Your editor, ancient relic that he is, first discovered the wonders of
global email around 1981, thanks to a BSD-running VAX with a blazingly fast
1200-baud uucp connection. A USENET addiction was quick to follow; on the
net, it was possible to converse with a few thousand people on literally
hundreds of computers! It was an eye-opening introduction to what a
global conversation could be like, both good and bad; hopefully some of
those ill-advised, youthful conversations on net.singles and net.politics
are lost forever.
As it happens, your editor was late to the party, and the old-timers were
busily worrying about how the whole thing was going to collapse under the
load of all these new, clueless users. USENET proved to be resilient,
however, to the point that the "death of the net" idea became a sort of
running joke. It survived its rapid growth, thanks to faster modems,
better software (including a thing called "rn" posted by a young Larry
Wall), and user education. USENET survived the loss of the central
"seismo" hub, in the process (as seismo's connections were shifted over to
a new host called "uunet") kicking off the commercial ISP industry. It
survived the abrupt arrival of AOL, initially connected via a uucp link of
its own (here's a classic
posting on how the AOL folks were perceived at that time). It even
survived the beginning of the spam onslaught - the famous "green card spam"
was carried via USENET, not email.
USENET was a useful medium for a long time. Among other things, much of
the very early Linux development conversation happened over USENET; your
editor decided to go for Linux after noting that the relevant groups had
much more going on than the BSD groups. When LWN was first launched, the
announcement went to comp.os.linux.announce - the news source for
Linux users at that time. Many years earlier, Richard Stallman's first GNU
Manifesto posting happened on USENET. The next time you complain about
your distributor's repository, think back to the joy of receiving GNU emacs
over USENET - as a large number of 50KB chunks which you got to piece back
together yourself.
The legacy of USENET also surrounds us in other forms. Many of the
features in your fancy mail client which allow you to deal with your
incoming flood were first worked out for netnews reading. News clients
still have their uses; your editor would have a hard time keeping up with
so many lists if it weren't for the highly useful, NNTP-based Gmane repository.
The Globe and Mail has recently declared
the death of USENET, as a result of Rogers Communications deciding to
stop providing netnews access to its customers. Others might have noted the
death of USENET earlier this year, when AOL disconnected its customers.
But the fact of the matter is that USENET has been dead as a medium for
useful conversations for some years now. It is too open, too easy to flood
with spam, too easy to forge control messages for. The signal-to-noise
ratio of USENET - often not all that high to begin with - sunk to a point
that most people had no remaining desire to deal with it.
So it is not surprising that the commercial service providers are pulling
the plug on USENET. A news feed requires significant bandwidth, and its
contents seem to be mostly spam and porn. Few customers care anymore.
There are much better alternatives out there now; the global conversation
has moved on to different forums. USENET is dead, and, at this point, few
of us miss it. But USENET played an important role in the history of the
net as a whole. Those of you who were there: raise a glass to the memory
of USENET at your next opportunity.
Comments (48 posted)
November 22, 2005
This article was contributed by Glyn Moody
It is almost ten years to the day that Bill Gates made his "Pearl Harbor"
speech, which placed the Internet at the heart of everything Microsoft did.
The recent
announcements
of
Windows
Live and
Office
Live may not be quite so epoch making, but it nonetheless represents a
major change of direction for Microsoft, and has interesting implications
for free software.
The parallels between Microsoft's two strategy shifts are striking.
Both were triggered in part by spectacular IPOs: Netscape's in 1995,
Google's in 2004. Both sought to head off the same threat of
OS-independent computing. Back in 1995, Gates was worried that
Netscape's software might create a "Webtop" platform, where Java
applets would be downloaded over the Internet into the browser to
provide word processors, spreadsheets and the rest. In 2005, another
Net-based approach software services of the kind popularized by
Google not only allows the browser to provide those same functions,
but comes with a flourishing ad-based revenue model to sustain it.
Gates's response is also similar in both cases: to embrace the basic idea so as to
reduce the appeal of rival offerings, and then, ultimately, to use it
to tie users more closely to his products. The success of that
technique can be seen in the dominance of Internet Explorer, which not
only replaced Netscape
Navigator as the most popular browser, but managed to subvert Web
standards to such an extent that
Navigator was ultimately perceived as inferior since it was unable to
work with the huge number of IE-specific sites.
One lesson to be learned from this history is that Microsoft should never be
underestimated, even perhaps especially - when it seems to be
wrong-footed and forced to adopt technologies that apparently threaten
its empire. Fear has always given the company focus. The new Windows
Live system may look innocuous and even
conciliatory it can not only be accessed from GNU/Linux machines,
but also explicitly
supports
Firefox - but the back-end hooks into Microsoft's products
are likely to be deep.
The second and probably more important lesson to be drawn is that the much
talked-about
Google Office service if and when it does come is not going to be
the Microsoft Office killer that many seem to imagine. Whatever Google or
anyone else might do in this sphere, Microsoft can simply match it, at
least in terms of functionality.
But one thing that Microsoft is unlikely to offer is support for truly open
file formats, its recent announcement
of the "open standardization" of Office formats notwithstanding. The
technical and legal details of this will need to be examined closely to see
whether it is yet another case of Microsoft apparently promising much, but
in reality delivering considerably less. After all, if it did support a
completely open file format, the barrier to switching to other office
suites would disappear.
Until the approval
of the new OpenDocument Format (ODF) standard by OASIS, there were many
alternatives to Microsoft's office file formats, but none around which
other manufacturers or major users could rally. With ODF, there is now not
only an official standard, but a real
choice of software that supports (or will support) it.
The key role that ODF will play in tomorrow's battles between open and
proprietary approaches is already evident in the furore surrounding the
Commonwealth of Massachusetts's decision
to adopt ODF as an official file format. The rather forced logic of Microsoft's
comments on this move is an indication of the company's
difficulties in neutralizing this threat. Moreover, Massachusetts may turn
out to be no simple loss of business, but a tipping point that could lead
to large-scale defections from Microsoft's proprietary formats to open
standards. Anyone who doubts that such a shift is possible should bear in
mind that WordPerfect and Lotus 1-2-3 once dominated their respective
sectors as totally as the programs that displaced them - Microsoft Word and
Excel - do now.
An even more serious blow to Microsoft's grip on the office market
could come from Europe. The European Union (EU) is keen to promote
what it calls open document
exchange formats. One of its
technical subcommittees approved a series
of recommendations that effectively
back ODF provided it becomes a recognized standard. Bizarrely,
OASIS does not count as a standards body in this context, and so ODF has
been submitted to
the better-known International Organization for Standardization (ISO). ODF
could emerge as
an ISO standard sometime next year. At that point, the EU may well
throw its considerable weight behind ODF by specifying it as the
preferred format for public sector communications in Europe.
Microsoft is acutely aware of this threat: it is no coincidence that
it announced the standardization of its Office formats in Paris, not
Redmond.
Private sector support is gathering momentum, too. The original donor of
the OpenOffice.org code, Sun, has naturally adopted ODF in its StarOffice
8.0, and also offers
a grid-based service for bulk conversion of Microsoft Office documents
into ODF files. Another major player in this area is IBM, which uses
OpenOffice.org formats for its groupware product Workplace,
likely to be the successor to Lotus Notes.
The strength of both of these companies' commitment is shown by the fact
that, despite their other differences, Sun and IBM jointly
hosted an ODF summit at the beginning of November; those attending
included Google, Nokia, Novell, Oracle and Red Hat. One of the items
discussed was the creation of a formal ODF Foundation to promote the
standard. An Open Document
Fellowship bringing together individuals interested in the development
of ODF (including the present writer) already exists.
ODF is fast emerging as one of the most important recent developments
in the software world had it not existed, Microsoft would surely
never have embarked on its "open standardization" process. In time,
its appearance in May this year might even turn out to be as pivotal
as Bill Gates' Pearl Harbor Day speech. At the very least, it
represents a rich new vein that can be mined by open source
programmers keen to make their mark. As a young standard, there are
still gaps in its software support. Items on the wish list include:
- A plug-in that would allow Microsoft Office users to read and write
ODF files (a server-based
approach is already under development).
- Improved accessibility for disabled users (one of the issues that is
threatening to derail the Massachusetts decision).
- A simple ODF reader,
along the lines of Adobe's Acrobat, that would enable users to read
ODF documents without installing an entire office suite.
- A lightweight
ODF editor even smaller than Abiword, say that would allow
simple changes to ODF text files.
- A Wiki-like collaborative editing system based around ODF Work on OpenFormula, which
complements and extends ODF
In the browser wars of the late 1990s, Bill Gates was able to wrest
control of the web from Netscape because of the latter's short-sighted
attempts to beat Microsoft at its own game notably by adding
proprietary twists to HTML. Today, as Microsoft re-invents
itself in the image of Web
2.0, the situation is rather different. The importance and power of
open standards is more evident, and the free software community is no
longer a small and apparently marginal group but, instead, the most important
counterpoise to Microsoft, well placed to resist any moves to
"de-commoditize" key technologies like Ajax.
And this time, there is a chance to go on the offensive. The open
source world has long had the desire to end Microsoft's dominance on
the desktop; with ODF not GNU/Linux, as many have believed it may
finally have the means.
(Glyn Moody is author of Rebel Code: Linux and the open source
revolution.).
Comments (17 posted)
One might think that the SonyBMG rootkit story would start to fade away,
but that is not, yet, the case. Here's an update on the last week's
developments.
Those of you who have not yet read Bruce
Schneier's Wired article on this episode may want to give it a look.
He points out that one might have reasonably expected all of those security
and anti-virus companies to say something about SonyBMG's software, given
that it has been in circulation for over a year, has arguably infected
hundreds of thousands of computers, and even phones home. Most of these
companies have yet to explain why they missed such an obvious security
compromise for so long.
Meanwhile, the EFF has launched a
class-action suit against SonyBMG. As Ed Felten points out,
the EFF is taking an interesting approach by putting the spotlight on
SonyBMG's other DRM software: Sunncomm's MediaMax. MediaMax lacks some of
the rootkit features found in XCP, but it is still highly unpleasant
software which, among other things, phones home.
Worse yet, one component of MediaMax, a system service called
sbcphid, is loaded into memory and ready to run at all times, even
when there is no disc in the CD drive and no music is being
played. And it runs as a kernel process, meaning that it has access
to all aspects of the system. This is another component that can
only add to security risk; and again the user has no choice.
Widening the focus to other invasive DRM software is an important step to
take if we want to win the larger battle, rather than just punishing
SonyBMG for the XCP episode.
The state of Texas has also filed
suit, charging SonyBMG with violations of the Texas anti-spyware act.
What is perhaps most interesting - and hopeful - about this incident is how
it has expanded the debate on DRM schemes. A quick news search shows just
how widely the mainstream, non-technical press has covered this story.
CERT has highlighted it for its November 15
Current Activity Report, offering some valuable advice: "Use
caution when installing software. Do not install software from sources that
you do not expect to contain software, such as an audio CD." Even
the Gartner Group has chimed in,
pointing out that the software is easily circumvented, and suggesting that
the music industry is now likely to push (even more) for legislation
requiring that DRM features be incorporated into computer products.
A legislative attack seems like a fairly safe prediction - such attacks
have been ongoing for some time, after all. But the climate, which was not
entirely favorable to legally-mandated DRM even before, has become
harsher. SonyBMG's nasty DRM code has not impeded file sharers or
commercial "pirates" in any way - it was, instead, an attack on the people
who chose to actually buy the CD for themselves. DRM schemes are an attack
on paying customers, and those customers are now figuring that out. More
encouragingly, there are occasional
signs that the industry is getting a clue as well.
Even more to the point, though, is that the SonyBMG rootkit has raised the
question of whether we have the right to control our own computers. The
nearly unanimous answer is that, yes, we have that right, and the
entertainment industry cannot take that right away from us in the name of
stopping copyright infringement - or, in the case of SonyBMG's software,
simply keeping their customers from putting music onto their iPods. Your
editor once heard Jim Gettys say, at some conference or other, that the DRM
fight would be like the encryption battle: we would win, but there would be
a decade or two of pain to endure first. SonyBMG, by making the issue so
incredibly clear, may have done us the favor of shorting out several of
those years of pain. Looking back some years from now, we might just find
ourselves thanking them.
Comments (9 posted)
Page editor: Jonathan Corbet
Security
While some states in the U.S. have enacted anti-spyware legislation,
nothing has yet happened at the federal level. That may soon change as a
result of
Senate bill
687, which has recently passed its first test in the Commerce, Science,
and Transportation Committee. This bill, sponsored by Conrad Burns,
carries the somewhat awkward title of the "Software Principles Yielding
Better Levels of Consumer Knowledge Act," or "Spy block" for short.
There are several parts to the proposed law:
- Section 2 prevents "surreptitious installation" of software. Illegal
acts include installations which conceal the fact that software is
being installed, or which does not offer an opportunity to block the
installation. Fooling users into installing something other than what
they were expecting is also prohibited. This section makes sense as a
basic protection of a user's control over his or her own computer, but
it contains an important exception: "upgrades" to software which is
already installed. Something which can be called an "upgrade" can be
installed in a hidden manner with no required user consent.
- Section 3 is the spyware section: it disallows the installation of
surreptitious information collection software. Here, too, there is an
important exception: "This section shall not be interpreted to
prohibit a person from causing the installation of software that
collects and transmits only information that is reasonably needed to
determine whether or not the user of a protected computer is licensed
or authorized to use the software."
- Section 4 bans adware (it uses that term). The main activity
prohibited here is to install software which displays advertisements
without making the source of the ad clear.
- Section 5 addresses other ways of taking over control. The first part
blocks the sending of "unsolicited information or material" to other
computers - it essentially outlaws the creation of spammer botnets.
Hijacking web sessions is also disallowed, as is changing a user's
home page, web proxy, bookmarks, or firewall settings.
- Section 6 exempts ISPs for liability if all they did was carry some
malevolent bits from elsewhere. Various other sections describe how
the law would fit with other legislation and how it would be
enforced.
- Finally, section 11 is an umbrella for anti-spyware companies.
Essentially it says that you can't be sued for identifying and
removing software from a system if it (1) violates this law, and
(2) the user consents.
This law, as written, is a good statement of users' rights to control their
computers - as far as it goes. It is an interesting exercise to ponder
how this act would apply to the SonyBMG rootkit episode. The software was
not installed surreptitiously, and it's not clear that it engaged in the
collection of information. Simply phoning home is not addressed by this
bill, unfortunately. The law's exceptions also leave some large holes in
its protection. So, despite its good intentions, the "Spy block" act is
not likely to lead to much in the way of serious change.
Comments (22 posted)
Brief items
KDE.News
reports on a recent
meeting of the security developers from the leading web browsers.
"
Our initial and primary focus is, and continues to be, addressing
issues in PKI as implemented in our web browsers. This involves finding a
way to make the information presented to the user more meaningful, easier
to recognise, easier to understand, and perhaps most importantly, finding a
way to make a distinction for high-impact sites (banks, payment services,
auction sites, etc) while retaining the accessibility of SSL and identity
for smaller organisations."
Comments (1 posted)
New vulnerabilities
egroupware: multiple vulnerabilities
| Package(s): | egroupware |
CVE #(s): | CVE-2005-0870
CVE-2005-2600
CVE-2005-3347
CVE-2005-3348
|
| Created: | November 17, 2005 |
Updated: | December 9, 2005 |
| Description: |
A number of vulnerabilities have been found in egroupware,
a web-based groupware suite.
Phpsysinfo has several cross-site scripting vulnerabilities,
The the tree view of FUD Forum Bulletin Board Software has
a cross-site scripting problem, phpsyinfo has a local variable
overwrite problem, and phpsyinfo has an input sanitizing
issue. |
| Alerts: |
|
Comments (none posted)
FUSE: mtab corruption through fusermount
| Package(s): | fuse |
CVE #(s): | CVE-2005-3531
|
| Created: | November 22, 2005 |
Updated: | January 24, 2006 |
| Description: |
Thomas Biege discovered that fusermount fails to securely handle
special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options. |
| Alerts: |
|
Comments (none posted)
gnump3d: insecure temp files, path traversal
| Package(s): | gnump3d |
CVE #(s): | CVE-2005-3349
CVE-2005-3355
|
| Created: | November 21, 2005 |
Updated: | November 22, 2005 |
| Description: |
Ludwig Nussel discovered several temporary files that are created with predictable filenames in an insecure fashion and allows local attackers to craft symlink attacks. Also the theme parameter to HTTP requests may be used for path traversal. |
| Alerts: |
|
Comments (none posted)
inkscape: arbitrary code execution
| Package(s): | inkscape |
CVE #(s): | CVE-2005-3737
|
| Created: | November 21, 2005 |
Updated: | December 7, 2005 |
| Description: |
A buffer overflow has been discovered in the SVG importer of Inkscape.
By tricking an user into opening a specially crafted SVG image this
could be exploited to execute arbitrary code with the privileges of
the Inkscape user. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-2709
CVE-2005-2973
CVE-2005-3055
CVE-2005-3180
CVE-2005-3271
CVE-2005-3272
CVE-2005-3273
CVE-2005-3274
CVE-2005-3275
CVE-2005-3276
|
| Created: | November 22, 2005 |
Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: |
|
Comments (2 posted)
netpbm-free: buffer overflows
| Package(s): | netpbm-free |
CVE #(s): | CVE-2005-3632
CVE-2005-3662
|
| Created: | November 21, 2005 |
Updated: | December 20, 2005 |
| Description: |
Greg Roelofs discovered and fixed several buffer overflows in pnmtopng
which is also included in netpbm, a collection of graphic conversion
utilities, that can lead to the execution of arbitrary code via a
specially crafted PNM file. |
| Alerts: |
|
Comments (1 posted)
openswan: Denial of Service
| Package(s): | openswan |
CVE #(s): | |
| Created: | November 21, 2005 |
Updated: | November 22, 2005 |
| Description: |
NISCC has reported two Denial of Service issues in Openswan. The first
involves a specially crafted 3DES packet with an invalid key length. These
have been fixed in Openswan 2.4.4. |
| Alerts: |
|
Comments (none posted)
xmail: buffer overflow
| Package(s): | xmail |
CVE #(s): | CVE-2005-2943
|
| Created: | November 21, 2005 |
Updated: | December 14, 2005 |
| Description: |
A buffer overflow has been discovered in the sendmail program of
xmail, an advanced, fast and reliable ESMTP/POP3 mail server that
could lead to the execution of arbitrary code with group mail
privileges. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
acidlab: SQL injection
| Package(s): | acidlab |
CVE #(s): | CVE-2005-3325
|
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
Remco Verhoef has discovered a vulnerability in acidlab, Analysis
Console for Intrusion Databases, and in acidbase, Basic Analysis and
Security Engine, which can be exploited by malicious users to conduct
SQL injection attacks. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
chmlib: several vulnerabilities
| Package(s): | chmlib |
CVE #(s): | CVE-2005-2659
CVE-2005-2930
CVE-2005-3318
|
| Created: | November 7, 2005 |
Updated: | November 28, 2005 |
| Description: |
Several vulnerabilities have been discovered in chmlib, a library for
dealing with CHM format files. |
| Alerts: |
|
Comments (none posted)
common-lisp-controller: design error
| Package(s): | common-lisp-controller |
CVE #(s): | CAN-2005-2657
|
| Created: | September 14, 2005 |
Updated: | November 21, 2005 |
| Description: |
François-René Rideau discovered a bug in common-lisp-controller, a
Common Lisp source and compiler manager, that allows a local user to
compile malicious code into a cache directory which is executed by
another user if that user has not used Common Lisp before.
|
| Alerts: |
|
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
CVE #(s): | CAN-2005-1111
|
| Created: | June 20, 2005 |
Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute. |
| Alerts: |
|
Comments (1 posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
emacs: lisp execution vulnerability
| Package(s): | emacs |
CVE #(s): | CAN-2003-1232
|
| Created: | November 10, 2005 |
Updated: | November 16, 2005 |
| Description: |
Version 21.2 of the EMACS editor has a vulnerability in which
text files containing Lisp code can be executed without warning
the user. Attackers can cause users to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enigmail: information disclosure
| Package(s): | enigmail |
CVE #(s): | CVE-2005-3256
|
| Created: | October 20, 2005 |
Updated: | December 13, 2005 |
| Description: |
The key selection dialog from the Mozilla Thunderbird enigmail plugin
has an information disclosure vulnerability.
A key with an empty user id from a user's keyring will be used by
default, allowing a message to be decrypted. This can lead to an
unauthorized information disclosure. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmailconf: insecure file creation
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-3088
|
| Created: | October 26, 2005 |
Updated: | November 22, 2005 |
| Description: |
The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
|
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
flash-plugin: buffer overflow
| Package(s): | flash-plugin |
CVE #(s): | CVE-2005-2628
|
| Created: | November 10, 2005 |
Updated: | November 25, 2005 |
| Description: |
The Mozilla browser Macromedia Flash Player plug-in has a
buffer overflow vulnerability. A user who opens a maliciously
created Macromedia Flash file may be tricked into executing
arbitrary code. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
ftpd: remote buffer overflow
| Package(s): | ftpd |
CVE #(s): | CVE-2005-3524
|
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer. An attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0175
CAN-2005-0488
CAN-2005-1175
CAN-2005-1689
|
| Created: | July 12, 2005 |
Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information. |
| Alerts: |
|
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libgda2: format string vulnerabilities
| Package(s): | libgda2 |
CVE #(s): | CAN-2005-2958
|
| Created: | October 25, 2005 |
Updated: | November 18, 2005 |
| Description: |
Steve Kemp discovered two format string vulnerabilities in libgda2,
the GNOME Data Access library for GNOME2, which may lead to the
execution of arbitrary code in programs that use this library. |
| Alerts: |
|
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libungif: memory corruption
| Package(s): | libungif |
CVE #(s): | CAN-2005-2974
|
| Created: | November 3, 2005 |
Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
Mantis: multiple vulnerabilities
| Package(s): | mantisbt |
CVE #(s): | CVE-2005-3091
CVE-2005-3335
CVE-2005-3336
CVE-2005-3338
CVE-2005-3339
|
| Created: | October 28, 2005 |
Updated: | December 22, 2005 |
| Description: |
Mantis contains several vulnerabilities, including a remote file inclusion
vulnerability, an SQL injection vulnerability, multiple cross site
scripting vulnerabilities and multiple information disclosure
vulnerabilities. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
mysql: buffer overflow
| Package(s): | mysql |
CVE #(s): | CAN-2005-2558
|
| Created: | September 12, 2005 |
Updated: | January 12, 2006 |
| Description: |
The mysql CREATE FUNCTION can be used to create a buffer overflow.
A specially crafted long function name can be used by a local attacker
to crash the server or execute arbitrary code with the privileges of
the server. |
| Alerts: |
|
Comments (none posted)
mysql: low-impact security fix
| Package(s): | mysql |
CVE #(s): | CAN-2005-1636
|
| Created: | July 20, 2005 |
Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689). |
| Alerts: |
|
Comments (1 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openssh: GSSAPI credential disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2005-2798
|
| Created: | September 7, 2005 |
Updated: | February 3, 2006 |
| Description: |
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
|
| Alerts: |
|
Comments (none posted)
openssl: protocol rollback
| Package(s): | openssl |
CVE #(s): | CAN-2005-2969
|
| Created: | October 12, 2005 |
Updated: | December 19, 2005 |
| Description: |
OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details. |
| Alerts: |
|
Comments (1 posted)
openvpn: format string vulnerability
| Package(s): | openvpn |
CVE #(s): | CVE-2005-3393
CVE-2005-3409
|
| Created: | November 2, 2005 |
Updated: | December 12, 2005 |
| Description: |
OpenVPN 2.0.x contains a format string vulnerability which can be exploited by a hostile server; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
CVE #(s): | CAN-2005-2491
|
| Created: | August 23, 2005 |
Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in the PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File:Path.pm module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2005-3390
CVE-2005-3389
CVE-2005-3388
CVE-2005-3353
|
| Created: | November 8, 2005 |
Updated: | December 23, 2005 |
| Description: |
There are multiple vulnerabilities in PHP, including malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the
register_globals setting, cross-site scripting bugs in phpinfo() and a bug in EXIF image parsing that may crash the process. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: local file inclusion and XSS
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-2869
CVE-2005-3300
CVE-2005-3301
|
| Created: | October 25, 2005 |
Updated: | November 18, 2005 |
| Description: |
Stefan Esser discovered that by calling certain PHP files directly, it
was possible to workaround the grab_globals.lib.php security model and
overwrite the $cfg configuration array. Systems running PHP in safe
mode are not affected. Futhermore, Tobias Klein reported several
cross-site-scripting issues resulting from insufficient user input
sanitizing. A local attacker may exploit this vulnerability by sending
malicious requests, causing the execution of arbitrary code with the rights
of the user running the web server. Furthermore, the cross-site scripting
issues give a remote attacker the ability to inject and execute malicious
script code or to steal cookie-based authentication credentials,
potentially compromising the victim's browser. |
| Alerts: |
|
Comments (none posted)
phpsysinfo: cross-site-scripting
| Package(s): | phpsysinfo |
CVE #(s): | CAN-2005-0870
|
| Created: | May 18, 2005 |
Updated: | November 15, 2005 |
| Description: |
The phpsysinfo program contains several cross-site scripting vulnerabilities. |
| Alerts: |
|
Comments (none posted)
phpsysinfo: programming errors
| Package(s): | phpsysinfo |
CVE #(s): | CVE-2005-3347
CVE-2005-3348
|
| Created: | November 15, 2005 |
Updated: | November 23, 2005 |
| Description: |
Christopher Kunz discovered that local variables get overwritten
unconditionally and are trusted later, which could lead to the inclusion of
arbitrary files. Christopher Kunz also discovered that user-supplied input
is used unsanitized, causing a HTTP Response splitting problem. |
| Alerts: |
|
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
CVE #(s): | CAN-2005-1409
CAN-2005-1410
|
| Created: | May 4, 2005 |
Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
|
| Alerts: |
|
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
CVE #(s): | CVE-2005-1391
|
| Created: | May 2, 2005 |
Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process. |
| Alerts: |
|
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
CVE #(s): | CAN-2005-2875
|
| Created: | September 19, 2005 |
Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: |
|
Comments (none posted)
RAR: format string and buffer overflow
| Package(s): | rar |
CVE #(s): | |
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
Tan Chew Keong reported two vulnerabilities in RAR: a format string error
exists when displaying a diagnostic error message that informs the user of
an invalid filename in an UUE/XXE encoded file and some boundary errors in
the processing of malicious ACE archives can be exploited to cause a buffer
overflow. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
CVE #(s): | |
| Created: | November 15, 2005 |
Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: |
|
Comments (none posted)
smb4k: temporary file vulnerability
| Package(s): | smb4k |
CVE #(s): | CVE-2005-2851
|
| Created: | September 7, 2005 |
Updated: | December 7, 2005 |
| Description: |
Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
|
| Alerts: |
|
Comments (none posted)
spamassassin: denial of service
| Package(s): | spamassassin |
CVE #(s): | CVE-2005-3351
|
| Created: | November 9, 2005 |
Updated: | March 7, 2006 |
| Description: |
Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field. |
| Alerts: |
|
Comments (none posted)
squid: authentication handling
| Package(s): | squid |
CVE #(s): | CAN-2005-2917
|
| Created: | September 30, 2005 |
Updated: | March 15, 2006 |
| Description: |
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart. |
| Alerts: |
|
Comments (none posted)
sudo: missing input sanitizing
| Package(s): | sudo |
CVE #(s): | CVE-2005-2959
|
| Created: | October 25, 2005 |
Updated: | February 19, 2006 |
| Description: |
Tavis Ormandy noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. The SHELLOPTS and PS4 variables are dangerous and are
still passed through to the program running as privileged user. This
can result in the execution of arbitrary commands as privileged user
when a bash script is executed. These vulnerabilities can only be
exploited by users who have been granted limited super user
privileges. |
| Alerts: |
|
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
CVE #(s): | CAN-2005-1993
|
| Created: | June 21, 2005 |
Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time. |
| Alerts: |
|
Comments (none posted)
sylpheed: buffer overflow
| Package(s): | sylpheed |
CVE #(s): | CVE-2005-3354
|
| Created: | November 9, 2005 |
Updated: | January 6, 2006 |
| Description: |
The sylpheed mail client, prior to versions 1.0.6 and 2.0.4, contains a buffer overflow in the LDIF address book import code. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
CVE #(s): | CAN-2005-3011
|
| Created: | October 5, 2005 |
Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
ucd-snmp: denial of service
| Package(s): | ucd-snmp |
CVE #(s): | CAN-2005-2177
|
| Created: | August 9, 2005 |
Updated: | January 27, 2006 |
| Description: |
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash. |
| Alerts: |
|
Comments (none posted)
uim: privilege escalation
| Package(s): | uim |
CVE #(s): | CVE-2005-3149
|
| Created: | October 4, 2005 |
Updated: | December 7, 2005 |
| Description: |
Masanari Yamamoto discovered that Uim uses environment variables
incorrectly. This bug causes a privilege escalation if setuid/setgid
applications are linked to libuim. This bug only affects
immodule-enabled Qt (if you build Qt 3.3.2 or later versions with
USE="immqt" or USE="immqt-bc"). |
| Alerts: |
|
Comments (none posted)
unzip: race condition
| Package(s): | unzip |
CVE #(s): | CAN-2005-2475
|
| Created: | September 29, 2005 |
Updated: | January 12, 2006 |
| Description: |
Unzip has a race condition vulnerability
in the handling of output files.
During file unpacking, a local attacker can modify the permissions
of arbitrary files in the victim's directory. |
| Alerts: |
|
Comments (none posted)
up-imapproxy: format string vulnerabilities
| Package(s): | up-imapproxy |
CVE #(s): | CAN-2005-2661
|
| Created: | October 10, 2005 |
Updated: | March 7, 2006 |
| Description: |
up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code.
|
| Alerts: |
|
Comments (none posted)
util-linux: unintentional grant of privileges by umount
| Package(s): | util-linux |
CVE #(s): | CAN-2005-2876
|
| Created: | September 13, 2005 |
Updated: | December 19, 2005 |
| Description: |
Linux umount command as provided in the util-linux package in
versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information. |
| Alerts: |
|
Comments (none posted)
uw-imap: buffer overflow
| Package(s): | uw-imap |
CVE #(s): | CAN-2005-2933
|
| Created: | October 11, 2005 |
Updated: | April 10, 2006 |
| Description: |
"infamous41md" discovered a buffer overflow in uw-imap, the University
of Washington's IMAP Server that allows attackers to execute arbitrary
code. |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another users crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xloadimage: buffer overflows
| Package(s): | xloadimage |
CVE #(s): | CAN-2005-3178
|
| Created: | October 10, 2005 |
Updated: | May 15, 2006 |
| Description: |
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
xorg-x11: heap overflow
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2005-2495
|
| Created: | September 12, 2005 |
Updated: | March 8, 2006 |
| Description: |
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow, a local user can use this to
execute arbitrary code with elevated privileges. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-1849
|
| Created: | July 21, 2005 |
Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause code that executes it to crash
if a corrupted file is opened. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The 2.6.14.3 stable kernel release is in review as of this writing;
it should be released sometime around November 25. It contains 23
patches with important fixes, most of which are in the networking
subsystem.
The current 2.6 prepatch is 2.6.15-rc2, released by Linus on
November 19. It is mostly made up of a large pile of fixes, but there
is also a big x86-64 update (including the DMA32 memory zone) which got
missed for -rc1. The long-format changelog has the
details.
Linus's git repository contains 100 or so fixes merged since -rc2. Among
them is the new VM_UNPAGED VMA feature, described below.
The current -mm tree is 2.6.15-rc1-mm2.
Recent changes to -mm include various memory management and memory hotplug
patches, a relayfs update, a number of kernel shrinking patches from the
-tiny tree, a reiser4 update, some software suspend improvements, a kdump
update, and lots of fixes.
Comments (none posted)
Kernel development news
The market for USB devices is certainly dynamic; new gadgets are released
at a high rate. Unfortunately, Linux kernels and their associated drivers
are not always updated quite as quickly. The result can be that the kernel
fails to recognize and drive a new gadget, even though existing drivers may
be entirely capable of doing the job. The driver simply does not know that
the device is one it can handle, so the kernel does not bind the two
together.
Greg Kroah-Hartman has posted a
simple patch which should help fix this situation. With the patch in
place, each USB driver gets a new sysfs attribute (new_id). If a
system administrator writes two values (the vendor and product ID numbers
reported by the device) to that attribute, those numbers form a new device
ID associated with the driver. Immediately after the write, the driver
will recognize the device, and everybody will be happy. No changes to the
drivers themselves are necessary. Of course, one
could create confusion by associating a device with an inappropriate
driver, but a bit of attention should suffice to avoid that problem.
This patch came out a bit late for 2.6.15, so it is more likely to show up
in 2.6.16 or thereafter.
Comments (3 posted)
The kernel contains a mechanism, called "notifiers" or "notifier chains,"
which allows kernel code to ask to be told when something interesting
happens. A number of notifier chains are currently in use in the kernel;
chains exist for memory hotplug events, CPU frequency policy changes, USB
hotplug events, module loading and unloading, system reboots, network
device changes, and more. Notifiers are a simple and easy way to get the
word out, so they are increasingly being used throughout the kernel.
The interface to notifiers is simple. There is one structure type:
struct notifier_block
{
int (*notifier_call)(struct notifier_block *self,
unsigned long event, void *data);
struct notifier_block *next;
int priority;
};
A notifier chain is thus a simple, singly-linked list with no separate
head. A kernel subsystem which wishes to be notified of specific events
fills out a notifier_block structure and passes it to:
int notifier_chain_register(struct notifier_block **chain,
struct notifier_block *notifier);
The chain is kept sorted in increasing priority order. Sending out an
event is a matter of calling:
int notifier_call_chain(struct notifier_block **chain,
unsigned long event, void *data);
Notifiers registered in the chain will be called, in increasing priority
order, with the given event and data values. Any
notifier can return a value with the NOTIFY_STOP_MASK
bit set, with the result that no further notifiers will be called. The
return value from the last notifier is return from
notify_call_chain(). In some cases, the combination of
NOTIFY_STOP_MASK and the return value is used to allow notifiers
to veto proposed actions.
The current notifier implementation is quite simple, not much more than one
page of code. Alan Stern recently noticed a little problem, however:
notifier_call_chain() goes through the list without any sort of
locking. Changes to the notifier list are protected by a global notifier
lock, but that lock is ignored when notifiers are called. Thus, if
notifier_call_chain() is called while some other part is adding or
removing notifiers, a mess could result.
One might be tempted to fix the problem by simply acquiring the lock in
notifier_call_chain(), but life it not so simple. The current
lock for notifiers is a spinlock, but, as it turns out, some notifier
functions can sleep. So holding the lock while calling notifiers is not
possible. Switching the lock to a semaphore is also out for similar
reasons: some notifier chains can be called from atomic contexts. So a
more complicated fix is called for.
That fix has been posted by Chandra
Seetharaman. It appears that notifier chains have to be split into two
types: those which can sleep, and those which are entirely atomic. A new
notifier_type enum has been created with two values:
ATOMIC_NOTIFIER and BLOCKING_NOTIFIER. There is also now
an explicit type (struct notifier_head) for the head of a notifier
chain. Chains are now declared with something like:
NOTIFIER_HEAD(name, type);
Some new rules have been adopted for notifiers as well; one of those is
that notifiers are only added or removed in non-atomic context. With that
rule in place, each notifier_head structure can contain a
semaphore (an rwsem, actually) which protects access to the
chain. The new registration function is:
int notifier_chain_register(struct notifier_head *chain,
struct notifier_block *notifier);
Addition of a notifier is relatively easy to do in a safe manner. The
"next" pointer in the new entry is set first, followed by the "next"
pointer in the appropriate place in the list. By throwing in some memory
barriers, the patch ensures that the chain is always in a consistent
state.
The new form of notifier_call_chain() is:
int notifier_call_chain(struct notifier_head *chain,
unsigned long event, void *data);
If the chain is of the BLOCKING_NOTIFIER variety,
notifier_call_chain() can simply acquire the chain semaphore and
call the notifiers safely. Acquiring the semaphore is not possible for
ATOMIC_NOTIFIER chains, however, so, in that case, the code simply
calls rcu_read_lock() to ensure that it will not be preempted
while calling the notifiers.
The new prototype for the unregistration function is:
int notifier_chain_unregister(struct notifier_head *chain,
struct notifier_block *notifier);
For blocking chains, removal of notifiers is straightforward; the code can
simply acquire the semaphore and do its work knowing that nobody else will
be traversing the chain. For atomic notifiers, however,
notifier_call_chain() does not acquire the semaphore, so the
possibility of races is real. Removing the notifier from the chain is
still straightforward: a single pointer assignment takes the notifier out
in an atomic manner. But code in another processor may have stumbled
across that notifier before it was removed from the chain; in that case, it
may still have a reference to it. So the destruction of the removed
notifier must wait until the kernel can be sure that no references remain.
This is just the sort of situation that the read-copy-update (RCU)
mechanism was created for. In many applications, the way to destroy this
structure would be to set up an rcu_head structure, pass it to
call_rcu(), and wait for a callback to finish the job. In this
case, however, callers to notifier_chain_unregister() are not
expecting callbacks later on, and, in any case, notifier removal is not a
performance-critical operation. So the unregister code simply calls
synchronize_rcu() to block until all current RCU read locks have
been released. Once synchronize_rcu() has returned, the
unregistration code can safely return as well, knowing that no references
to the removed notifier exist.
The new design adds one other new constraint: notifiers cannot remove
themselves from the chain. Both the use of the semaphore and the use of
RCU would lead to deadlocks in that situation, resulting in developer
notifications by way of bugzilla and annoyed email.
Comments (1 posted)
The
page structure, used to describe the memory in the system,
includes a set of flags; one of those flags is
PG_reserved. For a
long time, this bit has marked pages which are not part of the regular
memory management regime; pages so marked include the kernel text (which
really should not be swapped out) and the I/O memory in the legacy ISA hole
at 640K. Occasionally, device drivers have explicitly set the reserved bit
on ordinary memory so that it could be mapped into user space with
remap_pfn_range(). This technique has been discouraged for years,
but still persists in spots.
The 2.6.15 kernel removes, for all practical purposes, the reserved bit.
Space for page flags is tight, and it was figured that, in 2.6, this bit
was no longer needed. The page reclaim code no longer cycles through the
system memory map, so it does not need this bit to know which pages to
avoid. For the other uses, the VM_RESERVED bit in the
vm_area structure could be used instead. So, in 2.6.15-rc2, the
PG_reserved bit is (almost) ignored, and the kernel respects
VM_RESERVED by not freeing pages found in areas with that bit
set.
Unfortunately, it seems a number of drivers set VM_RESERVED for
all VMAs which are mapped into user space. Some of these areas are
actually normal memory pages, which the driver maps into the process's
address space one-by-one when its nopage() function is called.
Hugh Dickins noticed that, in this case, those pages will never be returned
to the system, since the VM_RESERVED flag prevents them from being
freed. The right fix for the problem is probably to get rid of
VM_RESERVED altogether; its use is mostly a legacy from the 2.4
days. But going into a bunch of drivers and tweaking their memory
management code when this kernel is already at a -rc2 release looks like a
certain way to introduce obscure bugs. So Hugh decided to go in and make
fundamental changes to the low-level memory management code instead.
The result is a new VMA flag, VM_UNPAGED. This flag says,
explicitly, that the pages in this VMA are not to be managed, and in
particular, should not be freed. It essentially takes over the meaning
previously held by VM_RESERVED, but in an arguably better-defined
manner. Calls to remap_pfn_range() will cause the
VM_UNPAGED flag to be set. But areas of RAM managed by a driver
nopage() function will not have VM_UNPAGED set, so their
memory will be managed normally.
Various other subtleties, such as what happens when a process with
VM_UNPAGED VMAs forks, had to be dealt with. But the end result
of all this work
should be that things function again, with no driver changes. At some
point, the use of VM_RESERVED in drivers may be taken out, but
that's a post-2.6.15 thing.
Meanwhile, one other interesting result of the PG_reserved removal
is that remap_page_range() can now be used to remap any set of
addresses, not just those marked reserved.
Comments (3 posted)
Patches and updates
Kernel trees
Build system
Core kernel code
Device drivers
- Bartlomiej Zolnierkiewicz: ide update.
(November 19, 2005)
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
- Stephen Hemminger: TCP CUBIC.
(November 18, 2005)
Architecture-specific
Miscellaneous
Page editor: Jonathan Corbet
Distributions
New Releases
The Gentoo Release Engineering team has
announced
Gentoo Linux 2005.1-r1. "
The 2005.1-r1 release is simply a media
refresh over the 2005.1 release. What this means is that it used the same
base snapshot, and has very few changes. It is essentially nothing more
than a bug-fix release. Though offered to all architecture teams, only a
few had bugs that were large enough to warrant an interim release before
2006.0's release next year. This media refresh is only of stages and the
InstallCD images. The PackageCD images from 2005.1 are still valid and have
not been rebuilt."
Comments (none posted)
Flight CD 1 is the first in a series of milestone CD images that will be
released throughout the Dapper development cycle. While Flight CD 1 should
be reasonably free of showstopper CD-build or installer bugs, it just might
break your system. It's available in both Ubuntu (GNOME) and Kubuntu (KDE)
versions, so check it out and join in the
bug
day, on November 24.
Full Story (comments: 11)
The
Aurora Sparc Project has
announced (click below for the announcement) the second beta of Build-2.0
with ISO images. "
For those of you who have no earthly idea what I'm
talking about, allow me to explain. The Aurora SPARC Project is an effort to
support SPARC (32 and 64 bit) hardware on Linux. Specifically, we rebuild
Fedora Core for SPARC." Build-2.0 matches fairly well with Fedora
Core 3.
Full Story (comments: none)
New Distributions
Zeroshell is a Live CD
distribution aimed at providing the main network services a LAN requires.
It is also available as a 128MB Compact Flash image useful if you have to
boot your box from this device instead from CDROM. Zeroshell 1.0.0 is
undergoing testing, with a final release expected in December 2005.
Comments (none posted)
SLAMPP is Live CD Linux
distribution that can also be installed to a hard drive. This
Slackware/SLAX based distribution is designed to be used as an instant home
server. SLAMPP 1.1 was
recently
released.
Comments (none posted)
Distribution Newsletters
The Debian Weekly News for November 22, 2005 looks at C++ library problems
in testing, a live CD for children, project leader delegations, a new
debtags package search, lca05 miniconf: call for presentations, new
features for the packages overview page, and several other topics.
Full Story (comments: none)
The latest
Fedora Weekly
News covers Boston FUDCon 2006, New Features Coming in moin 1.5, Fedora
netdev Kernels, First Fedora Ambassadors Meeting, Fedora Logo on
distrowatch.com, New Favicon on fedoraproject.org, How to build rpm for
kmenu-gnome, Building a Simple Calendar Server with Fedora, Set up the VNC
Server in Fedora, Flash Player 7.0.61 Released, Firefox 1.5 RC 3 Released,
and several other topics.
Comments (none posted)
The
Gentoo
Weekly Newsletter for the week of November 21, 2005 covers the European
Gentoo Developer Conference, the removal of phpgroupware from the tree,
2005.1-r1 release for select architectures, GWN via RSS feed, and more.
Comments (none posted)
The
DistroWatch
Weekly for November 21, 2005 is out. "
There is no rest for the
developers of most distributions - following new development releases of
SUSE and Ubuntu last week, the first test release of Fedora Core 5 is also
expected shortly. What do you think of the new Mandriva 2006 and how does
it compare with other KDE-centric distributions, such as Kubuntu 5.10? A
long-time Mandriva user offers his views. Also in this issue: a new release
of TheOpenCD, a quick look at RR4 Linux and an observation about the
changing attitude of Microsoft towards Linux. Last but not least, the GNU
Image Manipulation Program, affectionately known as GIMP, is exactly 10
years old today."
Comments (none posted)
Package updates
Fedora Core 4 updates:
perl (bug
fixes),
GFS-kernel (update to
2.6.14-1.1637_FC4 kernel),
dlm-kernel
(update to 2.6.14-1.1637_FC4 kernel),
cman-kernel (update to 2.6.14-1.1637_FC4
kernel),
gnbd-kernel (update to
2.6.14-1.1637_FC4 kernel).
Comments (none posted)
Mandriva Linux 2006.0 updates
file
(corrects x86_64 segfault) and
drakxtools (bug
fixes).
Comments (none posted)
Trustix Secure Linux has various bug fixes for:
cyrus-imapd, initscripts, mailman, xinetd,
ebtables,
iproute,
isdn4k-utils, pkgconfig, tsl-utils and
atk,
backuppc, bind, clamav, curl, dhcp, expat, file, fontconfig, glib12,
gtk12+, gtk2+, libglade, mono, opencdk, pango, pcre, php4, samba, vim,
xorg-x11.
Comments (none posted)
Distribution reviews
Mad Penguin
reviews Mandriva
2006. "
Mandriva (the artist formerly known as Mandrake) has always
been about the desktop. Sure, they've got their enterprise products just
like any other major Linux software developer, but from this author's
armchair, it sure would seem their heart and soul is rooted deeply in the
Linux desktop... and there's nothing wrong with that. Their French heritage
shows in their passion for excellence and it hasn't gone unnoticed. After
all, somebody has got to make sure the Linux desktop is on a constant
upswing, right?"
Comments (none posted)
Lockergnome
begins
a review of Linspire. "
Folks, I have installed more 'easy to
use' Linux distros than I'd care to mention. Many of them have outstanding
installers. Xandros for instance, is very attractive to install and gives
you a user-friendly feel during the install process. Linspire also provides
an outstanding install outline that is both easy to use and to follow for
most users. Yet unlike every other distro that I have tried to install on
my notebook computer, Linspire actually detected my video card without any
help from me whatsoever."
Comments (8 posted)
Page editor: Rebecca Sobol
Development
Version 0.43 of
Inkscape, a
Scalable Vector Graphics
(SVG) drawing tool,
has been announced.
Inkscape started out as a fork of the
Sodipodi project.
The Inkscape project definition states:
Inkscape is an Open Source vector graphics editor, with capabilities similar to Illustrator, Freehand, CorelDraw, or Xara X using the W3C standard Scalable Vector Graphics (SVG) file format. Supported SVG features include shapes, paths, text, markers, clones, alpha blending, transforms, gradients, patterns, and grouping. Inkscape also supports Creative Commons meta-data, node editing, layers, complex path operations, bitmap tracing, text-on-path, flowed text, direct XML editing, and more. It imports formats such as JPEG, PNG, TIFF, and others and exports PNG as well as multiple vector-based formats.
Inkscape's main goal is to create a powerful and convenient drawing tool fully compliant with XML, SVG, and CSS standards.
A number of new features have been added to version 0.43, including:
- A connector tool for drawing auto-routing lines between objects.
- Support for collaborative editing, multiple users can simultaneously edit a diagram.
- Pressure and tilt sensitivity have been added to the calligraphy tool.
- Improvements have been made to the node editing capabilities of the Bezier curve drawing tool.
- New extensions are available for envelope distortion, whirling, and the addition of nodes.
- Precision has been improved and limits have been expanded.
- The SVG compliance is better.
- The documentation has been updated.
- Numerous bug fixes have been incorporated.
The version 0.43
release notes list all of the changes in more detail.
Several of the new capabilities were produced by participants in Google's
Summer of Code program.
Inkscape is easy to learn, fun to use, and well documented.
Some user-contributed
screenshots
show a variety of the images that have been created.
If that's not enough, a list of online
galleries is available.
A sampling of the project's documentation includes the
Inkscape FAQ,
online
user documentation
with manuals and tutorials and the book
A Guide to Inkscape by Tavmjong Bah.
The future of Inkscape is outlined in the
project roadmap. The future point releases leading up
to the 1.0 release have been well defined.
If you have not tried Inkscape yet, it is definitely worth the effort.
The tutorials are well written, they provide a nice jump start on the
learning curve.
Source code and packaged versions of Inkscape 0.43 are available
here.
Comments (6 posted)
System Applications
Clusters and Grids
Simple Grid Protocol version 1.02 has been released, it includes new
features and bug fixes.
"
The Simple Grid Protocol is designed to allow users on a TCP/IP
network or the Internet to run programs on their computer which
utilize the unused CPU resources of other computers on a network
or the Internet."
Full Story (comments: none)
Database Software
Version 2.0 Beta of the Firebird relational database is available
with many new features.
"
This
version of Firebird 2 is an beta version, meant for field testing only
and not for use in production."
Full Story (comments: none)
Version 5.0.16 of the MySQL database has been released.
"
This is a bugfix release for the current production version."
Full Story (comments: none)
The November 20, 2005 edition of the PostgreSQL Weekly News
is online, take a look for new PostgreSQL database resources
and articles.
Full Story (comments: none)
Interoperability
Samba.org
mentions a new series on managing Samba.
"
SearchOpenSource.com is running a series of articles on Managing Samba by the Samba Team's John H. Terpstra. For part one, see Windows network identity basics. Part two is on User rights and privileges. John's goal in writing this series is to:
provide a better understanding of the relationship between Windows networking accounts and their equivalent on the Unix or Linux server that is running Samba."
Comments (none posted)
Web Site Development
Version 1.7.3 of the Midgard web content management system is out.
"
Midgard's 1.7 branch is a major overhaul of the whole Content
Management System. Besides the stable and mature Content Management
features of first generation Midgard, it also ships a preview version
of second generation Midgard capabilities, allowing developers to
have a glimpse at the new day of Midgard2."
Full Story (comments: none)
Christopher H. Laco
works with Handel on O'Reilly.
"
While the CPAN community has solved most of the problems quite nicely with modules like Data::FormValidator, HTML::FillInForm, DateTime, and the various FromForm/QuickForm/FormBuilder modules, I still yearned for a lightweight, straightforward shopping cart module that didn't involve installed an entire CMS or B2B solution. Thus, Handel.
Later I will show you how to get a functional shopping cart up and running using no lines of code. You heard that correctly: no lines of code. Zero. None. Nada."
Comments (none posted)
Desktop Applications
Audio Applications
A new Subversion server for amaroK music player sub-projects
has been announced.
"
Are you an amaroK script developer or are you developing a KDE application that should not be in KDE's Subversion for various reasons? We have the solution. The amaroK project is proud to announce the amaroK Subversion server, a service for amaroK script developers, launched as a thank you gesture to all the supporters who donated to the project during its fundraiser. We hope this will encourage the awesome amaroK community in their extremely valuable amaroK script writing."
Comments (none posted)
Version 0.2.19 of QjackCtl, a GUI control panel for the JACK Audio
Connection Kit, has been released. Changes include build improvements,
bug fixes, and other enhancements.
Full Story (comments: none)
Version 0.9.60 of the Rivendell radio automation system is out
with new capabilities and bug fixes.
Full Story (comments: none)
Desktop Environments
Dropline GNOME 2.12.1
has been announced.
"
We are pleased to announce the release of Dropline GNOME 2.12.1 ported to Slamd64 10.2 Linux (compiled for x86_64 architecture).
An ISO image is available to download through bittorrent, a direct ISO download is also available from a mirror.
This is our first port to x86-64 architecture and as such there may be bugs, please report them to our bug tracking page."
Also,
Freerock GNOME 2.12.1
(for Slackware) is also available.
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
Miguel de Icaza notes the
Mono 1.1.10 release with
a lengthy document on where the Mono project (at least, the part of it housed at Novell) plans to go from here.
Comments (25 posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
Version 4.2.3.2 of the
Xfce
lightweight desktop environment is out:
"
A "micro" release to fix a regression in the window manager settings".
Comments (none posted)
Electronics
Version 0.7.93 of gSpiceUI, a Spice electronic simulation engine,
has been announced.
"
Again this version has some major changes to it. The most obvious are that
the main application frame is now resizable and the addition of a
configuration file.
Be warned, this version hasn't had much testing."
Comments (none posted)
Financial Applications
Version 2.6.3 of
SQL-Ledger, a web-based double
entry accounting package, is available. See the
What's New document for change information.
Comments (none posted)
Games
The WorldForge game project
has announced
the release of Cyphesis 0.5.3.
"
Cyphesis is a small to medium scale server for WorldForge games, with builtin AI. This version includes the demo game Mason which is currently in development. This release is intended for server administrators wishing to run a Mason server and World developers developing new worlds or game systems."
Comments (none posted)
Marcus von Appen explains GUI selection in PyGame with
this tutorial.
"
From time to time questions about GUI elements for pygame come up. The following sections give some links to GUI modules and libraries written for pygame and try - where possible - to give an advice to which library you should refer for your pygame project."
Comments (none posted)
GUI Packages
Version 3.0.9 of
SPTK,
the Simply Powerful Toolkit, is out with new database functionality
and bug fixes.
Comments (none posted)
Medical Applications
Version 0.8.1.1 of FreeMED, an open-source medical record system
has been announced.
"
This release is a bugfix and security release before the
0.8.2 release cycle."
Comments (none posted)
Music Applications
Version 0.3.7 of
GTick, a
metronome application, is out with the following changes:
"
Fixed FreeBSD sound interface, fixed integer size for sound file playback".
Comments (none posted)
PDA Software
A port of the
wxWidgets cross-platform
GUI toolkit to the GPE Palmtop Environment
has been announced.
"
wxGPE is the port of wxWidgets to the GPE Palmtop Environment. GPE is based on X11 and the GTK+ toolkit and runs on some PDAs otherwise running Microsoft PocketPC, such as many HP iPaq devices, Sharp Zarus devices, the Nokia 770 Internet Tablet device, as well as a number of specialized handheld devices and embedded devices. wxGPE is mostly based on wxGTK, the GTK+ port of the wxWidgets C++ GUI library plus a number of adaptions to smaller screen size and other pecularities of GPE."
Comments (none posted)
Web Browsers
Version 1.5 Release Candidate 3 of Mozilla Firefox
is available for testing.
"
Like the earlier release candidates, Mozilla Firefox 1.5 Release
Candidate 3 is intended to allow testers to ensure that there are no
last-minute problems with the Firefox 1.5 code."
Comments (1 posted)
Miscellaneous
KDE.News
mentions a new
article
by Benjamin Meyer on Type Managers, interfaces for specific file types.
"
KDE developer Benjamin Meyer explains the concept of a Type Manager as a new form of specialist file manager application. "In the past few years many of us have been introduced to a new type of application, the Type Manager. There are many Type Managers out there such as digiKam and amaroK that are gaining market share and a rabid fan base of users . Type Managers seem to have that magic combinations of features that makes users love them. I have been taking a closer look at the Type Manager, what makes them so useful, what they really provide for the user and came to some surprising results." He concludes that Type Managers are part of the future of the desktop."
Comments (none posted)
Languages and Tools
Caml
The November 15-22, 2005 edition of the Caml Weekly News is out
with new Caml language discussions.
Full Story (comments: none)
Haskell
The November 9, 2005 edition of the Haskell Communities &
Activities Report is online with the latest news from the Haskell community.
Full Story (comments: none)
Java
The November 13-20, 2005 edition of This week on harmony-dev
covers the latest progress on Harmony, an open-source Java implementation.
"
Much of this weeks discussion was a controversy about a keyword scanning
tool and some legal issues. There where two code contributions this
week: Mikhail Loenko contributed "security, crypto, and x-net libraries"
on behalf of Intel and Zoë Slattery contributed a "perl keyword scanner
and sample files"."
Full Story (comments: none)
Python
A group of python-dev Summaries came out this week, take a look for
the Python discussions for:
September 1-15,
September 16-30,
October 1-15 and
October 16-31.
Comments (none posted)
Ruby
Version 0.1.0 of ruby/audio has been announced.
"
ruby/audio is a library that makes dealing with audio data a little
easier than it has been historically in ruby. It also wraps libsndfile,
which makes reading and writing audio data a LOT easier than it has been
historically in ruby."
Full Story (comments: none)
The November 20th, 2005 edition of the
Ruby Weekly News looks at the latest discussions
from the ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The November 21, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk development news.
Full Story (comments: none)
XML
Leigh Dodds
introduces SPARQL in an O'Reilly tutorial article.
"
This tutorial, the first of a three-part series, introduces SPARQL -- a query language and data access protocol for the Semantic Web. SPARQL is defined in terms of the W3C's RDF data model and will work for any data source that can be mapped into RDF. The specification is under development by the RDF Data Access Working Group (DAWG) and has recently reached Last Call Working Draft."
Comments (none posted)
Debuggers
The first release candidate of the GDB 6.4 debugger is available for testing.
"
There should be no surprise there as I have been doing nightly builds
off the branch since it was created and didn't receive any build
breakage incident."
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Bruce Perens
reports from the UN
World Summit on the Information Society (WSIS) in Tunis, Tunisia.
"
Richard [Stallman] is opposed to RF ID, because of the many privacy
violations that are possible. It's a real problem, and one worth lobbying
about. At the 2003 WSIS in Geneva, there was objection to the RF ID cards
that were used, resulting in a promise that they would not be used in
2005. That promise, it turns out, was not kept. In addition, Richard was
given a hastily-produced ID with a visible RF ID strip. Mine was made on a
longer schedule, it seems, and had an RF ID strip that wasn't visible. I
knew it was there because they clearly had us put our cards to a reader at
the entrance gate."
Comments (52 posted)
BusinessWeek has run
an
article by OSDL chief Stuart Cohen on the use of Linux in mobile
phones. "
But Redmond critics forget sometimes why Microsoft
won. Hardware makers rushed into a market with products that were
compatible with Windows. By building "open systems" on Windows, IBM,
Compaq, and others were able to compete with and beat Apple on the
desktop. Open won over closed. Linux holds the same promise for the mobile
industry, with none of the downside. No single vendor owns Linux, so you
won't hear that horrible sucking sound of all the value flowing to one
monopoly operating-system supplier. What crimped innovation on the desktop
will not happen with mobile phones running Linux."
Comments (none posted)
Companies
eWeek
covers
the sale of Black Hat to CMP Media.
"
Jeff Moss has sold his Black Hat security think tank to technology publisher CMP Media LLC in a deal valued in the range of $14 million.
The deal gives the Manhasset, N.Y.-based CMP Media the assets and intellectual property of Black Hat Inc., one of the most prominent security conferences on the calendar.
The DefCon underground hacker meet-up, which is also owned by Moss, was not included in the deal."
Comments (none posted)
Bruce Schneier
writes about Sony's rootkit in Wired. "
What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home."
Comments (29 posted)
Linux Adoption
Linux Journal continues looking at Linux use in Italian schools, with this
article about the
island of Sardinia. "
Before installing Slackware, the only free
software regularly used in Villacidro ran on Windows. The school ran
Firefox and, on machines with at least 64MB of RAM, OpenOffice.org. In May
of this year, the situation changed completely, thanks to two separate
events."
Comments (none posted)
Legal
Groklaw
follows the OpenDocument Format adoption issue in Massachusetts.
"
Does it get any uglier than what we are witnessing in Massachusetts? Serial killers are worse, I grant you. But watching the politicos in Massachusetts try to kill off OpenDocument Format is surely Top Ten ugly.
Guess what they are now trying? I'll refer you to Andy Updegrove's blog, where he gives us the latest icky chapter. It seems opponents of ODF have come up with a new amendment to a new bill, since they couldn't get S 2256 passed this session, and ODF has become a political football in an old-fashioned power play."
Comments (3 posted)
The folks at Groklaw have already posted
a copy of the state of Texas's complaint against SonyBMG in text format. It charges SonyBMG with violating the state's anti-spyware act, with particular attention to the cloaking aspect of Sony's software. "
Despite Sony BMGs assertions, various news sources have recently reported the spread of newly created viruses which exploit Sony BMGs cloaking technology. As a result, a consumer without knowledge of the installation of the Aries.sys file on their computer may be vulnerable to new security risks, and given the cloaked nature of these files, and the extremely burdensome impediments to removing them, that consumer may find it difficult or impossible to protect themselves from future risks."
Also of interest: this BoingBoing posting suggesting that this episode might just be resulting in the acquisition of some clue by Sony's management.
Comments (10 posted)
Interviews
KDE.News
mentions
the latest
interview in the
People Behind KDE series.
"
This man maintains KDE's text editor Kate and the associated KTextEditor
interface. He also keeps three cats and disappears from his girlfriend for a
week each year in the name of KDE. The star of tonight's People Behind KDE
interview is Christoph Cullmann."
Comments (none posted)
Resources
Linux.com
shows how to
create mirror directories with Mirdir. "
Mirdir is licensed under
the GPL. You can download your choice of an executable RPM, source RPM, or
a source tarball. To install it on my SUSE 10 desktop box, I chose the
executable RPM, used su to install as root, and entered rpm -Uvh
mirdir-2.1-1.i386.rpm. On my Ubuntu Breezy machine, I decompressed the
tarball, entered the Mirdir subdirectory, ran ./configure and make."
Comments (17 posted)
Here's an O'Reilly
book
excerpt on Python hacks for the Nokia Smartphone. "
The current
Nokia phones do not come with the Python runtime environment
preinstalled. You have to download and install Python yourself. You can
download the Python for Series 60 package from the Forum Nokia web site
under the Series 60 Platform --> Tools and SDKs category. The download
package is a zip file with the .sis installation files, documentation, and
example code. Make sure you read the Getting Started document in the
download bundle to choose the correct .sis file for your phone."
Comments (2 posted)
Linux Devices is
hosting 16
papers on real-time and embedded Linux. "
LinuxDevices.com is
pleased to publish the proceedings from the Seventh Real-Time Linux
Workshop held in Lille, France, November 3-4, 2005, at the University for
Science and Technology of Lille (USTL). The papers span a broad range of
topics, ranging from fundamental real-time technologies to applications,
hardware, and tools. "
Comments (2 posted)
Chris Adamson
queries a number of bloggers and prominent developers about the
viability of Ruby as a successor to Java.
"
Bruce Tate's Beyond Java argues that Java's reign as the top enterprise development language must eventually come to an end and that, for the first time in a decade, major enterprise innovation is occurring outside of the Java realm. In the book, he looks at the unique traits that has allowed to Java to achieve its unprecedented level of success, and then considers what new languages would have to do and be to succeed Java.
Later chapters look at specific languages contending in this space, and clearly favors Ruby as the front-runner."
Comments (none posted)
Jeremy Jones
writes
about installing Ubuntu Linux on a Dell Inspiron laptop, on
O'ReillyNet. "
When I received the laptop, Hoary was the current
version of Ubuntu. I have since upgraded to Breezy. I popped in the Ubuntu
Hoary install CD (disk 1 of 1) and powered on the machine. Of course, I had
to set the BIOS to boot from CD. The installer came up and started asking
me questions."
Comments (5 posted)
Reviews
Linux Journal
looks
at the Free Software Foundation - India. "
Some of the Free
Software Foundation India's (FSF-India) accomplishments include helping to
fight patent threats in the country and promoting the use of free software
in schools, government and other cultural institutions. In mid-2005,
FSF-India put together an ambitious four-nation meeting in Kerala, India,
which featured representatives from Venezuela, Brazil, Italy and
India."
Comments (3 posted)
Groklaw
takes a
look at an online patent course. "
Dr. Robert Rines, who has been
inducted into the National Inventors Hall of Fame, taught the class from
his book, Create or Perish, and the book is available, by chapters as
PDFs. The course homepage has a graphic showing Thomas Edison's 1879 patent
application for an "Improvement in Electric Lights." The final chapter is
interesting, because he talks about some of the problems with the patent
system, but you know about all that already. What is probably the most
valuable chapter for us to read is the one on how patent law works, chapter
3. It explains what can and can't be patented. They keep stretching
that line, of course."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation (EFF) is going to court in North
Carolina to prevent Diebold Election Systems, Inc. from evading North
Carolina law. "
EFF, with the assistance from the North Carolina law
firm of Twiggs, Beskind, Strickland & Rabenau, P.A., intervened in the case
on behalf of McCloy, the founder of the North Carolina Coalition for
Verified Voting. In a brief filed Wednesday, EFF argued that Diebold had
failed to show why it was unable to meet various new election law
provisions requiring source code escrow and identification of programmers.
North Carolina experienced one of the most serious malfunctions of e-voting
systems in the 2004 presidential election when over 4,500 ballots were lost
in a voting system provided by Diebold competitor UniLect Corp."
Full Story (comments: 7)
The Electronic Frontier Foundation (EFF), along with two class action law
firms, has filed a lawsuit against Sony BMG, demanding that the company
repair the damage done by the First4Internet XCP and SunnComm MediaMax
software it included on over 24 million music CDs. Click below for the
EFFs press release. For information on other suits against Sony see
sonysuit.com.
Full Story (comments: 21)
GnomeDesktop.org
has announced
the opening of the questioning phase of the GNOME Foundation election.
"
Before the voting starts, a debate will happen. We usually send
questions to the candidates to launch the debate. If you want to see some
discussion about what is important to you, here's your chance to make it
happen!"
Comments (none posted)
Even the Gartner Group has put out
a pronouncement on the SonyBMG debacle. "
After more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs. Gartner believes that it will never achieve this goal as long as CDs must be playable by stand-alone CD players. The industry may now refocus its attention on seeking legislation requiring the PC industry to include DRM technology in its products. Gartner believes the industry would be better-served by efforts to develop solutions that use DRM as an accounting/tracking tool, rather than as a lock. This approach would enable them to move to play-based business models not tied to hardware, and to track their digital assets without complicating users' ability to move legitimately acquired content to whatever devices they choose."
Comments (54 posted)
Commercial announcements
Bytware Inc. has announced a new anti-virus solution for Linux.
"
StandGuard Anti-Virus for Linux brings the industry-leading power of
McAfee's scanning engine and the ease-of-use of the award-winning StandGuard
Anti-Virus to Linux running on x86-based PCs. StandGuard Anti-Virus for
Linux (x86-based PCs) allows users to detect and clean the full 150,000+
threats identified by McAfee's AVERT, a huge improvement over the 40,000
viruses that some Linux solutions promise to detect."
Full Story (comments: 4)
Cluster File Systems, Inc. has
announced the free availability of their Lustre file system V1.4.5.
"
Cluster File Systems(TM), Inc.
(CFS), the leader in high-performance parallel file systems, this week
released the latest update to the open source Lustre(TM) file system. Lustre
version 1.4.5, available to CFS customers since August 2005, is now available
to the general public at no cost."
Comments (1 posted)
Macromedia
has released their Flash Media Server 2, according to an article on
Publish.com.
"
Flash Media Server 2 is a foundation for delivering both recorded and live Flash video in large-scale deployments such as video on demand, live Web broadcasts, MP3 streaming, video blogging and video/audio chat applications, the company added.
"Flash allows a publisher complete creative control over a piece of work," Chris Hock, Macromedia's director of product management for Flash video, told Ziff Davis Internet. "Because Flash just works across all platformsWindows, Linux, Mac, all of themthey can just QA it once and know it'll look good everywhere it's used.""
Comments (none posted)
Novell, Inc. has
announced
that Dr. Jeffrey Jaffe has been appointed executive vice president and
chief technology officer for Novell. "
Dr. Jaffe, 51, brings
unparalleled technology and business experience from over 25 years at IBM
and Lucent Technologies. He will be responsible for Novell's technology
direction, as well as leading Novell's product business units. He will
report to Ron Hovsepian, president and chief operating officer,
Novell."
Comments (1 posted)
QNX Software Systems has
announced a set of development objectives for their CDT code base.
"
QNX Software Systems, the
company leading the C/C++ Development Tools (CDT) project on behalf of the
Eclipse Foundation, today announced the development objectives set by the
contributing members at the CDT Contributors Summit held last month.
The CDT team agreed upon several priorities for the next release of the
CDT code base, including improved build management and debugging. A new
indexer, called the Persisted Document Object Model (PDOM), will also be
developed to improve system performance."
Comments (none posted)
Sun Microsystems, Inc. has
announced that it will be distributing, integrating and supporting
(but not correctly spelling) the PostgreSQL database in Solaris 10.
"
Today Sun announced that it will be integrating the Postgres open source
data base into the Solaris 10 OS and providing world-wide 24x7 support for
customers who wish to develop and deploy open source database solutions into
their enterprise environments. Sun is working with the PostgresSQL community
to take advantage of the advanced technologies in the Solaris 10 OS, such as
Predictive Self-Healing, Solaris Containers and Solaris Dynamic Tracing
(DTrace)."
Comments (16 posted)
New Books
Syngress has published the book
Phishing Exposed by Lance
James.
Full Story (comments: none)
O'Reilly has published the book
Essential PHP Security
by Chris Shiflett.
Full Story (comments: none)
O'Reilly has published the book
Podcasting Pocket Guide by Kirk McElhearn, Richard Giles and Jack D. Herrington.
Full Story (comments: none)
Sams Publishing has published the book
SUSE Linux 10 by Mike McCallister.
Full Story (comments: none)
O'Reilly has published the book
Twisted Network Programming Essentials by Abe Fettig.
Full Story (comments: none)
Signate has published the book
VoIP Telephony with Asterisk,
second edition by Paul Mahler.
Full Story (comments: none)
Resources
The Electronic Frontier Foundation has announced a new
guide to student blogging.
"
Just what are students allowed to publish about their
school, their teachers, and their classmates? The
Electronic Frontier Foundation (EFF) released a guide to
student blogging Friday to help kids learn about their
rights and how to defend them. These are important issues
for millions of students: a study this month by the Pew
Internet & American Life Project says approximately 4
million teens keep a blog."
Full Story (comments: none)
A new
Wireless HotSpot HowTo is available.
"
Yunus Bookwala has published a tutorial dealing with setting up a WLAN
HotSpot on a Linksys WRT54GS router using OpenWrt, ChilliSpot, and
FreeRadius."
Full Story (comments: none)
Contests and Awards
BitMover, the company behind BitKeeper, has
announced an "open source awards program." The first recipient is Joe English, for his work on the
Tile project.
Comments (13 posted)
A new GIMP splash screen contest
has been announced.
"
It is GIMP's Tenth Anniversary and close enough to the time for the 2.2.10 release of stable GIMP making it a very good time for a splash contest. This contest is very simple. We are collecting images with tutorials and when it is all done, the GIMP's Lead Developers will pick the one they find most appropriate."
Comments (none posted)
PathScale, Inc. has
announced the winning of three HPCwire 2005 awards for its EKOPath Compiler Suite.
"
The PathScale EKOPath Compiler Suite won the Editors' Choice
award for the "Most Significant New HPC Software Product for 2005," and both
the Readers' and Editors' Choice Awards for the software product with the
"Best Software Price Performance.""
Comments (none posted)
Education and Certification
The Linux Professional Institute has announced that it has now given over
100,000 Linux certification examinations. That is double the total from
one year ago.
Full Story (comments: 2)
Event Reports
O'Reilly presents a wrap-up of the First Annual O'Reilly European Open
Source Convention.
"
Nearly 500 developers, programmers, hackers, and systems and network
administrators attended tutorials, sessions, on-stage discussions,
informal events, and hallway conversations focusing on almost every
aspects of the open source platform."
Full Story (comments: none)
Upcoming Events
The next openlab openday will be held on December 11, 2005 in
London, England.
"
In the past year, openlab has been a self sufficient project driven by
like minded people to promote and demonstrate the use of open source free
software in the context of real-time audio/visual performance practice.
We have organized live performances, workshops, a radio show and various
other activities. Of course, we also enjoyed our meetings and drinking
beers;)"
Full Story (comments: none)
ShmooCon 2006 will be held in Washington, D.C. on January 13-15.
Event tracks include Break It!, Build It! and Bof It!.
Full Story (comments: none)
A SNORT video conference has been announced by the folks
at Irvine Underground.
"
We will be having a Video Conference with SNORT Lead Developer, Marc
Norton at our next meeting in Irvine, CA on December 9th."
Snort is an open-source network
intrusion prevention and detection system.
Full Story (comments: none)
| Date | Event | Location |
| November 23, 2005 | 5tas Jornadas
Regionales de Software Libre | Rosario, Santa Fe, Argentina |
| November 29 - December 2, 2005 | FOSS.IN/2005 | (Bangalore Palace)Bangalore, India |
| December 4 - 9, 2005 | Large Installation
System Administration Conf.(LISA) | San Diego, CA |
| December 5 - 7, 2005 | Open Source Developers'
Conference(OSDC) | (Monash University's Caulfield campus)Melbourne, Australia |
| December 10 - 14, 2005 | ApacheCon 2005 | (Sheraton San
Diego Hotel and Marina)San Diego, CA |
| December 27 - 30, 2005 | 22nd Chaos
Communication Congress | Berlin, Germany |
| January 13 - 15, 2006 | ShmooCon
2006 | (Wardman Park Marriott Hotel)Washington, D.C. |
Comments (none posted)
Web sites
LinuxMedNews has
an announcement for the new
ganfydd site.
"
ganfydd is a qualified medical reference wiki established in the UK. It uses
the Mediawiki software and has a variant Creative Commons content licence."
Comments (none posted)
Page editor: Forrest Cook