One of the comments posted on
last week's article about the Java
license change asked: how can Debian distribute Sun's Java under the
new license? A number of clauses, including the requirement that Java be
distributed with the operating system and the restrictions on shipping Java
"in conjunction with" alternative implementations, would seem to rule out a
Debian Java package. It turns out that a number of Debian developers are
wondering the same thing; in addition, there are questions about the
process that was involved. Sun's Java was fast-tracked into non-free, with
the traditional extended debate on debian-legal having been short-circuited
entirely. Since Debian does very few things without enduring a public
brawl first, the addition of Java without discussion raised some eyebrows.
Various people have tried to answer the resulting questions. The
definitive word, perhaps, comes from Debian
Project Leader Anthony Towns:
There are three factors that are particularly relevant: the first
is Sun's intentions and ability and interest to work with us as a
proxy for the broader free software community -- this is an
important issue because it ensures that we can resolve any problems
with the license, and reduces the concern that Sun will try to
screw us over, as it would become a PR problem rather than just a
quiet argument on the lists;
There is a point here: Sun has been very public about how happy it is about
Debian's inclusion of Java. For the company to suddenly say that it isn't
happy after all would be a big, public turnaround and would invite a fair
amount of criticism. There would have to be a big reason for Sun to make
such a move.
Anthony continues:
the second is that both the legal principle of estoppel and the
general common sense principle of not going back on your word if
you want people to work with you prevents Sun from realistically
saying "the FAQ is completely wrong and should be ignored";
The DLJ FAQ
does, indeed, make a lot of encouraging noises about what the license terms
really mean. It says, for example, that there is no problem with shipping
other Java implementations. The FAQ leads off with this rather less
encouraging text, however:
Note: This FAQ is provided to help explain the Operating System
Distributor License for Java; nothing in this FAQ is intended to
amend the license, so please consult the license itself for the
precise terms and conditions that actually apply.
This is the text that makes many Debian developers say that the FAQ is
irrelevant and should be ignored. It may well be that Sun has, by way of
estoppel, blocked itself from a rigorous enforcement of the license terms
by publishing this FAQ, but that is a question which cannot be definitively
answered outside of a courtroom - and, even then, the answer only applies
to one jurisdiction.
Finally:
and the third aspect, which is probably most important, is that
should any of these problems actually happen, we can fairly simply
just drop Sun Java from non-free if we can't come to a better
conclusion.
So, if things go wrong, Debian can just stop distributing Java and the
problems go away.
These arguments all make sense, but there is something important which
should be noted about them: they are arguments of convenience. They could
be loosely paraphrased as "it looks like we can get away with it, and, if
that turns out not to be true, we'll just stop." Debian, however, has
never been about convenience - the project is far more concerned with
freedom and doing the right thing. Distributing software in a way which
does not comply with its license is very much counter to the way the Debian
Project works - even if it looks like the act would go unpunished. But
there is little in Anthony's response saying that Debian is truly compliant
with the Distributor License for Java.
Sun employee Tom Marble has argued that
there is no conflict between Debian and the DLJ. Like Anthony, he refers
to the FAQ, but without addressing the text in the FAQ itself directing
people to the license for the "precise terms and conditions." With regard
to alternative technologies, Tom says:
From FAQ #8, "there is nothing in the DLJ intended to prevent you
from shipping alternative technologies with your OS distribution."
When I say mix and match I mean please don't take bits from the
alternate technologies (see above) and put them into use with the
Java platform (e.g. replace rt.jar which is part of the platform
with an alternate rt.jar). In a similar way please don't take bits
from the Java platform and use them as part of or to complete
alternate technologies (e.g. plugin.jar).
This could be a reasonable interpretation of the license, though it would
be much nicer if the license expressed these terms directly. Anybody who finds this
argument to be a suitably convincing and binding statement of the intent of
the license can, perhaps, conclude that Debian's distribution of Java in
non-free is compliant with that license. Of course, some of the other
terms, having to do with choice of venue for legal disputes, export
restrictions, and indemnification of Sun, may still be problematic for a
number of Debian developers.
Regardless of whether one believes that Debian's distribution of Java is
compliant, there is still the question of process: why was the Debian
community not involved in the decision? The answer is straightforward: all
of the relevant information was under embargo until Sun made its
announcement at JavaOne. The only way for Debian to have a Java package
when Sun announced - and for Sun to announce that said package existed -
was for the process to happen in secret. So the new license was examined
privately by Anthony Towns, James Troup, and Jeroen van Wolffelaar, and all
three pronounced it to be acceptable.
Michael Banck had an interesting take on
this process:
I think this was somewhat similar to the embargoed security
releases our security team handles for us. Sure we could just have
disclosed the license to -legal beforehand, but then Sun probably
would never talk to us about doing things like this one again and
just tend to OpenSUSE or some other community distribution next
time to collaborate with when they might open source Java.
So Debian, by cooperating with Sun on the disclosure of information, was
able to be a part of the initial PR splash. A question which has not been
asked - in public, at least - is: just how does Debian benefit from
participating in Sun's PR experience, and is it worth the cost of bypassing
the usual public discussion?
Comments (39 posted)
May 24, 2006
This article was contributed by Mark Wielaard
Every year around JavaOne there is a lot of
talk about Java and whether we will ever see a free alternative
for it. Since 2000, various projects aiming to provide a free
alternative for the Java platform have been working together toward
this goal. This cooperation became much stronger when in 2003 various
developers from GNU Classpath, Kaffe, GCJ, JamVM, IKVM/Mono and others
met each other in person during some informal meetings at
Linux Kongress, FOSDEM and LinuxTag in Europe. What had before been
competing projects became projects that would cooperate wherever
technically possible, especially around the core class libraries as
provided by GNU Classpath. The competition turned into something
positive and playful. The GNU project even sponsored the Fast Free Eclipse contest
which was ultimately won by GCJ in August 2003 (with JikesRVM and
IKVM/Mono close behind).
At the end of 2004 Red Hat brought all these groups together again
during the Alternative Runtime Summit at the MIT campus in
Boston. They invited a large and diverse group of people to talk about
their projects and also invited representatives of the traditional
Gnome, GCC/GDB/GNU toolchain and Mono groups, plus representatives
of the Apache and Eclipse groups, to discuss various ways to build
bridges between the various communities. Richard Stallman gave a
lecture on the
Java trap and a Sun representative was also invited. Sun decided
to not join the fun at that time, but we did establish that our
goals were not that different.
Although none of us knew how the future would look, it was clear
that everybody was very positive about sharing their experiences and
working ever more together. Everybody left the Alternative Runtime
Summit feeling our goals united us much more than the different
technical paths we were taking to reach them divided us. There was
also a definite feeling that we would be able to provide a full free
alternative to the Java platform. And that the alternative(s) would be
much more than Java and that it would go beyond and extend the
traditional GNU platform.
The realization that we were in this together and that a free
alternative for Java should be integrated as much as possible with the
rest of the free platform had some important results. Our next meeting
at FOSDEM 2005 was all about building
bridges. We focused on alternative execution mechanisms like GCJ
and Mono, hooking into Gnome with java-gnome and doing continuous
integration tests against the Apache Java code base through Gump.
Another way to cooperate, and at the same time to help our users try
out our work more easily, was to collaborate with the various
GNU/Linux distributions to package traditional Java programs and
libraries so they could be easily used with the various free
alternatives. During the Oldenburg DevJam Meeting
various packagers, compiler and runtime hackers came together to
define standards for interoperability and packaging conventions. Users
can now easily try out various compilers, libraries and the
alternative execution strategies for their code. This effort was so
successful that even Sun is now adopting the JPackage alternative
ideas for their own (proprietary) packages aimed at the GNU/Linux
platform (although their current license seems to
disallow any mixing and matching with the various free
subcomponents).
One of our success stories is the packaging of
Eclipse for the various GNU/Linux distributions. Although Eclipse
traditionally emphasizes the proprietary Windows platform,
the Eclipse developers have been extremely supportive of our efforts
and have helped find alternatives whenever the free toolchain didn't
have a particular language or library feature yet.
After setting up Gump integration
tests with Kaffe and seeing that we were almost there, the Apache
group became very enthusiastic about joining in. Since a lot of the
packages that are bundled by the free distributions were actually based on code by
the Apache group, that seemed like a very cool idea. After a couple
of conference calls between the FSF, ASF and various project members
we launched the Harmony!
project.
Unfortunately, from the start the project seemed plagued by
miscommunication and confusion about intentions. The original announcement
hadn't been proofread by some of the participants, which led to corrections
by the Kaffe team, clarifications
by the GCJ team and updates from
the GNU Classpath team about the original intent of the
project. Sadly, these first impressions were hard to shake off.
And
soon a lot more miscommunication and confusion started. Some people
joined that were very vocal about the project being Apache (and not
GNU!), some people said that their company regulations didn't allow
them to study anything on gnu.org, including the GNU
Classpath VM Integration Guide. Others said that using anything
that used the "gnu." Java package namespace would be impossible
to clear with their legal departments. IBM wanted to donate code,
but suggested using an alternative runtime interface which would be
suitable for their proprietary J9 VM (but not for any of the 30
projects currently based on GNU Classpath).
After 9 months of
trying to cooperate we organized a new meeting during FOSDEM
2006 to get all players together again. And, although 60 people
attended, including core GNU Classpath, GCJ, Kaffe, Cacao, JamVM and
IKVM hackers, only one Harmony person showed up, and none of the
people from the backing companies. All this means that, despite the
fact that there is now some code available donated by Intel, there is
no practical cooperation between the original free software projects
backing Harmony and the project now known as Apache Harmony. All this
made some people think of Harmony as a company consortium in the guise
of an ASF project and not a full community project. But there is still
some hope that the final result will be merged with the existing
projects at some point and that there will be more community
involvement in the future.
One thing we had completely overlooked in our Harmony effort was
the fear
uncertainty and doubt in the Apache Java world about the GPL, the LGPL,
and the GPL exception statements used by GNU Classpath and other GCC
runtime libraries. At the Alternative Runtime Summit we had discussed
The
Free Software Community, the GPL, Compromising and Control. And
David Turner from the FSF was present to explain LGPL and
Java. We (the Classpath developers) had naively assumed that in return
for using an explicit GPL +
linking exception for GNU Classpath, so it could be used with code
distributed under the ASL, we would get back an exception to the ASL
for larger works distributed under the GPL.
Sadly that did not
happen. Partly because the Apache group doesn't hold the copyright on
code contributions so cannot change any of the terms of the code it
distributes (the FSF had offered to track down all contributors, but
this proved to be too large a number to be practical) and partly
because it doesn't want to make any exception for its code base
since it fears that would confuse its users. But most Apache people
did agree that it would be nice if code distributed under the ASL
would be reusable in larger GPLed works, just like it is reusable for
proprietary code. And the FSF agreed that none of the extra
requirements in the ASL were inhibiting the freedom of users.
As a result, you
will see various improvements in the GPLv3 draft based on our
discussions. The GPLv3 clarifies the system library exception,
explicitly states people can grant exceptions to the GPL, like the FSF
has done for the various GCC runtime libraries, and adds compatibility
clauses for certain requirements found in the ASL and EPL licenses. We
hope that when GPLv3 is finalized we will see more code flow between
the projects and reuse of various Apache and Eclipse technologies in
the GNU, Gnome and KDE worlds.
One of the efforts that does seem to pay off is our cooperation on
the Mauve Completeness,
Correctness and Compatibility testsuite. Mauve contains more than
45,000 core library tests and has various modules for testing core
class library implementations, byte code verifiers, source to byte
code and native code compiler tests. It also contains the Wonka visual
test suite and the Jacks Compiler Killer Suite. Every release of GNU
Classpath comes with a little overview of how well we do on the
tests. This is especially important because we have so many different
compiler and execution mechanisms available. It also enables us to
measure compatibility despite the fact that we don't have access to
the TCK suite that Sun uses to determine whether something is Java
compatible.
Now that Sun is again thinking about whether and how to open up
more we have even been in contact with some Sun engineers who would
like to start some cooperation by combining
our test suites. For Sun, compatibility has always been a very
touchy point. So some hope this will be the start of a better
cooperation of the Sun Java group with the rest of the free software
community. It seems that our continuous progress and nice integration
with the GNU/Linux desktop at least got their attention.
Comments (6 posted)
Back in September, 2005,
the
Grumpy Editor's Guide to Personal Finance Managers concluded that the
development energy and momentum seemed to belong to the KMyMoney project.
GnuCash, instead, seemed dispirited with little activity on its mailing
list and little visible progress toward its long-awaited 2.0 release.
Some distributors, hoping to be done with GTK1, were making noises about
dropping GnuCash altogether. At that time, KMyMoney looked like the
application with the brightest future.
Since then, there has been a significant surge in activity on the GnuCash
side while KMyMoney, to an outside observer, appears to have slowed down.
Clear goals for the GnuCash 2.0 release have been set, a series of pre-2.0
test releases has come out, and 2.0 final is currently planned for
June 11. GnuCash, it seems, is back. Your editor, whose desperate
attempts to balance the family budget are made on a system running the
Fedora development tree, got a rather unplanned opportunity to try out
GnuCash 1.9 (the pre-2.0 test release) when the Fedora hackers quietly
slipped it in as a replacement for the stable version. A few months of
financial firefighting later, it's time for a quick review.
Those who are expecting a lot of flashy new features from GnuCash 2.0
may be disappointed. The big change in this release is not the
heavily-requested animated pie chart feature. Instead, GnuCash has made
the (rather delayed) jump to the GTK2 toolkit. This change was a major bit
of work for the GnuCash developers, who had to drop some discontinued
libraries altogether and reimplement various features (graphical reports,
for example) in a completely different environment. So what 2.0 brings is
not a whole lot of new features, but a new platform which is ready for the
creation of tomorrow's new features.
One thing seasoned GnuCash users will notice early on is the tabbed
interface on the main window. In the stable 1.x releases, opening an
account results in the creation of a new register window; in 2.0, a new tab
is created instead. This behavior is arguably more consistent - even in
1.x, reports showed up in that version's form of tabs rather than in their
own window; now everything works that way. But, for users who are used to
being able to have more than one register on the screen simultaneously, the
new behavior can be a little annoying. Fortunately, there is an option to
move a tab into a new window, so users who like their screen cluttered
should still be happy.
Other than the new tabs, the GnuCash user experience is little changed from
the 1.x release. Things generally work and look as they did before. From
your editor's experience, it all appears to be quite stable (though your
editor has not spent any real time playing with the business features).
Except for a couple of minor keyboard focus issues, the transition appears
to have been completed successfully. For those interested in testing the
development releases, it's worth noting that the file format does not
appear to have changed, making it possible to make changes with a
development release, then go back to 1.8.x without trouble. It is worth
noting that the PostgreSQL backend is not yet working properly, but that is
consistent with the earlier GnuCash releases as well.
Of course, no major release can be completely without new features. The
GnuCash developers have found time to implement the use of UTF-8 for better
handling of non-western characters
and the ability to import the "MT940" files available from some banks. But the
most interesting (for users) developments in the 2.x series are likely to
show up in 2.1 and later releases. Now that the painful transition to a
contemporary toolkit has been made, the developers will have the time to do
fun stuff again, and the project should be more accessible for new
developers as well.
The free software community has been surprisingly slow to push the state of
the art in the personal finance area. One would think this particular itch
would afflict a great many developers - even the hungriest of starving
hackers has some financial management to do, and we can't all push
the work off onto our Windows-using spouses. Be that as it may, the
situation is slowly changing. Between KMyMoney and the new, refurbished
GnuCash, the community now has two high-quality platforms suitable for the
creation of tomorrow's personal financial software. Your editor is looking
forward to seeing where things go from here.
Comments (9 posted)
Page editor: Jonathan Corbet
Security
May 24, 2006
This article was contributed by Jake Edge.
Eye catching headlines are seen every day on the web, but one needs to
be careful not to distort the contents of the article. A recent SecuriTeam
article
is headlined "Holes in the Linux Random Number Generator" but that title
overstates the actual contents of the
paper (PDF) it is announcing.
The three authors of the paper provide a nice detailed description of the
Linux random number generator (RNG) and the algorithms that it uses, while
also reporting a very theoretical attack. The basic attack is against the
"forward security" of the RNG via a single compromise of the contents of
the entropy pool. This value can be used to run the RNG algorithm in reverse
and recover previous states of the entropy pool. Doing this enough times
can recover keys that have been previously generated.
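The rewind attack in toy form, as an added example that is neither the paper's code nor the kernel's generator: the generator below is a deliberately weak one whose state update is an invertible map (a 64-bit linear congruential step), so a single captured state yields every earlier output for free. The real kernel generator runs its pool through a cryptographic hash when producing output, which is why reversing it is a search with the work factor Ted Ts'o gives rather than one multiplication. The constants and function names are my own.

```python
# Added example: a toy generator with an invertible state update, used to show
# why capturing the state of such a generator hands an attacker all of its
# past outputs. This is NOT the Linux kernel's algorithm; it is a 64-bit LCG
# chosen precisely because its step function is trivially reversible.

MOD = 1 << 64
A = 6364136223846793005   # odd multiplier, hence invertible modulo 2**64
C = 1442695040888963407
A_INV = pow(A, -1, MOD)   # modular inverse of A (Python 3.8+)


def lcg_step(state):
    """Forward state update."""
    return (A * state + C) % MOD


def lcg_unstep(state):
    """Exact inverse of lcg_step: state_prev = (state - C) * A^-1 mod 2**64."""
    return ((state - C) * A_INV) % MOD


def output_of(state):
    """What the generator hands out: the top 32 bits of the state."""
    return state >> 32


def generate(seed, n):
    """Run the generator n times; return (outputs, final_state).
    The final state stands in for the pool contents an attacker captures."""
    outs, s = [], seed
    for _ in range(n):
        s = lcg_step(s)
        outs.append(output_of(s))
    return outs, s


def rewind(captured_state, n):
    """Attacker's side: from the captured state alone, recover the last n
    outputs in the order they were produced. With a one-way state update
    (a hash of the pool) there would be no formula for this step; with this
    generator it costs one multiplication per output."""
    recovered, s = [], captured_state
    for _ in range(n):
        recovered.append(output_of(s))
        s = lcg_unstep(s)
    recovered.reverse()
    return recovered


if __name__ == "__main__":
    # 14 outputs, about what one key generation consumed in Ted Ts'o's estimate
    outputs, state = generate(0x1234, 14)
    assert rewind(state, 14) == outputs
    print("recovered all", len(outputs), "earlier outputs from one captured state")
```

The property the paper calls forward security is exactly the absence of `lcg_unstep`: with a one-way state transition, learning today's state tells the attacker nothing about yesterday's outputs except through a brute-force search.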
There are a number of reasons why this attack is considered to have little
impact on real world systems. The most obvious is that if an attacker can
access the state of the entropy pool, they have already broken the security
of the system and can, as root, do any number of different things to the
system. If recovering previously generated keys is the object of the attack,
the paper outlines ways to do that, but the processing requirements are
enormous as Ted Ts'o points out:
To put this in
perspective, generating a 1024 bit RSA key will require approximately
14 turns of the crank, so if you are lucky with the positioning of the
index *and* you penetrate the machine and capture the state of the
pool (which as I mentioned, probably means you've rooted the box and
the system will probably have to be reinstalled from trusted media
anyway), *and* a 1024-bit RSA key had just been generated, you would
be able to determine that 1024-bit RSA key with a work factor of
approximately O(2**68) if you are lucky (probability 1 in 8), and
O(2**96) if you are not.
The paper also describes a well known feature of the Linux RNG implementation
as if it were a newly discovered denial of service issue. The
/dev/random device
was specifically designed to block when the entropy pool had insufficient
entropy to satisfy the request. The /dev/urandom device is
provided as an alternative that generates very good random numbers and
does not block (and is therefore not
vulnerable to a denial of service).
For any but the most sensitive applications (key generation being an
obvious choice), /dev/urandom is the recommended source for random
numbers. Alan Cox sums up the situation nicely:
The denial of service when no true entropy exists is intentional and
long discussed. User consumption of entropy can be controlled by
conventional file permissions, acls and SELinux already, or by a policy
daemon or combinations thereof. It is clearly better to refuse to give
out entropy to people than to give false entropy.
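The blocking behaviour Alan Cox describes is something an application has to plan for rather than discover in production. The helper below is an added example, not kernel or project code: it opens /dev/random with O_NONBLOCK so that a starved pool shows up as an error the caller can handle instead of an indefinite sleep, reads the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail, and falls back to /dev/urandom (through os.urandom) for everything that is not the most sensitive use. The function names and the fallback policy are my own choices.

```python
# Added example: reading the Linux random devices without risking the
# intentional blocking of /dev/random. Not code from the kernel or the paper.
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def entropy_estimate():
    """The kernel's current entropy estimate in bits, or None where the proc
    file does not exist (non-Linux systems, restricted containers)."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_without_blocking(path, n):
    """Read up to n bytes from `path` with O_NONBLOCK set.

    Returns the bytes obtained (possibly fewer than n: a starved pool may
    satisfy only part of a request) or None if the device would have
    blocked. Opening /dev/random this way turns the 'intentional denial of
    service' into an EAGAIN the caller can act on."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        return os.read(fd, n)
    except BlockingIOError:      # EAGAIN: insufficient entropy right now
        return None
    finally:
        os.close(fd)


def random_bytes(n, want_blocking_pool=False):
    """Default for applications: /dev/urandom never blocks and is
    cryptographically strong. want_blocking_pool=True tries /dev/random
    first, without blocking, and still falls back rather than hanging."""
    if want_blocking_pool:
        data = read_without_blocking("/dev/random", n)
        if data is not None and len(data) == n:
            return data
    return os.urandom(n)


if __name__ == "__main__":
    print("entropy_avail:", entropy_estimate())
    print("non-blocking /dev/random gave:", read_without_blocking("/dev/random", 16))
    print("32 bytes:", random_bytes(32, want_blocking_pool=True).hex())
```

One caveat for readers running this on current systems: since Linux 5.6, /dev/random blocks only until the pool has been initialized at boot, so on such kernels the None branch is mostly of historical interest and the two devices behave alike once the system is up.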
The paper has sparked an interesting
discussion
on the Linux kernel mailing list and has led to some concrete suggestions
for improving the algorithm, but it would be an exaggeration to conclude that
the paper describes real world Linux security concerns. An administrator
or security professional reading the SecuriTeam headline might easily
be led astray.
Comments (6 posted)
New vulnerabilities
awstats: missing input sanitizing
Package(s): awstats
CVE #(s): CVE-2006-2237
Created: May 19, 2006
Updated: June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can
cause awstats, a powerful and featureful web server log analyzer, to
execute arbitrary commands.
Comments (none posted)
cscope: buffer overflows
Package(s): cscope
CVE #(s): CVE-2004-2541
Created: May 22, 2006
Updated: June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Comments (1 posted)
dia: format string vulnerabilities
Package(s): dia
CVE #(s): CVE-2006-2453, CVE-2006-2480
Created: May 24, 2006
Updated: June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file, or a file with a well-chosen name.
Comments (none posted)
hostapd: insufficient boundary checks
Package(s): hostapd
CVE #(s): CVE-2006-2213
Created: May 22, 2006
Updated: May 25, 2006
Description: Matteo Rosi and Leonardo Maccari discovered that hostapd, a wifi network
authenticator daemon, performs insufficient boundary checks on a key length
value, which might be exploited to crash the service.
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-1859, CVE-2006-1860
Created: May 19, 2006
Updated: May 24, 2006
Description: Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16
allows attackers to cause a denial of service (memory consumption) via
unspecified actions related to an "uninitialized return value," aka "slab
leak."
lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers
to cause a denial of service (fcntl_setlease lockup) via actions that cause
lease_init to free a lock that might not have been allocated on the stack.
Comments (none posted)
kernel-patch-vserver: privilege escalation
Package(s): kernel-patch-vserver
CVE #(s): CVE-2006-2110
Created: May 22, 2006
Updated: May 24, 2006
Description: Jan Rekorajski discovered that the kernel patch for virtual private servers
does not limit context capabilities to the root user within the virtual
server, which might lead to privilege escalation for some virtual server
specific operations.
Comments (none posted)
kphone: insecure file creation
Package(s): kphone
CVE #(s): CVE-2006-2442
Created: May 22, 2006
Updated: May 25, 2006
Description: Sven Dreyer discovered that KPhone, a Voice over IP client for KDE,
creates a configuration file world-readable, which could leak sensitive
information like SIP passwords.
Comments (none posted)
libextractor: heap-based buffer overflows
Package(s): libextractor
CVE #(s): CVE-2006-2458
Created: May 22, 2006
Updated: May 31, 2006
Description: Luigi Auriemma has found two heap-based buffer overflows in libextractor
0.5.13 and earlier: one of them occurs in the asf_read_header function in
the ASF plugin, and the other occurs in the parse_trak_atom function in the
Qt plugin.
Comments (none posted)
mpg123: buffer overflows
Package(s): mpg123
CVE #(s): CVE-2006-1655
Created: May 24, 2006
Updated: July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Comments (none posted)
OpenLDAP: boundary error
Package(s): openldap
CVE #(s): (none)
Created: May 23, 2006
Updated: May 24, 2006
Description: According to this Secunia
advisory, a weakness exists in OpenLDAP which is caused due to a
boundary error in slurpd within the handling of the status file. This can
be exploited to cause a stack-based buffer overflow via an overly long
hostname read from the status file. The weakness has been reported to be in
OpenLDAP version 2.3.21 and earlier.
Comments (none posted)
phpbb2: missing input sanitizing
Package(s): phpbb2
CVE #(s): CVE-2006-1896
Created: May 22, 2006
Updated: February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
Comments (none posted)
phpgroupware: missing input sanitizing
Package(s): phpgroupware
CVE #(s): CVE-2005-2781
Created: May 22, 2006
Updated: May 24, 2006
Description: It was discovered that the Avatar upload feature of FUD Forum, a component
of the web based groupware system phpgroupware, does not sufficiently
validate uploaded files, which might lead to the execution of injected web
script code.
Comments (none posted)
popfile: missing input sanitizing
Package(s): popfile
CVE #(s): CVE-2006-0876
Created: May 22, 2006
Updated: May 24, 2006
Description: It has been discovered that popfile, a bayesian mail classifier, can
be forced into a crash through malformed character sets within email
messages, which allows denial of service.
Comments (none posted)
postgresql: SQL injection
Package(s): postgresql
CVE #(s): CVE-2006-2313, CVE-2006-2314
Created: May 24, 2006
Updated: June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
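To make the multi-byte problem concrete, here is an added illustration in Python (not PostgreSQL's code) using Shift_JIS as the client encoding. In Shift_JIS the byte 0x5C that ASCII uses for backslash can also be the trailing byte of a two-byte character (0x95 0x5C is 表), so a byte-oriented escaper that puts a backslash in front of each quote can manufacture a new two-byte character that absorbs the backslash and leaves the quote live. Doubling the quote instead yields either a correct literal or an invalid byte sequence that a server rejecting invalid multi-byte input will refuse, which is the combination of fixes the entry describes. The attacker input, the toy lexer and the helper names are constructed for the example.

```python
# Added example, not PostgreSQL source: how backslash-escaping on raw bytes
# fails under a multi-byte client encoding, and why doubling quotes does not.

CLIENT_ENCODING = "shift_jis"   # 0x5C may be the 2nd byte of a character here


def escape_backslash(raw):
    """The old, unsafe technique, applied to the raw client bytes:
    backslash -> double backslash, quote -> backslash quote."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubling(raw):
    """SQL-standard quoting: ' -> '' (never creates a new 0x5C byte)."""
    return raw.replace(b"'", b"''")


def server_decode(escaped, encoding=CLIENT_ENCODING):
    """Server side: convert the client's bytes to characters in the session
    encoding. Returns None for an invalid multi-byte sequence, i.e. the
    server refuses the input instead of guessing (the CVE-2006-2313 fix)."""
    try:
        return escaped.decode(encoding)
    except UnicodeDecodeError:
        return None


def literal_breaks_out(literal):
    """Scan a decoded string-literal body the way a backslash-aware SQL lexer
    would: a backslash escapes the next character, '' is one quote, and any
    other quote terminates the literal early, so the rest of the input is
    parsed as SQL (injection)."""
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":
            i += 2
        elif ch == "'":
            if literal[i + 1:i + 2] == "'":
                i += 2
            else:
                return True
        else:
            i += 1
    return False


def is_injected(raw, escaper):
    """True if raw client bytes survive `escaper` with a live quote."""
    literal = server_decode(escaper(raw))
    return literal is not None and literal_breaks_out(literal)


# Constructed inputs. ATTACK is a lone Shift_JIS lead byte followed by the
# payload: after backslash-escaping the bytes read 0x95 0x5C 0x27 ..., and
# 0x95 0x5C decodes to the single character 表, swallowing the backslash.
# LEGIT_JP is the honest string 表' : byte escaping mangles even that.
ATTACK = b"\x95' OR '1'='1"
LEGIT_JP = b"\x95\x5c'"
BENIGN = b"O'Brien"

if __name__ == "__main__":
    print("backslash escaping, attack :", is_injected(ATTACK, escape_backslash))
    print("quote doubling, attack     :", is_injected(ATTACK, escape_doubling))
    print("backslash escaping, 表'    :", is_injected(LEGIT_JP, escape_backslash))
    print("quote doubling, 表'        :", is_injected(LEGIT_JP, escape_doubling))
    print("decoded attack literal     :", server_decode(escape_backslash(ATTACK)))
```

The lesson generalizes beyond Shift_JIS: any escaping done on bytes before the server has fixed the character boundaries is unsafe, which is why parameterized queries, or at least escaping performed by the database client library in the session encoding, are the durable fix.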
Comments (1 posted)
zoo: archive problem
Package(s): bin
CVE #(s): (none)
Created: May 23, 2006
Updated: May 24, 2006
Description: A security problem
in zoo's fullpath() function could cause problems if zoo was run in an
automated way, or if a user were to open a malicious zoo archive manually.
Comments (none posted)
Updated vulnerabilities
apache: denial of service
Package(s): apache
CVE #(s): (none)
Created: May 11, 2006
Updated: May 17, 2006
Description: There is a bug involving Apache 1.3.35 and glib concerning
wildcards in Include directives. If an Include statement
is issued in an already included file, Apache can be caused to
crash.
Comments (1 posted)
blender: integer overflow
Package(s): blender
CVE #(s): CVE-2005-4470
Created: January 6, 2006
Updated: June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user.
Comments (none posted)
busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing
passwords, which means a brute-force or precomputed-table attack against a
stolen password file could take very little time.
Comments (2 posted)
bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
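The race in the bzip2 entry is a name-versus-inode problem, and the fix is to apply permissions through the open file descriptor rather than through the path. The Python below is an added example (not bzip2's code) that plays both roles in one process: a writer that closes the file and then chmod()s the path, a writer that fchmod()s the descriptor instead, and an "attacker" hook that, in the window between writing and changing the mode, replaces the output name with a hard link to a victim file. It runs in a temporary directory; the file names and modes are constructed for the example.

```python
# Added example: the hard-link race behind the bzip2 entry, and the fix.
# Not bzip2 source. Runs entirely inside a temporary directory.
import os
import stat
import tempfile


def write_then_chmod_path(dst, data, mode, race_hook=None):
    """Vulnerable pattern: write, close, then chmod() the *name*. Whatever
    the name points at when chmod runs receives the new mode."""
    with open(dst, "wb") as f:
        f.write(data)
    if race_hook:
        race_hook()                  # attacker's window
    os.chmod(dst, mode)


def write_then_fchmod_fd(dst, data, mode, race_hook=None):
    """Safe pattern: create the file exclusively and change its mode through
    the descriptor, which is bound to the inode we created, not the name."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        if race_hook:
            race_hook()              # same window, no effect on our inode
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def simulate_hardlink_race(writer):
    """Run `writer` while an attacker swaps the output name for a hard link
    to a victim file. Returns the victim's permission bits afterwards:
    it starts at 0o600; the attacker is hoping for the writer's 0o666."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        out = os.path.join(d, "out.txt")
        with open(victim, "wb") as f:
            f.write(b"secret")
        os.chmod(victim, 0o600)

        def attacker():
            os.unlink(out)           # drop the writer's name ...
            os.link(victim, out)     # ... and point it at the victim inode

        writer(out, b"decompressed data", 0o666, race_hook=attacker)
        return stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("chmod(path) : victim mode %o" % simulate_hardlink_race(write_then_chmod_path))
    print("fchmod(fd)  : victim mode %o" % simulate_hardlink_race(write_then_fchmod_fd))
```

The same reasoning applies to chown(), utime() and any other metadata update a tool performs after writing a file: use the f*-variants on the descriptor you created, and create it with O_EXCL so an attacker cannot pre-place the name either.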
Comments (2 posted)
ktools: buffer overflow
Package(s): centericq
CVE #(s): CVE-2005-3863
Created: December 7, 2005
Updated: August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor.
Comments (none posted)
cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: March 17, 2010
Description:
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
Alerts:
Comments (none posted)
curl: heap-based buffer overflow
Package(s): curl
CVE #(s): CVE-2006-1061
Created: March 21, 2006
Updated: June 28, 2006
Description:
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path.
Alerts:
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description:
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a denial of service even if the attacker is
not able to authenticate.
Alerts:
Comments (none posted)
enscript: arbitrary code execution
Package(s): enscript
CVE #(s): CAN-2004-1184, CAN-2004-1185, CAN-2004-1186
Created: January 21, 2005
Updated: May 27, 2006
Description:
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into PostScript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
Alerts:
Comments (none posted)
fbida: insecure temporary file creation
Package(s): fbida
CVE #(s): CVE-2006-1695
Created: April 24, 2006
Updated: May 22, 2006
Description:
The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment
variable is not defined, allows local users to overwrite arbitrary files
via a symlink attack on temporary files in /var/tmp/fbps-[PID].
Alerts:
Comments (none posted)
fetchmail: multidrop bug
Package(s): fetchmail
CVE #(s): CVE-2005-4348
Created: December 20, 2005
Updated: May 27, 2006
Description:
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode.
Alerts:
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description:
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Alerts:
Comments (none posted)
freeradius: authentication bypass
Package(s): freeradius
CVE #(s): CVE-2006-1354
Created: March 24, 2006
Updated: June 5, 2006
Description:
An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote
attackers to bypass authentication or cause a denial of service (server
crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state
machine module.
Alerts:
Comments (none posted)
gdb: multiple vulnerabilities
Package(s): gdb
CVE #(s): CAN-2005-1704, CAN-2005-1705
Created: May 20, 2005
Updated: August 11, 2006
Description:
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
Alerts:
Comments (5 posted)
gdm: improper file permissions
Package(s): gdm
CVE #(s): CVE-2006-1057
Created: April 19, 2006
Updated: May 2, 2007
Description:
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Comments (none posted)
gedit: format string vulnerability
Package(s): gedit
CVE #(s): CAN-2005-1686
Created: June 9, 2005
Updated: February 5, 2009
Description:
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Alerts:
Comments (1 posted)
grip: buffer overflow
Package(s): grip
CVE #(s): CAN-2005-0706
Created: March 10, 2005
Updated: November 19, 2008
Description:
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches.
Alerts:
Comments (none posted)
gzip: arbitrary command execution
Package(s): gzip
CVE #(s): CAN-2005-0758
Created: August 1, 2005
Updated: January 10, 2007
Description:
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Alerts:
Comments (2 posted)
ipsec-tools: denial of service
Package(s): ipsec-tools
CVE #(s): CVE-2005-3732
Created: December 1, 2005
Updated: June 8, 2006
Description:
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all
peer payloads during the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Comments (none posted)
kdebase: local root vulnerability
Package(s): kdebase
CVE #(s): CAN-2005-2494
Created: September 7, 2005
Updated: August 11, 2006
Description:
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Comments (none posted)
kdelibs: kate backup file permission leak
Package(s): kdelibs kate kwrite
CVE #(s): CAN-2005-1920
Created: July 19, 2005
Updated: September 21, 2010
Description:
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Comments (1 posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-2271, CVE-2006-2272, CVE-2006-2274, CVE-2006-2275, CVE-2006-1864
Created: May 12, 2006
Updated: July 13, 2006
Description:
Multiple vulnerabilities in the Linux kernel have been found.
- An error in the Stream Control Transmission Protocol (SCTP) code that
uses incorrect state table entries when certain ECNE chunks are received in
CLOSED state could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
- An error exists when handling incoming IP-fragmented SCTP control
chunks, which could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (infinite recursion and crash) via a packet that contains two or
more DATA fragments, which causes an skb pointer to refer back to itself
when the full message is reassembled, leading to infinite recursion in the
sctp_skb_pull function.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (deadlock) via a large number of small messages to a receiver
application that cannot process the messages quickly enough, which leads to
"spillover of the receive buffer."
- A vulnerability has been identified due to an input validation error
when processing arguments containing backslash ("\") characters passed to
certain commands (e.g. "cd"), which could be exploited by authenticated
attackers to escape chroot restrictions for a CIFS or SMBFS mounted
filesystem.
Alerts:
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
libgadu: memory alignment bug
Package(s): libgadu
CVE #(s): CAN-2005-2370
Created: July 29, 2005
Updated: June 25, 2007
Description:
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu instant messaging client),
which is also included in gaim, a multi-protocol instant messaging client.
This cannot be exploited on the x86 architecture, but on others, e.g.
SPARC, it leads to a bus error, in other words a denial of service.
Alerts:
Comments (none posted)
libgd2: buffer overflows in PNG handling
Package(s): libgd2
CVE #(s): CAN-2004-0990, CAN-2004-0941
Created: October 29, 2004
Updated: June 28, 2006
Description:
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Alerts:
Comments (none posted)
libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description:
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Alerts:
Comments (none posted)
libpng: heap based buffer overflow
Package(s): libpng
CVE #(s): CVE-2006-0481
Created: February 13, 2006
Updated: December 15, 2008
Description:
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
Alerts:
Comments (1 posted)
libtiff: denial of service
Package(s): libtiff
CVE #(s): CVE-2006-2024
Created: April 28, 2006
Updated: May 31, 2006
Description:
Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent
attackers to cause a denial of service via a TIFF image that triggers
errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2)
certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and
(d) tif_zip.c; and (3) improper restoration of setfield and getfield
methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f)
tif_fax3.c, and tif_zip.c.
Alerts:
Comments (none posted)
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Alerts:
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Alerts:
Comments (none posted)
lynx: arbitrary command execution
Package(s): lynx
CVE #(s): CVE-2005-2929
Created: November 14, 2005
Updated: September 14, 2009
Description:
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Alerts:
Comments (none posted)
mailman: denial of service
Package(s): mailman
CVE #(s): CVE-2006-0052
Created: March 30, 2006
Updated: June 9, 2006
Description:
Mailman 2.1.5 and below has a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message
in MIME multipart format is received, mailman delivery
can be stopped.
Alerts:
Comments (none posted)
MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description:
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Comments (2 posted)
mysql: information leaks
Package(s): mysql mysql-dfsg
CVE #(s): CVE-2006-1516, CVE-2006-1517
Created: May 8, 2006
Updated: June 23, 2006
Description:
Stefano Di Paola discovered an information leak in the login packet
parser. By sending a specially crafted malformed login packet, a
remote attacker could exploit this to read a random piece of memory,
which could potentially reveal sensitive data. (CVE-2006-1516)
Stefano Di Paola also found a similar information leak in the parser
for the COM_TABLE_DUMP request. (CVE-2006-1517)
Alerts:
Comments (1 posted)
nagios: buffer overflow
Package(s): nagios
CVE #(s): CVE-2006-2162
Created: May 8, 2006
Updated: May 31, 2006
Description:
A buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before
2.3 allows remote attackers to execute arbitrary code via a negative
content length (Content-Length) HTTP header.
Alerts:
Comments (none posted)
nbd: arbitrary code execution
Package(s): nbd
CVE #(s): CVE-2005-3534
Created: January 6, 2006
Updated: March 7, 2011
Description:
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
Alerts:
Comments (none posted)
ntp: uses wrong gid
Package(s): ntp
CVE #(s): CAN-2005-2496
Created: August 26, 2005
Updated: August 11, 2006
Description:
When xntpd is started with the -u option and the group is specified
as a name rather than a numeric gid, the daemon uses the gid of the
user, not that of the group. This problem is fixed by this update.
Alerts:
Comments (none posted)
openmotif: buffer overflows
Package(s): openmotif
CVE #(s): CVE-2005-3964
Created: December 29, 2005
Updated: July 27, 2006
Description:
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
Alerts:
Comments (none posted)
OpenSSH: double shell expansion
Package(s): openssh
CVE #(s): CVE-2006-0225
Created: January 23, 2006
Updated: July 20, 2006
Description:
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp.
Alerts:
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Comments (none posted)
php: several vulnerabilities
Package(s): php
CVE #(s): CVE-2006-0996, CVE-2006-1494, CVE-2006-1608
Created: April 25, 2006
Updated: May 24, 2006
Description:
There are several vulnerabilities in PHP v5.1.2 and earlier.
- A cross-site scripting (XSS) vulnerability in phpinfo (info.c) allows
remote attackers to inject arbitrary web script or HTML via long array
variables. (CVE-2006-0996)
- A directory traversal vulnerability in file.c allows local users to
bypass open_basedir restrictions and allows remote attackers to create
files in arbitrary directories via the tempnam function. (CVE-2006-1494)
- The copy function in file.c allows local users to bypass safe mode and
read arbitrary files via a source argument containing a compress.zlib://
URI. (CVE-2006-1608)
Alerts:
Comments (none posted)
phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537
Created: December 22, 2005
Updated: February 11, 2008
Description:
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Alerts:
Comments (none posted)
phpldapadmin: cross-site scripting
Package(s): phpldapadmin
CVE #(s): CVE-2006-2016
Created: May 15, 2006
Updated: May 17, 2006
Description:
Several cross-site scripting vulnerabilities have been discovered in
phpLDAPadmin, a web based interface for administering LDAP servers,
that allow remote attackers to inject arbitrary web script or HTML.
Alerts:
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
Package(s): phpmyadmin
CVE #(s): CVE-2005-4079, CVE-2005-3665
Created: December 12, 2005
Updated: November 20, 2006
Description:
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
Alerts:
Comments (none posted)
pound: HTTP Request Smuggling Attack
Package(s): pound
CVE #(s): CVE-2005-3751
Created: January 10, 2006
Updated: June 8, 2006
Description:
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to an HTTP request smuggling attack, which can be exploited to
bypass packet filters or poison web caches.
Alerts:
Comments (none posted)
Py2Play: remote execution of arbitrary Python code
Package(s): Py2Play
CVE #(s): CAN-2005-2875
Created: September 19, 2005
Updated: September 6, 2006
Description:
Py2Play uses Python pickles to send objects over a peer-to-peer game
network, and clients accept without restriction the objects and code sent
by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Alerts:
Comments (none posted)
quagga: multiple vulnerabilities
Package(s): quagga
CVE #(s): CVE-2006-2223, CVE-2006-2224, CVE-2006-2276
Created: May 15, 2006
Updated: July 24, 2006
Description:
Paul Jakma discovered that Quagga's ripd daemon did not properly
handle authentication of RIPv1 requests. If the RIPv1 protocol had
been disabled, or authentication for RIPv2 had been enabled, ripd
still replied to RIPv1 requests, which could lead to information
disclosure. (CVE-2006-2223)
Paul Jakma also noticed that ripd accepted unauthenticated RIPv1
response packets if RIPv2 was configured to require authentication and
both protocols were allowed. A remote attacker could exploit this to
inject arbitrary routes. (CVE-2006-2224)
Fredrik Widell discovered that Quagga did not properly handle certain
invalid 'sh ip bgp' commands. By sending special commands to Quagga, a
remote attacker with telnet access to the Quagga server could exploit
this to trigger an endless loop in the daemon (Denial of Service).
(CVE-2006-2276)
Alerts:
Comments (1 posted)
quake: buffer overflow
Package(s): quake3-bin
CVE #(s): CVE-2006-2236
Created: May 10, 2006
Updated: January 12, 2009
Description:
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Comments (none posted)
rsync: integer overflow
Package(s): rsync
CVE #(s): CVE-2006-2083
Created: May 8, 2006
Updated: June 6, 2006
Description:
An integer overflow in the receive_xattr function in the extended
attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to
execute arbitrary code via crafted extended attributes that trigger a
buffer overflow.
Alerts:
Comments (none posted)
scorched3d: multiple vulnerabilities
Package(s): scorched3d
CVE #(s):
Created: November 15, 2005
Updated: August 11, 2006
Description:
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Alerts:
Comments (none posted)
squirrelmail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CVE-2006-0188, CVE-2006-0195, CVE-2006-0377
Created: February 28, 2006
Updated: June 8, 2006
Description:
Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to
inject arbitrary web pages into the right frame via a URL in the
right_frame parameter. NOTE: this has been called a cross-site scripting
(XSS) issue, but it is different than what is normally identified as
XSS. (CVE-2006-0188)
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to
1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks
via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2)
a newline in a "url" specifier, which is processed by certain web browsers
including Internet Explorer. (CVE-2006-0195)
CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary IMAP commands via newline characters in the
mailbox parameter of the sqimap_mailbox_select command, aka "IMAP
injection." (CVE-2006-0377)
Alerts:
Comments (none posted)
sudo: vulnerability via scripts
Package(s): sudo
CVE #(s): CAN-2005-4158, CVE-2006-0151
Created: December 16, 2005
Updated: September 1, 2006
Description:
Perl and Python scripts run via Sudo can be subverted.
Alerts:
Comments (none posted)
tetex: integer overflows
Comments (none posted)
texinfo: temporary file vulnerability
Package(s): texinfo
CVE #(s): CAN-2005-3011
Created: October 5, 2005
Updated: November 9, 2006
Description:
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Comments (none posted)
tin: buffer overflow
Package(s): tin
CVE #(s): CVE-2006-0804
Created: February 19, 2006
Updated: November 24, 2006
Description:
An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier
which can lead to a buffer overflow.
Alerts:
Comments (none posted)
unzip: long file name buffer overflow
Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description:
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
Alerts:
Comments (1 posted)
vnc: authentication bypass
Package(s): vnc
CVE #(s):
Created: May 16, 2006
Updated: May 17, 2006
Description:
It was possible to bypass vnc authentication in version 4.1.1.
Alerts:
Comments (none posted)
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description:
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c.
Alerts:
Comments (1 posted)
webcalendar: information disclosure
Package(s): webcalendar
CVE #(s): CVE-2006-2247
Created: May 15, 2006
Updated: May 17, 2006
Description:
David Maciejak noticed that webcalendar, a PHP-based multi-user calendar,
returns different error messages on login attempts for an invalid password
and a non-existing user, allowing remote attackers to gain information
about valid usernames.
Alerts:
Comments (none posted)
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-1664
Created: April 27, 2006
Updated: February 27, 2008
Description:
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
Alerts:
Comments (none posted)
X.Org: buffer overflow
Package(s): xorg-x11-server xorg-x11
CVE #(s): CVE-2006-1526
Created: May 3, 2006
Updated: January 10, 2007
Description:
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Comments (1 posted)
xpdf: denial of service
Package(s): xpdf kpdf
CVE #(s): CAN-2005-2097
Created: August 9, 2005
Updated: August 2, 2006
Description:
A flaw was discovered in Xpdf that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
Alerts:
Comments (none posted)
xpdf: integer overflows
Package(s): xpdf, poppler, cupsys, tetex-bin
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 5, 2006
Updated: November 30, 2006
Description:
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Comments (none posted)
xscreensaver: possible password exposure
Package(s): xscreensaver
CVE #(s): CVE-2004-2655
Created: April 11, 2006
Updated: May 24, 2006
Description:
In some cases, xscreensaver did not properly grab the keyboard when
reading the password for unlocking the screen, so that the password
was typed into the currently active application window. The only known
vulnerable case was when xscreensaver activated while an rdesktop session
was currently active.
Alerts:
Comments (none posted)
xzgv: heap overflow
Package(s): xzgv
CVE #(s): CVE-2006-1060
Created: April 21, 2006
Updated: June 12, 2006
Description:
Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate
insufficient memory when rendering images with more than 3 output
components, such as images using the YCCK or CMYK colour space. When
xzgv or zgv attempt to render the image, data from the image overruns a
heap allocated buffer.
Alerts:
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.16.18,
released on May 22 with a
single fix for a remote denial of service problem in the netfilter SNMP NAT
code.
2.6.16.17 was released
on May 20 with a rather larger set of fixes.
The current 2.6 prepatch remains 2.6.17-rc4. Fixes continue to
accumulate in the mainline git repository, however, and it looks like the
-rc5 release could happen sometime soon.
The current -mm tree is 2.6.17-rc4-mm3. Recent changes
to -mm include the big serial ATA
patch set, an S/390 hypervisor filesystem, the Secmark packet filtering
code, a new set of page migration patches, a new framework for hardware
random number generator support, the file_operations read/write
consolidation patch (since dropped until some problems are fixed), and the
UTS namespace patches (see below). The next -mm release will also include
the genirq patch set (see below).
Comments (none posted)
Kernel development news
Guys, a kernel developer who cannot understand that user space is
important should just drop their pretensions of being a kernel
developer, and go play with some toy system like Hurd
instead. There you can say "user space doesn't matter".
-- Linus Torvalds
Comments (11 posted)
Greg Kroah-Hartman has decided that it's time to put an end to people
sneering that Linux lacks a proper device driver development kit. So, he
has created the first Linux DDK. It includes a fresh 2.6.16.18 kernel, a
full copy of LDD3, and copies of all the in-tree kernel documentation. A CD
image can be downloaded from kernel.org.
Comments (11 posted)
James Morris's secmark patches have been circulating for a few weeks now.
Secmark is a new mechanism for filtering network packets through SELinux.
Your editor had pondered writing an article about secmark, but that turns
out to be unnecessary; James did it first.
The idea is to separate labeling and enforcement. Specifically:
use iptables to select and label packets, then use SELinux to
enforce security policy using these packet labels. This utilizes
the expressiveness of iptables rulesets, as well as the flexibility
of any of its many matches and targets, and powerful components such
as connection tracking. At the same time, enforcement of security
policy remains the responsibility of the SELinux AVC, and access
control rules can be meaningfully analyzed as part of overall
SELinux policy analysis.
Read the full article for a detailed description of what secmark does and
how to use it.
Comments (1 posted)
Serge Hallyn recently posted a new version of the UTS namespaces patch.
This code, a small part of
the "lightweight virtualization" or "containers" concept, allows various
bits of system naming information (the stuff which can be seen with
uname, essentially) to differ between sets of processes on the
same system. It may not seem like a big thing, but, as a piece of
container technology which has received the approval of several projects
working in this area, it gives a hint of how the larger problem might be
solved.
Andrew Morton responded with a note praising
the way the work has been done, but asking a fundamental question:
Generally, I think that the whole approach of virtualising the OS
so it can run multiple independent instances of userspace is a good
one. It's an extension and a strengthening of things which Linux
is already doing and it pushes further along a path we've been
taking for many years. If done right, it's even possible that each
of these featurettes could improve the kernel in its own right -
better layering, separation, etc. [...]
All of which begs the question "now what?".
The worry is that the kernel developers could merge a large amount of
non-trivial code, make a number of internal kernel interfaces more
complicated, and still not have an end result that is useful to the
containers community. The fact that the developers working in this area
were able to agree on a patch for UTS namespaces is encouraging, but it is
not a guarantee that consensus will be reached on the more complicated
changes. The possibility of an intractable disagreement derailing the
whole process partway through is a real one.
On the other hand, keeping all of the container code out of the kernel
until it is reasonably complete has its own costs. Some of the container
changes look to be relatively large and intrusive. Maintaining them all
out of the tree would not be a great deal of fun. Neither would merging
the whole mess at some future point when enough developers can agree that
they are "done."
There are a number of features needed by the projects concerned with
virtualization and containers. They include:
- The UTS namespace patch mentioned above.
- PID virtualization,
isolating each group of processes on the system from each other, and
allowing process IDs to be reused between containers.
- Namespaces for SYSV interprocess communication primitives (semaphores,
shared memory, and message queues).
- Time virtualization, so
that each container can have its own idea of what time it is.
- Virtualization of user and group ID values.
- Network namespaces, intended to give each container a specific set of
network interfaces to which it has access. When used in conjunction
with IP aliases, this feature can set up a separate IP address for
each container and keep containers from accessing each others'
traffic.
The ability to virtualize the view of the filesystem through namespaces is
also required, but Linux has had that capability for some years now. Some
of the more advanced container capabilities - live checkpointing and
process migration, for example - will require yet another set of deep
kernel hooks.
Most container concepts need most of the items from the list above to be
able to provide useful isolation. So, somehow, a path must be found to get
those features into the kernel without running into a blocking disagreement
partway through - assuming that container support is considered desirable
in general, of course.
Andrey Savochkin came up with a proposal
which could be a good step forward: implement the network namespaces
feature first. It is one of the most complex features, and it must be
implemented in a way which doesn't upset the highly refined sensibilities
of the networking subsystem developers. Some fairly tricky side problems -
such as virtualizing access to /proc and sysfs - will have to be
solved in the process. All told, it may be the hardest part of the
problem, and it may be the place where an extended disagreement is most
likely to show up.
Often, developers like to take on the easier parts of a problem first,
then apply any lessons learned to the harder parts. In this case, however,
starting with the hardest part may make some sense. If no universally
acceptable solution can be found, the idea of generalized container support
in the kernel can be dropped before too much other code has been merged.
If, instead, the developers involved are able to implement something which
pleases (or, at least, does not mortally offend) everybody, they should be
able to get over any other roadblocks which may show up later on. In that
case, the various pieces of the puzzle could be merged with confidence as
they become ready.
Comments (3 posted)
The Linux kernel has a generic layer for the handling of hardware
interrupts, hidden behind a standard API. There's only one problem: not
all architectures use this layer. In particular, ARM is a holdout. It
seems that interrupt handling in the ARM world is a complicated,
subarchitecture-specific business which does not fit into the current
"generic" code at all, so ARM sticks with its own code - even though there
is a fair amount of overlap with code found in the generic subsystem. But,
even for the architectures which are able to use it, the current IRQ
subsystem has shortcomings which are becoming increasingly apparent.
An attempt to change the situation can be seen in the genirq patch set by Thomas
Gleixner and Ingo Molnar. These patches attempt to take lessons learned
about optimal interrupt handling on all architectures, mix in the quirks
found in the fifty (yes, fifty) ARM subarchitectures, and create a new IRQ subsystem
which is truly generic, and more powerful as well. It is a big patch set
which reworks a great deal of crucially important low-level code. Expect
some interesting discussion before any eventual mainline merge.
After some cleanup work, the patch gets serious with the creation of a new
irq_chip structure. This structure is based on the old
hw_interrupt_type structure, but it includes a rather longer list
of low-level operations. The things for which the kernel can now request
a specific interrupt controller include:
- startup(): enable the interrupt and generally get the
controller ready to handle it.
- shutdown(): completely shut down the interrupt.
- enable(): enable the interrupt.
- disable(): disable the interrupt.
- ack(): inform the controller that the CPU has begun
processing the interrupt.
- end(): inform the controller that interrupt processing is
done.
- mask(): mask a specific interrupt, blocking its delivery.
- mask_ack(): a combination of mask() and
ack() which can be optimized on some platforms.
- unmask(): unmask an interrupt.
- set_affinity(): bind an interrupt to a specific CPU.
- retrigger(): re-create and re-deliver an interrupt.
- set_type(): set the flow type (described below) of the
interrupt.
- set_wake(): enable or disable wake-on-interrupt behavior.
Many of these methods existed previously, but the mask(),
mask_ack(), unmask(), set_type(), and
set_wake() functions are new. With this set of functions, kernel
code can manage interrupt controller chips in a fine-grained manner.
Moving up a level, the existing irq_desc structure, which holds
all of the kernel's information about any specific interrupt, now has a
pointer to an associated irq_chip structure. It also has a new
method, handle_irq(), pointing to the function which actually
handles this interrupt. That, perhaps, is the most fundamental change from
the existing system, which uses a single handler function
(__do_IRQ()) for all interrupts. It is a recognition of the fact
that not all interrupts are equal, so there is little to gain by trying to
deal with them all in a single, big function.
The biggest difference between interrupts is what is called the "flow
type" - a combination of how the interrupt is signaled and how the system
processes it. The genirq patches define these flow types:
- Level-triggered interrupts are active as long as the device asserts
its IRQ line. These interrupts must be masked while being processed,
and can only be unmasked after the device has stopped asserting the
interrupt.
- Edge-triggered interrupts are signaled by a change in the interrupt
line - from low voltage to high, from high to low, or both. These
interrupts do not necessarily have to be masked while being processed,
but, if they are not masked, more interrupts can arrive before the
first has been handled. So the kernel must track "pending"
interrupts, and the interrupt handler must loop until all interrupts
have been dealt with.
- "Simple" interrupts do not require any special control, and can be
processed directly.
- Per-CPU interrupts are bound to a single CPU. They are much like
simple interrupts, but even simpler: since the handler will only run
on one CPU, there is no need for locking.
The current IRQ code attempts to handle all of the above cases in a single,
large routine. The new code, instead, creates a number of flow-specific
handler functions, then sets the appropriate one as the
handle_irq() method in the interrupt descriptor. The result is
code which can be optimized for specific needs, and shorter code paths in
the interrupt system as a whole. If a particular hardware platform has
quirks which are not addressed by the current handlers, creating a new one
is a relatively straightforward task.
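The flow-handler split is easier to see in a small user-space model. The following is an added example, not code from the article or from the genirq patches: a mock interrupt controller records the irq_chip operations invoked by a level flow handler and by an edge flow handler, with the edge case covering an edge that arrives while the handler is still running. The struct layout, the mock chip and the re-entry simulation are assumptions made for illustration.

```c
/* Added user-space model of the genirq design described above: irq_chip ops, an irq_desc
 * with a flow-specific handle_irq(), and level vs. edge flow handlers (assumed names). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct irq_desc;
/* Subset of the irq_chip operations listed in the article. */
struct irq_chip {
    void (*ack)(struct irq_desc *d);
    void (*mask_ack)(struct irq_desc *d);
    void (*unmask)(struct irq_desc *d);
};

/* Per-interrupt descriptor: its controller, the flow-specific handle_irq()
 * method, and the driver's handler (action). */
struct irq_desc {
    struct irq_chip *chip;
    void (*handle_irq)(struct irq_desc *d);
    void (*action)(struct irq_desc *d);
    bool masked;       /* line currently masked at the controller */
    bool inprogress;   /* a handler is running for this IRQ */
    bool pending;      /* edge flow: another edge arrived mid-handler */
    char trace[128];   /* space-separated log of the operations invoked */
};

static void trace(struct irq_desc *d, const char *what)
{
    if (d->trace[0])
        strncat(d->trace, " ", sizeof d->trace - strlen(d->trace) - 1);
    strncat(d->trace, what, sizeof d->trace - strlen(d->trace) - 1);
}

/* Mock controller: each operation only records that it was called. */
static void mock_ack(struct irq_desc *d)      { trace(d, "ack"); }
static void mock_mask_ack(struct irq_desc *d) { d->masked = true;  trace(d, "mask_ack"); }
static void mock_unmask(struct irq_desc *d)   { d->masked = false; trace(d, "unmask"); }
static struct irq_chip mock_chip = { mock_ack, mock_mask_ack, mock_unmask };

/* Level flow: the device holds the line asserted until serviced, so the
 * interrupt stays masked for the whole handler run and is unmasked after it. */
static void handle_level_irq(struct irq_desc *d)
{
    d->chip->mask_ack(d);
    d->inprogress = true;
    d->action(d);
    d->inprogress = false;
    d->chip->unmask(d);
}

/* Edge flow: the line stays unmasked while handling, so an edge arriving mid-handler
 * is noted as pending (and masked until picked up); the handler loops until none is pending. */
static void handle_edge_irq(struct irq_desc *d)
{
    if (d->inprogress) {
        d->pending = true;
        d->chip->mask_ack(d);
        return;
    }
    d->chip->ack(d);
    d->inprogress = true;
    do {
        if (d->masked)         /* re-enable a line masked by a pending edge */
            d->chip->unmask(d);
        d->pending = false;
        d->action(d);
    } while (d->pending);
    d->inprogress = false;
}

/* Driver handler for the model; on its first run it can simulate a second
 * edge arriving while the handler is still executing. */
static int action_runs; static bool simulate_reentry;
static void model_action(struct irq_desc *d)
{
    trace(d, "action");
    if (++action_runs == 1 && simulate_reentry)
        d->handle_irq(d);      /* the "hardware" raises the IRQ again */
}

/* Attach the chosen flow handler (the role set_irq_type() plays in genirq),
 * raise the interrupt once, and return the sequence of operations seen. */
const char *run_irq(void (*flow)(struct irq_desc *), bool reentry)
{
    static struct irq_desc desc;
    memset(&desc, 0, sizeof desc);
    desc.chip = &mock_chip; desc.handle_irq = flow; desc.action = model_action;
    action_runs = 0; simulate_reentry = reentry;
    desc.handle_irq(&desc);    /* the "hardware" raises the IRQ */
    return desc.trace;
}

int main(void)
{
    printf("level: %s\n", run_irq(handle_level_irq, false));
    printf("edge:  %s\n", run_irq(handle_edge_irq, true));
    return 0;
}
```

The edge trace shows the second edge being masked and acknowledged while the first run of the handler is still active, then unmasked and serviced by the loop rather than lost.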
At the kernel API level, the changes are relatively small; changes to
drivers are not generally required. There are a few new capabilities,
however. One is that there are some new flags which can be passed to
request_irq():
- SA_TRIGGER_LOW and SA_TRIGGER_HIGH: treat the
interrupt source as being level-triggered, with interrupts happening
at either the high or low level.
- SA_TRIGGER_FALLING and SA_TRIGGER_RISING: treat the
interrupt as being edge-triggered.
This addition to the API actually happened in 2.6.16, but only the ARM
architecture had any support for it at all. With the genirq patches, all
architectures support these flags, and the appropriate flow handler will be
selected internally. When interrupts are shared, however, all users must
agree on how the triggering will be handled.
It is also possible to change the flow type of an IRQ directly with:
int set_irq_type(unsigned int irq, unsigned int type);
Here, type should be one of IRQ_TYPE_EDGE_RISING,
IRQ_TYPE_EDGE_FALLING, IRQ_TYPE_EDGE_BOTH,
IRQ_TYPE_LEVEL_HIGH, IRQ_TYPE_LEVEL_LOW,
IRQ_TYPE_SIMPLE, or IRQ_TYPE_PERCPU. Calling this
function has the same effect as specifying the trigger type with
request_irq(), but it offers a wider range of possibilities. It
also does not check for compatibility with any other users of a shared
interrupt, so a certain potential for confusion exists.
Some devices can generate interrupts which should wake up the system from a
suspended state. Wake-on-LAN behavior in network adaptors is one example;
allowing the keyboard to wake the system is another. Kernel code can
enable or disable this behavior in the interrupt controller with:
int set_irq_wake(unsigned int irq, unsigned int on);
An error code will be returned if the chip-level controller does not
implement this operation.
There has been a relatively small amount of discussion so far; the biggest
objection seems to be a claim that the
separate flow handlers are an unnecessarily complex addition. The decision
on whether genirq is merged very likely depends on whether the ARM
maintainers are willing to drop their architecture-specific IRQ
implementation and move to the new, generic version. Without that, the
genirq code, which contains a lot of work aimed specifically at ARM's
needs, will not truly be a generic solution. In the meantime, genirq has
found its way into the -mm tree.
Comments (none posted)
The kernel has long used "tainting" as a way of noting that something has
happened which may affect the stability of the system. Should a kernel
oops occur, the resulting kernel trace includes information on the kernel's
taint status. This information can then be used by developers to ask hard
questions about what was really going on. The taint flag was originally
added to flag the use of binary-only kernel modules, but its use has grown
since then. Events which will taint a current kernel include the forced
removal of a module, loading a module without proper (or matching) version
information, or running an SMP kernel with processors not designed for
SMP operation. Machine check exceptions and certain kinds of memory
management errors will also result in a tainted kernel.
A recent patch by Ted Ts'o
expands the taint concept in an interesting way. It adds a new file
(/proc/sys/kernel/tainted); should user space write to that file,
the kernel will be marked tainted with the new "U" flag. The
idea, says Ted, is to flag "when userspace is potentially doing
something naughty that might compromise the kernel." It took a few
more questions before the real
truth of the matter came out:
The problem is that the Real-Time Specification for Java (RTSJ)
**requires** that the JVM provide class functions which provide
direct access to physical memory; all physical memory. In fact,
the RTSJ compliance test explicitly checks for this; it requires
that you give the compliance test the address of a few hundred megs
of physical memory for the test. The absolutely hilarious bit
about all of this is that the same customer who wants RTSJ
compliance because of federal procurement regulations is also
interested in using SELinux.
The idea of using SELinux on a system where Java code is free to mess
around with physical memory does involve a fair amount of cognitive
dissonance. But The Customer Is Always Right, so Ted is making this work.
Not entirely willingly, though:
In fact, I was so unhappy about being forced by the RTSJ
specification to do this insane thing that I wanted to make sure
that if it were ever used, it would set a TAINT flag to warn people
that just about anything unsane could have happened, and the
system's stability was at the mercy of the competence of Java
application programmers.
Nobody has stepped forward to say that the kernel should not be tainted in
such a situation. Instead, one might almost be able to merge a patch
causing the kernel to emit scary horror-movie sounds as well.
There appears to be general agreement that this patch makes sense;
certainly there are plenty of situations where user-space actions might
affect the stability of the system. There was one request for a log
message to be stored with the user-space taint flag so that the reason for
its presence would be more clear later on. A concern was also raised that
some distributions were using the "U" flag for other reasons (to
flag the presence of "unsupported" modules), though it is not clear that
this is actually happening. Collisions over the use of taint flags could
indeed create confusion, so Dave Jones has suggested that any taint flags
used in out-of-tree code should at least be documented with a comment in
the mainline kernel. Whether any such flags exist remains to be seen,
however.
Comments (19 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
There was some discussion this week on the Fedora-devel list about the
schedule for Fedora Core 6. You can find the thread
here.
Fedora Core releases 1 through 4 had a (roughly) six month development
cycle, but for FC5 the schedule was extended by an extra three (plus)
months. Now that FC5 is out there has been a bit of confusion about the
FC6 timeline.
Fedora was always envisioned as a fast-paced distribution. Some of the
major packages used by Fedora (GNOME, X.org, OpenOffice.org) are on six
month schedules. Having a Fedora release on a six month schedule means new
versions of these packages for every release. This is convenient for those
who like their desktop to run with the latest and greatest software.
While some people preferred the longer timeline of FC5, others didn't care
about the length of the schedule, but they did want it to be predictable
(e.g. predict now when we might expect the FC10 release).
Most people agreed that six months is the right schedule for most Fedora
releases, with the flexibility to change as needed, and that's what we can
expect in the future.
Comments (1 posted)
New Releases
The downloadable DVD version of SUSE Linux 10.1 is now available for the
x86 and x86-64 architectures. The DVD contains the packages of the 5 CDs
and the Addon CD.
Full Story (comments: none)
Distribution News
Mandriva has launched Mandriva Kiosk, a Web-based one-click software
installation service. "This new online service provides access to the
latest versions of the most popular applications through a simple
installation process, so that anyone and everyone can benefit from a
personally tailored system."
Full Story (comments: none)
There was an informal BoF at DebConf to discuss cross-team issues related
to the kernel. Topics discussed include which kernel to release with Etch,
kernel updates during Etch lifetime, dropping 2.4 from Etch, non-free
modules + firmware, external module packages, divergence between linux-2.6
packaging and kernel-package behavior and kernel udeb creation process.
Full Story (comments: none)
Steve McIntyre reports that irc.debian.org is moving to OFTC, the Open and
Free Technology Community, and away from Freenode. "For a long time,
irc.debian.org has been provided as a service by Freenode, the well-known
Free Software friendly IRC network. However, as time has passed, more and
more of our discussions have instead been taking place on OFTC, the Open
and Free Technology Community. In recognition of that, we have decided to
move the irc.debian.org alias over to use OFTC. OFTC is also a sister
organisation of Debian, as both are supported and represented by Software
in the Public Interest, Inc." The change will take place on Sunday
June 4.
Full Story (comments: none)
Kororaa developer Chris Smart
responds to
charges of GPL violation. "Thirdly, I did not announce this
email through fear of being sued, but because I wanted to know the truth
and what the options are. I want it to be clear that Kororaa, being a GPL
project, must fully comply with the GPL. The question is whether including
the nVidia and ATI drivers constitutes a violation and as we have all seen,
it's not an easy answer. It appears everyone has their own opinion on
whether this is or isn't a violation and are quick to draw
conclusions. No-one has really looked at this objectively, however."
Comments (33 posted)
Rock Linux is working toward a new release; a
roadmap has been posted showing how the project developers expect things to go.
Full Story (comments: none)
The Ubuntu release team, the Canonical business department and others have
decreed that the next round of daily CD image builds will be renamed.
"
Instead of "dapper-live-*", there will be "dapper-desktop-*",
reflecting the rename to "desktop CD" that we started at the Dapper Beta
release to indicate that the live CD is now also installable."
Full Story (comments: none)
New Distributions
The first release of the Safedesk Terminal Server Project is available for
download. "STS is a new open source project to develop a Linux
thin-client server based on Debian Live Net.
This is the first Linux terminal server to
offer local USB storage, sound and streaming video support and the
design allows one server with a gigabit port to serve as many as 100+
clients at a time. This release contains a full GNOME-based desktop with
OpenOffice, OpenClipart, GIMP, Inkscape, GAIM, and F-Spot plus the usual
GNOME applications. It can be fully customized, including the installation
of KDE."
Full Story (comments: 1)
Distribution Newsletters
The Debian Weekly News for May 23, 2006 looks at a successful install of
NetBSD 3 inside the new Xen 3 virtual machine monitor available in Debian
unstable, library packages with debugging capabilities, daily builds of the
graphical installer, Sun Java distributed by Debian, DebConf6 successfully
finished, a Project Leader report, and more.
Full Story (comments: none)
This week the Fedora Weekly News covers Red Hat Magazine May 2006, Changing the way that
Development lands, New ticketing system for the Fedora Project, Fedora
Board chair looks ahead, Documentation leadership grows, The gift that
keeps on giving, Unofficial FAQ Update: 2006-05-11, Phoronix: Fedora
Rawhide 2006-05-16, and several other topics.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of May 22, 2006 covers GCC 4.1 to be
added this week, Summer of Code update, old-style PHP packages removed from
the tree, reports from Milan and Graz events, managing overlays with layman
and more.
Comments (none posted)
This is the first Kubuntu newsletter, keeping you up to date with
current Kubuntu development. Read on for Shipit CDs, LinuxTag and the
Kubuntu Council.
Full Story (comments: none)
Issue #120 of the Mandriva Community Newsletter has been published.
Also, a new release of the e-magazine
Mandriva Linux Inside (pdf) is out.
Full Story (comments: 3)
The DistroWatch Weekly for May 22, 2006 is out. "Lots of activity on the
Mandriva front - the new Kiosk, public release of Mandriva One, and many
Cooker updates hint at the beginning of an exciting new beta testing period
for the French distribution maker. In other news, we link to a number of
interesting SUSE articles, inform about a much improved new version of
Debian's APT, provide an update on the Kororaa controversy, and say
good-bye to both Libranet and FreeBSD's Alpha port. In the Interviews
section, we talk to Miklós Vajna, the project founder and lead developer of
Frugalware Linux."
Comments (none posted)
Package updates
Updates for Fedora Core 5:
psmisc
(sync with upstream),
policycoreutils (bump
for FC5),
pirut (bug fixes),
ntp (bug fixes),
libstdc++so7 (fix ppc target in wrapper
script),
scim (rebuild against new
libstdc++so7),
scim-anthy (rebuild),
scim-chewing (rebuild),
scim-hangul (rebuild),
scim-m17n (rebuild),
scim-pinyin (rebuild),
scim-tables (rebuild),
vnc (not specified),
tog-pegasus (bug fixes),
avahi (bug fixes),
lftp (upgrade to 3.4.6),
librsvg2 (update to 2.14.4),
libraw1394 (update to 1.2.1),
mcelog (update to 0.7),
xen (updated and patched),
xen (update userspace tools to 3.0.2-2),
hal-cups-utils (fix the CUPS 'hal' backend
location),
system-config-printer (bug
fixes),
cman-kernel (update to
2.6.16-1.2122_FC5),
dlm-kernel (update to
2.6.16-1.2122_FC5),
GFS-kernel (update to
2.6.16-1.2122_FC5),
gndb-kernel (update to
2.6.16-1.2122_FC5),
system-config-securitylevel (bug fix),
selinux-policy (bump for FC5),
cups (fixes some bugs in 1.2.0).
Updates for Fedora Core 4: vnc
(really fixed authentication), ntp (update
to stable-4.2.0a), system-config-services
(use pam_stack), mcelog (update to 0.7).
Comments (none posted)
Fedora Extras has updated
kphone (security fix) for
FC3,
FC4 and
FC5.
Comments (none posted)
Mandriva has updated gstreamer-plugins that fix an audio CD bug.
Full Story (comments: none)
Updates for rPath Linux 1: conary (1.0.15 maintenance release),
gvim (bug fix
for x86_64),
ypbind (bug fix),
system-config-network (bug fix),
cups (remove execute permission for
/etc/logrotate.d/cups),
system-config-securitylevel (separate multiple
components),
libao (move plugins for
better dependency resolution),
group-core
(group-core now contains system-config-securitylevel).
Comments (none posted)
Slackware has linux-2.6.16.18 packages in testing, a few new packages and
lots of updated packages. Click below for this week's slice of the change
log.
Full Story (comments: none)
Trustix has updated squid, fixing various bugs.
Full Story (comments: none)
Newsletters and articles of interest
In this article on Linux Forums, one man searches for a Linux distribution
for an old laptop. "I am faced with a challenge: I need to find a Linux
distribution that is both small enough, efficient enough and easy enough to
maintain for my laptop. Realizing that all Linux distributions are not
created equal, I did my research and was able to narrow my list to a
handful of distributions that may be suitable for my needs and my
laptop. Throughout the course of this article, I am going to test each of
these distributions on my laptop and discuss my experiences. I will attempt
to install and evaluate each distribution for a period of a couple of
days. Based on my findings, I will select the distribution that best suits
my needs."
Comments (none posted)
This edition of the Jem Report covers the addition of (non-free) software
to SUSE Linux 10.1 OSS. "When
you're done installing SUSE Linux 10.1 OSS, your desktop system is not
complete. You might still need support for Java programs, MP3 audio files,
and browser plugins for Macromedia Flash, Adobe Acrobat, RealPlayer, and
Windows Media Video. You may also want to add support for playing DVD
videos on your computer, and to try out the new XGL graphical toys. Here's
how to effectively make SUSE Linux 10.1 into the perfect desktop
OS."
Comments (none posted)
NewsForge hears from a fan of Fedora Core 5. "I like playing with the newest
software games, toys, and applications. At the same time, I have work to
do, and I need a solid, stable platform that I don't have to babysit. As a
full-time blogger and part-time Web programmer, I need a wide variety of
tools at my disposal, and I frequently need the latest versions of
available software. Balancing stability against the bleeding edge is a
difficult trick, and that's why Fedora Core 5 is my desktop OS."
Comments (none posted)
Distribution reviews
Joe Barr reviews SUSE 10.1. "With SUSE 10.1, Novell has embraced and extended its
role as the leading desktop distribution. Given the amount of eye-popping
eye candy and playtime 3-D effects available on this desktop, it's easy to
forget that Novell is all about bringing Linux to the corporate -- not the
home -- desktops. Yes, the money is all in the server market these days,
but after the revolution Linux will inherit its rightful share of desktops,
too."
Comments (none posted)
MadPenguin reviews SUSE Linux 10.1. "I've said it before and I will say it again: SUSE
Linux is one of the most polished desktops on the market today. It just
is. You can argue that your favorite distro is better for one reason or
another but you cannot deny that SUSE is one sexy desktop. They spend some
quality time making sure everything looks like it belongs and fits together
like an intricate puzzle. Even the splash screens to applications such as
GIMP and OpenOffice.org visually fit right in."
Comments (1 posted)
Joe 'Zonker' Brockmeier reviews the GParted live CD on Linux.com. "Need a way to resize NTFS partitions, mirror disk images, or otherwise muck about with disk partitions -- and don't want to use a proprietary package like Partition Magic? If so, the GNOME Partition Editor (GParted) is an excellent open source tool for the task. The GParted team released the GParted live CD version 0.2.4-2 this month, so I decided it was a good time to take GParted for a spin.
GParted handles Ext2, Ext3, FAT16, FAT32, JFS, ReiserFS, Reiser4, NTFS, XFS, and other filesystem formats. At a bare minimum, GParted can detect, read, copy, and create partitions using those file systems -- and, in some cases, can shrink, expand, and move partitions."
Comments (11 posted)
Here is a brief review of Ubuntu/Kubuntu. "I decided to try out Linux again. A
couple years ago I gave SUSE Linux a shot for the desktop, and it was not
quite ready for primetime. UI elements were all over the place, the system
would not always respond as intended, it was a bit messy. Today I thought
it would be fun to try Ubuntu and Kubuntu Linux (GNOME and KDE
respectively). I could not remember which I liked better, so I gave them
both a shot. My setup is a Fujitsu TabNote 4020d."
Comments (none posted)
DesktopLinux takes a quick look at Puppy Linux. "Australia-based Puppy's most redeeming
feature is that it has a small footprint yet is full-featured, including
all sorts of configuration and application installation wizards. Puppy can
boot from a 64MB thumb drive, and the whole OS is small enough to run
directly from system RAM. The result is that all applications start quickly
and respond to user input instantly. Another advantage is that Puppy can
often be a great choice for older, under-powered hardware."
Comments (none posted)
Page editor: Rebecca Sobol
Development
X11R7.1, the "First Modular Source Code Roll-up Release of the X Window
System", has been announced by the X.Org Foundation. The Modular concept of
X11R7 is explained:
All X11R7.0 derivative ("modularized") releases divide the source code into
logically distinct modules, separately developed, built, and maintained by
the community of X.Org developers. This concentrates and accelerates
development time, supporting continuous modification, testing, and
publication of each module. The new modular format offers focused
development, and rapid and independent updates and distribution of tested
modular components as they are ready, freed from the biennial maintenance
release timetable. These changes in source code management, giving openness
and transparency to the source code base and employing current technology,
invite a new generation of developers to contribute, building on the long
tradition of the X Window System.
The X11R7.1 release notes detail the recent changes in the new release;
they include:
- Improvements to the new EXA acceleration architecture.
- Integration of the kdrive DDX system for low memory footprint embedded X servers.
- Accelerated indirect GLX clients with support for hardware acceleration.
- A new GLX_EXT_texture_from_pixmap extension for improving OpenGL rendering.
- Improvements to screensaver blocking functions.
- Early support for redirecting video to off-screen surfaces.
- Operating system support enhancements for Linux and other platforms.
- Improvements to the keyboard mappings, support for the new xkeyboard-config project.
- Support for the XVideo Extension (Xv), allowing improved YUV color support.
- The addition of Anti-Aliased text support to some core X11 applications.
- Numerous video driver enhancements.
- Bug fixes and other improvements.
The Overview of X11R7.1 document gives a general view of the
operation of X11R7. It also mentions the complete rewrite of the
Xinerama extension, which is an improved system for managing multiple
physical screens. Numerous changes to the text font system are
covered as well.
Major releases of X11 are scheduled for six month intervals.
X11R7.2 should come out "around November" of 2006.
The detailed release schedule mentions the target dates for the
upcoming X11R7.2 release candidates.
The
changes for X11R7.2 document lists what is to come in the next
release.
Planned changes include support for new platforms, the addition of new
run-time configurable variables, changes to the loader mechanism, expansion of the Xinerama extension, deprecation of unused features, general code cleanup and bug fixes.
Congratulations go to the X.Org team for keeping this complicated
and critical piece of software up to date with the evolving hardware
and software needs.
Comments (3 posted)
System Applications
Database Software
The May 21, 2006 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Embedded Systems
Stable version 1.1.3 of
BusyBox, a condensed collection
of command line utilities for embedded systems, is out.
"
BusyBox 1.1.3 is another bugfix release. It makes passwd use salt, fixes a memory freeing bug in ls, fixes "build all sources at once" mode, makes mount -a not abort on the first failure, fixes msh so ctrl-c doesn't kill background processes, makes patch work with patch hunks that don't have a timestamp, makes less's text search a lot more robust (the old one could segfault), and fixes readlink -f when built against uClibc."
Comments (none posted)
Printing
Version 1.2.1 of CUPS, the Common UNIX Printing System,
has been announced.
"
CUPS 1.2.1 fixes several build, platform, and printing bugs."
Comments (none posted)
Telecom
Nokia has
announced the release of its "S60 WebKit" under the BSD license. "
Nokia's open sourcing of the engine to its high-performance S60 mobile
browser, which replicates on handheld devices the true web-page rendering
of complete desktop browsers, marks the start of a collaborative open
source effort that will enable smartphone users industry-wide to push
beyond the millions of mobile-friendly pages currently on the web and begin
to experience full web browsing of the estimated 25 billion pages on the
Internet today."
Comments (18 posted)
Web Site Development
Version 4.39 of
DataparkSearch Engine is available.
"
DataparkSearch Engine is a full-featured open source web-based search engine released under the GNU General Public License and designed to organize search within a website, group of websites, intranet or local system. DataparkSearch consists of two parts. The first part is the indexing mechanism (indexer). The indexer walks over html hypertext references and stores found words and new references into a database. The second part is a web CGI front-end to provide search using data collected by the indexer."
Comments (none posted)
Miscellaneous
Version 4.3.0 of HylaFAX, a fax modem control application,
has been announced.
"
This release introduces several powerful new features to HylaFAX, and so we encourage you to check it out. No release would be complete without bugfixes of course, and this one has plenty. As always, our sincerest thanks go to all who participate in the development and testing process."
Comments (none posted)
Desktop Applications
Audio Applications
KDE.News has
the release announcement for amaroK 1.4, dubbed "fast forward." "
Fast Forward comes with improved media device support, featuring enhanced iPod support that handles the latest iPod devices, support for IFP/IRiver devices, a new plugin for generic media devices, and the ability to handle as many of these devices as you'd like."
There's a lot more, see
the "what's new" page for a full list.
Comments (none posted)
Version 0.3.0 of aubio, an audio labeling library, is out with new
features and documentation.
"
aubio is a library
for audio labelling. The goal of this project is to provide automatic
feature extraction algorithms to other audio software projects. Features
include onset detection, beat tracking, and pitch detection. Functions
can be used offline in sound editors and software samplers, or online in
audio effects and virtual instruments."
Full Story (comments: none)
Chris Cannam has announced version 0.9 of his
Sonic Visualiser project.
"
Sonic Visualiser contains advanced waveform and spectrogram viewers,
as well as editors for many sorts of audio annotations. Besides
visualisation, it can make and play selections based on the locations
of automatically detected features, seamlessly loop playback of single
or multiple noncontiguous regions, synthesise annotations for playback,
and slow down playback while retaining display synchronisation."
Full Story (comments: none)
CAD
Release 31 of PythonCAD, a scriptable drafting program, has been announced.
"
The latest release features improvements to the entity splitting
code and a new split operation, automatic entity splitting. The
splitting code has been rewritten which fixed several bugs while
making the code simpler and clearer to understand. The new autosplitting
code is a feature that, when activated, will make the program
split existing entities in a drawing when a newly added point
lands on the entity."
Full Story (comments: none)
Data Visualization
Version 1.05 of Asymptote
is out with lots of new features.
"
Asymptote is a powerful script-based vector graphics language for technical drawing, inspired by MetaPost but with an improved C++-like syntax. Asymptote provides for figures the same high-quality level of typesetting that LaTeX does for scientific text."
Comments (none posted)
Bug fix release 5.6.1 of PLplot, a data plotting application,
has been announced.
"
This release corrects a number of outstanding issues with plplot that were
discovered subsequent to the 5.6.0 release. It represents the ongoing efforts
of the community to improve the PLplot plotting package."
Comments (none posted)
Desktop Environments
Version 2.15.2 of GNOME has been announced.
"
This is our second development release on our road towards GNOME 2.16.0,
which will be released in September 2006. GNOME 2.15.2 works well and
you should definitely try it to see how well it works."
Full Story (comments: none)
Version 2.15.2 of GARNOME, the bleeding edge GNOME distribution, is out.
"
This is the second release in the unstable cycle, with more features,
more fixes and yet more madness added. It is for anyone who wants to get
his hands dirty on the development branch, or who'd like to get a peek
at future features. If you want to help spot issues in GARNOME, (or,
better yet, fix 'em ;-) this release is for you as well."
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
KDE.News has
the announcement of the latest
quarterly report from KDE e.V. [PDF]. It covers a wide range of activities within the KDE community, including the creation of a number of working groups, trademark management, and more.
Comments (none posted)
KDE.News
has announced
the availability of the May 21, 2006
KDE Commit-Digest.
"
In this week's KDE Commit-Digest: Huge optimisations in ksysguard. Solid switches to CMake. aRts, KPDF removed in trunk/, whilst oKular continues to be developed as its replacement. amaroK gets support for Creative Zen devices. coreapps/ module created (as proposed on kde-core-devel). More work on supporting Intel compilers."
Comments (none posted)
Desktop Publishing
Version 1.0 of jLibrary
has been announced.
"
jLibrary 1.0 final has been released. jLibrary is the first Open Source
Document Management System based on Eclipse Rich Client Platform. It uses a
backend based on the JSR-170 reference implementation, Apache Jackrabbit, and
can run on any J2EE compliant application server like jboss, Geronimo, or
even Apache Tomcat."
Comments (none posted)
Electronics
Version 0.34 of
Gnucap,
the Gnu Circuit Analysis Package, has been announced.
"
This is primarily a bug fix and compatibility release."
Comments (none posted)
Financial Applications
Version 2.6.11 of SQL-Ledger, a web-based accounting system,
has been announced. It features a fix to the purchase order date code.
Comments (none posted)
Games
Version 0.2.2 of EntityForge, a 3D graphical media display, animation
and manipulation tool from the WorldForge game project,
has been announced.
"
The code has been updated for the latest versions of cal3d,
gtkglextmm and sigc++."
Comments (none posted)
GUI Packages
The Gideon Designer GTK+ GUI builder project will offer new language
support.
"
Gideon Designer will support languages other than C++. This will be achieved by means of a new language-independent library, GuiLoader, and its language bindings. The library is intended to parse GuiXml files (Gideon save format) and create widgets at run-time by request of a client application."
Full Story (comments: none)
Version 0.8.2 of PythonCard, a cross-platform Python GUI designer,
has been announced.
"
Release 0.8.2 includes over 50 sample applications and tools to help users build applications in Python, including codeEditor, findfiles, and resourceEditor (layout editor).
New samples include a US-UK converter and a Sudoku solver. There are a new set of "convenience" functions to assist in creating pop-up menus and some commonly used custom dialogs (usage of these is demonstrated in the Sudoku sample, as well as in a new sample "helpful wrappers")..."
Comments (none posted)
Imaging Applications
Version 0.5 of the Xara Xtreme drawing tool (
briefly reviewed here last
March) is now out. "
There has been substantial progress since the previous 0.4 stable release.
All tools are now fully functional with most menu options and some galleries
also completed. Xara recently passed build number 1000, representing more
than 1000 patches, submissions and fixes to the public code repository."
Full Story (comments: 1)
Interoperability
Version 0.9.13 of Wine
has been announced.
Changes include:
- New GPhoto backend for TWAIN
- Dynamic drive configuration using HAL
- A gazillion Direct3D fixes
- New TCP transport for RPC
- Lots of bug fixes
Comments (2 posted)
GnomeDesktop.org has
an announcement
for the new Wine-doors project. Wine-doors allows Win32
applications to be run on Unix through the wine compatibility layer.
"
Wine-doors provides a yum style interface for management of windows applications and libraries on UNIX, allowing the user to specify multiple repositories and retrieve information about applications before installing them using xml descriptions in PackLists and ApplicationPacks. Wine-doors also keeps track of installed applications and allows the community to manage ApplicationPacks to ensure smooth installation and execution on linux also providing desktop entries ensuring adequate shell integration with the gnome/kde desktops."
Comments (none posted)
Medical Applications
LinuxMedNews
looks at
the Eclipse Open Healthcare Framework project.
"
Eclipse is a highly regarded Free and Open
Source, cross-platform, Java-centric, Integrated Development Environment
(IDE). According to the project proposal page the goal of OHF: '...is to
extend the Eclipse Platform to create an open-source framework for building
interoperable, extensible healthcare systems. We also intend to develop a
complementary set of exemplary tools. OHF will enable software providers and
integrators to cost-effectively create customized offerings for healthcare
delivery organizations that comply with government regulations and industry
standards."
Comments (none posted)
Office Suites
KDE.News has
an announcement
for KOffice 1.5.1.
"
The KOffice team today released the first bug-fix release in their 1.5 series. Critical bugs in KSpread, KWord and Krita were fixed, thanks to the helpful input of our users. We also have updated languages packs."
Comments (none posted)
Video Applications
The first alpha release of the Dirac codec - a free, high-quality video
codec developed by the BBC - is available. "
Be aware that the files
created by the encoder are not 100% valid Dirac
files so any files created at this point might not work with future
versions of the decoder or with other decoder implementations like the
C++ one from the BBC. Be also aware that performance is slow at this
point as very little optimization work is done so only high performance
computers will be able to playback created files smoothly." The
codec is licensed under the MPL, the GPL, the LGPL, and the MIT license, so
there should be a satisfactory choice for almost anybody.
Full Story (comments: 11)
Miscellaneous
Stable version 2.3.0 of pari, a cross-platform computer algebra system,
is available.
"
This is a major STABLE release, ending the 2.2.* development
cycle, which started about 5 years ago. For those still using pari-2.1.*,
it is time to upgrade!"
Full Story (comments: none)
Languages and Tools
Caml
The May 23, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Java
The latest changes to
GCJ,
the GNU Compiler for Java, include support for the HP-UX PA platform
and support for the GNU Classpath 0.91 library.
Comments (none posted)
Version 1.0.0-PR3 of SwingSet, an open-source Java toolkit with
standard Java Swing component replacements, is out.
"
SwingSet 1.0.0 Preview Release 3 is the first new release of SwingSet in
over a year. This release adds extra functions to the SSDBNav interface
to give more control to the programmer to create & manage different
events on the DataNavigator. A number of new classes have also been
added in the formatting package, and work continues to finalize &
document this package and its subpackages."
Full Story (comments: none)
The Harmony Project - which just saw its first birthday - is working to
develop an entirely free Java implementation. At JavaOne, Harmony hacker
Geir Magnusson
announced that Harmony is
about to receive a substantial code donation from Intel: a complete
implementation of the Swing/AWT user interface toolkits. This code takes
Harmony much closer to its goal of creating a fully compatible Java
environment. (See also:
Danese
Cooper's post on Sun and Java).
Comments (21 posted)
PHP
Version 1.0.0-pre2 of the PHP Yadis Library has been announced.
"
This release includes bug-fixes and more unit tests."
Full Story (comments: none)
Python
The May 22, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The May 22, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Adrian Holovaty
uses XML to format news stories.
"
I like structured data. My favorite projects tend to be those that deal with, and exploit, structured information: events, restaurants, crime, and political information.
But one thing that's always bothered me is that the bread-and-butter of my chosen field, journalism, is relentlessly unstructured. The primary product of journalists -- the news story -- is just a giant blob of text."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Groklaw
reports
that the Open Invention Network has bought some new patents, with the
express purpose of protecting Linux. "
Anyone can license them
royalty-free, so long as they agree not to assert patents against "the
Linux environment." These three are added to the 39 valuable web services
patents that OIN got from Commerce One last December, and there are two
more patents announced that have issued from that purchase."
Comments (1 posted)
NewsForge
looks
at the Open Source Lab at Oregon State University in Corvallis.
"
"Gentoo wouldn't be where it is today without the support of the
OSL," says Gentoo Linux Board Member and Infrastructure Lead Kurt
Lieber. "They've been a long-time supporter of ours, offering free hosting,
bandwidth, use of hardware, etc. They've also established a very robust,
scalable mirror infrastructure with ~1Gbps of capacity. We rarely have
download issues now when we release new versions of Gentoo." Lieber says
OSL services have been exemplary, "and in fact, it's better than what I
would expect from commercial vendors in a lot of respects."
Comments (5 posted)
Trade Shows and Conferences
NewsForge
reports
on DebConf6. "
In many ways, Debian is more of a social movement than
a free software distribution. One of the greatest tenets of this movement
is that quality control is more important than release schedules, feature
requests, and even usability. If a free software package is accepted as one
of the 15,000+ currently supported as part of the main Debian distribution,
it is a virtual guarantee that it is stable, does what it is supposed to
do, and interacts correctly with other Debian-endorsed software packages. A
free software developer -- individual or corporate -- whose work becomes
part of Debian can rightfully point to that inclusion with pride."
Comments (2 posted)
NewsForge has
a report and pictures from the anti-DRM protest at WinHEC. "
As chilly Seattle rain drifted down, the 'DRM Elimination Crew' marched back and forth in their suits, handing out brochures like 'Microsoft Vista - DRM'd and Defective By Design,' 'DRM IS Digital Restrictions Management,' and 'Restricting you the User,' to curious passers-by."
Comments (3 posted)
Companies
The Salt Lake Tribune
covers Linux Networx.
"
Over the past month, [Linux Networx] has contracted with NASA and
now ATK Launch Systems for customized editions of some of its most advanced
creations. Terms, including expected installation dates and costs, were not
disclosed. But the deals likely run into the millions of dollars."
Comments (none posted)
eWeek
reports on Sun's moves toward supporting the Eclipse development
platform.
"
Sun Microsystems and the Eclipse Foundation are actively working together after years of competition and grudging respect for each other's efforts.
In an interview May 17 at the JavaOne conference here, Mike Milinkovich, executive director of the Eclipse Foundation, said Eclipse has recognized its first committer to an Eclipse project from Sun.
"As of today we have our first committer from Sun," Milinkovich said. "They have committed code for the Eclipse platform for enabling SWT [Standard Widget Toolkit] for the Solaris x86/Motif.""
Comments (2 posted)
Linux-Watch
takes a look
at how Canonical makes money with Ubuntu. "
Specifically, Shuttleworth
has said, in his Ubuntu wiki, that Canonical "will never introduce a
'commercial' version of Ubuntu. There will never be a difference between
the 'commercial' product and the 'free' product, as there is with Red Hat
(RHEL and Fedora). Ubuntu releases will always be free." However, "There
are proprietary apps that are certified for Ubuntu. Some
Ubuntu-derivatives, like Impi (a South-African customized business Linux
distribution) are targeted toward vertical markets that demand specific
software, currently proprietary, which they bundle.""
Comments (2 posted)
Linux Adoption
LinuxDevices
looks at Iomega's switch to Linux on one of its NAS devices.
"
Iomega has switched its wireless network attached storage (NAS) system from Windows Storage Server 2003 to Linux, and dropped the price from $1,300 to $900. It has also reduced RAM from 256MB to 64MB, and added wireless access point capabilities and automated USB camera downloads, reports ExtremeTech in an in-depth review of the "StorCenter 1TB.""
Comments (1 posted)
Linux at Work
ZDNet
looks at the latest OLPC prototype. "
Other details about progress on the systems appeared on the OLPC site over the weekend. For instance, a team from Linux vendor Red Hat has trimmed the software distribution from 400MB to about 250MB, uncompressed. 'There is still low-hanging fruit left to pull out of the image, including bitmap fonts we don't use (7MB), the X font server (1MB) and Perl (30MB),' the site says."
Comments (25 posted)
Legal
New Zealander Peter Calveley
is challenging Amazon.com's one-click shopping patent, according to
NewsForge.
"
Calveley got irritated with Amazon last year when, he claims, the company took too long to ship a book he ordered and paid for. "They insisted that they sent it via UPS but there was no tracking number," he writes in a blog entry. "UPS, when I called them, insisted that there had to be a tracking number!" A few weeks later he received the book, but felt that the slow delivery merited revenge in the form of "utu," an ancient part of Maori Law, which says that exacting payment from others for wrongdoing is an obligation."
Comments (none posted)
Interviews
KDE.News
introduces this
People Behind KDE
interview with
José Nuno Coelho Sanarra Pires. "
When did you first hear of
KDE? I first heard of KDE about 1997, when I was at the
University. At that time, I was getting tired of using the simpler window
managers on Linux (fvwm, twm, and so on) and I started looking for some
desktop environment which could at least be a little bit similar to
Windows. When I started to investigate something about it, I saw the
Trolltech's page for Qt and then I saw some info about a project which was
getting born at that time, KDE. When I saw the screenshot, I said: "That's
it; this is something that deserves to be seen". I guess it was the
1.0beta3 at that time."
Comments (none posted)
KDE.News
interviews the
developers from OpenSync and KDE PIM. "
As you are now getting close
to version 1.0 of OpenSync, which is expected to become the new
synchronisation framework for KDE and other free desktops, we are quite
interested in the merits it can provide for KDE users and for developers,
as well as for the Open Source Community as a whole."
Comments (none posted)
O'Reilly is running two interviews involving the Ruby language.
The first interview is entitled
Zed on Ruby, Rails, Mongrel, and More and the second is an
Interview with Luis Lavena.
Comments (none posted)
Resources
Carla Schroder
discusses the killing of processes in a ServerWatch article.
"
Man page authors tend to wobble between addressing end users and ace programmers. That's why you see statements like "the do list is executed as long as the last command in list returns a non-zero exit status." Which is as helpful as saying "send the process a SIGHUP". But not to worry, for today we shall peel off the mask of mystery that covers these deep dark subjects."
Comments (4 posted)
HowtoForge
mirrors
a website with rsync. "
This tutorial shows how you can mirror
your web site from your main web server to a backup server that can take
over if the main server fails. We use the tool rsync for this, and we make
it run through a cron job that checks every x minutes if there is something
to update on the mirror. Thus your backup server should usually be up to
date if it has to take over."
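The arrangement the tutorial describes, as an added example (not the tutorial's own script): the standby pulls the web root with rsync from its crontab, with a lock so that overlapping runs cannot race each other into the same tree, --delete so content retired on the primary also disappears from the standby, and a dry-run check that reports drift. The host web1.example.org, the key path /etc/mirror/id_ed25519 and the lock path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the HowtoForge tutorial: a cron-driven rsync
# mirror of a web root with the safeguards a practitioner would want.
# Hostname, key path and lock path below are assumptions.

# mirror_site SRC DST [LOCKDIR]
# SRC and DST are rsync specs: local paths, or remote ones such as
# mirror@web1.example.org:/var/www/html (assumed host). The lock directory
# stops two cron runs from racing each other into the same tree.
mirror_site() {
    src="$1"; dst="$2"; lock="${3:-/tmp/mirror-site.lock}"
    mkdir -p "$dst" || return 1
    # mkdir is atomic: if the directory already exists a previous run is
    # still going (or crashed); skip rather than start a second rsync.
    if ! mkdir "$lock" 2>/dev/null; then
        echo "mirror_site: lock $lock held, skipping this run" >&2
        return 2
    fi
    trap 'rmdir "$lock" 2>/dev/null' EXIT INT TERM
    # -a preserves modes and mtimes; --delete drops files removed upstream so
    # the standby cannot keep serving content the primary already retired.
    # The dedicated key (assumed path) is only used when SRC or DST is remote;
    # BatchMode makes a missing or wrong key fail instead of prompting.
    rsync -a --delete \
        -e "ssh -i /etc/mirror/id_ed25519 -o BatchMode=yes" \
        "$src/" "$dst/"
    rc=$?
    rmdir "$lock" 2>/dev/null
    trap - EXIT INT TERM
    return $rc
}

# mirror_in_sync SRC DST: dry run with itemized output; succeeds only when
# rsync would change nothing, so cron can alert when the standby drifts.
mirror_in_sync() {
    diffs=$(rsync -ain --delete "$1/" "$2/") || return 2
    [ -z "$diffs" ]
}

# Typical crontab entry on the standby (every 5 minutes; paths assumed):
#   */5 * * * * /usr/local/sbin/mirror_site.sh --run mirror@web1.example.org:/var/www/html /var/www/html
# On the primary, restrict the mirror key in authorized_keys with a command=
# option (rsync ships an rrsync helper for exactly this) plus
# no-pty,no-port-forwarding,no-agent-forwarding, so the key can only serve
# that one tree read-only.

if [ "${1:-}" = "--run" ]; then
    shift
    mirror_site "$@"
fi
```

Pulling from the standby, rather than pushing from the primary, means the primary holds no credential that reaches the backup, and the key it does accept can be pinned to read-only service of one directory. Note what this does not protect against: a compromised primary serves poisoned content and the next cron run copies it faithfully, so keep the interval long enough to notice and stop the job. Never run the command with the arguments reversed; --delete would then empty the primary.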
Comments (none posted)
Linux Journal
covers
ways to hide information inside an OpenOffice.org document. "
Why
would you want to hide content in an OpenOffice.org Writer document? The
most common reason is to maintain two similar versions of a document within
the same file. For instance, if you are a teacher preparing an exam, you
might want to use the same file to print a version of the exam to
distribute to students, and another one, complete with answers, to give to
markers. If necessary, you can view the complete document on the screen,
but when printing or sharing files, you can hide or reveal content
depending on what you want each audience to see. By using Writer's hide
functions, you no longer need to worry about multiple versions of a
document remaining in sync."
Comments (8 posted)
Reviews
Linux.com
views pictures
on the console with fbida. "
Fbida (previously known as fbi) is
an image viewer for the Linux console. Some people -- console veterans
included -- might find the idea of viewing pictures on the console a little
bit silly; why not just use X Windows and a graphical viewer or even a
photo editor? The answer to that question varies from "running X on my
server is not an option, but I'd like to be able to view some pictures
while I'm waiting for the compilation of a new kernel to finish" to
"because I can." Pick your excuse and read on to find out more about
fbida."
Comments (2 posted)
Miscellaneous
Groklaw has
Richard Stallman's article about the change in Java licensing. "
Why did this non-incident generate a large and confused reaction? Perhaps because people do not read these announcements carefully. Ever since the term 'open source' was coined, we have seen companies find ways to use it and their product name in the same sentence. (They don't seem to do this with 'free software', though they could if they wanted to.) The careless reader may note the two terms in proximity and falsely assume that one talks about the other."
Comments (12 posted)
NewsForge
reports
that the Computer Society of India (CSI) is organizing a FOSS training
program for the faculty of various IT schools in India. "
Initially
the program, which is being conducted along with the Center of
International Cooperation for Computerization (CICC), Singapore and CDAC
Chennai, is focusing on the southern region of the country. But according
to CSI's H.R. Mohan, similar seminars are being planned for other regions
of India."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
FFII has sent out a press release on a seemingly obscure (but important)
ruling by the European Commission. "
In a reply to a question from Polish MEP and
inventor Adam Gierek, the European Commission has confirmed that the
European Patent Office's (EPO) case law is not binding for member
states, nor (under the proposed Community Patent regulation) for the
European Court of Justice (ECJ). For the first time, the Commission
has also clearly stated that computer programs are not patentable
subject matter, without hiding behind the infamous 'as such'
cop-out."
Full Story (comments: 3)
The Free Software Foundation has launched DefectiveByDesign.org, a
direct-action campaign that will target Big Media and corporations
peddling Digital Restrictions Management (DRM). "
An initiative of
the Free Software Foundation (FSF), Defective By Design is urging all
technologists to get involved at the start of the campaign. "Technologists
are very aware of the dangers of DRM," said Peter Brown, Executive Director
of the FSF."
Full Story (comments: none)
The Electronic Frontier Foundation has announced
the winning of a second patent office reexamination of Test.com's online
test-taking patent.
"
The reexamination order is the
second granted in just two months after petitions from
EFF's Patent Busting Project.
EFF filed the reexamination request because the extremely
broad patent claims to cover almost all methods of online
testing. Test.com has used this patent to demand payments
from universities with distance education programs that
give tests online. But EFF, in conjunction with Theodore
C. McCullough of the Lemaire Patent Law Firm, showed that
Test.com was not the first to come up with this testing
method -- IntraLearn Software Corporation had been
marketing an online test-taking system long before Test.com
filed its patent request."
Full Story (comments: none)
KDE.News
reports that the KDE
Project has joined the ODF Alliance. "
The position of the
OpenDocument Format (ODF) was today strengthened by the K Desktop
Environment (KDE) joining the ODF Alliance. KDE joins other partners such
as Oracle, SUN Microsystems, Mandriva, IBM and Junta de Andalucia in
promoting the OpenDocument Format as a market leader in document exchange
and storage."
Comments (none posted)
Commercial announcements
Mercury Computer Systems, Inc. has
announced their LNXexec product.
"
LNXexec
provides the full features of Linux with a rich set of application
programming interfaces (APIs) for developing real-time multicomputer
applications.
Introduced as part of the Mercury MCOE (Multicomputer Operating
Environment) Release 6.4.0, LNXexec enables customers to migrate to the
open systems environments, such as Open Architecture Computing Environment
(OACE) and X-Midas, that are demanded by today's users."
Comments (none posted)
NCR Corporation and Novell have announced a global agreement to offer
Novell Linux Point of Service on NCR RealPOS retail point-of-sale (POS)
terminals. "
The agreement between Novell and NCR - one of the
world's largest store automation solution vendors - makes a secure,
reliable software platform and hardware combination available for retailers
deploying Linux-based POS solutions. NCR's plans call for offering Novell
Linux Point of Service on NCR EasyPoint(TM) kiosks and NCR FastLane(TM)
self-checkout in the future."
Full Story (comments: none)
Penguin Computing, Inc. has
announced the new Relion 1600 and 2600 servers.
"
Penguin's 1U Relion 1600 and 2U Relion 2600 servers feature SATA, SCSI
and SAS storage options to suit a variety of storage needs, expansion slots
for PCI Express serial input/output technology, to accommodate
high-performance cluster fabrics and enterprise-class storage adapters, and
optional PCI-X slots, for legacy expansion cards. Both Relion product
families offer the latest memory technology, up to 32GB of fully buffered
dual in-line memory modules (DIMMs), for lower latency and higher
throughput and error correction features to ensure reliable operation and
data integrity at full bus speeds."
Comments (none posted)
Rackspace Managed Hosting, LWN's web host, has announced its results for
the first quarter of 2006. The company's revenue grew 58 percent over the
same period in 2005 to $45.7 million. Net income in the first quarter of
2006 was $4.2 million, a 121 percent increase over the same quarter the
previous year. Rackspace has experienced 29 consecutive quarters of
revenue growth since the company's inception.
Full Story (comments: none)
rPath has won a DOE grant.
"
rPath is pleased to announce that it is a recipient of a $100,000 Small
Business Innovation Research grant from the Department of Energy (DOE).
rPath will use the grant to enable its rBuilder platform to create Xen
virtual machine images for deployment in grid environments such as the Open
Science Grid <http://www.opensciencegrid.org/index.php>."
Full Story (comments: none)
SGI has
announced
that an SGI Altix high-performance computing system is helping to create a
better swimsuit.
Comments (none posted)
Undo Software
has announced UndoDB, a bidirectional debugger for compiled programs.
"
A bidirectional debugger allows programmers to run a program backwards in time as well as forwards. The program can be stepped back line-by-line, or rewound to any point in its history. Furthermore, programmers can play the program forwards and backwards in a totally repeatable fashion, allowing them to "home in" on the cause of a bug.
Bidirectional debuggers are much more powerful than their traditional counterparts, which only allow programmers to step their programs forwards in time. This is particularly true for bugs whose root cause occurs long before the ill effects manifest themselves, and for bugs that occur only intermittently. " A 30 day test version of the software is
available for download.
Comments (3 posted)
New Books
Pragmatic Bookshelf has published the book
Pragmatic Subversion, 2nd Edition by Mike Mason.
Full Story (comments: none)
Resources
LinuxMedNews
has announced
the publication of a new Journal.
"
From the website announcement: 'Source Code for Biology and Medicine is an open access, peer-reviewed, online journal soon to be launched by BioMed Central. Source Code for Biology and Medicine will encompass all aspects of workflow for information systems, decision support systems, client user networks, database management, and data mining. Source Code for Biology and Medicine aims to publish source code for distribution and use in the public domain in order to advance biological and medical research..."
Comments (none posted)
Surveys
The Plone Foundation has announced a survey for the 2006 Plone Conference. "The Plone Foundation has invited the Seattle Plone community to put together a bid for hosting the 2006 Plone Conference, and has requested that we do a bit of background research to aid in planning and to assess the level of interest and enthusiasm in the Plone community.
We've put together a 10-minute survey to help us gather some of that information."
Event Reports
The Gelato Federation presents coverage of the 2006 Itanium Conference. "Over 200 scientists, developers, and engineers convened from all around the globe for the April 2006 Gelato ICE: Itanium Conference & Expo. The event was organized by the Gelato Federation, an international user community dedicated to advancing Linux on the Intel Itanium architecture. It was the largest gathering of Linux and Itanium professionals that the world has seen to date, with delegates from more than 80 companies and institutions attending. Conference sponsors included HP, Intel, and the Itanium Solutions Alliance, and media sponsors included HPCwire and Linux HPC.org."
The proceedings from the 4th International Linux Audio Conference, held at the end of April in Karlsruhe, Germany, are now available as a 3MB PDF file. Papers and slides from individual talks can also be found on the LAC 2006 web site. There is a wealth of information there, with something likely to be of interest to almost any Linux audio user.
Calls for Presentations
A Call for Papers has gone out for php|works / db|works. The event takes place in Toronto, Canada on September 12-15, 2006; submissions are due by June 5.
A call for proposals has gone out for Europython 2006. "Registration for Europython (3-5 July) at CERN in Geneva is now open; if you feel like submitting a talk proposal there's still time until the 31st of May.
If you want to talk about a library you developed, or you know well and want to share your knowledge, or about how you are making the best out of Python through inventive/elegant idioms and patterns (or if you are a language guru willing to disseminate your wisdom), you can submit a proposal for the Python Language and Libraries track."
AFUP, the Association Française des Utilisateurs de PHP, has posted a call for speakers for the Paris "Forum PHP 2006". The event takes place on November 9 and 10, 2006.
Upcoming Events
The Third International GPLv3 Conference will take place in Barcelona, Spain on June 22 and 23, 2006. "In January, a year-long public consultation process for updating the GNU General Public License was launched. Commonly called "the GPL", this licence is used by the majority of Free Software to detail the distribution terms of the software.
This coming conference will approximately mark the half-way point of that process."
KDE.News has an announcement for an upcoming KDE Multimedia Meeting. "Multimedia in KDE has been in the news lately, especially Phonon, the new multimedia framework for KDE 4. Phonon still needs a lot of work, as do the applications which are going to use it. So, in the spirit of the previous KDE PIM meeting, Annahoeve in Achtmaal, The Netherlands, will again be visited by a group of KDE developers. From Friday the 26th to Sunday the 28th of May, more than 15 developers from 4 continents will have a unique chance to talk about and work on Multimedia in KDE."
The folks at LugRadio will hold the LugRadio Live event on July 22 and 23, 2006 at Wolverhampton University in the UK. A call for papers is currently open. "LUGRadio Live is an annual event driven by, and for, the Open Source community. The event includes a range of speakers, exhibitors and other attractions, all housed within a unique event with a unique atmosphere. Last year's event in June 2005 was a huge success, and this year LUGRadio Live 2006 will be nothing you have seen before."
The New York PHP Conference and Expo will be held on June 14-16, 2006 at the New Yorker Hotel in Manhattan, NY.
The Third Annual Web 2.0 Conference will take place in San Francisco, CA on November 7-9, 2006. "This year's theme is "Disruption and Opportunity," focusing on the services, applications, businesses, and models that are reshaping the business landscape and creating opportunities for entrepreneurs who understand the power of the Internet."
| Date | Event | Location |
|---|---|---|
| May 26 - 27, 2006 | FreedomHEC | Seattle, WA |
| May 26 - 28, 2006 | KDE Multimedia Meeting | Annahoeve, Achtmaal, The Netherlands |
| May 30 - June 3, 2006 | 2006 USENIX Annual Technical Conference | Boston Marriott Copley Place, Boston, MA |
| June 13 - 14, 2006 | Where 2.0 Conference | Fairmont Hotel San Jose, San Jose, CA |
| June 13 - 14, 2006 | Gartner Open Source Summit 2006 | Palau de Congressos de Catalunya, Barcelona, Spain |
| June 14 - 16, 2006 | New York PHP Conference and Expo 2006 | New Yorker Hotel, New York, NY |
| June 16 - 18, 2006 | Recon 2006 | Plaza Hotel Centre-Ville, Montreal, Canada |
| June 18 - 23, 2006 | Ubuntu Developer Summit | Charles de Gaulle, Paris, France |
| June 22 - 23, 2006 | 3rd International GPLv3 Conference | Barcelona, Spain |
| June 24 - 25, 2006 | Free and Open Source Conference (FrOSCon) | St. Augustin, Bonn, Germany |
| June 24 - 30, 2006 | 2006 GNOME Users and Developers European Conference (GUADEC) | Catalonia, Spain |
| June 24 - 25, 2006 | PHP Vikinger | Skien, Norway |
| June 27 - 29, 2006 | Corporate Channel and Computing Expo (C3) | Jacob K. Javits Convention Center, New York, NY |
| June 28 - 30, 2006 | GCC and GNU Toolchain Developers' Summit | Ottawa Congress Centre, Ottawa, Canada |
| June 29 - July 2, 2006 | UKUUG Linux Technical Conference | University of Sussex, Brighton, UK |
| June 30 - July 1, 2006 | WebTech 2006 | Kempinski Hotel Zografski, Sofia, Bulgaria |
| July 3 - 4, 2006 | 3rd European Lisp Workshop | Nantes, France |
| July 3 - 5, 2006 | EuroPython 2006 | CERN, Geneva, Switzerland |
| July 4 - 8, 2006 | 7th Libre Software Meeting (LSM) | Nancy 1 University, Vandoeuvre-les-Nancy, France |
| July 5 - 8, 2006 | V Jornades de Programari Lliure | Barcelona, Spain |
| July 8 - 9, 2006 | PostgreSQL Anniversary Summit | Toronto, Canada |
| July 10 - 11, 2006 | Global db4o User Conference (dUC) | Imperial College, South Kensington, London, UK |
| July 13 - 14, 2006 | Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) | Berlin, Germany |
| July 15 - 16, 2006 | Crystal Space Conference | University of Aachen, Aachen, Germany |
| July 16 - 19, 2006 | 2nd International Symposium on Free/Open Source Software, Technologies and Content (FOSSTEC 2006) | Orlando, Florida, USA |
| July 19 - 22, 2006 | Ottawa Linux Symposium 2006 (OLS 2006) | Ottawa, Canada |
Audio and Video programs
The Blender Foundation has announced the online availability of the movie Elephants Dream. "All 3D related files are under the Creative Commons Attribution license, so artists can create their own interpretation of the movie (or use them for entirely unrelated work etc), learn from the files, etc."
LinuxMedNews takes note of a new webcast on choosing a web content management platform. "Here is a 40-minute Quicktime webcast that is an entertaining, practical side-by-side comparison of 5 popular development environments with the conclusion that ZOPE-based Plone is the best for web development. Some of the metrics are: 225 minutes for a J2EE web application versus about 10 minutes for a web application in Plone that is more functional than the J2EE one. They also like Rails and Django some, but the winner is Plone."
Page editor: Forrest Cook