Second Life is one of many multiplayer
role-playing games springing up on the net. Unlike some others, Second
Life gives its players a significant amount of freedom to create their
virtual world; players also get ownership rights to their creations. The
Second Life developers have made an effort to strengthen the ties between
the virtual and real worlds; the idea of making a living in the Second Life
"metaverse" is heavily promoted. Various "real life" personalities -
Lawrence Lessig, for example - have made high-profile appearances there.
Like many such services, Second Life has built itself an infrastructure
heavily based on Linux and other free software tools. Also like many such
services, Second Life has returned that favor by providing clients for
proprietary operating systems, but not for Linux. Until recently, that
is. There is now an alpha-test Linux
client available for free download. It is still very much a
proprietary client - no source, x86-only, etc. But it is a start, at
least.
Your editor would, of course, rather be reading memory management patches
or following the interminable "bait Joerg Schilling" festival on linux-kernel.
But journalistic ethics required that time be taken out from such rewarding
activities to see how this new client works. LWN readers would expect no
less.
Alas, no joy was to be found in that direction. This client, it seems,
requires a 3D-capable graphics card. It also requires that the
proprietary driver be installed for said card. Your editor is willing to
make many sacrifices for the cause, but jumping into the world of
binary-only kernel modules was pushing things a little too far. So no
Second Life; there was real work to get done anyway.
An important thought came out of this exercise anyway. We, in the Linux
community, will certainly want to be able to participate in this sort of
virtual universe in the future. These worlds will only get more realistic,
engaging, and compelling. They will host a growing number of real-world
meetings and events. Even if we, personally, have no particular
yearnings for a second life in the virtual world, we may well end up going
there just for a chance to visit our children. So it is important that Linux
users are not excluded from this sort of experience.
Unfortunately, the lack of free drivers for contemporary video
hardware threatens to exclude us from that experience. Even those of us
who see no need for a 3D version of vi (emacs, of course, will have a full
3D Lisp mode) may have the occasional desire to dress up as some sort of furry
animal and commune with the virtual world natives. Much of
what will be interesting in the future of computing will involve
increasingly realistic interfaces - and that will require good graphics
support. If Linux does not provide that support, people will use something
else.
Assuming we will eventually get past that issue, there is another, more
important question to be answered: why, exactly, should we build our
virtual worlds on somebody else's substrate? Even if we "own" our
creations, they run on somebody else's server (which they can unplug at any
time), uses their currency (which they can degrade at any time), and is
subject to their rules (which they can change at any time). A virtual
world which is not free is, well, not free.
Instead, the creation of a true "metaverse" should be a project which is a
natural for the free software community. A decent set of open protocols
and libraries should make it possible for interested people to set up their
own neighborhoods on their own servers and tie them all together into a
distributed - but integrated - whole. The net was built on free software,
and it has served as a platform for no end of interesting developments. If
we build our virtual worlds on free software as well, people will, beyond
doubt, create environments beyond our wildest imagination. It is hard to
see why we would want it any other way.
There are some virtual world projects out there. MUPPETS is an
academic project with an educational focus; its last release was last
July. MUPPETS appears to be a Windows-only application, however.
The Croquet project looks
like it is oriented toward people who want to get some real work done, but
it looks like it could be put to wider uses. The Open Source Metaverse Project
is an attempt to make something very much like a free Second Life. This
project appears to have stalled, however; there is still some life in its
forums, but the last development release was in August, 2004. Solipsis
is an attempt to create a true, distributed virtual world, but it is at a
very early stage. Interverse has some
nice screen shots, but the project appears to have come to a halt. Verse is a
3D-oriented network protocol associated with the Blender project; it looks
like it could be a useful component. The Virtual Object System is a collection
of projects around the 3D, virtual reality theme; it released version
0.23.0-pre1 in January. And so on.
So there's a number of projects out there, but it is not clear that any of
them have truly reached a critical mass. One
would think that such an inherently fun project would attract more
developers. Evidently free software developers have other itches to
scratch. So we may find ourselves, in the future, building our virtual
worlds on non-free platforms and hoping that the Second Life folks live up
to their hints that they might open up their protocols - in 2010.
Comments (14 posted)
When people go looking for successful free software business models, the
dual-license approach tends to turn up near the top of the list. With this
model, a company releases a software component under a copyleft-style
license so that all may make use of it. This company also offers the same
software (or, perhaps, an enhanced version of it) under a paid, commercial
license, allowing other companies to incorporate it into their products
without the need to make their own code available. This model will clearly
be most successful for software which works as a building block for larger
systems. The dual-license model has been employed by
companies like MySQL AB, Trolltech, FSMLabs, Sleepycat Software, and
others.
The dual-license model can look like the best of both worlds. The free
software community gets high-quality, supported code - and often good
documentation as well. Developers get paid for working on that code. The
company which makes all this happen gets to stay in business. That
company's customers get (1) the use of the code in their proprietary
projects, and (2) an immediate indication of what it is costing them
to keep their own code non-free.
This model is not suitable for every project, and it is not without its
disadvantages. One of the strongest of those, perhaps, is the disincentive
it presents to potential contributors. A dual-license company can only
accept contributions which it will be able to sell under its commercial
license; in practice, that implies copyright assignments or some other form
of explicit permission from each contributor. Some developers are happy to
contribute code under such conditions - those contributions
improve the free version of the package, and the developer still probably
gets much more back than he or she ever could contribute. But others are
less interested in contributing code which can be taken proprietary for
somebody else's exclusive commercial benefit.
Another potential snag in the dual-license model was highlighted this week
when Oracle announced
its acquisition of Sleepycat Software. Like Innosoft (acquired by
Oracle last year), Sleepycat provides a transactional engine for MySQL's
database offerings. MySQL gets that code under a dual-license arrangement
which, in turn, allows MySQL to include it in its own dual-license
products. The result is that Oracle now controls two important components
shipped by MySQL.
Sleepycat CEO Mike Olson says that
neither the free software community nor Sleepycat's commercial customers
should be concerned about this acquisition. But Mr. Olson spoke
a little differently after the Innosoft acquisition:
Speaking at the Open Source Business Conference, SleepyCat CEO
Michael Olson said he believes Oracle's takeover of Innobase, the
Finnish developer of InnoDB, a discrete open source transactional
database technology that ships with MySQL, is an acknowledgment of
the growing importance of open source and of MySQL in
particular. "Any attempt to disrupt a competitor is an
acknowledgement that the competitor matters," Olson said. "And I
think that acquisition was in significant part an attempt to
disrupt MySQL's business."
(Thanks to Jim Thompson for the pointer
to that article).
It is worth noting that neither acquisition can do immediate harm to the
free software community. The code which was released under a free license
remains free and cannot be taken back. The worst-case scenario would
appear to be that developers could be taken off the projects, slowing or
stopping the development of that code.
The situation might be a little more perilous for MySQL AB, however, and
its customers as well. Oracle is now in a position to change the licensing
terms for both database backends, or even to make them unavailable for
dual-licensing altogether. And that points out an important aspect of the
dual-licensing model: if you buy into the proprietary side of dual-licensed
software, you are very much in the proprietary software world. And, at
that point, you can be impacted by policy changes by your supplier - or by
their suppliers as well.
Buying proprietary access to dual-licensed software may still be the best
path for many companies. It can enable the use of high-quality,
community-reviewed software at a reasonable price. But dual-licensed
software should not be seen as free software with some commercially
inconvenient strings removed. It is proprietary software, with all the
risks that come with the proprietary model.
Comments (18 posted)
Yet another analyst report comparing the costs of running Linux and Windows
networks has been released. The report was funded by a corporation with a
clear interest in the outcome, but, of course, the authors claim to have
done entirely independent work. It features data collected from a number
of different companies (the way these companies were selected is not
disclosed) and from "self-selected" respondents to a web survey.
Information on the availability and cost of administrators was obtained
from "a cursory survey of resumes" from online job boards. Surprisingly
enough, the report is strongly favorable to the company which sponsored
it.
The Linux community, once again, has come together to debunk the findings
in this survey. Well, actually, maybe not. This report was sponsored by
Levanta and OSDL, and is unequivocally favorable to Linux.
Those who are interested in the details are encouraged to look at the press
release, the executive summary, or
the full,
21-page, pie-chart-stuff report [PDF]. In essence, however, it says
this: Linux systems are cheaper to purchase and install, cheaper and more
reliable to administer, and more secure than the alternatives. Linux
administration staff can be had cheaply, and is in plentiful supply. Oh,
and if those administrators are well equipped with "sophisticated
administration tools," such as those sold by, say, Levanta, they'll be even
more efficient.
Much of what is found on these glossy pages corresponds to the experience
of those of us who have managed large networks of systems. A Linux
administrator really can manage more systems than a Windows administrator.
But the sad fact, which not all in the community seem to want to
recognize, is that this report is the same sort of subjective analyst
recycle bin fodder that the proprietary software companies crank out. We
should not invest it with a higher level of credibility than the other
offerings in its genre.
It is worth noting that this report appears to have had the
desired initial effect. The technical press has dutifully carried the
"Linux is cheaper" news. Presumably, the pointy-haired bosses who are held
to be impressed by these reports will be suitably influenced. It seems
that these analyst reports are simply part of how this game is played. People who
are trying to get some real work done on a Linux platform need a stack of
glossy paper to justify their decisions to certain levels of management. The other side is producing a
long stream of these reports; if the Linux side has no reports of its own,
it looks like it has no answer at all. So it may be a good thing that
somebody is going to the effort of producing all this paper. But we
shouldn't make the mistake of believing that reports like this one prove
anything.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
February 13, 2006
This article was contributed by Jake Edge.
With its first major release in nearly 2 years,
Nmap has made great strides
in speed and usability. Nmap 4.00 was released on 31 January and has a
very large
list
of features and upgrades since the 3.50 release in February 2004.
Nmap is a "network mapper" that allows a network administrator or curious
user to discover many things about a network or host. Nmap will do host
discovery to determine which hosts are available and port scanning to
determine open ports and what services are running behind those ports.
It can also try to determine which operating system is running on a target machine by
examining the contents of packets and responses using a technique known
as
TCP/IP
stack fingerprinting. One of the main uses for Nmap is security
auditing a network in order to detect and possibly disable any and all
unnecessary services running on a host or network.
The feature that users are most excited about, according to
Fyodor, creator of Nmap, is status reporting which
provides real-time information on how much progress Nmap has made and an
estimated time of completion. One can get this report by pressing return
while Nmap is running; other keys will increase or decrease the verbosity
and debug levels or toggle packet tracing. This makes for a much
nicer user experience:
With Nmap 3.50, you would start a scan and Nmap would
quietly chug away for a variable amount of time (from minutes to
hours) before suddenly reporting results for a target host. ...
Staring at a screen for 30 minutes waiting for
Nmap to complete is frustrating, but when you know the time in advance
you can simply go out for lunch.
Speed and memory usage improvements in the port scanning engine were a big
focus of the improvements made since 3.50. Several functions, such as reverse
DNS lookup and UDP scans have been parallelized and Nmap now uses raw
Ethernet packets to do ARP requests which speeds up host detection
significantly. The speed improvements were not readily apparent
in the relatively simple scans the author tried; they are largely geared for
scanning many thousands of ports on large numbers of hosts.
Documentation was another focus of the 4.00 effort and Fyodor has rewritten
the man page,
an install guide, and
a version detection guide.
He says:
Open source software is frequently characterized as having poor
documentation. I tried to fight that stereotype by putting a lot of
work into Nmap 4.00 docs.
Thanks to the DAG
repository, upgrading to Nmap 4.00 was painless on the (now obsolete)
Fedora Core 3
distribution. Running Nmap is fairly straightforward, but there are an
enormous number of options and ways to specify targets. Wading through
the very comprehensive man page is required to do anything very complicated,
though Nmap often seems to suggest useful options when scans fail and this
feature can be very helpful.
Nmap 4.00 looks to be a very solid release of a tool that should be on
every administrator's list of essential security tools.
Comments (5 posted)
New vulnerabilities
adzapper: denial of service
| Package(s): | adzapper |
CVE #(s): | CVE-2006-0046
|
| Created: | February 9, 2006 |
Updated: | February 15, 2006 |
| Description: |
If the adzapper proxy advertisement add-on is installed as a squid
plugin, it can cause high proxy host CPU resource consumption,
resulting in a denial of service. |
| Alerts: |
|
Comments (none posted)
elog: multiple vulnerabilities
Comments (none posted)
gnutls: denial of service
| Package(s): | gnutls |
CVE #(s): | CVE-2006-0645
|
| Created: | February 13, 2006 |
Updated: | March 6, 2006 |
| Description: |
Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate in such a way
that could trigger this flaw if parsed by an application that uses GNU TLS.
This could lead to a denial of service (application crash). It is not
certain if this issue could be escalated to allow arbitrary code execution. |
| Alerts: |
|
Comments (none posted)
heimdal: privilege escalation
| Package(s): | heimdal |
CVE #(s): | CVE-2006-0582
|
| Created: | February 13, 2006 |
Updated: | March 17, 2006 |
| Description: |
A privilege escalation flaw has been found in the heimdal rsh (remote
shell) server. This allowed an authenticated attacker to overwrite
arbitrary files and gain ownership of them. |
| Alerts: |
|
Comments (none posted)
kronolith: cross-site scripting
| Package(s): | kronolith |
CVE #(s): | CVE-2005-4189
|
| Created: | February 14, 2006 |
Updated: | February 15, 2006 |
| Description: |
Johannes Greil of SEC Consult discovered several cross-site scripting
vulnerabilities in kronolith, the Horde calendar application. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
noweb: insecure temporary file
| Package(s): | noweb |
CVE #(s): | CVE-2005-3342
|
| Created: | February 13, 2006 |
Updated: | February 27, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in noweb, a web like literate-programming
tool, creates a temporary file in an insecure fashion. |
| Alerts: |
|
Comments (none posted)
PostgreSQL: privilege escalation
| Package(s): | postgresql |
CVE #(s): | CVE-2006-0553
|
| Created: | February 15, 2006 |
Updated: | February 19, 2006 |
| Description: |
From the advisory: "By issuing SET ROLE with a specially crafted argument, it is possible
for any logged-in database user to acquire the privileges of any other
database user, including superusers. Database superuser status allows
access to the machine's filesystem and hence might be used to mount
remote attacks against the rest of the server's operating system." This problem has been fixed in PostgreSQL releases 8.0.7, 7.4.12, and 7.3.14. |
| Alerts: |
|
Comments (none posted)
sun-jdk: privilege escalation
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgresSQL command injection
| Package(s): | adodb |
CVE #(s): | CVE-2006-0410
|
| Created: | February 6, 2006 |
Updated: | April 17, 2006 |
| Description: |
Andy Staudacher discovered that ADOdb does not properly sanitize all
parameters. By sending specifically crafted requests to an application
that uses ADOdb and a PostgreSQL backend, an attacker might exploit the
flaw to execute arbitrary SQL queries on the host. |
| Alerts: |
|
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
auth_ldap: format string vulnerability
| Package(s): | auth_ldap |
CVE #(s): | CVE-2006-0150
|
| Created: | January 10, 2006 |
Updated: | February 28, 2006 |
| Description: |
The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database. A format string flaw was
found in the way auth_ldap logs information. It may be possible for a
remote attacker to execute arbitrary code as the 'apache' user if auth_ldap
is used for user authentication. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2005-4077
|
| Created: | December 8, 2005 |
Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
CVE #(s): | CVE-2005-4048
|
| Created: | December 15, 2005 |
Updated: | March 17, 2006 |
| Description: |
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
CVE #(s): | CVE-2005-4601
CVE-2006-0082
|
| Created: | January 24, 2006 |
Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerability become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e. g. Thunderbird and
Gnus). |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: heap overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-0019
|
| Created: | January 19, 2006 |
Updated: | March 17, 2006 |
| Description: |
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other kde applications are also subject to this vulnerability. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0454
|
| Created: | February 8, 2006 |
Updated: | February 18, 2006 |
| Description: |
A denial of service vulnerability has been found in the kernel ICMP code; kernel 2.6.15.3 fixes the problem. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3356
CVE-2005-4605
CVE-2005-4618
CVE-2005-4639
CVE-2006-0095
CVE-2006-0096
|
| Created: | January 18, 2006 |
Updated: | March 7, 2006 |
| Description: |
The latest set of kernel vulnerabilities includes:
- A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)
- A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)
- An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)
- A buffer overflow in the TwinHan DST
Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)
- A potential key disclosure in dm-crypt. (CVE-2006-0095)
- Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
|
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-2709
CVE-2005-2973
CVE-2005-3055
CVE-2005-3180
CVE-2005-3271
CVE-2005-3272
CVE-2005-3273
CVE-2005-3274
CVE-2005-3275
CVE-2005-3276
|
| Created: | November 22, 2005 |
Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: |
|
Comments (2 posted)
kernel multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3527
CVE-2005-3783
CVE-2005-3784
CVE-2005-3805
CVE-2005-3806
CVE-2005-3808
|
| Created: | January 20, 2006 |
Updated: | April 18, 2006 |
| Description: |
Here's another set of vulnerabilities in the Linux kernel:
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap child process in 2.6 kernels prior to 2.6.15 include
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
|
| Alerts: |
|
Comments (none posted)
xpdf heap based buffer overflow
| Package(s): | kpdf xpdf kdegraphics poppler |
CVE #(s): | CVE-2006-0301
|
| Created: | February 3, 2006 |
Updated: | March 17, 2006 |
| Description: |
Another heap based buffer overflow has been
found in xpdf and other programs that share the same code. This one is
in Splash.cc and it can cause crashes and possibly arbitrary code execution. |
| Alerts: |
|
Comments (none posted)
LibAST: privilege escalation
| Package(s): | libast |
CVE #(s): | CVE-2006-0224
|
| Created: | January 30, 2006 |
Updated: | February 15, 2006 |
| Description: |
Michael Jennings discovered an exploitable buffer overflow in the
configuration engine of LibAST. The vulnerability can be exploited to gain
escalated privileges if the application using LibAST is setuid/setgid and
passes a specifically crafted filename to LibAST's configuration engine. |
| Alerts: |
|
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libmail-audit-perl: insecure temporary file creation
| Package(s): | libmail-audit-perl |
CVE #(s): | CVE-2005-4536
|
| Created: | January 31, 2006 |
Updated: | March 20, 2006 |
| Description: |
Niko Tyni discovered that the Mail::Audit module, a Perl library for
creating simple mail filters, logs to a temporary file with a predictable
filename in an insecure fashion when logging is turned on. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libungif: memory corruption
| Package(s): | libungif |
CVE #(s): | CAN-2005-2974
|
| Created: | November 3, 2005 |
Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
CVE #(s): | CVE-2005-3573
|
| Created: | December 2, 2005 |
Updated: | March 8, 2006 |
| Description: |
Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8
character encodings in filenames of e-mail attachments, which allows
remote attackers to cause a denial of service. |
| Alerts: |
|
Comments (none posted)
mod_auth_pgsql: format string flaws
| Package(s): | mod_auth_pgsql |
CVE #(s): | CVE-2005-3656
|
| Created: | January 6, 2006 |
Updated: | February 28, 2006 |
| Description: |
The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.
Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CVE-2005-4134
CVE-2006-0292
CVE-2006-0296
|
| Created: | February 2, 2006 |
Updated: | May 4, 2006 |
| Description: |
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites, RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack, visiting sites with extra-long titles can cause a
crash or very slow startup the next time the browser is run. |
| Alerts: |
|
Comments (none posted)
mysql: low-impact security fix
| Package(s): | mysql |
CVE #(s): | CAN-2005-1636
|
| Created: | July 20, 2005 |
Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689). |
| Alerts: |
|
Comments (1 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
nfs-server: buffer overflow
| Package(s): | nfs-server |
CVE #(s): | CVE-2006-0043
|
| Created: | January 26, 2006 |
Updated: | February 15, 2006 |
| Description: |
The obsoleted nfs-server package has a remotely exploitable buffer overflow
vulnerability in the rpc.mountd service's realpath() function.
Remote attackers can launch a specially crafted mount request,
this leads to a buffer overflow and allows the execution of code
with root privileges. |
| Alerts: |
|
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
otrs: multiple vulnerabilities
| Package(s): | otrs |
CVE #(s): | CVE-2005-3893
CVE-2005-3894
CVE-2005-3895
|
| Created: | December 16, 2005 |
Updated: | February 15, 2006 |
| Description: |
Several vulnerabilities were discovered in the CMS system OTRS. Multiple
SQL injection vulnerabilities in index.pl in Open Ticket Request System
(OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, multiple cross-site
scripting vulnerabilities in index.pl in Open Ticket Request System (OTRS)
1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, and Open Ticket Request System
(OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when
AttachmentDownloadType is set to inline, renders text/html e-mail
attachments as HTML in the browser when the queue moderator attempts to
download the attachment. |
| Alerts: |
|
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
CVE #(s): | CAN-2005-2491
|
| Created: | August 23, 2005 |
Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in the PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: integer overflow
| Package(s): | perl |
CVE #(s): | CVE-2005-3962
CVE-2005-3912
|
| Created: | December 1, 2005 |
Updated: | February 27, 2006 |
| Description: |
Perl has an sprintf integer overflow vulnerability
that may be used for a denial of service, remote code
execution and information leakage. |
| Alerts: |
|
Comments (none posted)
PHP: safe_mode bypass
| Package(s): | php |
CVE #(s): | CVE-2005-3391
|
| Created: | February 8, 2006 |
Updated: | March 10, 2006 |
| Description: |
A vulnerability in the PHP GD extension (prior to version 4.4.1) can enable a remote attacker to bypass safe_mode restrictions. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-0207
CVE-2006-0208
|
| Created: | February 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
PHP has a response splitting vulnerability, remote attackers can inject
arbitrary HTTP headers via an unknown method, possibly using a
Set-Cookie header.
Also, a number of cross-site scripting vulnerabilities can be used by
remote attackers to inject arbitrary web scripts or html pages. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
CVE #(s): | CAN-2005-1409
CAN-2005-1410
|
| Created: | May 4, 2005 |
Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
|
| Alerts: |
|
Comments (none posted)
pound: HTTP Request Smuggling Attack
| Package(s): | pound |
CVE #(s): | CVE-2005-3751
|
| Created: | January 10, 2006 |
Updated: | June 8, 2006 |
| Description: |
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to HTTP Request Smuggling Attack, which can be exploited to
bypass packet filters or poison web caches. |
| Alerts: |
|
Comments (none posted)
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
CVE #(s): | CAN-2005-2875
|
| Created: | September 19, 2005 |
Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: |
|
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
CVE #(s): | |
| Created: | November 15, 2005 |
Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: |
|
Comments (none posted)
scponly: privilege escalation
| Package(s): | scponly |
CVE #(s): | CVE-2005-4532
|
| Created: | December 29, 2005 |
Updated: | February 13, 2006 |
| Description: |
The scponly restricted shell has a privilege escalation vulnerability.
Local users can chroot into arbitrary directories, and can gain root
privileges if a directory contains hard links to setuid programs.
Also, scponly does not properly validate command line parameters
to the scp and rsync commands. |
| Alerts: |
|
Comments (none posted)
spamassassin: denial of service
| Package(s): | spamassassin |
CVE #(s): | CVE-2005-3351
|
| Created: | November 9, 2005 |
Updated: | March 7, 2006 |
| Description: |
Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field. |
| Alerts: |
|
Comments (none posted)
squid: authentication handling
| Package(s): | squid |
CVE #(s): | CAN-2005-2917
|
| Created: | September 30, 2005 |
Updated: | March 15, 2006 |
| Description: |
Upstream developers of squid, the popular WWW proxy cache, have
discovered that changes in the authentication scheme are not handled
properly when given certain request sequences while NTLM
authentication is in place, which may cause the daemon to restart. |
| Alerts: |
|
Comments (none posted)
struts: cross-site scripting vulnerability
| Package(s): | struts |
CVE #(s): | CVE-2005-3745
|
| Created: | January 12, 2006 |
Updated: | March 8, 2006 |
| Description: |
The Struts error display system has a cross-site scripting vulnerability.
An attacker may be able to maliciously craft a URL that can trick
a user into thinking they are looking at a trusted site when they are not. |
| Alerts: |
|
Comments (none posted)
sudo: vulnerability via scripts
| Package(s): | sudo |
CVE #(s): | CAN-2005-4158
CVE-2006-0151
|
| Created: | December 16, 2005 |
Updated: | September 1, 2006 |
| Description: |
Perl and Python scripts run via Sudo can be subverted. |
| Alerts: |
|
Comments (none posted)
sudo: missing input sanitizing
| Package(s): | sudo |
CVE #(s): | CVE-2005-2959
|
| Created: | October 25, 2005 |
Updated: | February 19, 2006 |
| Description: |
Tavis Ormandy noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. The SHELLOPTS and PS4 variables are dangerous and are
still passed through to the program running as privileged user. This
can result in the execution of arbitrary commands as privileged user
when a bash script is executed. These vulnerabilities can only be
exploited by users who have been granted limited super user
privileges. |
| Alerts: |
|
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
CVE #(s): | CAN-2005-1993
|
| Created: | June 21, 2005 |
Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
tetex: integer overflows
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
CVE #(s): | CAN-2005-3011
|
| Created: | October 5, 2005 |
Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
udev: insecure files in /dev/input
| Package(s): | udev |
CVE #(s): | CVE-2005-3631
|
| Created: | December 20, 2005 |
Updated: | February 28, 2006 |
| Description: |
Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such as
passwords. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
up-imapproxy: format string vulnerabilities
| Package(s): | up-imapproxy |
CVE #(s): | CAN-2005-2661
|
| Created: | October 10, 2005 |
Updated: | March 7, 2006 |
| Description: |
up-imapproxy contains two format string vulnerabilities which could be exploited to execute arbitrary code.
|
| Alerts: |
|
Comments (none posted)
uw-imap: buffer overflow
| Package(s): | uw-imap |
CVE #(s): | CAN-2005-2933
|
| Created: | October 11, 2005 |
Updated: | April 10, 2006 |
| Description: |
"infamous41md" discovered a buffer overflow in uw-imap, the University
of Washington's IMAP Server that allows attackers to execute arbitrary
code. |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another users crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xloadimage: buffer overflows
| Package(s): | xloadimage |
CVE #(s): | CAN-2005-3178
|
| Created: | October 10, 2005 |
Updated: | May 15, 2006 |
| Description: |
Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
xorg-x11: heap overflow
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2005-2495
|
| Created: | September 12, 2005 |
Updated: | March 8, 2006 |
| Description: |
The pixmap memory allocation code in the X.Org X window system is
vulnerable to an integer overflow, a local user can use this to
execute arbitrary code with elevated privileges. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: heap overflows
| Package(s): | xpdf gpdf kpdf poppler |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 11, 2006 |
Updated: | March 10, 2006 |
| Description: |
Xpdf, the associated poppler library, and other applications using that library are susceptible to a new set of buffer overflows discovered by Chris Evans and infamous41md. These overflows could be exploited, via a malicious PDF file, to execute arbitrary code on the target system. |
| Alerts: |
|
Comments (none posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 5, 2006 |
Updated: | November 30, 2006 |
| Description: |
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: |
|
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-1849
|
| Created: | July 21, 2005 |
Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause code that executes it to crash
if a corrupted file is opened. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.16-rc3,
released on February 12.
As would be expected for this phase of the development cycle, the additions
are mostly fixes, but 2.6.16-rc3 also contains a patch to export the
system's CPU topology in sysfs, parallel port support for SGI O2 systems,
administrator-changeable permissions in configfs, an OCFS2 update, the
unshare() system call,
and various architecture updates. See
the
long-format changelog for the details.
The mainline git repository, as of this writing, holds about 100 fixes
merges after 2.6.16-rc3.
The current -mm tree is 2.6.16-rc3-mm1. Recent changes
to -mm include some memory management system call tweaks (see below), the
EXPORT_SYMBOL_GPL_FUTURE() macro (see below), and various fixes.
The current stable 2.6 release is 2.6.15.4, announced on February 10.
This one contains a fair number of fixes for crashes and other undesirable
behavior.
Comments (8 posted)
Kernel development news
The kernel has a couple of macros for making internal symbols available to
loadable modules:
EXPORT_SYMBOL(symbol);
EXPORT_SYMBOL_GPL(symbol);
The second form is used for kernel symbols which are only available to
modules with a GPL-compatible license. The idea behind GPL-only symbols is
that they are so deeply internal to the kernel that any module using them
can only be a derived product of the kernel. Either that, or it's a
relatively new symbol whose creator simply wanted it to be GPL-only.
Greg Kroah-Hartman has recently proposed a new variant:
EXPORT_SYMBOL_GPL_FUTURE(symbol)
Its purpose would be to mark symbols
which will be changed to a GPL-only export at some point in the future. If
such a symbol is used by a non-GPL module, the kernel will emit warnings to
the effect that the module will break at a future time. With luck, the
warnings will help authors of proprietary modules prepare for changes ahead
of time.
This patch raised a few eyebrows. When GPL-only exports were first added
to the kernel, they went in with the understanding that only new symbols
would be tagged GPL-only. The current module interface - while always
subject to change - was not to have symbols withdrawn arbitrarily. So, if
the export status of symbols should not change, what is the use of this
patch? Greg has a couple of uses in mind:
- The read-copy-update symbols are due to turn GPL-only in April of this
year. The use of RCU by non-GPL modules has always been legally
problematic: RCU is a patented technique which has been licensed by
IBM for use in GPL code. Non-GPL modules will (in the absence of
other arrangements) lack a license for RCU, and thus should not be
using those symbols anyway.
- Current plans call for making the core USB subsystem GPL-only in early
2008. The argument here is that this subsystem has changed greatly
over time, and that it is possible to create full-speed USB drivers in
user space.
It is not clear that there will be uses beyond these; resistance to a
larger-scale restricting of exported symbols remains strong. So the weapon
of choice for those who wish to make life difficult for proprietary modules
is likely to remain the combination of API changes and restrictions on new
symbols.
Comments (9 posted)
A couple of Linux-specific additions to the memory-related system call API
have recently found their way into the -mm tree. There is a bit of
pressure to get them into 2.6.16, though that may be unlikely at this late
date. This may be a good time to look at the proposed changes, however,
along with the pressures which motivated them.
Prepare yourself, as your editor is about to inflict his primitive drawing
skills upon the world again. Consider a situation which, with some
imagination, could be described by the diagram to the right. A process has
a particular memory page of interest, pointed to by a page table entry.
That process has arranged with a device driver to exchange data through
this page; as a result, the driver has a pointer to the associated
page structure, possibly obtained with get_user_pages().
At this stage, all is working well.
But then the process decides to reproduce. The resulting call to fork() has
a number of consequences beyond the creation of a child process. That
call will attempt to avoid copying the parent process's
memory since, for much of the memory range, there is unlikely to ever be a
reason to do so. Instead, both parent and child will be set up with page table
entries pointing to the same physical page in memory, but that page will
now be write protected. As long as neither process attempts to write to
the page, the situation can remain as shown in the diagram to the left.
Both processes - and the driver - can share the same physical page. If
either process calls fork() again, the result will be a third
process also sharing that page, and so on. Often, no process will attempt
to write to the page for as long as it is in this shared state, and no copy
will ever have to be performed.
Life is not always so easy, however. If the parent process makes a change
to the page - writing some new data to be passed through to the driver, for
example - the hardware will trap the write attempt. The kernel will
respond by allocating a new page, copying the old page's contents there,
and pointing the parent process's page table entry to the new,
write-enabled page. At that point, the write attempt can go forward, and
everybody will be happy.
Or maybe not. The copy-on-write operation described above will break the
parent process's connection with the old page. But there is no way to
inform the driver of that change. The result will be the situation shown
on the right: the driver retains a reference to the page which now belongs
exclusively to the child process(es). The parent process and the driver
will no longer be able to communicate with each other. Additionally, if
the parent had used mlock() to lock the original page into memory,
that lock, too, will remain with the original page. The page which the
parent had thought was pinned into RAM will become pageable, with
potentially bad effects on performance and security.
One could try to address this problem by changing the copy-on-write logic
to always maintain the connection between the parent process and its
original pages. That would require the COW code to find any other
processes with references to the page, however, and assign the copied
page to them. That change would slow the code and invite interesting race
conditions, however; remember that there could be a large number of other
processes with references to the page. So the solution proposed by Michael Tsirkin takes a
different approach.
If a process has pages which it has locked into memory or set up to be
shared with a device driver, chances are that it never wants its children
to have access to that memory in the first place. So Michael's patch adds
a couple of new flags to the madvise() system call. A process
with special memory can call madvise() with the new
MADV_DONTFORK flag; the kernel will respond by setting the
VM_DONTCOPY flag in the associated virtual memory area structure;
thereafter, any newly-created child process simply will not see that part
of the address space. There is also a MADV_DOFORK flag which
cancels the effect of MADV_DONTFORK.
Meanwhile, another change found in current -mm came as a result of this complaint about the behavior of the
msync() system call, which is used to flush modified parts of a
memory-mapped file back to disk. In particular, the
complainer, whose real name is unclear, just noticed that msync()
changed its semantics between 2.4 and 2.6. In the 2.4 kernel, a call to
msync(..., MS_ASYNC) would mark the indicated memory range as
being dirty and begin the process of writing those pages to disk. In 2.6,
instead, no I/O is started directly from msync(); instead, the
pages will remain dirty in the page cache until the virtual memory
subsystem gets around to flushing them out.
The original complainer asked that the old behavior be restored, but that
seems unlikely to happen. For most workloads, the best performance is
achieved by letting the kernel decide just when to write each part of the
file back to disk. But there was also some recognition that an option to
start I/O immediately (without necessarily waiting for it) would be a
useful thing in some situations. The answer, as implemented by Andrew Morton, leaves the
msync() call alone, however; instead, Andrew has added a couple of
new options to the posix_fadvise() system call:
- LINUX_FADV_ASYNC_WRITE will start write I/O on the given
range of pages. If some of those pages are already under I/O, the
operation will not be restarted, leaving open the possibility that
late changes might not make it to disk.
- LINUX_FADV_WRITE_WAIT will wait for any I/O currently in
progress on the given range of pages, but does not actually start any
I/O.
In practice, these calls will often need to be made in combinations. An
application which needs to assure itself that all modified pages are on
disk must first perform a wait call (thus ensuring that all pages under I/O
are written), a write call (to start I/O on remaining dirty pages), and a
second wait call (to allow that I/O to complete). But any application
wanting the 2.4 msync() behavior can get it with a single
LINUX_FADV_ASYNC_WRITE call.
Chances are good that both of these changes could land in the mainline in
the 2.6.17 time frame.
Comments (5 posted)
One of the many features added during the 2.5 development series was the
"futex" - a sort of fast, user-space mutual exclusion primitive. In the
non-contended case, futexes can be obtained and released with no kernel
involvement at all, making them quite fast. When contention does happen
(one process tries to obtain a futex currently owned by another), the
kernel is called in to queue any waiting processes and wake them up when
the futex becomes available. When queueing is not needed, however, the
kernel maintains no knowledge of the futex, keeping its overhead low.
There is one problem with keeping the kernel out of the picture, however.
If a process comes to an untimely end while holding a futex, there is no
way to release that futex and let other processes know about the problem.
The SYSV semaphore mechanism - a much more heavyweight facility - has an
"undo" mechanism which can be called into play in this sort of situation,
but there is no such provision for futexes. As a result, a few different
"robust futex" patches have been put together over the past years; LWN looked at one of them in January,
2004. These patches have tended to greatly increase the cost of futexes,
however, and none have been accepted into the mainline.
Ingo Molnar, working with Thomas Gleixner and Ulrich Drepper, has tossed
aside those years' worth of work and, in a couple of days, produced a new robust futex patch which,
he hopes, will find its way into the mainline. The new patch has the
advantage of being fast, but, as Ingo notes:
Be warned though - the patchset does things we normally dont do in
Linux, so some might find the approach disturbing. Parental advice
recommended ;-)
The fundamental problem to solve is that the kernel must, somehow, know
about all futexes held by an exiting process in order to release them. A
past solution has been the addition of a system call to notify the kernel
of lock acquisitions and releases. That approach defeats one of the main
features of futexes - their speed. It also adds a record-keeping and
resource limiting problem to the kernel, and suffers from some problematic
race conditions.
So Ingo's patch takes a different approach. A list of held futexes is
maintained for each thread, but that list lives in user space. All the
thread has to do is to make a single call to a new system call:
long set_robust_list(struct robust_list_head *head, size_t size);
That call informs the kernel of the location of a linked list of held
futexes in the calling process's address space; there is also a
get_robust_list() call for retrieving that information.
Typically, this call would be made by glibc, and never seen by the
application. Glibc would also take on the task of maintaining the list of
futexes.
When a process dies, the kernel looks for a pointer to a user-space futex
list. Should that pointer be found, the kernel will carefully walk through
it, bearing in mind that, as a user-space data structure, it could be
accidentally or maliciously corrupt. For each held futex, the kernel will
release the lock and set it to a special value indicating that the previous
holder made a less-than-graceful exit. It will then wake a waiting
process, if one exists. That process will be able to see that it has
obtained the lock under dubious circumstances (user-space functions like
pthread_mutex_lock() are able to return that information) and take
whatever action it deems to be necessary. The kernel will release a
maximum of one million locks; that keeps the kernel from looping forever on
a circular list. Given the practical difficulties of making a million-lock
application work at all, that limit should not constrain anybody for quite
some time.
There is still a race condition here: if a process dies between the time it
acquires a lock and when it updates the list, that lock might not be
released by the kernel. Getting around that problem involves a bit of poor
kernel hacker's journaling. The head of the held futex list contains a
single-entry field which can be used to point to a lock which the
application is about to acquire. The kernel will check that field on exit,
and, if it points to a lock actually held by the application, that lock
will be released with the others. So, if glibc sets that field before
acquiring a lock (and clears it after the list is updated), all locks held
by the application will be covered.
The discussion on this patch was just beginning when this article was
written. There is some concern about having the kernel walking through
user-space data structures; the chances of trouble and security problems
are certainly higher when that is going on. Other issues may yet come up
as well. But, since this is clearly not a 2.6.16 feature in any case,
there will be time to talk about them.
Comments (6 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
- Junio C Hamano: GIT 1.2.0.
(February 13, 2006)
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
Architecture-specific
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
A
reader comment in
last week's LWN, requesting a more detailed round-up of the available tools
for building custom live CDs, inspired today's feature. Although there are
more than a hundred bootable Linux, BSD and OpenSolaris-based distributions
for seemingly every taste and purpose, it might still be useful, on
occasion, to build one's own - customized to one's exact needs. The reasons
are unimportant since they are likely to vary as much as the end result of
any such undertaking. Instead, I'd like to concentrate on what the readers
are probably most interested in - finding an answer about how much effort
is required to build a custom Linux live CD and whether the end result is
worth it.
I have never built a live CD before. For my first attempt I decided to go
with the Slackware-based Linux-Live
script by Tomas Matejicek, the author of the SLAX live CD. The reason?
I expected Linux-Live to be about the simplest way to build a Linux live
CD. I don't have any facts to back up this statement, but the increasing
abundance of Slackware-based live CD projects, most of which use Linux-Live
to build their products, together with the uncomplicated nature of
Slackware itself, gave me confidence before embarking on this project.
Incidentally, Linux-Live is released under the GNU General Public License.
Linux-Live is a script designed to build a bootable live CD from an existing
Linux installation. A number of prerequisites must be fulfilled before the
script can be executed; the most important among them is support for
Unionfs and Squashfs modules in the Linux kernel. There are two ways to go
about fulfilling this requirement: you can either download and compile two
overlay filesystem modules, or download a pre-compiled kernel from the
Linux-Live web site with all the necessary modules (as well as ALSA and
proprietary MadWiFi drivers) already included. The latter option, however, will only
work on a Slackware installation. The Unionfs and Squashfs requirements
also mean that only kernel versions 2.6.9 or higher are supported.
After going through the documentation included in Linux-Live, I set out to
create my live CD. First, I installed a minimal Slackware 10.1
system, with only the packages in a/, ap/ and n/ selected for installation.
This was to reduce the possibility of a failure and also to minimize any
time-wasting in case something goes wrong. Since Slackware still defaults
to the 2.4 kernel series, I also downloaded the binary kernel 2.6.13.2 from
Linux-Live.org and installed it with pkginstall. It is not
necessary to reboot into the new kernel; as long as it is installed on the
system and the correct kernel version is specified in the 'config' file of
the Linux-Live script, it can be used. Then I download the Linux-Live
script, decompressed and untarred it in the /tmp directory, updated the
'config' file with the new kernel version, and executed the
rumme.sh script. After about six minutes of hard work, a 160 MB
livecd.iso file was generated.
I burned it onto a CD-RW and rebooted the system. I held my breath,
half-expecting the system to ignore the CD and just present me with the
usual boot loader, but to my pleasant surprise, it was a SLAX logo that
first appeared on the screen, indicating that the CD was indeed bootable.
After I pressed 'Enter', the live CD went through the boot process - it took
its time, I might add, since besides the normal boot procedure, the
operating system also completed a hardware detection and configuration
step. But eventually it stopped at a boot prompt, ready to accept a login
by any of the user/password combination -- and with the same home
directories -- as the Slackware system on the hard disk. Networking was
also configured.
Encouraged by this success, I decided to try something more ambitious. I
rebooted into my Slackware 10.1 installation, then added all software from
the x/ and kde/ and l/ directories, configured X.Org, modified
the /etc/inittab file to boot into a graphical login prompt, and repeated
the process of generating the live CD. This time, the routine took much
longer, around 20 minutes, and the resulting ISO image was 496 MB in size.
Again, I burned it to a CD-RW disk and rebooted the system. Then I watched,
with a considerable amount of amazement, as the CD went through a normal
boot process before confidently starting the KDM login manager. Success!
I spent an afternoon re-creating Slackware live CDs in various
configurations. While the process seemed to go smoothly most of the time, I
noted a few mysterious "gotchas" on occasion. As an example, sometimes the
original Slackware installation would no longer boot after running the ISO
build script (the boot process would stop at Loading Linux...). There is
also a documented problem with the fact that Slackware tries to test the
status of the root partition by re-mounting it read-only, a test which
fails on a live CD with Unionfs, resulting in a warning message and
requiring user input. A minor, but annoying blemish. A few of my live CDs
also failed to boot, for reasons unknown to me, with a "init Id 'x'
respawning too fast" error. Probably the most serious issue with
Linux-Live, however, is lack of documentation (apart from a few "readme"
style files included with the script) explaining the process and providing
hints for using the script on distributions other than Slackware. The
project would also benefit from having a Wiki as well as user forums which
adventurous live CD builders could use to search for answers and exchange
experiences.
All things considered, my first attempt at building a custom live CD was a
success. As I suspected before I embarked on the project, Linux-Live is a
very simple and fast method for creating a live CD from a Slackware
installation. Due to lack of time to research topics on compiling Unionfs
and Squashfs as kernel modules, I haven't tried it on any other
distribution, but the project's web site does give an impression that the
script is fairly universal. However, Linux-Live badly needs better
documentation and user interactive areas for those times when things don't
go as expected.
Comments (1 posted)
Distribution News
A new
Ubuntu Testing
project has been launched.
"
You planned to do a test installation of Ubuntu Dapper to catch a
glimpse on how the development is going? You have an old box, you want
to test Ubuntu on and want to help us with test results?"
Several testing levels are available, from quick to advanced.
Full Story (comments: none)
Squash a bug, get a hug. That's the idea behind Hug Day. The next Hug Day
will be February 17, 2006. "
Where to join the Hug Day? #ubuntu-bugs
on freenode IRC. And you can go there every other day too!"
Full Story (comments: none)
If you will be visiting FOSDEM look for the openSUSE project there.
"
The openSUSE team will be talking about a broad range of topics,
from a general overview of the current status, future plans for the
project, and the distribution SUSE Linux to technical tutorials and a first
demonstration of the openSUSE build service. We're looking forward to
seeing you all there and discussing the future of the project!"
Full Story (comments: none)
This update covers a delay in the SUSE Linux 10.1 schedule (beta 4 is now
due on February 16), Novell's decision not to ship non-GPL kernel modules,
kernel changes, a bug in the beta3 Fontconfig package, major changes in the
package manager and Xgl in SUSE Linux 10.1.
Full Story (comments: 1)
Here's a
note from Mandriva's new
maintainer of X.org, Gustavo Pichorim Boiko, on what he is planning. On
X.org: "
I have already started packaging Xorg 7.0 but I don't have
any set of packages useful at this moment." On Xgl and Xegl:
"
Mandriva is not going to officially adopt the Novell Xgl server
(Xglx). Instead, we are trying to push the Xegl[2] development."
Matthieu Duchemin has posted a how-to for
running Xgl with compiz under Mandriva 2006.
Comments (none posted)
Nominations are still open for Debian Project Leader. "
Prospective
leaders should be familiar with the constitution, but, just to review:
there's a three week period when interested developers nominate themselves,
followed by a three week period with no nominations [intended for
campaigning], followed by three weeks for the election itself."
Full Story (comments: none)
Here's an update on the status of the next revision of the current stable
Debian distribution (sarge).
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for February 14, 2006 is out. In this issue; Lars
Wirzenius nominates himself for DPL, Message-ID lookup for list mails
re-implemented, Debian's policy on trademarks, support for the wireless
system in the iBook G4, and more.
Full Story (comments: none)
This week the
Fedora Weekly
News looks at SCALE: Fedora Booth at Southern California Linux Expo,
SCALE: Fedora Presentation at Southern California Linux Expo, FUDCon Boston
2006 Call for Papers, FedoraFAQ.org announces The Insider FAQ, Fedora
Projects Weekly Report 2006-02-13, and several other topics.
Comments (none posted)
The
Gentoo
Weekly Newsletter for February 13, 2006 covers the release of eselect
1.0, a Polish Gentoo clone, and several other topics.
Comments (none posted)
The second issue of the Ubuntu Desktop News is out. Topics covered include
Avahi, changes in the Dapper desktop, ekiga, and an interview with "desktop
hero" Daniel Holbach.
Full Story (comments: 3)
The
DistroWatch
Weekly for February 13, 2006 is out. "
Xgl. The "word" has surely
entered the consciousness of many Linux users who, thanks to Novell's
enhancements dramatically unveiled last week, can look forward to an
exciting new world on their Linux desktops later this year. Naturally, SUSE
Linux is likely to be the first one to integrate the new features into
their upcoming release, although expect some delays from the original
schedule. In other news: Mandriva's CEO describes his working day, the
developers of MEPIS consider switching their base to Ubuntu, Gentoo gets an
updated Portage tool, and Slackware moves closer to version 11.0 with one
massive update. The latest release of Mockup, a Debian-based distribution
built with Qt 4, is the feature of our "first look" series."
Comments (none posted)
Package updates
Updates for
Fedora Core 4:
cpuspeed
(updates),
man (fix the makewhatis
problem),
xmltex (bug fixes),
pam_krb5 (bug fixes),
postgresql (update to PostgreSQL 8.0.7),
selinux-policy-strict (allow zebra to connect
to bgp),
selinux-policy-targeted (allow
zebra to connect to bgp).
Comments (none posted)
Mandriva Linux 2006.0 updates:
ghostscript (bug fixes),
postgresql (upgrade to PostgreSQL 8.0.7).
Comments (none posted)
This has been a busy week in
Slackware
Linux, starting with this
lengthy changelog
entry for last Thursday, followed by some
minor fixes on Friday, and some
PHP updates after that.
Comments (none posted)
Various bug fixes are available in
cyrus-impad, imagemagick, iptables, kernel,
l7-protocols, php, net-snmp, samba, squid, quagga and
bind, iproute, iptables, kerberos5, kernel, mdadm,
samba for TSL 3.0 & 2.2.
Comments (none posted)
Newsletters and articles of interest
Linux.com
installs
Gentoo using Kororaa. "
Kororaa is available in several
flavors. You can choose between KDE and GNOME, and between x86 and AMD64
processor versions. The x86 version is optimized for Pentium III
processors. To install Kororaa you need two CDs. You can download a
universal install CD, and you have to select the package CD for your
desktop environment of choice and your processor. I chose the x86 version
for KDE and started the installation."
Comments (none posted)
The MEPIS distribution
may switch from Debian to Ubuntu, according to NewsForge.
"
MEPIS, one of the more popular Debian-derived distributions, may be moving in a new direction soon. MEPIS founder Warren Woodford is considering building future MEPIS releases from Ubuntu sources rather than from Debian. SimplyMEPIS 3.4-3, which is scheduled for release today, has been quite a challenge to build, according to Woodford. "It's taking up all my time, fighting the Etch pool.... We've had a lot of trouble, because the Debian community has become so active, it's been difficult to get this out, so I'm looking at alternatives to getting out stable releases.""
Comments (5 posted)
HowtoForge
covers
the installation of ColdFusion 7.x on Debian Sarge (3.1r1). "
Why
This Tutorial? Because there is no documentation about ColdFusion
installation on Debian on the internet. As you know Debian Linux is not
supported officially by Adobe. But Debian is one of the mosts used and well
known Linux distributions especially for server usage and I think there
would be some other people who want to use Debian and ColdFusion
together."
Comments (none posted)
NewsForge
presents
a glimpse of Mandriva PowerPack 2006. "
Linux on the desktop has
certainly come a long way. The community tools available on any
distribution are so powerful and great to use that the fact that they are
free is a wonderful bonus. I work with enterprise applications designed
with PHP and MySQL. I'm addicted to OpenOffice.org 2.0, KDE, and Firefox. I
have fun with Nvu for HTML editing, amaroK for streaming radio and
organizing my MP3 files, and the GIMP for high-end image editing."
Comments (none posted)
Distribution reviews
Linux.com has a
review of
SimplyMEPIS. "
SimplyMEPIS is a KDE-based, Debian-derived distro
that focuses on desktop use. The previous stable release came out in May of
2005, but the newest version of SimplyMEPIS is scheduled for release today,
and it looks like a great release for anyone who's interested in desktop
Linux."
Comments (none posted)
Mad Penguin
reviews
VectorLinux SOHO 5.1.1 Deluxe. "
[VectorLinux] is a derivative of
Slackware Linux that has been optimized to run beautifully on any PC new or
old, and with a most excellent compliment of included applications. All of
this on two CDs. VectorLinux is, without a doubt, the single most
impressive redistribution of Slackware available. Why? Because it retains
Slackware's ease of use and overall feel, but adds a nice performance boost
and extra applications to the package. In other words, VectorLinux has the
Slackware mojo... and then some."
Comments (none posted)
NewsForge
reviews
PC-BSD. "
The PC-BSD team recently released its second release
candidate for 1.0. With the final release rapidly approaching, we thought
now would be a good time to take a look at what's coming in PC-BSD, a
relatively new BSD distribution based on FreeBSD. It's specifically
designed for desktop users, and offers a GUI installer that makes it simple
for any user to install."
Comments (none posted)
O'ReillyNet
takes
a look at Metrix Pebble. "
Metrix Pebble is a variant of the
popular Pebble Linux distribution supported by my wireless company, Metrix
Communication. Although it is built on the framework laid down in the
original Pebble, Metrix Pebble is very different from its aging progenitor
in many important respects."
Comments (none posted)
Page editor: Rebecca Sobol
Development
John the Ripper
is a general purpose password cracking application:
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
Version 1.7 of John
was announced
on February 9 by Solar Designer:
"John the Ripper became a lot faster, primarily at DES-based hashes.
This is possible due to the use of better algorithms (bringing more
inherent parallelism of trying multiple candidate passwords down to
processor instruction level), better optimized code, and new hardware
capabilities (such as AltiVec available on PowerPC G4 and G5 processors)." This is the first release that is not considered
a development snapshot.
Version 1.7 of John also adds better use of x86 MMX hardware,
improved vectorization support, an event
logging framework, new build targets, and more.
Compiling a working version of John was a simple matter of downloading
the source code, reading the installation documentation, and running
a make command with the specified computer architecture.
The passwd file and shadow file, with the encrypted passwords, were
combined into a working password file using the supplied unshadow
command. John was then run with the unshadowed password file.
Decryption is a compute-intensive operation, it would be
advisable to run John on the fastest system you have access to, and import
password files to that machine.
I did a test run John on my new 3Ghz Athlon 64 Lini box,
it quickly spit out the default password for the default gvuser
account, then proceeded to crank heavily (near 100% cpu utilization)
for a long time with no further output. John had amassed nearly an
hour of CPU time by the time I finished this article.
John should be considered an important utility for any systems
administrator's collection of tools. It found a weak password on
my system (since changed) and will be useful for testing other
password files for weak points. Administrators with Internet-exposed
or otherwise accessible machines would be advised to give this handy
utility a spin.
Comments (9 posted)
System Applications
Clusters and Grids
Release 2.0.3 of Linux-HA, a cluster management system, is out.
"
There are many fixes, and for the first time ever, a GUI! This new
release also provides support for monitoring by Common Information Model
(CIM) agents."
Full Story (comments: none)
Database Software
Version 2.00 Beta 2 of the Firebird database
has been announced.
"
Firebird 2 contains a large number of new features, including derived tables, support for Execute Block, increased table sizes, new improved index code (the 252-byte index length limit is no longer applicable), expression indices, numerous optimiser improvements, enhanced security features, support for on-line incremental backups, new international language support, along with numerous other improvements and bug fixes."
Comments (none posted)
Version 5.1.6-alpha of the MySQL database is available.
"
This is a new alpha development release, adding new features and
fixing recently discovered bugs."
Full Story (comments: none)
PostgreSQL version 8.1.3
has been announced.
"
PostgreSQL minor version 8.1.3 has been released, containing a patch for a serious security issue present in the 8.1 branch. All users of 8.1 are urged to upgrade at the earliest opportunity.
Minor versions 8.0.7, 7.4.12, and 7.3.14 are being released at the same time as well. These contain only minor bug fixes to the 8.0, 7.4 and 7.3 versions and can be upgraded on a more planned schedule, unless of course you are encountering one of the bugs described."
Comments (none posted)
The February 12, 2006 edition of the PostgreSQL Weekly News
is online with new PostgreSQL articles and resources.
Full Story (comments: none)
LDAP Software
Version 0.9 of LAT, the LDAP Administration Tool,
has been announced, it features several new capabilities.
Full Story (comments: none)
Libraries
Version 0.9.4 of Oggz, a C library for working with Ogg files and streams,
is available with several new capabilities and bug fixes.
"
Oggz comprises liboggz and the command-line tools oggzinfo, oggzdump,
oggzdiff, oggzmerge, oggzrip, oggz-scan and oggz-validate."
Full Story (comments: none)
Mail Software
Dada Mail version 2.10.6
has been released.
"
Dada Mail is an intuitive, web-based e-mail list management system, which runs on any hosting account that can execute custom CGI scripts. Dada Mail is also a conceptual art project
This version of Dada Mail includes many new features, including a screen caching scheme, to allow often-used and resource-intensive HTML web screens to be cached to be shown again, instead of relying on redundant processing of the same information."
Comments (none posted)
Networking Tools
Version 4.3p2 of OpenSSH has been released.
"
This is a release of Portable OpenSSH only, to resolve some
portability bugs. There are no new features, only fixes".
Full Story (comments: none)
Security
Version 0.14 of Sussen, a tool for checking vulnerabilities and
configuration issues on computer systems, has been announced.
Changes include an improved OVAL interpreter, bug fixes and code cleanup.
Full Story (comments: none)
Web Site Development
Version 3.2.7 of
mod_python,
the Apache Python language extension, is out. See the
online documentation for information on this version.
Comments (1 posted)
Version 4.0 of TWiki, a Perl-based wiki application,
has been announced.
"
TWiki.org today announced version 4.0 of its popular enterprise collaboration platform TWiki. Code-named Dakar, the structured wiki features highly-requested features including a WYSIWYG (what-you-see-is-what-you-get) editor, an enhanced security model, and a REST (representational state transfer) interface, among others."
Comments (none posted)
Frank Wiles
shows how to debug mod_perl applications on O'Reilly.
"
Because of the added complexity of being inside of the Apache web server, debugging mod_perl applications is often not as straightforward as it is with regular Perl programs or CGIs. Is the problem with your code, Apache, a CPAN module you are using, or within mod_perl itself? How do you tell? Sometimes traditional debugging techniques will not give you enough information to find your problem.
Perhaps, instead, you're baffled as to why some code you just wrote is running so slow. You're probably asking yourself, "Isn't this mod_perl stuff supposed to improve my code's performance?" Don't worry, slow code happens even to the best of us. How do you profile your code to find the problem?
This article shows how to use the available CPAN modules to debug and profile your mod_perl applications."
Comments (none posted)
Desktop Applications
Audio Applications
Version 0.90 of CLAM is out with numerous enhancements.
"
CLAM is a framework for research and application development
in the Audio and Music Domain. It offers a conceptual model
as well as tools for the analysis, synthesis and processing
of audio signals."
Full Story (comments: none)
Version 1.4.5rc1 of JACK Rack, a virtual patch panel for the JACK
Audio Connection Kit, is out with several new features and bug fixes.
Full Story (comments: none)
Desktop Environments
Version 2.12.3 of the GNOME desktop environment has been announced.
"
We are pleased to announce the release of Gnome 2.12.3, the final
release in the 2.12 series of Gnome."
Full Story (comments: none)
Version 2.12.3 of GARNOME, the bleeding edge GNOME distribution,
has been announced.
"
Incorporating
the GNOME 2.12.3 Desktop and Developer Platform (the final release in
the 2.12 series), together with a host of third-party GNOME packages,
Bindings and the Mono(tm) Platform -- this release irons out yet-more
bugs, hopefully adds yet-more stability and ships with the latest and
greatest stable releases."
Full Story (comments: none)
Rodney Dawes has made a new branch of gnome-icon-theme for GNOME 2.14.
"
I have just branched gnome-icon-theme for gnome-2-14, from an earlier
date in the 2.13 cycle, where the changes to follow the naming spec have
not yet been implemented. A couple of fixes and a new icon used by the
search functionality added to Nautilus in 2.14, are still in however."
Full Story (comments: none)
The GNOME release team has announced its GNOME 2.14 module plans.
Take a look for the status of gnome-power-manager,
libnotify/notification-daemon, gnome-screensaver, and more.
Full Story (comments: none)
GnomeDesktop
covers
the release of Compiz.
"
Compiz, the OpenGL window/composite manager, has been released following David Reveman's talk at XDevconf yesterday.
"Compiz is an OpenGL compositing manager that use GLX_EXT_texture_from_pixmap for binding redirected top-level windows to texture objects. It has a flexible plug-in system and it is designed to run well on most graphics hardware.""
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The first Technical Working Group for KDE has
been elected. "
This
initial Working Group is elected for a period of six months. After this
period an evaluation of the Working Group will take place. If it proves
successful, elections will take place once every year. The group will help
the hundreds of KDE developers in reaching technical decisions. Read on to
learn about the members of the first Technical Working Group." The
members of the working group are David Faure, Dirk Müller, George Staikos,
Gunnar Schmidt, Lubos Lunak, Stephan Kulow and Thiago Macieira.
Comments (none posted)
KDE.News
covers
the contribution of Polish translations to KDE by Mandriva.
"
The Polish department of Mandriva has contributed over 100 files of documentation translations to the Polish localisation team. The commits (1, 2) are made up of over 8000 messages. This allows Polish people to get an even better experience when using KDE in their native language."
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
Electronics
Development version 3.6.4 of
XCircuit,
an electronic schematic drawing package, is out with several bug fixes.
Comments (none posted)
Financial Applications
GnuCash 1.9.0 has been released. Do note that this is an unstable,
development release; best not to apply it to your important financial
decisions quite yet. But it's important because it's the long-awaited,
first GTK2-based GnuCash release. Congratulations to the GnuCash
developers for reaching this milestone, and let's hope that it stabilizes
quickly.
Full Story (comments: 9)
Games
Version 0.8.2 of ScummVM, a cross-platform interpreter for point-and-click
adventure game engines,
is available.
"
Due to a bug discovered in 0.8.1, which rendered Broken Sword 2 unplayable, we're forced to release ScummVM 0.8.2 "Broken Broken Sword 2". Also, we used this opportunity to fix the WinCE builds, as well as the MacOS X bundle."
Comments (none posted)
GUI Packages
Release candidate 1 of wxWidgets 2.6.3, a cross-platform GUI package,
is available.
Changes include:
"
Support for Windows Mobile devices * enhanced GTK+ 2 support * XRC resource system compiled as standard * radical overhaul of the Mac OS X port * replacement build system, Bakefile * better integration with STL * a CppUnit-based test suite * sizer improvements * new Gnome printing features * ODBC enhancements such as BLOB support and Unicode support on Windows * wxTaskBarIcon support on Mac OS X and Linux as well as Windows * arbitrary shapes for top-level windows * flicker reduction on Windows * better theme support * alpha channels for images * Compilation of the wxMSW port on Unix using Winelib * plus many API enhancements and bug fixes to existing classes."
Comments (none posted)
Interoperability
The February 10, 2006 edition of
Wine Traffic is online with coverage of
the Wine project. Topics include:
Wine 0.9.7 & CXO for Linspire, Eating Dogfood, MP3 Decoding,
Demangling Symbols and Winelib & Easy Distribution.
Comments (none posted)
Mail Clients
Stable version 7.91 of MH-E, an EMACS interface to the MH mail system,
has been announced.
The
source notes contain the change information:
"
Version 7.91 is the second 8.0 beta release and fixes several bugs
that were uncovered in wider testing."
Comments (none posted)
Music Applications
The Fastbreeder audio synthesizer project is taking a new approach
to generating sounds.
"
Fastbreeder is essentially a 4 button synth. The idea is to grow code by
choosing from a range of automatically generated variations of functions,
you don't have to know how they work, but each function creates a sound
which can be selected by you. The following generation is then created
containing mutants of your chosen sound. You can refine and develop the
sound just by auditioning and choosing the best one each time."
Full Story (comments: none)
Peer to Peer
Version 2.4.0.0 of Azureus, a cross-platform java BitTorrent client,
has been announced.
"
This release has many new features and improvements including:
Encrypted/Obfuscated data transfer, High speed LAN transfer and
Improved download algorithm."
Comments (none posted)
Science
Stable version 0.9.0 of BioImageXD
is available.
"
BioImageXD - Free and open source software for analysis, processing and 3D rendering of multi dimensional microscopy images. It uses free software such as Python, wxPython, VTK, and is a free replacement for very expensive commercial 3D microscopy analysis and visualisation software BioImageXD is a collaborative open source free software project, designed and developed by microscopists, cell biologists and programmers from the Universities of Jyväskylä and Turku in Finland, and collaborators worldwide."
Comments (none posted)
Web Browsers
MozillaZine
points to
a weblog entry by Firefox hacker Ben Goodger about memory usage in Firefox 1.5. "
What I think many people are talking about however with Firefox 1.5 is not really a memory leak at all. It is in fact a feature.
To improve performance when navigating (studies show that 39% of all page navigations are renavigations to pages visited < 10 pages ago, usually using the back button), Firefox 1.5 implements a Back-Forward cache that retains the rendered document for the last few session history entries. This can be a lot of data. It's a trade-off. What you get out of it is faster performance as you navigate the web."
Comments (42 posted)
MozillaZine
considers ideas from Mozilla Bloggers about the review of
browser extensions.
"
Several Mozilla Bloggers have recently expressed concerns about the review
process for extensions at addons.mozilla.org. David Baron feels that crashes and memory leaks caused by extensions could change user perception of quality of Mozilla products as a whole. Unlike the Mozilla source code, extensions do
not benefit from an extensive community review process."
Comments (none posted)
The minutes from the February 7, 2006 Firefox Team Status Meeting
have been announced.
"
Issues discussed include status updates on planned Firefox 2
features, schedule revisit calling for a 2 week slip, decision to use
dev-apps-firefox as the newsgroup/mailing list for discussion of development
issues and action items for the upcoming alpha1 release."
Comments (none posted)
The minutes from the February 6, 2006 mozilla.org staff meeting
have been announced.
"
Issues discussed include Firefox 1.5.0.1 Feeback, Upcoming
Releases, Firefox 2, Personnel and Marketing."
Comments (none posted)
Miscellaneous
Version 0.10.0 of Gourmet, a cross-platform recipe management application,
has been announced.
"
Gourmet 0.10.0 involves a major rewrite of the database backend. Import is much faster now and we do much better with large databases. Update from old versions should be safe (we won't clobber the last database) but requires a bit of magic that isn't easy to package up nicely. So we're holding off on installers (.deb, .rpm, .exe) for the time being. "
Comments (none posted)
Version 1.1.0 of Roundup, an Issue Tracker application,
has been announced. Changes include new features and some bug fixes.
Full Story (comments: none)
Languages and Tools
Caml
The February 7-14, 2006 edition of the Caml Weekly News is out with new
Caml language articles.
Full Story (comments: none)
Java
Guy Pardon
discusses the operation of J2EE code without a server in an O'Reilly
article.
"
Thanks to modern notions like inversion-of-control (IoC) and aspect-oriented programming (AOP) represented in lightweight containers like the Spring framework, the programming model for J2EE can be made a lot simpler and more elegant. Nevertheless, even with these tools, the application server still remains an important source of complexity and cost. This article proposes a further simplification of J2EE, by showing a way to eliminate the overhead of the runtime platform: the application server. In particular, this article shows that many applications no longer need an application server to run."
Comments (none posted)
PHP
The
PHP Weekly Summary for February 13, 2006 is out. Topics include:
SOAP bug?, pecl/spread, Standalone module build, Unsigned integers,
The taming of the shrew, OSCON 2006, API docs, JANI missing from core,
Iterator API change and Magic cmd /s.
Comments (none posted)
Python
Stable version 1.1 of
PyInstaller
has been released.
"
PyInstaller is a program that packages Python programs into stand-alone executables, under Windows, Linux and Irix. This is similar to the famous py2exe, but PyInstaller works with any version of Python since 1.5, it builds smaller executables thanks to transparent compression, it is multi-platform (so you can build one-file binaries also under Linux), and use the OS support to load the dynamic libraries, thus ensuring full compatibility."
See the
Change Log file for release details.
Comments (none posted)
Version 1.0.4 of python-openid, a Python language OpenID library,
has been announced. This is a maintenance release, it features bug
fixes and other improvements.
Full Story (comments: none)
Version 0.9.0-pre1 of Urwid, a curses-based UI library for Python,
is out.
"
This is a development release intended only for those interested in working
with the new Layout classes and those who want to help improve UTF-8
support."
Full Story (comments: none)
Linux Journal presents
part 3
in a series on learning Python by Collin Park. The series
covers the creation of a Sudoku puzzle game.
"
ow it's time for this new Python user to do the hard work--code the program
to fill in the blanks of Sudoku puzzles."
Comments (none posted)
The February 13, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Christopher Roach
works with decision trees with Python in an O'Reilly article.
"
This article introduces a popular and easy-to-use datamining tool called a decision tree that should help you solve your marketing dilemma.
Decision trees are a topic of artificial intelligence. More specifically, they belong to the subfield of machine learning. This is due to their ability to learn--through example--to classify individual records in a data set."
Comments (none posted)
Ruby
The February 12th, 2006 edition of the
Ruby Weekly News looks at the latest discussions
from the ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The February 14, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Nuxeo has released the code for an XForms engine for SWT
and Eclipse.
"
This engine will be used in the Apogee project recently submitted as a
proposal to the Eclipse Foundation. Apogee aims at building a framework
to create ECM-oriented desktop applications, independent from vendor or
technologies. This framework could be used to create applications that
will be integrated with Documentum, Interwoven, Nuxeo CPS or any ECM
platform."
Full Story (comments: none)
Joshua Tauberer
uses XML to track US government legislation in an O'Reilly article.
"
No matter where you fall in debates over free software or DRM, there's one type of information that is unarguably meant to be free, and that's information about our government. The more knowledge citizens have about government the better. So how can we use XML and the Semantic Web to make it easier to get that knowledge, and to foster civic participation?"
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Here's
a BBC
article describing British concerns about the (DRM-inspired) encryption
features in the upcoming Windows release. "
Windows Vista is due to
be rolled out later this year. Cambridge academic Ross Anderson told MPs it
would mean more computer files being encrypted. He urged the government to
look at establishing 'back door' ways of getting around encryptions. The
Home Office later told the BBC News website it is in talks with
Microsoft." That's the sort of thing that could inspire interest in
free software desktops.
Comments (15 posted)
Groklaw has
an
article by David A. Wheeler on the openness of the open document
format. "
But is OpenDocument really an open standard, or not? For
example, can anyone implement it? Was its development process completely
controlled by a single party (which would not be open), or is there
evidence that it's a consensus result by many? It's generally accepted that
OpenDocument is an open standard, but recently I've been told that some
people are claiming otherwise. So let's figure out what the criteria are
for an open standard, and then see if OpenDocument meets those
criteria."
Comments (11 posted)
Trade Shows and Conferences
Groklaw has
a report
from SCALE, the Southern California Linux Expo. "
The first day
of the Southern California Linux Expo was dedicated to the Open Document
Format. All of the speakers at the workshop stressed the importance of an
Open Standard to achieve vendor-independence and create conditions where
innovation and competition can flourish. Peter Quinn, the former CIO of
Massachusetts, opened the workshop with a summary of the events that
surrounded the Massachusetts decision to standardize their document
formats."
Comments (none posted)
The SCO Problem
Groklaw
covers the latest movement in the SCO case.
"
Well, *now* SCO's really gone and done it. They got used to IBM's restraint, I guess, and told a story to the Utah court, and now they are being called on it. First, we saw Oracle dispute SCO's story about the subpoenas in its motion to quash in California, and now Intel has filed in Utah a Nonparty Intel's Response to SCO's Motion For Leave to Take Certain Prospective Depositions, and they are hopping mad. Mad enough to tell Judges Kimball and Wells that what SCO said about Intel is "unfair and untrue": Although Intel takes no position on whether SCO's Discovery Extension Motion should be granted, Intel is compelled to respond to SCO's misrepresentations about Intel's conduct."
Comments (3 posted)
Companies
SearchOpenSource
explores Microsoft's strategies for undermining Linux adoption efforts.
"
Two themes dominate the stories I hear about the tribulations of using and adopting non-Microsoft business desktops: the difficulty in finding compatible hardware and the stranglehold Microsoft Word has on users. In the last week, IT pros have shared their experiences with these two adoption inhibitors. They're representative of other stories I've heard."
Comments (11 posted)
ZDNet
reports
that Gentoo founder Daniel Robbins has quit his job at Microsoft.
"
Robbins told ZDNet UK in an e-mail Monday that he decided to leave
because he was not able to use all his technical skills in his
role."
Comments (8 posted)
ZDNet
reports on some changes at XenSource. "
Although Xen's influence has been spreading, making a business out of the software is a different challenge. Although IBM, Hewlett-Packard and other industry allies are helping XenSource to improve the Xen foundation, they become potential competitors when it comes to selling management tools such as XenSource's XenOptimizer."
Comments (none posted)
Linux Adoption
Fox News
looks at the adoption of Linux by non technical users.
"
Danny and Linda Lee, who are both in their mid-50s, know as much about computers as they do about gangsta rap.
Yet Mr and Mrs Lee's computer at their home in Bedhampton, Hampshire, England, doesn't run Microsoft Windows. Nor is it a newbie-friendly Mac.
"I gave my parents a machine running Linux, and they know no different," says their son Wayne."
(Thanks to Peter Masiar.)
Comments (5 posted)
Linux at Work
LinuxDevices has
a brief look at
the Meshnode router. "
The Meshnode router includes two WiFi
radios, and supports mesh configurations based on OLSR (optimized link
state routing). Because it runs a normal Debian Linux distribution, the
device might be a good platform for WiFi hackers and developers interested
in running fairly full Linux environments." More information can be
found on
meshnode.org.
Comments (5 posted)
Legal
Groklaw
presents
an article by Roy Bixler entitled
Digital Copyright Issues in
Academic Publishing. "
As technology affects publishers of all
kinds, whether the medium is video, audio or print, it is interesting to
see how the publishers adapt to the changing environment. The primary
challenge lies with the ease of making digital copies of works and the
implications that has for the application of copyright law. Laws like the
Digital Millienium Copyright Act in the US, which enforce technical
restrictions on making copies, are well-known and are primarily associated
with the music and film industries. However, due to the market failure of
e-books, technological change has not been as quick to affect the print
medium."
Comments (1 posted)
Groklaw
looks at
the agenda for a for Public Meeting of the US Patent & Trademark
Office and the Open Source Software Community. "
The USPTO has
posted the day's agenda for the February 16th meeting regarding the Open
Source as Prior Art and Open Patent Review initiatives. It begins at 10 AM
and runs until 2 PM. Directions. You can't just show up, though, and be
sure of getting in. You must register by email to guarantee a seat. The
Open Source as Prior Art segment begins at 10:15, so please don't be
late. That is the one I am most interested in hearing about. One of the
things listed for that segment is the following goal: "Identify interest
and resources for ongoing effort." The Patent Review segment is at
11:15."
Comments (1 posted)
Interviews
KDE.News
looks at Kalzium,
KDE's interactive periodic table, and points to a People Behind KDE
interview with Carsten
Niehaus. "
I am the main author and maintainer of Kalzium, KDE's
periodic table of the elements. I have also represented KDE at several
exhibitions, for example last year I was at Systems, LinuxTag, Wikimania
and LinuxInfoTag Dresden."
Comments (none posted)
Resources
NewsForge
takes
a look at calendaring software. "
A number of high-profile open
source applications use CalDAV, chief among them the Mozilla Calendar
project. Given its association with the Mozilla suite, it is likely the
most widely deployed and tested CalDAV client. The Calendar extensions for
Firefox and Thunderbird, the standalone Sunbird calendar app, and the
in-progress Mozilla Lightning groupware client are cross-platform and all
support CalDAV."
Comments (none posted)
Linux Journal
looks at
Ethereal for network analysis. "
Besides basic monitoring,
Ethereal offers a lot of analyzing options. In my example at the start of
this article, I could have used a filter to pull out the expected
traffic. For example, adding tcp.port != 80 to the filter window and
clicking the Apply button would have excluded any port 80 (HTTP) traffic
from the display." Originally published in Linux Gazette issue 98.
Comments (3 posted)
For those who say that Linux doesn't have good application support,
Linux.com
covers
several diet and nutrition applications that run on Linux. "
Fitday
calculates your basic caloric needs from your weight and activity levels,
and displays graphs to show your progress (or lack of progress). There's
also a database of fitness activities from which to choose; enter your
activity and the length of time you performed it, and Fitday calculates the
calories burned. Now if I could only find a Linux program that cooks the
food...." ...and cleans the kitchen.
Comments (1 posted)
Linux.com
uses
MultiTail to follow log files. "
Troubleshooting often involves
having to watch logfiles in real time. That means using tail or a similar
utility to see new messages that are added to a logfile by Apache, MySQL,
X.org, or whatever program you're trying to deal with at the time. While
tail is usually readily available on *nix systems, I prefer to use
MultiTail whenever possible. It has some features that you won't find in
tail, such as filtering and a color display, and MultiTail allows you to
follow the output from a command as easily as following a logfile."
Comments (1 posted)
Reviews
The EFYTimes
looks at the
release of Akshar Naveen on Linux (ANL), a multilingual office suite
(English, Hindi, Bangla, Gujarati and Punjabi) using the open document
format. "
Akshar Naveen on Linux comes loaded with features, such as
independent office suite including text editor, spreadsheet, presentation,
HTML editor, drawing and database. It is compliant with ODF and Unicode
formats. ANL incorporates an enhanced dictionary, e-mail facility,
different keyboard settings, a number converter, an inbuilt PDF converter
and database support. It facilitates Indian language web publishing as
well."
Comments (none posted)
NewsForge
reviews the Chandler 0.6 release. "
Manipulating calendar events in Chandler is exceptionally fluid. Events are represented as colored blocks that can be stretched, compressed, or dragged and dropped with the mouse, each change automatically updating the start and end times. You interact with calendar events as if they were tangible objects, which is a tremendous boon. This is the first calendar application to implement this behavior usably in Linux."
Comments (none posted)
Tom Adelstein
looks at FreeNX on O'Reilly.
"
Imagine X server technology with compression so tight that GNOME and KDE sessions yield impressive response times when run over modems with SSH encryption. FreeNX is an addition to the remote desktop line with stunning performance. Thin clients use small amounts of bandwidth while handling audio and video, printing, and other heavy applications, and permit the use of session suspension instead of termination. As long as you wish to primarily use Linux, FreeNX provides real virtual KVM switches without hardware."
Comments (none posted)
PC World
examines
the issues of getting Linux to run on the new Macs. "
Moshe Bar, a
technology entrepreneur, said he has been able to run both FreeBSD Unix and
Debian Linux on a new Mactel machine using virtualization software from
XenSource, which he co-founded. But Apple's protectiveness of its hardware
specs has so far prevented Bar from getting the graphics, sound or Wi-Fi to
work."
Comments (8 posted)
Miscellaneous
NewsForge
follows the progress of Gnash, an open-source player for Adobe
Shockwave/Flash files.
"
Gnash currently works as a standalone application, implementing almost all of Flash 7. The project is developing a test suite to ascertain what remains to be done, and Savoye hopes the suite will prove valuable to other free Flash implementations as well.
Adapting the standalone player into a Mozilla/Firefox plugin is more challenging, Savoye says. Although detailed resources are available for developers creating browser extensions, Savoye reports that there is little documentation for plugin creators."
Comments (29 posted)
Tim Marsland
introduces
OpenSolaris on Xen in his weblog. "
We wanted to start the
conversation with working code. So we have a snapshot of our development
tree for OpenSolaris on Xen, synced up with Nevada build 31. That code
snapshot should be able to boot and run on all the hardware that build 31
can today, plus it can boot as a diskless unprivileged domain on Xen
3.0. While we were in our final approach to this release, we got live
migration to work too, which is one of the key features we've been working
on." (Thanks to Eric Boutilier)
Comments (4 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has sent out a press release that
recommends avoiding the latest version of Google Desktop.
"
San Francisco - Google today announced a new "feature" of
its Google Desktop software that greatly increases the risk
to consumer privacy. If a consumer chooses to use it, the
new "Search Across Computers" feature will store copies of
the user's Word documents, PDFs, spreadsheets and other
text-based documents on Google's own servers, to enable
searching from any one of the user's computers. EFF urges
consumers not to use this feature, because it will make
their personal data more vulnerable to subpoenas from the
government and possibly private litigants, while providing
a convenient one-stop-shop for hackers who've obtained a
user's Google password."
Full Story (comments: none)
The Electronic Frontier Foundation has announced a challenge to
a Clear Channel Communications patent.
"
The Electronic Frontier
Foundation (EFF)
filed a challenge Monday to an illegitimate patent from
Clear Channel Communications. The patent -- for a system
and method of creating digital recordings of live
performances -- locks musical acts into using Clear Channel
technology and blocks innovations by others."
Full Story (comments: none)
The Free Software Foundation has sent out an update on the GPLv3 process.
High points include the availability of a video stream from the opening
session of the GPLv3 conference (where Eben Moglen walked attendees through
the new text) and a defense of the anti-DRM provisions.
Full Story (comments: 71)
The FSFE and FRK have announced a partnership.
The Free Knowledge Foundation / Fundación Conocimiento Libre (FKF) and
Free Software Foundation Europe (FSFE) are proud to announce their new
official associate status, working together for the promotion and
protection of Free Software in Spain."
Full Story (comments: none)
The gpl-violations.org project has sent out
a press release on a successful effort to bring an Austrian company (which provides systems for the Austrian health system) into GPL compliance. "
According to gpl-violations.org, SVC B.u.E. GmbH used GPL licensed software,
including Linux, in the Software running on the "GINA" (Gesundsheits
Informations Netzwerk Adapter). 'GINA' is installed at every doctor's clinic
and acts as a gateway between the Health Information Network and the clinic."
Comments (none posted)
KDE.News
mentions
the release of the latest KDE e.V. quarterly report.
"
KDE e.V. has released its second quarterly report covering the activities of KDE's legal body for the last three months. This quarter saw the first meeting of the new KDE e.V. board and of course the creation of the Technical Working Group."
Comments (none posted)
Commercial announcements
ACCESS Co., Ltd., and its wholly owned subsidiary, PalmSource, Inc. have
announced
the latest evolution of Palm OS for Linux, the ACCESS Linux Platform,
tailored for smartphones and mobile devices.
Comments (2 posted)
BEA Systems, Inc. has
announced
that it will open source a significant portion of BEA Kodo, its persistence
engine, under the name Open JPA. "
Today's announcement will benefit
all Java users, particularly those who prefer to develop using a blended
model of commercial software and open source frameworks."
Comments (2 posted)
BitRock has announced the release of a new version of LAMPStack.
"
BitRock LAMPStack 2.0 is an update to BitRock's integrated, easy to
install LAMP distribution. The new, freely available LAMPStack includes
Apache, PHP, MySQL, Python, phpmyadmin and supporting libraries."
Full Story (comments: none)
Boingo Wireless Inc. has
announced that the Boingo's Wi-Fi toolkit will be used in
E28 Limited smartphones.
"
E28 Limited, a pioneer in Linux-based smartphones, and Boingo Wireless Inc., a leading Wi-Fi service provider for business travelers, today announced plans to incorporate Boingo's Wi-Fi toolkit for handsets into E28's line of dual-mode smartphones. The dual-mode smartphones will include roaming authentication to Boingo's 25,000 Wi-Fi hot spots worldwide to enhance Internet access options and
provide high-bandwidth, low-cost alternative networks for broadband
applications such as VoIP and streaming media."
Comments (none posted)
Levanta and OSDL have put out
a press release announcing the results of a Linux v. Windows study. Surprisingly, this one comes out in favor of Linux. "
'Get the Truth on Linux Management' concludes that in many cases, Linux is
likely to be a significantly less expensive platform to acquire and manage
than Windows. Respondents indicated that the average resource costs
(salaries, training, and support) are no longer significantly higher than
Windows and that the management of Linux is of minimal concern when
considering the overall TCO." Those wanting to skip the release can go straight to
the executive summary or
the full report [PDF].
Comments (13 posted)
Linux Networx has
announced its largest supercomputer order.
"
Linux Networx, the Linux
Supercomputing Company, announced today that the Department of Defense (DoD)
High Performance Computing Modernization Program (HPCMP), has placed the
largest single order for Linux Supercomputers in the company's history. The
DoD purchased five supercomputers from Linux Networx including three Advanced
Technology Clusters (ATC's) and one LS-1 for the Army Research Laboratory
(ARL) Major Shared Resource Center (MSRC), and an additional LS-1 for Dugway
Proving Ground."
Comments (none posted)
The Linux Professional Institute has issued over 30,000
LPI Certifications.
"
This milestone clearly demonstrates the growing demand for a solid base
of highly skilled and certified Linux professionals. It is also further
evidence of the value of a vendor-neutral Linux certification to the
enterprise environment where such a concrete demonstration of skills and
knowledge is a necessity," said Jim Lacey, President and CEO of the
Linux Professional Institute."
Full Story (comments: none)
MySQL AB
has announced the receipt of new funding.
"
MySQL AB, developer of the world's most popular open source database, today announced the completion of an $18.5 million Series C round of financing led by Institutional Venture Partners (IVP), the Menlo Park, California-based venture capital firm. Corporate investors in the round were Intel Capital; Red Hat; SAP Ventures, a division of SAP AG; and Presidio STX, the U.S.-based venture investment subsidiary of Sumitomo Corporation.
MySQL AB will use the proceeds to fund continued growth into the enterprise database market, including new product development as well as expansion of business development, sales and marketing activities."
Comments (none posted)
Oracle has
announced the acquisition of long-time open source database supplier Sleepycat Software. "
Sleepycat Software's Berkeley DB is the most widely used open source
database in the world with deployments estimated at more than 200 million.
Berkeley DB is distributed under a dual license model, i.e. available under a
public license and also available under a commercial license. Well-known open
source projects such as the Linux and BSD UNIX operating systems, Apache web
server, OpenLDAP directory, OpenOffice productivity software, and many others
embed Berkeley DB technology." Terms not disclosed. Also not disclosed is whether there will be any changes in the Berkeley DB licensing terms.
Comments (10 posted)
rPath has announced the general availability of its flagship product,
rBuilder. rBuilder is a platform for creating and maintaining Linux
software appliances. "
rBuilder transforms Linux from being just
another port for application developers to being a strategic element of a
subscription business model."
Full Story (comments: 2)
SGI has
announced
an alliance with GTSI Corp. to grow Linux System Sales in the US
government sector.
"
In a joint effort
to grow revenues from the sale of 64-bit Linux(R) solutions to government agencies at all levels, Silicon Graphics (OTC: SGID) and GTSI Corp. (Nasdaq: GTSI) today announced an agreement establishing GTSI as a front line
government channels supplier providing SGI(R) solutions to federal, state and
local government customers."
Comments (none posted)
STMicroelectronics has
announced a new 802.11g IC for use in cellular phones, Linux
drivers are available.
"
Suitable for enterprise smart phones and consumer multimedia handsets,
this complete WLAN solution provides high-speed power efficient IEEE802.11g
performance without compromising battery life. The compact nature of the
STLC4370 reference design has enabled its design into multiple form-factor
mobile phones including candy bar, compact PDA, and innovative fold-open
keyboard designs."
Comments (none posted)
Sun Microsystems has
announced
that its OpenSPARC initiative has released the UltraSPARC Architecture 2005
and HyperVisor API specifications to help jumpstart the porting of Linux,
BSD and other operating systems, middleware and applications to the
UltraSPARC T1 processor.
Comments (none posted)
Web Software distributor Tecnick.com is switching to an open-source
distribution model.
"
After 5 years of commercial distribution, Tecnick.com has made all its
products Open Source Software by adopting the licensing policy of the
Free Software Foundation. The new business model is
simple, the software is essentially free, customers pay only for
enhancements, services and support."
Full Story (comments: none)
TimeSys has announced the availability of a LinuxLink Subscription for
the Freescale's MPC8548E Communications Processor.
"
LinuxLink by TimeSys(TM) is the first commercial offering to
support the majority of embedded developers who build and assemble
their own commercial-grade custom Linux platform by delivering
on-demand access to continuously-updated processor-optimized Linux and
components, a rich development environment and community support. This
is a significant departure from commercial Linux vendors that dictate
feature sets and release schedules, resulting in platforms that
diverge significantly from the Open Source community."
Full Story (comments: none)
New Books
Syngress has published the book
Penetration Tester's Open
Source Toolkit by Johnny Long.
Full Story (comments: none)
Resources
Mattias Wadenstein mentioned
this overview on how to distribute large projects over the Internet.
"
This is a brief overview on how the Academic Computer Club at Umeå University managed to setup a system that could sustain 2Gbit/s of downloads to the general public for the latest Debian and Ubuntu releases."
Full Story (comments: none)
The February 2006 edition of the
The Globus Consortium Journal is out. This issue covers
Grid and Enterprise Data Management.
Comments (none posted)
Alex Halderman and Edward Felten have published
a retrospective on the SonyBMG rootkit episode [PDF]. "
This paper is a case study of the design, implementation, and deployment of anti-copying technologies.
We present a detailed technical analysis of the security and privacy implications of two systems, XCP and
MediaMax, which were developed by separate companies (First4Internet and SunnComm, respectively) and
shipped on millions of music compact discs by Sony-BMG, the world's second largest record company. We
consider the design choices the companies faced, examine the choices they made, and weigh the consequences of those choices. The lessons that emerge are valuable not only for compact disc copy protection,
but for copy protection systems in general."
Comments (none posted)
Contests and Awards
The Electronic Frontier Foundation is calling for nominations for its 2006
Pioneer Awards. "
Pioneer Awards nominations are open to individuals
or organizations from any country. Nominations are reviewed by a panel of
judges chosen for their knowledge of the technical, legal, and social
issues associated with information technology."
Full Story (comments: none)
Upcoming Events
KDE.News
has announced
the 2006
aKademy-es event.
"
aKademy-es 2006 is scheduled to be a small event for all KDE
users and developers from Spain to attend talks, share experiences, etc. It
will take place in Barcelona from Friday 3rd to Sunday 5th of March."
Comments (none posted)
The
European Common Lisp Meeting 2006
will be held in Hamburg, Germany on April 29-30 2006.
Full Story (comments: none)
pulvermedia and Isen.com LLC has
announced the Freedom-to-Connect summit. The event will be held in
Washington, DC on April 3 and 4, 2006.
"
This two-day summit will bring business, policy and
technology thought leaders to the nation's capital to share their
perspectives, insights and wisdom, thus helping to build a better, more
complete understanding of how policy and technology might evolve together to
create and advance the future of communications and the Internet."
Comments (none posted)
A call for papers has gone out for the Fedora FUDCon Boston 2006
The event takes place in Boston, MA on April 7 after the
LinuxWorld Conference and Expo, submissions are due by February 23.
Full Story (comments: none)
Registration is open for the Gelato ICE: Itanium® Conference
& Expo. The event will take place in San Jose, CA on
April 23-26, 2006.
Full Story (comments: none)
The Linux Users Group of Davis, CA will hold a Linux installfest
on February 18 from 10:00 AM until 6:00 PM.
Full Story (comments: none)
The OpenOffice.org Conference Team is looking for a location for the 2006
OOoCon. "
Vienna, Austria and Lyon, France have been proposed as
locations for the OpenOffice.org Conference 2006 (OOoCon 2006). We invite
you to go to the following web page to submit a vote for your favourite
location."
Vote
here.
Full Story (comments: none)
Xara is sponsoring the Libre Graphics Meeting, the event takes place in
Lyon, France on March 17-19, 2006.
Full Story (comments: none)
| Date | Event | Location |
| February 16, 2006 | Open Source Business
Conference(OSBCWest 06) | (The Argent Hotel)San Francisco, CA |
| February 20 - 21, 2006 | EuSecWest/core06
conference | London, England |
| February 24 - 26, 2006 | PyCon
2006 | (Dallas/Addison Marriott Quorum hotel)Addison, TX |
| February 25 - 26, 2006 | FOSDEM
2006 | (ULB Campus)Brussels, Belgium |
| February 26 - 28, 2006 | OSDC::Israel::2006 | (Netanya Academic College)Netanya,
Israel |
| February 27 - March 3, 2006 | SELinux
Symposium and Developer Summit | (Wyndham Hotel)Baltimore, MD |
| February 28 - March 3, 2006 | Black Hat Europe
Briefings and Training 2006 | (Grand Hotel Krasnapolsky)Amsterdam, the
Netherlands |
| March 3 - 4, 2006 | LinuxForum
2006 | Copenhagen, Denmark |
| March 3 - 5, 2006 | Akademy-es
2006 | Barcelona, Spain |
| March 6 - 9, 2006 | O'Reilly
Emerging Technology Conference(ETech) | (Manchester Grand Hyatt)San Diego, CA |
| March 8 - 10, 2006 | New Orleans Plone
Symposium | (Astor Crowne Plaza)New Orleans, LA |
| March 17 - 19, 2006 | Libre
Graphics Meeting 2006 | (Ecole d'Ingénieurs CPE)Lyon, France |
| March 18 - 19, 2006 | Rockbox
International Developers Conference 2006 | Stockholm, Sweden |
| March 19 - 24, 2006 | Novell BrainShare
2006 | (Salt Palace Convention Center)Salt Lake City, UT |
| March 21 - 23, 2006 | UKUUG Spring
Conference 2006 | Durham, UK |
| March 25, 2006 | Penguin
Day | Seattle, WA |
| March 29 - 31, 2006 | PHP Quebec
2006 | (Plaza Montreal Hotel)Montreal, Canada |
| April 3 - 6, 2006 | Embedded Systems
Conference(ESC) | (McEnery Convention Center)San Jose, CA |
| April 3 - 7, 2006 | CanSecWest/core06 | (Marriott Renaissance Harbourside
hotel)Vancouver, Canada |
| April 3 - 4, 2006 | Freedom To Connect
2006(FTC) | (AFI Silver Theater)Washington, DC |
| April 3 - 6, 2006 | LinuxWorld Conference and
Expo | (Boston Convention and Exposition Center)Boston, MA |
| April 7 - 9, 2006 | Notocaon 3 | (Holiday
Inn Select Cleveland)Cleveland, OH |
| April 11 - 12, 2006 | CELF
Embedded Linux Conference | San Jose, California |
Comments (none posted)
Page editor: Forrest Cook