
LWN.net Weekly Edition for June 8, 2006

Behavioral standards in the free software community

The GNOME community has recently started a discussion on the adoption of a code of conduct for community members. While a number of people clearly think that such a code makes sense, others are just as clearly uncomfortable with the idea. The free software community is traditionally an open and unregulated group. Its members are concerned with quality of contributions and inclusiveness; there is relatively little interest in conduct rules, and an active dislike for self-appointed enforcers and attempts to exclude potential contributors. So the number of projects with written behavioral codes is relatively small.

Such codes do exist, however, whether or not they are written down. Anybody who doubts this fact may want to ponder the likely fate of a developer who attempts to contribute plagiarized code. But other standards clearly exist as well. Consider, for example, this case: a Debian developer was not only asked to leave DebConf last month, but was removed from the project altogether. A weblog entry from a nearby participant reads:

The difference in values between Ted and the rest of our project was just too immense. When I was walking out of the room at around 7 in the morning next day my final sentence was "Ted, even if you spend rest of the Debconf apologizing and making friends, I do not see a future for you in this project." and the most important was that Ted and John seemed to agree with me on that

Only two months earlier, Debian went through a protracted debate on whether another developer should be forcibly expelled from the project. In both cases, the issue was not one of plagiarism or other crime; instead, these people are being pushed out for being jerks - for somebody's value of "jerk." Their behavior is said to be so unpleasant, and so off-putting for other members of the project, that their presence is no longer welcome. This is the sort of behavior that the proposed GNOME code of conduct seeks to regulate as well. This proposal contains items like "be respectful and considerate" and "don't be racist." Its supporters are trying to maintain a GNOME community which is pleasant to work in, and which does not drive potential contributors away.

They have a point: it has been noted, for example, that female participation in free software projects is often close to zero. That is, as some have observed, well below the percentage of women in the general population; it is also well below the percentage of women working in technical fields. There is a whole population of potential contributors out there who have chosen not to be a part of the free software community. One plausible reason for their absence is the sort of behavior encountered on mailing lists, at conferences, and in other places where the community gathers. Perhaps, if standards of behavior were higher, more people would choose to participate.

(Then again, the problem could be elsewhere: Richard Stallman chimed in with a claim that the use of the term "open source" may be the real reason why women choose not to participate. This particular line of reasoning has not attracted a large following, however.)

Alan Cox points out that the issue is a little broader:

I'd be wary of pursuing just the "women in GNOME" issue, because many of the same things put off far more than just women. Running around shouting "pants off" is not, for example, very compatible with the Japanese cultural expectations.

One can, without great difficulty, make an argument that, as the free software community "grows up" and tries to expand beyond its "western white male geek" stereotype, it should look harder at how its members behave. If one contributor is sufficiently unpleasant to repel the participation of numerous others, then perhaps the community truly is better off without that person. So maybe the community truly does need to be prepared to expel people who are too difficult to be around. Codes of conduct might just make sense.

But consider an episode from just over three years ago, when a prominent developer (let's call him "X" for the moment) was stripped of his commit privileges and kicked out of an important project. One of the people involved in this action justified it with these words:

What X has done is among the most low-class, unprofessional, and tactless things I have ever experienced in my professional career.... Bottom line, in my opinion, is that what X did is unacceptable on its face and he deserves to be held accountable for it. So he's out.

This looks like a clear application of a code of conduct; somebody behaves badly, and is booted from the project. Nothing to complain about. Except that X, in this case, was Keith Packard, who was busily trying to reform the XFree86 project. That project's decision to exclude Keith turned out to be fatal; XFree86 still exists - it even put out a release in May - but nobody cares anymore.

This episode highlights the dangers of behavioral codes. They can be used as a way of silencing people who have something inconvenient to say, but sometimes those people need to be heard. Codes of conduct can evolve into a sort of stifling "political correctness" where people become afraid to express their thoughts. The creation of such an environment will suck the life out of a project more quickly than any number of unpleasant people.

The community as a whole may well want to think about how people interact, and how that interaction can be made more pleasant and more globally inclusive. Behavior which is rude, sexist, racist, or worse runs counter to our values (one hopes), and it makes us weaker. So discussions of how we wish to treat each other and how we can avoid pushing away people who could make our community richer are worth having. But we must work toward that goal without silencing our more outspoken members; sometimes they are saying something we should hear, even if it makes us uncomfortable.

Comments (31 posted)

How clean must the room be?

The discussion on what features should be merged into the 2.6.18 kernel has begun (see this week's Kernel Page for the details). One item which was mentioned is the acx100 driver, which has been sitting in the -mm tree for some time. This driver works, is useful to a broad community of users, and appears to be entirely acceptable to the kernel developers who have reviewed it - except for one little problem.

This driver, it seems, was developed by reverse engineering a binary-only driver released by TI for the 2.4 kernels. Reverse engineering is not a problem in itself, as long as due care is taken to avoid copying any code from the non-free driver. The normal way of taking due care is to employ a "clean room" technique: the person who does the reverse engineering work writes a document describing how the hardware functions, but does not write any code. Instead, another developer, who has never looked at the original driver in any way, writes the new driver based on the information in the document. This approach shields the project from charges of copying code, since the developer who wrote the new driver has never seen the code in question.

The acx100 driver was not developed in this way; instead, the people who did the reverse engineering went on to implement the new driver directly. Nobody has alleged that these developers copied any code in this process. But the process they used opens the door to such charges in the future. So the code is seen as being tainted, even though it is probably entirely legitimate. This taint has been enough to keep the driver out of the kernel.

One kernel developer objects to this course of events, calling it excessive:

I disagree there (not speaking for any company just for myself here): the "clean room" thing is ONLY a USA thing, and is not even required in the USA. It is a "we want to be extra safe in the USA" thing only.

He goes on to say that, if the developers can certify that they copied no code, and especially if the work was done outside of the USA, the driver should be able to go into the mainline kernel.

Others disagree, however, noting that "being extra safe" is no bad thing. The SCO case has shown how disruptive a copyright-based challenge to the Linux code base can be. Linux has, by all appearances, come through that challenge looking even better than it did before; the kernel code truly is clean. What a shame it would be to merge code which ends up bringing on another lawyer storm and ruining the kernel's hard-won clean bill of health. Sad though it may be, leaving out the driver might be the better choice.

Still, there is a lingering issue here: which laws should be allowed to control which code is accepted into the kernel? By many accounts, the acx100 driver would pass muster in Europe; it is U.S. laws that are of concern. But the laws of, for example, Haiti, Egypt, and Georgia have not been consulted. Complying with laws across the entire planet would be a tall order. Conflicts with laws on, say, spectrum use, surveillance capabilities, or "piracy prevention" in various parts of the world seem increasingly likely. Steering a global operating system through this maze will be an interesting challenge.

Comments (14 posted)

The UK Parliament on DRM

The All Party Parliamentary Internet Group is an organization in the UK which "exists to provide a discussion forum between new media industries and Parliamentarians for the mutual benefit of both parties." It is open to members of the House of Commons and the House of Lords; its actual makeup (in terms of party representation and such) is not entirely clear. This group decided to have a hard look at the interaction of digital rights management (DRM) schemes and copyright law. To that end, they received written input from dozens of groups on all sides of the copyright dispute and listened to a large number of interested people. The result of all this work is a report [PDF] and a series of recommendations.

This group shows some signs of having actually understood the problem - or parts of it, at least. A reading of the full report is recommended for those who are interested in the issue. For everybody else, here is a set of select quotes.

To start with, the group does not buy the notion that DRM schemes will always be easily overcome.

In the future it must be expected that TPMs [technical protection measures] will rely more and more upon specialist hardware functionality - and that some systems will prove to be extremely complex to overcome and to develop generic evasion technology for. It would therefore be unwise to base public policy upon a continuation of the situation that TPMs are relatively easy to overcome. It may well be that propping up technical measures with legislation will become entirely irrelevant. Equally, assuming that egregious problems caused by TPMs can be addressed by just `breaking into the system' may become unrealistic. (¶ 21).

So the "speed bump" view of DRM does not necessarily apply into the future.

Often, the discussion at the political level appears to have lost track of what copyright is for. So it is somewhat refreshing that this group has not forgotten entirely:

Copyright is generally understood to be a trade-off. The creator of copyright material is given a monopoly on exploiting it for a period of time. Currently for a new song or book this is until the creator dies plus 70 years. At the end of this period, the created work enters the public domain and may be exploited by anyone. This scheme is intended to ensure that there are incentives for creators, without creating an indefinite monopoly....

However, should all available versions of the material be protected by highly effective TPM systems, it may prove impossible, when the copyright expires, for the exploitation to occur - because the material will remain inaccessible except via the monopolistic TPM system. (¶ 32-4).

The report goes on, however, to dismiss this concern by claiming that "all available versions" of any given work are unlikely to go under DRM anytime soon. The authors may find themselves surprised by the ambitions of the entertainment industry.

At least some of the costs of DRM are understood:

From a completely different perspective, Intel told us that it was important that the legal infrastructure does not inhibit technical innovation - and they feel that the `trade-off' should address this as well! As an example, they pointed out that there were no portable video jukeboxes on the market - just devices capable of video downloads or playing consumer recordings - because it was against the DVD consortium rules to create a portable device. (¶ 49).

Alternative licenses from the Creative Commons and elsewhere are touched upon:

Several of the rights-holders were rather negative about these licenses, suggesting that the creators and performers did not always understand what they were "giving away forever" and how it could affect an artist's ability to enter into an exclusive license at a later stage in their career. Although artists should naturally consider these matters, we suspect that these licenses are clearer than many media industry contracts. (¶ 71).

The report's authors seem to believe that the worst DRM-related problems will be addressed in the market. But, they say, fully-informed consumers will help to bring that about:

Because, as we have observed, consumers expect to copy CDs, we believe that all CDs should in future come with a prominent label saying, "you are not permitted to make any copies of this CD for any reason"... The prominent label should add, when appropriate, "and if you try to make a copy, you should note that we have tried very hard to ensure that you will fail". Doubtless, even clearer and more accurate wording is possible....

For some types of content the labelling will need to warn the user, "you cannot access some parts of this DVD without a working Internet connection to enable us to record your identity", or "your playing of this song may be recorded in marketing databases in foreign countries". (¶ 100-102).

There is also some discussion of what happens if a DRM-using vendor goes out of business or changes policies. The potential loss of an individual's media collection is raised, but the possibility that valuable material could be lost to society as a whole is not.

There is little patience with DRM code which ignores users' commands, hides itself, or endangers the host system:

[W]e recommend that OFCOM publish guidance to make it clear that companies distributing TPM systems in the UK would, if they have features such as those in Sony-BMG's MediaMax and XCP systems, run a significant risk of being prosecuted for criminal actions. (¶ 118).

The authors received input from a number of groups related to free software, but the bulk of that input appears to have been boiled down to about two sentences. The lack of free DVD players is mentioned, as is the effect of governmental DRM mandates. The report claims, however, that no DRM mandates are in view in Europe; evidently broadcast flags and anti-circumvention laws don't count. In general, the needs of the free software community were either not understood or not seen to be important.

So, in the end, the APIG report is not all that one might have hoped for. Still, this document shows a higher level of understanding of the issues than can be found in many other government venues. Let us hope that it is a sign of progress in the right direction.

Comments (7 posted)

Page editor: Jonathan Corbet

Security

New security releases for Firefox and Thunderbird

Security vulnerabilities in the Firefox browser and Thunderbird mail client are scary. Both tools are widely used, exposed to arbitrary data from the Internet, and used with important (and confidential) information. A widespread exploit has the potential to affect large numbers of people in highly unfortunate ways. So, whenever the Mozilla Project fixes a set of vulnerabilities, it's worth paying attention.

The recently released Firefox 1.5.0.4 addresses a fairly long list of vulnerabilities. Some of the most significant of those (the ones rated "critical") are:

There are also several vulnerabilities which are not considered to be quite as frightening, but which are still in need of fixing.

Thunderbird 1.5.0.4 is also out, with its own vulnerability list. Only one of these is deemed critical: a double-free error on an invalid VCard which appears to be exploitable. It is worth noting, however, that Thunderbird uses much of the Firefox code base for rendering HTML, so it can also suffer from Firefox's vulnerabilities. So, in particular, if a user allows the execution of JavaScript in incoming mail (an especially bad idea which is not the default behavior), most of the Firefox vulnerabilities listed above are also exploitable in Thunderbird.

There is another common theme found in all of the Firefox vulnerabilities: they can all be mitigated by turning off JavaScript. The sad fact is that executable content seems to be a hard thing to get right; it is an ongoing source of vulnerabilities in almost every context where it can be found. So it is not surprising that many people simply turn off JavaScript entirely. It is unfortunate that so many web sites are inaccessible to browsers running without JavaScript, forcing security-conscious users to enable a problematic feature they might prefer to do without.

(See the LWN vulnerability entry for distributor updates addressing these problems. As of this writing, the list of updates is discouragingly short, with only Slackware and rPath getting fixes out within the first couple of days after disclosure).

Comments (11 posted)

New vulnerabilities

evolution: denial of service

Package(s):evolution CVE #(s):
Created:June 1, 2006 Updated:June 6, 2006
Description: Evolution is vulnerable to a denial of service attack. The display of maliciously crafted images can crash the application if the "Load images if sender is in address book" option is enabled.
Alerts:
Mandriva MDKSA-2006:094 2006-06-01

Comments (none posted)

mozilla products have multiple vulnerabilities

Package(s):mozilla seamonkey firefox thunderbird CVE #(s):CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787
Created:June 5, 2006 Updated:August 2, 2006
Description: There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details.
Alerts:
Debian DSA-1134-1 2006-08-02
Ubuntu USN-297-3 2006-07-26
Ubuntu USN-323-1 2006-07-25
Ubuntu USN-296-2 2006-07-25
Debian DSA-1120-1 2006-07-23
Debian DSA-1118-1 2006-07-22
Red Hat RHSA-2006:0578-01 2006-07-20
SuSE SUSE-SA:2006:035 2006-06-23
Gentoo 200606-21 2006-06-19
Fedora FEDORA-2006-717 2006-06-15
Fedora FEDORA-2006-715 2006-06-15
Ubuntu USN-297-2 2006-06-15
Ubuntu USN-297-1 2006-06-13
Gentoo 200606-12 2006-06-11
Slackware SSA:2006-155-02 2006-06-05
rPath rPSA-2006-0091-1 2006-06-02

Comments (none posted)

mysql: SQL injection vulnerability

Package(s):mysql CVE #(s):CVE-2006-2753
Created:June 2, 2006 Updated:June 16, 2006
Description: This MySQL 4.1.20 release announcement covers an SQL injection vulnerability.
Alerts:
Ubuntu USN-303-1 2006-06-16
Fedora FEDORA-2006-702 2006-06-13
Fedora FEDORA-2006-703 2006-06-13
Gentoo 200606-13 2006-06-11
Red Hat RHSA-2006:0544-01 2006-06-09
Trustix TSLSA-2006-0034 2006-06-09
Mandriva MDKSA-2006:097 2006-06-07
Debian DSA-1092-1 2006-06-08
Slackware SSA:2006-155-01 2006-06-05
rPath rPSA-2006-0089-1 2006-06-01

Comments (none posted)

rug: remote command execution

Package(s):rug CVE #(s):CVE-2006-2703
Created:June 1, 2006 Updated:June 6, 2006
Description: The rug tool from the RedCarpet remote administration utility does not verify SSL certificates from the server, leaving it vulnerable to a man-in-the-middle attack; an attacker in that position can read the traffic and insert commands.

Also, the /etc/ximian/rcd.conf file permissions are set incorrectly, leaving the rc password exposed.

Alerts:
SuSE SUSE-SA:2006:029 2006-05-31

Comments (none posted)

spamassassin: arbitrary command execution

Package(s):spamassassin CVE #(s):CVE-2006-2447
Created:June 6, 2006 Updated:June 15, 2006
Description: A vulnerability has been discovered in SpamAssassin, a Perl-based spam filter using text analysis, that can allow remote attackers to execute arbitrary commands. This problem only affects systems where spamd is reachable via the internet and used with vpopmail virtual users, via the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid" switch.
Alerts:
Mandriva MDKSA-2006:103 2006-06-14
Gentoo 200606-09 2006-06-11
rPath rPSA-2006-0096-1 2006-06-07
Red Hat RHSA-2006:0543-01 2006-06-06
Fedora FEDORA-2006-598 2006-06-06
Fedora FEDORA-2006-658 2006-06-06
Debian DSA-1090-1 2006-06-06

Comments (none posted)

xmcd: insecure file permissions

Package(s):xmcd CVE #(s):CVE-2006-2542
Created:June 2, 2006 Updated:June 6, 2006
Description: xmcdconfig creates world-writable directories, allowing local users to fill the /usr and /var partitions and so cause a denial of service. The problem has been only partially fixed since version 2.3-1.
Alerts:
Debian DSA-1086-1 2006-06-02

Comments (none posted)

Updated vulnerabilities

awstats: missing input sanitizing

Package(s):awstats CVE #(s):CVE-2006-2237
Created:May 19, 2006 Updated:June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.
Alerts:
SuSE SUSE-SA:2006:033 2006-06-20
Ubuntu USN-290-1 2006-06-08
Gentoo 200606-06 2006-06-07
Debian DSA-1075-1 2006-05-26
Ubuntu USN-285-1 2006-05-23
Debian DSA-1058-1 2006-05-18

Comments (none posted)

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:153 2006-08-28
Ubuntu USN-292-1 2006-06-09
OpenPKG OpenPKG-SA-2006.009 2006-05-26

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords, so a brute-force attack against the stored hashes could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)
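As an added example of the race described in the bzip2 entry above (this is not bzip2's own code): the program below simulates a decompressor that writes its output and then applies the archive's recorded mode by path name, lets a local "attacker" swap in a hard link between those two steps, and shows that the victim file's permissions change. Doing the same with fchmod(2) on the output descriptor, which is still open, leaves the victim untouched. The scratch directory under /tmp, the file names and the modes are the demo's own assumptions.

```c
/* Added example (not bzip2's code): the post-decompression chmod(2) race,
 * simulated in a throw-away directory under /tmp, beside the fix of applying
 * the mode with fchmod(2) to the still-open output descriptor. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

char *mkdtemp(char *tmpl);   /* explicit prototype in case a strict -std hides it */

/* Runs one round of the race and returns the victim file's final permission
 * bits (0600 or 0644 here), or -1 on a setup failure.  With use_fchmod == 0
 * the mode is applied by name, as the vulnerable decompressor did. */
int simulate_race(int use_fchmod)
{
    char dir[] = "/tmp/bzrace.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[PATH_MAX], out[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/file.txt", dir);

    /* The attacker's target: a private file owned by the user running the
     * decompressor (on Linux, fs.protected_hardlinks blocks links to files
     * the linker could not already open, so this is the realistic case). */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return -1;
    close(vfd);
    chmod(victim, 0600);                 /* ignore whatever umask is in force */

    /* The decompressor creates file.txt and writes the payload ... */
    int ofd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0)
        return -1;
    const char payload[] = "decompressed data\n";
    if (write(ofd, payload, sizeof payload - 1) < 0)
        return -1;

    /* ... and here the attacker, who can write to the directory, wins the
     * race: file.txt is now just another name for the victim's inode. */
    unlink(out);
    if (link(victim, out) != 0)
        return -1;

    /* Decompression finished; restore the mode recorded in the archive. */
    if (use_fchmod)
        fchmod(ofd, 0644);   /* acts on the inode we actually wrote to */
    else
        chmod(out, 0644);    /* acts on whatever the name resolves to now */
    close(ofd);

    struct stat st;
    int mode = (stat(victim, &st) == 0) ? (int)(st.st_mode & 07777) : -1;

    unlink(out);
    unlink(victim);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("chmod(path) after the swap: victim is now   %04o\n", simulate_race(0));
    printf("fchmod(fd)  after the swap: victim is still %04o\n", simulate_race(1));
    return 0;
}
```

The same rule covers every post-write metadata operation: ownership, timestamps and mode should be set through the open descriptor (fchown, futimens, fchmod), because a path can be retargeted by anyone with write access to the directory between the write and the follow-up call.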

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cherrypy: information disclosure

Package(s):cherrypy CVE #(s):CVE-2006-0847
Created:May 31, 2006 Updated:May 31, 2006
Description: The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure.
Alerts:
Gentoo 200605-16 2006-05-30

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)
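An added example, not Vixie cron's code, of the check the entry above says is missing: a privilege-drop routine that treats a failed setgid()/setuid() as fatal and then verifies the result, instead of carrying on as root. The helper's name, the decision to clear supplementary groups first and the "try to regain root" check are this example's own choices.

```c
/* Added example, not Vixie cron's code: a privilege drop that refuses to
 * continue when setgid(2)/setuid(2) fail, instead of assuming success. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to uid/gid permanently.  Returns 0 on success, -1 on any failure.
 * On -1 the caller must abort the job rather than run it: a failed setuid()
 * means we are still whoever we were (root, in cron's case). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: once we are no longer root we can no longer change the
     * gid or clear the supplementary group list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* setuid() can legitimately fail; setuid(2) documents EAGAIN when the
     * target user is at its RLIMIT_NPROC limit, which an unprivileged user
     * can arrange for itself.  Ignoring the return value then leaves the
     * job running with the caller's (root's) privileges. */
    if (setuid(uid) != 0)
        return -1;

    /* Belt and braces: confirm the kernel agrees with us. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If we dropped from root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    gid_t mygid = getgid();

    /* Switching to our own ids always succeeds; switching to a foreign uid
     * fails with EPERM when we are not root. */
    printf("drop to self: %d\n", drop_privileges(me, mygid));
    if (geteuid() != 0) {
        int rc = drop_privileges(me + 1, mygid);
        printf("drop to uid %u: %d (%s)\n", (unsigned)me + 1, rc, strerror(errno));
    }
    return 0;
}
```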

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)
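An added example, not cscope's code, of the discipline whose absence turns a long #include line in an untrusted source file into a stack overflow: the parser below copies the included file name into a fixed-size buffer only after checking that it fits, and reports overlong or unterminated names instead of writing past the end. The buffer size and the return-value convention are assumptions of the example.

```c
/* Added example, not cscope's code: extracting the file name from an
 * #include line into a fixed-size buffer with an explicit length check. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define INCLUDE_MAX 256   /* assumed fixed buffer, as a real tool might use */

/* Parses a line such as
 *     #include <stdio.h>     or     #  include "../foo/bar.h"
 * and stores the name in out (size n).  Returns 1 if a name was stored,
 * 0 if the line is not an #include, and -1 if the name is unterminated or
 * does not fit in out. */
int parse_include(const char *line, char *out, size_t n)
{
    const char *p = line;
    while (isspace((unsigned char)*p)) p++;
    if (*p != '#') return 0;
    p++;
    while (isspace((unsigned char)*p)) p++;
    if (strncmp(p, "include", 7) != 0) return 0;
    p += 7;
    while (isspace((unsigned char)*p)) p++;

    char close;
    if (*p == '"')      close = '"';
    else if (*p == '<') close = '>';
    else return 0;
    p++;

    const char *end = strchr(p, close);
    if (end == NULL) return -1;            /* no closing delimiter */
    size_t len = (size_t)(end - p);
    if (len >= n) return -1;               /* the bound an strcpy() skips */
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    char name[INCLUDE_MAX];
    const char *lines[] = { "#include <stdio.h>",
                            "  #  include \"../foo/bar.h\"",
                            "int x; /* #include */",
                            "#include \"unterminated" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int r = parse_include(lines[i], name, sizeof name);
        printf("%-32s -> %d %s\n", lines[i], r, r == 1 ? name : "");
    }

    /* A crafted line with a path of over 1000 characters is rejected
     * instead of overflowing the 256-byte buffer. */
    char longline[1024];
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    memcpy(longline, "#include \"", 10);
    longline[sizeof longline - 2] = '"';
    printf("overlong path -> %d\n", parse_include(longline, name, sizeof name));
    return 0;
}
```

The same pattern applies to any fixed buffer fed from a file or a URL: measure the input, compare against the buffer, and only then copy. Compiling with -D_FORTIFY_SOURCE and running the parser under a fuzzer over a corpus of odd #include lines is the cheap way to find the copies that skipped the check.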

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
OpenPKG OpenPKG-SA-2006.012 2006-06-28
Trustix TSLSA-2006-0016 2006-03-24
Gentoo 200603-19 2006-03-21
Fedora FEDORA-2006-189 2006-03-21

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dia: format string vulnerabilities

Package(s):dia CVE #(s):CVE-2006-2453 CVE-2006-2480
Created:May 24, 2006 Updated:June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name.
Alerts:
Gentoo 200606-03 2006-06-07
SuSE SUSE-SR:2006:012 2006-06-02
Red Hat RHSA-2006:0541-02 2006-06-01
Mandriva MDKSA-2006:093 2006-05-30
Fedora FEDORA-2006-580 2006-05-24
Ubuntu USN-286-1 2006-05-24

Comments (none posted)

dovecot: information disclosure

Package(s):dovecot CVE #(s):CVE-2006-2414
Created:May 31, 2006 Updated:June 14, 2006
Description: The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes.
Alerts:
Ubuntu USN-288-4 2006-06-13
Debian DSA-1080-1 2006-05-29

Comments (1 posted)
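An added example serving both the cherrypy and the dovecot entries above (it is code from neither project): safe_join() takes a client-supplied relative name, normalises it lexically, and refuses anything that is absolute or that uses ".." to climb out of the configured root, which is the check a directory traversal bug lacks. The root path and the mailbox-style names are constructed for the demo.

```c
/* Added example covering the cherrypy and dovecot entries; not code from
 * either project.  Lexical containment check for a client-supplied path. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Writes root + "/" + normalised(req) into out (size n).  Returns 0 on
 * success and -1 when req is absolute, climbs above root with "..", nests
 * too deeply, or does not fit in out.  "." and empty components are dropped. */
int safe_join(const char *root, const char *req, char *out, size_t n)
{
    const char *comp[MAX_DEPTH];
    size_t clen[MAX_DEPTH];
    int depth = 0;

    if (req[0] == '/')                  /* "/etc/passwd" is not a relative name */
        return -1;

    for (const char *p = req; *p; ) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (*p == '/')
            p++;
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* "//" and "/./" are no-ops */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)             /* more ".." than directories: escape */
                return -1;
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        comp[depth] = start;
        clen[depth] = len;
        depth++;
    }

    size_t used = strlen(root);
    if (used >= n)
        return -1;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + clen[i] >= n)
            return -1;
        out[used++] = '/';
        memcpy(out + used, comp[i], clen[i]);
        used += clen[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    const char *tests[] = { "INBOX/Sent", "./a/./b/../c", "../bob/INBOX",
                            "a/../../etc/passwd", "/etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        if (safe_join("/var/mail/alice", tests[i], buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", tests[i], buf);
        else
            printf("%-20s -> rejected\n", tests[i]);
    }
    return 0;
}
```

Two caveats a practitioner will want. First, for a web server the check must run after percent-decoding, or "%2e%2e/" walks straight past it. Second, a lexical check says nothing about symbolic links already inside the root; when the result is opened, confirm with realpath(3) that it still lies under the root's own realpath, or on recent Linux open it with openat2(2) and RESOLVE_BENEATH so the kernel enforces containment.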

firefox: multiple vulnerabilities

Package(s):firefox mozilla CVE #(s):CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
Created:April 14, 2006 Updated:June 9, 2006
Description: There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information.
Alerts:
Ubuntu USN-296-1 2006-06-09
Fedora-Legacy FLSA:189137-2 2006-06-06
Fedora-Legacy FLSA:189137-1 2006-06-06
Gentoo 200605-09 2006-05-08
Slackware SSA:2006-123-02 2006-05-04
Fedora FEDORA-2006-494 2006-05-03
Fedora FEDORA-2006-493 2006-05-03
Fedora FEDORA-2006-491 2006-05-03
Fedora FEDORA-2006-490 2006-05-03
Fedora FEDORA-2006-487 2006-05-03
Fedora FEDORA-2006-495 2006-05-03
Fedora FEDORA-2006-492 2006-05-03
Fedora FEDORA-2006-486 2006-05-03
Fedora FEDORA-2006-489 2006-05-03
Fedora FEDORA-2006-488 2006-05-03
Ubuntu USN-276-1 2006-05-03
Slackware SSA:2006-120-01 2006-05-01
Gentoo 200604-18 2006-04-28
Mandriva MDKSA-2006:078 2006-04-25
Mandriva MDKSA-2006:076 2006-04-25
Debian DSA-1044-1 2006-04-26
SuSE SUSE-SA:2006:022 2006-04-25
Mandriva MDKSA-2006:075 2006-04-24
Slackware SSA:2006-114-01 2006-04-25
Gentoo 200604-12 2006-04-23
Red Hat RHSA-2006:0330-01 2006-04-21
SuSE SUSE-SA:2006:021 2006-04-20
Ubuntu USN-271-1 2006-04-19
Fedora FEDORA-2006-411 2006-04-18
Fedora FEDORA-2006-410 2006-04-18
Red Hat RHSA-2006:0329-01 2006-04-18
Slackware SSA:2006-107-01 2006-04-17
Red Hat RHSA-2006:0328-01 2006-04-14

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

freeradius: authentication bypass

Package(s):freeradius CVE #(s):CVE-2006-1354
Created:March 24, 2006 Updated:June 5, 2006
Description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Alerts:
Debian DSA-1089-1 2006-06-03
Mandriva MDKSA-2006:066 2006-04-05
Gentoo 200604-03 2006-04-04
Red Hat RHSA-2006:0271-01 2006-04-04
SuSE SUSE-SA:2006:019 2006-03-28
Mandriva MDKSA-2006:060 2006-03-23

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not properly handle shell metacharacters such as '|' and '&' when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created:May 12, 2006 Updated:July 13, 2006
Description: Multiple vulnerabilities have been found in the Linux kernel.
  • An error in the Stream Control Transmission Protocol (SCTP) code, which uses incorrect state table entries when certain ECNE chunks are received in the CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exists when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem.
Alerts:
Red Hat RHSA-2006:0580-01 2006-07-13
Red Hat RHSA-2006:0579-01 2006-07-13
Debian DSA-1103-1 2006-06-27
SuSE SUSE-SA:2006:028 2006-05-31
Red Hat RHSA-2006:0493-01 2006-05-24
Mandriva MDKSA-2006:086 2006-05-18
Trustix TSLSA-2006-0026 2006-05-12

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel: netfilter memory corruption

Package(s):kernel CVE #(s):CVE-2006-2444
Created:May 25, 2006 Updated:July 5, 2006
Description: The 2.6.12 kernel has a memory corruption vulnerability that can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is being network-address-translated.
Alerts:
Mandriva MDKSA-2006:116 2006-07-05
Ubuntu USN-302-1 2006-06-15
Trustix TSLSA-2006-0030 2006-05-26
Mandriva MDKSA-2006:087 2006-05-24

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2006-1343
Created:May 31, 2006 Updated:July 20, 2006
Description: The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
Red Hat RHSA-2006:0437-01 2006-07-20
Debian DSA-1097-1 2006-06-14
Fedora FEDORA-2006-698 2006-06-11
Fedora FEDORA-2006-697 2006-06-11
Trustix TSLSA-2006-0032 2006-06-05
rPath rPSA-2006-0087-1 2006-05-31

Comments (none posted)

libextractor: heap-based buffer overflows

Package(s):libextractor CVE #(s):CVE-2006-2458
Created:May 22, 2006 Updated:May 31, 2006
Description: Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin.
Alerts:
Debian DSA-1081-1 2006-05-29
Gentoo 200605-14 2006-05-21

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2656
Created:May 26, 2006 Updated:June 8, 2006
Description: The tiffsplit command has a problem in the way it handles fixed-size buffers; a stack overflow can result.
Alerts:
Ubuntu USN-289-1 2006-06-08
Debian DSA-1091-1 2006-06-08
Mandriva MDKSA-2006:095 2006-06-05
Fedora FEDORA-2006-592 2006-05-25
Fedora FEDORA-2006-591 2006-05-25

Comments (none posted)

libtiff: denial of service

Package(s):libtiff CVE #(s):CVE-2006-2024
Created:April 28, 2006 Updated:May 31, 2006
Description: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.
Alerts:
Gentoo 200605-17 2006-05-30
Red Hat RHSA-2006:0425-01 2006-05-09
Debian DSA-1054-1 2006-05-09
Mandriva MDKSA-2006:082 2006-05-03
Ubuntu USN-277-1 2006-05-03
SuSE SUSE-SR:2006:009 2006-04-28
Fedora FEDORA-2006-474 2006-04-27
Fedora FEDORA-2006-473 2006-04-27

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

lynx: denial of service

Package(s):lynx CVE #(s):CVE-2004-1617
Created:May 26, 2006 Updated:June 1, 2006
Description: The lynx text-mode web browser has a problem parsing invalid HTML involving the TEXTAREA tag. An infinite loop can occur, resulting in a denial of service.
Alerts:
Debian DSA-1085-1 2006-06-01
Debian DSA-1077-1 2006-05-26
Debian DSA-1076-1 2006-05-26

Comments (1 posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message in MIME multipart format is received, mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 2006-06-09
SuSE SUSE-SR:2006:008 2006-04-07
Debian DSA-1027-1 2006-04-06
Ubuntu USN-267-1 2006-04-03
Mandriva MDKSA-2006:061 2006-03-29

Comments (none posted)

mpg123: buffer overflows

Package(s):mpg123 CVE #(s):CVE-2006-1655
Created:May 24, 2006 Updated:July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Alerts:
Gentoo 200607-01 2006-07-03
Mandriva MDKSA-2006:092 2006-05-26
Debian DSA-1074-1 2006-05-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

mysql: information leaks

Package(s):mysql mysql-dfsg CVE #(s):CVE-2006-1516 CVE-2006-1517
Created:May 8, 2006 Updated:June 23, 2006
Description: Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516)

Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517)

Alerts:
SuSE SUSE-SA:2006:036 2006-06-23
Debian DSA-1079-1 2006-05-29
Debian DSA-1073-1 2006-05-22
Debian DSA-1071-1 2006-05-22
Fedora FEDORA-2006-553 2006-05-17
Fedora FEDORA-2006-554 2006-05-17
Gentoo 200605-13 2006-05-11
Slackware SSA:2006-129-02 2006-05-10
Mandriva MDKSA-2006:084 2006-05-10
Ubuntu USN-283-1 2006-05-08

Comments (1 posted)

nagios: buffer overflow

Package(s):nagios CVE #(s):CVE-2006-2162
Created:May 8, 2006 Updated:May 31, 2006
Description: A buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.
Alerts:
Ubuntu USN-287-1 2006-05-29
Debian DSA-1072-1 2006-05-22
SuSE SUSE-SR:2006:011 2006-05-19
Gentoo 200605-07a 2006-05-07
Ubuntu USN-282-1 2006-05-08
Gentoo 200605-07 2006-05-07

Comments (none posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When xntpd is started with the -u option and the group is specified as a name rather than a numeric gid, the daemon uses the gid of the user, not that of the group. This problem is fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openmotif: buffer overflows

Package(s):openmotif CVE #(s):CVE-2005-3964
Created:December 29, 2005 Updated:July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-854 2006-07-26
Red Hat RHSA-2006:0272-01 2006-04-04
Gentoo 200512-16 2005-12-28

Comments (none posted)

OpenSSH: double shell expansion

Package(s):openssh CVE #(s):CVE-2006-0225
Created:January 23, 2006 Updated:July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp.
Alerts:
Red Hat RHSA-2006:0298-01 2006-07-20
Red Hat RHSA-2006:0044-01 2006-03-07
Ubuntu USN-255-1 2006-02-21
Gentoo 200602-11 2006-02-20
Fedora-Legacy FLSA:168935 2006-02-18
OpenPKG OpenPKG-SA-2006.003 2006-02-18
Slackware SSA:2006-045-06 2006-02-15
SuSE SUSE-SA:2006:008 2006-02-14
Mandriva MDKSA-2006:034 2006-02-06
Fedora FEDORA-2006-056 2006-01-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2006-1990 CVE-2006-1991 CVE-2006-3017
Created:May 25, 2006 Updated:August 18, 2006
Description: The php wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution.

PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service.

A bug in zend_hash_del() allowed attackers to prevent the unsetting of some variables.

Alerts:
Slackware SSA:2006-217-01 2006-08-07
Gentoo 200605-08:02 2006-05-08
Fedora-Legacy FLSA:175040 2006-07-27
Ubuntu USN-320-2 2006-07-26
Red Hat RHSA-2006:0567-01 2006-07-25
Ubuntu USN-320-1 2006-07-19
Red Hat RHSA-2006:0568-01 2006-07-12
Mandriva MDKSA-2006:122 2006-07-13
SuSE SUSE-SA:2006:034 2006-06-22
SuSE SUSE-SA:2006:031 2006-06-14
Mandriva MDKSA-2006:091 2006-05-24

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

pound: HTTP Request Smuggling Attack

Package(s):pound CVE #(s):CVE-2005-3751
Created:January 10, 2006 Updated:June 8, 2006
Description: HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to an HTTP request smuggling attack, which can be exploited to bypass packet filters or poison web caches.
Alerts:
Gentoo 200606-05 2006-06-07
Debian DSA-934-1 2006-01-09

Comments (none posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)

quagga: multiple vulnerabilities

Package(s):quagga CVE #(s):CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
Created:May 15, 2006 Updated:July 24, 2006
Description: Paul Jakma discovered that Quagga's ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223)

Paul Jakma also noticed that ripd accepted unauthenticated RIPv1 response packets if RIPv2 was configured to require authentication and both protocols were allowed. A remote attacker could exploit this to inject arbitrary routes. (CVE-2006-2224)

Fredrik Widell discovered that Quagga did not properly handle certain invalid 'sh ip bgp' commands. By sending special commands to Quagga, a remote attacker with telnet access to the Quagga server could exploit this to trigger an endless loop in the daemon (Denial of Service). (CVE-2006-2276)

Alerts:
Fedora FEDORA-2006-845 2006-07-22
Fedora FEDORA-2006-843 2006-07-22
Red Hat RHSA-2006:0533-01 2006-06-01
Red Hat RHSA-2006:0525-01 2006-06-01
Gentoo 200605-15 2006-05-21
Debian DSA-1059-1 2006-05-19
Ubuntu USN-284-1 2006-05-15

Comments (1 posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

rsync: integer overflow

Package(s):rsync CVE #(s):CVE-2006-2083
Created:May 8, 2006 Updated:June 6, 2006
Description: An integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.
Alerts:
Fedora FEDORA-2006-599 2006-06-05
Fedora FEDORA-2006-601 2006-06-05
Gentoo 200605-05 2006-05-06

Comments (none posted)

scorched3d: multiple vulnerabilities

Package(s):scorched3d CVE #(s):
Created:November 15, 2005 Updated:August 11, 2006
Description: Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user.
Alerts:
Gentoo 200511-12:03 2005-11-15
Gentoo 200511-12 2005-11-15

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

squirrelmail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
Created:February 28, 2006 Updated:June 8, 2006
Description: Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377)

Alerts:
Fedora-Legacy FLSA:190884 2006-06-06
Red Hat RHSA-2006:0283-01 2006-05-03
Gentoo 200603-09 2006-03-12
Debian DSA-988-1 2006-03-08
Fedora FEDORA-2006-133 2006-03-03
Mandriva MDKSA-2006:049 2006-02-27

Comments (none posted)

sudo: vulnerability via scripts

Package(s):sudo CVE #(s):CAN-2005-4158 CVE-2006-0151
Created:December 16, 2005 Updated:September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
Alerts:
Mandriva MDKSA-2006:159 2006-08-31
Debian DSA-946-2 2006-04-08
Slackware SSA:2006-045-08 2006-02-15
SuSE SUSE-SR:2006:002 2006-01-20
Debian DSA-946-1 2006-01-20
Ubuntu USN-235-2 2006-01-09
Ubuntu USN-235-1 2006-01-05
Mandriva MDKSA-2005:234 2005-12-20
Fedora FEDORA-2005-1147 2005-12-16

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

tiff: denial of service

Package(s):tiff CVE #(s):CVE-2006-2120
Created:May 27, 2006 Updated:May 31, 2006
Description: The tiff image library is vulnerable to a denial of service attack. Images with specially crafted Yr/Yg/Yb values that exceed the YCR/YCG/YCB values can cause a crash of the associated application.
Alerts:
Debian DSA-1078-1 2006-05-27

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

typespeed: buffer overflow

Package(s):typespeed CVE #(s):CVE-2006-1515
Created:May 31, 2006 Updated:June 19, 2006
Description: The typespeed game has a buffer overflow in its network data processing code which could possibly be exploited to execute arbitrary code.
Alerts:
Gentoo 200606-20 2006-06-19
Debian DSA-1084-1 2006-05-31

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
Alerts:
Debian DSA-1136-1 2006-08-02
Mandriva MDKSA-2005:138-1 2005-09-19
Debian DSA-780-1 2005-08-22
SuSE SUSE-SR:2005:019 2005-08-19
Fedora FEDORA-2005-732 2005-08-17
Fedora FEDORA-2005-733 2005-08-17
Gentoo 200508-08 2005-08-16
Fedora FEDORA-2005-730 2005-08-15
Fedora FEDORA-2005-729 2005-08-15
Mandriva MDKSA-2005:136 2005-08-11
Mandriva MDKSA-2005:135 2005-08-11
Mandriva MDKSA-2005:134 2005-08-11
Mandriva MDKSA-2005:138 2005-08-11
Red Hat RHSA-2005:708-01 2005-08-10
Red Hat RHSA-2005:706-01 2005-08-09
Red Hat RHSA-2005:671-01 2005-08-09
Red Hat RHSA-2005:670-01 2005-08-09
Ubuntu USN-163-1 2005-08-09

Comments (none posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

xzgv: heap overflow

Package(s):xzgv CVE #(s):CVE-2006-1060
Created:April 21, 2006 Updated:June 12, 2006
Description: Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render the image, data from the image overruns a heap allocated buffer.
Alerts:
Gentoo 200604-10:02 2006-04-21
Debian DSA-1038-1 2006-04-22
Debian DSA-1037-1 2006-04-21
Gentoo 200604-10 2006-04-21

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current stable 2.6 kernel is 2.6.16.20, released on June 5. This one contains several fixes for serious problems; none of them look immediately security-related, however.

The current 2.6 prepatch is 2.6.17-rc6, released on June 5. There are enough fixes here that Linus decided to do one more -rc release. Details can be found in the long-format changelog.

No patches have been merged into the mainline repository since -rc6, as of this writing.

The current -mm tree is 2.6.17-rc6-mm1. Recent changes to -mm include improved force feedback support in the input driver and a large number of patches related to the locking validator.

Comments (none posted)

Kernel development news

Quote of the week

The older policy was to get stuff roughly right, merge it into a tree then beat on it. Now everyone is blocking anything that is the slightest imperfect which makes it impossible to add anything large to the tree because it will *never* be perfect before a merge and hack session and it will never be perfect in everyone's eyes...

Perfection is the enemy of progress and of success. We risk moving back to the case we got into in 2.4 when merging got so hard that most vendors shipped kernels bearing no relationship to the "upstream" tree. Probably worse this time as there is no common "unofficial" tree like -ac so they will all ship different variants and combinations.

-- Alan Cox

Comments (14 posted)

What's not going into 2.6.18

The 2.6.17 development cycle is coming to an end, with the final release likely to happen before the middle of June. So, naturally, the attention of the kernel developers is turning toward the 2.6.18 cycle. As a way of encouraging thought on what should happen then, Andrew Morton has posted a 2.6.18 merge plan summary describing how he expects to dispose of the patches currently sitting in the -mm tree. There has been occasional talk of doing a bugfix-only kernel cycle, but it's clear that 2.6.18 won't be that cycle - there are a lot of patches tagged for merging.

The features which are expected to be merged are interesting, but they are best discussed once they hit the mainline repository; until then, their fate remains uncertain. So, for now, suffice to say that 2.6.18 will likely include an S/390 hypervisor filesystem, a number of memory management patches, some software suspend improvements, a new i386 hardware clock subsystem, some SMP scheduler improvements, the swap prefetch patches (maybe), priority-inheriting futexes, a rework of the /proc/pid code, a number of MD (RAID) improvements, a new kernel-space inotify API, and a bunch of code from subsystem trees which does not appear in -mm directly. As is usual, a great deal of code will be flowing into the mainline for the next release.

It can also be interesting to look at what will not be merged. From Andrew's posting, the following big patch sets are likely to be held back:

  • There is a great deal of code which requires action by various subsystem maintainers. But, says Andrew, "I continue to have some difficulty getting this material processed." He will step up his efforts to get responses from maintainers, but some patches will likely continue to languish.

    In particular, some dismay has been expressed regarding how long it can take to get drivers into the mainline. It seems that, perhaps, the quality bar is being set too high. It is always possible to find things to criticize in a body of code, but sometimes the best thing to do is to proceed with the code one has and improve it as part of an ongoing process. There is concern that reviewers are insisting on perfection and keeping out code which is good enough, and which could be of value to Linux users.

  • The acx100 driver supports a useful range of wireless chipsets. Unfortunately, there are some concerns about how this driver was developed and whether its inclusion could cause legal problems for Linux. Until that issue is resolved, this driver is likely to remain out in the cold.

  • The per-task delay accounting patches are sitting on the edge. The main concern here appears to be that these patches create a new interface for getting per-task information from the kernel. Any other new code which exports that sort of information (and a number of patches exist) will be expected to use this new API. So more review and discussion may be called for here. There is also a separate patch set for non-task-oriented statistics which will probably not be merged this time around for the same reason.

  • eCryptfs is uncertain as well. This filesystem implements its own mechanism for stacking on top of a base filesystem, but the primary reviewer would rather see the creation of a generic stacking layer for all to use. This is an issue which is often encountered by people trying to do new things; they are asked to make their infrastructure more generic. The intent is good, but it can cause delays and extra work for developers trying to add new features.

  • The UTS namespaces patch. This patch, which implements a small part of the container concept, is not particularly useful on its own. So it will probably wait until more of the container infrastructure is in place.

  • The adaptive readahead patches are deemed to be too young for now. Some benchmark results show significant performance improvements from these patches, but others are less clear.

  • Reiser4. Says Andrew: "We need to do something about this. It does need an intensive review and there aren't many people who have the experience to do that right, and there are fewer who have the time. Uptake by a vendor or two would be good." This filesystem has been waiting on the sidelines for a very long time, and no prospective merge is yet in sight.

  • The generic IRQ code is said to be "still stabilizing" and more likely to be merged in 2.6.19. That is also the case for the lock validator.

All of this is subject to change when the merge window actually opens. Developers are making cases for specific patches; Ingo Molnar is asking for reconsideration of the generic IRQ and lock validator patches, for example. Watch this space in the coming weeks to see what really happens.

Comments (8 posted)

Putting a lid on USB power

Kernel bugs are bad news. Among the worst bugs are regressions - situations where a once-working system breaks after a kernel upgrade. The kernel developers have been taking an increasingly hard line against regressions; patches which break working systems will usually be reverted, even if those patches fix other problems. The idea, as pushed by Linus, is that once a system works, it should continue to work into the future.

As it happens, a number of USB users have found that, on upgrading to 2.6.16, their systems do not work anymore. But, in this case, this "regression" is not seen as such by the developers and is not likely to change. This issue is a good demonstration of the sort of tradeoffs which operating systems developers must make.

USB ports can supply power to the devices plugged into them; this power is sufficient to drive many devices, as well as totally unrelated items (such as USB-powered LED lamps). There are limits to the amount of power which can be supplied, however. USB devices will communicate their maximum current draw to the host, which can then decide whether it has the capacity available or not. If sufficient power is not available, the device will not be allowed to configure itself and operate.

There are many rules in the USB specification on how power configuration should work. One of those applies to unpowered USB hubs - the ones which lack a power supply of their own. The total current drawn by an unpowered hub cannot be allowed to exceed what the host can supply; in particular, the USB specification limits devices on unpowered USB hubs to 100 mA of current. Even if only one hub port is in use, that single port is limited to that value, despite the fact that a larger draw should work in that situation.

Prior to 2.6.16, the Linux kernel did not actually check power requirements before configuring devices. With 2.6.16, however, any device whose stated maximum power requirement exceeds 100 mA will not be allowed to configure itself on an unpowered hub. Thus, devices which worked in that mode in earlier kernels now fail to operate; not all users are entirely pleased.

The argument has been made that, since these configurations almost always work in the real world, the kernel should not be shutting them down now. The fact is, however, that running hardware outside of its specifications is always a dangerous thing to do. Often one will get away with it, but sometimes things can fail badly. A fairly large class of USB devices are mass storage devices; the consequences of power-related problems with these devices could include corrupted data and damaged hardware. These are not consequences which the USB developers wish to inflict on their users, so, instead, they refuse to operate devices out of their specifications.

To the developers, the fact that some previously-working hardware now fails to operate is not a regression. It is a bug fix, with the kernel finally performing some due diligence which should have been happening all along. They do not intend to change this behavior.

As it happens, it is possible to convince the kernel to override its good sense and configure the device anyway. It is not easy, however. Essentially, the steps are this:

  • Run lsusb -v and find the entry for the device of interest. Your editor's USB mouse, for example, is described by an entry starting "Bus 001 Device 003: ID 046d:c01b Logitech, Inc. MX310 Optical Mouse". This mouse is plugged into a hub listed previously as being "Bus 001, Device 002". Together, these numbers turn into a path number "1-2.3". This number is important.

  • Under that same device entry will be found one or more possible device configurations, along with their associated power requirements. Each of these configurations includes a bConfigurationValue number describing it. The number associated with the desired configuration must be found; in many cases it is one.

  • Force the device configuration with a line like:

        echo -n 1 > /sys/bus/usb/devices/1-2.3/bConfigurationValue
    

    The configuration values and path number must be replaced with the actual values determined from the lsusb output.
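The lsusb fields the steps above rely on, and the 100 mA rule the 2.6.16 kernel applies, can be modelled in user space. The following is an added example written for this page; it is not kernel code, not part of lsusb, and the lsusb -v excerpt it parses is constructed (only the field names bConfigurationValue and MaxPower follow real lsusb output). It picks out each configuration's declared maximum draw and reports which one the kernel would accept on an unpowered hub, i.e. the value one would write to bConfigurationValue.

```c
/* usb_power_check.c: constructed user-space model of the 2.6.16 rule.
 * Not kernel or lsusb code; the embedded lsusb -v text is made up. */
#include <stdio.h>
#include <string.h>

#define UNPOWERED_HUB_BUDGET_MA 100   /* per-port limit on a bus-powered hub */
#define MAX_CONFIGS 8

struct usb_config {
    int value;      /* bConfigurationValue */
    int max_power;  /* MaxPower in mA */
};

/* Constructed lsusb -v fragment: a device offering a 500 mA configuration
 * and a 100 mA fallback configuration. */
static const char sample_lsusb[] =
    "Bus 001 Device 003: ID 0000:0000 Example device (constructed)\n"
    "  Configuration Descriptor:\n"
    "    bConfigurationValue     1\n"
    "    MaxPower              500mA\n"
    "  Configuration Descriptor:\n"
    "    bConfigurationValue     2\n"
    "    MaxPower              100mA\n";

/* Scans lsusb -v text line by line and collects (bConfigurationValue,
 * MaxPower) pairs. Returns the number of configurations found. */
int parse_configs(const char *text, struct usb_config *out, int max)
{
    int n = 0, pending_value = -1;
    const char *line = text;

    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[160];
        int v;

        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (sscanf(buf, " bConfigurationValue %d", &v) == 1) {
            pending_value = v;
        } else if (sscanf(buf, " MaxPower %dmA", &v) == 1 && pending_value >= 0) {
            out[n].value = pending_value;
            out[n].max_power = v;
            n++;
            pending_value = -1;
        }
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* The 2.6.16 policy: on an unpowered hub a configuration is allowed only
 * if its declared maximum draw does not exceed the 100 mA budget. */
int config_allowed(const struct usb_config *c, int hub_is_powered)
{
    return hub_is_powered || c->max_power <= UNPOWERED_HUB_BUDGET_MA;
}

/* Returns the first bConfigurationValue the kernel would accept on the
 * given hub type, or -1 if no configuration fits. */
int first_allowed_config(const char *lsusb_text, int hub_is_powered)
{
    struct usb_config cfg[MAX_CONFIGS];
    int n = parse_configs(lsusb_text, cfg, MAX_CONFIGS);
    for (int i = 0; i < n; i++)
        if (config_allowed(&cfg[i], hub_is_powered))
            return cfg[i].value;
    return -1;
}

int main(void)
{
    struct usb_config cfg[MAX_CONFIGS];
    int n = parse_configs(sample_lsusb, cfg, MAX_CONFIGS);
    for (int i = 0; i < n; i++)
        printf("config %d: %d mA -> %s on an unpowered hub\n", cfg[i].value,
               cfg[i].max_power, config_allowed(&cfg[i], 0) ? "allowed" : "refused");
    printf("value to write to bConfigurationValue: %d\n",
           first_allowed_config(sample_lsusb, 0));
    return 0;
}
```

On the constructed input the 500 mA configuration is refused on an unpowered hub and configuration 2 is the one the kernel would accept; a device whose every configuration exceeds the budget yields -1, which is exactly the case where the manual override (or a powered hub) is the only way forward.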

Needless to say, this sequence of steps is not entirely easy - and it must be repeated each time the device is plugged in. For those who are comfortable writing udev rules, this configuration change can be automated without too much trouble. Perhaps the desktop environments will eventually be made smart enough to detect this situation and offer (with suitable scary warnings) to override the kernel for specific devices. But it might just be better to buy a powered hub or plug the device directly into the host.

Comments (14 posted)

SMPnice

A great deal of work has gone into making the Linux scheduler work well on multiprocessor systems. Whenever it appears to make sense, the scheduler will shift processes from one CPU to another in order to keep all CPUs equally busy (in an approximate sense), but, since moving a process is expensive, the scheduler tries to avoid unnecessary moves. SMP performance was problematic on early 2.6 releases, but it has been reasonably solid for the last couple of years.

There is one situation, however, where the current scheduler does not work as well as one would like. Imagine a simple system with two processors. If two CPU-bound processes, each running at normal priority, are started on this system, the scheduler will eventually run one process on each CPU. If two niced (low-priority) processes (also CPU-bound) are then started, one would normally expect the scheduler to ensure that those processes get less CPU time than the normal-priority processes.

If the processes are distributed such that one normal-priority and one low-priority process end up on each CPU, that expectation will be met; the low-priority processes will get a relatively small amount of CPU time. It is just as likely, however, that both normal-priority processes will end up on the same CPU, with the two low-priority processes on the other. In this case, the two normal-priority processes will be contending for the same CPU, while the low-priority processes fight for the other. As a result, the low-priority processes will get as much CPU time as the others, their reduced priority notwithstanding. That is almost certainly not what the user had in mind when the process priorities were set.

The problem is that the scheduler looks only at the length of the run queue on each CPU, without taking priorities into account. So, in either case above, the CPUs appear to be equally busy, and no redistribution of processes will occur. To fix this problem, the load balancing code must be made to understand that not all running processes are created equal.

A solution can be found in the "smpnice" patch set, implemented by Peter Williams with input from a number of other developers. The smpnice code changes the load balancer so that it does not just look at run queue lengths. Instead, each process is assigned a "load weight," which is derived from its priority. When load balancing decisions are made, the scheduler compares total load weights rather than the length of the run queues. If a load weight imbalance is detected, the scheduler will move a process to bring things back into line. If the imbalance is large, high-priority processes will be moved; when the imbalance is small, however, a low-priority process will be moved instead.

The basic idea makes sense, but this set of patches has been a long time in development. The scheduling code is full of subtle heuristics which are easily upset. So early versions of the smpnice patches caused benchmark regressions and ran into a number of difficulties. For example, a processor running a very high-priority process will tend to appear to be the most heavily loaded, with the result that load balancing no longer occurs between other processors on the system. This problem was fixed by ignoring processors which have no processes which can be moved. Some load balancing heuristics which would move high-priority processes were broken, resulting in suboptimal scheduling decisions; now, if a process would have the highest priority on the new CPU, it is considered first for moving. Various stability problems, where processes would oscillate between processors, have also been ironed out.
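To make the difference between queue-length balancing and load-weight balancing concrete, here is an added user-space simulation written for this page. It is not the smpnice patch or any kernel code: the weight formula (nice 0 weighs 1024, each nice step scales by 1.25) and the move heuristic (a large imbalance moves the heaviest task, a small one moves the lightest) are assumptions chosen to illustrate the behaviour described above, not the kernel's actual tables. It builds the two-CPU scenario from the text, shows that the old view sees equal queue lengths and therefore no work to do, then balances by weight until each CPU holds one normal-priority and one niced task.

```c
/* smpnice_sim.c: constructed user-space model of load-weight balancing.
 * Not kernel code: the weight formula and the move heuristic are
 * assumptions chosen to illustrate the behaviour described above. */
#include <stdio.h>
#include <string.h>

#define NCPU      2
#define MAX_TASKS 8

struct task { const char *name; int nice; };        /* nice: -20 .. 19 */
struct cpu  { struct task rq[MAX_TASKS]; int nr; }; /* nr: run queue length */

/* Assumed weight mapping: nice 0 weighs 1024, each nice step scales by 1.25. */
int load_weight(int nice)
{
    double w = 1024.0;
    for (int n = nice; n > 0; n--) w /= 1.25;
    for (int n = nice; n < 0; n++) w *= 1.25;
    return (int)(w + 0.5);
}

int cpu_load_weight(const struct cpu *c)
{
    int total = 0;
    for (int i = 0; i < c->nr; i++) total += load_weight(c->rq[i].nice);
    return total;
}

/* The pre-smpnice view: the CPUs look balanced if queue lengths match. */
int balanced_by_queue_length(const struct cpu cpus[NCPU])
{
    return cpus[0].nr == cpus[1].nr;
}

void enqueue(struct cpu *c, const char *name, int nice)
{
    c->rq[c->nr].name = name;
    c->rq[c->nr].nice = nice;
    c->nr++;
}

static void dequeue(struct cpu *c, int idx)
{
    memmove(&c->rq[idx], &c->rq[idx + 1], (c->nr - idx - 1) * sizeof c->rq[0]);
    c->nr--;
}

/* One balancing pass by load weight. Returns the name of the task moved,
 * or NULL when no move would reduce the weight difference. Heuristic
 * (assumed): a large imbalance can absorb the heaviest, i.e. highest-
 * priority, task, so move that; a small imbalance moves the lightest. */
const char *balance_by_weight(struct cpu cpus[NCPU])
{
    int w0 = cpu_load_weight(&cpus[0]), w1 = cpu_load_weight(&cpus[1]);
    struct cpu *src = w0 >= w1 ? &cpus[0] : &cpus[1];
    struct cpu *dst = w0 >= w1 ? &cpus[1] : &cpus[0];
    int diff = w0 >= w1 ? w0 - w1 : w1 - w0;
    int heavy = -1, light = -1, pick;

    for (int i = 0; i < src->nr; i++) {
        int w = load_weight(src->rq[i].nice);
        if (heavy < 0 || w > load_weight(src->rq[heavy].nice)) heavy = i;
        if (light < 0 || w < load_weight(src->rq[light].nice)) light = i;
    }
    if (heavy < 0 || dst->nr >= MAX_TASKS) return NULL;

    /* Moving a task of weight w only helps while w is below the difference. */
    pick = load_weight(src->rq[heavy].nice) < diff ? heavy
         : load_weight(src->rq[light].nice) < diff ? light : -1;
    if (pick < 0) return NULL;

    const char *name = src->rq[pick].name;
    enqueue(dst, name, src->rq[pick].nice);
    dequeue(src, pick);
    return name;
}

/* Repeats balancing passes until none helps; returns the number of moves. */
int balance_until_stable(struct cpu cpus[NCPU])
{
    int moves = 0;
    while (moves < 100 && balance_by_weight(cpus) != NULL) moves++;
    return moves;
}

/* The two-CPU case from the text: both normal-priority tasks land on CPU 0
 * and both niced tasks on CPU 1. */
void setup_scenario(struct cpu cpus[NCPU])
{
    memset(cpus, 0, NCPU * sizeof cpus[0]);
    enqueue(&cpus[0], "A", 0);
    enqueue(&cpus[0], "B", 0);
    enqueue(&cpus[1], "C", 19);
    enqueue(&cpus[1], "D", 19);
}

int main(void)
{
    struct cpu cpus[NCPU];
    int moves;
    setup_scenario(cpus);
    printf("queue lengths equal: %s; weights cpu0=%d cpu1=%d\n",
           balanced_by_queue_length(cpus) ? "yes" : "no",
           cpu_load_weight(&cpus[0]), cpu_load_weight(&cpus[1]));
    moves = balance_until_stable(cpus);
    printf("moves: %d; weights cpu0=%d cpu1=%d\n", moves,
           cpu_load_weight(&cpus[0]), cpu_load_weight(&cpus[1]));
    return 0;
}
```

The first pass sees a large imbalance (2048 against 30) and moves a normal-priority task; the second sees a small one (1024 against 1054) and moves a niced task instead, which is the two-sided heuristic the article describes. Both CPUs end up with one task of each priority, the outcome a queue-length balancer would never have reached because it saw two equally long queues from the start.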

With all of these fixes applied, the smpnice code appears to be stabilizing, with the result that it might just make it into the 2.6.18 kernel. That should improve life for people running multiple-priority workloads on SMP systems.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

  • Marco Costalba: qgit 1.3. (June 5, 2006)
  • Jonas Fonseca: tig 0.4. (June 6, 2006)

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

The ROCK Linux Mission Statement

The ROCK Linux distribution has a new Mission Statement, even more recently revised. "After 10 years of ROCK, we felt it's about time ;)." There is a new roadmap too.

ROCK Linux is one of the oldest projects that provides a Linux Distribution Build Kit. That is, ROCK Linux provides the tools you need to create a customized distribution from source packages.

The Crystal ROCK target ISO image is available for those who want a quick start and it is used as a test case for ROCK Linux. One part of the mission statement is to test and guarantee functionality of the basic packages, including Crystal ROCK. This includes issuing security advisories and maintaining errata documents.

The ROCK Linux Build System uses shell scripts to keep it easy to modify the build to your requirements. Support is provided for Alpha AXP, ARM, HPPA-RISC, IA-64, MIPS, PowerPC, Sparc, x86 and x86_64. According to the roadmap, ROCK developers are working on hal/dbus integration, udevtrigger/udevsettle integration into bootdisk and /etc/initscript, hotplug rules for udev, and more for the next release. A new installer will be in the works after that. While there has not been a new release of ROCK Linux for some time, one is planned for the near future.

So check out the ROCK Linux Manual and build the distribution that's right for you.

Comments (none posted)

New Releases

Xandros Releases 64-bit Xandros Server

Xandros has announced that the Xandros Server now supports 64-bit processors from Intel and AMD. Support for Intel® EM64T and AMD64® processors will be provided to Xandros customers at no additional charge.

Full Story (comments: none)

Ubuntu 6.06 LTS released

It's official: Ubuntu 6.06 LTS (once known as "Dapper Drake") has been released. Click below for the full announcement, which includes download information and a summary of new features. Kubuntu 6.06 LTS and Xubuntu 6.06 are also available.

Full Story (comments: 3)

SUSE Linux 10.1 Live DVD available

The SUSE Linux 10.1 Live DVD is available for download now.

Full Story (comments: none)

Fedora Core 5 Re-Spin Released

The Fedora project has made new Fedora Core 5 "Re-Spin" disc images available. "The Fedora Unity Project is proud to announce the release of DVD ISO Re-Spins of Fedora Core 5. These ISOs are based upon Fedora Core 5 and all updates released as of May 23rd, 2006. They are available for i386 and x86_64 architectures as of Wednesday, May 31st, 2006 via BitTorrent. The x86_64 Re-Spin is currently available for testing only."

Full Story (comments: 3)

Distribution News

Debian 3.0 ("woody") support ends June 30

The Debian Project has announced that Debian 3.0, otherwise known as "woody," will be unsupported after June 30. Any remaining woody users probably want to make the jump to "sarge" by then.

Full Story (comments: none)

Debian IRC Network moves to OFTC

It is official. "Starting with today the Debian IRC host alias irc.debian.org directs to irc.oftc.net maintained by the Open and Free Technology Community (OFTC). An increasing number of online discussions has been taking place in this network already despite irc.debian.org pointing to a different network. In recognition of that, Debian has decided to move the irc.debian.org alias over."

Full Story (comments: none)

Creation of the debian-publicity list

The debian-publicity team has been created to help create a better public image for the Debian Project. "We held a BoF at DebConf6 about "Representing Debian". We discussed many topics and this mail is not intended as an exhaustive summary (you will have to wait for the video recording to watch the discussion). Instead it's just a notice that things are changing and that you're invited to help us improve Debian's image."

Full Story (comments: none)

Summary of Debconf i18n/l10n activities

Christian Perrier presents a summary of the i18n/l10n activities at DebConf. "The work on internationalisation (i18n) and localisation (l10n) at Debconf6 has been particularly interesting and productive. The main topic has been the discussion on l10n infrastructure, both summarizing existing features and services (most of them being summarized in the paper I published along with Javier Fernandez Sanguino) and future features."

Full Story (comments: none)

GCC 4.1 now the default GCC version for Debian etch

The compilers from GCC 4.1 now provide the default compiler for etch for Ada, C, C++, ObjC, ObjC++, Fortran95 and for the Java language. The packages should be in the archive now.

Full Story (comments: none)

Ubuntu begins Edgy development

The initial timeline for Edgy development has been posted. Much of the planning for Edgy will take place at the Paris summit so proposals need to be submitted before then. The deadline for proposing specifications is June 12, 2006.

The Ubuntu Hardened team is setting goals for proactive security in Edgy. "There is already a Proactive Security Roadmap, created originally as a Breezy specification but never brought to fruition. The specification for this details several steps that can be taken to reduce the risk of exploitation of existing vulnerabilities. This e-mail contains my suggestions for first steps that should be taken to give Ubuntu users the benefit of largely increased security."

Comments (none posted)

The problem of Firefox in Ubuntu Breezy

For those of you running Ubuntu 5.10 ("breezy"), the following message on security support for Firefox in that release is worth reading. Essentially, the Ubuntu developers are in a bind because the current round of Firefox security fixes is impossible to backport to the 1.0.8 release shipped in breezy, and, in any case, they suspect that security fixes beyond those which have been officially acknowledged are present in 1.5.0.4. So the chances are that breezy users will need to upgrade Firefox to 1.5.0.4. This situation is likely to repeat itself over the lifetime of the current "dapper" release, which will have support (for desktop components) for three years.

Full Story (comments: 50)

Fedora Project Board Update

A summary of the June 6 Fedora Project Board meeting is available. Among the topics discussed were version control, infrastructure, possibilities for the next FUDCon, Fedora Legacy, the testing project announced at the Red Hat Summit, and more.

Comments (none posted)

rPath releases alpha version of rMake

rPath Linux has announced an alpha version of rMake. "rMake is a new tool for building software using Conary in a simple, controlled way. Before rMake, you had to install the right software on your system in order to use "cvc cook" to build a package. With rMake, a fresh clean build chroot is created automatically with everything a package needs to build--and only those items."

Full Story (comments: none)

New Distributions

Report from the "Dzongkha Linux launch"

Christian Perrier reports on the "Dzongkha Linux launch". Dzongkha is the national language of Bhutan, a country located between India and China. The Bhutan Department of Information Technology (DIT) has built a complete system with complete support for the Dzongkha language. "The system is based on Linux and more specifically on Debian. It consists of one CD which can be either installed or used as a live CD (the installation system is using Morphix, not D-I which was not ready at that moment)."

Full Story (comments: none)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for June 6, 2006 covers the increased performance of debtags, the trustability of the web of trust, the end of support for Woody, improving Debian's publicity, Debian Conference 6: hot, spicy and working hard, Debian IRC moves to OFTC, and several other topics.

Full Story (comments: none)

Fedora Weekly News Issue 49

This week the Fedora Weekly News covers Fedora Core 5 Re-Spin 20060523 released, the Fedora Interview Program, Fedora People at Red Hat Summit 2006, news coverage on Red Hat Summit 2006, adding new RPM packages to a fedora DVD, 45 Minutes to a Moodle Education Server, Red Hat Turns Over Testing Tools To Fedora, and several other topics.

Comments (none posted)

Ubuntu Weekly Newsletter - Issue #1

The first issue of the Ubuntu Weekly Newsletter looks at a new look for www.ubuntu.com, Dapper release parties, Java in Multiverse, VMware Player in Multiverse, Ubuntu 6.06 LTS released, Kubuntu 6.06 LTS released, Edubuntu 6.06 LTS released, Xubuntu 6.06 released, the Paris Developers Summit, Edgy Eft Ideas and more.

Full Story (comments: none)

DistroWatch Weekly, Issue 154

The DistroWatch Weekly for June 6, 2006 is out. "The long-awaited version 6.06 of the Ubuntu family of Linux distributions dominated the headlines of many open source news sites last week; we'll comment on the release and share our first impressions of the new product. In other news, the second Red Hat Summit, concluded last week, was characterised by the launch of several new initiatives, while the Debian release team has been busy finalising the feature set for the December release of Debian "etch". Also, don't miss our opinion piece about the changing landscape of Linux users prompted by the recent release of the binary-only Picasa photo management software for Linux. Finally, we are pleased to announce that the May 2006 DistroWatch donation has been awarded to LilyPond and Lua."

Comments (none posted)

Minor distribution updates

Ark Linux 2006.1-rc2 and Ark Linux Live 2006.1-rc2 released

The Ark Linux team has announced the immediate availability of Ark Linux 2006.1-rc2 and Ark Linux Live 2006.1-rc2. "This is the last release candidate of Ark Linux 2006.1, which will be released as soon as OpenOffice.org 2.0.3 and kernel 2.6.17 are released and integrated. The current release candidate includes prerelease versions of those."

Full Story (comments: none)

dyne:bolic 2.0 codename DHORUBA

dyne:bolic has announced the release of dyne:bolic 2.0 codename DHORUBA. "The brand new 2.0 "DHORUBA" release comes out after two years of development and it's a complete rebuild and rewrite of the whole system, it brings new possibilities in customizing the running system and makes it modular and very easy to include new software, much more usable and maintainable than before."

Comments (none posted)

Package updates

Fedora updates

Updates for Fedora Core 5: eclipse (bump for FC5), perl-String-CRC32 (upgrade to upstream version 1.4), texinfo (bug fix), alsa-lib (bug fix), procps (bug fix), policycoreutils (bump for FC5), gnome-media (upgrade to stable upstream version), yelp (upgrade to stable upstream version), hal (patched), gnome-applets (upgrade to stable upstream version), file-roller (upgrade to stable upstream version), pam (upgrade to latest upstream version), sound-juicer (upgrade to latest upstream version), vte (upgrade to latest upstream version), nautilus-cd-burner (upgrade to stable upstream version), gnome-desktop (upgrade to stable upstream version), epiphany (update to 2.14.2.1), eog (upgrade to stable upstream version), gtk2 (update to 2.8.18), glib2 (update to 2.10.3), gnome-session (upgrade to stable upstream version), gnome-screensaver (upgrade to stable upstream version), pango (upgrade to stable upstream version), evolution-data-server (update to 1.6.2), libsoup (update to 2.6.2), evolution-connector (update to 2.6.2), evolution (update to 2.6.2), gnome-games (upgrade to stable upstream version), gnome-themes (latest stable upstream release), gedit (latest stable upstream release), gnome-terminal (latest stable upstream release), totem (latest stable upstream release), gthumb (latest stable upstream release), gnome-utils (update zenity to 2.14.2), gnome-vfs2 (latest stable upstream release), libwnck (latest stable upstream release), control-center (latest stable upstream release), gnome-backgrounds (update to 2.14.2.1), module-init-tools (added blacklist-compat), evolution (fix broken dependencies), evolution-webcal (rebuild for new evolution-data-server).

Updates for Fedora Core 4: texinfo (bug fix), procps (bug fix), libbtctl (update for FC4), gnome-bluetooth (update for FC4)

Updates for Fedora Extras 5: dia (security fix).

Comments (none posted)

Mandriva updates

Mandriva has updated xorg-x11 packages to address a bug with keyboard layouts.

Full Story (comments: none)

rPath updates

rPath Linux has updated conary (maintenance release), cElementTree (add the turbogears suite), conary again (bug fixes), and booty and mkinitrd (better Xen support).

Comments (none posted)

Slackware updates

This week the Slackware current change log shows that the linux-2.6.16.19 kernel packages that entered testing on May 31 have already been upgraded to linux-2.6.16.20 kernel packages. Other upgrades include subversion, gkrellm, jfsutils, apache, KDE and more.

Comments (none posted)

Trustix Secure Linux updates

Trustix has fixed various bugs in mrtg and ntp.

Full Story (comments: none)

Newsletters and articles of interest

Customizing Dynebolic version 2 (Linux.com)

Linux.com covers the creation of a customized live CD using Dynebolic. "Dynebolic is a live CD distro packed with tools for working with sound and video files. Dynebolic uses the Squashfs filesystem to fit a lot of applications into a small space, along with a speed-tweaked kernel and the tools to perform well on low-end equipment. The upcoming Dyne:II release also lets you add and remove tools to create your own custom version of the distro. Here's how."

Comments (none posted)

Multi Distro is Linux times 9 on a single CD-R (Linux.com)

Linux.com takes a look at Multi Distro. "Multi Distro includes nine live CD Linux distributions in one ISO file that you can burn to a single disc. It uses the GRUB boot loader to present the user with a main menu from which they can choose which distro they want to run. By showing you how to make your own live CD composed of multiple live CD distros, Multi Distro packs a big punch."

Comments (none posted)

The Perfect Setup - Ubuntu 6.06 LTS Server (HowtoForge)

HowtoForge shows how to set up a Ubuntu 6.06 LTS (Dapper Drake) server that offers all services needed by ISPs and hosters.

Comments (none posted)

My desktop OS: Zeta (NewsForge)

NewsForge looks at BeOS based Zeta. "Zeta is based on the Be Operating System (BeOS). I have used BeOS since the free BeOS 5 Personal Edition was released in 2000, and its ease of use, quick boots, and minimal hardware requirements allowed BeOS to take full advantage of my computer, which had a 300MHz Celeron CPU, 64MB RAM, and 3dFX Voodoo 3 video adapter. Unfortunately, BeOS developer Be Inc. disbanded by the end of 2001, leaving an operating system that was unable to have more than 1GB of RAM, couldn't support up-to-date AMD and Intel CPUs without special boot disks, and lacked support for hard drives with more than 80GB of space and newer video cards."

Comments (none posted)

Distribution reviews

Review: CCux Linux (Linux.com)

Linux.com has a review of CCux Linux. "CCux Linux is a performance-oriented distribution whose main idea is to remove everything that is not i686-related, such as old compatibility packages, and to have everything from the kernel up compiled in the i686 flavor. Last month's release of CCux version 0.9.8 is also an up-to-date distro, having kernel 2.6.16, KDE 3.5.2, and Firefox 1.5.0.2. I found it to be a damn good distro."

Comments (none posted)

Damn Small Linux sneaks up on v3.0 (DesktopLinux)

DesktopLinux looks at the first release candidate of Damn Small Linux (DSL) 3.0. "The Damn Small Linux (DSL) project shipped the first release candidate of version 3.0 of its 49.5 MB bootable live CD distribution May 29. The changelog notes nine key feature updates in the new edition, including new sample unc extensions, abiword, cups, and opera852."

Comments (1 posted)

Puppy Linux arrives at v2.0 (DesktopLinux)

DesktopLinux covers the 2.0 release of Puppy Linux. ""This is a major upgrade from the 1.xx series," the project team said in the release announcement. "How to summarize five months' work? The graphical user interface is much the same, as most work has been on the underlying architecture. In a nutshell, the fundamental architecture and boot-up/shutdown scripts are a total rewrite, from scratch, no relationship to any other distro.""

Comments (none posted)

STX Linux: A second life for older hardware (Linux.com)

Linux.com looks at STX Linux on older hardware. "Creator Michael "STIBS" Stibane calls STX Linux "a desktop Linux distribution especially targeted to older hardware." I tested version 1.0 of the Slackware 10.2-based distro on an old laptop with a 300MHz Celeron processor, 80MB of RAM, and a 4GB hard disk. I found this young distro for old hardware has promise."

Comments (none posted)

Ubuntu's Dapper Drake is one impressive Linux distro (Linux-Watch)

Linux-Watch reviews Ubuntu 6.06 LTS. "I took the slowest and oldest of my regular test systems, a 120MHz Pentium with a 10GB hard-drive and 64MB of RAM. This system normally runs NT 4.0 for testing older Windows networking. I was able to quickly and easily install Ubuntu Server."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The current state of the BusyBox project

June 7, 2006

This article was contributed by Rob Landley

My name is Rob Landley, and I'm the new maintainer of BusyBox.

BusyBox is a small and simple implementation of a set of standard Linux command line utilities. A minimal system built from BusyBox, the uClibc C library for embedded Linux and a stripped down version of the 2.6 Linux kernel known as Linux-Tiny provides a complete Linux command line environment that can boot in 4 megabytes of RAM from less than 2 megabytes of disk space. This makes BusyBox very popular for use in embedded Linux systems.

A Linux system built from just six packages (BusyBox, uClibc, Linux, GCC, binutils, and make) provides a build environment that can recompile itself from source code. In its default configuration, the 1.2.x versions of BusyBox will provide at least minimal replacements for twenty-one standard packages: bzip2, coreutils, dhcp, diffutils, e2fsprogs, file, findutils, gawk, grep, inetutils, less, modutils, net-tools, procps, sed, shadow, sysklogd, sysvinit, tar, util-linux, and vim. All of these utilities are provided by a single executable that is less than 1 megabyte in size.

BusyBox's "swiss army knife" design is one of its most noticeable space-saving features. One binary file has many symbolic links pointing to it, named for the commands that BusyBox replaces. BusyBox determines which applet to behave as by examining argv[0] to see which name it was called under.
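The argv[0] dispatch described above, written out as an added illustration (this is not BusyBox source, and the applet set, the binary's own name "multicall" and the exit status 127 for an unknown applet are this example's assumptions). Each symlink installed for the binary maps, by its last path component, to an entry in an applet table; invoking the binary under its own name falls back to argv[1], so "multicall true" behaves like "true". The comment on dispatch() carries the caveat a reviewer of any setuid multi-call binary would raise: argv[0] is chosen by whoever calls execve(), so it may select behaviour but must never stand in for an authorization check.

```c
/* Multi-call dispatch on argv[0], the "swiss army knife" trick described above.
 * Added illustration, not BusyBox source; the applet set, MULTICALL_NAME and
 * the exit status 127 for an unknown applet are assumptions of this example. */
#include <stdio.h>
#include <string.h>

typedef int (*applet_main_t)(int argc, char **argv);

/* Last path component of a name ("/usr/bin/true" -> "true"). Unlike
 * libgen's basename() this never modifies its argument. */
static const char *applet_name_from_path(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Three toy applets sharing one binary. */
static int true_main(int argc, char **argv)
{
    (void)argc; (void)argv;
    return 0;
}

static int false_main(int argc, char **argv)
{
    (void)argc; (void)argv;
    return 1;
}

static int basename_main(int argc, char **argv)
{
    if (argc < 2) {
        fputs("usage: basename PATH\n", stderr);
        return 1;
    }
    puts(applet_name_from_path(argv[1]));
    return 0;
}

/* The applet table: every symlink name installed for the binary maps here. */
static const struct applet {
    const char *name;
    applet_main_t entry;
} applets[] = {
    { "true",     true_main },
    { "false",    false_main },
    { "basename", basename_main },
};

static applet_main_t find_applet(const char *name)
{
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0)
            return applets[i].entry;
    return NULL;
}

/* Name under which the binary itself is installed (BusyBox uses "busybox";
 * "multicall" is this example's assumption). */
#define MULTICALL_NAME "multicall"

/* Choose the applet from argv[0]. When invoked under the binary's own name,
 * shift once so "multicall true" behaves like "true". Returns the applet's
 * exit status, or 127 for an unknown applet.
 *
 * Security note: argv[0] is whatever the caller of execve() chose to pass,
 * not a property of the file on disk. Using it to select behaviour, as here,
 * is fine; a setuid multi-call binary must never treat it as evidence of who
 * called it or of which applets the caller is allowed to reach. */
static int dispatch(int argc, char **argv)
{
    if (argc < 1 || argv[0] == NULL)
        return 127;
    const char *name = applet_name_from_path(argv[0]);
    if (strcmp(name, MULTICALL_NAME) == 0) {
        if (argc < 2)
            return 127;
        argc--;
        argv++;
        name = argv[0];
    }
    applet_main_t entry = find_applet(name);
    if (entry == NULL) {
        fprintf(stderr, "%s: applet not found\n", name);
        return 127;
    }
    return entry(argc, argv);
}

int main(int argc, char **argv)
{
    return dispatch(argc, argv);
}
```

Installed as /bin/multicall with "ln -s multicall /bin/true" and so on, the shell passes the name it was invoked by as argv[0], and the same file behaves as whichever applet the symlink is named for.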

A lot of BusyBox's appeal beyond the embedded world is simplicity. For example, the gnu coreutils version of cat.c is currently 772 lines of C code, while the busybox version is 40 lines of C code. Which one would you rather try to read through and understand, port to a new environment or audit for security holes?

BusyBox applets are smaller than other implementations because code size is the primary design goal. Many BusyBox applets are fresh implementations starting from the Single UNIX Specification version 3, with various GNU-compatible extensions added from the man pages as desired. Other applets have been derived from NetBSD or elsewhere, but we constantly rewrite and re-implement everything we feel we can make smaller, simpler, or less memory intensive. This means that existing applets can actually shrink over time. The project has also adopted the rule that any new feature that adds size has a configuration option to remove it at compile time.

Building BusyBox is fairly straightforward; the process has been modeled after the Linux kernel build method. The build process involves extracting the source, configuring with a Linux-style "make menuconfig" command, then running make and make install. Other make options include: "make defconfig" to enable all standard features, "make allnoconfig" to start with everything disabled, and "make oldconfig" for dealing with previously used .config files. From menuconfig, each applet is independently selectable. Many applets have sub-features that can be disabled to save space. Cross-compiling is regularly tested with targets set to popular embedded processors and the x86-64 platform.

Project History

BusyBox was started in 1996 by Debian's then-maintainer Bruce Perens, as part of the Debian boot/rescue floppy disk project. In 1999, Erik Andersen saw potential for BusyBox beyond the Debian boot disk, rewrote the project extensively, and over the next few years built an active development community around it. During this time Erik similarly rewrote and built a development community around uClibc. As embedded Linux grew in importance, both projects became more time consuming. After the BusyBox 1.00 release, Erik focused on uClibc (which is still pre-1.0) and handed off BusyBox maintainership to me. I am currently trying to take over the world with it.

Taking over the world involves making BusyBox a good choice for use in general purpose Linux servers and workstations as well as its traditional role in embedded systems. For example, our completely rewritten bunzip2 code is not only 1/10th the size of the standard implementation, but also 10% faster. Our udev replacement (mdev) is much easier to configure, and in some cases can be used without any configuration file at all. Our mount command was the first to autodetect attempts to mount image files, so specifying "-o loop" became optional. Space-constrained environments like bootable CDs or the One Laptop Per Child project could especially benefit from BusyBox.

The future goals of BusyBox include making the code even smaller, improving support for systems with no memory management unit, adding a test suite and adding the ability to make standalone versions of individual applets.

Comments (2 posted)

System Applications

Database Software

SQLite 3.3.6 released

Version 3.3.6 of SQLite, a C library that implements an SQL database engine, is out. "Changes include improved tolerance for windows virus scanners and faster :memory: databases. There are also fixes for several obscure bugs. Upgrade if you are having problems."

Comments (none posted)

LDAP Software

LAT 1.1.3 announced

Version 1.1.3 of LAT, the LDAP Administration Tool, is out. "This release is the 4th of the 1.1.x development cycle which will eventually become v1.2. If you need a stable release stick with the 1.0 branch."

Full Story (comments: none)

Mail Software

Apache SpamAssassin 3.0.6 is out

Version 3.0.6 of Apache SpamAssassin is available. "3.0.6 fixes a remote code execution vulnerability if spamd is run with the "--vpopmail" and "-P" options. If either/both of those options are not used, there is no vulnerability."

Full Story (comments: none)

Apache SpamAssassin 3.1.3 is out

Version 3.1.3 of Apache SpamAssassin has been announced. "3.1.3 fixes a remote code execution vulnerability if spamd is run with the "--vpopmail" and "-P" options. If either/both of those options are not used, there is no vulnerability. There was also a fix for the userstate directory and prefs file not being created." Before deciding how urgently to upgrade, check the command line of any running spamd (ps shows it) for that pair of options.

Full Story (comments: none)

Printing

Debugging SNMP Printer Detection Problems (CUPS)

The folks at the CUPS printing project have published a tutorial on debugging SNMP-related printing problems. "The new SNMP network printer detection functionality in CUPS 1.2 sometimes exposes problems in vendor SNMP or IPP implementations. If you are experiencing long delays in loading the CUPS web interface administration page, or if you don't see your printer listed, the following instructions will help you to diagnose those problems and/or provide important feedback to the CUPS developers so that we can correct problems and improve the SNMP backend in future releases."

Comments (none posted)

Web Site Development

mnoGoSearch 3.2.39 announced

Version 3.2.39 of mnoGoSearch, a web site search engine, is out. See the change history document for details.

Comments (none posted)

Plone 2.1.3 released

Version 2.1.3 of the Plone web development platform has been released. "Although they didn't manage to quite time to sync up with the Ubuntu Dapper Drake release ;-), it's very exciting to report the release of Plone 2.1.3, which bundles up four months of bug fixes, usability enhancements and performance tweaks."

Comments (none posted)

Desktop Applications

Audio Applications

Instability of Ardour 2.0 solved, 6 weeks of effort pays off!

A tough bug has been fixed in Ardour, a multi-track audio recording application. See the problem report for details. "Sometimes when you write a complex piece of software like Ardour you are faced with a series of high level, interesting and complex design questions. Unfortunately, it's also true that at other times you will be faced with problems that exist at the deepest levels of the software and are often trivial in their extent yet major in their impact. Such has recently been the case with Ardour 2.0, which would not run with any reasonable stability when built with recent versions of the GTK+ GUI toolkit. One Ardour developer (and user), Sampo Savolainen, spent more than 6 weeks debugging this, and just recently got to the bottom of the problem. The error was a single line of code in GTK itself, and manifested in Ardour only because we made a call to a function that was never actually needed."

Comments (none posted)

Data Visualization

Grace 5.1.20 released

Version 5.1.20 of Grace, a WYSIWYG 2D plotting tool for X11 and Motif, has been announced. Changes include a new SGN() function, changes to the tick spacing, and bug fixes.

Comments (none posted)

Desktop Environments

GNOME 2.14.2 Released (GnomeDesktop)

GNOME 2.14.2 has been announced. "This is the second release in a series of point releases for the 2.14 branch. Come and see all the bug fixing, all the new translations and all the updated documentation brought to you by the wonderful team of GNOME contributors! While development has started on the Gnome 2.15/2.16 road, work on the stable branch continues to make it even more solid."

Comments (none posted)

GARNOME 2.14.2 is out

Release 2.14.2 of GARNOME, the bleeding edge GNOME distribution, is out. "This release incorporates the GNOME 2.14.2 Desktop and Developer Platform, fine-tuned and updated with love by the GARNOME Team."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE 3.5.3 Released (KDE.News)

Version 3.5.3 of the K Desktop Environment (KDE) has been announced. "The KDE Project today announced the immediate availability of KDE 3.5.3, a maintenance release for the latest generation of the most advanced and powerful free desktop for GNU/Linux and other UNIXes. Unusually for a maintenance release, new features were implemented due to the long release cycle of the eagerly-awaited KDE 4. Stability and speed were also improved, along with increasingly complete translations in 65 languages." See the release announcement for more information.

Comments (2 posted)

KDE Commit-Digest (KDE.News)

The June 4, 2006 edition of the KDE Commit-Digest has been announced. The content summary says: "Kopete 0.12 is released after 10 months of development. Usability fixes in RSIBreak and experiments in amaroK. Common KOffice color management initiative - "pigment" - started. User interface optimisations in Adept package manager. KDE 4 changes: DCOP is finally removed from trunk/. The KDE 4 icon theme, Oxygen, is imported into KDE SVN."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Electronics

Covered 20060530 is out

Release 20060530 of Covered, a Verilog code coverage analysis utility, has been announced. Here are the changes: "Contains FSM state/arc coverage info in GUI. Contains assertion coverage info in GUI and ASCII output files. Contains GUI syntax highlighter. Allows multiple files to be merged with a single call to the merge command. Lots of bug fixes/enhancements/documentation updates."

Comments (none posted)

XCircuit 3.4.24 released

Stable version 3.4.24 of XCircuit, an electronic circuit drawing program, is available with build improvements.

Comments (none posted)

GUI Packages

OpenExposition 0.2.0 released

Version 0.2.0 of OpenExposition has been announced. "OpenExposition is a library aimed at automatic generation of user interfaces. The programmer only needs to specify what parts of the code need to be exposed to the user, and OpenExposition does the rest. Currently, OpenExposition allows access to variables (either directly or through a pair of set/get methods), and class methods. It can construct the user interface graphically (using either the multi-platform FLTK library or Cocoa on Mac OS X), programmatically (through Python), and aurally (using the speech synthesis and recognition capabilities on Mac OS X). The 0.2.0 release introduces a separation of C++ and Objective C files, so that C++ only environments don't have to deal with Objective-C++ .mm files. Also, the automatic GUI construction has been slightly improved."

Comments (none posted)

Imaging Applications

GIMP 2.3.9 Development Release (GnomeDesktop)

Development Release 2.3.9 of the GIMP has been announced. "GIMP 2.3.9 is the latest and hopefully one of the last development snapshots on the way to version 2.4 of the GNU Image Manipulation Program. The source code can be downloaded from ftp.gimp.org. There are quite a number of changes, all listed at developer.gimp.org."

Comments (none posted)

Interoperability

Wine 0.9.14 released

Version 0.9.14 of Wine has been announced. The list of changes includes: Better MS/RPC compatibility, Many fixes to Direct3D shaders, Several improvements to the header control and Lots of bug fixes.

Comments (none posted)

Wine Weekly Newsletter

Issue #315 of the Wine Weekly Newsletter has been published. Topics include: Summer of Code, Picasa, MacOS X Audio & Video Drivers, 1.0 Tasks, How Are We Doing?, WoW - Breakage, Updated Fedora Packages, and Shell Integration and RSS Feed.

Comments (none posted)

Office Suites

KOffice 2.0, The Vision (KDE.News)

KDE.News looks ahead to KOffice 2.0. "KOffice is working on its future, one based on KDE4. KOffice is starting new initiatives with libraries like Flake and Pigment that are going to be used for all KOffice applications. For the users of KOffice those changes are invisible until the 2.0 previews actually start to appear some months from now. Therefore the KOffice crew wants to show you their goals of what KOffice 2 is going to look like."

Comments (4 posted)

OpenOffice.org Newsletter

The May, 2006 edition of the OpenOffice.org Newsletter is online with the latest OO.o office suite articles and events.

Full Story (comments: none)

Miscellaneous

SeaMonkey 1.0.2, Firefox 1.5.0.4 and Thunderbird 1.5.0.4

New versions of SeaMonkey, Mozilla Firefox and Mozilla Thunderbird have been released with security and stability fixes. Here's the SeaMonkey announcement and release notes. Here's a look at the security issues fixed in Mozilla Firefox 1.5.0.4 and the release notes. Here is the security summary and release notes for Mozilla Thunderbird 1.5.0.4.

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The June 6, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

JSP

Working with the Google Web Toolkit (O'ReillyNet)

Robert Cooper looks at the Google Web Toolkit in an O'Reilly article. "GWT is, in essence, a JavaScript generator. The interesting thing is what this JavaScript is generated from: Java. GWT takes Java code written against a special API and converts it into browser-runnable Ajax code. If that weren't enough to make it cool, it also includes a test harness that will execute the Java code inline with a test browser, allowing you to step-through debug, profile and unit test your Ajax front end in your favorite IDE or at the command line."

Comments (2 posted)

Perl

FEAR-less Site Scraping (O'Reilly)

Yung-chung Lin uses Perl to automate the reading of web pages in an O'Reilly article. "Imagine that you have an assignment that you need to fetch all of the web pages of a given website, scrape data from them, and transfer the data to another place, such as a database or plain files. This is a common scenario for data scraping tasks, and CPAN has plenty of modules for this job. While I was developing site-scraping scripts, retrieving data from some sites of the same type, I realized that I had repeated many identical or very similar code structures..."

Comments (none posted)

PHP

PHP OpenID 1.1.0 released

Version 1.1.0 of the PHP OpenID library is out with bug fixes.

Full Story (comments: none)

PHP Standalone OpenID Server 1.0 announced

Initial release version 1.0 of the PHP Standalone OpenID Server is available. "This server uses the JanRain PHP OpenID library (version 1.1.0). The server supports admin-controlled and public account creation, Yadis discovery, and Simple Registration. MySQL is required."

Full Story (comments: none)

PHP Yadis 1.0.0 released

Version 1.0.0 of the PHP Yadis library is out with an XRDS-processing fix.

Full Story (comments: none)

Python

Dr. Dobb's Python-URL!

The June 7, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Ruby

Ruby Weekly News

The June 4th, 2006 edition of the Ruby Weekly News looks at the latest discussions on the ruby-talk mailing list.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The June 5, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Converting Between XML and JSON (O'Reilly)

Stefan Goessner discusses the conversion between XML and JSON (JavaScript Object Notation) in an O'Reilly article. "More and more web service providers seem to be interested in offering JSON APIs beneath their XML APIs. One considerable advantage of using a JSON API is its ability to provide cross-domain requests while bypassing the restrictive same domain policy of the XmlHttpRequest object. On the client-side, JSON comes with a native language-compliant data structure, with which it performs much better than corresponding DOM calls required for XML processing. Finally, transforming JSON structures to presentational data can be easily achieved with tools such as JSONT."

Comments (1 posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

OpenOffice.org virus debunked by experts (NewsForge)

NewsForge looks at claims that a macro virus could infect OpenOffice.org. "The next day, the OpenOffice.org home page posted an acknowledgement of the story, adding that the project was consulting with Kaspersky Lab about the virus. On June 2, OpenOffice.org issued a press release, downplaying the story. "This is a known risk with any capable macro language," the release explained, adding, "This 'proof of concept' virus is not new information, and does not require a software patch."" Here is the press release from OpenOffice.org.

Comments (33 posted)

The State of Linux 2006 (Tom's Hardware)

Tom's Hardware has published a "state of Linux" article. It is lengthy, but still on the superficial side. "In days gone by, the personification of Linux might have conjured up the image of a hotshot college kid full of half-baked ideas and sharp edges. But that college kid has now graduated into the business world, and unleashed his furious entrepreneurial spirit. Today, Linux has a sharper, more refined edge than before, and has branched out into private, public, enterprise and governmental sectors. Linux also spans all manner of hardware platforms, and serves an incredibly wide variety of purposes."

Comments (4 posted)

Trade Shows and Conferences

KDE 4 Multimedia Meeting exceeds expectations (NewsForge)

NewsForge covers the KDE 4 Multimedia Meeting. "KDE members associated with the desktop environment's major multimedia components and marketing efforts met last weekend in Achtmaal, The Netherlands, at the KDE 4 Multimedia Meeting (K4M, previously known as K3M). Attendees discussed goals for their projects and wrote a fair amount of code that promises exciting improvements in KDE 4's multimedia components. K4M attendees hailed from 15 countries and four continents. While open source software is often developed by individuals separated by thousands of miles who communicate through email and IRC, airfare and lodging expenses may be justified for short bursts of fantastically productive meetings such as this."

Comments (none posted)

Ploneability 06 Report

This report by Paul Everitt covers the 2006 Ploneability conference. "Romilly gave the talk of the day. She explained the motivation that led to the DCMS project and the way they approached the RFP and tender process. She then gave an insider's view of how the selection process worked, including a series of graphs showing the actual results of their grading criteria on various vendors and software packages. Romilly explained how open source was added to the list a bit late in the process and how it challenged the traditional ways to do a vendor selection. Romilly also described the features of "Enterprise Plone", the package that resulted from the Oxfam project. (Note: The Oxfam project can take some or all of the credit for CMFEditions, Kupu, LinguaPlone, CompositePack, and more.) This was a remarkable session. Very rarely do you get the honest scoop on the crucial details. The audience, I think, realized that they were getting wildly, wildly valuable information, and engaged in a serious discussion."

Comments (none posted)

Red Hat goes all out for developers (Linux-Watch)

Linux-Watch reports on the Red Hat Summit, and looks at the newly launched 108 site. "If you were looking for new products at Red Hat Inc.'s second annual Red Hat Summit, you came to the wrong place. But, if you were interested in bigger and better development tools, you came to the right place. Red Hat CEO Matthew Szulik introduced the company's new open-source developer community Web site, "108," in the show's morning meetings. This new site is intended to help open source developers share resources; build and fetch code; find and meet other developers, interact with them; and collaborate with them."

Comments (4 posted)

Day 2 keynotes at the Red Hat Summit (NewsForge)

NewsForge covers Eben Moglen's Red Hat Summit keynote address. "He began by bringing up some of the bogeymen falsely associated with free software by those whose business interests are threatened by it: politics and profits. Much of the rest of his talk skewered, refuted, or demolished those mythical memes. He mentioned the decor in the reception area at Red Hat, which he noticed during a visit there in 1999, not long after the company had gone public. He noted a plaque on the wall which read, "Every revolution begins as an idea in one man's mind.""

Comments (none posted)

Red Hat Summit sessions educate, stimulate (NewsForge)

Joe Barr reports on the Red Hat Summit. "My only real problem with this year's Red Hat Summit was trying to decide which talks to attend whenever I wasn't writing, eating, or partying. The problem wasn't finding sessions I was interested in, but deciding which one to attend when several appealing talks were happening at the same time. Here's a brief recap of what I learned in three of the 90 break-out sessions available to attendees."

Comments (none posted)

Companies

Lenovo backpedals on Linux (Linux-Watch)

Lenovo is the company that bought IBM's ThinkPad line. Linux-Watch takes a look at the company's waffling stance on Linux. "Last week, the world's #3 computer vendor, Lenovo, was saying "We will not have models available for Linux, and we do not have custom order, either. What you see is what you get. And at this point, it's Windows." Whoops! Now, Lenovo is going back as fast as it can on its "no Linux here" stance."

Comments (3 posted)

Novell shares fall on drop in Linux-products revenue (CentreDaily.com)

CentreDaily.com reports on a drop in Novell's stock price. "Novell Inc. stock plunged Thursday after the networking-software maker said second-quarter revenue from Linux products had slipped from the previous quarter. At midday, Novell shares dropped $1.35, or 17.5 percent, to $6.38 on the Nasdaq Stock Market. The amount of the revenue decline was not specified in a conference call held Wednesday after the financial markets closed. ``We're signing a lot of longer-term contracts where the revenue recognition gets pushed out,'' Chairman and Chief Executive Jack Messman said."

Comments (9 posted)

SanDisk goes after the iPod iPuppets (CNet)

Back in January, LWN predicted that manufacturers of digital audio players would eventually become interested in Rockbox. Now this CNet UK article suggests that the time has come. "SanDisk is reported to have quietly approached the open source developers behind Rockbox, a free operating system for MP3 players. The company is said to be interested in porting the Rockbox software to its e200 player.... Not only would a Rockbox port earn SanDisk credibility with grassroot geeks, but the software offers a number of appealing features, including support for nearly every codec going."

Comments (8 posted)

Red Hat completes JBoss acquisition (Linux-Watch)

Linux-Watch reports that Red Hat's acquisition of JBoss is final. "Starting immediately, JBoss has become a division of Red Hat. Customers will now have access to a single, "proven" global production support organization that can service both Red Hat and JBoss customers, in addition to procuring JBoss offerings through Red Hat's established global channels, according to Red Hat. [Red Hat Senior VP of Enterprise Solutions Timothy] Yeaton said that "JBoss will be an autonomous division. There will be no office closings and we're keeping the entire core JBoss team.""

Comments (none posted)

Legal

Death by DMCA (Spectrum)

IEEE Spectrum has an article on the costs of the DMCA and related legislation. There will be few surprises here for most LWN readers, but it is a good, comprehensive summary. "Now, in an even more vexing situation, U.S. entertainment companies are successfully spreading the copyright code changes established by the DMCA around the world. Laws similar to the DMCA now exist in Japan, Australia, and much of Europe. At least nine additional countries, including Chile, Guatemala, and Singapore, have also been pressured to enact DMCA-like laws as part of a devil's bargain with U.S. trade negotiators, who say the copyright change is necessary to secure free trade pacts with the United States that would govern all sorts of commerce. And in Europe, the body charged with defining the European digital television standards is mixing in content-protection obligations, responding yet again to pressure from major U.S. movie studios."

Comments (2 posted)

Denmark's Resolution on Open Standards (Groklaw)

Groklaw looks at Denmark's resolution on open standards. "Groklaw member elhaard sends us a bit more detail about the Danish resolution that passed yesterday. We put the story in News Picks. The motion is called "B 103" and all material about it (even Parliament transcripts) can be found at the Parliament's home page. It's only in Danish, though. So he helps us out again, translating the last publicly shown version of the resolution."

Comments (none posted)

Adobe yet to explain why no PDF in Microsoft Office (ITWire)

Here's an ITWire article on the strange removal of PDF support from Microsoft's Office product. "Adobe has reportedly demanded that Microsoft charge users for the PDF facility in Office 2007. Microsoft has refused and intends to offer the PDF facility as a separate free download. Meanwhile the word on the street is that Adobe is preparing to mount an antitrust case against Microsoft in Europe, where the software giant is unpopular with regulators. The whole episode appears to border on the ludicrous, given that Microsoft Office is compatible with the open source look-alike Open Office.org 2.0, which enables documents to be saved as PDF files." That which hits Office today may hit OpenOffice.org tomorrow.

Comments (43 posted)

Interviews

Gilles Caulier (People Behind KDE)

The People Behind KDE talks with Gilles Caulier. "How and when did you get involved in KDE? My first KDE contributions were French GUI translations from 2001 to 2002. I have translated Konqueror, KMail, KDevelop and K3b. KDE was the first graphical environment that I have used under Linux. Because I'm originally a win32 developer, I was immediately charmed by the KDE project's looks and goals." (Found on KDE.News)

Comments (none posted)

Jon 'maddog' Hall on FOSS in the developing world (NewsForge)

NewsForge interviews Jon 'maddog' Hall. "One way of getting the price of the OLPC down is through high-volume manufacturing. This is why Mr. Negroponte wants to have millions of these laptops committed. I would guess that most of these would be manufactured in Taiwan or China, not in South Africa. Therefore, millions of rand (dollars, dinar, yen) will flow into China, not stay in South Africa. On the other hand, there are lots of computers being upgraded by banks and companies. They will be "throwing out" good system boxes that would run Linux perfectly fine, and which could be donated to a local charity. By gathering these boxes up, pulling their components apart, reconfiguring them, installing Linux on them, and selling them for $100 -- or even $50 -- you could give a person a good job."

Comments (5 posted)

Interview: Mark Shuttleworth (451 Group)

The 451 Group (an analyst operation) has published part 2 of an interview with Ubuntu founder Mark Shuttleworth. "Ubuntu is in my mind the emergence of a second generation of Linux platform or Linux distribution. [It's] built not on the idea that Linux should look like proprietary software, but that Linux should really deliver what free software can deliver. I should put that slightly differently: Ubuntu aims to deliver the real promise of free software, and that spans a number of different areas. First, we believe that the software should be highly functional and reliable, because we do believe that free software has a potential to be better quality software, that the processes that actually produce the software results in software that is better understood, better scrutinized, better tested, and so on. So we try to integrate all those processes into Ubuntu itself."

Comments (2 posted)

Daniel Silverstone (Behind Ubuntu)

Behind Ubuntu interviews Canonical programmer Daniel Silverstone. "What are your plans for Edgy? I'll be back on the Launchpad team working on various features for Launchpad to make the developers of Ubuntu have an even better time of it. We have Personal Package Archives in the pipeline -- those will allow people to have their own small apt-get/synaptic compatible archives served by, and built by, Launchpad. And we have many and various other things to work on, including the much vaunted derivative distributions support. Life will be exciting for distro developers in the dapper+1 cycle. With a shortened development cycle the extra tools we can provide for them will be all the more important."

Comments (none posted)

Resources

GNU grep's new features (Linux.com)

Michael Stutz investigates some new features added to the GNU grep utility. "If you haven't been paying attention to GNU grep recently, you should be happily surprised by some of the new features and options that have come about with the 2.5 series. They bring it functionality you can't get anywhere else -- including the ability to output only matched patterns (not lines), color output, and new file and directory options."

Comments (41 posted)

Manage Apache Download Speed And Traffic Limits With mod_cband (HowtoForge)

Falko Timme shows how to throttle Apache2 bandwidth with mod_cband in a HowtoForge article. "In this tutorial I will describe how to install and configure mod_cband on an Apache2 web server. mod_cband is an Apache 2 module which provides bandwidth quota and throttling. It solves the problem of limiting users' and virtualhosts' bandwidth usage. The current version can set virtualhosts' and users' bandwidth quotas, maximal download speed, requests-per-second speed and the maximal number of simultaneous IP connections."

Comments (2 posted)

Management Guidelines on Migrating to Open Source/OpenData Standards Software, by Carlo Daffara (Groklaw)

Groklaw presents Guidelines on Migrating to Open Source/Open Data Standards Software by Carlo Daffara. "The main drive for a successful migration to Open Source and Open Data Standards software (OS/ODS) always starts with a clear assessment of the IT landscape, a clear vision of the needs and benefits of the transitions and continual support. The differences of OS development models and support may require a significant change in the way software and services are accounted for and procured, and in general a shift of responsibility from outside contractors to in-house personnel."

Comments (none posted)

How to suspend and hibernate a laptop under Linux (Linux.com)

Linux.com looks at suspend and hibernate on a Linux laptop. "Many people prefer working with laptops instead of desktops for the flexibility they offer. Some of them would also like to switch to a free and open source operating system like GNU/Linux and have their laptop do all the things that proprietary OSes offer, such as suspending their laptops. Several distributions try to make this work out of the box, but knowing what's under the hood always comes in handy, particularly when something goes wrong and needs fixing. Let's take a look at how to suspend and hibernate your laptop under Linux."

Comments (14 posted)

Reviews

GNU Radio Opens an Unseen World (Wired)

Wired looks at the GNU Radio project. "Building a general radio that can receive and transmit, and attaching it to a software system that can fill in the gaps of what we normally think of as radio, is kind of like the Enterprise's deflector dish: Give engineering 20 minutes and it can do anything the captain needs to move the plot along."

Comments (1 posted)

Discovering your network with Netdisco (Linux.com)

Linux.com takes a look at Netdisco. "Netdisco is built on open source packages such as Perl, various Perl modules, Net-SNMP, PostgreSQL, Mason, Apache, and mod_perl. One of its key components is the SNMP::Info Perl module, which Baker also wrote. See the project's requirements page for other modules Netdisco requires to run properly."

Comments (2 posted)

First look: Xara Xtreme LX (Linux.com)

Linux.com reviews Xara Xtreme LX. "In short, Xara LX's interface is highly contextual and sometimes unconventional. While few of its interface characteristics are unique, the combination of so many of them is. New users may find themselves scrambling at first, or resorting to the online help or company Web site more often than they are used to. But once they understand the basic logic -- and learn to pay attention to the status bar at the bottom of the window -- they will quickly find Xara LX's editing window both refreshingly uncluttered and outstandingly efficient."

Comments (1 posted)

Miscellaneous

Consortium brings open source database projects together (NewsForge)

NewsForge looks at the Open Source Database Consortium. "The OSDBC was formed at the first Open Source Database Conference (OpenDBCon) last year in Germany. According to Zak Greant, who was the lead organizer of OpenDBCon and who with Arjen Lenz of MySQL helped get the OSDBC off the ground, the idea behind the consortium is to share information between the various open source database projects that can help improve "the entire class of free software/open source database solutions.""

Comments (none posted)

New additions to Jeremy Allison's Low Point Archive

Three new articles have been added to the Samba project's collection of articles by Jeremy Allison. New titles include: "We are the champions...", "Unintelligent Design" and "Why we fight".

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Carrier Grade Debian

OSDL has sent out a press release stating that the Debian Project has registered its compliance with the Carrier Grade Linux specification. "The Debian CGL implementation is the first step in plans to build a telco-Debian custom distribution that will tout full CGL compliance with all primary requirements and the majority of roadmap items."

Full Story (comments: 3)

EFF: Appeals Court Corrects Dangerous Web Privacy Ruling

The Electronic Frontier Foundation has sent out a media release concerning a web privacy ruling. "San Francisco - The 11th Circuit Court of Appeals has corrected a dangerous lower court ruling that threatened Internet privacy. In doing so, it preserved the privacy of password-protected websites as well as the right to read public sites. The decision followed the arguments made in an amicus brief filed by the Electronic Frontier Foundation (EFF)."

Full Story (comments: none)

LPI Announces Haansoft Corporation as Korean Affiliate

The Linux Professional Institute has announced its new Korean Affiliate, Haansoft Corporation. "This initiative in Korea represents a key component of LPI's Regional Enablement Initiative in North East Asia. "We are delighted to welcome Haansoft to our worldwide team of Master Affiliates. They are the final cornerstone in our efforts to promote Linux professionalism within CJK (China, Japan, and Korea).""

Full Story (comments: none)

Commercial announcements

Autodesk announces Web Map Publishing Software

Autodesk, Inc. announced its Autodesk MapGuide Enterprise 2007 product. "Following its groundbreaking contribution to the open source community, Autodesk, Inc. today announced the commercial version of its open source web mapping platform, Autodesk MapGuide Enterprise 2007. This certified version features all of the benefits of the open source version, plus additional quality assurance, technical support, connectivity to additional data sources including Oracle and SQL Server, as well as integration of numerous third-party components."

Comments (none posted)

Digium Announces Major Upgrade to Asterisk Business Edition

Digium has announced Asterisk Business Edition B.1, the first major upgrade of its Asterisk Business Edition, the professional-grade version of Asterisk. "The upgraded release includes enhanced security and scalability provided by Ranch Network's Asterisk security code, speech recognition capabilities through the LumenVox Speech Engine, text-to-speech applications through the Cepstral Text-to-Speech System and a customized Linux distribution to simplify installation. Asterisk Business Edition B.1 will also feature built-in support for Intel Dialogic Products and Aculab Prosody X cards."

Full Story (comments: none)

Jive Software Announces Open-Source of Spark IM Client

Jive Software, Inc. has announced the release of its Spark IM Client application under the LGPL license. "Spark, based on the open IETF standard XMPP (Jabber) protocol, is a cross-platform, Java-based Client optimized for use with Jive Software's Open-Source XMPP Wildfire Server. With this announcement, all of the applications an organization needs for a complete EIM ("Enterprise Instant Messaging") system are available under Open-Source licensing terms from Jive Software."

Comments (none posted)

NetEqualizer Announces Business Relationship With CompUSA

APConnections, Inc. has announced a partnership with CompUSA, who will be selling their NetEqualizer appliance. "The NetEqualizer is a plug-and-play bandwidth control appliance that is flexible and scalable. NetEqualizer's unique technology differs significantly from other appliances. It uses "behavior shaping" which dynamically and automatically controls network flow for the best WAN Optimization. It is built on Linux and works with all operating systems."

Comments (none posted)

Novell's second quarter results

Novell has announced its second quarter financial results - a small profit. "During the second fiscal quarter 2006, Novell reported total Open Platform Solutions revenue of $57 million, which was up from $20 million in the year ago period. Total Open Platform Solutions included $46 million from sales of Open Enterprise Server (OES), up $38 million year-over-year, and $10 million of revenue from Linux Platform Products, up 20 percent year-over-year."

Comments (2 posted)

Red Hat launches "Mugshot"

Red Hat has launched a site called Mugshot; it is the company's attempt to get into the "social networking" sphere. It's invitation-only for now. Mugshot is said to be an entirely open source project, but the "download" link is currently missing. There is a FAQ and a developer site with a bit more information.

Comments (2 posted)

Sun Announces JBoss as Newest Member to NetBeans Partner Program

Sun Microsystems, Inc. has announced the latest member of its NetBeans Partner Program, JBoss. ""We are endorsing the NetBeans IDE because of JBoss and Sun's mutual dedication to simplifying development of standards-based Java EE applications. We will work closely with the NetBeans team to develop a plug-in for the NetBeans IDE that provides developers with the tools for doing development with JBoss Application Server. NetBeans has great momentum in the market because it consistently delivers innovative solutions to enhance developer productivity," said Marc Fleury, founder and President of JBoss, Inc."

Comments (none posted)

TI Announces DaVinci(TM) Technology Development Kit

Texas Instruments Incorporated has announced its new video software development kit. "Continuing to streamline the creation of innovative digital video systems, Texas Instruments (NYSE: TXN) (TI) today announced a new digital video software development kit based on DaVinci technology. The new software development kit incorporates exceptional software integration and system visualization technology with a full Linux operating system to integrate and tune complex systems quickly and efficiently."

Comments (none posted)

Wind River adds support for AMD Opteron-Based Sun Blade Server

Wind River Systems, Inc. has announced its plans to support the Sun Microsystems Netra CP3020 Opteron processor ATCA blade server. "For customers who require a commercial-grade CGL solution on the industry's fastest, densest and most reliable blade server, Wind River is working on an optimized port of its Platform for Network Equipment, Linux Edition environment for Sun's Netra ATCA blade server and AMD Opteron processor-based Sun Netra blade systems."

Comments (none posted)

New Books

Enterprise JavaBeans 3.0 - New from O'Reilly

O'Reilly has published the book Enterprise JavaBeans 3.0, Fifth Edition by Bill Burke and Richard Monson-Haefel.

Full Story (comments: none)

No Starch Press releases "The Art of RAW Conversion"

No Starch Press has published the book The Art of RAW Conversion by Uwe Steinmueller and Jürgen Gulbins.

Full Story (comments: none)

Resources

Bridging the Digital Divide in Health: The Role of FOSS (LinuxMedNews)

LinuxMedNews mentions the availability of a presentation on open-source health software. "According to Molly Cheah on the openhealth list Dr. Joan Dzenowagis has a presentation entitled Bridging the Digital Divide in Health The Role of Free and Open Source Software: "Dr. Joan Dzenowagis, is based at the World Health Organization, where she is Project Manager of the United Nations Health InterNetwork, led by WHO. This initiative is one of the four initiatives of the UN Millennium Action Plan launched by Secretary General Kofi Annan in September 2000."

Comments (none posted)

Linux Brochure Project (LBP) version 1.3.0 released

Version 1.3.0 of the Linux Brochure Project is available. "LBP is a GPL'd Linux advocacy and publicity project which documents key Linux information in a standard-size brochure (two sides of a single letter- or A4-sized sheet of paper which is Z-folded into the six mini-pages of the brochure)." See the change log for details.

Full Story (comments: none)

Florian Mueller's software patent battle book downloadable

Florian Mueller has released his book No Lobbyists As Such - The War over Software Patents in the European Union under the Creative Commons noncommercial, no-derivatives license; it is available as a large PDF file. "On 377 pages, Mueller tells the story of the legislative process that ended in July last year with a landslide vote of the European Parliament against a proposal for a software patent directive."

Full Story (comments: none)

Linux Gazette #127

Linux Gazette has released the June 2006 edition of the newsletter, with articles on FVWM, Knoppix, amaroK, and much more.

Comments (none posted)

Event Reports

A summary of the LSB meeting

KDE hacker Aaron Seigo was at the recent Linux Standard Base meeting in Boston; he has written up and posted a summary of what happened there. "There was discussion of a common packaging API for "installanywhere"/"installshield" type apps to use. At first there was pushback from distros but by the end after open and frank discussion and Ian's graceful handling of things there seemed to be consensus that this was a possibility indeed. Still a long ways to go on it, but something ISVs are pushing for and something that, with enough flexibility, the OSVs agree they can probably provide. This is not to be a replacement for .deb or .rpm or apt-get/yum/etc but a way for OSVs to provide simple hooks to register files with the package management system in an OS-neutral way."

Full Story (comments: 1)

Samba eXPerience 2006 archive

The materials from the Samba eXPerience 2006 conference are available. "In our archive you will find impressions and information gathered at the samba eXPerience 2006: all talks as OGG audio files, slides from the conference as PDF, pictures in JPG format".

Comments (none posted)

Calls for Presentations

Akademy 2006 Call for Participation (KDE.News)

KDE.News has published a call for participation for the 2006 KDE World Summit (aKademy). "The aKademy 2006 conference team is calling for contributors to present their work and vision to the KDE community. This year's conference takes place at Trinity College, Dublin, Republic of Ireland, from September 23rd to September 30th. All presentations will be held during the "KDE Contributors Conference" event on September 23rd and 24th." Abstracts are due before Friday, June 30.

Comments (none posted)

The Firebird Conference 2006 CFP

A call for papers has gone out for the Firebird Conference 2006; submissions are due by July 31. "The fourth Firebird Worldwide Conference will take place at the Andels Hotel in Prague, Czech Republic from the 12th November 2006 until 14th November 2006. The Andels Hotel is a new 4-star hotel, which is located very close to downtown, just across the river."

Comments (none posted)

Upcoming Events

LinuxWorld UK 2006 announced

LinuxWorld 2006 UK will showcase the latest technology, debate the use of Open Source in business, touch on virtualisation and give advice on Linux-based mobile phones. LinuxWorld Conference & Expo will take place at Olympia 2, 25-26th October 2006.

Full Story (comments: none)

Events: June 8 - August 3, 2006

Date | Event | Location
June 13 - 14, 2006 | Where 2.0 Conference (Fairmont Hotel San Jose) | San Jose, CA
June 13 - 14, 2006 | Gartner Open Source Summit 2006 (Palau de Congressos de Catalunya) | Barcelona, Spain
June 14 - 16, 2006 | New York PHP Conference and Expo 2006 (New Yorker Hotel) | New York, NY
June 16 - 18, 2006 | Recon 2006 (Plaza Hotel Centre-Ville) | Montreal, Canada
June 18 - 23, 2006 | Ubuntu Developer Summit | Charles de Gaulle, Paris, France
June 19 - 22, 2006 | Collaborative Technologies Conference (Seaport Hotel) | Boston, MA
June 22 - 23, 2006 | 3rd International GPLv3 Conference | Barcelona, Spain
June 24 - 25, 2006 | Free and Open Source Conference (FrOSCon) (St. Augustin) | Bonn, Germany
June 24 - 30, 2006 | 2006 GNOME Users and Developers European Conference (GUADEC) | Catalonia, Spain
June 24 - 25, 2006 | PHP Vikinger | Skien, Norway
June 27 - 29, 2006 | Corporate Channel and Computing Expo (C3) (Jacob K. Javits Convention Center) | New York, NY
June 28 - 30, 2006 | GCC and GNU Toolchain Developers' Summit (Ottawa Congress Centre) | Ottawa, Canada
June 29 - July 2, 2006 | UKUUG Linux Technical Conference (University of Sussex) | Brighton, UK
June 30 - July 1, 2006 | WebTech 2006 (Kempinski Hotel Zografski) | Sofia, Bulgaria
July 3 - 4, 2006 | 3rd European Lisp Workshop | Nantes, France
July 3 - 5, 2006 | EuroPython 2006 (CERN) | Geneva, Switzerland
July 4 - 8, 2006 | 7th Libre Software Meeting (LSM) (Nancy 1 University) | Vandoeuvre-les-Nancy, France
July 5 - 8, 2006 | V Jornades de Programari Lliure | Barcelona, Spain
July 8 - 9, 2006 | PostgreSQL Anniversary Summit | Toronto, Canada
July 10 - 11, 2006 | Global db4o User Conference (dUC) (Imperial College, South Kensington) | London, UK
July 13 - 14, 2006 | Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) | Berlin, Germany
July 15 - 16, 2006 | Crystal Space Conference (University of Aachen) | Aachen, Germany
July 16 - 19, 2006 | 2nd International Symposium on Free/Open Source Software, Technologies and Content (FOSSTEC 2006) | Orlando, Florida, USA
July 19 - 22, 2006 | Ottawa Linux Symposium 2006 (OLS 2006) | Ottawa, Canada
July 22 - 23, 2006 | LugRadio Live (Wolverhampton University) | Wolverhampton, UK
July 24 - 28, 2006 | O'Reilly Open Source Convention (OSCON 2006) | Portland, Oregon
July 29 - August 3, 2006 | Black Hat USA 2006 Briefings and Training (Caesars Palace) | Las Vegas, NV

Comments (none posted)

Miscellaneous

Sun updates the DLJ FAQ

In response to questions which have come up, Sun has written a new version of the FAQ for the Distributor's License for Java. "Of course, if Sun clearly says in an FAQ that it's okay to do something (and we haven't made a blatant typographical error), we're not going to sue you -- even if one could make a clever legal argument that the license doesn't permit it. We believe in simplicity and transparency, and pledge to work diligently with the community to achieve those objectives." The language on shipping alternative Java implementations has been clarified as well.

Comments (28 posted)

Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds