OSDL has recently released two documents aimed at helping free software
developers who wish to make use of software patents which have been
put into a patent commons. They are (both in PDF format):
The Overview document provides a brief introduction to the legal theory
behind patent infringement and talks about the various ways in which people
can get in trouble for using patented technology. The core bit of advice
would appear to be "know what the covered patent provides and do not go
beyond it." Thus, for example:
Another affirmative act that may serve as a basis for patent
infringement liability is improving on patented technology the
alleged infringer is legally entitled to use, yet the improvements
are already patented.
The paper describes just how easy it is to get into trouble, even when
using technology which, it seems, is covered by a patent which has been
donated to the community:
A patent grants the right to exclude others from a particular area
of claimed technology, but does not confer the right to practice an
invention.... If, for example, Patent A claims a method of using a
particular algorithm with a particular type of processor, and
someone legally entitled to use Patent A tries to improve the
scalability of the algorithm so that it can be used with a second
processor, it is possible that a second patent, Patent B, already
claims this improvement. The result is that someone legally
entitled to use the Patent A must obtain a license to use the
technology claimed in Patent B, and an individual entitled to use
the technology claimed in Patent B must obtain a license to use the
technology claimed in Patent A.
Software patents, in other words, are dangerous territory, and even having the
license to use a particular patented technology does not really mean that
using that technology is safe. But we already knew that.
The developer's guide is similar, in that it advocates understanding what
is truly covered by a patent and not exceeding that patent's claims.
Specifically:
Guideline 3: Developers should only use the technology in the way
described in the pledged patents, staying within the scope of
technology claimed. Developers should not assume that patented
improvements to the technology claimed in the patents have also
been pledged to the Patent Commons. Improvements are, by
definition, distinct from the contributed patents and may, in fact,
already be patented by someone else who has not made a pledge to
the Patent Commons. A search of patents for any improvements (when
you know you want to improve upon a pledged patent) is advisable.
It also suggests being clear on how any patent donation might be terminated
in the future. This can only be good advice; a "patent pledge" which can
vanish in the future is not worth a whole lot.
For developers, however, the best information to be found in these
documents may not be quite what its authors had intended. From the
Overview:
In sum, the more an alleged infringer knows about a patent that is
claiming the technology of a product that she is making, using or
selling, the greater the likelihood that she will be liable for
damages for patent infringement.
Ignorance, sometimes, is bliss. That is why Linus Torvalds discouraged looking at patents
back in 2002:
The fact is, technical people are better off not looking at
patents. If you don't know what they cover and where they are, you
won't be knowingly infringing on them. If somebody sues you, you
change the algorithm or you just hire a hit-man to whack the stupid
git.
The fact of the matter is that all of the discussion in these documents of
"relying on pledged patents" to "innovate safely" is pretty well useless
for developers. A patent pledged for use in free software is much like a
single mine removed from a minefield. It is a good thing, but it does not
make the field much safer to walk across. The existence of the patent
commons does not change the nature of the minefield.
Any developer who tries to "innovate safely" by restricting work to
algorithms covered by pledged patents - while carefully avoiding improving
on those algorithms in any way - will be unable to innovate and will be no
safer. The range of algorithms covered by software patents in the
U.S. (and elsewhere) is astounding; there is no way to write any sort of
non-trivial program without infringing on at least a few of them. The
patent commons will not change that situation in any useful way; it is not
something upon which developers can rely.
Where pledged patents may be more useful is with organizations like the
Open Invention Network (discussed here last week) which can use patents
offensively against those who attack the free software community. But the
real solution is to fix the legal system and - in parts of the world which
do not currently recognize software patents - keep it from becoming
broken. As long as the system empowers and encourages patent trolls, there
will be patent trolls, and a few "maybe safe if you do not try to improve
on them" patents in a patent commons will not discourage them. So, while
the new documents can provide some useful insights into the hazards of
software patents, no developer should, after having read those documents,
feel any safer.
Comments (10 posted)
LWN readers are familiar with Rockbox; this project (which has developed
free firmware for a number of digital audio players) has been mentioned
here several times, and was reviewed in detail last January. Since Rockbox
operates in the sensitive area of media playback, it is not entirely
surprising that the project has managed to attract an unpleasant
cease-and-desist note from an outside party. It is surprising, however,
that the dispute involves jewels.
In particular, the Rockbox developers have received a notice from a manager
at PopCap Games, the makers of "Bejeweled." He came out swinging:
The game PluginJewels, for use on RockBox and available at
http://www.rockbox.org/twiki/bin/view/Main/PluginJewels, is a
blatant copyright violation of Bejeweled, the popular match-three
game owned by my company, PopCap Games, Inc., of Seattle,
Washington, USA. I am writing to you to demand that you remove
PluginJewels from www.rockbox.org and all other sites where users
may download this game for the Rockbox, no later than April 30,
2006. PopCap Games takes seriously all copyright and trademark
violations of our games and, if necessary, we will enforce our
rights to the fullest extent of the law.
The initial reaction is best described as "befuddled"; the "Jewels" game
found in Rockbox contains no code or other materials from PopCap's game, so
it is hard to see where the copyright violation might come from. A subsequent message makes things more clear,
however; PopCap takes issue with the jewel icons used in Jewels. It is,
says PopCap, "obvious that someone on the PluginJewels team ripped
the graphics from one of the Astraware-licensed versions of our
game."
[Figure: jewel icons from Bejeweled (left) and Rockbox (right)]
The figure on the right shows a subsection of the images (provided by
PopCap) meant to back up this claim; Bejeweled appears on the left, Rockbox
is on the right. A quick inspection shows some obvious similarities - the
Rockbox jewels were clearly meant to resemble those from the original game.
But they are just as clearly not identical - the Rockbox jewels have not
been "ripped" from an official version of Bejeweled. In fact, they came
from Gwled, where they were explicitly developed for use with that game.
They are an independent - if imitative - creation.
The message from PopCap makes it clear that the game itself is not a
problem; it states that "non-infringing gem art needs to be
substituted for the infringing gem art." So not only is Rockbox not
threatened, but even the "Jewels" game should be safe. All that is
required is to replace the artwork with something seen as being
non-infringing. Jewels would be the same game if users were matching
penguins, mathematical symbols, or mug shots of SCO executives. But even a
change of that magnitude is not required; PopCap only wants "non-infringing
gem art."
The Rockbox developers have not, as of this writing, decided how they will
respond to this request. None of them seem to think they have actually
infringed upon PopCap's copyrights. But, says Daniel Stenberg:
However, I don't think we'd lose anything by being "soft" and
simply modify our jewels somewhat so that they don't look so
similar to their versions, just to be nice.
That seems like it could be a reasonable solution to the problem. There
appears to be a number of people, however, who oppose making any changes to
appease PopCap. Their position is that Rockbox has done nothing wrong, has
violated no copyrights, and that to give in to this sort of demand would be
an invitation to others who would harass the project with infringement
claims. They would rather tell PopCap to simply take a hike.
A smaller group suggests that, since Gwled provided the artwork under the
GPL, (1) Gwled has stated that it has the right to distribute that
artwork, and (2) PopCap should be sent over to present its claims to
the Gwled developers. There would appear to be little support for the idea
of simply dumping the problem onto another GPL-licensed project, however.
Rockbox may well be in the right on this issue, and it may well be that,
legally, the project is under no obligation to change anything. It may
also well be that the project could find itself having to argue that point
in court. The free software community faces a wide variety of legal
challenges, with others certainly to come in the future. We should pick
our battles carefully. The Rockbox developers will have to make their own
decision in this case; in so doing, they will want to consider whether the
goals of the project are truly served by taking a hard-line stand over a
set of little jewel icons.
Comments (10 posted)
The good folks at ZDNet have been doing their best to stir up the
proprietary driver debate over the last week. Things got started with
this article containing a classic quote:
For Nvidia, intellectual property is a secondary issue. 'It's so
hard to write a graphics driver that open-sourcing it would not
help,' said Andrew Fear, Nvidia's software product manager. In
addition, customers aren't asking for open-source drivers, he
said.
The first part seems better suited to somebody holding a management post at
SCO. Free software developers have created a system which scales from tiny
embedded systems to supercomputers. Their work powers much of the net.
When given the necessary information, free software developers are able to
support new hardware more quickly than anybody else.
But, it seems, they are not up to the task of writing a driver for a
graphics adapter.
It is true that contemporary graphics cards are complicated devices. They
are usually the most powerful processor in the system, and they have all
kinds of strange timing and memory management issues. But the idea that
the developers who built an entire free system would be stymied by the
complexity of a graphics adapter would be insulting if it weren't so
comical.
The claim that customers have not been asking for free drivers is more
discouraging, as many, many Linux users have been very clear about their
wishes for years. Nvidia knows that there is demand for free
drivers out there; it simply chooses to ignore that demand.
Perhaps when Nvidia's real customers - large system integrators - start to
complain, the message will be heard. To that end, those of us who buy
systems need to insist that they come with fully free software. The
vendors who sell "Linux-installed" systems with proprietary drivers,
ndiswrapper, etc. are not really helping. When those vendors understand
that their customers want free systems, they will, in turn, put
pressure on their suppliers.
From there, ZDNet columnist John Carroll was shocked to learn that
Linux lacks a stable kernel API.
ATI may claim that they accept the fluidity of the kernel interface
"as part of our day-to-day responsibilities in Linux," but I bet
that is said through clenched teeth after months trying to get a
driver to work across distributions.
Fragmentation didn't work for old-school Unix. Linux solved the
structural issue by providing a level of consistency made possible
through use of the GPL. It's worth remembering that before
attempting to justify an unjustifiable lack of a consistent Linux
kernel interface.
This discussion misses the point entirely. The way to get a driver to work
across distributions is to get it into the mainline kernel. Then it will
work across distributions - more distributions than any company could ever
support - and across architectures as well. When the company abandons the
driver in favor of next year's products, it will still work. When a
security problem comes up, it will be fixed. And there will be no
"fragmentation" problems.
There are a lot of other reasons for insisting on free drivers - see this article from last November
for a more thorough discussion. There also is no defensible
reason for keeping hardware programming information secret. True competitors will
reverse engineer the hardware anyway, and no hardware company makes its
money by selling device drivers. Hardware manufacturers in many areas have
figured this out, with the result that Linux has outstanding support for
their products. Hopefully the remaining holdout vendors will catch on,
soon, that there is a large and growing market waiting for them.
Comments (38 posted)
Page editor: Jonathan Corbet
Security
The Mozilla Foundation has owned up to a new list of vulnerabilities in its
code; these holes open up the frightening prospect of arbitrary code
execution by remote attackers. Any system running Firefox, Thunderbird,
SeaMonkey, or anything based on the underlying Mozilla components (RSS
aggregators) may be vulnerable, and should be looking for updates. Here's
what has been turned up:
- There is a long list of JavaScript-related vulnerabilities, including
problems with crypto.generateCRMFRequest() (CVE-2006-1728), a
security restrictions bypass vulnerability (CVE-2006-1726), a "cloned
parent" access restriction failure (CVE-2006-1734), and a regular
expression memory corruption bug (apparently no CVE number at the
moment).
- Cascading style sheets account for a couple of problems, including an
integer overflow bug (CVE-2006-1730) and an array overflow
vulnerability (CVE-2006-1739).
- The Extensible
Binding Language (XBL) facility has an access restriction failure
(CVE-2006-1733) and a privilege escalation vulnerability
(CVE-2006-1735).
- Other troubles include "memory corruption via a particular sequence of
HTML tags" (CVE-2006-0749), a DHTML memory corruption bug
(CVE-2006-1724), and "an unspecified vulnerability" in how display
styles are handled.
Disabling JavaScript should protect against the first set of
vulnerabilities, but will do nothing for the rest of them. The only way to
protect against the full set is to update the software; new versions are
available from Mozilla. For distributor updates, see the LWN vulnerability entry.
A list of remotely-exploitable vulnerabilities this long is worrisome,
especially when it refers to a package as popular as Firefox. This browser
has gained millions of users; its reputation for better security is one of
the reasons for this success. But a single, widespread exploit of a
Firefox vulnerability could set things back in a hurry.
Unfortunately, it would seem that such an exploit is bound to happen,
sooner or later. A web browser is a seriously complex piece of code which
is simultaneously exposed to potentially hostile input from the net and
used for tasks requiring a high degree of trust - working with financial
sites, for example. Why should an attacker bother with phishing when a
browser vulnerability can enable the installation of a keystroke logging
"extension"? There can be no doubt that attackers will be tempted by a
potential payoff of that magnitude. We must hope that the security fixes
will continue to reach us ahead of the attackers.
(See also: the CERT advisory for these vulnerabilities).
Comments (7 posted)
New vulnerabilities
bsdgames: buffer overflow
| Package(s): | bsdgames |
| CVE #(s): | CVE-2006-1744 |
| Created: | April 17, 2006 |
| Updated: | April 19, 2006 |
| Description: | A buffer overflow problem has been discovered in sail, a game contained in the bsdgames package, a collection of classic textual Unix games, which could lead to games group privilege escalation. |
| Alerts: | |
Comments (none posted)
fcheck: insecure temporary file
| Package(s): | fcheck |
| CVE #(s): | CVE-2006-1753 |
| Created: | April 17, 2006 |
| Updated: | April 19, 2006 |
| Description: | Steve Kemp from the Debian Security Audit project discovered that a cronjob contained in fcheck, a file integrity checker, creates a temporary file in an insecure fashion. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
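An added example, written for the bzip2 entry above and not taken from bzip2's own sources: it contrasts the racy "close the output, then chmod() it by name" pattern the advisory describes with the descriptor-bound fchmod() alternative, and checks both against a simulated local attacker who swaps the output name for a hard link to a mode-0600 victim file in a scratch directory. The outfile_* helpers, the scratch paths and the "decompressed" data are all constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Output file being produced by a hypothetical decompressor (constructed). */
struct outfile {
    int fd;
    char path[PATH_MAX];
};

/* Create the output exclusively and write the decompressed bytes. */
static int outfile_begin(struct outfile *o, const char *path, const char *data)
{
    snprintf(o->path, sizeof o->path, "%s", path);
    o->fd = open(o->path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (o->fd < 0)
        return -1;
    size_t len = strlen(data);
    if (write(o->fd, data, len) != (ssize_t)len) {
        close(o->fd);
        return -1;
    }
    return 0;
}

/* Racy pattern: close, then set the final mode by name. chmod() resolves
 * the path again, so it acts on whatever that name points to right now. */
static int outfile_finish_by_path(struct outfile *o, mode_t mode)
{
    close(o->fd);
    return chmod(o->path, mode);
}

/* Hardened pattern: set the mode on the open descriptor, then close.
 * fchmod() is bound to the inode that was written, not to the name. */
static int outfile_finish_by_fd(struct outfile *o, mode_t mode)
{
    int rc = fchmod(o->fd, mode);
    close(o->fd);
    return rc;
}

static mode_t mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* One round in a private scratch directory: write the output, let a
 * simulated local attacker replace the output name with a hard link to a
 * mode-0600 victim file, then finish with one of the two patterns.
 * Returns the victim's mode afterwards, or (mode_t)-1 if setup failed. */
mode_t victim_mode_after_finish(int use_fchmod)
{
    char dir[PATH_MAX] = "/tmp/chmodrace.XXXXXX";
    char victim[PATH_MAX], out[PATH_MAX];
    struct outfile o;
    mode_t result = (mode_t)-1;

    if (!mkdtemp(dir)) {
        snprintf(dir, sizeof dir, "./chmodrace.XXXXXX");
        if (!mkdtemp(dir))
            return result;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        goto cleanup;
    close(vfd);
    (void)chmod(victim, 0600);            /* pin the mode regardless of umask */

    if (outfile_begin(&o, out, "constructed decompressed data\n") != 0)
        goto cleanup;

    /* Simulated attacker action inside the window: the name now points
     * at the victim, while the decompressor's descriptor still points at
     * the file it actually wrote. */
    unlink(out);
    if (link(victim, out) != 0) {
        close(o.fd);
        goto cleanup;
    }

    if (use_fchmod)
        outfile_finish_by_fd(&o, 0644);
    else
        outfile_finish_by_path(&o, 0644);

    result = mode_of(victim);             /* 0644 if the chmod landed on the victim */

cleanup:
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod by path: victim mode %04o\n", victim_mode_after_finish(0));
    printf("fchmod on fd:  victim mode %04o\n", victim_mode_after_finish(1));
    return 0;
}
```

The same principle applies to any post-write fix-up (chown, utimes, extended attributes): perform it on the descriptor returned by the exclusive open, not on the path, and do it before the descriptor is closed.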
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
clamav: multiple vulnerabilities
| Package(s): | clamav |
| CVE #(s): | CVE-2006-1614, CVE-2006-1615, CVE-2006-1630 |
| Created: | April 6, 2006 |
| Updated: | April 12, 2006 |
| Description: | The ClamAV anti-virus toolkit has three vulnerabilities: the PE header parser has an integer overflow problem, the logging code has format string vulnerabilities that may lead to the execution of arbitrary code, and the cli_bitset_set() function can be used to create a denial of service. |
| Alerts: | |
Comments (1 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1010 |
| Created: | March 14, 2006 |
| Updated: | April 24, 2006 |
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2006-1061 |
| Created: | March 21, 2006 |
| Updated: | June 28, 2006 |
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. |
| Alerts: | |
Comments (none posted)
dia: buffer overflows
| Package(s): | dia |
| CVE #(s): | CVE-2006-1550 |
| Created: | April 3, 2006 |
| Updated: | May 3, 2006 |
| Description: | Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
doomsday: format string vulnerability
| Package(s): | doomsday |
| CVE #(s): | CVE-2006-1618 |
| Created: | April 6, 2006 |
| Updated: | April 12, 2006 |
| Description: | The doomsday gaming engine has a format string vulnerability that may be utilized by a remote attacker for the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
| Alerts: | |
Comments (1 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0049 |
| Created: | March 13, 2006 |
| Updated: | May 15, 2006 |
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
horde: two remotely exploitable vulnerabilities
| Package(s): | horde |
| CVE #(s): | CVE-2006-1491, CVE-2006-1260 |
| Created: | April 5, 2006 |
| Updated: | April 14, 2006 |
| Description: | Versions of horde prior to 3.1.1 have two vulnerabilities, both of which are remotely exploitable: code execution in the help viewer and an input validation error which could allow read access to arbitrary files. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3527, CVE-2005-3783, CVE-2005-3784, CVE-2005-3805, CVE-2005-3806, CVE-2005-3808 |
| Created: | January 20, 2006 |
| Updated: | April 18, 2006 |

Description: Here's another set of vulnerabilities in the Linux kernel:
Here's another set of vulnerabilities in the Linux kernel:
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap child process in 2.6 kernels prior to 2.6.15 include
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
| Alerts: | |
Comments (none posted)
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
| CVE #(s): | CVE-2006-0042 |
| Created: | March 14, 2006 |
| Updated: | April 18, 2006 |
| Description: | An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2, which can be exploited remotely and cause a denial of service via CPU consumption. |
| Alerts: | |
Comments (5 posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others (e.g. Sparc) it leads to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libimager-perl: denial of service
| Package(s): | libimager-perl |
CVE #(s): | CVE-2006-0053
|
| Created: | April 10, 2006 |
Updated: | April 12, 2006 |
| Description: |
The libimager-perl Perl extension has a vulnerability
in which maliciously created 4-channel JPEG images
can cause a segmentation fault and cause a denial of service.
|
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior
to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses
special parsing routines. These routines can overflow a buffer if passed a
very long URL. If an attacker is able to find an application using libxml2
that parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted FTP URL,
arbitrary code may be executed.
Comments (none posted)
lynx: arbitrary command execution
Package(s): lynx
CVE #(s): CVE-2005-2929
Created: November 14, 2005
Updated: September 14, 2009
Description: An arbitrary command execution bug was found in the lynx
"lynxcgi:" URI handler. An attacker could create a web page redirecting to a
malicious URL which could execute arbitrary code as the user running lynx.
Comments (none posted)
mailman: denial of service
Package(s): mailman
CVE #(s): CVE-2006-0052
Created: March 30, 2006
Updated: June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message in MIME
multipart format is received, mailman delivery can be stopped.
Comments (none posted)
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CVE-2005-4134, CVE-2006-0292, CVE-2006-0296
Created: February 2, 2006
Updated: May 4, 2006
Description: Mozilla has three new vulnerabilities. The Javascript
interpreter has a problem with dereferencing objects: a user can visit a
specially crafted web page which can crash the browser or cause it to
execute arbitrary code. The XULDocument.persist() function has a bug that
can be triggered by viewing specially crafted web sites; RDF data can be
injected into the localstore.rdf file, allowing arbitrary javascript code to
be executed. The Mozilla history saving mechanism is vulnerable to a denial
of service attack: visiting sites with extra-long titles can cause a crash
or very slow startup the next time the browser is run.
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
Package(s): mozilla-thunderbird
CVE #(s): CVE-2006-0884
Created: March 3, 2006
Updated: May 4, 2006
Description: The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and
earlier allows user-complicit attackers to bypass javascript security
settings and obtain sensitive information or cause a crash via an e-mail
containing a javascript URI in the SRC attribute of an IFRAME tag, which is
executed when the user edits the e-mail.
Comments (1 posted)
mplayer: integer overflows
Package(s): mplayer
CVE #(s): CVE-2006-1502
Created: April 10, 2006
Updated: May 1, 2006
Description: MPlayer 1.0pre7try2 has multiple integer overflow
vulnerabilities. Remote attackers can maliciously craft an ASF file or an
AVI file in order to cause a denial of service.
Comments (none posted)
MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging
mechanisms via SQL queries that contain the NULL character, which are not
properly handled by the mysql_real_query function. NOTE: this issue was
originally reported for the mysql_query function, but the vendor states that
since mysql_query expects a null character, this is not an issue for
mysql_query.
Comments (2 posted)
nbd: arbitrary code execution
Package(s): nbd
CVE #(s): CVE-2005-3534
Created: January 6, 2006
Updated: March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device)
server did not correctly verify the maximum size of request packets. By
sending specially crafted large request packets, a remote attacker who is
allowed to access the server could exploit this to execute arbitrary code
with root privileges.
Comments (none posted)
ncpfs: multiple vulnerabilities
Package(s): ncpfs
CVE #(s): CAN-2005-0013, CAN-2005-0014
Created: January 31, 2005
Updated: May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs
bundled with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using
the NetWare client functions insecurely access files with elevated
privileges (CAN-2005-0013).
Comments (none posted)
ntp: uses wrong gid
Package(s): ntp
CVE #(s): CAN-2005-2496
Created: August 26, 2005
Updated: August 11, 2006
Description: When starting xntpd with the -u option and specifying the
group by using a string rather than a numeric gid, the daemon uses the gid
of the user, not the group. This problem is now fixed by this update.
Comments (none posted)
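As an added example (not ntpd's code), here is how a daemon can resolve a -u style user[:group] specification in C so that an explicitly named group is looked up with getgrnam() instead of silently using the user's primary gid, followed by a privilege drop that verifies itself. The names resolve_user_group() and drop_to() are constructed for this example, and the default "root:0" spec in main is a constructed input.

```c
/* Added example, not ntpd's code: resolve "user[:group]" (names or numeric
 * ids) and drop privileges. The bug described above used the user's primary
 * gid even when a group name was given; here a named group is always resolved
 * with getgrnam(), and only a missing group field falls back to pw_gid. */
#define _DEFAULT_SOURCE 1
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True if s is a non-empty string of decimal digits; stores its value in *out. */
static bool parse_numeric(const char *s, unsigned long *out)
{
    if (!isdigit((unsigned char)*s))
        return false;
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Parse spec ("daemon", "ntp:ntp", "123", "123:45") into uid and gid.
 * Returns 0 on success, -1 if the spec is malformed or a name is unknown. */
int resolve_user_group(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256];
    if (snprintf(buf, sizeof buf, "%s", spec) >= (int)sizeof buf)
        return -1;
    char *group = strchr(buf, ':');
    if (group)
        *group++ = '\0';
    if (buf[0] == '\0')
        return -1;

    unsigned long n;
    bool numeric_uid = parse_numeric(buf, &n);
    struct passwd *pw = numeric_uid ? getpwuid((uid_t)n) : getpwnam(buf);
    if (pw)
        *uid = pw->pw_uid;
    else if (numeric_uid)
        *uid = (uid_t)n;          /* a numeric uid without a passwd entry is acceptable */
    else
        return -1;                /* unknown user name */

    if (!group || group[0] == '\0') {
        if (!pw)
            return -1;            /* no group given and no passwd entry to supply one */
        *gid = pw->pw_gid;
        return 0;
    }
    if (parse_numeric(group, &n)) {
        *gid = (gid_t)n;
        return 0;
    }
    struct group *gr = getgrnam(group);   /* the lookup the faulty code skipped */
    if (!gr)
        return -1;
    *gid = gr->gr_gid;
    return 0;
}

/* Drop privileges in the order that works: supplementary groups, then gid,
 * then uid, and verify the result instead of trusting return codes alone. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    const char *spec = argc > 1 ? argv[1] : "root:0";   /* constructed default spec */
    if (resolve_user_group(spec, &uid, &gid) != 0) {
        fprintf(stderr, "cannot resolve %s\n", spec);
        return 1;
    }
    printf("%s -> uid %lu gid %lu\n", spec, (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

The check at the end of drop_to() matters on systems where setuid() can fail silently or partially; a daemon that carries on after a failed drop is exactly the kind of process the advisory describes, running with an identity nobody intended.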
openmotif: buffer overflows
Package(s): openmotif
CVE #(s): CVE-2005-3964
Created: December 29, 2005
Updated: July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of
buffer overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
Comments (none posted)
OpenSSH: double shell expansion
Package(s): openssh
CVE #(s): CVE-2006-0225
Created: January 23, 2006
Updated: July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in
local-to-local and remote-to-remote copy with scp.
Comments (none posted)
openvpn: arbitrary code execution
Package(s): openvpn
CVE #(s): CVE-2006-1629
Created: April 11, 2006
Updated: April 27, 2006
Description: OpenVPN 2.0 through 2.0.5 allows remote malicious servers to
execute arbitrary code on the client by using setenv with the LD_PRELOAD
environment variable.
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description: There are two vulnerabilities in perl when it is used in setuid
mode. The PERLIO_DEBUG environment variable can be used to overwrite
arbitrary files; there is also an associated buffer overflow which can be
exploited to gain root access.
Comments (none posted)
phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417,
CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537
Created: December 22, 2005
Updated: February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a security
check bypass, a remote global variable bypass, cross site scripting
vulnerabilities, an SQL injection vulnerability, a remote regular expression
modification problem, missing input sanitizing, and a missing request
validation problem.
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
Package(s): phpmyadmin
CVE #(s): CVE-2005-4079, CVE-2005-3665
Created: December 12, 2005
Updated: November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in
phpMyAdmin. The $GLOBALS variable allows modifying the global variable
import_blacklist to open phpMyAdmin to local and remote file inclusion,
depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it
is also possible to conduct an XSS attack via the $HTTP_HOST variable and a
local and remote file inclusion because the contents of the variable are
under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Comments (none posted)
plone: unauthorized access
Package(s): plone
CVE #(s): CVE-2006-1711
Created: April 12, 2006
Updated: April 12, 2006
Description: From the Debian advisory: "It was discovered that the Plone
content management system lacks security declarations for three internal
classes. This allows manipulation of user portraits by unprivileged users."
Comments (none posted)
pound: HTTP Request Smuggling Attack
Package(s): pound
CVE #(s): CVE-2005-3751
Created: January 10, 2006
Updated: June 8, 2006
Description: HTTP requests with conflicting Content-Length and
Transfer-Encoding headers could lead to an HTTP request smuggling attack,
which can be exploited to bypass packet filters or poison web caches.
Comments (none posted)
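As an added example (not pound's own code), here is the body-framing check in C that a reverse proxy can run on a request header block before forwarding it. The classify_framing() function and the sample_* requests are constructed for this example. It rejects the conflicting Content-Length/Transfer-Encoding combination the advisory describes, and also two related ambiguities that serve the same purpose: duplicate Content-Length headers with different values, and header names with whitespace before the colon, which one parser may honor and another ignore.

```c
/* Added example, not pound's code: the body-framing check a reverse proxy
 * should run on a request header block before forwarding it. Anything
 * ambiguous is rejected instead of being resolved one way here and another
 * way at the back end, which is exactly the gap request smuggling exploits. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum framing {
    FRAME_NONE,            /* no message body */
    FRAME_CONTENT_LENGTH,  /* a single, consistent Content-Length */
    FRAME_CHUNKED,         /* Transfer-Encoding whose final coding is chunked */
    FRAME_REJECT           /* ambiguous or malformed: answer 400 and close */
};

/* Case-insensitive string equality. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Split one "Name: value" line (len bytes, newline excluded) into name and
 * trimmed value. Rejects a missing colon or whitespace inside the name
 * ("Content-Length : 5"), a form different parsers treat differently. */
static bool split_field(const char *line, size_t len, char *name, size_t nsz,
                        char *value, size_t vsz)
{
    const char *colon = memchr(line, ':', len);
    if (!colon || colon == line)
        return false;
    size_t n = (size_t)(colon - line);
    for (size_t i = 0; i < n; i++)
        if (isspace((unsigned char)line[i]))
            return false;
    if (n >= nsz)
        return false;
    memcpy(name, line, n);
    name[n] = '\0';
    const char *v = colon + 1, *end = line + len;
    while (v < end && (*v == ' ' || *v == '\t'))
        v++;
    while (end > v && isspace((unsigned char)end[-1]))
        end--;
    size_t vn = (size_t)(end - v);
    if (vn >= vsz)
        return false;
    memcpy(value, v, vn);
    value[vn] = '\0';
    return true;
}

/* Classify how the body of the request whose header block is hdr
 * (request line, header lines, blank line) is framed. */
enum framing classify_framing(const char *hdr)
{
    int cl_count = 0, te_count = 0;
    char name[64], value[256], cl_value[32] = "";
    bool chunked_last = false;
    const char *line = strchr(hdr, '\n');        /* skip the request line */
    if (!line)
        return FRAME_REJECT;
    line++;
    while (*line && *line != '\r' && *line != '\n') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (line[0] == ' ' || line[0] == '\t')   /* obsolete line folding */
            return FRAME_REJECT;
        if (!split_field(line, len, name, sizeof name, value, sizeof value))
            return FRAME_REJECT;
        if (ieq(name, "Content-Length")) {
            if (value[0] == '\0' || strlen(value) > 18)
                return FRAME_REJECT;
            for (const char *p = value; *p; p++)
                if (!isdigit((unsigned char)*p))
                    return FRAME_REJECT;
            if (cl_count++ > 0 && strcmp(value, cl_value) != 0)
                return FRAME_REJECT;              /* two different lengths */
            snprintf(cl_value, sizeof cl_value, "%s", value);
        } else if (ieq(name, "Transfer-Encoding")) {
            te_count++;
            const char *last = strrchr(value, ',');  /* the final coding decides */
            last = last ? last + 1 : value;
            while (*last == ' ' || *last == '\t')
                last++;
            chunked_last = ieq(last, "chunked");
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    if (te_count && cl_count)
        return FRAME_REJECT;      /* the conflict described for CVE-2005-3751 */
    if (te_count)
        return chunked_last ? FRAME_CHUNKED : FRAME_REJECT;
    return cl_count ? FRAME_CONTENT_LENGTH : FRAME_NONE;
}

/* Constructed sample requests (not captured traffic). */
const char *const sample_plain =
    "POST /upload HTTP/1.1\r\nHost: proxy.example\r\nContent-Length: 5\r\n\r\nhello";
const char *const sample_conflict =
    "POST / HTTP/1.1\r\nHost: proxy.example\r\nContent-Length: 44\r\n"
    "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
const char *const sample_chunked =
    "POST / HTTP/1.1\r\nHost: proxy.example\r\nTransfer-Encoding: gzip, chunked\r\n\r\n";
const char *const sample_dup_cl =
    "POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n";
const char *const sample_get = "GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n";
```

Rejecting rather than "fixing" the request is the right choice for a proxy: if pound stripped one header and forwarded the rest, its decision would still have to match the back end's, and the advisory's bypass of filters and cache poisoning come precisely from two hops disagreeing about where one request ends and the next begins.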
Py2Play: remote execution of arbitrary Python code
Package(s): Py2Play
CVE #(s): CAN-2005-2875
Created: September 19, 2005
Updated: September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer
game network, and clients accept without restriction the objects and code
sent by peers. A remote attacker participating in a Py2Play-powered game can
send malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Comments (none posted)
scorched3d: multiple vulnerabilities
Package(s): scorched3d
CVE #(s): (none listed)
Created: November 15, 2005
Updated: August 11, 2006
Description: Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash a
game server or execute arbitrary code with the rights of the game server
user.
Comments (none posted)
squirrelmail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CVE-2006-0188, CVE-2006-0195, CVE-2006-0377
Created: February 28, 2006
Updated: June 8, 2006
Description: Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary web pages into the right frame via a URL in
the right_frame parameter. NOTE: this has been called a cross-site scripting
(XSS) issue, but it is different than what is normally identified as XSS.
(CVE-2006-0188)
An interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to
1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks
via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a
newline in a "url" specifier, which is processed by certain web browsers
including Internet Explorer. (CVE-2006-0195)
A CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary IMAP commands via newline characters in the
mailbox parameter of the sqimap_mailbox_select command, aka "IMAP
injection." (CVE-2006-0377)
Comments (none posted)
sudo: vulnerability via scripts
Package(s): sudo
CVE #(s): CAN-2005-4158, CVE-2006-0151
Created: December 16, 2005
Updated: September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
Comments (none posted)
tetex: integer overflows
Comments (none posted)
texinfo: temporary file vulnerability
Package(s): texinfo
CVE #(s): CAN-2005-3011
Created: October 5, 2005
Updated: November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file
vulnerability.
Comments (none posted)
tin: buffer overflow
Package(s): tin
CVE #(s): CVE-2006-0804
Created: February 19, 2006
Updated: November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader
version 1.8.0 and earlier which can lead to a buffer overflow.
Comments (none posted)
unzip: long file name buffer overflow
Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users
to execute arbitrary code via a long filename command line argument. NOTE:
since the overflow occurs in a non-setuid program, there are not many
scenarios under which it poses a vulnerability, unless unzip is passed long
arguments when it is invoked from other programs.
Comments (1 posted)
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges
content from HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c.
Comments (1 posted)
webcalendar: multiple vulnerabilities
Package(s): webcalendar
CVE #(s): CVE-2005-3949, CVE-2005-3961, CVE-2005-3982
Created: March 15, 2006
Updated: May 15, 2006
Description: The PHP-based webcalendar package suffers from three
vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input
sanitizing failure allowing local files to be overwritten (CVE-2005-3961),
and a response splitting vulnerability (CVE-2005-3982).
Comments (none posted)
xine-ui: insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video
player user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with the
privileges of the user invoking xine.
Comments (none posted)
xloadimage: buffer overflows
Package(s): xloadimage
CVE #(s): CAN-2005-3178
Created: October 10, 2005
Updated: May 15, 2006
Description: Three buffer overflows were discovered in xloadimage when
handling the image title name. A malicious user can construct a NIFF file
that, when viewed and processed (with either zoom, reduce or rotate) by
xloadimage, will cause the program to overwrite the return address and
execute arbitrary code.
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this
advisory for details.
Comments (1 posted)
xpdf: potential vulnerabilities
Package(s): xpdf gpdf
CVE #(s): CVE-2006-1244
Created: February 27, 2006
Updated: April 13, 2006
Description: Derek Noonburg has fixed several potential vulnerabilities in
xpdf, which are also present in gpdf, the Portable Document Format (PDF)
viewer with Gtk bindings.
Comments (none posted)
xpdf: denial of service
Package(s): xpdf kpdf
CVE #(s): CAN-2005-2097
Created: August 9, 2005
Updated: August 2, 2006
Description: A flaw was discovered in Xpdf that could allow an attacker to
construct a carefully crafted PDF file that would cause Xpdf to consume all
available disk space in /tmp when opened.
Comments (none posted)
xpdf: integer overflows
Package(s): xpdf, poppler, cupsys, tetex-bin
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 5, 2006
Updated: November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can
trick a user into opening a maliciously crafted PDF file, allowing the
attacker to execute code with the privileges of the local user. This also
affects the Poppler library, cupsys and tetex-bin.
Comments (none posted)
xscreensaver: possible password exposure
Package(s): xscreensaver
CVE #(s): CVE-2004-2655
Created: April 11, 2006
Updated: May 24, 2006
Description: In some cases, xscreensaver did not properly grab the keyboard
when reading the password for unlocking the screen, so that the password was
typed into the currently active application window. The only known
vulnerable case was when xscreensaver activated while an rdesktop session
was currently active.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 release is 2.6.16.9, announced on April 19; it
contains a fix for an information leak vulnerability on some AMD
processors. Of the prior releases, 2.6.16.6 contains a fairly long list of
fixes, while 2.6.16.7 and 2.6.16.8 are single-patch security fixes.
The current 2.6 prepatch is 2.6.17-rc2, announced by Linus on April 18.
There are a lot of fixes in this release, but it also contains a simplified
form of the scheduler starvation avoidance patch, some tweaks to the memory
overcommit algorithm, the removal of the obsolete blkmtd and qlogicfc
drivers, the removal of the unmaintained Sangoma WAN drivers, the splice()
and tee() system calls, and pollable sysfs attributes. See the long-format
changelog for the details.
For the record, it is worth noting that the prototypes for the
splice() methods in the file_operations structure have
changed again. This week's version:
    ssize_t (*splice_write)(struct pipe_inode_info *pipe, struct file *out,
                            loff_t *offset, size_t len, unsigned int flags);
    ssize_t (*splice_read)(struct file *in, loff_t *offset,
                           struct pipe_inode_info *pipe, size_t len,
                           unsigned int flags);
The offset parameter, describing where in the stream I/O should
start, is new.
A few dozen patches (all fixes) have been merged into the mainline after
the -rc2 release.
The current -mm tree is 2.6.17-rc1-mm3. Recent changes
to -mm include an ACPI dock driver, i2c virtual adapter support, a number
of memory management tweaks, a trusted platform module (TPM) driver update,
and a new version of the zlib library.
Comments (none posted)
Kernel development news
I don't think anyone is smart enough to configure Apache with
SELinux. I've installed Apache maybe 20 times in my life, which is
plenty, and I eventually realized it was SELinux and just turned
the damn thing off after an hour of trying to fix it.
-- Dave Aitel
Keep in mind as well that SELinux "complexity" is purely a
reflection of complexity in Linux; SELinux just exposes the
existing interactions and provides a way to control them. The
SELinux mechanism itself is fairly simple.
-- Stephen Smalley
Comments (19 posted)
The developers interested in containers and virtualization have discussed
interfaces to virtualize access to a number of system resources. None,
however, have talked about virtualizing access to the system time. Until
now, that is. With Jeff Dike's time virtualization patches, any process
tree can have its own idea of what time it is.
Jeff's patch adds a new "time namespace" structure to the task structure.
By default, all processes share the normal host system's idea of time. But
a new option (CLONE_TIME) to the unshare() system call
allows a process to disconnect from the system time. After such a call,
that process - and any children it creates - will be able to keep its own
time value. Setting a virtualized time value is, unlike changing the
normal system time, an unprivileged operation.
Internally, a virtualized time is stored as a simple offset; whenever a
process requests the current time, the offset is added to the current
system time and the sum is returned. This approach has the advantages of
being simple and fast; a process running with virtualized time also does
not give up time adjustments made, for example, by NTP. On the other hand,
this implementation does not support the ability to confuse processes by
messing deeply with their idea of time - running time at a different rate,
for example, or even backward. Chances are that this omission will not
upset more than a small percentage of potential users of virtualized time,
however.
Jeff's purpose is to speed up the gettimeofday() system call in
User-mode Linux instances. If the kernel allows process subtrees to have
their own time values, then User-mode Linux can simply use the host's
gettimeofday() call, rather than intercepting that call and
implementing it itself. Since gettimeofday() is one of the most
frequently-used system calls, this optimization can make a significant
difference.
One other change is required, however, for User-mode Linux to get the
benefit from this change. UML performs much of its process control using
ptrace(); in particular, it intercepts and interprets system calls
with the PTRACE_SYSCALL operation. What is really needed for a
fast gettimeofday() is the ability to not intercept that
particular call. So Jeff's patch also extends ptrace() by adding
a PTRACE_SYSCALL_MASK operation. This new operation can set a
bitmask indicating which system calls should be intercepted, and which
should be executed without stopping.
The result, with a suitably patched UML, is a gettimeofday() call
which runs at about 99% of the native process speed. That may well be good
enough to make this patch a piece of the growing set of interfaces
supporting virtualization and containers.
Comments (4 posted)
Dan Bonachea recently reported a problem. It seems that he has a program
where multiple threads are simultaneously writing to the same file
descriptor. Occasionally, some of that output disappears - overwritten by
other threads. Random loss of output data is not generally considered to be
a desirable sort of behavior, and, says Dan, POSIX requires that write()
calls be thread-safe. So he would like to see this behavior fixed.
Andrew Morton quickly pointed out the
source of this behavior. Consider how write() is currently
implemented:
    asmlinkage ssize_t sys_write(unsigned int fd, const char __user *buf,
                                 size_t count)
    {
        struct file *file;
        ssize_t ret = -EBADF;
        int fput_needed;

        file = fget_light(fd, &fput_needed);
        if (file) {
            loff_t pos = file_pos_read(file);     /* read the shared file position */
            ret = vfs_write(file, buf, count, &pos);
            file_pos_write(file, pos);            /* store the advanced position back */
            fput_light(file, fput_needed);
        }
        return ret;
    }
There is no locking around this function, so it is possible for two (or
more) threads performing simultaneous writes to obtain the same value for
pos. They will each then write their data to the same file
position, and the thread which writes last wins.
Putting some sort of lock (using the inode lock, perhaps) around the entire
function would solve the problem and make write() calls
thread-safe. The cost of this solution would be high, however: an extra
layer of locking when almost no application actually needs it. Serializing
write() operations in this way would also rule out simultaneous
writes to the same file - a capability which can be useful to some
applications.
So some developers have questioned whether this behavior should be fixed at
all. It is not something which causes problems for over 99.9% of applications,
and, for those which need to be able to perform this sort of simultaneous
write, there are other options available. These include user-space locking
or using the O_APPEND option. So, it is asked, why add
unnecessary overhead to the kernel?
Linus responds that it is a "quality of implementation" issue, and that if
there is a low-cost way of getting the system to behave the way users would
like, it might as well be done. His proposal is to apply a lock to the file
position in particular. His patch adds a f_pos_lock mutex to the
file structure and uses that lock to serialize uses of and changes
to the file position. This change will have the effect of serializing
calls to write(), while leaving other forms (asynchronous I/O,
pwrite()) unserialized.
The patch has not drawn a lot of comments, and it has not been merged as of
this writing. Its ultimate fate will probably depend on whether avoiding
races in this obscure case is truly seen to be worth the additional cost
imposed on all users.
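To make the race in the sys_write() sequence above concrete, and to show what the proposed f_pos_lock buys, here is an added user-space model in C; it is not code from the article or from the kernel. The sim_file structure, sim_write() and lost_records() are constructed for this example: they replay the file_pos_read / vfs_write / file_pos_write steps against a shared position, with and without a per-file mutex, while several threads append fixed-size records the way a multi-threaded logger would. The sched_yield() between reading and storing the position only widens a window that exists anyway.

```c
/* Added example, not code from the article or the kernel: a user-space
 * model of the sys_write() race above. sim_write() replays the three steps
 * file_pos_read() / vfs_write() / file_pos_write() on a shared position;
 * with `serialize` set it wraps them in the per-file f_pos_lock mutex that
 * Linus proposed. NTHREADS writers each append fixed-size records, like a
 * multi-threaded logger, and lost_records() reports how many were clobbered. */
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define SIM_FILE_SIZE   (64 * 1024)
#define RECORD_LEN      16
#define RECORDS_PER_THR 256
#define NTHREADS        4

/* Stand-in for struct file: the data, the shared f_pos, and the proposed lock. */
struct sim_file {
    unsigned char data[SIM_FILE_SIZE];   /* zero-filled: unused slots stay empty */
    size_t f_pos;
    pthread_mutex_t f_pos_lock;
    bool serialize;
};

static ssize_t sim_write(struct sim_file *f, const unsigned char *buf, size_t count)
{
    ssize_t ret = -1;
    if (f->serialize)
        pthread_mutex_lock(&f->f_pos_lock);
    size_t pos = f->f_pos;                   /* file_pos_read() */
    if (pos + count <= SIM_FILE_SIZE) {
        sched_yield();                       /* widen the window between read and write-back */
        memcpy(f->data + pos, buf, count);   /* vfs_write() at a possibly stale pos */
        f->f_pos = pos + count;              /* file_pos_write() */
        ret = (ssize_t)count;
    }
    if (f->serialize)
        pthread_mutex_unlock(&f->f_pos_lock);
    return ret;
}

struct writer_arg { struct sim_file *file; unsigned id; };

/* Each writer appends RECORDS_PER_THR records shaped "T03:000042.....\n". */
static void *writer(void *p)
{
    struct writer_arg *arg = p;
    char rec[RECORD_LEN + 1];
    for (unsigned i = 0; i < RECORDS_PER_THR; i++) {
        snprintf(rec, sizeof rec, "T%02u:%06u.....\n", arg->id % 100, i);
        sim_write(arg->file, (const unsigned char *)rec, RECORD_LEN);
    }
    return NULL;
}

/* Count slots holding a record; two records written to one slot count once. */
static unsigned surviving_records(const struct sim_file *f)
{
    unsigned n = 0;
    for (size_t s = 0; s + RECORD_LEN <= SIM_FILE_SIZE; s += RECORD_LEN)
        if (f->data[s] == 'T' && f->data[s + RECORD_LEN - 1] == '\n')
            n++;
    return n;
}

/* Run the writers concurrently; return how many of their records were lost. */
unsigned lost_records(bool serialize)
{
    static struct sim_file file;             /* static: too large for a thread stack */
    memset(&file, 0, sizeof file);
    pthread_mutex_init(&file.f_pos_lock, NULL);
    file.serialize = serialize;

    pthread_t tid[NTHREADS];
    struct writer_arg args[NTHREADS];
    for (unsigned t = 0; t < NTHREADS; t++) {
        args[t].file = &file;
        args[t].id = t;
        pthread_create(&tid[t], NULL, writer, &args[t]);
    }
    for (unsigned t = 0; t < NTHREADS; t++)
        pthread_join(tid[t], NULL);
    pthread_mutex_destroy(&file.f_pos_lock);
    return NTHREADS * RECORDS_PER_THR - surviving_records(&file);
}

int main(void)
{
    printf("unserialized: %u of %u records lost\n",
           lost_records(false), NTHREADS * RECORDS_PER_THR);
    printf("with f_pos_lock: %u records lost\n", lost_records(true));
    return 0;
}
```

Run without serialization, some records are usually overwritten, and the number varies from run to run, which is what makes this class of bug hard to reproduce in an audit log; with the lock, every record survives. The O_APPEND alternative mentioned above sidesteps the race differently: the position is taken from the end of the file inside the write itself rather than from the shared f_pos, so two writers can never start from the same stale value.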
Comments (none posted)
Back in 2001, the very first Linux kernel summit included a discussion on
security policies. At that meeting, it was decided that there was no
interest in patching in the several competing implementations which were
available at that time. Instead, developers interested in security were
asked to create a generic interface which could be used by any security
policy. The result was the Linux Security Modules (LSM) API - a long list
of hooks which can be used to intercept almost any operation of interest
within the kernel.
Last year, some developers were heard to mumble that perhaps LSM should be
removed from the kernel. Since LSM was merged, there has been only one
serious security mechanism using it to emerge: SELinux. Since there is
only one LSM user, and since SELinux can be thought of as a fairly generic
security framework in its own right, it is not clear that there is a need
for the LSM interface. The discussion died down last year, however, and
there has been little talk of yanking out LSM.
Until now. In response to a current discussion on LSM hooks, James Morris
has posted a patch adding LSM
to the "feature removal" schedule. The end of LSM is not a distant event
either: the proposed date is this coming June - the 2.6.18 kernel, in other
words. If this patch goes through, LSM will be gone in the very near
future.
The early indications suggested that it could go through: several kernel
developers have argued in favor of the removal of LSM, while none
asked for it to be retained. The only disagreement - mild - was over the
removal date, with some arguing that 2.6.18 is too soon. Those in favor of
an early removal, however, claim that last year's discussion should count
as the usual one-year warning for this sort of change, and that there is no
need to wait any longer.
One might well wonder what the hurry is to remove this API from the
kernel. There is, in fact, more than just the "only one user" argument in
circulation. James's patch includes this text:
[LSM] also attracts a regular stream of misconceived and broken
security module submissions to mainline, such as BSD Security
Levels, and developers are seeing LSM as the answer to everything
rather than really thinking about what they need and how to
architect the code properly and generally.
So LSM becomes a general temptation to solve problems in the wrong way.
Beyond the security levels module (which, among other things, is seen as
having open vulnerabilities and no maintainer interest), the developers may
be thinking of past episodes like the debate over the realtime security
module or the Integrity
Measurement Architecture, neither of which is best implemented as a
security module.
The real issue, however, may be this one:
There is also a growing number of proprietary modules hooking into
LSM in unsafe ways, not necessarily even for security purposes. The
LSM interface semantics are too weak and such an API does not
belong in the mainline kernel.
The 2.6 kernel - intentionally - does not give loadable modules access to
the system call table. But the LSM interface is almost as good - it gives
a loadable module the opportunity to intercept almost any operation that
the kernel may attempt to perform. The LSM hooks are supposed to limit
themselves to internal record keeping and returning an allow/deny status to
the kernel - but there is no way to enforce that sort of restriction. The
GPL-only status of the LSM API does not help much either.
The people involved are wary of publicly pointing fingers at companies
suspected of misusing the LSM interface. One example which can be found,
however, is the kernel generalized event
management module which was posted to the kernel-mentors list last
year. When KGEM was loaded, it would shove aside any currently-loaded
security policy and install itself in its place. It would then feed
security-related events through to a (proprietary) user-space application,
which would make decisions aimed at protecting Linux users from the
pressing threat of virus attacks. There were a lot of issues over how this
module was implemented, but using LSM to override existing security
policies and provide hooks for proprietary code was considered especially
distasteful.
These reasons and strong developer pressure notwithstanding, it is not clear that
LSM will actually go away anytime soon. There is not yet a consensus that
SELinux should be seen as the One True Security Policy; many potential
users find its complexity hard to deal with and often simply turn it off.
The power of SELinux is unquestioned, but its usability is another story.
There are other users of the LSM API out there, they just have not been
submitted for inclusion into the mainline. These include:
- Novell's AppArmor, which is the security policy shipped with current
SUSE releases. AppArmor is free software, but has never been
submitted for review. The discussion of removing the LSM interface
appears to have lit a fire under some rear ends at Novell, and
the first AppArmor submission is said to be imminent. (In fact, it
was posted just after this article was published.)
Some of the early discussion, however, suggests that AppArmor could have
a hard path into the mainline. In particular, its use of file pathnames
as the core of its security policy has been strongly questioned. In a
system capable of hard and soft links, multiple namespaces, shared
subtrees, and more, the meaning of any specific pathname is far from
clear. That is why SELinux uses extended attributes to apply
labels directly to files, rather than relying on their pathnames.
- The Linux Intrusion Detection System (LIDS) is an LSM user. The LIDS
developers have asked that LSM not be removed, but have not made any
statements regarding if and when they might submit their module for
merging.
- The Dazuko module is used by tools like ClamAV. Dazuko seems somewhat
like KGEM, in that it exports an interface for user-space programs to
make decisions. It is not clear that such an interface can ever make it
through the review process.
- Multiadm is a module which allows privileges to be handed out to
non-root users.
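To make the pathname objection concrete, here is an added toy model (not code from the article, AppArmor or SELinux) in Python: one rule is keyed on a pathname, the other on the inode identity that a label stored in an extended attribute follows. The file names, the `user.toy_label` attribute and the sample content are constructed for the example; a hard link gives the same file a second name the path-keyed rule has never heard of.

```python
"""Toy comparison of a pathname-keyed rule with an inode-keyed (label-style) rule.

Constructed example: it is not AppArmor or SELinux code, only a model of the
argument that a pathname is not a stable identity for a file object.
"""
import errno
import os
import tempfile

SKIP_ERRNOS = (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENODATA, errno.EPERM, errno.EACCES)


def denied_by_path(path, denied_paths):
    """Pathname-keyed rule: it knows only the name strings it was written for.

    realpath() resolves symlinks, so a symlink alias is still caught; a hard
    link is a second, independent name for the inode and is not.
    """
    wanted = {os.path.realpath(p) for p in denied_paths}
    return os.path.realpath(path) in wanted


def denied_by_inode(path, denied_inodes):
    """Inode-keyed rule: identity follows the file object, whatever it is called."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino) in denied_inodes


def label_via_xattr(path, name="user.toy_label"):
    """Read a label stored in an extended attribute on the inode.

    SELinux keeps its label in security.selinux; this toy uses a user.*
    attribute so it needs no LSM.  Returns None when the platform or
    filesystem does not support user xattrs.
    """
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, name).decode()
    except OSError as e:
        if e.errno in SKIP_ERRNOS:
            return None
        raise


def demo():
    """Build a file, a hard link and a symlink to it, then query both rule kinds."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")          # constructed sample file
        with open(secret, "w") as f:
            f.write("constructed sample content\n")
        hard = os.path.join(d, "hard-alias")
        os.link(secret, hard)          # second name for the same inode
        sym = os.path.join(d, "sym-alias")
        os.symlink(secret, sym)        # a pointer to the original name

        st = os.stat(secret)
        denied_paths = [secret]
        denied_inodes = {(st.st_dev, st.st_ino)}

        # Attach a label to the inode itself; silently skipped if unsupported.
        if hasattr(os, "setxattr"):
            try:
                os.setxattr(secret, "user.toy_label", b"secret_t")
            except OSError as e:
                if e.errno not in SKIP_ERRNOS:
                    raise

        return {
            "path_rule": {
                "secret": denied_by_path(secret, denied_paths),
                "symlink": denied_by_path(sym, denied_paths),
                "hardlink": denied_by_path(hard, denied_paths),
            },
            "inode_rule": {
                "secret": denied_by_inode(secret, denied_inodes),
                "symlink": denied_by_inode(sym, denied_inodes),
                "hardlink": denied_by_inode(hard, denied_inodes),
            },
            # "secret_t" when user xattrs work: the label is visible through the
            # alias because it lives on the inode, not on the name.
            "label_seen_via_hardlink": label_via_xattr(hard),
        }


if __name__ == "__main__":
    for rule, seen in demo().items():
        print(rule, seen)
```

Bind mounts and separate mount namespaces, which the article also mentions, add further names for the same inode that a path-keyed rule cannot enumerate; they need privilege to set up and are left out of the toy.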
Given that security is something other than a completely solved problem, it
would be surprising if there were any single approach which was suitable
for all users. So something may well emerge and qualify as the second user
which keeps the LSM API in place.
Or, at least, which keeps some sort of API in place. If LSM stays around,
the kernel developers will probably make changes which make the API harder
to abuse. These might include finding ways to restrict what LSM hooks can
do and providing compile-time options to wire in a single security policy
at kernel build time. So, while there is a reasonable chance that future
kernels will include an LSM interface, it might be a rather different
interface than the one there today. Any security module developers who
want to have a say in how the interface evolves would be well advised to
join the discussion soon.
Comments (15 posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
Now that the Dapper beta freeze has begun, it is time to start thinking
about what comes next. According to Mark Shuttleworth, Ubuntu will get Edgy.
The Dapper Drake, due out June 1st, will be supported for five years. It
will still be nice and fresh, if a bit staid and stable for those who need
stability. It is the perfect time to launch the Edgy Eft, the cutting edge,
youthful newt of a distribution. Edgy is ready to take risks and explore
new territory, even if that means getting a little bloody. Look for Xen,
Xgl/AIGLX, SELinux and other new technologies to show up in Edgy.
Now is the time to get your "out there" ideas in. The Launchpad spec
tracker is where this flood of new technology will be managed. The
list is already full of ideas like Beagle integration, better Bluetooth
support, Debian patch feeding, cluster installation management, embedded
Ubuntu, thin clients and much more. What would you like to see in Edgy?
Comments (15 posted)
New Releases
The OpenSUSE project has announced the first SUSE Linux 10.1 release
candidate. There does not seem to be a set of release notes available, but
a most annoying bugs page exists. Click below for the announcement and
download pointers. Here is an update on known issues.
Full Story (comments: 2)
The Aurora SPARC Linux Project has announced (click below) the release of
Aurora SPARC Linux Build 2.0. The Aurora SPARC Project is an effort to
support SPARC (32 and 64 bit) hardware on Linux. This release is a full
tree of sparc packages that match up pretty closely to Fedora Core 3.
Full Story (comments: none)
The second update to Debian "sarge" is out. It contains a long list of
security updates and a shorter list of important bug fixes.
Full Story (comments: 5)
Strategiy reports that ValueSYS and Loghat Al-Asr Magazine have made
available an OpenSUSE live CD localized in Egyptian.
Comments (none posted)
Distribution News
The draft schedule for the Fedora Core 6 release has been posted. The
consensus of the Fedora developers seems to be that the nine-month schedule
used with FC5 did not help make a better release, so FC6 will be a
six-month release. The current plan calls for the first development freeze
in early June and the final release on September 20.
Full Story (comments: none)
Here's a quick update on the Fedora Project Board. Click below for the
wiki links to see who is on the board, when they will be meeting, and a
summary of the first board meeting at FUDCon.
Full Story (comments: none)
Steve Langasek covers the X11R7, AKA Xorg 7.0, transition in unstable.
"While the XSF are busily working through the bugs that are properly their
own, I'll take a moment to let the rest of you know what the implications
are for other packages, now that things have settled somewhat and we have a
clear idea of where things stand and where they're going."
Anthony Towns covers the status of the
AMD64 port in etch. "The amd64 architecture has been added to etch,
and over the next few weeks (particularly as the X.org changes get worked
out) should become fairly complete. amd64 in etch should be debootstrapable
at this point, and usable in some situations, but is obviously pretty
limited while it doesn't have X. Hopefully this will improve pretty
rapidly."
It's Bug-Squashing Party time. "For
long-lasting delight, we will be squashing bugs from Thursday (April 20th)
to Sunday (April 23rd), in all timezones. Coordination will, as usual,
happen through the #debian-bugs channel on irc.debian.org. For real
interaction, if you are attending FISL, look for us at the Debian booth; it
should not be hard to find. Make sure you stop by for an hour at least, and
feel free to spend your whole weekend working with us, as there are lots of
things you can have fun with. If you are not a Debian Developer, do not be
afraid; there is much you can do to help, such as triaging bugs and writing
or testing patches that fix problems so a developer can prepare a
maintainer or non-maintainer upload."
Comments (none posted)
Distribution Newsletters
The April 18 issue of the Debian Weekly News is out; it looks at the
project leader election, the newly-formed python modules team, the X11R7
transition, and several other topics.
Full Story (comments: none)
This edition of the Fedora Weekly News covers Fedora Project Board Update,
Fedora Reloaded 5 Podcast, FUDConBoston 2006 Videos, Users at LinuxWorld
talk up security, LinuxWorld Boston 2006 Wrap-Up, Red Hat keeps its grip on
Fedora, FUDCon and folding the Fedora Foundation, plus FC5 reviews and more.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of April 17, 2006 covers LWE
Boston, Python 2.4.3 in Portage, old-style PHP packages going away, Forums
internationalization effort, and several other topics.
Comments (none posted)
The DistroWatch Weekly for April 17, 2006 is out. "As usual, we'll start with
re-visiting some of the interesting news events of the past week, including
the release of SUSE Linux 10.1 RC1, the election of Anthony Towns as the
new Debian Project Leader, and the announcement about a new 64-bit edition
of Arch Linux. This is followed by links to a handful of interesting
articles: an interview with Bruce Perens about reviving UserLinux, a new
review of the latest alpha release of Ubuntu, and a useful tutorial about
keeping a FreeBSD server farm up-to-date. Finally, a special report from
Japan analyses the current state of Linux adoption in the country."
Comments (none posted)
Package updates
Updates for Fedora Core 5:
netpbm
(bug fixes),
bind (bug fixes),
at-spi (documentation improvements, new locales),
librsvg2 (bug fixes),
atk (enhanced documentation),
dasher (update to 4.0.2),
sound-juicer (bug fixes),
glib2 (update to 2.10.2),
gtk2 (update to 2.8.17),
pango (update to 1.12.1),
beagle (update to 0.2.4),
metacity (bug fixes),
gnome-terminal (update to 2.14.1),
gtk-doc (update to 1.6),
yelp (bug fixes),
nautilus-cd-burner (update to 2.14.2),
gnome-desktop (update to 2.14.1),
gnome-session (update to 2.14.1),
libgtop2 (updated translations),
gnome-system-monitor (update to 2.14.1),
libwnck (bug fixes),
gnopernicus (update to 1.0.4),
gnome-screensaver (update to 2.14.1),
gnome-games (update to 2.14.1),
gnome-applets (update to 2.14.1),
gnome-panel (update to 2.14.1),
gtkhtml3 (update to 3.10.1),
gnome-user-docs (update to 2.14.2),
gedit (bug fixes),
gnome-desktop (update to 2.14.1.1),
evolution (update to 2.6.1),
eog (update to 2.14.1),
epiphany (update to 2.14.1),
libgnome (update to 2.14.1),
libgnomeui (update to 2.14.1),
file-roller (update to 2.14.1),
eel2 (update to 2.14.1),
gnome-power-manager (bug fixes),
xorg-x11-server (bug fixes),
gtksourceview (update to 1.6.1),
gnome-utils (update to zenity 2.14.1),
nautilus (update to 2.14.1),
evolution-data-server (update to 1.6.1),
evolution-connector (update to 2.6.1),
libsoup (update to 2.2.92),
control-center (bug fixes),
kde-i18n (fix file conflict),
gnome-pilot-conduits (rebuilt against pilot-link-0.11.8),
arts (update to KDE 3.5.2),
kdelibs (update to KDE 3.5.2),
kdebase (update to KDE 3.5.2),
kdeaccessibility (update to KDE 3.5.2),
kdeaddons (update to KDE 3.5.2),
kdeadmin (update to KDE 3.5.2),
kdeartwork (update to KDE 3.5.2),
kdebindings (update to KDE 3.5.2),
kdeedu (update to KDE 3.5.2),
kdegames (update to KDE 3.5.2),
kdegraphics (update to KDE 3.5.2),
kde-i18n (update to KDE 3.5.2),
kdemultimedia (update to KDE 3.5.2),
kdenetwork (update to KDE 3.5.2),
kdepim (update to KDE 3.5.2),
kdesdk (update to KDE 3.5.2),
kdeutils (update to KDE 3.5.2),
kdevelop (update to KDE 3.5.2),
kdewebdev (update to KDE 3.5.2),
gnome-pilot (rebuilt against pilot-link-0.11.8),
jpilot (rebuilt against pilot-link-0.11.8),
libvirt (upstream release update),
pilot-link (rebuilt),
util-linux (bug fixes),
psmisc (rebuilt),
gnupg (patched),
perl-DBD-Pg (upgrade to upstream version 1.48),
perl-XML-Dumper (upgrade to 0.81),
jwhois (update),
m2crypto (fix SSL.Connection.accept),
firefox (fix broken language packs).
Updates for Fedora Core 4: netpbm
(bug fixes), bind (bug fix), evolution (rebuilt against the latest
pilot-link), arts (update to KDE 3.5.2), kdeaccessibility (update to KDE 3.5.2), kdeaddons (update to KDE 3.5.2), kdeadmin (update to KDE 3.5.2), kdeartwork (update to KDE 3.5.2), kdebase (update to KDE 3.5.2), kdebindings (update to KDE 3.5.2), kdeedu (update to KDE 3.5.2), kdegames (update to KDE 3.5.2), kdegraphics (update to KDE 3.5.2), kde-i18n (update to KDE 3.5.2), kdelibs (update to KDE 3.5.2), kdemultimedia (update to KDE 3.5.2), kdenetwork (update to KDE 3.5.2), kdepim (update to KDE 3.5.2), kdesdk (update to KDE 3.5.2), kdeutils (update to KDE 3.5.2), kdevelop (update to KDE 3.5.2), kdewebdev (update to KDE 3.5.2), jpilot (rebuilt against pilot-link-0.11.8), gnome-pilot (rebuilt against
pilot-link-0.11.8), gnome-pilot-conduits
(rebuilt against pilot-link-0.11.8), pilot-link (rebuilt).
Comments (none posted)
Newsletters and articles of interest
Linux Format talks with Bruce Perens about UserLinux. "The problem for me with
UserLinux was that when I started it I was an independent entrepreneur; I
had a one-person consulting company. So I had to go and make enough sales
so that I made a living every month, I had to be an open source leader, and
I had to run a number of projects. There simply wasn't room for all of
that, and at some point... no one was paying me to work on UserLinux, and
supporting my family came first."
Comments (none posted)
O'ReillyNet covers setting up a build system for FreeBSD. "To set up a FreeBSD build
system, you need three components. A build server is the first
requirement. It should be either a fairly beefy uniprocessor or a lesser
SMP-based machine. The second component is a staging server, which is
basically a test machine where you can test the build without potentially
destroying a production box. This doesn't have to be a machine with much
fanfare, but it should be as close as possible to the rest of your machines
to ensure an accurate test platform. The third component, called the build
set, consists of all the clients to which you want to install the
updates. These are your production machines."
Comments (none posted)
HowtoForge details the process of setting up a Fedora Core 5 server on a
64-bit system. "This is a detailed description how to set up a Fedora Core 5 based
server that offers all services needed by ISPs and hosters (web server
(SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP
server, MySQL server, POP3/IMAP, Quota, Firewall, etc.). This tutorial is
written for the 64-bit version of Fedora Core 5, but should apply to the
32-bit version with very little modifications as well."
Comments (none posted)
The folks at Lobby4Linux.com take a look at Elive and interview the
developer. "Lobby4Linux.com has been active in an
attempt to not only simplify Linux, but to incorporate an easier menu and
help system. We have described what this "Linux on Training Wheels" or
"Linux-Lite" would look like. In our search for such a distro, we stumbled
across Elive. Elive is a Debian-based distro that incorporates both the
E-16 and E-17 Enlightenment environments."
Comments (none posted)
Distribution reviews
Mad Penguin reviews Ubuntu's Dapper Drake Flight 5 (alpha). "Performance with this
release was very good. It's been a while since I reviewed Ubuntu 5.10, but
it feels faster to me. Call me crazy. It definitely outperformed Fedora
Core 5 on the same machine. Hands down. This is good news for Ubuntu I
suppose, since Fedora 5 is the "big thing" right now in distroland. When
Ubuntu Dapper comes to fruition, it is going to be something to contend
with on the desktop."
Comments (1 posted)
eWeek reviews Fedora Core 5. "Fedora 5 ships with an updated version of the
open-source Xen hypervisor project, which first appeared in Fedora in
Version 4. We noticed right away that the Fedora team has smoothed out some
of the under-the-hood wrinkles that had marred Fedora's previous Xen
implementation. For instance, Xen requires particular modifications to a
system's C library to avoid a specific performance hit; with earlier Fedora
versions, this called for some hackery to get Xen working properly."
Comments (none posted)
Here's a quick look at Frugalware. "Frugalware is in a good niche between
Slackware and ArchLinux. Frugalware's philosophy is similar to that of
ArchLinux -- make the system simple and logical so you don't have to rely
on a GUI to use it. The thing I like most about Frugalware is that, unlike
ArchLinux, it provides a full stable branch in addition to the current one,
which is updated every six months."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Stable version 2.0.0 of CMF, the Zope Content Management Framework,
was announced this week. Zope is an open source web application server;
see the What Is Zope document for details.
Recently, the Zope project has been going through a major rewrite,
transitioning from Zope2 to Zope3 with the help of Five, a Zope 2 to 3
transition product. CMF is one of the major components of Zope.
The CMF (Content Management Framework) adds numerous tools and services to Zope to allow community or organization based content management, complete with a workflow system and a powerful customization framework. The CMF Workflow system uses Zope's built in security architecture. One thing this allows is for the "edit permission" to be taken away from an author who has submitted a document for review and publishing. This ensures that what the reviewer sees cannot change during or after review without the author intentionally taking back the document.
CMF 2.0.0 brings a lot of changes, including:
- The replacement of CMFSetup with GenericSetup-integration.
- A switch to Zope 3 interfaces with backward compatibility to Zope 2.
- Further integration with Zope 3/Five technologies.
- The folding-in of the previous CMFonFive add-on product.
- Experimental Five-style browser views for CMFDefault and CMFCalendar.
- Changes to the first day of the week preference settings in the CalendarTool.
- New pluggable TypeInformation objects.
- Some new-style Actions.
- Bug fixes and other improvements.
A longer list of new features added in the version 2.0.0 alpha and beta
releases is shown in the CMF 2.0.0
CHANGES document.
The next release, CMF 2.1, is described in the CMF Roadmap; it should be
out this summer.
CMF 2.1 will add missing pieces to the Zope 3 integration
effort, feature new local skin customization capabilities,
convert all of the views to the Zope 3 style, complete the transition to
Zope 3 container events and more. In short, this is a major
move toward the Zope 3 technology. For further reading, see the
CMF documentation
resources.
CMF 2.0.0 is available for download here.
Comments (none posted)
System Applications
Database Software
The April 16, 2006 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL database articles and resources.
Full Story (comments: none)
Interoperability
The Samba news mentions changes to mod_ntlm_winbind.
"Ronan Waide has done some work updating mod_ntlm_winbind for Apache2. mod_ntlm_winbind is an Apache module that provides NTLM and Basic authentication via winbind. Support for both plaintext and NTLM auth in the same module has also been added."
Comments (none posted)
Mail Software
Version 2.1.8 of Mailman, a mailing list management application,
has been announced.
"In this release, we have fixed a cross-site
scripting security bug in the previous release (CVE-2006-1712),
integrated a new version of the email library (email-2.5.7), and added
bounce processing support for a number of sites and MUAs. It is highly
recommended that all sites using 2.1.7 and before should update to this
release."
Comments (none posted)
Security
Version 0.18 of Sussen, a tool that checks for vulnerabilities and configuration issues on computer systems, is out with new capabilities,
cleaned up code and improved documentation.
Full Story (comments: none)
Desktop Applications
Audio Applications
The second release of the Ambisonics plugins, a set of audio plugins
for the Ardour sound editor, has been announced.
Changes include an 8-speaker cube decoder and some code cleanups.
Full Story (comments: none)
Version 0.9.6.2 of Snd-ls, a distribution of the SND sound editor,
is available.
"The biggest thing about this release of Snd-ls is probably that the
rt-player is enabled by default. The rt-player is an alternative player
engine for SND that plays soundfiles using the rt-extension and reads data
from disk through a buffer. The result is less clicks, and more channels
can be played safely at once."
Full Story (comments: none)
Desktop Environments
Gnomedesktop.org
has announced the release of GNOME 2.14.1.
"This is the first release in a series of point releases for the 2.14 branch. Come and see all the bug fixing, all the new translations and all the updated documentations brought to you by the wonderful team of GNOME contributors! While development has started on the Gnome 2.15/2.16 road, we didn't forget about making a new release that is rock solid. And simply better than the previous one."
Comments (none posted)
Version 2.14.1 of GARNOME, the bleeding edge GNOME distribution, is out.
"This release
incorporates the GNOME 2.14.1 Desktop and Developer Platform, fine-tuned
and updated with love by the GARNOME Team.
It includes updates and fixes after the official GNOME freeze, together
with a host of third-party GNOME packages, Bindings and the Mono(tm)
Platform -- this is the second release of the current stable GNOME
branch, ironing out yet-more bugs, hopefully adding yet-more stability
and ships with the latest and greatest stable releases."
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
KDE.News has
announced
the April 16, 2006 edition of the
KDE Commit-Digest.
"In this week's KDE Commit-Digest: Furious activity in Digikam, KmPlot and
amaroK, compile and linking fixes for applications in trunk with CMake and
multi-platform porting fixes. Furthermore, KSmileTris was removed from the
kdegames module in trunk."
Comments (none posted)
Version 4.4 beta 1 of Xfce, a lightweight desktop environment, is out.
"Xfce 4.4 features new tools such as the much anticipated "Thunar" file manager as well as several huge improvements of its core components. Please help us make Xfce 4.4 the best Xfce release ever: download it, try it, help us fix it!"
Comments (none posted)
Electronics
Version 0.4.2 of Covered, a Verilog code coverage utility,
has been announced
with the following changes:
"Bug fix release and added support for multi-line definitions."
Comments (none posted)
Development snapshot 20060414 of
PCB
is available.
"PCB is an interactive printed circuit board editor for the X11 window system. PCB includes a rats nest feature, design rule checking, and can provide industry standard RS-274-X (Gerber), NC drill, and centroid data (X-Y data) output for use in the board fabrication and assembly process. PCB offers high end features such as an autorouter and trace optimizer which can tremendously reduce layout time."
Comments (none posted)
Financial Applications
GnomeDesktop.org
covers
the latest release of GnuCash, a financial management application.
"The GnuCash development team proudly announces GnuCash 1.9.5 aka "The
final countdown begins", the sixth of several unstable 1.9.x releases of the
GnuCash Open Source Accounting Software which will eventually lead to the
stable version 2.0.0. This release contains many bugfixes since the fifth
release but is still only intended for developers and adventurous testers who
want to help track down bugs."
Comments (none posted)
Version 2.6.9 of SQL-Ledger, a web-based accounting system,
has been announced.
Changes include new code for multiple latex runs, pagebreak code improvements
and bug fixes.
Comments (none posted)
Games
The WorldForge virtual world project has
an announcement
for a new Keep module.
"I guess you guys already found the keep model. I was going to post on Monday but today will work. This model builds on everything that I have done. Same textures, dimension, same doors etc."
Comments (none posted)
Asteroids meets XBill with the release of
TuxFighter 0.49 on the PyGame site.
"Your goal is to waste valuable lifetime (or even paid worktime) while steering and spinning a penguin-shaped alter ego through a universe full of nasty enemies. The enemies try to collide into you but YOU CAN FIGHT BACK! Shoot rockets at your enemies but be careful, you always have just twice the number of rockets as the number of enemies on the screen. So aim carefully, because some rockets may bounce back from the edge of the screen. Gain extra points or even applause by killing enemies with a rocket reflecting from walls."
Comments (none posted)
Imaging Applications
Version 2.2.11 of the GIMP
has been announced.
"This is a bug-fix release in the stable 2.2 series."
Comments (none posted)
Interoperability
Version 0.9.12 of Wine
has been announced.
Changes include:
"New Winelib Internet Explorer application (all 5 lines of it),
Several improvements to the font support,
More work on the IDL compiler,
Faster drawing of the cards in Solitaire (very important feature),
A number of fixes for issues found by the Coverity code checker and
Lots of bug fixes."
Comments (none posted)
Medical Applications
LinuxMedNews
covers
the release of Hui OpenVista Version 4.0.
"The most notable enhancement to Hui OpenVista 4.0 is a
more streamlined installation process. Version 4.0 provides a preconfigured
baseline system that simplifies the steps needed to convert the Freedom of
Information Act (FOIA) version of VistA to Hui OpenVista. This enables users
to quickly download the baseline as a starting point for configuring the
system to their specific requirements..."
Comments (none posted)
LinuxMedNews
looks at the MirrorMed project.
"The MirrorMed project shows how Free and Open Source Software (FOSS) in medicine can create a successful electronic medical record/electronic health record (EMR/EHR) by using code from several projects: OpenEMR, FreeMed, Uversa's ClearHealth and the FreeB medical billing project. Together, these projects have threaded the needle and become the few that survive the real world in Health IT."
Comments (none posted)
Music Applications
Release 0.1 pre 1 (the first public version) of Slag, a pattern-based
audio sequencer that can be used as a simple drum box, is available.
"Slag is a pattern-based audio sequencer that can currently be
used as a simple drum box. It features real-time editing, optional
JACK support with individual ports for tracks, volume settings for
pads and tracks, a virtually unlimited number of tracks and patterns,
the ability to link song parts together, and real-time audio file
output. It's licensed under the GNU GPL."
Full Story (comments: none)
News Readers
GnomeDesktop.org
covers
the latest release of Pan.
"The Pan newsreader project is active again making new releases.
The 0.9x releases are a series of unstable betas of a C++ rewrite of Pan
that adds multiserver and nzb support, reduces memory use by over two
thirds, can cut the time to download new headers by over two thirds,
and slashes the time it takes to load headers from disk by almost
90%."
Comments (none posted)
Office Applications
GnomeDesktop.org
has announced the April, 2006 edition of the
Beagle Newsletter.
"With the release of GNOME 2.14, three new additions to the desktop environment have come with the ability to search your Beagle index. First, Nautilus now allows users to create new searches within the file browser and save searches based on that query. If enabled, Nautilus will use Beagle for this searching. Second, a new panel applet has been included for quick searching. The panel applet, Deskbar, allows you to query Google, Yahoo! and a number of other websites in real time. If the Beagle plug-in is enabled, your files can be quickly searched using this handy tool. Finally, Yelp, the GNOME help tool, can utilize Beagle for quick searching of the system's help documentation."
Comments (none posted)
Office Suites
Build 2.0.2.7 of the OpenOffice.org office suite has been announced;
it features a bug fix and a build improvement.
Full Story (comments: none)
Web Browsers
MozillaZine reports that Firefox 1.5.0.2 and Firefox 1.0.8 have been
released. These updates contain several security fixes.
Comments (none posted)
Word Processors
Version 2.4.4 of the AbiWord word processor
has been announced.
"The changes from v2.4.2 to v2.4.4 include, amongst others:
Substantially updated the OpenDocument import and export filters,
Lots of tweaks to the Windows interface,
Various fixes to our Right-to-Left text handling routines".
Comments (none posted)
Miscellaneous
Version 1.0 of Xj3D has been announced.
"Xj3D is an open source X3D browser, developer library and test
environment for the X3D virtual reality and augmented reality
standard. A principal goal of Xj3D is conformance to the X3D spec
while still maintaining high performance using OpenGL hardware
acceleration. The milestone 1.0 release is available for Windows,
Linux, Mac OS X, and Solaris. It implements CADGeometry, DIS,
GeoSpatial, H-Anim, as well as extensions for Rigid Body Physics,
Particle Systems, Clipping planes, Picking Utilities, Abstract Device
IO."
Full Story (comments: none)
Languages and Tools
Caml
The April 11-18, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Java
KDE.News has an announcement for the KDE Look and Feel for Java effort.
"Sekou Diakite has released an alpha version of a KDE Look and Feel for Java. This is an interesting step forward in Linux/Unix desktop integration since Java applications can now use the KDE/Qt libraries for drawing Java widgets and even directly use existing KDE widgets such as the file or color choosers. See the webpage for further details of this accomplishment including future plans and, of course, screenshots."
Comments (none posted)
Python
Version 0.9.3 of Urwid, a console UI library for Python, is out.
"This release adds support for gpm and mouse dragging to the raw_display
module, improves mouse release reporting and fixes a few text layout
bugs. If you are interested in Urwid's mouse support please try the
input test example program and let me know if it works properly in your
environment."
Full Story (comments: none)
The April 17, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Ruby
Linux Journal covers the latest Ruby developments with a new edition of
The Gemcutter's Workshop.
"Recapping another busy couple of weeks in Ruby land as well as the first international Ruby conference.
The past two weeks have been another busy bi-week in terms of Ruby releases and community activity. I'd like to start out with a couple of big release announcements and a mailing list posting and then move on to two big events."
Comments (none posted)
Tcl/Tk
The April 18, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Joshua Tauberer uses RDF to work with census data in part two of an
O'Reilly article series.
"The U.S. government is a treasure trove of structured information. In my last article I talked about legislative information, but there's much more--gigabytes upon gigabytes more. The 2000 Census compiled tons of population statistics. Let's get some of it into the Semantic Web.
So I'll grab one small 14MB slice of data out of the census records and turn it into RDF."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Doc Searls predicts the end of radio. "Today, if I want to put a show on the radio, I
don't bother with radio at all. I record an .mp3 file, put it on a Web site
and "enclose" a pointer in an RSS feed. Anybody who picks up the feed or
downloads the file can get the recording, anywhere on the Net. Which is
"right here" for anywhere with a connection, anywhere in the world. Which
is why radio as we know it is doomed."
Comments (11 posted)
NetworkWorld covers a McAfee report claiming a correlation between open
source software and the spread of root kits. ""The predominant reason for the growth in use
of stealthy code is because of sites like Rootkit.com," says Stuart
McClure, senior vice president of global threats at McAfee. Rootkit.com's
41,533 members do post rootkit source code anonymously, then discuss and
share the open source code. But it's naïve to say the Web site exists for
malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and
operator of Rootkit."
Comments (15 posted)
The SCO Problem
Yes, the SCO case is still going on. Groklaw has had some fun with the
transcript of a hearing regarding SCO's abortive subpoenas to Intel and
others. Quoting Judge Wells: "Noting that at the outset of this case or prior to its filing, it was expressed to the media and others that SCO possessed evidence regarding the misappropriation of source code. At this point, don't you have enough evidence to go forward in that regard or, to be candid about it, does it constitute fishing at this point?"
Comments (none posted)
Companies
Joe 'Zonker' Brockmeier looks for a Linspire PC at Micro Center. "Last November, Linspire
issued a press release announcing that Micro Center would be devoting floor
space and staff to desktop Linux. I decided to take a trip to my local
Micro Center this week to see how that initiative was going. Unfortunately,
the answer is not so well. According to the release, Micro Center
customers should be able to "try and buy several desktop and laptop
computers pre-installed with Linspire Linux." Further, "new sections will
put desktop Linux software and products in high-traffic areas of the store,
giving Linux products a significant amount of retail space and boosting
visibility of Linux within each store.""
Comments (none posted)
ZDNet revisits the proprietary driver debate. "For Nvidia, intellectual
property is a secondary issue. 'It's so hard to write a graphics driver
that open-sourcing it would not help,' said Andrew Fear, Nvidia's software
product manager. In addition, customers aren't asking for open-source
drivers, he said."
Comments (30 posted)
The Register
takes a
look at Sun's press release for its open source DRM, which lists
Lawrence Lessig as a supporter. "
Was DRM less bad because it was
'open source'? Professor Lessig tells us that he should have reviewed the
Sun Microsystems press release before it went out. It doesn't fully reflect
his position, he says, and he's emphatic that this blessing doesn't
constitute an endorsement." (Thanks to Ciarán O'Riordan)
Comments (10 posted)
Legal
Groklaw
presents
Prior Art and Its Uses: A Primer, by Theodore C. McCullough.
"
The question of what constitutes prior art can be confusing, to say
the least. Moreover, the issue of when one can and cannot use a particular
type of prior art in attacking the patentability of a particular invention
is equally confusing. The following is a high-level outline of some of
the key concepts regarding what constitutes prior art, and how to apply it
to address the patentability of an invention. The purpose of this primer is
not to serve as formal legal advice, nor should it be considered as
such. Rather, the purpose of this primer is to assist the general public,
including those in the Open Source Community, with helping to improve
patent quality."
Comments (none posted)
Interviews
The Financial Times
talks
with Larry Ellison about Oracle's plans. "
'I'd like to have a
complete stack,' he said. 'We're missing an operating system. You could
argue that it makes a lot of sense for us to look at distributing and
supporting Linux.'" (Thanks to Thomas Kirby).
Comments (6 posted)
ComputerWorld
talks
with Louis Gutierrez, CIO of the Information Technology Division (ITD)
of Massachusetts. "
Gutierrez, a 2002 Computerworld Premier 100
honoree, left a position as chief technology strategist at the University
of Massachusetts Medical School to fill the CIO post that had been vacant
since Peter Quinn resigned in January. No stranger to government, he served
as the state's first CIO from 1996 to 1998 and returned in 2003 as CIO of
its executive office of Health and Human Services (HHS), where he worked
through June 2004." (Thanks to Pete Link)
Comments (1 posted)
Behind Ubuntu
presents an
interview with Kubuntu developer Jonathan Riddell. "
How and
when did you get involved in Ubuntu? I knew that Ubuntu was going to
be big and that it didn't feature my favourite desktop, so I wrote a blog
post explaining why KDE people should get involved. That was the top google
for "Ubuntu linux" for a while and when Ubuntu dug out their plans for a KDE
version they contacted me to see if I could help." (Found on
KDE.News)
Comments (none posted)
KernelTrap has an
interview with
Andrey Savochkin. "
Andrey Savochkin leads the development of the
kernel portion of OpenVZ, an operating system-level server virtualization
solution. In this interview, Andrey offers a thorough explanation of what
virtualization is and how it works. He also discusses the differences
between hardware-level and operating system-level virtualization, going on
to compare OpenVZ to VServer, Xen and User Mode Linux."
Comments (2 posted)
Resources
Joe Barr
looks at the
cdck program. "
Ever wonder if that ISO or backup CD or DVD you
burned last year is still good? This week we'll take a look at a small
command-line utility called cdck that checks the condition of data on the
media and lets you know if it's still good."
Comments (none posted)
Linux Journal
looks at
combining documents and other advantages of using styles in
OpenOffice.org. "
WordPerfect veterans raise the idea of a Reveal
Codes feature for Writer every couple of months. In response, a macro that
gives the appearance of Reveal Codes without the functionality has been
written. However, the feature isn't likely to appear in any upcoming
version of Writer. For one thing, while WordPerfect is a code-based word
processor, in which every piece of formatting is embedded in a manner not
too different from HTML tags, Writer is a frame-based word processor. That
means the characteristics for a selection of text are defined separately
from the text itself. As a result, no direct equivalent of Reveal Codes is
possible."
Comments (2 posted)
NewsForge looks at
running
Rockbox on an iPod. "
Over the past few years, I've been ripping
my CD collection to Ogg Vorbis, intending to one day find a portable player
for all those tracks of synthpop, reggae, and comedy. Now I've finally
found a player for my 60-or-so gigs of Ogg files which has the
ergonomics, battery life, and accessory market of the iPod. The secret to
having a player that deals with so many codecs, but that looks and acts
like an iPod, is that it is an iPod -- just one that I converted last night
with a firmware swap to run the excellent, open source system called
Rockbox. Rockbox isn't perfect -- and it sure isn't for everyone -- but I'm
pleased as punch with it."
Comments (9 posted)
IBM developerWorks
looks
at porting applications to 64-bit systems. "
Linux was one of the
first cross-platform operating systems to use 64-bit processors, and now
64-bit systems are becoming commonplace in servers and desktops. Many
developers are now facing the need to port applications from 32-bit to
64-bit environments. With the introduction of Intel® Itanium® and other
64-bit processors, making software 64-bit-ready has become increasingly
important."
Comments (none posted)
Linux.com
covers
email filtering using procmail. "
Procmail is a Mail Delivery Agent
(MDA), meaning it can be used along with a Mail Transfer Agent (MTA) such
as mutt or sendmail to filter messages. Procmail processes all messages
before they are delivered to your mailbox. You can have your incoming
messages distributed into various folders based on preset criteria such as
the subject of a message or the recipient. The use of regular expressions
for creating rules and the ability to run multiple rules on messages make
procmail a very precise mail filtering program."
Comments (5 posted)
Linux.com
presents
another look into the toolbox with OpenSSH, Socat, Bash, Midnight
Commander, Aptitude, Knoppix, awk, Expect, Scite and Ipcalc.
"
Carrying an operating system with me at all times is bliss. I rarely
leave home without a Knoppix CD. Knoppix has always been great, but it got
even better with the inclusion of UnionFS, which allows me to install
packages as if the CD were writable."
Comments (none posted)
Reviews
NewsForge
looks
at the Python program ccPublisher 2. "
Creative Commons (CC)
offers licenses that allow you to publish material with clear-cut licensing
terms that reserve some of your rights while giving the public others. CC
offers a number of tools to implement the licenses into the metadata of
various media formats. Until recently, its ccPublisher program, which
allows you to upload CC-licensed content to the Internet Archive, had
official binary releases only for Apple Macintosh OS X and Microsoft
Windows XP. This is about to change, with the upcoming release of
ccPublisher 2."
Comments (4 posted)
NewsForge
looks
at HMS Scrubber. "
Two new open source software projects are
ready to wipe patient histories clean of personal information so
researchers can learn from medical cases without endangering privacy. One
of the GPLed software programs, HMS Scrubber version 1.0, was recently able
to remove more than 98 percent of identifiers -- such as name, address, and
Social Security number -- from 1,254 pathology reports processed from three
hospitals. Developed by a team from the Beth Israel Deaconess Medical
Center in Boston and other American institutions, the software holds
promise beyond pathology in nearly all medical records, which are integral
to research, but are full of privacy pitfalls, says Bruce Beckwith, a Beth
Israel doctor and developer of the new software."
Comments (1 posted)
eWeek
reviews
GNOME 2.14. "
Sabayon, interestingly, uses the nested X-Window
capability of the X.org Foundation's X.org graphics system, in which you
can launch a new session in a window within your current session. In this
session within a session, we could set desktop preferences, add task bar
items and change font sizes, among other things, and then save that set of
configurations as a profile that we could apply to other users."
Comments (3 posted)
Linux.com
looks at
rPath. "
rPath's goal, according to a white paper on the company
Web site, is "a source control system married to a package system." To
achieve this goal, rPath has developed three closely related projects:
Conary, a package management system; rPath Linux; and rBuilder, a tool for
working with Conary repositories. With these projects, rPath claims to be
able to drastically reduce the time required to build a Linux
release."
Comments (none posted)
NewsForge
looks at scuttle, a tool for setting up a local del.icio.us-like site. "
Using del.icio.us to manage your bookmarks has its advantages, but it has its limitations too. You can't install del.icio.us on your local network, you can't modify it to suit your needs, and you can't be sure whether the service will still be there tomorrow. Scuttle, on the other hand, is an open source social bookmarking application that offers functionality similar to del.icio.us without the shortcomings."
Comments (none posted)
Linux Journal
reviews
the book VPNs Illustrated: Tunnels, VPNs, and IPsec by Jon
C. Snader. "
VPNs Illustrated: Tunnels, VPNS, and IPsec
offers a clear and concise evaluation of the technology that allows private
networks to extend through insecure channels. Overall, the purpose of this
book is to inform readers of the benefits a VPN can offer. This is done
through examples, diagrams and source code analysis. As a reference guide,
the material does a good job of informing the reader about private
networking over a public channel."
Comments (none posted)
NewsForge
looks
at Zfone. "
Zfone is PGP creator Phil Zimmermann's latest
brainchild, a small desktop application that encrypts VoIP softphone
conversations using strong encryption and peer-to-peer
communication. Zimmermann released the first public beta last month. While
I'm intrigued by the concept, getting the application to work is another
story."
Comments (11 posted)
Miscellaneous
Linux.com
goes to
EasyLinux.info for a script called Fedora Frog. "
Raivis Dejus,
Linux Center project coordinator at the University of Latvia, runs
EasyLinux.info. He finished Frog about a week ago, he says, adapting the
Automatix script for the RPM-based Fedora Core and using yum to handle
downloading and installing the packages. Dejus used his own ideas and some
tips from others on the Internet to create Frog. "It seemed like a thing
that had to be done," he says. "Ubuntu has Automatix and I decided that
Fedora should have something similar.""
Comments (none posted)
NewsForge
tests
a cross-platform virus. "
Our tests show the code's viral nature
is sometimes -- but not always -- effective on both platforms, depending on
the kernel being used. Of course, it's impossible for us to test every
version of the kernel out there, but thus far, it looks like those prior to
version 2.6.16 are susceptible, and at least some of those after that
release are not. Here's how we tested at NewsForge."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Digium has announced the formation of the Asterisk (telecom project)
Advisory Council.
"
Composed of five experienced Asterisk community contributors,
the Council will assist in the overall management of Asterisk including
the selection and supervision of community developers, release cycles and contributions."
Full Story (comments: none)
The Electronic Frontier Foundation (EFF) has announced the release of
Unintended Consequences: Seven Years Under the DMCA, a collection of
reports of the misuses of the DMCA.
Full Story (comments: none)
Bruce Perens is bothered by a recent event: "
Microsoft has been
paying the large domain resellers to move their 'parked' sites to IIS on
Microsoft Server. Moving the parked customers of a single large reseller,
GoDaddy.com, caused a shift of 4.5 Million domain names, or 5% of total
server share from Apache to Microsoft IIS in the Netcraft report. This is
an 'appearance' change only, because the sites involved have no
content. But managers believe figures like those in the Netcraft report,
and act on them." His response is
OpenSourceParking.com, a place
where idle domains can be parked and show up in the Linux column. He also
plans to use the resulting advertising revenue to fund an open-source
political action committee.
Comments (61 posted)
Technocrat.net
looks at
California AB2097, which implements the people's right to know how
their votes are counted - rather than to have the details cloaked with DMCA
and trade-secret law applying to present proprietary voting software. The
hearing is Tuesday April 18 in Sacramento, California.
Comments (none posted)
Commercial announcements
FSMLabs has
announced a collaboration with Advantech on a single board
computer platform.
"
The first qualified board is an Advantech fanless "3.5 inch Biscuit
SBC" that uses 10 watts to run RTLinux hard real-time under the full load
of sophisticated middleware like Java, databases, and web servers. Users
can choose to run the industry standard Linux networking stack or FSMLabs'
agile zero-copy real-time networking on the built in Ethernet."
Comments (none posted)
Linux Networx has
announced the naming of Robert
Neumeister, Jr. as its new executive vice president and chief financial
officer.
"
A proven CFO with extensive experience in the technology
industry, Neumeister has achieved repeated success at Fortune 500 companies
and technology start-ups both domestically and internationally. Mr.
Neumeister's experience includes financial leadership through periods of
rapid growth as well as leveraged buyouts and initial public offerings
(IPO's)."
Comments (none posted)
Solsoft Inc. has announced Solsoft NetfilterOne 1.2, a graphical interface
that will automate the design, deployment and documentation of security
rules and policies as they pertain to a networked netfilter firewall.
Linux Netfilter Iptables version 1.3 is now supported.
Full Story (comments: none)
Unitrends Corporation has
announced the GOLD release of their Rapid Recovery System.
"
Among the enhancements announced today are increased capabilities to
Unitrends' Hot BareMetal(TM) capability, at the core of its exclusive
Continuous System Protection(SM), allowing Linux users, running
SuSe/Novell, Red Hat, Debian, Gentoo and more, to capture an image of the
entire operating system at any point in time, without having to first shut
down the server application or interrupt operations."
Comments (none posted)
Contests and Awards
The 2006 Google Summer of Code event
has been launched.
"
The Google Summer of Code is a program that helps student developers create open source programs. Google is planning on identifying and funding several hundred projects over three months, with the help of open source, free software and technology companies mentoring and inspiring students.
The application process opens officially on May 1 2006, and Google hopes to fund over 400 participants this year. Only students enrolled in an accredited institution get the chance at the funding for the Summer of Code." See the
2006 Summer of Code
web site for more information.
Comments (none posted)
The winner of the latest round of the OpenOffice.org article contest
has been announced.
"
CP Hennessy has won the latest round of the contest with an excellent
article on the citation facilities of OpenOffice.org. Titled,
"Current Implementation of the OpenOffice.org Bibliographic
Component," the work examines "the APIs available to the programmer
to manipulate the citation data, and how these API calls actually map
to real C++ classes in the OpenOffice.org source code.""
Full Story (comments: none)
Linux.com has
an
announcement for the Linux Symposium essay contest. "
First prize
is a shiny new Intel Centrino Duo laptop. Second prize: an iPod
nano. Entrants must be registered to attend the 2006 Linux Symposium in
Ottawa, Canada, July 19-22, and must be at least 16 years old. The essays
are to be no more than 1,500 words, and should be submitted in English as
plain text, PDF, or Perl. The deadline is June 30, and winners will be
announced during the welcome reception of the conference July 19."
Comments (none posted)
A new
Ludum Dare 48-Hour Game
Programming Competition will happen on April 28-30 2006.
"
The new competition has been announced, and I am currently working on getting the site ready for the competition. The last competition we used Wiki pages, and besides still not having the winners announced other things went fairly well. After I get the site up for the new competition the last competition will be moved into the new site and the winners will be announced."
Comments (none posted)
The new
tuxisalive.com
contest has been announced.
"
Kysoh SA, a developer of electronic devices for geeks by geeks, today
launched a big contest on their buzz site (www.tuxisalive.com). Tux is alive and it's
not a plush. You always dreamed of having a live penguin at home but didn't know
how? Take part in the genesis of Tux by participating in Kysoh's big contest."
Full Story (comments: none)
Education and Certification
LinuxMedNews has
an announcement for a new VistA Training Institute.
"
In 2005, the Hui partnered with the University of Hawaii and VistA subject matter experts throughout the continental U.S. to develop a VistA training and certification curricula for clinical application coordinators and system administrators. The VistA Institute curricula will serve as a resource to enhance the technical and clinical training competency needed to implement, support and encourage adoption of VistA in the healthcare market worldwide, explained Hui Director Stanley M. Saiki, Jr., M.D..."
Comments (none posted)
Event Reports
Michael Opdenacker has sent in a report of the recent Consumer Electronics
Linux Forum (CELF) conference.
"
For the first time, it was called "Embedded Linux
Conference", as the ELC acronym is now free after the end of the
Embedded Linux Consortium last year. For the first time too, it was open
to the general public (for a very moderate registration fee), and not
only to CELF members like last year.
This conference featured approximately 40 talks, tutorials or Birds of a
Feather sessions as well as several product demos, 100% targeted to
embedded system developers."
Full Story (comments: none)
Calls for Presentations
A call for papers has gone out for the IPR '06 Workshop on Intellectual
Property protection for software and its implications for Free/Libre and
Open Source Software. The event will take place in Como, Italy on
June 10, 2006; papers are due by May 15.
Full Story (comments: none)
Upcoming Events
The speaker lineup for the Recon 2006 security conference has
been announced.
The event will take place on June 16-18, 2006 in Montreal, Canada.
Training sessions will be offered before and after the conference.
Full Story (comments: none)
| Date | Event | Location |
| --- | --- | --- |
| April 20 - 22, 2006 | Forum Internacional Software Livre 7.0 (FISL) | Porto Alegre, Brazil |
| April 20 - 22, 2006 | International Conference on Availability, Reliability and Security (AReS 2006) | Vienna, Austria |
| April 20, 2006 | UK Python Conference | Randolph Hotel, Oxford, England |
| April 21 - 23, 2006 | Penguicon 4.0 | Livonia, Michigan |
| April 23 - 26, 2006 | Itanium® Conference and Expo 2006 (Gelato ICE) | San Jose, CA |
| April 24 - 26, 2006 | LinuxWorld & NetworkWorld Canada 2006 Conference & Expo | Metro Toronto Convention Centre, North Bldg., Toronto, Canada |
| April 24 - 27, 2006 | MySQL Users Conference | Santa Clara, CA |
| April 24 - 25, 2006 | 2006 Desktop Linux Summit | Manchester Grand Hyatt, San Diego, CA |
| April 24 - 26, 2006 | SambaXP 2006 | Clarion Parkhotel, Göttingen, Germany |
| April 26 - 28, 2006 | php\|tek 2006 | Orlando Airport Marriott Hotel, Orlando, FL |
| April 27 - 30, 2006 | Linux Audio Conference (LAC2006) | ZKM, Karlsruhe, Germany |
| April 29, 2006 | Linuxfest Northwest 2006 | Bellingham, WA |
| April 29 - 30, 2006 | European Common Lisp Meeting 2006 | Hamburg, Germany |
| May 1 - 6, 2006 | DallasCon 2006 | Richardson Hotel, Dallas, TX |
| May 3 - 6, 2006 | LinuxTag 2006 | Rhein-Main-Hallen, Wiesbaden, Germany |
| May 4, 2006 | openSUSE Day at LinuxTag 2006 | Wiesbaden, Germany |
| May 6 - 7, 2006 | WebTech 2006 | Sofia, Bulgaria |
| May 8 - 18, 2006 | LinuxWorld on Tour Conference and Expo 2006 (LOT2006) | Montreal, Ottawa, Calgary, Vancouver |
| May 12 - 13, 2006 | BSDCan 2006 | University of Ottawa, Ottawa, Canada |
| May 13, 2006 | DebianDay | Oaxtepec, Mexico |
| May 14 - 22, 2006 | DebConf 6 | Oaxtepec, Mexico |
| May 26 - 27, 2006 | FreedomHEC | Seattle, WA |
| May 30 - June 3, 2006 | 2006 USENIX Annual Technical Conference | Boston Marriott Copley Place, Boston, MA |
| June 13 - 14, 2006 | Where 2.0 Conference | Fairmont Hotel San Jose, San Jose, CA |
| June 13 - 14, 2006 | Gartner Open Source Summit 2006 | Palau de Congressos de Catalunya, Barcelona, Spain |
| June 14 - 16, 2006 | New York PHP Conference and Expo 2006 | New Yorker Hotel, New York, NY |
Comments (none posted)
Web sites
KDE.News
has announced
the new
Try KDE site.
"
Try KDE is a new resource listing ways that you can try out KDE without committing to a full GNU/Linux or BSD install. It includes links to live CDs, VMware player images and Klik bundles as well as links to KDE desktops available over NX, with explanations of these technologies. It is linked to from the KDE frontpage and will be updated regularly as more resources are discovered."
Comments (none posted)
Miscellaneous
KDE.News
follows
the progress of the K3b Fundraiser 2006 effort.
"
At the beginning of March 2006, I started a fundraising campaign
with the goal of collecting 1000 Euro by
the end of the month in order to buy a new computer system. I soon
discovered how very unrealistic this goal
was! You -- the K3b users -- taught me a lesson: by the end of the second
day I had already received more than 1000 Euro and in the end the goal was
surpassed by far."
Comments (none posted)
Page editor: Forrest Cook