September 20, 2006
By Pamela Jones, Editor of Groklaw
It isn't just the GPL that is being updated. Creative Commons is working on
changes to its licenses also, and for some of the same reasons. It was
announced early in August that changes were in the works, and you can read
the proposed draft language on that page. While it was hoped that the
license would be finished by the beginning of September, the discussions
continue on the CC public discussion board. A major sticking point? What
to do about DRM.
There is already an anti-DRM clause in the Creative Commons licenses which
reads like this:
You may not distribute,
publicly display, publicly perform, or publicly digitally perform the
Work with any technological measures that control access or use of
the Work in a manner inconsistent with the terms of this License
Agreement.
What is proposed are some amendments to clarify
the language, but some, particularly in the Debian camp, worried that the
language in the draft was inconsistent with the Debian Free Software
Guidelines, and instead proposed a kind of parallel distribution
clause, in order to give programmers freedom to code for both open and
closed systems.
Creative Commons project lead Mia Garlick opened the
topic up for discussion.
Some find it ridiculous to argue that the way to promote freedom is by
allowing DRM, with its potential to take CC works and close them off. They
see DRM as the fast track to destroying the share-alike community that
Creative Commons authors are choosing to be a part of. The whole point of
having such a license, after all, is precisely to avoid the sort of total
freedom to do whatever you wish with the work that would be possible if
the author chose to release it into the public domain.
As one comment put it, allowing DRM on CC'd works in the name of
freedom is like saying the way to promote democracy is to vote in a
dictator.
And so the upgrade to CC version 3.0 is going through a discussion
similar to the one around GPLv3. Because of the opposition, the dual
license idea isn't currently in the draft, as Garlick explained:
Consequently, CC is currently not proposing to include this new
parallel distribution language as part of version 3.0; however,
because it is not clear whether the Debian community will declare the
CC licenses DFSG-free without it and because it represents an
interesting proposal, we felt that it was appropriate to circulate
the proposal as part of the public discussions of version
3.0.
It's a fascinating discussion, and polite. If you
wish to join in, here's where
you go. You must subscribe
to post a comment.
To get up to speed on what has already been
discussed, here's
a PDF that summarizes the discussion so far, along with Creative
Commons' reactions to various suggestions, available here.
The Debian point of view, as far as I can see, is being expressed by
Evan Prodromou, and the contrary view by many, but outstandingly by Rob
Meyers and Greg London. You can find the archives by author here. My
best suggestion would be to start
here, and just click on "next message" for a while to follow the
discussion in a straight line. At that starting link, London suggests
making sure "DRM can't be used to take a work private
or set someone up as sole source for DRM-versions
of works," and Meyers answers
Prodromou's expressed concerns about "licensees being free to distribute
works in their format of choice." Prodromou expresses
this worry:
Sony's not going to change their platform for
us. They're just not.
Millions of users aren't going to throw out their PS2's because they
can't play Free Content games on them. It's not going to happen. So the
question becomes whether we're going to hamstring Free Software
developers who want to port to this kind of platform. What purpose does
it serve, besides restricting the freedom of those developers?
Again, I'll contrast to Free Software applications running on
proprietary operating systems. If the GPL had forbidden running or
developing a Free app on a proprietary OS, there would be no Free Software
today.
Letting people make their own accommodations with the increasingly DRM'd
world means we will see Free Content on more platforms, not less.
Turning up our nose and saying that our content is too good for DRM'd
platforms won't stop DRM; it'll just impede the distribution of Free
Content.
I don't like DRM. I think it sucks. But license provisions are the wrong
place to fight it.
He amplifies
in this comment:
There are millions of people who have
game consoles, text readers, and music players that require some sort of
DRM. And even if it's just one person who can't use a work on one piece
of hardware, it's still wrong.
Of course, that's when the
discussion gets really interesting. Meyers points
out:
Embracing DRM will not move the movement
forward. Unless you spin it
180 degrees.
My son tells me that Sony are now allowing people to play vanilla
MPEGs on PSPs. So problem solved. We don't need a blanket DRM
permission to use free culture on PSPs.
When one comment states,
"That's why pleas for DRM are *not* pleas for user freedom," Prodromou
argues,
Parallel distribution doesn't restrict freedom. It gives *at
least* the
same freedoms as distributing in an unencumbered format, *plus* the
freedom to run on a DRM-only platform. That's more freedom, not less.
To
which London responds:
If it means you can put FLOSS work on a DRM-only
player, and you can't play non-DRM versions on the player,
and you can't even legally convert your works to a
DRM-compatible format without paying iSuck Corp a lot
of money, then the barn door is open and it's only
a question of when the wolves are coming in.
Another issue, and again this is identical to efforts in GPLv3, is to
internationalize the license. The CC proposed solution is this, according
to the August announcement:
Another big feature of version 3.0
is that we will be spinning off
what has been called the "generic" license to now be the US license
and have crafted a new "generic" license that is based on the
language of international IP treaties and takes effect according to
the national implementation of those treaties. This may only be
something that gets IP lawyers excited but I thought it might be good
to share this draft with the community as well in order to ensure
full transparency and in case people were interested and/or had any
comments.
And finally, there is discussion
on just what the definition of "noncommercial" is.
I would suggest that you
take the time to read all the comments
themselves in August and September, though, and not just rely on the PDF
summary, as there is already a comment
indicating the summary didn't get every point precisely as the commenter
intended. Besides, figuring out the appropriate response to DRM is a very
important task, one the community needs to get right.
Lawrence Lessig appeared at the third edition of the Wizards of OS to
launch Creative Commons Germany. He returned at
WOS4, instead,
to talk about free culture. As it turns out, Mr. Lessig has
recently moved to Berlin to spend the next year working on his next book,
so there may well be other opportunities for the locals to hear him speak.
For the rest of us, though, it was a rare treat.
![[Lawrence Lessig]](/images/conf/wos4/lessig1-sm.jpg)
He started by talking about the composer John Philip Sousa, who had
expressed frustration (to a Congressional committee) with the "talking
machines" which were just becoming
common in his time. These machines, he feared, would turn the public into
mere listeners, rather than people who participated in the creation of
music. Many years later, Mr. Lessig notes, this "read-only" approach to
culture has indeed taken over, especially in the U.S.
The talk then shifted to the founding of the U.S. Republican party, which
was based, at that time, on the idea of "free labor." Working for others
was seen as a form of indentured slavery - especially given the kind of
labor contracts which were in use at that time. The idea motivating the
Republicans was a vision of a country where people owned their own means of
production and worked for themselves. Needless to say, things did not work
out that way. Industrialization pushed the economy in a different
direction, and, by the 1870's, 70% of the workers in the U.S. were
employees. Free labor, he says, is a "fantasy" now.
The idea is beginning to come back, however, as the net is enabling more
people to own their own production equipment. We are also seeing similar
trends in politics - the 20th century mode of being told what to think by
politicians on the television is giving way to a blog-driven participatory
democracy. It's becoming a read-write system. And that, Mr. Lessig says, is
how things have been for most of our history; the 20th century was an
aberration in this regard.
Moving back to culture, Lessig noted that the Internet can enable both
read-only and read-write culture. In the read-only mode, the net is a
channel by which we can consume culture created elsewhere. The classic
example here would be iTunes, which allows the purchase of music for
specific devices, to be used in specific ways. The Internet can be a way of
perfecting the control held by content owners.
But it need not be that way.
To demonstrate the read-write alternative, he showed a few videos taken
from the net. These varied from silly works involving reworked anime clips
set to music rather different from that used by the original creators
through to highly political pieces. Something to offend everybody - but
highly amusing. Text, says Lessig, is "the Latin of our time"; video is
the way to communicate in this era. Unfortunately, many of the videos he
showed have been subjected to takedown notices and other attacks from
copyright holders. Lessig also mentioned a film which won a prize at
Cannes; it was made for all of $218, but then the creator was faced with a
$400,000 bill to clear the rights for the background music used.
There are many differences between the read-only and read-write views of
culture, starting with the way that the read-write view departs from the
"couch potato" mode. Read-write culture is a participatory medium. The
read-write culture is also far larger, by almost any measure. It certainly
involves more people, but it can also be economically larger.
Unfortunately, current copyright law heavily favors the read-only mode. It
controls the right to make copies, but, in the digital world, any use of a
work involves copying it. So every use requires permission. Content
holders are making full use of this legal view, which, in the end, means
they have control over how people use culture.
Copyright law, in other words, conflicts with the read-write net. It
smothers it.
Jack Valenti described "piracy" as his own terrorist war. We are, it
seems, fighting a war where the terrorists are our own children. And the
tools which are being deployed in this war, in the name of stopping piracy,
are also killing read-write culture.
So what do we do about all this? The first step, says Lessig, is to enable
free culture in any way we can. And that requires building free tools.
The free software community, for all of its successes, has not yet
succeeded in building a comprehensive set of friendly tools which can be
used by artists. We need to fight DRM in any way we can, support free
codecs and protocols to the greatest extent possible, and support free
software everywhere.
We must also build a legal platform for free culture. The Creative Commons
license is aimed at that goal. It seems to be having some success; by one
measure, there are now as many as 140 million CC-licensed works
available on the net.
Finally, Lessig says, we must reach out and support the creation of free
culture on proprietary platforms. In particular, the estimated one million
Flash developers should be brought into the read-write world. That
involves encouraging them to share their code, putting "view source"
buttons on Flash products, etc. By reaching out to these people, we'll
grow the support for free culture, and, ultimately, free platforms. Free
software, he says, was not initially built on free platforms; free culture
will need to take a similar path.
In summary, says Lessig, the 20th century is best described as the
"weirdest century." But it's over. If we can grow the free culture
movement, we will enter truly into the read-write world, and we'll all be
richer for it.
During the question period, Mr. Lessig was asked what he thought of Richard
Stallman's refusal to support the Creative Commons licenses. The day of
that announcement, he responded, was one of the most depressing of his
life. He stands by the Creative Commons licenses, however. The artistic
community still has not really had the discussion of what rights it needs
to be truly free. There is no artistic equivalent to the "four freedoms"
for software. Until that discussion has happened, the Creative Commons can
only defer to the free-culture friendly musicians it is working with
(Gilberto Gil was mentioned) and go with what they suggest. Mr. Lessig
does not feel that he knows better, and will not try to force a particular
vision of freedom on them - even if it means losing Richard Stallman's
support.
The question was asked: don't the Creative Commons licenses constitute an
admission that many of the rights often claimed under fair use do not
actually exist, since those rights must be codified separately in a
license? That can be a problem, he responded, which is why these licenses
have always been written as a grant of additional rights beyond all of
those already permitted by law. In the end, it comes down to a choice of
trying to build this legal platform, or doing nothing at all; they chose to
act.
One problem which must be faced by any cooperative project is that of
quality management. If anybody can contribute to a work, how can a project
ensure that its output is up to the standards it has set for itself? A
Wizards of
OS 4 panel session on this topic highlighted three very different
approaches to this issue.
Ullrich Pöschl, a researcher at the Max Planck Institute for Chemistry, is
trying to address a number of problems with the scientific publishing
world. Publication is crucial to scientists - it is, in the end, the one
concrete result from their work which matters. But the process to
publication is long and frustrating, and can often be hampered by personal
agendas and scientific conservatism. Your editor, who in a previous life
actually published a paper in a refereed journal, can attest to what a
painful process it can be. There are also problems with scientific fraud
and (much more often) plain old carelessness. Scientists, in their rush to
get their work out, will often not take the time to produce work of the
needed quality. Quite a few papers are published which contribute little
and actually dilute the pool of scientific knowledge.
On the other side, scientific journals are tremendously expensive, and they
publish last year's work. There are a lot of pressures for faster - and
more open - access to scientific results. It seems that a more open
approach would benefit everybody, but only if the quality level can be
maintained.
Ullrich is a founder of a relatively new journal (Atmospheric Chemistry
and Physics) which has set out to demonstrate a
new approach to scientific publication. This journal has retained much of
the classic scientific publication process - every paper is still reviewed by
anonymous referees whose questions must be answered to the editor's
satisfaction. Where things differ is in the openness of the process.
When a paper is submitted, as long as it's not complete junk, it will be
immediately published as a "discussion paper" on the journal's web site. It is
clearly marked as an unreviewed paper, not to be taken as definitive
results at that time. While the referees are reviewing the paper, others
can post comments and questions as well. These others are limited to "registered
scientists," since the desire is to keep the conversation at a high level.
The comments become part of the permanent record stored with the paper, and
they can, at times, be cited by others in their own right. The editor will
consider outside comments when deciding whether the paper is to be accepted
and what revisions are to be required.
After using this process for five years, Atmospheric Chemistry and Physics
has the highest level of citations in the field. Citations are important
in the scientific world: they are an indication that a given set of
research results has helped and inspired discoveries elsewhere. The high
level of citations here indicates that this publication process is
succeeding in attracting high-level papers and filtering out the less
useful submissions.
Things are at an early stage - out of approximately 7,000 scientific
journals, about five are currently publishing with this sort of technique.
Others are interested, however, and that number can be expected to grow in
the future.
Martin Haase then took the podium to talk about quality management in
Wikipedia. While Wikipedia is a useful resource, there have been a number
of well-reported problems. Some articles can be flat-out wrong, or,
sometimes, distorted to meet somebody's political goals. Maintaining and
improving Wikipedia's reputation will require getting a handle on
these problems.
Some measures being taken by Wikipedia are:
- Putting restrictions on anonymous access. In particular, anonymous
editors cannot create new articles.
- Getting a better handle on attribution of work. Wikipedia maintains
an article editing history now, and has lists of contributors. Some
people, it seems, have been surprised to learn this, and have
changed the style of their contributions afterward.
- A two-level reviewing process. Articles which have been heavily
reviewed and deemed to be correct can be designated as "featured"
articles. This process, however, turns out to be slow, so a new, less
rigorous "good article" designation has been created as well.
- Specific metadata about validation is being added to articles.
- There is a mechanism for creating permanent links to specific
versions of articles. These links can be used by outside sites to
link to a "known good" version of an article with no need to worry
about what subsequent changes could bring.
While agreeing that improving the quality of Wikipedia articles will be a
never-ending process, Martin seems to think that the measures being taken
will move things in the right direction. He warned explicitly about
"expertism" - requiring that articles be written by experts in the field.
It can be hard for experts to write articles for people who are unfamiliar
with the field - their work tends to be jargon-heavy and written at the
wrong level. They also tend to run in schools, and expert-written
articles tend to reflect the views of one school only. Limiting
contributions to experts would, in Mr. Haase's view, rob Wikipedia of much
of its usefulness.
The third panelist, Larry Sanger, disagrees. Larry was a part of the
creation of Wikipedia, but has since fallen out with that project. So,
while claiming to be a "big fan of Wikipedia," he spent much time
criticizing it. Wikipedia, he says, was meant to be the wild side
of Nupedia; it was never supposed to be the whole thing. With only
half of the original design, he says, it is not surprising that things have
gone wrong.
So what has gone wrong? According to Larry, the Wikipedia rules are not
enforced uniformly, leading to lots of abuses. Anonymous editing attracts
trolls and other people whose main purpose is not the creation of a
top-quality encyclopedia. The Wikipedia community is insular and hard to
join. And there is no place for academics, people who are experts in
their field. Wikipedia people may fear expertism, but Larry, instead, is
on a campaign against amateurism. This amateurism, he says, is behind many of the
problems with Wikipedia, but the community will not recognize these
problems, and, thus, he says, will never fix them.
So Larry is going to fork Wikipedia. His project, called The Citizendium, will, he says, be very
different. It will start out very much the same, however: the same
software, and copies of all the Wikipedia articles. Those articles will
track changes to their Wikipedia equivalents until they are changed
locally, at which point they will become a hard fork. There are no plans
to fork the software. In essence, the Citizendium intends to make full use
of Wikipedia's free licensing (as is its right) to bootstrap the new site,
and only move away from Wikipedia content when and where it feels it has
something better to offer.
There will be some distinct roles for members of the Citizendium project. People who
are deemed to be sufficiently expert in a given field will be called
"editors"; regular contributors will be expected to defer to the editors in
their field of expertise. These editors will be self-selecting, but they
must publicly state their credentials. Editors can mark an article as
being "approved," indicating that, in their opinion, it has reached a
certain level of quality.
There will be no anonymous editing allowed in the Citizendium, and no
pseudonyms either. All contributors must work under their own names.
There will be a number of rules on how contributors and editors are
supposed to work, with quick expulsion from the project for those who do
not follow them. To that end, there will also be "constables," whose job
is to enforce these rules.
There are vague plans for a meeting to draft and approve the charter under which
the project operates. For now, however, the Citizendium is very much Larry
Sanger's project, with goals and processes set by him. Whether it will be
able to build a community and maintain it while keeping quality high
remains to be seen.
Page editor: Jonathan Corbet
Security
September 20, 2006
This article was contributed by Jake Edge.
Providing random or semi-random data to a program to see what happens is
an excellent black-box testing technique known as
fuzzing. Programs that
generate this data are, unsurprisingly, called fuzzers and are a potent
tool for folks doing penetration or other kinds of testing. After
sitting through some interesting presentations at this summer's
Black Hat Briefings, it seems like a good opportunity for an overview
of fuzzing and some pointers to tools, techniques and research.
Generating bad input for programs is a time-honored tradition for test
engineers, but human-generated test suites tend to contain fewer cases
than a fuzzer can produce. In addition, test engineers may make
implicit assumptions about the kind of data that can or will be fed into
a program, where an automated, brainless fuzzer will just try anything.
The simplest fuzzer will just send random bytes of data to a
program and see what, if anything, happens. It might also vary the length
of the data that it sends to explore buffer length issues and the like.
More sophisticated fuzzers extend those simple techniques with more
domain-specific data. A fuzzer targeted at web applications might
generate GET and POST queries using (and abusing) the variables that
the form or page submits as well as adding in some random variables and
values. A fuzzer targeting a web browser might generate random input that
conforms to HTML syntax, with random tags and attributes as well as abuse
of the defined tags. This domain-specific approach tends to yield better
results by limiting the search space, but that can lead to some of the same
implicit assumption problems that are prevalent in human-generated
tests. A combination of both simple and complex fuzzing is likely the
best approach.
Open source tools for fuzzing various applications and protocols are
available; Jack Koziol provides a nice, but not exhaustive, list.
While it is not specifically a fuzzer, one must mention
Metasploit, the Swiss Army knife of
penetration testing, which provides a framework for all kinds of exploit
testing. It would appear that the Ruby language is gaining some traction
for penetration testing, as Metasploit has been rewritten in Ruby for its
next version and RFuzz provides a nice library
for web application fuzzing. Most other popular languages (C, Perl, Python,
Java) are represented as well.
Researchers at the University of Central Florida are trying to take fuzzing
a step further by using information about what portions of the code
were exercised by various inputs and whether they led to program crashes
to drive a
genetic
algorithm that 'optimizes' for inputs that are likely to cause
crashes. Obviously, this is no longer black-box testing, but it could be
a fairly useful technique for projects that are looking for vulnerabilities
in their own code. Slides from the Black Hat presentation are available
here
(PDF).
An input source that is often overlooked is data files. Because these files
are often generated by a program, it is easy to write code that
blindly believes what a data file says; this mistake has led
to many exploits. Dan Kaminsky briefly talked about data format fuzzing in
his "Black Ops 2006" presentation. He presented some ideas from his research
into automated recognition of formats for the purposes of fuzzing them.
Just feeding a random stream of bytes into a program meant to read a specific
format is less likely to cause it to fail. With some rudimentary understanding
of the format and fuzzing within that framework, much more interesting
program failures can be provoked. Dan's slides are available
here,
unfortunately in PowerPoint format, but readable by OpenOffice.org.
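The difference between a random-byte fuzzer and one that understands the file format can be seen on a small scale. The following is an added example, not code from the article or from any of the tools it mentions; the `LWNF` record format, the parser and its deliberate trust in the length field are all constructed for illustration.

```python
import random
import struct
from collections import Counter

# Constructed toy file format (an assumption for this example, not from the
# article): 4-byte magic, version, type, 16-bit big-endian payload length,
# the payload, then one checksum byte (sum of payload bytes mod 256).
MAGIC = b"LWNF"
HEADER = struct.Struct(">4sBBH")


class FormatError(ValueError):
    """Raised when the parser cleanly rejects malformed input."""


def build(payload, version=1, rtype=0, length=None):
    """Serialize a record; `length` overrides the honest length field."""
    if length is None:
        length = len(payload)
    header = HEADER.pack(MAGIC, version, rtype, length)
    return header + payload + bytes([sum(payload) % 256])


def parse(data, strict=False):
    """Parse one record. With strict=False the length field is believed
    blindly, which is the data-file mistake the article describes."""
    if len(data) < HEADER.size or data[:4] != MAGIC:
        raise FormatError("bad magic")
    _, version, rtype, length = HEADER.unpack_from(data)
    if version != 1:
        raise FormatError("unsupported version")
    end = HEADER.size + length
    if strict and end + 1 != len(data):
        raise FormatError("length field disagrees with file size")
    payload = data[HEADER.size:end]
    checksum = data[end]  # unhandled IndexError if the length field lies
    if checksum != sum(payload) % 256:
        raise FormatError("bad checksum")
    return {"type": rtype, "payload": payload}


def run(cases, strict=False):
    """Feed every case to the parser and classify what happened."""
    outcomes = Counter()
    for data in cases:
        try:
            parse(data, strict)
            outcomes["ok"] += 1
        except FormatError:
            outcomes["rejected"] += 1   # handled: validation did its job
        except Exception:
            outcomes["crash"] += 1      # unhandled: a finding to investigate
    return outcomes


def random_cases(n, seed=2006):
    """Simplest fuzzer: random bytes of random length."""
    rng = random.Random(seed)
    for _ in range(n):
        yield bytes(rng.randrange(256) for _ in range(rng.randint(0, 64)))


def format_aware_cases(payload=b"hello fuzz"):
    """Format-aware fuzzer: keep the file well-formed, then put boundary
    values into the version and length fields of the header."""
    n = len(payload)
    for version in (0, 1, 2, 255):
        for length in (0, 1, n - 1, n, n + 1, 0x7FFF, 0xFFFF):
            yield build(payload, version=version, length=length)


if __name__ == "__main__":
    print("random bytes      :", dict(run(random_cases(5000))))
    print("format-aware      :", dict(run(format_aware_cases())))
    print("after length check:", dict(run(format_aware_cases(), strict=True)))
```

The random cases never get past the magic-number check, while the 28 format-aware cases reach the length handling and expose the unhandled failure; with the length check enabled the same cases are all rejected cleanly.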
Internationalization (i18n) is another potentially exploitable area for many
applications. Scott Stender presented some ideas on fuzzing i18n data
at Black Hat, in particular using Unicode representations to get bad data
past validators when different levels of the application handle character
encodings differently. He gave some explicit examples of input that might
validate within a web application, but be interpreted differently by a database,
leading to various kinds of misbehavior. His slides are
here
(PDF).
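A developer can test their own validation stack for this kind of layer mismatch with a differential check. The following is an added example, not taken from the presentation; the deny-list, the `validate` function and the use of NFKC normalization as a stand-in for whatever character folding a back end performs are assumptions.

```python
import unicodedata

# Assumed deny-list for a hypothetical front-end validator.
FORBIDDEN = set("'\"<>;\\")


def validate(text):
    """Front-end check: accept text containing no forbidden character."""
    return not (FORBIDDEN & set(text))


def storage_layer(text):
    """Stand-in for a back end that folds compatibility characters.
    NFKC is an assumption here; real layers differ in what they fold."""
    return unicodedata.normalize("NFKC", text)


def find_normalization_gaps(limit=0x10000):
    """Differential test over the Basic Multilingual Plane: report every
    code point the validator accepts whose stored form it would reject."""
    gaps = {}
    for cp in range(limit):
        ch = chr(cp)
        stored = storage_layer(ch)
        if validate(ch) and not validate(stored):
            gaps[ch] = stored
    return gaps


def validate_canonical(text):
    """Corrected order: bring the input to the form the back end will
    see, then validate that form."""
    return validate(storage_layer(text))


if __name__ == "__main__":
    gaps = find_normalization_gaps()
    print(len(gaps), "code points change meaning between the two layers")
    for ch, stored in sorted(gaps.items())[:10]:
        print("U+%04X %s -> %r" % (ord(ch), unicodedata.name(ch, "?"), stored))
    sample = "O\uff07Brien"  # constructed input using FULLWIDTH APOSTROPHE
    print("validate then store :", validate(sample), repr(storage_layer(sample)))
    print("canonicalize first  :", validate_canonical(sample))
```

Any non-empty result means the validator and the layer behind it disagree about what the input contains; validating the canonical form closes the gap.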
Fuzzing can be used to find all kinds of security issues with a program:
buffer overflows, SQL injection, cross-site scripting, denial of service,
etc. It is, of course, no silver bullet. It is just a powerful
technique to help a developer or tester pinpoint areas where input
validation and filtering are not working and to give some level of confidence
that validation is working in other areas.
New vulnerabilities
bomberclone: information disclosure and denial of service
| Package(s): | bomberclone |
| CVE #(s): | CVE-2006-4005, CVE-2006-4006 |
| Created: | September 19, 2006 |
| Updated: | September 20, 2006 |
| Description: |
Luigi Auriemma discovered two security related bugs in bomberclone, a free
Bomberman clone. The program copies remotely provided data unchecked which
could lead to a denial of service via an application crash. Bomberclone
uses remotely provided data as length argument which can lead to the
disclosure of private information. |
dokuwiki: arbitrary command execution
| Package(s): | dokuwiki |
| CVE #(s): | CVE-2006-4674, CVE-2006-4675, CVE-2006-4679 |
| Created: | September 15, 2006 |
| Updated: | September 20, 2006 |
| Description: |
"rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR
HTTP header, allowing the injection of arbitrary contents - such as PHP
commands - into a file. Additionally, the accessory scripts installed
in the "bin" DokuWiki directory are vulnerable to directory traversal
attacks, allowing an attacker to copy and execute the previously injected code. |
firefox: multiple vulnerabilities
| Package(s): | mozilla firefox thunderbird |
| CVE #(s): | CVE-2006-4565, CVE-2006-4566, CVE-2006-4571, CVE-2006-4253, CVE-2006-4567, CVE-2006-4568, CVE-2006-4569 |
| Created: | September 15, 2006 |
| Updated: | November 14, 2006 |
| Description: |
Two flaws were found in the way Firefox/Thunderbird processed certain regular
expressions. A malicious web page/HTML email could crash the browser or
possibly execute arbitrary code as the user running
Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)
A number of flaws were found in Firefox/Thunderbird. A malicious web
page/HTML email could crash the browser or possibly execute arbitrary code
as the user running Firefox/Thunderbird. (CVE-2006-4571)
A flaw was found in the handling of JavaScript timed events. A malicious
web page could crash the browser or possibly execute arbitrary code as the
user running Firefox/Thunderbird. (CVE-2006-4253)
A flaw was found in the Firefox/Thunderbird auto-update verification
system. An attacker who has the ability to spoof a victim's DNS could get
Firefox to download and install malicious code. In order to exploit this
issue an attacker would also need to get a victim to previously accept an
unverifiable certificate. (CVE-2006-4567)
Firefox did not properly prevent a frame in one domain from injecting
content into a sub-frame that belongs to another domain, which facilitates
website spoofing and other attacks. (CVE-2006-4568)
Firefox did not load manually opened, blocked popups in the right domain
context, which could lead to cross-site scripting attacks. In order to
exploit this issue an attacker would need to find a site which would frame
their malicious page and convince the user to manually open a blocked
popup. (CVE-2006-4569) |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: |
The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
AVI, arbitrary code can be executed with the user's privileges. |
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
gnutls: signature forge vulnerability
| Package(s): | gnutls |
| CVE #(s): | CVE-2006-4790 |
| Created: | September 14, 2006 |
| Updated: | September 26, 2006 |
| Description: |
GnuTLS has a vulnerability with PKCS #1 v1.5 signatures.
If an RSA key with exponent 3 is used, an attacker may be able to
forge a PKCS #1 v1.5 signature. |
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | January 20, 2010 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | January 5, 2009 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
nss: signature forgery vulnerability
| Package(s): | nss |
CVE #(s): | CVE-2006-4340
|
| Created: | September 15, 2006 |
Updated: | October 18, 2006 |
| Description: |
Daniel Bleichenbacher recently described an implementation error in RSA
signature verification. For RSA keys with exponent 3 it is possible for an
attacker to forge a signature which would be incorrectly verified by
the NSS library. |
| Alerts: |
|
Comments (1 posted)
usermin: programming error
| Package(s): | usermin |
CVE #(s): | CVE-2006-4246
|
| Created: | September 15, 2006 |
Updated: | September 20, 2006 |
| Description: |
Hendrik Weimer discovered that it is possible for a normal user to
disable the login shell of the root account via usermin, a web-based
administration tool. |
| Alerts: |
|
Comments (none posted)
zope2.7: information disclosure
| Package(s): | zope2.7 |
CVE #(s): | CVE-2006-4684
|
| Created: | September 14, 2006 |
Updated: | September 20, 2006 |
| Description: |
Version 2.7 of Zope has an information disclosure vulnerability.
The csv_table directive is not disabled in web pages containing ReST
markup. Files that the Zope server has access to can be exposed. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
AlsaPlayer: multiple buffer overflows
| Package(s): | alsaplayer |
CVE #(s): | CVE-2006-4089
|
| Created: | August 28, 2006 |
Updated: | September 19, 2006 |
| Description: |
AlsaPlayer contains three buffer overflows: in the function that handles
the HTTP connections, the GTK interface, and the CDDB querying mechanism.
An attacker could exploit the first vulnerability by enticing a user to
load a malicious URL resulting in the execution of arbitrary code with the
permissions of the user running AlsaPlayer. |
| Alerts: |
|
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
audacious: buffer overflow
| Package(s): | audacious |
CVE #(s): | CVE-2006-3581
CVE-2006-3582
|
| Created: | August 2, 2006 |
Updated: | September 13, 2006 |
| Description: |
Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2006-4095
CVE-2006-4096
|
| Created: | September 7, 2006 |
Updated: | February 1, 2007 |
| Description: |
Bind has two denial of service vulnerabilities.
On recursive servers, queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
| Alerts: |
|
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
CVE #(s): | CVE-2005-4807
|
| Created: | August 17, 2006 |
Updated: | October 19, 2006 |
| Description: |
The GNU assembler (gas) in binutils is vulnerable to a buffer overflow.
If a user can be tricked into assembling a specially crafted file with
gcc or gas, arbitrary code can be executed with the privileges of the user. |
| Alerts: |
|
Comments (3 posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also, specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
capi4hylafax: missing input sanitizing
| Package(s): | capi4hylafax |
CVE #(s): | CVE-2006-3126
|
| Created: | September 1, 2006 |
Updated: | October 18, 2006 |
| Description: |
Lionel Elie Mamane discovered a security vulnerability in capi4hylafax,
tools for faxing over a CAPI 2.0 device, that allows remote attackers to
execute arbitrary commands on the fax receiving system. |
| Alerts: |
|
Comments (none posted)
cheesetracker: buffer overflow
| Package(s): | cheesetracker |
CVE #(s): | CVE-2006-3814
|
| Created: | September 4, 2006 |
Updated: | October 27, 2006 |
| Description: |
Luigi Auriemma discovered a buffer overflow in the loading component
of cheesetracker, a sound module tracking program, which could allow a
maliciously constructed input file to execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e.g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
CVE #(s): | CVE-2006-2607
|
| Created: | May 31, 2006 |
Updated: | June 1, 2009 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: |
|
Comments (1 posted)
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2004-2541
|
| Created: | May 22, 2006 |
Updated: | June 19, 2009 |
| Description: |
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target. |
| Alerts: |
|
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
Comments (none posted)
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
CVE #(s): | CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
|
| Created: | September 13, 2006 |
Updated: | October 5, 2006 |
| Description: |
Security issues were discovered in the Adobe Flash Player. It may be
possible to execute arbitrary code on a victim's machine if the victim
opens a malicious Adobe Flash file. |
| Alerts: |
|
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | June 1, 2010 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
ImageMagick: buffer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-3743
CVE-2006-3744
|
| Created: | September 6, 2006 |
Updated: | September 26, 2006 |
| Description: |
The latest set of buffer overflow vulnerabilities in ImageMagick can be found in the Sun Raster and XCF decoders. |
| Alerts: |
|
Comments (2 posted)
isakmpd: programming error
| Package(s): | isakmpd |
CVE #(s): | CVE-2006-4436
|
| Created: | September 13, 2006 |
Updated: | September 13, 2006 |
| Description: |
A flaw has been found in isakmpd, OpenBSD's implementation of the
Internet Key Exchange protocol, that caused Security Associations to be
created with a replay window of 0 when isakmpd was acting as the
responder during SA negotiation. This could allow an attacker to
re-inject sniffed IPsec packets, which would not be checked against the
replay counter. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause a system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others, e.g. Sparc, it can lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libmusicbrainz: buffer overflows
| Package(s): | libmusicbrainz-2.0 |
CVE #(s): | CVE-2006-4197
|
| Created: | August 30, 2006 |
Updated: | October 23, 2006 |
| Description: |
Several buffer overflows have been discovered in the libmusicbrainz CD index library. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types, effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libwmf: integer overflow
| Package(s): | libwmf |
CVE #(s): | CVE-2006-3376
|
| Created: | July 13, 2006 |
Updated: | November 6, 2006 |
| Description: |
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities. If a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mailman: several vulnerabilities
| Package(s): | mailman |
CVE #(s): | CVE-2006-2941
CVE-2006-3636
|
| Created: | September 8, 2006 |
Updated: | October 23, 2006 |
| Description: |
A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list
to stop working. (CVE-2006-2941)
Several cross-site scripting (XSS) issues were found in Mailman. An
attacker could exploit these issues to perform cross-site scripting attacks
against the Mailman administrator. (CVE-2006-3636) |
| Alerts: |
|
Comments (none posted)
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
CVE #(s): | CVE-2006-3242
|
| Created: | June 28, 2006 |
Updated: | October 24, 2006 |
| Description: |
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If a user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause
a .bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
openssl: insufficient signature checking
| Package(s): | openssl |
CVE #(s): | CVE-2006-4339
|
| Created: | September 5, 2006 |
Updated: | November 15, 2006 |
| Description: |
Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google
Security discovered that the OpenSSL library did not sufficiently check the
padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3
(which is widely used for CAs). This could be exploited to forge signatures
without the need of the secret key. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: arbitrary code execution
| Package(s): | php |
CVE #(s): | CVE-2006-4020
|
| Created: | August 22, 2006 |
Updated: | September 21, 2006 |
| Description: |
A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via argument
swapping which incremented an index past the end of an array and triggered
a buffer over-read. |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
sendmail: denial of service
| Package(s): | sendmail |
CVE #(s): | CVE-2006-1173
|
| Created: | June 15, 2006 |
Updated: | November 1, 2006 |
| Description: |
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service. |
| Alerts: |
|
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
squirrelmail: insecure permissions
| Package(s): | squirrelmail |
CVE #(s): | CVE-2006-4019
|
| Created: | August 14, 2006 |
Updated: | September 26, 2006 |
| Description: |
Squirrelmail contains a vulnerability that allows authenticated users to
read and write other users' preferences and attachments. |
| Alerts: |
|
Comments (none posted)
texinfo: temporary file vulnerability
| Package(s): | texinfo |
CVE #(s): | CAN-2005-3011
|
| Created: | October 5, 2005 |
Updated: | November 9, 2006 |
| Description: |
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
tin: buffer overflow
| Package(s): | tin |
CVE #(s): | CVE-2006-0804
|
| Created: | February 19, 2006 |
Updated: | November 24, 2006 |
| Description: |
An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier
which can lead to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
wireshark: several vulnerabilities
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-2802
|
| Created: | June 9, 2006 |
Updated: | September 29, 2006 |
| Description: |
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking a user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib | CVE #(s): | CVE-2006-1664 |
| Created: | April 27, 2006 | Updated: | February 27, 2008 |
| Description: | xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed. |
| Alerts: | |
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui | CVE #(s): | CVE-2006-2230 |
| Created: | June 9, 2006 | Updated: | January 24, 2007 |
| Description: | Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service. |
| Alerts: | |
Comments (none posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 | CVE #(s): | CVE-2006-4447 |
| Created: | August 28, 2006 | Updated: | April 30, 2007 |
| Description: | Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine. |
| Alerts: | |
Comments (none posted)
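The unchecked set*uid() pattern from the X.org entry above, next to a checked privilege drop, as an added example that is not code from X.org or from this page. The `priv_ops` indirection, the function names and the constructed credential model (a setuid-root helper started by uid 1000) are assumptions, used so the failing call can be reproduced without root or real resource limits.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection: lets the same logic run against the real system
 * calls or against the constructed model below. */
struct priv_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_euid)(void);
};

/* Constructed model of a setuid-root helper started by uid 1000. */
static uid_t model_ruid, model_euid;
static int   model_over_limit;   /* 1: target user is over its resource limit */

static void model_reset(int over_limit)
{
    model_ruid = 1000;
    model_euid = 0;
    model_over_limit = over_limit;
}

static int model_setgid(gid_t gid)
{
    (void)gid;
    if (model_euid == 0)
        return 0;
    errno = EPERM;
    return -1;
}

static int model_setuid(uid_t uid)
{
    if (model_euid != 0) {                /* unprivileged caller */
        if (uid == model_ruid)
            return 0;
        errno = EPERM;
        return -1;
    }
    if (uid != 0 && model_over_limit) {   /* the unsuccessful call from the entry;
                                             EAGAIN on Linux kernels of that era */
        errno = EAGAIN;
        return -1;
    }
    model_ruid = model_euid = uid;
    return 0;
}

static uid_t model_geteuid(void) { return model_euid; }

static const struct priv_ops model_ops = { model_setgid, model_setuid, model_geteuid };
static const struct priv_ops real_ops  = { setgid, setuid, geteuid };

/* Pattern from the entry: results ignored. Returns the effective uid that
 * the code following the "drop" runs with. */
uid_t drop_unchecked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    return ops->get_euid();
}

/* Checked drop. Returns 0 on success; on -1 the caller must exit rather than
 * continue with whatever privileges are left. */
int drop_checked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    /* Group first: once the uid is gone the process can no longer change it. */
    if (ops->set_gid(gid) != 0)
        return -1;
    if (ops->set_uid(uid) != 0)
        return -1;
    if (ops->get_euid() != uid)
        return -1;
    /* The drop must be permanent: asking for root again has to fail. */
    if (uid != 0 && ops->set_uid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    model_reset(1);
    printf("unchecked, over limit: continues with euid %u\n",
           (unsigned)drop_unchecked(&model_ops, 1000, 1000));
    model_reset(1);
    printf("checked, over limit:   %d\n", drop_checked(&model_ops, 1000, 1000));
    model_reset(0);
    printf("checked, normal:       %d\n", drop_checked(&model_ops, 1000, 1000));
    /* Real system calls: dropping to the ids the process already has. */
    printf("checked, real calls:   %d\n", drop_checked(&real_ops, getuid(), getgid()));
    return 0;
}
```

A grep for set*uid()/set*gid() calls whose result is discarded is a quick way to audit a code base for the same pattern.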
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 | CVE #(s): | CVE-2006-1526 |
| Created: | May 3, 2006 | Updated: | January 10, 2007 |
| Description: | There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: | |
Comments (none posted)
xorg-x11: privilege escalation
| Package(s): | xorg-x11 xfree86 | CVE #(s): | CVE-2006-3739 CVE-2006-3740 |
| Created: | September 12, 2006 | Updated: | December 14, 2006 |
| Description: | iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf | CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 | Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Comments (1 posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin | CVE #(s): | CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 |
| Created: | January 5, 2006 | Updated: | November 30, 2006 |
| Description: | xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: | |
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable kernel release is 2.6.18,
released by Linus on September 19. Do read
the announcement; it appears to have some changelog entries which did not
come directly from git.
There is a vast amount of new stuff in this release, including
priority-inheriting futexes, a new generic interrupt handling layer, a new
core time subsystem, the kernel locking validator, the SMPnice work, a bunch
of virtual memory work, a huge serial ATA update, the removal of devfs, and
much more. See the KernelNewbies LinuxChanges page for a much more detailed
list, the LWN 2.6 kernel API changes page for information on internal
programming interface changes, or the long-format changelog for thousands of
patches' worth of detail.
The current -mm release is 2.6.18-rc7-mm1. Says Andrew:
It took maybe ten hours solid work to get this dogpile vaguely
compiling and limping to a login prompt on x86, x86_64 and powerpc. I
guess it's worth briefly testing if you're keen.
He also notes
that this kernel will not run on distributions with an older version of
udev due to some driver core changes, a situation which was discussed here back in August.
Other changes to -mm include a "probably wrong" change to the
kmap() API to make it handle coherency issues, a new
GFP_THISNODE memory allocation flag, the removal of the questionable HDAPS driver for
unstated reasons (though it is worth noting that one of the last patches
into 2.6.18 made it clear that anonymous code contributions cannot be
accepted), the SLIM and integrity
measurement security modules, and a number of fixes.
For 2.6.16 users: Adrian Bunk released 2.6.16.29 with a number of fixes
on September 13.
The current 2.4 prepatch is 2.4.34-pre3, released on
September 19. The main change this time around is the inclusion of
the gcc 4.0 patches.
Comments (none posted)
Kernel development news
Sometimes, things just do not go according to plan. Mathieu Desnoyers is
the current maintainer of the Linux Trace Toolkit, a kernel event tracing
package which has, despite a significant user base, remained outside of the
mainline for many years. He recently posted a new LTT release with the
following introduction:
Following an advice Christoph gave me this summer, submitting a
smaller, easier to review patch should make everybody happier.
What resulted was a thread of
hundreds of messages, many of which could be
considered to be impolite even by linux-kernel standards. Clearly, LTT has
hit a nerve - especially surprising given that the points of real
disagreement are minimal.
At times, people have questioned whether the kernel needs any sort of
tracing facility at all. That particular question would appear to have
been resolved (affirmatively); the disagreement now would appear to be
whether that tracing should be static or dynamic. Static tracing works by
putting explicit tracepoints into the source code (they look like function
calls); the tracing framework can then enable or disable those tracepoints
at run time as desired. In a dynamic system, instead, tracepoints are
injected into a running system, usually in the form of a breakpoint
instruction.
The kernel already has dynamic tracing in the form of KProbes; LTT, instead, uses
(primarily) a static model. So the biggest question, at least on the
surface, has been over whether Linux needs a static tracing package in
addition to the dynamic mechanism it has now. This debate revolves around
a few points:
- Overhead, part 1: when tracing is not being used (the normal situation
on most systems), dynamic tracepoints clearly have lower overhead:
they do not exist at all. For all the work that is done to make
static tracepoints be fast when they are not in use, they still exist,
and will still have a (small) runtime cost.
- Overhead, part 2: when tracing is being used, static
tracepoints will tend to be faster. The breakpoint mechanism used by
KProbes can (in the current implementation) take about ten times as
many CPU cycles as a static tracepoint. There are projects in the
works (djprobes, in particular) which can reduce this overhead
considerably; Ingo Molnar also, as part of the discussion, posted a
series of patches which cut the KProbes overhead roughly in half.
One might wonder why overhead concerns people in this case. Tracing
is often used to track frequent events, so a higher tracepoint
overhead can slow things down in a noticeable manner. More
to the point, though, heavyweight tracepoints can change the timing of
events, leading to the dreaded "heisenbugs" which vanish when the
developer actively looks for them.
- Maintenance overhead: some developers are concerned that the addition
of static tracepoints to the kernel code will complicate the
maintenance of that code. Tracepoints clutter the code itself, and
they must continue to work into the indefinite future. In a sense,
each one can be thought of as a little system call which, once placed,
cannot be changed. Developers also worry that there will be pressure
to add increasing numbers of these tracepoints over time.
On the other hand, dynamic tracepoints impose a different sort of
overhead: everybody who is interested in a set of tracepoints must
take on the maintenance of those tracepoints. As the kernel changes,
the tracepoints will need to move around to follow those changes.
Keeping a set of dynamic tracepoints current can, in fact, be a
nontrivial and tiresome job. Tools like SystemTap help in this
regard, but they are far from a complete solution at this time.
Static tracepoints placed into the kernel code, instead, will continue
to work as that code changes.
- Flexibility: dynamic tracepoints can be placed anywhere at any time, but
static tracepoints require, at a minimum, a source code edit, rebuild,
and reboot. Dynamic tracepoints can more easily support runtime
filtering of events as well. On the other hand, static tracepoints
currently are better at accessing local variables.
- Architecture support: KProbes are not currently implemented on all
architectures, so they are not available to all Linux users. Static
tracepoints tend to require less architecture-specific trickiness, and
are thus easier to support universally. On the other hand, it has
been argued, the addition of static tracepoints would take away much
of the incentive architecture maintainers might have to make KProbes
work.
Reading through the discussion, one could be forgiven for going into a
state of complete despair. The interesting thing, though, is that the
level of disagreement is lower than one might think. There is a near
consensus among the participants that there is a place for both
static and dynamic tracepoints. Static tracing of events of interest will
help a lot of people - user-space developers and system administrators, not
just kernel developers - understand what is going on in the system. Making
all of these people figure out where to place, for example, a tracepoint to
report scheduler changes in a specific kernel makes things a lot harder.
The key point, however, is that the value of the static point is not really
its static placement, but the fact that it is a clear indicator of where
the tracepoint needs to be. So it has been suggested that an answer which
might please everybody is to insert "markers" rather than tracepoints.
These markers, which could live in a different section of the kernel image,
are simply signs pointing out where a dynamic tracepoint should be
inserted, should the need exist. To this end, Mathieu has posted a simple marker patch; it was promptly fired
upon for implementation issues, but there are few people who are opposed to
the idea.
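A user-space sketch of the marker idea described above, added here as an illustration; it is not Mathieu's patch and not kernel code. The `MARK` macro, the `trace_markers` section name and the demo functions are assumptions, and the section-bounds symbols rely on GCC or Clang with GNU ld or lld on an ELF system.

```c
#include <stdio.h>
#include <string.h>

typedef void (*probe_fn)(const char *name, long arg);

/* One record per marked site. The records live in their own ELF section,
 * away from the code that contains the marker. */
struct marker {
    const char *name;
    probe_fn volatile probe;   /* NULL while off; volatile because it is
                                  written through the section table */
};

/* GNU ld and lld define these bounds for a section named like a C identifier. */
extern struct marker __start_trace_markers[];
extern struct marker __stop_trace_markers[];

/* The marker itself: looks like a call, costs one load and one branch when off. */
#define MARK(label, arg)                                                       \
    do {                                                                       \
        static struct marker m_                                                \
            __attribute__((section("trace_markers"), used)) = { label, NULL }; \
        probe_fn p_ = m_.probe;                                                \
        if (p_)                                                                \
            p_(m_.name, (long)(arg));                                          \
    } while (0)

/* Number of marked sites found in the section. */
int marker_count(void)
{
    return (int)(__stop_trace_markers - __start_trace_markers);
}

/* Attach (or, with NULL, detach) a probe at every site carrying this name.
 * Returns how many sites matched. */
int marker_set_probe(const char *name, probe_fn probe)
{
    int hits = 0;
    for (struct marker *m = __start_trace_markers; m < __stop_trace_markers; m++) {
        if (strcmp(m->name, name) == 0) {
            m->probe = probe;
            hits++;
        }
    }
    return hits;
}

/* Constructed stand-ins for instrumented code paths. */
static void schedule_demo(int next_pid) { MARK("sched_switch", next_pid); }
static void syscall_demo(int nr)        { MARK("syscall_entry", nr); }

static long events_seen, last_arg;

static void count_probe(const char *name, long arg)
{
    (void)name;
    events_seen++;
    last_arg = arg;
}

/* Runs both sites with the probe off, on, and off again; returns events seen. */
long run_demo(void)
{
    events_seen = 0;
    schedule_demo(1);                       /* nothing attached: no event */
    syscall_demo(2);
    marker_set_probe("sched_switch", count_probe);
    schedule_demo(42);                      /* fires */
    syscall_demo(3);                        /* this site is still off */
    marker_set_probe("sched_switch", NULL);
    schedule_demo(7);                       /* off again */
    return events_seen;
}

int main(void)
{
    int  sites  = marker_count();
    long events = run_demo();
    printf("%d markers, %ld event(s), last arg %ld\n", sites, events, last_arg);
    return 0;
}
```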
So markers may well be the way this work goes forward. If the LTT code
could be reworked around the marker concept, then the way might be clear
for a discussion of what else needs to happen before that code could be
merged (there are a number of issues to talk about there which have been,
thus far, overshadowed by the current debate). After suitable
consideration, a carefully-selected set of markers/tracepoints could be
added to the mainline kernel, enabling anybody to easily hook into and
monitor well-known events. Once the smoke clears, there might just be a
viable solution which will please almost everybody.
Comments (9 posted)
Containers have been an area of increased developer interest over the last
year or so. The container concept offers many of the advantages of full
paravirtualization, but at a much lower cost, allowing more virtual
machines to be run on the same host. The only problem is getting everybody
to agree about just what a container is. The recent
container patch set from Rohit Seth is another
attempt to flesh out this concept.
Many approaches to containers are oriented around process trees - one
process explicitly encloses itself within a container, and becomes the
"init" process there; the container is then populated with the children of
the initial process. Rohit's patch maintains part of that functionality -
when a process calls fork(), the child will belong to the same
container as the parent (if any), but the mechanism is a bit more flexible
than that. Arbitrary processes can be added to - and removed from - a
container at any time.
Such changes are effected through a configfs interface. If configfs is mounted on
/config, the system administrator can work with containers by
moving into /config/containers. A new container is created by
making a new directory there; containers, thus, are identified through a
simple, flat namespace. A container's directory contains several files:
- addtask: writing a process ID into this file will add the
corresponding process to the container. Processes already belonging
to a container cannot be added directly to a new container; they must
be explicitly removed from the old one first.
- rmtask: a process may be removed from a container by writing
its ID to this file.
- page_limit: the maximum number of active memory pages which
may be used by the container.
There are also a few informational files for getting statistics about how
the container is operating.
The memory limit works by adding a container pointer to each
mm_struct and address_space structure on the system. As
pages are used or freed, the container's total count is updated
accordingly. Should the container go over its limit, a separate process (a
workqueue) goes to work freeing up pages belonging to the container. If
the limit is exceeded in a big way, processes within the container will
(when they try to add pages) be put on hold briefly to let the reaper catch
up.
Rohit's containers are thus concerned with controlling aggregate resource
usage. In this sense, they resemble the resource beancounters patch -
but they do not use any of the beancounter code. These containers also
lack one other feature found in most other implementations: any sort of
namespace control. Processes placed into one of these containers will
still see - and have access to - the entire system.
So these containers are only a partial solution to the problem, at least at
this point. Namespace control features could presumably be added later on,
though how that control would interact with the ability to add and remove
processes at arbitrary times would be interesting to see. Meanwhile we
have another approach to (at least part of) the problem to look at.
Comments (none posted)
The nopage() address space operation is charged with handling a major page
fault within an address range. For address spaces backed by files, there is
a generic nopage() method which causes the needed page to be read into
memory. Device drivers also occasionally provide nopage() as part of their
implementation of mmap(). In the driver case, a page fault is usually
handled by finding the struct page corresponding to a memory-mapped buffer
and passing that back to the kernel.
There are a couple of errors which can be signaled by nopage():
NOPAGE_SIGBUS for truly bad addresses and
NOPAGE_OOM for situations where an out-of-memory situation caused
the attempt to handle the fault to fail. What is missing is the ability to
indicate that nopage() was interrupted by a signal and the
operation should be retried. That is not a situation which normally comes
up in nopage() handlers which, if they must wait, usually do so in
a non-interruptible manner. Benjamin Herrenschmidt has run into this
issue, however, and has proposed a small change allowing
a new NOPAGE_RETRY value. The response would be just as one would
expect - the operation is retried later on, after the signal is handled.
It turns out that Google has a similar
patch which it applies internally, though the motivations are
different. In Google's case, the patch exists to work around a performance
problem that has been experienced there. This patch has not been submitted
for merging because of potential denial of
service problems and the fact that its author considers it to be a bit
of a hack.
Some form of this patch may well be merged eventually, but some more work
seems called for first. The two patches make it clear that there are
multiple reasons for returning NOPAGE_RETRY, so it might make
sense to make that reason available to the higher levels of the page fault
handler. That would allow some potential efficiency problems to be
addressed, though the DoS scenario still presents potential problems.
Meanwhile, one of the longstanding limitations of nopage() is that
it can only handle situations where the relevant physical memory has a
corresponding struct page. Those structures exist for main
memory, but they do not exist when the memory is, for example, on a
peripheral device and mapped into a PCI I/O memory region. Some
architectures also do very strange things with special memory and multiple
views of the same memory. In such cases, drivers must explicitly map the
memory into user space with remap_pfn_range() instead of using
nopage().
Jes Sorensen has, for some time, been carrying a patch which adds another
address space operation called nopfn(). It is called in response
to page faults only if there is no nopage() operation available;
its job is to return a physical address (in the form of a page frame
number) for the page which will satisfy the fault. That address will be
stored directly into the process's page table, with no struct page
required, and no reference counting performed. Jes has an IA-64 special memory driver
which shows how this operation would be used.
The idea has not been universally popular in the past - Linus
has opposed it, as have others. To some it looks like a needless
complication of the virtual memory subsystem; these people would rather see
code use remap_pfn_range() or create special page
structures as needed. There are a number of situations where the
nopfn() is said to work better, however, and the pressures for its
inclusion do not appear to be going away. So it will be interesting to see
whether this one makes it into 2.6.19 or not.
Comments (none posted)
Patches and updates
Networking
- Daniele Lacamera: TCP Pacing.
(September 16, 2006)
Page editor: Jonathan Corbet
Distributions
News and Editorials
One of the things that people like about Gentoo is that it is
customizable. You can select the packages you want, in the versions you
prefer, compile them with the options you select, and finally arrive at a
system that is just the way you like it. What people don't like is that the
process is time-consuming and that it can be difficult to duplicate for a
number of machines. The comments attached to this article show exactly what
LWN readers like and dislike about Gentoo.
The initial announcement for the Gentoo
Seeds project came out this week, aimed at taking some of the pain out of
Gentoo installs. Gentoo does offer staged installation. A stage 3 install
provides pre-compiled packages for a basic installation fairly quickly.
The Seeds project just takes that concept a step further.
The Gentoo Seeds
Project is "currently exploring ways to quickly 'seed'
fully-working copies of Gentoo onto boxes." That includes basic
system configuration. Seeds are built using existing Gentoo tools such as
catalyst, overlays, layman and custom profiles, so that each seed will
provide a well-documented way of installing multiple servers with a similar
setup. Different seeds will provide different setups.
The project is still quite young and the first seed under construction is a
basic Gentoo LAMP Server edition. Hopefully this will become just one seed
of many that people can choose to more easily install the same Gentoo
system on multiple boxes.
Comments (1 posted)
New Releases
The third test release for Fedora Core 6 is out, click below for the
details. The final FC6 release is scheduled for October 11, so now
would be a good time for interested people to test it out and find those
last obnoxious bugs.
Full Story (comments: 15)
Slackware has released a fifth release candidate for Slackware 11.0. Click
below for a look at the change log.
Full Story (comments: none)
Ubuntu/Kubuntu/Xubuntu/Edubuntu Knot 3 is out. This is the third in a
series of milestone CD images that will be released throughout the Edgy
development cycle. "The primary changes from Knot 2 have been
finalising of feature goals and bugfixing. The current state of features
targeted for Edgy is at
https://features.launchpad.net/distros/ubuntu/edgy/+specs . Common to all
variants, we have changed the init system from the venerable sysvinit to
upstart which is an event-driven init script system. In addition, all
derivatives have new artwork, both for usplash as well as for login
managers and default backgrounds. The keyboard layout handling on the
console has been changed to use X keymaps."
Full Story (comments: 2)
Distribution News
Dunc-Tank.org has announced its first fund-raising experiment: collecting
donations to help Debian GNU/Linux 4.0, codenamed etch, be released on
schedule on the 4th of December, 2006. "Dunc-Tank.org aims to support
Debian's efforts to meet its release schedule for etch by financially
supporting the volunteers working on managing the release process, allowing
them to devote their full attention to that task. The experiment's initial
goal is to be able to raise enough funds to pay both release managers enough
to work exclusively on the release of etch for a month each, having Steve
Langasek available full-time during October and Andreas Barth available
full-time during November, with the release expected to follow soon after in
the first week of December."
Comments (3 posted)
Here's a report on the first Debian internationalization meeting, which took
place earlier this month in Extremadura, Spain. "23 people from all over the
world, representing various different scope in the Debian
internationalisation and localisation effort, as well as representative from
related projects participated to this meeting."
The second call for votes has been issued
for the general resolution to address the procedures related to handling
assets for the project.
Comments (none posted)
The Unofficial Fedora FAQ has been updated. Click below for a list of the
most recent changes.
Full Story (comments: none)
The beta freeze for Ubuntu 6.10 is in effect according to the release
schedule. "During this time, uploads should be made only for changes which
are critical for the beta release, and must be approved by the release team.
As we work to prepare the release, further information about these
restrictions may be announced."
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for September 19, 2006 looks at various etch topics,
GNOME 2.16 in experimental soon, a report from Come 2 Linux, moving toward
DebConf7, the Hurd with WLAN and PCMCIA, and several other topics.
Full Story (comments: none)
The Gentoo Weekly Newsletter for September 18, 2006 covers some openssl
options, portage 2.1.1 released, cleanup of autotools wrappers, and more.
Comments (none posted)
The Gentoo Weekly Newsletter for September 11, 2006 covers Gentoo Council
election results, a donation from Cloanto, support dropped for monolithic X,
developer of the week Joshua Nichols, and several other topics.
Comments (none posted)
The Ubuntu Weekly Newsletter for September 16, 2006 covers the release of
Edgy Eft Knot 3, the passing of Rob Levin of Freenode, announcement of the
next development summit for Ubuntu, changes in Edgy, Ubuntu in the news and
much more.
Full Story (comments: none)
The DistroWatch Weekly for September 18, 2006 is out. "It's a Mandriva week,
no doubt. With the imminent release of its brand new version 2007, all eyes of
the Linux community are now on the French distribution maker whose new
product is likely to raise the usability and eye candy bar for desktop
Linux distributions significantly. Can Mandriva regain its former glory?
We'll find out soon. In other news: the development of the venerable RPM
Package Manager is in deep trouble, Terra Soft announces Yellow Dog Linux
5.0, NetBSD continues its round of negative publicity, and a trial edition
of Xandros Desktop 4 is now available for free download. In our "Tips and
tricks" section we'll let you on some secrets about extracting package
lists from various distributions, while the "Statistics" feature looks at
the DistroWatch visitor numbers from the Middle East. A couple of site
updates follow before the usual database summary concludes this issue."
Comments (none posted)
Package updates
Updates for Fedora Core 5:
kernel (bug fixes),
pinfo (update to 0.6.9),
dump (bug fixes),
cups (bug fixes),
tar (upgrade),
nspr (update to 4.6.3),
krb5-auth-dialog (bug fix),
glibc (bug fixes),
vixie-cron (bug fixes),
frysk (new upstream version),
kdelibs (bug fixes),
perl-DBI (upgrade to 1.52),
sed (bug fix),
system-config-securitylevel (bug fixes),
sane-backends (clean up),
ORBit2 (bug fix),
bridge-utils (bug fix),
kdebase (bug fixes),
openssh (sync with FC6 version),
jessie (bug fix),
anacron (bug fixes).
Comments (none posted)
Updates for
Mandriva Linux 2006.0:
ipsec-tools (update to 0.6.6).
Comments (none posted)
Updates for
rPath Linux 1:
conary,
conary-build, conary-repository, conary-policy (Conary 1.0.31
maintenance release).
Comments (none posted)
Updates for
Trustix Secure Linux 2.2 and 3.0:
openswan, perl-dbd-mysql, php, php4 (various
bug fixes).
Comments (none posted)
Updates for
Ubuntu 6.06 LTS:
flashplugin-nonfree_7.0.68~ubuntu1~dapper1,
amarok_1.4.3-0ubuntu6~dapper1,
openoffice.org 2.0.3-6dapper3,
k3b_0.12.17-1ubuntu3~dapper1.
Comments (none posted)
Newsletters and articles of interest
Debian Help covers Debian network utilities and tools for administrators
and users, including tools to check the network related traffic and monitor
the network. The article is in two parts. Here is
part 1 and
part 2.
Comments (none posted)
Distribution reviews
Dave Phillips tests the Apodio and Dynebolic live CD audio distributions in a Linux Journal article. "In this entry I'm going to introduce two audio-optimized Linux distributions, Apodio and Dynebolic. Both systems can be run in "live" mode, i.e. you put the distribution disc in your CD drive, you reboot, and voila, you're booted into the system. Basically the live mode runs itself from a RAM disk and the distribution CD. The process is transparent, except for the occasional disc reads. The systems can be installed to a hard-drive, but to keep things simple for myself I've tested them only in live mode."
Comments (1 posted)
ZDNet looks at Mandriva Corporate Server 4.0. "Corporate Server 4.0 uses the
2.6.12 Linux kernel and includes MySQL 5.0, PostgreSQL 8.1, Apache 2.2 and
Samba 3.0.22. It also features the newest version of Mandriva Pulse, a
provisioning and configuration management tool that can manage both Linux
and Windows systems. It is fully compliant with the Linux Standard Base,
meaning it's interoperable with other LSB-compliant operating systems."
Comments (none posted)
Page editor: Rebecca Sobol
Development
There are a lot of terms that a project does not wish to be associated with: "bloated", "slow", "insecure", and "archaic" come to mind. Perhaps one of the worst labels a project can receive, though, is "vaporware", a term reserved for projects that consist of nothing but hot air. If you had composed a histogram of the adjectives used by commentators to color Perl 6 whenever it made a news appearance, you might have worried that the developer community believed that the language was either dying, dead, or would be dead on arrival. Beyond the resulting disagreements over predictions of where this language is headed, there were also disagreements over whether the predicted doomsday scenarios would amount to a tragedy.
And who could blame many of these commentators? Perl 5 is now almost 12 years old. In the years that have passed, developers have been wooed by other languages such as PHP, Python, Ruby and Java. Perl 6 has not yet gone gold, despite the fact that it has been on the minds of Perl developers for years.
If Perl 6 is going to win back hearts and minds, it's going to need to be all that Perl 5 was, and more. It must still be the swiss-army chainsaw of UNIX programming. It must remain the glue that holds the Internet together, and it must keep the ability to mow down entire rainforests in 4 seconds. That's a very tall order, but Perl is famous for making hard things easy and impossible things doable.
Radically Different but Radically the Same
Larry Wall, the creator of Perl, intends for Perl 6 to be the community's rewrite
of Perl. When the design phase of Perl 6 began, he asked the community for a series of RFCs.
Each RFC proposed a new feature or change to the Perl language. When the dust settled, 361 RFCs had been submitted.
Larry then began a process of responding to the RFCs in a series of Apocalypses (think "a Revealing"). Each Apocalypse
addressed a series of RFCs, rating the presented problem, suggested solution, and finally casting
a decision on whether the RFC as a whole was accepted.
The Apocalypse documents formed the first official Perl 6 spec.
Perl programmers might worry that a rewrite would create a language incomparable to
the one they grew up on; fortunately, that is not the case. In responding to
RFC 28 (Perl should stay Perl),
Larry agreed not to go raving mad but reminded readers that Perl is intentionally multi-paradigmatic.
I am happy to report that Perl 6 isn't the work of a madman.
It's much more of the things some language purists hate, but with half
the calories, none of the hacks and a 16-cylinder turbocharged engine.
Here are some of the new concepts developers can look forward to using:
- Coroutines are a general case of subroutines that allow you
to return and re-enter at a later time. This model is especially useful
for state machines.
- Lazy evaluation defers work until it is needed, allowing
the use of concepts such as virtual infinite lists.
- Function currying essentially creates a new function based
on an old function by predefining one of its arguments.
- Junctions represent many values at once, allowing a test
such as if ($variable ~~ any('str1','str2','str3')) { ... }
- Hyperoperators apply an operation to an entire vector.
In addition to introducing new features, the overhaul has corrected many shortcomings:
- given is the new, built-in switch statement with the new ~~ smart-match operator for individual cases
- Unicode processing is fully supported
- Native object support makes classes, roles, methods, and attributes
with strong encapsulation and fully object-oriented exception handling a fundamental property of the language rather than a run-time bolt-on.
- Parameter passing in Perl 6 supports named and positional parameters and captures, providing all the flexibility of the Perl 5 calling convention, while supporting well-defined interfaces without the need to invoke third-party modules like Params::Validate.
- Multi-method dispatch allows these new well-defined interfaces to be overloaded with different versions depending on the parameter signature
- Threading, Garbage collection and XS, the system allowing Perl to link other languages, will all receive improvements as well.
But what is perhaps most interesting is what is happening to Perl 6's bread and butter: regular expressions and text handling. It will be possible to use Perl 5 regular expressions in Perl 6, but the system's new syntax features radical renovation. Regular expressions are now called Rules. This system provides named regular expressions with named captures, both of which can be represented and used in object form. Incremental regex matching can be combined with the system's new ability to write LL and LR Grammars directly in Perl 6 to create advanced parsers even more capable and easy to create than those made with the revolutionary lex and yacc tools of yesteryear. And for the fans of the C programming language, Perl 6 provides macro support, in the form of the ability to alter the Perl 6 grammar itself from within your Perl 6 code.
A Tall Order, Toppled
The promise of Perl 6 is not one that everyone expects will be kept. Surveying the extent of the Perl 6 blueprints, many armchair implementors might rate the requisite development effort as one in need of the infinite number of monkeys currently busy at their typewriters with the reproduction of the works of Shakespeare.
The good news is that the insurmountable task of developing Perl 6 is already well underway. Pugs is a project to implement Perl 6 using the functional programming language Haskell. Written by Audrey Tang, the Pugs compiler implements the Perl 6 language specification, giving programmers an opportunity to write real Perl 6 code today. This also allows the language designers to catch and fix any problems with the Perl 6 specification. The Pugs Subversion repository, currently tracking in excess of 12,000 revisions, is also home to a vast collection of example code and nearly 12,000 unit tests. Backends exist to run Perl 6 code natively, inside a JavaScript runtime, inside a Perl 5 runtime, or inside a Parrot runtime.
The Parrot runtime came to life as an April Fools joke in the form of a press release in 2001 that promised to merge desirable properties of Python and Perl. But whatever the original intention of the Parrot announcement may have been, Parrot is a very real software project whose most recent 0.4.6 release offers a common, free software virtual machine that aims not only to support the Perl 6 and Python languages, but also TCL, Ruby, JavaScript and others.
Pugs and Parrot are not complete projects. Neither claims to be the final, standalone implementation of Perl 6. But what we are looking at is clear. One of the most defining characteristics of Perl is that "There's More than One Way to Do It". It is a belief that choice is good and that flexibility is essential. Pugs and Parrot both represent powerful embraces of this ideal. Where Pugs demonstrates the possibility of running Perl 6 code in multiple programming language containers, Parrot demonstrates the possibility of running multiple programming languages in one container.
This flexibility means that programmers most comfortable using Python, Ruby or other languages capable of being compiled to Parrot bytecode can share functions, objects and modules.
The famous Perl DBI and many other excellent CPAN modules can be shared amongst these other languages, rather than reproducing similar but incompatible systems time and time again.
Programmer portability is just as important as program portability. Parrot aims to run on as many of the 50 systems supported by Perl 5 as possible. This ensures bytecode produced by Parrot-enabled programming languages will achieve the kind of portability normally reserved for languages with a long and diverse history. Additionally, by providing a free software implementation of a true common language runtime, software projects like Apache that traditionally offered rich access to their internal APIs through projects like mod_perl can do so with an embedded Parrot runtime rather than a specific language interpreter.
It Starts Today
As mentioned, there is no official, production-ready Perl 6 implementation. But interested programmers need not wait for the future. Pugs provides the ability to run real Perl 6 code today. A number of CPAN modules provide Perl 6 technology inside the Perl 5 language. An experimental Perl 6 compiler written in Perl 5 is under development and currently passes about 10% of the Perl 6 test suite. Part of Perl 6 is already written in Perl 6. And an O'Reilly book, Perl 6 and Parrot Essentials, has already been on shelves for two years (during which time the language has, as you might expect, evolved considerably).
These projects won't stop concerned readers from asking "Would the real Perl 6 please stand up?" In truth, the concept of an "official" Perl 6 implementation misses the point. This is best explained by Larry Wall in Synopsis 1 under the "Project Plan" section:
What we can say here is that, unlike how it was
with Perl 5, none of these projects is designed to be the Official
Perl. Perl 6 is anything that
passes the official test suite. This test suite was initially developed
under the Pugs project because that project is the furthest along in
exploring the high-level semantics of Perl 6. (Other projects are better at
other things, such as speed or interoperability.) However, the Pugs project
views the test suite as community property, and is working towards platform
neutrality, so that Perl 6 is defined primarily by its desired semantics,
not by accidents of history.
Lastly, it is expected that Perl 6 will be self-hosting. The compiler for Perl 6 will be written in Perl 6 itself. This implementation effort is already underway in the Pugs v6 repository.
Comments (15 posted)
System Applications
Audio Projects
Version 0.9.74 of the Rivendell radio automation system is out
with bug and security fixes.
"
Rivendell is a full-featured radio
automation system targeted for use in professional broadcast environments. It
is available under the GNU General Public License."
Full Story (comments: none)
Mail Software
Version 2.1.9 of Mailman, a mailing list manager,
has been announced.
"
This is primarily a security and bug fix release and
it is highly recommended that all sites upgrade to this version.
Mailman 2.1.9 also contains support for two new languages: Arabic and
Vietnamese."
Comments (none posted)
Web Site Development
The September 1-15, 2006 edition of
Zope News
is available with the latest Zope web development platform news.
Comments (none posted)
Desktop Applications
Audio Applications
Version 0.9.7.0 of SND-ls, a distribution of the sound editor SND,
is out with several bug fixes.
Full Story (comments: none)
Data Visualization
The first public release of
PyXPlot
has been announced.
"
PyXPlot is a commandline graphing package, which, for ease of use, has an interface based heavily upon that of gnuplot -- perhaps UNIX's most widely-used plotting package. Despite the shared interface, however, PyXPlot is intended to significantly improve upon the quality of gnuplot's output, producing publication-quality figures. The commandline interface has also been extended, providing a wealth of new features, and short-cuts for some operations which were felt to be excessively cumbersome in the original.
The motivation behind PyXPlot's creation was the apparent lack of a free plotting package which combined both high-quality output and a simple interface."
Comments (none posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The September 17, 2006 edition of the
KDE Commit-Digest has been
announced.
The content summary says:
"
Amarok gets the roots of support for the Magnatune music store. Work begins on a LiveUI Designer application. Mass import of KBoard code, a lightweight canvas intended for games. Work on supporting the XML Paper Specification format in okular. Support for multiple galleries in kipiplugins, on which Digikam and KPhotoAlbum depend. Support for compressed Scalable Vector Graphics (SVGZ) in kdelibs. Solid gets Network Management and CPU Monitoring capabilities. Continued improvements in KArchiver."
Comments (none posted)
KDE.News
covers
the progress of KDE 4.
"
Packages for the first KDE 4 developers snapshot "Krash" have started appearing. Most exciting is packages for a whole new platform, Mac OS X. More details are on Benjamin Reed's blog. For the traditionalists packages are available from openSUSE and Kubuntu. If you are a KDE application developer, this is the easiest way to start porting your application to KDE 4. Meanwhile work is continuing on KDE on Windows where developers have successfully got all of kdelibs compiling. Finally the KDE Women project has a new tutorial to get you started in KDE4 development."
Comments (none posted)
Financial Applications
Version 2.6.19 of SQL-Ledger, a web-based accounting system,
has been announced; it features several bug fixes and other
improvements.
Comments (none posted)
Graphics
Version 0.44.1 of Inkscape, an SVG-based drawing tool, is out.
"
This bugfix version fixes several weeks of work by the community
in order to fix some crashes on windows, Mac OS X, and other packaging
issues which have come up from our last successful release, 0.44 which
introduced substantial features like graphical layers, clipping and
masking support, and native PDF export with transparency."
Full Story (comments: none)
Interoperability
Version 0.9.21 of Wine has been
announced.
Changes include:
OpenGL restructurations, The usual assortment of MSI improvements,
Several Richedit fixes, WCMD Winelib app renamed to CMD for compatibility,
Many improvements to the Wintrust DLL, Some code cleanups and
Lots of bug fixes.
Comments (none posted)
The September 19, 2006 edition of the
Wine Weekly Newsletter
has been published. This edition features a WineConf 2006 Summary.
"
The goal is to make MacOS a first-class citizen. Alexandre mentioned a couple of times that we need a good OS X package available on WineHQ. It would also be nice to have a Quartz driver, but everyone agrees that would be a lot of work.
Things are shaping up pretty nicely for a Wine 1.0 release. The configuration mechanisms have been in place for a while and the initial registry set up works pretty good."
Comments (none posted)
Mail Clients
Version 1.5.0.7 of the Mozilla Thunderbird email client
has been announced.
"
This release fixes several critical security vulnerabilities. See the Mozilla Thunderbird 1.5.0.7
Release Notes for more information."
Comments (none posted)
RSS Software
Paul Sobocinski
shows how to make an Ajax RSS Parser on O'Reilly's XML.com.
"
Ajax (Asynchronous JavaScript And XML) and RSS (Really Simple Syndication) are two technologies that have taken the Web by storm. Most commonly, RSS is used to provide news to either people or other organizations. This is done by serving an "RSS feed" from a website. An RSS feed is simply a link to an XML file that is structured in a certain way. The RSS specification tells us the expected structure of the XML file. For example, the title, author, and description tags are required, and so all RSS XML files will have at least these three tags."
Comments (none posted)
Web Browsers
Version 1.5.0.7 of the Mozilla Firefox web browser
has been announced.
"
Mozilla Firefox 1.5.0.7 is now available for download from the Mozilla
Firefox product page. Users of previous version will be offered the upgrade
through the Firefox software update system. This release fixes several
critical security vulnerabilities. See the Mozilla Firefox 1.5.0.7
Release Notes for more information."
Comments (none posted)
Version 1.0.5 of
Seamonkey,
an internet application suite with a web browser, email and newsgroup clients, IRC chat client, and HTML editor, is out with
security fixes.
"
This release contains important fixes for several security vulnerabilities and various stability improvements. The SeaMonkey Council recommends that all users upgrade."
Comments (none posted)
Languages and Tools
Caml
The September 19, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Perl
The Weekly
Perl 6 mailing list summary for September 10-16, 2006 is out with the
latest Perl discussion topics.
Comments (2 posted)
Python
The final Python 2.5 release is now available. "
Python 2.5 is probably the most significant new release
of Python since 2.2, way back in the dark ages of 2001.
There's been a wide variety of changes and additions,
both user-visible and underneath the hood." Click below for details
and download information.
Full Story (comments: 5)
The September 14, 2006 edition of Dr. Dobb's Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
XML
Version 1.1.9 of the Amara XML Toolkit
has been announced; it adds new capabilities and bug fixes.
"
Amara XML Toolkit is a collection of Python tools for XML processing--
not just tools that happen to be written in Python, but tools built from
the ground up to use Python's conventions and take advantage of the many
advantages of the language.
Amara builds on 4Suite [http://4Suite.org], but whereas 4Suite offers
more on literal implementation of XML standards in Python, Amara
focuses on Pythonic idiom."
Comments (none posted)
Profilers
Version 3.2.1 of Valgrind has been announced.
"
Valgrind is an open-source suite of simulation based debugging and
profiling tools. 3.2.1 fixes a bunch of bugs in 3.2.0, adds support
for SSE3 instructions, and supports recent GNU binutils releases."
See the
release notes for details.
Full Story (comments: none)
Version Control
Version 0.30 of monotone, a distributed version control system, is out.
Changes include:
"
Speed improvements, bug fixes, and improved infrastructure.
Several internal data formats have changed with this release;
migration is straight-forward, but slightly more complicated
than usual".
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Richard Stallman
criticizes
the OSDL prior art project. "
Such a project cannot really
protect programmers from software patents, because it focuses only on
absurd software patents -- those that could be legally denied or
invalidated based on prior art. However, the greatest danger comes from
patents that are not absurd, those for which we have no prior art."
Comments (46 posted)
LinuxWorld
looks at the increasing use of Linux and open-source software in a
number of small companies.
"
Lamonica deployed an open source monitoring system from GroundWork and says that moving forward he'll weigh open source options along with commercial software packages in any buying decision.
'We're past the point in time where we have to say, Well, I won't get fired if I buy Cisco, or I won't get fired if I buy Microsoft. I think that fear has gone away and open source has matured a great deal so that now people are no longer afraid of it,' he says."
Comments (none posted)
Companies
Linux-Watch
looks at
Linspire's partner program. "
Linspire Inc. launched a revamped
partner program on September 14 that will pay system builders a percentage
on all commercial Linux software and services purchased by users of either
Linspire or Freespire pre-installed desktop and laptop computers using the
company's CNR (Click N' Run) technology."
Comments (1 posted)
ZDNet
reports on Novell's plan to release a real-time version of SUSE Enterprise Linux.
"
The product won't be purchased the same way as Novell's other Linux versions, however. 'Setting it up does require a consulting engagement' from Novell, which installs and tunes the software, [marketing director Justin] Steinman said. 'It isn't something you can take off the shelf and get up and running.'"
Comments (none posted)
Business
Linux Journal
looks
at the business of blogging. "
If you look at the font of all
wisdom - no, I don't mean Wikipedia, but Amazon - you will find stacks of
books with titles like The Corporate Blogging Book, Blogging
for Business, Blog Marketing and the rest. Whatever the
title, the basic message is the same: if you're in business, you've got to
be blogging. Because if you aren't, you're not "having the
conversation" with your customers, which means, in turn, that you're not
getting your message out or valuable comments back."
Comments (6 posted)
Linux Adoption
LinuxWorld
covers the switch to an open-source telephone PBX by
Sam Houston State University.
"
Some organizations consider taking the plunge off of big iron PBX platforms into IP telephony as being pretty daring, but that's nothing compared to what Sam Houston State University (SHSU) is doing. The south Texas school is boldly moving thousands of users off a Cisco VoIP platform to an open-source VoIP network based on Asterisk.
SHSU is in the process of moving its 6,000 students, faculty and staff off of Cisco CallManager IP PBXs and a legacy Nortel Meridian PBX over to Linux servers running Asterisk, which includes call processing, voicemail and PSTN gateway functionality. The driver for this project was cost, says Aaron Daniel, senior voice analyst at Sam Houston State University."
Comments (2 posted)
Linux at Work
Linux Devices
covers
NASA's test of its Linux-based K-10 lunar rover.
"
The K-10 robot is being exercised this week by a NASA working group called "D-RATS" (desert research and technology studies). Comprised of both NASA and non-NASA scientists, D-RATS aims to give next-generation engineers, scientists, technicians, and astronauts hands-on experience expected to be of use in realizing the goals of NASA's Constellation Program, which is tasked with creating Crew Exploration Vehicles (CEV), Crew Launch Vehicles (CLV), and related exploration architecture systems for manned and unmanned planetary exploration."
Comments (2 posted)
Interviews
O'ReillyNet
talks
with Charles M. Hannum about NetBSD. "
Charles M. Hannum: I'm one
of the creators of the NetBSD Project, and served as its de facto technical
lead for a long time. I was also involved in creating the NetBSD
Foundation, and served as its president and chairman of the board. (Note: I
was never the Foundation's secretary or treasurer.)"
Comments (19 posted)
Behind Ubuntu
interviews
Daniel Holbach. "
In what way are you involved in Ubuntu?
I'm currently spending most of my Ubuntu time in Ubuntu's DesktopTeam,
doing package maintenance, working on Desktop bugs and getting on
Sebastien's nerves. Apart from that I'm involved in a lot of Ubuntu's
teams: the MOTU team, the Bug Squad, the Accessibility team, I got started
helping out the Art team. Let's see which team is next. It's amazing to see
the Ubuntu community growing and to be part of that all."
Comments (none posted)
KDE.News
has announced
the latest
interview
in the People Behind KDE series.
"
Tonight in the two-weekly People Behind KDE series we are featuring Allan
Sandfeld Jensen. He is a KDE core developer, mostly active for KHTML and KDE
multimedia. After reading the interview you will know what his personal
"carewolf" looks like, together with all other personal things you have to
know about this developer."
Comments (none posted)
Resources
Linux.com
looks at
the Invisible Internet Project (I2P). "
In I2P, each participating
peer keeps a secret pool of inbound, or data-receiving, and outbound, or
data-transmitting, tunnels it chooses itself. A tunnel consists of a
configurable number of routers in sequence, where longer tunnels mean more
anonymity, at the expense of performance. When a peer sends data, it is
passed through one of its outbound tunnels, at the end of which it enters
an inbound tunnel of the recipient. For each router that is part of the
chosen tunnel, a layer of encryption based on the router's key is
added. This technique, the main feature of "onion routing," prevents
compromised routers from eavesdropping."
Comments (none posted)
Joe 'Zonker' Brockmeier
shows how
to set up Planet in a Linux.com article.
"
Major open source projects like GNOME, KDE, Ubuntu, Fedora, Debian, and Apache all have something in common -- they all have Planet feed reader sites set up to aggregate developer blog feeds. The Planet software was developed to power Planet GNOME and Planet Debian, but now it's being used by dozens of open source projects. With just a few simple steps, you can set up a Planet aggregator to watch your favorite blogs or to help publicize your favorite project."
Comments (none posted)
Linux Journal presents a
book excerpt
from Using SUSE Linux on Your Desktop by Chris Brown PhD.
"
Given the rapid pace of software development in the Linux world, it is inevitable that some topics that are bleeding-edge as this book goes into production will be mainstream technology by the time you get to read it. One such is the Xgl X server and the compositing window manager compiz. Together with a modern graphics card, these components (which are shipped with SUSE Linux 10.1) offer some stunning visual desktop effects comparable (dare I say this?) to the best that the Mac has to offer. These effects include transparent windows, fade-in/fade-out of windows and menus, animated window minimization, and the ability to put four desktops onto four faces of a cube and spin the cube (in 3-D) to switch desktops. The overall result is to give the desktop a more fluid, organic feel."
Comments (20 posted)
Reviews
Linux.com
looks at
the Alacarte menu editor in GNOME 2.16. "
The Alacarte menu editor is
one of the major additions in GNOME 2.16. Already previously available in
Ubuntu and other distributions, Alacarte adds a degree of customization
that has been generally lacking since GNOME dropped its previous menu
editor more than five years ago during the early 2.x releases."
Comments (none posted)
NewsForge
covers
the release of FreeDOS 1.0. "
FreeDOS was originally slated for
release at the end of July, but Hall says he decided to take a few extra
weeks to make sure everything was just right before making 1.0 available
for download. "Nothing very unusual came up in the last weeks, except a
tiny problem in our preliminary FreeDOS 1.0 distros where we could make
your hard drive unbootable if you happened to have Win32 on it," said
Hall. "We figured it would be bad to make a 1.0 release until we fixed
that. Based on all the downloads we've gotten since the announcement, I'm
really glad we decided to give it a few more weeks to get things
right.""
Comments (5 posted)
Joe Barr
concludes
that Gentoo is not for everyone. "
Gentoo is a popular, powerful,
well-crafted distribution that panders to your geek side to the nth
degree. You want control? Gentoo hands you the reins and wishes you good
luck. How much luck you need depends on how much you know. But it's simply
not for me. Like a good programmer, I'm lazy. While it was once fun to
compile the kernel and mention it the next morning while grabbing a cup of
coffee, these days I want to use my machine for things other than the care and
feeding of the operating system."
Comments (24 posted)
Dr. Dobb's Portal
takes
a look at a Linux-powered helicopter simulator. "
Every now and
then, you stumble across a software system that you never think about. Such
is the case with a Linux-powered helicopter simulator being developed by
Mitsubishi Heavy Industries. And no, you can't run it on your PlayStation
2."
Comments (5 posted)
Ben McGrath
looks at KToon in a Linux.com article.
"
If you are running Mac OS X or Microsoft Windows, you have access to many different animation applications, ranging from Adobe Flash to Anime Studio. That is not so for Linux. While many think of animation in Linux as a lost cause, there are alternatives. The relatively new KToon calls itself "the open source animation revolution." KToon has a small learning curve and an intuitive interface, making it an excellent choice for simple animation within Linux."
Comments (none posted)
ZDNet
takes a
look at the
Red
Hat Application Stack. "
The bundle includes Red Hat Enterprise
Linux, the JBoss Application Server, database-access software called
Hibernate, and the Tomcat Web application server. The stack is certified to
run with open-source database PostgreSQL and includes MySQL, another
popular open-source database."
Comments (2 posted)
Linux.com
looks at the Simple Groupware package. "
But what sets Simple Groupware apart from similar applications, is its own XML-based language called sgsML, which allows you to customize the existing modules and create new ones even if you don't have any prior programming experience. For example, the default file manager is fine as it is, but you can also turn it into a simple document management system using the tools provided by sgsML."
Comments (10 posted)
Miscellaneous
Linux.com
looks at
some lessons learned from the second Summer of Code. "
As the second
Google Summer of Code (SOC) winds down, most participants agree: the
program, which pays selected students to work on a free or open source
software (FOSS) project for three months, is a unique and exciting
opportunity, but needs to continue efforts to become more organized. Those
who were previously involved tend to agree that this year was less chaotic
than last year. However, whether they are organizers at Google or students
or members of mentoring organizations (the projects accepting students),
most participants this year also see the need for more structure. Many of
them also offer concrete advice about how participants can get more out of
the program if it happens next year."
Comments (3 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has sent out a press release
concerning an Ohio E-voting case.
"
The Electronic Frontier Foundation (EFF)
has asked the 6th U.S. Circuit Court of Appeals to reject
Ohio's latest attempt to dismiss a critical electronic
voting case -- the final legal hurdle in the path to a
thorough investigation of the state's widely criticized
2004 election and much needed reform.
"Ohio's procedures, like many used elsewhere across the
country, simply don't do enough to protect voters from the
serious vulnerabilities in the current generation of
electronic voting equipment," said EFF Staff Attorney Matt
Zimmerman."
Full Story (comments: none)
KDE.News
commemorates Rob
Levin. "
We knew him as lilo. He was the founder of the Freenode IRC
network, a place where many open source projects established a real-time
meeting ground. Freenode is where we work, play, and share. It is where
many a small idea has grown into a large project. It is where we are all
enriched by the experience and diversity of a group of people from many
cultures who all have in common a love of open source."
Comments (none posted)
The Software Freedom Conservancy has announced its newest member,
Mercurial.
"
The Software Freedom Conservancy, home
of Free and Open Source Software (FOSS) projects, today announced that
it welcomes as its newest member Mercurial, a distributed source
management program which can be used to track revisions of software
during development.
By joining the Conservancy, Mercurial is entitled to all of the
benefits of being a corporate entity. In particular, the
Conservancy's corporate form limits the personal liability of
individual developers and allows member projects to receive donations."
Full Story (comments: none)
The city of Munich, Germany has put out
a
press release (in German,
English
translation here) on the status of its migration to Linux.
The early pilot phase has been completed, and the core system
(built on Debian 3.1, KDE 3.5, and OpenOffice.org 2) has
been approved. While this system is expected to continue to evolve
somewhat, it seems that the deployment phase is beginning.
Comments (none posted)
Rockbox developer Björn Stenberg has let it be known that the project
received a cease-and-desist letter from the Tetris company, which objected to the
name of the "Tetrox" game distributed as a Rockbox plugin. In response,
the project has renamed the game "Rockblox." "
In addition to the trademark claim, they also claim copyright on "features"
of the game. However, the lawyers agree with me that those claims are
nonsense so we can safely ignore them."
Full Story (comments: 10)
X.Org has a board election coming up, with membership in the X.Org
Foundation required to vote. It has, however, been difficult to actually
become a member of the Foundation. That has now changed with the establishment
of the new
X.Org membership site. If you are
interested in the direction of the X Window System, and have contributions
to X that you can point to, you may wish to set up your membership now
so that you can be part of the upcoming election. (Click below for the
announcement).
Full Story (comments: none)
Commercial announcements
GroundWork Open Source, Inc. has announced version 5 of the GroundWork
Monitor product line, including GroundWork Monitor Professional, a major
upgrade to the company's flagship solution for monitoring the most
demanding IT infrastructures, including servers, applications, and
networked devices.
Full Story (comments: none)
The Intel Open Source Technology Center has announced
the Linux-ready Firmware Developer Kit, which is aimed at
BIOS writers.
"
The Linux-ready Firmware Developer Kit is an open source tool to test how
well Linux works together with the firmware (BIOS) of your machine. The kit
consists of a bootable CD that runs a series of tests and then presents the
results on the screen for interactive inspection. The tests all check an
aspect of the firmware that Linux uses or depends on for optimal operation."
Full Story (comments: 2)
Novell, Inc. has
announced that it is honoring its training partners.
"
Reflecting the importance of
training in promoting Linux* adoption worldwide, Novell(R) is honoring its
top Linux training partners for their success in driving Linux education,
designating them Linux Centers of Excellence. These partners, which include
companies across Novell's major geographic markets, delivered rapid growth
in students trained, top ratings for the quality of their Linux
instructors, and high marks for customer satisfaction."
Comments (none posted)
Version 1.2 of OpenSceneGraph, a cross-platform scene graph platform,
is out.
"
OpenSceneGraph Professional
Services announces the release of OpenSceneGraph 1.2, the industry's
leading open source scene graph technology, designed to accelerate
application development and improve 3D graphics performance.
OpenSceneGraph 1.2, written entirely in Standard C++ and built upon
OpenGL, offers developers working in the visual simulation, game
development, virtual reality, scientific visualization and modeling
markets a real time visualization tool which rivals established
commercial scene graph toolkits in functionality and performance."
Full Story (comments: none)
Sun Microsystems, Inc. has
announced the NetBeans IDE/BlueJ Edition.
"
Sun Microsystems, Inc. (Nasdaq: SUNW) the creator and leading
advocate of Java(TM) technology, together with the NetBeans(TM) community
and the University of Kent today announced the general availability of a
new version of the open source NetBeans Integrated Development Environment
(IDE), the NetBeans IDE/BlueJ Edition. This freely available edition of
NetBeans offers a seamless migration path for students transitioning from
educational tools to a full-featured, professional IDE."
Comments (none posted)
Contests and Awards
KDE.News
covers
plans for the upcoming aKademy Awards.
"
This year aKademy will continue with tradition created at aKademy
2005 of awarding the people that made an outstanding contribution to KDE
in the last year. The award ceremony will be on Sunday, September 24th
at 17:50-18:00."
Comments (none posted)
The winner of the Fedora Open Video contest has been announced.
"
I would like to congratulate Maurizio Bertoldi who has won the first
prize for his video "Fly your mind." The prize -- a digital Sony DVD
camcorder -- will be soon on its way to Maurizio."
Full Story (comments: none)
Calls for Presentations
A
call for participation has gone out for FOSS.IN/2006.
The event takes place on November 24-26, 2006 in Bangalore, India;
submissions are due by October 8.
Full Story (comments: none)
A call for papers has gone out for the Hackers to Hackers Conference III.
"
The H2HC have as mainly objective offer a national and international
conference for Brazilians Hackers, strongly the ethical of hacking.
We have as mission change and demystify the word hacker from the
pejorative sense to show the hacker as who works in software research and
security, possessing a professional ethic to protect the organizations. Who
destroy systems? Crackers!." The event takes place during
November 2006; submissions are due by September 30.
Upcoming Events
KDE.News previews the Akademy 2006 conference, which will take place in Dublin,
Ireland on September 23 and 24.
"There is now less than one week to go until KDE developers meet with our users and industry supporters at Trinity College Dublin for our annual KDE World Summit, aKademy 2006. We are pleased to announce a further two sponsors to our long list. Office automation equipment manufacturer Ricoh and mobile phone company Nokia are now both silver supporters. Read on for the keynote speakers and some more useful information."
Also, the final version of the
aKademy 2006 Schedule has been posted.
PAKCON III, the underground hacking convention, will be held
during December, 2006 at the Pearl Continental Hotel in Karachi, Pakistan.
"PAKCON is an underground hacking convention, the first initiative of
its kind in the history of the Pakistan IT scene. PAKCON is the
brainchild of a group of capable security professionals who have
employed their genius and aptitude to provide their extensive and
comprehensive experience of information security in the form of a
wide-ranging convention on information security."
Events: September 28, 2006 to November 27, 2006
The following event listing is taken from the
LWN.net Calendar.
| Date(s) | Event | Location |
| September 23 - September 30 | KDE World Summit 2006 | Dublin, Ireland |
| September 25 - September 28 | Embedded Systems Conference | Boston, MA |
| September 29 - September 30 | No cON Name 2006 Congress | Palma de Mallorca, Spain |
| September 29 - October 1 | ToorCon 2006 | San Diego, CA |
| September 29 - October 1 | Encuentro de Desarrolladores de GNOME Zaragoza | Zaragoza, Spain |
| September 30 - October 1 | RuxCon 2006 | Sydney, Australia |
| September 30 | Ohio LinuxFest 2006 | Columbus, Ohio |
| September 30 | Defective by Design, 2pm-5pm, Apple Store, Regent Street, London, UK | London, UK |
| October 1 - October 4 | Gelato ICE Itanium Conference and Expo | Biopolis, Singapore |
| October 1 - October 3 | LinuxBIOS Symposium 2006 | Hamburg, Germany |
| October 2 - October 5 | Security OPUS Infosec Conference | San Francisco, CA, USA |
| October 7 - October 9 | GNOME Boston Summit | Boston, MA, USA |
| October 9 - October 13 | ApacheCon US | Austin, TX |
| October 9 - October 13 | 13th Annual Tcl/Tk Conference | Naperville, IL |
| October 11 - October 12 | Eclipse Summit Europe | Esslingen, Germany |
| October 11 - October 12 | Linux World Conference and Expo | Utrecht, The Netherlands |
| October 12 - October 15 | Eighth Real-Time Linux Workshop | Lanzhou, Gansu, China |
| October 18 - October 19 | International Conference on IT-Incident Management and IT-Forensics | Stuttgart, Germany |
| October 18 - October 22 | Pike Conference 2006 | Riga, Latvia |
| October 19 - October 21 | HackLu 2006 | Kirchberg, Luxembourg |
| October 19 - October 20 | DC PHP Conference | Washington, D.C. |
| October 20 - October 22 | aLANtejo 06 | Évora, Portugal |
| October 20 - October 22 | RubyConf 2006 | Denver, Colorado |
| October 22 - October 27 | Colorado Software Summit | Keystone, CO, USA |
| October 23 - October 24 | Mono User and Developers Meeting | Cambridge, MA, USA |
| October 23 - October 26 | Enterprise Architecture Practitioners Conf | Lisbon, Portugal |
| October 25 - October 26 | LinuxWorld UK 2006 | London, UK |
| October 25 - October 27 | Plone Conference 2006 | Seattle, WA |
| October 26 - October 27 | IT Underground | Warsaw, Poland |
| October 26 - October 27 | Free Software and Open Source Symposium | Toronto, Canada |
| October 28 | LinuxDay 2006 | Many of them, Italy |
| October 31 - November 2 | Zend/PHP Conference and Expo | San Jose, CA |
| November 1 | Ingres Users Association Conference | London, England |
| November 4 - November 8 | I Jornadas técnicas KDE de | Zaragoza, Spain |
| November 4 - November 11 | Open Source in Performance and Exhibition | London, England |
| November 5 - November 8 | International PHP Conference | Frankfurt, Germany |
| November 5 - November 10 | Ubuntu Developer Summit - Mountain View | Mountain View, CA, USA |
| November 6 - November 10 | Colorado Python seminar | Estes Park, CO, USA |
| November 7 - November 9 | 2006 Web 2.0 Conference | San Francisco, CA |
| November 9 - November 10 | Forum PHP 2006 | Paris, France |
| November 10 - November 12 | Chicago Perl Hackathon 2006 | Chicago, IL, USA |
| November 11 - November 17 | Supercomputing 2006 | Tampa, FL, USA |
| November 11 | FSFE Fellows Meeting | Bolzano, Italy |
| November 12 - November 14 | Firebird Conference 2006 | Prague, Czech Republic |
| November 14 - November 16 | LinuxWorld Cologne | Cologne, Germany |
| November 16 - November 17 | III Latin American Free Software Conference | Iguassu Falls, Brazil |
| November 16 - November 17 | Conference on Software Patents | Boston, MA, USA |
| November 18 | Richard Stallman speaks in Seoul | Seoul, South Korea |
| November 21 - November 24 | 15th International Conference on Computing | Mexico City, Mexico |
| November 24 - November 26 | FOSS.IN 2006 | Bangalore, India |
| November 25 | FAVE 2006 - free software multimedia event in London | London, UK |
If your event does not appear here, please
tell us about it.
Web sites
A new forum for the discussion of
MMA, the Musical MIDI Accompaniment software, has been created.
"Our good friends at Kara Moon Productions have added a forum and
will be adding some "power user tutorials" and other examples on their
web site. These folks have been giving the development of your program a
big boost in the last weeks, so I encourage your support."
Audio and Video programs
Novell presents an audio interview with Lars Mueller and Guenther Deschner.
"Samba hacker Lars Mueller explains new capabilities that he and Guenther Deschner team have been working on, allowing SUSE Linux Enterprise Desktop 10 to integrate into an Active Directory environment. From joining the Active Directory domain to initial login and Kerberos provisioning, this stuff is too cool. And Dave Mair and Randy Goddard are back for News from Support, so cue the bagpipes!"
Page editor: Forrest Cook