LWN.net Logo

LWN.net Weekly Edition for February 9, 2006

Looking a Novell gift horse in the mouth

Novell's February 7 press release proclaiming its contributions to the X.org and GNOME projects was generally well received. It is hard to disagree with better graphics and more fun eye candy, after all. Novell's work shows that the free software community has the potential to take the leadership on desktop issues, and that is a good thing. Free software desktops will only take over the world if the community can produce a desktop experience that is truly better than the alternatives.

The issue that has come up in some quarters, however, is that of "community." Developers in the wider GNOME community, in particular, are feeling somewhat excluded from the process. Novell's work, to them, is not a community development - it's a product which has emerged in complete form from a corporate cathedral. While it is great that Novell is doing this work, they say, wouldn't it have been better to involve the community from the outset? Now community members are in a position of reviewing a large drop of code that they had no part in designing, and not all of them are happy about it.

If the words of Novell's Dan Winship are representative of the company's position (he claims to be speaking only for himself), Novell believes it has taken the right approach:

If we had proposed the changes on the mailing lists, it would have started a huge discussion about what people hated about the design ("you can't make the panel menu depend on beagle!!!") and how it should be different. And then we could have either (a) completely ignored everyone and done it ourselves anyway, or (b) had a long conversation about the merits of the design and then not actually finished the code in time for NLD10.

So we did it ourselves, and now either GNOME will like what we did, in which case, yay, free code for GNOME, or GNOME won't like what we did, in which case, no harm no foul for GNOME, and yay, brand differentiation for Novell.

Dan goes on to say that it simply is not possible to perform software design in a community setting. Everything good which has ever been done in the GNOME project has been the result of a small group's work. All big community debates tend to do is to slow down or stop the process. "Design by committee," says Dan, does not work.

GNOME hacker Jeff Waugh disagrees does not want to give up on community involvement in design:

This is a very sorry state of affairs for GNOME. But it is not only Novell and its employees who have adopted this commons-sapping, community-tearing, morally and intellectually lazy approach to open design and development in GNOME.... Ultimately, this is *killing our community*. And it must be fought.

One useful perspective in the discussion came from Alan Cox, who made a distinction between "design by community" and "design in the community." The latter approach leaves the bulk of the design work in the small group which is most interested in it, but which recognizes that the community may have something to add. When design work is taken out of the community altogether, something is lost:

If you design stuff in secret then publish it, it will have no review of quality, no style checking, no security audit, no extra pairs of eyes and extra brains on it. Mouths are in oversupply but brains/eyes are not.

Jeff agreed, and went on to compare GNOME development with how the Linux kernel is managed:

While the Linux process has its warts, there are two things it is great at that we should mention here: First, a fairly easy to understand technical and social leadership - decisions get made. Second, a pretty uncompromising approach to design in the community - it's really hard to drop a pre-cooked hairball (cat hair *or* angel hair) into the kernel process without getting roasted, spanked and harshly reviewed.

If, from this particular perspective, the kernel process is seen as being more successful than GNOME, it might be worth asking why. It is indeed true that the kernel community responds poorly to large piles of code which appear out of the blue. Often, such code must go through substantial revisions before it will be considered for merging - the community gets its say in the end after all. The reiser4 experience is a good example; the new version of the Reiser filesystem showed up in complete form, with a request for expedited merging. Numerous problems were found with the code, however, and reiser4 remains out of the kernel years later, even with numerous fixes made and features removed. In the kernel space, most developers learn, sooner or later, to involve the community early in a project's life.

The leadership issue is worth a look as well. As Jeff pointed out, the kernel has a relatively clear decision-making process, though it can be frustrating for contributors to work with. Discussions tend not to go on forever because, in one way or another, decisions get made. Instead, says Jeff, GNOME is "without coherent leadership." He would like to see the GNOME project structure reworked so that decisions are easier to make - though what form those changes would take is yet to be worked out.

Another issue, raised by Havoc Pennington, is the vision the project has for itself. The GNOME project, says Havoc, needs to come up with a better idea of who its user community is and to not be afraid to lose users who are outside of that community. When the project has a clearer sense of what it is trying to do, decisions will be easier to make. The kernel project knows what it is trying to do:

They are writing a component for use by developers, not an end-user product. And they aren't ashamed of it and they optimize for it and they do it well.

Havoc suggests that GNOME might want to take a similar approach: create a series of components which can be rearranged and customized by distributors and gadget-makers to fit their specific needs. Such an orientation would let GNOME focus on making the best tool possible while allowing others, who are arguably closer to the ultimate users, to make the desktop fit those users' needs.

That leads to one of the driving forces behind this entire debate. To a great extent, companies distributing Linux (or products incorporating Linux) tend not to differentiate their offerings with kernel features. Distributors do add kernel patches, but the size of those patches has gone down considerably with the advent of the 2.6 development process. This is an important point: the development process change has had the effect of significantly reducing the differences between distributors' kernels. But user interface changes are visible to all who work with a system in a way which most kernel changes are not. Distributors will thus always have a strong incentive to put their particular mark on the desktop and to try to have the coolest features first. So, at best, we are likely to see more desktop work done in relative secret until it is deemed ready to be shipped. At worst, we could see a repeat of the highly tweaked desktops shipped during the worst of the proprietary Unix days.

Distributors have strong reasons to differentiate their offerings, but they also depend heavily on projects like GNOME to provide the foundation on which they can create those offerings. Taking much of their development semi-proprietary may help sales in the next year or so, but that could happen at the cost of eventually tearing apart the community upon which they depend, even if they do not necessarily respect its design guidance. If GNOME is to remain healthy well into the future, these two forces will have to be reconciled. The solution will likely involve a combination of project governance changes and a more community-oriented approach by all participating companies. This should be something the community can achieve.

Comments (29 posted)

Easter eggs and free software

Someday, when you feel that you have been sufficiently productive for a while, fire up the OpenOffice.org spreadsheet application. Select a cell, and insert =Game("StarWars") into that cell. Launch missiles at alien creatures until you feel ready to get something useful done again. Yes, the OpenOffice.org developers, evidently feeling that the application [StarWars] had become too small and quick, decided to toss in an easter egg. Judging from the occasional German-language popup window, this feature has been present for quite some time. Others exist as well, happy hunting.

Easter eggs have been present in software - free and proprietary - for many years. Old versions of make used to respond to "make love" with "not war?"; your editor notes with sadness that GNU make does not retain that feature. In general, easter eggs are a way for developers to express themselves, and are generally seen by users as amusing, or harmless at the worst. Recently, however, an OpenOffice user complained about the presence of the StarWars game. Free programs, he says, should not contain hidden features like that. One of the advantages of free software is supposed to be the lack of surprises; if you install an office suite, that is what you should get. The hiding of games, pictures of the developers, and other unrelated features in free software threatens to make the whole enterprise appear to be insufficiently serious.

Others have argued that easter eggs can endanger the use of free software in settings (like schools) where hidden games might not be welcome. This is, they say, one Microsoft feature that we do not need to emulate. To that end, various bug reports have been filed asking for the removal of easter egg features.

As a counterpoint, one could argue that free software is supposed to be fun for both its developers and its users. Those who don't want to play "StarWars" might be well advised to install a sense of humor upgrade and simply not invoke the feature - which, after all, one has to go looking for in the first place. When the code police start going after easter eggs, humorous diagnostics (the kernel still has several variants of the "peripheral is on fire" message), or possibly offensive code comments, some of the developers will start to think that they want to go elsewhere.

As free software development processes mature and the user base increases, it seems likely that many of the easter eggs are likely to disappear, especially in the larger, more mainstream applications. Developers who are interested in code quality and bloat will see an easy way to remove an apparently unnecessary feature. Projects which have their own PR departments (and, yes, such projects exist) will not welcome the sort of attention that easter eggs bring. And those which remain may be excised by the more business-oriented distributors. But, free software developers being what they are, there will always be a surprise or two waiting for those who know where to look.

Comments (22 posted)

Page editor: Jonathan Corbet

Security

crypt_blowfish

In the early days of Unix, the DES-based algorithm used to encrypt (actually, to generate hashes from) passwords was considered to be quite secure. Hashing a password took a significant fraction of a second, so brute-force attacks were considered impractical. The possibility of attacks using hardware-based DES engines was closed off by the addition of a "salt" parameter which perturbed the algorithm slightly. All in all, the early crypt() authors felt pretty good about their work, to the point that the encrypted passwords were stored in a world-readable file and nobody worried about it.

Along came faster processors and smarter software. Simple passwords became easy to crack with the right software (which was widely available), and the harder passwords looked less hard all the time. So a few changes were made, including moving the password hashes to a read-protected file and changing to the MD5 hashing algorithm. Everything looked better for a while. But along came faster processors and smarter software, and now MD5 passwords look rather less secure than they once did.

The attentive reader might notice a pattern here. Hashing algorithms must be sufficiently expensive to compute that they are not susceptible to brute-force attacks. But they cannot be so expensive that the user community rebels. So the designers of a password hashing algorithm must find a compromise between security from attackers and security from aggravated users. As computers inevitably become more powerful, that compromise must shift in favor of the attackers.

A solution to this problem was presented by Niels Provos and David Mazières in a 1999 USENIX paper. Their conclusion was that, in order to have a future-proof password hashing algorithm, one must be able to dial up the computational cost of that algorithm over time. If the cost can be provided as a parameter - and stored with the hashed password - then password hashing can be made more expensive (in terms of CPU cycles) while maintaining compatibility with currently-hashed passwords.

The authors implemented a version of the Blowfish algorithm with a tweak to the key schedule generation mechanism. That code has a "cost" parameter which controls how expensive the generation step is; a higher cost will result in a longer key schedule generation task. Needless to say, code checking a password must use the same cost as the code which initially generated the hash, or the results will not match.

OpenBSD has used the variable-cost Blowfish code (called "bcrypt") for some years now, but it is still relatively difficult to find on Linux systems. Perhaps that will change with the release of crypt_blowfish 1.0, just announced by Solar Designer. This release, being "the first mature version," comes with a password-hashing interface and a PAM module for hooking it into Linux systems. It should, thus, be relatively easy for distributors to add to their configurations, as an option, at least. Making the front door to Linux systems a little more secure has just gotten easier.

(For more information, see the crypt_blowfish web page).

Comments (6 posted)

New vulnerabilities

ADOdb: PostgresSQL command injection

Package(s):adodb CVE #(s):CVE-2006-0410
Created:February 6, 2006 Updated:April 17, 2006
Description: Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host.
Alerts:
Gentoo 200604-07 2006-04-14
Debian DSA-1031-1 2006-04-08
Debian DSA-1030-1 2006-04-08
Debian DSA-1029-1 2006-04-08
Gentoo 200602-02 2006-02-06

Comments (none posted)

gnocatan: buffer overflow

Package(s):gnocatan CVE #(s):CVE-2006-0467
Created:February 3, 2006 Updated:February 7, 2006
Description: A problem has been discovered in gnocatan, the computer version of the settlers of Catan boardgame, that can lead the server and other clients to exit via an assert, and hence does not permit the execution of arbitrary code. The game has been renamed into Pioneers after the release of Debian sarge.
Alerts:
Debian DSA-964-1 2006-02-03

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0454
Created:February 8, 2006 Updated:February 18, 2006
Description: A denial of service vulnerability has been found in the kernel ICMP code; kernel 2.6.15.3 fixes the problem.
Alerts:
Mandriva MDKSA-2006:040 2006-02-17
Ubuntu USN-250-1 2006-02-13
Trustix TSLSA-2006-0006 2006-02-10
SuSE SUSE-SA:2006:006 2006-02-09
Fedora FEDORA-2006-102 2006-02-07

Comments (1 posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CVE-2005-4134 CVE-2006-0292 CVE-2006-0296
Created:February 2, 2006 Updated:May 4, 2006
Description: Mozilla has three new vulnerabilities. The Javascript interpreter has a problem with dereferencing objects. A user can visit a specially crafted web page which can crash the browser or cause it to execute arbitrary code.

The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites, RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed.

The Mozilla history saving mechanism is vulnerable to a denial of service attack, visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run.

Alerts:
Ubuntu USN-275-1 2006-04-27
Debian DSA-1046-1 2006-04-27
Fedora-Legacy FLSA:180036 2006-02-23
Mandriva MDKSA-2006:037 2006-02-07
Mandriva MDKSA-2006:036 2006-02-07
Fedora FEDORA-2006-076 2006-02-02
Fedora FEDORA-2006-075 2006-02-02
Red Hat RHSA-2006:0200-01 2006-02-02
Red Hat RHSA-2006:0199-01 2006-02-02

Comments (none posted)

OpenOffice.org: bypass security settings

Package(s):openoffice.org CVE #(s):CVE-2005-4636
Created:February 3, 2006 Updated:February 7, 2006
Description: OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings.
Alerts:
Mandriva MDKSA-2006:033 2006-02-02

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2006-0207 CVE-2006-0208
Created:February 2, 2006 Updated:March 23, 2006
Description: PHP has a response splitting vulnerability, remote attackers can inject arbitrary HTTP headers via an unknown method, possibly using a Set-Cookie header. Also, a number of cross-site scripting vulnerabilities can be used by remote attackers to inject arbitrary web scripts or html pages.
Alerts:
Gentoo 200603-22 2006-03-22
Ubuntu USN-261-1 2006-03-10
Mandriva MDKSA-2006:028 2006-02-01

Comments (none posted)

PHP: safe_mode bypass

Package(s):php CVE #(s):CVE-2005-3391
Created:February 8, 2006 Updated:March 10, 2006
Description: A vulnerability in the PHP GD extension (prior to version 4.4.1) can enable a remote attacker to bypass safe_mode restrictions.
Alerts:
Mandriva MDKSA-2006:035-1 2006-03-09
Slackware SSA:2006-045-07 2006-02-15
Mandriva MDKSA-2006:035 2006-02-07

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

xpdf heap based buffer overflow

Package(s):kpdf xpdf kdegraphics poppler CVE #(s):CVE-2006-0301
Created:February 3, 2006 Updated:March 17, 2006
Description: Another heap based buffer overflow has been found in xpdf and other programs that share the same code. This one is in Splash.cc and it can cause crashes and possibly arbitrary code execution.
Alerts:
Fedora-Legacy FLSA:175404 2006-03-16
Mandriva MDKSA-2006:054 2006-03-08
Gentoo 200602-12 2006-02-21
Debian DSA-979-1 2006-02-17
Ubuntu USN-249-1 2006-02-13
Slackware SSA:2006-045-04 2006-02-15
Slackware SSA:2006-045-09 2006-02-15
Debian DSA-974-1 2006-02-15
Debian DSA-972-1 2006-02-15
Debian DSA-971-1 2006-02-14
Red Hat RHSA-2006:0206-01 2006-02-13
Red Hat RHSA-2006:0201-01 2006-02-13
Gentoo 200602-05 2006-02-12
Gentoo 200602-04 2006-02-12
Fedora FEDORA-2006-104 2006-02-10
Fedora FEDORA-2006-103 2006-02-10
Fedora FEDORA-2006-105 2006-02-10
Mandriva MDKSA-2006:032 2006-02-02
Mandriva MDKSA-2006:031 2006-02-02

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
Slackware SSA:2006-129-01 2006-05-10
SuSE SUSE-SR:2006:004 2006-02-24
Fedora-Legacy FLSA:175406 2006-02-18
Gentoo 200602-03 2006-02-06
Fedora FEDORA-2006-052 2006-01-20
Red Hat RHSA-2006:0158-01 2006-01-17
Ubuntu USN-241-1 2006-01-12
Trustix TSLSA-2005-0074 2005-12-23
Mandriva MDKSA-2006:007 2006-01-05
Red Hat RHSA-2006:0159-01 2006-01-05
OpenPKG OpenPKG-SA-2005.029 2005-12-14

Comments (none posted)

auth_ldap: format string vulnerability

Package(s):auth_ldap CVE #(s):CVE-2006-0150
Created:January 10, 2006 Updated:February 28, 2006
Description: The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication.
Alerts:
Fedora-Legacy FLSA:177694 2006-02-27
Debian DSA-952-1 2006-01-23
Mandriva MDKSA-2006:017 2006-01-19
Red Hat RHSA-2006:0179-01 2006-01-10

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

curl: buffer overflow

Package(s):curl CVE #(s):CVE-2005-4077
Created:December 8, 2005 Updated:March 27, 2006
Description: The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access.
Alerts:
Gentoo 200603-25 2006-03-27
Debian DSA-919-2 2006-03-10
Trustix TSLSA-2005-0072 2005-12-16
Red Hat RHSA-2005:875-01 2005-12-20
Gentoo 200512-09 2005-12-16
Ubuntu USN-228-1 2005-12-12
Fedora FEDORA-2005-1137 2005-12-12
Fedora FEDORA-2005-1136 2005-12-12
Debian DSA-919-1 2005-12-12
OpenPKG OpenPKG-SA-2005.028 2005-12-10
Mandriva MDKSA-2005:224 2005-12-08
Fedora FEDORA-2005-1129 2005-12-08
Fedora FEDORA-2005-1130 2005-12-08

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 10, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

drupal: several vulnerabilities

Package(s):drupal CVE #(s):CVE-2005-3973 CVE-2005-3974 CVE-2005-3975
Created:January 27, 2006 Updated:February 1, 2006
Description: Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission (CVE-2005-3974). An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension (CVE-2005-3975).
Alerts:
Debian DSA-958-1 2006-01-27

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
rPath rPSA-2006-0084-1 2006-05-26
Fedora-Legacy FLSA:164512 2006-05-12
Slackware SSA:2006-045-01 2006-02-15
Debian DSA-939-1 2006-01-13
Ubuntu USN-233-1 2006-01-02
Mandriva MDKSA-2005:236 2005-12-23
Fedora FEDORA-2005-1187 2005-12-20
Fedora FEDORA-2005-1186 2005-12-20

Comments (none posted)

ffmpeg: buffer overflow

Package(s):ffmpeg CVE #(s):CVE-2005-4048
Created:December 15, 2005 Updated:March 17, 2006
Description: The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges.
Alerts:
Debian DSA-1005-1 2006-03-16
Debian DSA-1004-1 2006-03-16
Debian DSA-992-1 2006-03-10
Gentoo 200603-03 2006-03-04
Gentoo 200602-01 2006-02-05
Gentoo 200601-06 2006-01-10
Ubuntu USN-230-2 2005-12-16
Ubuntu USN-230-1 2005-12-14
Mandriva MDKSA-2005:228 2005-12-14
Mandriva MDKSA-2005:229 2005-12-14
Mandriva MDKSA-2005:232 2005-12-14
Mandriva MDKSA-2005:230 2005-12-14
Mandriva MDKSA-2005:231 2005-12-14

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 26, 2006 Updated:February 1, 2006
Description: Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery.
Alerts:
Gentoo 200601-13 2006-01-26

Comments (2 posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf: multiple vulnerabilities

Package(s):gdk-pixbuf gtk2 CVE #(s):CVE-2005-3186 CVE-2005-2976 CVE-2005-2975
Created:November 15, 2005 Updated:March 20, 2006
Description: The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim.

Alerts:
Fedora-Legacy FLSA:173274 2006-03-16
Debian DSA-913-1 2005-12-01
Debian DSA-911-1 2005-11-29
Trustix TSLSA-2005-0066 2005-11-18
Mandriva MDKSA-2005:214 2005-11-18
Ubuntu USN-216-1 2005-11-16
SuSE SUSE-SA:2005:065 2005-11-16
Gentoo 200511-14 2005-11-16
Fedora FEDORA-2005-1088 2005-11-15
Fedora FEDORA-2005-1087 2005-11-15
Fedora FEDORA-2005-1086 2005-11-15
Fedora FEDORA-2005-1085 2005-11-15
Red Hat RHSA-2005:811-01 2005-11-15
Red Hat RHSA-2005:810-01 2005-11-15

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: arbitrary command execution

Package(s):imagemagick CVE #(s):CVE-2005-4601 CVE-2006-0082
Created:January 24, 2006 Updated:March 24, 2006
Description: Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus).
Alerts:
SuSE SUSE-SR:2006:006 2006-03-17
Gentoo 200602-13 2006-02-26
Slackware SSA:2006-045-03 2006-02-15
Red Hat RHSA-2006:0178-01 2006-02-14
Gentoo 200602-06 2006-02-13
Debian DSA-957-2 2006-01-31
Mandriva MDKSA-2006:024 2006-01-26
Debian DSA-957-1 2006-01-26
Ubuntu USN-246-1 2006-01-24

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 10, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: heap overflow

Package(s):kdelibs CVE #(s):CVE-2006-0019
Created:January 19, 2006 Updated:March 17, 2006
Description: Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability.
Alerts:
Fedora-Legacy FLSA:178606 2006-03-16
Slackware SSA:2006-045-05 2006-02-15
Gentoo 200601-11 2006-01-22
Mandriva MDKSA-2006:019 2006-01-20
Fedora FEDORA-2006-050 2006-01-20
SuSE SUSE-SA:2006:003 2006-01-20
Debian DSA-948-1 2005-01-20
Ubuntu USN-245-1 2006-01-20
Red Hat RHSA-2006:0184-01 2006-01-19

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3356 CVE-2005-4605 CVE-2005-4618 CVE-2005-4639 CVE-2006-0095 CVE-2006-0096
Created:January 18, 2006 Updated:March 7, 2006
Description: The latest set of kernel vulnerabilities includes:

  • A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)

  • A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)

  • An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)

  • A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)

  • A potential key disclosure in dm-crypt. (CVE-2006-0095)

  • Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
Alerts:
Red Hat RHSA-2006:0132-01 2006-03-07
Trustix TSLSA-2006-0004 2006-01-27
Ubuntu USN-244-1 2006-01-18

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276
Created:November 22, 2005 Updated:March 15, 2006
Description: Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709)

Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973)

Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055)

Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180)

A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271)

Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272)

David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273)

Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)

Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275)

Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276)

Alerts:
Red Hat RHSA-2006:0144-01 2006-03-15
Red Hat RHSA-2006:0140-01 2006-01-19
Red Hat RHSA-2006:0101-01 2006-01-17
Mandriva MDKSA-2005:235 2005-12-21
Debian DSA-922-1 2005-12-14
Debian DSA-921-1 2005-12-14
SuSE SUSE-SA:2005:068 2005-12-14
SuSE SUSE-SA:2005:067 2005-12-06
Mandriva MDKSA-2005:220 2005-11-30
Mandriva MDKSA-2005:219 2005-11-30
Mandriva MDKSA-2005:218 2005-11-30
Fedora FEDORA-2005-1104 2005-11-28
Trustix TSLSA-2005-0064 2005-11-11
Ubuntu USN-219-1 2005-11-22

Comments (2 posted)

kernel multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808
Created:January 20, 2006 Updated:April 18, 2006
Description: Here's another set of vulnerabilities in the Linux kernel:
  • A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).
  • The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).
  • The auto-reap child process in 2.6 kernels prior to 2.6.15 include processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).
  • A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).
  • The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).
  • An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).
Alerts:
Mandriva MDKSA-2006:072 2006-04-17
Debian DSA-1018-2 2006-04-05
Debian DSA-1018-1 2006-03-26
Debian DSA-1017-1 2006-03-23
Fedora-Legacy FLSA:157459-2 2006-03-16
Fedora-Legacy FLSA:157459-1 2006-03-16
Fedora-Legacy FLSA:157459-4 2006-03-16
Fedora-Legacy FLSA:157459-3 2006-03-16
SuSE SUSE-SA:2006:012 2006-02-27
Mandriva MDKSA-2006:044 2006-02-21
Red Hat RHSA-2006:0191-01 2006-02-01
Mandriva MDKSA-2006:018 2006-01-20

Comments (none posted)

LibAST: privilege escalation

Package(s):libast CVE #(s):CVE-2006-0224
Created:January 30, 2006 Updated:February 15, 2006
Description: Michael Jennings discovered an exploitable buffer overflow in the configuration engine of LibAST. The vulnerability can be exploited to gain escalated privileges if the application using LibAST is setuid/setgid and passes a specifically crafted filename to LibAST's configuration engine.
Alerts:
Debian DSA-976-1 2006-02-15
Mandriva MDKSA-2006:029 2006-02-02
Gentoo 200601-14 2006-01-29

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libmail-audit-perl: insecure temporary file creation

Package(s):libmail-audit-perl CVE #(s):CVE-2005-4536
Created:January 31, 2006 Updated:March 20, 2006
Description: Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on.
Alerts:
Debian DSA-960-3 2006-03-20
Debian DSA-960-2 2006-01-31
Debian DSA-960-1 2006-01-31

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libTIFF: buffer overflow

Package(s):libtiff CVE #(s):CAN-2005-1544
Created:May 10, 2005 Updated:February 18, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:042 2006-02-17
Debian DSA-755-1 2005-07-13
Ubuntu USN-130-1 2005-05-19
Gentoo 200505-07 2005-05-10

Comments (1 posted)

libungif: memory corruption

Package(s):libungif CVE #(s):CAN-2005-2974
Created:November 3, 2005 Updated:March 20, 2006
Description: The libungif library has a vulnerability in the GIF file colormap handling code. A maliciously crafted GIF file can cause out of bounds memory writing and register corruption.
Alerts:
Fedora-Legacy FLSA:174479 2006-03-16
SuSE SUSE-SR:2005:026 2005-11-11
Mandriva MDKSA-2005:207 2005-11-09
Debian DSA-890-1 2005-11-09
Ubuntu USN-214-1 2005-11-07
Gentoo 200511-03 2005-11-04
Red Hat RHSA-2005:828-01 2005-11-03
Fedora FEDORA-2005-1046 2005-11-03
Fedora FEDORA-2005-1045 2005-11-03

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

lsh-utils: local file descriptor leak

Package(s):lsh-utils CVE #(s):CVE-2006-0353
Created:January 26, 2006 Updated:February 1, 2006
Description: The lshd SSH2 protocol server has a file descriptor leak. User shells started by lshd can access randomness generator file descriptors, allowing the server seed file to be truncated. A denial of service is possible, and session keys may become vulnerable to cracking.
Alerts:
Debian DSA-956-1 2006-01-26

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execute bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2005-3573
Created:December 2, 2005 Updated:March 8, 2006
Description: Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service.
Alerts:
Red Hat RHSA-2006:0204-01 2006-03-07
Debian DSA-955-1 2006-01-25
Ubuntu USN-242-1 2006-01-16
Mandriva MDKSA-2005:222 2005-12-02

Comments (none posted)

mod_auth_pgsql: format string flaws

Package(s):mod_auth_pgsql CVE #(s):CVE-2005-3656
Created:January 6, 2006 Updated:February 28, 2006
Description: The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication.
Alerts:
Fedora-Legacy FLSA:177326 2006-02-27
Gentoo 200601-05 2006-01-10
Debian DSA-935-1 2006-01-10
Mandriva MDKSA-2006:009 2006-01-06
Ubuntu USN-239-1 2006-01-09
Red Hat RHSA-2006:0164-01 2006-01-05

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 10, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora-Legacy FLSA:152896 2006-04-04
Conectiva CLA-2005:926 2005-03-02
Debian DSA-689-1 2005-02-23
Red Hat RHSA-2005:100-01 2005-02-15
Gentoo 200502-14 2005-02-13
Trustix TSLSA-2005-0003 2005-02-11
Ubuntu USN-80-1 2005-02-11
Red Hat RHSA-2005:104-01 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Fedora FEDORA-2005-139 2005-02-10

Comments (none posted)

mozilla-thunderbird: GUI display truncation vulnerability

Package(s):mozilla-thunderbird CVE #(s):CVE-2006-0236
Created:January 26, 2006 Updated:February 1, 2006
Description: Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 have a GUI display truncation vulnerability. A user can be tricked into downloading a maliciously created attachment with a hidden filename extension and potentially execute the dangerous payload.
Alerts:
Mandriva MDKSA-2006:021 2006-01-25

Comments (none posted)

mydns: denial of service

Package(s):mydns CVE #(s):CVE-2006-0351
Created:January 31, 2006 Updated:February 2, 2006
Description: MyDNS contains an unspecified flaw that may allow a remote denial of service. An attacker could cause a denial of service by sending malformed DNS queries to the MyDNS server.
Alerts:
Debian DSA-963-1 2006-02-02
Gentoo 200601-16 2006-01-30

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

nfs-server: buffer overflow

Package(s):nfs-server CVE #(s):CVE-2006-0043
Created:January 26, 2006 Updated:February 15, 2006
Description: The obsoleted nfs-server package has a remotely exploitable buffer overflow vulnerability in the rpc.mountd service's realpath() function. Remote attackers can launch a specially crafted mount request, this leads to a buffer overflow and allows the execution of code with root privileges.
Alerts:
Debian DSA-975-1 2006-02-15
SuSE SUSE-SA:2006:005 2006-01-26

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openmotif: buffer overflows

Package(s):openmotif CVE #(s):CVE-2005-3964
Created:December 29, 2005 Updated:July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-854 2006-07-26
Red Hat RHSA-2006:0272-01 2006-04-04
Gentoo 200512-16 2005-12-28

Comments (none posted)

openssh: GSSAPI credential disclosure

Package(s):openssh CVE #(s):CAN-2005-2798
Created:September 7, 2005 Updated:February 3, 2006
Description: OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Alerts:
SuSE SUSE-SR:2006:003 2006-02-03
Ubuntu USN-209-1 2005-10-17
Mandriva MDKSA-2005:172 2005-10-06
Red Hat RHSA-2005:527-01 2005-10-05
Fedora FEDORA-2005-860 2005-09-12
Trustix TSLSA-2005-0047 2005-09-09
Fedora FEDORA-2005-858 2005-09-07

Comments (none posted)

OpenSSH: double shell expansion

Package(s):openssh CVE #(s):CVE-2006-0225
Created:January 23, 2006 Updated:July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp.
Alerts:
Red Hat RHSA-2006:0298-01 2006-07-20
Red Hat RHSA-2006:0044-01 2006-03-07
Ubuntu USN-255-1 2006-02-21
Gentoo 200602-11 2006-02-20
Fedora-Legacy FLSA:168935 2006-02-18
OpenPKG OpenPKG-SA-2006.003 2006-02-18
Slackware SSA:2006-045-06 2006-02-15
SuSE SUSE-SA:2006:008 2006-02-14
Mandriva MDKSA-2006:034 2006-02-06
Fedora FEDORA-2006-056 2006-01-23

Comments (none posted)

otrs: multiple vulnerabilities

Package(s):otrs CVE #(s):CVE-2005-3893 CVE-2005-3894 CVE-2005-3895
Created:December 16, 2005 Updated:February 15, 2006
Description: Several vulnerabilities were discovered in the CMS system OTRS. Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, multiple cross-site scripting vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, and Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment.
Alerts:
Debian DSA-973-1 2006-02-15
SuSE SUSE-SR:2005:030 2005-12-16

Comments (none posted)

Paros: default administrator password

Package(s):paros CVE #(s):CVE-2005-3280
Created:January 30, 2006 Updated:February 1, 2006
Description: Andrew Christensen discovered that in older versions of Paros the database component HSQLDB is installed with an empty password for the database administrator "sa". Since the database listens globally by default, an attacker can connect and issue arbitrary commands, including execution of binaries installed on the host.
Alerts:
Gentoo 200601-15 2006-01-29

Comments (none posted)

pcre3: arbitrary code execution

Package(s):pcre3 CVE #(s):CAN-2005-2491
Created:August 23, 2005 Updated:March 10, 2006
Description: A buffer overflow has been discovered in the PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library.
Alerts:
Red Hat RHSA-2006:0197-01 2006-03-09
Fedora-Legacy FLSA:168516 2006-03-07
Debian DSA-821-1 2005-09-28
Debian DSA-819-1 2005-09-23
Debian DSA-817-1 2005-09-22
Gentoo 200509-08 2005-09-12
Red Hat RHSA-2005:358-01 2005-09-08
Red Hat RHSA-2005:761-02 2005-09-08
Trustix TSLSA-2005-0045 2005-08-26
OpenPKG OpenPKG-SA-2005.018 2005-09-05
SuSE SUSE-SA:2005:051 2005-09-05
Gentoo 200509-02 2005-09-03
Debian DSA-800-1 2005-09-02
Ubuntu USN-173-4 2005-08-31
Slackware SSA:2005-242-01 2005-08-31
SuSE SUSE-SA:2005:049 2005-08-30
SuSE SUSE-SA:2005:048 2005-08-30
Ubuntu USN-173-3 2005-08-30
Mandriva MDKSA-2005:155 2005-08-29
Mandriva MDKSA-2005:154 2005-08-26
Mandriva MDKSA-2005:153 2005-08-26
Mandriva MDKSA-2005:151 2005-08-25
Mandriva MDKSA-2005:152 2005-08-25
Gentoo 200508-17 2005-08-25
Ubuntu USN-173-2 2005-08-24
Fedora FEDORA-2005-803 2005-08-24
Fedora FEDORA-2005-802 2005-08-24
Ubuntu USN-173-1 2005-08-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

perl: integer overflow

Package(s):perl CVE #(s):CVE-2005-3962 CVE-2005-3912
Created:December 1, 2005 Updated:February 27, 2006
Description: Perl has an sprintf integer overflow vulnerability that may be used for a denial of service, remote code execution and information leakage.
Alerts:
Fedora-Legacy FLSA:176731 2006-02-25
Debian DSA-943-1 2006-01-16
Red Hat RHSA-2005:881-01 2005-12-20
Red Hat RHSA-2005:880-01 2005-12-20
SuSE SUSE-SA:2005:071 2005-12-20
Fedora FEDORA-2005-1145 2005-12-14
Fedora FEDORA-2005-1144 2005-12-14
Ubuntu USN-222-2 2005-12-12
Trustix TSLSA-2005-0070 2005-12-09
Mandriva MDKSA-2005:225 2005-12-08
Gentoo 200512-02 2005-12-07
Gentoo 200512-01 2005-12-07
OpenPKG OpenPKG-SA-2005.025 2005-12-03
Mandriva MDKSA-2005:223 2005-12-02
Ubuntu USN-222-1 2005-12-02
Fedora FEDORA-2005-1116 2005-12-01
Fedora FEDORA-2005-1113 2005-12-01

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: database initialization errors

Package(s):postgresql CVE #(s):CAN-2005-1409 CAN-2005-1410
Created:May 4, 2005 Updated:February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Alerts:
Fedora-Legacy FLSA:157366 2006-02-27
Mandriva MDKSA-2005:093 2005-05-26
Red Hat RHSA-2005:433-01 2005-06-01
Gentoo 200505-12 2005-05-15
Fedora FEDORA-2005-368 2005-05-10
Ubuntu USN-118-1 2005-05-04

Comments (none posted)

pound: HTTP Request Smuggling Attack

Package(s):pound CVE #(s):CVE-2005-3751
Created:January 10, 2006 Updated:June 8, 2006
Description: HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches.
Alerts:
Gentoo 200606-05 2006-06-07
Debian DSA-934-1 2006-01-09

Comments (none posted)

pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
Alerts:
Debian DSA-1021-1 2006-03-28
Debian DSA-792-1 2005-08-31
Red Hat RHSA-2005:743-01 2005-08-22
Fedora FEDORA-2005-728 2005-08-17
Fedora FEDORA-2005-727 2005-08-17
Ubuntu USN-164-1 2005-08-11
Mandriva MDKSA-2005:133 2005-08-09
Gentoo 200508-04 2005-08-05
Gentoo 200507-29 2005-07-31

Comments (2 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)

scorched3d: multiple vulnerabilities

Package(s):scorched3d CVE #(s):
Created:November 15, 2005 Updated:August 11, 2006
Description: Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user.
Alerts:
Gentoo 200511-12:03 2005-11-15
Gentoo 200511-12 2005-11-15

Comments (none posted)

scponly: privilege escalation

Package(s):scponly CVE #(s):CVE-2005-4532
Created:December 29, 2005 Updated:February 13, 2006
Description: The scponly restricted shell has a privilege escalation vulnerability. Local users can chroot into arbitrary directories, and can gain root privileges if a directory contains hard links to setuid programs. Also, scponly does not properly validate command line parameters to the scp and rsync commands.
Alerts:
Debian DSA-969-1 2006-02-13
Gentoo 200512-17 2005-12-29

Comments (none posted)

spamassassin: denial of service

Package(s):spamassassin CVE #(s):CVE-2005-3351
Created:November 9, 2005 Updated:March 7, 2006
Description: Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field.
Alerts:
Red Hat RHSA-2006:0129-01 2006-03-07
Mandriva MDKSA-2005:221 2005-12-02
Fedora FEDORA-2005-1066 2005-11-09
Fedora FEDORA-2005-1065 2005-11-09

Comments (none posted)

squid: authentication handling

Package(s):squid CVE #(s):CAN-2005-2917
Created:September 30, 2005 Updated:March 15, 2006
Description: Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart.
Alerts:
Red Hat RHSA-2006:0045-01 2006-03-15
Red Hat RHSA-2006:0052-01 2006-03-07
Fedora-Legacy FLSA:152809 2006-02-18
Mandriva MDKSA-2005:181 2005-10-11
Ubuntu USN-192-1 2005-09-30
Debian DSA-828-1 2005-09-30

Comments (none posted)

struts: cross-site scripting vulnerability

Package(s):struts CVE #(s):CVE-2005-3745
Created:January 12, 2006 Updated:March 8, 2006
Description: The Struts error display system has a cross-site scripting vulnerability. An attacker may be able to maliciously craft a URL that can trick a user into thinking they are looking at a trusted site when they are not.
Alerts:
Red Hat RHSA-2006:0161-01 2006-03-07
Red Hat RHSA-2006:0157-01 2006-01-11

Comments (none posted)

sudo: vulnerability via scripts

Package(s):sudo CVE #(s):CAN-2005-4158 CVE-2006-0151
Created:December 16, 2005 Updated:September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
Alerts:
Mandriva MDKSA-2006:159 2006-08-31
Debian DSA-946-2 2006-04-08
Slackware SSA:2006-045-08 2006-02-15
SuSE SUSE-SR:2006:002 2006-01-20
Debian DSA-946-1 2006-01-20
Ubuntu USN-235-2 2006-01-09
Ubuntu USN-235-1 2006-01-05
Mandriva MDKSA-2005:234 2005-12-20
Fedora FEDORA-2005-1147 2005-12-16

Comments (none posted)

sudo: missing input sanitizing

Package(s):sudo CVE #(s):CVE-2005-2959
Created:October 25, 2005 Updated:February 19, 2006
Description: Tavis Ormandy noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. The SHELLOPTS and PS4 variables are dangerous and are still passed through to the program running as privileged user. This can result in the execution of arbitrary commands as privileged user when a bash script is executed. These vulnerabilities can only be exploited by users who have been granted limited super user privileges.
Alerts:
OpenPKG OpenPKG-SA-2006.002 2006-02-18
Trustix TSLSA-2005-0062 2005-11-04
Ubuntu USN-213-1 2005-10-28
Mandriva MDKSA-2005:201 2005-10-27
Debian DSA-870-1 2005-10-25

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Alerts:
Fedora-Legacy FLSA:162750 2006-02-23
Debian DSA-735-2 2005-07-07
Debian DSA 735-1 2005-07-01
Red Hat RHSA-2005:535-04 2005-06-29
SuSE SUSE-SA:2005:036 2005-06-24
OpenPKG OpenPKG-SA-2005.012 2005-06-23
Gentoo 200506-22 2005-06-23
Slackware SSA:2005-172-01 2005-06-22
Mandriva MDKSA-2005:103 2005-06-21
Fedora FEDORA-2005-473 2005-06-21
Fedora FEDORA-2005-472 2005-06-21
Ubuntu USN-142-1 2005-06-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: multiple DoS issues

Package(s):tcpdump CVE #(s):CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created:May 2, 2005 Updated:April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Alerts:
Fedora-Legacy FLSA:156139 2006-04-04
Debian DSA-850-1 2005-10-09
Mandriva MDKSA-2005:087 2005-05-11
Red Hat RHSA-2005:417-02 2005-05-11
Red Hat RHSA-2005:421-02 2005-05-11
Gentoo 200505-06 2005-05-09
Ubuntu USN-119-1 2005-05-06
Fedora FEDORA-2005-351 2005-05-02

Comments (none posted)

tetex: integer overflows

Package(s):tetex CVE #(s):CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
Created:January 19, 2006 Updated:May 23, 2006
Description: The teTeX PDF parsing library has an integer overflow vulnerability. A carefully crafted PDF file can be used by an attacker to crash teTeX and possibly execute arbitrary code.
Alerts:
Slackware SSA:2006-142-01 2006-05-23
Fedora-Legacy FLSA:152868 2006-05-12
Gentoo 200603-02 2006-03-04
Red Hat RHSA-2006:0160-01 2006-01-19

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

trac: cross-site scripting vulnerability

Package(s):trac CVE #(s):CVE-2005-4305
Created:January 26, 2006 Updated:February 1, 2006
Description: Trac, a web-based project management and bug tracking system, has a cross-site scripting attack vulnerability that may be exploited for the purpose of execution of arbitrary JavaScript code.
Alerts:
Gentoo 200601-12 2006-01-26

Comments (1 posted)

udev: insecure files in /dev/input

Package(s):udev CVE #(s):CVE-2005-3631
Created:December 20, 2005 Updated:February 28, 2006
Description: Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords.
Alerts:
Fedora-Legacy FLSA:175818 2006-02-27
Red Hat RHSA-2005:864-01 2005-12-20

Comments (none posted)

unalz: arbitrary code execution

Package(s):unalz CVE #(s):CVE-2005-3862
Created:January 30, 2006 Updated:February 1, 2006
Description: Ulf Härnhammer from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.
Alerts:
Debian DSA-959-1 2006-01-30

Comments (none posted)

up-imapproxy: format string vulnerabilities

Package(s):up-imapproxy CVE #(s):CAN-2005-2661
Created:October 10, 2005 Updated:March 7, 2006
Description: up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code.
Alerts:
Gentoo 200603-04 2006-03-06
Debian DSA-852-1 2005-10-09

Comments (none posted)

uw-imap: buffer overflow

Package(s):uw-imap CVE #(s):CAN-2005-2933
Created:October 11, 2005 Updated:April 10, 2006
Description: "infamous41md" discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:184098 2006-04-04
Fedora-Legacy FLSA:170411 2006-04-04
Fedora FEDORA-2005-1112 2005-12-08
Fedora FEDORA-2005-1115 2005-12-08
Red Hat RHSA-2005:850-01 2005-12-06
Red Hat RHSA-2005:848-01 2005-12-06
Mandriva MDKSA-2005:194 2005-10-26
Trustix TSLSA-2005-0055 2005-10-07
Mandriva MDKSA-2005:189 2005-10-20
SuSE SUSE-SR:2005:023 2005-10-14
Gentoo 200510-10 2005-10-11
Debian DSA-861-1 2005-10-11

Comments (none posted)

vixie-cron: crontab allows any user to read another users crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Alerts:
Red Hat RHSA-2006:0117-01 2006-03-15
Red Hat RHSA-2005:361-01 2005-10-05
Fedora FEDORA-2005-320 2005-04-15

Comments (none posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: xtensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

xloadimage: buffer overflows

Package(s):xloadimage CVE #(s):CAN-2005-3178
Created:October 10, 2005 Updated:May 15, 2006
Description: Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:152923 2006-05-12
Gentoo 200510-26 2005-10-30
Mandriva MDKSA-2005:192 2005-10-20
Red Hat RHSA-2005:802-01 2005-10-18
Debian DSA-859-1 2005-10-10
Debian DSA-858-1 2005-10-10
Fedora FEDORA-2005-981 2005-10-10

Comments (none posted)

xorg-x11: heap overflow

Package(s):xorg-x11 CVE #(s):CAN-2005-2495
Created:September 12, 2005 Updated:March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow, a local user can use this to execute arbitrary code with elevated privileges.
Alerts:
Fedora-Legacy FLSA:168264-2 2006-03-07
Slackware SSA:2005-269-02 2005-09-26
SuSE SUSE-SA:2005:056 2005-09-26
Debian DSA-816-1 2005-09-19
Fedora FEDORA-2005-894 2005-09-16
Fedora FEDORA-2005-893 2005-09-16
Trustix TSLSA-2005-0049 2005-09-16
Red Hat RHSA-2005:501-01 2005-09-15
Mandriva MDKSA-2005:164 2005-09-13
Red Hat RHSA-2005:396-01 2005-09-13
Red Hat RHSA-2005:329-01 2005-09-12
Ubuntu USN-182-1 2005-09-12
Gentoo 200509-07 2005-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: heap overflows

Package(s):xpdf gpdf kpdf poppler CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 11, 2006 Updated:March 10, 2006
Description: Xpdf, the associated poppler library, and other applications using that library are susceptible to a new set of buffer overflows discovered by Chris Evans and infamous41md. These overflows could be exploited, via a malicious PDF file, to execute arbitrary code on the target system.
Alerts:
Fedora-Legacy FLSA:176751 2006-03-07
Mandriva MDKSA-2006:030 2006-02-02
Debian DSA-962-1 2006-02-01
Debian DSA-961-1 2006-02-01
Gentoo 200601-17 2006-01-30
Debian-Testing DTSA-28-1 2005-01-25
Debian DSA-950-1 2006-01-23
Trustix TSLSA-2006-0002 2006-01-13
Debian DSA-940-1 2006-01-13
Mandriva MDKSA-2006:012 2006-01-12
Fedora FEDORA-2005-028 2006-01-12
Fedora FEDORA-2005-029 2006-01-12
Debian DSA-938-1 2006-01-12
Debian DSA-937-1 2006-01-12
SuSE SUSE-SA:2006:001 2006-01-11
Red Hat RHSA-2006:0177-01 2006-01-11
Red Hat RHSA-2006:0163-01 2006-01-11
Mandriva MDKSA-2006:011 2006-01-10
Mandriva MDKSA-2006:010 2006-01-10
Debian DSA-936-1 2006-01-11

Comments (none posted)

xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf in that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
Alerts:
Debian DSA-1136-1 2006-08-02
Mandriva MDKSA-2005:138-1 2005-09-19
Debian DSA-780-1 2005-08-22
SuSE SUSE-SR:2005:019 2005-08-19
Fedora FEDORA-2005-732 2005-08-17
Fedora FEDORA-2005-733 2005-08-17
Gentoo 200508-08 2005-08-16
Fedora FEDORA-2005-730 2005-08-15
Fedora FEDORA-2005-729 2005-08-15
Mandriva MDKSA-2005:136 2005-08-11
Mandriva MDKSA-2005:135 2005-08-11
Mandriva MDKSA-2005:134 2005-08-11
Mandriva MDKSA-2005:138 2005-08-11
Red Hat RHSA-2005:708-01 2005-08-10
Red Hat RHSA-2005:706-01 2005-08-09
Red Hat RHSA-2005:671-01 2005-08-09
Red Hat RHSA-2005:670-01 2005-08-09
Ubuntu USN-163-1 2005-08-09

Comments (none posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

zlib: buffer overflow

Package(s):zlib CVE #(s):CAN-2005-1849
Created:July 21, 2005 Updated:April 11, 2006
Description: zlib has a vulnerability that can cause code that executes it to crash if a corrupted file is opened.
Alerts:
Mandriva MDKSA-2006:070 2006-04-10
Debian DSA-1026-1 2006-04-06
Gentoo 200603-18 2006-03-21
Ubuntu USN-151-4 2005-11-09
Ubuntu USN-151-3 2005-10-28
Fedora-Legacy FLSA:162680 2005-09-14
Debian DSA-797-1 2005-09-01
Gentoo 200508-01 2005-08-01
Gentoo 200507-28 2005-07-30
SuSE SUSE-SA:2005:043 2005-07-28
OpenPKG OpenPKG-SA-2005.014 2005-07-28
Mandriva MDKSA-2005:124 2005-07-22
Slackware SSA:2005-203-03 2005-07-23
Ubuntu USN-151-2 2005-07-22
Fedora FEDORA-2005-626 2005-07-22
Fedora FEDORA-2005-625 2005-07-22
Gentoo 200507-19 2005-07-22
Red Hat RHSA-2005:584-01 2005-07-21
Ubuntu USN-151-1 2005-07-21
Debian DSA-763-1 2005-07-20

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current stable 2.6 release is 2.6.15.3, released on February 6. It contains a single, one-line fix for a remotely-exploitable denial of service vulnerability in the ICMP code.

The 2.6.15.4 release is under review as of this writing. It is a rather larger patch with almost two dozen important fixes.

The current 2.6 prepatch is 2.6.16-rc2, released by Linus on February 2. In addition to the expected big pile of fixes, this prepatch adds another set of semaphore-to-mutex conversions, a USB driver for ET61X151 and ET61X251 camera controllers, a big Video4Linux update, the direct migration patches, some slab allocator tweaks for NUMA machines, several new system calls (openat() and friends, pselect(), ppoll()), a big ACPI update, and the EDAC error detection/correction code. The long-format changelog has lots of details.

The mainline git repository contains almost 500 post-rc2 patches as of this writing. They are dominated by fixes, but there is also a patch to export the system's CPU topology in sysfs, parallel port support for SGI O2 systems, administrator-changeable permissions in configfs, an OCFS2 update, the unshare() system call, and various architecture updates.

The current -mm tree is 2.6.16-rc2-mm1. Recent changes to -mm include a rework of the mempool code, a new version of the core timekeeping and NTP rework patches, better scheduler support for multicore systems, a feature for forcing kernel allocations to be spread across NUMA nodes, and an LED driver subsystem.

Comments (none posted)

Kernel development news

Quotes of the week

We've got bin-only kernel modules, much of which are clearly immoral, they are clearly hurting us and still we do things to keep them going - e.g. the refusal to remove 8K stacks from the .config. We are increasingly getting into a situation where loopholes are found and utilized to give back as little as possible, upsetting the balance.

so i believe _something_ should be done to tip the balance, because the negative effects are already hurting us. I'd support the move to the GPLv3 only as a tool to move the balance back into a fairer situation, not as some new moral mechanism. The GPLv3 might be overboard for that, but still the situation does exist undeniably.

-- Ingo Molnar

After seven years and hundreds of issues, I've decided to take a break from writing Kernel Traffic for awhile. I'd like to thank all the people who helped out, providing me with hosting space, hardware to work on, suggestions and bug reports, and money. And I'd especially like to thank Linus and the rest of the kernel developers for so powerfully changing the world for the better.

-- Zack Brown

Comments (9 posted)

Asynchronous I/O and vectored operations

The file_operations structure contains pointers to the basic I/O operations exported by filesystems and char device drivers. This structure currently contains three different methods for performing a read operation:

    ssize_t (*read) (struct file *filp, char __user *buffer, size_t size, 
                     loff_t *pos);
    ssize_t (*readv) (struct file *filp, const struct iovec *iov, 
                      unsigned long niov, loff_t *pos);
    ssize_t (*aio_read) (struct kiocb *iocb, char __user *buffer, 
                         size_t size, loff_t pos);

Normal read operations end up with a call to the read() method, which reads a single segment from the source into the supplied buffer. The readv() method implements the system call by the same name; it will read one segment and scatter it into several user buffers, each of which is described by an iovec structure. Finally, aio_read() is invoked in response to asynchronous I/O requests; it reads a single segment into the supplied buffer, possibly returning before the operation is complete. There is a similar set of three methods for write operations.

Back in November, Zach Brown posted a vectored AIO patch intended to provide a combination of the vectored (readv()/writev()) operations and asynchronous I/O. To that end, it defined a couple of new AIO operations for user space, and added two more file_operations methods: aio_readv() and aio_writev(). There was some resistance to the idea of creating yet another pair of operations, and a feeling that there was a better way. The result, after work by Christoph Hellwig and Badari Pulavarty, is a new vectored AIO patch with a much simpler interface - at the cost of a significant API change.

The observation was made that a number of subsystems use vectored I/O operations internally in all cases, even in the case of a "scalar" read() or write() call. For example, the read() function in the current mainline pipe driver is:

    static ssize_t
    pipe_read(struct file *filp, char __user *buf, size_t count, loff_t *ppos)
    {
	struct iovec iov = { .iov_base = buf, .iov_len = count };
	return pipe_readv(filp, &iov, 1, ppos);
    }

Here, the read() method is essentially superfluous; it is provided simply because the API requires it. So, it was asked, rather than adding more vectored I/O operations, why not just "vectorize" the standard API? The resulting patch set brings about that change in a couple of steps.

The first of those is to change the prototypes for the asynchronous I/O methods to:

    ssize_t (*aio_read) (struct kiocb *iocb, const struct iovec *iov, 
             unsigned long niov, loff_t pos);
    ssize_t (*aio_write) (struct kiocb *iocb, const struct iovec *iov,  
             unsigned long niov, loff_t pos);

Thus, the single buffer has been replaced with an array of iovec structures, each describing one segment of the I/O operation. For the current single-buffer AIO read and write commands, the new code creates a single-entry iovec array and passes it to the new methods. (It's worth noting that, as the code is currently written, that iovec array is no longer valid after aio_read() or aio_write() returns; that array will need to be copied for any operation which remains outstanding when those functions finish).

The prototypes of a couple of VFS helper functions (generic_file_aio_read() and generic_file_aio_write()) have been changed in a similar manner. These changes ripple through every driver and filesystem providing AIO methods, making the patch reasonably large. A second patch then adds two new AIO operations (IOCB_CMD_PREADV and IOCB_CMD_PWRITEV) to the user-space interface, making vectored asynchronous I/O available to applications.

The patch set then goes one step further by eliminating the readv() and writev() methods altogether. With this patch in place, any filesystem or driver which wishes to provide vectored I/O operations must do so via aio_read() and aio_write() instead. Note that this change does not imply that asynchronous operations themselves must be supported - it is entirely permissible (if suboptimal) for aio_read() and aio_write() to operate synchronously at all times. But this patch does make it necessary for modules wishing to provide vectored operations to, at a minimum, provide the file_operations methods for asynchronous I/O. If the AIO methods are not available for a given device or filesystem, a call to readv() or writev() will be emulated through multiple calls to read() or write(), as usual.

Finally, with this patch in place, it is possible for a driver or filesystem to omit the read() and write() methods altogether if the asynchronous versions are provided. If, for example, only aio_read() is provided, all read() and readv() system calls will be handled by the aio_read() method. If, someday, all code implements the AIO methods, the regular read() and write() methods could be removed altogether. That would result in an interface which contained only one method for all read operations (and one more for writes). This change would also realize the vision expressed at the 2003 Kernel Summit that all I/O paths inside the kernel would, in the end, be made asynchronous.

There has been little discussion of the current patch set, so it is hard to predict what may ultimately become of it. Given that it simplifies a core kernel API while simultaneously making it more powerful, however, chances are that some version of this patch will find its way into the kernel eventually.

(For more information on the AIO interface, see this Driver Porting Series article or chapter 15 of LDD3).

Comments (1 posted)

Software suspend - again

Last week's Kernel Page looked at one small piece of the software suspend debate. Meanwhile, the wider discussion has flared up yet again, and looks unlikely to slow down. Developers of the in-kernel suspend-to-disk code are working on moving parts of it to user space and generally tweaking the existing structure. Nigel Cunningham and other supporters of the Suspend2 patches, instead, still hope to see that work merged, eventually replacing much of the existing implementation. The discussion does not appear to be nearing any sort of resolution.

One has become clear, though: Pavel Machek has a firm grip on the current in-tree swsusp code, and that puts Suspend2 at a significant disadvantage. Pavel has taken a strong position against many aspects of the Suspend2 code, and seems determined that it will never be merged. One gets the sense, sometimes, that he just wishes Nigel and his code would go away. Nigel is somewhat more persistent than that, however.

At one point, the two suggested that Linus and Andrew should make a decision between the two implementations and settle the debate. Andrew, however, does not want to do that:

You're unlikely to hear anything dispositive from either of us on this... What we hope and expect is that you'll come up with an agreed path in accordance with general kernel coding and development principles. Linus and I don't want to have to make tiebreak decisions - if we have to do that, the system has failed.

So much for the easy solution. Since then, the relevant parties have been talking, but without a whole lot of apparent progress.

Perhaps the more interesting part of Andrew's note, however, was this:

If you want my cheerfully uninformed opinion, we should toss both of them out and implement suspend3, which is based on the kexec/kdump infrastructure. There's so much duplication of intent here that it's not funny.

kexec(), remember, is a relatively new system call used to boot from one kernel directly into another without going through the whole BIOS startup ritual. The kdump code uses kexec() to perform safe crash dumps. When the kernel panics, it uses kexec() to boot into a small, special-purpose kernel which has been lurking in a reserved part of memory for just this occasion. The new kernel restricts itself to the reserved memory, so the entire memory image of the old, crashed kernel remains intact. That image can then be written to disk in a relatively safe manner.

It is true that suspend-to-disk can be thought of as a sort of kernel dump; the only difference is this little desire to be able to restart the kernel from the dump image at a future time. Using kdump for suspend-to-disk has some obvious appeal. A great deal of effort now goes into freezing most processes on the system - but not the ones needed to complete the suspend process. The suspend code also must be very careful about what kernel state it changes as it goes about its work. Simply jumping into a separate dump kernel has the potential to make many of those problems go away. It might almost be like the Good Old Days, when BIOS-based suspend code simply worked most of the time.

A kdump-based suspend would not be without its costs. In particular, some people might balk at reserving a substantial chunk of memory for the suspend kernel. And, of course, the entire idea remains vaporware for now.

Andrew's suggestion generated little discussion on the mailing list. But, just maybe, it will have ignited a gleam in some hacker's eye. A simpler, more robust suspend mechanism based on kdump which appeared out of left field might just solve this problem - and put the whole tiresome debate in the past - for good.

Comments (22 posted)

PID virtualization: a wealth of choices

A set of patches for the management of virtual process IDs within containers was discussed here a few weeks ago. That patch set drew some interest, but a fair amount of concern as well. It is a large set of changes reaching all over the kernel; it seemed to many that there should be a better way. Since then, two candidates for the "better way" have been posted, and the situation seems less clear than ever. This sort of virtualization is clearly of interest to a number of projects, but there is little consensus on how it should be done.

One of the new entrants is the OpenVZ PID virtualization code, posted by Kirill Korotaev but originally developed by Alexey Kuznetsov. These patches introduce a container called a VPS (virtual private server), each of which can virtualize a number of aspects of the host system, including process IDs. Each process has a real and virtual PID; all PIDs of the virtual variety are identified by having a specific bit set. In the simple case, the virtual-PID bit is the only difference between the real and virtual IDs, but more complex mappings are possible as well.

There is the usual set of functions to convert between real and virtual PIDs (and group, process group, and thread IDs as well). All code which deals with user space must work with virtual PIDs, but internal code uses real PIDs, so a certain amount of awareness is called for. Since there is a specific bit used to mark virtual PIDs, the code is at least able to catch situations where the wrong type of PID is used. There is also a change to the internal fork() implementation allowing a process to be created with a specific virtual PID; this feature can be used to launch a new container with its top-level process having PID 1.

The other implementation is this "process ID namespace" patch set from Eric Biederman. It does away with the concept of virtual PIDs in favor of a different view of the problem. For starters, every process gets a "wait ID" - the process ID by which its parents know it. In most cases, the "wait ID" will be the same as the PID, but, in cases where a process is the leader of a virtualized group, the two will be different.

Then Eric adds process ID spaces. A process ID space (pspace) is simply a range of independent PIDs, associated with tree of processes. By default, the entire system shares one process space, but, by way of a clone() flag, a new process can be created in its own space. Process IDs are unique within any one pspace, but may be duplicated in other spaces. So the kernel, when it must identify a process unambiguously using a PID, must now use a (pspace, PID) tuple. Functions which deal in PIDs - kill_pg() or find_task_by_pid(), for example - get a new pspace parameter.

This approach has the advantage that there is no distinction between real and virtual PIDs - all PIDs are interpreted relative to a PID space. There is no real possibility of confusing real and virtual PIDs, or interpreting PIDs relative to the wrong pspace. So it should be a relatively safe addition to the kernel. On the other hand, Eric's patches don't even try to address the larger virtualization problem; anybody wanting to implement complete containers will still have to do that work separately. Of course, as has been seen, a few projects have already done that work; it's just a matter of seeing which implementation, if any, gets into the mainline.

On that question, it is far too early to say what might happen. Linus has indicated that he likes the container concept from the OpenVZ patches, but that does not necessarily extend to the PID virtualization part of it. Eric has tried to focus the discussion with a summary of the relevant issues and questions which must be resolved going forward. But there is a certain amount of disagreement, and a few projects which have each invested significant time into their particular approaches. It may be a while before the dust settles on this one.

Comments (3 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Memory management

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Tools to roll your own distribution

Creating live Linux CDs has become a fairly common pastime. Many of the distributions added to the distributions list in the past year are live CDs tailored to specific purposes. Many people start with a live CD that they like and then add and subtract packages to create the CD of their dreams. Debian-based KNOPPIX remains one of the most popular distributions to use as a starting point.

Many major vendors will create a live CD to showcase a current snapshot of a release, and often a live CD is used to showcase some other software package. IBM developerWorks takes a look at how to distribute your software packages on a live Linux CD.

The Slackware-based SLAX-Live CD is another popular starting point. SLAX and many variants use shell scripts from the Linux Live project to tailor their favorite distribution into a live CD.

Canonical Ltd. created Launchpad, a suite of tools (some proprietary, some free) that allows Ubuntu Linux to be easily turned into Kubuntu, Edubuntu, and a host of other variants.

Fedora fans now have the Kadischi Fedora Live CD Project, which has recently created Fedora Core 5 Test 2 live CDs.

This is only a quick view of the growing number of tools for rolling your own Linux distribution.

Comments (6 posted)

New Releases

BLAG30002 Released

BLAG Linux and GNU has released BLAG30002 (Johannesburg). "BLAG30002 is based on Fedora Core 3 plus updates, adds apps from Dag, Freshrpms, NewRPMS, and includes custom packages. BLAG30002 is the latest update to the BLAG30k series, using the last updates from Fedora before moving to the Fedora Legacy project."

Full Story (comments: none)

GoblinX

The GoblinX Linux Project has released GoblinX Premium 2006.1 edition, exclusively at On-Disk.com.

Full Story (comments: none)

Distribution News

Ubuntu Distro Sprint

Progress on Dapper Drake continues, in spite of the "Distro Plague of Death" that had most of the team down before day 3. Most team members were back at work by Day 4, looking at upstream timezone data structures, klibc build failures on Sparc, remaining X bugs, and more. Here's the Day 5 progress report, and the final report from Day 6.

Comments (none posted)

Ubuntu archive now running on Soyuz (Launchpad)

The migration of Ubuntu's archive to Launchpad's archive management infrastructure, Soyuz, has been completed successfully. For most users this should be completely transparent.

Full Story (comments: none)

Debian Project Leader Elections 2006: Call for nominations

It's time once again for the Debian Project Leader Elections. Nominations will be open until February 26, 2006.

Full Story (comments: none)

Extremadura Sessions: the i18n infrastructure session September 2006

The Debian i18n team is planning on a session in Extremadura, Spain next September. Click below for more information.

Full Story (comments: none)

YDL v4.1 goes Gold-Master --again.

Yellow Dog Linux pulled the gold-master 4.1 ISOs from replication in order to correct some bugs. These have mostly been squashed now, and the gold-master CD-Rs are again on their way to the replication facility. "[One] bug which concerns dual and quad-core G5 Power Macs remains open. We put our best into this issue, but as with all software projects a line must be drawn and the product must ship. As such, this bug is not a show-stopper and the work-around requires less than a minute, post-installation."

Full Story (comments: none)

Unofficial Fedora FAQ Update

The Unofficial Fedora FAQ has had an update. "Also, fedorafaq.org is proud to announce our new subscription service, The Insider FAQ! We provide answers to all sorts of Fedora and Red Hat questions that are not normal fedorafaq.org questions, but with the same detail and simplicity as fedorafaq.org. :-) Try it out, it's really useful, really cheap, and it helps support fedorafaq.org!"

Full Story (comments: none)

Fedora Core 5 Test 3 Slip

The Fedora Core 5 test3 release has slipped by a week. Test 3 is now due by February 20, 2006.

Full Story (comments: 1)

New Distributions

Musix GNU+Linux

Musix is a 100% Free Debian-based operating system intended for musicians, audiophiles and other users. It contains an enormous collection of free programs. It can run as a live CD/DVD and can also be installed to a hard drive. Currently supported languages (as of February 2006): English, French, Spanish, Portuguese, Catalán, Vascuence and Gallego.

Comments (none posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for February 7, 2006 covers Debian packages for the Kolab groupware server, an update for the stable Debian release, Finnish Debian community has been honored by the Finnish Linux User's Group (FLUG), the call for Project Leader nominations, graphical installer development, and several other topics.

Full Story (comments: none)

Fedora Weekly News Issue 32

This week's Fedora Weekly News has the following articles: Red Hat commits to MIT's $100 laptop, Interview with Orv Beach at SCALE, A Report from Solutions Linux 2006, Fedora Core 5 Test 3 Slip, LinuxQuestions.org Members Choice Awards, Create a custom Linux distribution online, and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of February 6, 2006 is out. This issue covers GNOME 2.12 moves to stable, Gentoo developer receives a donated Wi-Spy spectrum analyzer, Poppler and KPDF, EUSecWest conference, OSC 2006 (spring edition) in Tokyo, and several other topics.

Comments (none posted)

Born: 'Mandriva Linux Inside' e-mag

The first edition of Mandriva Linux Inside has been released in PDF format. It includes the reborn "Cooker Weekly News", which is also available here.

Full Story (comments: none)

DistroWatch Weekly

The DistroWatch Weekly for February 6, 2006 is out. "With all eyes on the final stages of development of Fedora Core 5 and SUSE Linux 10.1, other distributions are not resting either; we bring you interesting information about the upcoming releases of Novell Linux Desktop 10 and Kubuntu 6.04. Interested in network security and penetration testing? The brand new BackTrack live CD provides an amazing collection of tools just for this purpose; we'll take a quick look at the first beta released over the weekend. Also in this issue: try the new smart-urpmi for Mandriva and read how a vice president of a large financial firm fell in love with Gentoo. Finally, our January donation, the largest DistroWatch.com has ever made, goes to Gambas and Krusader."

Comments (none posted)

Package updates

Fedora updates

Bug fix updates and upgrades (featuring KDE 3.5.1) for Fedora Core 4: gnome-python2-extras, vixie-cron, selinux-policy-targeted, selinux-policy-strict, libselinux, udev, kernel, autofs, arts, kdeaccessibility, kdeaddons, kdeadmin, kdeartwork, kdebase, kdebindings, kdeedu, kdegames, kdegraphics, kde-i18n, kdelibs, kdemultimedia, kdenetwork, kdepim, kdesdk, kdeutils, kdevelop, kdewebdev, audit, module-init-tools, authd, docbook-style-xsl, cups, audit.

Comments (none posted)

Newsletters and articles of interest

Leapsoft launches African Linux distribution (Computer Business Review)

Computer Business Review covers Nigerian distribution, Wazobia Linux. "Lagos, Nigeria-based Leapsoft is aiming to over come those hurdles by providing its Linux distribution in Hausa, Yoruba and Igbo, the three most spoken languages in Nigeria, as well as English. It is also aiming to translate Linux into popular African languages. The operating system comes with translations of the OpenOffice.org 2.0 productivity suite, multiple browsers, desktop search, automated networking tools, multi-media software, and application development tools, amongst other things."

Comments (none posted)

Page editor: Rebecca Sobol

Development

A look at GCJ 4.1

February 8, 2006

This article was contributed by Mark Wielaard

One of the components of the GNU Compiler Collection (GCC) is GCJ, the GNU Compiler for the Java programming language. GCJ is a compiler that can generate both native code and bytecode from Java source files. GCJ includes a runtime library (libgcj) that provides all runtime support, the core class libraries, a garbage collector, and a bytecode interpreter. Programs created by gcj can dynamically load and interpret class files or native shared libraries resulting in pure, or mixed native/interpreted applications.

Version 4.0 of GCJ introduced a new deployment model that made is much easier for distributors to package traditional Java programs as native applications without requiring any source level changes. For version 4.1 of GCJ, this new binary compatibility (BC) ABI has also been used for parts of the core library, but only for a minimal subset which includes XML, CORBA and imageio. This change means that those parts of the core library can easily be upgraded with newer versions by the end user. In time, it will become possible to upgrade more parts of the core libraries in a similar manner.

All of the major GNU/Linux distributions use GCJ to support programs like OpenOffice, Eclipse and Tomcat. So it is not surprising that the improvements in GCJ 4.1 have been very application and distribution driven. All of the applications supported by GCJ 4.0 run with more stability under GCJ 4.1. And support has been added for a large range of programs like the Azureus bittorrent client, the RSSOwl feed reader, the JOnAS application server, and the java-gnome based system monitoring and debugging tool Frysk.

The core library from GCJ 4.0 was based on GNU Classpath 0.15, which was released almost a year ago. The core library of GCJ 4.1 has been updated to use GNU Classpath 0.19, plus selected bug fixes from the new 0.20 release. GNU Classpath is a shared development effort that is supported by a wide variety of projects. These projects include interpreters like JamVM and SableVM, just in time compilers like Kaffe and Cacao, operating systems like JNode and IKVM, and .NET/Mono interoperability and "java-in-java" implementations like JikesRVM. With around 20 projects being based on GNU Classpath and more than 40 people from all these different groups working very hard this last year, the coverage and completeness of the core libraries have increased enormously. An overview of all the supported packages can be found here.

Besides lots of correctness and completeness fixes in the more basic packages (lang, math, io, net, text and util), GCJ 4.1 will support HTTP operations on data larger than available memory. It will better support the new NIO package, including correct file locking. Support for AWT, the abstract window toolkit, has been much improved through better integration with GTK+, allowing the transparent copy/paste of various data types between applications. Image loading should be faster and more robust. And the GNU JAWT implementation makes it possible to interface AWT Canvas painting with native screen resources (allowing the jogl OpenGL bindings to work).

XML support has been expanded to include xml.transform and xml.xpath. Free Swing has seen a lot of updates that should make it possible to run simple GUI applications using various look-and-feels, and includes support for JTrees and JTables. RMI and Corba implementations have been added, including support for RMI over IIOP. There is even a sample distributed five-in-a-row game included that has been implemented using Free Swing and Corba.

Looking toward GCJ 4.2

GCC 4.1 has been in freeze since November, to make sure all regressions are fixed. This means that no major features have been added since then. GCJ now supports dropping a classpath directory inside the GCC source tree to get updated core library support. Because of the intertwined nature of the Java language, runtime and libraries, this isn't completely trivial for end users yet. The core GCJ developers will have a much easier way to get a more up-to-date core library. End-users will have to wait until version 4.2 for easier core library upgrading, through more extensive BC ABI support.

A lot of projects for GCJ 4.2 have already started. There is a lot of interest in making static linking work more smoothly, especially for embedded devices and for windows developers. There are different projects for shrinking the size of executables, by stripping reflection data, or the core library (micro-libgcj). There is also work on getting more precise information to the garbage collector in order to decrease overall memory usage. To better support debugging of interpreted classes, (for native compiled classes you can just use GDB) support for JDWP is being added to the libgcj interpreter. This should also enable debugging applications from inside of IDEs like Eclipse.

The GNU Classpath core libraries are also being updated to support even more core packages. Work is being done on integration of a full JCE crypto provider (GNU Crypto and Jessie) to provide transparent https, ssl and tls networking support. The regular expression engine, gnu.regex, is being updated from the old Posix syntax to provide compatibility with the util.regex syntax and features. StAX support has been added, and work is being done to provide xml.validation. The beans package has been extended to support XMLEncoder serialization.

Printing support through CUPS is being added. An ALSA provider that handles MIDI In ports and a DSSI provider that handles software synthesizers has been added. Lots of new security related tests have been added to the Mauve project to check the permission-based access controls in the core library. And GNU Classpath has added support for the new Java 1.5 language features like generics, although those are still being developed in a separate branch.

Beyond GCJ and GNU Classpath

The GPLv3 draft has been enthusiastically received by the GCJ and GNU Classpath hackers. The Java programming language has traditionally been used for extensions to other projects such as Apache and Eclipse. Software from those projects have been licensed under GPLv2-incompatible licenses, preventing cooperation and code sharing. The proposed License Compatibility clause in GPLv3 will make code sharing between GCJ/GNU Classpath and Apache/Eclipse possible.

Tom Tromey is the main developer of GCJX, the GCJ frontend successor that supports the new 1.5 language features. He surprised everybody soon after the GPLv3 draft was released by proposing to look into replacing the Java source-to-bytecode part of the GCJ compiler with the Eclipse compiler (ECJ) instead of using his own GCJX effort. The GPLv3 isn't final yet (and won't be for a year), and there are lots of technical issues to discuss. But sharing code and resources between projects seems like a very attractive feature.

Various GCJ hackers will meet in two weeks at the GNU Classpath and Friends meeting during FOSDEM. It will be very interesting to see how the roadmap of these projects looks at the conclusion of that event.

Comments (9 posted)

System Applications

Backup Software

GPar2 version 0.2 released (SourceForge)

Version 0.2 of GPar2 has been announced. "GPar2 is a GTK+ GUI for par2 recovery sets. This new release provides more feedback, printing the status of each file in the archive. Some bugs in the progressbars have also been fixed. It comes with libpar2 (currently 0.2), which is widely based on par2cmdline client."

Comments (none posted)

Database Software

MySQL 4.1.18 has been released

Version 4.1.18 of the MySQL database has been released. "Due to a critical performance related bug (Bug#15935) 4.1.17 was not released. The bug was introduced within 4.1.16, we therefore recommend all users to upgrade directly to 4.1.18 if they are using 4.1.15 or earlier."

Full Story (comments: none)

pgDesigner - Datamodel designer for PostgreSQL

Version 0.0.24 of pgDesigner, a data model designer for the PostgreSQL database, has been announced. "Currently it is still in state of development, but it can be used calmly like base for the construction of database."

Comments (none posted)

phpMyAdmin 2.8.0-beta1 is released (SourceForge)

Version 2.8.0-beta1 of phpMyAdmin, a web-based MySQL database management application, is available. "Welcome to this first beta for phpMyAdmin 2.8.0. The jump from 2.7.0 to 2.8.0 is partly because from now on, versions with the same X.Y number will have the same feature set, while the third number will be for bug fixes. Also, 2.8.0 has a new web-based setup script."

Comments (none posted)

PostgreSQL Weekly News

The February 5, 2006 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL database articles, events and resources.

Full Story (comments: none)

Filesystem Utilities

Ghost for Linux 0.18 released

Stable version 0.18 of Ghost for Linux has been announced. "Ghost for Linux is a hard disk and partition imaging and cloning tool similar to Norton Ghost and (tm) by Symantec. The created images are optionally compressed, and they can be stored on a local hard drive or transferred to an anonymous FTP server. A drive can be cloned using the Click'n'Clone; function."

Comments (none posted)

KleanSweep 0.2.4 released

Version 0.2.4 of KleanSweep has been announced. "KleanSweep allows you to reclaim disk space by finding unneeded files. It can search for files based on several criteria: you can seek for empty files, backup files, broken symbolic links, dead menu entries, duplicated files, orphaned files (files not found in the RPM database), and more."

Comments (none posted)

Libraries

Ajax JSP Tag Library 1.2 Beta 1 released (SourceForge)

Version 1.2 Beta 1 of the Ajax JSP Tag Library is out. "The AJAX Tag Library is a set of JSP tags that simplify the use of Asynchronous JavaScript and XML (AJAX) technology in JavaServer Pages. This tag library eases development by not forcing J2EE developers to write the necessary JavaScript to implement an AJAX-capable web form. We are pleased to announce the immediate availability of the AJAX JSP Tag Library release 1.2 Beta 1. Version 1.2 Beta 1 includes many enhancements to the JavaScript and several tags."

Comments (none posted)

IT++ 3.9.1 released (SourceForge)

Version 3.9.1 of IT++ is available with bug fixes. "IT++ is a C++ library of mathematical, signal processing, speech processing, and communications classes and functions. It is being developed by researchers in these areas and is widely used by researchers, both in the communications industry and universities."

Comments (none posted)

Networking Tools

AIM Sniff 1.0beta (stable) released

Stable version 1.0beta of AIM Sniff has been announced. "AIM Sniff is a utility for monitoring and archiving AIM and MSN messages across a network. It can be used to monitor for cases of harassment or warez trading. It has the ability to do a live dump (actively sniff the network) or read a PCAP file and parse the file for IM messages. You also have the option of dumping the information to a MySQL database or STDOUT."

Comments (3 posted)

SICM v0.93 is now released (SourceForge)

Version 0.93 of SICM has been announced, it includes several new capabilities. "SICM is a tool to monitor, graph and alert the capacity of computing devices and applications. SICM runs on a Windows or Linux device on your network, 24 hours every day and constantly records the capacity parameters of any networked device using snmp, ping or custom modules. The recorded data is stored for later reference via a user friendly menu-driven web browser. E-mail alerts are raised if a user determined number of queries fail."

Comments (none posted)

Web Site Development

MoinMoin 1.5.2 (advanced wiki engine) released

Version 1.5.2 of MoinMoin, an advanced Python-based wiki engine, has been released. "MoinMoin 1.5.2 is a bug fix release. The 1.5 branch brings you several new features such as the GUI editor, which allows the users to edit pages in a WYSIWYG environment, and many bug fixes."

Comments (none posted)

Silva 1.5 released

Version 1.5 of Silva, a content management system, is out. "Silva 1.5 is the first Silva release that really starts using Zope 3 technology in the core, and is the first step in a longer evolution. It does not have a lot of externally visible feature changes, but focuses on making Silva work with Zope 2.8 and Five 1.2."

Full Story (comments: none)

Zimbra Collaboration Suite 3.0 released

Zimbra has announced the availability of version 3.0 of the Zimbra Collaboration Suite. "ZCS 3.0 builds on the groundbreaking server and user interface technologies that have made the beta versions so successful. These include integrated search, single-copy mail store, discovery, anti-spam and anti-virus/security capabilities on the back end, and a rich, full-featured, AJAX-based Web client that brings e-mail and calendar items to life through Web mash-ups on the front end."

Comments (none posted)

Doing HTTP Caching Right: Introducing httplib2 (O'Reilly)

Joe Gregorio introduces httplib2 on O'Reilly. "In the latest installment of Joe Gregorio's The Restful Web column Joe goes a bit nuts, presenting httplib2, a Python HTTP client library written with the goal of doing caching in HTTP right."

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 0.99.1 released

Maintenance release 0.99.1 of Ardour, a multi-track audio recording studio, has been announced. "This is the first maintenance release of the Ardour 0.99.x series. Many serious issues were fixed and stability is improved."

Comments (none posted)

jack_capture v0.2.2 released

Version 0.2.2 of jack_capture, A JACK Audio Connection Kit application for copying audio streams to files, is out with several new features.

Full Story (comments: none)

Rhythmbox 0.9.3 announced

Version 0.9.3 of Rhythmbox, an integrated music management application, is out. "On behalf of the Rhythmbox developers, I'm proud to announce the fourth release of the Rhythmbox 0.9 series, which includes a large number of fixes, improvements and new features. Notable new features include a play queue, GStreamer 0.10 support, full remote gnome-vfs support, much improved DAAP support, library "watching" and support for mass-storage audio players."

Full Story (comments: none)

soniK 1.0beta1 announced

Version 1.0beta1 of soniK, A KDE-based digital audio editor, is out. "This is the first beta release for soniK 1.0."

Full Story (comments: none)

CAD

PythonCAD 28 now available

Release 28 of PythonCAD, a scriptable drafting program, has been announced. "The twenty-eighth release of PythonCAD offers improved abilities to edit entities in a drawing. Previous releases had inconsistent behavior for entity modification as some operations first required selecting then entities to change and then selecting the operation to perform, where other changes were accomplished by first selecting the action and then selecting entities. The latest release allows for entity modifications to be performed in either mode, thus making the code more consistent as well as easier to use."

Full Story (comments: none)

Desktop Environments

GARNOME 2.13.90 announced

Version 2.13.90 of GARNOME, the bleeding edge GNOME distribution, is available. "We are pleased to announce the release of GARNOME 2.13.90 Desktop and Developer Platform. This release includes all of GNOME 2.13.90 (aka 2.14.0 Beta 1) plus a whole bunch of updates that were released after the GNOME freeze date."

Full Story (comments: none)

GNOME 2.13.90 released

Development version 2.13.90 of the GNOME desktop has been announced. "With this release we're entering the UI freeze period which means that no changes in the user interface should be done without approval from the release team. Mail any changes to release-team@gnome.org for review and we prefer png's to a 1000 line patch to some XML file :-)"

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

Novell announces Xgl/Compiz release

Novell has sent out a press release on the release of its in-house developed Xgl code and an associated compositing window manager called "compiz." "Under the leadership of engineer David Reveman, Novell has sponsored the effort to develop the Xgl graphics subsystem to benefit both hardware vendors and software developers, and thus end users. Novell's release of Compiz enables developers to easily create graphical effects plug-ins which deliver rich visual effects, including transparency and advanced animation. For the first time, open source developers have the ability to easily add industry-standard effects like transparency and window animations to the Linux desktop, supported on the broadest possible set of hardware." Some more information can be found on the openSUSE Xgl page, but screenshots are sadly lacking. (Update: there are a couple of images on ZDNet).

Comments (10 posted)

Electronics

XCircuit 3.6.3 released

Development version 3.6.3 of XCircuit, an electronic schematic drawing package, is out with expanded undo capabilities.

Comments (none posted)

Games

Animation added to WorldForge

The WorldForge game project is using Blender to create game animations. "With the new IK System from Blender, the animation process has become much easier. The new rig also helps because of the automation contraints. I also went ahead and gave the hands a full set of fingers because I am seeing this in many commercial games. The current animations that you see are going to be avaible only for Ember and are going to happen relatively quick."

Comments (none posted)

ScummVM 0.8.1 released (SourceForge)

Version 0.8.1 of ScummVM has been announced. "The ScummVM team is pleased to announce the release of ScummVM 0.8.1. ScummVM is a cross-platform interpreter for more than 50 point-and-click adventure games. This release fixes several bugs from 0.8.0, improves support for Humongous Entertainment games and several international versions."

Comments (none posted)

Sear 0.6.1 released

Version 0.6.1 of the game Sear has been announced. "This release brings many improvements to the GUI components. The character creation dialog now has a list of playable character types. This fixes one of major issues with the previous release. Speech Bubbles have been added to improve dialog with other players and NPC’s and there is also a basic help system. Other GUI components allow adjusting key bindings and video modes. Two new console commands have been added. /me for emotes and /eat (added to inventory dialog) to nourish our character."

Comments (none posted)

Interoperability

Wine 0.9.7 released

Version 0.9.7 of Wine has been announced. Changes include: "Directory change notifications can use inotify now, Hardware breakpoints in the Wine debugger, Beginnings of support for tape APIs, A bunch of improvements to the IDL compiler, Better scheme for mapping My Documents etc. to Unix directories, and Lots of bug fixes."

Comments (none posted)

Wine Weekly Newsletter

Issue #304 of the Wine Weekly Newsletter has been published. Topics include: WineTools & Wine, SCSI Tape Drive Support, JACK Audio Driver, Overriding Executables With Winecfg, and Hook Problems.

Comments (none posted)

Office Applications

iReport 1.1.0 released (SourceForge)

Version 1.1.0 of iReport, a Java-based reporting tool, is available with new features, bug fixes and more.

Comments (none posted)

Web Browsers

Mozilla Firefox 1.5.0.1 Released (MozillaZine)

Version 1.5.0.1 of the Mozilla Firefox browser has been announced. "The first security and stability update to Mozilla Firefox 1.5 has been released. It is recommended that all Firefox users upgrade to this latest version." See the release notes for details. Note that this release fixes a security problem for which exploits already exist.

Comments (none posted)

Annodex Firefox Extension: Core 0.2.1

Core 0.2.1, an Annodex media extension for Firefox, has been announced. "The Annodex Firefox Extension turns the Mozilla Firefox web browser into an Annodex browser. It supports playback of Annodex media encoded with the open-standard Ogg Theora video codec and the Ogg Vorbis audio codec, uses timed URIs to perform efficient, bandwidth-friendly server-side seeking on Annodex media, enables hyperlinking into and out of Annodex media, and displays a "table of contents"-like clip list for CMML content."

Full Story (comments: none)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the January 30, 2006 mozilla.org staff meeting have been announced. "Issues discussed include Firefox 1.5.0.1 Release, Firefox 2 and 3 Planning, Thunderbird, XULRunner, Personnel and Marketing".

Comments (none posted)

Miscellaneous

WIKINDX 3.2.3 released (SourceForge)

WIKINDX 3.2.3 has been announced, it features minor feature enhancements and bug fixes. "WIKINDX is a single or multi-user research environment storing searchable bibliographies, notes and citations and integrated with a WYSIWYG word processor for the authoring of publication-ready articles automatically formatted to chosen citation styles."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The February 7, 2006 edition of the Caml Weekly News is out. Topics include: Type-safe interface to Postgres's SQL, OCaml & .NET and async networking.

Full Story (comments: none)

Java

What Is a Portlet, Part 2 (O'ReillyNet)

Sunil Patil discusses portlets in part two of an O'Reilly article series. "Portlets aim to be your next desktop, providing small pieces of web-based functionality that can be aggregated on a portal page. In this article, Sunil Patil delves deeper into the JSR-168 portlet spec by showing off edit mode, JSP integration, the portlet tag library and preferences API, and Pluto's admin console."

Comments (none posted)

Perl

Test-Driving X11 GUIs (O'Reilly)

George Nistorica uses Perl's X11::GUITest to test X11 applications. "Interfaces to GUI applications like DCOP or D-BUS allow you to interact with GUI applications in order to get at their internal states or set some arbitrary states. Sometimes GUIs don't allow for such interaction and you need to "click" them. If you're writing such an application, you need some sort of regression tests for it to make sure your widget/windows are as accessible as they should be. If this is the case, there is a Perl module to help you: X11::GUITest."

Comments (none posted)

PHP

PHP Weekly Summary

The February 6, 2006 edition of the PHP Weekly Summary is available. "Topics include: Fishy code, a class named Betty, open() calls and APC, TextIterator, FastCGI reaches 5_1 branch".

Comments (none posted)

Python

PyChecker 0.8.17 released

Version 0.8.17 of PyChecker, a tool for finding bugs in Python source code, has been announced. It features two new command line options.

Comments (none posted)

python-dev Summary

The January 1-15, 2006 edition of the python-dev Summary is online with coverage of the python-dev mailing list.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The February 6, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python language articles.

Full Story (comments: none)

Ruby

Ruby Weekly News

The February 5th, 2006 edition of the Ruby Weekly News looks at the latest discussions from the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The February 6, 2006 edition of Dr. Dobb's Tcl-URL! is out with all new Tcl/Tk articles and resources.

Full Story (comments: none)

IDEs

Eclipse Checkstyle Plug-in 4.1.0 beta2 released (SourceForge)

Eclipse Checkstyle Plug-in 4.1.0 beta2 has been announced. "The eclipse-cs Checkstyle plug-in integrates the well-known source code analyzer Checkstyle into today's leading IDE - Eclipse. With the Checkstyle Eclipse plug-in your code is constantly inspected for problems. Within the Eclipse workbench you are notified of problems via the Eclipse Problems View and source code annotations just as you would see with compiler errors or warnings. Version 4.1.0 beta2 of the eclipse-cs plugin was just released. It contains some bugfixes and minor features over 4.1.0 beta."

Comments (none posted)

Test Suites

LDTP 0.3.0 Released

Version 0.3.0 of The GNU/Linux Desktop Testing Project (LDTP), a desktop testing framework, is out with a new newsletter. "Welcome to the sixth issue of LDTP Newsletter! LDTP community has reached another important milestone with the release of LDTP 0.3.0. This release features the new architecture which is a result of more than 3 months of hard work by the LDTP community. This newsletter also includes latest news on our approach towards achieving an automated test engine. Useful references have been included at the end of this article for those who wish to hack/use LDTP."

Full Story (comments: none)

Miscellaneous

DISIT 01a beta released

Version 01a beta of DISIT, an open-source x86 disassembler, is available for testing.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

X graphics get a boost (NewsForge)

NewsForge takes a look at Novell's Xgl framework improvements. "According to Nat Friedman, Novell's Xgl architecture will allow a move away from a raster model of drawing to a vector model, which will provide a "modern" graphics model that should be usable for the next 10 to 15 years. "We're gonna be in good shape for that now, this takes away major concerns. The only other OS that offers the capability to do this is Mac OS X, and the only reason is because they have a tight link to the hardware ... all we're doing is taking advantage of that hardware too. Windows doesn't have this yet and we do ... we're not going to cede 3D graphics acceleration to proprietary software.""

Comments (41 posted)

The Next Battleground for VoIP (O'Reilly)

Andrew Sheppard predicts difficult times for telephone companies in an O'Reilly article. "When the ground upon which we stand moves, it is the result of a tremor, an earthquake, or a tectonic shift. Internet telephony started as a tremor only a few short years ago. It is now an earthquake. And within a decade, or perhaps less, it will have resulted in a tectonic shift in how phone calls are made the world over. Indeed, it will radically alter how people communicate in all manner of ways, not just by voice. Clearly, the future of telephony is the internet, for which geographic location and distance don't matter. To borrow some words from Churchill: the battle between VoIP and PSTN/POTS is over, and I expect the battle for mobile telephony is about to begin."

Comments (6 posted)

Fon time (Linux Journal)

Here's a look at Fon from Doc Searls' blog. "At the Fon site, you download software that you install on your FON compatible WiFi routher. Namely, a generic Linksys WRT54G/GS/GL (versions 1x to 4x), which are the ones with Linux inside. You can get one through Fon's store for twenty-five dollars or euros. This is, obviously, below cost."

Comments (1 posted)

Trade Shows and Conferences

Novell Linux Desktop Demonstration Videos (GnomeDesktop)

GnomeDesktop.org mentions the availability of a video demo of the Novell Linux Desktop 10 system. "A preview of Novell Linux Desktop 10 (NLD10) was shown to an audience at the Solutions Linux conference this week in Paris. We have a selection of videos which display a variety of amazing effects through the use of XGL, including transparency, wobbling windows, a 3D Cube for desktop switching, and a task switcher which displays a preview of windows."

Comments (none posted)

The Producer Electronics Revolution, Part I (Linux Journal)

Doc Searls is in Las Vegas for the Consumer Electronics Show. "Next was Larry Page, co-founder of Google. This talk was especially interesting to me, because Larry would seem to be the least likely public speaker among top Google brass. He's shy, tends to mumble and never struck me as a stage hog. (Like, for example, me.) He was terrific. Unlike the earlier keynotes I saw, Larry's speech wasn't scripted, and he didn't read it off a screen. Instead, he paced the stage with a stack of paper in his hand, occasionally telling the techie running the slides to go forward or back, and was charmingly low key and good humored."

Comments (2 posted)

The SCO Problem

Report on Hamilton, Canada LUG Special Session on SCO v. IBM (Groklaw)

Groklaw has a report from the Hamilton Linux User Group's special session on the SCO v. IBM litigation. "The Hamilton Linux User Group tonight had a special session nominally on the SCOG vs. IBM court case but actually covering a wide range of topics sometimes only vaguely related -- but all of the topics would be familiar to any regular reader of Groklaw. The panel featured Peter Salus (Unix and Linux historian), Robert Young (co-founder of Red Hat), and Ren Bucholz (EFF Policy Co-ordinater). For the first hour, the panelists discussed a variety of issues."

Comments (none posted)

Companies

To grow, Borland to cut off its roots (ZDNet)

ZDNet looks at Borland's change of direction, noting that free software has closed off its old business model. "Today, Borland's traditional business is being undercut by open-source. In the past two years, the rise of freely available open-source IDEs, notably the Eclipse software, has cut the legs out from beneath the stand-alone tools market, said analysts."

Comments (5 posted)

VMware cuts VMware Server price to zero (NewsForge)

NewsForge reports that VMware is planning on releasing a free server. "Raghu Raghuram, VMware's vice president of datacenter and desktop platform products, said that the product would be "an advancement over GSX," VMware's current entry-level server virtualization product, and that VMware would begin directing new customers to VMware Server. Though the release is free as in beer, the product is not being released under an open source license. However, Raghuram said that VMware Server will not offer the advanced management tools found in VMware ESX Server. "It does not have all the capability and advanced functionality ... that you'd need for large-scale rollouts.""

Comments (7 posted)

Business

Open Source's New Frontiers (Business Week)

Business Week has put up a series of articles on open source, covering topics like database systems, MontaVista, software patents, and GPLv3. "Stallman's aim is nothing short of utopian. He wants to capitalize on the economy's growing addiction to open-source code as a means of forcing his social vision -- free software for everyone -- on information technology and consumer electronics writ large. 'In the world we're living in right now, no one can make small, cheap consumer electronics without our software,' says Eben Moglen, general counsel of the Free Software Foundation and co-author of GPL3. 'Our pre-market clout, our use as a raw material of manufacturing, is now large enough to bring an industry coalition into being.'"

Comments (13 posted)

Linux at Work

Linux powers autonomous military ground vehicle (LinuxDevices)

LinuxDevices looks at an unmanned vehicle that is controlled by Linux. "iRobot used embedded Linux to build an autonomous unmanned ground vehicle (UGV) aimed at military scouting, guarding, and hauling applications. The "R-Gator" is based on John Deere's diesel-powered, 658cc M-Gator military utility vehicle platform, with control, navigation, and object-avoidance systems based on BlueCat Linux from LynuxWorks."

Comments (5 posted)

Legal

BitTorrent to crack down on use of name (ZDNet)

ZDNet reports that the creators of the BitTorrent file-swapping application will be cracking down on how other software developers use the name. "BitTorrent's speedy downloading features has made it one of the most popular tools online for distributing large files such as movies or software, both legally and illegally. The company is trying to turn its own Web site into a hub for distributing movies legally, and has been in close discussions with Hollywood studios for months."

Comments (6 posted)

Interviews

The open-source programmer who means business (ZDNet)

ZDNet talks to Alan Cox about the GPLv3, Sony BMG, software patents and more. "Q: The first public discussion draft of GPL 3 (General Public License version 3) was released a couple of weeks ago. What are your initial thoughts on it? Cox: The majority of it looks very sensible, such as letting copyright information be displayed in an "about" box, rather than relying on command line instructions (as is the case in GPL 2). Some of the more contentious stuff has sensibly been made optional. One of the other nice things is the work to make the GPL compatible with other licenses. That's really important--it will allow people to share more code."

Comments (none posted)

$100 Laptop: Great for the world, great for Linux (ZDNet)

ZDNet interviews Red Hat's Mike Evans about the One Laptop per Child initiative. "ZDNet: Some argue that the $100 target price is unrealistic, and that a machine would already exist at or near this price through market competition if it was possible? M.E.: There are existing models of other technologies, whether it be Dell or Apple, but nothing on this grand a scale, with this price point and with this academic and historical horsepower behind it. The people at the MIT labs have 20-plus years of computer expertise. To me the timing is especially interesting. If someone attempted to do this four years ago it wouldn't have worked, but now I have seen that there is a real will among developing countries to bring their people forward right now."

Comments (35 posted)

Interview with Samantha Kleinberg on CL-GODB, Common Lisp & Bioinformatics

Emre Sevinc has published an interview with Samantha Kleinberg. "Samantha Kleinberg from New York University is one of the software developers who participated in Google's Summer of Code in 2005. She has developed CL-GODB project using Common Lisp. Her having used Common Lisp and becoming one of the Google celebrities drew our attention and we didn't hesitate to ask about the details. She has provided clear-cut and right-to-the-point answers."

Comments (4 posted)

Richard Stallman on P2P (LinuxP2P)

There is an interview with Richard Stallman on the LinuxP2P site. "I no longer endorse Creative Commons. I cannot endorse Creative Commons as a whole, because some of its licenses are unacceptable. It would be self-delusion to try to endorse just some of the Creative Commons licenses, because people lump them together; they will misconstrue any endorsement of some as a blanket endorsement of all. I therefore find myself constrained to reject Creative Commons entirely."

Comments (13 posted)

FOSDEM: Three New Interviews

FOSDEM (Free and Open source Software Developers' European Meeting) is coming up at the end of February. As usual, the FOSDEM team is interviewing the speakers and three new interviews have been posted on FOSDEM's website. Click below for more about FOSDEM and pointers to this week's interviews with Michael Meeks, Developer of OpenOffice.org 2.0, Jon Trowbridge, Maintainer of Beagle, and Jan Janak, Core Team Member of SER (The SIP Express Router).

Full Story (comments: none)

Resources

Theming Bash (O'ReillyNet)

O'ReillyNet takes a look at creating and using (bash) shell themes. "Shell themes are shell presets that, when invoked, customize the shell with various useful commands for working on a specific project. For example, I can type Theme perl/nav-menu, and then gain some shell commands that are useful for working on my navigation menu module. Among other things, it will also automatically change my directory to ~/progs/perl/www/Nav-Menu/trunk/module/, where I work on the module."

Comments (2 posted)

Setting up international character support (Linux.com)

Linux.com looks at support for international characters. "Created in 1992 by Ken Thompson on a placemat in a New Jersey diner, UTF-8 has today become a computing standard. Most recent Linux distributions support UTF-8, although many, including Debian, give users the option of using legacy locales that contain only the characters needed for a specific language."

Comments (18 posted)

At the Sounding Edge: Article 24 (Linux Journal)

In this edition of At the Sounding Edge Dave Phillips revisits some of the core Linux audio applications to see what's new. "The following notes are mini-reports on the development status of some high-profile Linux audio applications. The basic Linux sound system is in good condition, with mature versions of ALSA, JACK, LADSPA, MidiShare, libsndfile and other low-to-middle level system components now available. The engines behind Linux audio applications are running nicely, thanks to various kernel tunings, and some of those applications have attained the status of professional usability. Of course, problems remain. Hardware support is still narrow compared to what's available for Win/Mac audio people. In addition, configuration difficulties still can be show-stoppers for new users."

Comments (3 posted)

My sysadmin toolbox (Linux.com)

Linux.com hears from another sysadmin who lists vim, man, mc, ssh, screen, rsync and other favorite tools. "If you need to find differences between two files, you will want to use diff. Running diff -u file1 file2 will show you where they differ. It can also be useful for scripting, if you want to send from a remote system just the changes between certain files. To do this, you can create a cron job and pipe out differences to your email."

Comments (9 posted)

Repairing Windows PCs the Linux way (Linux-Watch)

Linux-Watch takes a look at repairing Windows PCs with live Linux CDs. "Do you want to know the basics of repairing Windows systems with Knoppix Linux? You should. It's incredibly useful information to have, since with Knoppix, or other live CD-based Linuxes, you can do life-saving surgery on near-dead Windows systems."

Comments (none posted)

Reviews

Test drive: D-Link DWL-922 Wireless G Network Starter Kit (NewsForge)

Glenn Mullikin hacks on a D-Link DWL-922 Wireless G Network Starter Kit. "D-Link doesn't advertise Linux support for the kit, but I decided to give it a whirl anyway to see how well it fared. The kit comes with D-Link's DI-524 Wireless G router, which has all the features you would expect a router to have, including plenty of security options, and the DWL-G122 USB 2.0 wireless adapter, which you can use at Wi-Fi hotspots or on your LAN."

Comments (4 posted)

Openbox: A lightweight window manager (Linux.com)

Linux.com reviews the Openbox window manager. "Most Linux-based distributions for the masses have either GNOME, KDE, or both desktops, yet the startup times and resources required by both GNOME and KDE make them unsuitable for old or lower-end hardware. My quest for a standards-compliant, fast, lightweight, and extensible window manager led me to Openbox. Openbox complies with both the Inter-Client Communication Conventions Manual (ICCCM) and the Extended Window Manager Hints (EWMH). Originally derived from Blackbox, Openbox version 3 was completely rewritten in C. Among its fancy features, it supports chainable key bindings, customizable mouse actions, and multi-head Xinerama."

Comments (53 posted)

OpenZoep: An Open Source VoIP Engine (O'ReillyNet)

O'ReillyNet covers OpenZoep. "OpenZoep (pronounced "open soup") is a client-side telephony and instant messaging (IM) communications engine. It supports computer-to-computer (peer-to-peer) VoIP calls, instant messaging, and outbound PSTN and SIP calls to free and premium SIP providers. OpenZoep is available under the GPL license, as well as a commercial license for companies that do not wish to publish the source code of their commercial products based on OpenZoep."

Comments (1 posted)

Capturing real-world knowledge with Protégé OWL (NewsForge)

NewsForge reviews Protégé OWL. "Protégé OWL runs on my PowerBook all the time, right next to Mail, iCal, and Firefox. I use it daily in places where in the past I might have looked reluctantly at Microsoft Access or an open source alternative. Protégé OWL manages all of the corporate records and information of the small public-sector telecommunications company that I run. The ontology acts as a conventional records-management system, recording file and document numbers, dates, file notes, and cross-references."

Comments (none posted)

Miscellaneous

Ben Goodger Reflects on the History of Firefox

Firefox Lead Engineer Ben Goodger has some reflections on the history of Firefox. "The relationship between Netscape and the Mozilla open source project was uneasy. Mozilla wanted an independent identity, to be known as the community hub in which contributors could make investments of code and trust, while companies like Netscape productized the output. Netscape was not satisfied to let Mozilla turn the crank however; building and shipping a product with as many constraints as the Netscape browser was -- and remains -- a mighty challenge. Netscape was convinced it was the only one that knew what needed to be done. At the time, I think it was true." (Found on MozillaZine)

Comments (1 posted)

To GPL 3 or not to GPL 3, that is the Linux question (Linux-Watch)

Linux-Watch follows ongoing discussions about GPLv3 and the Linux kernel. "Linus Torvalds made it clear on January 25th in a message to the Linux Kernel Mailing List (LKML), that as far as he was concerned, the Linux operating system is going to stay under General Public License 2 and not migrate to GPL 3. Discussion of the matter, however, has not come to an end. Richard M. Stallman, primary author of the GPL and founder of the Free Software Foundation (FSF) isn't interested in fighting with Torvalds over the matter. "I don't want to have an argument with him about this," Stallman said."

Comments (11 posted)

OOo Off the Wall: The Elephant in the Living Room -- OOo and MS Office (Linux Journal)

Linux Journal looks at the relationship between OpenOffice.org and MS Office. "For OpenOffice.org (OOo), MS Office (MSO) is the elephant in the living room. As much as the project might want to ignore MSO, it cannot. Many potential users never have used anything except MSO, and most have to share files with MSO users at some point. The lucky exceptions, of course, are those in a free software work or educational environment, who deal only with equally lucky family members and friends."

Comments (none posted)

Andrew Tridgell Completes OSDL Fellowship (LinuxElectrons)

LinuxElectrons notes that Andrew Tridgell has completed an OSDL Fellowship. "''An enormous amount of progress towards the completion of Samba 4 was made while I was an OSDL fellow, which culminated in the release of the first technology preview release of Samba4 last week,'' said Tridgell. ''Having time to concentrate just on the one project really helped. Many thanks to OSDL for providing the fellowship and supporting Samba development.''"

Comments (none posted)

Which is Better: A Partitioned OS or a Partitioned Machine? (IT-Director)

IT-Director questions Linux-only virtualization technologies. "While we are rather fond of hardware-based virtualizations, software approaches such as VMware or Xen are quite capable, and do support multiple operating systems on a machine. In fact, Xen is already slated to be included in SUSE 10 later this year. Given the push for efficiency evident in the marketplace, combined with a best-of-breed approach to applications and operating systems, virtualization schemes that do not support multiple OSes seem to achieve less than the full potential of virtualization."

Comments (7 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Annodex Foundation launched at linux.conf.au

The Annodex Foundation was launched at the recent linux.conf.au event. "Annodex is an open source technology that allows the creation of audiovisual content as 'webs' of audio and video, which are fully integrated with the text-based search and surfing capabilities of the World Wide Web. Increasing activity and uptake of the open media technology Annodex has spurred its open source development community into creating the Annodex Foundation, making it sustainable outside its originating organisation, the CSIRO."

Full Story (comments: none)

Debian Founder Ian Murdock Appointed CTO of the Free Standards Group

The Free Standards Group (FSG) has announced that Debian founder Ian Murdock has been appointed its chief technology officer and elected chair of the Linux Standard Base workgroup. "As founder of Debian -- one of the most successful open source projects in history -- and commercial custom Linux platform provider Progeny, Murdock brings unmatched experience building open source communities, driving technical consensus and solving Linux distribution challenges. His experience will immediately enhance the open standards initiatives of the Free Standards Group and the Linux Standard Base."

Comments (2 posted)

Linux and Open Source Initiative formed (eFinland)

eFinland reports that Linux users have formed the Finnish Linux and Open Source Initiative forum. "The founders of the forum include IBM, Ericsson, Nokia, the Universities of Helsinki and Oulu, the Tampere University of Technology, the Helsinki Institute for Information Technology, the Finnish IT center for science CSC, and the Centre for Open Source Software COSS."

Comments (none posted)

eBox platform released

The eBox platform, a network appliance that is licensed under the GPL, has been released. "eBox manages network services, such as proxy cache, content filter, DHCP server, file sharing, Windows PDC or firewall, through an easy and straightforward manner through a web interface. The officially supported system to use eBox is Debian Sarge GNU/Linux and a tailored Sarge Debian installer including eBox packages is available." (Thanks to Isaac Clerencia.)

Full Story (comments: none)

Commercial announcements

Astaro and Utimaco announce partnership

Astaro Corporation has announced a partnership with Utimaco Safeware AG. "Astaro plans to integrate Utimaco technology into its Unified Threat Management security architecture, and offer the world's first security appliance integrating strong encryption and digital signature mechanisms based on the S/MIME and OpenPGP industry standards."

Comments (none posted)

CrossOver Office for Linspire supports Microsoft Windows software

Linspire, Inc. has announced the release of CrossOver Office 5.0 for Linspire. "CodeWeavers, Inc., the leading Windows-to-Linux software developer, and Linspire, Inc., maker of the easy-to-use desktop Linux operating system, today announced the release of CrossOver Office 5.0 for Linspire. Linspire users who purchase CrossOver Office can run dozens of Windows applications, including Microsoft Office 2003, Adobe Photoshop and Intuit's Quicken and Quickbooks, natively from their Linspire desktop Linux operating system."

Comments (none posted)

Flander accelerates development of mobile Linux smartphones

Flander will present a reference design of its mobile Linux smartphone platform at the 3GSM conference in Barcelona, Spain. 3GSM takes place on February 13-16, 2006. "The mobile-software testing and development company Flander develops the architecture of mobile Linux smartphones. A unique feature of Flander’s reference design is that it supports several software vendors. The reference model significantly accelerates the development process and time-to-market of mobile Linux smartphones as well as reducing associated costs."

Full Story (comments: none)

Funambol's Open Source Push Email

Funambol has announced an open-source push email product for mobile phones. "Funambol, the mobile open source software company, today announced the release of Funambol v3, the first open source push email product for carriers and enterprises. Funambol v3 allows customers to deploy this year's "killer app" push email to the widest range of mobile phones."

Full Story (comments: none)

IBM gives-away DB2 Linux - not a trial version

IBM has released a free version of their DB2 Express-C Universal Database for Linux. "IBM is giving-away DB2 Express-C, a version of DB2 Universal Database Express Edition to the developer community. DB2 Express-C is a no-charge data server for use in application development and deployment. It provides the same core data server features as DB2 Universal Database Express Edition. DB2 Express-C offers a solid base to build and deploy all applications including: C/C++, Java, .NET, PHP, and more."

Full Story (comments: none)

Jitterbit announces Jitterbit Open Edition

Jitterbit, Inc. has announced the availability of the open-source Jitterbit Open Edition business integration product. "Jitterbit's open source integration tool delivers a quick and easy way to design, configure, test, and deploy integration solutions. It supports most standards-based protocols, including Web Services (SOAP), XML, and connectivity to popular databases."

Comments (none posted)

Krugle Announces Search Engine for Source Code at DEMO Conference

Krugle, Inc. has announced a search engine for source code and related technical content. ""Krugle is a search engine for programmers," said Krugle Co-Founder and CEO, Steve Larsen. "Today programming is more about efficiently assembling and integrating code, than it is about writing new code from scratch. The problem is, finding and evaluating the available code takes too much time. That's the problem Krugle solves.""

Comments (3 posted)

MySQL AB Opens Japanese Subsidiary

MySQL AB has announced the opening of a Japanese subsidiary in Tokyo. "MySQL K.K. is partnering with a number of large and leading Japanese resellers and systems integrators to deliver MySQL solutions to the enterprise market, including NEC System Technologies Ltd, NTT Comware, Sumisho Computer Systems Corporation, NRI, Open Source Japan, SmartStyle, and Time Intermedia."

Comments (none posted)

Opera integrates BitTorrent in upcoming browser

Opera Software has announced that it has teamed with BitTorrent Inc. to include the BitTorrent(tm) protocol in the upcoming version of the Opera Web browser.

Full Story (comments: 4)

Sleepycat and CollabNet Open Source Collaboration

Sleepycat Software and CollabNet have announced that the two companies have collaborated, along with the Subversion open source community, to optimize the integration between Berkeley DB and Subversion, ensuring that data is stored reliably and with full, automatic recoverability after a system or application failure.

Full Story (comments: 12)

Sun Announces Release of Open Source NetBeans 5 IDE

Sun Microsystems, Inc. has announced the release of NetBeans 5.0 IDE. "NetBeans 5.0 IDE provides comprehensive support for building Java SE, Java EE, and Java ME applications and includes a variety of unique new features and significant enhancements such as NetBeans GUI Builder (formerly Project Matisse), that differentiates it from all other developer tools."

Comments (4 posted)

TimeSys Introduces free LinuxLink Evaluation

TimeSys has announced a free LinuxLink Evaluation Subscription for Pentium-class Processors. "Embedded developers can use the evaluation subscription to rapidly determine how LinuxLink by TimeSys(TM) can speed and simplify efforts to create a commercial-grade custom Linux platform for any target processor."

Full Story (comments: none)

New Books

C# Cookbook, Second Edition - O'Reilly's Latest Release

O'Reilly has published the book C# Cookbook, Second Edition by Jay Hilyard and Stephen Teilhet.

Full Story (comments: none)

Resources

Bugzilla/Subversion/Wiki Integration Guide (Segetech)

Segetech has announced the availability of a Bugzilla/Subversion/Wiki Integration Guide. "This document provides a detailed configuration guide to integrate incrementally several Open Source development tools ... Bugzilla/SVN/MediaWiki are all linked to each other and they together with mailing lists and various SVN utilities provide easily accessible way to see changes to documentation and source code, handling of bug reports, and people contributing to projects without any additional tools or preparations ..."

Comments (none posted)

FSF Europe Newsletter

The February 8, 2006 edition of the Free Software Foundation Europe Newsletter is online. Topics include: Fellowship meetings in Vienna and Berlin, Discussion about Free Software in Austrian schools started, First draft of GPLv3 presented and Microsoft still trying to avoid competition.

Full Story (comments: none)

Linux Gazette #123 is out!

The February 2006 edition of Linux Gazette is out. This month's articles include Re-compress your gzipp'ed files to bzip2 using a Bash script (HOWTO), uClinux on Blackfin BF533 STAMP - A DSP Linux Port, A Short Tutorial on XMLHttpRequest(), Configuring Apache for Maximum Performance, and much more.

Comments (none posted)

Contests and Awards

Extend Firefox Contest Finalists Announced (MozillaZine)

MozillaZine announces the finalists for the Extend Firefox Contest. "Adblock, All-In-One Sidebar, Deepest Sender, DownThemAll!, Firefox Showcase, Forecastfox Enhanced, Groowe Search Toolbar, IE Tab, My Stickies, PDF Download, Platypus, Reveal, Sage, ScrapBook, Separe, Viamatic foXpose, Web Developer and Wizz RSS News Reader will be vying for awards in eleven categories, including Best New Extension, Best Upgraded Extension and Best Use of New Firefox 1.5 features."

Comments (none posted)

Realm Systems Announces Winners in BlackDog(TM) Skills Contest

Realm Systems has announced the category winners in the Project Black Dog skills contest. "The online DogPound discussion group has been very active in talking about the BlackDog, a pocket-sized, self-contained server with a built-in biometric reader and Debian-based Linux operating system. Unlike any other mobile computing device, BlackDog contains its own processor, memory and storage, and is completely powered by the USB port of a host computer with no external power adapter required."

Comments (none posted)

Education and Certification

LPI Offers Certification Exams at LinuxWorld Mexico

The Linux Professional Institute will be holding Linux Certification Exams at LinuxWorld Mexico in Mexico City on February 14-17, 2006.

Full Story (comments: none)

Upcoming Events

Black Hat USA CFP opens

A call for papers has gone out for the Black Hat USA security conference. The event takes place from July 29 to August 3 in Las Vegas, NV. Submissions are due by June 30.

Full Story (comments: none)

Novell and Red Hat Sponsor Desktop Linux Summit

Novell and Red Hat are the top sponsors of the upcoming Desktop Linux Summit. "The Desktop Linux Summit today announced that Linux industry giants Novell and Red Hat have signed on as platinum sponsors for the show, which is the only event to focus exclusively on Linux and open source software for the desktop. In its fourth year, the Summit will be held April 24-25, 2006 at the Manchester Grand Hyatt in downtown San Diego, California."

Comments (none posted)

Call for Participation Opens for 2006 O'Reilly EuroOSCON

A Call for Participation has gone out for the 2006 O'Reilly EuroOSCON. "This year's theme is "Opening Innovation." With free and open source software use on the rise all across the continent and particularly in governments, EuroOSCON creates a place for developers, sys admins, entrepreneurs, and business people working in free and open source software to come together to delve into critical issues across the spectrum of open source technologies. EuroOSCON takes place 18-21 September in Brussels, Belgium. Proposals are being accepted until 6 March."

Full Story (comments: none)

GUADEC 2006 - Call for Papers (GnomeDesktop)

A Call for Papers has gone out for the 2006 GNOME Users and Developers European Conference (GUADEC). The event takes place on June 24-30, 2006 in Catalonia, Spain, submissions are due by March 31.

Comments (none posted)

First ImageJ User and Developer Conference (LinuxMedNews)

LinuxMedNews has an announcement for the first ImageJ User and Developer Conference "ImageJ is a public domain Java image processing program inspired by NIH Image for the Macintosh. It runs, either as an online applet or as a downloadable application, on any computer with a Java 1.1 or later virtual machine. Downloadable distributions are available for Windows, Mac OS, Mac OS X and Linux." The event will be held in Luxembourg on May 18 and 19, 2006.

Comments (none posted)

NSPW 2006 Call for Papers

A Call for Papers has gone out for the New Security Paradigms Workshop. The event takes place in Schloss Dagstuhl, Germany on September 18-21, 2006. Submissions are due by March 26.

Full Story (comments: none)

NYPHPCon 2006

The New York PHP Conference & Expo 2006 will take place on June 14-16, 2006. "The New York PHP Conference & Expo 2006 is taking place in midtown Manhattan, New York City, at the historic New Yorker Hotel. There will be three full days of sessions, tutorials, exhibits, and networking events." A call for papers is open, submissions should be sent in by April 15.

Comments (none posted)

Python 14 Conference CFP

A call for proposals has gone out for the Python 14 Conference. The event will be held in conjunction with the 2006 O'Reilly Open Source Convention in Portland, Oregon on July 24-28, 2006. Proposals are due by February 13.

Comments (none posted)

SugarCRM CEO John Roberts to Deliver Keynote at OSBC West

SugarCRM Inc. has announced the selection of its CEO for giving the OSBC West keynote address. "John Roberts, chairman, CEO and co-founder of SugarCRM Inc., has been selected to deliver a keynote address on the open source business model at OSBC West, the Open Source Business Conference that opens in San Francisco on February 14. Roberts and Clint Oram, the company's general manager of Sugar Online & co-founder, will also give three other presentations at the conference."

Comments (none posted)

Want to host the Plone Conference 2006?

The 2006 Plone Conference is looking for a host. "Who is interested in playing host to this most talented and excellent community? Who shall come forth to take his/her rightful place in the Hall of Plone Heroes? Where shall we assemble and marshal our forces, and what shall the battle plan be?"

Comments (none posted)

Rockbox International Developers Conference 2006

The Rockbox International Developers Conference 2006 will be held in Stockholm, Sweden on March 18 and 19, 2006. "We thought we'd get together for a two-day Rockbox hacking session, and that it would be cool if there were some other Rockbox devs who would drop by and share the fun."

Full Story (comments: none)

Keynotes Announced for 2nd SELinux Symposium

The keynotes for the second annual Security-Enhanced Linux Symposium have been announced. The event takes place in Baltimore, MD on February 27 through March 3. "The second annual Security-Enhanced Linux Symposium has announced that its keynote speakers will be IT security pioneer Steve Walker, president of Steve Walker & Associates and managing partner of Walker Ventures, and Dr. Steve Marsh, director of the Central Sponsor for Information Assurance unit in the UK Cabinet Office."

Full Story (comments: none)

Events: February 9 - April 6, 2006

Date Event Location
February 9 - 10, 2006X Developer's Conference(XDevConf)(Sun Campus)Santa Clara, CA
February 9 - 10, 2006LinuxAsia Conference and Expo 2006(India Habitat Centre)New Delhi, India
February 9, 2006OSCMS SummitVancouver, BC, Canada
February 10 - 12, 2006CodeCon 2006San Francisco, CA
February 10, 2006SCALE Workshop On Open Standards For Government Organizations(Airport Radisson)Los Angeles, CA
February 10, 2006PHP Conference UK 2006(Keyworth Centre)London, England
February 11 - 12, 2006Southern California Linux Expo(SCALE 4x)(Airport Radisson)Los Angeles, California
February 14 - 16, 2006Open Source Business Conference(OSBCWest 06)(The Argent Hotel)San Francisco, CA
February 20 - 21, 2006EuSecWest/core06 conferenceLondon, England
February 24 - 26, 2006PyCon 2006(Dallas/Addison Marriott Quorum hotel)Addison, TX
February 25 - 26, 2006FOSDEM 2006(ULB Campus)Brussels, Belgium
February 26 - 28, 2006OSDC::Israel::2006(Netanya Academic College)Netanya, Israel
February 27 - March 3, 2006SELinux Symposium and Developer Summit(Wyndham Hotel)Baltimore, MD
February 28 - March 3, 2006Black Hat Europe Briefings and Training 2006(Grand Hotel Krasnapolsky)Amsterdam, the Netherlands
March 3 - 4, 2006LinuxForum 2006Copenhagen, Denmark
March 6 - 9, 2006O'Reilly Emerging Technology Conference(ETech)(Manchester Grand Hyatt)San Diego, CA
March 17 - 19, 2006Libre Graphics Meeting 2006(Ecole d'Ingénieurs CPE)Lyon, France
March 18 - 19, 2006Rockbox International Developers Conference 2006Stockholm, Sweden
March 19 - 24, 2006Novell BrainShare 2006(Salt Palace Convention Center)Salt Lake City, UT
March 21 - 23, 2006UKUUG Spring Conference 2006Durham, UK
March 25, 2006Penguin DaySeattle, WA
March 29 - 31, 2006PHP Quebec 2006(Plaza Montreal Hotel)Montreal, Canada
April 3 - 6, 2006Embedded Systems Conference(ESC)(McEnery Convention Center)San Jose, CA
April 3 - 7, 2006CanSecWest/core06(Marriott Renaissance Harbourside hotel)Vancouver, Canada

Comments (none posted)

Web sites

The Firebird News Portal

A new news portal is open for the Firebird database. It contains: "Links to sites around the world that specialise in news about Firebird or otherwise of interest to Firebird users."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds