The Ubuntu 5.10 release is out, and the initial reviews are good. The
Ubuntu team, however, is not taking time out to drink beer and relax before
pondering its next release. Well, OK, maybe they are taking a little
time. But, when the hangovers wear off, they are still putting some
thought into their next release, which will break some new ground.
Meanwhile, the Debian Project is looking forward to its next release as
well. In both cases, the planning process gives us a hint of what to
expect from these distributions in the near future.
Ubuntu's approach has been to crank out a distribution every six months,
integrating a great deal of bleeding-edge software each time. This process
has been through three cycles now, with obvious success. The next release
(6.04, or "Dapper Drake") will be different, however: Ubuntu has stated
that 6.04 will be supported for three years on desktops, and five years on
server systems. That is quite a promise for such a young company to make,
but, if Ubuntu can live up to it, the popularity of this distribution could
grow. Thus far, five-year support has come with a hefty price tag; the
prospect of free updates from Ubuntu for that long could make a number of
companies wonder just what they are paying for. The fact that Ubuntu's
security response time tends to be excellent can only help in that regard.
All this depends on Ubuntu being able to make a credible promise of
long-term support. This week, Ubuntu's Jeff Waugh took some steps in that
direction with these thoughts on the Dapper
release process. If this proposal becomes policy,
Dapper will, indeed, be a different
sort of release.
The core of the proposed Dapper process is this: the upstream version freeze which
was imposed for the 5.10 release will remain in place. Essentially, the
distribution will be frozen for the next six months, with the bulk of
development effort going into ensuring that it is the most stable,
supportable release possible. Another way of looking at it is that all of
those users happily downloading the Breezy release now get to be the beta
testers for 6.04. This is a major change for Ubuntu, but, as Jeff put it:
We can't just follow the same release process and expect to be able
to ship a long term supportable system. 6.04 will be different, so
we need to think about it differently.
Of course, too much stability would be contrary to the Ubuntu spirit, so
the developers are leaving themselves a bit of room to toss in some newer
packages. So 6.04 will have a few, small upgrades, including:
- GNOME 2.14 (and whatever is the current KDE)
- Firefox 1.5
- The modular X.org 7 release
- OpenOffice.org 2.0
- A newer kernel, probably 2.6.14
The list of exceptions is expected to be discussed at the upcoming UbuntuBelowZero
gathering. The picture coming into focus now suggests that 6.04 will
include some major upgrades, but much of the infrastructural code,
especially that used on server systems, will remain at the version shipped
with 5.10.
The Debian Project got its Sarge release out the door last June. By normal
Debian timelines, it is thus quite early to be thinking about pulling
things together for another release. Instead, Debian developers should be
busily testing the patience of sid users by filling it with unstable,
incompatible, major package updates. Well, the developers have indeed been
on top of that task, but release manager Steve Langasek is trying to ruin
the fun with this plan for the next Debian
release, called "etch."
That release will be put together by Steve, along with new co-release
manager Andreas Barth. They have a timeline, which involves a toolchain
freeze at the end of next July, a general freeze in October 2006, and the
etch release is planned, with great precision, for December 4, 2006.
July seems like a distant prospect, but Steve notes that
this deadline does not leave a whole lot of time for big changes:
What's not spelled out in the above timeline is that this basically
leaves people until around the end of the year to implement any
dastardly plans they have that require sweeping changes to the
archive, followed by another half a year of comparatively minor
changes (you know, the kind that *don't* render half the libraries
RC-buggy in a single upload...)
If this timeline holds, we should see the shape of the etch release by the
beginning of next year. Looking at the current plan, it seems that etch
will have made the switch to gcc 4.0 and (finally) X.org. Another
long-delayed advance will be support for the amd64 architecture as an
official Debian port. Then there is the crucial business of purging
the distribution of non-free documentation, and non-free firmware as
well. Tasks on the wishlist include full SELinux support, a default UTF-8
locale, multiarch support, and more.
The following eleven months of stabilization seem glacial by Ubuntu
standards, but it is an optimistic timeline for Debian. One interesting
change that the project is considering is to continue to allow
non-maintainer updates to all packages throughout the etch cycle. Debian
developers have historically been the lords of their particular bits of
package turf, so non-maintainer updates have always been a sensitive
issue. The release managers believe, however, that non-maintainer updates
speed the release process - and make Debian a better distribution as well.
Both distributions have a lot to gain if they can make their plans stick.
Ubuntu will have produced a stable distribution which it can credibly
promise to support for five years, all while keeping its six-month release
cycle. Debian, meanwhile, will be able to get a stable distribution out in
a timely manner without compromising its high quality standards. In both
cases, the end result can only be good for Linux users.
[Update: Ubuntu patron Mark Shuttleworth has posted his position on freezing for 6.04; he is
inclined to be more permissive - for a while at least - on what gets into
that release.]
Comments (19 posted)
One problem with governments is that, unsurprisingly, powerful interests
try to direct governmental power toward their own ends. Those who
would fight power grabs quickly learn a hard lesson: those pushing for more
power usually need only win once, while those who oppose them must win over
and over again. This dynamic can be seen, for example, in the current
broadcast flag debate in the U.S. This flag has already been defeated
once, but nobody doubts that it will return, perhaps repeatedly.
In Europe, the debate on software patents is likely to go the same way.
Those who have a substantial amount to gain if software patents are adopted
throughout the EU are unlikely to simply give up just because they lost the
battle last July. So software patents in Europe will almost certainly be
back. Now it is starting to look like the vehicle for the next attempt to
impose software patents might be a process called the "Community Lisbon
Programme."
This program is part of an effort to improve the health of European
economies by making the EU as a whole more efficient and competitive. It
is a large undertaking touching on many areas, including regulation, internal
markets, environmental issues, global trade agreements and more. Deep
within a
recently-released document [PDF] on the implementation of the program
is a section on intellectual property rights ("IPR"). It reads, in part:
Companies and their clients need IPR which stimulates innovation,
provides a stable context in which to make investment decisions,
and encourages the development of efficient new business
models. The debate engendered by the proposed directive on the
patentability of computer-implemented inventions has demonstrated
that framing IPR rules which balance the needs of all stakeholders
is by no means easy. The Commission will therefore launch a
dialogue with industry and other interested parties in 2006 to
determine what more might usefully be done to provide European
industry with a sound IPR framework.
It is not hard to imagine that the result of this process could be a
renewed directive establishing software patents in Europe. This time,
however, it could be buried within a much larger chunk of EU-level
industrial policy legislation, and, thus, harder to defeat.
Clearly, the free software community needs to be among the "other
interested parties" participating in this process. We have many thoughts
on what makes up a "sound IPR framework," and they should be heard early
on. In the later stages of this program, when it truly comes into public
view, it will be too late to effect changes on issues like patents.
Comments (12 posted)
Back in 1993, Bob Young created a company called "ACC Corporation," which,
among other things, dealt in early Linux distributions. In 1995, ACC
acquired Marc Ewing's Red Hat Linux distribution; the combined company was
then named Red Hat software. Over the coming years, Red Hat would
transform the Linux business environment, become the first Linux-related
company to obtain big-name venture capital, and the first to go public.
Regardless of how one feels about the company or its distribution, it is
hard to deny that Red Hat has had a big influence on the Linux community as
a whole.
On October 18, Red Hat announced
that Bob Young had resigned from the company's board of directors, with the
intent of spending more time on his other endeavor: Lulu.com. Bob's role in the company had been
shrinking for years; he had not been involved in day-to-day management for
some time. Still, when one thinks of the names involved with the early Red
Hat (Marc Ewing, Donnie Barnes, Michael Johnson, Eric Troan, ...), it
becomes clear that they have all moved on. Bob was the last of the crowd
which helped to set new standards for Linux distributions and showed that
it was possible to build a business around Linux.
Bob's vision was not always perfect - remember that Red Hat went public
with a business plan
stating that its Internet portal was the key to its future
profitability. Still, he clearly got some things right. Seeking an
example of how he saw things in the early days, your editor spent some time
digging through his mailbox. What turned up was this message on how Red Hat chose Linux over
BSD, sent to the free software business mailing list back in 1998. It
makes an interesting read:
When we launched Red Hat Software, Inc, we planned to sell an
operating system. It doesn't take a rocket scientist to recognize
that being in the OS business meant that we were competing with
Microsoft.
While our ambitions at the outset were quite limited, we can drink
as much beer as anyone, and on those occasions when our natural
intelligence was at its most limited, we'd speculate on what
Microsoft's reaction would be when we became a real threat.
They concluded that a GPL-licensed system would not be as vulnerable to the
famous "embrace and extend" strategy as a system covered by the BSD
license. Were it not for the licensing issue (and a couple of others,
mentioned in the message) and adequate supplies of beer, Bob and Marc might
just have gone into business with "Red Hat BSD."
Bob has been well rewarded for his role in the creation of Red Hat - he
still owns about 5% of the company, according to the proxy information sent
out for last August's board election. Still, it is worth a moment to say
"thanks, Bob." Linux would certainly have succeeded without Red Hat, but
it would have been a different, and possibly slower, path to success.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
There has been a fairly long list of kernel vulnerabilities over the last
few months, but few of them have received much serious attention (outside
of the security groups at numerous distributors, who have been duly issuing
patches as the issues come up). Here's a selection of recent problems.
| CVE | Fixed-in | Description |
| CAN-2005-2098 | 2.6.12.5, 2.6.13 | The session keyring code had an error path which could fail to release the session management semaphore. As a result, any local user could cause processes to hang. |
| CAN-2005-2099 | 2.6.12.5, 2.6.13 | A keyring which failed to instantiate correctly could leave behind a NULL pointer which would subsequently be dereferenced by the kernel, causing an oops. |
| CAN-2005-1761 | 2.6.12.1 | A ptrace() bug on the ia64 architecture enables local denial of service attacks. (Patch) |
| CAN-2005-1913 | 2.6.12.1 | The subthread exec code did not properly reparent timers, leading to an oops caused by a local user when signals are delivered to the wrong thread. (Patch) |
| CAN-2005-2456 | 2.6.13 | The XFRM policy parser had an array overflow, enabling denial of service attacks by local users. (Patch) |
| CAN-2005-2457 | 2.6.13 | Mounting a malicious compressed ISO filesystem could lead to a kernel oops. |
| CAN-2005-2458, CAN-2005-2459 | 2.6.13 | Two zlib vulnerabilities which can be used to oops the kernel and create denial of service attacks. |
| CAN-2005-2490 | 2.6.13.1 | A race condition with user space allows a local attacker to change the contents of a message passed to the 32-bit version of sendmsg() on 64-bit architectures. The result is a locally exploitable buffer overflow. (Patch) |
| CAN-2005-2492 | 2.6.13.1 | An unchecked user-space dereference in sendmsg() can be exploited to oops the system. (Patch) |
| CAN-2005-2548 | 2.6.9 | A hostile UDP packet could cause the 8021Q VLAN code to oops, leading to remote denial of service attacks. |
| CAN-2005-2555 | 2.6.13 | The kernel failed to restrict kernel socket policy loading to administrative users. (Patch) |
| CAN-2005-3044 | 2.6.13.2 | The 32-bit ioctl() handler on x86-64 was missing an fput() call. This error could be exploited by a local attacker to corrupt kernel data structures. (Patch) |
| CAN-2005-3053 | 2.6.13 | The set_mempolicy() system call, used to tweak memory behavior on NUMA systems, did not properly check the policy argument. A local attacker could, by supplying a negative value, cause a kernel oops. (Patch) |
| CAN-2005-3106 | 2.6.11 | A race condition between core dumps and exec() could enable a local attacker to deadlock the system. (Patch) |
| CAN-2005-3107 | 2.6.11 | Another local deadlock related to core dumps and ptrace(). (Patch) |
| CAN-2005-3108 | 2.6.11 | The right sort of I/O mapping could create information leaks and kernel oopses on the x86-64 platform. It is hard to see how this one could be exploited by an unprivileged user. (Patch) |
| CAN-2005-3109 | 2.6.11 | A maliciously created HFS filesystem could oops the kernel, if the system was configured to allow users to mount such filesystems. (Patch) |
| CAN-2005-3110 | 2.6.12 | A race condition in the netfilter ebtables module can cause a kernel oops on SMP systems. (Patch) |
| CAN-2005-3119 | 2.6.13.4 | A memory leak in the key request code could be used in denial of service attacks. (Patch) |
| CAN-2005-3180 | 2.6.13.4 | The orinoco driver can leak information onto the net. (Patch) |
| CAN-2005-3181 | 2.6.13.4 | A memory leak in the audit code can be used for denial of service attacks. (Patch) |
That is a long list of vulnerabilities. The fact that almost all of them
are "only" denial of service problems, and that only one of those is truly
remotely exploitable, is of limited consolation.
One may well wonder why the kernel is the source of so many security holes,
far more than any other package on the system. The complexity of the
kernel and the environment in which it runs, the fact that many
often-harmless bugs (such as memory leaks) turn into security issues for
the kernel, and the high level of auditing which is done on kernel code are
all part of the answer to that question. Unfortunately, the flow of
security issues in the kernel is unlikely to stop anytime soon.
Comments (6 posted)
It has been known for some time that high-resolution color printers added
codes to their output which would enable that output to be traced. The EFF
has now
found and decoded those marks for a
number of popular printers. It turns out that the scheme used is fairly
simple - an unencrypted code which includes the printing time and the
serial number of the printer. See
the EFF's printer
list to see if your printer encodes this information, and
this page to
learn how to find and decode the markings.
The moral of the story is clear: if we do not control our devices, they
will not work in our interests. There are plenty of good reasons for
wanting to be able to print anonymously, and there is no doubt that this
sort of watermarking can be used for the suppression of dissent and the
shutting down of whistle-blowers. Thanks to the EFF, we can at least see
this particular bit of technological ratware. But, as the EFF says:
"Even worse, it shows how the government and private industry make
backroom deals to weaken our privacy by compromising everyday equipment
like printers. The logical next question is: what other deals have been or
are being made to ensure that our technology rats on us?"
Comments (5 posted)
Brief items
If you are running the Snort intrusion detection system along with the
"Back Orifice" preprocessor, you want to read the attached advisory (click
below). Back Orifice suffers from a buffer overflow which can be exploited
by any remote attacker who can get a UDP packet onto your network. The
hole can be closed by upgrading to snort 2.4.3, or by disabling Back
Orifice.
Full Story (comments: 1)
New vulnerabilities
curl/wget: NTLM username buffer overflow
| Package(s): | curl wget |
| CVE #(s): | CAN-2005-3185 |
| Created: | October 14, 2005 |
| Updated: | November 7, 2005 |
| Description: | A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name. This can happen when NTLM authentication is enabled and either a) a user and domain name that together are longer than 192 bytes are passed to libcurl, or b) (lib)curl is allowed to follow HTTP redirects and the new URL contains a user and domain name that together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details. |
Comments (none posted)
lynx: stack overflow
| Package(s): | lynx |
| CVE #(s): | CAN-2005-3120 |
| Created: | October 17, 2005 |
| Updated: | November 7, 2005 |
| Description: | Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. |
Comments (none posted)
netpbm: buffer overflow in "pnmtopng"
| Package(s): | netpbm-free |
| CVE #(s): | CAN-2005-2978 |
| Created: | October 18, 2005 |
| Updated: | October 28, 2005 |
| Description: | A buffer overflow was found in the "pnmtopng" conversion program. By tricking a user (or automated system) into processing a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng. |
Comments (none posted)
OpenWBEM: arbitrary code execution
| Package(s): | OpenWBEM |
| CVE #(s): | |
| Created: | October 17, 2005 |
| Updated: | October 19, 2005 |
| Description: | The SUSE Security Team performed a security review of important parts of the OpenWBEM system. During the audit, several integer wraparounds and buffer overflows were discovered and fixed. If exploited, they allow remote attackers to execute arbitrary code with root privileges. |
Comments (none posted)
Perl, Qt-UnixODBC, CMake: RUNPATH issues
| Package(s): | perl qt-unixodbc CMake |
| CVE #(s): | |
| Created: | October 17, 2005 |
| Updated: | October 19, 2005 |
| Description: | Some packages may introduce insecure paths into the list of directories that are searched for libraries at runtime. Furthermore, packages depending on the MakeMaker Perl module for build configuration may have incorrectly copied the LD_RUN_PATH into the DT_RPATH. A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent executable, potentially resulting in privilege escalation. |
Comments (none posted)
php: open_basedir directive handling
| Package(s): | php4 |
| CVE #(s): | CAN-2005-3054 |
| Created: | October 17, 2005 |
| Updated: | October 24, 2005 |
| Description: | A bug has been found in the handling of the open_basedir directive. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash ('/'). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to '/home/user1/'. |
Comments (none posted)
phpMyAdmin: arbitrary code execution
| Package(s): | phpmyadmin |
| CVE #(s): | |
| Created: | October 17, 2005 |
| Updated: | October 19, 2005 |
| Description: | Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated. Systems running PHP in safe mode are not affected. A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. |
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
| CVE #(s): | CVE-2005-3183 |
| Created: | October 14, 2005 |
| Updated: | May 2, 2007 |
| Description: | Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c |
Comments (1 posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
Comments (none posted)
abiword: buffer overflow
| Package(s): | abiword |
| CVE #(s): | CAN-2005-2964 |
| Created: | September 29, 2005 |
| Updated: | November 14, 2005 |
| Description: | The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user. |
Comments (none posted)
apache information disclosure if modssl=yes
| Package(s): | apache |
| CVE #(s): | CAN-2005-2700 |
| Created: | September 2, 2005 |
| Updated: | November 10, 2005 |
| Description: | An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced. |
Comments (none posted)
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
| CVE #(s): | CAN-2005-1268, CAN-2005-2088 |
| Created: | July 25, 2005 |
| Updated: | November 7, 2005 |
| Description: | Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks. Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). |
Comments (none posted)
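The Watchfire issue in the httpd entry above is a request-smuggling problem: when a proxy and the origin server disagree about which header frames the message body, one request on the wire is read as two. The Python below is added here as an illustration and is not code from the Apache project or from the advisory. It shows the gate a proxy, reverse proxy or log-replay tool can apply: parse the request head keeping every header (duplicates included), then refuse to forward any message whose framing is ambiguous, which is the behaviour later HTTP/1.1 guidance recommends. The three sample requests are constructed, not captured traffic.

```python
from typing import List, Optional, Tuple

def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.1 request head into the request line and a list of
    (lower-cased name, value) pairs. Order and duplicates are preserved on
    purpose: the framing check has to see exactly what the origin will see."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Whitespace between the field name and the colon is a classic
        # desynchronisation trick; reject it rather than guess.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers

def framing_problem(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a reason the body length cannot be determined unambiguously,
    or None if the message is safe to frame."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            return "Transfer-Encoding does not end with chunked"
    return None

def should_forward(raw: bytes) -> bool:
    """Proxy-side decision: forward only requests with unambiguous framing;
    everything else deserves a 400 and a log line."""
    _, headers = parse_request_head(raw)
    return framing_problem(headers) is None

# Constructed sample requests (not captured traffic).
AMBIGUOUS = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CONFLICTING = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4\r\nContent-Length: 10\r\n\r\nabcd")
CLEAN = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\n\r\nabcd")

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS), ("conflicting", CONFLICTING), ("clean", CLEAN)):
        _, hdrs = parse_request_head(req)
        print(label, "->", framing_problem(hdrs) or "forward")
```

The check is deliberately strict: a well-behaved client never sends both framing headers, so rejecting the combination costs nothing and removes the disagreement the attack depends on.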
awstats: command injection vulnerability
| Package(s): | awstats |
| CVE #(s): | CAN-2005-1527 |
| Created: | August 11, 2005 |
| Updated: | November 10, 2005 |
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. |
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes that file's permissions after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
Comments (2 posted)
cfengine: insecure temporary files
| Package(s): | cfengine |
| CVE #(s): | CAN-2005-2960 |
| Created: | October 3, 2005 |
| Updated: | October 14, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root. |
Comments (none posted)
common-lisp-controller: design error
| Package(s): | common-lisp-controller |
| CVE #(s): | CAN-2005-2657 |
| Created: | September 14, 2005 |
| Updated: | November 21, 2005 |
| Description: | François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before. |
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice: cpio extracts to the path specified in the cpio file, and that path can be absolute. |
Comments (1 posted)
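The php open_basedir entry and the cpio entry above are two faces of one mistake: deciding whether a path lies inside a directory by comparing characters rather than path components. The Python below is an added example, not code from PHP, GNU cpio or either advisory. It shows the flawed prefix test beside a component-wise containment check, and then reuses that check to validate archive member names before extraction. The member-name validation goes a little beyond the cpio advisory (which concerns absolute paths) by also refusing `..` escapes and NUL bytes. The sample member names and the `/srv/unpack` destination are constructed; the functions assume absolute POSIX paths.

```python
import posixpath

def under_basedir_naive(path: str, basedir: str) -> bool:
    """The flawed check from the open_basedir entry: strip the trailing slash,
    then compare characters. '/home/user1/' therefore also admits
    '/home/user10/...'. Kept only to show the failure."""
    base = posixpath.normpath(basedir)
    return posixpath.normpath(path).startswith(base)

def under_basedir(path: str, basedir: str) -> bool:
    """Component-wise containment: True only when every component of basedir
    is a leading component of path. Both paths must be absolute."""
    base = posixpath.normpath(basedir)
    target = posixpath.normpath(path)
    if not (base.startswith("/") and target.startswith("/")):
        raise ValueError("both paths must be absolute")
    return posixpath.commonpath([base, target]) == base

def safe_extract_path(dest: str, member: str) -> str:
    """Resolve an archive member name against dest (absolute), refusing names
    that would land outside it: absolute names (the cpio case), names whose
    '..' components climb out of dest, and names containing NUL."""
    if "\x00" in member:
        raise ValueError("NUL byte in member name")
    if member.startswith("/"):
        raise ValueError(f"absolute member name refused: {member!r}")
    dest_abs = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_abs, member))
    if not under_basedir(target, dest_abs):
        raise ValueError(f"member escapes destination: {member!r}")
    return target

def check_members(dest: str, members) -> dict:
    """Classify member names: accepted (name -> target path) or refused
    (name -> reason). Useful as a pre-extraction audit of an archive listing."""
    accepted, refused = {}, {}
    for m in members:
        try:
            accepted[m] = safe_extract_path(dest, m)
        except ValueError as e:
            refused[m] = str(e)
    return {"accepted": accepted, "refused": refused}

# Constructed sample member names; not taken from any real archive.
SAMPLE_MEMBERS = ["etc/motd", "./bin/tool", "/etc/passwd", "../../.bashrc", "docs/../README"]

if __name__ == "__main__":
    print("naive:", under_basedir_naive("/home/user10/secret", "/home/user1/"))  # True: the bug
    print("fixed:", under_basedir("/home/user10/secret", "/home/user1/"))        # False
    print(check_members("/srv/unpack", SAMPLE_MEMBERS))
```

Note that `docs/../README` is accepted: the check normalises first and judges the result, so benign `..` components that stay inside the destination are not a problem, while `../../.bashrc`, which normalises to a path outside it, is refused.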
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
Comments (none posted)
elm: buffer overflow
| Package(s): | elm |
| CVE #(s): | CAN-2005-2665 |
| Created: | August 23, 2005 |
| Updated: | November 11, 2005 |
| Description: | A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it. |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
Comments (none posted)
evolution: format string issues
Comments (2 posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
Comments (1 posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
Comments (none posted)
graphviz: insecure temporary file
| Package(s): | graphviz |
| CVE #(s): | CAN-2005-2965 |
| Created: | October 10, 2005 |
| Updated: | October 21, 2005 |
| Description: |
Javier Fernández-Sanguino Peña discovered insecure temporary file
creation in graphviz, a rich set of graph drawing tools, that can be
exploited to overwrite arbitrary files by a local attacker.
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches.
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Comments (2 posted)
htdig: cross-site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
Comments (none posted)
Hylafax: insecure temporary file creation in xferfaxstats
| Package(s): | hylafax |
| CVE #(s): | CAN-2005-3069 |
| Created: | September 30, 2005 |
| Updated: | October 13, 2005 |
| Description: |
Javier Fernández-Sanguino has discovered that the xferfaxstats cron script
supplied by Hylafax < 4.2.2 insecurely creates temporary files with
predictable filenames.
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that, if connected to by a victim, could
execute arbitrary code on the client machine.
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code.
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
| CVE #(s): | CVE-2005-1108, CVE-2005-1109 |
| Created: | April 13, 2005 |
| Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap
corruption bug and a possible privacy violation.
Comments (1 posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions
3.2.0 through 3.4.2 suffers from a lock file handling error which can enable
a local attacker to obtain root access. See this advisory for details.
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates
a file backup before saving a modified file. These backup files are created
with default permissions, even if the original file had more strict
permissions set. See this advisory for more information.
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
koffice: KWord RTF import buffer overflow
| Package(s): | koffice |
| CVE #(s): | CAN-2005-2971 |
| Created: | October 12, 2005 |
| Updated: | November 7, 2005 |
| Description: |
The KOffice RTF import module suffers from a buffer overflow vulnerability
which could be exploited via a malicious RTF file. See the KDE
advisory for details.
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
| CVE #(s): | CAN-2004-0175, CAN-2005-0488, CAN-2005-1175, CAN-2005-1689 |
| Created: | July 12, 2005 |
| Updated: | December 6, 2005 |
| Description: |
The krb5 authentication code has a double-free flaw which may be
triggered by a remote unauthenticated attacker.
Also, a single-byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service, and an information disclosure may
be caused by a malicious telnet server. See
this report for more
information.
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
| CVE #(s): | CAN-2005-1349 |
| Created: | May 20, 2005 |
| Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code.
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
running code that uses the affected parts of the library.
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu instant messaging
client), which is also included in gaim, a multi-protocol instant
messaging client. This cannot be exploited on the x86 architecture,
but on others (e.g. SPARC) it leads to a bus error, in other words a
denial of service.
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
| CVE #(s): | CAN-2005-0106 |
| Created: | May 3, 2005 |
| Updated: | January 27, 2006 |
| Description: |
Javier Fernández-Sanguino Peña discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2005-1544 |
| Created: | May 10, 2005 |
| Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack-based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code.
Comments (1 posted)
libuser: denial of service
| Package(s): | libuser |
| CVE #(s): | CAN-2004-2392 |
| Created: | October 11, 2005 |
| Updated: | October 12, 2005 |
| Description: |
Several denial of service bugs were discovered in libuser. Under certain
conditions it is possible for an application linked against libuser to
crash or operate irregularly.
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution.
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | linux-source-2.6.10, linux-source-2.6.8.1 |
| CVE #(s): | CAN-2005-3053, CAN-2005-3106, CAN-2005-3107, CAN-2005-3108, CAN-2005-3109, CAN-2005-3110 |
| Created: | October 10, 2005 |
| Updated: | October 27, 2005 |
| Description: |
A Denial of Service vulnerability was discovered in the
sys_set_mempolicy() function. By calling the function with a negative
first argument, a local attacker could cause a kernel crash.
(CAN-2005-3053)
A race condition was discovered in the handling of shared memory
mappings with CLONE_VM. A local attacker could exploit this to cause a
deadlock (Denial of Service) by triggering a core dump while waiting
for a thread which had just performed an exec() system call.
(CAN-2005-3106)
A race condition was found in the handling of traced processes. When
one thread was tracing another thread that shared the same memory map,
a local attacker could trigger a deadlock (Denial of Service) by
forcing a core dump when the traced thread was in the TASK_TRACED
state. (CAN-2005-3107)
A vulnerability has been found in the "ioremap" module. By performing
certain IO mapping operations, a local attacker could either read
memory pages to which he does not normally have access (information leak)
or cause a kernel crash (Denial of Service). This only affects the amd64
platform. (CAN-2005-3108)
The HFS and HFS+ file system drivers did not properly verify that the
file system being mounted really was HFS/HFS+. On
machines which allow users to mount arbitrary removable devices as HFS
or HFS+ with an /etc/fstab entry, this could be exploited to trigger a
kernel crash. (CAN-2005-3109)
Steve Herrel discovered a race condition in the "ebtables" netfilter
module. A remote attacker could exploit this by sending specially
crafted packets that caused a value to be modified after it had
been read but before it had been locked. This eventually led to a
kernel crash. This only affects multiprocessor machines (SMP).
(CAN-2005-3110)
Comments (none posted)
lm-sensors: insecure temp files
| Package(s): | lm-sensors |
| CVE #(s): | CAN-2005-2672 |
| Created: | August 23, 2005 |
| Updated: | November 10, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the pwmconfig script created
temporary files in an insecure manner. This could allow a symlink attack to
create or overwrite arbitrary files with full root privileges since
pwmconfig is usually executed by root.
Comments (1 posted)
Mailutils: format string vulnerability in imap4d
Comments (none posted)
mod-auth-shadow: authorization bypass
| Package(s): | mod-auth-shadow |
| CVE #(s): | CAN-2005-2963 |
| Created: | October 5, 2005 |
| Updated: | October 27, 2005 |
| Description: |
The apache mod-auth-shadow module can, incorrectly, override other
authorization mechanisms, allowing access which would otherwise be denied.
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2005-0088 |
| Created: | February 10, 2005 |
| Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
Comments (none posted)
mozilla: buffer overflow
| Package(s): | mozilla |
| CVE #(s): | CAN-2005-2871 |
| Created: | September 12, 2005 |
| Updated: | October 20, 2005 |
| Description: |
The Mozilla browser, Firefox and Thunderbird have a buffer overflow
vulnerability. A local user can be tricked into clicking a URL that
can cause the local application to crash, and possibly execute arbitrary
code. See this article
for more information.
Comments (none posted)
mysql: buffer overflow
| Package(s): | mysql |
| CVE #(s): | CAN-2005-2558 |
| Created: | September 12, 2005 |
| Updated: | January 12, 2006 |
| Description: |
The mysql CREATE FUNCTION can be used to create a buffer overflow.
A specially crafted long function name can be used by a local attacker
to crash the server or execute arbitrary code with the privileges of
the server.
Comments (none posted)
mysql: low-impact security fix
| Package(s): | mysql |
| CVE #(s): | CAN-2005-1636 |
| Created: | July 20, 2005 |
| Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689).
Comments (1 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
| CVE #(s): | CAN-2005-0013, CAN-2005-0014 |
| Created: | January 31, 2005 |
| Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-0946 |
| Created: | January 11, 2005 |
| Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
| CVE #(s): | CAN-2005-2496 |
| Created: | August 26, 2005 |
| Updated: | August 11, 2006 |
| Description: |
When xntpd is started with the -u option and the group is specified
by name rather than by numeric gid, the daemon uses the gid of the
user, not that of the group. This problem is now fixed
by this update.
Comments (none posted)
openssh: GSSAPI credential disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2005-2798 |
| Created: | September 7, 2005 |
| Updated: | February 3, 2006 |
| Description: |
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated
to users who are not using GSSAPI authentication, possibly leading to the
unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Comments (none posted)
openssl: protocol rollback
| Package(s): | openssl |
| CVE #(s): | CAN-2005-2969 |
| Created: | October 12, 2005 |
| Updated: | December 19, 2005 |
| Description: |
OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which
could enable an attacker to force the use of the older, less secure SSL 2.0
protocol. See this advisory for details or this analysis for even more
details.
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pam_ldap: plain text authentication leak
| Package(s): | pam_ldap |
| CVE #(s): | CAN-2005-2069 |
| Created: | July 14, 2005 |
| Updated: | October 17, 2005 |
| Description: |
pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting,
allowing an attacker to sniff unencrypted passwords and other information.
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
| CVE #(s): | CAN-2005-2491 |
| Created: | August 23, 2005 |
| Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in PCRE, a widely used library
that provides Perl-compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library.
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode.
The PERLIO_DEBUG environment variable can be used to overwrite arbitrary
files; there is also an associated buffer overflow which can be exploited
to gain root access.
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
| CVE #(s): | CAN-2005-0448 |
| Created: | March 9, 2005 |
| Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File::Path module has a symlink vulnerability
which could be exploited to create setuid binaries.
Comments (none posted)
phpsysinfo: cross-site scripting
| Package(s): | phpsysinfo |
| CVE #(s): | CAN-2005-0870 |
| Created: | May 18, 2005 |
| Updated: | November 15, 2005 |
| Description: |
The phpsysinfo program contains several cross-site scripting vulnerabilities.
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
| CVE #(s): | CAN-2005-1409, CAN-2005-1410 |
| Created: | May 4, 2005 |
| Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by
default; they allow a local attacker (one with access to the database) to
crash the back end and, perhaps, execute code with the privileges of the
server process. See this advisory for details and workarounds.
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
| CVE #(s): | CVE-2005-1391 |
| Created: | May 2, 2005 |
| Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process.
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
| CVE #(s): | CAN-2005-2471 |
| Created: | August 1, 2005 |
| Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for
more information.
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
| CVE #(s): | CAN-2005-2875 |
| Created: | September 19, 2005 |
| Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game
network, and clients accept without restriction the objects and code sent
by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
| CVE #(s): | CAN-2004-0564 |
| Created: | October 4, 2004 |
| Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Comments (none posted)
ruby: bypass object flags
| Package(s): | ruby1.8 |
| CVE #(s): | CAN-2005-2337 |
| Created: | October 10, 2005 |
| Updated: | October 21, 2005 |
| Description: |
The object oriented scripting language Ruby supports safely executing
untrusted code with two mechanisms: safe level and taint flag on
objects. Dr. Yutaka Oiwa discovered a vulnerability that allows
Ruby methods to bypass these mechanisms. In systems which use this
feature, this could be exploited to execute Ruby code beyond the
restrictions specified in each safe level.
Comments (none posted)
smb4k: temporary file vulnerability
| Package(s): | smb4k |
| CVE #(s): | CVE-2005-2851 |
| Created: | September 7, 2005 |
| Updated: | December 7, 2005 |
| Description: |
Smb4K has a temporary file vulnerability which can allow an unprivileged
user to read certain files which would otherwise be inaccessible.
Comments (none posted)
SPE: insecure file permissions
| Package(s): | SPE |
| CVE #(s): | |
| Created: | October 17, 2005 |
| Updated: | October 19, 2005 |
| Description: |
It was reported that due to an oversight all of SPE's files are set
world-writable. A local attacker could modify the executable files, causing
arbitrary code to be executed with the permissions of the user running SPE.
Comments (none posted)
squid: DoS issues
| Package(s): | squid |
| CVE #(s): | CAN-2005-2794, CAN-2005-2796 |
| Created: | September 6, 2005 |
| Updated: | November 7, 2005 |
| Description: |
Squid-2.5.10-r2 and earlier has three Denial of Service issues.
Comments (none posted)
squid: authentication handling
| Package(s): | squid |
| CVE #(s): | CAN-2005-2917 |
| Created: | September 30, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart.
Comments (none posted)
squirrelmail: cross-site scripting
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2005-3128 |
| Created: | October 12, 2005 |
| Updated: | October 12, 2005 |
| Description: |
Yet another cross-site scripting vulnerability has been found in
squirrelmail; this one affects the "Address Add" plugin.
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
| CVE #(s): | CAN-2005-1993 |
| Created: | June 21, 2005 |
| Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time.
Comments (none posted)
sysreport: insecure temporary file
| Package(s): | sysreport |
| CVE #(s): | CAN-2005-2104 |
| Created: | August 9, 2005 |
| Updated: | November 11, 2005 |
| Description: |
Bill Stearns discovered a bug in the way sysreport creates temporary files.
It is possible that a local attacker could obtain sensitive information
about the system when sysreport is run.
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
| CVE #(s): | CAN-2005-1280, CAN-2005-1279, CAN-2005-1278 |
| Created: | May 2, 2005 |
| Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
| CVE #(s): | CAN-2005-3011 |
| Created: | October 5, 2005 |
| Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Comments (none posted)
ucd-snmp: denial of service
| Package(s): | ucd-snmp |
| CVE #(s): | CAN-2005-2177 |
| Created: | August 9, 2005 |
| Updated: | January 27, 2006 |
| Description: |
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash.
Comments (none posted)
uim: privilege escalation
| Package(s): | uim |
| CVE #(s): | CVE-2005-3149 |
| Created: | October 4, 2005 |
| Updated: | December 7, 2005 |
| Description: |
Masanari Yamamoto discovered that Uim uses environment variables
incorrectly. This bug causes a privilege escalation if setuid/setgid
applications are linked to libuim. This bug only affects
immodule-enabled Qt (if you build Qt 3.3.2 or later versions with
USE="immqt" or USE="immqt-bc").
Comments (none posted)
unzip: race condition
| Package(s): | unzip |
| CVE #(s): | CAN-2005-2475 |
| Created: | September 29, 2005 |
| Updated: | January 12, 2006 |
| Description: |
Unzip has a race condition vulnerability in the handling of output files.
During file unpacking, a local attacker can modify the permissions
of arbitrary files in the victim's directory.
Comments (none posted)
up-imapproxy: format string vulnerabilities
| Package(s): | up-imapproxy |
| CVE #(s): | CAN-2005-2661 |
| Created: | October 10, 2005 |
| Updated: | March 7, 2006 |
| Description: |
up-imapproxy contains two format string vulnerabilities which could be
exploited to execute arbitrary code.
Comments (none posted)
util-linux: unintentional grant of privileges by umount
| Package(s): | util-linux |
| CVE #(s): | CAN-2005-2876 |
| Created: | September 13, 2005 |
| Updated: | December 19, 2005 |
| Description: |
The Linux umount command, as provided in the util-linux package in
versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2, grants root privileges.
See this BugTraq post for more information.
Comments (none posted)
uw-imap: buffer overflow
| Package(s): | uw-imap |
| CVE #(s): | CAN-2005-2933 |
| Created: | October 11, 2005 |
| Updated: | April 10, 2006 |
| Description: |
"infamous41md" discovered a buffer overflow in uw-imap, the University
of Washington's IMAP Server, that allows attackers to execute arbitrary
code.
Comments (none posted)
vixie-cron: crontab allows any user to read other users' crontabs
| Package(s): | vixie-cron |
| CVE #(s): | CAN-2005-1038 |
| Created: | April 15, 2005 |
| Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal (which is disabled by default) and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Comments (none posted)
xine-lib: arbitrary code execution
| Package(s): | xine-lib |
| CVE #(s): | CAN-2005-2967 |
| Created: | October 10, 2005 |
| Updated: | October 12, 2005 |
| Description: |
Ulf Harnhammar discovered a format string vulnerability in the CDDB
module's cache file handling in the Xine library, which is used by packages
such as xine-ui, totem-xine, and gxine. By tricking a user into playing a
particular audio CD which has a specially-crafted CDDB entry, a remote
attacker could exploit this vulnerability to execute arbitrary code with
the privileges of the user running the application. Since CDDB servers
usually allow anybody to add and modify information, this exploit does not
even require a particular CDDB server to be selected.
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle
parsing and DVD sub-picture decoder code.
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script shipped in the package, intended to help remedy
a problem or report a bug, does not create its temporary files in a secure
fashion. This could allow a local attacker to overwrite files with the
privileges of the user invoking xine.
Alerts:
Comments (none posted)
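The vixie-cron and xine-ui entries above are two instances of the same
class of local bug: a program trusts a path name in a directory another
user can write to, so an attacker who can predict that name plants a
symlink there first and the program's read or write goes wherever the
link points. The C program below is an added example, not code from
either package or from the original advisories. It stages the attack in a
private scratch directory with constructed file names (a "victim" file and
a "tool.tmp" name standing in for the predictable temporary file), shows
that open() with O_CREAT but without O_EXCL writes straight through the
planted link, and then shows the two fixes a practitioner wants: O_EXCL
(as used by mkstemp()) and an fstat() check on the descriptor actually
opened, which is the same check crontab -e needs on the file it reads
back after the editor exits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure writer: O_CREAT without O_EXCL follows a symlink that is
 * already sitting at the path, so the data lands in the attacker's target. */
int insecure_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Fix one: mkstemp() opens with O_CREAT|O_EXCL and an unpredictable name
 * (template must end in XXXXXX; it is overwritten with the chosen name).
 * Fix two: verify the object opened, not the path name: a regular file,
 * one link, owned by us.  crontab -e needs the same fstat() check on the
 * file it reads back after the editor exits. */
int create_temp_securely(char *template)
{
    struct stat st;
    int fd = mkstemp(template);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != getuid()) {
        close(fd); unlink(template); errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read a small file into buf without following symlinks; -1 on error. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Stage the attack in a private scratch directory (mode 0700, so the
 * sticky-/tmp symlink restrictions of newer kernels do not interfere).
 * Returns 0 if setup worked; the out-parameters record each outcome. */
int run_scenario(int *victim_clobbered, int *excl_refused, int *secure_ok)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(dir)) {                       /* fall back to the cwd */
        strcpy(dir, "symlink-demo-XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    char victim[64], predictable[64], tmpl[64], buf[32];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predictable, sizeof predictable, "%s/tool.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/tool.XXXXXX", dir);
    /* The victim file, then the attacker's pre-planted symlink at the
     * name the vulnerable tool is known to use (constructed names). */
    if (insecure_write(victim, "original") != 0 ||
        symlink(victim, predictable) != 0) return -1;
    /* The vulnerable tool writes its "temporary" file through the link. */
    insecure_write(predictable, "clobbered");
    *victim_clobbered = slurp(victim, buf, sizeof buf) > 0 &&
                        strcmp(buf, "clobbered") == 0;
    /* O_EXCL refuses the planted symlink (even a dangling one) with EEXIST. */
    int fd = open(predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
    *excl_refused = fd < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    /* mkstemp()+fstat() yields a file nobody could have pre-planted. */
    fd = create_temp_securely(tmpl);
    *secure_ok = fd >= 0;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    unlink(predictable); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    int clobbered = 0, refused = 0, ok = 0;
    if (run_scenario(&clobbered, &refused, &ok) != 0) { perror("setup"); return 1; }
    printf("O_CREAT without O_EXCL followed the symlink: %s\n", clobbered ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the planted symlink:  %s\n", refused ? "yes" : "no");
    printf("mkstemp()+fstat() gave a verified file:      %s\n", ok ? "yes" : "no");
    return 0;
}
```

The scratch directory is created with mode 0700 on purpose: modern kernels
refuse to follow symlinks in world-writable sticky directories such as /tmp
when the link owner differs from the follower, so a demonstration placed
directly in /tmp would appear to be "fixed" by the kernel rather than by
the code. The fstat() check matters even after mkstemp(): it is what turns
"I opened the name I expected" into "I am holding the object I expected".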
xloadimage: buffer overflows
Package(s): xloadimage
CVE #(s): CAN-2005-3178
Created: October 10, 2005
Updated: May 15, 2006
Description:
Three buffer overflows were discovered in xloadimage when handling the
image title name. A malicious user can construct a NIFF file that, when
viewed and processed (with either zoom, reduce or rotate) by xloadimage,
will cause the program to overwrite the return address and execute
arbitrary code.
Alerts:
Comments (none posted)
xorg-x11: heap overflow
Package(s): xorg-x11
CVE #(s): CAN-2005-2495
Created: September 12, 2005
Updated: March 8, 2006
Description:
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow, which leads to a heap overflow; a local
user can use this to execute arbitrary code with elevated privileges.
Alerts:
Comments (none posted)
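The integer overflow class behind the xorg-x11 entry above, as an added
example in C that is not X.Org code: a pixmap's byte count is width times
height times bytes per pixel; computed in 32-bit arithmetic without a
check, a large request wraps to a small number, the allocator hands back a
buffer far smaller than the pixel data that is later written into it, and
the result is the heap overflow named in the title. The checked version
refuses any product that would wrap. The 256 MiB policy ceiling and the
pixmap structure are assumptions made for this example.

```c
/* Added example, not X.Org code: the arithmetic behind a pixmap allocation
 * and why an unchecked width*height*bpp product is dangerous.  Sizes are
 * computed in 32 bits to mirror a 32-bit size field. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy ceiling for a single pixmap (an assumption for this example). */
#define PIXMAP_MAX_BYTES (256u * 1024u * 1024u)

/* Unchecked: unsigned multiplication wraps modulo 2^32, so a huge request
 * can yield a tiny, even zero, byte count that malloc() happily honours. */
uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: returns 0 and stores the size only if both products fit in
 * 32 bits and the result is within the policy limit; otherwise -1. */
int pixmap_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > UINT32_MAX / height)      /* width * height would wrap */
        return -1;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bpp)          /* area * bpp would wrap */
        return -1;
    uint32_t bytes = area * bpp;
    if (bytes > PIXMAP_MAX_BYTES)
        return -1;
    *out = bytes;
    return 0;
}

/* A toy pixmap whose recorded size must always agree with its dimensions. */
struct pixmap {
    uint32_t width, height, bpp, size;
    unsigned char *data;
};

/* Allocate through the checked computation: NULL on overflow or allocation
 * failure, so no caller ever holds a buffer smaller than its pixel data. */
struct pixmap *pixmap_create(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes;
    if (pixmap_bytes_checked(width, height, bpp, &bytes) != 0)
        return NULL;
    struct pixmap *p = calloc(1, sizeof *p);
    if (!p)
        return NULL;
    p->data = malloc(bytes);
    if (!p->data) {
        free(p);
        return NULL;
    }
    p->width = width;
    p->height = height;
    p->bpp = bpp;
    p->size = bytes;
    return p;
}

void pixmap_destroy(struct pixmap *p)
{
    if (p) {
        free(p->data);
        free(p);
    }
}

int main(void)
{
    uint32_t bytes = 0;
    /* 65536 * 65536 is exactly 2^32, so the unchecked product wraps to 0. */
    printf("unchecked 65536x65536x4: %u bytes\n",
           pixmap_bytes_unchecked(65536, 65536, 4));
    printf("checked   65536x65536x4: %s\n",
           pixmap_bytes_checked(65536, 65536, 4, &bytes) == 0 ? "ok" : "rejected");
    struct pixmap *p = pixmap_create(640, 480, 4);
    printf("640x480x4: %u bytes allocated\n", p ? p->size : 0);
    pixmap_destroy(p);
    return 0;
}
```

The division-based checks are portable C89; on compilers that provide it,
__builtin_mul_overflow() expresses the same test in one call. The policy
ceiling is a separate line of defence: a product that fits in 32 bits can
still be large enough to exhaust memory, which is a denial of service
rather than code execution but is worth refusing for the same reason.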
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for
details.
Alerts:
Comments (1 posted)
xpdf: denial of service
Package(s): xpdf kpdf
CVE #(s): CAN-2005-2097
Created: August 9, 2005
Updated: August 2, 2006
Description:
A flaw was discovered in Xpdf that could allow an attacker to construct a
carefully crafted PDF file which causes Xpdf to consume all available disk
space in /tmp when opened.
Alerts:
Comments (none posted)
zlib: buffer overflow
Package(s): zlib
CVE #(s): CAN-2005-2096
Created: July 6, 2005
Updated: October 27, 2005
Description:
zlib has a buffer overflow that can be triggered by inflating a corrupted
compressed stream. Since a great many programs link against zlib, this can
be used to crash those programs or possibly to execute code remotely.
Alerts:
Comments (6 posted)
zlib: buffer overflow
Package(s): zlib
CVE #(s): CAN-2005-1849
Created: July 21, 2005
Updated: April 11, 2006
Description:
zlib has a vulnerability that can cause an application using it to crash
when a corrupted compressed file is opened.
Alerts:
Comments (none posted)
Resources
Version v2.5 of the Metasploit Framework is out. This release now has three user interfaces, 105 exploits, and 75 different payloads; click below for the full release announcement.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.14-rc4. The final 2.6.14
kernel was supposed to be out by now, but, as of this writing, it has not
been released. Once the swiotlb problem (see below) has been worked out,
2.6.14 should follow shortly.
The current -mm tree is 2.6.14-rc4-mm1. Recent changes
to -mm include a fair number of VM scalability patches, the nested class
devices patch set (see below), a big x86-64 update, the removal of the
PageReserved() flag, the swap prefetching patches, some
kernel keyring enhancements, the error detection and correction patch set,
a RAID update, and lots of fixes.
Comments (none posted)
Kernel development news
I'm with Roman on this one - the old "show me the code" trick which
people use to quash other people's objections is rather poor form -
we should simply address the objections as raised.
--
Andrew Morton
Comments (none posted)
For those wanting to know more about how the 2.6 virtual memory subsystem
works: Rik van Riel has put together
a detailed article on how
page faults are handled on the i386 architecture. This document is
apparently the first of many, all of which should show up on the
Linux MM Internals page.
Comments (none posted)
Linus was set on releasing the 2.6.14 kernel on October 17, when a
little issue came up. Serge Belyshev
discovered that it is easy to cause the system
to stop opening files for user-space applications. He posted a program
which, in essence, does the following:
#include <fcntl.h>
#include <unistd.h>

/* Open and immediately close the same file, forever. */
while (1) {
    int fd = open("/dev/null", O_RDONLY);
    close(fd);
}
After some 50,000 iterations, the open fails with a "too many open files in
system" message. This behavior can be problematic in more realistic
situations; it evidently can cause highly-parallel kernel builds to fail,
and it also exposes the system to local denial of service attacks. So it
is worth tracking down.
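As an added example (not Serge Belyshev's program, which is not reproduced
here, and not kernel code), the following is a bounded version of that
loop that reports which error open() returns and after how many cycles,
and reads /proc/sys/fs/file-nr, the kernel's count of allocated file
handles, before and after the run so one can see whether the structures
of closed files are being released. The iteration count is a command-line
argument; the default of 100,000 is an assumption chosen to exceed the
roughly 50,000 cited above.

```c
/* Added example, not Serge Belyshev's program and not kernel code: a
 * bounded open/close churn loop that reports the first open() failure,
 * plus a reader for /proc/sys/fs/file-nr so the kernel's count of
 * allocated file handles can be compared before and after the run. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open and close /dev/null up to `iterations` times.  Returns 0 if every
 * open() succeeded, otherwise the errno of the first failure; ENFILE is
 * the "too many open files in system" case described above.  *done
 * receives the number of completed cycles. */
int churn_fds(long iterations, long *done)
{
    long i;
    for (i = 0; i < iterations; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) {
            int saved = errno;
            *done = i;
            return saved;
        }
        close(fd);
    }
    *done = i;
    return 0;
}

/* Read /proc/sys/fs/file-nr: allocated handles, unused handles (always 0
 * on 2.6 kernels) and the system-wide maximum (fs.file-max).  Returns 0
 * on success, -1 if the file cannot be read or parsed. */
int read_file_nr(long *allocated, long *max)
{
    long unused;
    FILE *f = fopen("/proc/sys/fs/file-nr", "r");
    if (!f)
        return -1;
    int n = fscanf(f, "%ld %ld %ld", allocated, &unused, max);
    fclose(f);
    return n == 3 ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Default of 100,000 cycles (an assumption) exceeds the ~50,000 at
     * which the -rc4 kernel reportedly ran out of file structures. */
    long iterations = argc > 1 ? atol(argv[1]) : 100000;
    long before = 0, after = 0, max = 0, done = 0;

    if (read_file_nr(&before, &max) == 0)
        printf("file-nr before: %ld allocated, file-max %ld\n", before, max);

    int err = churn_fds(iterations, &done);
    if (err)
        printf("open() failed after %ld cycles: %s\n", done, strerror(err));
    else
        printf("%ld open/close cycles completed without error\n", done);

    if (read_file_nr(&after, &max) == 0)
        printf("file-nr after: %ld allocated (delta %+ld)\n", after, after - before);
    return err ? 1 : 0;
}
```

On a kernel with the behaviour described here, the allocated count climbs
with every cycle and open() eventually fails with ENFILE; on a kernel that
processes the RCU callbacks in time, the delta stays near zero. No special
privilege is needed, because the limit being hit is the system-wide one,
which is exactly why the bug is a local denial of service rather than a
per-process nuisance.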
The kernel places a limit on the number of files which are allowed to be
open simultaneously. That limit is not normally expected to include files
which have been closed, however. The problem, as it turns out, is a
virtual filesystem scalability patch which was merged in September.
That patch eliminates some locking around file structures in the
kernel, and, to that end, defers certain tasks (such as file cleanup) to
the read-copy-update
mechanism. For this particular case, file
structures corresponding to closed files are building up in the RCU
callback list, and RCU is not getting around to freeing them in time.
Initially, it was thought that the culprit was another patch which put a
limit on the processing of the RCU callback lists. Those lists can get
quite long, and lengthy callback processing was causing latency problems
elsewhere in the kernel. So a "batch size" of ten was imposed; after ten
callbacks have been processed, the RCU subsystem defers the rest until
later. It seemed that this limit was causing the freeing of file
structures to languish. Raising the batch limit to 10,000 seemed to
improve the situation, so Linus merged a patch to that effect.
But, in fact, the higher batch limit did not solve the problem for real.
RCU callbacks cannot be called immediately after being queued. They must,
instead, wait until every processor on the system has scheduled at least
once. This "quiescence" requirement is the kernel's way of ensuring that no
references to the freed structure remain; it's a key part of how RCU
works. If a process chews through file structures quickly enough,
they will accumulate while the kernel waits for the grace period to run
out, and no changes to the batch limits will help. The only way to be able
to process those callbacks - and free the associated structures - is to
force every processor to schedule.
A couple of patches have been posted in an attempt to deal with this
problem. One of them simply changes the way file structures are
accounted for - they are removed from the count of open files when the RCU
callback is queued, rather than when it is executed. This patch stops
programs from running into the maximum open file limit, but does nothing to
stop the growth of the RCU callback queues. So the patch which got merged,
instead, is this one from Eric Dumazet,
which keeps track of the length of the callback list. Should the list get
to be too long (where "too long" is wired at 10,000 entries), a reschedule
is forced so that the callbacks can be processed. This patch appears to
have dealt with the problem well enough to allow 2.6.14 to come out, though
more refinement may be required afterward.
Unfortunately for those who are waiting for 2.6.14, another problem turned
up. Some 64-bit architectures which
lack I/O memory management units must be very careful in setting up DMA
areas. A number of devices can only reliably deal with 32-bit DMA
addresses, so DMA areas must be allocated in the lower part of memory. To
that end, the x86-64 and ia64 architectures use a mechanism called the
"software I/O translation buffer", or swiotlb. It is simply a large chunk
of low memory, allocated at boot time, which is used as a bounce buffer for
DMA operations involving 64-bit-challenged devices.
It was noted that the 2.6.14-rc4 kernel can
allocate the swiotlb area in high memory, which defeats the entire
purpose. This revelation led to a long discussion of how swiotlb memory
should be allocated. It turns out that there is no easy way of finding the
low memory on the system. Once upon a time, that memory would belong to
CPU 0, but on some contemporary NUMA
systems, the low memory might be elsewhere. So the real solution
appears to be to iterate through all CPUs on the system, try to allocate from
each of them, and test to see if the resulting memory is within the DMAable
range. If not, the memory is freed and the next processor is tried. A
couple of patches implementing this approach are circulating; none has been
merged as of this writing.
Comments (3 posted)
Two weeks ago, this page
looked
at nested classes in sysfs as a way of representing the input subsystem
device hierarchy to user space. This week, Greg Kroah-Hartman posted
a set of patches with the latest
version of
class_device nesting; the selling feature this time
around was that the patches "actually work." With this patch set, it is
possible to create a hierarchy under
/sys/class which represents
the known input devices on the system and their relationship to the actual
system hardware. Greg also notes that this patch set makes possible the
long-anticipated move of
/sys/block into the class hierarchy.
So all would seem to be well in sysfs land. But Greg finished his
announcement with the following:
Oh, one final thing. I really don't think that input should be a
class. It looks like a "bus" and acts like a "bus" (you have
different devices that have different drivers bind to them, and you
want to load those drivers with the hotplug mechanism.)
This note opened the floodgates to a wider discussion; it seems that a
number of people are not entirely happy with the /sys/class
hierarchy. Udev hacker Kay Sievers complained:
The nesting classes implement a fraction of a device hierarchy in
/sys/class. It moves arbitrary relation information into the class
directory, where nothing else than device classification belongs.
What is the rationale behind sticking device trees into class?
What seems to have happened here is that a number of devices, mostly of the
virtual variety, have found their home in the class hierarchy rather than
with the other devices. As a result, the class tree has grown more
complicated, and it has moved away from its original purpose, which was to
be a way of grouping devices which share the same interface and function.
So Kay (among others) has proposed that much of what is currently in the
class tree be moved over to /sys/devices with the rest of the
device information. The idea is that user space does not really care about
the distinction between "real" and "virtual" devices, and the kernel
interface should not either.
Greg, who holds a big vote on device model issues, has responded thusly:
Ok, I've spent a while thinking about this proposal and originally
I thought it was the same thing we had heard years ago. But I was
wrong, moving the class stuff into the device tree is the right
thing to do, as long as we keep them as new "things" in the tree...
So it would seem that big changes are in store for the Linux device model.
This code has grown and evolved considerably since its introduction in 2.5;
it may be time for a big rework. Actually changing things without causing
major pain for users could be a bit of a challenge, however. It will have
to be approached carefully.
The plan under consideration for now is to simply try to solve the input
subsystem problem for 2.6.15. That most likely involves the nested
class_device patches, perhaps with some changes to avoid breaking
things in user space (and udev in particular). Things look more
ambitious in the longer term:
Then, we move the class stuff into real devices. There was always
a lot of duplication with the class and device code, and this shows
that there is a commonality there. At the same time, I'll work on
making the attribute stuff easier and possibly merge the kobject
and device structures together a bit (possibly I said, I don't know
quite how much yet...)
The end result is that there is likely to be some significant churn in the
device model code in the coming months. There will almost certainly be
consequences for the driver API, and for user space as well. If it all
works out, however, we should end up with a device model which is easier to
understand and work with in both kernel and user space.
Comments (8 posted)
LWN
looked at the ktimers
patch about one month ago. Work continues on the new kernel timer
mechanism; the
latest version
of the patch includes a new "clockevents" abstraction intended to make
high-resolution timer support easier to implement in an
architecture-independent way. The patch appears to be coming together
well, and there has been little in the way of criticism.
...with the exception of one observer, who has kept up a steady stream of
complaints about the new mechanism. His objections include the name (he
would rather see "process timers" than "ktimers"), the use of
high-resolution time within the kernel, and various "unnecessary
complexities." The discussion has been mostly unfruitful, to the point that
the normally even-keeled Ingo Molnar tried to end it with a shut up and show me the code challenge. That
led Andrew Morton to state that "show me the code" is no longer an
acceptable arguing point for kernel discussions, and that the objections
should be addressed regardless.
Getting a handle on the objections has proved hard; it is not clear that
the person in question (Roman Zippel) truly understands the patches. One
bit of the
discussion is worth a look, however. It has been repeatedly pointed out
that the existing kernel timer mechanism is optimized for timeouts which
rarely actually expire, while ktimers are expected to expire.
Roman claimed:
Whether the timer event is delivered or not is completely
unimportant, as at some point the event has to be removed anyway,
so that optimizing a timer for (non)delivery is complete nonsense.
This claim led to a required-reading response
from Ingo on the history of the kernel timer mechanism and why
optimizing for delivery (or the lack thereof) is not nonsense. That
particular branch of
the discussion, at least, should not need to go much further.
Andrew Morton has, in the past, stated that he would be highly reluctant to
merge new code over the objections of a developer. The need to address all
objections can be highly frustrating to kernel hackers, especially when new
complaints seem to keep turning up as the old ones are resolved. The
result of this process, when it works well, can be a stronger kernel. But
it can also be the delaying of useful
code which few people have problems with. It is starting to look like that
may be the outcome in the ktimers case; the code will almost certainly be
merged in the end, perhaps with almost no changes resulting from the
current discussion.
Comments (none posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
I have to admit that I have never been a big fan of SUSE Linux. With the
boxed sets not available in my part of the world, coupled with prohibitive
international shipping costs in online stores, the only option for
obtaining SUSE Linux, until recently, was to wait patiently for the
distribution's RPM package tree to appear on its servers and perform a
remote FTP install. This usually happened 2 - 3 months after the official
product release, by which time other distributions might have released
newer versions with more up-to-date packages and perhaps more exciting
features.
After SUSE was acquired by Novell, things began to change. Version 9.1 was
the first SUSE Linux release that was made available in the form of a
downloadable single-CD ISO image - an equivalent of SUSE's "Personal"
edition. Novell became even more generous with the next two releases as
both versions 9.2 and 9.3 appeared on its servers as five CD images and one
DVD image, which effectively represented SUSE's Professional edition
without the commercial applications and support. Finally, in August 2005,
Novell opened SUSE Linux to public participation in its beta testing
program and the ISO images of SUSE Linux 10.0 were released for free
download as soon as the boxed products were ready to ship.
For many Linux hobbyists and enthusiasts, participating in a distribution's
beta program, reporting bugs, and exchanging information with the
developers on a mailing list is one of the key reasons for choosing a
distribution. Excited by the prospect of joining the testing process, I
rushed to download the first beta of SUSE 10.0 as soon as it was announced,
updating it after each new beta and release candidate. The newly created
openSUSE mailing lists quickly gained a large number of subscribers as
other SUSE enthusiasts discovered the joy of helping a project to fix the
bugs and produce the best possible release. Overnight, SUSE Linux became an
open project where the developers and testers were having "a lot of fun"
building a great distribution.
Finally, the long awaited October 6th arrived and SUSE Linux 10.0 final was
released to public mirrors. The resulting rush utterly surprised the SUSE
release team which, until then, had little experience with making large
files available for public download. The main SUSE server, which also
hosted BitTorrent files, was virtually inaccessible for several days,
preventing legitimate mirrors from synchronizing with the main server in
order to take some of the load away.
There was also some confusion over all the different editions of SUSE Linux
10.0. Although both the "OSS" and "GM" (GoldMaster) editions are free to
download, the "OSS" edition contains Free Software only, while the "GM"
edition includes some freely distributable but proprietary applications,
such as Acrobat Reader or RealPlayer. Furthermore, the retail edition ships
with additional commercial applications, as well as a printed manual and
installation support. A 1 GB "LiveDVD" edition, also available for free
download, is meant for those who wish to evaluate the product or test
hardware compatibility. The "OSS" edition (distributed as five CD images)
supports x86, x86_64 and PowerPC architectures, while the "GM" edition
(distributed as five CD images or one DVD image) only supports the x86 and
x86_64 processors.
SUSE Linux 10.0 is not a revolutionary release. Instead, it seems like a
transitional product from a closed-door SUSE to an open project similar to
Fedora Core. As such, the initial release was probably a testing ground for
all the new bug reporting and information exchange infrastructure. That
said, SUSE 10.0 does ship the latest versions of most applications; in
fact, the GNOME 2.12 packages were included in SUSE just one day before the
final release candidate went public - this might give us an indication of
how cutting edge SUSE 10.0 really is. Several new applications, such as the
amaroK media player, Krita painting program, Mozilla Sunbird calendar
application, and Novell iFolder file synchronization tool were also added.
The new SUSE now ships with AppArmor Lite (included as a YaST module), Novell's
answer to the SELinux mandatory access control shipped by Red Hat, and a piece
of technology Novell acquired earlier this year from Immunix.
Early reviews of SUSE 10.0 indicate general satisfaction with the product.
The installer is slightly simplified to hide some of the "expert" options
while the latest version of the KDE desktop looks better than ever. Some
issues remain, however. Multimedia playback of many popular audio and video
formats is not included, so further downloads and tweaking are required to
set these up. Some users have also complained about the lack of integration
of PDF and other plugins into Firefox. The distribution also contains newer
versions of the Beagle desktop search engine and Xen virtualization
technology, but because they are not considered mature enough, they are not
part of the default install. Wireless networking also remains a problem
area for many users. And the ever-present complaint about the sluggishness
of YaST is still valid - although well-designed and very useful, especially
for Linux newcomers, the time it takes to complete certain tasks can test
your patience, even on a reasonably powerful computer.
With SUSE 10.0 behind us, openSUSE's true direction should manifest itself
more clearly in the next release - version 10.1, scheduled for early March
2006. It will go through the full cycle of four alpha (the second of which
is expected this week, complete with the latest beta of KDE 3.5) and four
beta releases, before one last release candidate. This is where the
openSUSE project is likely to start fulfilling its promise to build a
product that can be deployed and enjoyed by any computer user, not just the
venerable "Linux enthusiast". From this perspective, SUSE 10.0 represents
little more than an open continuum of SUSE's 9.x releases. The upcoming
SUSE 10.1, however, might be an altogether different product.
Comments (2 posted)
New Releases
Mandriva
has announced the release of Mandriva Linux 2006.
"
Mandriva 2006 is the only Linux distribution to provide the official
support for Intel Centrino mobile technology and to offer a
complete integration of Skype, the popular free voice calling
over Internet software. Other key features include desktop search,
interactive firewall and auto-install server functionality."
Full Story (comments: 2)
The Ubuntu 5.10 "Breezy Badger" release is out.
The announcement has download information and
a list of new features; these include a thin client mode, integration with
Launchpad.net, and all the latest new software.
Kubuntu 5.10, the KDE-based version of the
distribution, is also available as is the classroom version,
Edubuntu 5.10.
Comments (none posted)
Yet another variant of Ubuntu 5.10 has been released. The new server
edition features a different kernel, a different package mix, no desktop
environment, and "
safe and text-oriented boot mode for better clarity and
infinite justice on boot." Click below for the full announcement.
Full Story (comments: 4)
The Ubuntu Porting Team has announced the release of Breezy Badger for
three new architectures, IA64, HPPA (1.1 and later) and SPARC (UltraSPARC
only). "
The Porting Team was born about a year ago, and it's made up
only of volunteers, motivated by love for Ubuntu and uncommon hardware.
Hence the criteria for ports architectures are more about what those
individuals decide than any rational decision making process. None of
these new architectures are officially supported by the Ubuntu team. If we
can get a large enough user base, we may be able to change that."
Full Story (comments: none)
Source Mage has
announced
the release of the 0.9.5 stable ISO image.
There's not much to say that hasn't already been said. I've personally
installed 3 or 4 systems that are getting good use on this ISO. But if
you've missed out on the other emails, 0.9.5 features:
* A new completely revamped installer
* significantly newer versions of spells
* Was generated using a repeatable system (this is a big feat)
* Is extremely cool!
Comments (none posted)
OpenPKG 2.5 is out; the biggest change this time around appears to be the
transition to gcc 4.0. Click below for the full release announcement.
Full Story (comments: none)
Distribution News
If you are closing bugs in the Debian BTS, there are three simple rules
that you can follow to make sure that the BTS always has correct
information about what version of your package fixes a bug (especially a
security hole). Click below for details.
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for October 18, 2005 is out. In this edition, a
review of Elive 0.3, the m68k port and etch, Debian installer beta
preparation, the GNOME 1 transition, installing Debian Sarge, list message
ID lookup, Debian OpenSolaris, and more.
Full Story (comments: none)
The
Fedora
Weekly News has articles on FUDCon3 Presentations, How to check Hotmail
with KMail, How to setup disk software mirroring, Linux (Fedora) stars in
MS movie?, Fedora CD Labels, How much space?, and other topics.
Comments (none posted)
The
Gentoo
Weekly Newsletter for the week of October 17, 2005 covers the release of
a new USE flag editor, the introduction of subforums, and several other
topics.
Comments (none posted)
DistroWatch
Weekly for October 17, 2005 is out. "
The timely release of
Ubuntu Linux 5.10 and its sister distributions last Thursday was the event
of the week - this issue naturally starts with a closer look at "Breezy
Badger". We'll also investigate wireless network configuration on SUSE
Linux 10.0, feature the unusual, Slackware-inspired Kate OS distribution,
and ask why the otherwise Linux-friendly Google has expended so little
effort to make Google Earth available on our preferred operating
system."
Comments (none posted)
Package updates
Fedora Core 4 updates:
lftp
(upgrade to upstream version 3.2.1),
wget
(update to 1.10.2),
selinux-policy-targeted
(fixes for bluetooth and hal),
selinux-policy-strict (fixes for bluetooth and
hal),
dhcp (bug fixes).
Comments (none posted)
Mandriva has updated shorewall packages for Multi Network Firewall 2.0.
Full Story (comments: none)
Newsletters and articles of interest
eWeek
looks into
Linspire's licensing program for schools. "
"We put our students
in a room with Linspire, just to see how they would adapt after using
Microsoft Windows," said Scott Back, Technology Coordinator for Shelby
Eastern Schools, outside Indianapolis, Ind. "Guess what? They figured it
out right away without any training or special help.""
Comments (none posted)
Red Herring
covers
the release of Ubuntu's Breezy Badger. "
The new release, Ubuntu
5.10, also features Edubuntu, a specialized version of Ubuntu developed for
and in collaboration with educators. Edubuntu is designed for deployment in
classrooms. Edubuntu is currently being used at Yorktown High School in
Arlington, Virginia, where it has been championed by Jeff Elkner, a
computer science teacher at the school. Mr. Elkner is one of the developers
of Edubuntu."
Comments (none posted)
Distribution reviews
Robert Storey has written a
review of
Ubuntu, on DistroWatch. "
I must confess that I was caught off
guard by the overnight success of Ubuntu, and thus neglected to review it
(or even download it) when it first arrived on the servers. However, it's
just as well that I didn't bother, because for the past year, not a week
has gone by without somebody writing an Ubuntu review and posting it to one
(or all) of the popular geek web sites. Indeed, it's become something of a
joke that the only things you can't avoid in life are death, taxes and
Ubuntu reviews."
Comments (none posted)
TuxMachines.org
reviews
Mandriva Linux 2006. "
All in all, as I've followed the
development of Mandriva 2006, one thing has become clear. Mandriva is ever
improving and it is reflected in this new more polished stable operating
system. Featured here is only a taste. Throughout the entire development
cycle I experienced very few applications crashes and never a major X
server crash or system lock up. The compromises between bleeding-edge and
stable applications has paid off tremendously for Mandriva."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
Java Parallel Processing Framework (JPPF) is a cross-platform
GPL-licensed tool set for controlling the execution of CPU-intensive
tasks across multiple execution nodes. JPPF is intended to be used in the
scientific data processing field.
Java Parallel Processing Framework is a set of tools and APIs to facilitate the parallelization of CPU intensive applications, and distribute their execution over a network of heterogeneous nodes.
It is intended to run in clusters and grids.
A brief feature list of JPPF includes:
- API support for delegation of parallelized tasks to local and remote nodes.
- User interface tools for task administration and monitoring functions.
- Java Swing-based user interface.
- Real-time adaptive load balancing.
- Scalable to an arbitrary number of nodes.
- Fail-over and recovery support.
- Limited code intrusiveness.
- Runs on Linux and several Windows variants.
The
architecture document gives a top-level overview of the
system's design.
The
user's manual shows how to set up and fine tune JPPF for solving
an example matrix multiplication problem.
The JPPF
API documentation details the underlying code, and the
screenshots page shows the software in action.
The initial JPPF beta release, version 0.6.0,
has been announced.
"This release is the first beta version of the Java Parallel Processing Framework. From now on, all the work will be dedicated to testing, bug fixing, and documentation fixing, until it is deemed "stable".
There will be intermediate beta, then release candidate, release, so don't lose hope."
The release features a complete user guide, a new matrix
multiplication example, bug fixes and documentation improvements.
JPPF is available for download
here.
Dependencies include Java 2 Platform, Standard Edition (J2SE) 5.0
and Apache Ant 1.6.2 or newer. See the
readme document for installation details.
Comments (none posted)
System Applications
Database Software
The October 16, 2005 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL database articles.
Full Story (comments: none)
Version 3.5.6 of
phpPgAdmin,
a web-based administration tool for PostgreSQL,
has been announced.
"
This release fixes the serious problems that phpPgAdmin had under PHP 4.4.0 with strict references."
Comments (none posted)
Version 3.2.10 final of ZODB, the Zope Object Database, is out.
"
ZODB 3.2.10 contains a few bugfixes relative to 3.2.9, all in obscure error
cases. The most serious is a workaround for what appears to be a rare race
bug in Microsoft's implementation of socket binding on Windows platforms."
Full Story (comments: none)
Version 3.4.2 final of ZODB, the Zope Object Database, is out.
"
ZODB 3.4.2 mostly contains obscure error-case bugfixes relative to 3.4.1.
One important fix: most applications that do subtransaction commits do so
to reduce RAM consumed by the ZODB memory ("pickle") cache. When
subtransactions were reimplemented on top of savepoints, this cache
reduction no longer occurred. That was an oversight, and is repaired in
3.4.2."
Full Story (comments: none)
Interoperability
Version 3.0.20b of Samba has been released.
"
This is the latest stable release of Samba. This is the version
that production Samba servers should be running for all current
bug-fixes."
Full Story (comments: none)
Version 3.0.21 pre 1 of Samba has been released.
It includes several bug fixes and some improved compatibility
features.
Full Story (comments: none)
Mail Software
Stable version 3.6.0 of
DSPAM,
a scalable, open-source statistical anti-spam filter, is out.
See the
release notes for change information.
Comments (none posted)
Telecom
Harald Welte and others have been
busily hacking on the Motorola A780, a Linux-powered cell phone. They have now launched the
OpenEZX project as the focal point for the effort to create a 100% free software stack for phones based on the Motorola EZX platform. If this project succeeds, it will lead to a new level of open communications platforms.
Comments (9 posted)
Web Site Development
Version 1.3.34 of the Apache web server is out.
"
This version of Apache is principally a bug and security fix
release."
Full Story (comments: none)
Apache 2.0.55 is out; click below for the full announcement. This is a
bugfix release, and, in particular, it contains fixes for several security
problems. If you're running your own build of Apache, you probably want
this release.
Full Story (comments: none)
Version 2.3.2 of Campsite, an open-source multilingual content
management system (CMS), is out.
"
Version 2.3.2 is a maintenance release."
Full Story (comments: none)
Julio M. Merino Vidal
introduces thttpd on O'Reilly.
"
The Apache HTTP Server is the most popular web server due to its functionality, stability, and maturity. However, this does not make it suitable for all uses: slow machines and embedded systems may have serious problems running it because of its size. Here is where lightweight HTTP servers come into play, as their low-memory footprints deliver decent results without having to swap data back to disk."
Comments (none posted)
Eric T. Peterson
introduces Web Analytics on O'Reilly.
"
In general terms, web analytics is the process of collecting data about the activities of people accessing your website (visitors)--how they found you, when they visited, what pages they looked at, what they bought or downloaded, and so on--and mining that data for information that can be used to improve said website."
Comments (none posted)
Version 2.8.2 of the Zope web development platform
has been released. Several new features have been added.
Comments (none posted)
Miscellaneous
Version 0.6.5 of PyKeylogger, a keyboard logging application,
is out.
"
This is a bugfix release. Fixed the first-ever reported bug (1323518), logging to onefile. If you report more bugs, more bugs will get fixed."
Comments (none posted)
Desktop Applications
Audio Applications
The
Ardour project, which is producing
a multi-track audio editor, has had a pending 1.0 release for a number
of months. The
project status
indicates a slight change in direction:
"
We have decided to skip version 1.0 and go straight to 2.0 with a basic port to GTK2. Work is already under way, progress is good."
Comments (3 posted)
Version 0.4.5 of
gnormalize,
an audio format converter which can adjust the volume level, is out.
This release adds:
"
The ability to select more than one album or artist by pressing control key and mouse button."
Comments (none posted)
Desktop Environments
An ISO image of Dropline GNOME 2.12.1
is available.
"
This release is an incremental improvement with many bugfixes and refinements over 2.12.0."
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The KDE Project has
announced
the release of KDE 3.5 Beta 2. (Found on
KDE.News)
Comments (none posted)
Version 3.4.3 of KDE
has been announced.
"
This release includes many bugfixes and increased translation coverage compared to previous versions. The 3.4.3 info page has the links to download the source and packages are available for Arch Linux, Kubuntu, Slackware and SuSE. Konstruct is the easy way to build from source."
See the
full announcement for details.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
Electronics
Snapshot 20051012 of Icarus Verilog, an electronic simulation
language compiler,
has been announced.
"
This snapshot includes noticeable improvements in bug count and run
time. Also, I've been using the devel trunk in my day job work for
a while now, so I would say that it is now an improvement over the
stable 0.8 releases."
Comments (none posted)
Version 2.0 Beta 23 of
Logisim is out with bug fixes.
"
Logisim, an extensive Java-based educational tool for graphical design and
simulation of digital logic circuits, has been updated to a new version, 2.0
Beta 23. The new version repairs a significant bug with configuring the
behavior of a small number of built-in components (Constant, Clock), and it
repairs a minor problem with some images in the beginner's tutorial."
Comments (none posted)
Version 0.0.4 beta of
Simted,
a cross-platform engine for modeling electronics with nonlinear ordinary differential equations, is out.
Changes include an improved API, better stability, more
examples, and new documentation.
Comments (none posted)
Version 051009 of SvxLink
has been announced.
"
SvxLink is a repeater controller and a general voice services system with features such as EchoLink and voice mail. For this release a nasty networking bug has been fixed and a voice mail system has been added."
Comments (none posted)
Fonts and Images
Release 0.18 of the Open Clip Art Library, a collection of
images, is out.
"
For the month of September, the Open Clip Art Library sought imagery related
to pets including images of different breeds appropriate for use by animal
shelters.
For the upcoming 0.19 release, due November 1, 2005, the theme is Halloween."
Full Story (comments: none)
Games
Release 1.9.2 of Bygfoot Football Manager
has been announced; changes include bug fixes and some new features.
"
Bygfoot is a small and simple graphical football (a.k.a. soccer) manager game featuring many international leagues & cups. You manage a team from one such league: you form the team, buy & sell players, get promoted or relegated and of course try to be successful."
Comments (none posted)
Version 0.3.3 of Ember
has been released by the WorldForge game project.
"
Ember is a fully functional 3d client for the WorldForge project. It takes advantage of the latest graphic cards to present a beautiful, fully interactive world. An easy to use GUI allows the player to interact with both the world and other players with ease.
This release adds support for the latest Atlas, Eris and Ogre libraries, which brings much increased stability and performance. The GUI and input system has also been further refined, as well as the options available to the user in the ember.conf file."
Comments (none posted)
Version 0.2.4 of MetalMech
is out with new XML locking code and bug fixes.
"
Metal Mech is a Web-based mass multiplayer game of battle between robots and
space exploration. It is a game of strategy, economics, role-playing, and
combat. Each player can handle their own war robot and battle against other
players to be the Emperor of the Universe. Players battle against each other
for resources, energy, money, buildings, and more."
Comments (none posted)
Interoperability
The October 14, 2005 edition of
Wine Traffic is online. Topics include:
LWN Article, Direct3D 7, version 2, Still Image Architecture,
Winelib & Native Apps, and Fixing Bugs.
Comments (none posted)
Mail Clients
Version 7.85 of MH-E, the Emacs interface to the MH mail system,
has been announced.
"
Version 7.85 heralds a migration of the CVS repository from SourceForge
to Savannah only for those files that were already part of Emacs. As a
result, two incompatibilities were introduced with this release: the
location of MH-E in the load-path has changed, and mh-e-autoloads.el was
renamed to mh-autoloads.el."
Full Story (comments: none)
Music Applications
Version 0.9.1 of DSSI, an audio plugin API for software instruments
and effects, is out.
"
This release does _not_ contain any changes to the DSSI API itself,
which has been stable now since the 0.4 release fifteen months ago
(with minor additions at 0.9). Instead, it contains numerous
clarifications to the specification and documentation, and the
included reference host and example programs have become
significantly more robust."
Full Story (comments: none)
Office Suites
Linux Journal is running
part two
of a series on controlling OpenOffice.org.
"
Last time we learned the vocabulary and the concepts. Now we're ready to look
at the code that will let us interact with OOo Calc."
Comments (none posted)
Web Browsers
Preview release 2 of XForms 1.0 for Firefox
has been announced.
"
Aaron Reed writes: "The Mozilla project today released a second preview of
its XForms extension, available as a .xpi and ready to be used to extend the
recently released Beta 2 version of Firefox 1.5. XForms 1.0 is a W3C
recommendation that allows web page authors to take advantage of structured
data and client-side validation when designing forms. XForms is designed to
be embedded in XML documents, such as XHTML 1.0. Mozilla XForms support has
been developed over the last year by IBM, Novell, and independent
contributors.""
Comments (none posted)
Word Processors
Version 2.4.1 of
AbiWord
has been
announced.
"
The AbiWord team is happy to announce AbiWord v2.4.1. Since the 2.4.0
release we have received a lot of great feedback from our users, which
led to a number of useful bugreports as well. This is the first
bugfixing releasing in the new stable 2.4 series to address some of
those bugreports."
Comments (none posted)
Languages and Tools
Caml
The October 18, 2005 edition of the Caml Weekly News is online
with the latest Caml language articles.
Full Story (comments: none)
Haskell
The October 18, 2005
edition of the Haskell
Weekly News is online with the latest Haskell news. Topics
covered this week include several new releases, the future Haskell
standard, Zlib bindings, and a proposal for class aliases.
Comments (none posted)
Java
Sun Microsystems, Inc. has
announced the availability of the Jini Technology Starter Kit v2.1, available under the Apache 2.0 license. "
The Jini Technology Starter Kit enables developers to leverage advanced
Java dynamic networking technology, making it easier for developers to build
competitive applications in technology growth markets such as edge networking,
grid computing, e-business, and enterprise integration."
Comments (6 posted)
Koen Vervloesem
uses Ant for running diagnostics.
"
Determining what's gone wrong with your software--source or binary--in a
remote location is no simple task. Before taking a call and walking the user
through error-prone troubleshooting, why not collect information about the
user's system and the application files?"
Comments (none posted)
Justin Gehtland and Bruce Tate continue their O'Reilly introductory
series on Spring with
part two.
"
In part one of this two-part series dubbed "What Is Spring" (and excerpted from Chapter 1 of Spring: A Developer's Notebook), authors Bruce Tate and Justin Gehtland showed you how to automate a simple application and enable it for Spring. Today, the authors will cover how to use Spring to help you develop a simple, clean, web-based user interface (excerpted from Chapter 2, "Building a User Interface")."
Comments (none posted)
Perl
The October 3-9, 2005 edition of
This Week on perl5-porters is available with a number of
new Perl articles.
Comments (none posted)
PHP
Zend Technologies, Inc. has
announced the launch of the "PHP Collaboration Project," an initiative designed to push PHP-based web applications forward. The project's first two initiatives are "
a Web application framework which will standardize
the way PHP applications are built," and the incorporation of PHP support into Eclipse.
Comments (1 posted)
Python
The October 17, 2005 edition of Dr. Dobb's Python-URL!
is online with the latest new Python articles.
Full Story (comments: none)
Version 161 of DrPython, an editing environment for Python,
has been announced.
"
The buggy debugger was removed for now. Focus is now set in each tab when switching documents. The focus is set to the current document when a program ends. Code for the Save A Copy function was added. SourceBrowser auto-refresh is now saved again. The location of the mode dialog bitmaps was changed."
Comments (none posted)
Version 0.7 of TestOOB
has been released with major feature enhancements.
"
TestOOB (Python Testing Out Of (The) Box) is an advanced unit testing framework for Python. It integrates effortlessly with existing PyUnit (module "unittest") test suites."
Comments (none posted)
Ruby
O'ReillyNet
takes
a look at Ruby on Rails. "
It has been just over a year since the
public debut of Ruby on Rails on July 25, 2004. In this short time, Rails
has progressed from an already impressive version 0.5 to an awe-inspiring,
soon-to-be-released version 1.0 that managed to retain its ease of use and
high productivity while adding a mind-boggling array of new features. This
article introduces the components of the upcoming Ruby on Rails 1.0 and
shows you what the fuss is all about."
Comments (none posted)
Bruce Perens has announced the ModelSecurity project.
"
I've developed /ModelSecurity/, a new Ruby on Rails facility
that helps developers implement a security /defense in depth/ by
implementing access control within the data model."
Full Story (comments: none)
Tcl/Tk
The October 19, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk articles and resources.
Full Story (comments: none)
Debuggers
Version 3 of DWARF, the debugging information format produced by compilers and consumed by debuggers, is up for public review.
"
Version 3 of the DWARF standard builds on the previous
version and includes support for C++ namespaces. It extends
previous support for C, Java, Ada, Fortran and Cobol. There
is improved support for optimized code, which has often
been difficult to debug. Improvements have also been made
to make it easier to eliminate duplicate debugging information."
Full Story (comments: 1)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The Times is running
a column by Gervase Markham on the importance of open formats. "
Paradigm shifts are often preceded by tiny, almost unnoticeable shivers. So you could be forgiven for missing the news that late last month, the government of the Commonwealth of Massachusetts (for historical reasons it does not call itself a state) decided that all the documents its employees create have to be in a data format called OpenDocument.
What makes this more than an obscure bit of United States government administrivia? Well, it could be the trigger for a revolution that will increase consumer choice and ensure the survival of documents that could be of historical importance in the future."
Comments (1 posted)
Forbes
looks
at Eben Moglen and his efforts to open up the radio spectrum.
"
Should the FCC try to crack down, the hackers have a powerful
weapon: The First Amendment. An offshoot of the Free Software Foundation
called GNU Radio is developing a new generation of radios and TV receivers
that use software for just about everything except the antenna and the
power source. The FCC can prohibit manufacturers from selling radios that
transmit on illegal frequencies, but it would have trouble shutting down a
Web site distributing software that does the same thing."
Comments (10 posted)
NewsForge
covers
the formation of the Free Standards Group LSB Desktop Project. "
Jim
Zemlin, executive director of the FSG, said that the Desktop specification
would be an "incremental component on top of the LSB Core." The LSB Core
specification covers standard system libraries, the Filesystem Hierarchy
Standard (FHS), the executable format, standard commands and utilities, and
other components that would be found in a standard Linux system."
Comments (6 posted)
Trade Shows and Conferences
Doc Searls
goes
cruising on the latest Geek Cruise. "
You can think of Geek
Cruises as conferences at a hotel with a hull. You'd be right, mostly. In
fact, they're more like intensive lectures in a subject, given by Masters
at a small Caribbean or Alaskan or Mediterranean or Hawaiian university
that features bars, night clubs, pools, music, a casino and unlimited
quantities of food."
Comments (none posted)
Companies
Hewlett-Packard has signed new
subscription agreements with Novell and Red Hat, according to
this article
on eWeek.
"
"In a nutshell, what this does is take internal Linux usage at HP up a notch. While there are currently more than 15,000 Linux-based systems in use within the company, these are umbrella license agreements for the whole company and allow us to build and deploy internal Linux systems and solutions more easily and more rapidly," Efrain Rovira, HP's worldwide director of Linux marketing in Houston, told eWEEK on Wednesday."
Comments (none posted)
Yahoo.com
reports
that AMD and HCL Infosystems plan to sell a personal computer for less than
10,000 rupees (220 dollars), in India. "
The computer, which uses the
open-source Linux operating system, includes a 1.6 GHz processor, a 15-inch
monitor and 40 gigabytes of hard drive space. "Why is it that every Indian
doesn't have a PC on their list of things to get this Diwali but the
cellphone is there?" said Ajay M. Marathe, president of the Indian arm of
AMD. Diwali, the Indian festival of lights, is traditionally the biggest
shopping season in the country." (Thanks to Philip Webb)
Comments (3 posted)
Linux Adoption
NewsForge
covers
the winners in the Race to Linux. "
Actually, there were three
separate races -- one for each of three different applications. The target
applications were Microsoft's Issue Tracker Kit, Time Tracker Starter Kit,
and Reports Starter Kit. No doubt Microsoft is thrilled about its starter
kits being used to demonstrate methods of running .Net applications on
Linux. Chris Maunder, founder of The Code Project, said that they chose
the Microsoft starter kits because "we wanted applications that weren't too
difficult, that were simple, that were well-written, popular applications,
in the hope that people would be familiar with them in the first
place.""
Comments (none posted)
IT News
reports
that Canara Bank has selected Red Hat Enterprise Linux as its platform of
choice to automate more than 1,000 branches across India. "
Red Hat
Enterprise Linux will be deployed on more than 1,000 servers and 10,000
desktops at Canara Bank to provide a robust, secure and scalable solution
for powering the bank's business critical IT infrastructure. Under the
first phase of deployment, Red Hat Enterprise Linux has been rolled out at
approximately 500 branches in three months. Close to 500 Red Hat Enterprise
Linux servers and 5000 Red Hat Desktops have been deployed in this
phase. The bank is said to be actively pursuing deployment in additional
branches as well to meet its target of 100% automation in its banking
services environment." (Thanks to Biju Chacko)
Comments (none posted)
Interviews
KDE.News has
an interview with
David Carson and Deepika Chauhan from Nokia. "
What was your
experience of aKademy? We had a great time at aKademy, and we got
much more out of it than we ever anticipated. We came to aKademy since we
wanted to thank the KDE community for the great components created by them
that form the basis of the future Series 60 browser, meet some of the
contributors in person, and share with the community our experiences of
building a browser around WebCore/KHTML and JavascriptCore/KJS. The
conference gave us a better understanding of the working model of KDE. We
hope that we can work together with KDE on the mobile browser. We have
observed a lot of excitement among developers in contributing to the mobile
applications and we hope the community can bring their innovations to the
mobile platform."
Comments (none posted)
Resources
ars technica
looks at a few popular Linux audio editing packages.
"
Given Linux's strengths, weaknesses, history, and ideology, it's interesting to see where Free/Libre and Open Source Software (FOSS) competes well with proprietary software, where it falls behind, and where it provides novel innovation. The FOSS pro-level Digital Audio Workstation (DAW), Ardour, competes with industry-standard apps like ProTools, Logic, Nuendo, and Digital Performer. Audacity, on the other hand, is a more casual FOSS audio editor, but infuses the task with some distinctly geeky scripting facilities. SND, "modeled loosely after Emacs and an old, sorely-missed PDP-10 sound editor named Dpysnd," is a distinctly Linux audio app, complete with an ass-ugly interface, a mountainous learning curve, and the ability to wash your dishes if you know how to ask."
(Thanks to Andy Kauffman.)
Comments (2 posted)
Groklaw has
posted
the next installment of
The Daemon, the GNU and the Penguin,
subtitled "Tanenbaum and Torvalds". "
Linus posted his queries, his
information and his work on comp.os.minix beginning in mid-1991. But on 29
January 1992, Andy Tanenbaum posted a note with the line: "Subject: LINUX
is obsolete""
Comments (5 posted)
Edition 6 of
MyOSS Magazine
is out with coverage of open-source efforts involving Malaysia.
Topics include: Linux Live CDs - Part 2, Libraries in GNU/Linux &
Other Flavours and Podcasting in GNU/Linux.
Comments (none posted)
Reviews
KDE.News has
chosen KDissert,
KDE's mindmapping tool, as the application of the month and has an
interview with Thomas Nagy, lead
developer of the project.
Comments (14 posted)
Mayank Sharma
looks at the Off-the-Record plugin for Gaim in a NewsForge article.
"
Sometimes encryption isn't enough to keep your conversations private. With
standard encryption, it's theoretically possible for someone to steal your
secret encryption keys and decipher the conversation. For conversations that
need to be kept confidential, the Off-the-Record (OTR) plugin for Gaim saves
the day. It leaves no trace of a conversation ever having taken place."
Comments (1 posted)
According to
LinuxDevices.com, Neuros is looking for input on the development of its
next, Linux-based media player. "
Neuros is currently designing a
successor to the 442 portable media player, and has published the
specifications for a development board that it calls the 'first prototype.'
Neuros invites hackers, open source software authors, and interested
readers to review and weigh in on the design, which is expected to be
finalized in about a week."
Comments (4 posted)
Here's
an Ubuntu
review (the version is not specified) in the Inquirer. "
Here's
the other thing: it worked. It said, 'Choose a user name and a password.'
It logged me in. And there was an entire computer, ready to go. It
connected to the Internet. Firefox went places. Email
downloaded. OpenOffice...officed. I mean, call that open source? Where's the
anguish and pain? Where's the six weeks of downloading drivers and learning
how to compile source code? A shocking lapse of standards, I call
it."
Comments (22 posted)
Miscellaneous
NewsForge
covers
the launch of the National Center for Open Source Policy and Research
(NCOSPR). "
The mission of the NCOSPR will be to guide government
agencies through the array of open source software available, as well as to
develop specific solutions for individual agencies with its resource
center. The center is also behind Government Forge, a portal to host and
maintain open source software relevant to government agencies and other
public entities."
Comments (3 posted)
ZDNet's Paul Murphy is at it again:
this column
asserts that Linux has lost its momentum. But he has a recipe for getting
it back... "
So what's the most important lesson we can learn from
Microsoft? That nothing sells like success. Start counting installs and
making those numbers widely available, and pretty soon what's recently
become largely a stealth phenomenon could start to snowball again."
Who knew it was so simple?
Comments (13 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has sent out a Media Release
regarding a new threat to the Google Image Search.
"
The Electronic Frontier Foundation (EFF)
filed a brief Wednesday in support of Google Image Search,
arguing that a federal district court should reject a
request for a preliminary injunction that could shut the
service down.
In its lawsuit, adult entertainment website Perfect 10
claims that Google violates its copyrights by making and
delivering thumbnail images of its photos as Internet
search results."
Full Story (comments: 1)
The Electronic Frontier Foundation has sent out a press release
concerning the European Commission's stance on digital rights management.
"
The Electronic Frontier Foundation (EFF) has
criticized a European Commission group for assuming that
digital rights management (DRM) is the only way to foster
development of the home audiovisual market.
In comments filed last week, EFF European Affairs
Coordinator Cory Doctorow took the Networked Audiovisual
Systems and Home Platforms (NAVSHP) group to task for its
report on developing a harmonized system of DRM
requirements. Doctorow urged NAVSHP to explore approaches
grounded in empirical research, not industry mythology."
Full Story (comments: none)
LinuxMedNews
has announced the creation of the
Open Source EHR Katrina Relief Network.
"
After the podcast call to action Jordan Glogau and Fred Trotter have decided to announce the Open Source EHR Katrina Relief Network.
The idea is to use groups of open source volunteers to get clinics and hospitals in Katrina-affected areas up and running using open source medical software."
Comments (none posted)
The Free Software Foundation Europe is encouraging the
European Commission to continue putting pressure on Microsoft.
"
"Given that
people were stunned by the apparently large antitrust fine of 500
Million EUR, it is interesting to see how Microsoft has now spent six
to seven times that amount on the case just to make sure they won't
have to compete in an open market.""
Full Story (comments: none)
The Free Software Foundation Europe has sent out a pronouncement on the new
"shared source" licenses announced by Microsoft. "
According to FSFE's
first glance, the 'Microsoft Permissive License'
(Ms-PL) and 'Microsoft Community License' (Ms-CL) both appear to
satisfy the four freedoms that define Free Software. In particular:
The Ms-CL also appears to implement a variation of the Copyleft idea,
which was first implemented by the GNU General Public License (GPL)."
Full Story (comments: 15)
GnomeDesktop
celebrates
the 1000th application to be added to
GnomeFiles.org.
"
GnomeFiles.org (GTK+ software
repository) is celebrating 1000 applications added to its database. Since
GnomeFiles' launch 1.5 years ago the site grew enormously and it now serves
more than 22,000 web pages per day on average and it includes a recently
improved cHTML version for mobile browsers (mostly optimized for PDAs and
smartphones, less-featured phones should be using its WAP version)."
Comments (none posted)
OpenOffice.org is celebrating its fifth year of existence.
"
On this day, five years ago, the fledgling OpenOffice.org community
provided the first public access to the source code donated from
StarOffice by Sun Microsystems. The OpenOffice.org community had
recently been formed, and declared its intent "to create, as a
community, the leading international office suite that will run on all
major platforms and provide access to all functionality and data"."
A simultaneous release of OpenOffice.org 2.0 was also scheduled, but it
has been delayed in order to fix some critical bugs,
according to ZDNet.
Full Story (comments: 2)
HP and Red Hat have announced the sponsorships of several delegates
for the upcoming SELinux Symposium.
"
This is modeled somewhat on the Sun Regional Developer Program for LCA.
In this case, delegates are nominated by the community and will be
selected for the program based on their achievements in SELinux. This is
for developers, documenters, people who help on mailing lists, people
who organize user groups, students doing interesting research, etc."
Full Story (comments: none)
NoSoftwarePatents.com has
announced
another way to fight software patents in Europe and beyond. Florian
Mueller, founder of the NoSoftwarePatents campaign, is running for
"European of the Year". "
This is a campaign for a cause, not for a
person. A respected jury has nominated Florian Mueller as a figurehead of
our movement, and he has made it clear that we will all be winners if he
becomes elected. By voting for Florian in a public Internet poll, you and
your friends - no matter where in the world you live - can send out a
strong signal that politicians must act against software patents."
(Thanks to John Rigg)
Comments (11 posted)
Commercial announcements
atsec information security corporation is working with IBM to perform a
Common Criteria evaluation of Red Hat Enterprise Linux v.5 on a broad range
of IBM eServer systems. "
Upon completion of the evaluation, Red Hat
Enterprise Linux will have achieved a level of security previously reached
by only a handful of trusted operating systems, providing security
capabilities for commercial operating systems. The certification of Red Hat
Linux will offer the government and businesses an unprecedented choice for
security applications."
Full Story (comments: 3)
Coraid, Inc. has launched a Linux-based network attached storage (NAS)
server appliance together with a highly targeted Linux NAS distribution
that integrates with the company's EtherDrive Storage to create a low cost
network attached file server with unlimited storage capacity. A single
Coraid CLN/20 Linux NAS server can literally have thousands of disks
connected via Ethernet, and exported with NFS.
Full Story (comments: none)
Dartware has announced the release of InterMapper 4.4,
a network monitoring application. A number of new hardware probes
are included.
Full Story (comments: none)
ITTIA has announced the use of their embedded database systems by
Oshkosh trucks.
"
Users of Oshkosh trucks require systems that work quickly and reliably, and
Oshkosh expects the same from the software that helps keep their vehicles on
top. The company spent significant time and resources to evaluate various
embedded databases before they selected an ITTIA database solution. The
superior performance of db.*, coupled with ITTIA's technical support and
training made db.* a great choice from a technical perspective. The
open-source nature and low cost of db.* made the decision obvious from a
business perspective."
Full Story (comments: none)
Linspire, Inc. has
announced an educational discount program.
"
In a nationwide effort to help provide
students with affordable computers, Linspire, Inc. today launched a new,
low-cost licensing program for schools who wish to install a Linux desktop
operating system as an alternative to the more expensive Microsoft Windows
operating system. Through the program, educators will be able to sign up for
single copies or per-unit volume license packs of Linspire at special educator
rates."
Comments (none posted)
OSDL has sent out a press release for its Mobile Linux Initiative, which
is aimed at promoting the use of Linux in mobile phones. "
MLI participants will work on operating system technical
challenges, foster development of applications for Linux-based mobile
devices, deliver requirements definition documents and use cases, and host
complementary open source projects that support the initiative. MontaVista
Software, Motorola, PalmSource, Trolltech, and Wind River are among the first
members to participate in MLI."
Full Story (comments: none)
Open Source Development Labs (OSDL)
has announced its latest member, PalmSource, Inc.
"
PalmSource announced last year that it would build its new applications
framework on and port its Palm OS platform to run on Linux. As a member of
OSDL and an MLI participant, PalmSource will work with other Lab members and
the development community to advance the use of Linux in mobile devices."
Comments (none posted)
Silicon Graphics has
announced the purchase of a new supercomputer by three Belgian research
agencies.
"
Three Belgian research agencies, allied under the name "Space Pole,"
purchased a 56-processor SGI(R) Altix(R) 3700 supercomputer with 112GB of
globally shared memory and integrated with a 4TB SGI(R) InfiniteStorage TP900
solution. The Space Pole will run Novell's SuSE Linux Enterprise Server, Ver.
9 on the new Altix system."
Comments (none posted)
Solsoft Inc. has announced its Solsoft NetfilterOne, a graphical interface
that will automate the design, deployment and documentation of security
rules and policies as they pertain to a networked netfilter firewall.
Full Story (comments: none)
SugarCRM Inc. has
announced the receipt of $18.77 million in Series C funding.
"
The size of the round reflects SugarCRM's status as the most successful
open source enterprise application in the industry. The company's Sugar Open
Source Edition has been downloaded more than 350,000 times since its
introduction in July 2004, while Professional and Enterprise editions with
advanced features and technical support have attracted over 300 commercial
customers."
Comments (none posted)
New Books
Prentice Hall has published the book
Core Web Application Development
with PHP and MySQL by Marc Wandschneider.
Full Story (comments: none)
O'Reilly has published the book
Internet Forensics
by Robert Jones.
Full Story (comments: none)
Prentice Hall has published the book
Self-Service Linux:
Mastering the Art of Problem Determination by
Mark Wilding and Dan Behman.
Full Story (comments: none)
Resources
The second issue of the InterBase and Firebird Developer Magazine
is available for download.
Comments (none posted)
HowtoForge presents
a tutorial
by Falko Timme on using rdiff-backup.
"
This tutorial describes how to do automated server backups with the tool rdiff-backup. rdiff-backup lets you make backups over a network using SSH so that the data transfer is encrypted. The use of SSH makes rdiff-backup very secure because noone can read the data that is being transferred. rdiff-backup makes incremental backups, thus saving bandwidth."
Comments (none posted)
Contests and Awards
The Free Software Foundation (FSF) has announced the creation of the "Free
Software Award for Projects of Social Benefit", and a call for
nominations. "
This award is presented to the project or team
responsible for applying free software, or the ideas of the free software
movement, in a project that intentionally and significantly benefits
society in other aspects of life."
Full Story (comments: 4)
Sun Wah Linux Limited (Hong Kong) has
announced
the successful completion of the 2005 Golden Penguin Greater China Open
Source Software Competition. "
This is the largest OSS competition
jointly organized by Mainland China, Hong Kong SAR, Taiwan and the Macau
SAR. It aims at promoting the research and strategic development of new
software, and encouraging the development and establishment of Open Source
Software (OSS) in the Greater China Region."
Comments (none posted)
NewsForge
reports that SugarCRM will hold the
SugarCRM 2005 Developer Contest to mark the 100th extension on the
SugarForge.org project site.
"
The company is offering awards for three categories. SugarCRM plans to give away $500 for the best theme template, $1,000 for the best business and productivity module, and $1,000 for the most innovative module. The entries must be installable using SugarCRM's new Module Loader, and must be received by October 31. Winners will be announced on November 14, and developers may enter as many modules or templates as they want."
Comments (none posted)
Education and Certification
Free Electrons has sent out a press release with a one-year report on
its Embedded Linux Training course.
"
After the first release of the free materials of its Embedded Linux
Training in October 2004, Free Electrons
(http://free-electrons.com)
released a summary of the numerous improvements brought to this training
in 1 year:
http://free-electrons.com/news/news.2005-10-15.
A few highlights: 13 lectures or presentations (1000 pages, doubled in 1
year), 11 practical labs, a dedicated live distribution for embedded
system and kernel developers, translations to several languages."
Full Story (comments: none)
The Linux Professional Institute will be holding free
certification tests at the LinuxWorld Conference &
Expo in Frankfurt, Germany on November 15 and 16, 2005.
Full Story (comments: none)
Red Hat has launched the new
Red Hat Certified Security Specialist (RHCSS) certification program.
"
Adding to its award-winning Red Hat Certified Engineer (RHCE) program, and Red Hat Certified
Architect (RHCA) program, Red Hat Certified Security Specialist (RHCSS) is the first performance
based certification focused on security competency for enterprise Linux servers."
Full Story (comments: none)
Upcoming Events
KDE.News
has announced
a number of upcoming German KDE events.
"
October in Germany is filled with a lot of local Free Software events and KDE is present at them. Join us first at Berlinux 2005 on Fri October 21 and Sat 22. Then we are off to Dresden for Linux-Info-Tag Dresden 2005 on Sat October 29. Read on for how we'll be helping the users to explore the full range of wonders in KDE."
Comments (none posted)
A Call For Participation has gone out for the LCA 2006
OpenOffice.org Miniconf. The event will take place on January
23 and 24, 2006 in Dunedin, New Zealand.
Proposals are due by November 4.
Full Story (comments: none)
A
Call for Speakers
has gone out for the PHP Quebec Conference 2006. The event will take place
in Montreal, Quebec, Canada on March 29-31, 2006. Submissions are due
by November 4.
Comments (none posted)
A
Call for Proposals
has gone out for PyCon 2006. The event will be held in Addison, Texas
on February 24-26, 2006. Submissions are due by October 31.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| October 20 - 21, 2005 | Zend/PHP Conference and Expo 2005 | Hyatt Regency SF Airport Hotel, Burlingame, CA |
| October 20 - 21, 2005 | Australian Unix Users Group Conference 2005 (AUUG) | Sydney, Australia |
| October 20 - 23, 2005 | piksel05 | Bergen, Norway |
| October 20, 2005 | O'Reilly European Open Source Convention (EuroOSCON) | NH Grand Hotel Krasnapolsky, Amsterdam, the Netherlands |
| October 24 - 28, 2005 | 12th Annual Tcl/Tk Conference | Red Lion Hotel, Portland, Oregon |
| October 26 - 27, 2005 | Internet Identity Workshop (IIW) | Hillside Club, Berkeley, CA |
| October 29 - 30, 2005 | OpenFest 2005 | Inter Expo Center, Sofia, Bulgaria |
| October 30, 2005 | | |
| October 31 - November 11, 2005 | Ubuntu Below Zero | downtown Holiday Inn, Montreal, Canada |
| November 6 - 9, 2005 | International PHP Conference 2005 | Frankfurt, Germany |
| November 7 - 9, 2005 | Open Source Database Conference 05 | NH-Hotel Frankfurt-Mörfelden, Frankfurt, Germany |
| November 8 - 9, 2005 | Association Française des Utilisateurs de PHP (AFUP) | Paris, France |
| November 9 - 10, 2005 | Forum PHP Paris 2005 | Paris, France |
| November 12 - 18, 2005 | SC\|05 | Washington State Convention and Trade Center, Seattle, WA |
| November 13 - 15, 2005 | Firebird Conference 2005 | Hotel Olsanka, Prague, Czech Republic |
| November 15 - 18, 2005 | Embedded Technology 2005 (ET2005) | Yokohama, Japan |
| November 15 - 17, 2005 | LinuxWorld Germany | Frankfurt, Germany |
| November 18, 2005 | European Gentoo developer meeting | Schloss Kransberg, Germany |
| November 20 - 23, 2005 | 5tas Jornadas Regionales de Software Libre | Rosario, Santa Fe, Argentina |
| November 29 - December 2, 2005 | FOSS.IN/2005 | Bangalore Palace, Bangalore, India |
| December 4 - 9, 2005 | Large Installation System Administration Conf. (LISA) | San Diego, CA |
| December 5 - 7, 2005 | Open Source Developers' Conference (OSDC) | Monash University's Caulfield campus, Melbourne, Australia |
Comments (none posted)
Audio and Video programs
O'Reilly
has announced a new edition of its online audio magazine.
"
This week, O'Reilly's audio magazine program Distributing the Future features
day one from the Web 2.0 conference. John Battelle and Tim O'Reilly set the
stage for this year's conference, Barry Diller talks about Ask Jeeves and
Google, Bran Ferren explains why human interface is holding us back, and
Philip Rosedale welcomes you to a Second Life."
Comments (none posted)
Page editor: Forrest Cook