Back at the beginning of 2005, Pervasive Software decided that there was
money to be made by selling support services for the PostgreSQL relational
database management system. It seems like a good idea; PostgreSQL is a
rock-solid system,
increasingly fast, offering a number of interesting features. It is
running in no end of production environments - including, it should be
said, on the LWN.net server. Free RDBMS systems look poised to create
trouble for their proprietary competition just like Linux made life
difficult for proprietary Unix systems. PostgreSQL is clearly around for
the long haul, and looks like a winning bet.
Not for Pervasive, however; the company has just published an open letter to the
PostgreSQL community stating that, while the company remains a big fan
of PostgreSQL, it is getting out of the PostgreSQL business.
The money, it seems, simply wasn't there. Pervasive is not the first to
come to this conclusion; a few years ago, a company called Great Bridge
failed with the same model, despite employing several high-profile
PostgreSQL developers. Red Hat still offers its version of PostgreSQL, but
the last posted news for that product is dated November, 2005, and the
product is not mentioned anywhere in Red Hat's last annual report.
PostgreSQL, it seems, is a hard business. According to Pervasive, the
problem is that the free support is just too good:
While we always knew that PostgreSQL is a solid product with
advanced database capabilities and that it has a very real
opportunity to shake up the high-end database market, we
underestimated the high level of quality support and expertise
already available within the PostgreSQL community. In this
environment, we found that the opportunity for Pervasive Software
to meaningfully increase adoption of PostgreSQL by providing an
alternative source for support and services was quite limited.
It is true that the PostgreSQL community is capable and helpful; any
company which wishes to offer something better than what the community
provides has a very high standard to meet. But there almost certainly has
to be more to it than that. MySQL AB has had a fair amount of commercial
success - something which companies working with PostgreSQL have not been
able to duplicate. One might guess that the
PostgreSQL community is more helpful than the MySQL community, and, as a
result, there is more commercial opportunity in the MySQL realm. This does
not seem like an idea that is likely to go very far. Something else is
happening.
Perhaps commercial PostgreSQL support is simply an idea whose time has not
come. Most PostgreSQL users may still be early adopters - people who are
willing and able to handle the support details themselves. The larger
market of users who are more interested in buying support services,
perhaps, has simply not developed yet. To the extent that this hypothesis
holds water, the companies which have tried to create a market in
PostgreSQL services have not done an adequate job of selling its merits to
potential customers. That would indicate that more work has to be done to
spread the word on what a good product PostgreSQL truly is; there needs to
be a serious brand-building effort.
There is another factor which should be taken into account here, however.
Much of MySQL AB's success does not come from support services; instead, it
comes from licensing. The MySQL code is licensed under the GPL, and the
copyrights are all held by MySQL AB; as a result, MySQL AB is able to offer
proprietary-style licenses to companies which wish to use MySQL, but which
do not wish to license their own products under the GPL. PostgreSQL,
instead, carries a BSD license and its copyrights are held by a number of
different groups. So there is no "GPL exception" business model possible
for PostgreSQL. Anybody wanting to use PostgreSQL in a proprietary product
can do so without asking permission (or buying licenses) from anybody.
What all this means is that anybody trying to build a business around
PostgreSQL must rely entirely upon services. They must convince potential
customers that PostgreSQL is good enough to merit consideration over any
number of proprietary alternatives, but not so good that these customers
can support it themselves. The latter part should be relatively easy -
there's still no end of customers who require support services before they
will consider deploying a system. But convincing companies to walk away
from their proprietary database vendors remains a hard sell. PostgreSQL,
along with a number of other free database management systems, is a
high-quality project. Eventually the commercial world will
understand that fact, just like it has slowly figured out that Linux is
worthy of its attention. But, until that time comes, making money from
PostgreSQL will be a challenging task.
Comments (30 posted)
The Free Software Foundation has released
a second draft of version 3 of
the GPL. This draft incorporates comments made in the first draft,
filtered, of course, by the FSF's goals. The resulting changes tweak some
terms, clarify others, and generally increase the international
applicability of the license. The fundamental nature of the license and
its goals has not changed, however, and quite a few people who disliked the
first draft will have reason to be displeased with this version as well.
Those interested in the details of the changes and why they were made may
want to look at the FSF's
rationale document [PDF].
The term which, perhaps, upset the most people was the anti-DRM provision
requiring recipients to be able to install and run modified versions
of the software. In particular, if GPLv3-licensed software is shipped on a
device which will only run binaries signed by a particular private key,
that key must be provided with the source code. The wording of this term
has changed in the second draft, but its intent has not. It now reads:
The Corresponding Source also includes any encryption or
authorization keys necessary to install and/or execute modified
versions from source code in the recommended or principal context
of use, such that they can implement all the same functionality in
the same range of circumstances. (For instance, if the work is a
DVD player and can play certain DVDs, it must be possible for
modified versions to play those DVDs. If the work communicates with
an online service, it must be possible for modified versions to
communicate with the same online service in the same way such that
the service cannot distinguish.)
The FSF, it seems, is serious about not allowing
GPLv3-licensed code to be used on locked-down systems.
The first draft included a term saying, in effect, that any covered
software was not an "effective technical measure" protecting access to
copyrighted work. That term was intended to block use of the DMCA to lock
down systems built with GPL-licensed code. That term has been reworded:
When you convey a covered work, you waive any legal power to forbid
circumvention of technical measures that include use of the covered
work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing the legal rights
of third parties against the work's users.
The new wording has the same intent, but it is intended to apply to
anti-circumvention laws in other countries (and the EU Copyright Directive
in particular).
A fundamental term is the one stating that anybody who distributes software
under the GPL, and who owns patents covering some of the techniques used by
that software, is giving the recipients the right to use those techniques.
The first draft expressed this term as an explicit grant of licenses to use
the relevant patents. The second draft, instead, requires anybody distributing
the software to accept a covenant not to assert their patents against users of
the software. The FSF has evidently written a separate opinion document -
not yet published - which describes the reasons for making this change.
The prohibition on distribution of "covered works that illegally
invade users' privacy" has been removed. Evidently, there was a
strong public reaction against this term, so it came out.
The language in the first draft which allowed charging up to ten times the
actual cost for source code distribution is gone. The GPLv2 language,
limiting charges to the "reasonable cost" of shipping the source, is back.
The second draft has added a new term stating that making the source
available for free download (for three years) is sufficient to satisfy the
source distribution requirements of the license. It has also been made
clear that redistribution of a program through a peer-to-peer client (as
happens automatically with a protocol like BitTorrent) does not require
accepting the license and taking on the source distribution requirements.
The language on additional terms has been changed somewhat. There is now
an explicit prohibition on terms regarding who pays attorney's fees,
choice-of-venue terms, arbitration clauses, etc. There is also a clause
saying that, if the software has been received with any disallowed
additional restrictions ("no commercial use" restrictions being given as an
example), the recipient may simply ignore those restrictions.
The first draft of version 3
of the Lesser GPL is also available. The new LGPL is much shorter and
simpler than its predecessor, mostly because it is expressed as a patch to
GPLv3. The intent of the LGPL has not changed much. There are
terms intended to make it possible to run a proprietary application with a
modified version of the LGPL-licensed library, however - including a
requirement that installation keys, if needed, be distributed with the
source.
By the FSF's schedule, the rest of the year will be dedicated to receiving
comments on the new draft of the GPLv3. The FSF has previously said that
it would like to adopt the final version of the new license in January,
2007, and there is no indication that this timeline has changed. There
will be another series of public meetings, with the next meeting happening in
Bangalore, India, on August 23 and 24. Anybody who has opinions
on the drafts, and who has not yet expressed them to the FSF, may want to
do so in the near future or forever hold their peace.
Comments (53 posted)
August 2, 2006
This article was contributed by Stacey Quandt
On July 24, 2006, AMD and ATI announced they will merge in order to
combine AMD's strength in microprocessor technology with ATI's
proficiency in graphics, chipsets and consumer electronics. The
transaction, valued at US $5.4 billion, is expected to close toward the end
of 2006, subject to approval by ATI shareholders, regulatory approvals and
other customary closing conditions. At first blush, the obvious
implications of the merger focus on the market pressure this combination
will place on Nvidia and Intel, and how it will enable AMD and ATI to
accelerate innovation in the commercial, consumer electronics and mobile
computing segments.
In the near term, the merger enables the companies to create an
integrated graphics business and deliver core logic chipsets to compete
with Intel in the consumer market. In the long-term, the combined company
should be well positioned to develop
coprocessor-based media and physics acceleration technologies which will enable
advances in chips beyond today's cores.
If viewed from an open source perspective, some additional questions surface:
1) Will AMD, which has cultivated a strong relationship with the Linux
community, work with ATI to release open source drivers - including
supporting suspend/resume on laptops?; and 2) How will a combined AMD and
ATI influence the growth of the Linux desktop and handheld market?
There will probably be no comments from the companies until after the sale has closed. But
the potential benefits to the open source community resulting from a combined AMD
and ATI are intriguing. In this context, it is worth remembering that
Intel - AMD's primary competitor - has been working to provide free
Linux drivers for its video chipsets.
It would be absurd to believe that open source
graphics drivers and advances in Linux laptops and handheld devices are
the motivation behind this merger. But the opportunity for AMD to prosper in the Linux market
from embedded systems to servers, coupled with AMD's long-term goal of
beating Intel to market, makes the release of open source drivers
possible as a tactical outcome of a larger strategic vision. Any
augmentation of AMD's Linux and open source strategies will most likely
be revealed subsequent to the merger, so look for possible changes in
early 2007.
Comments (12 posted)
Page editor: Jonathan Corbet
Security
We recently posted a brief item about an Apache vulnerability which has the
potential to be remotely exploitable. A number of distributors have
responded to this vulnerability with the appropriate updates, but there is
no update for Red Hat Enterprise Linux. Thanks to a helpful comment, we know
that this is not a case of Red Hat letting its customers down; instead,
RHEL is simply not vulnerable to this particular bug. Since there is no
need for an update, none has been issued.
In this case, RHEL users can get information about this (non-)
vulnerability from the Red Hat knowledge
base - as long as they don't mind the disclaimer that "Red Hat
makes no express or implied claims to its validity." In general,
however, it remains difficult for users of any distribution to determine
whether their installed systems are exposed to any specific vulnerability.
The release of an update generally provides a positive answer, but, until
that update comes out, users do not know for sure. Linux distributors
would do well for their users by providing this information in an
easily-found location.
As it happens, there are a couple of distributions which do make some
information available:
- Fedora maintains a
list of CVE numbers, along with comments on whether the
distribution is vulnerable or not. It fails the "easily found" test,
however: the list is maintained as a text file in a CVS repository,
and one must go into the CVS web interface to see it. But, once one
knows about the file, it is easy to pull it up and get information on
specific problems. For the Apache problem, Fedora was indeed
vulnerable, and the problem was fixed via a backport.
- Some time back, LWN received a somewhat indignant message to the
effect that we should have looked up a vulnerability in the Debian Security Bug Tracker.
There is a lot of good information there on specific vulnerabilities;
the CVE-2006-3747
page (for the same Apache vulnerability) notes that stable has
been fixed, but that testing and unstable are vulnerable.
This tracker also fails the "easily found" test: it is not hosted
under a debian.org domain, and there is no mention of it on the Debian security
information or security FAQ
pages. A determined user can find a non-vulnerabilities
page which has some useful information, but it does not have the full
story.
Most of the time, Linux distributors do a high-quality job of tracking and
responding to vulnerabilities. It is rare that users of a high-profile
distribution remain without updates for serious vulnerabilities for any
serious period of time. They could help their users a bit more, however,
if they were to make more of their tracking information available. More
visibility into the system will increase confidence that problems are being
addressed - especially in cases where a distribution is not vulnerable and
the problem does not exist in the first place.
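As an added illustration of the kind of lookup this article is asking distributors to make easy (this is not code from LWN, Fedora or Debian), the following Python script parses a small, constructed CVE status list and answers whether an installed package version is still exposed. The list format, the package names, the version strings and the statuses are invented for the example; the version comparison is a simplified numeric/alphabetic chunk comparison, not a full rpmvercmp or dpkg implementation.

```python
"""Answer "is this package exposed to CVE X?" from a distribution-style
status list.  Added example; the list format, package names, version
strings and statuses below are constructed, not real tracking data."""
import re

# Constructed status list: one line per (CVE, package), with the fixed-in
# version or "-" when there is none.  "not-vulnerable" records that the
# shipped code never contained the bug, which is exactly the case the
# article wants distributors to publish.
STATUS_LIST = """\
# CVE             package    status          fixed-in
CVE-2006-3747     httpd      fixed           2.0.54-10.3
CVE-2006-3747     apache     not-vulnerable  -
CVE-2006-3581     audacious  fixed           1.1.0-1
CVE-2006-2742     drupal     open            -
"""


def parse_status_list(text):
    """Map (cve, package) -> (status, fixed_in_version_or_None)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cve, pkg, status, fixed = line.split()
        entries[(cve, pkg)] = (status, None if fixed == "-" else fixed)
    return entries


def version_key(version):
    """Split a version into chunks so numeric runs compare numerically and
    alphabetic runs lexically (simplified rpmvercmp; pre-release tags such
    as 'beta' get none of the special handling real package managers apply)."""
    chunks = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(c)) if c.isdigit() else (1, c) for c in chunks]


def exposure(entries, cve, pkg, installed_version):
    """Return 'not-vulnerable', 'fixed', 'vulnerable' or 'unknown' for the
    installed version of pkg with respect to cve."""
    if (cve, pkg) not in entries:
        return "unknown"          # no tracking data: cannot say either way
    status, fixed_in = entries[(cve, pkg)]
    if status == "not-vulnerable":
        return "not-vulnerable"
    if (status == "fixed" and fixed_in is not None
            and version_key(installed_version) >= version_key(fixed_in)):
        return "fixed"
    return "vulnerable"           # open, or installed version predates the fix


ENTRIES = parse_status_list(STATUS_LIST)

if __name__ == "__main__":
    for pkg, ver in [("httpd", "2.0.54-10.2"), ("httpd", "2.0.54-10.3"),
                     ("apache", "1.3.34")]:
        print(pkg, ver, exposure(ENTRIES, "CVE-2006-3747", pkg, ver))
```

The 'unknown' answer is deliberate: the article's complaint is precisely that without published tracking data a user cannot distinguish "not vulnerable" from "nobody has said yet", and a tool should not paper over that gap.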
Comments (4 posted)
New vulnerabilities
apache: off-by-one buffer overflow
| Package(s): | apache apache2 httpd |
| CVE #(s): | CVE-2006-3747 |
| Created: | July 28, 2006 |
| Updated: | August 2, 2006 |
| Description: | Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module's ldap scheme handling. On systems which activate "RewriteEngine on", a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified). "RewriteEngine on" is disabled by default. Systems which have this directive disabled are not affected at all. |
| Alerts: | |
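The entry above turns on whether "RewriteEngine on" is set anywhere in the server configuration. The Python below is an added example, not code from the advisory or from the Apache project: it walks a constructed httpd.conf fragment, skips comment lines, tracks <VirtualHost>/<Directory> containers and reports every context in which the directive is enabled. It deliberately does not follow Include directives, so included files must be checked separately.

```python
"""Report every configuration context where mod_rewrite is switched on.
Added example, not from the Apache project; the httpd.conf fragment is
constructed for illustration."""
import re

SAMPLE_CONF = """\
# Constructed httpd.conf fragment, not taken from any real server
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine off
<VirtualHost *:80>
    ServerName www.example.test
    # RewriteEngine on   (commented out: must be ignored)
    RewriteEngine On
    RewriteRule ^/old/(.*)$ /new/$1 [R]
</VirtualHost>
<VirtualHost *:8080>
    ServerName intranet.example.test
</VirtualHost>
<Directory /srv/www/app>
    rewriteengine ON
</Directory>
"""

CONTAINER_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CONTAINER_CLOSE = re.compile(r"^</(\w+)>$")
DIRECTIVE = re.compile(r"^(\w+)\s+(.*)$")


def rewrite_engine_contexts(conf_text):
    """Return [(context, enabled), ...] for each RewriteEngine directive,
    with context naming the innermost <VirtualHost>/<Directory>/... block
    or 'global' at top level.  Directive names and the on/off argument are
    case-insensitive, as in Apache.  Include directives are not followed."""
    stack, results = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        if CONTAINER_CLOSE.match(line):
            stack.pop()
            continue
        m = CONTAINER_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() == "rewriteengine":
            enabled = m.group(2).strip().lower() == "on"
            results.append((stack[-1] if stack else "global", enabled))
    return results


def exposed_contexts(conf_text):
    """Contexts in which the advisory's precondition ('RewriteEngine on') holds."""
    return [ctx for ctx, on in rewrite_engine_contexts(conf_text) if on]


if __name__ == "__main__":
    for ctx in exposed_contexts(SAMPLE_CONF):
        print("RewriteEngine on in:", ctx)
```

The global "RewriteEngine off" is reported as well, so that a reader can see it does not cancel the per-container settings below it; only the contexts listed by exposed_contexts() meet the advisory's precondition.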
Comments (3 posted)
audacious: buffer overflow
| Package(s): | audacious |
| CVE #(s): | CVE-2006-3581, CVE-2006-3582 |
| Created: | August 2, 2006 |
| Updated: | September 13, 2006 |
| Description: | Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. |
| Alerts: | |
Comments (none posted)
drupal: arbitrary file execution
| Package(s): | drupal |
| CVE #(s): | CVE-2006-2742, CVE-2006-2743, CVE-2006-2831, CVE-2006-2832, CVE-2006-2833 |
| Created: | July 27, 2006 |
| Updated: | August 2, 2006 |
| Description: | The Drupal web platform has a number of remotely exploitable vulnerabilities including: an SQL injection vulnerability in the "count" and "from" variables of the database interface; incorrect file extension handling in an Apache/mod_mime environment; a cross-site scripting vulnerability in the upload module; and a cross-site scripting vulnerability in the taxonomy module. |
| Alerts: | |
Comments (none posted)
freeciv: denial of service
| Package(s): | freeciv |
| CVE #(s): | CVE-2006-3913 |
| Created: | August 1, 2006 |
| Updated: | August 4, 2006 |
| Description: | A buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN from July 15, 2006 and earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) negative chunk_length or a (2) large chunk->offset value in a PACKET_PLAYER_ATTRIBUTE_CHUNK packet in the generic_handle_player_attribute_chunk function in common/packets.c, and (3) a large packet->length value in the handle_unit_orders function in server/unithand.c. |
| Alerts: | |
Comments (none posted)
heartbeat: permission error
| Package(s): | heartbeat |
| CVE #(s): | CVE-2006-3815 |
| Created: | July 28, 2006 |
| Updated: | August 15, 2006 |
| Description: | Yan Rong Ge discovered that wrong permissions on a shared memory page in heartbeat, the subsystem for High-Availability Linux, could be exploited by a local attacker to cause a denial of service. |
| Alerts: | |
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel-source-2.6.8 |
| CVE #(s): | CVE-2006-3626 |
| Created: | July 27, 2006 |
| Updated: | August 23, 2006 |
| Description: | The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures. |
| Alerts: | |
Comments (1 posted)
libtiff: buffer overflows
Comments (none posted)
mantis: cross-site scripting
Comments (none posted)
mozilla: multiple vulnerabilities
Comments (none posted)
osiris: format string vulnerability
| Package(s): | osiris |
| CVE #(s): | CVE-2006-3120 |
| Created: | July 28, 2006 |
| Updated: | August 3, 2006 |
| Description: | Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code. |
| Alerts: | |
Comments (none posted)
sitebar: missing input validation
| Package(s): | sitebar |
| CVE #(s): | CVE-2006-3320 |
| Created: | August 1, 2006 |
| Updated: | August 2, 2006 |
| Description: | A cross-site scripting vulnerability has been discovered in sitebar, a web based bookmark manager written in PHP, which allows remote attackers to inject arbitrary web script or HTML. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
asterisk: buffer overflow
| Package(s): | asterisk |
| CVE #(s): | CVE-2006-2898 |
| Created: | June 15, 2006 |
| Updated: | July 27, 2006 |
| Description: | The Asterisk PBX application has a buffer overflow vulnerability in the IAX2 channel driver that can be used for the remote execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2006-2362 |
| Created: | May 27, 2006 |
| Updated: | August 29, 2006 |
| Description: | GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
| Alerts: | |
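A salt defect like the one above is visible in the password file itself: hashes with an empty salt, or several accounts carrying the same salt, both of which let a single guess be tested against more than one account. The Python below is an added example (not BusyBox code) that audits constructed /etc/shadow-style lines for both symptoms; the account names are made up and the hash strings are placeholders in the crypt(3) layout, not real digests.

```python
"""Audit /etc/shadow-style entries for missing or shared salts.
Added example, not BusyBox code; all lines below are constructed and the
hash strings are placeholders, not real digests."""
import re
from collections import Counter

# Constructed shadow lines.  Field 2 is the password hash: "$id$salt$hash"
# for the MD5/SHA crypt families, or a 13-character traditional DES hash
# whose first two characters are the salt.  '*' marks a locked account.
SAMPLE_SHADOW = """\
root:$1$Xq9fL2bT$abcdefghijklmnopqrstuv:13350:0:99999:7:::
alice:$1$Xq9fL2bT$0123456789abcdefghijkl:13350:0:99999:7:::
bob:$1$$zzzzzzzzzzzzzzzzzzzzzz:13350:0:99999:7:::
carol:ab1234567890x:13350:0:99999:7:::
dave:$1$pQ7r2nLm$mnopqrstuvwxyz0123456789:13350:0:99999:7:::
erin:*:13350:0:99999:7:::
"""

MODULAR = re.compile(r"^\$(\w+)\$([^$]*)\$")


def extract_salt(hash_field):
    """Return the salt of a crypt(3) hash, '' if the hash carries none,
    or None for locked/disabled entries such as '*' or '!'."""
    if not hash_field or hash_field[0] in "*!":
        return None
    m = MODULAR.match(hash_field)
    if m:
        return m.group(2)
    if len(hash_field) == 13:          # traditional DES: two-character salt
        return hash_field[:2]
    return ""                          # unrecognised layout: treat as unsalted


def audit_salts(shadow_text):
    """Map user -> finding for accounts whose hash has an empty salt or
    shares its salt with another account.  Locked accounts are skipped."""
    salts = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":", 2)[:2]
        salt = extract_salt(hash_field)
        if salt is not None:
            salts[user] = salt
    counts = Counter(salts.values())
    findings = {}
    for user, salt in salts.items():
        if salt == "":
            findings[user] = "empty salt"
        elif counts[salt] > 1:
            findings[user] = "salt shared with another account"
    return findings


if __name__ == "__main__":
    for user, finding in sorted(audit_salts(SAMPLE_SHADOW).items()):
        print(f"{user}: {finding}")
```

Accounts flagged this way should simply have their passwords reset with a fixed passwd, which regenerates the hash with a fresh random salt.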
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
courier: denial of service
| Package(s): | courier |
| CVE #(s): | CVE-2006-2659 |
| Created: | June 9, 2006 |
| Updated: | August 4, 2006 |
| Description: | A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character caused Courier to hang in an endless loop, rendering the service unusable. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: | |
Comments (1 posted)
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 19, 2009 |
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. |
| Alerts: | |
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
fbi: incorrect filtering
| Package(s): | fbi |
| CVE #(s): | CVE-2006-3119 |
| Created: | July 24, 2006 |
| Updated: | August 24, 2006 |
| Description: | Toth Andras discovered that the fbgs framebuffer postscript/PDF viewer contains a typo, which prevents the intended filter against malicious postscript commands from working correctly. This might lead to the deletion of user data when displaying a postscript file. |
| Alerts: | |
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | June 1, 2010 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
| Alerts: | |
Comments (1 posted)
gimp: arbitrary code execution
| Package(s): | gimp |
| CVE #(s): | CVE-2006-3404 |
| Created: | July 10, 2006 |
| Updated: | July 27, 2006 |
| Description: | Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
gnupg: remote denial of service
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-3082 |
| Created: | June 21, 2006 |
| Updated: | July 28, 2006 |
| Description: | A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length. |
| Alerts: | |
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
hiki: denial of service
| Package(s): | hiki |
| CVE #(s): | CVE-2006-3379 |
| Created: | July 24, 2006 |
| Updated: | July 26, 2006 |
| Description: | Akira Tanaka discovered a vulnerability in Hiki Wiki, a Wiki engine written in Ruby, that allows remote attackers to cause a denial of service via high CPU consumption by performing a diff between large and specially crafted Wiki pages. |
| Alerts: | |
Comments (none posted)
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdebase: privilege escalation
| Package(s): | kdebase |
| CVE #(s): | CVE-2006-2449 |
| Created: | June 15, 2006 |
| Updated: | August 28, 2006 |
| Description: | The KDE Display Manager (KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information. |
| Alerts: | |
Comments (none posted)
kdelibs: denial of service
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-3672 |
| Created: | July 21, 2006 |
| Updated: | July 26, 2006 |
| Description: | KDE Konqueror 3.5.1 and earlier allows remote attackers to cause a denial of service (application crash) by calling the replaceChild method on a DOM object, which triggers a null dereference, as demonstrated by calling document.replaceChild with a 0 (zero) argument. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kernel: privilege escalation
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2451 |
| Created: | July 7, 2006 |
| Updated: | July 26, 2006 |
| Description: | The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege escalation vulnerability that is related to the handling of core dumps. Local users can create a program that can core dump to a directory that the user does not have permission to write to. This can be exploited for a disk-consumption denial of service attack, or the unauthorized gaining of root privileges. |
| Alerts: | |
Comments (2 posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2445, CVE-2006-2448, CVE-2006-3085 |
| Created: | June 23, 2006 |
| Updated: | August 11, 2006 |
| Description: | There is a race condition error in the "posix-cpu-timers.c" file that does not prevent another CPU from attaching the timer to an exiting process. This could be exploited by attackers to cause a denial of service. A flaw due to errors in "powerpc/kernel/signal_32.c" and "powerpc/kernel/signal_32.c" could allow userspace to provoke a machine check on 32-bit kernels. An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers to exhaust all available memory resources, creating a denial of service condition. |
| Alerts: | |
Comments (none posted)
libdumb: arbitrary code execution
Package(s): libdumb
CVE #(s): CVE-2006-3668
Created: July 24, 2006
Updated: August 9, 2006
Description:
Luigi Auriemma discovered that DUMB, a tracker music library, performs
insufficient sanitizing of values parsed from IT music files, which might
lead to a buffer overflow and execution of arbitrary code if manipulated
files are read.
Comments (none posted)
libgadu: memory alignment bug
Package(s): libgadu
CVE #(s): CAN-2005-2370
Created: July 29, 2005
Updated: June 25, 2007
Description:
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu client, an instant
messaging program), which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others, e.g. Sparc, it can lead to a bus error,
in other words a denial of service.
Comments (none posted)
libgd2: denial of service
Package(s): libgd2
CVE #(s): CVE-2006-2906
Created: June 14, 2006
Updated: January 16, 2007
Description:
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Comments (none posted)
libmms: buffer overflows
Package(s): libmms
CVE #(s): CVE-2006-2200
Created: July 6, 2006
Updated: December 25, 2006
Description:
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program.
Comments (none posted)
Net::Server: format string vulnerability
Package(s): libnet-server-perl per-net-server
CVE #(s): CVE-2005-1127
Created: July 24, 2006
Updated: August 11, 2006
Description:
Peter Bieringer discovered that the Perl Net::Server module is vulnerable to a format string attack which may be exploitable by remote attackers. Among others, the "postgrey" utility is affected by this vulnerability.
Comments (none posted)
libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description:
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Comments (none posted)
libpng: buffer overflow
Package(s): libpng
CVE #(s): CVE-2006-3334
Created: July 19, 2006
Updated: December 15, 2008
Description:
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
Comments (none posted)
libpng: heap-based buffer overflow
Package(s): libpng
CVE #(s): CVE-2006-0481
Created: February 13, 2006
Updated: December 15, 2008
Description:
A heap-based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
Comments (1 posted)
libtiff: buffer overflow
Package(s): libtiff
CVE #(s): CVE-2006-2193
Created: June 15, 2006
Updated: September 1, 2008
Description:
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Comments (none posted)
libtunepimp: buffer overflows
Package(s): libtunepimp
CVE #(s): CVE-2006-3600
Created: July 13, 2006
Updated: August 2, 2006
Description:
The libtunepimp tag parser has multiple buffer overflow vulnerabilities.
If a user can be tricked into opening specially crafted tagged
multimedia files, arbitrary code can be executed with the user's
privileges.
Comments (none posted)
libwmf: integer overflow
Package(s): libwmf
CVE #(s): CVE-2006-3376
Created: July 13, 2006
Updated: November 6, 2006
Description:
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Comments (none posted)
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Comments (none posted)
lynx: arbitrary command execution
Package(s): lynx
CVE #(s): CVE-2005-2929
Created: November 14, 2005
Updated: September 14, 2009
Description:
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Comments (none posted)
mozilla products have multiple vulnerabilities
Comments (none posted)
mutt: IMAP namespace buffer overflow
Package(s): mutt
CVE #(s): CVE-2006-3242
Created: June 28, 2006
Updated: October 24, 2006
Description:
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If a user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information.
Comments (none posted)
mysql: format string bug
Package(s): mysql
CVE #(s): CVE-2006-3469
Created: July 21, 2006
Updated: July 30, 2008
Description:
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
Comments (none posted)
MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description:
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Comments (2 posted)
nbd: arbitrary code execution
Package(s): nbd
CVE #(s): CVE-2005-3534
Created: January 6, 2006
Updated: March 7, 2011
Description:
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
Comments (none posted)
ntp: uses wrong gid
Package(s): ntp
CVE #(s): CAN-2005-2496
Created: August 26, 2005
Updated: August 11, 2006
Description:
When xntpd is started with the -u option and the group is specified
as a name rather than a numeric gid, the daemon uses the gid of the
user, not that of the group. This problem is now fixed by this update.
Comments (none posted)
openmotif: buffer overflows
Package(s): openmotif
CVE #(s): CVE-2005-3964
Created: December 29, 2005
Updated: July 27, 2006
Description:
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
Comments (none posted)
openoffice.org: several vulnerabilities
Package(s): openoffice.org
CVE #(s): CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
Created: June 30, 2006
Updated: January 4, 2007
Description:
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Comments (none posted)
php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2006-1990, CVE-2006-1991, CVE-2006-3017
Created: May 25, 2006
Updated: August 18, 2006
Description:
The php wordwrap() function is vulnerable to an integer overflow.
Attackers can submit long arguments to cause a heap-based buffer
overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function.
An attacker can use an out-of-bounds offset argument to cause a
memory access violation, causing a denial of service.
A bug in zend_hash_del() allowed attackers to prevent the unsetting of some variables.
Comments (none posted)
phpbb2: missing input sanitizing
Package(s): phpbb2
CVE #(s): CVE-2006-1896
Created: May 22, 2006
Updated: February 11, 2008
Description:
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
Comments (none posted)
phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537
Created: December 22, 2005
Updated: February 11, 2008
Description:
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
Package(s): phpmyadmin
CVE #(s): CVE-2005-4079, CVE-2005-3665
Created: December 12, 2005
Updated: November 20, 2006
Description:
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
Comments (none posted)
postgresql: SQL injection
Package(s): postgresql
CVE #(s): CVE-2006-2313, CVE-2006-2314
Created: May 24, 2006
Updated: June 6, 2007
Description:
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
Comments (1 posted)
ppp: privilege escalation
Package(s): ppp
CVE #(s): CVE-2006-2194
Created: July 6, 2006
Updated: August 14, 2006
Description:
Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.
Comments (none posted)
Py2Play: remote execution of arbitrary Python code
Package(s): Py2Play
CVE #(s): CAN-2005-2875
Created: September 19, 2005
Updated: September 6, 2006
Description:
Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Comments (none posted)
quake: buffer overflow
Package(s): quake3-bin
CVE #(s): CVE-2006-2236
Created: May 10, 2006
Updated: January 12, 2009
Description:
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Comments (none posted)
ruby: multiple vulnerabilities
Package(s): ruby
CVE #(s): CVE-2006-3694
Created: July 24, 2006
Updated: August 28, 2006
Description:
Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote
attackers to bypass "safe level" checks via unspecified vectors involving
the alias function and "directory operations".
Comments (none posted)
samba: memory exhaustion
Package(s): samba
CVE #(s): CVE-2006-3403
Created: July 11, 2006
Updated: July 26, 2006
Description:
The smbd daemon maintains internal data structures used to track active
connections to file and printer shares. In certain circumstances an
attacker may be able to continually increase the memory usage of an smbd
process by issuing a large number of share connection requests. This
defect affects all Samba configurations, according to this advisory.
Comments (none posted)
scorched3d: multiple vulnerabilities
Package(s): scorched3d
CVE #(s): (none assigned)
Created: November 15, 2005
Updated: August 11, 2006
Description:
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Comments (none posted)
sendmail: denial of service
Package(s): sendmail
CVE #(s): CVE-2006-1173
Created: June 15, 2006
Updated: November 1, 2006
Description:
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service.
Comments (none posted)
shadow-utils: mailbox creation vulnerability
Package(s): shadow-utils
CVE #(s): CVE-2006-1174
Created: May 25, 2006
Updated: June 12, 2007
Description:
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
Comments (none posted)
shiela: arbitrary code execution
Package(s): shiela
CVE #(s): CVE-2006-3633
Created: July 25, 2006
Updated: July 26, 2006
Description:
Brian Caswell discovered vulnerabilities in OSSP Shiela, a CVS repository
access control and logging extension. The vulnerabilities allow arbitrary
code execution during CVS file commits if a filename is specially crafted
to contain shell commands.
Comments (none posted)
sudo: vulnerability via scripts
Package(s): sudo
CVE #(s): CAN-2005-4158, CVE-2006-0151
Created: December 16, 2005
Updated: September 1, 2006
Description:
Perl and Python scripts run via Sudo can be subverted.
Comments (none posted)
texinfo: temporary file vulnerability
Package(s): texinfo
CVE #(s): CAN-2005-3011
Created: October 5, 2005
Updated: November 9, 2006
Description:
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Comments (none posted)
tin: buffer overflow
Package(s): tin
CVE #(s): CVE-2006-0804
Created: February 19, 2006
Updated: November 24, 2006
Description:
An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier
which can lead to a buffer overflow.
Comments (none posted)
unzip: long file name buffer overflow
Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description:
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
Comments (1 posted)
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description:
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c.
Comments (1 posted)
webmin: arbitrary file read
Package(s): webmin
CVE #(s): CVE-2006-3392
Created: July 19, 2006
Updated: August 7, 2006
Description:
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
function before decoding HTML, which allows remote attackers to read
arbitrary files.
Comments (none posted)
wireshark: multiple vulnerabilities
Comments (none posted)
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-2802
Created: June 9, 2006
Updated: September 29, 2006
Description:
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking a user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges.
Comments (none posted)
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-1664
Created: April 27, 2006
Updated: February 27, 2008
Description:
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
Comments (none posted)
xine-ui: format string vulnerabilities
Package(s): xine-ui
CVE #(s): CVE-2006-2230
Created: June 9, 2006
Updated: January 24, 2007
Description:
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service.
Comments (none posted)
X.Org: buffer overflow
Package(s): xorg-x11-server xorg-x11
CVE #(s): CVE-2006-1526
Created: May 3, 2006
Updated: January 10, 2007
Description:
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Comments (1 posted)
xpdf: denial of service
Package(s): xpdf kpdf
CVE #(s): CAN-2005-2097
Created: August 9, 2005
Updated: August 2, 2006
Description:
A flaw was discovered in Xpdf that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
Comments (none posted)
xpdf: integer overflows
Package(s): xpdf, poppler, cupsys, tetex-bin
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 5, 2006
Updated: November 30, 2006
Description:
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin.
Comments (none posted)
zope: privilege escalation
Package(s): zope
CVE #(s): CVE-2006-3458
Created: July 13, 2006
Updated: August 9, 2006
Description:
Zope versions 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 have a
privilege escalation vulnerability related to their failure to deactivate the
raw command. Remote users with privileges to edit zope pages with
RestructuredText can cause arbitrary files to become exposed.
Comments (1 posted)
Resources
SearchSecurity.com
compares the security patch response time across a number of popular
Linux distributions.
"So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues."
Comments (6 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.18-rc3,
released on July 29. The
patch rate is beginning to slow as this kernel stabilizes, so this prepatch
adds a number of fixes but not much else. The
long-format
changelog has the details.
Well over 100 fixes have been merged into the mainline repository since
-rc3 was released.
The current -mm tree is 2.6.18-rc2-mm1. Recent changes
to -mm include a big x86-64 update, an NFS update, and lots of fixes.
Comments (4 posted)
Kernel development news
I will, in fact, claim that the difference between a bad programmer
and a good one is whether he considers his code or his data
structures more important. Bad programmers worry about the
code. Good programmers worry about data structures and their
relationships.
-- Linus Torvalds
Comments (12 posted)
Marcelo Tosatti has
announced the
availability of the third 2.4.33 release candidate, containing a very small
number of patches. He has also announced that the 2.4 maintainership is
passing on to Willy Tarreau, who has been running the 2.4 "hotfix" patch
series for some time. Many thanks are due to Marcelo, who has maintained
the 2.4 kernel since 2.4.16.
Comments (2 posted)
Burning data to a CD or DVD is a complicated task, involving the use of a
wide range of SCSI commands. So, any application which burns discs must
have the ability to send special SCSI operations to the drive. Just before
the 2.6.8 kernel came out, however, the kernel developers decided that
applications should not be able to send just
any SCSI command. Some
of those commands could lead the drive to rewrite its firmware, catch fire,
or replace music tracks with recordings of Richard Stallman singing. In an
attempt to keep such undesirable things from happening, Linus
added a late patch which blocked
unprivileged users from using
any SCSI commands which do not appear in an
in-kernel whitelist.
It is almost certainly true that no user ever destroyed a CD drive with a
2.6.8 system. In fact, very few of them even wrote discs; the filtering at
that stage was so severe that unprivileged users could not do anything
useful at all. Subsequent updates made things better, however, and by
about 2.6.10 burning worked again for most users.
Not for all users, however. As Dave Jones recently noted on the linux-scsi list, the command
filtering still trips up some Plextor drives. The cdrecord utility tries
to send vendor-specific commands to those drives, but the kernel
filters them out. Everything then comes to a halt, and the user must retry
the operation as root to get the job done. Dave asked: might it be a good
idea to add a per-vendor exceptions capability to the filtering code?
The response which came back from a couple of block subsystem developers
was that the command filtering should simply be taken out altogether.
Evidently this topic had been discussed at the recent storage summit, and
the participants had agreed that this feature should be removed. James
Bottomley put it this way:
If we're going to allow users access to burn CDs, it's impossible
to police them with certainty as this case indicates. If we allow
vendor specific commands down, there are bound to be some that
format the drive or destroy the firmware...
So I think ripping the table out and acknowledging we have no
security is better than giving the illusion of having it.
There are a number of complaints about the filtering code. It is a way of
encoding policy in the kernel, which is generally frowned upon - even
though the policy, in this case, is really an attempt to enforce a
difference between access to a disc within a drive and access to the drive
itself. The command list will never be entirely correct; it seems that
some drives must receive the appropriate, vendor-specific incantations or
they will refuse to write discs. Some commands mean different things to
different types of devices; what's safe for a CD burner might be a
destructive operation on a different SCSI-like device. It also doesn't
help that there are, in fact, two different SCSI command filters in the
kernel (one in drivers/scsi/sg.c, the other in
block/scsi_ioctl.c) which implement different policies. For all of these
reasons, attendees at the storage summit apparently agreed to take the
filtering out.
There's just one little problem with this plan: Linus feels differently about filtering:
Put another way: you will remove that command filtering in
block/scsi_ioctl.c only in a kernel that I don't maintain, or by
disabling it in some way that is so hidden that I won't
notice. Because I'm not so stupid as to think that it's ok for
normal users to set driver passwords or rewrite the disk firmware
just because they have write permissions to the device. That's
pretty damn final.
This statement would appear to be pretty damn final. That does not mean
that the situation cannot be improved, however. The leading idea at the
moment would appear to be to allow a privileged user to make changes to the
command filter table. Distributions could then ship tools which detect
problematic devices and modify the filtering tables accordingly; the whole
thing could be transparently integrated with the hotplug functionality.
Jens Axboe has a
patch (originally from Peter Jones) which turns the filter list into a
per-device object, tweakable through sysfs, so each device could have its
own set of exceptions.
Just how this interface works may yet require some discussion to nail
down. But the configurable, per-device filter looks like the way forward.
It retains the filtering of dangerous commands while moving the policy
decisions to user space. Once the policy can be changed, distributors can
do the work to ensure that specific devices are well supported, or, if they
prefer, simply mark all commands as "allowed" and, for all practical
purposes, remove the filter altogether.
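To make the mechanism under discussion concrete, here is an added userspace model of an opcode whitelist with the per-device exception table that the article describes as the likely way forward. It is illustration written for this page, not the kernel's code from block/scsi_ioctl.c or drivers/scsi/sg.c: the SCSI opcode values are the standard ones, but the struct layout, the function names (scsi_cmd_allowed, device_allow, sample_device) and the contents of the default table are assumptions made for the example.

```c
/* Added example, not kernel code: a userspace model of the SCSI command
 * filtering described above, with the per-device exception table that the
 * article presents as the proposed way forward.  Opcode values are the
 * standard SCSI ones; the table contents, struct layout and function names
 * are assumptions made for this illustration, not the kernel's own API. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Standard SCSI opcodes used as sample inputs. */
#define TEST_UNIT_READY 0x00
#define INQUIRY         0x12
#define READ_10         0x28
#define WRITE_10        0x2a
#define WRITE_BUFFER    0x3b   /* firmware download on many drives */
#define VENDOR_SPECIFIC 0xc0   /* 0xc0-0xff are vendor-specific opcodes */

/* One bit per opcode: commands safe for anyone who can open the device node
 * for reading, and commands that additionally require write access. */
struct cmd_filter {
    uint8_t read_ok[32];
    uint8_t write_ok[32];
};

static void filter_set(uint8_t *bits, unsigned opcode)
{
    bits[opcode / 8] |= (uint8_t)(1u << (opcode % 8));
}

static bool filter_test(const uint8_t *bits, unsigned opcode)
{
    return (bits[opcode / 8] >> (opcode % 8)) & 1u;
}

/* Per-device object: the global table plus exceptions an administrator has
 * granted for this particular drive (the "tweakable through sysfs" idea). */
struct scsi_device {
    const char *name;
    struct cmd_filter global;
    struct cmd_filter exceptions;
};

/* Default policy, loosely modelled on the article's description: a few
 * harmless read-class commands, ordinary writes, and nothing that could
 * rewrite firmware.  The exact list is an assumption of this example. */
static void filter_init_defaults(struct cmd_filter *f)
{
    memset(f, 0, sizeof *f);
    filter_set(f->read_ok, TEST_UNIT_READY);
    filter_set(f->read_ok, INQUIRY);
    filter_set(f->read_ok, READ_10);
    filter_set(f->write_ok, WRITE_10);
}

static void device_init(struct scsi_device *dev, const char *name)
{
    dev->name = name;
    filter_init_defaults(&dev->global);
    memset(&dev->exceptions, 0, sizeof dev->exceptions);
}

/* Privileged, per-device grant: the alternative to ripping the table out. */
static void device_allow(struct scsi_device *dev, unsigned opcode, bool needs_write)
{
    filter_set(needs_write ? dev->exceptions.write_ok : dev->exceptions.read_ok, opcode);
}

/* Decide whether a caller may pass this opcode to the drive.  A privileged
 * caller (CAP_SYS_RAWIO in the kernel) bypasses the filter; everyone else
 * needs the opcode on the global or per-device list, and write-class
 * commands additionally require write access to the device node. */
bool scsi_cmd_allowed(const struct scsi_device *dev, unsigned opcode,
                      bool has_write_perm, bool privileged)
{
    if (opcode > 0xff)
        return false;
    if (privileged)
        return true;
    if (filter_test(dev->global.read_ok, opcode) ||
        filter_test(dev->exceptions.read_ok, opcode))
        return true;
    return has_write_perm &&
           (filter_test(dev->global.write_ok, opcode) ||
            filter_test(dev->exceptions.write_ok, opcode));
}

/* Constructed sample drive: default policy, optionally with the kind of
 * vendor-specific exception a distribution tool might add for a drive that
 * needs it (the Plextor case from the article). */
struct scsi_device *sample_device(bool with_exception)
{
    static struct scsi_device dev;
    device_init(&dev, "sr0 (constructed sample)");
    if (with_exception)
        device_allow(&dev, VENDOR_SPECIFIC, true);
    return &dev;
}
```

The point of the model is the split the article argues for: the decision of which commands are dangerous stays in the kernel table, while the exception list per device is the part that a privileged tool in user space can change. WRITE BUFFER stays blocked for an unprivileged writer even on the device with an exception, because the exception was granted for one vendor-specific opcode, not for everything.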
Comments (11 posted)
Hans Reiser is nothing if not persistent. Back in October, 2002, he
requested that his new reiser4
filesystem be included into the 2.5 development kernel before it went into
the pre-2.6 stabilization mode. Nearly four years have passed, during
which reiser4 has been through endless linux-kernel debates, numerous
changes to fix problems found by reviewers, the removal of core features,
and a long wait in the -mm kernel. Despite all of this, reiser4 is still
not in the mainline - but Hans has not given up.
There have been a number of obstacles to overcome so far. The "files as
directories" feature tweaked POSIX semantics in a way that disturbed some
people, and, more importantly, had crucial locking problems; that feature
has been removed. The posted benchmarks have not been entirely credible to
all observers. There is concern about how committed the reiser4 developers
are to ongoing support of the filesystem, once it is merged. Hans tends to
have difficult relations with other kernel developers, and does not always
respond entirely gracefully to (often not entirely graceful) review
comments. The end result has been a difficult path toward inclusion for a
filesystem which truly does offer some interesting ideas and the potential
for top-level performance.
Partially as a result of a feeling that the reiser4 process has gone on for
too long, the debate has returned to linux-kernel. Hans and company would
like to see reiser4 put into 2.6.19, and it seems that they might just
succeed.
Some outstanding issues remain, though some of them may not be as
problematic as some people think. The biggest of those, probably, is the
reiser4 plugin concept. Plugins allow the filesystem to behave differently
for every file stored there; they can add features like compression,
encryption, or many of the more esoteric things currently done with FUSE.
Plugins raise all kinds of red flags in the development community. So, for
example, Linus states:
As long you call them "plugins" and treat them as such, I (and I
suspect a lot of other people) are totally uninterested, and in
fact, a lot of people will suspect that the primary aim is to
either subvert the kernel copyright rules, or at best to create a
mess of incompatible semantics with no sane overlying rules for
locking etc.
Jeff Garzik has concerns as well:
I don't want to be the distro support person trying to fix a crash
in "reiser4", where the customer has secretly replaced the standard
inode data structure with a plugin written by an intern, and
secretly replaced the directory algorithm with a closed source
plugin from PickYourVendor. Trying picking through that mess with a
filesystem debugger.
The message for the reiser4 developers over the last few years is that any
such mechanism, if it makes sense at all, should be implemented within the
VFS level, rather than within any specific filesystem. Reiser4 plugins are
seen as a separate, private VFS with a large potential for problems.
What a number of people have not realized, perhaps, is that the plugin
issue is much smaller than it once might have been. They cannot be loaded
at run time, so there should not be copyright issues like those that
accompany closed-source kernel modules. And most of the plugin
functionality has been removed in response to past comments. Andrew
Morton, who has recently reviewed the code
himself, comments:
The plugins appear to be wildly misnamed - they're just an internal
abstraction layer which permits later feature additions to be added
in a clean and safe manner. Certainly not worth all this fuss.
From Andrew's point of view, the biggest problems would appear to be the
lack of direct I/O and extended attribute support. Direct I/O looks like
it might not be too far in the future, but it does not appear that there is
any immediate prospect of extended attributes. That means that, among
other things, a reiser4 filesystem cannot support SELinux. That limitation
may cause some distributors to leave reiser4 support out, even after
reiser4 has finally been merged into the mainline kernel.
The remaining objections may be enough to dissuade some users or
distributors from working with reiser4, but it would seem that they should
not be enough to block the merging of reiser4 into the mainline. A new
filesystem does not affect anybody who does not use it, and the bad
pitfalls for reiser4 users (deadlocks, for example) should be long gone.
So it may just be that Hans Reiser's long wait is nearing its end.
Last week's article on
network channels suggested that channels might not be the way of the future
at all. Since then, there has been a great deal of discussion on how
networking might move forward on many levels, some of which might yet
include channels. Your editor plans to gain an understanding of
the Grand Unified Flow Cache and related concepts (such as Rusty's plans to
thrash up netfilter yet again) for a future article; for now,
we'll look at a different aspect of networking (and beyond): a user-space
events interface.
Unlike some other operating systems, Linux currently lacks a system call
for generalized event reporting. Linux applications, instead, use calls
like poll() to figure out when there is work to be done.
Unfortunately, poll() does not solve the entire problem, so
application event loops must do complicated things to deal with things like
signals. Handling asynchronous I/O within a traditional Linux event loop
can be especially tricky. If there were a single interface which provided
an application with all of the event information it needed, applications
would get simpler. There is also the potential for significant performance
improvements.
There are two active proposals for event interfaces for Linux: the kevent mechanism and the event
channel API proposed by Ulrich
Drepper at this year's Ottawa Linux Symposium. Of the two, kevents
currently have the advantage for one simple reason: there is an existing,
working implementation to look at. So most of the discussion has concerned
how kevents can be improved.
The original kevent API is seen as being a bit difficult; it relies on a
single multiplexer system call (kevent_ctl()), an approach which is generally
frowned upon. The call also requires the application to construct an array
with two different types of structures, which is a bit awkward. So one of
the first suggestions has been to separate out various parts of the API.
The current kevent patch (as
of August 1) contains a new system call:
    int kevent_get_events(int ctl_fd,
                          unsigned int min_nr,
                          unsigned int max_nr,
                          unsigned int timeout,
                          void *buf,
                          unsigned flags);
This call would return between min_nr and max_nr events,
storing them sequentially in buf, subject to the given
timeout (specified in milliseconds). The flags argument
is unused in the current implementation.
There are a number of things which might be improved with this interface,
but, as it happens, its final form is likely to look quite
different. The current interface still requires frequent system calls to
retrieve events; Linux system calls are fast, but, in a high-bandwidth
situation, it still would be preferable to spend more time in user space if
possible. With a different approach to event reporting, it might just be
possible.
The idea which has been discussed is to map an array of kevent
structures between kernel and user space. This array would be treated as a
circular buffer, perhaps managed using a cache-friendly, channel-like index
mechanism. The kernel would place events into the buffer when they occur,
and user-space would consume them. Whenever there are events to process,
the application could obtain them without entering the kernel at all. Once
this mechanism is in place, the kevent_get_events() call could go
away, replaced by a simple "wait for events" interface (though glibc would
almost certainly provide a synchronous "get events" function). The result
should be a very fast interface, especially when the number of events is
large.
There are a couple of issues to be worked out, still. One has to do with
what happens when the buffer fills. The current asynchronous I/O interface
does not allow there to be more outstanding operations than there are
available control block structures; that way, there is guaranteed to be
space to report on the status of each operation. That can be important,
since the place in the kernel which wants to do the reporting is often
running at software or hardware interrupt level. If one envisions using
kevents to track thousands of open sockets, an unknown number of connection
events, etc., however, preallocating all of the event structures becomes
increasingly impractical. So something intelligent will have to be done
when the buffer fills.
The other issue has to do with "level-triggered" events which correspond
more to a specific status than a real event which has occurred. "This
socket can be written to" is such an event. When an interface like
poll() is used to query whether a write would block, the kernel
can check the status and return immediately if the given file descriptor
can be written to. Reporting this sort of status through a circular buffer
is rather harder to do. So, one way or another, applications will have to
explicitly poll for such events.
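A user-space model of the shared circular buffer and of the two open issues just described, added here as an illustration; it is not code from the kevent patch. The event record layout, the EV_* types and the status_writable() stand-in for a poll()-style status query are all constructed for the example.

```c
/*
 * Constructed model of the proposed mmap'd kevent ring. The "kernel" side
 * (ring_post) may run at interrupt level in the real design and therefore
 * can never block or allocate; the user side (ring_consume) drains events
 * without a system call. When the ring is full the producer drops the event
 * and counts the overflow, and the consumer must then fall back to an
 * explicit status query, which is also the only way to learn level-style
 * facts such as "this socket is writable".
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RING_SLOTS 8            /* power of two, so index masking works */

enum { EV_READABLE = 1, EV_WRITABLE = 2 };   /* constructed event types */

struct event_rec {
    int      fd;      /* descriptor the event refers to */
    uint32_t type;    /* one of the EV_* values above */
    uint32_t cookie;  /* sequence number; a jump in the numbers the
                         consumer sees reveals dropped events */
};

/* Shared area. In the real design this would be mmap'd between kernel and
 * user space; here it is an ordinary struct so everything runs in-process. */
struct event_ring {
    struct event_rec slots[RING_SLOTS];
    uint32_t head;         /* advanced by the producer only */
    uint32_t tail;         /* advanced by the consumer only */
    uint32_t overflow;     /* events dropped because the ring was full */
    uint32_t next_cookie;
};

void ring_init(struct event_ring *r) { memset(r, 0, sizeof *r); }

/* Producer: never blocks. Returns 1 if queued, 0 if dropped (ring full). */
int ring_post(struct event_ring *r, int fd, uint32_t type)
{
    uint32_t used = r->head - r->tail;
    uint32_t cookie = r->next_cookie++;
    if (used >= RING_SLOTS) {
        r->overflow++;            /* cannot wait for space at interrupt level */
        return 0;
    }
    struct event_rec *e = &r->slots[r->head & (RING_SLOTS - 1)];
    e->fd = fd;
    e->type = type;
    e->cookie = cookie;
    /* a real implementation needs a write barrier before publishing head */
    r->head++;
    return 1;
}

/* Consumer: copies out up to max_nr events with no kernel entry.
 * Returns how many were copied. */
size_t ring_consume(struct event_ring *r, struct event_rec *out, size_t max_nr)
{
    size_t n = 0;
    while (n < max_nr && r->tail != r->head) {
        out[n++] = r->slots[r->tail & (RING_SLOTS - 1)];
        r->tail++;
    }
    return n;
}

/* Returns the number of events lost since the last call and clears it. A
 * non-zero result means the ring no longer reflects reality and the
 * consumer must re-query status explicitly. */
uint32_t ring_take_overflow(struct event_ring *r)
{
    uint32_t lost = r->overflow;
    r->overflow = 0;
    return lost;
}

/* Constructed stand-in for a poll()-style status query: even fds are
 * "writable". This is the level-triggered information a ring cannot carry. */
int status_writable(int fd) { return (fd % 2) == 0; }

/* Worked scenario: 12 events posted into 8 slots. The consumer drains the
 * ring, notices 4 drops and falls back to a status scan of its descriptors.
 * Returns the number of descriptors the fallback found writable. */
int demo(void)
{
    struct event_ring ring;
    struct event_rec buf[RING_SLOTS];
    ring_init(&ring);
    for (int fd = 3; fd < 15; fd++)
        ring_post(&ring, fd, EV_READABLE);
    size_t got = ring_consume(&ring, buf, RING_SLOTS);
    uint32_t lost = ring_take_overflow(&ring);
    int writable = 0;
    if (lost)                                  /* resynchronise by polling */
        for (int fd = 3; fd < 15; fd++)
            writable += status_writable(fd);
    printf("consumed %zu, lost %u, fallback found %d writable\n",
           got, lost, writable);
    return writable;
}
```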
Given the current level of interest, some way of dealing with these issues
seems likely to surface in the near future. That could clear the path for
merging kevents into the mainline, perhaps as early as 2.6.20.
The udev utility has a well-defined job: take information from
kernel events and the sysfs virtual filesystem and use it to create device
files corresponding to the actual configuration of the system. If
udev falls down, the system will be partially or completely
unusable, a situation which tends to go over poorly with users. So, when
Andrew James Wade reported a udev failure with a recent -mm kernel, the
developers took notice.
The problem, as it turns out, is caused by some sysfs changes designed to
improve power management in the kernel. The immediate problem can be fixed
by adding another patch, but that, in turn, only leads to further problems;
a number of distributions will break because the version of udev
they ship is too old to understand the new sysfs format. Andrew Morton complained that Fedora Core 3 breaks, but
the problem is likely to be more widespread than that.
Greg Kroah-Hartman, the developer behind the changes, responded this way:
That distro is unsupported now, right?
How long do you expect the kernel to support unsupported, community
based distros that thrive on the fact that they are quickly
updated? [...]
And yes, I will revert the patch in mainline that causes people to
have to upgrade to a udev that is in FC5, and wait till the next
release for that to happen (the minimum will be 081, which was
released in January, 2006, by the time 2.6.19 is out, that will be
about 10 months old.)
Andrew was unimpressed:
My (repeat) point is that we're proposing to break _all_ distros
which are older than ten months. We don't play the "oh, that isn't
supported any more" game....
This sucks. Do you know what machines we'll be breaking out there?
I sure don't.
Among others, distributions scheduled to break with the 2.6.19 kernel
include Ubuntu 6.06 LTS ("dapper") and the not-yet-released Slackware 11.
So, unsurprisingly, it's not just Andrew who is displeased by this change; there is
a definite chance that the whole set of patches will be withdrawn and
rethought.
Greg asks a fundamental question, however:
"How long should the community have to care about a distro after the
creators of it have abandoned it?" The traditional answer has been
"forever," but the new generation of "kernel in user space" tools is making
that promise harder to keep. Tools like udev are tightly tied to
the sysfs filesystem which, in turn, is a nearly direct representation of internal
kernel data structures. Sysfs functions, in some ways, like an internal
kernel API, but it is, in reality, a user-space interface. Keeping it
stable and avoiding compatibility problems with older user-space tools is a
difficult challenge, aggravated by the fact that the kernel developers are
still well within the process of figuring out how sysfs should really work.
At this year's Kernel Summit,
there was some talk of folding tools like
udev into the kernel code base and distributing them together.
New kernels would always come with a version of udev that worked,
and some of these compatibility problems would go away. There are limits,
however, to how many tools can be packaged in this way, and, in any case,
it can be hard to see this approach as anything other than a hack to avoid
the hard problem of keeping such a wide and complex ABI stable.
This particular problem will likely be worked around, one way or another.
But it won't be the last such. If the kernel developers are going to
continue to promise that the user-space ABI will remain stable
indefinitely, they will have to get a handle on all aspects of that ABI -
not just the system calls. It will not be easy: modern systems require
complex communications between the user and kernel realms. But the kernel
developers have solved plenty of "not easy" problems so far; given the
increased attention being paid to ABI regressions, they will probably
figure this one out too.
Page editor: Jonathan Corbet
Distributions
News and Editorials
MEPIS Linux (home of SimplyMEPIS and
MEPISLite) is a fairly popular Debian-based distribution company. With the
recent release of SimplyMEPIS 6.0, MEPIS transitioned from using Debian
packages to using Ubuntu (actually Kubuntu, as MEPIS is KDE-centric)
packages.
MEPIS has typically used binary packages straight from the parent
repository for large parts of the system. They never carried the source
code for these unaltered packages. For packages that they did alter, such
as the MEPIS kernel, they have always made the source code available.
However, that doesn't conform to the letter of the GNU General Public
License (GPL) version 2, the license used by many of the packages found in
SimplyMEPIS. The GPL
v2 states:
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software
interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
Sending people to the parent source repository is not good enough, although
they got away with it for some time. So MEPIS has now
announced a full GPL source
release. There are some interesting comments in the associated
GPL compliance FAQ, however.
MEPIS now offers all source code on 2 DVDs available through the MEPIS
Store.
New Releases
ROCK Linux has released version 3 of its Distribution Build Kit. The
release announcement (click below) contains the changes since version
2.0.3, plus pointers to the new ROCK Linux roadmap and more.
Mandriva has released the first beta of Mandriva Linux 2007. CD and DVD
images are available for download for a variety of architectures and
languages.
A new release candidate for Familiar Linux v0.8.4 is available for
download. It comes with various bug fixes and further improves support for
the HP iPAQ h2200, hx4700, and h6300 series of devices.
64 Studio has released a 709MB DVD-R image for version 0.9.0 beta. "This
will install Debian testing with X.org 7.0, the Gnome 2.14 desktop, Linux
kernel 2.6.17 with real-time pre-emption patches and a selection of
creative applications, covering audio and music, 2D and 3D graphics, and
publishing for the web and print. It also includes the internet and office
tools that a creative user is likely to need for their daily work." Click
below for information on download and known issues.
Distribution News
Software in the Public Interest has announced that it has appointed new
Officers following the election of three new members to the board of
directors. "In a board meeting on 1st August, the board elected Bdale
Garbee as President, Michael Schultheiss as Vice President, Neil McGovern
as Secretary and Josh Berkus as Treasurer of the board."
The Debian Project will have its 13th anniversary on August 16, 2006. A
wiki page has been set up to
help organize local celebrations.
Novell, Inc. has issued a press release claiming success for SUSE Linux
Enterprise 10. "To date, over 165,000 users from around the globe have
downloaded components of the SUSE Linux Enterprise 10 suite, which includes
the SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop
products."
Ubuntu's community-contributed documentation has been moved to its
own wiki on the
global documentation website.
The first point release of the current stable version of Ubuntu
(a.k.a. Dapper Drake) will be released soon. Ubuntu 6.06.1 LTS will be
built from dapper, dapper-security, and dapper-updates, and will consist of
updated desktop, alternate, and server CD images. On the development
release front, the second milestone release of Edgy (Knot 2) should be out
next week.
Xandros is seeking to attract legacy Microsoft Windows users. "'Now that
Microsoft has discontinued all support for Windows 98, 98SE and ME, legacy
Windows users have three options,' said Andreas Typaldos, CEO of
Xandros. 'First, they can cross their fingers and continue to use the
abandoned, insecure and unsupported Windows product. Second, they can
purchase a costly XP upgrade along with new hardware that will be out of
date as soon as Vista is released. Or third, they can continue using their
existing computer by installing the latest Xandros Desktop Home
Edition. Not only does this option extend the useful life of their computer
without a need to learn anything new, but it also provides users with a
stable and reliable platform that is free from the constant frustration of
spyware and viruses, and costs less than Windows-based Anti-Virus software
alone.'"
Distribution Newsletters
The Debian Weekly News for August 1, 2006 covers new members on the QA
team, an integrated l10n infrastructure in the works for Debian, Xen on
Debian GNU/Linux 3.1 howto, proposed branding for Debian Derivatives, key
management for Secure APT, and several other topics.
The Fedora Weekly News looks at One Laptop Per Child: An Education Project,
The K12 Open Source Interview Series Has Begun, OSCON Day 0 - Freedom 2.0,
On-Disk.com Donations and Big Developer Payouts, Use Fedora Directory
Server For Manageable LDAP, Book review: Red Hat Fedora 5 Unleashed, and
more.
The Gentoo Weekly Newsletter for July 31, 2006 covers Catalyst 2.0
released, Bugday's 3rd anniversary, Gentoo/Java staffing needs, Developer
of the week - Joshua Kinard, and more.
The Ubuntu Weekly Newsletter for the week of July 15 - 21, 2006 covers the
Edgy Eft Knot 1 Release, The Classroom, Ubuntu Magazine Meeting, Canonical
Commercial Repositories, Opera 9 for Ubuntu, Hug Day, Technical Board
Meeting, Ubuntu Marketing Team Meeting, Lugradio Live 2006, and more.
The DistroWatch Weekly for July 31, 2006 is out. "This is my third and
final week bringing you DistroWatch Weekly. It's been great fun, but I now
have an even greater appreciation for the contribution Ladislav Bodnar
makes to the Linux and Open Source Community. Fedora and Mandriva have
announced the end of the support cycle for some older products, Ubuntu is
starting class and Gentoo is holding elections. Dr. W. T. Zhu brings us an
in-depth look at all the options and features available here at
Distrowatch with glimpses into some of the history as well. Beranger brings
us a wonderful look at last week's release of Zenwalk Linux 2.8, while I
report on my test drive of Berry Linux 0.72."
Package updates
Updates for Fedora Core 5:
xorg-x11-drv-nv (new PCI IDs, better installer behaviour),
cups (update to 1.2.2),
samba (bug fixes),
vim (Vim-7.0 Patchlevel 42),
hal (bug fix),
xorg-x11-drv-nv (bug fix),
java-1.4.2-gcj-compat (bug fixes),
openoffice.org (bug fix),
icon-naming-utils (update to 0.7.3),
selinux-policy (bump for FC5),
NetworkManager (update to 0.6.4),
lksctp-tools (resolves a kernel - userspace interface conflict),
libstdc++so7 (reverts the libstdc++so7 string implementation to the rc kind),
scim (rebuilt against libstdc++so7),
scim-anthy (rebuilt against libstdc++so7),
scim-chewing (rebuilt against libstdc++so7),
scim-hangul (rebuilt against libstdc++so7),
scim-m17n (rebuilt against libstdc++so7),
scim-pinyin (rebuilt against libstdc++so7),
scim-tables (rebuilt against libstdc++so7).
Updates for Fedora Core 4: samba (bug fixes).
Updates for Fedora Extras 5: dumb (security issue).
Mandriva has updated ImageMagick packages that fix an infinite loop issue.
Updates for rPath Linux 1:
conary, conary-build, conary-repository (Conary 1.0.25 maintenance release),
vsftpd (start vsftp as a listening service).
It's been a busy week for Slackware Linux. Many packages have been
upgraded, including KDE and X11 packages, and Linux 2.6.17.7 is in
testing. For a complete view see the slackware-current changelog.
Updates for Ubuntu 6.06 (Dapper Drake):
openoffice.org (minor fixes),
openoffice.org-l10n (added help in many languages),
localechooser (bug fix),
openoffice.org (improved amd64 support),
openoffice.org (adjust the Conflict/Replaces for dapper-updates),
kdenetwork (bug fixes),
gnome-games (bug fixes),
matplotlib (bug fix),
sixpack (bug fixes + bib manpage),
sparc-utils (sync with Debian),
hw-detect (improved sparc support),
openoffice.org-amd64 (update to 2.0.3-3dapper6),
gajim (new upstream release),
libwpd (new upstream release),
base-installer (backport from trunk),
debian-installer (improved sparc support),
libgnomeui (bug fixes),
gtksourceview (new upstream version),
gnome-desktop (new upstream version),
pessulus (new upstream version),
openoffice.org (upload to dapper-proposed; remaining changes compared to edgy),
gedit (new upstream version),
ubiquity (bug fixes),
gtkhtml (new upstream version),
debian-installer (add dapper-security to sources.list.udeb),
kdenetwork (bug fixes),
openoffice.org-amd64 (update to 2.0.3-4dapper1),
gnome-panel (new upstream version),
zenity (new upstream version),
debian-installer-utils (backport bug fixes),
file-roller (new upstream version),
gnome-themes (new upstream version),
debian-installer (bug fix),
nautilus-cd-burner (new upstream version),
yelp (new upstream version),
eel2 (new upstream version),
gnome-applets (new upstream version),
totem (new upstream version),
dasher (new upstream version),
gnome-games (new upstream version),
eog (new upstream version),
gtk+2.0 (new upstream version),
epiphany-browser (new upstream version),
gnome-menus (new upstream version),
gnome-session (new upstream version),
gdm (new upstream version),
gtk2-engines (new upstream version),
ia32-libs-kde (add dapper-security to the list of sources),
ia32-libs-openoffice.org (freshen packages).
Newsletters and articles of interest
KDE.News has an interview with Fabio Erculiani, founder and developer of
Sabayon Linux. "Sabayon Linux is quite a new addition to the family of KDE
distributions. It first came into existence on the Gentoo Forums as
RR4/RR64 and was designed to provide a fast and easy way to get a Gentoo
system with extras. After the initial success, founder and developer Fabio
Erculiani decided to turn this project into a fully fledged
distribution. It was also decided that a new name was needed and thus
Sabayon Linux was born."
Linux.com looks at APT. "The Advanced Packaging Tool (APT) is a
distinguishing feature of Debian-based systems. APT was the first major
alternative in GNU/Linux to boast automatic dependency resolution. Most
GNU/Linux users know it through the apt-get command, a utility that calls
on the lower-level dpkg command. However, other APT-based utilities remain
largely unknown to desktop users. Some of these utilities offer a range of
functionality far beyond those of the basic tools."
Distribution reviews
Linux.com looks at Freespire. "Freespire is the free offshoot of the
proprietary Linspire Linux distribution, formerly an outside effort, but
now produced by the company itself. The first beta release is available
through the Freespire Web site, both as a CD-sized burnable ISO image and
as a VMware Virtual Appliance. Despite its youth and inexperience, it
already exhibits considerable polish."
TuxMachines reviews the first beta release of Mandriva 2007 and the
results are not good. "[T]his release isn't even beta quality. I know
Mandriva has been plagued with hardware issues amongst other things and
their beta cycle was falling embarrassingly behind schedule, but they
should have waited a bit longer. Don't bother downloading this one."
Tweakers.net reviews Rock Linux 3. "It took a bit over 20 months, but
finally, ROCK 3 is done. Over the last 20 months, ROCK Linux has seen many
changes not only in the code, but also in its aim and social relations:
ROCK has an official mission statement,
ROCK has switched to a Wiki-based website, allowing anyone to contribute in various ways, not only coders and bug-reporters,
Sadly, some people have left ROCK for one reason or another,
Other people have in turn become more active in the project,
Despite - or because - of that, ROCK 3 is now available for public consumption."
Linux.com reviews Symphony OS. "Symphony OS is a GNU/Linux distribution designed to
Symphony OS is a GNU/Linux distribution designed to
innovate from the ground up. Although originally based on Knoppix and now
on Debian stable, it quickly differentiates itself from the bulk of distros
by implementing the ideas articulated in a so-called grey paper on user
interface design by Jason Spisak, one of the co-founders of Lycoris. Often,
Symphony's implementations challenge UI assumptions on any platform. At
other times, the possible shortcomings of Symphony OS' solutions raise
issues themselves. Either way, in putting the May 2006 beta through its
paces, I found it impossible to stop thinking about UI design. Even when
Symphony OS does not provide ultimate answers, it raises questions about
usability that are too often ignored."
Page editor: Rebecca Sobol
Development
August 1, 2006
This article was contributed by Nathan Sanders
For two years now, Google's Summer of Code has furnished students with time, money, and help to encourage the next generation of open source developers. During that time, several thousand applications were submitted to Google, of which only several hundred could be accepted. The Summer of Code's capacity is limited by funds - each project Google sponsors costs them $4500 to the student and $500 to the mentor, plus associated expenses - as well as organizational concerns. Dozens of revered open source projects signed up to accept students for the Summer, including KDE, makers of what is one of free software's most popular desktop environments. As a large project, KDE was lucky enough to have Google sponsor twenty-four students. Unfortunately, this left nearly 200 hopefuls without work.
The KDE organization itself stepped up to take on many of these left over students as part of their own Season of KDE 2006, which is hoped to be the first of many such events. Organizer Sebastian Trueg told me: "The idea arose in a discussion between
the Summer of Code mentors when it was obvious that Google would not support as
many students as we had hoped. We did not want to waste all that talent and all
that enthusiasm so we came up with the idea to do our own follow-up project. It
took some time to get off the ground but now 15 projects are running." Invitations were sent to nearly all those left over from the Summer of Code. Most politely declined to join the Season of KDE, citing commitments to summer jobs, internships, and other occupations. Organizer Pradeepto Bhattacharya recalls, however, that: "some of the students replied with so much enthusiasm that many of us were actually surprised."
KDE cannot afford to pay, but there are other incentives for students. They offer the same mentors and experiences to their students as Google would and, if sponsors can be found, the students may also get to attend aKademy 2006 in Dublin. Trueg notes: "For now we only support them in a non-financial way but we hope to improve on that." The selected students officially began work on their project on July 10th, and are expected to present a mid-term report on September 10th. The completed projects are due on November 11th, along with final comments from students and mentors.
Not surprisingly, the group of students who have signed on bear a great resemblance to the KDE community as a whole. A majority of them are from outside the United States and have a strong educational background in computer science. Nearly all of the students I questioned had intended to become involved with KDE whether or not their Summer of Code applications were accepted, and were delighted by the Season of KDE and the opportunity to work with a mentor. Student Yang Sheng, working on the "KNotes improvement" project, told me: "I took this as a practice and a challenge more than as a simple project. So it not only aids KNotes' improvement, but also my own improvement." Similarly, the mentors were delighted to mold new recruits for their particular area of KDE development. Trueg, also a
mentor for the "K3b lite" project, explains: "I think it is a very good opportunity for new developers to become involved with the KDE project".
Fifteen projects were registered as members of the Season of KDE.
Many of the ideas were built upon suggestions given to potential applicants by KDE developers.
This week we take a look at the first five of these projects.
Inspired by a three year old feature request on bugs.kde.com, Martin Böhm intends to add Fluxbox-like tabs to Kwin, KDE's window manager.
Tabs in window managers work just like those in web browsers, allowing several
windows to occupy the same space. The Fluxbox
implementation lets you group windows by dragging
them onto each other with the middle mouse button, and then allows
switching between windows in the group by clicking on a tab bar placed on an edge of
the window. Groups save on space and clutter and can be moved, minimized,
and maximized together. They can be disassembled by dragging off tabs with
the middle mouse button.
Some question the usefulness of tabs for a window manager. Many note that
having windows overlap as tabs obstructs the ability to drag and drop
documents, a highly touted usability feature. Others point out that the
taskbar already serves to tab windows, and that developers are free to
implement them per-application if they deem it necessary, though this
argument does not address the ability to group together different
applications. Fortunately, Böhm will add configuration options to
KControl, including keyboard shortcuts and default behavior, so that those
who do not like tabs can ignore them. He also points out that there will
be essentially no performance cost for the feature. Some users will no
doubt enjoy using tabs with applications such as KEdit or the GIMP, which
do not implement application tab support but could perhaps benefit from
them.
Böhm considers himself a window-manager connoisseur who has particularly extensive experience with KDE and Fluxbox. He cites skill in C++ (the foremost requirement for his project), an interest in Qt and KDE, and server administration experience at a small ISP. He and mentor Lubos Lunak appear to share Czech citizenship and background, which Böhm feels eliminates any potential communication barrier. Lunak has had his hand in KDE for years, on a diverse set of components including KHotKeys, Kicker, and kdelibs.
Ivan Cukic's "Kamion" User State Migration Tool (mentored by Thiago Macieira)
"User state migration" refers to saving or restoring a user's application
configuration and data for backup purposes or use on another installation.
Today, wise Unix users may opt to accomplish this by copying their /home
directory, though they must first take a comb to their files to make sure
they aren't restoring application settings of an incompatible version or
wasting space by archiving browser caches. Kamion promises an integrated
wizard for both "packing" and "unpacking" compressed user states, making
sure to avoid the pitfalls of the /home method. Cukic envisions a database of application signatures, kept by either distribution packagers or KDE developers, that will instruct Kamion of which versions have incompatible settings and which files are not worth packing.
Cukic intends to offer users a simple and usable solution without depriving them of any power. Kamion will prompt the users as to which application states they want to restore, and whether to ignore incompatibility warnings. An option to package only specific applications may be added, or even specific data such as a music collection. Users will also choose whether to save their packs to disk, email them, or burn them to CD with K3b. Kamion will be integrated into the desktop via a mime type for .kamion packs and options in the KDE Welcome Wizard.
Many of these details did not exist in Cukic's initial Summer of Code application. He informed me that he has dropped his proposed XML data storage format in favor of a faster sqlite3 method. When I contacted him he had already nearly completed the Kamion backend library and was readying to begin work on the GUI. Though he told me he has experience with KDE development, Kamion will be his first notable contribution to the desktop. Cukic, a student at the Faculty of Mathematics, University of Belgrade Computer Science Department, seems devoted to software engineering and is active in the free software world. Mentor Thiago Macieira is one of KDE's foremost bug-fixers and maintainer of its networking code.
A user's media collection usually consists of much more than what can be found in a
'Music' folder on the hard drive. Jovev recognizes that it can be expected
to extend to a large assortment of DVDs, storage cards, external and
network drives, and even the Internet. Such a distributed collection is
difficult to manage, even with the aid of one of the many "collection
manager" applications like Tellico. In response to this,
Jovev has designed an API and storage backend to allow KDE applications to
store information about any media that they access and keep this
information even when the media is no longer accessible. The user will be
able to, for example, browse his entire music collection in Amarok and be prompted to insert a
specific CD if necessary.
His API, KMetaLibrary, needs to be sufficiently fast, configurable, and
robust as to appear transparent to the user. To that end, Jovev plans to
section off his database. As described in his Season of KDE page:
Each collection will be done using SQLite, XML or some other type of
database. There will be separate collections for movies, songs and
pictures. This will make faster manipulation of data for applications that
are working, for example, only with pictures. Also, it will be easier to
create and manage separate database structures, since video and audio files
will not use same data structure.
Configuration to restrict the API's
cataloging scope will be possible both globally and per-application. Digikam, for instance, may be restricted to
indexing photos it found on flash cards.
Jovev has had delays in starting his project, but promises that in August
he is "ready to spend all [his] spare time on this project. That means 5-6
hours per day." He may have to, for an ambitious idea that mentor Carsten
Pfeiffer expects to prove an integral part of KDE 4. Pfeiffer is the
creator of image viewer Kuickshow and the KISDN telephony program and has
been a contributor to several other KDE projects, including KDE 3's meta
data facilities. When I contacted him, he had a very insightful note about
the benefits Season of KDE students are getting: "collaborating on software
development (which is something you hardly learn in computer science classes)". He continues: "Due to lack of time, I cannot develop much for KDE myself recently, so the
least I could do is help others doing that."
Jovev is a computer science major at the Faculty of Electronic Engineering, University of Nish in Serbia. The KMetaLibrary project is his first formal involvement with KDE, though he tells me he has written small patches in the past that were not published. His Season of KDE page imparts that he has been a KDE user for six years and has had software development experience with Irvas International.
Corey Latislaw's KOffice ClipArt Browser (mentored by Carsten Pfeiffer)
Clip art has undeniable appeal to those doing casual desktop publishing, the exact Microsoft Office jockeys that desktop Linux is targeting. Such images usually have legal restrictions, but great strides have been made in compiling an Open Clip Art archive. Latislaw is making a clip art library browsing application that she intends to integrate with KOffice. The browser would be usable across all of KOffice's many components, wherever inserting an image is applicable.
In the current version of KOffice, users can easily add preselected pictures to documents, but there are no tools to help them find images. Latislaw's browser would present them with thumbnails of the images in their clip art libraries, similar to the behavior of many competing office suites. Mentor Carsten Pfeiffer imagines clip art being selectable from any source, such as CDs or network directories, though Latislaw specifically outlined Open Clip Art integration to me. He suspects that Latislaw will implement image categories organized and searchable by meta-data or perhaps even content.
Some previous attempts at coding a KOffice clip art browser seem to have been abandoned.
Latislaw is a student at Florida State University, treasurer of their Women in Computer Science organization, and contributes to the FSU Student Leadership Corps. Latislaw tells me that she has settled on using C++ for her project and has been refreshing her skills in the language. She hopes to present the browser at aKademy.
Emmanuel Lesser's optical touchscreen (mentored by Olaf Jan Schmidt)
Lesser's project is a fantastically innovative and interesting method for turning a $20 webcam and a user's existing monitor into a functional touchscreen. His software will litter the screen with markers; when the screen is photographed by the webcam and the image is fed through OCR, the software will recognize that a marker is missing (covered by a finger) and report its position as the user's click. He hopes to bring touchscreens, whose applications include aiding the disabled, to the masses, foregoing expensive monitor hardware or Tablet PCs. Mentor Olaf Jan Schmidt is a member of the KDE Accessibility team.
The optical method for touch recognition does have several hampering flaws. Lesser intends to write a custom OCR engine tailored to the job, which will have some performance penalties that will undoubtedly be exacerbated on older hardware. Logic algorithms, which Lesser will write in Prolog, are needed to differentiate between markers users intentionally cover and those incidentally covered by their arms. The webcam must also have a direct view of the monitor, which may involve a custom mounting solution and interfere with the user's workspace. Calibration will be required before use. Lesser does not address the possibility, if any, of conflict between a low-frame-rate webcam and CRT refresh rates, nor between low-resolution images and the detection of markers.
Extensive coding is necessary for the project, ranging from low-level driver support to a graphical configuration utility. Much of it will be ported from a 2003 prototype that Lesser wrote in JavaScript. Nonetheless, he will have to code an OCR engine from scratch, develop Prolog algorithms to process the images, manage driver support, create a GUI using the technique, and author a plugin-like sub engine system to allow other applications to hook into his code. Lesser laments the stagnation of his prototype, but states that, "I firmly believe that by coding a custom OCR-engine, using more flexible (low-level) languages like C and with my extended knowledge and experience, this application can become very fast and compatible with virtually any platform."
Ten more Season of KDE projects will be examined in the second and final part of this article series.
Comments (2 posted)
System Applications
Embedded Systems
Stable version 1.2.1 of
BusyBox, a condensed collection
of command line utilities for embedded systems, is out.
"Since nobody seems to have objected too loudly over the weekend, I might as well point you all at Busybox 1.2.1, a bugfix-only release with no new features."
Comments (none posted)
Web Site Development
The Apache Software Foundation and The Apache HTTP Server Project have
announced the release of version 2.2.3 of the Apache HTTP Server
("Apache"). This version fixes a
potential security
flaw. "Depending on the manner in which Apache HTTP Server was
compiled, this software defect may result in a vulnerability which, in
combination with certain types of Rewrite rules in the web server
configuration files, could be triggered remotely. For vulnerable builds,
the nature of the vulnerability can be denial of service (crashing of web
server processes) or potentially allow arbitrary code execution. This issue
has been rated as having important security impact by the Apache HTTP
Server Security Team."
Full Story (comments: none)
Skeletonz is a new Python-based content management system.
"Say goodbye to tedious backend administration and say hello to in-site
dynamic editing of your site! The system is a CMS refreshment - it
represents a whole new way of editing! Say goodbye to bloatness also.
Skeletonz is dynamic, very fast and dead simple to use. The system has
been in development for around 9 months. Current version is 1.0 beta."
Full Story (comments: none)
Desktop Applications
Audio Applications
New versions of das_watchdog and jack_capture are available with
bug fixes and other improvements.
Full Story (comments: none)
sfront 0.91 7/30/06 is out with bug fixes.
"Sfront compiles MPEG 4 Structured Audio (MP4-SA) bitstreams into
efficient C programs that generate audio when executed."
Full Story (comments: 1)
Desktop Environments
Version 2.15.90 of GARNOME, the bleeding-edge GNOME distribution, is out.
"We are pleased to announce the release of GARNOME 2.15.90 Desktop and
Developer Platform. This release includes all of GNOME 2.15.90 (aka
2.16.0 Beta 1), tweaked and updated with love by the GARNOME Team."
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
KDE 3.5.4 is out. The announcement describes it as a maintenance release,
but notes that there are "over 27 new features" as well. Those new
features include better removable device support, improved wireless
networking configuration, and more; the
changelog
has all the details.
Full Story (comments: none)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (1 posted)
KDE.News
presents News from KDE
Web Dev. "The Quanta development team is pleased to announce our
Hot New Stuff server implementation is now running. This means that Quanta
Plus users can now begin taking advantage of KNewStuff. We are also
preparing for exciting new developments we want to work on during the
upcoming Akademy in Ireland. We will have at least four developers there
and we very much appreciate any help rasing funds for travel, accommodation
and other expenses. Two of our developers have notebooks running 500 MHz or
slower and I would like to get them new notebooks for the conference. You
can contribute to the project at the kdewebdev site. Finally, development
has resumed on Kommander, read on for full details."
Comments (none posted)
The July 30, 2006 edition of the
KDE Commit-Digest
has been
announced. Here's the
content summary:
"Work begins on integrating C# support in KDevelop, as the second phase of the "C# parser for KDevelop" Summer Of Code project, whilst a companion effort concurrently starts to support Java. Eigen, a matrix and vector mathematics library is begun. okular is ported to QGraphicsView. Infrastructure improvements in Solid and Kalzium. "Siox" tool ported to Krita."
Comments (none posted)
Electronics
Version 1.0.2 of
gerbv,
a Gerber file viewer for printed circuit CAD designs, is out. See the
release announcement for details.
"This is to announce the third release in the stable branch of
gerbv, 1.0.2.
During the course of the 1.5 years many things have been rotting
away in the CVS. Some patches have found their way out on the 'net
anyhow, like the GCC4 patch.
If anyone is interested in taking over this project and bringing it up
to new heights - or at least maintaining it properly - they are welcome."
Comments (none posted)
Games
Version 4.3.0 of
Allegro,
a game programming library for C/C++ developers, is available.
"This is a WIP version, which will probably not work as expected for many things when using as a 4.2 drop in, although the 4.3 branch will be developed together with a compatibility layer, mapping the 4.2 API onto the new 4.3 API. This release is only the first release of the 4.3 branch though, and many if not most things are not implemented yet."
Also, version 0.1.4 of
Alpy, the Python bindings to Allegro, is out with new features and
bug fixes.
Comments (none posted)
GUI Packages
KDE.News
covers
the first preview release of Qt for Java.
"Trolltech has released a preview of the long awaited Java bindings for Qt 4.
"Qt Jambi technology integrates Qt with the Java programming language,
providing new possibilities for both Java and C++ programmers. This
technology enables Java developers to take advantage of the powerful features
of Qt from within Java Standard Edition 5.0 and Java Enterprise Edition 5.0.""
Comments (none posted)
Interoperability
Version 0.9.18 of Wine
has been announced. Changes include still more work on Direct3D, a lot of
MSI bug fixes and improvements, more compatible memory management, several
fixes for Win64 support, some performance improvements and lots of bug fixes.
Comments (none posted)
Medical Applications
Version 2.2 of Care2x
has been announced.
"Care2x is an open source web-based hospital information system (HIS).
The development of Care2x was started back in 2002 by Elpidio Latorilla.
The software is released under the GNU General Public License.
The latest version 2.2 is a maintenance release."
Comments (none posted)
Office Suites
KDE.News
has announced
KOffice 1.6 alpha.
"Swiftly following the latest bugfix release for KOffice 1.5, the KDE Project today announced the release of KOffice 1.6 alpha. This is the first preview release for KOffice 1.6, scheduled for release this October. KOffice is an integrated office suite with more components than any other suite in existence. KOffice 1.6 is mainly a feature release for Krita and Kexi while the new revolutionary KOffice 2.0 is being developed".
Comments (none posted)
The July, 2006 edition of the OpenOffice.org Newsletter is online
with the latest OpenOffice.org office suite news.
Full Story (comments: none)
Web Browsers
MozillaZine
has announced the release of version 1.5.0.5 of the
Mozilla Firefox web browser.
"Mozilla Firefox 1.5.0.5 is now available for download. This update to the Mozilla Corporation's flagship browser includes stability and security fixes and changes for the Frisian locale. The Firefox 1.5.0.5 Release Notes have more details and the Firefox 1.5.0.5 section of the
known vulnerabilities page
has details about the security bugs resolved in this release."
Comments (6 posted)
Miscellaneous
Version 0.2 of
ANNA
is out with several new capabilities.
"ANNA: (Artificial Neural Network Architecture) is a Back propagation neural network class developed thinking in a good matching class to the FLTK. The distribution includes the source code and a demo which should work on Linux systems. The structure is very flexible and you can change in a simple way the number of inputs, number of hidden layers, number of neurons per layer and the outputs. There is included a nice Structure editor, where you can visualise the neuronal network structure."
Comments (none posted)
A new stable GnuPG v1.4.5 has been released. "Fixed 2 more possible
memory allocation attacks. They are similar to the problem we fixed with
1.4.4. This bug can easily be exploited for a DoS; remote code execution
is not entirely impossible."
Full Story (comments: none)
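The three security-fix releases above (Apache HTTP Server 2.2.3, Firefox 1.5.0.5 and GnuPG 1.4.5) all call for the same practitioner check: is the installed build below the fixed version? The Python below is an added example, not LWN's code nor any of those projects' own tooling. It parses constructed sample banners in the shape that `httpd -v`, `gpg --version` and `firefox --version` print, compares them with the fixed versions the announcements name, and, for Apache, also reports whether an uncommented RewriteRule is present, since the announcement says the flaw is only triggered "in combination with certain types of Rewrite rules". It assumes only the release branch each announcement names (2.2.x, 1.4.x, 1.5.x) and reports other branches as not covered rather than safe; the sample banners and configuration are constructed, not captured from a real host.

```python
"""Version-floor triage for the security releases named on this page.

Added example (not LWN's or any project's code).  Fixed versions come
from the announcements; the covered-branch rule and every sample banner
and config below are assumptions / constructed text, not real host data.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed version, covered release branch, and the regex that pulls the
# version out of each tool's own banner.
FIXED = {
    "apache":  {"fixed": (2, 2, 3),    "branch": (2, 2),
                "pattern": r"Server version: Apache/(\d+(?:\.\d+)+)"},
    "gnupg":   {"fixed": (1, 4, 5),    "branch": (1, 4),
                "pattern": r"^gpg \(GnuPG\) (\d+(?:\.\d+)+)"},
    "firefox": {"fixed": (1, 5, 0, 5), "branch": (1, 5),
                "pattern": r"Mozilla Firefox (\d+(?:\.\d+)+)"},
}


@dataclass
class Finding:
    product: str
    version: Optional[Version]       # None if the banner did not parse
    vulnerable: Optional[bool]       # None if the branch is not covered
    rewrite_in_use: Optional[bool]   # Apache only, else None
    note: str


def parse_version(text: str) -> Version:
    """'2.2.10' -> (2, 2, 10).  Integer tuples order correctly; string
    comparison would rank '2.2.10' below '2.2.3'."""
    return tuple(int(p) for p in text.split("."))


def version_below(installed: Version, fixed: Version) -> bool:
    """Right-pad with zeros so that 1.5 compares as 1.5.0.0."""
    n = max(len(installed), len(fixed))
    return installed + (0,) * (n - len(installed)) < fixed + (0,) * (n - len(fixed))


def extract_version(product: str, banner: str) -> Optional[Version]:
    m = re.search(FIXED[product]["pattern"], banner, re.MULTILINE)
    return parse_version(m.group(1)) if m else None


def uses_rewrite_rules(httpd_conf: str) -> bool:
    """True if any uncommented RewriteRule directive appears in the config."""
    for line in httpd_conf.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and re.match(r"RewriteRule\b", s, re.I):
            return True
    return False


def triage(product: str, banner: str, httpd_conf: Optional[str] = None) -> Finding:
    spec = FIXED[product]
    v = extract_version(product, banner)
    if v is None:
        return Finding(product, None, None, None, "could not parse version banner")
    if v[:len(spec["branch"])] != spec["branch"]:
        # Assumption: say nothing about branches the announcement does not name.
        return Finding(product, v, None, None, "branch not covered by this announcement")
    vulnerable = version_below(v, spec["fixed"])
    rewrite = None
    if product == "apache" and httpd_conf is not None:
        rewrite = uses_rewrite_rules(httpd_conf)
    if not vulnerable:
        note = "at or above fixed version"
    elif rewrite is True:
        note = "below fixed version and RewriteRule in use: upgrade now"
    elif rewrite is False:
        note = "below fixed version; no active RewriteRule found, upgrade anyway"
    else:
        note = "below fixed version: upgrade"
    return Finding(product, v, vulnerable, rewrite, note)


# Constructed sample banners and config (not output from a real host).
SAMPLE_APACHE_BANNER = "Server version: Apache/2.2.2 (Unix)\nServer built:   Apr 28 2006 10:15:00\n"
SAMPLE_HTTPD_CONF = """# RewriteRule ^/old - [F]   (commented out, must not count)
RewriteEngine On
RewriteRule ^/legacy/(.*)$ /new/$1 [R=301,L]
"""
SAMPLE_GPG_BANNER = "gpg (GnuPG) 1.4.4\nCopyright (C) 2006 Free Software Foundation, Inc.\n"
SAMPLE_FIREFOX_BANNER = "Mozilla Firefox 1.5.0.5, Copyright (c) 1998 - 2006 mozilla.org\n"

if __name__ == "__main__":
    print(triage("apache", SAMPLE_APACHE_BANNER, SAMPLE_HTTPD_CONF))
    print(triage("gnupg", SAMPLE_GPG_BANNER))
    print(triage("firefox", SAMPLE_FIREFOX_BANNER))
```

On a real host, feed `triage` the captured output of the three commands and the contents of the httpd configuration (including any files it `Include`s, which this example does not follow). The RewriteRule scan only lowers the urgency label; the announcement ties exploitability to build options as well, so a vulnerable version without rewrite rules is still reported as needing the upgrade.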
LZMA Utils is a relatively new compression utility that works like
gzip/bzip2 but uses the LZMA algorithm; it is a work in progress.
(Thanks to Fabio.)
Comments (none posted)
Languages and Tools
Caml
The August 1, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Python
Version 0.5.0 of
SciPy,
Scientific Tools for Python, is out.
"This version adds support for NumPy 1.0b1. It also contains bug fixes and minor enhancements to sparse, weave, optimize, ndimage, stats, and other modules.
New features include callback functions in optimization routines, ..."
Comments (none posted)
The August 2, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The August 1, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Cross Compilers
Version 2.6.0 of
SDCC,
a cross-compiler for 8051, DS390, Z80, PIC and HC08 microprocessors,
is out.
"This release improves the compiler's conformance to the C standard. Significant progress was also made on the PIC (both 14- and 16-bit) backends. For the 8051 SDCC has seen the addition of a new memory model, code banking and bit variables. Numerous feature requests and bug fixes are included as well.
Since 2.5.0 the ChangeLog has grown by more than 3000 lines so all changes are simply too numerous to name."
Comments (none posted)
IDEs
Version 2.1.1 of Wing IDE
has been announced.
"We're happy to announce the release of Wing IDE version 2.1.1, an
advanced development environment for the Python programming
language.
This is a bugfix release, fixing several editor, subprocess, and
startup bugs."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
LinuxWorld
reports
that Google is adding open source project hosting to its services.
"The heart of an open source project hosting service is the version
control system, which keeps track of changes to software and allows
developers to fix conflicting changes or roll back to previous
versions. Google will be using Subversion, an open source version control
system to which several Google developers contribute, [Google engineer
Greg] Stein said."
Comments (22 posted)
ZDNet
covers
the launch of the
Fedora
Women project. ""A large portion of the Fedora user base is made
up of women. They are often under-represented within the community, with
many people not even realizing how big a share of the community they
are. The Fedora Women program aims to improve that representation and to
provide a forum for the women of the Fedora community," the group
said."
Comments (none posted)
Trade Shows and Conferences
Joe 'Zonker' Brockmeier
covers day three of the O'Reilly Open Source Convention on NewsForge.
Covered sessions and events include: Open Technology Development: Open Source
and the US Government, Greg Kroah-Hartman's Current State of the Linux Kernel,
Lightning States sessions, and the exhibit floor.
Comments (none posted)
NewsForge
covers
day four at O'Reilly Open Source Convention (OSCON). "Guido van
Rossum, the creator of Python, gave a talk on "Python 3000," the minor
revamp of Python, which will eventually result in Python 3.0. During his
session van Rossum discussed the philosophy of the new design and gave a
tentative timeline for development."
Comments (none posted)
NewsForge
presents
an OSCON wrap-up. "The eighth annual O'Reilly Open Source Convention
wrapped up Friday with a half day of talks and a farewell address by Eben
Moglen, general counsel for the Free Software Foundation and chairman of
the Software Freedom Law Center, on the importance of software
licenses. Moglen's talk provided a perfect end to an excellent
conference."
Comments (none posted)
The SCO Problem
The Salt Lake Tribune
observes a minor milestone in the SCO case: "After a sustained slide fed by sustained poor earnings results and courthouse reversals, SCO shares closed Tuesday at $2.28 per share.
That was 2 cents per share lower than the company's stock sold for on March 25, 2003. That was the same day SCO, alleging IBM had transferred SCO's proprietary Unix code into its Linux releases, filed its $5 billion complaint against Big Blue in Salt Lake City's U.S. District Court."
Comments (18 posted)
Companies
ZDNet
reports
that Pervasive Software is getting out of the PostgreSQL support business.
"In a letter to the PostgreSQL community of developers, Pervasive
Software President John Farr said last week that the company
"underestimated the high level of quality support and expertise already
available within the PostgreSQL community.""
Comments (3 posted)
Legal
Modern Healthcare has
an article about a suit by Medsphere Systems against its co-founders. "According to the lawsuit, these alleged acts include posting proprietary source code known as 'OpenVistA Client' -- also known as 'Kickstand' -- and 'Jumps' on June 6 and June 7 on the SourceForge.net open-source development Web site..." Note that reading the full article requires an intrusive registration step - and isn't worth it. (Seen on
Linux Med News).
Comments (5 posted)
Interviews
KDE.News has
announced
an
interview
with Olivier Goffart in its People Behind KDE series.
"Today's star of People Behind KDE is a member of what was once described as "the younger generation of Kopete developers". This man talks Messenger and Jabber natively but only communicates on IRC thanks to Babelfish. Learn about the trials of a Kopete developer in our interview with Olivier Goffart."
Comments (none posted)
NewsForge
talks
with Eben Moglen about the second draft of GPLv3. "Moglen
stepped us through the highlights of the new draft. They include language
simplifications that make the GPL easier to use and lead to greater
internationalization, clarification of issues about potentially restrictive
technologies and peer to peer downloads, and a radical simplification of
the GNU Lesser General Public License (LGPL). Although some issues remain,
he believes that this draft is the first clear indication of what the final
version of GPL3 will look like."
Comments (none posted)
Resources
Jason Weathersby
shows how to deploy BIRT in an O'Reilly article.
"The Business Intelligence and Reporting Tools (BIRT) project is an open source, Eclipse-based reporting framework that enables the creation and deployment of complex report designs. Development with BIRT can usually be thought of as a two-step process: the creation of the report designs within the Eclipse BIRT Report Designer, followed by the deployment of the designs and framework to an application for dissemination."
Comments (none posted)
Groklaw
has published an article by Jonathan Zittrain entitled
"The Generative Internet"; the author is requesting comments on the work:
"I've just finished a new paper on the future of the Net, in which I extol its open qualities but fear that a focus on an open Internet can too often exclude worrying about an open PC -- which I define in a broader fashion than the divide between free and proprietary software typically contemplates.
I think it's critically important that users retain general purpose PCs, even some with proprietary OSes, instead of "information appliances." I fear these appliances, like TiVo, can come to predominate -- or that the PC itself will morph towards becoming one, with new gatekeepers determining what code will or won't run on them, rather than the users themselves."
Comments (5 posted)
Kevin Quiggle and Mike Whitton
explain how to add GPS location information to a photo album
in a Linux.com article.
"Open standards, and openness in general, enable people to combine a variety of technologies in new and interesting ways. For example, using a camera with Exif support, a GPS receiver, the Google Maps API, and Perl, PHP and JavaScript, Mike Whitton created a Web-based photo album in which the photographs are automatically placed on a map at the exact location they were taken. Let's take a look at how this is done."
Comments (none posted)
The
August issue of the
Linux Gazette is out; topics this month include XMMS effect plugins,
low-fat Linux, concurrent server design, and more.
Comments (none posted)
Linux Journal
looks
at parallel programming. "Whether you're a scientist, graphic
artist, musician or movie executive, you can benefit from the speed and
price of today's high-performance Beowulf clusters."
Comments (none posted)
Reviews
Linux.com
reviews Feh,
an image viewer. "Too many Linux image viewers are tinged with
little annoyances -- they take too long to load, are slow to redraw the
display, have limited format support, sport inconvenient controls -- so
when you want to settle on one, inevitably there's something to make you
utter feh! in general discontent. Good call -- feh is the name of a speedy
little viewer that packs in a surprising number of features for its
size."
Comments (13 posted)
KDE.News
covers some KDE 3
applications. "This is part four of the successful series All
About the Apps, reminding us that while KDE 4 development may be fun to
watch, to find great apps working today KDE 3 beats them all. This time we
report on the Linux equivalent of Cubase - Rosegarden, the great Basket,
KPhotoAlbum and the next version of KDevelop."
Comments (none posted)
NewsForge
looks forward to Thunderbird 2.0. "The tag system has three advantages over the old label system. First, you can define as many tags as you want (labels were limited to five). Second, you can apply as many tags as you want to each message (labels were limited to one per message). And third, tags are hot, new, and Web 2.0 buzzword-compliant (labels are not)."
Comments (none posted)
NewsForge
reviews
VMware Server 1.0. "VMware offers the VMware Server software as an
RPM or a tarball with the installer and necessary components -- no Debian
package at this time, unfortunately. I decided to go with the RPM install
on a dual Pentium III 1.0GHz server with 2GB of RAM, running CentOS
4.3. VMware Server should install on most x86 or AMD64 Linux distros. The
main prerequisites are GCC and the kernel headers for your system."
Comments (none posted)
Miscellaneous
Glyn Moody
examines some issues behind the dual-licensing of software projects,
in a Linux Journal article.
"A whole new generation of open source companies like MySQL, SugarCRM and JasperSoft have shown that such an approach can be highly successful, and this is encouraging others to adopt the same model. Scalix is the latest to join the club. Before this becomes established as the de facto standard for open source business in the dotcom 2.0 world, now might be a good time to examine whether it really is such a good thing for free software, or whether it might even represent a threat to its fundamental principles."
Comments (5 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The government of the Spanish region of Extremadura has made the decision to
move all of its systems over to free software and open formats within one
year. "The councillor explained that a version of gnuLinEx, adapted for the public
administration, will be established as the obligatory operating system
in workplaces of the civil servants of the Junta and that the OS will be
gradually introduced to all administrative organizations of the Junta de
Extremadura."
Full Story (comments: 2)
The
Linux Business Campus
Nuremberg has
announced
its existence. It is a sort of business incubator aimed at Linux and
open source businesses; there seem to be a number of early SUSE folks
(among others) involved. "Thirteen campus coaches currently offer advisory services ranging
from organizing high-ranking contacts with international software
companies, support for open source technology and business models, advice
on setting up a product or sales management system and development of
go-to-market strategies to growth financing support from the Business Angel
network and venture capital companies."
Comments (none posted)
There is a new
Proposal for an OpenDocument icon set.
"The idea is that each icon maker (desktop environments, applications, etc) will make their own icon set, suitable for their environment, but will include this image so that the user can recognize the document as an OpenDocument file.
Think of PDF. KDE and Gnome have different PDF icons, but both are recognizable as PDF be[c]ause of the red squiggle that is associated with PDF. Wouldn't it be nice to have something like that for OpenDocument? Having such an image would significantly improve awareness of the OpenDocument format."
(Thanks to Pete Harlow.)
Comments (none posted)
Software in the Public Interest has announced the appointment of
three new board members.
"Software in the Public Interest is pleased to announce that it has appointed
new Officers following the election of three new members to the board of
directors.
In a board meeting on 1st August, the board elected Bdale Garbee as
President, Michael Schultheiss as Vice President, Neil McGovern as Secretary
and Josh Berkus as Treasurer of the board."
Full Story (comments: none)
Commercial announcements
BitRock has announced availability of LAPPStack 1.0.
"BitRock LAPPStack 1.0 is an easy to install distribution of Apache, PHP,
PostgreSQL, Python, and supporting libraries. LAPPStack allows users to have
a complete web development environment up and running in just minutes."
Full Story (comments: none)
Wind River Systems, Inc. has
announced the selection of the Wind River Platform for
Networking Equipment - Linux Edition by Boeing, for use in the P-8A
Multi-mission Maritime Aircraft mission system.
"The P-8A is a long-range anti-submarine warfare, anti-surface warfare,
intelligence, surveillance, and reconnaissance aircraft. It possesses an
advanced mission system for maximum interoperability in battle space.
Capable of broad-area, maritime, and littoral operations, the P-8A is
expected to improve training, deployment, and operation of the U.S. Navy's
maritime patrol and reconnaissance forces."
Comments (none posted)
GDA Technologies, Inc. has
announced an embedded Linux reference platform for the
Freescale Semiconductor MPC8548E PowerQUICC processor.
"The MPC8548E-based AMC is designed with high-performance Gigabit
Ethernet interfaces and up to 8 lanes of PCI Express for embedded
applications in broadband telecommunications and data communications
networks. The board has four Gigabit Ethernet ports (two on the front panel
and two on the edge connector) along with a debug port on the front panel
and 8 PCI Express lanes on the AMC edge connector."
Comments (none posted)
South Korean Linux developer Haansoft has
joined Open Source Development Labs (OSDL). "The company's involvement
should help the spread of Linux in Asia, OSDL said. For example, Haansoft
is also a developer of Asianux 2.0, the second version of the Asianux Linux
distribution. Other companies behind Asianux are Red Flag Software
Co. Ltd., one of China's leading Linux developers, and Japan's Miracle
Linux Corp. Asianux 2.0 should be available in South Korea and China in
July and in Japan in October."
Comments (none posted)
ObjectWeb has announced the release of an Open-Source Enterprise Content Management and Repository Solution, the eXo Enterprise Content Management
and eXo Java Content Repository.
"ObjectWeb and eXo Platform SARL today announced the
availability of the first complete open-source content management and repository solutions that
allow users to create, manage and store documents from a customized, single point-of-access Web
portal."
Full Story (comments: none)
Wind River Systems, Inc. has
announced
the release of over 300,000 lines of code to the Eclipse Foundation.
"The contributions are being made to four Eclipse projects: the C/C++
Development Tools (CDT) Project, the Platform Project, and both the Target
Management (TM) and Device Debugging (DD) subprojects within the Device
Software Development Platform (DSDP) Project."
Wind River Systems, Inc. has
announced the availability of new commercial-grade Linux platforms.
"At its
foundation is a pristine, unmodified, stable version of the Linux 2.6.14
kernel. Available today, the Linux editions of the Wind River(R) General
Purpose Platform, Platform for Consumer Devices and Platform for Network
Equipment ship with the latest version of the company's Eclipse-based
device software development suite, Wind River(R) Workbench 2.5 and include
significant new enhancements to runtime performance and footprint size,
networking protocols, security, file systems and hardware architectures."
New Books
O'Reilly has published the book
Ruby Cookbook
by Lucas Carlson and Leonard Richardson.
No Starch Press has published the book
Ubuntu Linux for Non-Geeks
by Rickford Grant.
Contests and Awards
Astaro Corporation has won an award from SC Magazine.
"Astaro Corporation, developers of a Linux-based line of network
security appliances comprised of more than 300 open source projects and proprietary technology,
today announced that SC Magazine has honored the Astaro Security Gateway 425 with the SC Magazine
"Recommended" Award and an overall rating of 4 stars in the group test category of firewalls."
Education and Certification
The Linux Professional Institute has announced a round of
Ubuntu and MySQL certification exams, to be held at LinuxWorld
San Francisco on August 15-17, 2006.
Upcoming Events
The Fourth International Conference on GPLv3 will take place in
Bangalore, India on August 23 and 24, 2006.
"A part of the world-wide drive to create awareness
about the upcoming version three of the GNU General Public License (GPLv3),
the two-day conference is expected to draw delegates from across the
communities - legal, bureaucrat and academia."
The next Gelato Itanium Conference & Expo (ICE) will take place
in Singapore on October 1-4, 2006.
Linux Journal has an
announcement for
RubyConf*MI. "It's being held in Grand Rapids, Michigan on Aug
26th. It looks like a good conference, David Black will be speaking (the
word is he'll be presenting a day of training through Ruby Power and Light
ahead of the conference as well). I'm going to be speaking there too, along
with several local Ruby hackers. You can see the speaker list or register
for the conference at their website."
| Date | Event | Location |
|---|---|---|
| August 3, 2006 | Black Hat USA 2006 Briefings and Training | Caesars Palace, Las Vegas, NV |
| August 3, 2006 | SigGraph 2006 | Boston Convention and Exposition Center, Boston, MA |
| August 4 - 6, 2006 | DEF CON 14 | Riviera Hotel, Las Vegas, NV |
| August 4 - 6, 2006 | Wikimania | Harvard Law School, Cambridge, MA |
| August 4 - 6, 2006 | Vancouver Python Workshop | Vancouver, BC, Canada |
| August 8 - 10, 2006 | Flash Memory Summit | Wyndham Hotel, San Jose, CA |
| August 14 - 17, 2006 | LinuxWorld San Francisco 2006 | Moscone Center, San Francisco, CA |
| August 14 - 17, 2006 | ApacheCon Asia | Trans Asia Hotel, Colombo, Sri Lanka |
| August 17 - 18, 2006 | Python for Scientific Computing (SciPy2006) | Caltech, Pasadena, CA |
| August 18 - 19, 2006 | The Ubucon Conference | Google headquarters, Mountain View, CA |
| August 21 - 27, 2006 | Ireland PyPy sprint | University of Limerick, Limerick, Ireland |
| August 23 - 24, 2006 | Fourth International Conference on GPLv3 | Indian Institute of Management, Bangalore, India |
| August 26, 2006 | RubyConf*MI | Calvin College, Grand Rapids, MI |
| August 28 - 31, 2006 | Bellua Cyber Security Asia 2006 | Jakarta Convention Center, Jakarta, Indonesia |
| September 8, 2006 | Leipzig Python Workshop | Leipzig, Germany |
| September 9 - 10, 2006 | Linuxtage in Essen | University of Essen, Essen, Germany |
| September 11 - 13, 2006 | OpenOffice.org Conference (OOoConf 2006) | Lyon, France |
| September 12 - 15, 2006 | php\|works/db\|works 2006 | Toronto, Canada |
| September 13 - 15, 2006 | 2006 WebGUI Users Conference | The Vegas Club Hotel and Casino, Las Vegas, NV |
| September 14, 2006 | NLUUG najaarsconferentie 2006 | De Reehorst, Gelderland, The Netherlands |
| September 14 - 16, 2006 | Wizards of OS 4 - Information Freedom Rules | Berlin, Germany |
| September 18 - 21, 2006 | 2006 European Open Source Convention (EuroOSCON) | Brussels, Belgium |
| September 18 - 21, 2006 | New Security Paradigms Workshop (NSPW) | Schloss Dagstuhl, Germany |
| September 23 - 30, 2006 | KDE World Summit 2006 (aKademy) | Trinity College, Dublin, Ireland |
| September 25 - 28, 2006 | Embedded Systems Conference | Hynes Convention Center, Boston, MA |
Page editor: Forrest Cook
Letters to the editor
| From: | Micah Yoder <micah-AT-yoderdev.com> |
| To: | letters-AT-lwn.net |
| Subject: | "Foundational software" and Free Software |
| Date: | Sun, 30 Jul 2006 18:36:54 -0500 |
Hi,
I have become aware of some nonprofit organizations which are not only
rejecting Linux, but standardizing on the entire Microsoft stack -- Windows
Server, Exchange Server, Office, Outlook, SQL Server, etc -- all because of
one class of software: "Foundational software."
This software runs the entire database structure of the organization and has
special features for donor management and other things they need. One of
these products is Navigator by Serenic, which seems to be one of the more
popular, but there are others.
Obviously, something is very wrong here. Free Software is supposed to benefit
nonprofit organizations even more than businesses because, hypothetically,
they have less money for software.
I'll be the first to admit that I don't understand exactly what this software
does -- I have never set it up nor used it. But apparently it ties together
all the Microsoft servers and applications in a way that makes things easy
for these organizations.
My question, to which I would welcome answers in talkbacks, is do we have
members of the Free Software community who use and understand this software,
and what can be done about it?
I would not necessarily argue that said software *must* be Free Software, but
we do need to have a reasonable solution that ties together the similar Free
applications. If it itself is Free Software, fine.
One project that has shown some promise is GNU Enterprise
(http://www.gnuenterprise.org), but its progress seems slow right now.
In any case, a project to implement this class of software with Free tools
seems a necessary step to achieving World Domination.
Micah
Page editor: Jonathan Corbet