Since it was enacted, the U.S. Digital Millennium Copyright Act (DMCA) has
stifled security research, led to the arrest of visiting programmers, shut
down fair use, prohibited the creation of free DVD players for Linux, and
facilitated anti-competitive moves by manufacturers of printer cartridges
and garage door openers, among others. The EFF and others have been pushing
for a reform of the DMCA for some time, and the occasional member of
Congress has tried to bring that about. The DMCA is a law which clearly
needs fixing.
Now, there is a new attempt to amend the DMCA in the works; a copy
of the DMCA with the proposed changes highlighted [PDF] is available
for those who are interested. This proposal, however, would have the
effect of making the DMCA significantly worse. Here are a few highlights:
- No longer content with criminalizing copyright infringement, the new
law would make even attempted infringement illegal - with the same
penalties. There would be no need to actually copy anything to
violate the new DMCA.
- The new law authorizes the impounding of "records documenting
the manufacture, sale, or receipt of items involved in such
violation." Such records certainly will include Internet
service provider logs.
- The penalty for copyright infringement will be raised to a maximum of
ten years in prison - twenty for repeat offenses. In the future,
rational criminals will not copy CDs; the potential penalty for simply
stealing them will be lower. The new ten-year penalty will apply to
those committing the heinous crime of recording a live concert as
well.
- The use of wiretapping and similar techniques is authorized for
investigations into criminal copyright infringement or recording of
live performances.
- Criminal and civil forfeiture powers would be available to law enforcement agencies
dealing with copyright cases.
The addition of forfeiture powers is, perhaps, the scariest part of this
whole proposal. Civil forfeiture has long been a part of the U.S. "drug
war," with the result that many law enforcement actions - often against
innocent people - have been motivated
primarily by the prospect of seizing valuable property. If this law goes
through, any music player, laptop, or server deemed to have somehow
participated in copyright infringement will be subject to seizure by the
police - along with the houses they are found in. Anybody who thinks this
power would not be abused has not been paying much attention.
As of this writing, the proposed legislation has not yet been formally
introduced for consideration, but has been circulated among some members of
the House of Representatives.
A different bill which, according to the
EFF, has already been introduced is the "PERFORM act." This law can be thought
of as a sort of broadcast flag for the net; it would require those
broadcasting copyrighted material on the net to use DRM-afflicted formats.
No more Vorbis or Theora streams - or even MP3. And, obviously, no way to
tune into such streams using free software.
These bills make it clear that the powers behind the expansion of
"intellectual property rights" are not yet satisfied and want more. This
sort of thing will keep coming, and not just in the U.S. If we value our
freedom, we must be prepared to keep fighting - and to work to push the
pendulum in the other direction.
April 25, 2006
By Pamela Jones, Editor of Groklaw
[Editor's note: The case of KAM Industries and the JMRI project is an
important one; it is one of the first times where a free software developer
has been directly attacked by a patent holder and held responsible for
royalties for every downloaded copy. If we wish to be able to post
software without risking hundreds of thousands of dollars (or more) in
royalty demands, we must quickly put an end to this sort of thing. We
asked Groklaw founder Pamela Jones to put together a summary of this case
and what we can do about it; the following is her response.]
The Right to Create blog has a letter from the attorney, Victoria
K. Hall, who is representing Robert Jacobsen, the man who was sent the
bill for $203,000 for allegedly infringing patents with
his open source model train software. He has struck
first, filing a
lawsuit himself, Jacobsen v. Katzer et al, charging that the patent
was fraudulently obtained and hence is invalid and unenforceable. The
complaint also says the patent is invalid on the grounds of obviousness
and for failure to meet the written description requirement of 35 U.S.C.
Sec. 112.
So, on one side we find an Open Source developer, and, on the other, a guy
wielding
questionable software patents. Of course, as in all litigation, it's
important
to keep in mind that nothing is proven by a complaint. It's just the opening
salvo, and we haven't yet heard the defendants' side.
Hall is asking the community to look
for prior art. Let me tell you a little bit about the case, from the
materials in the complaint Jacobsen has filed. It may help you to
more effectively find prior art. It will surely motivate you.
The lawsuit
The case is 5:2006cv01905, filed in the US District Court for the
Northern District of California, San Francisco Division, for those of you
with Pacer accounts. The plaintiff lives there and works at the Lawrence
Berkeley National Laboratory of the University of California and he also
teaches physics there. He's also a model train hobbyist who has written, with
others,
open source code called JMRI, or Java Model Railroad Interface,
which
allows you to control how model trains run on a track. He's the primary
developer of the software through the JMRI Project.
Ms. Hall, although located in Maryland, is admitted to practice in
California as well as in Maryland state courts and is a patent attorney
admitted to practice before the USPTO. Interestingly, she worked in the
chemical engineering and software industries for nine years before she
went to law school.
The suit is an action for declaratory judgment that
Katzer's patent, US Patent No. 6,530,329, called the '329 patent, is
"invalid, unenforceable, void and/or not infringed by Plaintiff
Jacobsen". What's a declaratory judgment?
Here's US Code Title 28, Ch
151, § 2201, the Declaratory
Judgment Act. And here is a definition from
Cornell's Legal Information Institute. If someone is threatening to sue
you, but hasn't yet, in certain limited circumstances, you can take the
initiative rather than waiting for the axe to fall, go to court and in
essence say: "This person or this company is threatening to sue me and I
need our respective rights with respect to this dispute settled, so this
cloud over my or my company's head doesn't ruin my business."
The court doesn't have to hear a request for a declaratory judgment. It
has discretion. It's an enabling statute, and your case has to fit into
the confines of the Declaratory Judgment Act, namely you have to have an
actual "controversy" in the constitutional sense. That means it isn't a
hypothetical problem and it isn't moot, meaning, first, that you really
have a realistic and reasonable apprehension of actually being sued, and
second, that the court can settle your problem with a declaratory
judgment.
If the judge accepts the dispute, he can issue a declaratory
judgment, in which he "declares" what each party's rights are, the idea
being that if, for example, he declares that you aren't infringing your
adversary's patent, then you can't be sued.
Mr. Jacobsen's complaint is also a complaint for "violation of federal
antitrust laws, the Lanham Act, and California Unfair Competition Act
and for libel." The Complaint asks for a decree that the defendants
Katzer and his company "have attempted to monopolize the market for
multi-train control systems software in the United States" in violation
of Section 2 of the Sherman Act.
The defendants
The named defendants are Matthew Katzer, KAMIND Associates, Inc. d/b/a
KAM Industries, and Kevin Russell. Katzer is a model train hobbyist who
has written software code for controlling model trains and is an expert
in the field. He has several patents, and the complaint states that
Jacobsen believes there are more pending. KAM is Katzer's business,
selling products embodying Katzer's patents.
Here's the surprising twist. The third defendant, Kevin Russell, is their
lawyer.
He works for a firm in Oregon, Chernoff, Vilhauer, McClung & Stenzel. He's
now
accused of libel, and the court is asked to find
against the defendants, jointly and severally, to the tune of $50,000
plus punitive damages.
Russell filed a request
under the U.S. Freedom of Information Act,
with the Lawrence
Berkeley National Laboratory, not only accusing Jacobsen of patent
infringement,
but claiming that the Lab "had sponsored the allegedly infringing JMRI
Project's activities."
The DOE turned down the request in December of 2005, but not before
Jacobsen was embarrassed and had to explain the whole "harassment story,"
as he describes it, to his boss and the DOE FOIA liaison. The complaint
also says
it interfered with his work, resulting in a loss of income. The FOIA
request, Jacobsen says,
caused him embarrassment, particularly because he's "a scientist whose
work
involves the creation of intellectual property."
The complaint continues, saying that Russell knew that the
Lab, which has a contract with the U.S. Department of Energy, has
nothing to do with the JMRI Project.
The defendants made the allegation, says the complaint, "to effect
Defendants' goal to
embarrass Plaintiff Jacobsen and force him to shut down the JMRI Project
and to pay royalties to Defendant KAM."
The patent
According to Jacobsen, the basis for claiming that the patent is not valid
is the defendant's history of applying for patents
on what others invent without telling the
patent office about the prior art. Another charge is that Katzer
didn't tell the patent office that some of KAM's products "were in
public use, published, offered for sale or sold more than 1 year before
Defendant Katzer filed the '461 application," which would disqualify
them for patent protection. The patent in question, '329, claims the
benefit of earlier patent applications' filing dates, '461 being the
earliest filed in the chain that '329 issues from.
The complaint lists prior art dating back to 1986 that it says
Katzer ought to have told the USPTO about, since the complaint alleges
he knew about them. For example, in late March of 2002, the story
continues, the JMRI Project software's client-server capabilities were
described in a posting to a public mailing list, which Katzer is on.
Then, on April 14, 2002, the first version of JMRI with the new
capabilities was released for public download and announced on several
mailing lists and on the JMRI website. "Three days later, Defendant
Katzer filed a patent application tailored to claim the capabilities of
the JMRI Project software." Again, the Complaint says, Katzer didn't
tell the patent examiner about the JMRI Project.
Jacobsen says he received a letter from KAM in March of 2005, offering
to license for $19 per program installed on a computer, saying that JMRI
was infringing claim 1 of the '329 patent. Jacobsen says he wrote a
letter back asking exactly how he was infringing, and his answer was a
letter in August, saying that he was infringing claim 1 and that they
were now investigating to see if any other patents were infringed by
JMRI. Oh, and the price to license was now $29. The letter also
demanded $203,000 for the 7,000 copies already distributed. In October
came a bill with finance charges, so the total had risen to more than
$206,000. He's gotten bills roughly every month since.
Jacobsen is about to release a new version of his software, and that's
why he's asking the Court to bring resolution to the matter, because he
believes the defendants will sue him when he releases the new version. He's
also
asking for redress.
The request
Aside from the declaratory judgments, the antitrust decree, and the
libel damages, the Plaintiff is asking for the following:
- An injunction ordering Defendant Katzer to identify all patents
and patents applications filed in the United States and throughout the
world, to produce to their respective patent offices all material
references discovered through this litigation, and to request
re-examination (or the nearest equivalent proceeding outside the U.S.)
of any patents issuing from the patent applications.
- An award of treble damages for the loss of income and other
property on the antitrust claim.
- A decree that Defendants Katzer and
KAM have engaged in unlawful, unfair and/or fraudulent business
practices in violation of the California Unfair Competition Act,
California Business and Professions Code, and an order enjoining them
from any future such conduct.
- An order finding that Katzer
cybersquatted on the trademarked name, www.decoderpro.com in violation of
the Lanham Act and requiring him to turn the domain name over to
Plaintiff Jacobsen.
- An order enjoining Defendant Katzer and
Defendant KAM, and all persons and entities under their direction or
control, from engaging in or carrying out any further anti-competitive
or bad faith conduct
- An order referring the matter to the U.S. Attorney's Office for
investigation into antitrust violations, perjury, mail fraud, and
cancellation proceedings against any patents involved in this
litigation, and any related patents.
-
An order awarding costs and attorney's fees as permitted by law,
including 35 U.S.C. Section 285.
What you can do
Ms. Hall in her letter asks that no one harass the defendants "through
calls, letters, faxes, emails, etc. It does NOT advance the case in Mr.
Jacobsen's favor." What does help is to find prior art. Groklaw just
published a basic tutorial on prior art, Prior
Art and Its Uses - a Primer, by a patent attorney, Theodore C.
McCullough. It might help you.
Here is what
Ms. Hall is asking for:
The key date is prior art existing
before June 24, 1998, and more importantly, prior art existing before
June 24, 1997. The prior art that we are looking for is:
- A
patent or printed publication that described the invention. Source can
be from anywhere in the world.
- Evidence of public use, offer for
sale, or sale in the United States. (If it's from outside the U.S.,
please make a note and send it so we can follow up.)
- Evidence of
another person inventing the same thing in the U.S.; the invention must
not have been suppressed, concealed or abandoned.
- If the evidence
is not the exact invention, then any information (in addition to the
evidence) suggesting that the evidence could be combined with something
else to successfully make the invention.
Here's her contact
information, if you do find prior art. Snail mail is the best, she
says. I can't help but point out
that had the Peer to
Patent Project mentioned in McCullough's article
been in place a few years ago, these patents might well have been
blocked before they issued, and all this woe could have been prevented.
If nothing else, this incident can help us
to understand what projects like that are designed to address.
So, there you have the information and the tools to get started
searching for prior art. Happy hunting.
April 26, 2006
This article was contributed by Glyn Moody
As the previous feature on
open content noted, the need for an appropriate license was felt from
the earliest days. Strangely, it was not Richard Stallman who filled
this gap: even though the GNU General Public License dates back
to the 1980s, it was only in 2000 that the corresponding
GNU
Free Documentation License was created. As a result, the honor
for the creation of the first formal non-software open license goes
to David Wiley.
In the summer of 1998, Wiley had joined the graduate program in
Instructional Psychology and Technology at Brigham Young University,
where he began doctoral work on “learning objects” -
small-scale, reusable computer-based educational materials designed
to be used in a variety of settings. This was just a couple of
months after the term “open source” had been devised at
the Freeware Summit, and Wiley realized that what was needed was a
kind of open source for instructional content.
He contacted people like Richard Stallman and Eric Raymond to ask their
advice, and drew up his first license in July 1998. Wiley decided to
call his approach “open content” - a term which he seems to have
been the first to use consistently. For Stallman, the idea of “open”
as opposed to “free” is anathema, and he also refuses to
refer to works as “content”, so ultimately he wanted
nothing to do with this new “OpenContent
License”, even though he and Wiley had previously worked together in
an attempt to tweak the GNU GPL for content. Raymond, by contrast,
was an important influence on the fledgling open content idea, as the
following passage
from the newly-created Opencontent.org site indicates:
OpenContent
advocates adoption of the principles Eric S. Raymond outlines in his
essay “The Cathedral and the Bazaar” for use in the
development of Content. ... The Bazaar model for Content development
will bring these same benefits to online instructional content;
namely the creativity, expertise, and problem-solving power of a
potentially infinite team of instructional designers and subject
matter experts. A development effort of this kind will fill the
Internet with high quality, well-maintained, frequently updated
Content.
More input was provided by Tim O'Reilly and Andy Oram, making the license
more palatable to publishers so that online versions of printed
books and journals could be distributed for free. The result was the
Open Publication License
(OPL), released in June 1999. Appropriately enough, Raymond's
“Cathedral and the Bazaar” was released under the OPL (as
was his “Brief History of Hackerdom”). A number of other
books, mostly in the field of computing, adopted the license,
including GTK+/Gnome
Application Development by Havoc Pennington, and Grokking
the GIMP, by Carey Bunks. It was also adopted for Bruce Perens'
Open
Source Series, published by Prentice Hall.
Although the OPL led to a modest increase in open content being made
available, the license still had some problems. One was that it came
in four versions – OPL, OPL-A, OPL-B and OPL-AB - according to
which, if any, of two optional clauses were included. These dealt
with the thorny issues of “substantively modified works”
and whether the work or derivatives of it could be published in book
form for commercial purposes. The combinations obviously made it
harder to be sure what exactly an OPL license permitted, and meant
that users were forced to refer to the license to find out what their
rights were. What was needed was some legal input to produce a
series of open content licenses that clearly delineated what could
and could not be done with them.
Fortunately, in the second half of the 1990s, a group of lawyers were becoming
increasingly interested in the interrelated issues of copyright,
intellectual property, digital content and the public domain.
Pioneers here include Pamela Samuelson, James Boyle and Yochai
Benkler. But the person who has become most closely associated with
this whole area is undoubtedly Larry
Lessig.
He rose to prominence with his book “Code and Other Laws of Cyberspace”, which asserted that the
Net's software codes necessarily implied legal codes. From this
early interest in architectures and their growing power to affect
everyday life, Lessig's focus gradually shifted back to the legal
domain, where he sought to counter the threats posed by the music and
film industries to the new creative possibilities opened up by the
Net.
His first attempt at a solution was the creation of Copyright's
Commons in 1999, “a coalition devoted to promoting the
public availability of literature, art, music, and film.” Its
principal instrument was the use of what it called
“counter-copyright”,
which “strips away the exclusivity that a copyright provides
and allows others to use your work as a source or a foundation for
their own creative ideas. The counter-copyright initiative is
analogous to the idea of open source in the software context.”
When Copyright's Commons became involved in the Eldred v. Ashcroft
lawsuit – which tried to block the
extension of US copyright by 20 years - it also pioneered what it
called “openlaw”, where legal arguments were posted
online for open discussion.
It was Lessig who argued the Eldred v. Ashcroft case in court –
and lost, much to his chagrin.
A more positive outcome from this work was the creation of a second,
more ambitious, organization called Creative
Commons, and the drawing up of a series of formal open content
licenses. Like Wiley's Open Publication license, these Creative
Commons licenses allow several options. While this lends them
great flexibility, it also means that there is now a confusing array
of Creative Commons licenses. Indeed, Richard Stallman no longer
supports the Creative Commons project because not all of these
licenses meet his requirements for freedom.
Despite Stallman's concerns, there is no doubt that the Creative Commons
licenses have transformed the open content scene. They offer
creators a range of rigorous licenses that have been drawn up by
lawyers with a deep understanding of the issues of copyright in the
Net age. An important recent court case in the Netherlands has
confirmed
their legality, at least in that jurisdiction.
Wiley's original licenses were created for educational materials, and among
the first applications of the Creative Commons licenses were two
major open content projects in the field of what has come to be
called open courseware, both funded by the Hewlett
Foundation. Just as open source avoids re-inventing the wheel by
building on existing code, so open courseware aims to save time,
effort and money by making educational material freely available for
others to re-use, extend and improve.
The first such project, Connexions, came
from Rice University. It was the brainchild of Richard Baraniuk,
professor of electrical engineering, who was directly inspired by the
example of open source. Connexions uses a content creation platform
called Rhaptos, which is released under the GNU GPL. The other major
open courseware project came from MIT. One of the people behind the
OpenCourseWare idea –
which arose out of an earlier failed attempt to make money from
selling MIT courses online – was Hal Abelson, who is also one
of the founders of Creative Commons. This joint involvement
simplified the issue of licensing, something that was a major issue
for Rice initially, until it too adopted a Creative Commons license.
MIT does not use an open source platform, but David Wiley has started a
project called eduCommons,
based on Plone, that offers this
facility. Another of his free software projects, called Open
Learning Support, and now part of eduCommons, provides Rice's
Connexions and MIT's OpenCourseWare with online discussion boards.
Baraniuk, for his part, is working on a range of ancillary open
source software, including systems to aid translation, and a rating
system for courses. It is also worth mentioning the free software
course management package Moodle,
which is widely used around the world, and Sakai,
a similar project, funded by the Hewlett Foundation.
Although both Connexions and OpenCourseWare allow course materials to be
modified, they do not make any provision in their platforms for true
collaborative development. The final article in this short series
will explore how this issue has been addressed by open content projects.
Glyn Moody writes about open source and open content at opendotdotdot.
Page editor: Jonathan Corbet
Security
April 26, 2006
This article was contributed by Jake Edge.
Over the last month, there have been eleven separate releases in the 2.6.16
stable kernel series, seven of which were single-patch releases for security
related issues. This flurry of security fixes would make one think that
there was a concerted effort by an individual or organization to try and
find kernel security problems, but that is not the case. It is entirely
coincidental that all of these fixes came about at around the same time.
A chronological look at each of these fixes gives a nice picture of the
diverse places that kernel developers are looking for bugs in general
and security bugs in particular.
Roughly a week after the original 2.6.16 release, the 2.6.16.1 release
contained 19 patches, including one that fixed
CVE-2006-1242.
Back in the 2.4 series, code had been added to stop leaking information
through the IP identification (fragment ID) field of packets that do not
need it: a packet with the DF (don't fragment) bit set will never be
fragmented, so its ID can simply be zero. Emitting a predictable,
incrementing ID in every packet lets a remote observer count how many
packets a host has sent in between two probes, which is the basis of the
technique called idle scanning, where an uninvolved third host is used as
an unwitting relay for a port scan. Unfortunately, when the original change
was made, one transmit path was missed: the SYN-ACK sent in response to a
connection request still carried a real ID. That omission was discovered in
March.
The 2.6.16.2 release came out on 7 April and had a quite a few
fixes including a change
to the sysfs interface covered
by LWN two weeks ago.
On the 11th and 12th of April, there were three releases, each of which
included just one security fix. 2.6.16.3 fixes a bug that allowed a user
to oops the kernel by passing invalid arguments to the keyctl utility, or
directly to the add_key() system call it wraps
(CVE-2006-1522).
If the user specified a key, rather than a keyring, as the destination for
an "add key" operation, the kernel dereferenced an invalid pointer: a local
denial of service reachable from any unprivileged shell.
A call to BUG_ON() in the __group_complete_signal() function
(part of the RCU-based signal handling code)
"has unknown impact and attack vectors" and was patched as 2.6.16.4
(CVE-2006-1523). If a user process could cause the condition tested by
that BUG_ON() call, it could oops the kernel and cause a denial of service.
A difference in the way Intel and AMD 64-bit CPUs handle a non-canonical
return address led to the 2.6.16.5 release
(CVE-2006-0744).
When the kernel returns to user space with SYSRET and the return address is
not canonical, an Intel CPU raises the fault on the SYSRET instruction
itself, that is, while still in kernel mode but after the kernel has already
loaded the user's stack pointer, so the exception handler runs on a stack
chosen by user space. Kernel code running on a user-controlled stack would
seem rife with opportunities for exploitation; the fix has the kernel return
with the slower but safer IRET whenever user space could have altered the
saved return address.
The 2.6.16.6 release came out a week later with another long
list of patches, two of which
have security implications. The m32r architecture had a bug in the
get_user and put_user macros that did not check the
address passed to them which would allow access outside of the process
address space.
Two related issues with read-only shared memory were addressed, one with
a patch in this release and the other in the 2.6.16.7 release later in the
day. The first, a problem that goes back to the 2.4 series, is that a
segment attached read-only through the System V shared memory IPC mechanism
(shmat() with SHM_RDONLY) could be made writable by the attaching process
with a plain mprotect() call, because the kernel had not cleared the
"may write" permission on the mapping; the memory was explicitly shared
read-only, and the restriction could simply be undone. 2.6.16.7 then closed
the MADV_REMOVE vulnerability
(CVE-2006-1524): madvise(MADV_REMOVE) punches holes in (zeroes) pages of a
tmpfs-backed mapping, and the kernel did not check that the mapping was a
writable, shared one, so a local user with nothing more than read access to
a segment could destroy its contents for every other user of it.
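As an added regression check (this is the editor's example, not code from the article or from the kernel patches), the following C program creates a private System V shared memory segment, attaches it read-only, and then attempts the two operations the 2.6.16.6 and 2.6.16.7 fixes forbid: upgrading the attachment with mprotect(PROT_WRITE) and punching a hole in it with madvise(MADV_REMOVE). On a fixed kernel both calls fail with EACCES; a zero return from either is exactly the behaviour these patches removed. The probe_readonly_shm() function and its result codes are this example's own naming, and the MADV_REMOVE fallback definition is only there for very old headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <unistd.h>

#ifndef MADV_REMOVE
#define MADV_REMOVE 9   /* Linux value; assumed only for very old headers */
#endif

/* Outcome codes for the probe (this example's own naming, not kernel API). */
enum probe_result {
    PROBE_SHM_UNAVAILABLE = -1, /* could not create/attach a segment: nothing learned */
    PROBE_WRITABLE        =  0, /* a read-only attachment was upgraded or hole-punched */
    PROBE_PROTECTED       =  1  /* both attempts refused, as on 2.6.16.7 and later */
};

/*
 * Create a one-page SysV shared memory segment, attach it with SHM_RDONLY,
 * then try the two operations that 2.6.16.6/2.6.16.7 close off.  The errno
 * of each attempt is reported through the (optional) out-parameters so a
 * caller can see why a call was refused; EACCES is the expected answer.
 */
enum probe_result probe_readonly_shm(int *mprotect_err, int *madvise_err)
{
    long page = sysconf(_SC_PAGESIZE);
    enum probe_result result = PROBE_PROTECTED;

    int id = shmget(IPC_PRIVATE, (size_t)page, IPC_CREAT | 0600);
    if (id < 0)
        return PROBE_SHM_UNAVAILABLE;

    void *seg = shmat(id, NULL, SHM_RDONLY);
    /* Mark for removal now: the segment disappears on the final detach. */
    shmctl(id, IPC_RMID, NULL);
    if (seg == (void *)-1)
        return PROBE_SHM_UNAVAILABLE;

    /* 1. The mprotect write-permission problem: a read-only attachment must
     *    not be upgradable to PROT_WRITE. */
    errno = 0;
    if (mprotect(seg, (size_t)page, PROT_READ | PROT_WRITE) == 0)
        result = PROBE_WRITABLE;
    if (mprotect_err)
        *mprotect_err = errno;

    /* 2. The MADV_REMOVE hole: releasing (zeroing) pages of a mapping that
     *    was attached read-only must be refused. */
    errno = 0;
    if (madvise(seg, (size_t)page, MADV_REMOVE) == 0)
        result = PROBE_WRITABLE;
    if (madvise_err)
        *madvise_err = errno;

    shmdt(seg);
    return result;
}

int main(void)
{
    int mp_err = 0, ma_err = 0;
    enum probe_result r = probe_readonly_shm(&mp_err, &ma_err);

    if (r == PROBE_SHM_UNAVAILABLE) {
        puts("SysV shared memory unavailable here; nothing to check");
        return 0;
    }
    printf("mprotect(PROT_WRITE) on read-only shm: %s\n",
           mp_err ? strerror(mp_err) : "SUCCEEDED (vulnerable)");
    printf("madvise(MADV_REMOVE) on read-only shm: %s\n",
           ma_err ? strerror(ma_err) : "SUCCEEDED (vulnerable)");
    return r == PROBE_PROTECTED ? 0 : 1;
}
```

The probe only ever touches a segment it created itself and marked for removal, so even on a vulnerable kernel nothing outside the process is damaged; the segment is simply the smallest thing that goes through the shmat() and tmpfs code paths the two patches changed. Where System V IPC is not available (some containers), the probe reports that rather than guessing.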
Prior to 2.6.16.8, the kernel was vulnerable to users causing a kernel panic
by requesting a route for a multicast IP address
(CVE-2006-1525). Using a simple 'ip' command from the shell would cause a
null pointer dereference in ip_route_input and panic the kernel.
This is another example of a local denial of service vulnerability.
2.6.16.9 patches a problem that affected both the Linux and FreeBSD kernels
running on AMD processors and which would allow a malicious process running
on the same CPU to determine portions of the floating point state of a
target process
(CVE-2006-1056). AMD had some
comments on the bug and
provided some background information on why they chose to implement the
FXRSTOR and FXSAVE instructions differently than they
are implemented in Intel processors. Essentially, unless a floating point
exception is pending, these two instructions do not save and restore the
exception pointer registers (the instruction pointer, data pointer and
opcode of the last floating point instruction) that Intel's do, so those
registers keep whatever the previously running task left in them and the
next task can read them. The patch has the kernel explicitly clear that
state when it saves a task's floating point registers on affected
processors, so nothing survives a context switch.
Last on our tour of kernel security fixes is a patch made in 2.6.16.11
and released on Monday that
disallows backslashes in path components unless POSIX paths have been
negotiated with the server. This change is to the CIFS filesystem code (the
in-kernel client for Windows and Samba file shares). Since the backslash is
the standard Windows path separator, a backslash smuggled into a single
component could be taken by the server as a directory boundary, and one can
only imagine the kinds of havoc that could cause in CIFS paths.
This bug is
CVE-2006-1863,
but the CVE database just shows a placeholder page for that
number at the time of this writing.
Observant readers will have noticed that
we skipped over 2.6.16.10 as it was a release with quite a few patches, none
of which were noted as being security related.
As this laundry list of issues shows, there are a wide variety of places
that kernel bugs can impact security, but the many eyes of kernel developers
seem to be finding and fixing them. This process plays out in the open
and that can give competitors ammunition to claim that Linux is less
secure than certain proprietary systems. Reasonable people
would more likely come to the conclusion that Linux developers are much more
interested in finding these issues and fixing them. The kernel
community has no interest in hiding vulnerabilities or playing games
with security patch descriptions to make the OS look more secure. PR
considerations just do not seem to be on the radar of the technical
contributors and that is just as it should be.
New vulnerabilities
abc2ps: buffer overflows
| Package(s): | abc2ps abcmidi |
| CVE #(s): | CVE-2006-1513, CVE-2006-1514 |
| Created: | April 25, 2006 |
| Updated: | April 26, 2006 |
| Description: | Erik Sjölund discovered that abc2ps, a translator for ABC music description files into PostScript, does not check the boundaries when reading in ABC music files, resulting in buffer overflows. The abcmidi-yaps utility suffers from similar problems. |
beagle: command line injection
| Package(s): | beagle |
| CVE #(s): | |
| Created: | April 21, 2006 |
| Updated: | April 26, 2006 |
| Description: | Chris Evans discovered that, while indexing, Beagle builds certain command lines in an insecure manner. When Beagle executes external helper applications, it is possible to cause Beagle to execute arbitrary commands as the user running it. |
ethereal: multiple vulnerabilities
fbida: insecure temporary file creation
| Package(s): | fbida |
| CVE #(s): | CVE-2006-1695 |
| Created: | April 24, 2006 |
| Updated: | May 22, 2006 |
| Description: | The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID]. |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-1056, CVE-2006-1525, CVE-2006-1524, CVE-2006-0744, CVE-2006-1522, CVE-2006-1055 |
| Created: | April 20, 2006 |
| Updated: | May 4, 2006 |
| Description: | Multiple kernel vulnerabilities have been fixed, including an x87 information leak between processes, an ip_route_input panic, a MADV_REMOVE vulnerability, an mprotect write permission problem, insecure MPBL0010 driver sysfs permissions, an x86_64 force IRET issue, RCU signal handling, a key addition oops, a sysfs write buffer issue and more. |
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-0996, CVE-2006-1494, CVE-2006-1608 |
| Created: | April 25, 2006 |
| Updated: | May 24, 2006 |
| Description: | There are several vulnerabilities in PHP v5.1.2 and earlier: |
- A cross-site scripting (XSS) vulnerability in phpinfo (info.c) allows
remote attackers to inject arbitrary web script or HTML via long array
variables. (CVE-2006-0996)
- A directory traversal vulnerability in file.c allows local users to
bypass open_basedir restrictions and allows remote attackers to create
files in arbitrary directories via the tempnam function. (CVE-2006-1494)
- The copy function in file.c allows local users to bypass safe mode and
read arbitrary files via a source argument containing a compress.zlib://
URI. (CVE-2006-1608)
|
| Alerts: |
|
Comments (none posted)
ruby1.8: denial of service
| Package(s): | ruby1.8 |
| CVE #(s): | CVE-2006-1931 |
| Created: | April 24, 2006 |
| Updated: | May 10, 2006 |
| Description: | The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data. |
| Alerts: | |
Comments (none posted)
xzgv: heap overflow
| Package(s): | xzgv |
| CVE #(s): | CVE-2006-1060 |
| Created: | April 21, 2006 |
| Updated: | June 12, 2006 |
| Description: | Andrea Barisani of Gentoo Linux discovered that xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render the image, data from the image overruns a heap allocated buffer. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
bsdgames: buffer overflow
| Package(s): | bsdgames |
| CVE #(s): | CVE-2006-1744 |
| Created: | April 17, 2006 |
| Updated: | April 19, 2006 |
| Description: | A buffer overflow problem has been discovered in sail, a game contained in the bsdgames package, a collection of classic textual Unix games, which could lead to games group privilege escalation. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1010 |
| Created: | March 14, 2006 |
| Updated: | April 24, 2006 |
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2006-1061 |
| Created: | March 21, 2006 |
| Updated: | June 28, 2006 |
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. |
| Alerts: | |
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
dia: buffer overflows
| Package(s): | dia |
| CVE #(s): | CVE-2006-1550 |
| Created: | April 3, 2006 |
| Updated: | May 3, 2006 |
| Description: | Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
fcheck: insecure temporary file
| Package(s): | fcheck |
| CVE #(s): | CVE-2006-1753 |
| Created: | April 17, 2006 |
| Updated: | April 19, 2006 |
| Description: | Steve Kemp from the Debian Security Audit project discovered that a cronjob contained in fcheck, a file integrity checker, creates a temporary file in an insecure fashion. |
| Alerts: | |
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
| Alerts: | |
Comments (1 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0049 |
| Created: | March 13, 2006 |
| Updated: | May 15, 2006 |
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. on Sparc, it leads to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. |
| Alerts: | |
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-0481 |
| Created: | February 13, 2006 |
| Updated: | December 15, 2008 |
| Description: | A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. |
| Alerts: | |
Comments (1 posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
| CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 |
| Updated: | September 14, 2009 |
| Description: | An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. |
| Alerts: | |
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
| CVE #(s): | CVE-2006-0052 |
| Created: | March 30, 2006 |
| Updated: | June 9, 2006 |
| Description: | Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped. |
| Alerts: | |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CVE-2005-4134, CVE-2006-0292, CVE-2006-0296 |
| Created: | February 2, 2006 |
| Updated: | May 4, 2006 |
| Description: | Mozilla has three new vulnerabilities. The Javascript interpreter has a problem with dereferencing objects: a user can visit a specially crafted web page which can crash the browser or cause it to execute arbitrary code. The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites; RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed. The Mozilla history saving mechanism is vulnerable to a denial of service attack: visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run. |
| Alerts: | |
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
| CVE #(s): | CVE-2006-0884 |
| Created: | March 3, 2006 |
| Updated: | May 4, 2006 |
| Description: | The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier allows user-complicit attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail. |
| Alerts: | |
Comments (1 posted)
mplayer: integer overflows
| Package(s): | mplayer |
| CVE #(s): | CVE-2006-1502 |
| Created: | April 10, 2006 |
| Updated: | May 1, 2006 |
| Description: | MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities. Remote attackers can maliciously craft an ASF file or an AVI file in order to cause a denial of service. |
| Alerts: | |
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: | |
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
| CVE #(s): | CVE-2005-3534 |
| Created: | January 6, 2006 |
| Updated: | March 7, 2011 |
| Description: | Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges. |
| Alerts: | |
Comments (none posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
| CVE #(s): | CAN-2005-0013, CAN-2005-0014 |
| Created: | January 31, 2005 |
| Updated: | May 15, 2006 |
| Description: | Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). |
| Alerts: | |
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
| CVE #(s): | CAN-2005-2496 |
| Created: | August 26, 2005 |
| Updated: | August 11, 2006 |
| Description: | When starting xntpd with the -u option and specifying the group by using a string rather than a numeric gid, the daemon uses the gid of the user, not the group. This problem is now fixed by this update. |
| Alerts: | |
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
| CVE #(s): | CVE-2005-3964 |
| Created: | December 29, 2005 |
| Updated: | July 27, 2006 |
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
| CVE #(s): | CVE-2006-0225 |
| Created: | January 23, 2006 |
| Updated: | July 20, 2006 |
| Description: | OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp. |
| Alerts: | |
Comments (none posted)
openvpn: arbitrary code execution
| Package(s): | openvpn |
| CVE #(s): | CVE-2006-1629 |
| Created: | April 11, 2006 |
| Updated: | April 27, 2006 |
| Description: | OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. |
| Alerts: | |
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
| CVE #(s): | CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537 |
| Created: | December 22, 2005 |
| Updated: | February 11, 2008 |
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2005-4079, CVE-2005-3665 |
| Created: | December 12, 2005 |
| Updated: | November 20, 2006 |
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). |
| Alerts: | |
Comments (none posted)
pound: HTTP Request Smuggling Attack
| Package(s): | pound |
| CVE #(s): | CVE-2005-3751 |
| Created: | January 10, 2006 |
| Updated: | June 8, 2006 |
| Description: | HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to an HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches. |
| Alerts: | |
Comments (none posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
| CVE #(s): | CAN-2005-2875 |
| Created: | September 19, 2005 |
| Updated: | September 6, 2006 |
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. |
| Alerts: | |
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
| CVE #(s): | |
| Created: | November 15, 2005 |
| Updated: | August 11, 2006 |
| Description: | Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user. |
| Alerts: | |
Comments (none posted)
squirrelmail: multiple vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2006-0188, CVE-2006-0195, CVE-2006-0377 |
| Created: | February 28, 2006 |
| Updated: | June 8, 2006 |
| Description: | Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188) Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195) CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377) |
| Alerts: | |
Comments (none posted)
sudo: vulnerability via scripts
| Package(s): | sudo |
| CVE #(s): | CAN-2005-4158, CVE-2006-0151 |
| Created: | December 16, 2005 |
| Updated: | September 1, 2006 |
| Description: | Perl and Python scripts run via Sudo can be subverted. |
| Alerts: | |
Comments (none posted)
tetex: integer overflows
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
| CVE #(s): | CAN-2005-3011 |
| Created: | October 5, 2005 |
| Updated: | November 9, 2006 |
| Description: | Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: | |
Comments (none posted)
tin: buffer overflow
| Package(s): | tin |
| CVE #(s): | CVE-2006-0804 |
| Created: | February 19, 2006 |
| Updated: | November 24, 2006 |
| Description: | An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow. |
| Alerts: | |
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
| CVE #(s): | CVE-2005-4667 |
| Created: | February 6, 2006 |
| Updated: | May 2, 2007 |
| Description: | A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs. |
| Alerts: | |
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
| CVE #(s): | CVE-2005-3183 |
| Created: | October 14, 2005 |
| Updated: | May 2, 2007 |
| Description: | Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c. |
| Alerts: | |
Comments (1 posted)
webcalendar: multiple vulnerabilities
| Package(s): | webcalendar |
| CVE #(s): | CVE-2005-3949, CVE-2005-3961, CVE-2005-3982 |
| Created: | March 15, 2006 |
| Updated: | May 15, 2006 |
| Description: | The PHP-based webcalendar package suffers from three vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input sanitizing failure allowing local files to be overwritten (CVE-2005-3961), and a response splitting vulnerability (CVE-2005-3982). |
| Alerts: | |
Comments (none posted)
xine-ui: insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
| Alerts: | |
Comments (none posted)
xloadimage: buffer overflows
| Package(s): | xloadimage |
| CVE #(s): | CAN-2005-3178 |
| Created: | October 10, 2005 |
| Updated: | May 15, 2006 |
| Description: | Three buffer overflows were discovered in xloadimage when handling the image title name. A malicious user can construct a NIFF file that, when viewed and processed (with either zoom, reduce or rotate) by xloadimage, will cause the program to overwrite the return address and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Comments (1 posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
| CVE #(s): | CAN-2005-2097 |
| Created: | August 9, 2005 |
| Updated: | August 2, 2006 |
| Description: | A flaw was discovered in Xpdf that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. |
| Alerts: | |
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
| CVE #(s): | CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 |
| Created: | January 5, 2006 |
| Updated: | November 30, 2006 |
| Description: | xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: | |
Comments (none posted)
xscreensaver: possible password exposure
| Package(s): | xscreensaver |
| CVE #(s): | CVE-2004-2655 |
| Created: | April 11, 2006 |
| Updated: | May 24, 2006 |
| Description: | In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active. |
| Alerts: | |
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.16.11,
released on April 24. It
is a single-patch release containing a fix for a CIFS filesystem
vulnerability. 2.6.16.10, also released on the 24th, contained a larger
set of important fixes.
The current 2.6 prepatch remains 2.6.17-rc2; there have been no -rc
releases over the last week. Patches are accumulating in the mainline git
repository, however; they are mostly fixes, but there is also trusted
platform module (TPM) 1.2 support, multiple page size support for the
PA-RISC architecture, and the vmsplice() system call (see below).
There have been no -mm tree releases over the last week.
Comments (1 posted)
Kernel development news
Jens Axboe sent around
a note on the status of
splice(). He notes that the
splice() and
tee() interfaces - on both the user and
kernel side - should be stable now, with no further changes anticipated.
The
sendfile() system call has been reworked to use the
splice() machinery, though that process will not be complete until
after the 2.6.18 kernel cycle opens.
While splice() might be stable, things are still happening. In
particular, Jens has added yet
another system call:
long vmsplice(int fd, void *buffer, size_t len, unsigned int flags);
While the regular splice() call will connect a pipe to a file,
this call, instead, is designed to feed user-space memory directly into a
pipe. So the memory range of len bytes starting at
buffer will be pushed into the pipe represented by fd. The
flags argument is not currently used.
Using vmsplice(), an application which generates data in a memory
buffer can send that data on to its eventual destination in a zero-copy
manner. With a suitably-sized buffer, the application can do easy
double-buffering; half of the buffer can be under I/O with
vmsplice() while the other half is being filled. If the buffer is
big enough, the application need only call vmsplice() each time
half of the buffer has been filled, and the rest will simply work with no
need for multiple threads or complicated synchronization mechanisms.
Getting the buffer size right is important, however. If the buffer is at least
twice as large as the maximum number of pages that the kernel will load
into a pipe at any given time, a successful vmsplice() of half of
the buffer can be safely interpreted by the application as meaning that the
other half of the buffer is no longer under I/O. Since half of the
buffer will completely fill the space available within a kernel pipe, that
half can only be inserted when all other data has been consumed out of the
pipe - in simple situations, anyway. So, after vmsplice()
succeeds, the application
can safely refill the second half with new data. If the application gets
confused, however, it could find itself overwriting data which has not yet
been consumed by the kernel.
Jens's patch adds a couple of fcntl() operations intended to help
in this regard. The F_GETPSZ operation will return the maximum
number of pages which can be inserted into a pipe buffer, which is also the
maximum number of pages which can be under I/O from a vmsplice()
operation. There is also F_SETPSZ for changing the maximum size,
though that operation just returns EINVAL for now. Linus,
however, worries that this information is
not enough to know that a given page is no longer under I/O. In situations
where there are other buffers in the kernel - perhaps just another pipe in
series -
the kernel could still have references to a page even after that page has
been consumed out of the original pipe. Networking adds some challenges of
its own: if a page has been vmsplice()ed to a TCP socket, it will
not be reusable until the remote host has acknowledged the receipt of the
data contained within that page. That acknowledgment will arrive long
after the page has been consumed out of the pipe buffer.
What this all means is that the vmsplice() interface probably
needs a bit more work. In particular, there may need to be yet another
system call which will allow an application to know that the kernel is done
with a specific page. The current vmsplice() implementation is
also unable to connect an incoming pipe to user-space memory. Making the
read side work is a rather more complicated affair, and may not happen
anytime in the near future.
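To make the buffer-reuse hazard concrete, here is an added example (not from the article or from Jens's patch) that pushes one page of user memory into a pipe with vmsplice() and reads it back from the other end, once leaving the buffer alone and once overwriting it before the reader has consumed it. Two details differ from the prototype quoted above: the call as it was merged takes an iovec array, vmsplice(int fd, const struct iovec *iov, unsigned long nr_segs, unsigned int flags), and F_GETPSZ never went into the mainline; the pipe capacity has instead been readable with F_GETPIPE_SZ since 2.6.35. Because the pipe references the application's page rather than copying it, a native Linux kernel delivers the overwritten bytes to the reader in the second run. The buffer contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/uio.h>

/* Pipe capacity in bytes as the kernel reports it (F_GETPIPE_SZ, Linux
 * 2.6.35 and later; the F_GETPSZ operation from the patch discussed above
 * never merged).  Returns -1 on error. */
long pipe_capacity(int pipefd)
{
    return fcntl(pipefd, F_GETPIPE_SZ);
}

/* Push one page of user memory into a pipe with vmsplice(), drain the pipe
 * from the other end and return the first byte the reader saw (-1 on
 * error).  With reuse_too_early set, the page is overwritten after
 * vmsplice() returns but before the reader has consumed it, which is the
 * mistake the article warns about: the pipe holds a reference to the
 * application's page, not a copy. */
int vmsplice_roundtrip(int reuse_too_early)
{
    int fds[2];
    long page = sysconf(_SC_PAGESIZE);
    char *buf = NULL, *out = NULL;
    struct iovec iov;
    int result = -1;

    if (pipe(fds) < 0)
        return -1;
    if (posix_memalign((void **)&buf, page, page) != 0 || !(out = malloc(page)))
        goto done;

    memset(buf, 'A', page);                  /* data produced by the application */
    iov.iov_base = buf;
    iov.iov_len = (size_t)page;
    if (vmsplice(fds[1], &iov, 1, 0) != page) /* one page fits in a default pipe */
        goto done;

    if (reuse_too_early)
        memset(buf, 'B', page);              /* buffer refilled before consumption */

    for (long got = 0; got < page; ) {       /* consumer side: drain the pipe */
        ssize_t r = read(fds[0], out + got, (size_t)(page - got));
        if (r <= 0)
            goto done;
        got += r;
    }
    result = (unsigned char)out[0];
done:
    free(out);
    free(buf);
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    int fds[2];
    if (pipe(fds) == 0) {
        printf("pipe capacity: %ld bytes\n", pipe_capacity(fds[0]));
        close(fds[0]);
        close(fds[1]);
    }
    printf("reader saw '%c' when the buffer was left alone\n", vmsplice_roundtrip(0));
    printf("reader saw '%c' when the buffer was reused too early\n", vmsplice_roundtrip(1));
    return 0;
}
```

The first run returns 'A'. The second returns 'B' on a native kernel, which is the whole point: nothing in the vmsplice() return value told the application that the page was still in use, and the consumer received data the producer never meant to send. With a socket on the far end of a splice() chain the window is even longer, as the article notes, since the page stays referenced until the peer acknowledges it.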
Comments (9 posted)
The
OpenVZ project is a GPL-licensed
subset of SWSoft's proprietary Virtuozzo offering. With OpenVZ, a Linux
system can implement multiple "virtual environments", each of which
appears, to the processes running within it, to be a separate, standalone
system. Virtual environments can have their own IP addresses and be
subjected to specific resource limits. They are, in other words, an
implementation of the container concept, one of several for Linux. In
recent times the various virtualization and container projects have shown a
higher level of interest in getting at least some of their code merged into
the mainline kernel, and OpenVZ is no exception. So the OpenVZ developers
have been maintaining a higher profile on the kernel mailing lists.
The latest news from OpenVZ is this announcement of a new
release with a major feature addition: live checkpointing and migration of
virtual environments. An environment (being a container full of Linux
processes) can be checkpointed to a file,
allowing it to be restarted at some later time. But it is also possible to
checkpoint a running virtual environment and move it to another system,
with no interruption in service. This feature, clearly meant to be
competitive with Xen's live migration capabilities, enables run-time load
balancing across systems.
The OpenVZ patch, weighing in at 2.2MB, is not for the faint of heart; it
makes the price to be paid for these features quite clear. Much of what is
contained within the patch has been discussed here before; for example, it
contains the PID virtualization
patches, and every bit of code within the kernel must be aware of
whether it is working with "real" or "virtual" process IDs. A number of
other kernel interfaces must be changed to support OpenVZ's virtualization
features; among other things, many device drivers and filesystems require
tweaks.
As might be expected, the checkpointing code is on the long and complicated
side. The checkpoint process starts by putting the target process(es) on
hold, in a manner similar to what the software suspend code does. Then it
comes down to a long series of routines which serialize and write out
every data structure and bit of memory associated with a virtual
environment. The obvious things are saved: process memory, open files,
etc. But the code must also save the full state of each TCP socket
(including the backlog of sk_buff structures waiting to be
processed), connection tracking information, signal handling status, SYSV
IPC information, file descriptors obtained via Unix-domain sockets,
asynchronous I/O operations, memory mappings, filesystem namespaces, data
in tmpfs files, tty settings, file locks, epoll() file
descriptors, accounting information, and more.
For each of the objects to be saved, an in-file version of the kernel data
structure must be created. Each dump routine then serializes one or more
data structures into the proper format for writing to the checkpoint file.
It all apparently works, but it has the look of a highly brittle system -
almost any change to the kernel's data structures seems guaranteed to break
the checkpoint and restore code. Even if the checkpoint and restore code
were merged into the mainline, getting kernel developers to understand (and
care about) that code would be a challenge. Keeping it working must be an
ongoing hassle, whether or not the code is in the mainline tree.
None of the above should be interpreted to say that OpenVZ's features are
not worth the cost. Virtual environments, checkpointing, and live
migration are powerful and useful features. But the virtualization of
everything within the kernel will lead to a higher level of internal
complexity and higher maintenance costs. The decision process which draws
the line determining which features are merged and which are not will be
interesting to watch.
Comments (3 posted)
Novell
announced the release
of the AppArmor security module last January. Then everything went quiet;
in particular, no attempt was made to get the AppArmor code merged into the
mainline kernel. The silence was broken last week, however, as a result of
the discussion on the possible
removal of the Linux security module (LSM) API. The submission of the
AppArmor code has had the desired short-term effect: the discussion has
moved away from removal of the LSM interface and toward the merits of
AppArmor. The AppArmor developers may not see that shift as a blessing at
the moment, however.
As expected, AppArmor has taken a fair amount of criticism. The largest
complaint is the fact that AppArmor uses pathnames for its security
policies. Using AppArmor, a system administrator can provide a list of
files accessible by a given application; anything not on the list becomes
inaccessible. Other things - such as capabilities - are also configurable,
but there is no controversy over that aspect of the system. It is the use
of path names which raises the red flags.
The sticking point is that a given file name is not the file itself. So,
while /etc/shadow might identify the shadow password file, that
name is not the shadow password file. If an attacker is able to
create another name for that file (through the use of links or namespaces,
perhaps), that other name could become a way for the attacker to access the
shadow password file. So, even if AppArmor forbids access to
/etc/shadow for a given application, that application might still
have access to other pathnames which could be made to refer to the same
file.
AppArmor thus differs from the SELinux approach, which attaches labels to
objects and enforces access control rules based on the labels. With
SELinux, the shadow password file has the same label (and, thus, the same
access rules) regardless of the name by which it is accessed. So SELinux
lacks a possible failure mode (rule bypass through different file names)
that exists in AppArmor. Of course, as any
SELinux administrator knows, maintaining file labels in a consistent and
correct state poses challenges of its own.
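To make the failure mode concrete, here is an added example (not AppArmor or SELinux code) that compares a deny rule keyed on a pathname with one keyed on the object itself, using the device and inode numbers as a stand-in for a label. It creates a scratch "shadow" file under /tmp, gives it a second name with a hard link, and evaluates both rules against the alias; the directory name, rule functions and file contents are all constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A rule keyed on a pathname: denies only when the requested name matches
 * the name in the policy. */
int name_rule_denies(const char *denied_path, const char *requested)
{
    return strcmp(denied_path, requested) == 0;
}

/* A rule keyed on the object (device + inode), the analogue of a label
 * attached to the file: denies whatever name leads to that object.
 * Returns -1 if the requested name cannot be resolved. */
int object_rule_denies(const struct stat *denied_obj, const char *requested)
{
    struct stat st;
    if (stat(requested, &st) != 0)
        return -1;
    return st.st_dev == denied_obj->st_dev && st.st_ino == denied_obj->st_ino;
}

/* Creates a scratch "shadow" file, adds a hard link under a second name and
 * checks both rules against the alias.  Returns 1 when the pathname rule
 * lets the alias through (and its contents can be read) while the object
 * rule still denies it, 0 otherwise, -1 on error. */
int hardlink_bypass_demo(void)
{
    char dir[] = "/tmp/pathrule-XXXXXX";          /* scratch directory, constructed */
    const char line[] = "root:$6$constructed-hash:0:0:99999:7:::\n";
    char secret[256], alias[256], firstline[64] = {0};
    struct stat obj;
    int fd, rc = -1, name_deny, obj_deny;

    if (!mkdtemp(dir))
        return -1;
    snprintf(secret, sizeof secret, "%s/shadow", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    fd = open(secret, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1)) {
        close(fd);
        goto cleanup;
    }
    close(fd);
    if (link(secret, alias) != 0 || stat(secret, &obj) != 0)
        goto cleanup;

    name_deny = name_rule_denies(secret, alias);  /* 0: the rule never sees "shadow" */
    obj_deny = object_rule_denies(&obj, alias);   /* 1: same inode, still denied */

    /* With only the pathname rule enforced, the alias is readable. */
    if (!name_deny) {
        fd = open(alias, O_RDONLY);
        if (fd >= 0) {
            ssize_t n = read(fd, firstline, sizeof firstline - 1);
            if (n < 0)
                n = 0;
            firstline[n] = '\0';
            close(fd);
        }
    }
    rc = (name_deny == 0 && obj_deny == 1 && strncmp(firstline, "root:", 5) == 0);
cleanup:
    unlink(alias);
    unlink(secret);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("pathname rule bypassed via hard link: %d\n", hardlink_bypass_demo());
    return 0;
}
```

The pathname rule is not wrong about the name it was given; it simply never sees the second name, and nothing in the name tells it that the alias is the same object. The object-keyed rule denies the alias because the decision is made on what the name resolves to. A real implementation has to get the label onto the object in the first place, which is the labelling burden the paragraph above refers to.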
The other problem with the AppArmor approach is that the LSM API is not
well suited to pathname-based security policies. As a result, AppArmor
must often go through a fair amount of (potentially expensive) pain to
obtain the names corresponding to files. The impedance mismatch between
AppArmor and LSM is not generally seen as a reason to keep AppArmor out of
the kernel, but it has led to suggestions that the AppArmor developers
should either extend LSM for pathname-based policies or just add their own
patches and drop LSM altogether. If AppArmor gets past the other
objections, some work will almost certainly have to be done in this area.
At this point, how any decision will be made on merging AppArmor is far
from clear. It has not escaped notice that some of the strongest criticism
of AppArmor is coming from the SELinux camp; SELinux developer Stephen
Smalley has defended that criticism this
way:
We're not threatened by alternatives. We're concerned about a
technically unsound approach. The arguments being raised against
pathname-based access control are about the soundness of that
technical approach, not whether there should be any alternatives to
SELinux.
The proponents of AppArmor claim that the approach is sound. Unlike
SELinux, AppArmor does not attempt to be the ultimate security solution for
all situations. Instead, it simply puts a lid on applications which might
be compromised by an attacker. AppArmor raises the bar by limiting what a
broken application might do; it does not attempt to regulate the
interactions between every application and every object in the system.
This approach is, it is claimed, enough to significantly raise the security
of a system while maintaining an administrative interface which is
accessible to mere mortals. And, for AppArmor's goals, a pathname-based
access control mechanism is said to be good enough. It will probably be
some time before we will see whether the kernel development community
agrees with that claim.
(See also: this
detailed criticism of pathname-based access control by Joshua Brindle).
Comments (29 posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
Mark Shuttleworth has issued an
invitation
for the
Kubuntu and
KDE community to meet at
LinuxTag in Wiesbaden, Germany on
May 6, 2006.
The LinuxTag event is a perfect opportunity for us to engage directly
with the KDE user and developer communities. Germany is in many ways the
heart of the KDE community, so we have been looking for a way to pull
together a summit of leaders, users, developers and translators from that
country and this event is hopefully going to be just that.
During its relatively short existence Kubuntu has been perceived as a
second class citizen, never getting quite as much attention or polish as
its GNOME counterpart. This meeting will, hopefully, be the beginning of a
real change in that status.
There are some lofty goals for this meeting: developing a partnership with
the KDE project, nominating a Kubuntu leadership team, and forming
additional teams to work on artwork, documentation, quality assurance,
translation, marketing and distribution.
Eventually, if Kubuntu seems sufficiently popular, we may have Kubuntu
releases timed with KDE releases, just as Ubuntu releases are currently
timed with GNOME releases.
Mark doesn't say so, but it sounds like there could be Canonical employment
for a KDE hacker, or two.
Comments (2 posted)
New Releases
The beta release of the distribution now known as "Ubuntu 6.06 LTS" is
available. "LTS" stands for "long-term support," and, presumably, sounds
more professional than "Dapper Drake." Among other things, this release
includes a "desktop CD" which can be used in both live and install modes.
Update: The 6.06 LTS beta is available for Kubuntu and Edubuntu, with additional 6.06 beta versions
for Xubuntu and as ports for UltraSparc, IA64 and HPPA (1.1 and later)
CPUs.
Full Story (comments: 1)
SUSE Linux 10.1 RC2 has been released (click below for the announcement).
According to this
schedule update RC3
should be out soon.
Full Story (comments: none)
Openwall GNU/Linux (Owl) has
made several announcements. First, Owl has been ported to the
x86-64 architecture (also known as AMD64 and Intel EM64T). The Owl
2.0-stable branch is now available under /pub/Owl/2.0-stable on the FTP
mirrors. John the Ripper 1.7.0.2 has been released. Click below for
details on these and other announcements.
Full Story (comments: none)
Eagle Linux is
an educational distribution, delivered as a how-to manual that walks the
user through the steps necessary to create a customized live CD
distribution. It is also available as an ISO image. Click below for the
2.3 release announcement.
Full Story (comments: none)
Debian From
Scratch (DFS) is a single, full rescue CD capable of working with all
major filesystems, LVM and software RAID. It also supports compiling a new
kernel. The DFS ISO images contain a small Debian mirror subset that lets
you use cdebootstrap, along with the other utilities on the CD, to perform
a manual, "Gentoo-like" installation. Click below for the 0.99.0 release
announcement.
Full Story (comments: none)
KDE.News
takes a quick look at
some recent releases from KDE-centric distributions. "Tomahawk
Desktop is an advanced multimedia centric KDE desktop. *** QiLinux 2.0rc1
free edition was released with KDE 3.5.2, "QiLinux is a KDE-centric
distribution for desktop and server made completely from scratch". ***
Arabian Linux has released version 0.6, "It's the first Arabic live
distribution using KDE as the default GUI and the first to have the Arabic
language enabled in consoles". *** Finally Kubuntu 6.06 LTS Beta was
announced with the promise of Long Term Support."
Comments (none posted)
Distribution News
Newly elected Debian Project Leader Anthony Towns has sent out his first
"bits from the DPL" posting. Among other things, he is creating a
"second-in-charge" position to which some of the project leader's
responsibilities will be delegated.
Full Story (comments: none)
A summary of the recent Fedora board meeting has been posted. You can find
general information about the board here. Meeting schedules and summaries
can be found here.
Full Story (comments: none)
Mark Loeser has made a proposal for a Gentoo quality assurance team, now in
the third version. This team would be responsible for the overall quality of
the distribution which could include removing unmaintained and broken
packages, fixing typos, keeping documentation up-to-date and maintaining a
list of current "QA Standards". Click below for a text version of the
proposal, which has now been converted to GLEP (Gentoo Linux Enhancement
Proposal) format
here.
Full Story (comments: none)
Linspire, Inc. has
announced
plans for a no-cost version of their operating system called Freespire.
"
Freespire is venturing into new territory by offering a free
community Linux operating system that includes the option for legally
licensed proprietary software pieces in the core distribution. The
Freespire community project and Web site are now live at
http://www.freespire.org, with the first beta release of the operating
system to be made available for download in August."
Comments (49 posted)
Ubuntu is once again participating in the Google Summer of Code, and plans
to make as many projects as possible available for students to work on.
"
It is a great opportunity to expose new students to the wonderful
world of Ubuntu, get some exciting projects off the ground and get good
exposure for the projects, students and organisations alike."
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for April 25, 2006 looks at the Debian Live
Initiative, a how-to on using Alioth for packaging, Google Summer of Code
2006, an upgrade conflict, proper closing of old, resolved bug reports,
removing Mozilla, and several other topics.
Full Story (comments: none)
The
Fedora
Weekly News for April 24, 2006 covers Red Hat Magazine | April 2006,
Fedora Project Board meeting summary, Fedora Sponsored Media Program,
Fedora Core 5 CD/DVD Art, FISL: See you next year!, and more.
Comments (none posted)
The
Gentoo
Weekly Newsletter for the week of April 24, 2006 covers OpenLDAP 2.3 on
its way into Portage, call for comments on new subforums and several other
topics.
Comments (none posted)
Here's the latest Mandriva Community Newsletter. Topics include Mandriva
Kiosk Lite in beta testing for Club members, Linux training through
Mandriva Club, Mandriva to take part in major European IT management
project, and more.
Full Story (comments: none)
The
DistroWatch
Weekly for April 24, 2006 is out. "
A flurry of distribution
releases and related announcements were the highlights of the past
week. The Ubuntu project has released the complete set of betas of all
their derivatives, including the newly added Xubuntu, and also made an
initial announcement concerning the development of Edgy Eft, the code name
of its next release. Similarly, the Fedora project has announced an
estimated release schedule for the development of Fedora Core 6. Also in
this issue: updates on the status of Mandriva's Cooker repository, new
minor release by Linspire, a comparison of journalled files system on
Debian, and an interesting interview with the lead developer of Elive. In
the First Look series we share our first impressions of CCux Linux
0.9.8. Finally, a little statistical titbit: with the recent addition of
Xubuntu, the DistroWatch database now contains exactly 500
distributions."
Comments (none posted)
Package updates
Updates for
Fedora Core 5:
gnome-pilot (bug fix),
tzdata (upstream 2006d),
procps (bug fixes),
procinfo (bug fix),
gnome-user-share (patched),
cscope (inverted overflow fix),
foomatic (preparing for CUPS 1.2),
gimp (bug fixes),
gimp-help (update to version 2-0.10),
autofs (bug fixes),
anthy (new upstream release),
setools (bump for FC5),
rhythmbox (update to 0.9.4),
gnome-menus (update to 2.14.0),
file-roller (update to 2.14.2),
gnome-utils (bug fixes),
selinux-policy (bump for FC5),
nut (update to 2.0.3).
Updates for Fedora Core 4:
gnome-pilot (bug fix),
qt (bug fix),
tzdata (upstream 2006d),
jwhois (update to 3.2.3),
gimp (bug fixes),
system-config-date (use pam system-auth),
gimp-help (update to version 2-0.10),
autofs (bug fixes),
nut (bug fixes).
Comments (none posted)
Slackware changes for this week include upgrades to slocate, udev, mysql,
guile (which may be removed soon), several alsa packages, ImageMagick,
mozilla (which probably won't be included in the next release) and more.
Plus linux-2.6.16.9 kernel packages in testing and some hotplug patching.
Click below for details.
Full Story (comments: none)
Trustix has issued a bug fix advisory covering various bug fixes in jwhois,
mrtg, perl-dbd-mysql and perl-dbd-pg for TSL 2.2 & 3.0.
Full Story (comments: none)
Distribution reviews
Steven J. Vaughan-Nichols
looks at SUSE
10.1 RC1. "
This is one really, really cool and solid
distribution. OK, before I go any further I should point out that SUSE 10.1
(code name: Agama Lizard) isn't actually released yet. I've been kicking
the tires of the first SUSE 10.1 "Release Candidate.""
Comments (none posted)
NewsForge
looks
at OpenBSD on the desktop. "
Over the years, OpenBSD has built a
reputation for integrated security and reliability, but most people think
of it as an operating system suitable only for firewalls and servers. The
truth is that OpenBSD also works well as a desktop system; in fact, I use
it on an IBM ThinkPad R50e notebook as my main system."
Comments (none posted)
NewsForge
looks
at FreeBSD on the desktop. "
I recently installed FreeBSD 6 on a
new notebook computer. The installation went quickly; I got a terminal
screen in less than 40 minutes. The only packages I wanted from the
installation disk were Lynx, a Web browser, and cvsup-without-gui, a tool
with which you can upgrade your sources from a FreeBSD mirror. With only
the base system at its disposal, FreeBSD can give you a hands-on experience
from hour zero: it has a compiler (gcc), a download utility (fetch), an
editor (vi), and a bunch of other tools (OpenSSH, SendMail, Revision
Control System) that can help or entertain you during the rest of the
installation."
Comments (none posted)
Page editor: Rebecca Sobol
Development
April 26, 2006
This article was contributed by Hendrik Weimer
Vox Libertas
Voice over IP (VoIP) telephony has seen an enormous boom recently.
Saving costs by routing calls via the Internet or by using
software-based solutions instead of expensive hardware has been the
driving factor for the adoption of VoIP.
Ekiga,
the application formerly known as GnomeMeeting, is the free
software community's answer to these needs.
In contrast to GnomeMeeting, Ekiga supports the
Session Initiation Protocol (SIP) as well as
H.323.
Ekiga can also handle multiple H.323 and SIP accounts at the same time.
There are several different protocols in the VoIP arena.
The oldest is H.323, which was developed
by the International Telecommunication Union (ITU).
The protocol isn't especially firewall-friendly due to the use of
multiple dynamically-chosen port numbers.
SIP is slightly better in this respect and it is
used in many hardware VoIP phones. Another interesting protocol is
IAX2,
developed by the Asterisk project, since it communicates only over a
single UDP port. However, very few clients support it.
Also worth mentioning is the proprietary Skype protocol, which has some
serious security implications, according to what researchers
presented (PDF) at the Black Hat Europe 2006 conference.
Skype clients can be abused for the purpose of port scanning,
distributed denial of service (DDoS) attacks and other unpleasant things.
To get around the problems posed by Network Address Translation (NAT), a
Simple Traversal of UDP through NATs (STUN) server can be used. STUN only
helps with address translation, however; it is of no use where a firewall
blocks the UDP traffic outright. In that case, you usually end up running
a separate H.323 or SIP proxy.
Since the first release of Ekiga came out only a few weeks ago,
very few GNU/Linux distributions include binary packages.
However, the project itself offers
packages
for every major Linux distribution.
If you decide to use one of them, make sure that you have installed
the latest libraries needed by Ekiga, or you will run into trouble.
When Ekiga is launched for the first time, it asks the user a few
questions and then shows the main window.
From there, you can make outgoing calls or specify how to react to
incoming calls. Ekiga supports the transferring of calls
immediately, or after a certain delay.
The default behavior is to
display a pop-up window when an incoming call is received.
Unfortunately, the window is active immediately, meaning you
can erroneously accept or reject a call depending on what you are
typing or where you are clicking when the call comes in.
Clearly, this is an area of the code that needs some attention.
Ekiga supports both audio and video
communication. Setting up video
devices is trivially easy if the device is
supported by the Video4Linux drivers.
Participation in conferences is possible, but requires an additional
Multipoint Control Unit (MCU).
MCUs are available as hardware or software; the
OpenH323 project
offers a free implementation called OpenMCU.
Even though extensions to H.323 and SIP allow encryption of calls,
Ekiga currently does not support that feature. Ekiga does include a
text chat function.
In contrast to many other VoIP suites, Ekiga can register with several
different SIP registrars and H.323 gatekeepers at the same time.
These services provide a mapping from SIP and H.323 URLs
(the equivalent of a phone number) to the IP address of a
particular user.
To find out someone's SIP or H.323 URL, Ekiga can ask
LDAP and
ILS
servers.
In summary, Ekiga should serve all your VoIP needs. And with the
widespread adoption of VoIP, you can expect it to become even better
over time.
Comments (5 posted)
System Applications
Clusters and Grids
Release 2.0.5 of Linux-HA, a cluster management application, is out
with a long list of enhancements.
"
2.0.5 has significant bug fixes and enhancements making it a worthwhile
upgrade for anyone running R2 CRM-style configurations, or who want to.
I just tried the 2.0.5 GUI, and it's really cool. You can definitely
put it through its paces with the GUI."
Full Story (comments: none)
Database Software
Version 5.0.20a of the MySQL database is out.
"
This is a bugfix release for the current production release family.
It replaces 5.0.20, published last week.
For the benefit of all those who did not download and install, I repeat
the 5.0.20 news in this announcement, while mentioning the differences
between 5.0.20 and 5.0.20a in a separate paragraph."
Full Story (comments: none)
The April 24, 2006 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL database articles and resources.
Full Story (comments: none)
Kunal Jaggi
discusses Database Connection Pooling with Tomcat on O'Reilly.
"
You know how to open and use database connections for each user, but what
about optimizing for many concurrent users? Rather than creating and
destroying connections over and over again, established practice calls for
use of a pool of connections that can be reused. Kunal Jaggi shows how to
implement this strategy in Tomcat."
Comments (none posted)
Interoperability
Version 3.0.23pre1 of Samba has been announced.
"
This is a preview release of the Samba 3.0.23 code base and
is provided for testing only. This release is *not* intended
for production servers. There has been a substantial amount
of development since the 3.0.21 series of stable releases.
We would like to ask the Samba community for help in testing
these changes as we work towards the next significant production
upgrade Samba 3.0 release.
There has been a substantial amount of cleanup work done
during this development cycle. Two weeks of development time
was dedicated to fixing bugs reported by the Coverity source
code scans."
Full Story (comments: none)
Networking Tools
Version 3.0 of PowerDNS Recursor, an internet name server,
has been announced.
"
We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon.
As mentioned previously, the new recursor is at least 64000 times harder to spoof than previous releases."
Comments (none posted)
Printing
Version 1.2 rc 3 of the CUPS printing system
has been announced; it includes many bug fixes and more.
"
The third release candidate of CUPS 1.2 is now available for download from the CUPS web site. We are also providing binary packages for Red Hat Enterprise Linux 4 (32-bit + 64-bit Intel), Fedora Core 4 (32-bit Intel), and MacOS X 10.4 (32-bit PowerPC + Intel) for your convenience."
Comments (none posted)
ESP Ghostscript version 8.15.2
has been announced.
"
ESP Ghostscript 8.15.2 is the second stable release based on GPL Ghostscript 8.15 which adds enhanced CUPS raster support for CUPS 1.2, improves the Open Printing Vector API driver, updates the CID font support files, and fixes several bugs that were reported against 8.15.1."
Comments (none posted)
Security
Version 0.19 of Sussen, a vulnerability checker, is out.
"
This release is mostly bugfixes to the OVAL interpreter."
Full Story (comments: none)
Web Site Development
Version 1.7.5 of the Midgard content management framework is available.
"
Midgard's 1.7 branch is a major overhaul of the whole Content
Management System. Besides the stable and mature Content Management
features of first generation Midgard, it also ships a preview version
of second generation Midgard capabilities, allowing developers to
have a glimpse at the new day of Midgard2.
1.7.5 is a maintenance and bugfix release."
Full Story (comments: none)
Dan Kubb
introduces RESTful Rails in an O'Reilly article.
"
This article introduces a very simple application that uses the RESTful Rails plugin. It will provide an introduction to dispatching to different handlers based on the HTTP method used in a request. If you plan on following along you should already have the latest version of Rails installed (1.1.1 at the time of writing), along with a database of your choice."
Comments (none posted)
Desktop Applications
Audio Applications
New releases of the Fluendo mp3 decoder and mpeg demuxer
have been announced.
"
We have released version 0.10.2 of the Fluendo mp3 sourcecode and
version 0.10.4 of the Fluendo mpegdemuxer sourcecode.
Both releases are minor bugfix releases with various small fixes, check
the ChangeLog for details."
Full Story (comments: none)
Version 0.4.1 of jackEQ is out with a djEQ plugin bug fix.
"
jackEQ is a tool for routing and manipulating audio from/to multiple
input/output sources. It runs in the JACK Audio Connection Kit, and uses
LADSPA for its backend DSP work, specifically the DJ EQ swh plugin
created by Steve Harris, one of jackEQ's main authors.
jackEQ is intended to provide an accessible method for tweaking the
treble, mid and bass of any JACK aware applications output."
Full Story (comments: none)
Version 1.0 beta 2 of soniK, an audio editor for the KDE environment,
is out with a number of bug fixes. Testers are needed.
Full Story (comments: none)
Data Visualization
Version 0.6 of
PyScript,
a Python module that generates PostScript graphics, is out.
According to the
change log:
"
The major change in this release has been the complete rewrite of the Talk and Poster classes inside the presentation library. Associated with this are the usual bug fixes, documentation additions and minor other changes."
Comments (none posted)
Desktop Environments
Dropline GNOME version 2.14.1
has been announced.
"
After many hours of work getting the bugs out, 2.14.1 is finally available for download. We've really outdone ourselves this time, with a lot of new art from Silvestre Herrera (aka ertz) including the awesome new Yasis icon theme, along with the latest versions of all of the included applications, and a few our users suggested be included in this release."
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
GnomeDesktop.org
has announced a new edition of the
GNOME Journal.
"It features insights into the Portland
Project which were gained from a conversation with one of its lead
architects, Waldo Bastian, an introduction to GNOME's new deskbar, an
interview with Elijah Newren, GNOME's release manager, and three simple tips
for designing application interfaces you should know. Writers in this edition
are Sri Ramakrishna, Davyd Madeley, Lucas Rocha, and Claus Schwarm,
respectively."
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
KDE.News is running
part two
in a series on KDE 3.5.
"Two weeks ago, you read about several apps which keep KDE 3.5 alive. Today's issue of the mini-series provides even more reasons to love KDE. Covered applications include Krita, the image and painting application, Guidance, a configuration tool, frontends to Beagle and finally Scribus, the Qt-based DTP application."
Comments (1 posted)
KDE.News
has announced
a new version of the
KDE Commit-Digest.
"In this week's KDE Commit-Digest: KDE 4 porting continues at great pace, with more applications able to be compiled with CMake daily. Portability fixes for non-X11 platforms. KDiskManager, a KDE 4 application for disk management -- based on Solid -- is imported into KDE SVN."
Comments (none posted)
Electronics
Version 2006-04-24 of
Kicad,
an electronic schematic/printed circuit board CAD system, is out
with bug fixes, the ability to select a PDF browser, and more.
Comments (none posted)
Snapshot 20060422 of PCB, a printed circuit CAD application,
has been announced.
"I've made a new snapshot of pcb. I made this one so quickly after the previous partly because of the continued outage of the anonymous CVS server which has prevented interested users from tracking CVS sources. Also this snapshot fixes a couple of big bugs (load layout menu didn't do anything)."
Comments (none posted)
Games
Version 0.6.0 of Atlas-C++
has been announced;
it features RPM spec file improvements and other minor changes.
"Atlas-C++ is the standard implementation of the WorldForge Atlas protocol. This release is functionally identical to the second release candidate for 0.6.0 and is the first release in the new 0.6 series. This release is primarily aimed at developers and users who want to build the WorldForge system for themselves."
Comments (none posted)
Mail Clients
MozillaZine
reports
that Thunderbird 1.5.0.2 and Thunderbird 1.0.8 have been released. These
updates contain several security and stability fixes.
Comments (none posted)
Medical Applications
LinuxMedNews
reports
that
MirrorMed, an open-source
Electronic Health Record and practice management system written in PHP,
is being managed with subversion.
"MirrorMed development can be now tracked via subversion at the MirrorMed subversion repository at sourceforge. Further, MirrorMed is now the first project that has a published guide to becoming a MirrorMed Developer. Watch the forums for discussion about how best to use subversion."
Comments (none posted)
RSS Software
The first Linux release of
Democracy Player
is available.
"Democracy Player is a cross-platform video rss downloader and viewer. It is
free, open-source software developed by the Participatory Culture
Foundation, a 501c3 non-profit organization."
Full Story (comments: none)
Web Browsers
MozillaZine
reports on
the
SeaMonkey
1.0.1 release, which fixes multiple security issues and several
critical bugs. See the
release
notes for more information.
Comments (none posted)
Miscellaneous
Paul N. has announced the initial release of HyperMammut.
"I released today an experimental software that allows you to process
sound/images as a single FFT (and other) transform.
Also, the program can transform sound to images and vice-versa. Because of
this, you can apply a blurring or swirling effect to sound, or a
reverberation/flange effect to images ;-)
Many effects sound/look very strange (in my opinion these are the strangest
sounds I ever heard - hard to describe in words - better listen to them)."
Full Story (comments: none)
Languages and Tools
Caml
The April 18-25, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Python
The April 24, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The April 24, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Cross Compilers
The
SDCC
cross compiler has been migrated to the Subversion version control system.
"SDCC is a Freeware, retargetable, optimizing ANSI-C compiler that targets the Intel 8051, Maxim 80DS390 and the Zilog Z80 based MCUs. Work is in progress on supporting the Motorola 68HC08 as well as Microchip PIC16 and PIC18 series. The entire source code for the compiler is distributed under GPL."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Here's
an
article in The Register about the process of getting virtualization
technology into the Linux kernel. "
Xen, by contrast, wants to make
the most of its open source ties and create the tightest possible bonds
with Linux. Behind closed doors, some Xen backers say that Sun, Microsoft
and Novell will refuse to support VMI. Such political manoeuvring shows
how seriously Xen backers take this debate."
Comments (7 posted)
Here's
a
News.com report on the latest attempt to expand copyright law in the
U.S. "
Jessica Litman, who teaches copyright law at Wayne State
University, views the DMCA expansion as more than just a minor change. 'If
Sony had decided to stand on its rights and either McAfee or Norton
Antivirus had tried to remove the rootkit from my hard drive, we'd all be
violating this expanded definition,' Litman said." The law would
also bring civil forfeiture to copyright enforcement.
Comments (7 posted)
Trade Shows and Conferences
Joe Barr
reports
on the Desktop Linux Summit. "
The Desktop Linux Summit (DLS) 2006
kicked off yesterday in the Manchester Grand Hyatt in downtown San
Diego. The summit, now in its fourth year, was created by Linspire, but it
has outgrown its uni-distro roots, with sponsors and speakers coming from
competing Linux vendors such as Mandriva, Novell, Red Hat, and Ubuntu. An
opening day crowd of more than 600 attendees heard a range of speakers
reflecting that diversity."
Comments (none posted)
Doc Searls
writes
about his talk at the Desktop Linux Summit. "
When I gave the
organizers that title [Plug & Pray], I was still laboring under the
assumption that Linux was still a little bit behind in the desktop
area. Since then I have been assured by Kernel Hackers of the First Water
that this is not so -- that in fact this assumption belongs among the
collection of myths and lies about Linux (which Greg Kroah-Hartman will
detail at the July 2006 Linux Symposium in Ottawa)."
Comments (none posted)
ZDNet
covers a talk by Mårten Mickos at the MySQL Users Conference, with an emphasis on his comments about Oracle. "
The InnoDB 'storage engine,' which remains open-source software, is firmly in Mickos' plus column. 'We renewed our contract with Oracle for several years,' he said.
In the minus column are the no-cost database products such as Oracle's Express Edition or IBM's DB2 Community Edition, which Mickos labeled as 'crippleware,' designed to hook customers on full-featured but expensive versions."
Comments (4 posted)
DesktopLinux.com
covers
the recent Desktop Linux Printing Summit.
"
The meeting was attended by about 40 developers from printer vendors, such as Hewlett-Packard, Lanier, and Lexmark; to operating system distributors like Apple Computer, Debian, and Novell; to those two Linux desktop powers, GNOME and KDE; and more. Their job? To nail down exactly what's wrong with printing and Linux, and to work out ways to resolve these problems once and for all." See Kurt Pfeifle's
report
on LWN for more information.
Comments (none posted)
Companies
Mercury News
covers
a change in Sun leadership. "
Sun Microsystems announced Monday that
its longtime chief executive Scott McNealy is stepping down from the helm
and will be succeeded by the struggling computer and software company's
No. 2 executive, Jonathan Schwartz." (Thanks to Biju Chacko)
Comments (25 posted)
Business
ZDNet
considers
the latest corporate buzz: providing "stacks" of software that include
the operating system, middleware and user applications.
"Just this week, Oracle CEO Larry Ellison told the Financial Times that he would "like to have a complete stack." Oracle makes billions of dollars selling databases and business applications. In recent years, the company has bought up many other companies, including rivals like PeopleSoft and Siebel Systems.
"We're missing an operating system. You could argue that it makes a lot of sense for us to look at distributing and supporting Linux," Ellison told the newspaper."
Comments (8 posted)
Linux Adoption
iTWire
reports
on the expected expansion of the Chinese Linux market.
"According to technology research group IDC's latest research, China Linux 2006-2010 Forecast and Analysis, China's Linux market revenue reached just $11.8 million in 2005, up 27.1% over 2004. However, 2005 saw a steady growth in the China Linux market, brought about mainly by the huge volume of government procurements and large-scale SCO Unix replacement by major banks and industrial projects such as Telecommunication and Internet cafes.
Along with the growing acceptance of Linux in the China market, IDC also noted that Linux servers were adopted for high-end, mission critical support applications in some industries and Linux desktops were able to withstand the competition of pirated Windows to hold their market share."
Comments (none posted)
NewsForge
covers
Free Software in Rome and throughout Italy. "
The plan of the
province of Rome is ambitious. Time will tell how much of it will be
implemented and become the norm in all of Italy. However, digital
innovation has already proved to be a successful factor of local
development, which, just like FLOSS, starts small but eventually arrives
inside national administrations. Again like FLOSS, direct cooperation
among cities, even of different countries, can lead to far-reaching,
unexpected results."
Comments (none posted)
Interviews
KDE.News
introduces this
People Behind KDE
interview
with Frans Englich. "
In what ways do you make a contribution to
KDE? As with most other KDE developers I do a little bit of each. I
try to help the KDE-artists with technical issues, have been involved with
Free Desktop's icon naming spec (seconded by the Tango project), and
written parts of kdelibs' KUtils library, for example. Occasionally, I stir
the water with an article or two."
Comments (none posted)
ComputerWorld
talks
with Jane Silber, chief operating officer at Canonical. "
Our
mantra throughout this development cycle was 'rigid and boring.' Someone
would say, 'This feature is really shiny and cool; let's put it in,' and
I'd say, 'Nope, we need to be rigid and boring.'"
Comments (3 posted)
Resources
ZDNet
looks at the ups and downs of authenticating email systems.
"There are two main ways of authenticating e-mail: Sender ID and DomainKeys Identified Mail, or DKIM. Backed by Yahoo and Cisco Systems, DKIM relies on public key cryptography. It attaches a digital signature to outgoing e-mail, so recipients can verify that the message comes from its claimed source.
Sender ID is further along in adoption than DKIM. It requires Internet service providers, companies and other Internet domain holders to publish SPF (Sender Policy Framework) records to identify their mail servers. This usually does not require new hardware or software; the most arduous part is doing an inventory of mail servers and the subsequent maintenance of that record."
Comments (4 posted)
Linux Journal
takes a
look at some beta book programs. "
I've been working with
technical books for quite a while now, as a reader, a reviewer and an
author. I've also been working with Linux and other free software for a
long time. Often, I've wondered how publishers could take advantage of the
testing that software receives as it goes through alpha and beta
cycles. Recently, several publishers have begun to take advantage of that
testing cycle for their books. Here, I take a look at how they're
doing. I'm not involved in any of these books, so what follows is
completely an outsider's view."
Comments (2 posted)
Linux.com
looks at Linux digital audio access protocol (DAAP) implementations. "
The more music you have, and the more computers you use, the bigger the hassle it becomes to try to synchronize everything. Without a simple sharing solution like DAAP, the easiest way to manage a centralized music collection for multiple PCs is to keep all the files together on a central server, shared through Samba or NFS. DAAP accomplishes the same goal with far less administrative overhead, and provides interesting features like smart playlists at no extra cost."
Comments (1 posted)
Debian Administration has
a comparison of
filesystems running on Debian Etch. "
There are a lot of Linux
filesystems comparisons available but most of them are anecdotal, based on
artificial tasks or completed under older kernels. This benchmark essay is
based on 11 real-world tasks appropriate for a file server with older
generation hardware (Pentium II/III, EIDE hard-drive)."
Comments (77 posted)
Linux.com has a
howto
article on setting up a load-balanced LAMP cluster. "
The
ubiquitous Linux, Apache, MySQL, and PHP/Perl/Python (LAMP) combination
powers many interactive Web sites and projects. It's not at all unusual for
demand to exceed the capacity of a single LAMP-powered server over
time. You can take load off by moving your database to a second server, but
when demand exceeds a two-server solution, it's time to think
cluster."
Comments (none posted)
Linux Journal
looks
at Linux system administration in different environments.
"Regardless of your environment, you will find that some tasks are
common to all system administration functions. For example, monitoring
system services and starting and stopping them takes on a role of its
own. Your Linux box might appear to be running smoothly while one or more
processes have stopped. A Linux server might seem happy on the outside, for
example, while the database serving Web pages has failed."
Comments (none posted)
Linux.com
looks at
running .Net applications on Linux using Mono. "
With Mono,
Monodevelop, and XSP in place, you can throw away Microsoft Visual Studio
and you can throw away Windows, and you don't have to throw away the valued
experience of your .Net programmers."
Comments (5 posted)
Linux.com
presents
another edition of the toolbox with a focus on networking tools.
"Tripwire is a great tool for checking to see whether files have been
created, deleted, or modified. Tripwire stores a snapshot of your files in
its database, and you can compare your files against the snapshot to
discover any changes that might indicate a compromise. Tripwire's main
feature is file integrity checking, and it's capable of checking VFAT
filesystems and verifying installed RPMs."
Comments (6 posted)
HowtoForge
shows how to optimize mail setups that use DSPAM and MySQL 4.1.
"DSPAM is a scalable and open-source content-based spam filter designed for multi-user enterprise systems. It's great at filtering out spam but on busy mailservers the pruning of the MySQL databases takes way too long ...
The default purge-4.1.sql script provided with DSPAM can be heavily optimized by adding indexes to the database and using the indexes properly when pruning."
Comments (none posted)
Dmitri Popov
explains some Thunderbird mail client tricks in a NewsForge article.
"Even if you use Thunderbird on a daily basis, you probably don't know it inside out. There are still quite a few 'hidden' features not covered in the online help that can significantly improve your emailing habits. And since Thunderbird's functionality can be expanded via extensions, you can add some clever features to it too."
Comments (21 posted)
Reviews
Linux-Watch
looks at the
upcoming Linux Standard Base 3.1 release with desktop application
support. "
The first LSB 3.1 certified desktop distribution is
expected to come from Xandros, on May 1st. Other major Linux distributors
such as Red Hat, Novell, Ubuntu, the DCC Alliance members, and others also
plan to certify their versions of Linux to LSB 3.1, [Free Standards Group]
added."
Comments (none posted)
Miscellaneous
The OpenDocument Format may become an ISO standard, according to
this article
on ZDNet.
""The ODF Alliance is now actively supporting adoption of the OpenDocument Format as a worldwide standard of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)," the group said in a statement. "The ODF Alliance and its members have contacted various national voting entities recommending approval and are optimistic of a positive outcome.""
Comments (2 posted)
KDE.News
covers the KDE
demonstration at the Long Beach, California Cambodian New Year Day
celebration.
"The day started out with Aaron Johnson bringing the equipment and Daniel
Dotsenko setting up the booth. This being the first time that a Free Software
booth was set up in Long Beach, there were bound to be glitches. The main
problem was that the organisers were not able to provide the power that was
promised in order to run the computers. That left the fallback of providing
software and flyers. On hand were some Kubuntu install and Knoppix live CDs.
However, there were not enough and within two hours, all the CDs were gone,
as were the flyers."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
KDE has announced that its core library Qt® from Trolltech® is part of the
Linux Standard Base (LSB) Final Release 3.1 standards specification
document. The new LSB desktop standard includes the Qt 3.3 libraries and
the tools required to create Qt-based applications, both of which are the
foundation of KDE. An additional standard includes Qt 4, the next
generation technology which will be used in the upcoming KDE 4 release.
Full Story (comments: 27)
Commercial announcements
Arkeia Software has announced full support for MySQL Version 5.0
by its MySQL hot backup module.
"The widely used Arkeia Software hot backup module for MySQL allows users to develop a flexible
backup strategy that protects data without interruption. Utilizing Arkeia's convenient GUI
navigator, the module performs incremental, differential or full MySQL backup while data is online,
live and accessible."
Full Story (comments: none)
Continuent, Inc. announced their Continuent m/cluster 2006
product at the MySQL Users Conference.
"This newest version of Continuent's m/cluster
software provides the highest levels of availability and scalability for
applications built using the MySQL database, and includes support for
MySQL 5.0. Continuent m/cluster is part of a suite of Continuent products
that deliver high availability for virtually any database environment."
Full Story (comments: none)
GoDaddy.com has
announced support for web sites that use Ruby on Rails.
"Ruby on Rails is an open-source framework which lets developers easily
assemble rich and dynamic Web sites. Programming with Rails allows a Web
designer to wrap applications easily around a database. It has been widely
acclaimed in Web development and software engineering circles as a new
standard for ease of development and speed of delivery.
"Our customers are finding Ruby on Rails to be incredibly valuable in
shaping their online presence," said Bob Parsons, GoDaddy.com CEO and
Founder. "We are pleased to be able to offer support for a framework that
increases the utility of the sites we host.""
Comments (none posted)
Hewlett Packard
will offer new services for the MySQL database.
"As part of an agreement, HP will provide consulting, integration and support services for customers implementing MySQL Network database software into their technology environments. HP and its channel partners also will resell MySQL Network subscription services. HP plans to sell the services directly beginning in May and via channel partners in June.
MySQL will train HP Services professionals on its products so HP can provide its MySQL Network customers with support."
Comments (none posted)
Laszlo Systems, Inc. has
announced a partnership with the Dojo Foundation.
"Laszlo Systems, the
corporate sponsor of the open source advanced Ajax application development
platform, OpenLaszlo, today announced a strategic technical partnership
agreement with the Dojo Foundation, the popular community-driven open
source project behind the Ajax software library, the Dojo Toolkit. Under
this agreement, the Dojo Toolkit will be licensed for use in Laszlo's open
source projects and Laszlo, in turn, will contribute libraries to the Dojo
Foundation, thereby furthering the advancement of the growing Ajax and open
source communities at large."
Comments (none posted)
Fujitsu Computer Products of America, Inc. has
announced the successful testing of a joint 10-Gigabit
Ethernet networking solution with Myricom, Inc.
"Addressing the demands of HPC environments seeking broader interoperability
and of enterprises requiring HPC-caliber performance in media, storage, and
other intensive applications, Myricom and Fujitsu demonstrated
interoperability and near-wire-speed user-level throughput in combined
tests of both companies' latest 10-Gigabit products."
Comments (none posted)
Open-Xchange, Inc. has released Open-Xchange Server 0.8.2, a comprehensive
feature update for the community edition of Open-Xchange Server.
Full Story (comments: none)
The first public Beta of the Opera 9 browser is out with some
unique capabilities.
"This version includes Widgets, small Web programs running in
their own windows that are fun, easy-to-use and live on users' desktops.
The Opera 9 Beta also features support for BitTorrent, a popular file
downloading technology, in addition to an easy-to-use content blocker
and thumbnail previews of tabbed sites.
And yes, Opera remains available free of charge."
Full Story (comments: none)
RealNetworks, Inc. has
announced the receipt of a fundamental patent for streaming media
technology and applications.
"The recently-issued patent (U.S. Patent No.
6,985,932, "Click-to-Stream") covers the core methods used when consumers
select links to stream audio-visual media via web browsers and other media
players. Reflecting Real's role as the pioneer of streaming media, the
patent covers innovations going back to November 30, 1994, more than four
months before Real introduced the groundbreaking RealAudio(R), which
transformed the Web by bringing streaming audio to the Internet for the
first time."
Comments (none posted)
Novell, Inc. has
announced a partnership with Reuters that will involve supporting the
Reuters Market Data System (RMDS) on SUSE Linux.
"The move will allow Reuters clients to take the market standard data platform RMDS and run it on SUSE Linux Enterprise Server, which is becoming increasingly popular within the financial services industry. In addition, Reuters has joined Novell's PartnerNet(R) program and has certified RMDS on
SUSE Linux Enterprise Server to help ensure the future success of joint
financial services customers."
Comments (none posted)
SRC, a developer of geographic business intelligence software, has
announced the release of its Explorer geocoder technology to the open
source community. "
SRC's Explorer is the industry's first open
sourced geocoder that is data and country independent, enabling developers
to integrate digital address databases in any country to support geocoding
processes."
Full Story (comments: none)
New Books
O'Reilly has published the book
MySQL Stored Procedure Programming
by Guy Harrison with Steven Feuerstein.
Full Story (comments: none)
Education and Certification
The Linux Professional Institute will hold Linux certification testing
at the LinuxWorld and NetworkWorld Canada Conference & Expo.
The event will take place on April 24-26, 2006 in Toronto, Canada.
Full Story (comments: none)
A new PostgreSQL database course has been announced.
"The Powergres/PostgreSQL development group of SRA OSS is pleased to announce a new PostgreSQL course. This intensive 3 day hands-on course is for new and junior level DBAs who are pursuing the PostgreSQL CE (PostgreSQL Certified Engineer) qualification certification system. The course is designed to prepare the DBA for the PostgreSQL Silver test, http://www.vue.com/sra/ where he will learn how to install, configure, administrate and execute queries for both the 7.4.x and 8.x versions of PostgreSQL."
Comments (none posted)
Calls for Presentations
A
call for papers has gone out for
PHP at FrOSCon. The event will be held in Bonn, Germany on June 24-25, 2006;
submissions are due by May 31.
Comments (none posted)
A Call for Papers has gone out for the NLUUG fall conference.
The event is being held on September 14, 2006 in Gelderland, the Netherlands.
Submissions are due by May 7.
Full Story (comments: none)
Upcoming Events
The first db4o User Conference (dUC) will take place in London, England
on July 10 and 11, 2006.
"The list of speakers includes Ted Neward and Andrew Cowie, renowned individuals in the Java/.NET and
Java/Linux communities, respectively, Stefan Edlich and Jim Paterson, authors of the upcoming book
"The Definitive Guide to db4o", as well as db4objects' own Carl Rosenberger and Christof Wittig."
Full Story (comments: none)
O'Reilly has sent out an announcement for the 2006
O'Reilly Open Source Convention (OSCON 2006).
"This year, OSCON will focus on the connections between business and open
source. As OSCON program chair Nat Torkington explains, "The growth in
stability and scope of open source has been part of this evolving
symbiotic relationship between commerce and creativity. If you're a
business, you're probably struggling to understand how decisions are made
in the chaotic world of open source. If you're an open source project,
you're probably wondering how to get taken seriously by the businesses you
want to work with. We're tackling law, marketing, public relations,
engineering, and the overall issue of governance.""
The event will take place on July 24-28, 2006 in Portland, Oregon.
Full Story (comments: none)
| Date | Event | Location |
|---|---|---|
| April 27 - 30, 2006 | Linux Audio Conference (LAC2006) | ZKM, Karlsruhe, Germany |
| April 27, 2006 | MySQL Users Conference | Santa Clara, CA |
| April 27 - 28, 2006 | php\|tek 2006 | Orlando Airport Marriott Hotel, Orlando, FL |
| April 29, 2006 | Linuxfest Northwest 2006 | Bellingham, WA |
| April 29 - 30, 2006 | European Common Lisp Meeting 2006 | Hamburg, Germany |
| May 1 - 6, 2006 | DallasCon 2006 | Richardson Hotel, Dallas, TX |
| May 3 - 6, 2006 | LinuxTag 2006 | Rhein-Main-Hallen, Wiesbaden, Germany |
| May 4, 2006 | openSUSE Day at LinuxTag 2006 | Wiesbaden, Germany |
| May 6 - 7, 2006 | WebTech 2006 | Sofia, Bulgaria |
| May 8 - 18, 2006 | LinuxWorld on Tour Conference and Expo 2006 (LOT2006) | Montreal, Ottawa, Calgary, Vancouver |
| May 12 - 13, 2006 | BSDCan 2006 | University of Ottawa, Ottawa, Canada |
| May 13, 2006 | DebianDay | Oaxtepec, Mexico |
| May 14 - 22, 2006 | DebConf 6 | Oaxtepec, Mexico |
| May 26 - 27, 2006 | FreedomHEC | Seattle, WA |
| May 30 - June 3, 2006 | 2006 USENIX Annual Technical Conference | Boston Marriott Copley Place, Boston, MA |
| June 13 - 14, 2006 | Where 2.0 Conference | Fairmont Hotel San Jose, San Jose, CA |
| June 13 - 14, 2006 | Gartner Open Source Summit 2006 | Palau de Congressos de Catalunya, Barcelona, Spain |
| June 14 - 16, 2006 | New York PHP Conference and Expo 2006 | New Yorker Hotel, New York, NY |
| June 16 - 18, 2006 | Recon 2006 | Plaza Hotel Centre-Ville, Montreal, Canada |
Comments (none posted)
Audio and Video programs
O'Reilly
has announced two new podcast releases.
"How do we go about attracting more women to write open source code? Danese Cooper has been looking at different models that work and is trying to spread the word. We also continue our conversation with Jane McGonigal about super gaming. This week she talks about the community that surrounds some of her games and some of the emerging patterns that she has noted."
Comments (none posted)
Audio and video streaming media will be broadcast from the 2006
Linux Audio Conference.
"The Linux Audio Conference 2006, which takes place at the ZKM in
Karlsruhe/Germany from April 27 to April 30, will be streamed live for
your convenience, inspiration and enjoyment."
Full Story (comments: none)
Miscellaneous
Here's a report from FISL (Internacional Free Software Forum) in Brazil,
where Richard Stallman was selling autographs. "
There's nothing
inherently wrong with charging for someone to use your image or your
calligraphy, but it makes you think, huh?"
Full Story (comments: 2)
Page editor: Forrest Cook