
LWN.net Weekly Edition for September 7, 2006

Security updates for embedded systems

The Avaya S8500 Media Server is a product which "allows for a distributed enterprise over an IP infrastructure in the mid-market space (up to 3200 ports)." Whatever that means. It fits in a 1U rack space; it also, as it happens, runs Linux - Red Hat Enterprise Linux, in particular. So, when Red Hat recently produced a security update for its kernel, Avaya sent out an advisory of its own. As it turns out, however, Avaya has classified this set of vulnerabilities as being of "low" concern, so, by the company's posted policy, there will be no software update coming anytime soon. Instead, the fixes will be packaged up with the next regular operating system update.

In the meantime, however, Avaya has a helpful suggestion:

For all system products which use vulnerable versions of the kernel, Avaya recommends that customers restrict local and network access to the server. This restriction should be enforced through the use of physical security, firewalls, ACLs, VPNs, and other generally-accepted networking practices until such time as an update becomes available and can be installed.

Restricting network access will certainly make a network server product more secure, but it might just interfere with the tasks said server was purchased to perform in the first place.

In a separate episode, your editor was recently wandering around on the net in search of a fix for some obnoxious behavior exhibited by his DSL router. As it turns out, this router runs Linux. One can telnet into it and wander around. It's always amusing to discover that one is running even more Linux systems than had been previously thought. This one is built upon a MontaVista distribution, and is running a 2.4.17 kernel.

As LWN readers may have noticed, there have been a few security issues discovered in the 2.4 kernel after 2.4.17 was released. Quite a few. The support services sold by MontaVista to its customers must certainly include security updates, but there does not appear to be any mechanism for getting those updates through to the end customers who will actually be running vulnerable software. That is true even in your editor's case, where the router was obtained directly from the local huge telecom company, which should have good records regarding the equipment at its customers' homes. Said large telecom company tends to be held in rather low esteem by its customers, but, even so, one might expect that it would make a minimal attempt to keep those customers (who are, in the end, connected to its network) secure.

The end result is that your editor's DSL router - a Linux system with all the power BusyBox can deliver - almost certainly contains known security holes. It has writable flash storage, and can run programs uploaded to it. This is a rather discouraging situation when one considers that, for many users, this router will be the front gate to their home or small business network. The potential for mass mayhem is real.

In both cases, we are seeing situations where Linux systems have been deployed into security-relevant roles, but the security update mechanism has not kept up with them. As Linux pushes its way into more low-end consumer-grade devices, this problem will multiply. Who thinks about applying security updates to their telephone? And which manufacturers of cheap consumer electronics will concern themselves with pushing security updates to their customers?

Linux systems can be quite secure, especially when they are pared down to a minimal set of functions. But one of the things that keeps Linux secure is the quick closing of known security holes, and the quick dissemination of those fixes to deployed Linux systems. Without that support structure in place, Linux systems (like all others) become vulnerable to holes discovered after they were built.

Embedded systems tend to lack that support structure. When the system is, say, a music player with no connection to the wider world, there is no particular cause for concern. Network-connected devices, however, are subject to attack. Fortunately, network-connected devices should also be able to detect and install security updates - though setting up such a mechanism in a way which does not create privacy concerns can be a challenge. It should be a solvable problem.

The use of Linux in embedded systems is a cool thing - especially if those systems are designed to allow improvements by their users. It is one more step toward World Domination. But that cause could be set back significantly by a single Linux-based router or cellphone worm. We do not yet know how to create systems which will remain secure indefinitely into the future. Until that problem is solved, we must maintain structures which can close vulnerabilities as they are discovered. Purveyors of embedded systems ignore that need at their peril.

Comments (31 posted)

Various notes, all about Python

Dave Jones's How user space sucks talk at OLS this year received quite a bit of attention. It is simultaneously discouraging and encouraging to know that so many of our applications behave as inefficiently as they do. Discouraging because we should be doing better than that; encouraging because there are obviously easy fixes to be made.

Jeff Waugh recently brought back memories of that talk with a weblog entry on how Python behaves. For the curious: start up an interactive Python interpreter, then examine it from another window with strace. That Python interpreter, seemingly doing nothing, is, in fact, busily waking up ten times per second so that it can do nothing in a more active way. The offending code (in the readline library) is easy to find; it wakes up every 100ms just in case somebody might have registered a hook to look for events outside of the input file descriptor. As it turns out, the Python GTK library does the same thing so that it can check for pending signals.

So a system running a number of Python GTK applications (and some systems have many) will be experiencing the load of each one of them doing nothing every 100ms. This sort of behavior uses CPU time needlessly and it keeps the processor from sleeping - thus draining laptop batteries more quickly. Not good behavior - and a bit of low-hanging fruit that, one hopes, will get fixed in the near future.

Meanwhile, the Python developers are working toward a major new release with the first Python 2.5 release candidate in testing for the last few weeks. For a full description of what's in Python 2.5, see A.M. Kuchling's excellent summary. New language features include conditional expressions (something like the "? :" notation used in C, but with a very different syntax), partial function application (forms of functions with some of the arguments supplied ahead of time), a number of exception handling improvements, a "with" statement intended to provide robust cleanup handling, and a number of performance improvements. There is also a long list of new modules and enhancements to existing modules.

The Python developers have long talked, often not entirely seriously, about "Python 3000," the upcoming major update to the language. While the Python language has evolved considerably over the 2.x series, it has done so in a compatible manner - older Python programs continue to run (though Python extensions written in other languages have tended to break). With Python 3000, the plan is that anything can happen, and there will be no guarantee (or even, perhaps, hope) that unmodified Python 2.x programs will work.

Python 3000 has been, as they say, Py in the sky for some time. But it looks like that situation might change before too long; some serious plans for the Python 3000 series have been laid down, and development may happen soon. Very soon, according to Python benevolent dictator for life Guido van Rossum:

We are now officially starting parallel development of 2.6 and 3.0. I really don't expect that we'll be able to merge the easily into the 3.0 branch much longer, so effectively 3.0 will be a fork of 2.5.

He goes on to suggest that much of the work for Python 2.6 may be oriented toward helping programs (and programmers) make the jump to the eventual 3000 release. So Python 2.6 may not contain a whole lot of new features, but it could have a bunch of new warnings for things that will break in the future - and fixes to the standard modules to avoid those warnings.

The first alpha Python 3000 release is expected sometime next year; it could be a year or so after that before the stable release (to be Python 3.0) is ready. Current plans are to continue to develop and support 2.x for some time - well into the 3.x series.

What will be in Python 3000, i.e. Python 3.0? Python Enhancement Proposal 3100 has the details, as they are understood at the moment. These include the removal of old-style classes, various expression syntax changes, a new set syntax, use of Unicode throughout (but no non-ASCII characters used in the language itself), and much more.

Python hackers who are concerned about changes to the language might want to take a look at PEP 3099, a document listing the things that will not change. These include no implicit self, no programmable syntax, no overly complex parser, and so on. There will be no braces added in Python 3.0, preserving the grouping by indentation that is such a strong characteristic of the language; for some amusement, fire up Python and type:

    from __future__ import braces

In the end, for all its changes, the Python language will still be very much true to its original goals: a straightforward language with one clear way to carry out most tasks. Python 3.0 will also be developed in an evolutionary manner - no massive rewrite or multi-year series of pronouncements from the language designer. As a result, Python 3.0 should, despite its rather late start, be in use well before Perl 6.

Finally, for a different and interesting project, PyPy is worth a look. These developers are writing an entirely new Python interpreter - in Python. There are a lot of goals driving this work, one of which is the ability to compile the interpreter into a runtime system which is highly targeted for its intended purpose. Different builds can use different memory management algorithms, for example. The developers believe that they will eventually be able to build Python systems which run faster than the current C interpreter - though, at this point, they are running about three times slower. It is an active project, however, which is making rapid progress; expect interesting things from that direction.

Comments (21 posted)

Eclipse signs up Black Duck

Black Duck Software was profiled on LWN by Pamela Jones just over one year ago. This company sells a product which enables companies to verify the sources of software in products that they ship; in particular, it seems oriented toward helping proprietary software vendors avoid unwitting violation of licenses like the GPL. This product includes "code prints" of thousands of free software releases; these prints can be compared against a program to determine if any of that program's code came from one of those projects. It seems like a product which could bring some peace of mind to company managers who worry about whether their programmers might be using free code in projects which are not intended for free release.

Whether the database of code prints (much of which is obtained through a "special relationship" with SourceForge) constitutes a derived product from the free software code it is "compiled" from is an interesting question - but one for a different article.

Today's topic involves this Black Duck press release stating that the Eclipse project has purchased Black Duck's "protexIP" product to verify licenses in the Eclipse code base. From the PR:

"Companies worldwide are capitalizing on applications developed by the Eclipse community, and many software vendors sell products that are dependent on Eclipse," said Mike Milinkovich, executive director of Eclipse Foundation. "For that reason, it is absolutely vital for us to analyze our code before we release it to our community."

At first blush, it might seem a little strange that a free software project would purchase a proprietary tool to help ensure that no free code is incorporated by mistake. There are, however, a couple of reasons why Eclipse might want to take this step:

  • Eclipse is distributed under the Eclipse Public License. It is a free license, with copyleft-type requirements, but it is not a GPL-compatible license. So the incorporation of any GPL-licensed code into Eclipse would be a bad idea.

  • Black Duck has been expanding its database with thousands of "code prints" claimed from proprietary programs. Thus, the product should be able to detect attempts to use proprietary code in cases where that code has been fingerprinted by Black Duck.

So, if there are people within Eclipse who are worried about those types of code contamination, perhaps using Black Duck's products will help them to sleep a bit better at night.

One wonders, however, about what sort of commercial pressures might have pushed Eclipse to make this decision. While Black Duck would, beyond doubt, like to see this adoption as the beginning of a trend in the free software world, some of us may feel a little differently. It would be a sad day if we came to the point that free software projects had to buy this sort of service to be taken seriously in the commercial world. Releasing software is a remarkably easy process - at least, for those of us who are not under the control of large corporate legal departments. Loading up the process with expensive validation bureaucracy in the name of license compliance seems like a step in the wrong direction.

Comments (3 posted)

Page editor: Jonathan Corbet

Security

AJAX and security

September 6, 2006

This article was contributed by Jake Edge.

Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Unfortunately, AJAX also provides a number of serious security issues that should be considered and, at least partly because the technique is relatively new, many of the tutorials and other documentation completely disregard the security implications. Developing secure code rarely gets the attention it deserves and new technologies are typically slow to develop 'best practices' and to disseminate that information throughout their community. This can only lead to exploits in the future.

Traditional web applications are synchronous in nature: a user clicks a button or link which sends a request to the server; the server replies with a page of HTML and the browser displays the new page. AJAX applications do some amount of work in the background, making requests of the server, sometimes without explicit user input. These applications do not refresh the entire page as they receive replies from the server; they only modify parts of the page or their internal state, which gives users a much smoother, less page-oriented experience.

One of the best known examples of an AJAX application is Google Maps. While the user is viewing a particular section of the map, the client requests other sections of the map that are not yet visible and this allows the user to seamlessly scroll the map to view off-screen sections. Auto-completion for text fields, automatically updating form elements and form submission without a page refresh are other common uses for AJAX in these 'Web 2.0' applications.

In order to handle the asynchronous server requests, AJAX programs use the Javascript XMLHttpRequest (XHR) object. The name of this object is really where the X in AJAX comes from, as XML is not necessarily used in the XHR request or response. A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Various queries and requests that were once handled internally on the server are now exposed as a de facto API for AJAX applications. This drastically increases the attack surface of these programs because there are so many additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. It is difficult to see how adding additional ways to get user input into the application is going to help this problem.

SQL injection and Cross-site scripting (XSS) are two attacks that can be made against an application that does not filter user input correctly. AJAX techniques allow for additional ways to exploit these vectors in the background, undetectable by the user. The Myspace samy worm (more technical description here) is an example of the kinds of things that can be done. At the recent Black Hat Briefings, there was a session describing a port sniffer written in Javascript that could potentially discover internal network details behind a firewall and report them to a malicious site.

The requirement that XHR objects refer only to URLs on the same server is an excellent security choice. Unfortunately, it is probably the single biggest complaint that web designers have about AJAX. Because they often want to display information from various sources on the same page, the restriction is considered to be 'too strict' and to get around it, AJAX bridges came about.

An AJAX bridge proxies requests to other servers, returning the remote server's response. This allows XHR objects to refer to URLs on the server that returned the page, but still retrieve content from other servers elsewhere in the web. Unfortunately, this can lead to various abuses. Depending on how it is written, the bridge can provide a means to attack the third party site via SQL injection or XSS and allow the malicious user to hide behind a level of indirection. Various monitoring tools could detect the attack and shut down access for the aggregating site, effectively causing a denial of service attack. By proxying requests, a site is implicitly trusting its users not to abuse the APIs of third parties.
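The destination policy a bridge should enforce before it forwards anything, as an added JavaScript example (not code from the article or from any particular bridge): an allowlist of third-party origins and path prefixes, a per-client request budget, and an audit record of what was refused. It assumes Node.js's WHATWG URL class; the hosts api.example.net and maps.example.org, the path prefixes and the limits are constructed values.

```javascript
'use strict';
// Added example, not code from the article: the destination policy an AJAX
// bridge applies before forwarding a browser-supplied URL to a third party.
// The hosts, path prefixes and limits below are constructed values.

// Origins the bridge may proxy to, and the path prefixes reachable on each.
// A prefix ending in '/' matches everything beneath it; any other prefix
// matches that exact path or its sub-paths ('/weather' but not '/weatherx').
const ALLOWED_TARGETS = {
  'https://api.example.net': ['/weather', '/geocode'],
  'https://maps.example.org': ['/tiles/'],
};

// Per-client budget of forwarded requests: MAX_REQUESTS per WINDOW_MS.
const MAX_REQUESTS = 30;
const WINDOW_MS = 60 * 1000;
const clientHistory = new Map(); // clientId -> timestamps of forwarded requests

// Refused requests are recorded so that abuse of a third party through the
// bridge shows up in the bridge's own logs, not only in the third party's.
const auditLog = [];

function pathAllowed(path, prefixes) {
  return prefixes.some((p) =>
    p.endsWith('/') ? path.startsWith(p) : path === p || path.startsWith(p + '/'));
}

// Validate a target URL taken from the browser's request. Returns
// { ok: true, url } with a rebuilt outgoing URL, or { ok: false, reason }.
function resolveBridgeTarget(rawTarget) {
  let url;
  try {
    url = new URL(rawTarget);
  } catch (e) {
    return { ok: false, reason: 'unparseable target' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const prefixes = ALLOWED_TARGETS[url.origin];
  if (!prefixes) return { ok: false, reason: 'origin not allowed' };
  // URL parsing has already resolved '.' and '..' segments (including their
  // percent-encoded forms), so the prefix check sees the normalised path.
  if (!pathAllowed(url.pathname, prefixes)) return { ok: false, reason: 'path not allowed' };
  // Rebuild the outgoing URL from vetted parts only: origin, path and query.
  // The fragment never reaches the third party; userinfo was rejected above.
  const outgoing = new URL(url.pathname + url.search, url.origin);
  return { ok: true, url: outgoing.href };
}

// Sliding-window rate limit; `now` is injectable so the logic can be tested.
function checkRateLimit(clientId, now = Date.now()) {
  const recent = (clientHistory.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  const allowed = recent.length < MAX_REQUESTS;
  if (allowed) recent.push(now);
  clientHistory.set(clientId, recent);
  return allowed;
}

// Entry point the bridge's request handler calls before proxying.
function bridgeRequest(clientId, rawTarget, now = Date.now()) {
  const result = checkRateLimit(clientId, now)
    ? resolveBridgeTarget(rawTarget)
    : { ok: false, reason: 'rate limited' };
  if (!result.ok) auditLog.push({ clientId, rawTarget, reason: result.reason, at: now });
  return result;
}

// Constructed sample of targets a page might ask the bridge to fetch.
const samples = [
  'https://api.example.net/weather?city=Boulder',
  'https://api.example.net/weather/../admin',
  'https://evil.example/weather',
  'http://api.example.net/weather',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(bridgeRequest('demo', s)));
}
```

Only the first sample is forwarded; the others are refused and land in auditLog with the reason, which is what a monitoring tool on the bridge side needs in order to cut off an abusive client before the third party does it for the whole site.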

Many of these attacks are not new, nor do they require AJAX to function, but by incorporating AJAX techniques into web applications, they are made easier. At one time, it was considered reasonable to turn off Javascript for many or all sites, but with the prevalence of Web 2.0 applications, this just is not possible for most web users. Web application developers need to be vigilant in rooting out the bugs that allow these attacks to succeed.

Comments (9 posted)

New vulnerabilities

capi4hylafax: missing input sanitizing

Package(s): capi4hylafax    CVE #(s): CVE-2006-3126
Created: September 1, 2006    Updated: October 18, 2006
Description: Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system.
Alerts:
Gentoo 200610-05 2006-10-17
Debian DSA-1165-1 2006-09-01

Comments (none posted)

cheesetracker: buffer overflow

Package(s): cheesetracker    CVE #(s): CVE-2006-3814
Created: September 4, 2006    Updated: October 27, 2006
Description: Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code.
Alerts:
Gentoo 200610-13 2006-10-26
Debian DSA-1166-2 2006-10-13
Debian DSA-1166-1 2006-09-03

Comments (1 posted)

gcc: file overwrite vulnerability

Package(s): gcc    CVE #(s): CVE-2006-3619
Created: September 6, 2006    Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

ImageMagick: buffer overflows

Package(s): imagemagick    CVE #(s): CVE-2006-3743 CVE-2006-3744
Created: September 6, 2006    Updated: September 26, 2006
Description: The latest set of buffer overflow vulnerabilities in ImageMagick can be found in the Sun Raster and XCF decoders.
Alerts:
Gentoo 200609-14 2006-09-26
SuSE SUSE-SA:2006:050 2006-09-08
Ubuntu USN-340-1 2006-09-06

Comments (2 posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created: September 1, 2006    Updated: July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, could cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

MySQL: denial of service

Package(s): mysql    CVE #(s): CVE-2006-4380 CVE-2006-4389
Created: September 1, 2006    Updated: September 6, 2006
Description: MySQL before 4.1.13 allows local users to cause a denial of service (persistent replication slave crash) via a query with multiupdate and subselects. (CVE-2006-4380)

There is a bug in the MySQL-Max (and MySQL) init script where the script was not waiting for the mysqld daemon to fully stop. This impacted the restart behavior during updates, as well as scripted setups that temporarily stopped the server to back up the database files.

Alerts:
Debian DSA-1169-1 2006-09-05
Mandriva MDKSA-2006:158 2006-08-31

Comments (none posted)

openssl: insufficient signature checking

Package(s): openssl    CVE #(s): CVE-2006-4339
Created: September 5, 2006    Updated: November 15, 2006
Description: Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.
Alerts:
Mandriva MDKSA-2006:207 2006-11-14
Slackware SSA:2006-310-01 2006-11-07
OpenPKG OpenPKG-SA-2006.029 2006-11-06
SuSE SUSE-SA:2006:061 2006-10-19
Slackware SSA:2006-257-02 2006-09-15
Gentoo 200609-05:02 2006-09-07
Debian DSA-1174-1 2006-09-11
Debian DSA-1173-1 2006-09-10
Red Hat RHSA-2006:0661-01 2006-09-06
Gentoo 200609-05 2006-09-07
Mandriva MDKSA-2006:161 2006-09-06
rPath rPSA-2006-0163-1 2006-09-05
OpenPKG OpenPKG-SA-2006.018 2006-09-06
Fedora FEDORA-2006-953 2006-09-05
Ubuntu USN-339-1 2006-09-05

Comments (none posted)

openttd: denial of service

Package(s): openttd    CVE #(s): CVE-2006-1998 CVE-2006-1999
Created: September 6, 2006    Updated: September 6, 2006
Description: A flaw in the openttd error handling code leaves the system vulnerable to a remote denial of service attack. Version 0.4.8 fixes the problem.
Alerts:
Gentoo 200609-03 2006-09-06

Comments (none posted)

sendmail: denial of service

Package(s): sendmail    CVE #(s): CVE-2006-4434
Created: August 31, 2006    Updated: September 6, 2006
Description: The sendmail mail transfer agent has a programming error. A remote attacker can send specially crafted email messages with extra long header lines to sendmail. The sendmail process will crash, leading to a denial of service.
Alerts:
SuSE SUSE-SR:2006:021 2006-09-01
Mandriva MDKSA-2006:156 2006-08-30
Debian DSA-1164-1 2006-08-31

Comments (none posted)

Updated vulnerabilities

AlsaPlayer: multiple buffer overflows

Package(s): alsaplayer    CVE #(s): CVE-2006-4089
Created: August 28, 2006    Updated: September 19, 2006
Description: AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer.
Alerts:
Debian DSA-1179-1 2006-09-19
Gentoo 200608-24 2006-08-26

Comments (none posted)

apache: cross-site scripting

Package(s): apache    CVE #(s): CVE-2006-3918
Created: August 9, 2006    Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

audacious: buffer overflow

Package(s): audacious    CVE #(s): CVE-2006-3581 CVE-2006-3582
Created: August 2, 2006    Updated: September 13, 2006
Description: Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file.
Alerts:
Gentoo 200609-06 2006-09-12
Gentoo 200607-13 2006-07-29

Comments (none posted)

binutils: buffer overflow

Package(s): binutils    CVE #(s): CVE-2005-4807
Created: August 17, 2006    Updated: October 19, 2006
Description: The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user.
Alerts:
Ubuntu USN-366-1 2006-10-18
Ubuntu USN-336-1 2006-08-16

Comments (3 posted)

busybox: insecure password generation

Package(s): busybox    CVE #(s): CVE-2006-1058
Created: May 5, 2006    Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s): bzip2    CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005    Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s): cpio    CVE #(s): CVE-2005-4268
Created: January 2, 2006    Updated: March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s): cron    CVE #(s): CVE-2006-2607
Created: May 31, 2006    Updated: June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s): cscope    CVE #(s): CVE-2004-2541
Created: May 22, 2006    Updated: June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s): cyrus-sasl    CVE #(s): CVE-2006-1721
Created: April 21, 2006    Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s): firefox seamonkey thunderbird    CVE #(s): CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812
Created: July 27, 2006    Updated: September 15, 2006
Description: This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
Alerts:
Debian DSA-1160-2 2006-09-15
Debian DSA-1161-2 2006-09-13
Debian DSA-1159-2 2006-09-08
Debian DSA-1161-1 2006-08-29
Debian DSA-1160-1 2006-08-29
Red Hat RHSA-2006:0594-02 2006-08-28
Debian DSA-1159-1 2006-08-28
Mandriva MDKSA-2006:146 2006-08-21
Mandriva MDKSA-2006:145 2006-08-21
Mandriva MDKSA-2006:143-1 2006-08-17
Mandriva MDKSA-2006:143 2006-08-16
SuSE SUSE-SA:2006:048 2006-08-16
Fedora FEDORA-2006-902 2006-08-09
Fedora FEDORA-2006-903 2006-08-09
Gentoo 200608-04 2006-08-03
Gentoo 200608-03 2006-08-03
Gentoo 200608-02 2006-08-03
Red Hat RHSA-2006:0609-01 2006-08-02
Ubuntu USN-327-2 2006-08-01
Ubuntu USN-329-1 2006-07-28
Red Hat RHSA-2006:0611-01 2006-07-28
Red Hat RHSA-2006:0610-01 2006-07-28
Slackware SSA:2006-208-01 2006-07-28
rPath rPSA-2006-0138-1 2006-07-27
Red Hat RHSA-2006:0608-01 2006-07-27
Ubuntu USN-327-1 2006-07-27
rPath rPSA-2006-0137-1 2006-07-26

Comments (none posted)

freeradius: several vulnerabilities

Package(s): freeradius    CVE #(s): CVE-2005-4745 CVE-2005-4746
Created: August 8, 2006    Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names triggers the bug, which could be exploited to execute arbitrary code with the privileges of the user running gedit.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gtetrinet: buffer overflows

Package(s):gtetrinet CVE #(s):CVE-2006-3125
Created:August 30, 2006 Updated:September 6, 2006
Description: A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
Alerts:
Gentoo 200609-02 2006-09-06
Debian DSA-1163-1 2006-08-30

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously crafted, unexpanded glob pattern is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

lesstif: libXm library privilege escalation

Package(s):lesstif CVE #(s):CVE-2006-4124
Created:August 29, 2006 Updated:August 30, 2006
Description: The libXm library in LessTif 0.95.0 and earlier allows local users to gain privileges via the DEBUG_FILE environment variable, which is used to create world-writable files when libXm is run from a setuid program.
Alerts:
Mandriva MDKSA-2006:154 2006-08-28

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. The bug cannot be exploited on the x86 architecture, but on others (SPARC, for example) the unaligned access leads to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libmusicbrainz: buffer overflows

Package(s):libmusicbrainz-2.0 CVE #(s):CVE-2006-4197
Created:August 30, 2006 Updated:October 23, 2006
Description: Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
Gentoo 200610-09 2006-10-22
Ubuntu USN-363-1 2006-10-11
Mandriva MDKSA-2006:157-1 2006-09-28
rPath rPSA-2006-0161-1 2006-08-30
Mandriva MDKSA-2006:157 2006-08-30
Debian DSA-1162-1 2006-08-30

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflows

Package(s):libtiff CVE #(s):CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465
Created:August 2, 2006 Updated:September 5, 2006
Description: An audit of the libtiff library (done by Tavis Ormandy at Google) turned up several buffer overflow vulnerabilities.
Alerts:
Red Hat RHSA-2006:0648-01 2006-08-28
Slackware SSA:2006-230-01 2006-08-18
Gentoo 200608-07 2006-08-04
Ubuntu USN-330-1 2006-08-02
Red Hat RHSA-2006:0603-01 2006-08-02
Debian DSA-1137-1 2006-08-02
rPath rPSA-2006-0142-1 2006-08-01
Mandriva MDKSA-2006:136 2006-08-01
Mandriva MDKSA-2006:137 2006-08-01
Fedora FEDORA-2006-877 2006-08-02
Fedora FEDORA-2006-878 2006-08-02

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate the security type chosen by the client, effectively letting the client decide which one is used, such as "Type 1 - None". LibVNCServer will accept this security type even if the server never offered it.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
OpenPKG OpenPKG-SA-2006.031 2006-11-06
Debian DSA-1194-1 2006-10-09
Gentoo 200608-17 2006-08-10
Ubuntu USN-333-1 2006-08-09
Mandriva MDKSA-2006:132 2006-07-28
Fedora FEDORA-2006-831 2006-07-18
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-804 2006-07-12

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mutt: IMAP namespace buffer overflow

Package(s):mutt CVE #(s):CVE-2006-3242
Created:June 28, 2006 Updated:October 24, 2006
Description: TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information.
Alerts:
Fedora FEDORA-2006-1061 2006-10-24
Slackware SSA:2006-207-01 2006-07-27
OpenPKG OpenPKG-SA-2006.013 2006-07-15
SuSE SUSE-SR:2006:016 2006-07-14
Red Hat RHSA-2006:0577-01 2006-07-12
Debian DSA-1108-1 2006-07-11
Fedora FEDORA-2006-761 2006-06-29
Fedora FEDORA-2006-760 2006-06-29
Trustix TSLSA-2006-0038 2006-06-30
rPath rPSA-2006-0116-1 2006-06-29
Mandriva MDKSA-2006:115 2006-06-28
Gentoo 200606-27 2006-06-28
Ubuntu USN-307-1 2006-06-28

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:February 21, 2012
Description: The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Mandriva MDVSA-2012:129-1 2012-08-10
Mandriva MDVSA-2012:129 2012-08-10
Mageia MGASA-2012-0171 2012-07-19
Scientific Linux SL-busy-20120709 2012-07-09
Red Hat RHSA-2012:0810-04 2012-06-20
Scientific Linux SL-busy-20120321 2012-03-21
Red Hat RHSA-2012:0308-03 2012-02-21
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Debian DSA-1149-1 2006-08-10
Mandriva MDKSA-2006:140 2006-08-09

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CVE-2006-4020
Created:August 22, 2006 Updated:September 21, 2006
Description: A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read.
Alerts:
Red Hat RHSA-2006:0682-01 2006-09-21
Ubuntu USN-342-1 2006-09-07
Gentoo 200608-28 2006-08-29
Mandriva MDKSA-2006:144 2006-08-21

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
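The following C program is an added example illustrating why the backslash technique mentioned above is unsafe; it is not code from PostgreSQL or from LWN. It models a GBK-style double-byte encoding (lead byte 0x81-0xFE, trail byte 0x40-0xFE except 0x7F, so that 0x5C, the backslash, is a legal trail byte), escapes a constructed attacker string the old way, and then walks the result the way an encoding-aware lexer would. The function names and the sample inputs are ours.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GBK byte classes. 0x5C ('\\') being a valid trail byte is the whole problem. */
static int gbk_is_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int gbk_is_trail(unsigned char c) { return c >= 0x40 && c <= 0xFE && c != 0x7F; }

/* Returns 1 if buf[0..n) is well-formed GBK, 0 otherwise.  A client or
 * server that validates input up front rejects the attack before any
 * escaping is attempted; that is what the "invalid multi-byte" fix does. */
int gbk_valid(const unsigned char *buf, size_t n)
{
    size_t i = 0;
    while (i < n) {
        if (buf[i] < 0x80) { i++; continue; }
        if (!gbk_is_lead(buf[i]) || i + 1 >= n || !gbk_is_trail(buf[i + 1]))
            return 0;
        i += 2;
    }
    return 1;
}

/* The old, unsafe technique: put a backslash before every ' and \.
 * It is byte oriented and knows nothing about the encoding.
 * Returns the number of bytes written (NUL not counted) or -1 if out is too small. */
int escape_with_backslash(const unsigned char *in, size_t n,
                          unsigned char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = in[i];
    }
    out[o] = '\0';
    return (int)o;
}

/* What a GBK-aware SQL lexer sees: count single quotes that are NOT escaped
 * and would therefore terminate the string literal.  Returns -1 if the
 * bytes are not valid GBK. */
int gbk_terminating_quotes(const unsigned char *buf, size_t n)
{
    int quotes = 0;
    size_t i = 0;
    while (i < n) {
        unsigned char c = buf[i];
        if (c >= 0x80) {
            /* a lead byte swallows the following byte, even a backslash */
            if (!gbk_is_lead(c) || i + 1 >= n || !gbk_is_trail(buf[i + 1]))
                return -1;
            i += 2;
        } else if (c == '\\') {
            i += 2;                  /* backslash escapes the next byte */
        } else {
            if (c == '\'') quotes++;
            i++;
        }
    }
    return quotes;
}

/* End to end: escape `in` the old way and report how many literal-ending
 * quotes survive.  Anything other than 0 means the literal can be broken out of. */
int quotes_left_after_naive_escape(const unsigned char *in, size_t n)
{
    unsigned char out[256];
    int len = escape_with_backslash(in, n, out, sizeof out);
    if (len < 0) return -1;
    return gbk_terminating_quotes(out, (size_t)len);
}

/* Constructed sample inputs (ours, not from the advisory). */
const unsigned char SAMPLE_ATTACK[] = { 0x97, '\'', ' ', 'O', 'R', ' ', '1', '=', '1', ' ', '-', '-' };
const size_t SAMPLE_ATTACK_LEN = sizeof SAMPLE_ATTACK;
const unsigned char SAMPLE_OK[] = { 0x97, 0x40, '\'' };   /* a complete GBK char, then a quote */
const size_t SAMPLE_OK_LEN = sizeof SAMPLE_OK;

int main(void)
{
    printf("attack valid GBK? %d, quotes left after naive escape: %d\n",
           gbk_valid(SAMPLE_ATTACK, SAMPLE_ATTACK_LEN),
           quotes_left_after_naive_escape(SAMPLE_ATTACK, SAMPLE_ATTACK_LEN));
    printf("benign valid GBK? %d, quotes left after naive escape: %d\n",
           gbk_valid(SAMPLE_OK, SAMPLE_OK_LEN),
           quotes_left_after_naive_escape(SAMPLE_OK, SAMPLE_OK_LEN));
    return 0;
}
```

The lone lead byte 0x97 in the attack string is not a valid character on its own, but the byte-oriented escaper happily puts a backslash after it; the server then reads 0x97 0x5C as one character and the quote that follows is live again. Validating the encoding first (gbk_valid) rejects the input outright, and doubling quotes instead of backslashing them avoids introducing a 0x5C byte at all.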
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Debian DSA-856-1 2005-10-10
Gentoo 200509-09:02 2005-09-17
Gentoo 200509-09 2005-09-17

Comments (none posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

sendmail: denial of service

Package(s):sendmail CVE #(s):CVE-2006-1173
Created:June 15, 2006 Updated:November 1, 2006
Description: Sendmail has a vulnerability in the way it handles multi-part MIME messages. A remote attacker can create a specially crafted email message that can be used to crash the sendmail process, causing a denial of service.
Alerts:
Fedora-Legacy FLSA:195418 2006-10-29
Debian DSA-1155-2 2006-08-24
Debian DSA-1155-1 2006-08-24
rPath rPSA-2006-0134-1 2006-07-21
Fedora FEDORA-2006-837 2006-07-18
Fedora FEDORA-2006-836 2006-07-18
Gentoo 200606-19 2006-06-15
SuSE SUSE-SA:2006:032 2006-06-14
Slackware SSA:2006-166-01 2006-06-15
Red Hat RHSA-2006:0515-01 2006-06-14
Mandriva MDKSA-2006:104 2006-06-14

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the mode passed to open() is uninitialized, so the file's permissions are whatever garbage happened to be on the stack; the file can potentially be read or written in the window before fchmod() is called.
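This entry and the kdelibs/Kate backup-file entry above are two faces of the same mistake: a file exists, for a moment or permanently, with wider permissions than intended. The C program below is an added example, not code from shadow-utils, KDE or LWN, showing the pattern that avoids both: the intended mode is handed to open() itself, O_EXCL refuses to reuse a file somebody else planted, and a backup copy inherits the original's permission bits. The function names are ours and the paths are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create `path` so that it never exists with permissions wider than `mode`.
 * The mode goes to open() itself, so the kernel applies it atomically at
 * creation; umask can only clear bits, so until the fchmod() below the file
 * is at worst narrower than requested, never wider.  O_EXCL makes creation
 * fail instead of following a symlink or reusing an attacker-planted file.
 * Returns the open descriptor or -1 (errno set).
 */
int create_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {        /* restore any bits umask removed */
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Write a backup copy of `src` carrying the original's permission bits
 * (the behaviour Kate lacked).  set-id and sticky bits are deliberately not
 * propagated to the copy.  Returns 0 on success, -1 on error. */
int backup_preserving_mode(const char *src, const char *dst)
{
    struct stat st;
    char buf[4096];
    ssize_t n;
    int in, out;

    if (stat(src, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if ((out = create_with_mode(dst, st.st_mode & 0777)) < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {               /* handle short writes */
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    close(in);
    close(out);
    return n < 0 ? -1 : 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    char dir[] = "/tmp/lwn-perm-XXXXXX", src[64], dst[64];
    int fd;

    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }
    snprintf(src, sizeof src, "%s/mbox", dir);
    snprintf(dst, sizeof dst, "%s/mbox~", dir);
    fd = create_with_mode(src, 0600);
    if (fd < 0 || close(fd) != 0 || backup_preserving_mode(src, dst) != 0) {
        perror("create/backup");
        return 1;
    }
    printf("%s: %04o  %s: %04o\n", src, file_mode(src), dst, file_mode(dst));
    unlink(src); unlink(dst); rmdir(dir);
    return 0;
}
```

The useradd bug is the open() line with the mode argument missing; the Kate bug is the equivalent of calling create_with_mode() with a constant default mode instead of st.st_mode. Note that the fchmod() is there only to undo the umask; it is never the thing that narrows the permissions.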
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

squirrelmail: insecure permissions

Package(s):squirrelmail CVE #(s):CVE-2006-4019
Created:August 14, 2006 Updated:September 26, 2006
Description: Squirrelmail contains a vulnerability that allows authenticated users to read and write other users' preferences and attachments.
Alerts:
Red Hat RHSA-2006:0668-01 2006-09-26
Mandriva MDKSA-2006:147 2006-08-22
Debian DSA-1154-1 2006-08-20
Fedora FEDORA-2006-913 2006-08-15
rPath rPSA-2006-0152-1 2006-08-11

Comments (none posted)

streamripper: buffer overflow

Package(s):streamripper CVE #(s):CVE-2006-3124
Created:August 28, 2006 Updated:September 6, 2006
Description: Ulf Harnhammer from the Debian Security Audit Project discovered that streamripper, a utility to record online radio-streams, performs insufficient sanitizing of data received from the streaming server, which might lead to buffer overflows and the execution of arbitrary code.
Alerts:
Gentoo 200609-01 2006-09-06
Debian DSA-1158-1 2006-08-25

Comments (none posted)

sudo: vulnerability via scripts

Package(s):sudo CVE #(s):CAN-2005-4158 CVE-2006-0151
Created:December 16, 2005 Updated:September 1, 2006
Description: Sudo did not remove Perl and Python environment variables (PERLLIB, PERL5LIB, PERL5OPT, PYTHONPATH, PYTHONINSPECT and friends) from the environment of the commands it runs, so Perl and Python scripts run via sudo could be made to load attacker-controlled code.
Alerts:
Mandriva MDKSA-2006:159 2006-08-31
Debian DSA-946-2 2006-04-08
Slackware SSA:2006-045-08 2006-02-15
SuSE SUSE-SR:2006:002 2006-01-20
Debian DSA-946-1 2006-01-20
Ubuntu USN-235-2 2006-01-09
Ubuntu USN-235-1 2006-01-05
Mandriva MDKSA-2005:234 2005-12-20
Fedora FEDORA-2005-1147 2005-12-16

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

wireshark: several vulnerabilities

Package(s):wireshark CVE #(s):CVE-2006-4330 CVE-2006-4331 CVE-2006-4332 CVE-2006-4333
Created:August 25, 2006 Updated:November 2, 2006
Description: There are multiple problems in Wireshark, versions 0.7.9 to 0.99.2.
Alerts:
Red Hat RHSA-2006:0658-01 2006-09-12
Debian DSA-1171-1 2006-09-07
Gentoo 200608-26 2006-08-29
Fedora FEDORA-2006-936 2006-08-25
Mandriva MDKSA-2006:152 2006-08-25
rPath rPSA-2006-0158-1 2006-08-25

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-2802
Created:June 9, 2006 Updated:September 29, 2006
Description: Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking a user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2006:176 2006-09-28
Mandriva MDKSA-2006:175 2006-09-28
Mandriva MDKSA-2006:174 2006-09-28
Mandriva MDKSA-2006:173 2006-09-28
Gentoo 200609-08 2006-09-13
Slackware SSA:2006-207-04 2006-07-27
Debian DSA-1105-1 2006-07-07
Mandriva MDKSA-2006:108 2006-06-20
Ubuntu USN-295-1 2006-06-09

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

X.org: local privilege escalations

Package(s):xorg-x11 CVE #(s):CVE-2006-4447
Created:August 28, 2006 Updated:April 30, 2007
Description: Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 2007-04-27
Mandriva MDKSA-2006:160 2006-08-31
Gentoo 200608-25 2006-08-28

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.18-rc6, released by Linus on September 3. It is possibly the final prepatch before the 2.6.18 final release. There are a lot of fixes; one of those is the removal of much of the SMP alternatives work, which was causing build problems with some compilers. See the long-format changelog for the details.

A handful of additional fixes have gone into the mainline git repository since the -rc6 release.

The current -mm tree is 2.6.18-rc5-mm1. Recent changes to -mm include some enhancements to the no-MMU architecture support, a number of NFS server improvements, a steady trickle of reiser4 fixes, and a set of patches allowing a kernel to be built with no block device support (though those don't quite work yet).

On the 2.4 front, Willy Tarreau has released 2.4.33.3 with a small set of important fixes, and 2.4.34-pre2 with a larger set of fixes. The current plan is that the gcc 4.x support discussed here a couple of weeks ago will be merged into 2.4.34-pre3.

Other notes: a number of developers have been having difficulties posting patches to lists hosted on vger.kernel.org recently. The list maintainers have begun using bogofilter in an attempt to cut down on the amount of spam getting through to the list - and, presumably, to reduce the amount of time they put into manually maintaining filter patterns. To date, bogofilter appears to believe that quite a few patches are spam. On the other hand, a substantial amount of distinctly non-technical mail involving nontraditional approaches to family quality time and members of the animal kingdom has been sailing through without a hitch. One can only assume that the training process will eventually iron out these little problems.

Comments (none posted)

Kernel development news

Quote of the week

"Tiedostoa tai hakemistoa ei ole" just means "No such file or directory".

EVERYBODY knows that.

It's not like there's even a single ä or ö in the whole sentence, so you can't even blame the strange letters (and that's unusual, since in Finnish, usually every other letter is 'ä' if only just to confuse the uninitiated).

-- Linus Torvalds

Comments (9 posted)

Support for drivers in user space

Device drivers are generally done inside the kernel for the usual reasons of performance and control. There are times, however, when the ability to run a device driver in user space is helpful. These include situations where the code is far too large to go into the kernel (X.org, for example) and where the author of the driver does not wish to place the code under the GPL. Some types of drivers (such as those for USB devices) are easily run in user space now, but others can be a bit more challenging. Very few PCI drivers, for example, are written in user space.

Thomas Gleixner has written an interface module which may help to change that situation. With this code in place, PCI drivers (some of them, at least) can be written almost entirely in user space, with only a small stub module loaded into the kernel.

That module has two specific jobs to carry out. The first is to register the device to be driven, with a couple of bits of important information. To that end, it should fill out an iio_device structure, which contains the following fields:

struct iio_device {
    char			*name;
    char			*version;
    unsigned long		physaddr;
    void			*virtaddr;
    unsigned long		size;
    long			irq;

    irqreturn_t (*handler)(int irq, void *dev_id, struct pt_regs *regs);
    ssize_t (*event_write)(struct file *filep, const char __user * buf,
    		       size_t count, loff_t *ppos);
    struct file_operations	*fops;
    void			*priv;
    /* ... */
};

The first part of the structure provides information about the hardware to be driven - its name, where its I/O memory area lives (physaddr), where that area has been mapped into the kernel (virtaddr), its size, and the interrupt being used by the device. If virtaddr is zero, then physaddr is interpreted as the beginning of a range of I/O ports, rather than a memory address.

The fops field provides the file operations for the device; normally, they are set to the generic versions provided by the IIO (for "industrial I/O") driver: iio_open(), iio_read(), iio_mmap(), etc. With this setup, the driver can create a basic device which allows a user-space program to read from or write to device memory (or ports). I/O memory can also be mapped into user space.

The capabilities described thus far are not all that different from what can be done with /dev/mem; the main difference is that the stub driver can enable the PCI device and perform any other needed initialization. The real hitch in writing user-space PCI drivers, however, has been in the handling of interrupts. There is currently no way to write a user-space interrupt handler, and the IIO patch doesn't really change that. Instead, the stub driver is expected to provide a minimal interrupt handler of its own.

This handler is needed because every device requires its own specific interrupt acknowledgment ritual. The kernel must respond quickly to an interrupt and give the device the attention it craves so that said device will stop asserting the interrupt. After that, any additional processing can be done at relative leisure. So, once the handler provided with the stub driver acknowledges the interrupt, the rest of the work can normally be done by the user-space driver.

All that is needed is to let this driver know that the interrupt has happened. The IIO module provides a couple of mechanisms for that purpose. One is a second device node associated with the device; whenever an interrupt happens, a byte can be read from this "event device." So a user-space driver can simply block on a read from that device, or it can use poll() in more complicated situations. It is also possible for the user-space driver to receive SIGIO signals when an interrupt happens, but using signals will normally increase the ultimate response time to the interrupt.

So, to make all this happen, the stub driver provides a minimal interrupt handler in the handler() field of the iio_device structure. When an interrupt happens, the IIO module will call this handler; if it returns IRQ_HANDLED, user space will be notified. If the stub driver provides an event_write() function, that function will be called in response to a write operation on the event device. This capability can be used to further control the kernel-space response to interrupts, request that interrupts be masked, etc.
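The user-space half of the arrangement described above, as an added example (not code from Thomas Gleixner's patch): the driver blocks on the event device with poll(), consumes exactly one byte per interrupt, and uses a write on the same node to reach the stub's event_write() hook. The device node name and the one-byte request format are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Assumed node name; the real name comes from the stub driver. */
#define IIO_EVENT_DEV "/dev/iio_event0"

/* Block on the event device until one interrupt has been signalled or
 * timeout_ms elapses. Returns 1 when one interrupt byte was consumed,
 * 0 on timeout, -1 on error with errno set. */
int iio_wait_irq(int event_fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = event_fd, .events = POLLIN };
    unsigned char token;
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;                       /* no interrupt within timeout */
    if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
        errno = EIO;                    /* device node went away */
        return -1;
    }
    /* One byte is queued per interrupt: read exactly one so that
     * back-to-back interrupts are not collapsed into a single wake-up. */
    do {
        rc = (int)read(event_fd, &token, 1);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    if (rc == 0) {
        errno = EIO;                    /* EOF: nothing more will arrive */
        return -1;
    }
    return 1;
}

/* Deliver a control request to the stub driver's event_write() hook
 * (for example, a request to mask or re-enable the device interrupt).
 * The byte format is whatever the stub defines (assumed here); this
 * helper only guarantees the whole buffer is written. 0 on success, -1
 * on error. */
int iio_event_cmd(int event_fd, const void *cmd, size_t len)
{
    const unsigned char *p = cmd;

    while (len > 0) {
        ssize_t n = write(event_fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    /* Assumed one-byte request understood by the stub's event_write(). */
    static const unsigned char unmask_req = 1;
    int fd = open(IIO_EVENT_DEV, O_RDWR);

    if (fd < 0) {
        perror(IIO_EVENT_DEV);
        return 1;
    }
    for (;;) {
        int rc = iio_wait_irq(fd, 1000);
        if (rc < 0) {
            perror("iio_wait_irq");
            break;
        }
        if (rc == 0)
            continue;                   /* idle; nothing to do yet */
        /* The stub's in-kernel handler has already acknowledged the
         * interrupt; the unhurried part of the work (reading the mapped
         * device memory, moving data) belongs here. Then ask the stub
         * to let the next interrupt through. */
        if (iio_event_cmd(fd, &unmask_req, sizeof unmask_req) < 0) {
            perror("iio_event_cmd");
            break;
        }
    }
    close(fd);
    return 0;
}
```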

Readers who think that the event mechanism shares some features with the proposed kevent subsystem are right. It is probable that the IIO event handling code will be rewritten to use kevents, if and when kevents are merged into the mainline.

Meanwhile, however, the IIO driver works. Thomas has posted an example driver (or parts of one, anyway) to show how this mechanism can be used. The real question which appears to be on a number of minds, however, is: could ATI and nVidia use IIO to move their drivers out of the kernel? Only those vendors can answer that question, so, until they say something, nobody really knows.

Comments (29 posted)

Parallel IDE drivers

Back in 2003, Jeff Garzik announced the availability of "a new SCSI driver." That driver was, in fact, the libata subsystem, which was to be the foundation for serial ATA support in Linux. In the process, however, Jeff had thought a bit about supporting the current parallel ATA (PATA) drives, but that was not really his goal:

Note that PATA in my driver is only an afterthought. The main area of focus, now and in the future, is SATA.

In the last three years, the parallel ATA drives that most of us use have continued to be driven by the old IDE driver subsystem. Some of this code dates back to the beginning of Linux; since then it has been maintained by a substantial list of people, a number of whom are widely held to have been driven insane by the experience. The current maintainer, Bartlomiej Zolnierkiewicz, has kept a rather low profile for some time now; he signed off no patches in either the 2.6.17 or the upcoming 2.6.18 kernel. Not much has been happening in the IDE area.

That does not mean that things have been quiet in the parallel ATA area, however. Over the last year or so, Alan Cox has been working to bring full PATA support into the libata code. The resulting drivers have been sitting in the -mm tree for a while, but that period is about to end: the PATA driver set has been queued for merging into 2.6.19.

The stated advantages of the new PATA code are many. The code has been reworked from the beginning, and is up to current kernel standards. The use of libata means that these drivers are well integrated with their SATA cousins, bringing two divergent subsystems back together. The new drivers support a number of chipsets that the IDE layer doesn't handle. Error handling has been much improved. Also, according to Alan's announcement from August, the new drivers feature "active maintenance and updates" and "more interesting bugs to find and help fix."

On the other hand, the new PATA drivers are not considered to be ready for production use yet, and distributors are not expected to enable them in the near future. The merging into 2.6.19 is intended mainly to broaden the test base. A completely new disk subsystem is the sort of thing that one likes to test very well before entrusting it with data that one wishes to actually keep; that process may go on for a little while yet. It is also worth noting that the new PATA code drops support for some ancient IDE controllers.

The issue that gets everybody's attention, however, is that, as with all drives handled through libata, PATA drives show up as if they were SCSI disks, and are named /dev/sd*. Anybody who just switches to the new drivers without updating /etc/fstab (or using the mount-by-label feature) is likely to have a rough bootstrap experience. That is an easy problem to work around, but the use of the SCSI drive namespace seems to bother some people. What appears to be happening in reality is that Linux is slowly moving toward having a generic disk subsystem, where everything can just be called /dev/diskN. All that's left is a few details and a new set of udev rules to rename the device nodes.

Someday, most of us will be using the new PATA code. But this is not a process which is expected to go quickly, and there are no plans to remove or deprecate the existing IDE code:

At this point in time it is premature to discuss or plan the point at which the old IDE layer would go away. That discussion can start at the point where everyone is happy that the new libata based layer is providing better quality and coverage than the old one. Even then there would be no need to hurry.

So it appears that Linux will have parallel subsystems for parallel ATA support for some time.

Comments (5 posted)

Guest page hinting

Paravirtualized systems are operating systems unto themselves - they look like independent systems to the greatest extent possible. In the end, however, a paravirtualized system is still running under a host, and must interact with that host. A recent set of patches (entitled "guest page hinting") shows how running paravirtualized systems in a fully independent mode can hurt performance - and the sorts of tricks which can be required to make things run more efficiently.

Consider, for example, a short-lived application which runs on a guest system. That application may dirty a number of pages, then exit, its job finished. The guest system knows that the dirty pages are no longer in use, and can be recycled. From the host's point of view, however, the only thing known is that the pages are dirty. So the host will, if it needs to reclaim those pages, carefully write their (useless) data out to swap first. This is a wasted effort which would be nice to avoid.

The hinting patches add a couple of low-level primitives for use by guest operating systems: set_page_unused() and set_page_stable(). The former marks a page as being unneeded by the guest, while the latter marks the page as being in active use. The s/390 architecture (which is the main target for this patch set currently) can implement these states through a pair of page flags which the guest can set, making the operations fast. Once pages have been marked as unused, the host system can reclaim them with no further effort, making the whole virtual memory subsystem more efficient.

The next step is to consider page cache pages. These pages will contain data from a file found on a storage device somewhere, meaning that they can be recreated from the source if need be. That, in turn, means that the host could discard them in response to memory pressure. But, once again, the host knows nothing about the guests' page caches. So the hinting patches add another state, called "volatile," to mark pages with backing store. When the host is feeling memory pressure, it is free to discard volatile pages without saving their contents first. It must, however, make sure that the guest system knows that this action has taken place so that the page can be removed from the guest's page cache. In the current patch set, this notification only works for s/390 machines, however.

Pages which have been locked into memory pose an extra challenge here - they can be part of the page cache, but they still shouldn't be taken away by the host system. So such pages cannot be marked as "volatile." The problem is that figuring out if a page is locked is harder than it might seem; it can involve scanning a list of virtual memory area (VMA) structures, which is slow. So the hinting patches add a new flag to the address_space structure to note that somebody has locked pages from that address space in memory. When the flag is set, those pages are not marked as being volatile.

The swap cache also benefits from some hinting work - once the guest has written a page to swap, that page has good backing store and can be grabbed by the host system. The approach taken is similar to that used with the page cache, though there are a few extra details to take care of. For example, the guest must take care to have the page marked stable (and deal with its potentially having been discarded by the host) before freeing the associated entry in the swap area.

Attentive readers may have noticed that these patches are heavily oriented toward the s/390 architecture. IBM has, of course, been doing virtualization for a very long time, so it is not surprising that some relatively advanced virtualization patches are coming from that direction - or that IBM's architectures are designed with virtualization in mind. Other paravirtualization projects will encounter many of the same issues, however, and may well benefit from this work. So the next stage for this patch set should be consideration by other projects and possible work to make the hinting features more generally applicable.

Comments (1 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

  • Andreas Gruenbacher: Tmpfs acls. (September 4, 2006)

Memory management

Networking

Architecture-specific

Security-related

Virtualization and containers

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Debian's Alioth cracked

Anybody having trouble getting through to the Debian Alioth web server now knows why: the system was broken into by way of a pmwiki vulnerability. "This security alert is over, however we have way too many projects running some custom-installed web applications. We're going to review everything that is installed and come up with suggestion to use the packaged (and thus security-supported) version of the web applications when possible."

It has now been decided that the new Alioth will be hosted in a Xen client. "This means it's easy to stop (or shutdown) the Alioth host for inspection, or to simply reinstall it from scratch. That's why while preparing the new Alioth, I'm documenting the configuration of all the services."

Comments (none posted)

New Releases

Ubuntu 6.10 alpha - Knot 2 released

Edgy Eft Knot 2, the second in a series of milestone CD images that will be released throughout the Edgy development cycle, is now available in Ubuntu, Kubuntu, Edubuntu and Xubuntu flavors.

Full Story (comments: 18)

Slackware 11.0 rc4

Slackware 11.0 should be out soon. A fourth release candidate has been announced in the September 3 change log entry. For a complete list of changes check the slackware-current changelog.

Full Story (comments: none)

Debian GNU/Linux 3.1 updated

The Debian project has updated the stable distribution Debian GNU/Linux 3.1 (codename `sarge'). "This update mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update."

Full Story (comments: 2)

Distribution News

Yet another Debian resolution on firmware

Debian project leader Anthony Towns has put forward a new general resolution proposal for the Debian developers to consider. This one starts with the idea that the social contract, in its current form, cannot be met, so it should be reverted to its pre-2004 language. The resolution would explicitly exempt firmware, allowing "etch" to be released on time and in compliance with the social contract. "I think it's a mistake to have a social contract that we can't meet -- I would much rather say "we're not only meeting our social contract, but we're going above and beyond it" than keep worrying about how we've overpromised and keep having to underdeliver." Click below for the full text, or see this LWN article for the previous episode in this story.

Full Story (comments: 1)

cdrkit: Debian's fork of cdrtools

The Debian cdrtools maintainers have posted the first version of "cdrkit," the project's fork of the cdrtools package. The reasons behind this fork were covered in LWN last month. It was nearly bound to happen; the real question is the extent to which distributors will cooperate in the maintenance of the new version. The Debian folks have reached out to other distributors, so the initial signs are good. Meanwhile, cdrkit needs testing.

Full Story (comments: 23)

minutes of debburn/cdrkit team meeting, 2006-09-05

Click below for the minutes of the September 5 meeting of the debburn/cdrkit maintainers.

Full Story (comments: 1)

New Debian Tcl/Tk list, maintenance team forming

Debian's tcl/tk maintainer is putting together a team to co-maintain tcl/tk and some of its add-ons (e.g. tcllib, itcl). "It is also, in my opinion, past time to develop some more formal policies for tcl/tk-using packages. For this reason, I have created a mailing list for discussing Debian's tcl/tk infrastructure and policy, and an Alioth project for tcl/tk maintenance."

Full Story (comments: none)

Debian Bug Squashing Party in Zurich: 9 Sept 2006

Two Debian Bug Squashing Parties will take place in Zurich, Switzerland. The first will take place Saturday, 9 Sept. 2006.

Full Story (comments: none)

Bug Squashing around the world - more about the BSP-Marathon

Click below for an update on more Debian Bug Squashing Parties around the world.

Full Story (comments: none)

Fedora Core to drop openmotif

It's official: Fedora Core 6 will not include the openmotif library, which has a non-free license. The library will be removed prior to the October 2 development freeze. As a result, a number of packages using openmotif (including cmucl, ddd, nedit, and xpdf) will break; they, too, will be removed if they cannot be shifted over to lesstif in the next month (but, in most cases, that work has already been done).

Full Story (comments: 73)

Gentoo Trustees Announcement

The Gentoo Foundation has announced its newly elected Board of Trustees. The new board has five members: Chris Gianelloni, Grant Goodyear, Stuart Herbert, Seemant Kulleen and Renat Lumpau.

Full Story (comments: none)

The future of NetBSD

Charles Hannum, one of the original NetBSD developers, has sent out a long, unhappy posting about the state of that project. "The NetBSD Project has stagnated to the point of irrelevance. It has gotten to the point that being associated with the project is often more of a liability than an asset. I will attempt to explain how this happened, what the current state of affairs is, and what needs to be done to attempt to fix the situation." Click below for the original message; the full discussion can be found in the archives.

Full Story (comments: 27)

Ubuntu Edgy feature freeze imminent

According to the Ubuntu schedule, the Edgy feature freeze is in effect. A beta release is expected before the end of the month.

Full Story (comments: none)

New Distributions

Ubuntu Christian Edition

Ubuntu Christian Edition is a free, open source operating system geared towards Christians. It is based on Ubuntu Linux and is suitable for both desktop and server use. Along with the standard Ubuntu applications, Ubuntu Christian Edition includes the best available Christian software. The latest release contains GnomeSword, a top of the line Bible study program for Linux based on the Sword Project. The recently released Ubuntu CE v1.2 is based on Ubuntu 6.06.1 LTS.

Comments (4 posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for September 5, 2006 looks at security updates to the sarge Mozilla packages that need testing, availability of DebConf session videos, donations needed for an etch release advertisement, a new Tcl/Tk team, bug squashing parties and much more.

Full Story (comments: none)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for August 28, 2006 covers the Gentoo 2006.1 release, GCC 4.1.1/ glibc 2.4 stable, Gentoo Summer Camp and several other topics.

Comments (none posted)

Ubuntu Weekly News #12

The Ubuntu Weekly News for September 2, 2006 is out. "In this edition, read about the release of a milestone image and call for testing, a roundup of news from the Google Summer of Code student projects and a sneak preview news of another project, 'upstart', by Ubuntu Developer Scott James Remnant, designed to change the way that a Unix/Linux boots for the first time in 30 years."

Full Story (comments: none)

DistroWatch Weekly, Issue 167

The DistroWatch Weekly for September 4, 2006 is out. "Following a new release of Gentoo Linux last week, another popular "geek" project is likely to announce a major new version this week. Slackware Linux, the world's oldest surviving Linux distribution, has been through no fewer than four release candidates, so the final version can't be far away. Also expected later this week - GNOME 2.16. In other news, Linspire scraps the annual fee for its software repository, Ubuntu contributors keep enhancing their favourite distribution with extra software, services and even a new start-up script, and the NetBSD world is rocked by accusations of mismanagement by one of the project's founders. We also have the pleasure to announce that DistroWatch has once again been voted one of the "Top 101" web sites by PC Magazine and that the August 2006 donation of US$350 goes to the Puppy Linux project."

Comments (none posted)

Minor distribution updates

First release candidate for 64 Studio distribution

64 Studio 0.9.4 is the first release candidate for the 64 Studio 1.0 distribution. "The CD image will install a custom Debian system specialised for multimedia content creation, including a NUMA-enabled SMP Linux 2.6.17 kernel with realtime preemption for dual Opteron systems."

Full Story (comments: none)

Updated versions and derivates of Red Hat Enterprise Linux (Heise Online)

Heise Online covers the release of CentOS 4.4. "The novel features introduced with the update include among others a transition from Mozilla Suite 1.7 to its indirect successor Seamonkey 1.0, which will henceforth be maintained. For some items of hardware such as the network chips by Intel, Broadcom and Nvidia, as well as the Qlogic storage adapter, drivers such as bnx2, cciss, e1000, emulex, forcedeth, qlogic and tg3 were updated. While the drivers that were added are the SAS driver adp94xx by Adaptec and the OpenIPMI tools. In addition the update sported improvements with regard to network, USB, and SCSI subsystems, as well as NFS and autofs4."

Comments (none posted)

September 5th - Morphix SVN Commit Day

Morphix has released Morphix Base 0.5-pre6 'Amalthea', MorphixLiveKiosk 0.01 and MorphingMorphix 0.3, as part of Morphix SVN Commit Day, September 5, 2006.

Full Story (comments: none)

Package updates

Fedora updates

Updates for Fedora Core 5: anacron (bug fix), enscript (wrap long headers), mkinitrd (rebuild against parted-1.7.1), pyparted (rebuild against parted-1.7.1), mc (new mc CVS snapshot), db4 (bug fix), gnome-applets (bug fix), cups (bug fix), gimp (version 2.2.13), xsane (version 0.991).

Comments (none posted)

rPath updates

Updates for rPath Linux 1: conary, conary-build, conary-repository (Conary 1.0.30 maintenance release).

Comments (none posted)

Trustix updates

Updates for Trustix Secure Linux 2.2 & 3.0: amavisd-new, apache, cyrus-sasl, nfs-utils, openswan and squid (various bug fixes).

Comments (none posted)

Ubuntu updates

Updates for Ubuntu 6.06 LTS: kboincspy_0.9.1-3~dapper1, seahorse_0.9.3-0ubuntu5~dapper1, konversation_1.0-0ubuntu1~dapper1, openoffice.org 2.0.3-6dapper1, openoffice.org-l10n 2.0.3-6dapper1, openoffice.org-amd64 2.0.3-6dapper1-1, openoffice.org 2.0.3-6dapper2.

Comments (none posted)

Newsletters and articles of interest

Maintainer's resignation highlights problems in Debian project (Linux.com)

Linux.com covers the resignation of Matthew Garrett from the Debian project. "The resignation of Matthew Garrett, one of the most active developers in Debian, has drawn attention to some ongoing issues about how the project operates. Specifically, Garrett's announcement on his blog cites a lack of civility and a slowness in decision-making, and compares Debian unfavorably to Ubuntu, the Debian-derived distribution which is increasingly attracting the efforts of many Debian maintainers."

Comments (none posted)

Distribution reviews

Linux From Scratch (Packt Publishing)

Packt Publishing interviews Gerard Beekmans, creator of Linux From Scratch. "MS: What prompted you to write Linux From Scratch? GB: I started working with Linux about eight years ago. I was living in The Netherlands at the time (where I was born and raised). After trying out a few distributions I couldn't settle on any one pre-packed system to fit my needs. I also didn't get the feeling I was learning everything I could learn about how Linux works, especially behind the scenes. That's how the LFS project started. I was putting together a Linux system from scratch as an attempt to figure out how things worked. I wrote down the steps I took to get such a system up and running, thinking that there are probably other people out there who would be interested in it."

Comments (none posted)

Page editor: Rebecca Sobol

Development

A look at the Firefox 2 Beta 2 browser

The beta 2 release of version 2 of the Firefox web browser, aka Bon Echo, has been announced; it is the fifth developer milestone for Firefox 2. This early release is aimed at developers and testers, not end users. The Bon Echo Alpha 2 release was tested here last May.

New features in Firefox 2 beta 2 include:

  • A new theme and user interface for improved usability.
  • Tool bar buttons that glow when the mouse hovers over them.
  • Built-in phishing protection with warnings when known phishing sites are visited.
  • Improved search engine management with search suggestions for popular search engines.
  • Improvements to tabbed browsing, the ability to open recently closed tabs and side arrows for support of many open tabs.
  • The ability to resume where you were after a browser or system crash.
  • Improved web feed preview and subscription capabilities.
  • Support for inline web form spell checking.
  • Support for bookmarks with live titles for web sites with microsummaries.
  • A new add-ons manager with simplified extension and theme management.
  • Support for JavaScript version 1.7.
  • Support for the extended MozSearch search plugin format.
  • Security and localization extensions to the extension system.
  • Web Application client-side session and persistent storage support.
  • New Scalable Vector Graphics (SVG) svg:textPath support.
  • A new and improved installer for the Windows platform.

The Firefox 2 beta 2 release notes page looks at the new features in more detail and the Bon Echo Planning Center explains what to expect in upcoming Firefox releases.

Firefox 2 beta 2 is available for download here. Testers should familiarize themselves with the known issues section of the release notes, as well as the Firefox System Requirements document.

Your editor gave this version of Firefox a quick spin; it started up with a few NS_ERROR_FAILURE messages, but continued working anyway. The multiple tab features look useful; in addition to the left and right tab extender buttons, there is also a down arrow that shows a list of all of the open tabs. All but the currently used tab are now displayed with a lower contrast view. The tab changes to a medium contrast when the mouse moves on top, then goes to a high contrast when clicked on; this may take some getting used to. Several times, the leftmost tab disappeared from the screen after submitting changes on a web entry form; this appears to be a bug.

The back and forward buttons are now split, and have an additional down arrow that brings up a list of recently viewed pages. In previous versions of Firefox, this was all done with the single arrow buttons. Additionally, there is a similar down arrow next to the current URL display. This appears to your editor as the addition of unnecessary features and screen clutter; remember this old axiom: simpler is better.

All of the errors encountered in the Bon Echo Alpha One release appear to have been fixed. Firefox 2 appears to be getting more stable, although it is probably best to wait for the official release before relying on it for critical work.

Comments (7 posted)

System Applications

Audio Projects

Speex 1.2 beta 1 released

Version 1.2 beta 1 of Speex, a speech CODEC, is out. "This new release brings many significant improvements. The quality has been improved, both at the encoder level and the decoder level. These include enhancer improvements (now on by default), input/output high-pass filters, as well as fixing minor regressions in previous 1.1.x releases. A strange and rare instability problem with pure sinusoids has also been fixed. On top of that, memory use has been greatly reduced, especially for fixed-point and narrowband. The fixed-point narrowband encoder+decoder memory use has been cut by more than half, making it possible to fit both in less than 6 kB of RAM. In general, CPU requirement had gone down, especially for the fixed-point port."

Comments (1 posted)

Database Software

MySQL 5.0.24a has been released

Version 5.0.24a of MySQL is available. "This is a minor release to fix a few bugs, and a possible security flaw."

Full Story (comments: none)

Interoperability

Samba 3.0.23c available

Version 3.0.23c of Samba has been announced. "This is the version that production Samba servers should be running for all current bug-fixes. Please read the changes in the Release Notes for details on new features and difference in behavior from previous releases."

Comments (none posted)

Mail Software

Archiveopteryx 1.10 released

Version 1.10 of Archiveopteryx has been announced. "Archiveopteryx (formerly Oryx Mailstore) is a mail archive server that stores normalized mail in a PostgreSQL database, and serves it using IMAP/POP. It has now been used in production for several months, and is available both on commercial terms and as open source. This release comes sooner than planned, because we feel the deployment of privilege separation is important enough to justify it."

Full Story (comments: none)

bogofilter 1.1.1 released

Stable version 1.1.1 of Bogofilter, a spam filter, is out. "Version 1.1.1 improved on 1.1.0 with a minor token parsing fix, a new Italian FAQ, and cleaned up formatting for the English and French FAQs."

Full Story (comments: none)

Desktop Applications

Desktop Environments

GNOME 2.16 released

GNOME 2.16 is out. Click below for the announcement, or see the GNOME 2.16 page for the release notes, download information, and more.

Full Story (comments: 16)

Gnome 2.17 schedule announced

The first draft of the GNOME 2.17 release schedule has been announced. "what's worth to mention? the release cycle will have 27 weeks - christmas and new year's day are on monday, guess we don't want a tarballs due on these holidays. also, API/ABI/Feature freeze and UI freeze will not be the same date again."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

KDE.News has announced the September 3, 2006 edition of the KDE Commit-Digest. "In this week's KDE Commit-Digest: Kickoff, the experimental application menu alternative developed by SuSE, is imported into KDE SVN. Import of the work to support SVG scalable tilesets in KMahjongg. KViewShell gets support for LZW compressed fax files. Strigi gets support for the D-Bus Inter-Process Communication service, KBFX, a prospective element of Plasma, gets full support for Strigi. Kaffeine gets DVB plugin support. Amarok sees fundamental changes in a key statistics technology, along with a name change of the technology to "Amarok File Tracking (AFT)". Development of SafeSite, a network-aware phishing protection service proceeds. Interface changes in KTorrent."

Comments (none posted)

KOffice: Summer of Code students deliver the goods (KDE.News)

KDE.News covers KOffice contributions from the 2006 Summer of Code. "Under the KDE umbrella, the KOffice project took part in the 2006 Summer of Code with four participants. And not only that, but the Dutch Programmeerzomer, sponsored by Finalist, also selected a KOffice project. The summer is over, the season of mists and long hacking nights has arrived and the question that's obviously in everyone's mind is, have these five delivered? -- and, more importantly, will Gabor, Alfredo, Emanuele, Thomas and Fredrik continue hacking on KOffice?"

Comments (none posted)

First Konqueror Bug Triage Day (KDE.News)

KDE.News covers the first Konqueror Bug Day. "The aim was to either confirm or close as many unconfirmed Konqueror bugs as possible, known as bug triage. About 150 bugs were dealt with."

Comments (none posted)

Xfce 4.4 Release Candidate 1 (4.3.99.1) released

Version 4.4 Release Candidate 1 (aka 4.3.99.1) of the Xfce lightweight desktop environment is out. "This release fixes a lot of bugs that were present in the second beta release, but also introduces new features, like the trash support in Thunar and xfdesktop. Besides that, this release also includes Xarchiver 0.4.0."

Comments (none posted)

Electronics

gEDA 20060824 announced

Version 20060824 of gEDA, a collection of electronic CAD tools, has been announced, along with version 20060825 of the gEDA Suite installer CD ISO image. gEDA changes include: "Numerous bug-fixes, usability and documentation improvements from an ever-growing band of contributors."

Comments (none posted)

Fonts and Images

Linux Libertine 2.1.9 released

Version 2.1.9 of the Linux Libertine open font set is available.

Full Story (comments: none)

GUI Packages

Trolltech Releases Second Preview of Qt for Java (KDE.News)

KDE.News looks at Qt Jambi. "Trolltech has released a second preview of Qt Jambi - a prototype version of Qt that allows Java programmers to use the popular cross-platform development framework. This release incorporates the feedback of over 1700 beta testers, and features new additions like Web Start functionality, improved integration with Eclipse and single JAR file deployment for Qt Jambi-based applications."

Comments (none posted)

Music Applications

MMA Beta 0.23 now available

The Beta 0.23 release of MMA, Musical MIDI Accompaniment, is out. "Included in this release: A number of minor bugfixes; new RNDSEED command; a number of new and improved library files."

Full Story (comments: none)

Office Suites

OpenOffice.org Newsletter

The August, 2006 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The September 5, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Python

Dr. Dobb's Python-URL!

The August 30, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The September 6, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The September 5, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

XML

XML Schemas 1.1 (Structures) new working draft (O'Reilly)

Rick Jelliffe looks at XML Schemas 1.1 on O'Reilly. "Of course, I am most interested in the new assert element. It is based on the assert element from my Schematron schema language; Eddie Robertsson created some XSLT stylesheets for embedding assertions in XML Schemas, and it has proved quite popular and useful. And certainly the ability to constrain types rather than names is useful, for XML Schemas. They have done the right thing by defining a larger version of XPath that can be used, though the draft seems quite fuzzy about whether to use XPath 1 or XPath 2: I cannot imagine that will not get sorted out though. As with key/keyref and uniqueness, I think their assertions could be translated in Schematron readily enough."

Comments (none posted)

Miscellaneous

Catching up with Unicode 5.0 (O'Reilly)

Rick Jelliffe in Articles discusses the release of Unicode 5.0 on O'Reilly. "Unicode 5.0 was released a week ago: congratulations to all concerned. Unicode now has about 99,000 characters defined, though many of the improvements in Unicode 5.0 are related to how to use characters (their properties or display algorithms) rather than additions. There are only 1369 new characters compared to Unicode 4.1; and no milestone for implementations such as Unicode 3.1 in 2001 when the number of characters broke the 16-bit range."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Changing the Report, After the Vote (Inside Higher Ed)

Inside Higher Ed has a detailed story on the politics behind the creation of the American Council on Education's report on the future of higher education. "That agreement was nearly imperiled last weekend, though. Gerri Elliott, corporate vice president at Microsoft's Worldwide Public Sector division, sent an e-mail message to fellow commissioners Friday evening saying that she 'vigorously' objected to a paragraph in which the panel embraced and encouraged the development of open source software and open content projects in higher education." Read the article for the relevant text before and after Microsoft's intervention.

Comments (6 posted)

A first look at GNOME 2.16 (ars technica)

ars technica looks forward to the GNOME 2.16 release. "In addition to new icons and an updated GTK theme, GNOME got an infusion of compositing goodness, including support for toggling compositor support at runtime, support for wobbling and exploding effects, magnification, configurable transparency for windows and menus, fading effects, and shrinking effects for minimization."

Comments (none posted)

Trade Shows and Conferences

Report on the Fourth International GPLv3 Conference (Linux.com)

Linux.com has a report on the GPLv3 conference in Bangalore. "Last month the Free Software Foundation (FSF) held its Fourth International Conference on GPLv3 at the Indian Institute of Management in Bangalore. Around 150 participants from all over India and abroad, including Japan, France, and Germany, attended. Since this was the first conference after the second draft of GPLv3, which saw several extensive revisions, both Richard Stallman and Eben Moglen painstakingly explained the new draft, and took many questions from attendees."

Comments (1 posted)

YAPC::EU 2006 coverage (O'Reilly)

O'Reilly covers day 1 and day 2 of the YAPC::EU 2006 Perl conference.

Comments (none posted)

Companies

MySQL to drop Berkeley DB storage engine, add memcache plugin (Linux.com)

Joe 'Zonker' Brockmeier covers a DBMS change from MySQL AB on Linux.com. "With the 5.1.12 release, MySQL will be dropping the Berkeley DB (BDB) storage engine from its list of supported database engines. Some observers have suggested that this move is connected to Oracle's purchase of Sleepycat, and that InnoDB may be next. However, Brian Aker, MySQL's director of architecture, says that they're unlikely to drop InnoDB, and the Berkeley engine is being dropped for technical reasons. Aker also announced the first release of a memcache storage engine plugin for MySQL."

Comments (none posted)

Really Free Software (Forbes)

Forbes is running a look at Ubuntu and its founder. "Canonical has burned through $15 million of Shuttleworth's money in two and a half years. He says that it will take him at least another two years to even know whether it has a chance to become profitable, and that it may never return his investment. But that doesn't matter. He's paying all the bills either way, along with setting up a $10 million endowment for the Ubuntu Foundation that's earning interest for a day when his attentions may drift elsewhere."

Comments (7 posted)

Wind River claims embedded Linux dominance (LinuxDevices)

LinuxDevices looks at Wind River's quarterly report, with an emphasis on the company's apparent success in transitioning to Linux. "In terms of specific Linux design wins, [CEO Ken] Klein cited high-end Swedish stereo equipment vendor Bang & Olufsen, which reportedly licensed Wind River's Platform for Consumer Electronics, Linux Edition (PCE-LE), in part because of PCE-LE's interesting remote management capabilities."

Comments (6 posted)

Business

The New Barbarians (Forbes)

Forbes is running a series of articles called The New Barbarians. It seems that Daniel Lyons has finally figured out that commodity hardware and free software might offer some value. "Linux today has less than 2% market share on the desktop. That's because with past versions of Linux only hackers could get Linux installed and running right. But a new batch of easier-to-use versions is putting Linux within reach of regular folks." There is also a rather confused article about the GPLv3 process.

Comments (8 posted)

Linux Adoption

India state to dump Windows for Linux (Seattle pi)

Seattle pi has published an Associated Press article on the upcoming switch to Linux at all of the high schools in the Indian state of Kerala. "The decision to switch to Linux came after free software guru Richard Stallman, founder of the open-source GNU software project, visited Kerala two weeks ago, and persuaded officials to discard proprietary software, such as Microsoft, at state-run schools, Baby said. Despite the denials that Microsoft was the target, opposition leader M.A. Shahnawaz, of the Congress party, said he believed the decision was based on the communists' opposition to the software giant's products."

Comments (6 posted)

Legal

SanDisk faces MP3 licence dispute (BBC)

The BBC covers a dispute between SanDisk and Sisvel over the MP3 patent. "Sisvel's founder Roberto Dini told the website DigitalLifestyles.info that SanDisk could gain an unfair edge over competitors and could potentially offer trade customers at the high-profile German show a lower price for its MP3 players. 'This is unfair competition,' Mr Dini told DigitalLifestyles.info." The interesting thing - beyond the notion of license fees as necessary for fair competition - is that SanDisk claims to have come up with a non-infringing MP3 decoder. DigitalLifestyles has posted the interview with Mr. Dini, in MP3 format, of course.

Comments (19 posted)

Some Quick Comments on Australia's Exposure Draft TPM Measures Bill, by Brendan Scott (Groklaw)

Groklaw looks at DMCA-like draft legislation in Australia. "As a result of the Australia-US Free Trade Agreement (AUSFTA), Australia is required to augment its existing DMCA style provisions in the Australian Copyright Act. The AUSFTA requires that these changes be in place by the end of 2006. Following a number of reviews, draft legislation which aims at implementing the relevant provisions of the AUSFTA (i.e. paragraph 17.4.7) has been released."

Comments (none posted)

Interviews

Author Interviews: Hal Fulton - The Ruby Way (On Ruby)

Pat Eyler interviews Hal Fulton. "Hal Fulton is a longtime Ruby hacker and the author of one of my favorite Ruby books, The Ruby Way. Recently, he's been hard at work on a second edition (due out in November). The second edition will come with a change in publishers, The Ruby Way will now be an Addison-Wesley book. When he's not working on his book, Hal is active on the ruby-talk mailing list and in the Ruby community at large."

Comments (none posted)

PC-BSD Interview (KDE.News)

KDE.News talks with Kris Moore, founder and lead developer of PC-BSD. "PC-BSD was initially released as 0.5 Beta about a year ago, April 2005. I chose to begin development with the goal of making a FreeBSD-based desktop OS, with a custom software installation method called PBI or PC-BSD Installer. Instead of a true "distro" with numerous ports or programs being a part of the base system, PC-BSD is by default an Operating System only. Software packages live independent of the operating system, self-contained in their own directories, where they do no harm or cause dependency issues."

Comments (none posted)

People Behind KDE: Celeste Lyn Paul (KDE.News)

KDE.News has announced the latest interview in its People Behind KDE series. "Today's People Behind KDE features the American lass who is forging the KDE 4 Human Interface Guidelines. Find out the advantage of a hobby against job, what is wrong with Fruit Salad plus the good fortune of one KDE convert as we interview Celeste Lyn Paul."

Comments (none posted)

Linspire Founder on Linux, iPod, Zune (Red Herring)

Red Herring interviews Michael Robertson. "Is Michael Robertson afraid of anything? The entrepreneur has made a career--and a fortune--playing rough with giants. Now, though, he's turning up the volume: predicting an end to Apple's hold on digital music, shaking up the Linux community by looking to marry open source smarts with proprietary know how, and talking trash about Microsoft's new Zune."

Comments (13 posted)

Opening Up: Laurie Tolson on Open Source Strategy for the Java Platform

The Sun Developer Network has an interview with Laurie Tolson, VP of Developer Products and Programs at Sun. "Jim: Where is Sun in the process of open sourcing the code for Sun's Java platform implementations? When can developers expect to see the code released? Laurie: Sun will release several significant components of Java SE by the end of 2006. We don't know exactly which ones yet, but the javac bytecode compiler and the HotSpot Virtual Machine --among other things-- are on the table. The rest of a buildable JDK will be released in early 2007. In addition, Sun plans to open source implementations of the Java ME platform (both CLDC and CDC). We intend to roll this out by the end of 2006. Most importantly, we're not doing this in isolation. We want to learn from successful open source projects how best to go about this." (Thanks to Drew Daniels)

Comments (none posted)

Resources

It's not just Linux: Open Source has arrived (Linux-Watch)

Linux-Watch reports on the results of an IDC study. "Open-source true believers have been saying forever that open source is the way to develop software. It turns out they've convinced most programmers that they're right. According to a newly released IDC study, open source isn't just hype; it's now the way most developers make software."

Comments (none posted)

Linux Gazette #130 is out

The September 2006 edition of Linux Gazette is out. Articles include EclipseCon Conference 2006: The Way of Eclipse, DNS techniques, The Geekword Puzzle, Vancouver Python Workshop 2006, Custom OpenLDAP Schemas, Interview: Timothy Miller, Open Graphics Project and more.

Comments (none posted)

Reviews

Cold War makes for intriguing gaming (Linux.com)

Linux.com plays around with a new game. "It's been a long time since I've played a commercial game on Linux, probably since the fall of Loki, but the long dry spell is over now. I've been spending a lot of time playing Cold War lately, and I've missed this kind of gaming."

Comments (5 posted)

Hail the Konqueror (Linux.com)

Linux.com has a look at Konqueror. "Tabbed browsing support is great for viewing multiple sites one at a time, but Konqueror kicks it up a notch with split windows. Its window can be split horizontally or vertically (or both), and you can browse different sites in each pane. This is useful if you're composing a blog post and want to refer to someone else's post on the other side, or if you just have a site that you want visible all the time, such as a Nagios window, where you can keep an eye out for any alerts."

Comments (6 posted)

Can Linux-based Collax Replace Microsoft Small Business Server? (CRN)

CRN reviews Collax Business Server. "With the release of Collax Business Server (CBS), Microsoft's Small Business Server 2003 (SBS) is starting to look a little like France in 1940, with Germany amassing troops on the border, readying invasion. Collax has made it no secret that it intends to battle Microsoft for the small business server market and is aggressively seeking soldiers in the form of solution providers. And with the recall and delay of the R2 upgrade to SBS, Microsoft now lacks the reinforcements it needs to strengthen its line, creating an even more tempting target for Collax."

Comments (24 posted)

Taking an OpenReports test drive (Linux.com)

Michael Stutz takes a look at OpenReports on Linux.com. "Business Intelligence (BI) software, those tools and suites that take the raw minings of your databases and turn them into comprehensible signposts and mappings that lead toward profits, is a hot market today. One of the more talked-about open source solutions is OpenReports, a GPLed, Web-based BI report generation system whose first stable, milestone release of its 2.0 series has just come out. A lot of bugginess has been cleaned up from earlier versions. This 2.0 milestone release also brings with it a better report scheduling method".

Comments (2 posted)

Review: The Linux-based Motorola ROKR-E2 (OS News)

OS News reviews Motorola's ROKR-E2 Linux-based feature phone. "In the box (arrived in just two days from Hong Kong) we found the cellphone, an 850 mAh battery, 128 MB transflash-in-SD card, the manual, software CDs, a USB cable, a 3.5mm handsfree and a travel charger. The battery was almost full when the box arrived, but we fully charged it for an extra hour or so too. This feature phone (not a smartphone) features triband GSM, 1.3 MP camera with flash, 11 MBs internal storage, full SD slot, 2.2" QVGA screen, stereo sound, FM radio, 3.5mm audio jack, USB 2.0 charging & file transfer and Bluetooth."

Comments (none posted)

Personal wikis: Three small, simple alternatives (Linux.com)

Linux.com looks at some lightweight wikis. "Wikis aren't just great tools for sharing information and collaborating on projects. They also make excellent personal information managers. With a personal wiki, all of your to-do lists, notes, and appointments are at your fingertips in form that's easy to use and maintain."

Comments (none posted)

Miscellaneous

FSF reaches out to social activists (NewsForge)

NewsForge covers the Free Software Foundation. "2006 may be remembered as the year that the Free Software Foundation (FSF) reached out to the community. The FSF has already undertaken an unprecedented year-long consultation process about the revisions to the GNU General Public License, and the Defective By Design campaign against digital rights management technologies. Now, the FSF is planning a third campaign to deliver its message about ethical software to social activists outside the technical communities. "We think that social groups taking on policies about free software can act as a huge lever within schools, trade unions, local governments, and churches," says Peter Brown, executive director of the FSF."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF: California Lawmakers Pass Safeguards for Privacy-Leaking RFID Chips

The Electronic Frontier Foundation has sent out a Media Release concerning California legislation over RFID chips. "The California State Senate passed tough new privacy safeguards late yesterday for use of "tag and track" devices known as Radio Frequency Identification (RFID) chips embedded in state identification cards. The bill helps ensure that Californians can control the personal information contained on their drivers' licenses, library cards and other important ID documents."

Full Story (comments: none)

Planning For 10 Years of Free Desktop (KDE.News)

KDE.News looks at 10 years of KDE. "10 years ago, on October 14th 1996, Matthias Ettrich announced a project to create a complete and consistent GUI for the prospering Linux operating system. The project grew and matured and now it is 2006 and KDE is one of the largest Free Software projects."

Comments (none posted)

Nominations for X.Org Foundation Board of Directors are OPEN

X.Org Foundation Board nominations are being accepted. "We are seeking nominations for candidates for election to the X.Org Foundation Board of Directors. All X.Org Foundation members are eligible for election to the board. Nominations for the 2006 election are now open and will remain open until 23.59 GMT on 24 September 2006."

Full Story (comments: none)

Commercial announcements

Sun launches the Sun Studio Express Program

Sun Microsystems, Inc. has announced the launch of the Sun Studio Express Program for its Sun Studio 11 development tool. "Sun has launched the Sun Studio Express Program that enables C, C++, and Fortran developers to preview features intended for future releases. With more than 50,000 registered downloads in the past 6 months, this program was created in response to the rapid adoption and interest in Sun Studio 11 software."

Comments (none posted)

Team ASA announces NPWR-LCX Single Board Computer

Team ASA has announced the NPWR-LCX single board computer. "The NPWR-LCX is one of two new single board networking computers released by Team ASA this week. The NPWR-LCX is based on the recently released Intel 80219 XScale CPU, running at 600 MHz. The NPWR-LCX I/O suite consists of Dual Gigabit Ethernet ports, four Serial ATA ports, a USB 2.0 Device port and a Serial port. The NPWR-LCX Memory configuration supports 64 to 512 Megabytes of 266 MHz, DDR SDRAM and 8-16 Megabytes of FLASH ROM. The NPWR-LCX comes configured with a 2.6.13 Linux OS version on FLASH ROM Disk and a Linux Binary Distribution CD-ROM."

Team ASA also announced their NPWR-SAI board, which uses the Intel 80219 XScale CPU.

Full Story (comments: none)

Terra Soft announces the Y-Bio JS21 Cluster

Terra Soft has announced the Y-Bio JS21 Cluster, which is aimed at biological supercomputing applications. "The Terra Soft Y-Bio gene sequence analysis suite offers a single, database driven interface to the most common gene sequence analysis programs: Probcons, T-Coffee, mpiBLAST, MrBayes, Modeltest, NCBI BLAST, EMBOSS, Glimmer, ClustalW, HMMER, Wise, and FastA. The Y-Bio JS21 Cluster is comprised of Y-Bio pre-installed on each of 14 IBM JS21 blades in a single BladeCenter chassis. Each blade boasts four 2.5GHz cores for 56 cores in just 7U for a compelling 4x performance-density improvement over the former Apple G5 Xserve product line."

Full Story (comments: none)

New Books

Open Life publishes The Philosophy of Open Source

Open Life has published the book The Philosophy of Open Source by Henrik Ingo.

Full Story (comments: none)

The Relational Database Dictionary - O'Reilly's Latest Release

O'Reilly has published the book The Relational Database Dictionary by C. J. Date.

Full Story (comments: none)

Contests and Awards

Rackspace Named Leader in Gartner Magic Quadrant

Rackspace Managed Hosting has announced that the company was positioned in the "Leader's" Quadrant in Gartner Inc.'s annual North American Web Hosting Magic Quadrant, published August 25, 2006 and authored by Gartner analysts Ted Chamberlin and Lydia Leong.

Full Story (comments: none)

Event Reports

Transcript of Richard Stallman at the 4th international GPLv3 conference

A transcript of Richard Stallman at the 4th international GPLv3 conference is available. This page links to audio and video recordings as well as text. "The overall topic of this speech is what we've changed in the GNU GPL. In order to speak about this, I need to remind people what the point of it is. The reason we change the GPL is to make it do its job better, so what is that job? That job is protecting the freedom of all users of our software." (Thanks to Ciaran O'Riordan)

Comments (27 posted)

Minutes from the OSDL DTL meeting on fonts and Linux

Waldo Bastian has posted minutes from the August 31 OSDL desktop Linux "tech board" meeting on fonts and Linux. There is quite a bit of work going on to improve the current situation. "[The Bitstream Vera license] requires renaming in order to extend. This may cause problems, e.g. some while back SUSE renamed Bitstream Vera to SUSE Sans. Websites/documents specifying SUSE Sans will not work correctly with other Linux distributions."

Full Story (comments: none)

Calls for Presentations

CFP, IT Underground, Warsaw, Poland 2006

A call for papers has gone out for the IT Underground 2006 conference. The event will take place in Warsaw, Poland on October 26-27, 2006.

Full Story (comments: none)

PyCon 2007 Calls for Proposals/Tutorials

A Call for Proposals has gone out for PyCon 2007. "Want to share your expertise? PyCon 2007 is looking for proposals to fill the formal presentation tracks. PyCon 2007 will take place February 23-25 2007 in Addison, Texas." Submissions are due by October 31.

Full Story (comments: none)

Upcoming Events

The Ohio LinuxFest 2006

The Ohio LinuxFest 2006 will take place in Columbus, Ohio on September 30, 2006. "The Ohio LinuxFest 2006 will feature 19 exciting presentations this year by speakers such as Jon 'maddog' Hall, Jeff Waugh, Chris DiBona, Jay Pipes, Michael Johnson, and Jorge Castro -- as well as a guest appearance by live penguins!"

Full Story (comments: none)

Invitation to OSDL's Conference on Software Tagging (Groklaw)

Groklaw mentions an upcoming software tagging workshop in Portland, Oregon. "Kees Cook of OSDL would like to pick your brain some more, on the topic of software tagging. He also would like to hear from you, if you host an OSS software repository, and he has an invitation for Groklaw folks. Here's the request, along with the invitation: "I'm helping to host the OSDL-sponsored Software Tagging Workshop September 14 - 15 and am working with a number of folks to research best practices for manual software tagging and recording stamps. We'd like to create a list of who is currently hosting OSS repositories and the best way to contact them.""

Software Development Best Practices India 2007 announced

CMP Technology has announced the Software Development Best Practices Conference & Expo series. The event will take place in Hyderabad, Chennai and Bangalore, India on January 16-18, 2007.

Events: September 14, 2006 to November 13, 2006

The following event listing is taken from the LWN.net Calendar.

Date(s): Event (Location)

September 12-15: php|works/db|works 2006 (Toronto, Canada)
September 13-15: 2006 WebGUI Users Conference (Las Vegas, NV)
September 14: NLUUG najaarsconferentie 2006 (Gelderland, The Netherlands)
September 14-16: Wizards of OS 4 - Information Freedom Rules (Berlin, Germany)
September 14-15: RailsConf Europe 2006 (London, UK)
September 14: Open Source: New DoD Paradigm, or Business as Usual? (Arlington, VA, USA)
September 14-15: Software Tagging Workshop (Portland, OR, USA)
September 16-17: WineConf (Reading, UK)
September 16-17: Linux-Delhi (India Linux users group Delhi chapter) Freedel 2006 (Delhi, India)
September 17: KLDP 10 year Anniversary Free/Open Source Software Conference (Seoul, Korea)
September 18-21: 2006 European Open Source Convention (Brussels, Belgium)
September 18-21: New Security Paradigms Workshop (Schloss Dagstuhl, Germany)
September 19-21: High Performance Embedded Computing Workshop (Lexington, MA, USA)
September 23-30: KDE World Summit 2006 (Dublin, Ireland)
September 25-28: Embedded Systems Conference (Boston, MA)
September 29-30: No cON Name 2006 Congress (Palma de Mallorca, Spain)
September 29 - October 1: ToorCon 2006 (San Diego, CA)
September 29 - October 1: Encuentro de Desarrolladores de GNOME Zaragoza (Zaragoza, Spain)
September 30 - October 1: RuxCon 2006 (Sydney, Australia)
September 30: Ohio LinuxFest 2006 (Columbus, Ohio)
September 30: Defective by Design, 2pm-5pm, Apple Store, Regent Street (London, UK)
October 1-4: Gelato ICE Itanium Conference and Expo (Biopolis, Singapore)
October 1-3: LinuxBIOS Symposium 2006 (Hamburg, Germany)
October 2-5: Security OPUS Infosec Conference (San Francisco, CA, USA)
October 7-9: GNOME Boston Summit (Boston, MA, USA)
October 9-13: ApacheCon US (Austin, TX)
October 9-13: 13th Annual Tcl/Tk Conference (Naperville, IL)
October 11-12: Eclipse Summit Europe (Esslingen, Germany)
October 11-12: Linux World Conference and Expo (Utrecht, The Netherlands)
October 12-15: Eighth Real-Time Linux Workshop (Lanzhou, Gansu, China)
October 18-19: International Conference on IT-Incident Management and IT-Forensics (Stuttgart, Germany)
October 18-22: Pike Conference 2006 (Riga, Latvia)
October 19-21: HackLu 2006 (Kirchberg, Luxembourg)
October 19-20: DC PHP Conference (Washington, D.C.)
October 20-22: aLANtejo 06 (Évora, Portugal)
October 20-22: RubyConf 2006 (Denver, Colorado)
October 22-27: Colorado Software Summit (Keystone, CO, USA)
October 23-24: Mono User and Developers Meeting (Cambridge, MA, USA)
October 23-26: Enterprise Architecture Practitioners Conf (Lisbon, Portugal)
October 25-26: LinuxWorld UK 2006 (London, UK)
October 25-27: Plone Conference 2006 (Seattle, WA)
October 26-27: IT Underground (Warsaw, Poland)
October 26-27: Free Software and Open Source Symposium (Toronto, Canada)
October 28: LinuxDay 2006 (Many of them, Italy)
October 31 - November 2: Zend/PHP Conference and Expo (San Jose, CA)
November 1: Ingres Users Association Conference (London, England)
November 4-8: I Jornadas técnicas KDE de Zaragoza (Spain)
November 4-11: Open Source in Performance and Exhibition (London, England)
November 5-8: International PHP Conference (Frankfurt, Germany)
November 5-10: Ubuntu Developer Summit - Mountain View (Mountain View, CA, USA)
November 6-10: Colorado Python seminar (Estes Park, CO, USA)
November 7-9: 2006 Web 2.0 Conference (San Francisco, CA)
November 9-10: Forum PHP 2006 (Paris, France)
November 10-12: Chicago Perl Hackathon 2006 (Chicago, IL, USA)
November 11-17: Supercomputing 2006 (Tampa, FL, USA)
November 11: FSFE Fellows Meeting (Bolzano, Italy)
November 12-14: Firebird Conference 2006 (Prague, Czech Republic)

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook

Letters to the editor

Corrections to Dan Shearer's summary of qmail

From:  Charles Cazabon <web-feedback-lwn.net-letters-danshearer-98.23.19.82.34.97.82.34.8-AT-discworld.dyndns.org>
To:  Linux Weekly News Letters <letters-AT-lwn.net>
Subject:  Corrections to Dan Shearer's summary of qmail
Date:  Fri, 25 Aug 2006 13:34:18 -0600
Cc:  Dan Shearer <dan-AT-shearer.org>

Greetings,
 
In your most recent issue, you published the first part of an article by Dan
Shearer about the various common Unix-based MTAs. Unfortunately, his summary
of qmail contains some fairly glaring errors (both of fact, and of more
debatable issues). As a long-time member of the qmail-using and -supporting
community, I feel I'm in a position to help correct the record.
 
Errors of fact in his article include:
 
1) Wrong website. He gives the URL http://www.qmail.org/ as the website of
qmail. That's not the case; D.J. Bernstein (qmail's author) maintains a
website for qmail at http://cr.yp.to/qmail.html . The qmail.org site, while
very useful for qmail users and administrators, is not officially affiliated
with qmail; it is a community-based site run by Russell Nelson.
 
2) Wrong release count and dates. He claims qmail was last updated by the
author in 1997. qmail 1.03 was released in June of 1998, as is clearly listed
on the website and in the software documentation.
 
3) Wrong information about contributors. He claims there have been no major
contributors to qmail other than its primary author. That's not the case; a
simple perusal of the included documentation reveals a number of additional
contributors. Fairly major portions of the code were based on some users'
contributions, including the included POP3 server and authentication framework
for such (based on code contributed by Russell Nelson).
 
Other erroneous or misleading statements he makes are more debatable. For
instance, he says qmail's source is "usable within very tight restrictions".
On the contrary, qmail's author explicitly states that the source code can be
modified and used at will for any purpose; the only restrictions the author
places on it are on redistribution -- there are absolutely no restrictions on
its use.
 
Another statement seems like trolling: "No, qmail isn't a realistic option
these days". That would come as a surprise to the millions (literally; see
the SMTP surveys) of sites running qmail. He also states "it isn't possible
for someone else to maintain it", which also comes as a surprise to those of
us who *do* maintain it; see http://qmail.org/netqmail/ , where a group of
regular qmail users maintains the legally-distributable, currently-maintained
version. This is particularly galling because he goes on to actually refer to
netqmail in the next paragraph.
 
Charles Cazabon
 
P.S. Note I am an LWN subscriber, but I post from another address because of
the volume of spam a posting on the LWN letters page attracts.
 
 
--
-----------------------------------------------------------------------
Charles Cazabon <web-feedback-lwn.net-letters-danshearer-98.23.19.82.34.97.82.34.8@discworld.dyndns.org>
-----------------------------------------------------------------------

The New Dependency Hell

From:  "Metathronius Galabant" <m.galabant-AT-googlemail.com>
To:  letters-AT-lwn.net
Subject:  The New Dependency Hell
Date:  Wed, 6 Sep 2006 14:18:29 +0200

Dear Editor,
 
I recently found myself in the situation of installing an email server.
Because the system you know best and have built your remaining
infrastructure like PCs and servers on is the most secure system - I
went with CentOS.
CentOS is a 100% spin-off of some American red thingy distribution
(that company requested that all hints that they are related in
some way be removed). I chose "minimal installation", which presented me with
around 700MB of installed packages (very big for minimal, I'd say).
After removing each and every unneeded package I came down to ~400MB.
 
Because the configuration files have long gone beyond hand-editable
(only replacing the hostname requires touching a handful of files
because it's referenced more than once like in DHCP_HOSTNAME and the
network profiles etc) I decided to go with the natural tool
"system-config-network".
 
#> yum install system-config-network
 
which is about 397K (pretty big, isn't it?).
But the dependencies weighed in at no less than 40 packages, ranging
from CORBA implementations (ORBit2) to gtk2 to even alsa-lib,
audiofile and esound (sound is surely needed on a server) to even half
of the gnome-libs.
 
And now for the best:
Why I even need an OpenGL library (xorg-x11-Mesa-libGL) to *JUST*
configure my network properly is beyond my understanding. I'm an
aspiring PhD with my main field in computer science and I do care
about code reuse and centralized functionality, but this is beyond
ridiculous. The KISS principle has been violated so badly that you
can't even hear it screaming.
 
If any of the red thingy distribution employees reads this: please put
the administration fun back into your distribution!
And please also update the text utilities to cope with the current
configuration policies (netconf doesn't, and neither does
system-config-network-tui).
 
Thank you from an admin who has been active for 11 years in the Linux field.

Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds