Various discussions on the problems associated with binary-only kernel
modules have turned, sooner or later, to the same idea: the world needs a
database of hardware which "just works" with Linux. With this database,
consumers (that's us) could look up potential hardware purchases and know,
immediately, whether it would function with our Linux systems or not.
Vendors would eventually see the value of being listed in this database
and, as a result, have a greater motivation to ensure that their hardware
is supported.
It's a nice idea, but not a particularly new one. Your editor has seen a
fair number of these databases come and go over the last ten years.
Starting a "just works" database is easy, but keeping it current and
relevant is hard, for a number of reasons:
- The variety of hardware out there is huge. Simply testing and
creating entries for a meaningful subset of the available gadgets is a
major task.
- Vendors feel free to change the internal makeup of their gadgets
without telling anybody - or changing the model number. The changes
in the LinkSys WRT54G router are a recent example. This behavior
complicates the database (which must now have information on telling
working hardware from paperweights) - and its maintenance.
- Nobody can actually have all that hardware around, so information must
come from a wide community. Most of us only buy hardware
sporadically, so we tend to have little motivation to help with the
ongoing maintenance of a hardware database. Some of the information
which is contributed may also be of dubious reliability.
- Companies which might help with the maintenance of such a database
have their own incentives to deal with. Red Hat maintains a hardware
list, for example, but it (1) is small, and (2) talks
about RHEL, not about Linux in general. The company once known as
Linuxcare had the proper motivation to maintain a good list, but,
well, Linuxcare didn't weather the dotcom bust very well.
- Weird factors come into play. The BlueZ project used to have a very
nice list of working hardware, but that list
was pulled down as a result of objections from the "Bluetooth
Qualification Administrator."
Any future attempt to build a Linux hardware compatibility database will
have to find a way to overcome the problems listed above. The task is not
impossible, but it may well be beyond what a volunteer project can sustain.
It looks, instead, like the kind of work which can be helped by the
addition of a stream of money. Perhaps an industry group (OSDL, say) would
like to serve the community by taking this task on.
Meanwhile, your editor notes with dismay an increase in the number of
Linux-installed hardware vendors who are shipping systems with proprietary
drivers. Once upon a time, the purchase of a system with Linux
pre-installed was worth the extra cost just because the running Linux
instance was a positive proof that the hardware was, indeed, supported.
When these vendors ship non-free "Linux" systems, they violate that
guarantee - and destroy much of the value of their product. Unfortunately,
"buyer beware" remains necessary advice for those buying hardware to work
with Linux.
Comments (57 posted)
GStreamer is an extensive
support library for the creation of multimedia applications. Audio and
video applications can be constructed as a series of pipelines; there are
graphical tools which can be used to help put all of the pieces together in
the right order. GStreamer has been used as the back end for a number of
common applications, including Totem, Amarok, Banshee, and many others.
The project recently celebrated the release of
GStreamer 0.10,
which improves the system in a number of ways.
According to GStreamer hacker Christian Schaller, future releases of
GStreamer may contain a feature which is less welcome to many: digital restrictions
management (DRM) support. There are, says Mr. Schaller, clear
reasons why one might want to support DRM-enabled GStreamer modules:
Because they give you access to playback things you wouldn't
otherwise. Many music stores only offer DRM'ed WMA files for
download, and without a system supporting Windows DRM these files
are useless on your Linux system. DRM also includes stuff such as
the protection mechanism on the upcoming high-definition DVD's.
It appears that any DRM features would be packaged into separate modules,
making it easy to install a DRM-free GStreamer in the future.
Distributions could put the DRM modules into a separate package - or leave
them out entirely. So, it is claimed, the implementation of DRM in
GStreamer would not place any restrictions on current or future uses of the
system.
Some skepticism on this claim would appear to be warranted. Any DRM module
which is to gain the trust of the entertainment industry (much less avoid
DMCA suits) will have to prevent the user from capturing an unencrypted
stream. To that end, GStreamer will have to be able to create "secure
pipelines"; DRM modules will then refuse to connect to modules which cannot
be "trusted" with protected content. If GStreamer is to retain its current
power and flexibility, many of its standard modules - and certainly those
concerned with the actual playing and display of media - will have to be
reworked to participate in secure pipelines. Either that, or significant
parts of GStreamer will have to be duplicated in a "secure" mode. It
is hard to see how the entire GStreamer pipeline could be made to be secure
without affecting people who have no interest in DRM-enabled content.
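As an added illustration of the argument above (example code written for this page, not GStreamer code): a toy pipeline model in which elements carry a hypothetical "may handle protected content" attestation. Walking the chain from a DRM decrypt element shows that every element downstream of it sees cleartext and would therefore need the attestation, which is why a secure-pipeline policy cannot be confined to the DRM module itself. Element names (`filesrc`, `drmdecrypt`, `demux`, `audiodecode`, `audiosink`) are illustrative, not real plugin names.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Element:
    """One stage of a media pipeline. `trusted` stands for a hypothetical
    attestation that the element may handle decrypted protected content."""
    name: str
    trusted: bool = False
    downstream: Optional["Element"] = None

    def link(self, nxt: "Element") -> "Element":
        self.downstream = nxt
        return nxt          # allows src.link(a).link(b) chaining


def chain(head: Element) -> List[Element]:
    """Walk the linked elements from the source to the sink."""
    out, cur = [], head
    while cur is not None:
        out.append(cur)
        cur = cur.downstream
    return out


def untrusted_after(head: Element, decryptor: str) -> List[str]:
    """Names of elements downstream of the DRM element that carry no trust
    attestation. Each of them would receive cleartext, so a secure-pipeline
    policy would have to refuse the link at the first one."""
    passed_decryptor = False
    exposed = []
    for el in chain(head):
        if el.name == decryptor:
            passed_decryptor = True
            continue
        if passed_decryptor and not el.trusted:
            exposed.append(el.name)
    return exposed


def secure_pipeline_accepts(head: Element, decryptor: str) -> bool:
    return not untrusted_after(head, decryptor)


def build_demo(rework_stock_elements: bool) -> Element:
    """Constructed chain: file source -> DRM decrypt -> demux -> decode -> sink.
    With rework_stock_elements=False the ordinary elements are as they ship
    today; with True they have been reworked to carry the attestation."""
    src = Element("filesrc")
    drm = Element("drmdecrypt", trusted=True)   # hypothetical DRM module
    demux = Element("demux", trusted=rework_stock_elements)
    dec = Element("audiodecode", trusted=rework_stock_elements)
    sink = Element("audiosink", trusted=rework_stock_elements)
    src.link(drm).link(demux).link(dec).link(sink)
    return src


if __name__ == "__main__":
    stock = build_demo(rework_stock_elements=False)
    print("stock elements that would need rework:",
          untrusted_after(stock, "drmdecrypt"))
```

The result for the stock chain lists every element after the decryptor; only the fully reworked chain is accepted, which is the duplication-or-rework cost the paragraph describes.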
There is also the obvious question of how DRM can be done securely in an
environment where source is available. Mr. Schaller points at Sun's "Opera" project as a
possible example of how things could be done, and notes:
There might be some ramifications of being free software which will
make the resulting system have conditions for use that makes it
painful, like a requirement for being online when playing back as
an example, but it's definitely not impossible.
Still, anybody who can hack on the source can obtain an unencrypted stream
from a GStreamer DRM module. So it seems clear that such modules are
expected to be shipped in a binary-only mode. Even then, though, one
should remember that the Linux kernel is free software too. So even if the
GStreamer pipeline is entirely secure and uncrackable, a quick kernel hack
will still make the capturing of unrestricted streams easy. That suggests,
in turn, that the people looking to put DRM code into GStreamer envision
operating in environments where users cannot install their own kernels.
The TPM chips being put into an increasing number of computers may make
that kind of restriction possible, but the real target is probably
elsewhere: embedded systems.
The use of GStreamer to make non-hackable, Linux-based media gadgets will
be nothing new; various companies are creating such devices now. But the
incorporation of DRM capabilities into our free system seems like a step in
the wrong direction. Features like secure pipelines represent a loss of
control over our own systems - the very control that drives many of us to
use free software in the first place. So users and distributors may want
to think long and hard before allowing DRM-enabled GStreamer near their
systems.
Comments (62 posted)
Heated battles between supporters of the GNOME and KDE desktops are a
longstanding tradition in the free software world. This tradition has
somewhat fallen into neglect in recent years; the relicensing of the Qt
libraries took away the most readily available flame fuel. Still, one
needs to have a good desktop fight every now and then, if just for old
times' sake. It's traditional, after all.
The end of the year is approaching, and work is slowing down on a number of
fronts. The 2.6.15 kernel is well into the stabilization phase, so there
is relatively little work to be done on that front. As a result, it seems
that Linus Torvalds had a bit of spare time to engage in a nostalgic flame
exercise. In response to a question on printer configuration dialogs,
Linus made
his desktop preference clear:
I personally just encourage people to switch to KDE.
This "users are idiots, and are confused by functionality"
mentality of Gnome is a disease. If you think your users are
idiots, only idiots will use it. I don't use Gnome, because in
striving to be simple, it has long since reached the point where it
simply doesn't do what I need it to do.
Those who are interested in the discussion that resulted can read the
full thread. Some of it contains language which is not necessarily
work- or family-safe.
GNOME developers often complain that their approach to user interface
design is misunderstood. But the fact is that they have, indeed, left
behind a certain subset of their user base which has grown tired of seeing
features and options disappear in the name of usability. The low point for
the de-featuring of GNOME applications was probably early in the 2.x
series, but the fact remains: GNOME does not allow things which certain
types of users want to do.
This gap is there explicitly by design; Jeff Waugh put
it this way:
We're not aiming for "powerfully extensible". We're aiming for
"Just Works". Some people will hate that. Some will love
it. Personally, I'd rather have passionate users, lovers and
haters, than be average and ignored, and I think you'll find
most GNOME developers feel the same way.
Havoc Pennington also compared
the implementation of one often-requested feature (the ability to
arbitrarily rebind mouse buttons in Metacity) to selling maternity clothes
for men. One can only assume he is not implying that people who want to
rebind buttons are, in fact, pot-bellied transvestites.
Havoc notes that he has never encountered anybody wanting to rebind
mouse buttons who was not a "historical Unix user." Whether that is
because these "historical Unix users" are, in addition to possessing
questionable taste in clothing, just unusually fussy about mouse buttons,
or whether the rest of the user base simply is not used to the idea that
this sort of behavior can be changed is not clear. What is clear is that
the GNOME project has chosen to target the subset of users who are content
to have a number of user interface choices made for them as long as the
result "just works."
Flaming the GNOME developers for this decision is a mistake. There is
clearly a user base for the GNOME desktop, and who can say that it is wrong
for the GNOME developers to create a system which works for those users?
Over time, these developers may also figure out how to support both the
"just works" crowd and the small minority of dress-wearing Unix relics;
there is some evidence that this might be happening. In the mean time, the
"just works" users may become hooked on the free software experience, and,
eventually, discover the power of being able to optimize the desktop for
their own needs and workload.
But, even if GNOME truly becomes the "desktop for idiots," there are other
desktop alternatives out there, including (but not limited to) KDE. One
might well ask why we should have multiple desktop projects if their end
products are indistinguishable. Let them, instead, choose their user bases
and provide those users with the best desktop they can. If the desktops
diverge from each other, the result will be more choice for users - and
plenty of material to feed our GNOME/KDE flame war tradition well into the
future.
Comments (225 posted)
Page editor: Jonathan Corbet
Security
A recent IT-Director article discussed some of the reasons why small
businesses (in the author's opinion) might not want to make the jump to free
software. One of them was the following:
Technical support will involve participating in internet forums,
asking people of unknown capability for help with any problems and
trusting that what comes back is a real fix, not some means of a
malicious person gaining access to the user's system. This
haphazard way of supporting IT is unattractive, especially for
smaller businesses with limited in-house expertise.
The article goes on to say that businesses respond to this problem by
purchasing support from distributors. Paid support plans are a fine
alternative in many situations, but people who have spent much time
performing system administration have usually learned that, often, answers
from the net can be quicker and more clueful than those from the paid
providers. So the idea that community support could be used as a way to
attack a system is disconcerting.
At first, it also seems rather unlikely. One wonders where this concern
came from, given that there may not be a single case of a system having
been compromised by way of "help" provided through a community forum. As a
business sizes up the threats to its systems, malicious advice from the net
should probably appear fairly low on the list.
That said, this possibility may be worth a little thought. The phishing
problem shows that there is no shortage of people out there with an
interest in social engineering attacks. Provision of bogus advice would
not scale in the way mass phishing attacks do, but it might also fall on
more fertile ground. A system administrator with a broken system,
disgruntled users, and a pointy-haired boss breathing down his or her neck
might be inclined to follow seemingly helpful advice from the net without
thinking about it much first. In a world where software installation
instructions begin with "turn off your antivirus software," any of a number
of ill-advised suggestions might seem entirely reasonable.
So, sooner or later, some joker will probably attempt this sort of attack.
For those who are especially concerned about this possibility, here's a few
possible defenses:
- When asking for help on the net, consider using a non-work email
address. Requests from admin@big-defense-contractor.com may be more
likely to attract suspicious replies. It can only help to keep
potential attackers from knowing where the relevant systems are
located.
- Be highly suspicious of any replies which are not copied back to the
list where the question was originally asked. Hostile advice posted
to a public list will likely be spotted quickly, but there is no
public review of private mail.
- Make a point of understanding any suggested remedies before trying
them.
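The second defense above can be applied mechanically to a reply before anyone reads the advice in it. As an added example (not from the article), the function below parses a reply with Python's `email` module and flags it for scrutiny when the list address is absent from To/Cc or when the reply does not reference the original question's Message-ID. The list address, senders and message IDs are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, Optional

LIST_ADDRESS = "help@example-list.invalid"   # constructed list address


def assess_reply(raw: str, list_address: str = LIST_ADDRESS,
                 original_msgid: Optional[str] = None) -> Dict[str, object]:
    """Flag a reply for scrutiny if it was not copied back to the list or does
    not reference the question it claims to answer."""
    msg = message_from_string(raw)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(header_values)}
    copied_to_list = list_address.lower() in recipients
    # In-Reply-To / References tie the reply to the thread the question started
    threading = f"{msg.get('In-Reply-To', '')} {msg.get('References', '')}"
    in_thread = original_msgid is None or original_msgid in threading
    return {
        "from": msg.get("From", ""),
        "copied_to_list": copied_to_list,
        "in_thread": in_thread,
        "needs_scrutiny": not (copied_to_list and in_thread),
    }


# Constructed messages: one public reply, one that arrived off-list
PUBLIC_REPLY = """\
From: helper@example.invalid
To: admin@example.invalid
Cc: help@example-list.invalid
In-Reply-To: <question-1@example.invalid>
Subject: Re: sshd refuses connections after upgrade

Compare the new sshd_config against the package default first.
"""

OFF_LIST_REPLY = """\
From: friendly@example.invalid
To: admin@example.invalid
Subject: Re: sshd refuses connections after upgrade

Run the attached script, it fixes this in one go.
"""

if __name__ == "__main__":
    for label, raw in (("public", PUBLIC_REPLY), ("off-list", OFF_LIST_REPLY)):
        print(label, assess_reply(raw, original_msgid="<question-1@example.invalid>"))
```

The check is deliberately coarse: it does not judge the advice, only whether it arrived through a channel where other people could see and correct it.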
The above is all entirely obvious stuff, but it should be sufficient to
defend against most social engineering attacks disguised as responses to
requests for help. As is the case in many areas of security, a bit of
common sense goes a long way.
Comments (14 posted)
New vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
courier: unauthorized access
| Package(s): | courier |
| CVE #(s): | CVE-2005-3532 |
| Created: | December 8, 2005 |
| Updated: | December 14, 2005 |
| Description: | The Courier mail server's courier-authdaemon can grant access to deactivated accounts, allowing for unauthorized access to information. |
| Alerts: | |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: | |
Comments (none posted)
ethereal: buffer overflow
| Package(s): | ethereal |
| CVE #(s): | CVE-2005-3651 |
| Created: | December 13, 2005 |
| Updated: | January 4, 2006 |
| Description: | A buffer overflow has been discovered in ethereal, a commonly used network traffic analyzer, that causes a denial of service and may potentially allow the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
kernel: key rebinding
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3257 |
| Created: | December 14, 2005 |
| Updated: | January 4, 2006 |
| Description: | Linux kernels through 2.6.14 allow any user to rebind console keys; this opening can be exploited to inject commands when other users are logged in. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2005-4079, CVE-2005-3665 |
| Created: | December 12, 2005 |
| Updated: | November 20, 2006 |
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). |
| Alerts: | |
Comments (none posted)
poppler: arbitrary code execution
| Package(s): | poppler |
| CVE #(s): | CVE-2005-3191, CAN-2005-3193 |
| Created: | December 8, 2005 |
| Updated: | January 16, 2006 |
| Description: | The poppler PDF rendering library has a heap overflow vulnerability that can be exploited by viewing specially crafted PDF files. An attacker can cause a crash or the execution of arbitrary code. This vulnerability is related to a similar vulnerability with xpdf. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
apache2: memory leak
| Package(s): | apache2 |
| CVE #(s): | CVE-2005-2970 |
| Created: | December 6, 2005 |
| Updated: | December 19, 2005 |
| Description: | A memory leak was found in the Apache 2 'worker' module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, which eventually leads to a Denial of Service. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed: bzip2 changes the output file's permissions by name after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
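The race in the bzip2 entry above comes from changing permissions by file name after the output has been closed; the usual fix is to keep the descriptor and use fchmod() on it. The following is an added example written for this page, not bzip2's code: both orderings are run with the output name deliberately re-pointed (via a hard link) to an unrelated 0o600 file during the window, which stands in for the other process in the race, and the unrelated file's final mode is returned. Paths and contents are constructed inside a temporary directory.

```python
import os
import stat
import tempfile
from typing import Callable, Optional


def write_then_chmod_by_name(path: str, data: bytes, mode: int,
                             in_window: Optional[Callable[[], None]] = None) -> None:
    """Vulnerable ordering: write the output, close it, then chmod() the *name*.
    Between close and chmod the name can be made to refer to another file."""
    with open(path, "wb") as f:
        f.write(data)
    if in_window:
        in_window()          # stands in for another process acting in the race window
    os.chmod(path, mode)     # resolves the name again: whatever it now names gets the mode


def write_then_fchmod(path: str, data: bytes, mode: int,
                      in_window: Optional[Callable[[], None]] = None) -> None:
    """Fixed ordering: create exclusively, keep the descriptor, fchmod() it.
    The mode change is bound to the inode we created, not to the name."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        if in_window:
            in_window()
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def mode_of(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def race_outcome(use_fchmod: bool) -> int:
    """Run one variant with the output name swapped, during the window, for a
    hard link to an unrelated 0o600 file; return that file's final mode."""
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "archive.out")
        other = os.path.join(d, "unrelated")
        with open(other, "wb") as f:
            f.write(b"keep private")
        os.chmod(other, 0o600)

        def swap_name() -> None:
            os.unlink(out)
            os.link(other, out)     # the output name now refers to the unrelated file

        writer = write_then_fchmod if use_fchmod else write_then_chmod_by_name
        writer(out, b"decompressed data", 0o644, in_window=swap_name)
        return mode_of(other)


if __name__ == "__main__":
    print("chmod by name: unrelated file ends as %o" % race_outcome(False))
    print("fchmod on fd:  unrelated file ends as %o" % race_outcome(True))
```

With chmod-by-name the unrelated file ends up 0o644; with fchmod it stays 0o600, because the mode change lands on the inode that was actually written regardless of what the name points to afterwards.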
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio extracts to the path specified in the cpio file, and this path can be absolute. |
| Alerts: | |
Comments (1 posted)
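The cpio entry describes an extractor honouring whatever path an archive member names. As an added example (written for this page, not cpio's code), here is the check an extractor needs before writing a member: absolute names are refused outright, the name is normalised, anything resolving to `..` is refused, and the resolved target is confirmed to lie under the extraction directory. The member names and the extraction directory are constructed; the function goes a little beyond the entry by also catching `..` components hidden in the middle of a path.

```python
import os
import posixpath
from typing import Iterable, List, Tuple


def safe_extract_target(member_name: str, dest_dir: str) -> str:
    """Return the absolute path under dest_dir at which member_name may be
    written, or raise ValueError if honouring the name would leave dest_dir."""
    if member_name.startswith("/"):
        raise ValueError(f"absolute member path rejected: {member_name!r}")
    # Collapse "./", "//" and "a/../b" before inspecting the result.
    norm = posixpath.normpath(member_name)
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"member escapes extraction directory: {member_name!r}")
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    # realpath also follows symlinks already present under dest_dir, so a
    # previously extracted link cannot redirect a later member outside it.
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"member escapes extraction directory: {member_name!r}")
    return target


def classify(members: Iterable[str],
             dest_dir: str = "./unpack-demo") -> Tuple[List[str], List[str]]:
    """Split member names into those an extractor may write and those it must refuse."""
    accepted, rejected = [], []
    for m in members:
        try:
            safe_extract_target(m, dest_dir)
            accepted.append(m)
        except ValueError:
            rejected.append(m)
    return accepted, rejected


# Constructed member names of the kind an archive might carry
SAMPLE_MEMBERS = [
    "etc/motd",
    "./bin/tool",
    "docs/../README",
    "/etc/passwd",
    "../../.bashrc",
    "a/b/../../../x",
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```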
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
egroupware: multiple vulnerabilities
| Package(s): | egroupware |
| CVE #(s): | CVE-2005-0870, CVE-2005-2600, CVE-2005-3347, CVE-2005-3348 |
| Created: | November 17, 2005 |
| Updated: | December 9, 2005 |
| Description: | A number of vulnerabilities have been found in egroupware, a web-based groupware suite. Phpsysinfo has several cross-site scripting vulnerabilities, the tree view of FUD Forum Bulletin Board Software has a cross-site scripting problem, phpsysinfo has a local variable overwrite problem, and phpsysinfo has an input sanitizing issue. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enigmail: information disclosure
| Package(s): | enigmail |
| CVE #(s): | CVE-2005-3256 |
| Created: | October 20, 2005 |
| Updated: | December 13, 2005 |
| Description: | The key selection dialog from the Mozilla Thunderbird enigmail plugin has an information disclosure vulnerability. A key with an empty user id from a user's keyring will be used by default, allowing a message to be decrypted. This can lead to an unauthorized information disclosure. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FUSE: mtab corruption through fusermount
| Package(s): | fuse |
| CVE #(s): | CVE-2005-3531 |
| Created: | November 22, 2005 |
| Updated: | January 24, 2006 |
| Description: | Thomas Biege discovered that fusermount fails to securely handle special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
| Alerts: | |
Comments (none posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CVE-2005-3186, CVE-2005-2976, CVE-2005-2975 |
| Created: | November 15, 2005 |
| Updated: | March 20, 2006 |
| Description: | The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
| Alerts: | |
Comments (1 posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
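The zgrep entry above, like the a2ps and enscript entries earlier in this list, is about a helper that splices a file name into text handed to the shell. As an added example written for this page (none of the three projects' code), the functions below run the same command three ways so the difference is visible: interpolated into a shell string, as a plain argument vector with no shell, and interpolated after `shlex.quote`. The sample name only contains a space, which the shell splits into two words; the `|` and `&` from the advisory would be parsed as operators by exactly the same mechanism.

```python
import shlex
import subprocess


def via_shell_string(filename: str) -> str:
    """Pattern the advisories describe: the name is spliced into shell text,
    so the shell parses it (word splitting here; '|' or '&' would become
    operators). Returns what printf saw, one bracketed item per argument."""
    cmd = f"printf '[%s]' {filename}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def via_argv(filename: str) -> str:
    """No shell at all: the name is a single argv element however it is spelled."""
    return subprocess.run(["printf", "[%s]", filename],
                          capture_output=True, text=True).stdout


def via_quoted_shell(filename: str) -> str:
    """If a shell really is unavoidable, quote every interpolated word so the
    name survives as one literal argument."""
    cmd = f"printf '[%s]' {shlex.quote(filename)}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


# Constructed file name that the shell splits into two words
SAMPLE_NAME = "quarterly report.txt"

if __name__ == "__main__":
    print("shell string :", via_shell_string(SAMPLE_NAME))
    print("argv         :", via_argv(SAMPLE_NAME))
    print("quoted shell :", via_quoted_shell(SAMPLE_NAME))
```

Requires a POSIX `sh` and an external `printf`; the argument-vector form is the one to prefer, since it removes the shell from the path entirely rather than relying on quoting being applied everywhere.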
helix-player: integer overflow
| Package(s): | helix-player |
| CVE #(s): | CVE-2005-2629 |
| Created: | December 2, 2005 |
| Updated: | December 7, 2005 |
| Description: | An integer overflow has been discovered in helix-player, the helix audio and video player. This flaw could allow a remote attacker to run arbitrary code on a victim's computer by supplying a specially crafted network resource. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
inkscape: arbitrary code execution
| Package(s): | inkscape |
| CVE #(s): | CVE-2005-3737 |
| Created: | November 21, 2005 |
| Updated: | December 7, 2005 |
| Description: | A buffer overflow has been discovered in the SVG importer of Inkscape. By tricking a user into opening a specially crafted SVG image this could be exploited to execute arbitrary code with the privileges of the Inkscape user. |
| Alerts: | |
Comments (none posted)
inkscape: insecure temp files
| Package(s): | inkscape |
| CVE #(s): | CVE-2005-3885 |
| Created: | December 5, 2005 |
| Updated: | December 7, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered that Inkscape's ps2epsi.sh script, which converts PostScript files to Encapsulated PostScript format, creates a temporary file in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running Inkscape. |
| Alerts: | |
Comments (1 posted)
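The gettext, groff and Inkscape ps2epsi.sh entries in this list all describe the same weakness: a temporary file created at a predictable name with an open that follows whatever is already there. As an added example written for this page (not code from any of the three projects), the function below pre-places a symlink at the guessable name inside a scratch directory, then records what three opening strategies do: a plain `O_CREAT|O_TRUNC` open, an `O_EXCL` open, and `tempfile.mkstemp`. The directory, file names and the pid value 1234 are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, Tuple


def open_predictable_temp(prefix: str, pid: int) -> int:
    """Weak pattern from the advisories: guessable name, plain O_CREAT|O_TRUNC.
    If a symlink already sits at the name, the open follows it and truncates
    whatever the link points at."""
    path = f"{prefix}.{pid}"
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def open_exclusive(path: str) -> int:
    """O_EXCL makes open() fail with EEXIST if anything, a symlink included,
    already exists at the name, instead of following it."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def open_mkstemp(directory: str) -> Tuple[int, str]:
    """Preferred: an unguessable random name plus O_EXCL in a single call."""
    return tempfile.mkstemp(prefix="demo.", dir=directory)


def temp_name_outcome() -> Dict[str, bool]:
    """Pre-place a symlink at the guessable name (the situation the entries
    describe) and record what each opening strategy does."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        with open(target, "w") as f:
            f.write("important contents")
        guessed = os.path.join(d, "demo.1234")   # the name the weak code will use
        os.symlink(target, guessed)

        fd = open_predictable_temp(os.path.join(d, "demo"), pid=1234)
        os.close(fd)
        followed = os.path.getsize(target) == 0   # O_TRUNC went through the link

        try:
            open_exclusive(guessed)
            refused = False
        except FileExistsError:
            refused = True

        fd, path = open_mkstemp(d)
        os.close(fd)
        fresh = os.path.basename(path) != "demo.1234" and not os.path.islink(path)

        return {
            "symlink_followed": followed,
            "exclusive_open_refused": refused,
            "mkstemp_fresh_file": fresh,
        }


if __name__ == "__main__":
    for key, value in temp_name_outcome().items():
        print(f"{key}: {value}")
```

The exclusive open alone closes the symlink hole; mkstemp additionally removes the predictability, so there is no name for anyone to pre-occupy in the first place.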
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180, CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275, CVE-2005-3276 |
| Created: | November 22, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending a "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: | |
Comments (2 posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
| CVE #(s): | CAN-2005-1349 |
| Created: | May 20, 2005 |
| Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: | |
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the user running
the affected parts of the library. |
| Alerts: | |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu client, an instant
messaging program), which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others, e.g. SPARC, it can lead to a bus error,
in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: | |
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
| CVE #(s): | CAN-2005-0106 |
| Created: | May 3, 2005 |
| Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: | |
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: | |
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2005-1544 |
| Created: | May 10, 2005 |
| Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: | |
Comments (1 posted)
libungif: memory corruption
| Package(s): | libungif |
| CVE #(s): | CAN-2005-2974 |
| Created: | November 3, 2005 |
| Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: | |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: | |
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
| CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 |
| Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: | |
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
| CVE #(s): | CVE-2005-3573 |
| Created: | December 2, 2005 |
| Updated: | March 8, 2006 |
| Description: |
Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8
character encodings in filenames of e-mail attachments, which allows
remote attackers to cause a denial of service. |
| Alerts: | |
Comments (none posted)
Mantis: multiple vulnerabilities
| Package(s): | mantisbt |
| CVE #(s): | CVE-2005-3091, CVE-2005-3335, CVE-2005-3336, CVE-2005-3338, CVE-2005-3339 |
| Created: | October 28, 2005 |
| Updated: | December 22, 2005 |
| Description: |
Mantis contains several vulnerabilities, including a remote file inclusion
vulnerability, an SQL injection vulnerability, multiple cross site
scripting vulnerabilities and multiple information disclosure
vulnerabilities. |
| Alerts: | |
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2005-0088 |
| Created: | February 10, 2005 |
| Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: | |
Comments (none posted)
mysql: buffer overflow
| Package(s): | mysql |
| CVE #(s): | CAN-2005-2558 |
| Created: | September 12, 2005 |
| Updated: | January 12, 2006 |
| Description: |
The mysql CREATE FUNCTION can be used to create a buffer overflow.
A specially crafted long function name can be used by a local attacker
to crash the server or execute arbitrary code with the privileges of
the server. |
| Alerts: | |
Comments (none posted)
mysql: low-impact security fix
| Package(s): | mysql |
| CVE #(s): | CAN-2005-1636 |
| Created: | July 20, 2005 |
| Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689). |
| Alerts: | |
Comments (1 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
| CVE #(s): | CAN-2005-0013, CAN-2005-0014 |
| Created: | January 31, 2005 |
| Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: | |
Comments (none posted)
netpbm-free: buffer overflows
| Package(s): | netpbm-free |
| CVE #(s): | CVE-2005-3632, CVE-2005-3662 |
| Created: | November 21, 2005 |
| Updated: | December 20, 2005 |
| Description: |
Greg Roelofs discovered and fixed several buffer overflows in pnmtopng,
which is also included in netpbm, a collection of graphic conversion
utilities, that can lead to the execution of arbitrary code via a
specially crafted PNM file. |
| Alerts: | |
Comments (1 posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-0946 |
| Created: | January 11, 2005 |
| Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
| CVE #(s): | CAN-2005-2496 |
| Created: | August 26, 2005 |
| Updated: | August 11, 2006 |
| Description: |
When xntpd is started with the -u option and the group is specified
by name rather than by numeric gid, the daemon uses the gid of the
user, not that of the group. This problem is fixed by this update. |
| Alerts: | |
Comments (none posted)
openssh: GSSAPI credential disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2005-2798 |
| Created: | September 7, 2005 |
| Updated: | February 3, 2006 |
| Description: |
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix. |
| Alerts: | |
Comments (none posted)
openssl: protocol rollback
| Package(s): | openssl |
| CVE #(s): | CAN-2005-2969 |
| Created: | October 12, 2005 |
| Updated: | December 19, 2005 |
| Description: |
OpenSSL prior to version 0.9.7h or 0.9.8a contains a vulnerability which could enable an attacker to force the use of the older, less secure SSL 2.0 protocol. See this advisory for details or this analysis for even more details. |
| Alerts: | |
Comments (1 posted)
openvpn: format string vulnerability
| Package(s): | openvpn |
| CVE #(s): | CVE-2005-3393, CVE-2005-3409 |
| Created: | November 2, 2005 |
| Updated: | December 12, 2005 |
| Description: |
OpenVPN 2.0.x contains a format string vulnerability which can be exploited by a hostile server; see this advisory for details. |
| Alerts: | |
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
| CVE #(s): | CAN-2005-2491 |
| Created: | August 23, 2005 |
| Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library. |
| Alerts: | |
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
| CVE #(s): | CAN-2005-0448 |
| Created: | March 9, 2005 |
| Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: | |
Comments (none posted)
perl: integer overflow
| Package(s): | perl |
| CVE #(s): | CVE-2005-3962, CVE-2005-3912 |
| Created: | December 1, 2005 |
| Updated: | February 27, 2006 |
| Description: |
Perl has an sprintf integer overflow vulnerability
that may be used for a denial of service, remote code
execution and information leakage. |
| Alerts: | |
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2005-3390, CVE-2005-3389, CVE-2005-3388, CVE-2005-3353 |
| Created: | November 8, 2005 |
| Updated: | December 23, 2005 |
| Description: |
There are multiple vulnerabilities in PHP: malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the
register_globals setting, there are cross-site scripting bugs in phpinfo(), and a bug in EXIF image parsing may crash the process. |
| Alerts: | |
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
| CVE #(s): | CAN-2005-1409, CAN-2005-1410 |
| Created: | May 4, 2005 |
| Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds. |
| Alerts: | |
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
| CVE #(s): | CVE-2005-1391 |
| Created: | May 2, 2005 |
| Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process. |
| Alerts: | |
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
| CVE #(s): | CAN-2005-2471 |
| Created: | August 1, 2005 |
| Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: | |
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
| CVE #(s): | CAN-2005-2875 |
| Created: | September 19, 2005 |
| Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: | |
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
| CVE #(s): | |
| Created: | November 15, 2005 |
| Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: | |
Comments (none posted)
smb4k: temporary file vulnerability
| Package(s): | smb4k |
| CVE #(s): | CVE-2005-2851 |
| Created: | September 7, 2005 |
| Updated: | December 7, 2005 |
| Description: |
Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible. |
| Alerts: | |
Comments (none posted)
spamassassin: denial of service
| Package(s): | spamassassin |
| CVE #(s): | CVE-2005-3351 |
| Created: | November 9, 2005 |
| Updated: | March 7, 2006 |
| Description: |
Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field. |
| Alerts: | |
Comments (none posted)
squid: authentication handling
| Package(s): | squid |
| CVE #(s): | CAN-2005-2917 |
| Created: | September 30, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart. |
| Alerts: | |
Comments (none posted)
sudo: missing input sanitizing
| Package(s): | sudo |
| CVE #(s): | CVE-2005-2959 |
| Created: | October 25, 2005 |
| Updated: | February 19, 2006 |
| Description: |
Tavis Ormandy noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. The SHELLOPTS and PS4 variables are dangerous and are
still passed through to the program running as privileged user. This
can result in the execution of arbitrary commands as privileged user
when a bash script is executed. These vulnerabilities can only be
exploited by users who have been granted limited super user
privileges. |
| Alerts: | |
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
| CVE #(s): | CAN-2005-1993 |
| Created: | June 21, 2005 |
| Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time. |
| Alerts: | |
Comments (none posted)
sylpheed: buffer overflow
| Package(s): | sylpheed |
| CVE #(s): | CVE-2005-3354 |
| Created: | November 9, 2005 |
| Updated: | January 6, 2006 |
| Description: |
The sylpheed mail client, prior to versions 1.0.6 and 2.0.4, contains a buffer overflow in the LDIF address book import code. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
| CVE #(s): | CAN-2005-1280, CAN-2005-1279, CAN-2005-1278 |
| Created: | May 2, 2005 |
| Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: | |
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
| CVE #(s): | CAN-2005-3011 |
| Created: | October 5, 2005 |
| Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: | |
Comments (none posted)
trackballs: symlink vulnerability
| Package(s): | trackballs |
| CVE #(s): | |
| Created: | December 7, 2005 |
| Updated: | December 7, 2005 |
| Description: |
Trackballs follows symbolic links, possibly allowing unprivileged users to access and modify files accessible by the games group. |
| Alerts: | |
Comments (none posted)
ucd-snmp: denial of service
| Package(s): | ucd-snmp |
| CVE #(s): | CAN-2005-2177 |
| Created: | August 9, 2005 |
| Updated: | January 27, 2006 |
| Description: |
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash. |
| Alerts: | |
Comments (none posted)
uim: privilege escalation
| Package(s): | uim |
| CVE #(s): | CVE-2005-3149 |
| Created: | October 4, 2005 |
| Updated: | December 7, 2005 |
| Description: |
Masanari Yamamoto discovered that Uim uses environment variables
incorrectly. This bug causes a privilege escalation if setuid/setgid
applications are linked to libuim. This bug only affects
immodule-enabled Qt (if you build Qt 3.3.2 or later versions with
USE="immqt" or USE="immqt-bc"). |
| Alerts: | |
Comments (none posted)
unzip: race condition
| Package(s): | unzip |
| CVE #(s): | CAN-2005-2475 |
| Created: | September 29, 2005 |
| Updated: | January 12, 2006 |
| Description: |
Unzip has a race condition vulnerability in the handling of output files.
During file unpacking, a local attacker can modify the permissions
of arbitrary files in the victim's directory. |
| Alerts: | |
Comments (none posted)
up-imapproxy: format string vulnerabilities
| Package(s): | up-imapproxy |
| CVE #(s): | CAN-2005-2661 |
| Created: | October 10, 2005 |
| Updated: | March 7, 2006 |
| Description: |
up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
util-linux: unintentional grant of privileges by umount
| Package(s): | util-linux |
| CVE #(s): | CAN-2005-2876 |
| Created: | September 13, 2005 |
| Updated: | December 19, 2005 |
| Description: |
The Linux umount command as provided in the util-linux package in
versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2 grants root privileges. See this BugTraq post for more information. |
| Alerts: | |
Comments (none posted)
uw-imap: buffer overflow
| Package(s): | uw-imap |
| CVE #(s): | CAN-2005-2933 |
| Created: | October 11, 2005 |
| Updated: | April 10, 2006 |
| Description: |
"infamous41md" discovered a buffer overflow in uw-imap, the University
of Washington's IMAP Server, that allows attackers to execute arbitrary
code. |
| Alerts: | |
Comments (none posted)
vixie-cron: crontab allows any user to read other users' crontabs
| Package(s): | vixie-cron |
| CVE #(s): | CAN-2005-1038 |
| Created: | April 15, 2005 |
| Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: | |
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
| CVE #(s): | CVE-2005-3183 |
| Created: | October 14, 2005 |
| Updated: | May 2, 2007 |
| Description: |
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c. |
| Alerts: | |
Comments (1 posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: | |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: | |
Comments (none posted)
xloadimage: buffer overflows
| Package(s): | xloadimage |
| CVE #(s): | CAN-2005-3178 |
| Created: | October 10, 2005 |
| Updated: | May 15, 2006 |
| Description: |
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that, when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
xmail: buffer overflow
| Package(s): | xmail |
| CVE #(s): | CVE-2005-2943 |
| Created: | November 21, 2005 |
| Updated: | December 14, 2005 |
| Description: |
A buffer overflow has been discovered in the sendmail program of
xmail, an advanced, fast and reliable ESMTP/POP3 mail server, that
could lead to the execution of arbitrary code with group mail
privileges. |
| Alerts: | |
Comments (none posted)
xorg-x11: heap overflow
| Package(s): | xorg-x11 |
| CVE #(s): | CAN-2005-2495 |
| Created: | September 12, 2005 |
| Updated: | March 8, 2006 |
| Description: |
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow; a local user can use this to
execute arbitrary code with elevated privileges. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Comments (1 posted)
xpdf: arbitrary code execution
| Package(s): | xpdf |
| CVE #(s): | CVE-2005-3193 |
| Created: | December 6, 2005 |
| Updated: | January 11, 2006 |
| Description: |
Several flaws were discovered in Xpdf. An
attacker could construct a carefully crafted PDF file that could cause Xpdf
to crash or possibly execute arbitrary code when opened. |
| Alerts: | |
Comments (none posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
| CVE #(s): | CAN-2005-2097 |
| Created: | August 9, 2005 |
| Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: | |
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
| CVE #(s): | CAN-2005-1849 |
| Created: | July 21, 2005 |
| Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause programs using it to crash
if a corrupted file is opened. |
| Alerts: | |
Comments (none posted)
zope 2.7: design error
| Package(s): | zope |
| CVE #(s): | CVE-2005-3323 |
| Created: | November 25, 2005 |
| Updated: | December 13, 2005 |
| Description: |
A vulnerability has been discovered in zope 2.7 that allows remote
attackers to insert arbitrary files via include directives in
reStructuredText functionality. |
| Alerts: | |
Comments (1 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.15-rc5; Linus, it seems, has
been too busy stirring up desktop flamewars to get -rc6 out the door.
A slow stream of patches continues to accumulate in the mainline git
repository. These consist mostly of fixes, but there is also the removal
of the "incomplete mapping" support discussed here last week (it was deemed
unnecessary), a new rcu_barrier() primitive to wait until all
queued RCU callbacks have run, and a build system change making the
"optimize for size" option available for all configurations.
The current -mm tree is 2.6.15-rc5-mm2. Recent changes
to -mm include a couple of new inotify flags controlling which files are to
be watched, a Sony laptop ACPI driver, basic PCI domain support, a
schedule_on_each_cpu() function to run code on every processor, a
new high-resolution timers implementation, and a "batch" scheduling policy.
Comments (none posted)
Kernel development news
The Linux kernel contains a full counting semaphore implementation. Given
a semaphore, a call to
down() will sleep until the semaphore
contains a positive value, decrement that value, and return. Calling
up() increments the semaphore's value and wakes up a process
waiting for the semaphore, if one exists. If the initial value of the
semaphore is ten, then ten different threads can call
down()
without blocking.
Most users of semaphores do not use the counting feature, however.
Instead, they initialize the semaphore to a value of one, allowing a single
thread to hold the semaphore at any given time. This mode of use turns a
semaphore into a "mutex," a mutual exclusion primitive which can be used to
implement critical sections. Using a semaphore in this way is entirely
valid.
There is one little issue, however: a simple binary mutex can often be
implemented more cheaply than a full counting semaphore. If a semaphore is
used in the mutex mode, the extra cost of the counting capability is simply
wasted. Linux semaphores also suffer from highly architecture-dependent
implementations, to the point that any changes to the semaphore API are
very difficult to make. So cleaning up semaphores has been one of those
items on the "to do" list for some time.
David Howells went ahead and did
it. His patch adds a new, binary mutex type to the kernel. Since
almost all of the semaphores currently in use are, in reality, mutexes,
David changed the prototypes of most of the semaphore functions
(down() and variants, up(), init_MUTEX(),
DECLARE_MUTEX()) to take a mutex rather than a semaphore. To make
things work again, most semaphore declarations have been changed to
struct mutex, but, beyond the declaration change, code using
mutexes need not be modified.
For code which truly needs a semaphore, a new set of functions has been
provided:
void down_sem(struct semaphore *sem);
void up_sem(struct semaphore *sem);
int down_sem_trylock(struct semaphore *sem);
...
Kernel code which was actually using the counting capability of semaphores
has been changed to use the new functions.
This patch makes fundamental changes to the kernel's mutual exclusion
mechanisms, creates a flag day which breaks all out-of-tree code, and is
generally quite large. But there is surprisingly little resistance to the
patch in general. Some developers are concerned that some counting
semaphores may have been converted to mutexes erroneously - it is hard to
audit that much code and be absolutely sure of how every semaphore is
used. It has also been noted that the posted mutex implementation may
actually be slower than the semaphores it replaces, but that is something
which, it is assumed, can be fixed. In general, however,
almost nobody objects to making this sort of change.
There are some disagreements over just how the change should be done,
however. Some developers do not want to see the old down() and
up() functions switched to a different type which has no counter
to bump "down" or "up." The alternative would be to create a completely
new API for mutexes; Alan Cox has suggested
names like sleep_lock() and sleep_unlock(). A completely
new API would make it clear what is really going on; it would also make it possible to
change over users gradually as they are audited.
Some developers would rather see a big flag day than a
year-long series of patches slowly converting semaphore users over to
mutexes. For them, the mutex changeover is a chance to get the API right,
and they would rather see everything changed over at once. Gradual
changeovers, it is argued, never seem to come to a conclusion; examples
include the continued existence of the big kernel lock and the
long-deprecated sleep_on() functions. Rather than live with a
deprecated API for years, it may be better to just take the pain all at
once and be done with it.
It has also been pointed out that there is another mutex patch in
circulation: the real-time preemption tree has had mutexes for the last
year. So far, there has been no real debate on whether the -rt
implementation is better; Ingo Molnar does not seem to be pushing it, even
though this might be a good opportunity to merge a significant chunk of the
-rt tree into the mainline.
In the end, it looks like some sort of mutex patch is likely to be merged
into a future mainline kernel - though it almost certainly will not be
ready when the 2.6.16 window opens. The form of that patch could change
significantly, however; stay tuned.
Comments (9 posted)
For years, otherwise useful kernel patches have been rejected because they
use language features which are not supported by version 2.95 of the gcc
compiler. The developers have been reluctant to remove support for this
ancient version of gcc (released in 1999) because some not-so-old
distributions used it, and because a couple of architectures required it.
More importantly, however: gcc 2.95 simply runs faster than later
versions. For a kernel hacker waiting for a build to complete, compilation
speed can be far more important than additional language features or more
highly optimized code generation.
In the middle of the mutex conversation, however, it was pointed out that
some of the alternatives under consideration would not work with 2.95. In
response, Andrew Morton, the biggest defender of 2.95 compatibility, threw in the towel. It seems that quite a few
things in the kernel already fail to work with 2.95, and the situation is
not getting better. So, says Andrew:
It's time to give up on it and just drink more coffee or play more
tetris or something, I'm afraid.
He followed up with a patch officially
removing gcc 2.95 compatibility from the kernel. A suggestion to drop gcc 3.0 quickly
followed; the 3.0 release was never widely used, and it lacks some features
that the kernel developers would like to use. Moving directly to 3.1 as
the oldest supported gcc would make life easier without a whole lot
of additional pain.
Nothing has been merged into the mainline yet - and may not be until 2.6.16
opens. But the writing is clearly on the wall: anybody still trying to use
these older compilers with current kernels will have to upgrade soon.
Comments (11 posted)
The i386 processor family poses a challenge for kernel builders. These
processors have maintained instruction set compatibility for many years;
code built for early Pentium processors will likely still run on current
hardware. The problem is that code built for these older processors will
fail to take advantage of features added later on. The "least common
denominator" approach can thus lead to sub-optimal use of current CPUs.
The kernel has a number of ways of dealing with this challenge. In some
cases it can make decisions at run time, using processor features only if
they are found to be present. Other features are only available by way of
build-time configuration options; selecting these will result in a kernel
which will not run on older systems. Yet another mechanism is the
"alternatives" feature, which allows the kernel to optimize itself at boot
time. Consider this example of alternatives use (from
include/asm-i386/system.h):
#define mb() alternative("lock; addl $0,0(%%esp)", \
"mfence", \
X86_FEATURE_XMM2)
This macro places a memory barrier in the code, ensuring that all memory
reads and writes initiated before the barrier complete before execution
continues. The default implementation is essentially a bus-locked no-op;
it will work anywhere. On newer systems, however, the more efficient
mfence instruction is available, and it would be nice to use it.
The alternative() macro compiles in the default code, but also
makes a note of its location (and alternative implementation) in a special
ELF section. Early in the boot process, the kernel calls
apply_alternatives(), which makes a pass through that special
section. Every alternative instruction which is supported by the running
processor is patched directly into the loaded kernel image; it will be
filled with no-op instructions if need be. Once
apply_alternatives() has finished its work, the kernel behaves as
if it had been compiled for the processor it is actually running on. This
mechanism allows
distributors to ship generic kernels which can optimize themselves at boot
time.
The 2.6 mainline uses alternatives sparingly: for barriers, prefetch hints,
and saving the floating point unit state. Gerd Knorr, however, believes
that the use of alternatives could be expanded to further reduce the range
of kernels which distributors need to ship - and to improve runtime
flexibility as well. In particular, he thinks that kernels can be
optimized for single- or multiprocessor systems on the fly.
Gerd's SMP alternatives patch
is an implementation of this concept. It creates a new macro
(alternative_smp()) which can be used to specify optimal
implementations of an operation on both uniprocessor and SMP systems; the
proper version will then be selected at runtime. The main use of SMP
alternatives in his patch is with spinlock operations; spinlocks can be
patched in or edited out, as dictated by the configuration of the system at
boot time.
There are a couple of interesting features in Gerd's patch. One is in the
handling of the i386 architecture's lock prefix. This prefix,
when applied to specific instructions, causes the instruction to run in a
bus-locked, atomic manner. It is used for operations which must be seen
coherently across a multiprocessor system; these include semaphore
operations and the atomic_t implementation. Use of the
lock prefix on uniprocessor systems imposes a runtime cost with no
benefit; it would be nice to edit those out. The SMP alternatives patch
takes a shortcut here; it simply remembers each location where a
lock prefix appears. If the kernel boots on a uniprocessor
system, all of those prefixes can be quickly overwritten with no-ops.
A more interesting - and more controversial - feature of this patch is
that, when the kernel is converted between the SMP and uniprocessor mode,
the overwritten instructions are remembered. At some point in the future,
then, the alternatives code can reverse the change, switching the kernel
back to the full SMP implementation. The code is then run whenever a CPU
hotplug event happens, optimizing the kernel for the system's new
configuration. A system can be initially booted with a single processor,
and the alternatives code will edit out all of the SMP-related
instructions. If another processor is added later on, the kernel will be
automatically converted back into a fully SMP-capable mode. If processors
are removed, the SMP code can be taken out too. All within a running
system, with no need to reboot.
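The two mechanisms described above, the boot-time alternative() patching and the reversible SMP lock-prefix editing, modelled in user space as an added example (not kernel code and not Gerd's patch). A constructed byte array stands in for the kernel text, the table layout and the bit position of FEAT_XMM2 are assumptions, and the opcodes for lock addl, mfence and lock incl are the real i386 encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP          0x90   /* single-byte x86 no-op */
#define LOCK_PREFIX  0xF0   /* x86 bus-lock prefix byte */

/* Feature bits of the simulated running CPU. The name follows the kernel's
 * X86_FEATURE_XMM2 used by mb(); the bit position is an assumption. */
#define FEAT_XMM2 (1u << 0)

/* One record of the alternatives table: where the default sequence sits in
 * the image, how long it is, and what replaces it when the feature exists. */
struct alt_instr {
    size_t         offset;
    uint8_t        instrlen;
    const uint8_t *repl;
    uint8_t        replacementlen;   /* must be <= instrlen */
    unsigned       feature;
};

/* Constructed "kernel image" (sample input, not a real kernel layout). */
static uint8_t image[] = {
    0x89, 0xC8,                      /*  0: mov  %ecx,%eax */
    0xF0, 0x83, 0x04, 0x24, 0x00,    /*  2: lock addl $0,(%esp)  mb() default */
    0xF0, 0xFF, 0x00,                /*  7: lock incl (%eax)     atomic_inc() */
    0xC3,                            /* 10: ret */
};
static const size_t image_len = sizeof image;

static const uint8_t mfence[] = { 0x0F, 0xAE, 0xF0 };   /* mfence */

static const struct alt_instr alt_table[] = {
    { 2, 5, mfence, sizeof mfence, FEAT_XMM2 },
};
#define NALTS (sizeof alt_table / sizeof alt_table[0])

/* LOCK prefix sites the SMP-alternatives code remembers, plus the byte saved
 * at each site so the edit can be reversed on a CPU hotplug event. */
static const size_t lock_sites[] = { 7 };
#define NLOCKS (sizeof lock_sites / sizeof lock_sites[0])
static uint8_t saved_lock[NLOCKS];

/* Model of apply_alternatives(): for each entry whose feature the CPU has,
 * copy the replacement over the default and pad the remainder with NOPs.
 * Returns the number of sites patched, or -1 if a replacement would not fit. */
int apply_alternatives(uint8_t *img, unsigned cpu_features)
{
    int patched = 0;
    for (size_t i = 0; i < NALTS; i++) {
        const struct alt_instr *a = &alt_table[i];
        if (!(cpu_features & a->feature))
            continue;
        if (a->replacementlen > a->instrlen)
            return -1;
        memcpy(img + a->offset, a->repl, a->replacementlen);
        memset(img + a->offset + a->replacementlen, NOP,
               a->instrlen - a->replacementlen);
        patched++;
    }
    return patched;
}

/* Model of the SMP alternatives switch: with one CPU every recorded LOCK
 * prefix becomes a NOP (and is remembered); with more than one CPU the saved
 * prefixes are written back. Returns the number of bytes changed. */
int alternatives_smp_switch(uint8_t *img, int nr_cpus)
{
    int changed = 0;
    for (size_t i = 0; i < NLOCKS; i++) {
        uint8_t *p = img + lock_sites[i];
        if (nr_cpus == 1 && *p == LOCK_PREFIX) {
            saved_lock[i] = *p;
            *p = NOP;
            changed++;
        } else if (nr_cpus > 1 && *p == NOP && saved_lock[i] == LOCK_PREFIX) {
            *p = saved_lock[i];
            saved_lock[i] = 0;
            changed++;
        }
    }
    return changed;
}

/* Count bytes where the running text no longer matches the on-disk copy:
 * a kernel-text integrity check that compares against the file must account
 * for these patched sites or it will report a false mismatch after boot. */
size_t patched_bytes(const uint8_t *on_disk, const uint8_t *running, size_t n)
{
    size_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff += on_disk[i] != running[i];
    return diff;
}

int main(void)
{
    uint8_t on_disk[sizeof image];
    memcpy(on_disk, image, image_len);
    printf("alternatives patched: %d\n", apply_alternatives(image, FEAT_XMM2));
    printf("UP boot, lock prefixes removed: %d\n", alternatives_smp_switch(image, 1));
    printf("CPU hot-added, prefixes restored: %d\n", alternatives_smp_switch(image, 2));
    printf("bytes differing from on-disk image: %zu\n",
           patched_bytes(on_disk, image, image_len));
    return 0;
}
```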
This feature may seem useful to a rather small minority of users - and it
is. But that minority may be bigger than one thinks. Virtualization
systems (and Xen in particular) are implementing the ability to configure
the number of (virtual) CPUs in each running instance on the fly, in
response to the load on each. So it may really be that a busy, virtualized
server will have CPUs hot-plugged into it, and that those processors will
go away when the load drops. Enabling the kernel to reconfigure itself on
the fly when this happens will allow each Xen instance to run a kernel
which is optimized for its current situation.
The CPU hotplug feature may be a hard sell - self-modifying code in a running
kernel tends to make people nervous. The rest of the SMP alternatives
patch seems likely to find a place in the mainline, eventually.
Comments (29 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
With the year 2005 coming to an end, let's take a brief look at some of the
changes on the Linux distribution landscape over the past 12 months.
Arguably the most exciting event of the year was the announcement by Novell
to open up the development of SUSE
Linux to public participation. Popular as SUSE has always been, the
creation of the openSUSE project has clearly won many new users who have
found the attraction of free ISO images, combined with SUSE's reputation
for ease of use and excellent administration tools, irresistible. More
importantly, many developers, beta testers and volunteer contributors have
flocked to openSUSE and several SUSE-based subprojects were born on the
project's Wiki-style web site. With reviews overwhelmingly positive, the
new SUSE Linux 10.0 can safely be declared a winner in gathering most media
attention, as well as attracting many new users in 2005.
Another distribution that has been marching from strength to strength is Ubuntu Linux. Although the project
has only just celebrated its first birthday, the success of Ubuntu has
demonstrated two interesting phenomena. Firstly, if done right, even a
newly created distribution can become enormously popular - without the need
to spend a single penny on advertising. Secondly, Linux users aren't
particularly attached to a distribution and are quite willing to switch to
a new product - if it fits their needs better. The credibility of Ubuntu
was also boosted when its sponsor, Canonical Ltd, announced the creation of
the $10 million Ubuntu Foundation; the upcoming version 6.04 will be
enterprise ready in a sense that security updates will be provided for a
minimum period of 5 years.
In contrast, Fedora and Mandriva, the two traditional power houses of the
Linux distribution world, have had a relatively quiet year. Partly
responsible for this is the fact that both distributions have extended
their release cycles - from 6 months to 9 and 12 months, respectively. The
September release of Mandriva Linux
2006 attracted mixed reviews in the media; perhaps a victim of its own
success and its reputation for being one of the most user-friendly products
on the market, the expectations are always high and even the slightest
inconsistency or lack of attention to detail tends to result in harsh
criticism by the reviewers. And although Mandriva remains a popular and
much appreciated operating system, its long release cycle and
the increasingly commercial nature of the product will undoubtedly result
in some of its more advanced users drifting towards one of the
non-commercial, community distributions.
Similarly, the Fedora project has
also lost some ground this year, especially on the desktop. The lack of
beta testing excitement that used to characterize the third quarter of each
year and the relative calm on the project's mailing list (even after the
recent release of the first beta of Fedora Core 5) are an indication that
some Fedora users might have started looking elsewhere. The project's next
stable release is due in late February, which means that, unlike Ubuntu,
which has essentially synchronized its releases with those of the GNOME
desktop, it will just miss GNOME 2.14 (scheduled for release on March
15, 2006). That said, Fedora Core 5 will form the basis of the upcoming Red
Hat Enterprise Linux 5, so it is expected to be one of the better tested
releases, without too many experimental features.
The traditionally more server- and geek-oriented Debian GNU/Linux and Slackware Linux continued in their
development work, even producing an odd stable release, which, in case of
Debian, is a fairly rare achievement. By some accounts, Debian is the
fastest-growing server distribution available today - perhaps a tribute to
the project's legendary quality control and stability of the operating
system. Both Debian and Slackware stayed with the tried and tested 2.4
kernel series (at least on the i386 platform), while Slackware remained the
only major distribution shipping a vanilla kernel with its product. But
despite its unusually conservative nature, Slackware continues to have
a surprisingly strong following, thus confirming that adding extra (and
sometimes buggy) bells and whistles might not necessarily be the best way
to increase the Linux user base.
Besides the above-mentioned main distributions, dozens of smaller projects
continued fighting for the market share with the big boys. We keep getting
very positive reports from users of PCLinuxOS and KANOTIX, two free, user-friendly
distributions designed for the desktop. Those who wish to bring an older
machine or a laptop back to life might consider trying Damn Small Linux or Puppy Linux, two small, incredibly
fast and light-weight operating systems. And if you ever get tired of
Linux, it's nice to know that several exciting alternatives were born
during this past year, including Nexenta, a project that attempts to
marry the OpenSolaris kernel with GNU and Debian utilities, and PC-BSD, which is building an easy-to-use
installer and graphical administration utilities for FreeBSD.
What can we expect in 2006? While Fedora will be the first distribution with
a new release in the new year, both SUSE and Ubuntu are already deep in the
development of their next versions - expect two new releases from each
during the course of the year. Among the commercial projects, Linspire 6.0
and Xandros Desktop 4 should feature in the headlines sometime during the
first half of 2006 as both companies continue in their quests to remove the
last barriers of Linux acceptance among non-technical computer users.
Mandriva's next new release is only expected in the third quarter of the
year, while Debian's current plan is to complete the development of "etch"
just before the end of the year. On the enterprise Linux front, both Red
Hat and Novell are likely to announce major new releases. With the current
trend in municipalities and government offices to migrate parts of their IT
infrastructure to Free Software, both are well-positioned to take advantage
of these new opportunities.
Comments (11 posted)
New Releases
64 Studio is a native x86_64 Linux
distribution, based on Debian testing and designed specifically for
creative desktop users. Version 0.6.0 alpha was released this week and is
available for
download.
Full Story (comments: none)
DesktopLinux covers the recent release of Ark Linux 2005.2. "A new version
of Ark Linux, v2005.2 -- touted as an "easy-to-use distribution designed for
non-technical users" -- was released Monday. It's based on Linux kernel
2.6.14rc2 and boasts the new KDE 3.5 desktop, OpenOffice.org 2.0, overall
improvements to system size and speed, and better automatic handling of
inserted CDs and DVDs, the project said."
Comments (none posted)
Openwall GNU/Linux has released
an ISO snapshot of -current with a new installer that implements an
ncurses/CDK-based user interface and many other patches and updates.
Full Story (comments: none)
Quantian 0.7.9.1 has been released. This version is based on Knoppix 4.0.2
and adds hundreds of scientific / numeric packages, as well as the
openMosix enabled 2.4.27 kernel.
Full Story (comments: 4)
Ubuntu has a Flight CD 2 ready. This is the second in a series of milestone
CD images that will be released throughout the Dapper development cycle, as
images that are known to be reasonably free of showstopper CD-build or
installer bugs. The Kubuntu Flight CD 2 is also available.
Full Story (comments: none)
Hidden away in the December 10 Slackware changelog (click below) is this
news: "I know a lot of you have been wondering what's going on here, and the news
is that my wife Andrea delivered our first child, a daughter Briah Cecilia
(briah at slackware dot com :-) on 2005-11-22, and that event (and the weeks
that led up to it) has had to take priority over the usual tasks of
download/compile/test/package/upload." Congratulations, Patrick
and family!
Full Story (comments: 5)
Distribution News
Intel has generously provided ten notebook computers for Debian Developers
in developing countries.
Full Story (comments: none)
The latest Fedora-netdev kernel (kernel-2.6.14-1.1644_FC4.netdev.5) is
available for FC4.
Full Story (comments: none)
The Ubuntu Server Team has been established to pursue short term, high
impact goals for the Ubuntu 6.04 release, such as server hardware testing
and kernel quality assurance. Watch for Dapper Drake Server Daily Builds
to become available for testing.
Full Story (comments: none)
New Distributions
QiLinux Docet is an Italian Educational Live Cd designed for
Italian-speaking Schools. It is based on
QiLinux and can be downloaded from the
Download section of the QiLinux web site.
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for December 13, 2005 covers a call for talks at
FOSDEM, progress with C++ transitions, joining forces with Skolelinux,
stabilizing the Linux Landscape with Debian, the release of DCC Common Core
3.0, new features on buildd.net, and several other topics.
Full Story (comments: none)
The latest edition of the
Fedora Weekly
News looks at Fedora Logo Approval, Foss.in - Fedora report, Fedora
Ambassadors FAQ, Fedora Core 5 Test 1 Review, Netcraft stats for web
servers, Real Introduces Rhapsody.com, and more.
Comments (none posted)
The
Gentoo
Weekly Newsletter for the week of December 12, 2005 covers Qt4 as it
moves into Portage, an Alpha project status update, the release of a GWN
guide, Gentoo Forums statistics visualized, and other topics.
Comments (none posted)
The Mandriva Linux Community Newsletter looks at the release of Mandriva
Linux 2006 Free, Mandriva Linux 2006 Installation Party a success, a Mad
Penguin review, and more.
Full Story (comments: none)
The DistroWatch Weekly for December 12, 2005 is out. "This issue covers a
variety of interesting topics, including a call to protest against
introducing a DMCA-style law in France, Linux migration efforts by Berlin,
Prague and Cape Town, and an insider's feedback to our last week's feature
on backporting newly released applications to existing distributions. In
the news section we'll introduce Security Enhanced SUSE, congratulate
Patrick Volkerding, and draw your attention to a newly compiled list of
FreeBSD projects for volunteer programmers. Finally, we'll take a brief
look at the new Ark Linux 2005.2."
Comments (none posted)
Package updates
Fedora Core 4 updates:
fetchmail
(upstream maintenance release),
mc (bug
fixes),
yum (bug fixes and additional
caching),
kbd (removes loadkeys),
GFS-kernel (built against 2.6.14-1.1653_FC4
kernel),
cman-kernel (built against
2.6.14-1.1653_FC4 kernel),
dlm-kernel
(built against 2.6.14-1.1653_FC4 kernel),
gndb-kernel (built against 2.6.14-1.1653_FC4
kernel),
dhcp (bug fixes),
xterm (upgrade to upstream version 207).
Fedora Core 3 updates: fetchmail
(upstream maintenance release), mc (bug
fixes).
Comments (none posted)
Trustix Secure Linux updates:
amavisd-new,
cpplus, mrtg, mysql and slocate &
apache and postfix.
Comments (none posted)
Newsletters and articles of interest
BlogSpot has a Concise apt-get / dpkg primer for new Debian users. "Debian
is one of the earliest Linux distributions around. It caught the public's
fancy because of the ease of installing and uninstalling applications on it.
When many other linux distributions were bogged down in dependency hell,
Debian users were shielded from these problems owing to Debian's superior
package handling capabilities using apt-get." (Found on DebianPlanet)
Comments (2 posted)
Distribution reviews
The Globe and Mail reviews SUSE Linux 10.0. "I did have one heart-stopping
moment when the
just-installed system couldn't find its way to the Internet. I opened up
various setup procedures to see if I could fix that, and was confronted by
the kind of mind-crushing geekery that has hampered Linux's acceptance
among the newbies for such a long time. I backed out of it without changing
a thing. But by the time I had done that, SUSE reported that it had located
the Internet all by itself, and I was off and surfing. The whole experience
still baffles me."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Version 1.0 of Ruby on Rails (also known as Rails), a web development
framework that uses the Ruby language, was announced this week. Rails uses
a database back-end. "Rails 1.0 is mostly about making all the work we've
been doing solid.
So it's not packed with new features over 0.14.x, but has spit,
polish, and long nights applied to iron out kinks and ensure that it
works mostly right, most of the time, for most of the people."
Rails is designed for achieving rapid productivity while maintaining
programmer happiness, both of which are desirable goals.
The project tutorials claim that it is possible to implement
various high level web site features in just minutes.
Rails is a full-stack framework for developing database-backed web applications according to the Model-View-Control pattern. From the Ajax in the view, to the request and response in the controller, to the domain model wrapping the database, Rails gives you a pure-Ruby development environment. To go live, all you need to add is a database and a web server.
Rails is a cross-platform project and it works with your choice of web
servers, including Apache and
lighttpd.
Rails also offers a choice of databases, including MySQL, PostgreSQL,
Firebird, as well as some proprietary choices.
There is a wide variety of Rails documentation available online; the API
definition is a good place to go to view the inner workings of the project.
The Rails screencasts section features a number of live tutorial examples
on how to create useful web functionality in a short amount of time, as
well as other conference presentations.
The Rails 1.0 announcement mentions the schedule for the next release:
"Rails 1.1 is already pretty far along in development and will see some of
the biggest upgrades of any Rails release. Hopefully some time in February."
For further reading, take a look at the Wikipedia
entry on Ruby
and the humorous
why's (poignant) guide to Ruby, which sets a new standard
for programming language manuals.
If you are looking for a good excuse to learn Ruby, Rails could be
the perfect motivator.
Comments (1 posted)
System Applications
Audio Projects
Version 0.100.7 of the JACK Audio Connection Kit has been released; it
features several bug fixes.
Full Story (comments: none)
Clusters and Grids
Version 1.2.4 of Linux-HA (Heartbeat) is out. "Barring unforeseen
circumstances this is the final release of the 1.2
series, and contains several important bug fixes, and a minor security fix.
It extends our tradition of high quality through excellent code,
exhaustive automated testing, zero warnings in source."
Full Story (comments: none)
Database Software
Version 4.1.16 of MySQL is out. "This is a bugfix release for the recent
production version."
Full Story (comments: none)
The December 11, 2005 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL database news and resources.
Full Story (comments: none)
Embedded Systems
GnomeDesktop has an announcement for the Xynth Windowing System. "New embedded and portable windowing system, client/server interface between display hardware (mouse, keyboard, video displays) and the desktop environment that works on many hardware, including embedded devices (handhelds, set-top boxes, etc.) has been released by Xynth."
They say "The name Xynth comes from the coordinate system, which is the heart of the Xynth Windowing System design."
Comments (none posted)
Filesystem Utilities
Version 2.5.4 of EVMS, the Enterprise Volume Management System, has been
released. "This is the fourth maintenance release in the EVMS 2.5.x series, and is primarily intended to fix some recent bug-reports, as well as to update to the most recent kernel and Device-Mapper releases."
Comments (none posted)
Printing
Version 0.0.2 of
JASmine, an accounting system for the CUPS printing system,
is available.
See the
release notes for more information.
Comments (none posted)
Web Site Development
Apache Software Foundation has
announced the release of Apache Beehive 1.0, a J2EE web Framework. "Beehive
uses JSR-175 annotations to simplify application development for
developers and the creation of Java development tools by independent software
vendors.
Beehive is built around three projects, NetUI, Controls and Web Service
Metadata (WSM), all of which can be used together or separately depending on
the requirements of a specific application."
Comments (none posted)
The Apache Software Foundation has
announced the release of version 1.0 of the
Geronimo application server. "
Apache Geronimo 1.0 introduces complete J2EE 1.4 certification, support
for Java Business Integration (JBI), Jetty or Tomcat Web container deployment
options, a complete Web-enabled management console based on Java Portlets,
full integration with the Eclipse Web Tools Project, and integration of Apache
Derby and the Apache Directory Server." The project page notes that the release went out a little early, so Geronimo 1.0 is not actually downloadable as of this writing.
Comments (none posted)
Stable version 0.8.4 of Booh is available. "Booh is a static Web-Album generator. It's a program that takes one or several series of photos and videos, and automatically builds static web pages to browse them, creating thumbnails etc." The
download page
has the change information.
Comments (none posted)
Linux.com looks at PhpDig. "PhpDig will index your site as frequently as you like via a cron job. Results are consistent and testable within minutes. PhpDig will crawl a single or multiple Web sites following links within the domain according to known rules and store the results in a MySQL database.
Users can then use a search form provided by PhpDig to enter criteria and see immediately which pages appear to be relevant; and the results page is not subjected to commercial advertising."
Comments (none posted)
Version 0.7 of UseBB, the light and Open Source PHP/MySQL bulletin board
package, is available. "Version 0.7 is a major feature enhancement release."
Comments (none posted)
Miscellaneous
Stable version 2.01 of Linux-Vserver, a virtualization technology, is out.
"The Linux-VServer project is a soft partitioning concept based on kernel
Contexts, providing isolation of process, network and filesystem,
permitting the creation of many independent Virtual Private Servers
(VPS) that run simultaneously on a single physical server at full
speed, efficiently sharing hardware resources."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.99.0 of gtkpod, a platform independent GUI for Apple's iPod using
GTK2, has been announced. "The main new features are podcast, video and cover art support, type-ahead search functionality, better handling of compilation CDs. An 'Edit Details' dialog now allows easy editing of all track data including cover art."
Comments (1 posted)
Version 0.1 of MadJACK has been announced. "MadJACK is an MPEG Audio Deck
for the Jack Audio Connection Kit with
an OSC based control interface. It was written as a backend for DJ
music playback and is released under the GPL licence."
Full Story (comments: none)
CAD
Version 1.2.0 of Sailcut CAD, a CAD system for wind sail makers, has been
announced. "The Sailcut CAD project is pleased to announce release 1.2.0 of its sail plotting package. Sailcut CAD's code has undergone a major overhaul for this release and has been ported to Qt 4. This release also features a number of improvements requested by users such as displaying the coordinates of the sail's corners in the Dimensions screen, better support for drawing kites and a new printout mode for users plotting sails by hand."
Comments (none posted)
Desktop Environments
Version 2.13.3-PRE of GARNOME, the bleeding edge GNOME distribution, has
been announced. "This is a *pre* release for smoketesting. The actual next
unstable release is expected within the next 2 days."
Also, GARNOME 2.12.2.1 has been released; it features bug fixes and
Firefox 1.5.
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
Electronics
Version 2.0.3 of Logisim, a graphical design and simulation tool for
logic circuits,
is available.
"
The new version introduces a module for logging
simulation results into a file. Additionally, the new version introduces a
Probe component into its base built-in library, and it repairs a few
relatively minor bugs."
Comments (none posted)
Version 0.5.7 of Signs, a logic synthesis tool and gate level simulator for circuit descriptions in VHDL and other hardware description languages,
has been announced.
"
This release featured lots of ATPG/Faultsim bugfixes and a much improved netlist viewer, which handles busses correctly. Performance of the handling of large netlists was improved."
Comments (none posted)
Development version 3.5.2 of
XCircuit,
an electronic schematic drawing application, is out with bug fixes.
Comments (none posted)
Financial Applications
Version 1.3 of TrustMaster
is available.
"
TrustMaster is a financial application designed to manage trust deferrable expenses. TrustMaster is written in Java and deployed using the Java Web Start Framework. Data is stored in the embedded Apache Derby database.
Release 1.3 utilizes TrustMaster's new reporting framework to provide Account List and Account Detail reports. Many more reports will be added in the near future. Also included in this release is the ability to delete erroneous entries from the Entries Dialog."
Comments (none posted)
Graphics
GnomeDesktop
looks at
the 2D animation software
Synfig, which was recently
released as open-source code.
Comments (none posted)
GUI Packages
KDE.News
mentions
the availability of a new
tutorial on PyQt.
"
Sebastian Kügler has written a new PyQt tutorial. Python is the perfect
language to start learning programming with and this tutorial takes you
through making a basic Qt based program. He also shows how pyuic from PyKDE
Extensions makes it possible to use Qt Designer with Python."
Comments (none posted)
Imaging Applications
Version 2.2.1 of Comix, an image viewer designed to handle comic books,
is available.
"
Version 2.2.1 contains a lot of bugfixes, mainly concerning the new thumbnail feature."
Comments (none posted)
Interoperability
Version 0.9.3 of Wine (Wine is Not an Emulator)
has been announced.
It features OLE improvements, better audio driver management,
browser improvements, new dbghelp APIs, wineserver directory objects, and
bug fixes.
Comments (none posted)
Issue 301 of the
Wine Weekly News is available. Topics include:
News: Wine 0.9.3, Accelerating DirectDraw, Git Scripts, Finding Regressions,
Feedback on aRTs, ESounD, and JACK Drivers, Fedora 64-bit x86, and
Relay Segfaults.
Comments (none posted)
Multimedia
Version 0.10 of GStreamer, a streaming multimedia framework, is available.
"
One and a half year. A large number of developers contributing. High
expectations and a lot of pressure. The wait is over, GStreamer 0.10 has
arrived! GStreamer 0.10 is a huge step forward for GNU/Linux and Unix
multimedia. Power, stability, functionality, deployment, industry
support, GStreamer 0.10 has it all. Prepare yourself for the revolution!" See the
release announcement for a long list of new features.
Full Story (comments: 10)
Miscellaneous
Version 0.8 of fluxus, a Scheme scripting environment for audio- or OSC-driven
3D animation, is available for your viewing pleasure.
Changes include mouse interactivity, native JACK support, JPEG
screen dumps, and more.
Full Story (comments: none)
Languages and Tools
C
Version 3.4.5 of GCC, the GNU Compiler Collection, is available.
"
This version is a minor release, from the 3.4.x series, fixing
regressions with respect to previous versions of GCC."
Full Story (comments: none)
Caml
The November 29 - December 13, 2005 edition of the Caml Weekly News
is online with new Caml language articles.
Full Story (comments: none)
Java
Version 1.3.6 of iText, a JAVA-PDF Library,
is available. Here are the changes:
"
You can now define a repeating footer for a PdfPTable. Lists and combo fields can now be set in the AcroFields object. There was some serious debugging activity in the area of class Table (thank you Karsten Klein!). The toolbox looks a little bit different now. There's a new tool that allows you to inspect the internals of a PDF file."
Comments (none posted)
Version 3.0.4 of Jameleon, an automated testing framework,
is available.
"
Changes were made to the Jameleon Core, Jiffie Plug-in and HttpUnit Plug-in. All modules have been compiled against Java 1.4.2 and should work with both Java 5.0 and 1.4.2."
Comments (none posted)
Pascal
Version 2.0.2 of Free Pascal has been announced.
"
This is a bug fix release, so don't expect a big new feature
list here. Most of the almost 700 changes made to 2.0.2 since 2.0.0
are fixes for some issues."
Full Story (comments: none)
Perl
Phil Crow shows how to
test Perl code on O'Reilly.
"
For the last several years, there has been more and more emphasis on automated testing. No self-respecting CPAN author can post a distribution without tests. Yet some things are hard to test. This article explains how writing Test::Files gave me a useful tool for validating one module's output and taught me a few things about the current state of Perl testing."
Comments (none posted)
Python
The December 14, 2005 edition of Dr. Dobb's Python-URL! is online
with the latest Python language articles and resources.
Full Story (comments: none)
Ruby
The December 11th, 2005 edition of the
Ruby Weekly News looks at the latest discussions
from the ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The December 8, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk articles and resources.
Full Story (comments: none)
The December 12, 2005 edition of Dr. Dobb's Tcl-URL! is available with
the latest Tcl/Tk news and resources.
Full Story (comments: none)
Build Tools
The Apache Software Foundation has
announced the release of Apache Maven 2.0 and Continuum 1.0.
"
Maven 2.0 is based on a unified Project Object Model (POM) architecture,
which consists of metadata describing clear, consistent phases for building
projects. Maven 2.0 offers a unique plug-in environment that provides an
extensible development framework to support multiple languages for total
re-usability across projects. It also features new software "DNA" mapping to
track and manage transitive build dependencies across repositories.
Continuum 1.0 enables continuous integration by both automating the
testing and packaging phases of the software build, and providing reports on
build status, including success, failure and unit test coverage."
Comments (1 posted)
Test Suites
Version 3.1.1 of STAF, the Software Testing Automation Framework, and
the associated STAX package
are available with bug fixes.
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
eWeek
covers a recent OSDL meeting which included over two dozen
representatives from various Linux desktop projects.
"
The most concrete result from the meeting, however, was the creation of the Portland Project.
"Portland will provide a common set of Linux desktop interfaces that allows applications to easily integrate with the Linux desktop that the end user or his organization has chosen to work with," said Waldo Bastian, a KDE engineer and a FreeDesktop leader."
Comments (36 posted)
KDE.News
reports on the recent
KDE Quality Assurance Meeting. "
After having some food, Ellen
Reitmayr of OpenUsability.org fame was kind enough to educate the rest of
us about usability. The fact that a whole bunch of factors which influence
the usability of the user interface can easily be checked automatically
came as a relieving surprise (so the idea wasn't all that crazy after
all!). During her explanations, it became apparent that even though many
things are terribly difficult to check automatically it would be a big
achievement if we could have nightly checks for the low hanging
fruits. Getting them out of the way (and there are a lot of them) would
give the usability people more time to focus on the things which actually
require human intervention."
Comments (none posted)
Trade Shows and Conferences
LinuxDevices
reports that
LinuxWorld Boston 2006 organizers are considering an embedded Linux
pavilion. "
According to Exhibits Coordinator Ellen Boland, the
Invisible Linux pavilion concept is modeled after a similar, successful
pavilion at a LinuxWorld Expo in Germany. Although currently still at the
"concept stage," several companies have expressed interest, she
says. "Obviously, mobile is the hot area. We're talking to embedded Linux
users such as Nokia, Motorola, and PalmSource, as well as embedded Linux OS
and service providers.""
Comments (none posted)
Joe 'Zonker' Brockmeier
reports from the 19th Large Installation System Administration (LISA) Conference in San Diego. "
LISA is a strong community show, and you'll hear a lot of references to the "hallway track," the between-sessions time where geeks get together between classes and socialize. I've already met a number of interesting folks from other companies, and have had a great time chatting with other geeks in attendance and finding out what kind of work they do, and what tools they use." Day 2 is also
available.
Comments (1 posted)
Joe 'Zonker' Brockmeier
reports
from the 19th Large Installation System Administration Conference (LISA).
"
At LISA, no matter how well you plan your schedule, the odds are
good that you won't be able to attend all of the sessions that you're
interested in. Case in point: On Friday morning I had to choose between a
refereed papers session about management tools, an invited talk on wireless
security, guru sessions on change management and security/cryptography, or
Kevin Bankston's invited talk on "How Sysadmins Can Protect Free Speech and
Privacy on the Electronic Frontier." In the end, I opted for Bankston's
talk."
Comments (none posted)
Companies
eWeek
looks
at Mandriva's growing business. "
Today, the company has
approximately 130 employees with most of them in France and Brazil. With a
market cap of about 35 million Euros and quarterly revenues of
approximately 5.5 million Euros, Mandriva is now fiscally stable."
Comments (none posted)
Red Hat has announced a
challenge grant
for donations to the Creative Commons.
"
Red Hat supports Creative Commons in their mission. Creative Commons is in the midst of a year-end fund drive, and Red Hat has established a matching program to help them meet their goal. If you donate to Creative Commons, Red Hat will match your donation dollar for dollar, up to a maximum of $5000 total for all donations." The challenge will end on
December 31. (Thanks to Benjamin Kosnik.)
Comments (2 posted)
NewsForge
looks at the latest developments from Turbolinux.
"
Turbolinux, recovered and prospering in its new incarnation as an Osaka Securities Exchange-listed company, is looking to achieve success in Asian markets beyond Japan and China. The company, now a subsidiary of booming Japanese portal operator Livedoor, has announced plans to double its percentage of income from exports to neighboring countries to 20% within the next couple of years. The latest venture for Turbolinux is into the relatively untapped Vietnamese market, where it has started to conduct market research under a contract with Japan's Ministry of Economy, Trade and Industry."
Comments (1 posted)
Linux Adoption
The seventh
edition of
Linux in Italian Schools looks at how Free and Open Source Software is
helping Italian schools with adult education and training programs.
"
The first module of the 2002 program, for example, ranged from
teaching the definition of ICT and its influence on society and daily life
to ergonomics and legal implications of computer security. The next module
explained in detail how to create folders, what home directories and file
permissions are and why, on Linux, disks have to be mounted. Immediately
after this, students would learn what a graphical user interface is and how
to choose one from GNOME, KDE and the others."
Comments (none posted)
IT-Director
tries to discourage business interest in open source, especially on the desktop. "
Technical support will involve participating in internet forums, asking people of unknown capability for help with any problems and trusting that what comes back is a real fix, not some means of a malicious person gaining access to the user's system. This haphazard way of supporting IT is unattractive, especially for smaller businesses with limited in-house expertise."
Comments (11 posted)
Legal
Groklaw
looks at a letter from the CCIA regarding open office standards.
"
The Computer & Communications Industry Association (CCIA) has just sent Ecma International a letter calling upon the international standards group to reject "Microsoft's proposal for what it calls an open standard for office productivity applications."
"Far from fostering competition," the letter, signed by Ed Black, President and CEO of CCIA said, "Microsoft's proposal seems destined to assure that only Microsoft will produce software that can interoperate fully with its products.""
Comments (9 posted)
Groklaw
shows the
agenda for a meeting to discuss open formats. "
The agenda for
the December 14 meeting, "An Open Forum on the Future of Electronic Data
Formats for the Commonwealth," the Hart public meeting, has now been
distributed to interested parties. It's in .doc format, natch. Sigh. Some
of the Massachusetts senators really do think the whole world uses
Microsoft. Thanks to OpenOffice.org, I was able to read it anyway, even
though I don't use Microsoft's Word. There is life without
Microsoft."
Comments (none posted)
The British government
will hold a year-long review of the UK's intellectual property
rights system.
"
The review will provide an analysis of the performance of the UK IP system, including:
the way in which Government administers the awarding of IP and their support to consumers and business;
how well businesses are able to negotiate the complexity and expense of the copyright and patent system, including copyright and patent licensing arrangements, litigation and enforcement; and
whether the current technical and legal IP infringement framework reflects the digital environment, and whether provisions for fair use by citizens are reasonable."
(Thanks to Nick Talbott.)
Comments (11 posted)
Interviews
The latest
interview in
The People Behind KDE series features András Mantia.
"
Q:In what ways do you make a contribution to KDE?
A:In general my biggest contribution is C++ code and some documentation. Ideas and discussions might also be considered as a contribution.
The main area where I work is the kdewebdev module in general and Quanta Plus especially. Together with Eric Laffoon we are the heart of Quanta and its current maintainers. Outside of kdewebdev, I contributed to some extends to the KDE libraries, to KDevelop, kdetv and some patches here and there which I don't count."
Comments (none posted)
LXer
interviews
Fabio Marzocca, author of the BUM Boot-Up Manager.
"
LXer: How did you get involved with Linux, and Ubuntu in particular?
Fabio: I have a typical experimenting approach towards anything is new, and when Linux came out I was extremely curious. Then, about 4 years ago, I was tired about Windows capabilities because I felt it was choking any free experimenting activity, so I gave Linux a try.... and I fallen in love!"
Comments (none posted)
John Littler
interviews
Hideya Kawahara about Project Looking Glass. "
3D has practically
taken over video gaming. Lifelike, if not very pleasant, worlds exist
aplenty--worlds that most users find easily navigable without any training
whatsoever. Is the world of spreadsheets, word processors, and the like
just unsuitable for 3D? Is it a case of "If it ain't broke, don't fix it"?
Or is it that we've lacked imagination? John Littler recently talked to
Hideya Kawahara about an open source 3D desktop project that he started and
that Sun subsequently took under its wing."
Comments (none posted)
LXer has
an
interview with Marten Mickos, CEO of MySQL AB. "
The top goal is
always to produce something about which our users and customers can say,
"It just works!". This means focusing on reliability, performance and ease
of use. Yes, we also add new features, but new features are not our top
priority. We try to make sure that we fit into the new IT architectures --
the LAMP stack, web applications, new types of enterprise applications, and
so on."
Comments (none posted)
eWeek has posted
an interview with
Red Flag VP Zhongyuan Zheng. "
And from the end of last year, the
central government asked the provincial governments and the city
governments to buy legal software to replace all of the previously illegal
software. These governments - city and provincial - compared the
performance, capabilities and price of desktop Linux and Windows and they
considered whether they could migrate all their applications from Windows
to Linux. So finally about 30 percent of desktops in China now use
Linux. Microsoft has about 60 percent."
Comments (2 posted)
Resources
O'ReillyNet is
looking
for better bug tracking systems. "
More than most tools, bug
trackers serve lots of different groups of people. Developers want to know
which bugs need to be fixed. Testers want to know which bugs have been
fixed in each build. Managers want answers to very different questions:
"What kinds of bugs are there?" "Who should work on this bug?" and, "Is the
number of critical bugs increasing or decreasing?""
Comments (10 posted)
Groklaw
looks
at security reasons to use OpenDocument format. "
Here is a
letter that security professional Dan Geer has just sent to Massachusetts
Senator Marc Pacheco, and he tells me he sent similar letters to Secretary
of the Commonwealth Francis Galvin and Senate President Robert
Travaligni. He warns them that the Commonwealth needs to mitigate its risk
by avoiding a computing monoculture. If a private company received such a
letter, I assure you that their lawyers would take it very seriously, as it
would put them on notice, actual notice. Dr. Geer strongly supports
OpenDocument Format, as you will see, and his reasons include concern about
security issues."
Comments (none posted)
Reviews
The Linux Journal continues its look at OpenOffice.org features with
this article on master documents. "
Master documents aren't a feature of Writer that everyone needs. If you never write documents longer than 30 pages, you probably can ignore them entirely. However, if you ever write anything longer--especially a document that shares some parts with other documents--take the time to learn about them."
Comments (none posted)
Miscellaneous
Linux-Watch
looks at Linux
certification programs. "
[As] Linux increasingly is entering
businesses' front doors rather than as a skunk-works project in the
back-room, the people hiring Linux-workers are more likely to be in human
resources than in IT. That, in turn, means you're more likely to be judged
by your degrees and certifications than by your experience and
skills."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has sent out a media release regarding
the new Online Rights Canada organization.
"
Online Rights Canada (ORC) launched in Canada
Friday, giving Canadians a new voice in critical technology
and information policy issues. The grassroots organization
is jointly supported by the Canadian Internet Policy &
Public Interest Clinic (CIPPIC) and the Electronic Frontier
Foundation (EFF)."
Full Story (comments: none)
The Electronic Frontier Foundation has sent out a press release
concerning their suit over the illegal certification of
three electronic voting systems in North Carolina.
"
North Carolina law requires the Board of Elections to
rigorously review all voting system code "prior to
certification." Ignoring this requirement, the Board of
Elections on December 1st certified voting systems offered
by Diebold Election Systems, Sequoia Voting Systems, and
Election Systems and Software without having first obtained
let alone reviewed the system code.
"This is about the rule of law," said EFF Staff Attorney
Matt Zimmerman. "The Board of Elections has simply ignored
its mandatory obligations under North Carolina election
law."
Full Story (comments: 18)
The FFII has sent out a dispatch (click below) on the adoption of the data
retention directive by the European Parliament. It looks like a worst-case
outcome: massive privacy invasion, few limits on how data can be used (the
entertainment industry will be pleased), and more. "
Among other harsh measures, the
directive mandates recording of the source and destination of all
emails you send and every call you make, and your location and
movement during mobile phone calls. Additionally, the directive says
nothing about who has to pay for all this logging, which will
significantly distort the internal telecommunications market."
Full Story (comments: 33)
The preliminary results for this year's GNOME Foundation board election
have been posted. The board going forward would appear to consist of Luis
Villa, Jeff Waugh, Federico Mena-Quintero, Jonathan Blandford, David Neary,
Anne Østergaard, and Vincent Untz. Click below for the full results.
Full Story (comments: none)
KDE.News
reports on the
creation of KDE India. "
A group of enthusiastic KDE users and
developers met last week at the FOSS.IN conference in Bangalore, one of the
largest Free and Open Source Software meetings in the world, to combine
their efforts in various regions of the country under a common banner and
build a central platform for all things KDE in India. Along with spreading
KDE awareness in India, especially in colleges and with local businesses,
KDE.in has a few more practical goals. KDE.in will provide Indian KDE
developers and users with a community hub to coordinate with and support
each other."
Comments (1 posted)
Commercial announcements
Telecom provider Alcatel will be using the MySQL cluster database,
according to this
press release.
"
Under the agreement, Alcatel will use the high-availability MySQL Cluster database in its Multi-access Data Server (MDS) platform, to be used as part of several Alcatel network products, including the Home Location Register (HLR), IP Multimedia Home Subscriber Server (IM-HSS) and Unlicensed Mobile Access (UMA) systems."
Comments (none posted)
Genuitec has announced the release of MyEclipse 4.1.
"
Backed by world-class support, MyEclipse is the
comprehensive J2EE®- and Web-development tool suite
designed for Enterprise developers and consultants looking for top value in
a commercial-grade Integrated Development Environment (IDE). MyEclipse 4.1
is the first Eclipse-based platform to support AJAX development, offer an
integrated image editor and include new Web 2.0 development capabilities."
Full Story (comments: none)
SGI has
announced the selection of an SGI 1280 processor supercomputer
by Tohoku University's Institute of Fluid Science.
"
The new supercomputer, shipped this summer, is comprised of a scalable
SGI(R) Altix(R) 3000 scalar parallel server based on the 64-bit Linux(R)
OS, a vector parallel NEC computer, a scalable Silicon Graphics Prism(TM)
visualization system, external secondary storage systems and data archive
systems, all of which are interconnected via high-speed network, enabling
sharing of large files with the SGI(R) InfiniteStorage CXFS(TM) shared
filesystem and the NEC GFS global file system attached to the Storage Area
Network (SAN)."
Comments (none posted)
SugarCRM Inc. has
announced the release of version 4.0 of their Sugar Suite
customer relationship management (CRM) software.
"
Guided by customer and
community input, Sugar Suite 4.0 introduces powerful new functionality such as
advanced reporting and customizable dashboards, campaign management, workflow
management and access control, email processing and enhanced lead sharing."
Comments (none posted)
Novell has
announced a deal with the Swiss federal government whereby much of the federal infrastructure will move over to SUSE Linux. All told, Novell expects that over 3000 servers will run SUSE.
Comments (5 posted)
VMware, Inc. has
announced their new VMware Player.
"
VMware, Inc., the global leader
in virtual infrastructure software for industry-standard systems, today
announced the general availability of VMware Player, a free new product that
enables anyone to easily run, evaluate and share software in a virtual machine
on a Windows or Linux PC. In addition, VMware announced that it has partnered
with the Mozilla Corporation to deliver the Browser Appliance, a virtual
machine powered by Mozilla Firefox that allows users to securely browse the
Internet."
Comments (none posted)
New Books
The book
Counter Hack Reloaded, Second Edition by Edward Skoudis
and Tom Liston will be published by Prentice Hall, PTR on December 30.
Full Story (comments: none)
O'Reilly has published the book
Designing Interfaces
by Jenifer Tidwell.
Full Story (comments: none)
O'Reilly has published the book
Head First HTML with CSS & XHTML
by Elisabeth Freeman and Eric Freeman.
Full Story (comments: none)
O'Reilly has published the book
Linux Multimedia Hacks by Kyle Rankin.
Full Story (comments: none)
SitePoint has published the book
Run Your Own Linux & Apache Web Server
by Stuart Langridge and Tony Steidler-Dennison.
Full Story (comments: none)
Prentice Hall has published the book
Point & Click OpenOffice.org by Robin 'Roblimo' Miller.
Full Story (comments: none)
O'Reilly has published the book
Wireless Networking Magic
by Rob Flickenger and Roger Weeks.
Full Story (comments: none)
Resources
The December 8, 2005 edition of the Free Software Foundation Europe
Newsletter is online. Topics include:
First Austrian Fellowship meeting, Tweakfest in Zurich,
UN World Summit on Information Society, LinuxWorld Expo in Frankfurt/Main,
Seminar in Dublin about preventing software patentability,
Jornadas Regionales de Software Libre in Rosario (Argentina),
LinuxDay in Italy, Removal of Free Software from WSIS "Vienna Conclusions"
and Welcoming the Free Software Foundation Latin America.
Full Story (comments: none)
Surveys
GnomeDesktop.org
requests your input
for the 2006 GNOME marketing slogan.
Comments (1 posted)
Upcoming Events
Novell, Inc. has
announced
the dates for its BrainShare Conference, March 19 - 24, 2006.
"
Attendees will be able to select from over 200 sessions conducted by
Novell employees, customers and partners, with topics ranging from
enterprise data center management to implementing open source software and
securing IT information assets."
Comments (none posted)
LinuxMedNews has announced a
call for papers for a special track on the use of
OSS and ODF in Health and Medical Systems at the
IEEE International Symposium on Computer-Based Medical Systems.
The conference will take place in Salt Lake City, Utah on June
22 and 23, 2006.
Comments (none posted)
Registration for PyCon 2006 is open. The event will take place in
Addison, Texas on February 24-26, 2006.
Full Story (comments: none)
The Modern Computer Music and DSP Programming Tools Workshop will be
held in Mainz, Germany on December 20, 2005.
Full Story (comments: none)
| Date | Event | Location |
| December 15 - 20, 2005 | Umeet Virtual Meeting (UMEET 2005) | Online |
| December 15, 2005 | 24th Annual Minnesota Government IT Symposium | St. Paul, Minnesota |
| December 27 - 30, 2005 | 22nd Chaos Communication Congress | Berlin, Germany |
| January 13 - 15, 2006 | ShmooCon 2006 | Wardman Park Marriott Hotel, Washington, D.C. |
| January 23 - 28, 2006 | linux.conf.au 2006 | Dunedin, New Zealand |
| January 23 - 25, 2006 | Black Hat Federal Briefings and Training 2006 | Sheraton Crystal City, Washington, D.C. |
| January 24 - 26, 2006 | O'Reilly Emerging Telephony Conference | San Francisco Airport Marriott, San Francisco, CA |
Comments (none posted)
Web sites
Segetech Ltd has announced the launch of their
Segetech Open Source Rendezvous
site.
"
Segetech, Ltd., provider of Open Source
customization and integration services, today announced the launch of
Segetech Open Source Rendezvous portal. The portal contains detailed
guides to configure and integrate some of the most widely used Open Source
components as seamless computing environments. The site is available
immediately without registration or membership fee."
Full Story (comments: none)
Page editor: Forrest Cook
Letters to the editor
| From: | Alastair Stevens <alastair-AT-altrux.me.uk> |
| To: | tech-AT-guardian.co.uk, letters-AT-lwn.net |
| Subject: | Andrew Brown's article on OpenOffice |
| Date: | Thu, 08 Dec 2005 22:51:35 +0000 |
Dear Sirs
I have just read Andrew Brown's musings on OpenOffice* in this week's
technology supplement, and I'm compelled to disagree with his conclusions.
I've been an OpenOffice user for some years myself, and I agree that it
has its major flaws, and that its development pace is more glacial than
many would like. However, it is well known that the open source model
doesn't always work well for certain classes of software, this being one
of them. That conclusion is nothing new.
But to generalise it into a sweeping slur on the open source development
model is completely wrong. Open source has more than proved itself in
the arena of infrastructure software; after all, vast portions of the
Internet's servers have run on it for years. There are countless
examples of open source projects powered by a healthy and active
community of participants, which produce rapidly-maturing, stable and
remarkably bug-free products.
OpenOffice is a unique project, with lofty challenges and daunting
goals; but to paint its shortcomings onto the entire, vast open source
movement is deeply misleading.
Yours etc
Alastair Stevens
Cambridge, UK
* http://technology.guardian.co.uk/weekly/story/0,16376,166...
--
o
Alastair Stevens : fruit of 1976 /-'_ LPI (Level 1)
>> www.altrux.me.uk |\/(*) /\__ Linux Certified
________________________________ . .(*) _____/ \___________________
Still suffering with IE? Ignite a new web - www.GetFirefox.com
Comments (3 posted)
Page editor: Jonathan Corbet