge number of applications that have no comparable Linux alternative.
  • Legacy software from a vendor that has gone out of business will never get ported to Linux.

Wine's acronym paradoxically comes from both the phrases WINdows Emulator and Wine Is Not an Emulator. Don't worry, Wine's developers really don't care (much) which you prefer since it fits both descriptions to some degree. At its core, Wine is an implementation of the Win32 API designed to run on top of Unix-like operating systems. KDE, of course, relies on Qt and GNOME on GTK, and in this regard Wine simply implements yet another API. The difference is, Win32 was designed by Microsoft and happens to be one of the most widely used APIs in existence.

The Wine beta release will come at an interesting time. Microsoft is not planning on releasing any major new API components until Windows Vista ships. Even then, it will be a while until any major applications require the new API. As a result, Wine has a few years to stabilize the existing APIs.

Besides implementing the Win32 API, Wine contains several unique features for running Windows programs on Linux. On Linux, the ELF binary format describes executables and libraries. Microsoft uses a different format, PE (Portable Executable), for the same purpose. The PE format is more complex and allows multiple resources to be embedded in one file. Wine implements a special loader to open PE files. Windows also contains primitives, such as threading, that are much different than on Linux. Wine's wineserver is used to synchronize between threads and processes using custom IPC code. It performs many of the low-level functions done by the kernel on Windows. If that isn't exciting enough for you, Wine also comes with winemine, a minesweeper game.

Wine's architecture has stabilized quite a bit over the past few years. Items tackled just this summer include:

  • Graphical tools for Wine's configuration (regedit and winecfg).
  • DirectX 9 support.
  • Support for allowing applications to open web pages.
  • A new RichEdit control.
  • Improved support for the Microsoft Installer.
  • Beginnings of 64-bit support (Win64).
  • Theming for controls.
  • Authentication using Samba 4 interfaces.
  • Improved filesystem integration.
In addition, a shift in focus from core components to higher-level libraries has brought better compatibility. Out of the box, Wine's default settings are sufficient for running many programs. In June the old config file was removed and replaced with the new winecfg utility.

A lot of things are in the process of being cleaned up for the beta release. Wine's application database, which lists compatible applications, has seen a complete overhaul over the past year. Some new capabilities have been added in the past few weeks. Work is underway to rewrite major portions of the Wine User Guide to bring it up to date. Finally, wine's Bugzilla bug database has been pruned of items that have been fixed.

So let's be realistic, how well does it work? Thanks to recent work done by CodeWeavers, most Windows programs now install. For a long time, just getting a program to install was a huge hurdle, things have really improved in that area.

Many small to medium-sized programs run just fine, though you may notice little discrepancies. Larger programs, such as Photoshop, Word, Excel, or Quicken can be coaxed into running, but they have traditionally suffered from regressions in Wine. As a work-around, CodeWeavers' CrossOver Office is able to run those programs, so the technology is definitely capable. Games usually don't run out of the box because of copy protection schemes that aren't compatible with Wine.

The focus of the beta release is to provide a starting point for stabilizing Wine. Tons of bugs need to be fixed and entire APIs remain to be finished off. The beta release won't be a magic bullet that suddenly makes Wine perfect, but all of the tools and interfaces will be in place.

It will also be feature complete from a packaging standpoint, and distributions are encouraged to begin testing integration. For anyone interested in development, there's still a lot of work to be done and plenty of ways to get involved.

Stay tuned to WineHQ for announcements.

Comments (4 posted)

System Applications

Audio Projects

Rivendell v0.9.53 announced

Version 0.9.53 of Rivendell, an audio automation system for use in radio stations, is out with bug fixes and some new features.

Full Story (comments: none)

Database Software

Firebird 1.5.3 Release Candidate 2 released

Version 1.5.3 Release Candidate 2 of the Firebird database is out. "The Firebird Project is pleased to announce the second -- hopefully last -- release candidate for the forthcoming Firebird 1.5.3 release, for testing. Download kits are available for Windows and Linux."

Comments (none posted)

PostgreSQL Weekly News

The October 2, 2005 edition of the PostgreSQL Weekly News is online with new PostgreSQL discussions and resources.

Full Story (comments: none)

Interoperability

Samba 3.0.20a Available for Download

Version 3.0.20a of Samba has been announced, it features several bug fixes. Click here for a more detailed list of changes.

Full Story (comments: none)

LDAP Software

LAT 0.7.3 Released

Version 0.7.3 of LAT, the LDAP Administration Tool, is out with new features, bug fixes, and code cleanups.

Full Story (comments: none)

Libraries

Cairo release 1.0.2 now available

Release 1.0.2 of the Cairo graphics library has been announced. "This is a maintenance (bug-fix only) release in the cairo 1.0 series. It is the first such release since 1.0.0. (There is no 1.0.1 release since that number was used during the development between 1.0.0 and 1.0.2.) This release maintains source and binary compatibility with cairo 1.0.0. We'd like to give particular thanks to the many individuals who have tested cairo since 1.0.0, (and turned up a fair number of bugs)."

Full Story (comments: none)

Printing

How To Restrict Disk, Memory and CPU Usage (CUPS)

The CUPS printing project has a short article on tuning CUPS system resources. "If you are running into a performance problem with disk space, memory and CPU usage, editing one or more of the following directives inside the /etc/cups/cupsd.conf file may aid the situation."

Comments (none posted)

Web Site Development

Five 1.1 released

Version 1.1 of Five (Zope 2 plus 3) has been announced. Changes include Zope 3-style i18n, Zope 3 to Zope 2 interface bridging, more standard ZCML directives, and code improvements.

Comments (none posted)

Zope 3.1.0 released

Version 3.10 of the Zope web development platform has been released. "Zope 3 is the next major Zope release and has been written from scratch based on the latest software design patterns and the experiences of Zope 2. It is in our opinion that Zope 3.1 is more than ready for production use, which is why we decided to drop the X for experimental from the name. We will also continue to work on making the transition between Zope 2 and Zope 3 as smooth as possible. As a first step, Zope 2.8 includes Zope 3 features in the form of Five."

Comments (none posted)

LogMiner 1.4 released (SourceForge)

Version 1.4 of LogMiner, an Apache logfile analysis package, has been announced. "In release 1.4, configuration has been made simpler by removing the need to list all your sites in the [Logs] section."

Comments (none posted)

webcockpit 1.5.0 released (SourceForge)

Version 1.5.0 of webcockpit has been announced, it includes several new features. "Webcockpit is a Web Application generator for realtime charting and monitoring solutions. This minor release improves greatly the tabulation power – by using ‘displaytag’ JSP taglib for runtime HTML table generation. Features include sorting, or grouping by column, pagination, data export to csv, excel and xml formats and having full control of the table’s CSS style markup."

Comments (none posted)

Desktop Applications

Business Applications

faces 0.5.0 released

Version 0.5.0 of faces, a project management tool, has been announced. Here is the change summary: "The report definition mechanism has changed significantly. The autocompletion function has been improved. Real online help is now available. A new calendar report has been added. The cleaning mechanism of the HTML generator has been modified."

Comments (none posted)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

Dropline GNOME 2.12.0 released (GnomeDesktop)

Version 2.12.2 of Dropline GNOME has been announced. "After several weeks of testing, the latest version of Dropline GNOME is finally available. This release sees updates to virtually every package, and is our first release built specifically for Slackware 10.2. We would like to thank all of the testers that helped in the development of this release. We couldn't do it without you!"

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

This Month in SVN - October (KDE.News)

KDE.News looks at the latest edition of This Month in SVN. "Welcome to the last issue of This Month in SVN for the KDE 3.5 series. As KDE 3.5 is in feature freeze and nearing release, future articles will be focusing on the development of KDE4 and other related projects like Plasma and Appeal. If you've been intrigued by the new features in these issues and are raring to try them out, please consider installing the KDE 3.5 beta packages if your distro has provided them. The more beta testers we have reporting bugs, the better our release product can be!"

Comments (1 posted)

Desktop Publishing

Scribus 1.3.1 released

Version 1.3.1 of Scribus, an open-source page layout application, is out. "The 1.3.1 release is the second development version towards a new stable 1.4. Building on the 1.3.0 version released in July, 1.3.1 brings new features never before available in any open source application."

Full Story (comments: none)

Electronics

XCircuit 3.4.0 released

Version 3.4.0 of XCircuit, an electronic schematic drawing package, is available. This release features substantial revisions to the user interface and input mechanism.

Comments (none posted)

Financial Applications

SQL-Ledger 2.6 released

Version 2.6 of SQL-Ledger, a web-based accounting system, is out with many changes. See the What's New document for details.

Comments (none posted)

Games

Atlas-C++ 0.5.98 Released

Version 0.5.98 of Atlas-C++ has been released by the WorldForge game project. "Atlas-C++ is the standard implementation of the WorldForge Atlas protocol. This should be the final release on the development branch, which is working towards the 0.6 series. This release is primarilly aimed at developers, though it is also required by the upcoming Eris release, and will be required by future client releases."

Comments (none posted)

QueriEd 2.4 Released (SourceForge)

Version 2.4 of QueriEd is out with support for a new game and bug fixes. QueriEd is: "A Java library to query game servers such as Half Life Source, Battlefield 2 and UT servers to find out the map, number of players, and players scores. There are different game servers with query protocols that can be added to this package."

Comments (none posted)

Interoperability

Wine Traffic

The September 30, 2005 edition of Wine Traffic is out with new Wine project articles. Topics include: Summer of Code Updates: Single Sign-On, and Theming, Red Hat/Fedora RPMs, Build Changes, Compile Problems from Wine-20050830, Lotus Notes Breakage and Fix and Finding Stack Corruption.

Comments (none posted)

Mail Clients

Mozilla Thunderbird 1.0.7 Released (MozillaZine)

Version 1.0.7 of Mozilla Thunderbird, an email client, has been announced. "Amongst other changes, this minor release includes fixes for a return receipt regression introduced in version 1.0.2 (bug 289091) and the Linux command line URL parsing security flaw."

Comments (none posted)

SharpWebMail 0.12 beta released (SourceForge)

Version 0.12 beta of SharpWebMail has been announced, it features improvements and bug fixes. "SharpWebMail is an ASP.NET webmail application that is written in C#. It uses a POP3 or IMAP servers as the mailstore and sends mail through a SMTP server. It is very simple to configure (only a few settings in the web.config file). You can compose HTML messages, search your inbox, read complex mime messages, have multiple address books and much more. It fully works under .NET and Mono."

Comments (none posted)

Medical Applications

Python X12 Medical Billing Library (LinuxMedNews)

Fred Trotter makes note of the pyx12 library on LinuxMedNews. "As the originator of FreeB I am usually up on whats happening in the open source medical billing world. Imagine my surprise when I found out that someone has put out a really excellent X12 parsing and validating tool! John Holland has written and excellent python library called pyx12."

Comments (none posted)

Multimedia

mplayer-plugin 3.11 released

Version 3.11 of mplayer-plugin, browser plugin that supports various movie formats, is available. This release has a playlist bug fix. (Thanks to Kevin DeKorte.)

Comments (none posted)

Music Applications

MMA version 0.16 is available

Beta version 0.16 of MMA, the Musical MIDI Accompaniment, is out for testing. Here are the change notes: "Beta 0.16: Lots of little bug fixes, new SWINGMODE, more note offset and length options, NOTESPAN directive, better KEYSIG support, enhanced VOLUME options, negative offsets (prior bar) in patterns."

Full Story (comments: none)

Qsynth 0.2.4 released

Version 0.2.4 of Qsynth, a fluidsynth GUI front-end, is out with usability improvements and a bug fix.

Full Story (comments: none)

Office Applications

HylaFAX 4.2.2 Released

Version 4.2.2 of HylaFAX, a fax modem interface package, is out with a number of new features. See the release notes for more information.

Comments (none posted)

Office Suites

The first OpenOffice.org 2.0 release candidate

The first OpenOffice.org 2.0 release candidate is out. See the product page for information on this release, the features page for a quick tour of enhancements in 2.0, or the download page to get your copy.

Comments (20 posted)

OpenOffice.org Newsletter

The September 30, 2005 edition of the OpenOffice.org Newsletter is online. Take a look for new OpenOffice.org resources and events.

Full Story (comments: none)

RSS Software

PenguinTV 0.77 is available

Version 0.77 of PenguinTV, an improved RSS reader, has been announced "This version fixes many bugs and improves performance. This is a recommended upgrade."

Comments (none posted)

Science

JGAP 2.4 released (SourceForge)

Version 2.4 of JGAP is available. "JGAP is a genetic algorithms package written in Java. It is designed to require minimum effort to use "out of the box," but is also designed to be highly modular to allow for custom components to be easily plugged in by the more adventurous. JGAP version 2.4 advances and extends the previous release, see the changelog for details. This release contains some few new features and many new unit tests."

Comments (none posted)

Metro 4.06 Released (SourceForge)

Version 4.06 of Metro has been announced. "Metro is a tool designed to evaluate the difference between two triangular meshes. Metro adopts an approximated approach based on surface sampling and point-to-surface distance computation. The tool is widely used in the surface simplification research community (approx 200 citations of the tool in scientific papers according to google scolar). Current version uses multiple search structures. Now the mesh comparison can be done exploiting a static uniform grid, a hashed grid or a hierarchy of AA box."

Comments (none posted)

Web Browsers

Google Toolbar for Mozilla Firefox Out of Beta (MozillaZine)

MozillaZine covers the latest release of the Google Toolbar for Mozilla Firefox. "The official Google Blog has announced that the Google Toolbar for Mozilla Firefox is now out of beta. This first non-beta release of the browser extension integrates the functionality of Google Suggest, which offers a list of possible search queries as you type. This version also works with Firefox's built-in toolbar customisation feature, allowing users to rearrange and place the Google Toolbar buttons anywhere in their toolbar setup."

Comments (none posted)

Gervase Markham Explains Automatic Resolution of Old Unconfirmed Bugs Plan (MozillaZine)

MozillaZine reports on plans to automatically resolve some old unconfirmed bugs in Firefox, Thunderbird, Mozilla Application Suite, Core or Toolkit products. Gervase Markham has written a weblog post explaining the thinking behind the plan.

Comments (none posted)

Word Processors

AbiWord-2.4 released

Footnotes carries the news of the AbiWord 2.4 release. New features include on-the-fly grammar checking, equation editing, OpenDocument support, and better GNOME-Office integration. The release notes have the details.

Comments (1 posted)

Miscellaneous

PyKeylogger 0.6.4 released (SourceForge)

Version 0.6.4 of PyKeylogger is out with bug fixes. "PyKeylogger is a simple keylogger written in python. It is primarily designed for personal backup purposes, rather than stealth keylogging (though it can do that, too). It does not raise any trust issues, since it is a short python script that you can easily examine."

Comments (none posted)

Languages and Tools

C

GCC 4.0.2 Released

Version 4.0.2 of GCC, the GNU Compiler Collection, is available. "This release is a minor release, containing primarily fixes for regressions in GCC 4.0.1 relative to previous releases."

Full Story (comments: none)

Caml

Caml Weekly News

The October 4, 2005 edition of the Caml Weekly News is online. Take a look for all new Caml language articles.

Full Story (comments: none)

Haskell

Haskell Weekly News

The September 27, 2005 edition of the Haskell Weekly News is online with the latest Haskell news. Topics covered this week include Haskell winning the 2005 ICFP contest and a new independent package providing the GHC API.

Comments (none posted)

Haskell Weekly News

The October 4, 2005 edition of the Haskell Weekly News is online with the latest Haskell news. Topics covered this week include a new issue of The Monad.Reader, the Haskell workshop at ICFP, Endian conversion, and the strictness of putChar.

Comments (none posted)

The Monad.Reader wikizine

Issue #5 of The Monad Reader is online with the latest Haskell language articles. "For issue five, the subjects are a short introduction to Haskell, generating polyominoes, a ray tracer, number parameterized types, practical graph manipulation, and a short introduction to software testing in Haskell."

Full Story (comments: none)

Java

This week on harmony-dev

The October 1, 2005 edition of This week on harmony-dev covers the latest developments in the Harmony open-source Java platform project.

Full Story (comments: none)

Lisp

MIT releases Lisp Machine source code as open source

MIT has released the Lisp Machine source code. "MIT has released under a 'BSD like' license the source code of the Lisp Machines developed at MIT. Lisp Machines were special-purpose computers designed for running Lisp code. They were popular in the 1980s, especially for AI applications. Improved versions were commercially produced and distributed by companies such as Symbolics, Texas Instruments and Lisp Machines Inc."

Full Story (comments: none)

Perl

The State of the Onion 9 (O'Reilly)

Larry Wall has written issue #9 of the The State of the Onion, an amusing read that covers the current state of Perl development. "This last year, we were starting to lose our sense of fun in the Perl community. Though we tried to be careful about not making promises, everyone knew in their hearts that five years is an awfully long time to wait for anything. People were getting tired and discouraged and a little bit dreary. Then Autrijus Tang showed up. Maybe we should call him "Ace" Tang. He basically said, "Look, we'll never get this done unless we optimize for fun." So fun is exactly what the Pugs project is optimized for. Mind you, Autrijus's idea of fun is to learn Haskell and then write a prototype of Perl 6 in it."

Comments (none posted)

The Perl 6 Summary

The September 25, 2005 edition of The Perl 6 Summary is available with the latest Perl 6 development news.

Comments (none posted)

PHP

PHP Weekly Summary for August 1, 2005

The PHP Weekly Summary for August 1, 2005 is out. Topics include: PHP-GTK corner, PHP 5.1 RC 1 alert, PHP-GTK 2 back on track, web services vs allow_url_fopen, internals wiki? and NetWare team to come on board.

Comments (none posted)

PHP Weekly Summary for August 8, 2005

The PHP Weekly Summary for August 8, 2005 is out. Topics include: libxml2 errors, PHP-GTK corner, Property overloading RFC, libxml2 errors, moving extensions to PECL, International Open Source Database Conference, CVS vs SVN, streams, URI handling and XML, allow_url_fopen and SOAP, and More namespace stuff.

Comments (none posted)

PHP Weekly Summary for August 15, 2005

The PHP Weekly Summary for August 15, 2005 is out. Topics include: Property overloading [continued], is_a and instanceof, upgrading to PHP 5.1 and Apache 2.2, PHP 5.1 branched, internal class static properties, memory and multiple exceptions, Unicode support design document, PHP 6.0 wishlist, Mostly Unicode and Whatever happened to gcov?

Comments (none posted)

Ruby

Ruby Weekly News

The October 2nd, 2005 edition of the Ruby Weekly News looks at the latest discussions from the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The October 3, 2005 edition of Dr. Dobb's Tcl-URL! is out with the weekly collection of Tcl/Tk articles.

Full Story (comments: none)

Version Control

Mercurial loses a developer

Bryan O'Sullivan, a former developer of the Mercurial source code management system (covered here a few weeks ago) has announced that he will not be contributing to the project for a while. It seems that he was contacted by BitMover, the company behind BitKeeper. "However, Larry [McVoy] conveyed his very legitimate worry that a fast, stable open source project such as Mercurial poses a threat to his business, and that he considered it 'unacceptable' that an employee of a customer should work on a free project that he sees as competing. To avoid any possible perception of conflict, I have volunteered to Larry that as long as I continue to use the commercial version of BitKeeper, I will not contribute to the development of Mercurial." Click below for the full message.

Full Story (comments: 51)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

FOX's Anti-MASS FUD is a Dud (Groklaw)

Groklaw dissects some FUD From Fox News. "If you go to Fox News, or in my case, if someone sends you the url, you find the following blurb: Wrong Move - Massachusetts adopts a bad technology policy that will cost taxpayers and consumers. Of course, it sends you to an editorial about the Commonwealth of Massachusetts' decision to use the OpenDocument format. And it's our chance to see inside of Microsoft's head, because it's a guest editorial by James Prendergast of Americans for Technology Leadership. The editorial has the hilarious title, "Massachusetts Should Close Down OpenDocument." Like they could close down OpenDocument, even if they had a mind to."

Comments (10 posted)

Torvalds' Baby Comes of Age (BusinessWeek)

BusinessWeek has an interview with Linus Torvalds. "What about Linux on the desktop? Why hasn't it taken off? Oh, it has absolutely taken off, but some people seem to think that "take off" means that suddenly everybody is running it. That's clearly not true. It's a very slow conversion. There are more people running it this year than there were last year, and it all looks and works a bit better all the time. But did everybody suddenly convert? No. It's one step at a time." (Thanks to Rolf Heckemann)

Comments (none posted)

Cry freedom (Times Online)

Times Online has an article by Gervase Markham. "And if you do not understand and value a freedom, it's very easy to lose it, or for someone to persuade you to give it up. You probably will not even notice it's gone until you need it and suddenly find it's not there. The pragmatic "use what's best" approach of Open Source leads to the conclusion that if another program is better, you should use it, even if it's not Open Source. So if Skype is the best software for making telephone calls over the net, you should choose it; after all, it's "free" - it costs nothing - right?"

Comments (none posted)

Trade Shows and Conferences

Community converges on Ohio LinuxFest (NewsForge)

NewsForge reports from the Ohio Linux Fest. "The LinuxFest had three conference tracks, Userspace, Tech, and Community -- though several of the talks didn't quite fit the track that they were in. It didn't really matter -- most of the attendees were mixing and matching tracks liberally. I bounced among the different tracks, and noticed a lot of the same faces in each talk. The quality of the talks, overall, was very good. A few speakers were obviously a bit green when it comes to public speaking, but most of the people I talked to found the topics engaging anyway."

Comments (1 posted)

KDE at the 2005 Ohio Linux Fest (KDE.News)

KDE.News covers the KDE presence at the 2005 Ohio Linux Fest. "With over 700 attendees and a speaking track packed full of goodies, the one-day Ohio Linux Fest held this past Saturday in the city of Columbus was an unqualified success. KDE had a booth at the event which was kept exceedingly busy the entire day. Most of the people who visited the booth mentioned that they use KDE and several asked that we pass on their appreciation to the entire KDE team for all the work that they have put into it over the years."

Comments (none posted)

Companies

Andreessen joins board of Zend Technologies (News.com)

Marc Andreessen and Guarav Dhillon have joined the Zend Technologies board of directors. "Zend Technologies expanded its board of directors with Netscape co-founder Marc Andreessen and Guarav Dhillon, who was founder and CEO of data integration software maker Informatica. Zend makes development tools for the open-source language PHP."

Comments (none posted)

Linux Adoption

Linux misses Windows of opportunity (The Age)

An Australian publication called The Age looks at a failed attempt at a transition to Linux. "Mr Horton called in Red Hat-recommended contractors to install Red Hat Enterprise Linux and ensure it was configured according to SAP standards, a process which took two weeks. "You have to be using the right certified components, otherwise SAP won't give you the support. To go through and match everything off was quite tedious," Mr Horton says. "After doing all that, we came to a very interesting situation where the machine would basically, putting it in Windows terms, core dump or blue screen at random. It would run for weeks or so and then just bang, it would stop."" (Thanks to Andrew Kornak.)

Comments (21 posted)

French military body to install Linux cluster (Silicon.com)

Silicon.com covers plans to install a high-performance Linux cluster for technical and scientific work, at an agency of the French Ministry of Defense. "The Technical Establishment of Bourges (ETBS), which tests and manufactures armaments, has issued a tender for the supply of a 64-bit Linux cluster, according to a document on an EU website. The deadline of the tender was reached on Thursday but it was unclear from the tender document when the ETBS plans to start implementing the cluster."

Comments (none posted)

Legal

Patent suits not likely, says IP attorney (IT Manager's Journal)

IT Manager's Journal looks at reasons why suing open-source companies over patent issues may be unwise. "Proprietary software companies could sue open source software developers or end users for patent infringement, but they probably won't, says one intellectual property attorney. If they do, the Open Source Development Labs (OSDL) plans to be ready. Though the threat of lawsuits is often heard rumbling over the horizon like an approaching storm, the potential benefits for patent holders probably aren't attractive enough to spark litigation, says James Gatto, a patent and intellectual property attorney with Pillsbury Winthrop law firm."

Comments (2 posted)

Microsoft's Linux-related patents rejected (ZDNet)

ZDNet reports that the U.S. Patent Office has rejected Microsoft's FAT patents (which ZDNet calls "Linux-related"). "The patent office delivered its ruling late last month but made it public this week. With one of the patents, the decision is what's considered a final rejection, while with another it's considered nonfinal. In both cases, Microsoft has the ability to pursue its claims further."

Comments (none posted)

The Idea Economy (Herald Tribune)

The International Herald Tribune has taken a look at the patent system. "'In certain cases,' said Elsa Lion, an analyst at the London research firm Ovum, 'technology companies are beginning to realize they have more to gain by releasing patents to the general public than by hoarding licensing income.' By giving away some of their knowledge, companies like IBM and Nokia are not just polishing their image among the Internet generation. They also questioning a business strategy that has become a bedrock of contemporary capitalism: Whoever has the most patents wins."

Comments (none posted)

Interviews

David Sugar talks about GNU Bayonne (NewsForge)

NewsForge talks with GNU Bayonne developer David Sugar. "Bayonne started as a platform that allows one to create and deploy applications that interact by voice and through TouchTone keypads with people over the telephone network. Bayonne includes its own scripting language for writing telephony applications, which is designed for use in very high port -capacity solutions, as well as offering services to telephony enable Perl, Python, and other common scripting languages."

Comments (none posted)

Resources

First Monday open source special

The October 2005 edition of First Monday is all about open source. There are several new articles (by Benjamin Mako Hill, Bruce Perens, and others) along with reprints of many older pieces. Even if you didn't want to read "The Cathedral and the Bazaar" again, there's some interesting stuff here.

Comments (1 posted)

What Is Free Software (O'ReillyNet)

Karl Fogel defines "free software" in this O'ReillyNet article. "Free software is software that may be modified and redistributed freely by anyone, with no significant restrictions on how the code may be changed, the uses to which it may be put, or the parties with whom it may be shared. From this simple definition flow many unexpected consequences."

Comments (5 posted)

What Is Quartz (O'ReillyNet)

Chuck Cavaness introduces Quartz on O'Reilly. "Quartz is an open source job-scheduling framework written entirely in Java and designed for use in both J2SE and J2EE applications. It offers great flexibility without sacrificing simplicity. You can create simple or complex schedules for executing any job. It includes features such as database support, clustering, plugins, prebuilt jobs for EJB, JavaMail and others, support for cron-like expressions, and many more."

Comments (none posted)

What Is Web 2.0 (O'Reilly)

Tim O'Reilly introduces Web 2.0. "The bursting of the dot-com bubble in the fall of 2001 marked a turning point for the web. Many people concluded that the web was overhyped, when in fact bubbles and consequent shakeouts appear to be a common feature of all technological revolutions. Shakeouts typically mark the point at which an ascendant technology is ready to take its place at center stage. The pretenders are given the bum's rush, the real success stories show their strength, and there begins to be an understanding of what separates one from the other."

Comments (none posted)

Converting from CVS to Subversion with cvs2svn (O'ReillyNet)

O'ReillyNet covers CVS to Subversion conversion with cvs2svn. "Before you start converting, you may need to do a little housekeeping on your CVS repository. First and foremost, make a copy of your CVS repository and work only with the copy--I can't stress this enough. A lot of the cleanup work we're going to do here can be done after you've converted, but I prefer to do the work before converting as it makes for a "cleaner" Subversion repository."

Comments (2 posted)

Protecting Files at Home Using Encrypted Containers (Linux Journal)

The Linux Journal has posted a tutorial on the use of dm_crypt to create encrypted filesystems within files. "I have read many articles on encrypting entire partitions and drives, but I chose to use containers instead. By using containers, I have the flexibility to move them around, back them up to CD or DVD and not mount them when I don't need them.

Comments (8 posted)

Reviews

The $100 laptop moves closer to reality (News.com)

News.com follows the progress of a project that aims to produce a $100 windup-powered laptop computer that runs Linux. ""This is the most important thing I have ever done in my life," Negroponte said on Wednesday during a presentation at Technology Review's Emerging Technologies Conference at MIT. "Reception has been incredible. The idea is simple. It's an education project, not a laptop project. If we can make education better--particularly primary and secondary schools--it will be a better world." He said a goal of the project is to make the low-cost PC idea a grassroots movement that will spread in popularity, like the Linux operating system or the Wikipedia free online encyclopedia. "This is open-source education. It's a big issue."

Comments (3 posted)

AOpen box inspired by Mac Mini (News.com)

News.com looks at new Pentium D-based computers from AOpen. "Taiwanese computer maker AOpen is scheduled to release two versions of its Pandora desktop just in time for the holiday shopping season, the company said Thursday. The company said Apple Computer's Mac Mini inspired its latest desktop PC. Pandora is one of several 2-inch-tall computers being sold as home entertainment PCs. A Linux-based version of the mini tower is expected to sell at retail for $399, while the Windows XP-based box will go for $499."

Comments (15 posted)

Apache's Beehive 1.0 generates buzz (News.com)

News.com notes the Beehive 1.0 release. "Beehive consists of three main parts: NetUI, Controls and Web Service Metadata (WSM). NetUI is an MVC framework built on top of Apache Struts, adding a set of JSP tags for building HTML pages, and more complex UI controls such as data grids. Controls are back-end J2EE classes aimed at providing a consistent interface to different data sources and other resources."

Comments (1 posted)

What Is Asterisk (O'ReillyNet)

O'Reillynet offers an introduction to Asterisk. "Simply put, Asterisk is the most flexible and extensible telephone system in existence. Full source code is available, so if you need a feature you can add it yourself. Although I must say, they've done a very thorough job with the first release. Try asking your current PBX vendor for full source code for their PBXs. Hell, just try asking them for documentation."

Comments (11 posted)

A first look at GIMP 2.4 (NewsForge)

NewsForge looks at what's coming with the GIMP 2.4 release. "2.4 is the first GIMP release to support color management, a feature dearly missed by photographers and designers up until now. In the preferences dialog you will find a new Color Management control panel where you can set rendering intent and specify your working colorspace and device profiles."

Comments (6 posted)

Radio's Next Generation: Radii (Linux Journal)

Linux Journal takes a look at the Linux-powered device called Radii. "Radii is a radio: a box with buttons and dials used to select bands and tune stations in a familiar way. Because this radio receives Internet radio, it provides hundreds of noise-free stations with a wide variety of listening options. The band selection dial, instead of AM and FM, is used to select genres such as News, Sports and Rock. The station selection dial scrolls through station names that can be tuned by clicking the select button."

Comments (none posted)

Trusted Linux will wear a Red Hat (NewsForge)

NewsForge looks at Trusted Linux. "Last October, Trusted Computer Solutions announced it would release Trusted Linux, a version of the open source operating system that is hardened enough to meet the requirements of the United States Director of Central Intelligence. This week, TCS said it is instead teaming up with IBM and Red Hat, and that Trusted Linux will now be released as an as-yet-unnamed Red Hat product in 2006."

Comments (none posted)

Darik's Boot and Nuke: A great tool for obliterating your data (NewsForge)

NewsForge has a review of Darik's Boot and Nuke. "Do you know what happened to your data when you disposed of your last PC? With identity theft on the rise, it's important to make sure your information is removed before you get rid of that old hard drive. Thanks to the work of developer Darik Horn, there's an excellent tool to wipe data off of a hard disk: Darik's Boot and Nuke (DBAN)."

Comments (3 posted)

The Arrival of NX, Part 5: Using NX (Linux Journal)

Kurt Pfeifle continues this series on NX on Linux Journal. "The NoMachine NX Client license says, "Redistribution of NX Client software, including commercial Closed Source packages, is allowed, free of charge, for commercial and non-commercial use...". This enabled Klaus Knopper to include the NoMachine NX Client in Knoppix, versions 3.6 and later, even though it is not free software. It also is included in Kanotix. The NX Client is released in binary form under a free for commercial and non-commercial use license similar to the Adobe Acrobat reader software that we find in most Linux distributions. A KDE-based NX client, kNX, also is available. kNX works and is used by quite a few people daily, but it more of a proof-of-concept implementation, though, and its use is not yet generally recommended."

Comments (13 posted)

Miscellaneous

Open Graphics Project Status Update (KernelTrap)

KernelTrap has a status report on the Open Graphics Project. "I started the Open Graphics Project in October of 2004 at Tech Source, Inc. I suggested to my employer and to the world that a worthwhile product category, which doesn't currently exist, is graphics cards that are designed specifically with Free and Open Source software (FOSS) in mind. Rather than having to beg graphics card vendors for access to their register specs, I thought it would be easier to just ask members of the FOSS community what kind of hardware they need, work with them to develop a specification, and then build that hardware. "Open Architecture" became the main idea, making it easy for FOSS developers to get the information they need to develop FOSS drivers to take full advantage of the hardware." (Thanks to Bernard Bencic)

Comments (18 posted)

From the Editor - dmarti:~$ logout (Linux Journal)

Don Marti concludes his Linux Journal column with some advice. "Since this is my last column as editor in chief, I get to give a bunch of advice, so I'll cover two great inventions that we should all take a fresh look at and come up with more things like them. First, the most important technology for the Internet isn't on the Internet. Want a hint? 12:00. 12:00. 12:00. The second most important technology has a symbol that you probably look at in a Web browser several times a day."

Comments (none posted)

Linux Licensing: barriers to developers (ZDNet)

ZDNet's Paul Murphy is trying to convince us that the GPL is a problem. "The GPL works, and works well, to empower innovation - but also represents a peaceful implementation of Karl Marx's famous dictum that the state should take from each individual according to the individual's abilities, and give to each individual according to that individual's needs. Indeed the GPL doesn't different in principle (although it's certainly dramatically different in practice!) from the communist Chinese policy of state confiscation of intellectual property for state use." It seems he prefers the CDDL.

Comments (33 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF: Trusted Computing Group Helps Lock Down Mobile Phones

The Electronic Frontier Foundation has sent out a press release that criticizes a new plan for a new cell phone technology. "The Trusted Computing Group (TCG), an industry consortium developing controversial computer security specifications, has released a wish list of applications of TCG technology to cell phone security. Unfortunately, much of this "security" aims to help cell phone carriers cement their control over their customers."

Full Story (comments: none)

Three New Companies Join The GNOME Foundation's Advisory Board

The GNOME Foundation has announced the joining of three new members to its advisory board. "The GNOME Foundation today announced three new corporate members -- OpenedHand Ltd., Imendio AB and Fluendo S.L. These young growing companies are eager to support the GNOME Desktop project and become more deeply involved by joining GNOME's advisory board. Based in the United Kingdom, Sweden and Spain, and specializing in different applications of the GNOME platform, they reflect the diversity and optimism of the GNOME community."

Comments (none posted)

New IPI Publication, Intellectual Property Rights and Human Rights

The Institute for Policy Innovation has released a new publication entitled Intellectual Property Rights and Human Rights. "Several internationally recognized documents such as The U.S. Constitution, The American Declaration on the Rights and Duties of Men, The Universal Declaration of Human Rights and the International Covenant on Economics, Social and Cultural Rights make it clear that those concerned about human rights made a conscious and concerted effort to ensure that intellectual property rights were protected, said IPI President Tom Giovanetti."

Full Story (comments: 2)

KDE e.V. Assembly Meeting 2005 Notes (KDE.News)

KDE.News has announced the availability of the notes from the KDE e.V. meeting. "KDE's legal body KDE e.V. held its Annual General Meeting at aKademy 2005 last month. Notes from the meeting are now available. A new board was chosen voting in Cornelius Schumacher and Aaron Seigo, and continuing Mirko Böhm and Eva Brucherseifer. Our thanks to the retiring board members Matthias Kalle Dalheimer and Harri Porten. The meeting decided to create working groups to streamline KDE development and activity, notes from the meeting discussing working groups are also available."

Comments (none posted)

Petition Aims to Improve eBay's Mozilla Firefox Support (MozillaZine)

MozillaZine has announced a petition to get eBay to improve its Firefox browser support. "Online auction news site AuctionBytes is reporting that some eBay sellers have started a petition to persuade the auction giant to support Mozilla Firefox and other alternative browsers. According to the article, some features on the eBay Sell Your Item page are optimised for Microsoft Internet Explorer and do not work correctly in Firefox and other browsers. In addition, there is no Firefox version of eBay Toolbar, which is currently only available for Internet Explorer on Windows."

Comments (none posted)

Apply now for DMCA exceptions

The Digital Millennium Copyright Act includes a provision allowing the Library of Congress to exempt certain activities from the anti-circumvention clause. To that end, the Library occasionally asks for exemption requests and makes its decisions. That process has just started again, with requests due by the beginning of December. For the curious, here are the results from the previous iteration, which happened in 2003. See also Seth Finkelstein's guide on writing DMCA exemption requests.

Comments (1 posted)

Commercial announcements

DELL NEWS: New Open-Source Ready Consumer Desktop

Dell has announced the Dimension E510n desktop computer for tech-savvy customers. It comes with a blank hard drive and a copy of FreeDOS to get started. The Dimension E510n is available immediately in the United States. The base configuration starts at $849 with a Pentium 4 630 processor, 512 MB DDR2 memory, 128 MB ATI(r) RADEON X300SE HyperMemory video card, 80 GB SATA hard drive and 1-year limited warranty.

Full Story (comments: 12)

Jataayu and MontaVista partner on mobile phone effort

Jataayu and MontaVista have announced a partnership. "Jataayu Software, a leading vendor of mobile device solutions, today announced that it has joined the Mobilinux Open Framework Partner Program. MontaVista's Mobilinux Open Framework is a program designed to increase the adoption of Linux within the mobile phone industry by providing handset vendors and mobile operators with solutions consisting of components from best of breed mobile software providers and MontaVista's Mobilinux OS platform. The primary goal of this program is to provide mobile handset vendors and operators with the architectural freedom to create and deliver differentiated products and services."

Full Story (comments: none)

PathScale and Voltaire Sign Agreement on High Performance Grid Backbone

PathScale has announced a partnership with Voltair involving InfiniBand cluster connect adapters. "One of the first Voltaire customers to receive the PathScale adapter is the Sandia National Laboratory's research facility in Livermore, CA. According to Dr. Matt Leininger, computational scientist at Sandia National Laboratories, "We see Voltaire's collaboration with PathScale as a very positive development that will make it easier for us to build extremely large InfiniBand-based clusters based on the OpenIB software stack. The ability to couple the PathScale InfiniBand adapter to Hypertransport has some significant advantages in terms of latency and effective bandwidth for many of our complex applications such as structure mechanics, computational fluid dynamics and combustion codes."

Comments (none posted)

Red Hat Reports Fiscal Second Quarter Results

Red Hat has announced its second quarter results. The fiscal quarter ended on August 31, 2005. "Total revenue for the quarter was $65.7 million, a year-over-year increase of 42% and a sequential increase of 8%. Subscription revenue was $54.3 million, an increase of 56% year-over-year and 10% sequentially."

Comments (4 posted)

Sun makes an OASIS patent pledge

Sun has issued a pledge not to enforce its patents against any implementation of the OpenDocument format specification - version 1.0 at least. There is one exception, though: Sun still reserves the right to use its patents against anybody else who asserts patent claims against OpenDocument.

Comments (17 posted)

Wind River launches a Linux distribution

Wind River Systems has announced the forthcoming availability of its Linux distribution for embedded systems. It is, says Wind River, "the first true commercial-grade Linux for device manufacturers." The distribution is based on a "pristine source" 2.6.10 kernel and includes what appears to be a nice development environment and the inevitable pile of service offerings.

Comments (none posted)

New Books

Ambient Findability - O'Reilly's Latest Release

O'Reilly has published the book Ambient Findability by Peter Morville.

Full Story (comments: none)

Asterisk: The Future of Telephony - O'Reilly's Latest Release

O'Reilly has published the book Asterisk: The Future of Telephony by Jim Van Meggelen, Jared Smith, and Leif Madsen.

Full Story (comments: none)

Practical Development Environments - O'Reilly's Latest Release

O'Reilly has published the book Practical Development Environments by Matthew B. Doar.

Full Story (comments: none)

Resources

The Linux Documentation Project Weekly News

The September 28, 2005 edition of the Linux Documentation Project Weekly News is available, take a look for the latest new documentation releases.

Comments (none posted)

Linux Gazette #119

The October Linux Gazette is out. The edition has Notes from Linux World 2005 - San Francisco, a Book Review of Knoppix Hacks, Optimizing Website Images with the Littleutils, After the Summer of Code and much more.

Comments (none posted)

TUX Issue #7 Now Available (GnomeDesktop)

GnomeDesktop.org has an announcement for issue #7 of Tux Magazine. "The latest issue of Tux Magazine is available in PDF format. Once you get past the silly bickering in the beginning of the issue, there are 3 very good articles, one on gThumb, another on GnuCash, and the last on Inkscape."

Comments (none posted)

Contests and Awards

CMP Media Announces Winners of 2005 Readers' Choice Awards

CMP Media LLC has announced the winners of its 2005 Readers' Choice Awards. ""We're always looking for ways to recognize the best products and vendors in software development; therefore, we've evolved the Readers' Choice Awards program to look at the different aspects of the development process," noted Software Development magazine Technical Editor Rosalyn Lum. "Last year, the Fortune 500 dominated the winner's list, but this year we're also recognizing lesser-known products from small to medium-sized companies, and we're very pleased with the results.""

Comments (none posted)

Surveys

ONJava 2005 Reader Survey Results, Part 2 (O'ReillyNet)

O'Reilly has published part two of the ONJava 2005 Reader Survey Results. "Is there anything else you'd like to tell our Java editors? Well, 226 people responding to the 2005 ONJava Reader Survey did. In this article, we show what they said and discuss what we're doing with the site."

Comments (none posted)

Upcoming Events

Big Nerd Ranch Europe is open for Business

Big Nerd Ranch has announced the first European PostgreSQL and Cocoa Bootcamps. The events will be held in Italy during December and January. "Following a constant demand the Big Nerd Ranch will be offering their classes in Europe. The Big Nerd Ranch Europe, operated by Stefanie Höfling, is located in Bonn, Germany".

Full Story (comments: none)

Government Open Source Conference - Portland, Oregon

The first annual Government Open Source Conference (GOSCON) will take place in Portland, Oregon on October 13 and 14, 2005.

Full Story (comments: none)

Marketing and Selling Open Source Software 2005

Two Marketing and Selling Open Source Software 2005 events have been announced. The first event will take place in Burlington, MA. on October 6 and 7, and the second will take place in San Jose, CA on November 10 and 11. "Featuring expert speakers on applications, licensing, marketing strategy, legal issues and more, the two-day conference for executives and sales and marketing managers will help companies understand how Open Source is impacting their bottom lines and how to make that impact positive."

Full Story (comments: none)

Call for Papers - DIMVA 2006

A Call for Papers has gone out for DIMVA 2006, The third GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment. Papers are due by January 13, 2006 and the event will be held on July 13 and 14, 2006 in Berlin, Germany.

Full Story (comments: none)

Events: October 6 - December 1, 2005

Date Event Location
October 6, 2005Fedora Users and Developers Conference(FUDCon London)(LinuxWorld Conference and Expo UK)London, UK
October 6, 2005LinuxWorld LondonOlympia, London, UK
October 6 - 7, 2005Web 2.0 Conference(Argent Hotel)San Francisco, CA
October 6, 2005Boston PHP User Group Security MeetingBoston, Mass.
October 7 - 9, 2005Indie Games Con 2005(IGC)Eugene, Oregon
October 8 - 10, 2005GNOME Boston Summit(Gates Building)Cambridge, MA
October 8, 2005LinuxForum BOF-dagDenmark
October 12 - 13, 2005IT Underground(ITU)Warsaw, Poland
October 13 - 14, 2005Open Source Desktop WorkshopsSan Diego, CA
October 13, 2005@System Security ConferencePisa, Italy
October 13 - 14, 2005Government Open Source Conference(GOSCON)Portland, OR
October 14 - 15, 2005HackLu 2005(Chambre des Metiers)Kirchberg, Luxembourg
October 14 - 16, 2005Blender Conference 2005(De Waag)Amsterdam, the Netherland
October 16 - 23, 2005piksel05Bergen, Norway
October 17 - 20, 2005O'Reilly European Open Source Convention(EuroOSCON)(NH Grand Hotel Krasnapolsky)Amsterdam, the Netherlands
October 18 - 21, 2005Zend/PHP Conference and Expo 2005(Hyatt Regency SF Airport Hotel)Burlingame, CA
October 18, 2005Dynamic Languages Symposium 2005(DLS05)San Diego, CA
October 19 - 21, 2005Australian Unix Users Group Conference 2005(AUUG)Sydney, Australia
October 24 - 28, 200512th Annual Tcl/Tk Conference(Red Lion Hotel)Portland, Oregon
October 30 -
November 11, 2005
Ubuntu Below Zero(downtown Holiday Inn)Montreal, Canada
November 6 - 9, 2005International PHP Conference 2005Frankfurt, Germany
November 7 - 9, 2005Open Source Database Conference 05(NH-Hotel Frankfurt-Mörfelden)Frankfurt, Germany
November 8 - 9, 2005Association Française des Utilisateurs de PHP(AFUP)Paris, France
November 12 - 18, 2005SC|05(Washington State Convention and Trade Center)Seattle, WA
November 13 - 15, 2005Firebird Conference 2005(Hotel Olsanka)Prague, Czech Republic
November 15 - 18, 2005Embedded Technology 2005(ET2005)Yokohama, Japan
November 15 - 17, 2005LinuxWorld GermanyFrankfurt, Germany
November 18, 2005European Gentoo developer meetingSchloss Kransberg, Germany
November 20 - 23, 20055tas Jornadas Regionales de Software LibreRosario, Santa Fe, Argentina
November 29 - December 2, 2005FOSS.IN/2005(Bangalore Palace)Bangalore, India

Comments (none posted)

Audio and Video programs

'The California Report' Radio Show Profiles Mozilla (MozillaZine)

MozillaZine reports that a radio show called The California Report looks at the Mozilla and Firefox browsers. "The profile discusses Mozilla and Mozilla Firefox with an emphasis on explaining the open source development methodology behind the software. Mitchell Baker, Mike Shaver and Robert O'Callahan are all featured." The audio program is available online.

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Open Source is not a "business model"

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  Cordelia Lee <news-AT-asia.cnet.com>, letters-AT-lwn.net
Subject:  Open Source is not a "business model"
Date:  Fri, 30 Sep 2005 07:45:56 +0800

Cordialia Lee wrote for CNet:
 
    http://asia.cnet.com/zd/news/software/0,39044164,39270644...
 
> Any product or service should be chosen for being the most suitable
> to use," [DPP of CompTIA, Michael] Mudd said. "Open standards,
> technical neutrality and interoperability are far more important
> than the business model itself. That's our view."
 
Open source is not a "business model", it's a development process.
Organisations can layer a business model around an Open Source
development process, or a "secret sauce" development process, or a
mixture of the two without necessarily altering their business model.
 
However, it's much harder to build a monopoly or any other unhealthy
business model around Open Source, and the Malaysian Government
rightfully objects to being at the wrong end of a monopoly.
 
The preference for Open Source not only helps Malaysia to save its
people's money up front, but also reduces the amount of control which
(rightfully) self-interested foreign corporations exercise over its IT
operations.
 
If you examine CompTIA's funding, you will discover that the single
biggest source is a foreign convicted monopolist, and it's not hard to
imagine a connection between that factor and Mudd's opinion.
 
Cheers; Leon
 
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://slpwa.asn.au/ Member, Linux Professionals WA
http://osia.net.au/ Member, Open Source Industry Australia
http://linux.org.au/ Member, Linux Australia

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds